"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
2009-07-11 vadim <vadim@vk.crocodile.org>
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
chaning sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generate "-j SNAT --to-source :<port>"
with no address part.
;
* RCSFilePreview.cpp (RCSViewItem::operator<): implemented feature
req. #2796238 "3.0.4 - FEAT REQ: Sort order for RCSFilePreview".
RCS file preview dialog (the one that shows RCS revisions and RCS
log records) can display revisions in the tree or list view style,
controlled by radio-buttons. Style setting is saved in user
preferences and persists from session to session. In both cases
the view can be sorted by revision number or data. Sort column
choice is also saved in preferences. By default program sorts by
date and selects the latest revision.
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo):
fixed bug (no #): the GUI did not allow to copy/paste an address
from one interface to another. This should be possible.
* PolicyCompiler_ipt.cpp (checkInterfaceAgainstAddressFamily::processNext):
fixed bug #2792888: "interface with only v4 address is used in v6
rules". Compiler should drop rule if it is associate with an
interface that does not have address that belongs to the address
family declared for the rule set. If interface has only ipv4
address, it will never see ipv6 packets and therefore rules that
have this interface in the "interface" rule element should not be
included in the output generated for the ipv6 or combined
ipv4+ipv6 rule sets.
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
option broken for multiple policy sets". Compiler inserted
redundant line "echo COMMIT" to the iptables script if
iptables-restore was used and there were no rules in the mangle
table.
bug #2666971 "fwb_ipt crashes when Address Range object in routing
rule". Policy compiler for iptables crashed if Address Range
object was used in "Destination" of a routing rule.
bug #2540389: "Routing Broken from 2.1 to 3.0.3". Generated script
preserved default route when it deleted route entries before
installing new ones. This was different compared to the behavior
of the v2.1 where default was deleted together with other routing
entries. The reason for this change (made some time in summer of
2008) was that if user did not define default route in their
routing ruleset, the script would delete existing default without
installing new one, leaving firewall with no default route at all.
Now the script deletes default if there is new one to install and
preserves it otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
introduced when support for module iprange was sadded. Need
special check for AddressRange objects where start and end of
range addresses are equal.
* NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no
#): the GUI used to check ip address entered for the network
object whenever user switched focus from the address input widget
in the network object dialog to another widget or even a different
application to look up the address. This caused the program to
show error dialog if this happened when the address was
incomplete. This change makes the program verify the address only
when user clicks "Apply".
* RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile):
Added support for generation of "ip route" commands for Cisco IOS.
Variant of Cisco IOS "ip route" command where gateway is the name
of one of the interfaces of the router is also supported. To get
this, put interface object in the "gateway" column of the routing
rule.
* pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column
"interface" only for platforms that require it. Currently IOS does
not require it, while other platforms for which routing commands
generation is supported require it (iptables and PIX).
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
broken for multiple policy sets". If firewall was configured to
use iptables-restore to activate policy and if it had two or more
policy rule sets, compiler used to put "echo COMMIT" line at the
bottom of each ruleset. This was incorrect, iptables-restore
expects only one COMMIT line at the end of each table.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug #2318639: "bug in logging (rule number)". Added logging prefix
macro %R that gets expanded to the ruleset name. This can be
useful in logging prefixes for rules in branch rulesets.
;
bug #2186568 "Again User service - group/negate". Support for
groups of user service with negation. Now have a framework to keep
track of chain "descendants", so that compiler can tell if some
chain can be traced back to INPUT or OUTPUT through the sequence
of chains calling each other.
system colors for text boxes". Some dialogs would not properly
pick up KDE theme. This was especially visible if theme used dark
background colors and white font, in which case many input fields
in dialogs would use white text on white background.
* PolicyCompiler_ipt.cpp (separateUserServices::processNext):
fixed bug #2186568 "Again User service - group/negate". Compiler
for iptables did not support groups and negation of the
UserService objects.
algorithm used to decide which interfaces of the host or firewall
object to use in a rule when this host or firewall object is found
in source or destination.
fixed bug #2180556: "broken support for the "old" time module for
iptables". Compiler generated incorrect parameters for the "time"
module for versions <1.4.0
bug (no #): policy compiler for iptables did not handle correctly
rules where a host that has multiple addresses was a single object
in a rule element and had negation.
* NATCompiler_ipt.cpp (singleObjectNegation::processNext): added
support for single object negation in OSrc and ODst in NAT rules.
This provides for more compact iptables script in the often used
case where single object is used with negation in these elements
of a NAT rule. Other improvements in handling NAT rules with
negation.
bug (no #): policy compiler for iptables would crash with
assertion when AddressTable or DNSName object was used in a rule
in pure mangle table ruleset. This can be related to crash
reported in bug #2157121.
bug #2141911: "no ULOG for ip6tables". ULOG target has not been
implemented for ip6tables yet, so the compiler should fall back to
LOG target while compiling ipv6 policy.
