mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-23 03:37:15 +01:00

767 Commits

Author SHA1 Message Date
Vadim Kurland
0a329700ec ticket #2; renamed host os resource files; fixed dialog factory to get right dialog for ipcop 2009-05-10 06:27:07 +00:00
Vadim Kurland
9a1d02f1ee 2009-05-09 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): Now that we use the same platform name for
iptables on linux, ipcop, endian, oneshield and secuwall, there is
no need in policy/nat/routing compiler classes for ipcop.
2009-05-09 23:56:12 +00:00
Vadim Kurland
2276f0bfce 2009-05-09 vadim <vadim@vk.crocodile.org>
* platform/iptables.xml.in: Unified support for different iptables
appliances: configuration will require platform "iptables" and
host os that corresponds to the chosen appliance. This matches
support for Secuwall and is easier to maintain than separate
platform-os pairs for each appliance.
2009-05-09 23:04:23 +00:00
Vadim Kurland
6f6d9a0ef7 fixed broken host os in one of the test objects 2009-05-08 20:15:19 +00:00
Vadim Kurland
00d1562d36 merging -r887:HEAD from branch v3 2009-05-06 23:42:33 +00:00
Vadim Kurland
56db618e57 fixed bug 2785671; added verbose error messages to autogen.sh for when autoconf and libtool are missing 2009-05-02 19:24:25 +00:00
Vadim Kurland
c38c2a035a delete autoregenerated file qmake.inc 2009-05-02 17:45:31 +00:00
Vadim Kurland
a6d5f29c20 merging fixes for autogen.sh and deleted files config.sub and config.guess 2009-05-02 17:40:18 +00:00
Vadim Kurland
10a9b7ca92 if ccache is present on the build system, passing "QMAKE_CXX=ccache g++" via qwmake.inc file rather than command line 2009-05-02 05:16:00 +00:00
Vadim Kurland
9a6da3f204 merged r847 from branch v3 2009-05-01 16:09:56 +00:00
Vadim Kurland
a5c4bf5a81 merged r840 from branch v3 2009-04-29 19:27:56 +00:00
Vadim Kurland
468543cbf4 merge from branch v3 -r826:HEAD 2009-04-27 17:43:13 +00:00
Vadim Kurland
922a83d41e merged changes for r823 from v3 branch 2009-04-27 17:02:59 +00:00
Vadim Kurland
e59e06873e added test case for ip range 2009-04-24 15:14:45 +00:00
Vadim Kurland
fea4b8a892 2009-04-15 vadim <vadim@vk.crocodile.org>
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall appliances
(all based on linux/iptables). This sets generate file name to
"rc.firewall.local", destination directory on the firewall to
"/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall
restart".  Provided resource files for ipcop, endian and oneshield
platforms and os define default parameters, including path to
iptables and other command line tools. Generated script performs
minimal environment setting, because everything is supposed to be
set up by the appliance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chains
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. Prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell commands, not only iptables rules. Two new firewall
templates are provided: one for IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).

* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". Script generated by fwbuilder now
accepts standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running script with argument "stop" resets iptables
tables and chains and sets all to default policy DROP (beware!).
2009-04-15 19:32:34 +00:00
Vadim Kurland
f67eb645b8 branch v3.1 for Endian integration 2009-04-11 17:39:58 +00:00
Vadim Kurland
4f49df2ea4 2009-04-10 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
option broken for multiple policy sets". Compiler inserted
redundant line "echo COMMIT" to the iptables script if
iptables-restore was used and there were no rules in the mangle
table.
2009-04-11 00:53:50 +00:00
Vadim Kurland
1bf12d4f7c 2009-04-10 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively):
fixed bug #2744798 "dependency checking failed". In case when an
object was used in a group and group used in a rule of a firewall,
the program failed to properly update "last modified" attribute
of the firewall when the object was changed.
2009-04-10 22:44:00 +00:00
Vadim Kurland
1cb1984975 started v3.0.5 2009-04-10 04:50:53 +00:00
Vadim Kurland
896fbc723a pf example for ssh access to fw. per email support request 2009-04-09 23:05:27 +00:00
Vadim Kurland
df89f9c338 changelog record to mark merge into trunk 2009-04-08 17:22:35 +00:00
Vadim Kurland
416f9c499a v3.0.4 release 2009-03-29 17:45:34 +00:00
Vadim Kurland
f83a49d745 fixed bug 2712514 2009-03-26 04:07:26 +00:00
Vadim Kurland
c18f9a88da 2009-03-24 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309:
"Bug in gui/DialogData.cpp when not using mapping.". There was a
bug in DialogData.cpp that when setting the value of a combobox
and not using a mapping array the requested value would not be
selected. Applied patch provided by Tom Judge ( tomjudge )

* platforms.cpp (init_platforms): fixed bug #2710300 "Bug in
gui/platforms.cpp". There was a discrepancy between the list of
route-to options for PF and UI elements.
2009-03-25 04:43:16 +00:00
Vadim Kurland
9deae0598c 2009-03-24 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): more changes to add support for
externally-controlled policy rulesets for PF: if policy ruleset
name ends with "/*", the program assumes it is controlled by
external means and does not compile rules in it and does not
create .conf file from it.
2009-03-24 16:01:23 +00:00
Vadim Kurland
f6d1b5b38d 2009-03-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
2009-03-24 07:31:48 +00:00
Vadim Kurland
932b4d2d34 2009-03-23 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no #): compiler for pf added code
provided in the "prolog" section while option was set to "add
after table definitions" in the incorrect place.
2009-03-24 04:42:54 +00:00
Vadim Kurland
080ebcbada 2009-03-22 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2701593
"gui problem". Adding a rule to a policy with rule groups caused
weird rule display - a rule immediately above rule group header
would appear empty, with only "Source" showing.
2009-03-22 18:59:15 +00:00
Vadim Kurland
908af65de5 2009-03-19 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
temporary ACL blocks ICMPv6". Temporary ipv6 access list created
for the "safety net install" should permit icmp.
2009-03-19 14:42:35 +00:00
Vadim Kurland
4ac2dd549b * iosacl.cpp (safetyNetInstall): fixed bug (no #): when "safety
net install" option is used, temporary access list must be
generated only once even when firewall object has multiple
rulesets.



