fixes#1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
support for NAT MASQUERADE source port randomization. This adds
support for the "--random" option for SNAT, DNAT and MASQUERADE
targets in iptables NAT rules. User needs to turn on the checkbox
that adds this option in NAT rules again
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
fixes#1123, #1124
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
fixes#1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable
objects in the same rule element (source or destination) were
converted to the shell script that read addresses from the address
table files, plus wrong iptables command that matched any to any.
This change removes this extra command.
fixes#1084 "if all user turns off all interface management and
configuration checkboxes, the check_tools shell function is not
added to the script but still called". Shell function
"check_tools" verifies that system tools iptables script needs to
operate properly are installed on the firewall. These are: ip,
modprobe and optionally vconfig, brctl, ifenslave. The bug made
compiler for iptables to add the call to the function but function
definition was missing if user unchecked all "configure
interfaces" checkboxes in the Script tab of firewall object
settings dialog.
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
#1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use
interface only if it has addresses that match address family we
compile for.
fixes#1064
* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes#883
* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes#878
* NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext):
Implemented feature request #2829661: "SNAT instead of MASQUERADE
on dynamic interfaces". NAT rule options dialog now has a checkbox
that makes compiler use SNAT target instead of MASQUERADING when
checked when TSrc has dynamic interface. Apparently MASQ target
has problems when iptables NAT is used in combination with policy
routing. Using SNAT with a variable that gets interface address
solves the problem. By default this option is off, that is
compiler uses MASQUERADE target when TSrc has dynamic interface.
Fixes#560
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
2009-07-11 vadim <vadim@vk.crocodile.org>
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
chaning sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generate "-j SNAT --to-source :<port>"
with no address part.
;
