* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
support for failover configurations for PIX.
- Interfaces of member firewalls used for failover configuration
should be marked as "Dedicated failover" interfaces. They should
have normal IP addresses. These interfaces will be used to
generate "failover" commands in the PIX configuration.
- Cluster should have interface with the same name as failover
interfaces of the members, with protocol set to "PIX failover" and
members configured as usual. This interface has no ip address.
- Other interfaces of the cluster have the same name as
corresponding interfaces of the member firewalls, protocol "None"
and failover groups that define members as usual. These cluster
interfaces also have no ip address.
- Cluster state synchronization group uses protocol "PIX state
synchrnization" and its members should be configured as usual.
Use failover interfaces of the members as members of the state
sync group.
* Interface.cpp: Added attribute "dedicated_failover" to the
Interface object. Interfaces with this attribute are treated like
other "unprotected" interfaces, that is they are not used to
attach ACLs to and not used in rules. Dedicated failover
interfaces have special meaning in PIX configurations and are used
to describe interfaces used for LAN failover.
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes#455
does not support IP options matching, compiler issues warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
* NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext):
Implemented feature request #2829661: "SNAT instead of MASQUERADE
on dynamic interfaces". NAT rule options dialog now has a checkbox
that makes compiler use SNAT target instead of MASQUERADING when
checked when TSrc has dynamic interface. Apparently MASQ target
has problems when iptables NAT is used in combination with policy
routing. Using SNAT with a variable that gets interface address
solves the problem. By default this option is off, that is
compiler uses MASQUERADE target when TSrc has dynamic interface.
Fixes#560
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for PF configuration parameter "set state-policy"
which can have values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If empty list item is selected, command "set state-policy"
is not added to the generated .conf file at all. Fixes#423
* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule optiopns and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name Xml
attribute used to hold the value of "module state" option was
entered incorrectly in the dialog.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
2009-07-11 vadim <vadim@vk.crocodile.org>
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
implemented feature request #1778536: "IOSACL - remark command".
This adds support for the "remark" command in generated IOS
ACL configuration. Controlled by the checkbox "Add ACL remarks"
in the "Script" tab of the firewall object settings dialog.
