QProcess::waitForFinished() instead of just sleep() after we send
TERM signal to the background process. Also let Qt process events
to update the GUI while waiting.
* instDialog_installer.cpp (instDialog::stopInstall): fixed#1428
button "Stop" in the installer dialog does not stop installer
process
fixes#1417 rule shadowing detection should recognize different rule options.
Policy compiler for iptables takes into account rule options for modules
limit, connlimit and hashlimit when it considers rules for rule shadowing.
fixed#1415 "action branch that creates branch in mangle table
should branch in FORWARD chain". Rule with "any" in src and dst
and action Branch with option "branch in mangle table" will go
into FORWARD chain in addition to the PREROUTING and POSTROUTING
chains as before. Note that choice of PREROUTING or POSTROUTING
chains depends on direction.
nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes#1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
fixed#1379 "Should be able to build routing rules with interface
as gateway for IOS". Routing rules for IOS now have column
"Interface". Rules can be built either with explicit address of
the gateway or interface.
some flags for the "non-default" rule options for PF"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixed#1364 "add synproxy and other missing pf rule options to the
rule options tooltip"
fixed time format for the iptables parameters --datestart,
--datestop which is supposed to be ISO 8601 "T" notation but
apparently with no support for time zone designators. Timezone
desginators are an error in iptables 1.4.1.1 and 1.4.5, did not
test newer versions. Fixes#1286 SourceForge bug #2961532
rules". Fixes this and several other problems with policy and nat
rules that use cluster inetrfaces with dynamic addresses.
PolicyCompiler_ipt.cpp
NATCompiler_ipt.cpp
fixes#1234 When failover group object is used in the rule, rule
gets placed in FORWARD chain. Working implementation follows these
rules: 1) if cluster interface obejct is used in the rule, it is
expanded to the set of addresses including cluster virtual IP
address and all addresses of the corresponding member firewall
interface; 2) Failover Group is treated as any regular object
group. Expanding Failover group to the address of its
parent (cluster interface) would work but seems counter-intuitive
fixes#1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
New feature: generated script adds and removes CARP interfaces
incrementally. This means it is not going to run ifconfig command
to create carp interface if it is already there and will run
"ifconfig carp1 destroy" command if interface carp1 has been
removed in fwbuilder GUI to delete it on the firewall.
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When user adds or removes VLAN subinterface in fwbuilder
GUI, geenrated script executes appropriate ifconfig commands to
add or remove corresponding vlan pseudo-interface on the firewall
machine.
fixes#1210 "syntax error in PF rule - "modulate state" is
required". Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy"if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
fixes#1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
"compiler/GUI crash compiling cluster NAT rule when cluster and
members have dynamic interface". It should be possible to have
cluster interface that is mapped to dynamic interfaces of the
member firewalls and then use this interface or whole cluster
object in rules. Compiler should expand cluster object and replace
it with its interfaces and corresponding interfaces of the member
firewall and then correctly handle dynamic ones.
