* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
broken for multiple policy sets". If firewall was configured to
use iptables-restore to activate policy and if it had two or more
policy rule sets, compiler used to put "echo COMMIT" line at the
bottom of each ruleset. This was incorrect, iptables-restore
expects only one COMMIT line at the end of each table.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug #2318639: "bug in logging (rule number)". Added logging prefix
macro %R that gets expanded to the ruleset name. This can be
useful in logging prefixes for rules in branch rulesets.
;
bug #2186568 "Again User service - group/negate". Support for
groups of user service with negation. Now have a framework to keep
track of chain "descendants", so that compiler can tell if some
chain can be traced back to INPUT or OUTPUT through the sequence
of chains calling each other.
system colors for text boxes". Some dialogs would not properly
pick up KDE theme. This was especially visible if theme used dark
background colors and white font, in which case many input fields
in dialogs would use white text on white background.
* PolicyCompiler_ipt.cpp (separateUserServices::processNext):
fixed bug #2186568 "Again User service - group/negate". Compiler
for iptables did not support groups and negation of the
UserService objects.
algorithm used to decide which interfaces of the host or firewall
object to use in a rule when this host or firewall object is found
in source or destination.
fixed bug #2180556: "broken support for the "old" time module for
iptables". Compiler generated incorrect parameters for the "time"
module for versions <1.4.0
bug (no #): policy compiler for iptables did not handle correctly
rules where a host that has multiple addresses was a single object
in a rule element and had negation.
* NATCompiler_ipt.cpp (singleObjectNegation::processNext): added
support for single object negation in OSrc and ODst in NAT rules.
This provides for more compact iptables script in the often used
case where single object is used with negation in these elements
of a NAT rule. Other improvements in handling NAT rules with
negation.
bug (no #): policy compiler for iptables would crash with
assertion when AddressTable or DNSName object was used in a rule
in pure mangle table ruleset. This can be related to crash
reported in bug #2157121.
bug #2141911: "no ULOG for ip6tables". ULOG target has not been
implemented for ip6tables yet, so the compiler should fall back to
LOG target while compiling ipv6 policy.
