* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
periodically "pings" the other end to keep ssh session alive. This
helps recreate state in the firewall state table if it is cleared
when rules are reloaded, which in turn prevents installer from
hanging.
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2407141
"label markers". Color label text set in Preferences was not used
in the contet menus where user can actually apply those colors to
rules.
broken for multiple policy sets". If firewall was configured to
use iptables-restore to activate policy and if it had two or more
policy rule sets, compiler used to put "echo COMMIT" line at the
bottom of each ruleset. This was incorrect, iptables-restore
expects only one COMMIT line at the end of each table.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug #2318639: "bug in logging (rule number)". Added logging prefix
macro %R that gets expanded to the ruleset name. This can be
useful in logging prefixes for rules in branch rulesets.
;
* ObjectManipulator.cpp (ObjectManipulator::duplicateObject): fix
bug #2303486: "Operation of duplicating firewall should switch
policy". When firewall object is duplicated, the GUI should
automatically open policy of the new object rather than keep
policy of the original open. At the same time, reset lastModified,
lastCompiled, lastInstalled of the new firewall instead of keeping
copies from the original.
* instDialog.cpp (instDialog::testFirewall): Check to make sure
paths to ssh and scp utilities are properly configured in
Preferences before running install. Show aprropriate error dialog
to the user if path to ssh or scp is not configured.
bug #2186568 "Again User service - group/negate". Support for
groups of user service with negation. Now have a framework to keep
track of chain "descendants", so that compiler can tell if some
chain can be traced back to INPUT or OUTPUT through the sequence
of chains calling each other.
system colors for text boxes". Some dialogs would not properly
pick up KDE theme. This was especially visible if theme used dark
background colors and white font, in which case many input fields
in dialogs would use white text on white background.
* PolicyCompiler_ipt.cpp (separateUserServices::processNext):
fixed bug #2186568 "Again User service - group/negate". Compiler
for iptables did not support groups and negation of the
UserService objects.
algorithm used to decide which interfaces of the host or firewall
object to use in a rule when this host or firewall object is found
in source or destination.
fixed bug #2180556: "broken support for the "old" time module for
iptables". Compiler generated incorrect parameters for the "time"
module for versions <1.4.0
bug (no #): policy compiler for iptables did not handle correctly
rules where a host that has multiple addresses was a single object
in a rule element and had negation.
* NATCompiler_ipt.cpp (singleObjectNegation::processNext): added
support for single object negation in OSrc and ODst in NAT rules.
This provides for more compact iptables script in the often used
case where single object is used with negation in these elements
of a NAT rule. Other improvements in handling NAT rules with
negation.
bug (no #): policy compiler for iptables would crash with
assertion when AddressTable or DNSName object was used in a rule
in pure mangle table ruleset. This can be related to crash
reported in bug #2157121.
bug #2141911: "no ULOG for ip6tables". ULOG target has not been
implemented for ip6tables yet, so the compiler should fall back to
LOG target while compiling ipv6 policy.
