When branching rule points to a rule set that has rules with Tag and
Classify options, branching should occur in mangle table even when
checkbox "create branch in mangle table" is not checked. The fix in
this change is tentative as it creates branch in chains PREROUTING,
POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in
POSTROUTING, this may create conflict. Need to test more.
type: network object that automatically matches subnets an
interface is attached to. The object can be a child of an
interface. The object is optional and is not created automatically
for all interfaces; user can add it using context menu associated
with an interface. Dialog for this object allows editing of the
name and comment. List of network addresses represented by this
object is always generated automatically. Compiler for PF
translates this object to "en0:network" construct that is
supported by PF. Compiler for iptables expands it to the list of
ipv4 and ipv6 networks defined by the addresses of the parent
interface if interface has static addresses. If interface is
confgiured as "dynamic" and has no address in fwbuilder, then
compiler treats AttachedNetworks object as run-time and uses shell
function to determine network addresses during activation of the
firewall script. Compilers for other firewall platforms always
treat this object as compile-time and abort if it is used with
dynamic interface.
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
;
change in other directories the dependent files don't get recompiled.
Fixed up INCLUDEPATH in various places.
Removed -pthread as an INCLUDEPATH (leads to bogus -I-pthread).
files from DTD v18 to DTD v19. This transformation finds
"PolicyRule" elements with missing "Itf" child elements and fixes
them by adding such element with a reference pointint to "any".
Fixes#2383
* fwbuilder.dtd.in: Element "Itf" (an interface) of "PolicyRule"
should be required. DTD version increment.
object is created in the middle of the "new firewall" wizard and
clicking Back creates two firewall objects". If user chose to
create new firewall object from a template and clicked Back after
choosing the template, the program actually created two firewall
objects but only one was visible in the tree.
actions per policy rule". Options "Tag", "Classify" and "Route"
work with iptables in a combination with any action. This
implementation has one restriction: option Route can not be used
in combination with options Tag or Classify and any action that is
not Continue. This is because option Route can yield rules in
PREROUTING or POSTROUTING chains that are also used by options Tag
and Classify. For this combination we create two user-defined
chains that perform routing and tagging (or classification). In
case of a terminating action both chains end with it. This means
if one matches the packet, the other is never going to see it.
Non-terminating action "Continue" does not create this problem.
This limitation may be removed in future versions of fwbuilder.
