onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2025-10-17 07:57:43 +02:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ChangeLog
Vadim Kurland 00d1562d36 merging -r887:HEAD from branch v3
2009-05-06 23:42:33 +00:00

8503 lines
353 KiB
Plaintext
Raw Blame History

2009-05-06 vadim <vadim@vk.crocodile.org>
* FirewallInstallerCisco.cpp (FirewallInstallerCisco::activatePolicy):
fixed bug #2787932 "External install script is not supported for
PIX".
* fixed bug #2787857: "b847 crashes on Start". v3.0.5 build 847
links with QtDBus framework as part of the future development but
the framework file was not included in the bundle. This caused
crash on Mac OS X.
2009-05-02 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed bug
#2785671 "Menu 'Import Policy' opens wizard with wrong option
checked". The "discovery druid' dialog would open on the first
page (where user makes a choice which discovery method to use)
even when called via main menu "File/Import Policy" and radio
button for the SNMP discovery was activated.
2009-04-30 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::addTreePage): fixed
bug #2783780: using QTreeWidget::sortItems() instead of
sortByColumn to sort objects in the tree.
2009-04-29 Vadim Kurland <vadim@vk.crocodile.org>
* RoutingCompiler_pix.cpp (RoutingCompiler_pix::prolog): fixes bug
#2782645: "Can't compile for FWSM platform". Routing compiler for
PIX should accept firewall object with platform "fwsm" as well as
"pix".
* ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject):
fixes bug #2783780: "Tree objects not sorted in
3.0.4". Automatically re-sort object branch when new host or
firewall object is created so that the new object is positioned in
the alphabetic sorting order.
2009-04-27 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): for bug
#2782289: "Crashes when deleting unused host object". Added
safeguards to make it impossible to delete objects in the Standard
library, as well as for a few other cases. Waiting for a
clarification on the bug anyway.
* ObjectListView.cpp (ObjectListView::dragObject): fixed bug
#2781952: "fwbuilder (3.0.4-b794) crashes when creating a new
group". The GUI crashed if user clicked and dragged mouse inside
empty list of group members in the dialog of the new group object.
2009-04-15 vadim <vadim@vk.crocodile.org>
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall apliances
(all based on linux/iptables). This sets generate file name to
"rc.firewall.local", destination directory on the firewall to
"/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall
restart". Provided resource files for ipcop, endian and oneshield
platforms and os define default parameters, including path to
iptables and other command line tools. Generated script performs
minimal environment setting, because everything is supposed to be
set up by the aplpiance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chans
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. Prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell commands, not only iptables rules. Two new firewall
templates are provided: one for IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).
* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". Script generated by fwbuilder now
accepts standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running script with argument "stop" resets iptables
tables and chains and sets all to default policy DROP (beware!).
2009-04-11 vadim <vadim@vk.crocodile.org>
* platforms.cpp (setPlatform): Firewall platforms are grouped in
the drop-down list that appears in the firewall object dialog and
new firewall creation dialog. Platforms are grouped using XML
element <group> in the platform xml resource file.
* newFirewallDialog.cpp (newFirewallDialog::finishClicked):
remember firewall platform used to create new firewall object
between sessions. Also limit set of host OS shown in the second
combo box to only those supported by chosen firewall platform.
* VERSION: start v3.1.0
* platforms.cpp (setHostOS): fill "hsot OS" drop-down list with
OS names supported for the choosen firewall platform.
2009-04-10 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
option broken for multiple policy sets". Compiler inserted
redundant line "echo COMMIT" to the iptables script if
iptables-restore was used and there were no rules in the mangle
table.
* ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively):
fixed bug #2744798 "dependency checking failed". In case when an
object was used in a group and group used in a rule of a firewall,
the program failed to properly update "last modified" attribute
of the firewall when the object was changed.
2009-04-09 vadim <vadim@vk.crocodile.org>
* VERSION: start v3.0.5
2009-04-08 Vadim Kurland <vadim@vk.crocodile.org>
* v3.0.4 released, merged to the trunk, this comment is r796
2009-03-29 vadim <vadim@vk.crocodile.org>
* v3.0.4 release
2009-03-25 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printPort): fixed bug
#2712514: "Bug in PF NAT Writer - 'tagged' keyword". Keyword
'tagged' is only allowed on the left hand side of '->' in nat
and rdr rules.
* RuleElement.cpp (RuleElementTSrv::validateChild): (change in
libfwbuilder) fixed bug #2712575: "NAT RuleSetView allows
TagService to be in Translated Svc". TagService object should not
be allowed in "Translated Service" in NAT rules.
2009-03-24 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309:
"Bug in gui/DialogData.cpp when not using mapping.". There was a
bug in DialogData.cpp that when setting the value of a combobox
and not using a mapping array the requested value would not be
selected. Applied patch provided by Tom Judge ( tomjudge )
* platforms.cpp (init_platforms): fixed bug #2710300 "Bug in
gui/platforms.cpp". there was a discrepancy between the list of
route-to options for PF and UI elements.
* pf.cpp (main): more changes to add support for
externally-controlled policy rulesets for PF: if policy ruelset
name ends with "/*", the program assumes it is controlled by
external means and does not compile rules in it and does not
create .conf file from it.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
2009-03-23 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no #): compiler for pf added code
provided in the "prolog" section while option was set to "add
after table definitions" in the incorrect place.
2009-03-22 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2701593
"gui problem". Adding a rule to a policy with rule groups caused
weird rule display - a rule immediately above rule group header
would appear empty, with only "Source" shoring.
2009-03-19 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
temporary ACL blocks ICMPv6". Temporary ipv6 access list created
for the "safety net install" should permit icmp.
2009-03-18 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (safetyNetInstall): fixed bug #2694440 "Multiple
policies cause multiple temporary ACLs": when "safety net install"
option is used, temporary access list must be generated only once
even when firewall object has multiple rulesets.
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug #2694432 "IOS ACL syntax error with IPv6 host addresses &
"safety net"": temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.
* fwbedit: properly saving data file after "checktree" operation
2009-03-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug #2689978: "IOS ACL 'safety net' doesn't support
IPv6?". Compiler did not process properly ipv6 address entered in
the "safety net" install script option parameter.
* iosaclAdvancedDialog.cpp, pixAdvancedDialog.cpp: fixed bug
#2689987: "Typo in "script options" tab in 'Firewall settings'".
* IPv6Dialog.cpp (IPv6Dialog::changed): fixed bug #2689958 "Error
changing properties of a IPv6 address". Button "Apply" would stay
greyed out when user changed network prefix length in IPv6 address
dialog.
2009-03-12 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
few bugs (no #) in policy compiler for Cisco IPv6 ACLs:
- The "extended" keyword is not supported by IOS for IPv6 ACLs
- keyword "established" is only valid in combination with
protocol tcp. If standard CustomService objects "ESTABLISHED" and
"ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".
- command to clear ipv6 access lists should be "no ipv6
access-list ipv6_management_in"
- command to assign ipv6 acl to interface should be "ipv6
traffic-filter ipv6_acl in"
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): compiler for IOS ACL used not to ignore netmasks of
IPv4 and IPv6 objects and added them to the generated access list
with netmask wildcard bits 255.255.255.255 which was equivalen to
'any'.
2009-03-11 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if
user selected some rules that belonged to a group and few other
rules that did not belong to any group at the same time and used
context menu to place all these rules in a new group, the GUI used
to crash.
2009-03-06 vadim <vadim@vk.crocodile.org>
* ProjectPanel.h (class ProjectPanel): code clean-up: removed
obsolete method getAddOnLibs()
2009-03-05 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt.cpp (addressRangesInDst::processNext): fixed
bug #2666971 "fwb_ipt crashes when Address Range object in routing
rule". Policy compiler for iptables crashed if Address Range
object was used in "Destination" of a routing rule.
* RuleSetView.cpp (RuleSetView::insertRule),
ProjectPanel.cpp (ProjectPanel::closeEvent): fixed bug #2656815
"Copy/paste does not work properly". Fixed Copy/Paste problem with
policy rules and crash reported in this bug report.
2009-03-04 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (main), FirewallDialog::platformChanged(): fixed bug
#2662290: "fwb_iosacl crash after firewall converted from
iptables". If user changed platform setting of the firewall
object, the program preserved its old version which was invalid
for the new platform.
2009-03-02 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): finish
fixes for bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and
#2356151 "Routing broken when default route has a 0
metric". Redirect script output to a file for the time when we
remove static routing entries and add new ones to prevent ssh
session from stalling. Restore output back to the terminal when
script finishes or when an error is detected. Using idea suggested
by Heiko Helmle <helman@gmx.de>
2009-02-27 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and #2356151
"Routing broken when default route has a 0 metric". Generated
script preserved default route when it deleted route entries
before installing new ones. This was different in v2.1 where
default was deleted together with other routing entries. The
reason for this change (made some time in summer of 2008) was that
if user did not define default route in their routing ruleset, the
script would delete existing default without installing new one,
leaving firewall with no default route at all. Now the script
deletes default if there is new one to install and preserves it
otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
2009-02-21 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
bugfix (bug was introduced in build 768). If user entered
alternative activation command in the "installer" tab of the
firewall object settings dialog, the program confused it with
destination directory and tried to execute incorrect command to
copy files to the firewall. This build (770) fixes this problem.
