Vadim Kurland
3a88a0cbc5
user-specified parameter for action Reject takes precedence over automatically determined action based on the protocol. If user chooses one of the icmp responses, it should be used even with tcp (we used to force return-rst in that case)
2011-05-29 13:36:55 -07:00
Vadim Kurland
aac598f1cc
see #2445 fixed import of tcp/udp ports defined by names; still need to test all possible names to make sure mappings work
2011-05-28 09:27:27 -07:00
Vadim Kurland
a3a07b4b42
see #2394 documenting import limitations in ChangeLog
2011-05-27 14:50:28 -07:00
Vadim Kurland
ef3102aa6a
added .gitignore for PF import tests
2011-05-27 14:45:08 -07:00
Vadim Kurland
83fc99f076
see #2435 tcp flags parsing
2011-05-27 14:35:37 -07:00
Vadim Kurland
8082f602b3
see #2436 fixed handling of the synproxy state option, minor tweaks to the grammar
2011-05-27 12:37:44 -07:00
Vadim Kurland
afdc3707de
fixes #2442 pre-processor removed the very last "\n" from the input stream which broke parser
2011-05-27 12:35:33 -07:00
Vadim Kurland
adde1d534c
see #2436 setting stateless/stateful rule option depending on combination of the "state" keyword and user-chosen version
2011-05-27 12:20:30 -07:00
Vadim Kurland
3b229be520
see #2436 , #2435 added GUI controls to let user choose host OS and version as part of the PF import process. Using this information to configure firewall object
2011-05-27 11:38:29 -07:00
Vadim Kurland
765060c29c
see #2403 added test case file; fixed import of icmp services, added test case file; other fixes
2011-05-26 22:30:07 -07:00
Vadim Kurland
e89cc24466
see #2403 added ability to import clause en0:network; stubbed import of en0:broadcast
2011-05-26 21:29:12 -07:00
Vadim Kurland
68bc1ec263
see #2394 populating policy rules with services
2011-05-26 18:45:05 -07:00
Vadim Kurland
cc7fb3c1b0
fixing typo
2011-05-26 14:42:18 -07:00
Vadim Kurland
a814b38c0f
Merge branch 'pf_import' into development
2011-05-26 14:29:45 -07:00
Vadim Kurland
ca77bbb51c
re-ran tests for iptables
2011-05-26 14:29:14 -07:00
Vadim Kurland
a544492ced
see #2434 "PF compiler should use 'self' keyword where
appropriate". Compiler for PF now uses keyword 'self' in rules
where firewall object is used in Source or Destination.
2011-05-26 14:13:26 -07:00
Vadim Kurland
29bf29f892
see #2394 grammar clean-up; creating policy rules in the right ruleset and renumbering rule set in the end
2011-05-26 12:06:50 -07:00
Vadim Kurland
e10ab65393
see #2394 creating policy rules with src and dst populated; parsing and creating address tables and groups of addresses
2011-05-25 23:57:27 -07:00
Vadim Kurland
ea9c28fda1
See #2394 grammar can parse most of the sample pf.conf files, including important ones
2011-05-25 18:57:44 -07:00
Theron Tock
b6f2d7d921
Merge branch 'development' of ssh://ncgit/var/git/fwbuilder into development
Conflicts:
src/libfwbuilder/src/fwbuilder/fwbuilder.pro
2011-05-25 15:05:56 -07:00
Theron Tock
52c0bce5d2
Remove ^Ms from file
2011-05-25 15:01:22 -07:00
Vadim Kurland
439f8240ba
see #2394 checking pf.conf file before import to determine if it is designed in the style not using keyword "quick". We can not import config like that
2011-05-24 23:01:41 -07:00
Vadim Kurland
db8ae42ad1
grammar matches port ranges; better grammar for ipv6
2011-05-23 19:03:49 -07:00
Vadim Kurland
12abcf9533
minimal grammar to match "from" and "to", both addresses and ports
2011-05-22 23:17:05 -07:00
Vadim Kurland
9be69950eb
preprocessor for the pf.conf file: unfolding long lines and macro substitutions
2011-05-21 20:12:39 -07:00
Vadim Kurland
64661383cc
Merge branch 'development' into pf_import
2011-05-20 16:22:19 -07:00
Vadim Kurland
bf41a75454
build 3544
2011-05-20 10:33:22 -07:00
Vadim Kurland
af8031a87a
building with mingw on windows
2011-05-19 19:22:58 -07:00
Vadim Kurland
ad73a04eae
fixes #2421 windows build failure
2011-05-17 13:56:25 -07:00
Vadim Kurland
24314576f4
see #2420 fixed the function (forgot to return value)
2011-05-17 12:45:48 -07:00
Vadim Kurland
c91740d366
build 3543
2011-05-17 12:00:43 -07:00
Vadim Kurland
ea7f28e1ef
* FWObjectDatabase_tree_ops.cpp (merge): see #2420 "Crash when
selecting New Firewall and existing firewall has interface that is
locked". Fixed GUI crash that happened on some operations if an
object in the tree was locked. For example, if the user locked an
interface of one of the firewall objects and then proceeded to
create new firewall object, the GUI would crash. The problem was
not limited to locking specifically interface objects.
