table entries in case of an error with commands adding new routing
entries was broken and left the machine with no routes at all.
Also, using mktemp to create temporary directory. If mktemp is not
available, fall back onto less secure but guaranteed to work method
where I generate randomized the name of the temporary directory using
process ID.
5.0.1". Rule with cluster interface in "Destination" should compile
into matching ip addresses assigned to the cluster interface object
and corresponding member firewall's interface object, but in v5.0.1 it
only matched member interface address. This bug triggered when
iptables version was set to 1.2.11 or greater. This was a regression
from v5.0.0
parent bridge interface. This allows us to correctly match which
bridge the packet comes through in configurations using wildcard
bridge port interfaces. For example, when br0 and br1 have "vnet+"
bridge port interface, iptables can still correctly match which bridge
the packet went through using "-o br0" or "-o br1" clause. This can be
useful in installations with many bridged interfaces that get created
and destroyed dynamically, e.g. with virtual machines. Note that the
"-i br0" / "-o br0" clause is only added when there is more than one
bridge interface and bridge port name ends with a wild card symbol "+"
iptables script uses "which" to check if all utilities it uses exist
on the machine. We should also check if "which" itself exists and
issue meaningful error message if not.
direct broadcast addresses. When interface of the firewall is
configured with netmask /31, policy compilers should not treat the
second address of this "subnet" as a broadcast.
iptables INPUT chain". Compiler was choosing chain INPUT with
direction "outbound" for rules that had old broadcast address in
"Source", this lead to invalid iptables configuration with chain INPUT
and "-o eth0" interface match clause.
fixed bug in the rule processor that replaces AddressRange object that
represents single address with an IPv4 object. Also eliminated code
redundancy.
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
;
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
