rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
nat compiler for ipfilter work with interface column, however the
column is not exposed to the user. Compiler behavior should be
backwards compatible with older versions of fwbuilder.
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
