"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions ofiptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
fixed time format for the iptables parameters --datestart,
--datestop which is supposed to be ISO 8601 "T" notation but
apparently with no support for time zone designators. Timezone
desginators are an error in iptables 1.4.1.1 and 1.4.5, did not
test newer versions. Fixes#1286 SourceForge bug #2961532
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
fixes#1123, #1124
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
fixes#1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable
objects in the same rule element (source or destination) were
converted to the shell script that read addresses from the address
table files, plus wrong iptables command that matched any to any.
This change removes this extra command.
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes#883
* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes#878
