* Compile time checking adjust includes and code for deprecated features
* QHttp class is removed from Qt5 so the custom HttpGet class is
disabled when compiling with Qt5. The api on fwbuilder.org isn't
working, so the code for getting tips and checking if a new version is
available must be rewritten anyway.
There's a "data directory" setting under user preferences. If the
user selects an address table file using "choose file" and that
file is "inside" the data directory, then the appropriate part of
the path is replaced with %DATADIR% as a variable. If the address
table is marked "run-time" then the path is taken from the
firewall data directory option.
change in other directories the dependent files don't get recompiled.
Fixed up INCLUDEPATH in various places.
Removed -pthread as an INCLUDEPATH (leads to bogus -I-pthread).
Compile/install wizard should disable "Next" button
after compile phase is done if all firewalls failed to compile
with no errors.
see #2061
Added
bunch of common shell error messages to make sure installer
recognizes them and mark install as a failure even if ssh fails
to pass termination code.
security vulnerability in the generated script that was caused by
incorrect creation of a temporary file. The problem made generated
script vulnerable to symlink attacks. The vulnerability only
affected systems where Firewall Builder was used to generate
static routing configuration on Linux.
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generate "-j SNAT --to-source :<port>"
with no address part.
;