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can
now enter sudo password. There is no need to configure firewall
management account for password-less sudo access anymore.
2009-02-19 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
fixed bug #2618772 ""test install" option does not work". If "test
install" checkbox was checked in the installer options dialog, the
program copied file to directory /etc/fw on the firewall but tried
to find it in /etc/fw/tmp to run.
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fix bug
#2618686 "built-in installer can not handle ipv6 management
address". Built-in installer did not properly for scp and ssh
command like when it had to use IPv6 address to communicate with
firewall.
2009-02-17 vadim <vadim@vk.crocodile.org>
* Management.cpp (Management::fromXML): (change in libfwbuilder):
fixed bug #2609796 "internal object Management does not accept
ipv6 address". Class Management should accept ipv6 address. The
problem was that if an interface of the firewall had only ipv6
address and was marked as "management" interface, saving such
configuration to .fwb file created broken data file that could not
be loaded back. The error was:
The program encountered error trying to load data file.
The file has not been loaded. Error:
Exception: Invalid IP address: 'aaaa:bbbb:cccc::1'
XML element : Management
where aaaa:bbbb:cccc: is ipv6 address.
2009-02-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is
on". Example: IPv6 policy, rule where fw object and internal
network are in source, destination is "any". If option "assume
firewall is part of any" was turned off and ipv6 forwarding was on
but ipv4 forwarding was off, this rule did not yield any iptables
commands in generated script.
* iosaclAdvancedDialog.cpp (iosaclAdvancedDialog::accept): fixed
bug #2597949 "GUI crash in IOS ACL "advanced" settings
dialog". GUI crashed upon click OK in the firewall settings dialog
for the IOS ACL firewall.
2009-02-06 vadim <vadim@vk.crocodile.org>
* src/gui/Icons/accept_25.png: fixed bug #2565164 "Colorblind
friendly Accept & Deny Icons". Accept and Deny icons were
indistinguishable for red-green colorblind people. New icons
incorporate standard symbolics for the "Aceept" and "deny"
functions to make them sufficiently different besides the color.
2009-02-05 vadim <vadim@vk.crocodile.org>
* src/res/os/linux24.xml.in: fixed bug #2568819 "generated script
created on windows is not executable". If the GUI runs on Windows,
produced .fw script lacks executable permission bit ('x') when it
is copied over to the firewall with pscp.exe. Because of this,
activation command "sudo -S /etc/fw/script.fw" can not run it and
installation fails. Need to run "chmod" as part of the activation
sequence. (We used to run chmod as part of the copy sequence when
copying was done with ssh/plink.exe. Now that the copy is done
with scp/pscp.exe, there is no way to change permissions bits on
the firewall side during copy).
* OSConfigurator_linux24.cpp: add empty line after user's code
in prolog and epilog shell functions to make sure shell syntax
is not violated if user does not end prolog or epilog code
with linefeed.
2009-01-31 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic
rules for filter table included twice in iptables". If user had
two policy ruleset objects marked as "top" rule set, then
automaitc rules were added twice.
2009-01-27 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): bug #535146: "firewall script: exit code for
ip6tables overwrites iptables". If generated iptables script used
iptables-restore to activate the policy and contained both ipv4
and ipv6 iptables policies, return code from iptables-restore was
overwritten with return code from ip6tables-restore and only the
latter was returned as the return code of the script. To fix this,
prolog and epilog commands were moved to shell functions
prolog_commands and epilog_commands which are called from various
places in the script. Script checks return code of
iptables-restore and ip6tables-restore and if an error is detected
from either, it runs epilog_commands and terminates, returning
error code obtained from iptables-restore (or
ip6tables-restore). In case of error, we always run epilog but do
not turn ip forwarding on in the kernel. Also, if prolog place is
set to "After iptables reset" in the GUI and script uses
iptables-restore, prolog commands are executed just before
iptables rules are sent to iptables-restore. This means if
iptables-restore is used, position "after iptables reset" is
equivalent to position "on top of the script". If iptables-restore
is not used and prolog position is "after iptables reset", then
prolog commands are executed right after the script flushes all
chains in all tables and sets deault policy for all chains. Other
positions of prolog commands in the script (on top and after
interface configuration) are naffected and work as before.
2009-01-24 vadim <vadim@vk.crocodile.org>
* objects_init.xml.in: Added CustomService object "ESTABLISHED
ipv6" which defines code for iptables, ipfw and IOS extended
access lists for IPv6.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
fixed behavior or policy compiler for ipfw which was broken in
rev714 - it should print protocol "tcp" when custom service object
that adds option "established" is used. This compiler worked like
that before attribute "protocol" was added to the CustomService
object.
* platforms.cpp (getReadableRuleElementName): code refactoring:
made it possible to translate ruleset table column
names ("Source", "Destination" etc.). Currently only Russian
translation is provided.
2009-01-23 vadim <vadim@vk.crocodile.org>
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::createQTWidgetItem):
fixed bug #2412334: "feature request: where used ->
directly". There has been a change in the "Where used" function in
v3.0 compared to the implementation in v2.1. New version showed
not only rule elements and groups that referred to the given
object, but also found all groups that referred to other groups
that referred to the given object. Such recursive action was not
always obvious to the user and was inconvenient when the function
was used to find all places where given object was used with the
goal to replace it with some other object. This fix reverts to the
old behavior where only direct usages are reported by the "Where
used" function. Elements of UI in this function have also been
cleaned up and further unified with confirmation dialog shown when
user tries to delete an object that is used in some groups and
rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printChain): fixed bug
#2507239: "length of iptables rule chain names not
checked". Iptables does not allow chain names longer than 30
characters; policy compiler fwb_ipt should check for this.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
introduced when support for module iprange was sadded. Need
special check for AddressRange objects where start and end of
range addresses are equal.
* NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no
#): the GUI used to check ip address entered for the network
object whenever user switched focus from the address input widget
in the network object dialog to another widget or even a different
application to look up the address. This caused the program to
show error dialog if this happened when the address was
incomplete. This change makes the program verify the address only
when user clicks "Apply".
2009-01-19 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareFileOpenRecentMenu): Added menu
Files/Open Recent. This implements feature req. #2499615 "open
last used file".
* FWWindow.cpp (FWWindow::startupLoad): open StartTipDialog from
FWWindow rather than main() to make sure this dialog always
remains on top of the main window.
* ProjectPanel_file_ops.cpp (ProjectPanel::autoSave): fixed bug
#2499569: "fwbuilder crashes after some hours". The auto-save
function now saves data file only if it has been
modified. Frequent saves exasperate small memory leaks that appear
in some old versions of libxml2.
2009-01-17 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (FWWindow::filePrint): fixed bug (no #): the
GUI crashed if user tried to use File/Print function when no
ruleset was opened in the right hand panel.
* printerStream.cpp (printerStream::printQTable): Applied patch by
Paul@Auroragrp.Com that fixes problems with printing long rule
sets. If rule set printout exceeded the length of the page, some
rules at the bottom were cut off and lost. The patch corrects the
problem by taking into account printer dpi while calculating
position for page breaks.
2009-01-11 vadim <vadim@vk.crocodile.org>
* unknown.xml.in: fixed bug #2486558 "firewall platform "unknown"
should support basic actions".
2009-01-10 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromCrawler): bug
#2023261 "IPv6 - SNMP discovery of interfaces not working for
IPv6". SNMP discovery can now read IPv6 addresses of interfaces
using IP-MIB RFC4293. Not all snmp agents support this MIB, for
example only recent versions of net-snmp support it.
* starting with v3.0.4 build 739 snmp discovery is supported on
Windows.
2009-01-06 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_iosacl_writers.cpp (PrintRule::PrintRule): fixes
to make code compile on Windows.
2009-01-05 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile):
fixed bug (no #): routing compiler for pix refused to add more
than one routing rule with an error saying that other rules were
duplicates. Error was introduced in build 732.
2009-01-02 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile):
Added support for generation of "ip route" commands for Cisco IOS.
Variant of Cisco IOS "ip route" command where gateway is the name
of one of the interfaces of the router is also supported. To get
this, put interface object in the "gateway" column of the routing
rule.
* pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column
"interface" only for platforms that require it. Currently IOS does
not require it, while other platforms for which routing commands
generation is supported require it (iptables and PIX).
2009-01-01 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_cisco.cpp: refactored PIX routing compiler by
steven@openbsd.org to use it as a foundation of the routing
compiler for both PIX and Cisco IOS (r731).
* RoutingCompiler_pix.cpp: applied patch by Steven Mestdagh
<steven@openbsd.org> that adds support for static routing
configuration for PIX. Patch tested and applied in r726.
2008-12-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::copyRule): fixed bug #2478528:
"Crash when copying multiple policy rules". GUI crashed if user
tried to copy/paste several rules, some of which belonged to rule
group and some did not.
