a dynamic group are actually objects. Previously we were showing
stuff like FirewallOptions objects. To make sure that dynamic
group expansion is done the same way in the UI and for the
compiler, also fixed#2502 (consolidate logic for DynamicGroup).
There's a "data directory" setting under user preferences. If the
user selects an address table file using "choose file" and that
file is "inside" the data directory, then the appropriate part of
the path is replaced with %DATADIR% as a variable. If the address
table is marked "run-time" then the path is taken from the
firewall data directory option.
config". Compiler for PF can now preserve names of object groups,
dynamic groups, compile-time AddressTable and compile-time DNSName
objects in the generated pf.conf file. This is optional and is
controlled by a checkbox in the firewall settings dialog.
"reply-to" and "dup-to" options in both pre-4.7 and 4.7 formats. In PF
4.7 these parameters moved to the end of the rule and are now part of
the "filteropts" block of parameters.
follows source routing rule options "route-to", "reply-to" and
"dup-to". Also, since currently fwbuilder does not support source
routing rules with multiple different interface-gateway pairs (only
one interface in combination with one or multiple gateway addresses
are supported), importer displays warning and marks rules as "broken"
when it encounters this configuration.
macros". Importer now records all parser errors in the comments of
rules where they occurred and marks these rules "broken" by coloring
them red. Behavior on import of pf.conf file with undefined macros is
inconsistent at this time: undefined macro that appears in a rule
where parser expects ip addresses is converted to a run-time DNSName
object with name "$macro", a warning is displayed and rule is marked
as "broken". Undefined macro in the position of interface name, port
name or other parameters triggers generic parser error that looks like
"Parser error: line 26:19: unexpected token: $ext". The rule is marked
as "broken" and the error is recorded in the comment.
ignored". Since we can not import address lists or tables that contain
a mix of negated and non-negated items, importer should display an
error when it enounters one of these and mark all rules that use it as
"broken" (rule is colored red and error message is added to the
comment).
macros". If pf.conf file uses an undefined macro (there is $macro
somewhere but the macro has never been defined), importer issues a
warning, creates run-time DNSName object with the name "$macro" and
marks all rules where it is used as broken, that is, rules are colored
red and the error message is added to the comment field. Using
run-time DNSName object makes compiler use "$macro" in the generated
pf rule which means fwbuilder generates exactly the same pf rule as
the one it tried to import.
where possible". Importer for PF recognizes macros that define lists
of ip addresses, interfaces or host names and creates object groups
with the same name from them. Only macros that contain at least one
ip address in the list are recognized.
are not supported". Importer for PF should interpret macro
definitions that use other macros. See #2545 "PF import error when
using macro names with same base name and incrementing digit
suffix". Importer should correctly interpret a macro that has name
of another macro as a substring of its own name.
addr2, ... }" defined as macros or inside the rule could not be
imported correctly.
* pf.g: we should be able to import both "block quick log" and
"block log quick".
object that has a folder attribute that doesn't exist in the parent's
subfolders list (shouldn't ever happen, but in case it does it no longer
crashes). Also make sure that subfolders don't have commas in them.
Fixes#2539.
error (for unit tests). Also make sure to set ".loaded" variable before
calling loadFromSource so that if an exception happens we won't try to
load it again later.
Fixes#2542.
QFileDialog. There is now a single function to call,
FWBSettings::getOpenFileDir() that will compute what directory to start
in.
Cleaned out some code using QFileDialog that is never used (execDialog
and file button in CommentEditor).
Fixes#2517
compiler for PF does not need to generate protocol match "proto {tcp
udp icmp}" when service object used in the NAT rule is "any". The
reason this was done this way is lost in the mist of time; it's been
like this since very early versions of fwbuilder.
GUI usability improvements: when user double clicks on a firewall
object to open it in the editor, rule set view panel switches to
the rule set of that firewall. To decide which rule set to show,
the program scans history of the objects the user opened before in
the same GUI session and shows that firewall's rule set they
opened last. If user never opened any rule sets of this firewall,
then the first Policy object is shown. See #2465.
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have ip
addresses in fwbuilder configuration, when interface object appears in
"Translated Source" in a nat rule. When firewall object appears in
"Translated Source", it gets replaced with a set of its interfaces
which also get translated into "-> (interface)".
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
