Syntax of nat rules has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using the action "match" and the keywords
"nat-to" and "rdr-to".
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes #1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
some flags for the "non-default" rule options for PF"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixed #1364 "add synproxy and other missing pf rule options to the
rule options tooltip"
New feature: generated script adds and removes CARP interfaces
incrementally. This means it will not run the ifconfig command to
create a carp interface that is already there, and it will run the
"ifconfig carp1 destroy" command if interface carp1 has been removed
in the fwbuilder GUI, to delete it on the firewall.
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When the user adds or removes a VLAN subinterface in the
fwbuilder GUI, the generated script executes the appropriate ifconfig
commands to add or remove the corresponding vlan pseudo-interface on
the firewall machine.
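The incremental CARP/VLAN handling described in the two entries above, as an added example in Python; this is not fwbuilder's generated script or its code. It parses a constructed `ifconfig -a` sample (not a real capture), compares it with the set of pseudo-interfaces the user configured, and emits `create` only for interfaces that are missing and `destroy` only for carp/vlan interfaces that are no longer wanted. Function names, the `DESIRED` parameter strings (OpenBSD-style `vhid`/`carpdev` and `vlan`/`vlandev` keywords) and the re-application of parameters to existing interfaces are this example's own choices.

```python
import re

# Pseudo-interface families the generated script is allowed to create/destroy.
# Physical interfaces (em0, ...) are never destroyed, whatever the desired set says.
PSEUDO_FAMILIES = ("carp", "vlan")

# Constructed sample of `ifconfig -a` output from the firewall (not a real capture).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        vlan: 10 parent interface: em0
"""

# Interfaces as configured in the GUI: name -> ifconfig parameters.
# The parameter strings are an assumption of this example (OpenBSD keywords).
DESIRED = {
    "carp1": "vhid 1 carpdev em0 10.0.0.1/24",
    "vlan20": "vlan 20 vlandev em0",
}


def existing_interfaces(ifconfig_output):
    """Names of interfaces present on the box, parsed from `ifconfig -a` output."""
    names = set()
    for line in ifconfig_output.splitlines():
        # Interface headers look like "carp1: flags=..."; indented detail
        # lines ("        carp: MASTER ...") start with whitespace and are skipped.
        m = re.match(r"^([a-z]+\d+):", line)
        if m:
            names.add(m.group(1))
    return names


def family(name):
    """Driver family of an interface name: 'carp' for 'carp1', 'em' for 'em0'."""
    m = re.match(r"^([a-z]+)\d+$", name)
    return m.group(1) if m else None


def plan_interface_changes(desired, ifconfig_output):
    """Return the ifconfig commands that bring the box to the desired set.

    - create only interfaces that do not exist yet
    - destroy only carp/vlan interfaces that exist but are not desired
    - refuse to manage anything outside PSEUDO_FAMILIES
    """
    present = existing_interfaces(ifconfig_output)
    cmds = []
    for name in sorted(desired):
        if family(name) not in PSEUDO_FAMILIES:
            raise ValueError(f"{name}: only {PSEUDO_FAMILIES} interfaces are managed")
        if name not in present:
            cmds.append(f"ifconfig {name} create")
        # Parameters are re-applied to existing interfaces too, so a changed
        # VLAN id or vhid propagates (a design choice of this example).
        cmds.append(f"ifconfig {name} {desired[name]}")
    for name in sorted(present):
        if family(name) in PSEUDO_FAMILIES and name not in desired:
            cmds.append(f"ifconfig {name} destroy")
    return cmds


if __name__ == "__main__":
    for cmd in plan_interface_changes(DESIRED, SAMPLE_IFCONFIG):
        print(cmd)
```

The `family()` guard is the part worth keeping in any real script: a typo in the desired set must never turn into `ifconfig em0 destroy` on a remote firewall.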
fixes #1210 "syntax error in PF rule - "modulate state" is
required". Per the bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy" if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when the Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If the compiler ran in test mode,
the preprocessor did not abort but used dummy substitution addresses
and continued. The call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes #1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for PF configuration parameter "set state-policy"
which can have values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If empty list item is selected, command "set state-policy"
is not added to the generated .conf file at all. Fixes#423
* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
#2835193: "Modulate state doesnt work for PF". Check the variable
"modulate state" in rule options and global firewall options. If
the checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using the rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name of the XML
attribute used to hold the value of the "modulate state" option was
entered incorrectly in the dialog.
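The OpenBSD 4.7 nat-to/rdr-to syntax change, the 4.6 "match" action for tagging (#1414), the state-keyword requirement from #1210 and the "always modulate state" global option from #2835193, together as one added example in Python. This is not fwbuilder's PolicyCompiler or NATCompiler code: it is a minimal rule writer that picks the syntax by OpenBSD version, prepends a state keyword whenever state options are present, and a checker that flags a rule pf.conf would reject. Function names, the option list and the "block rules carry no state" check are this example's own; the version thresholds and keywords are the ones named in the entries above.

```python
import re

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")
# Stateful tracking options that pf.conf only accepts in the parenthesised
# list that follows one of STATE_KEYWORDS (the list is not exhaustive).
STATE_OPTIONS = ("max", "no-sync", "pflow", "sloppy", "source-track",
                 "max-src-nodes", "max-src-states", "max-src-conn")


def _version(v):
    """'4.7' -> (4, 7); tuples compare correctly, so '4.10' > '4.7'."""
    return tuple(int(x) for x in v.split("."))


def nat_rule(version, kind, iface, src, dst, target, proto=None):
    """Emit a nat/rdr rule in the syntax of the given OpenBSD version.

    Before 4.7 these are standalone `nat`/`rdr` rules with an `->` arrow;
    from 4.7 on they are `match` rules carrying `nat-to`/`rdr-to`.
    """
    if kind not in ("nat", "rdr"):
        raise ValueError("kind must be 'nat' or 'rdr'")
    proto_part = f" proto {proto}" if proto else ""
    if _version(version) >= (4, 7):
        direction, keyword = ("out", "nat-to") if kind == "nat" else ("in", "rdr-to")
        return f"match {direction} on {iface}{proto_part} from {src} to {dst} {keyword} {target}"
    return f"{kind} on {iface}{proto_part} from {src} to {dst} -> {target}"


def policy_rule(version, action, direction, iface, proto, src, dst,
                state=None, state_opts=(), modulate_globally=False, tag=None):
    """Emit a filtering rule for action "pass", "block" or "tag".

    - "tag" uses `match` on 4.6 and later, `pass` before that.
    - The global "modulate state" option always wins on pass rules; otherwise
      any state option forces at least "keep state" in front of it, because
      pf.conf rejects a bare parenthesised option list.
    - block (and, in this example, tag) rules never carry state.
    """
    if action == "tag":
        if tag is None:
            raise ValueError("tag action needs a tag name")
        verb = "match" if _version(version) >= (4, 6) else "pass"
    elif action in ("pass", "block"):
        verb = action
    else:
        raise ValueError(f"unknown action {action!r}")
    for opt in state_opts:
        if opt.split()[0] not in STATE_OPTIONS:
            raise ValueError(f"unknown state option {opt!r}")
    if action == "pass":
        if modulate_globally:
            state = "modulate state"          # global firewall option overrides the rule
        elif state is None and state_opts:
            state = "keep state"              # options need a keyword; keep state is the default
    if (state or state_opts) and action != "pass":
        raise ValueError(f"state tracking makes no sense on a {action} rule")
    if state is not None and state not in STATE_KEYWORDS:
        raise ValueError(f"unknown state keyword {state!r}")
    parts = [verb, direction, "on", iface, "proto", proto, "from", src, "to", dst]
    if state:
        parts.append(state)
        if state_opts:
            parts.append("(" + ", ".join(state_opts) + ")")
    if tag is not None:
        parts += ["tag", tag]
    return " ".join(parts)


def check_state_options(rule):
    """Return None if the rule is well-formed, else an error message.

    A parenthesised list of state options must directly follow one of
    STATE_KEYWORDS. Other parenthesised tokens, such as the dynamic
    interface "(em0)", are ignored.
    """
    for m in re.finditer(r"\(([^)]*)\)", rule):
        opts = [o.strip().split()[0] for o in m.group(1).split(",") if o.strip()]
        if not opts or not all(o in STATE_OPTIONS for o in opts):
            continue
        if not rule[:m.start()].rstrip().endswith(STATE_KEYWORDS):
            return f"state options {opts} require one of {STATE_KEYWORDS}"
    return None


if __name__ == "__main__":
    for ver in ("4.6", "4.7"):
        print(nat_rule(ver, "nat", "em0", "192.168.1.0/24", "any", "(em0)"))
        print(nat_rule(ver, "rdr", "em0", "any", "(em0) port 80",
                       "192.168.1.10 port 8080", proto="tcp"))
    print(policy_rule("4.6", "pass", "in", "em0", "tcp", "any", "10.0.0.5 port 22",
                      state_opts=("max 100", "source-track rule")))
    print(check_state_options("pass in on em0 proto tcp to (em0) port 22 (max 100)"))
```

`check_state_options` is the kind of test worth running over a generated .conf before `pfctl -nf` ever sees it: the syntax error #1210 reported is exactly a bare `(max ...)` list with no state keyword in front of it.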
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
changing sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed
bug (no #): compiler for PF did not remove rules using IPv4
objects while compiling a policy set to be "combined IPv4 and IPv6"
for IPv6, and vice versa. As a result, it duplicated some rules
because they would appear in both the IPv4 and IPv6 sections of the
generated .conf file.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists cannot match source routing
options set in IPService object, compiler should issue an error
and abort processing when an object like this is encountered in a
rule.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): policy compiler for pf crashed when dynamic interface
was used in source or destination of a policy rule.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2793144 "Context menu item for the new User Service
object is missing".
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#2791950 "no way to generate "pass out" rule with no interface".
Compiler created two rules "pass out" and "pass in" for rules with
no interface and direction "in" or "out". It should create one
rule with direction defined by the rule in the GUI.
* DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309:
"Bug in gui/DialogData.cpp when not using mapping.". There was a
bug in DialogData.cpp where, when setting the value of a combobox
without using a mapping array, the requested value would not be
selected. Applied patch provided by Tom Judge ( tomjudge )
* platforms.cpp (init_platforms): fixed bug #2710300 "Bug in
gui/platforms.cpp". There was a discrepancy between the list of
route-to options for PF and the UI elements.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
* pf.cpp (main): fixed bug (no #): compiler for pf added the code
provided in the "prolog" section in the wrong place when the option
was set to "add after table definitions".
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if
the user selected some rules that belonged to a group and a few other
rules that did not belong to any group at the same time, and used the
context menu to place all these rules in a new group, the GUI used
to crash.