* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug (no #): temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.
* fwbedit: properly saving data file after "checktree" operation
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
a few bugs (no #) in policy compiler for Cisco IPv6 ACLs:
- The "extended" keyword is not supported by IOS for IPv6 ACLs
- keyword "established" is only valid in combination with
protocol tcp. If standard CustomService objects "ESTABLISHED" and
"ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".
- command to clear ipv6 access lists should be "no ipv6
access-list ipv6_management_in"
- command to assign ipv6 acl to interface should be "ipv6
traffic-filter ipv6_acl in"
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): compiler for IOS ACL used not to ignore netmasks of
IPv4 and IPv6 objects and added them to the generated access list
with netmask wildcard bits 255.255.255.255 which was equivalent to
any.
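
Added example, not Firewall Builder source (all function names are hypothetical): a sketch of how an IOS ACL address term can be rendered so that a single address becomes "host", as the prolog and _printAddr entries above require. wildcardMatches() assumes the usual IOS rule that a set wildcard bit means "do not compare", which is why wildcard bits 255.255.255.255 match any address.

```cpp
// Added illustration, not Firewall Builder source; all names are hypothetical.
#include <arpa/inet.h>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

static uint32_t parseV4(const std::string &s) {
    in_addr a{};
    if (inet_pton(AF_INET, s.c_str(), &a) != 1)
        throw std::invalid_argument("bad IPv4 address: " + s);
    return ntohl(a.s_addr);
}

static std::string formatV4(uint32_t host_order) {
    in_addr a{};
    a.s_addr = htonl(host_order);
    char buf[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &a, buf, sizeof buf);
    return buf;
}

// IOS wildcard semantics: a set wildcard bit means "do not compare this bit".
bool wildcardMatches(const std::string &rule, const std::string &wild, const std::string &pkt) {
    return ((parseV4(rule) ^ parseV4(pkt)) & ~parseV4(wild)) == 0;
}

// Address term for an IPv4 ACL entry: "any", "host A", or "network wildcard".
std::string iosAclAddrV4(const std::string &addr, int prefix_len) {
    if (prefix_len < 0 || prefix_len > 32)
        throw std::invalid_argument("bad IPv4 prefix length");
    uint32_t a = parseV4(addr);
    if (prefix_len == 0) return "any";
    if (prefix_len == 32) return "host " + formatV4(a);
    uint32_t mask = 0xFFFFFFFFu << (32 - prefix_len);
    return formatV4(a & mask) + " " + formatV4(~mask);  // wildcard = inverted netmask
}

// Address term for an IPv6 ACL entry: "any", "host A", or "prefix/length".
std::string iosAclAddrV6(const std::string &addr, int prefix_len) {
    in6_addr a{};
    if (inet_pton(AF_INET6, addr.c_str(), &a) != 1 || prefix_len < 0 || prefix_len > 128)
        throw std::invalid_argument("bad IPv6 address or prefix length");
    if (prefix_len == 0) return "any";
    if (prefix_len == 128) return "host " + addr;
    return addr + "/" + std::to_string(prefix_len);
}

int main() { std::cout << iosAclAddrV4("192.0.2.10", 32) << "\n" << iosAclAddrV6("2001:db8::1", 128) << "\n"; }
```

The addresses in main() are constructed documentation addresses; the IPv6 helper passes the prefix through as typed and does not zero its host bits.
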
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if
user selected some rules that belonged to a group and few other
rules that did not belong to any group at the same time and used
context menu to place all these rules in a new group, the GUI used
to crash.
bug #2666971 "fwb_ipt crashes when Address Range object in routing
rule". Policy compiler for iptables crashed if Address Range
object was used in "Destination" of a routing rule.
ProjectPanel.cpp (ProjectPanel::closeEvent): fixed bug #2656815
"Copy/paste does not work properly". Fixed Copy/Paste problem with
policy rules and crash reported in this bug report.
bug #2540389: "Routing Broken from 2.1 to 3.0.3". Generated script
preserved default route when it deleted route entries before
installing new ones. This was different compared to the behavior
of v2.1, where default was deleted together with other routing
entries. The reason for this change (made some time in summer of
2008) was that if user did not define default route in their
routing ruleset, the script would delete existing default without
installing new one, leaving firewall with no default route at all.
Now the script deletes default if there is new one to install and
preserves it otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
bugfix (bug was introduced in build 768). If user entered
alternative activation command in the "installer" tab of the
firewall object settings dialog, the program confused it with
destination directory and tried to execute incorrect command to
copy files to the firewall. This build (770) fixes this problem.
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can
now enter sudo password. There is no need to configure firewall
management account for password-less sudo access anymore.
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
fixed bug #2618772 ""test install" option does not work". If "test
install" checkbox was checked in the installer options dialog, the
program copied file to directory /etc/fw on the firewall but tried
to find it in /etc/fw/tmp to run.
* Management.cpp (Management::fromXML): (change in libfwbuilder):
fixed bug #2609796 "internal object Management does not accept
ipv6 address". Class Management should accept ipv6 address. The
problem was that if an interface of the firewall had only ipv6
address and was marked as "management" interface, saving such
configuration to .fwb file created broken data file that could not
be loaded back. The error was:
    The program encountered error trying to load data file.
    The file has not been loaded. Error:
    Exception: Invalid IP address: aaaa:bbbb:cccc::1
    XML element : Management
where aaaa:bbbb:cccc: is ipv6 address.
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is
on". Example: IPv6 policy, rule where fw object and internal
network are in source, destination is "any". If option "assume
firewall is part of any" was turned off and ipv6 forwarding was on
but ipv4 forwarding was off, this rule did not yield any iptables
commands in generated script.
* iosaclAdvancedDialog.cpp (iosaclAdvancedDialog::accept): fixed
bug #2597949 "GUI crash in IOS ACL "advanced" settings
dialog". GUI crashed upon clicking OK in the firewall settings dialog
for the IOS ACL firewall.
friendly Accept & Deny Icons". Accept and Deny icons were
indistinguishable for red-green colorblind people. New icons
incorporate standard symbolics for the "Accept" and "deny"
functions to make them sufficiently different besides the color.
* ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic
rules for filter table included twice in iptables". If user had
two policy ruleset objects marked as "top" rule set, then
automatic rules were added twice.
ipv6" which defines code for iptables, ipfw and IOS extended
access lists for IPv6.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
fixed behavior of policy compiler for ipfw which was broken in
rev714 - it should print protocol "tcp" when custom service object
that adds option "established" is used. This compiler worked like
that before attribute "protocol" was added to the CustomService
object.
* platforms.cpp (getReadableRuleElementName): code refactoring:
made it possible to translate ruleset table column
names ("Source", "Destination" etc.). Currently only Russian
translation is provided.
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::createQTWidgetItem):
fixed bug #2412334: "feature request: where used ->
directly". There has been a change in the "Where used" function in
v3.0 compared to the implementation in v2.1. New version showed
not only rule elements and groups that referred to the given
object, but also found all groups that referred to other groups
that referred to the given object. Such recursive action was not
always obvious to the user and was inconvenient when the function
was used to find all places where given object was used with the
goal to replace it with some other object. This fix reverts to the
old behavior where only direct usages are reported by the "Where
used" function. Elements of UI in this function have also been
cleaned up and further unified with confirmation dialog shown when
user tries to delete an object that is used in some groups and
rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
introduced when support for module iprange was added. Need
special check for AddressRange objects where start and end of
range addresses are equal.
* NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no
#): the GUI used to check ip address entered for the network
object whenever user switched focus from the address input widget
in the network object dialog to another widget or even a different
application to look up the address. This caused the program to
show error dialog if this happened when the address was
incomplete. This change makes the program verify the address only
when user clicks "Apply".
* FWWindowPrint.cpp (FWWindow::filePrint): fixed bug (no #): the
GUI crashed if user tried to use File/Print function when no
ruleset was opened in the right hand panel.
* printerStream.cpp (printerStream::printQTable): Applied patch by
Paul@Auroragrp.Com that fixes problems with printing long rule
sets. If rule set printout exceeded the length of the page, some
rules at the bottom were cut off and lost. The patch corrects the
problem by taking into account printer dpi while calculating
position for page breaks.
* RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile):
fixed bug (no #): routing compiler for pix refused to add more
than one routing rule with an error saying that other rules were
duplicates. Error was introduced in build 732.
* RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile):
Added support for generation of "ip route" commands for Cisco IOS.
Variant of Cisco IOS "ip route" command where gateway is the name
of one of the interfaces of the router is also supported. To get
this, put interface object in the "gateway" column of the routing
rule.
* pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column
"interface" only for platforms that require it. Currently IOS does
not require it, while other platforms for which routing commands
generation is supported require it (iptables and PIX).