Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes#455
does not support IP options matching, compiler issues warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
Sveasoft (busybox) does not like empty shell functions and fails
with an error "36: Syntax error: "}" unexpected". Will call
/bin/true as a placeholder so that if some other commands are
added to the function body during template expansion, they are
executed after /bin/true and their return code is preserved. If no
commands are added, then the function body won't be empty and will
return success.
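As an added illustration of the placeholder trick described above (this is example code, not fwbuilder's template or generated script): emit_function writes a shell function whose body always starts with /bin/true, then appends whatever commands a template might add, so the body is never empty and the function's exit status is that of the last appended command. script_parses uses `sh -n` to show the empty form is rejected while the placeholder form is accepted; the function names and the appended commands are constructed for the demo.

```shell
#!/bin/sh
# Added example, not fwbuilder's own code.
# emit_function NAME [CMD...]: print a function definition whose body is
# "/bin/true" followed by the given commands (if any), so the body is
# never empty and the last command's exit status is the function's.
emit_function() {
    name=$1
    shift
    printf '%s() {\n    /bin/true\n' "$name"
    for cmd in "$@"; do
        printf '    %s\n' "$cmd"
    done
    printf '}\n'
}

# script_parses TEXT: exit 0 if "sh -n" accepts TEXT as syntax, non-zero
# otherwise. busybox ash and dash both reject "f() { }" here.
script_parses() {
    printf '%s\n' "$1" | sh -n 2>/dev/null
}

# Demonstration on constructed input.
if script_parses 'empty() { }'; then
    echo "empty function accepted"
else
    echo "empty function rejected by sh -n"
fi

# Placeholder only: parses and returns success.
eval "$(emit_function run_hooks)"
run_hooks && echo "run_hooks (placeholder only) returned 0"

# Placeholder plus a failing command: the failure is preserved.
eval "$(emit_function run_hooks_fail 'false')"
if run_hooks_fail; then
    echo "unexpected success"
else
    echo "run_hooks_fail returned non-zero, as expected"
fi
```

The `sh -n` check is the one to run over a generated script before shipping it to a busybox host; it catches the "}" unexpected error without executing anything.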
#2889579: "fwb_pf crash when unnumbered interface is used in nat
rule". Compiler for PF crashed when unnumbered interface was used
in TSrc element of a NAT rule.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): Fixed
bug #2892100: "'Old boradcast' object produces 0/0 in iptables
script". The bug triggered when iptables version was set to 1.3.x
or later. "Old broadcast" object is defined as AddressRange with
0.0.0.0 as a start and end addresses of the range. Generated
script should have "0.0.0.0" but the compiler uses "0/0" instead.
* NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext):
Implemented feature request #2829661: "SNAT instead of MASQUERADE
on dynamic interfaces". NAT rule options dialog now has a checkbox
that, when checked, makes the compiler use the SNAT target instead of
MASQUERADE when TSrc has a dynamic interface. Apparently MASQ target
has problems when iptables NAT is used in combination with policy
routing. Using SNAT with a variable that gets interface address
solves the problem. By default this option is off, that is
compiler uses MASQUERADE target when TSrc has dynamic interface.
Fixes#560
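As an added example of the two POSTROUTING forms described above (example code, not the script fwbuilder generates): first_v4_addr plays the role of the "variable that gets interface address" by parsing `ip -4 -o addr show` output, and snat_rule builds either the MASQUERADE rule (option off) or the SNAT rule with `--to-source` (option on). The helper names, the interface names and the sample `ip` output are assumptions constructed for the demo; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated code.

# first_v4_addr IFACE IP_OUTPUT: print the first IPv4 address assigned to
# IFACE, taken from the text of "ip -4 -o addr show" (passed in as an
# argument so the example runs offline). Handles both "a.b.c.d/len" and
# the "a.b.c.d peer ..." form used by ppp interfaces.
first_v4_addr() {
    iface=$1
    printf '%s\n' "$2" | awk -v dev="$iface" \
        '$2 == dev { sub(/\/.*/, "", $4); print $4; exit }'
}

# snat_rule IFACE ADDR MODE: print the POSTROUTING rule. MODE "masq" is the
# default behaviour (option off); MODE "snat" needs ADDR and fails if the
# interface has no address yet.
snat_rule() {
    iface=$1 addr=$2 mode=$3
    case $mode in
        masq)
            echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE" ;;
        snat)
            [ -n "$addr" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
            echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr" ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Constructed sample of "ip -4 -o addr show" output (assumption).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Demonstration: option off, then option on for the dynamic ppp0 interface.
snat_rule ppp0 "" masq
snat_rule ppp0 "$(first_v4_addr ppp0 "$SAMPLE_IP_OUTPUT")" snat
```

On a real host the address lookup runs at script start, which is why the SNAT form only works when the dynamic interface is already up; the masquerade form has no such dependency, which is why it remains the default.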
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::prolog): Fixed bug
#2792847 (SourceForge) "cant turn off "part of any" for a rule if
default is on". There was no way to turn option "Assume firewall
is part of any" for just one rule when it was ON globally. Now
this attribute is presented as a tri-state control in the rule
options dialog, with options "Follow global setting", "On" and
"Off". Now this option can be turned on and off in individual
rules regardless of the global setting. Default is "follow
global". Old "Off" maps to the new "follow global", old "On" maps
to the new "On". Fixes#559.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printInterface): New
feature: optimization in compiler for PF. Rules that have several
interface objects (or a group) in the "Interface" column are
compiled using "{ }" grouping to produce only one configuration
line instead of several for such rule. Fixes#76
* PolicyCompiler_pf.cpp (SpecialServices::processNext): Compiler
for PF generates "allow-opts" keyword when IPService object used
in the rule has IP options. This includes new option "router-alert".
Fixes#503
* IPServiceDialog.cpp (IPServiceDialog::applyChanges): Added GUI
elements to support IP option "router-alert" which is now
available as an attribute of IPService object. Fixes#502
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for PF configuration parameter "set state-policy"
which can have values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If empty list item is selected, command "set state-policy"
is not added to the generated .conf file at all. Fixes#423
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
New feature: password caching. Built-in installer can remember
firewall password (and enable password for Ciscos) for the
duration of the session. Passwords are never stored permanently
in any form, encrypted or plain text. The user needs to enter
password once when they activate generated policy. If they keep
the program open and need to modify and activate policy again, the
password fields in the installer dialog can be filled
automatically. The feature is optional and is off by default.
Cached passwords are associated with the firewall object and
account name used to activate policy. Implemented by a2k@codeminders.com