2008-12-30 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_clampTcpToMssRule):
bug #2477775: "Clamp MTU doesn't work in ip6tables". iptables
target TCPMSS is available in ip6tables only in 1.3.8 and later.
* unfortunately the package is not going to work on Tiger because
of the mismatch in versions of libnetsnmp library. If this library
is packaged with the bundle, the program crashes because the code
in libnetsnmp v15.1.0 (that comes with Leopard) depends on
functions missing in libSystem on Tiger. If libnetsnmp is not
packaged with the bundle, then stubs linked with the GUI on
Leopard do not match libnetsnmp that comes with Tiger (older
version). So, even though we now have universal Mac OS X binary,
it will only work on Leopard.
2008-12-29 vadim <vadim@vk.crocodile.org>
* FirewallInstallerUnx.cpp (FirewallInstallerUnx::executeInstallScript)
bug #2474949: "External install script: trailing spaces". Trimming
leading and trailing white spaces in the external installation script
and its arguments before running it.
* runqmake.sh: starting with v3.0.4 build 717, building universal
binary for Mac OS X (both x86 and ppc architectures)
* bug #2474194 "Please Provide MacOS X PowerPC Builds": debugging
universal binary package for Mac OS X, trying to make it work on
Tiger as well
2008-12-28 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
support for the CustomService in compiler for IOS ACL, including
support for address family, protocol and code string parameters.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
support for the new "protocol" parameter of the CustomService
object in compilers for ipfilter and ipfw.
* NATCompiler_pf_writers.cpp (PrintRule::_printProtocol):
'checking for "proto ..." in the custom service code string before
printing protocol part in policy and nat compilers for pf.
2008-12-27 vadim <vadim@vk.crocodile.org>
* feature req. #1111267 "CustomService should specify protocol and
parameters for it". Support for protocol string in Custom Service
in compilers for iptables and PF.
* CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject):
feature requests #1111267 "CustomService should specify protocol
and parameters for it" and #2463048 "custom services should have
IPv4/v6 setting". Added corresponding input elements to the
CustomService object dialog.
* CustomService.h (libfwbuilder): feature requests #1111267
"CustomService should specify protocol and parameters for it" and
#2463048 "custom services should have IPv4/v6 setting". Added
attributes "protocol" and "address_family" to the CustomService
object. Corresponding XML attributes are "#IMPLIED", this helps
avoid having to provide XSLT auto-upgrade script for this
version. Class CustomService returns "any" for the protocol and
"ipv4" for address family if these attributes are missing.
2008-12-25 vadim <vadim@vk.crocodile.org>
* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.
2008-12-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
2008-12-21 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::heartBeat): built-in installer
periodically "pings" the other end to keep ssh session alive. This
helps recreate state in the firewall state table if it is cleared
when rules are reloaded, which in turn prevents installer from
hanging.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
Deprecated options "generate commands for both in and out" and
"pass all outgoing" in compiler for PF. Before, user could choose
whether compiler was to generate only commands to match inbound
packets or both inbound and outbound. The distinction between
these two modes became very minimal in the recent versions of
fwbuilder because algorithm was mostly controlled by the setting
of "direction" in the policy rules. Now these two options have
been removed completely, the behavior of the compiler is as if
option "generate both in and out" was used.
* pf.cpp (main): Compiler can add command "pfctl -F states" after
command "pfctl -f file.conf" to flush states that existed in
memory from sessions opened prior to the policy reload. The reason
is that some of these sessions might be denied by the new policy,
but if state is not flushed, they will still work after policy
reload. This is optional and is controller by checkbox in the
"Script" tab of the "advanced" settings dialog for the PF
firewall.
2008-12-20 vadim <vadim@vk.crocodile.org>
* PrintingController.cpp (PrintingController::addObjectsToTable):
fixed bug #2388067: "Print out FWB 3.0.3 not ok". File/Print
function failed to print objects used by rules of the firewall.
2008-12-19 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::loadFile): Implemented
feature request #2412323: "feature request: command line flag to
skip RCSFilePreview". New command line switch "-r" makes the GUI
automatically open RCS head revision of the file given on command
line if the file is in RCS. If the file is not in RCS, the new
switch does nothing and the file is opened as usual.
2008-12-18 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::renameGroup): fixed bug #2412310:
"Umlauts in group names". The GUI should properly handle non-ascii
characters in the rule group names
2008-12-15 vadim <vadim@vk.crocodile.org>
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6. Compiler
processes rulesets like this twice, first for ipv4 and then for
ipv6. On each pass it will only use address and service objects
that match address family it uses for the ruleset. This also
applies to "compile-time" DNSName objects, that is, it will use
getaddrinfo() to get AF_INET address on ipv4 pass and AF_INET6 on
ipv6 pass.
Rules with "any" in rule elements in the "dual address family"
ruleset yield iptables commands for both families. This was the
reason I made setting exclusive in the first place. This means
that users who do not want fwbuilder to generate ipv6 policy for
them and want all ipv6 accepted, should not use "dual address
family" setting. If the do, the bottom catch-all rule will install
ip6tables command to block all ipv6 automatically even if all
rules have absolutely no ipv6 objects at all.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
2008-12-13 Vadim Kurland <vadim@vk.crocodile.org>
* VERSION (VERSION): started v3.0.4
* v3.0.3 released, merged to trunk. This comment is -r689
2008-12-08 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2407141
"label markers". Color label text set in Preferences was not used
in the contet menus where user can actually apply those colors to
rules.
* RCS.cpp: fixed bug #2405909: "Umlauts in RCS log". RCS log is
stored in RCS file in Utf8, need to convert it back from Utf8 on
read. Technical note: rcs tools on windows do not seem to process
properly rcs comments converted with toLocal8Bit, comment text
comes out as '????' when inspected with rlog.exe from the command
line. Comment text stored in Utf8, on the other hand, appears
intact even though it can not be read in the output of rlog.exe.
2008-12-07 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change
in libfwbuilder) additional fixes in algorithm that recursively
copies object subtree between different data files. Making sure we
do not create duplicates of groups referred to by other groups.
* ObjectManipulator.cpp (ObjectManipulator::pasteObj): changes to
speed up GUI when user copies many objects between different data
files (do not reload and redraw object tree widget until last
object is copied). Refactoring of the pasteObj to keep the same
object ID mapping table for the duration of the bulk paste
operation, this helps deduplicate objects. Also using the same
".copy_of_NNNN" object attribute to deduplicate objects.
2008-12-06 Vadim Kurland <vadim@vk.crocodile.org>
* iptables.g: Changes in grammar for iptables: removed
ambiguitiesin parser; added lexer rules for elements of ipv6
address. Rules for IPV6 address parsing do not work yet, commented
out as work in progress. No new functionality in the parser for
iptables, only clean-up and preparations for ipv6.
2008-12-05 Vadim Kurland <vadim@vk.crocodile.org>
* InetAddr.cpp (InetAddr::toString): (change in libfwbuilder):
Should use bits==128 because inet_net_ntop_ipv6 on FreeBSD applies
mask constructed from the bits argument to the result, so with
bits==0 it always returned "::/0"
2008-12-04 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::closeEvent): (fixed bug (no #):
need to check if object in the object editor panel has been
modified and needs to be saved when user closes internal window
using "close" button in its title bar.
* FWWindow.cpp (FWWindow::closeEvent): fixed bug (no #): GUI
crashed if user closed internal window so no object files were
left open, then closed application using "close" button in the
main window title bar.
2008-12-03 Vadim Kurland <vadim@vk.crocodile.org>
* iosacl.g (certificate): fixed bug #2334007: "Problem parsing
Cisco config". Parser now recognizes IOS configuration lines
"certificate", "ip community-list", "controller
... description". These lines are recognized and ignored, they
should not stop parser from processing the rest of the
configuration.
* ipt.cpp (main): fixed bug #2378672: "fwb 3.0.2 build 676
iptables script is not executable". Generated .fw file should have
executable permissions.
2008-12-02 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectDatabase_tree_ops.cpp (recursivelyCopySubtree): (change
in libfwbuilder) fixed bug #2375327: "Crash copying multiple
groups between different data files". Using better algorithm to
copy objects between different data files.
* ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies):
using FWObjectDatabase::recusrivelyCopySubtree() to copy objects if
they are located in different data files.
* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change
in libfwbuilder) Implemented additional check for object
duplicates while copying objects. The problem happened when
several object were copied in a batch operation (e.g. when user
selected several objects in the GUI and then used copy/paste to
copy them all). If some of these objects were groups that referred
to other objects from the same batch, the program would copy the
object and then create another copy of it when it copied the group
using it. To avoid such multiplication it now creates special
hidden attribute in the object when it makes a copy to keep track
of the original object. When the same original object needs to be
copied again, the program can find its copy in the target data
tree using this attribute. This creates another problem because
the attribute used to track original object is persistent for the
duration of the program run. The scenario that leads to this is as
follows: user copies object A, modifies it and then copies group B
using the orignal of A. The end result is that the program does
not recognize that the copy of A has changed and makes copy of
group B use it anyway. This means the new group points at modified
object A. This can not be easily fixed because we do not have
"last_modified" attribute in each object.
