* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
security vulnerability in the generated script that was caused by
incorrect creation of a temporary file. The problem made generated
script vulnerable to symlink attacks. The vulnerability only
affected systems where Firewall Builder was used to generate
static routing configuration on Linux.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
fixed bug (no #): policy compiler for Cisco IOS ACL did not add
icmp type to the generated ipv6 access-list statements for rules
that matched ICMPv6 services.
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed
if user clicked "next" in the new firewall dialog to open page
with templates, then clicked "Back" and then "Next" again.
* ObjectManipulator.cpp (ObjectManipulator::select): fixed bug
#2845667 "Crash after find object". When host object was found
using "Find object" function while searching by ip address,
clicking on the selected host in the tree caused crash.
* VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule optiopns and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name Xml
attribute used to hold the value of "module state" option was
entered incorrectly in the dialog.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
extra white space after tcp port spec if source port match was not
used in the rule.
* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
patch per bug report #2828633: "Patch: Warning when changing rule
direction in compiler". This adds warning when rule direction is
changed by the compiler because object in source or destination
was firewall itself.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
change per bug #2828602: "PF Compiler Direction Both no
Duplication Patch". PF rules with direction "both" used to be
split to make two rules, one with direction "inbound" and another
with direction "outbound". This was an artefact of old rule
generation model where user could choose to permit everything
outbound and only generate inbound rules, or generate both inbound
and outbound rules. Since we now always generate both in abd out
rules and PF matches both directions when neither "in" or "out" is
specificed, this splitting has become redundant.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668:
"MDI window glitch". If the GUI had two or more MDI windows and
user moved rules in one of them, the GUI switched to another after
the operation was complete.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
