bug #2540389: "Routing Broken from 2.1 to 3.0.3". The generated script
preserved the default route when it deleted route entries before
installing new ones. This differed from the behavior of v2.1, where
the default was deleted together with the other routing entries. The
reason for this change (made some time in summer of 2008) was that if
the user did not define a default route in their routing ruleset, the
script would delete the existing default without installing a new one,
leaving the firewall with no default route at all. Now the script
deletes the default only if there is a new one to install and
preserves it otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if the generated firewall script detects an error from one
of the commands that install routing rules and runs the function that
restores the previous routing entries, it should also run the epilog
commands.
bugfix (bug was introduced in build 768). If the user entered an
alternative activation command in the "installer" tab of the
firewall object settings dialog, the program confused it with the
destination directory and tried to execute an incorrect command to
copy files to the firewall. This build (770) fixes this problem.
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can
now enter sudo password. There is no need to configure firewall
management account for password-less sudo access anymore.
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
fixed bug #2618772 ""test install" option does not work". If "test
install" checkbox was checked in the installer options dialog, the
program copied file to directory /etc/fw on the firewall but tried
to find it in /etc/fw/tmp to run.
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fix bug
#2618686 "built-in installer can not handle ipv6 management
address". The built-in installer did not properly form the scp and
ssh command lines when it had to use an IPv6 address to communicate
with the firewall.
* Management.cpp (Management::fromXML): (change in libfwbuilder):
fixed bug #2609796 "internal object Management does not accept
ipv6 address". Class Management should accept ipv6 address. The
problem was that if an interface of the firewall had only ipv6
address and was marked as "management" interface, saving such
configuration to .fwb file created broken data file that could not
be loaded back. The error was:
The program encountered error trying to load data file.
The file has not been loaded. Error:
Exception: Invalid IP address: aaaa:bbbb:cccc::1
XML element : Management
where aaaa:bbbb:cccc::1 is the IPv6 address.
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is
on". Example: IPv6 policy, rule where fw object and internal
network are in source, destination is "any". If option "assume
firewall is part of any" was turned off and ipv6 forwarding was on
but ipv4 forwarding was off, this rule did not yield any iptables
commands in generated script.
* iosaclAdvancedDialog.cpp (iosaclAdvancedDialog::accept): fixed
bug #2597949 "GUI crash in IOS ACL "advanced" settings
dialog". GUI crashed upon click OK in the firewall settings dialog
for the IOS ACL firewall.
friendly Accept & Deny Icons". Accept and Deny icons were
indistinguishable for red-green colorblind people. The new icons
incorporate standard symbols for the "Accept" and "Deny" functions
to make them sufficiently different besides the color.
* ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic
rules for filter table included twice in iptables". If the user had
two policy ruleset objects marked as "top" rule set, then the
automatic rules were added twice.
ipv6" which defines code for iptables, ipfw and IOS extended
access lists for IPv6.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
fixed behavior of the policy compiler for ipfw, which was broken in
rev714: it should print protocol "tcp" when a custom service object
that adds option "established" is used. This compiler worked like
that before attribute "protocol" was added to the CustomService
object.
* platforms.cpp (getReadableRuleElementName): code refactoring:
made it possible to translate ruleset table column
names ("Source", "Destination" etc.). Currently only Russian
translation is provided.
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::createQTWidgetItem):
fixed bug #2412334: "feature request: where used ->
directly". There has been a change in the "Where used" function in
v3.0 compared to the implementation in v2.1. New version showed
not only rule elements and groups that referred to the given
object, but also found all groups that referred to other groups
that referred to the given object. Such recursive action was not
always obvious to the user and was inconvenient when the function
was used to find all places where given object was used with the
goal to replace it with some other object. This fix reverts to the
old behavior where only direct usages are reported by the "Where
used" function. Elements of UI in this function have also been
cleaned up and further unified with confirmation dialog shown when
user tries to delete an object that is used in some groups and
rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
introduced when support for module iprange was added. A special
check is needed for AddressRange objects where the start and end
addresses of the range are equal.
* NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no
#): the GUI used to check ip address entered for the network
object whenever user switched focus from the address input widget
in the network object dialog to another widget or even a different
application to look up the address. This caused the program to
show error dialog if this happened when the address was
incomplete. This change makes the program verify the address only
when user clicks "Apply".
* FWWindow.cpp (FWWindow::prepareFileOpenRecentMenu): Added menu
Files/Open Recent.
* FWWindow.cpp (FWWindow::startupLoad): open StartTipDialog from
FWWindow rather than main() to make sure this dialog always
remains on top of the main window.
* ProjectPanel_file_ops.cpp (ProjectPanel::autoSave): fixed bug
#2499569: "fwbuilder crashes after some hours". The auto-save
function now saves the data file only if it has been
modified. Frequent saves exacerbate small memory leaks that appear
in some old versions of libxml2.
Also, some clean up in libfwbuilder in data file writing.
* FWWindowPrint.cpp (FWWindow::filePrint): fixed bug (no #): the
GUI crashed if user tried to use File/Print function when no
ruleset was opened in the right hand panel.
* printerStream.cpp (printerStream::printQTable): Applied patch by
Paul@Auroragrp.Com that fixes problems with printing long rule
sets. If rule set printout exceeded the length of the page, some
rules at the bottom were cut off and lost. The patch corrects the
problem by taking into account printer dpi while calculating
position for page breaks.
* RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile):
fixed bug (no #): routing compiler for pix refused to add more
than one routing rule with an error saying that other rules were
duplicates. Error was introduced in build 732.
* RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile):
Added support for generation of "ip route" commands for Cisco IOS.
Variant of Cisco IOS "ip route" command where gateway is the name
of one of the interfaces of the router is also supported. To get
this, put interface object in the "gateway" column of the routing
rule.
* pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column
"interface" only for platforms that require it. Currently IOS does
not require it, while other platforms for which routing commands
generation is supported require it (iptables and PIX).
* RuleSetView.cpp (RuleSetView::copyRule): fixed bug #2478528:
"Crash when copying multiple policy rules". GUI crashed if user
tried to copy/paste several rules, some of which belonged to rule
group and some did not.
* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfwbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
periodically "pings" the other end to keep ssh session alive. This
helps recreate state in the firewall state table if it is cleared
when rules are reloaded, which in turn prevents installer from
hanging.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
Deprecated options "generate commands for both in and out" and
"pass all outgoing" in compiler for PF. Before, user could choose
whether compiler was to generate only commands to match inbound
packets or both inbound and outbound. The distinction between
these two modes became very minimal in the recent versions of
fwbuilder because algorithm was mostly controlled by the setting
of "direction" in the policy rules. Now these two options have
been removed completely, the behavior of the compiler is as if
option "generate both in and out" was used.
* pf.cpp (main): The compiler can add the command "pfctl -F states"
after the command "pfctl -f file.conf" to flush states that existed
in memory from sessions opened prior to the policy reload. The reason
is that some of these sessions might be denied by the new policy,
but if the state is not flushed, they will still work after the
policy reload. This is optional and is controlled by a checkbox in
the "Script" tab of the "advanced" settings dialog for the PF
firewall.
* PrintingController.cpp (PrintingController::addObjectsToTable):
fixed bug #2388067: "Print out FWB 3.0.3 not ok". File/Print
function failed to print objects used by rules of the firewall.
* ProjectPanel_file_ops.cpp (ProjectPanel::loadFile): Implemented
feature request #2412323: "feature request: command line flag to
skip RCSFilePreview". New command line switch "-r" makes the GUI
automatically open RCS head revision of the file given on command
line if the file is in RCS. If the file is not in RCS, the new
switch does nothing and the file is opened as usual.
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.