Vadim Kurland
126b561e32
* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
2011-04-08 18:08:56 -07:00
Vadim Kurland
4d6302a4cc
* CompilerDriver_pix_run.cpp (pixNetworkZoneChecks): see SF bug
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
2011-04-07 11:05:46 -07:00
Vadim Kurland
0e3bf10cb9
see #2252 compilers for iosacl and pix automatically increment/decrement port range boundaries to make tcp/udp port ranges defined in tcp/udp service objects inclusive
2011-03-21 12:56:37 -07:00
Vadim Kurland
f46bd98736
updated unit test file
2011-03-13 00:06:35 -08:00
Vadim Kurland
0aa3eac4d4
* Compiler.cpp (expandGroupsInRuleElement): sorting objects in the
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
2011-03-12 19:50:24 -08:00
Vadim Kurland
72f75c8f9b
see #2220 AutomaticRules classes for iosacl, pix, procurve_acl
2011-03-12 16:13:17 -08:00
Vadim Kurland
fd5eb7d8ce
see #2220 AutomaticRules classes for ipt and pf
2011-03-12 15:52:09 -08:00
Vadim Kurland
fcd7c7920b
re-ran tests for pix
2011-03-12 15:13:57 -08:00
Vadim Kurland
247d4efd61
committing merge
2011-03-12 14:53:12 -08:00
Vadim Kurland
d3bf44b4d5
re-ran tests for pix
2011-03-12 14:44:47 -08:00
Vadim Kurland
1638eb4bd1
see #2207 finished fixes in all compilers to enforce changes per #2209 ; regression tests for all platforms pass
2011-03-11 12:22:11 -08:00
Vadim Kurland
db9584cab5
fixes #2214
2011-03-11 10:40:40 -08:00
Vadim Kurland
7ebdc6c238
see #2207 , #2209 , fixes #2213 all objects created by compilers are placed in persistent_objects library; CompilerDriver creates and manages persistent_objects lib; changes in libfwbuilder - an object can be a child of only one parent in the tree, method FWObject::add() enforces this and FWObject::findDuplicateLinks() can be used to find objects with multiple parents
2011-03-11 10:11:42 -08:00
Vadim Kurland
2fa922d8b2
re-ran tests for ipfw
2011-03-11 09:19:03 -08:00
Vadim Kurland
9b4edad92f
re-ran tests for ipf
2011-03-11 09:17:49 -08:00
Vadim Kurland
984a84ea2f
Merge branch 'development' of ssh://vc.netcitadel.com:2222/var/git/fwbuilder into development
2011-03-10 21:10:11 -08:00
Vadim Kurland
7986214d4d
re-ran pf tests and updated files
2011-03-10 21:09:54 -08:00
Vadim Kurland
a1111b83bd
* PolicyCompiler.cpp (checkForShadowing): see #2204 "Shadowing
detected for rule with action Continue". Policy rules with action
"Continue" should not shadow other rules and can not be shadowed.
2011-03-08 19:02:19 -08:00
Vadim Kurland
2717d09f7e
see #2170 checking combination of -i and -o interface and chain
2011-03-06 19:57:45 -08:00
Vadim Kurland
7e312722dc
added test case for a group of hosts with mac addresses in a nat rule (SF bug should be opened later); re-ran tests
2011-02-27 22:37:16 -08:00
Vadim Kurland
e84751e95c
see #2008 compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule)
2011-02-21 17:06:43 -08:00
Vadim Kurland
56f81407f1
fixes #2124 some error messages get multiplied when compiler splits rules
2011-02-20 21:32:58 -08:00
Vadim Kurland
2b342aa67d
see #2057 detection of loops in branching rules ; see #2124 some error messages appeared multiple times in generated script
2011-02-20 20:12:18 -08:00
Vadim Kurland
344010c873
see #1920 Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect
2011-02-20 18:11:16 -08:00
Vadim Kurland
e9e7f89cf2
see #1920 Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect
2011-02-20 18:03:21 -08:00
Vadim Kurland
37ab989922
see #1877 added test case for this
2011-02-20 17:45:46 -08:00
Vadim Kurland
f817ddfe24
see #133 test case for SF feature request 1954286
2011-02-20 17:34:36 -08:00
Vadim Kurland
6f5f1ac075
