inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux
bridge interfaces may have names with a "-" such as
"br-lan". We will now permit a "-" in Linux interface names.
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI.
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
"iptables redirecting NAT rules in the OUTPUT chain". This fix
makes it possible to create iptables NAT rule with target REDIRECT
in the OUTPUT chain. The rule should have firewall object in OSrc
and TDst rule elements.
only firewall resets ipv4 stack" only reset ipv4 iptables when there are some ip4 rules; also added action block to usage string of the generated iptables script
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions ofiptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
fixed#1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 muticast ff00::/8 in destination did not produce correspondign
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
support some popular iptables modules". Added support for module
"recent" and rules that match standard ip/icmp/udp/tcp protocols
and at the same time module "mark", "length", "limit" or "recent".
Rules like these are translated into a combination of a branching
rule and additional rule in a branch rule set that implements
module match.
QProcess::waitForFinished() instead of just sleep() after we send
TERM signal to the background process. Also let Qt process events
to update the GUI while waiting.
* instDialog_installer.cpp (instDialog::stopInstall): fixed#1428
button "Stop" in the installer dialog does not stop installer
process
fixes#1417 rule shadowing detection should recognize different rule options.
Policy compiler for iptables takes into account rule options for modules
limit, connlimit and hashlimit when it considers rules for rule shadowing.
fixed#1415 "action branch that creates branch in mangle table
should branch in FORWARD chain". Rule with "any" in src and dst
and action Branch with option "branch in mangle table" will go
into FORWARD chain in addition to the PREROUTING and POSTROUTING
chains as before. Note that choice of PREROUTING or POSTROUTING
chains depends on direction.
fixed time format for the iptables parameters --datestart,
--datestop which is supposed to be ISO 8601 "T" notation but
apparently with no support for time zone designators. Timezone
desginators are an error in iptables 1.4.1.1 and 1.4.5, did not
test newer versions. Fixes#1286 SourceForge bug #2961532
fixes#1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
support for NAT MASQUERADE source port randomization. This adds
support for the "--random" option for SNAT, DNAT and MASQUERADE
targets in iptables NAT rules. User needs to turn on the checkbox
that adds this option in NAT rules again
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
fixes#1123, #1124
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
