Compile/install wizard should disable "Next" button
after compile phase is done if all firewalls failed to compile
with no errors.
see #2061
Added a
bunch of common shell error messages to make sure the installer
recognizes them and marks the install as a failure even if ssh fails
to pass the termination code.
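The check described in this entry, as an added example that is not the fwbuilder installer's own code: the verdict on an install attempt is taken from the captured session output as well as from the exit status, so a lost termination code or a shell that keeps going after an error still yields a failure. The pattern list, the helper names and the two sample sessions are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the fwbuilder installer's own code: decide whether an
# install attempt failed from the captured session output, not only from the
# exit status that ssh may or may not have relayed. The pattern list is an
# assumption; extend it with whatever your target shells print.

# Common shell error messages, one per line, matched case-insensitively as
# fixed strings
FWB_SHELL_ERROR_PATTERNS='command not found
permission denied
no such file or directory
syntax error
read-only file system
operation not permitted
cannot execute
not a directory'

# True if a single output line contains any of the error messages
line_has_error() {
    old_ifs=$IFS
    IFS='
'
    for pat in $FWB_SHELL_ERROR_PATTERNS; do
        if printf '%s\n' "$1" | grep -qiF -- "$pat"; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print the first line of the captured output that looks like a shell error
first_error_line() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if line_has_error "$line"; then
            printf '%s\n' "$line"
            break
        fi
    done
}

# install_failed OUTPUT [EXIT_STATUS]: true if the install must be marked
# failed. EXIT_STATUS is empty when ssh did not pass the termination code.
install_failed() {
    out=$1
    rc=${2:-}
    if [ -n "$rc" ] && [ "$rc" -ne 0 ]; then
        return 0
    fi
    [ -n "$(first_error_line "$out")" ]
}

# Constructed sample sessions (not real installer logs). Note the second one
# still prints "Done" after the error and would pass a status-only check.
SAMPLE_OK='Activating firewall script generated by fwbuilder
Running prolog script
Verifying interfaces: eth0 eth1
Done'
SAMPLE_FAIL='Activating firewall script generated by fwbuilder
sh: /etc/fw/firewall.fw: Permission denied
Done'

# One-line verdict for the installer log: OK, or FAILED with the offending line
report() {
    if install_failed "$1" "$2"; then
        printf 'FAILED: %s\n' "$(first_error_line "$1")"
    else
        printf 'OK\n'
    fi
}
```

Run `report "$SAMPLE_FAIL" ""` to see the failure verdict for a session whose exit status was lost; the same output with an explicit status of 0 is still reported as failed, which is the whole point of scanning the text.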
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow the
prolog script to be placed after the policy reset if iptables-restore
is used to activate iptables rules. Also, the policy compiler for
iptables checks for this condition and aborts with an error
message if the prolog place is set to "after reset" but
iptables-restore is used to activate the policy. A configuration may
end up with this combination of options if the user set the prolog
place to "after reset" first and switched the activation method to
iptables-restore later.
* ipt.cpp (main): Now that we use the same platform name for
iptables on linux, ipcop, endian, oneshield and secuwall, there is
no need for separate policy/nat/routing compiler classes for ipcop.
* platform/iptables.xml.in: Unified support for different iptables
appliances: configuration will require platform "iptables" and
host os that corresponds to the chosen appliance. This matches
support for Secuwall and is easier to maintain than separate
platform-os pairs for each appliance.
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall appliances
(all based on linux/iptables). This sets the generated file name to
"rc.firewall.local", the destination directory on the firewall to
"/etc/rc.d/" and the activation command to "/etc/rc.d/rc.firewall
restart". Provided resource files for the ipcop, endian and oneshield
platforms and OS define default parameters, including the path to
iptables and other command line tools. The generated script performs
minimal environment setup, because everything is supposed to be
set up by the appliance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chains
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. The prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell command, not only iptables rules. Two new firewall
templates are provided: one for an IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).
* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". The script generated by fwbuilder now
accepts the standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running the script with the argument "stop" resets
iptables tables and chains and sets all to default policy DROP (beware!).
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
option broken for multiple policy sets". The compiler inserted a
redundant line "echo COMMIT" into the iptables script if
iptables-restore was used and there were no rules in the mangle
table.
* ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic
rules for filter table included twice in iptables". If the user had
two policy ruleset objects marked as "top" rule set, then the
automatic rules were added twice.
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
* iosacl.g (certificate): fixed bug #2334007: "Problem parsing
Cisco config". The parser now recognizes the IOS configuration lines
"certificate", "ip community-list" and "controller
... description". These lines are recognized and ignored; they
should not stop the parser from processing the rest of the
configuration.
* ipt.cpp (main): fixed bug #2378672: "fwb 3.0.2 build 676
iptables script is not executable". Generated .fw file should have
executable permissions.
broken for multiple policy sets". If the firewall was configured to
use iptables-restore to activate the policy and it had two or more
policy rule sets, the compiler used to put an "echo COMMIT" line at
the bottom of each ruleset. This was incorrect: iptables-restore
expects only one COMMIT line at the end of each table.
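The generated-script behaviour described across several entries above, combined in one added example that is not a script produced by fwbuilder: the "start"/"stop" arguments with no argument meaning "start" (FR #2454447), the prolog placed on top and allowed to hold arbitrary shell commands, a single COMMIT per table when iptables-restore activates the policy even with two policy rule sets and an empty mangle table (bug #2356131, this entry and the one above), and the compiler-side refusal of prolog "after reset" together with iptables-restore (bug #2820840). The tool paths, the DRY_RUN and FWB_RUN conventions, the variable names and the rule text are assumptions made for illustration; with DRY_RUN=1 (the default) the script prints the commands it would run instead of touching the kernel.

```shell
#!/bin/sh
# Added example, not a script generated by fwbuilder: a skeleton of an
# iptables activation script in the shape the changelog entries describe.
# Paths, variable names and the rule text are assumed for illustration.

IPTABLES=${IPTABLES:-/sbin/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands instead of executing them

# Settings the compiler would bake into the script
ACTIVATION_METHOD=${ACTIVATION_METHOD:-iptables-restore}   # or "iptables"
PROLOG_PLACE=${PROLOG_PLACE:-top}                          # or "after_reset"

# Constructed rule sets: two policy rule sets for the filter table, one NAT
# rule, and an empty mangle table (the case behind bug #2356131)
POLICY_SET_1='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
POLICY_SET_2='-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -j DROP'
NAT_RULES='-A POSTROUTING -o eth1 -j MASQUERADE'
MANGLE_RULES=''

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The compiler-side check from bug #2820840: prolog "after reset" cannot be
# combined with iptables-restore activation
check_prolog_place() {
    if [ "$1" = iptables-restore ] && [ "$2" = after_reset ]; then
        echo "error: prolog place 'after reset' is incompatible with iptables-restore" >&2
        return 1
    fi
    return 0
}

# One table block: header, the rules of every rule set, exactly one COMMIT.
# Several policy rule sets share a single filter table block.
emit_table() {
    table=$1; shift
    printf '*%s\n' "$table"
    for ruleset in "$@"; do
        [ -n "$ruleset" ] && printf '%s\n' "$ruleset"
    done
    printf 'COMMIT\n'
}

build_restore_input() {
    emit_table filter "$POLICY_SET_1" "$POLICY_SET_2"
    emit_table nat "$NAT_RULES"
    emit_table mangle "$MANGLE_RULES"
}

# Sanity check on iptables-restore input read from stdin: every table header
# is followed by exactly one COMMIT before the next header
restore_input_consistent() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { exit (bad || open) ? 1 : 0 }
    '
}

# User-defined prolog: always placed on top of what fwbuilder generates and
# may contain any shell command, not only iptables rules
prolog() {
    run sysctl -w net.ipv4.ip_forward=1
}

start() {
    check_prolog_place "$ACTIVATION_METHOD" "$PROLOG_PLACE" || return 1
    prolog
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s <<EOF\n' "$IPTABLES_RESTORE"; build_restore_input; printf 'EOF\n'
    else
        build_restore_input | "$IPTABLES_RESTORE"
    fi
}

# "stop": flush and delete everything, then default policy DROP on the
# built-in filter chains. As the entry warns, this blocks all traffic,
# including the ssh session that ran it.
stop() {
    for table in filter nat mangle; do
        run "$IPTABLES" -t "$table" -F
        run "$IPTABLES" -t "$table" -X
    done
    for chain in INPUT OUTPUT FORWARD; do
        run "$IPTABLES" -P "$chain" DROP
    done
}

main() {
    case "${1:-start}" in        # no argument behaves like "start"
        start) start ;;
        stop)  stop ;;
        *)     echo "usage: $0 {start|stop}" >&2; return 2 ;;
    esac
}

# Dispatch only when FWB_RUN is set, so the functions can also be sourced
if [ -n "${FWB_RUN:-}" ]; then main "$@"; fi
```

`FWB_RUN=1 sh firewall.fw stop` prints the reset sequence; `FWB_RUN=1 sh firewall.fw` (no argument) prints the prolog command followed by the iptables-restore input, which `restore_input_consistent` accepts because each of the three tables carries exactly one COMMIT. Setting PROLOG_PLACE=after_reset makes "start" abort before anything is emitted, which is the compiler behaviour the bug #2820840 entry describes.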
avoid implicit conversion to "\r\n" on Windows (the generated script
is for iptables, which can only run on Linux, so it is safe to use
"\n" instead of endl).