2008-12-01 vadim <vadim@vk.crocodile.org>
* Started v3.0.3
* v3.0.2 released, merged -r565:676 to trunk. This changelog
record is in rev 678
2008-11-28 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug #2353052
"fwbuilder crashes on import without open object file". Fixed in
rev 676.
* ipt.cpp (dumpScript): fixed bug 2356131 "Iptables-restore option
broken for multiple policy sets". If firewall was configured to
use iptables-restore to activate policy and if it had two or more
policy rule sets, compiler used to put "echo COMMIT" line at the
bottom of each ruleset. This was incorrect, iptables-restore
expects only one COMMIT line at the end of each table. Fixed in
rev 675.
2008-11-28 User Vadim <vadim@vk.crocodile.org>
* InetAddr.cpp (InetAddr::toString): (change in libfwbuilder) Our
included copy of inet_net_ntop does not add "/netmask" to IPv6
addresses if argument #3 is -1 (bits). However, the same function
included in libc on FreeBSD returns EINVAL for bits=-1. It appears
the function in libc in FreeBSD is based on the same code as our
copy, but has been updated and instead of doing check "if ((bits <
-1) || (bits > 128))" probably checks for (bits < 0). Because of
this, fwbuilder GUI crashed when user tried to create IPv6 network
object on FreeBSD. To fix, will use bits=0 in call to
inet_net_ntop in InetAddr::toString and then strip /0 that
inet_net_ntop adds to the generated string. Both our copy of
inet_net_ntop and the one shipped with FreeBSD add "/0"
consistently, so this works on all platforms.
2008-11-26 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): fixed crash in the
importer for iptables
* iptables.g (m_comment): rudimentary support for iptables module
"comment"
2008-11-24 Vadim Kurland <vadim@vk.crocodile.org>
* tcpservicedialog_q.ui: fixed bug #2333759: "A really small camp".
Fixes in dialog layouts for KDE4 theme Oxygen
* Build fixes for FreeBSD.
* Added GUI elements for krcmd and ekshell options for ipfilter
Thanks to Cy.Schubert@komquats.com for the patch!
* Using QT4 stylesheet to improve layout of TCP Service, UDP
Service and group object dialogs when program is used with KDE
theme Oxygen.
2008-11-23 Vadim Kurland <vadim@vk.crocodile.org>
* Help.cpp, StartTipDialog.cpp: the GUI will use English help
files for online help (where available) and "start tip" dialog if
it is started in the non-enligsh locale and help file for this
locale inot available. This is better than to show an empty
dialog.
2008-11-22 vadim <vadim@vk.crocodile.org>
* StartTipDialog.cpp (StartTipDialog::StartTipDialog): Added
"start tip" dialog that shows brief information on the online
resources available to the user (web site URL, links to the
Firewall Builder FAQ, HOWTOs, Cook Book). Linked pages open in the
standard browser.
* FWWindow.cpp: added menu item Help/Firewall Builder Help that
opens a page with information about online resources for Firewall
Builder (the same page that is shown in the "start tip" dialog).
* ipf.cpp (main): fixed bug #2328330: "basic_string::erase error
in fwb_ipf". Compiler for ipfilter aborted processing with error
"basic_string::erase" when compilation was launched from the GUI.
2008-11-21 vadim <vadim@vk.crocodile.org>
* Improved Mac OS X bundle: included qt.conf file to make it look
only inside the bundle for QT libraries and plugins, this
eliminated warnings about QT libraries being loaded from two
places if the system where fwbuilder GUI was running had QT
installed on it. Now packaging QT accessibility plugin library,
this should make the GUI run with acessibility features if
accessibility aids are turned on system-wide.
2008-11-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug #2318639: "bug in logging (rule number)". Added logging prefix
macro %R that gets expanded to the ruleset name. This can be
useful in logging prefixes for rules in branch rulesets.
2008-11-19 vadim <vadim@vk.crocodile.org>
* printerStream.cpp (printerStream::begin): fixed printing with QT
4.4. QT 4.4 correctly sets physical resolution of the printer and
sets its logical resolution to 1200dpi. This caused rulesets to be
printed incorrectly on Windows and Mac where we use QT 4.4.1. This
fix restores printing on these platforms.
* Printing from command line: user can print firewall object and
all its rulesets from command line without running the program in
interactive GUI mode using command line
"fwbuilder -f file -P fw_object -o print_output_file.pdf". Making
sure this works on Mac OS X as well where the program should be
launched as "fwbuilder3.app/Contents/MacOS/fwbuilder"
* RuleSetView.cpp (RuleSetView::updateGroups): fixed printing from
command line which was broken some time ago (perhaps in
3.0.1). When user prints firewall policy from command line using
"fwbuilder -f file -P fw_object" all rule groups are always
printed expanded.
2008-11-18 vadim <vadim@vk.crocodile.org>
* prefsdialog_q.ui: better layout of the first page of Preferences
dialog to make sure long path to the working directory fits in the
input widget.
* SSHPIX.cpp (SSHPIX::stateMachine): bugfix: installer for Cisco
routers and PIX could not find generated file because variable
conffile is now always a full absolute path. This bug was
introduced earlier during installer rewrite for v3.0.2. Tested
installer for router and PIX using default generated file name, as
well as custom generated file name, defined both as absolute and
as relative path. Tested batch install of combination of a router
and a pix in one batch (the same user account, then same enable
password on both)
2008-11-17 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::duplicateObject): fix
bug #2303486: "Operation of duplicating firewall should switch
policy". When firewall object is duplicated, the GUI should
automatically open policy of the new object rather than keep
policy of the original open. At the same time, reset lastModified,
lastCompiled, lastInstalled of the new firewall instead of keeping
copies from the original.
* instDialog.cpp (instDialog::testFirewall): Check to make sure
paths to ssh and scp utilities are properly configured in
Preferences before running install. Show aprropriate error dialog
to the user if path to ssh or scp is not configured.
2008-11-15 Vadim Kurland <vadim@vk.crocodile.org>
* antlr/CharScanner.hpp: applied patch for gcc 4.4 from bug#
2282828 "patch for gcc-4.4"
* AddressTable.cpp (AddressTable::AddressTable): (change in
libfwbuilder) fixed bug# 2293052 "Saving file with empy
AddressTable produces corrupt XML". When new AddressTable object
is created, its "filename" attribute is empty. If data file was
saved right after such new AddressTable object was created,
resultant file could not be loaded back into the program becaise
it violated XML DTD.
2008-11-13 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables properly creates TagService objects and places them
into action of the rule finds iptables rule with target "-j MARK"
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables correctly imports user-defined chain, configures rule
with action "Chain" and establishes association between it and
ruleset created for the user-defined chain. Multiple rules with
this action can point at the same ruleset.
2008-11-12 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::finalize): fixed bug (no #):
policy importer used to create separate Policy objects for chains
INPUT, FORWARD, OUTPUT.
* CircularQueue.hpp (OFFSET_MAX_RESIZE): a temporary fix for the
problem in ANTLR that causes crash on import of very large config
files. This affected import of both iptables and Cisco IOS
configurations and depended just on their size.
2008-11-10 vadim <vadim@vk.crocodile.org>
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
for bug #2135827: "'Store a copy of fwb file...' very slow" -
need to enable option "store copy of data file on the firewall"
for the batch install.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): fixed bug
#2255591 Adding new ipv6 policy is always type "mangle". When user
added new Policy object to the iptables firewall and made and
saved any changes in the object editor (switched to "top rule set"
or toggled setting "filter+mangle"="mangle only"), the setting of
the ruleset would switch to "mangle only" and stick there. There
was no way to switch it back to "filter+mangle". This is fixed in
build 641.
2008-11-09 <vadim@vk.crocodile.org>
* Added updated Japanese translation by Tadashi Jokagi ( elf2000 )
from bug #2214440
* FirewallInstallerUnx.cpp(FirewallInstallerUnx::packInstallJobsList):
fixed a bug introduced some time earlier and reported in the bug
report #2135827: policy installer would only copy .fwb file to the
firewall when "Store data file on the firewall" was activated and
skipped actual generated policy file(s) (.fw). This only happened
on Windows.
2008-11-01 vadim <vadim@vk.crocodile.org>
* fwbuilder/Rule.cpp (PolicyRule::PolicyRule): a bugfix in the
PolicyRule class, fixes errors in some operations in policy
compilers that were caused by switch to a more efficient way to
find rule element objects in rules.
2008-10-30 vadim <vadim@vk.crocodile.org>
* Added Japanese translation by Tadashi Jokagi ( elf2000 )
Translation converted from the .po file generated for
fwbuilder 2.1.19. Since translation was done for the old version
of the product, it is incomplete, however at least menus seem
to be translated.
* ObjectIconView.cpp (ObjectIconView::event): fixed bug #2209210
"crash in fwbuilder: ObjectIconView.cpp:90:". The GUI crashed if
user moved mouse cursor over object icons in a group object editor
when tooltips were activated.
2008-10-26 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::setRuleColor): making sure no rule
operations are allowed when rule set or parent firewall object are
read-only. This fixes GUI crash that happened when user tried to
remove rule from a group in the read-only firewall.