fixes #153 Deprecate Rule::getInterfaceStr() fixes #2123 deprecate rule processor convertInterfaceIdToStr
2011-02-20 17:27:24 -08:00
Vadim Kurland
926db9b942
see #153 deprecating getInterfaceStr: eliminated use of this function in policy compiler for PIX and IOS ACL
2011-02-20 16:11:29 -08:00
Vadim Kurland
c272997b6b
see #2098 support for interfaces in PIX/ASA NAT rules; see #153 deprecating Rule::getInterfaceStr()
2011-02-19 19:15:54 -08:00
Vadim Kurland
4136d63957
see #2098 support for interfaces in PIX/ASA NAT rules; see #153 deprecating Rule::getInterfaceStr()
2011-02-19 19:13:01 -08:00
Vadim Kurland
ccbe413c22
upgraded regression tests data files
2011-02-19 16:29:43 -08:00
Vadim Kurland
aea53d35eb
see #2116 "When CARP interface IP address can't be assigned error or warning should appear". Script should abort if command trying to add an ip address to an interface fails
2011-02-19 15:33:30 -08:00
Vadim Kurland
3a871d5f06
getting rid of sprintf where I can
2011-02-18 22:25:52 -08:00
Vadim Kurland
a8b65e6506
getting rid of sprintf where I can
2011-02-18 22:09:50 -08:00
Vadim Kurland
66681b9695
see #153 #133 got rid of getInterfaceStr and getInterfaceId in policy and nat compilers for PF
2011-02-18 18:54:21 -08:00
Vadim Kurland
2542b082f3
see #153 #2097 got rid of getInterfaceStr and getInterfaceId in policy and nat compilers for iptables
2011-02-18 18:48:16 -08:00
Vadim Kurland
faece9e40c
see #2097 more test cases with negation and vlan interfaces
2011-02-17 18:39:17 -08:00
Vadim Kurland
581ccdc68e
see #2097 #133 additional test cases
2011-02-17 18:01:45 -08:00
Vadim Kurland
6f30bc3446
* NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
2011-02-17 17:48:04 -08:00
Vadim Kurland
d0ae7bac01
* NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
2011-02-17 17:47:42 -08:00
Vadim Kurland
5162212073
see #2097 #133 : no need to replace cluster interfaces with member interfaces in NATCompiler_pf::AssignInterface::processNext() since it was already done in replaceClusterInterfaceInItfOutb
2011-02-17 15:36:28 -08:00
Vadim Kurland
cf17bb995c
see #2097 showing "interface" columns in iptables NAT rules
2011-02-17 15:27:37 -08:00
Vadim Kurland
fdb899bdd2
* NATCompiler_ipf.cpp (processNext): see #133 , fixes #2108 making
nat compiler for ipfilter work with interface column, however the
column is not exposed to the user. Compiler behavior should be
backwards compatible with older versions of fwbuilder.
2011-02-17 12:06:50 -08:00
Vadim Kurland
100dca74bb
* NATCompiler_pf.cpp (processNext): see #133 . Merged code from the
branch, running tests. Making sure rules that have firewall
object in ODst and interface column blank end up with rdr command
without "on interface" clause as before.
2011-02-17 11:50:14 -08:00
Vadim Kurland
8b158c0a74
* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): make
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
2011-02-16 16:23:54 -08:00
Vadim Kurland
8de52b3f06
fixes #2093 build failed because function QStringList::removeDuplicates() is only available in Qt 4.5
2011-02-16 15:49:02 -08:00
Vadim Kurland
1f8363c84e
* configlets/bsd/update_vlans: see #2105 : generated script now
supports vlan interfaces with names that do not match vlan IDs
(OpenBSD, FreeBSD, shell script format).
2011-02-16 15:22:47 -08:00
Vadim Kurland
f4858bfc83
fixes #2106 avoid adding pfsync_enable line if it is not needed in rc.conf format
2011-02-16 14:47:10 -08:00
Vadim Kurland
a58445ed16
see #1807 , #2104 arrange interface configuration commands in the
generated script in such order that bridge and carp interfaces
are configured after all other interfaces are done.
2011-02-16 14:42:06 -08:00