service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes#1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
configuation.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux
bridge interfaces may have names with a "-" such as
"br-lan". We will now permit a "-" in Linux interface names.
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI.
config will compile without interface in Routing rule". Policy
compiler for PIX now checks that both "interface" and "gateway"
rule elements are not empty.
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
"iptables redirecting NAT rules in the OUTPUT chain". This fix
makes it possible to create iptables NAT rule with target REDIRECT
in the OUTPUT chain. The rule should have firewall object in OSrc
and TDst rule elements.
fixed#1690 "IOS ACL and Procurve ACL compilers fail because
interfaces are not assumed to have network zone "any" anymore".
Compilers for Cisco IOS ACL and Procurve ACL always assumed all
interfaces have network zone "any". Recent changes made in 4.1.0
changed that and compilers stopped working for some rule configurations.
* (PolicyCompiler_cisco::createACLObject): fixed#1688 "Procurve
ACL remarks should be in quotes if they include space"
only firewall resets ipv4 stack" only reset ipv4 iptables when there are some ip4 rules; also added action block to usage string of the generated iptables script
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions ofiptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
fixed#1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 muticast ff00::/8 in destination did not produce correspondign
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
restored function of the "comment the code" in the "Script
options" of the firewall settings dialog for Cisco IOS ACL and
ProCurve ACL. When this checkbox is off, comments are not
added to generated script.
support some popular iptables modules". Added support for module
"recent" and rules that match standard ip/icmp/udp/tcp protocols
and at the same time module "mark", "length", "limit" or "recent".
Rules like these are translated into a combination of a branching
rule and additional rule in a branch rule set that implements
module match.