2008-10-25 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::loadFromRCS): more
fixes for bug #2194829: use toLocal8Bit() instead of toLatin1() in
all calls to libfwbuilder functions that deal with
files (FWObjectDatabase::load() etc.), as well as system functions
such as unlink(), rename(), access(). Now I can open, save, check
out and check in file if it is in directory with non-ascii name
and also can use non-ascii characters in RCS checkin log records.
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
fixed bug #2194829: "the gui can not locate data file in non-ascii
directory". This seems to have happened only on Windows and Mac;
if data file was located in the directory with the name with
non-ascii characters, the gui generated incorrect command line for
the compiler when user tried to compile the data file more than
once.
2008-10-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (isChainDescendantOfOutput): more for the
bug #2186568 "Again User service - group/negate". Support for
groups of user service with negation. Now have a framework to keep
track of chain "descendants", so that compiler can tell if some
chain can be traced back to INPUT or OUTPUT through the sequence
of chains calling each other.
2008-10-22 vadim <vadim@vk.crocodile.org>
* various dialogs: fixed bug #2187094: "fwbuilder does not use
system colors for text boxes". Some dialogs would not properly
pick up KDE theme. This was especially visible if theme used dark
background colors and white font, in which case many input fields
in dialogs would use white text on white background.
* PolicyCompiler_ipt.cpp (separateUserServices::processNext):
fixed bug #2186568 "Again User service - group/negate". Compiler
for iptables did not support groups and negation of the
UserService objects.
2008-10-21 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change
in libfwbuilder) Optimisations in the code that detects rule
shadowing. Combined with improvements in classes Rule and
RuleElement, this yields speed-up in shadowing detection by a
factor of about 5.
2008-10-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change
in libfwbuilder) Using internal caching to speed-up shadowing
detection. This cuts time of shadowing detection almost in half
for large policies with many rules.
* dns.cpp (list): (change in libfwbuilder) getHostByName() used to
insert duplicate IP addresses into the list of the results. Now
making sure ip addresses in the result are unique.
* Compiler.cpp (Compiler::_expand_addr_recursive): (change in
libfwbuilder) change in the algorithm used to decide which
interfaces of the host or firewall object to use in a rule when
this host or firewall object is found in source or
destination. Previously, compiler would skip loopback interface
unless user associated the rule with loopback by putting it in the
"Interface" rule element. This made it impossible to create rules
with address 127.0.0.1 in destination but attached to interface
other than loopback (such rule is used for transparent proxy
configuration). Now if user explicitly put loopback interface
object into rule element, we always keep it. However when compiler
expands interfaces from a host or firewall object, it will skip
loopback as before, unless the rule is attached to loopback
interface.
2008-10-19 vadim <vadim@vk.crocodile.org>
* fixed object type icon in the RuleSet and Interface object dialogs.
* ProjectPanel.cpp (ProjectPanel::openEditor): fixed bug: object
editor panel resized itself erratically when user switched between
objects while editor was open. This happened on Windows and Mac OS
X.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug #2180556: "broken support for the "old" time module for
iptables". Compiler generated incorrect parameters for the "time"
module for versions <1.4.0
2008-10-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (singleDstNegation::processNext): while
processing single object negation, consider hosts and firewalls
with one normal interface and loopback interface
eligible (i.e. ignore loopback address even though formally such
object has at least two ip addresses).
* PolicyCompiler_ipt.cpp (singleDstNegation::processNext): fixed
bug (no #): policy compiler for iptables did not handle correctly
rules where a host that has multiple addresses was a single object
in a rule element and had negation.
* NATCompiler_ipt.cpp (singleObjectNegation::processNext): added
support for single object negation in OSrc and ODst in NAT rules.
This provides for more compact iptables script in the often used
case where single object is used with negation in these elements
of a NAT rule. Other improvements in handling NAT rules with
negation.
2008-10-15 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): Explicitly use "\n" instead of endl to
avoid implicit conversion to "\r\n" on Windows (generated script
is for iptables which can only run on Linux, so it is safe to use
"\n" instead of endl).
2008-10-13 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): fixed
bug (no #): policy compiler for iptables would crash with
assertion when AddressTable or DNSName object was used in a rule
in pure mangle table ruleset. This could be related to crash
reported in bug #2157121.
2008-10-11 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): Always
placing rules with action "Accept" in table mangle in chain
PREROUTING
* RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute
to the Policy object for iptables to indicate that this policy
ruleset should be compiled into filter and mangle tables or only
for the mangle table. This makes sense (and is only shown) for
iptables firewalls. By default the attribute is set to
"filter+mangle" which means compiler will try to figure out which
table each rule should go to. However some combinations of service
objects and actions are ambiguous and can be used in both filter
and mangle tables. In cases like these, user can help by creating
separate Policy ruleset that will be translated only into iptables
rules in the mangle table.
* PolicyCompiler_ipt.cpp (singleSrvNegation::processNext): fixed
bug #2148378: "Negation does not work on Tag Service". Policy
compiler for iptables should be able to use "!" single-object
negation for TagService obejcts
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): fixed bug
#2149503: ever since attribute "read-only" of FWObject has been
converted from a dictionary entry to a member variable, the GUI
could not properly check if an object is read-only and could not
update context menu and icon in the object tree. This lead to
unstable behavior when an object was set read-only because the GUI
could not show corresponding icon to indicate its status change,
did not switch context menu items and permitted operations that
should not have been permitted.
* ProjectPanel.cpp (ProjectPanel::getDeleteMenuState): fixed bug
#2149585 "Deleting Routing object breaks file". The GUI should not
allow the user to delete "Routing" ruleset object, as well as any
other top-level ruleset object. This applies to both deleting them
via context menu item or Delete key stroke.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::newIptables): fixed
bug #2151898: "use of "--icmp-type any" iptables 1.2.6a". Iptables
v1.2.6a and older do not have option "-m icmp --icmp-type any".
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): Added tab "Data
File" to the Preferences dialog; added checkbox "Enable data file
compression" to this tab. If this checkbox is turned on, the GUI
will compress data file when it is saved to disk.
* FWBSettings.cpp (FWBSettings::getCompression): saving data file
compression flag in user settings.
* ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTo): added
support for data file compression. This fixes bug# 2130128: "Option
to compress the FWB file".
* pix.pro, iosacl.pro: should be ../../install.sh rather than
../../install
2008-10-10 User Vadim <vadim@vk.crocodile.org>
* FirewallInstallerUnx.cpp: fixed bug #2158561: "Solaris fwb 3.0.2-b599
build prob" Fixed build problems on FreeBSD and Solaris
* pix.pro, iosacl.pro: fixed bug #2158407: "iosacl and pix install
probs"
2008-10-10 Vadim Kurland <vadim@vk.crocodile.org>
* iosacl.cpp (main): fixed bug #2154906 "Post script is missing /
Cisco ACL handling". Prolog/epilog sections were not added to the
generated script for Cisco IOS ACLs.
2008-10-09 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): Compiler for iptables uses QT functions to
properly process non-ascii file names and firewall object
names. Compiler correctly creates generated script when its file
name contains non-ascii characters on all supported OS. The GUI
can find the file and built-in installer can copy it to the
firewall and activate it there. QT helps manage encodings and
locales in OS-independent manner. Caveats:
- Dependency on QT libraries means compilers can not be deployed
on the firewall separately from the GUI.
- pscp.exe on Windows does not seem to be able to pick up file
with non-ascii characters in name when program runs on Windows
with standard English locale. Could not test on Windows running
with national locale. As a workaround, user can specify
alternative name for the generated script in the firewall settings
dialog (tab "Compiler").
- Support for non-ascii firewall object and generated script
names is currently only available in compiler for iptables
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
always provide "-o" command line option to compilers when calling
them from the GUI. The output file name defined this way can be
encoded properly for the OS encoding and locale (compilers do not
use QT so it is hard to do there).
2008-10-08 vadim <vadim@vk.crocodile.org>
* merged branch "new-installer" -r569:HEAD
* PrefsDialog.cpp (PrefsDialog::accept): Added GUI control for the
path to scp utility used by built-in policy installer
* All compilers: firewall object can be specified by its ID in
addition to by name. Command line option "-i" tells compiler that
the last parameter of the command line is object ID. This works
reliably when firewall object name contains non-ascii characters
and the program runs under locale using 8 bit characters. Built-in
installer now uses this method while calling all policy compilers.
2008-10-07 vadim <vadim@vk.crocodile.org>
* pf.cpp, ipf.cpp: Policy compilers for pf and ipf use file name
and path specified with "-o" command line option for the name and
path for all .fw and .conf files they generate.
* instDialog.cpp: built-in installer finds all generated files
when user specifies alternative name (possibly full path) for the
generated script.
* FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath):
built-in installer works properly when firewall name contains
non-english characters. In this case generated firewall script
also has name that contains non-english characters.
