table entries in case of an error with commands adding new routing
entries was broken and left the machine with no routes at all.
Also, using mktemp to create temporary directory. If mktemp is not
available, fall back onto less secure but guaranteed to work method
where I generate randomized the name of the temporary directory using
process ID.
command to set /proc variable
/proc/sys/net/ipv4/conf/all/promote_secondaries that makes the kernel
"promote" secondary address to a "primary" status when primary address
is deleted. Default behavior in Linux kernel is to delete all
addresses when primary address is deleted.
command to set /proc variable
/proc/sys/net/ipv4/conf/all/promote_secondaries that makes the kernel
"promote" secondary address to a "primary" status when primary address
is deleted. Default behavior in Linux kernel is to delete all
addresses when primary address is deleted.
5.0.1". Rule with cluster interface in "Destination" should compile
into matching ip addresses assigned to the cluster interface object
and corresponding member firewall's interface object, but in v5.0.1 it
only matched member interface address. This bug triggered when
iptables version was set to 1.2.11 or greater. This was a regression
from v5.0.0
partially reverted 3db31d6828fd2b35e46509fbcdd26088c0704d25 :
I should not trim strings coming out of QLineEdit in
DialogData::saveAll() because it affects various attributes that might
need trailing space, such as log prefix (see #2676). However trailing
spaces in the output file name are still trimmed in other places by
the changes done in 3db31d6828fd2b35e46509fbcdd26088c0704d25
deprecated". Need to use --match-set instead of --set if iptables
version is >= 1.4.4. The fix done for #3059893 was only in the policy
compiler but needs to be done in both policy and nat compilers.
parent bridge interface. This allows us to correctly match which
bridge the packet comes through in configurations using wildcard
bridge port interfaces. For example, when br0 and br1 have "vnet+"
bridge port interface, iptables can still correctly match which bridge
the packet went through using "-o br0" or "-o br1" clause. This can be
useful in installations with many bridged interfaces that get created
and destroyed dynamically, e.g. with virtual machines. Note that the
"-i br0" / "-o br0" clause is only added when there is more than one
bridge interface and bridge port name ends with a wild card symbol "+"
group and addresses table object names" is in effect. This happened if
the same user-defined group was used in multiple rules or different
rule element of the same rule. In this case generated PF table would
have several copies of the same addresses.
not work right when the same object is used in several different
groups. If the same object was a member of multiple groups and these
groups were used in the same or different rules of the same PF
firewall, compiler used all groups in all rules.
fixed bug (no number) introduced when I was working on #2667.
Setting broadcast address in the network object with netmask /31
to 255.255.255.255 broke rule shadowing algorithm.
iptables script uses "which" to check if all utilities it uses exist
on the machine. We should also check if "which" itself exists and
issue meaningful error message if not.
direct broadcast addresses. When interface of the firewall is
configured with netmask /31, policy compilers should not treat the
second address of this "subnet" as a broadcast.
iptables INPUT chain". Compiler was choosing chain INPUT with
direction "outbound" for rules that had old broadcast address in
"Source", this lead to invalid iptables configuration with chain INPUT
and "-o eth0" interface match clause.
fixed bug in the rule processor that replaces AddressRange object that
represents single address with an IPv4 object. Also eliminated code
redundancy.
row". Under certain circumstances, editing rule comment caused the GUI
to collapse corresponding row in the rule set view so that only the
first object of each rule element that contained several objects was
visible.
value fails". This bug made it impossible to edit the value of the end
of the port range because as soon as the value became less than the
value of the beginning the range, the GUI would reset it to be equal
to the value of the beginning of the range. This affected both TCP and
UDP service object dialogs.
