* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
security vulnerability in the generated script that was caused by
incorrect creation of a temporary file. The problem made generated
script vulnerable to symlink attacks. The vulnerability only
affected systems where Firewall Builder was used to generate
static routing configuration on Linux.
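The entry above describes a generated script whose temporary file was created insecurely, leaving it open to symlink attacks. As an added illustration (not Firewall Builder's actual fix or its generated script), the POSIX shell below puts the weak pattern, a predictable path under /tmp, beside the safe one: mktemp creates the file atomically with a random name and mode 0600, and a post-creation check refuses to use anything that is a symlink, missing, or group/world accessible. The function names (unsafe_tmp_path, safe_tmp_file, check_tmp_file) and the fwb_routes name prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not fwbuilder code: safe creation of a scratch file for
# generated routing commands on Linux.

# WEAK pattern (kept only for contrast, never used below): the path is
# predictable and lives in a world-writable directory, so a pre-planted
# symlink at that name would redirect the script's write elsewhere.
unsafe_tmp_path() {
    echo "/tmp/fwb_routes.$$"
}

# SAFE pattern: let mktemp create the file (random name, O_EXCL, mode 0600),
# then re-check what we got before handing the path back.
safe_tmp_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/fwb_routes.XXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# check_tmp_file PATH: exit 0 only if PATH is a regular file, not a symlink,
# and has no group/other permission bits (mode 0600).
check_tmp_file() {
    p=$1
    [ -n "$p" ] && [ ! -L "$p" ] && [ -f "$p" ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p" 2>/dev/null)
    case "$mode" in
        600|0600) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage sketch: a generated script would do
#   routes=$(safe_tmp_file) && check_tmp_file "$routes" || exit 1
#   printf 'ip route add ...\n' >> "$routes"
# and never write to a name it chose itself.
```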
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
fixed bug (no #): policy compiler for Cisco IOS ACL did not add
icmp type to the generated ipv6 access-list statements for rules
that matched ICMPv6 services.
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as the amount of text in QTextEditor increased.
fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed
if user clicked "next" in the new firewall dialog to open page
with templates, then clicked "Back" and then "Next" again.
* ObjectManipulator.cpp (ObjectManipulator::select): fixed bug
#2845667 "Crash after find object". When host object was found
using "Find object" function while searching by ip address,
clicking on the selected host in the tree caused crash.
* VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule options and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name of the
XML attribute used to hold the value of "modulate state" option was
entered incorrectly in the dialog.
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
extra white space after tcp port spec if source port match was not
used in the rule.
* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
patch per bug report #2828633: "Patch: Warning when changing rule
direction in compiler". This adds warning when rule direction is
changed by the compiler because object in source or destination
was firewall itself.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
change per bug #2828602: "PF Compiler Direction Both no
Duplication Patch". PF rules with direction "both" used to be
split to make two rules, one with direction "inbound" and another
with direction "outbound". This was an artefact of old rule
generation model where user could choose to permit everything
outbound and only generate inbound rules, or generate both inbound
and outbound rules. Since we now always generate both in and out
rules and PF matches both directions when neither "in" nor "out" is
specified, this splitting has become redundant.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668:
"MDI window glitch". If the GUI had two or more MDI windows and
user moved rules in one of them, the GUI switched to another after
the operation was complete.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". Starting with v1.4.3.1, iptables gives warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
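The two entries above (bugs #2819901 and #2821050) describe the two forms of interface negation: intrapositioned "-i ! itf" for older iptables and extrapositioned "! -i itf" from 1.4.3 on, where the old form now draws a warning. As an added example, not fwbuilder's own compiler code, the POSIX shell functions below pick the form from a version string and emit a complete rule line for a single negated interface, which is the case the first entry says should not be expanded over all other interfaces. The names version_ge, itf_match and rule_line are chosen for this illustration, and the version numbers used are constructed inputs.

```shell
#!/bin/sh
# Added example, not fwbuilder code: emit iptables interface matches in the
# negation syntax appropriate for the target iptables version.

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Missing trailing components count as 0 (1.4.3 == 1.4.3.0).
# Only purely numeric components are handled (no "rc" suffixes).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# itf_match VERSION FLAG IFNAME NEGATE
# FLAG is -i or -o; NEGATE is yes or no. Prints the match without newline.
itf_match() {
    ver=$1 flag=$2 itf=$3 neg=$4
    if [ "$neg" != yes ]; then
        printf '%s %s' "$flag" "$itf"
    elif version_ge "$ver" 1.4.3; then
        # extrapositioned: accepted silently by 1.4.3 and later
        printf '! %s %s' "$flag" "$itf"
    else
        # intrapositioned: the only form older releases understand
        printf '%s ! %s' "$flag" "$itf"
    fi
}

# rule_line VERSION CHAIN FLAG IFNAME NEGATE TARGET
# One rule for the negated interface instead of one rule per other interface.
rule_line() {
    printf 'iptables -A %s %s -j %s\n' \
        "$2" "$(itf_match "$1" "$3" "$4" "$5")" "$6"
}

# Usage: rule_line 1.4.3 FORWARD -i eth0 yes ACCEPT
```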
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
#2807724: "Print out FWB still not ok". Taking into account hidden
table rows associated with rule groups while printing rule sets.
Before this fix some rules disappeared between pages in the
printout.
2009-07-11 vadim <vadim@vk.crocodile.org>
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.