* FWWindowPrint.cpp, RuleSetView.cpp, FWBSettings.h,
ProjectPanel_state_ops.cpp: got rid of references to
InterfacePolicy class; build fixes for FreeBSD 7 (should fix
compile problems on other systems too, such as Solaris)
2008-10-06 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): fixed crash in built-in
installer that happened when existing PIX configuration was saved
before loading new one.
* pixAdvancedDialog.cpp (pixAdvancedDialog::accept): fixed crash
that happened when user opened PIX firewall "advanced" settings
dialog and then tried to save changes by clicking OK.
* FirewallInstaller.h (class FirewallInstaller): all installer
logic moved to separate classes FirewallInstaller,
FirewallInstallerCisco and FirewallInstallerUnx. These classes
launch background process (via SSHSession or QProcess) and control
all steps of policy installation and activation, but do not deal
with the UI. This provides for good separation of functions
between UI and core logic classes. The code is much cleaner and
easier to maintain now.
2008-10-05 vadim <vadim@vk.crocodile.org>
* instDialog_unx.cpp (instDialog::copyFileOnUnx): Using
scp (pscp.exe on windows) to copy files to the firewall. This
helps improve performance of the installer. This fixes bug
#2135827: "Store a copy of fwb file..." very slow
* instDialog.cpp (instDialog::instDialog): refactored installer
classes to make code more manageable.
* VERSION: started 3.0.2
2008-10-04 Vadim Kurland <vadim@vk.crocodile.org>
* v3.0.1 released Oct 4, 2008. Merged branch "v3" r513:565 to trunk
* global.h (SETTINGS_PATH_PREFIX): making sure all modules store
settings under the same path prefix "3.0/" (applies to all OS).
2008-10-03 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::iconContextMenu):
fixed bug #2144122 "Segfault when trying to add an address to a
group"
* ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName):
fixed bug #2144358 "Double check with 'save as'". The GUI used to
ask twice if user wants to overwrite the file in Save As operation
if file with given name already existed.
* FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug #2144114
"fwbuilder * exits if the last object file is closed". The GUI
will not terminate after the last window is closed but instead
will just show empty main window.
* fwbedit.cpp (main): fixed bug #2143894: "fwbedit list does not
show objects". Command "fwbedit list -f file" did not print
anything unless option "-F" was supplied. This change adds default
value for this option so that when it is missing, the command
prints object path.
* fwbedit.1: fixed bug #2143961: a typo in the man page fwbedit.1
2008-10-02 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::finishInstall): fixed bug #2125604:
"Cancel button does not kill the installer". Cancel button of the
installer wizard in fact kills background process. Second issue
raised in this bug report is that "Finish" button was always
enabled. This is now fixed.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTarget): fixed
bug #2141911: "no ULOG for ip6tables". ULOG target has not been
implemented for ip6tables yet, so the compiler should fall back to
LOG target while compiling ipv6 policy.
* RuleSetView.cpp (RuleSetView::updateGeometries): fixed crash
that happened on Ubuntu with QT 4.3.x because of recursive call to
updateGeometries()
* fixed icon for rule action "Mark"
2008-09-30 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (PolicyView::PolicyView): constructors of rule
set view classes (PolicyView, NATView, RoutingView) used to set
"dirty" flag in the object database which caused the GUI to ask
the user if they wanted to save modifications before exisitng the
program even when there were no modifications made. This change
fixes this annoying problem.
2008-09-29 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::updateGroups): using setSpan to
make row holding rule group head span across all columns. Without
this, clicking on table cell in column >1 caused visual
artifacts (cell color would turn white, possibly erasing part of
the group name).
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed
bug #2129726: "Where Used" not working on collapsed groups.
* RuleSetView.cpp (RuleSetView::paintEvent): fixed bug related to
#2123152 "Fwbuilder 3.0.0 Gui very slow and doesn't refresh
properly". There seems to be a bug in QT 4.4.1 (not sure of 4.4.0,
definitely not in 4.3.x) which causes the last row of the rule set
view table to come out blank when the table is redrawn. This
happens when rows have very different height and looks like the
last row comes out blank when user scrolls the table up. The last
row is finally redrawn when most of it is already visible.
2008-09-26 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAF): fixed
bug (no #): policy compiler for PF used to insert both "inet" and
"inet6" into generated pf.conf lines for the IPv6 policy.
* RuleSetView.cpp (RuleSetView::getFullRuleGroupTitle): Added
tooltip in the rule set view for the column showing rule group
handle, the tooltip shows group name and number of rules.
2008-09-25 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallDialog.cpp (FirewallDialog::openFWDialog): fixed bug
#2105977: "Viewing firewall settings change state to
edited". Opening firewall "advanced" settings dialog triggered
internal flag that signalled that something in the object tree has
changed.
* FWObject.cpp (FWObject::setInt): (change in libfwbuilder) fixed
bug #2128261: "fwbuilder thinks the file has changed when opened
read-only". Operation "find where used" triggered "dirty" flag on
the object tree even though it does not change anything.
* NetworkDialog.cpp (NetworkDialog::addressEntered): Network and
NetworkIPv6 object dialogs accept CIDR notation in the "address"
input field. Netmask input field is filled automatically using
"/NN" entered as part of the address when user hits Return or Tab
or switches to another input element using mouse click.
* ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified): fixed
GUI crash that happened when user made modifications in the
default object tree but did not save the changes and then tried to
exit the program.
* FWBTree.cpp (FWBTree::createNewLibrary): fixed bug #2126524:
"User Service created in the Service Group section".
* objects_init.xml.in: bug #2126524: "User Service created in the
Service Group section" - added missing group UserServices to the
standard objects file.
2008-09-24 Vadim Kurland <vadim@vk.crocodile.org>
* Network.cpp (Network::Network): (change in libfwbuilder) set
netmask to /32 when new Network object is created. This used to be
the default in fwbuilder v2.1. New default of 0.0.0.0 appears to
be confusing and error-prone, by user's requests changing default
back to /32. This fixes bug #2125542: New Address objects added
with netmask of "0.0.0.0"
* FWObjectPropertiesFactory.cpp (getObjectProperties): do not
print netmask of the IPv4 and IPv6 objects in tooltips and "info"
panel unless such object is child of an Interface. This fixes bug
#2125542: New Address objects added with netmask of "0.0.0.0"
* RuleSetView.cpp (RuleSetView::updateGeometries): fixed bug
#2124804: "Policy list "jump" when using groups". Combination of
rule groups and very tall rows in the rule set view caused
problems with vertical scrolling.
2008-09-23 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::insertRule): fixed bug #2123150:
"add new rule below inserts at end of rulebase". The program used
to append rule at the bottom of the policy when user tried to
insert it n the middle when there were rule groups.
* RuleSetView.cpp (RuleSetView::saveCollapsedGroups): fixed bug #
2106266: "Save collapse/expand state of groups in policy". The GUI
will remember state of the rule groups (expanded/collapsed)
between sessions. The state is saved in preferences. Groups are
referenced by combination of file name (full path), firewall object
name, ruleset name, group name. Since state is saved in
preferences rather than in the data file, state of the rule groups
is separate for each user.
2008-09-21 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_pix.cpp (mergeNATCmd::processNext): fixed crash in
compiler for PIX that happened when compiler tried to merge
"global" commands and some of the interfaces of the firewall had
dynamic address.
* FWObject.cpp (FWObject::fromXML): (change in libfwbuilder)
converted attribute "ro" (read-only) from a dictionary variable to
the member variable of class FWObject. We check read-only status
of objects very often and dictionary lookups were slowing compiler
down considerably.
* FWObjectDatabase.cpp (FWObjectDatabase::getStringId): (change in
libfwbuilder) generate unique string object id on demand instead
of in the call to generateUniqeueId. This helps speed up compiler
operations by a factor of about 3 because we generate unique int
ID every time object is created or copied, yet string ID is only
needed when object is stored in external XML file. Also using
sprintf to assemble string ID, it works faster than ostringstream.
* RoutingCompiler.cpp (reachableAddressInRGtw::processNext): (change
in libfwbuilder) fixed crashes in RoutingCompiler that happened
because Routing ruleset object being processed is disconnected
from the firewall parent at the time compiler works with it.
* RoutingCompiler.cpp (rItfChildOfFw::processNext): (change in
libfwbuilder) fixed compiler error "Error (iptables): The object
"eth0" used as interface in the routing rule 0 (main) is not a
child of the firewall the rule belongs to!" that also happened
because Routing ruleset object being processed is disconnected
from the firewall parent at the time compiler works with it.
2008-09-19 Vadim Kurland <vadim@vk.crocodile.org>
* ipfw.cpp (main): Basic suport for IPv6 for ipfw. IPv6 rules
should be kept in a separate policy, just like for all other
platforms. Branching rules are not supported so there is no
support for multiple policies (although there is no check for that
at this time either). Both ipv4 and ipv6 rules are loaded into the
same ipfw set "1" with globally unique increasing rule
numbers. The order in which ipv4 and ipv6 policies are processed
is controlled by an option in firewall settings dialog.
* FWWindow.cpp (startupLoad): Using list of strings openDocFiles
to pass names of the files that should be opened at start up time
both when these names come from the command line and from odoc
signal handler on Mac. This finally makes the GUI properly open a
file given on the command line or via odoc signal (double clicking
in Finder on Mac) in a single sub window, replacing default
objects tree.