2009-03-19 05:03:02 +00:00
Vadim Kurland
0732f536ee 2009-03-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug (no #): temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.


* fwbedit: properly saving data file after "checktree" operation
2009-03-19 04:40:55 +00:00
Vadim Kurland
c673ffa635 fixed bugs 2689958 2689987 2689978 2009-03-17 16:24:54 +00:00
Vadim Kurland
db7b0961bf test case for iosacl using ccie4u router setup 2009-03-16 05:13:07 +00:00
Vadim Kurland
3ac34b8c2d 2009-03-12 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
few bugs (no #) in policy compiler for Cisco IPv6 ACLs:

  - The "extended" keyword is not supported by IOS for IPv6 ACLs

  - keyword "established" is only valid in combination with
protocol tcp. If standard CustomService objects "ESTABLISHED" and
"ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".

  - command to clear ipv6 access lists should be "no ipv6
access-list ipv6_management_in"

  - command to assign ipv6 acl to interface should be "ipv6
traffic-filter ipv6_acl in"
2009-03-13 05:04:54 +00:00
Vadim Kurland
163eef384d 2009-03-12 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): compiler for IOS ACL used not to ignore netmasks of
IPv4 and IPv6 objects and added them to the generated access list
with netmask wildcard bits 255.255.255.255 which was equivalent to
any.
2009-03-12 17:40:15 +00:00
Vadim Kurland
58f4b70da1 2009-03-11 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if
user selected some rules that belonged to a group and few other
rules that did not belong to any group at the same time and used
context menu to place all these rules in a new group, the GUI used
to crash.

2009-03-12 04:50:00 +00:00
Vadim Kurland
5ba52e2190 properly setting "r" flag in "phone home" http request when program is registered 2009-03-10 04:11:02 +00:00
Vadim Kurland
ca833ec502 * ProjectPanel.h (class ProjectPanel): code clean-up: removed
obsolete method getAddOnLibs()
2009-03-07 04:32:28 +00:00
Vadim Kurland
4a7bb54488 init2 returns int instead of bool so we can separate case when there is no license file from the case when the file exist but is invalid 2009-03-07 03:47:30 +00:00
Vadim Kurland
b089416403 * RoutingCompiler_ipt.cpp (addressRangesInDst::processNext): fixed
bug #2666971 "fwb_ipt crashes when Address Range object in routing
rule". Policy compiler for iptables crashed if Address Range
object was used in "Destination" of a routing rule.
2009-03-06 04:47:58 +00:00
Vadim Kurland
61052a9bdb * RuleSetView.cpp (RuleSetView::insertRule),
ProjectPanel.cpp (ProjectPanel::closeEvent): fixed bug #2656815
"Copy/paste does not work properly". Fixed Copy/Paste problem with
policy rules and crash reported in this bug report.
2009-03-05 16:14:41 +00:00
Vadim Kurland
12a8f653cf bug 2662290; properly reading registry key to determine Install_Dir in fwb-lm 2009-03-04 17:27:21 +00:00
Vadim Kurland
8bf0b719b3 script output redirection in the routing section 2009-03-03 05:26:43 +00:00
Vadim Kurland
0264476556 changelog record 2009-02-28 06:58:12 +00:00
Vadim Kurland
0ff42b7fff * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug #2540389: "Routing Broken from 2.1 to 3.0.3". Generated script
preserved default route when it deleted route entries before
installing new ones. This was different compared to the behavior
of the v2.1 where default was deleted together with other routing
entries. The reason for this change (made some time in summer of
2008) was that if user did not define default route in their
routing ruleset, the script would delete existing default without
installing new one, leaving firewall with no default route at all.
Now the script deletes default if there is new one to install and
preserves it otherwise.

* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
2009-02-28 06:55:33 +00:00
Vadim Kurland
31ef42f3a1 * FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
bugfix (bug was introduced in build 768). If user entered
alternative activation command in the "installer" tab of the
firewall object settings dialog, the program confused it with
destination directory and tried to execute incorrect command to
copy files to the firewall. This build (770) fixes this problem.
2009-02-21 23:06:50 +00:00
Vadim Kurland
0bf9408448 2009-02-21 vadim <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can
now enter sudo password. There is no need to configure firewall
management account for password-less sudo access anymore.
2009-02-21 22:42:38 +00:00
Vadim Kurland
bddc4c6726 2009-02-19 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
fixed bug #2618772 ""test install" option does not work". If "test
install" checkbox was checked in the installer options dialog, the
program copied file to directory /etc/fw on the firewall but tried
to find it in /etc/fw/tmp to run.
2009-02-20 06:49:12 +00:00
Vadim Kurland
6a0e4d9f58 2009-02-19 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fix bug
#2618686 "built-in installer can not handle ipv6 management
address". Built-in installer did not properly for scp and ssh
command like when it had to use IPv6 address to communicate with
firewall.
2009-02-20 05:10:52 +00:00
Vadim Kurland
b9e1cb9a64 fixed bug 2618686 2009-02-20 05:09:12 +00:00