* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses a configlet. Fixes#883
* src/res/configlets/linux24/automatic_rules: The generated script
can now include automatic rules to match IPv6 neighbor discovery
ICMP6 packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes#878
* PrefsDialog.cpp (PrefsDialog::accept): Added a place in the
global Preferences dialog for options specific to different
object types. The first such options are for DNSName and
AddressTable objects and let the user decide whether newly created
objects of these types should be automatically configured in
"Compile Time" or "Run Time" mode. Also added an option that makes
the DNSName object editor copy the name of the object into the DNS
record input field when a new object is created or whenever the
name changes. This is useful when the user does not want the
object name and the DNS record to differ, because they then need
to enter the name only once.
* DNSNameDialog.cpp (DNSNameDialog::applyChanges): If global
Preferences option "Use DNS Name object name for the DNS record"
is turned on, copy the name into the record on every name change.
Fixes#866
* GroupObjectDialog.cpp (GroupObjectDialog::newObject):
Implemented feature request #2245537 "Add service object to
service groups directly from groups". The group object dialog now
has a button that shows a menu when clicked; this menu allows the
user to create a new object and add it to the group in one
operation. This fixes#119
* ObjectManipulator::addNewObjectMenuItem: Redesigned the methods
used to build the "new object" menu and to call the functions that
create new objects, so that menus with limited sets of new object
types can be built. Fixes#850
* ../src/gui/FWBTree.h (class FWBTree): added methods
getTranslatableObjectTypeName and getTranslatableNewObjectMenuText
that return translatable strings for the given object type name.
The wizard dialog now offers a new page where the user can change
IP addresses of the interfaces of the template. The user can change
the name, label, address, netmask, MAC address and type
(regular/dynamic) of each interface, as well as add and delete
interfaces. The program then creates interface objects with the new
parameters and updates policy and NAT rules of the template. It
creates new Network and NetworkIPv6 objects using the new addresses
and replaces references to network objects that match the old
addresses with references to these new objects in rules and groups.
This eliminates the need for a manual search and replace to make a
firewall object created from a template match the actual user
network configuration. Fixes#613
* ObjectManipulator.cpp (ObjectManipulator::libChanged):
Experimental change in the GUI, new feature: the program no longer
switches the object in the editor on a single click in the tree.
The user should double click the object in the tree or use the
context menu item "Edit" to open the object in the editor. The
user can select a different object in the tree or switch to
another library while the editor has unsaved changes. This helps,
for example, when they need to populate a large object group and
need to switch between libraries to find objects. Switching to
another library or accidentally clicking on a wrong object in the
tree does not cause the editor to switch.
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
support for failover configurations for PIX.
- Interfaces of member firewalls used for failover configuration
should be marked as "Dedicated failover" interfaces. They should
have normal IP addresses. These interfaces are used to
generate "failover" commands in the PIX configuration.
- The cluster should have an interface with the same name as the
failover interfaces of the members, with protocol set to "PIX
failover" and members configured as usual. This interface has no
IP address.
- Other interfaces of the cluster have the same names as the
corresponding interfaces of the member firewalls, protocol "None"
and failover groups that define members as usual. These cluster
interfaces also have no IP address.
- The cluster state synchronization group uses protocol "PIX state
synchronization" and its members should be configured as usual.
Use the failover interfaces of the members as members of the state
sync group.
* Interface.cpp: Added attribute "dedicated_failover" to the
Interface object. Interfaces with this attribute are treated like
other "unprotected" interfaces, that is, they are not used to
attach ACLs to and are not used in rules. Dedicated failover
interfaces have special meaning in PIX configurations and are used
to describe interfaces used for LAN failover.
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses the extended ACL option "match-all",
which supports a list of TCP flags that should be set and cleared.
This requires IOS v12.4 or later, even though Cisco documentation
seems to indicate this option was introduced in 12.3(4)T. Fixes#455
does not support IP options matching; the compiler issues a warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
Sveasoft (busybox) does not like empty shell functions and fails
with the error "36: Syntax error: "}" unexpected". The generated
script now calls /bin/true as a placeholder, so that if other
commands are added to the function body during template expansion,
they are executed after /bin/true and their return code is
preserved. If no commands are added, the function body is still
not empty and the function returns success.
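An added illustration of the placeholder trick (not fwbuilder's configlet code; function names are assumed): the generator always opens the function body with /bin/true, and running the result through /bin/sh shows that an empty body is rejected as a syntax error while commands appended after the placeholder keep their exit status.

```python
import subprocess

PLACEHOLDER = "/bin/true"


def emit_shell_function(name, commands=(), placeholder=True):
    """Render a shell function the way a configlet expansion would.

    With placeholder=True the body always starts with /bin/true, so it is
    never empty; commands added during expansion follow it, and the
    function's exit status is that of the last command in the body.
    placeholder=False reproduces the empty-body form busybox rejects.
    """
    body = [PLACEHOLDER] if placeholder else []
    body += list(commands)
    lines = [f"{name}() {{"] + [f"    {cmd}" for cmd in body] + ["}"]
    return "\n".join(lines) + "\n"


def exit_status(script, name):
    """Define the function in /bin/sh, call it and return the exit status.

    A body the shell rejects as a syntax error yields a non-zero status
    before the function is ever called (busybox ash, dash and bash all
    refuse an empty `{ }` body).
    """
    proc = subprocess.run(["sh", "-c", script + f"{name}\n"],
                          capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    # The placeholder-only function prints nothing and returns 0; the
    # appended `false` makes the same function return 1.
    print(emit_shell_function("check_tools"))
    print(exit_status(emit_shell_function("check_tools"), "check_tools"))
    print(exit_status(emit_shell_function("check_tools", ["false"]),
                      "check_tools"))
```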
#2889579: "fwb_pf crash when unnumbered interface is used in nat
rule". The compiler for PF crashed when an unnumbered interface was
used in the TSrc element of a NAT rule.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): Fixed
bug #2892100: "'Old broadcast' object produces 0/0 in iptables
script". The bug triggered when the iptables version was set to
1.3.x or later. The "Old broadcast" object is defined as an
AddressRange with 0.0.0.0 as both the start and the end address of
the range. The generated script should contain "0.0.0.0", but the
compiler used "0/0" instead.
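Why this matters, as an added example that is not fwbuilder's code: a one-address range must render as a host match, because "0/0" is iptables shorthand for 0.0.0.0/0 and matches every address. The range-to-match logic below is an illustration (it assumes iptables 1.3 and later get the iprange match and older versions get the range split into CIDR blocks); the shorthand expander lets you check how much address space a generated match covers.

```python
import ipaddress


def iptables_src_matches(start, end, iptables_version=(1, 3, 0)):
    """Return the source-match fragments (one per generated rule) for an
    AddressRange start..end. Assumed rendering rules, not fwbuilder's."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s > e:
        raise ValueError("range start is after range end")
    if s == e:
        # A one-address range is a host match. For 0.0.0.0 this must stay
        # "0.0.0.0" (same as 0.0.0.0/32); "0/0" would match every address.
        return [f"-s {s}"]
    if iptables_version >= (1, 3, 0):
        return [f"-m iprange --src-range {s}-{e}"]
    # Older iptables without iprange: expand into minimal CIDR blocks,
    # one rule per block.
    return [f"-s {net.with_prefixlen}"
            for net in ipaddress.summarize_address_range(s, e)]


def iptables_to_network(spec):
    """Expand iptables address shorthand ("0/0", "10/8", "0.0.0.0") into
    an IPv4Network so the reach of a match can be checked."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def matches_everything(match):
    """True when a '-s X' fragment covers all of IPv4, the symptom of
    bug #2892100 (a rule meant for one address matching any source)."""
    if not match.startswith("-s "):
        return False
    return iptables_to_network(match[3:]).num_addresses == 2 ** 32
```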
* NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext):
Implemented feature request #2829661: "SNAT instead of MASQUERADE
on dynamic interfaces". The NAT rule options dialog now has a
checkbox that, when checked, makes the compiler use the SNAT target
instead of MASQUERADE when TSrc has a dynamic interface. Apparently
the MASQUERADE target has problems when iptables NAT is used in
combination with policy routing. Using SNAT with a variable that
holds the interface address solves the problem. By default this
option is off, that is, the compiler uses the MASQUERADE target
when TSrc has a dynamic interface. Fixes#560
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::prolog): Fixed bug
#2792847 (SourceForge) "can't turn off "part of any" for a rule if
default is on". There was no way to turn off the option "Assume
firewall is part of any" for just one rule when it was ON
globally. Now this attribute is presented as a tri-state control
in the rule options dialog, with options "Follow global setting",
"On" and "Off", so the option can be turned on and off in
individual rules regardless of the global setting. The default is
"follow global". The old "Off" maps to the new "follow global" and
the old "On" maps to the new "On". Fixes#559.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printInterface): New
feature: optimization in the compiler for PF. Rules that have
several interface objects (or a group) in the "Interface" column
are compiled using "{ }" grouping to produce only one configuration
line instead of several for such a rule. Fixes#76
* PolicyCompiler_pf.cpp (SpecialServices::processNext): The
compiler for PF generates the "allow-opts" keyword when the
IPService object used in the rule has IP options. This includes
the new option "router-alert". Fixes#503
* IPServiceDialog.cpp (IPServiceDialog::applyChanges): Added GUI
elements to support the IP option "router-alert", which is now
available as an attribute of the IPService object. Fixes#502
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for the PF configuration parameter "set state-policy",
which can have the values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If the empty list item is selected, the command "set
state-policy" is not added to the generated .conf file at all.
Fixes#423
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
New feature: password caching. The built-in installer can remember
the firewall password (and the enable password for Ciscos) for the
duration of the session. Passwords are never stored permanently
in any form, encrypted or plain text. The user needs to enter the
password once when they activate the generated policy. If they
keep the program open and need to modify and activate the policy
again, the password fields in the installer dialog can be filled
automatically. The feature is optional and is off by default.
Cached passwords are associated with the firewall object and the
account name used to activate the policy. Implemented by
a2k@codeminders.com
* RuleSetView.cpp (RuleSetView::itemDoubleClicked): Fixes#545.
Change in the GUI behavior: neither a left nor a right mouse click
on an object in rules selects it in the tree any more. If the user
wants to open it in the tree, they can use the context menu item
"Reveal in the tree" or double click the object. This solves the
following inconvenient behavior (quoting from email):
1) anytime I copy something and then right click to paste into a
policy or nat it immediately changes the tree to the location of
the object under the cursor which is usually to the standard
library on any and then I have to change it back to the user
library.
2) if I want to compile a rule, unless I am careful and right
click on the rule number instead of any field in the rule to
select compile it moves the tree to whatever is under the cursor.
* src/res/configlets/linux24/conntrack: Implemented support for
conntrack performance tuning parameters and the tcp window tracking
option. Parameters CONNTRACK_MAX and HASHSIZE are described at
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt. The
conntrack_tcp_be_liberal option is described at
http://conntrack-tools.netfilter.org/manual.html . Parameters can
be set in the host OS dialog for Linux (added new tab
"conntrack"). Commands that will be added to the generated script
come from the new configlet "conntrack". Commands are different
for iptables versions <1.4.0 and >=1.4.0. The user can customize
the commands by substituting the configlet if necessary. Fixes#198,
#511.
fixed bug #2874571: "ipfilter version 3.4.29 issues after
introduction of 282860". Optimizations added for PF broke rule
generation for ipfilter, which does not allow a rule without an
explicit direction specification.
#2872365: "problem with group names containing comma". The state of
a rule group with a comma in the name could not be saved in the
program settings, and the group could not be expanded once it had
been collapsed.
fixed bug #2870562: "custom service - protocol name
options". Added protocol "ipv6-icmp" to the list of predefined
protocols in the CustomService object and fixed the dialog to make
it properly save the protocol name entered by the user (the widget
where the user chooses the protocol name also supports editing, so
the user can enter any protocol name not offered in the list of
standard protocols).
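An added illustration (not fwbuilder's printer code; the platform tags and function names are assumed) of the two grammars behind the PF "{ }" interface grouping entry above and this ipfilter regression: PF accepts an interface list in braces and treats the direction keyword as optional, while ipfilter has no brace lists and requires "in" or "out" on every rule, so a direction-less rule must be expanded rather than emitted in the PF form.

```python
def pf_interface_spec(interfaces):
    """PF: several interfaces (or a group) become one { } list, so the
    rule needs only one pf.conf line."""
    if len(interfaces) == 1:
        return interfaces[0]
    return "{ " + " ".join(interfaces) + " }"


def print_rule(platform, action, interfaces, direction=None,
               src="any", dst="any"):
    """Return the configuration lines for one rule on the given platform.

    "pf":  direction is optional (omitted means both directions) and the
           interface column collapses into a { } list.
    "ipf": ipfilter needs an explicit "in" or "out" and has no { } lists,
           so a direction-less rule expands to an in and an out line per
           interface. Emitting the PF form here is the bug #2874571
           regression: ipfilter rejects a rule without a direction.
    """
    if platform == "pf":
        parts = [action]
        if direction:
            parts.append(direction)
        parts += ["on", pf_interface_spec(interfaces),
                  "from", src, "to", dst]
        return [" ".join(parts)]
    if platform == "ipf":
        directions = [direction] if direction else ["in", "out"]
        return [f"{action} {d} on {iface} from {src} to {dst}"
                for iface in interfaces for d in directions]
    raise ValueError(f"unknown platform {platform!r}")
```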
* debugDialog.cpp (debugDialog::debugDialog),
DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): Reversing the
change made in 3.0.7 in the debug and discovery druid windows. The
change was intended to make the window title bar show a "close"
button on Mac OS X. Unfortunately, this caused the title bar to
disappear altogether on Linux under some window managers. Modal
Qt dialogs do not have title bar buttons on Mac OS X, but since
they always have "OK", "Finish", "Close" or "Cancel" buttons as
part of the dialog contents, the absence of the "close" button in
the title bar is not critical.
2009-10-07 vadim <vadim@vk.crocodile.org>
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::itemClicked): The
"find where used" panel selects the object in the tree or in rules
on a single click in the list of results. To open the object in the
editor, the user needs to switch to the editor tab in the bottom
docked panel.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
Added support for heartbeat over unicast. The protocol options
dialog for heartbeat offers a checkbox "Use unicast" (off by
default; when checked, the address input field for the multicast
heartbeat address becomes disabled). When the checkbox is checked,
the compiler automatically adds rules to permit unicast heartbeat
health checks between the addresses of interfaces which are members
of the failover group.