some flags for the "non-default" rule options for PF"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixed #1364 "add synproxy and other missing pf rule options to the
rule options tooltip"
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When the user adds or removes a VLAN subinterface in the fwbuilder
GUI, the generated script executes the appropriate ifconfig commands to
add or remove the corresponding vlan pseudo-interface on the firewall
machine.
fixes #1210 "syntax error in PF rule - "modulate state" is
required". Per the bug reported on the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy" if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when the Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. When the compiler ran in test mode,
the preprocessor did not abort but used dummy substitution addresses
and continued. The call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes #1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-English comments appear correctly in the single
rule compile output and generated configuration files and scripts.
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for PF configuration parameter "set state-policy"
which can have values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If the empty list item is selected, the command "set state-policy"
is not added to the generated .conf file at all. Fixes #423
* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
#2835193: "Modulate state doesnt work for PF". Check the variable
"modulate state" in rule options and global firewall options. If the
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using the rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name of the XML
attribute used to hold the value of the "modulate state" option was
entered incorrectly in the dialog.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
changing sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed
bug (no #): compiler for PF did not remove rules using IPv4
objects while compiling policy set to be "combined IPv4 and IPv6"
for IPv6 and vice versa. As a result, it used to double some
rules because they would appear both in IPv4 and IPv6 sections of
the generated .conf file.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists cannot match source routing
options set in IPService object, compiler should issue an error
and abort processing when an object like this is encountered in a
rule.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): policy compiler for pf crashed when dynamic interface
was used in source or destination of a policy rule.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2793144 "Context menu item for the new User Service
object is missing".
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#2791950 "no way to generate "pass out" rule with no interface".
Compiler created two rules "pass out" and "pass in" for rules with
no interface and direction "in" or "out". It should create one
rule with direction defined by the rule in the GUI.
* DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309:
"Bug in gui/DialogData.cpp when not using mapping.". There was a
bug in DialogData.cpp that when setting the value of a combobox
and not using a mapping array the requested value would not be
selected. Applied patch provided by Tom Judge ( tomjudge )
* platforms.cpp (init_platforms): fixed bug #2710300 "Bug in
gui/platforms.cpp". There was a discrepancy between the list of
route-to options for PF and UI elements.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
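The PF-specific constraints listed in several of the entries above (the "keep state"/"modulate state"/"synproxy" requirement for stateful tracking options, the global "modulate state" override, "set state-policy" being omitted when the empty item is selected, a directional rule with no interface producing a single line, and the "ftp-proxy/*" anchor name allowed only for PF) are collected here in one miniature rule renderer. This is an added example, not fwbuilder's own code: the Rule class, the function names and the exact pf.conf fragments they emit are assumptions made for illustration, and the renderer covers only the handful of rule elements needed to show the checks.

```python
# Added example, not fwbuilder code: a miniature PF rule renderer that
# enforces some of the pf.conf constraints the changelog entries describe.
# Class/function names and emitted fragments are assumptions for illustration.
from dataclasses import dataclass, field


class CompileError(ValueError):
    """Raised for option combinations pf.conf would reject."""


# pf.conf accepts these tracking options only together with a state keyword.
STATEFUL_TRACKING_OPTS = ("max", "no-sync", "pflow", "sloppy", "source-track")
STATE_KEYWORDS = ("", "keep state", "modulate state", "synproxy state")
STATE_POLICIES = ("", "if-bound", "floating")


@dataclass
class Rule:
    action: str = "pass"
    direction: str = ""          # "in", "out", or "" for both directions
    interface: str = ""          # "" means no "on <ifname>" clause
    proto: str = "tcp"
    src: str = "any"
    dst: str = "any"
    dport: str = ""              # e.g. "22" or "1024:65535"
    state: str = "keep state"    # one of STATE_KEYWORDS
    modulate: bool = False       # per-rule "modulate state" checkbox
    state_opts: dict = field(default_factory=dict)  # {"max": 100, "sloppy": None}


def state_clause(rule, global_modulate=False):
    """Return the state keyword (with tracking options) for one rule."""
    # The global firewall option wins over whatever the rule selected.
    keyword = "modulate state" if (rule.modulate or global_modulate) else rule.state
    if keyword not in STATE_KEYWORDS:
        raise CompileError(f"unknown state keyword {keyword!r}")
    unknown = [o for o in rule.state_opts if o not in STATEFUL_TRACKING_OPTS]
    if unknown:
        raise CompileError(f"unknown stateful tracking option(s) {unknown}")
    if rule.state_opts and not keyword:
        raise CompileError(
            "stateful tracking options require keep state, modulate state "
            "or synproxy state: " + ", ".join(rule.state_opts))
    if not keyword:
        return ""
    if not rule.state_opts:
        return keyword
    parts = [k if v is None else f"{k} {v}" for k, v in rule.state_opts.items()]
    return f"{keyword} ({', '.join(parts)})"


def render_rule(rule, ipv6=False, global_modulate=False):
    """Render one pf.conf line per direction the rule applies to."""
    if rule.direction not in ("", "in", "out"):
        raise CompileError(f"bad direction {rule.direction!r}")
    # An explicit direction yields exactly one line even without an
    # interface; only a direction-less rule expands to "in" and "out".
    directions = [rule.direction] if rule.direction else ["in", "out"]
    lines = []
    for direction in directions:
        words = [rule.action, direction]
        if rule.interface:
            words += ["on", rule.interface]
        words += ["inet6" if ipv6 else "inet", "proto", rule.proto,
                  "from", rule.src, "to", rule.dst]
        if rule.dport:
            words += ["port", rule.dport]
        clause = state_clause(rule, global_modulate)
        if clause:
            words.append(clause)
        lines.append(" ".join(words))
    return lines


def render_state_policy(policy=""):
    """'set state-policy' line, or '' when the empty GUI item is selected."""
    if policy not in STATE_POLICIES:
        raise CompileError(f"bad state-policy {policy!r}")
    return f"set state-policy {policy}" if policy else ""


def render_branch(ruleset_name, platform="pf"):
    """Render a branching rule as an anchor; '/' and '*' are PF-only."""
    if platform != "pf" and any(c in ruleset_name for c in "/*"):
        raise CompileError(f"{ruleset_name!r} is only valid as a PF anchor name")
    return f'anchor "{ruleset_name}"'


if __name__ == "__main__":
    print(render_state_policy("if-bound"))
    ssh = Rule(direction="in", interface="em0", dport="22",
               state_opts={"max": 100, "source-track": "rule"})
    for line in render_rule(ssh):
        print(line)
    print(render_branch("ftp-proxy/*"))
```

Running the block prints a "set state-policy if-bound" line, a single "pass in on em0 ..." rule carrying "keep state (max 100, source-track rule)", and the anchor line; a rule whose state keyword is empty but that still sets "max" or "sloppy" is rejected with CompileError instead of producing a .conf that pfctl would refuse to load.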
* pf.cpp (main): fixed bug (no #): compiler for pf inserted the code
provided in the "prolog" section in the incorrect place when the option
was set to "add after table definitions".
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if the
user selected some rules that belonged to a group and a few other
rules that did not belong to any group at the same time and used the
context menu to place all these rules in a new group, the GUI used
to crash.
periodically "pings" the other end to keep the ssh session alive. This
helps recreate state in the firewall state table if it is cleared
when rules are reloaded, which in turn prevents the installer from
hanging.
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2407141
"label markers". Color label text set in Preferences was not used
in the context menus where the user can actually apply those colors to
rules.
* ObjectManipulator.cpp (ObjectManipulator::duplicateObject): fix
bug #2303486: "Operation of duplicating firewall should switch
policy". When firewall object is duplicated, the GUI should
automatically open policy of the new object rather than keep
policy of the original open. At the same time, reset lastModified,
lastCompiled, lastInstalled of the new firewall instead of keeping
copies from the original.
* instDialog.cpp (instDialog::testFirewall): Check to make sure
paths to ssh and scp utilities are properly configured in
Preferences before running install. Show an appropriate error dialog
to the user if the path to ssh or scp is not configured.
algorithm used to decide which interfaces of the host or firewall
object to use in a rule when this host or firewall object is found
in source or destination.