mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-24 12:17:26 +01:00

412 Commits

Author SHA1 Message Date
Vadim Kurland
7346c32f2f fixes #462 ; adds a check to avoid running ifenslave -d if there are no slaves; updates "last_modified" attribute when interfaces or any other child object of the firewall is modified 2009-09-24 04:04:22 +00:00
Vadim Kurland
ff97b6bf33 incremental updates for bonding interfaces. Refs #261 #265 #454 2009-09-24 00:03:52 +00:00
Vadim Kurland
23ee2d9531 merge from v3_1_merge 2009-09-23 17:00:48 +00:00
Vadim Kurland
1cae16c2da updated changelog wording 2009-09-18 19:10:44 +00:00
Vadim Kurland
a4f248a1f1 changelog record 2009-09-18 18:24:35 +00:00
Vadim Kurland
b97470d09e 2009-09-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
expand "interface" rule element which uses negation, skip
unprotected interfaces.
2009-09-18 18:02:56 +00:00
Vadim Kurland
e87fbb5adf * RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): Fixed
security vulnerability in the generated script that was caused by
incorrect creation of a temporary file. The problem made generated
script vulnerable to symlink attacks. The vulnerability only
affected systems where Firewall Builder was used to generate
static routing configuration on Linux.
2009-09-16 21:35:59 +00:00
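The class of bug named in this commit, shown as an added example in Python (this is not fwbuilder's code and not the generated routing script it fixed): a temporary file created at a fixed, guessable path lets a local attacker plant a symlink there first, so that a privileged writer follows the link and overwrites whatever it points to. The names `naive_write`, `safe_write`, `safe_tempfile` and the `routes.tmp`/`victim` paths are assumptions made for the illustration, and the scenario runs in a throwaway directory rather than in /tmp.

```python
import os
import tempfile


def naive_write(path, data):
    """Insecure pattern: a fixed, guessable path opened with plain open(),
    which silently follows a symlink an attacker planted there first."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write(path, data):
    """Hardened: create-or-fail (O_EXCL) and never follow a link (O_NOFOLLOW),
    so a pre-planted symlink makes open() fail instead of redirecting the write."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def safe_tempfile(directory):
    """Preferred fix: let mkstemp choose an unpredictable name and create it
    atomically (the equivalent of `mktemp` in a generated shell script)."""
    fd, path = tempfile.mkstemp(prefix="routes.", dir=directory)
    return fd, path


def demonstrate():
    """Constructed scenario (assumed names). Returns a tuple:
    (victim content after the naive write, whether safe_write refused,
     whether the mkstemp name differs from the guessable one)."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim")        # stands in for a root-only file
        with open(victim, "w") as fh:
            fh.write("original\n")

        planted = os.path.join(workdir, "routes.tmp")   # predictable name the attacker guessed
        os.symlink(victim, planted)                     # attacker wins the race by going first

        naive_write(planted, "attacker-controlled\n")   # follows the link: victim is clobbered
        with open(victim) as fh:
            clobbered = fh.read()

        try:
            safe_write(planted, "attacker-controlled\n")
            refused = False
        except OSError:                                 # FileExistsError or ELOOP
            refused = True

        fd, tmp_path = safe_tempfile(workdir)
        os.close(fd)
        unique = os.path.basename(tmp_path) != "routes.tmp"
        return clobbered, refused, unique


if __name__ == "__main__":
    print(demonstrate())
```

In a generated shell script the same fix is `tmp=$(mktemp)` (optionally `mktemp -t routes.XXXXXX`) with a `trap 'rm -f "$tmp"' EXIT`; writing to `/tmp/<fixed-name>` from a script that runs as root is exactly the pattern the commit removes.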
Vadim Kurland
be2a40136a 2009-09-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
fixed bug (no #): policy compiler for Cisco IOS ACL did not add
icmp type to the generated ipv6 access-list statements for rules
that matched ICMPv6 services.
2009-09-06 02:34:31 +00:00
Vadim Kurland
5d1ca8d171 * instDialog_ui_ops.cpp (instDialog::addToLog): fixed bug #2847263
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
2009-08-31 01:12:48 +00:00
Vadim Kurland
da010e1c3e * PolicyCompiler_pf.cpp (SplitDirection::processNext): applied
patch per #2844561: "PF Compiler Direction Both Duplicate for
Route Action". Need to split the rule if direction is Both
and action is Route.
2009-08-27 17:10:20 +00:00
Vadim Kurland
c423987190 * newFirewallDialog.cpp (newFirewallDialog::templateSelected):
fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed
if user clicked "next" in the new firewall dialog to open page
with templates, then clicked "Back" and then "Next" again.
2009-08-27 16:59:30 +00:00
Vadim Kurland
d11a393ab3 2009-08-27 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::select): fixed bug
#2845667 "Crash after find object". When host object was found
using "Find object" function while searching by ip address,
clicking on the selected host in the tree caused crash.

* VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7
2009-08-27 16:44:38 +00:00
Vadim Kurland
5aaea155ec 2009-08-12 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
2009-08-12 17:51:41 +00:00
Vadim Kurland
213d270623 * PolicyCompiler_pf_writers.cpp (PrintRule::processNext): For bug
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule options and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.

* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF".  The name of the XML
attribute used to hold the value of the "modulate state" option was
entered incorrectly in the dialog.
2009-08-10 22:33:16 +00:00
Vadim Kurland
830033c295 2009-07-28 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
extra white space after tcp port spec if source port match was not
used in the rule.

* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
patch per bug report #2828633: "Patch: Warning when changing rule
direction in compiler". This adds warning when rule direction is
changed by the compiler because object in source or destination
was firewall itself.

* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
change per bug #2828602: "PF Compiler Direction Both no
Duplication Patch". PF rules with direction "both" used to be
split to make two rules, one with direction "inbound" and another
with direction "outbound". This was an artefact of old rule
generation model where user could choose to permit everything
outbound and only generate inbound rules, or generate both inbound
and outbound rules. Since we now always generate both in and out
rules and PF matches both directions when neither "in" nor "out" is
specified, this splitting has become redundant.
2009-07-29 01:42:55 +00:00
Vadim Kurland
34fee341d3 better way to optimize for "-i + ", "-o +" 2009-07-27 05:34:12 +00:00
Vadim Kurland
674589476e 2009-07-19 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
2009-07-19 19:17:42 +00:00
Vadim Kurland
8376a78208 2009-07-18 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668:
"MDI window glitch". If the GUI had two or more MDI windows and
user moved rules in one of them, the GUI switched to another after
the operation was complete.
2009-07-18 20:16:26 +00:00
Vadim Kurland
5b284dc12d fixed bug #2823424; minor reformatting 2009-07-18 03:27:58 +00:00
Vadim Kurland
664c564037 * PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
fixed bug #2822098: "IPT: adds useless "-i +" in some cases".
Added optimization to remove redundant "-i +" and "-o +" if
chain is INPUT or OUTPUT.
2009-07-16 00:30:12 +00:00
Vadim Kurland
92abc2b58e * PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
2009-07-14 23:59:02 +00:00
Vadim Kurland
ef15df93fc * PolicyCompiler_PrintRule.cpp, NATCompiler_PrintRule.cpp: fixed
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!")  is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "!  --option arg".
2009-07-14 21:26:34 +00:00
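The two iptables syntax decisions made in the three commits above (dropping a redundant `-i +`/`-o +` in INPUT and OUTPUT, and switching from `-i ! eth0` to the extrapositioned `! -i eth0` once the target runs iptables 1.4.3 or later), carried through as an added Python example. This is not fwbuilder's compiler code; the function names, the version-tuple comparison and the `build_rule` helper are assumptions for the illustration.

```python
def parse_iptables_version(version_string):
    """'1.4.3.2', 'v1.4.3' or the 'iptables v1.4.3.2' banner -> (1, 4, 3, 2)."""
    token = version_string.strip().split()[-1].lstrip("v")
    return tuple(int(part) for part in token.split(".") if part.isdigit())


def uses_extrapositioned_negation(version_string):
    """From 1.4.3 on, iptables warns on '--opt ! arg' and expects '! --opt arg'.
    Tuple comparison handles four-component releases such as 1.4.3.2."""
    return parse_iptables_version(version_string) >= (1, 4, 3)


def option_match(version_string, option, value, negate=False):
    """Render one matcher: '--dport 22', '--dport ! 22' or '! --dport 22'."""
    if not negate:
        return f"{option} {value}"
    if uses_extrapositioned_negation(version_string):
        return f"! {option} {value}"
    return f"{option} ! {value}"


def interface_match(version_string, chain, option, interface, negate=False):
    """Interface matcher with the '-i +' optimisation: '+' means any interface,
    so in INPUT and OUTPUT an unnegated '-i +' / '-o +' is dropped entirely."""
    if option not in ("-i", "-o"):
        raise ValueError("interface option must be -i or -o")
    if interface == "+" and not negate and chain in ("INPUT", "OUTPUT"):
        return ""
    return option_match(version_string, option, interface, negate)


def build_rule(chain, matches, target):
    """Assemble '-A <chain> <matches> -j <target>', skipping empty matchers."""
    parts = ["-A", chain] + [m for m in matches if m] + ["-j", target]
    return " ".join(parts)


if __name__ == "__main__":
    for version in ("1.4.2", "1.4.3.2"):
        rule = build_rule("INPUT", [
            interface_match(version, "INPUT", "-i", "lo", negate=True),
            "-p tcp",
            option_match(version, "--dport", "22"),
        ], "ACCEPT")
        print(version, "->", rule)
```

Note the asymmetry the commits rely on: a single negated interface is cheap to express with `!`, whereas the older expansion multiplied the rule across every other interface of the firewall, which is both slower to load and harder to audit.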
Vadim Kurland
8ae2ef2d9c * iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
2009-07-13 23:14:55 +00:00
Vadim Kurland
a08e47cc69 * ACL.cpp (ciscoACL::addRemark): fixed bug #1778536 "IOSACL -
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
2009-07-13 15:45:49 +00:00
Vadim Kurland
2927b4188b * printerStream.cpp (printerStream::printQTable): fix bug
#2807724: "Print out FWB still not ok". Taking into account hidden
table rows associated with rule groups while printing rule sets.
Before this fix some rules disappeared between pages in the
printout.
2009-07-12 19:13:18 +00:00
Vadim Kurland
2673abb494 * OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::processFirewallOptions):
fixed bug #2820162 "Bad sysctl name for OpenBSD pf" - the sysctl
argument for IPv6 forwarding was incorrect.
2009-07-12 02:21:32 +00:00
Vadim Kurland
251aaddd54 started 3.0.6
2009-07-11  vadim  <vadim@vk.crocodile.org>

* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
2009-07-12 02:03:46 +00:00
Vadim Kurland
d5b4cc92f1 merge from v3 2009-06-11 23:45:45 +00:00
Vadim Kurland
a8393d34d7 2009-06-11 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
implemented feature request #1778536: "IOSACL - remark command".
This adds support for the "remark" command in generated IOS
ACL configuration. Controlled by the checkbox "Add ACL remarks"
in the "Script" tab of the firewall object settings dialog.
2009-06-11 20:17:10 +00:00
Vadim Kurland
f9eb5e1a8c 2009-06-09 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF".  NAT rules matching source port ranges and translating source
port ranges should be possible.

* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
changing sport is broken".  NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
2009-06-09 22:36:41 +00:00
Vadim Kurland
37cb4e4afa 2009-06-08 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
2009-06-08 20:03:24 +00:00
Vadim Kurland
71ca455795 2009-06-08 vadim <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generates "-j SNAT --to-source :<port>"
with no address part.
2009-06-08 17:04:53 +00:00
Vadim Kurland
34be1c5f47 2009-06-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed
bug (no #): compiler for PF did not remove rules using IPv4
objects while compiling policy set to be "combined IPv4 and IPv6"
for IPv6 and vice versa. As the result, it used to double some
rules because they would appear both in IPv4 and IPv6 sections of
generated .conf file.
2009-06-06 20:19:10 +00:00
Vadim Kurland
8ed50dc028 merge from v3 2009-06-05 17:15:59 +00:00
Vadim Kurland
0815275873 2009-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.

* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists can not match source routing
options set in IPService object, compiler should issue an error
and abort processing when an object like this is encountered in a
rule.

* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".

* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
2009-06-05 16:58:28 +00:00
Vadim Kurland
94ac7dd955 2009-06-04 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
#2801362 "Iptables policy import does not handle rules with
ESTABLISED". Policy importer for iptables should properly
handle rules that use combination of a "-p protocol" and
match state "RELATED,ESTABLISHED". Example:
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
This rule should translate into fwbuilder rule using CustomService
object with code "-m state --state RELATED,ESTABLISHED"
and protocol spec "tcp".
2009-06-04 20:35:53 +00:00
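The import case described in this commit, as an added Python example (not the importer in IPTImporter.cpp): a small parser that splits one `iptables -A` rule into the pieces the importer needs and turns a match-module clause it cannot map to a built-in service into a CustomService carrying the verbatim code plus the `-p` protocol. The function name, the result dictionary layout, and the decision to treat `-m tcp`/`-m udp` as part of the port match rather than as a custom clause are assumptions; `!` negation and match options without an argument are deliberately rejected rather than guessed.

```python
import shlex


def parse_iptables_rule(line):
    """Parse one `-A CHAIN ... -j TARGET` rule (assumed subset of iptables syntax).

    Returns chain, protocol, src/dst, sport/dport, target and, when the rule uses
    a match module such as `-m state --state RELATED,ESTABLISHED`, a
    `custom_service` holding that clause verbatim together with the protocol."""
    tokens = shlex.split(line)
    rule = {"chain": None, "protocol": None, "src": None, "dst": None,
            "sport": None, "dport": None, "target": None, "custom_service": None}
    custom_clauses = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I"):
            rule["chain"] = tokens[i + 1]
            i += 2
        elif tok == "-p":
            rule["protocol"] = tokens[i + 1]
            i += 2
        elif tok == "-s":
            rule["src"] = tokens[i + 1]
            i += 2
        elif tok == "-d":
            rule["dst"] = tokens[i + 1]
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok in ("--sport", "--dport"):
            rule[tok[2:]] = tokens[i + 1]
            i += 2
        elif tok == "-m":
            module = tokens[i + 1]
            i += 2
            if module in ("tcp", "udp"):
                continue  # its --sport/--dport options are picked up above
            # Any other match module is copied verbatim: "-m state --state X"
            clause = ["-m", module]
            while i < len(tokens) and tokens[i].startswith("--"):
                clause.append(tokens[i])
                i += 1
                if i < len(tokens) and not tokens[i].startswith("-"):
                    clause.append(tokens[i])  # the option's argument
                    i += 1
            custom_clauses.append(" ".join(clause))
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
    if custom_clauses:
        rule["custom_service"] = {"code": " ".join(custom_clauses),
                                  "protocol": rule["protocol"] or "any"}
    return rule


if __name__ == "__main__":
    # Constructed sample lines, the first one taken from the commit message above.
    for sample in ("-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT",
                   "-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT"):
        print(parse_iptables_rule(sample))
```

The protocol has to travel with the custom code: `-m state --state RELATED,ESTABLISHED` without `-p tcp` would match every protocol, so an importer that drops the protocol widens the imported rule.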
Vadim Kurland
9ac1a7801b 2009-06-03 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively):
fixed bug #2800625 "recursive groups cause infinite loop and crash
in compiler". When a group included itself, compiler used to go
into infinite loop and crash. The fix in this function also takes
care of the situation when group A referenced group B, which in
turn referenced group A again.
2009-06-03 18:24:14 +00:00
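The two cases this commit names, a group that contains itself and two groups that reference each other, handled in an added Python example (not the fix in ObjectManipulator.cpp): a where-used search that records what it has already visited, so it terminates on cyclic group membership, plus a separate check that reports the cycles so they can be rejected up front. The group/member data model (`dict` of group name to member names) and all function names are assumptions for the illustration.

```python
def direct_parents(groups):
    """Invert the membership map: object -> set of groups that list it directly."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def find_where_used(groups, target):
    """All groups that contain `target`, directly or through nested groups.
    The `visited` set is what keeps A->B->A and A->A from looping forever."""
    parents = direct_parents(groups)
    found, visited, stack = set(), set(), [target]
    while stack:
        obj = stack.pop()
        if obj in visited:
            continue
        visited.add(obj)
        for group in parents.get(obj, ()):
            found.add(group)
            stack.append(group)
    return found


def find_reference_cycles(groups):
    """Report group-to-group cycles (including a group listing itself) with a
    depth-first search, so the editor can refuse the membership edit instead of
    letting the compiler run into it later."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in groups}
    cycles = []

    def visit(group, path):
        colour[group] = GREY
        path.append(group)
        for member in groups.get(group, ()):
            if member not in groups:
                continue                      # a plain object, not a group
            if colour[member] == GREY:        # back edge: the path from member is a cycle
                cycles.append(path[path.index(member):] + [member])
            elif colour[member] == WHITE:
                visit(member, path)
        path.pop()
        colour[group] = BLACK

    for group in groups:
        if colour[group] == WHITE:
            visit(group, [])
    return cycles


if __name__ == "__main__":
    # Constructed example: B and A reference each other, C references itself.
    groups = {"A": ["host1", "B"], "B": ["A"], "C": ["C"], "D": ["A"]}
    print(find_where_used(groups, "host1"))
    print(find_reference_cycles(groups))
```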
Vadim Kurland
532209d501 merge from v3 2009-06-02 17:50:30 +00:00
Vadim Kurland
1c0c8b2010 2009-06-01 vadim <vadim@vk.crocodile.org>
* newHostDialog.cpp (newHostDialog::selectedInterface): fixed the
same error reported in bug #2799163: "crash on correcting an
error". The GUI crashed if user tried to add, then delete
interfaces in the new firewall wizard. The crash occurred when the
last interface was deleted on the page where interfaces can be
configured manually. This needed to be fixed in both "new
firewall" and "new host" dialogs.
2009-06-01 14:48:12 +00:00
Vadim Kurland
d5ba3cfbaa * FindObjectWidget.cpp (FindObjectWidget::findNext): fixed bug
#2799315 "Find object" cant find object in rules of opened
firewall.  If scope was set to "policy of the opened firewall",
"Find object" function could not find anything. It worked when
scope was set to "policy of all firewalls".
2009-06-01 06:04:35 +00:00
Vadim Kurland
161a6cc0e3 merge from v3 2009-06-01 03:41:07 +00:00
Vadim Kurland
86c7378f24 2009-05-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2799254
"Erratic behavior when rule is removed from the group". If user
tried to remove a rule from the middle of a group of rules, the
GUI behaved erratically. It showed two groups with the same name,
each of these two groups claimed to have more rules than it really
did. Also only one of these two groups could be collapsed at the
time. Other weird things also happened. The fix is to not allow
removing a rule from the rule group if the rule is in the middle.
2009-06-01 01:25:06 +00:00
Vadim Kurland
2592bada0a 2009-05-31 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::selectedInterface):
fixed bug #2799163: "crash on correcting an error". The GUI
crashed if user tried to add, then delete interfaces in the new
firewall wizard. The crash occurred when the last interface was
deleted on the page where interfaces can be configured manually.

* ObjectTreeView.cpp (ObjectTreeView::dragMoveEvent): fixed bug
#2799174: "Multiple instance crashes a bug". The GUI crashed if
user tried to drag and drop an object between two different
running copies. Copy/Paste and Drag&Drop between separate copies
are not supported at this time.
2009-05-31 21:22:59 +00:00
Vadim Kurland
3d13846f14 merge from v3 2009-05-30 16:17:04 +00:00
Vadim Kurland
95776701ce 2009-05-29 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): better
fix for the bug #2796760 "Display error when adding new FW with
multiple interfaces".
2009-05-29 16:15:31 +00:00
Vadim Kurland
823517ab96 2009-05-28 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject):
fixed bug #2797791: "Display error when duplicating an object".

* InterfaceData.cpp (InterfaceData::guessSecurityLevel): (change
in libfwbuilder) set security level to 0 (insecure) by
default. This makes all interfaces of the newly created firewall
be "external" or "insecure" unless they were assigned labels or
addresses from the private address space in which case
guessSecurityLevel() assigns level 100. This addresses bug
#2796760 "Display error when adding new FW with multiple
interfaces".
2009-05-28 22:17:14 +00:00
Vadim Kurland
68103fe615 2009-05-27 vadim <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (RCSViewItem::operator<): implemented feature
req. #2796238 "3.0.4 - FEAT REQ: Sort order for RCSFilePreview".
RCS file preview dialog (the one that shows RCS revisions and RCS
log records) can display revisions in the tree or list view style,
controlled by radio-buttons. Style setting is saved in user
preferences and persists from session to session. In both cases
the view can be sorted by revision number or date. Sort column
choice is also saved in preferences. By default program sorts by
date and selects the latest revision.

* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo):
fixed bug (no #): the GUI did not allow copying/pasting an address
from one interface to another. This should be possible.
2009-05-27 20:40:51 +00:00
Vadim Kurland
0a191e2fdd 2009-05-27 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): policy compiler for pf crashed when dynamic interface
was used in source or destination of a policy rule.

* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2793144 "Context menu item for the new User Service
object is missing".
2009-05-27 16:37:35 +00:00
Vadim Kurland
e99b995917 merge from v3 2009-05-21 17:56:35 +00:00
Vadim Kurland
65ce16dc55 2009-05-21 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): (finally)
fixed the algorithm used to determine directory offered to the
user when they use main menu File/Open to open a file:
  1) if "work directory" is configured in preferences, always use
  it first;
  2) if it is blank, use the same directory where currently opened
  file is located;
  3) if this is the first file to be opened, use the same
  directory user used last time they ran the program (saved in user
  settings).
2009-05-21 17:55:48 +00:00