nat compiler for ipfilter work with interface column, however the
column is not exposed to the user. Compiler behavior should be
backwards compatible with older versions of fwbuilder.
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
of the change in the nat and rdr rules syntax in 4.7, I can no
longer implement no-nat rules correctly for this version. They
dropped the "no" keyword and their examples suggest using "pass"
to implement exclusions for the nat rules. I need no-nat rule to
just not translate but not make a decision whether the packet
should be passed or dropped. In the new PF model, translation
rules are just options on the matching policy rules and they do
not offer any keyword or option to not translate.
nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes#1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
#2889579: "fwb_pf crash when unnumbered interface is used in nat
rule". Compiler for PF crashed when unnumbered interface was used
in TSrc element of a NAT rule.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
chaning sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.