2008-09-16 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileOpen): when the program is started
without data file, it shows panel with just default objects, with
a title "Untitled". If user opens data file, it is loaded into the
same panel and its title changes accordingly. If user makes
changes and then saves using "Save As", its title also changes
accordingly (and there is still one panel). If user uses "File/New
data file" and enters the name of the new data file, it is loaded
into the same panel and its title changes accordingly. Still,
after this there is only one panel. However if the panel shows
contents of some data file, operations "File/Open" and "File/New"
load second data file into a new panel.
2008-09-16 vadim <vadim@vk.crocodile.org>
* IPv4.cpp (IPv4::fromXML): (change in libfwbuilder) filter
addresses and strip leading and trailing whitespaces and other
non-digit characters before converting to InetAddr. This will help
with annoying problem where v2.1 allowed such characters in
address attributes of Address objects but v3.0 applies strict
checks during file load and rejects such data files.
2008-09-15 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): workaround
for a problem that only appears on Mac: if user uses File/Open but
cancels operation, the main window used to switch from the
subwindow that was active to another one (usually the empty
default window with only standard objects tree).
* FWWindow.cpp (FWWindow::FWWindow): Experiment: since MDI looks
very foreign on Mac and can not be fixed, trying tabbed
presentation of internal subwindows. Only on Mac OS X.
2008-09-14 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp, debugDialog.cpp, filePropDialog.cpp: enable
"close" button in the dialog window title (it was not shown on
Mac).
2008-09-14 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib):
change in the logic applied when the program decided which library
to open at start time. If a file is opened and there is settings
record pointing to the library that was opened in this file last
time the program was used, this library is opened. If there is no
such settings record, the program tries to find the first not
system library in the file but prefers the one named "User". If
the program starts without data file, it shows library "User" from
the standard objects file.
* instDialog.cpp (instDialog::addToLog): better regex to recognize
compiler erorrs.
* TimeDialog.cpp (TimeDialog::loadFWObject): Changed format of the
start and stop date fields in the Time Interval object to show
year as four digits. Also enabled calendar in these widgets.
* bug #2099700 "Association of the .fwb and .fwl file types with
app". Implemented support for the association of the application
and data file type on Windows. Double-clicking on .fwb and .fwl
files in Explorer will now open application and load files
automatically.
2008-09-13 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::listContextMenu):
fixed bug #2109833: "Crash on right mouse click in the object
group".
* FWWindow.cpp (FWWindow::prepareWindowsMenu): fixed bug #2109675:
"file Title bar contains redundant info". Internal page title
should be coordinated with items in the Windows main menu. There
is also no need to add "Firewall Builder" to the title of internal
windows.
* instDialog.cpp (instDialog::interpretLogLine): fixed bug
#2109660: "Compiler Progress: bar is incomplete". Compiler
progress bar failed to show full length bar when operation was
complete for some firewall platforms.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2109431: "context menu item "Where used" is missing for
rulesets".
* RuleSetView.cpp (RuleSetView::selectRE): fixed bug # 2109432:
"double click on results in "Where used" list opens wrong rule."
* objects_init.xml.in: fix for bug #2099631: there used to be
object "icmpv6 unreachables" in the Deleted Objects library in the
file of standard objects that comes with the package.
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed
bug #2090332: "Where used search function does not always work.".
WhereUsed function could not find firewall if it was used in its
own rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug (no #): compiler for iptables used date entered for the
beginning of the interval in "Time" object both for the beginning
and for the end.
2008-09-12 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::applyChanges): fixed
bug #2107004: "Fwbuilder crashes while deleting objects in
groups". I could only reproduce the crash when there were two
identical objects in the group and I was trying to delete
both. v3.0 does not allow the user to add the same object twice to
the group so this condition should not be possible.
2008-09-11 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): working on bug #2105111:
"use color for compiler status and errors". Compilation and
installation status is color coded in the left panel of
compile/install dialog (Error is red, Success is green). Also
coloring compiler error messages red in the compiler progress
panel.
* RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2106124:
"Crash after deletion of (last rule in + whole) rule group".
* RuleSetView.cpp (RuleSetView::paintCell): working on bug
#2106280: "option to change color of rule group head". Made rule
group head colored in "medium dark", actual color depends on
chosen QT theme.
* RuleSetView.cpp (RuleTableModel::headerData): fixed bug #2106229
"Disable-Icon bad position in rule group". Icon that indicates
that a rule is disabled used to be drawn in the wrong row of the
ruleset table.
* ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib):
more for bug #2091225: "Can objects in the left pane remember last
state.". If there is no record of the last library used by he user
in the settings, the GUI opens library "User" or the first
non-system library if there is non named "User". Minor bug-fix to
prevent desynchronization of the tree view and pull-down list of
libraries.
2008-09-10 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::pasteRuleAbove): More checks for
operations with rules and ruleset on the deleted Policy or NAT
object. User should not be able to change anything in rule set
object that has been deleted because it does not have parent
firewall object.
* FWWindow.cpp (FWWindow::prepareEditMenu): more fixes for bug
#2100415: "cannot re-create or clone Routing object". Properly
synchronizing main menu Edit to make sure user can not delete
Ruleset objects.
* instDialog.cpp (instDialog::initiateCopy): fixed bug (no #): if
the name of the plink.exe program was specified in upper case in
Preferences dialog, built-in installer failed to provide correct
command line options to it.
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed
bug #2100415: "cannot re-create or clone Routing object". The GUI
does not let the user to delete Routing object. Policy and NAT
objects can be deleted as long as there is at least one more
left. Also "top" rule set objects can not be deleted at all.
* ObjectManipulator.cpp (ObjectManipulator::pasteTo): fixed
bug (no #): added ability to copy/paste rule set objects.
2008-09-09 Vadim Kurland <vadim@vk.crocodile.org>
* FWBSettings.cpp (FWBSettings::setExpandedObjectIds): bug
#2091225: "Can objects in the left pane remember last state.". The
program saves state of the object tree branches (expanded or
collapsed) between sessions.
* FWBSettings.cpp (FWBSettings::getVisibleRuleSetId): bug #2099631
"GUI should rememver firewall object that was opened last". The
program remembers opened ruleset between sessions.
2008-09-08 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): fixed "usage" in fwbedit, command line
option that specifies object attributes for the command "new" is
"-a", not "-o". Also fixed this in the man page.
2008-09-08 vadim <vadim@vk.crocodile.org>
* main.cpp (odocHandler): bug #2099700 "Association of the .fwb
and .fwl file types with app on Mac". Implemented support for the
association of the application and data file type on Mac OS
X. Double-clicking on .fwb and .fwl files in Finder will now open
application and load files automatically. User can open several
files by selecting them in Finder and double-clicking.
* main.cpp (main): remove "safe mode" command line flag -s because
on Mac OS X the program is started with flag -psn when it is
launched via finder. This caused undesired effects.
2008-09-06 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug
#2091520: "Crash FWB". The GUI crashed if user closed mdi window
showing just standard objects and then tried to close the main
window.
* FWWindow.cpp (FWWindow::fileNew): fixed bug #2091507: "Create
New Firewall problem.". If user created new data file using
File/New main menu item, items in the main menu File used to stay
disabled and file could only be saved using "File/Save As" (which
did not make sense because the name has already been assigned to
the file during File/New operation).
* ProjectPanel_file_ops.cpp (ProjectPanel::fileSaveAs): bugfix: if
user called "Save As" and then hit Cancel in the dialog where they
choose file name, internal RCS object used to be deleted anyway.
* v3.0.1 started
* v3.0.0 released Sep 1, 2008. Merged branch "v3" r512 to trunk
2008-09-01 Vadim Kurland <vadim@vk.crocodile.org>
* res.pro: Do not try to install icons if variable ICONSDIR was
not defined by configure. This is the case on FreeBSD, I do not
know where application icons should be installed there.
* ActionsDialog.cpp: more fixes for compile problems on FreeBSD
2008-08-31 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectTreeViewItem.cpp: more fixes for compile problems on
FreeBSD
2008-08-30 Vadim Kurland <vadim@vk.crocodile.org>
* PrefsDialog.cpp: more fixes for compile problems on FreeBSD
* instDialog.cpp (instDialog::fillCompileSelectList): fixed a bug:
firewall table in the compile/install dialog did not show "last
compiled", "last modified", "last installed" time stamps on
windows and mac.
* RuleSetDialog.cpp: fixing compile problems on FreeBSD 7.0
* instDialog.cpp (instDialog::fillCompileSelectList): resize rows
in the table that lists all firewalls for compile/install to make
rows minimal required height.
* FWWindow.cpp (FWWindow::FWWindow): fixed GUI crash that happened
when user clicked toolbar button "Install" right after gui start
before any data file was opened.
* instDialog.cpp (instDialog::fillCompileSelectList): disabled
font manipulations in install/compile dialog, it did not work
right on windows
* InterfaceDialog: layout adjustment for bug #2078671: "fwbuilder
3.0.0 build 487 - add/edit interface". Layout did not work quite
right with QT4 themes Plastique and Oxygen with default font size
14.
