import of Cisco IOS and PIX/ASA service configurations using port
operation "neq". Since object model in fwbuilder does not provide
direct support for "port not equal to" expression, this
configuration is conveted into two tcp or udp service objects with
port range extending below and above specified port and these two
service objects are then placed in a group.
behavior: configuration import is aborted with an appropriate
error message in the log when program enounters protocol or
service name that it does not recognize and can not convert to
protocol or port number. We used to replace port number with some
placeholder (usually 0) and mark rule as "bad" by coloring it red
and adding comment.
de-duplication during import process". Also SourceForge bug
2980566 "Import from hostsfile may cause duplicate Objects" and
3030072 "remove duplicates during any import". Now the program can
optionally re-use existing objects from both Standard Objects and
user-defined libraries when it imports existing firewall
configuration. This works for any firewall platform for which we
support policy import.
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
with target REDIRECT not imported". Iptables NAT rules with target
REDIRECT where not imported correctly.
* IPTImporter.cpp (pushNATRule): see #2190 "support for import of
branches in NAT rules for iptables". Implemented import of NAT
rules in user-defined chains for iptables, these translate into
branching NAT rules in fwbuilder.
additional page when user imports PIX/ASA config. This page
explains concept of network zones and offers UI to let them choose
network objects or groups as a network zone of each interface.
Do not
pass full path to the output file as an argument of the "-o"
option when the GUI launches policy compiler. Since the "-d"
option passes directory path where files sould be saved, actual
file names do not need to be absolute path, except if the user
entered absolute path for the output file name in the firewall
settings dialog.
new Address Table file results in read-only error". Implemented
support for the workflow when user wants to create the file used
to feed addresses to the AddressTable object.
* configlets/linux24/shell_functions: see #2130 "unnecessary
output when iptables script runs on the firewall". Ever since I
switched to using "command" to verify that various system
utilities generated script needs are present and can be used, the
scirpt produced extra lines in the log printing full path and
names to /usr/bin/logger, /sbin/ip etc. These lines are
unnecessary and should not be there. This problem was introduced
some time during the work on 4.2.0
deprecate "test install" function. We have decided to deprecate test install because it is rather heavy-handed on Linux and PIX where it reboots the firewall and plain does not work on *BSD.
