Vadim Kurland
a787f35fd0
see #2401 "Deprecating
Route option for iptables"
2011-05-13 16:14:34 -07:00
Vadim Kurland
2b67a0a491
see #2399, #2340 rules that require tagging, classification or routing are now split so that regular actions such as Accept are implemented using normal rules in the table "filter" and rules in table "mangle" only implement tagging, classification and routing. See ChangeLog for longer description
2011-05-13 13:06:42 -07:00
Vadim Kurland
49e65c2775
see #2367 upgraded unit test files and made sure tests pass. Some chain names have changed after this change but overall script structure has improved. Still need to add more tests for various combinations of Classify, Tag and Route options with different actions
2011-05-03 20:43:38 -07:00
Vadim Kurland
9ba2dc42ee
* RoutingCompiler_ipt.cpp (compile): see #2359 "Crash when
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
2011-04-19 14:18:33 -07:00
Vadim Kurland
d64b12221a
* PolicyCompiler_PrintRule.cpp (_printTarget): see #2235 "Modified
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
2011-04-11 19:35:42 -07:00
Vadim Kurland
aa4c661395
* utils.cpp (expand_interface_with_phys_address): see #2324 "NAT +
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
2011-04-10 18:58:29 -07:00
Vadim Kurland
f366e2dc66
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): SF bug
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
2011-04-10 17:58:32 -07:00
Vadim Kurland
0aa3eac4d4
* Compiler.cpp (expandGroupsInRuleElement): sorting objects in the
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
2011-03-12 19:50:24 -08:00
Vadim Kurland
7ebdc6c238
see #2207, #2209, fixes #2213 all objects created by compilers are placed in persistent_objects library; CompilerDriver creates and manages persistent_objects lib; changes in libfwbuilder - an object can be a child of only one parent in the tree, method FWObject::add() enforces this and FWObject::findDuplicateLinks() can be used to find objects with multiple parents
2011-03-11 10:11:42 -08:00
Vadim Kurland
a1111b83bd
* PolicyCompiler.cpp (checkForShadowing): see #2204 "Shadowing
detected for rule with action Continue". Policy rules with action
"Continue" should not shadow other rules and can not be shadowed.
2011-03-08 19:02:19 -08:00
Vadim Kurland
2717d09f7e
see #2170 checking combination of -i and -o interface and chain
2011-03-06 19:57:45 -08:00
Vadim Kurland
7e312722dc
added test case for a group of hosts with mac addresses in a nat rule (SF bug should be opened later); re-ran tests
2011-02-27 22:37:16 -08:00
Vadim Kurland
e84751e95c
see #2008 compiler avoids INPUT/OUTPUT chain if interface in the rule column "Interface" is a bridge port and firewall is bridging firewall (which means we are going to use --physdev-in or --physdev-out option for this rule)
2011-02-21 17:06:43 -08:00
Vadim Kurland
56f81407f1
fixes #2124 some error messages get multiplied when compiler splits rules
2011-02-20 21:32:58 -08:00
Vadim Kurland
2b342aa67d
see #2057 detection of loops in branching rules; see #2124 some error messages appeared multiple times in generated script
2011-02-20 20:12:18 -08:00
Vadim Kurland
f817ddfe24
see #133 test case for SF feature request 1954286
2011-02-20 17:34:36 -08:00
Vadim Kurland
6f5f1ac075
fixes #153 Deprecate Rule::getInterfaceStr() fixes #2123 deprecate rule processor convertInterfaceIdToStr
2011-02-20 17:27:24 -08:00
Vadim Kurland
aea53d35eb
see #2116 "When CARP interface IP address cant be assigned error or warning should appear". Script should abort if command trying to add an ip address to an interface fails
2011-02-19 15:33:30 -08:00
Vadim Kurland
2542b082f3
see #153 #2097 got rid of getInterfaceStr and getInterfaceId in policy and nat compilers for iptables
2011-02-18 18:48:16 -08:00
Vadim Kurland
faece9e40c
see #2097 more test cases with negation and vlan interfaces
2011-02-17 18:39:17 -08:00
Vadim Kurland
581ccdc68e
see #2097 #133 additional test cases
2011-02-17 18:01:45 -08:00
Vadim Kurland
d0ae7bac01
* NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
2011-02-17 17:47:42 -08:00
Vadim Kurland
4d9abebb64
new build, reran tests for ipt
2011-02-15 14:29:43 -08:00
Vadim Kurland
35749e782c
fixes #1999 using tool "command" to make sure utilities we need are available and can be accessed either by full path or using PATH env variable; this includes logger as requested in the ticket
2011-02-10 14:53:44 -08:00
Vadim Kurland
8d97c4ab6e
fixes SF bug 3102044 "Colon in (runtime) Address Table name"
2011-02-10 12:12:26 -08:00
Vadim Kurland
8459b6e061
see #2023 refactoring determineOutputFileNames()
2011-02-03 15:44:24 -08:00
Vadim Kurland
2995ee37f5
re-ran tests
2011-02-03 10:03:49 -08:00
Vadim Kurland
78e177f759
see #1890 re-ran tests
2011-01-31 18:38:08 -08:00
Vadim Kurland
d331ee7840
fixes #1966 IOSACL: object-group can get name that consists of only suffix
2011-01-24 18:28:48 -08:00
Vadim Kurland
15f8ba513c
fixes #1956 rule processor NATCompiler_ipt::splitServices is redundant
2011-01-18 14:44:53 -08:00
Vadim Kurland
104a1bc287
using common rule processor separateSrcAndDstPort instead of the one specifically implemented only for iptables; Added Makefile to ipt test files in order to be able to run tests in parallel
2011-01-17 19:26:30 -08:00
Vadim Kurland
24ac2b56ac
fixed #1905, #1879
2011-01-10 16:43:43 -08:00
Vadim Kurland
83646b91fa
minor refactoring in NATCompiler::ExpandMultipleAddresses::processNext to include SDNAT rules; rerun tests
2011-01-07 13:27:37 -08:00
Vadim Kurland
00127aac9f
fixes #1892 move rule processor class separateServiceObject to PolicyCompiler
2011-01-04 12:00:09 -08:00
Vadim Kurland
d3bfdcf0f7
removed {{$build}} from top_comment configlets since we do not have build number variable anymore
2011-01-03 13:23:17 -08:00
Vadim Kurland
abf2b3b2be
checking in "golden" test files
2011-01-03 13:01:06 -08:00