support for NAT MASQUERADE source port randomization. This adds
support for the "--random" option for SNAT, DNAT and MASQUERADE
targets in iptables NAT rules. User needs to turn on the checkbox
that adds this option in NAT rules again
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
fixes#1123, #1124
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
fixes#1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be
configured with interfaces of member firewalls.
fixes#1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask
inside" commands for the same rule that permits ssh to the firewall.
"fwb_pix uses wrong interface compiling the second cluster
member". NAT compiler for PIX failed to find interface with
correct network zone if interface was a child of another
interface, e.g. vlan subinterface.
#1115: "fwb_pix crash compiling cluster NAT rule set with
interface in TSrc". A cluster interface was used in the TSrc rule
element of a NAT rule. Cluster interfaces of PIX cluster have no
ip addresses of their own (PIX HA pair uses ip addresses of the
master unit), this caused rule element to become empty after
interface object was supposed to be replaced with its ip address.
fixes#1115
fixes#1108: fwb_pix: incorrect access list is generated for
"static". When a firewall or host object with an interface that
was configured with netmask that was not
255.255.255.255 (i.e. configured correctly) was used in TDst of a
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the inetrface.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
fixes#1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable
objects in the same rule element (source or destination) were
converted to the shell script that read addresses from the address
table files, plus wrong iptables command that matched any to any.
This change removes this extra command.
fixes#1084 "if all user turns off all interface management and
configuration checkboxes, the check_tools shell function is not
added to the script but still called". Shell function
"check_tools" verifies that system tools iptables script needs to
operate properly are installed on the firewall. These are: ip,
modprobe and optionally vconfig, brctl, ifenslave. The bug made
compiler for iptables to add the call to the function but function
definition was missing if user unchecked all "configure
interfaces" checkboxes in the Script tab of firewall object
settings dialog.
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
#1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use
interface only if it has addresses that match address family we
compile for.
fixes#1064
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes#993
* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes#883
* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes#878