2011-05-17 11:56:21 -07:00
Vadim Kurland
6dcf4026c6
see #2408 catching exceptions in FWBApplication::notify()
2011-05-17 10:56:16 -07:00
Vadim Kurland
2e11bc22da
pf import: first draft of the grammar (still does nothing useful), importer class skeleton
2011-05-17 10:05:33 -07:00
Vadim Kurland
8c4fd89855
upgraded large_policy_test.fwb, added test case for branch rules and Classify
2011-05-16 14:09:36 -07:00
Vadim Kurland
25bf50d6a0
fixes #2401 fixed typo
2011-05-15 23:04:01 -07:00
Vadim Kurland
4eb655a9ea
see #2415 call notify() from undo/redo methods of FWCmdRuleNegateRE command
2011-05-15 23:01:59 -07:00
Vadim Kurland
ac4e1bfb62
see #2411 implemented import of iptables rules with target CLASSIFY
2011-05-15 22:47:55 -07:00
Vadim Kurland
b13e56d7d3
see #2414 permit menu item delete for the AttachedNetworks object
2011-05-15 22:26:46 -07:00
Vadim Kurland
edd7f352d0
see #2413 , #2414 do not allow user to copy/paste or duplicate AttachedNetworks object
2011-05-15 19:25:31 -07:00
Vadim Kurland
d2e74f445d
minor tweak for the test - added "catch all" rule in ipv6 branch to make sure it compiles for ipv6
2011-05-15 12:04:24 -07:00
Vadim Kurland
7739ebbcd2
adding missing files
2011-05-15 10:48:58 -07:00
Vadim Kurland
04545f9818
applied patch per SF bug 3302219
"unit tests are badly portable"
2011-05-14 22:47:37 -07:00
Vadim Kurland
e149666e51
updated unit test data files
2011-05-14 22:16:46 -07:00
Vadim Kurland
1199fd926a
see #2405 "Tag and classify actions dont work properly with branches".
When branching rule points to a rule set that has rules with Tag and
Classify options, branching should occur in mangle table even when
checkbox "create branch in mangle table" is not checked. The fix in
this change is tentative as it creates branch in chains PREROUTING,
POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in
POSTROUTING, this may create conflict. Need to test more.
2011-05-14 15:46:23 -07:00
Vadim Kurland
c8cc37a6f1
see #1580 re-ran tests
2011-05-14 15:45:10 -07:00
Vadim Kurland
f0dc79359e
* AttachedNetworks.cpp (AttachedNetworks): see #1580 New object
type: network object that automatically matches subnets an
interface is attached to. The object can be a child of an
interface. The object is optional and is not created automatically
for all interfaces; user can add it using context menu associated
with an interface. Dialog for this object allows editing of the
name and comment. List of network addresses represented by this
object is always generated automatically. Compiler for PF
translates this object to "en0:network" construct that is
supported by PF. Compiler for iptables expands it to the list of
ipv4 and ipv6 networks defined by the addresses of the parent
interface if interface has static addresses. If interface is
configured as "dynamic" and has no address in fwbuilder, then
compiler treats AttachedNetworks object as run-time and uses shell
function to determine network addresses during activation of the
firewall script. Compilers for other firewall platforms always
treat this object as compile-time and abort if it is used with
dynamic interface.
2011-05-14 14:44:00 -07:00
Vadim Kurland
6f9add86c3
* PolicyCompiler_ipt.cpp (processNext): see #2402 "Tag action
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
;
2011-05-13 18:21:56 -07:00
Vadim Kurland
a787f35fd0
see #2401 "Deprecating
Route option for iptables"
2011-05-13 16:14:34 -07:00
Vadim Kurland
2b67a0a491
see #2399 , #2340 rules that require tagging, classification or routing are now split so that regular actions such as Accept are implemented using normal rules in the table "filter" and rules in table "mangle" only implement tagging, classification and routing. See ChangeLog for longer description
2011-05-13 13:06:42 -07:00