2008-08-29 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectEditor.cpp: more missing #include for FreeBSD
* ObjectManipulator.cpp: Added missing #include for FreeBSD 7.0
port
* making sure dialogs do not enforce font type and size if not
necessary. Main window and install dialog used to override system
font which led to problems with dialog layouts on some systems.
2008-08-27 Vadim Kurland <vadim@vk.crocodile.org>
* configure.in: Applied patch per bug #2079941: "Patch for
configure.in --with-qmake". Patch adds option --with-qmake to
configure in libfwbuilder and fwbuilder.
* iosaclAdvancedDialog.cpp (toggleGenerateLogging): fixed bug
#2078107: "IOS ACL compiler issue". Logging commands for IOS ACL
were not generated properly (settings made in the GUI were
ignored). Also added checkbox to completely enable or suppress
generation of logging commands, this checkbox is off by
default. This provides for better backwards compatibility for
existing routers.
* various object type dialogs: layout changes for bug #2078671:
"fwbuilder 3.0.0 build 487 - add/edit interface". Dialogs did not
look right under QT theme with large fonts.
2008-08-26 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): fixed bug (no #): compile
and install progress window was stuck showing the topmost part of
the output of the compiler or installer. Need to make the window
automatically scroll and follow the output so that the latest
output lines are always visible.
2008-08-24 Vadim Kurland <vadim@vk.crocodile.org>
* HttpGet.cpp (HttpGet::httpDone): reset last_error when new http
operation begins to make sure we do not accumulate error messages
on top of those from previous http ops.
2008-08-23 Vadim Kurland <vadim@vk.crocodile.org>
* PrefsDialog.cpp (PrefsDialog::checkSwUpdates): Added setting for
http proxy used with automatic checks for the new version of the
program. Proxy can be defined by "host:port" pair; if port is not
specified, port 80 is assumed.
* FWObject.cpp (FWObject::toXML): (change in libfwbuilder) moved
saving of XML attributes name and comment from FWObject::toXML()
to implementations of this virtual method in all classes that are
supposed to have name and comment. When user created an object
with empty name, the old code used to save such object into XML
file w/o attribute "name" which violated DTD. This is fixed now.
2008-08-22 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::keyPressEvent): fixed bug (no #):
while navigating between rule elements using keyboard, it was not
possible to reach the very last rule if ruleset contained rule
groups
* RuleSetView.cpp (RuleSetView::paintCell): do not draw green
frame around rule group; draw black bracket line in the column #0
longer, almost to the bottom of the last rule row. Draw rule group
head row grey to make it visually stand out.
* ipt.cpp (main): additional fix for the bug #2051629 "group with
dns names are handled as empty": Compiler should check if any
rules of given address family exists before running
preprocessor. This is to prevent it from trying to resolve DNSName
objects for IPv6 when there are no ipv6 rules.
2008-08-21 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::load): truncating very
long error messages that happen when GUI tries to load broken .fwb
file. These error messages contain complete output of the XML
parser which can be very long and does not fit in the normal error
dialog. Message will be cut off at 1000 characters, which is
enough to see the topmost part of the parser output.
2008-08-20 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::ObjectTreeView): Fixed GUI
crash on Ubuntu Hardy that happened b/c of a bug in QT
4.3.4. Crash happened when user added second object to any branch
of the tree. When second object was added to the tree, the program
terminated with assertion "ASSERT: "left.level > right.level" in
file itemviews/qtreeview.cpp". This did not happen with QT 4.4.1
and 4.3.2 (could not test with 4.3.5). The fix was to disable
sorting in the QTreeView widget used to represent object tree.
2008-08-19 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printSrcService): fixed
bug (no #): policy compielr for iptables used multiport module
option "--destination-port" instead of "--dports" when version was
set to 1.4.0. Option "--destination-port" is only for very old
versions of iptables (<1.2.6). This change makes compiler properly
compare version numbers rather than compare them as strings.
* RuleSetView.cpp (RuleSetView::pasteRuleAbove): Permit copy/paste
of individual rules between two data files. When a rule is copied
this way, all objects used in this rule are copied as well.
* FWWindow.cpp (FWWindow::recreateWindowsMenu): fixed typo in the
main menu item name
2008-08-18 Vadim Kurland <vadim@vk.crocodile.org>
* Compiler.cpp (Compiler::complexMatch): (change in libfwbuilder)
fixed bug (no #): policy compiler for iptables used chain OUTPUT
instead of FORWARD if NetworkIPv6 was used in "source".
2008-08-17 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #2054755: "Duplicate Chain". Compiler
for iptables used to generate duplicate "iptables -N chain"
commands for the same chain in some cases.
* Preprocessor_pf.cpp (Preprocessor_pf::convertObject): fixed bug
#2056510 "Compile time" address tables objects dont
work. Preprocessor in compiler for PF for some reason used to
convert all compile time AddressTable objects to run-time. There
was no mention of this in changelog and no comment in the module.
* RuleSetView.cpp (RuleSetView::copySelectedObject): fixed bug
#2055984: "Negate Objects not work". the problem really was not
related to negated objects, instead, user could not copy an object
from rule element into clipboard more than once. Copying whole
rule into clipboard worked fine, but individual object inside the
rule could be placed in clipboard only one time.
2008-08-15 Vadim Kurland <vadim@vk.crocodile.org>
* Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): fixed bug
#2051629: "group with dns names are handled as empty". This bug
triggered when object group that consisted of DNSName objects set
to resolve at compile time was used in policy rule and at the same
none of these DNSName objects were used in rules. If an object
from the group was itself used in a rule, compiler properly
converted it to address. But object was never used in rules by
itself, it was not converted.
2008-08-14 Vadim Kurland <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #2051005: "install to
localhost fails with pam_thinkfinger". Built-in installer
recognizes password prompt produced by pam_thinkfinger module that
accepts both password or asks user to swipe finger against
fingerprint reader device. Note that installer is likely to not
work with fingerprint authentication because it will not wait once
it gets to the point where pam_thinkfinger module asks for the
password or fingerprint and will try to enter password. However
with this change password prompt from pam_thinkfiger is recognized
and password authentication becomes possible.
2008-08-13 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (NATCompiler_ipt::getInterfaceVarName):
fixed bug 2047082: "Beta 3.0 Build 456: IPv4 & IPv6 mixed
firewall". Compiler used ipv4 address of a dynamic interface in
the ipv6 policy rules if interface address was determined
dynamically at run time. This change makes compiler properly
determine ipv4 address for ipv4 rules and ipv6 address for ipv6
rules.
2008-08-12 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectListViewItem.cpp (ObjectListViewItem::operator<): (and
several other places): code fixes to address warnings issued by
gcc 4.3
* Helper.cpp (Helper::findInterfaceByNetzone): fixed bug in policy
compiler for pix - it could not properly identify interface with
network zone "any"
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2047992: "segfault cloning policies in version
3". "Duplicate" and "Move" context menu items should not be
presented if an object for which context menu is called is policy
or interface.
* Rule.cpp (PolicyRule::removeRef): (change in libfwbuilder) fixed
bug #2047991 "Drag & Drop in CHAIN actions, version 3". THe bug
report consits of 3 parts, part 3 is "When I change the Action
from CHAIN to ACCEPT and switch it back to CHAIN it still shows
the last policy target I used. EVEN WHEN I DELETED this object
meanwhile. I manually have to remove the policy object from the
properties of the CHAIN action.". PolicyRule::removeRef removes
references to RuleSets and TagSErvice objects from rule options
when corresponding RuleSet or TagService object is deleted.
2008-08-11 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::edit): double-clicking on an
object in the tree opens it in the editor panel. Normally,
QTreeWidget also expands or collapses tree branch on double click
if the object has children. This was confusing. This change makes
tree not expand and collapse branches on double click.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext):
Applied a one-line patch from <jringle@users.sourceforge.net> to
fix problem in the generated iptables script where it would
delete default route if routing rules were used.
2008-08-10 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::checkForUpgrade): the GUI checks if
updated version is available on startup by making simple HTTP GET
request to the web site at http://www.fwbuilder.org. This can be
turned off in the Preferences dialog. Preferences dialog also
provides a button to perform this query at any time. If function
is enabled in Preferences, it is performed at every time the GUI
is launched. The query does not transmit any data to the server,
but the URL of the query includes the version of the Firewall
Builder.
2008-08-06 Vadim Kurland <vadim@vk.crocodile.org>
* new_object.cpp (newObject): fixed bug # 1997469: "Create a new
User library via fwbedit". Fwbedit creates new library and
populates it with correct set of standard folders.
2008-08-05 Vadim Kurland <vadim@vk.crocodile.org>
* pfAdvancedDialog_en_US.html: Help page for the advanced settings
dialog for PF firewall
2008-08-04 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printActionOnReject):
fixed bug #2037806: "Beta 3.0 Build 437: IPTABLES IPv6 policy ICMP
reject action". Ip6tables target REJECT accepts different
arguments for the --reject-with.
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#2037809: "Beta 3.0 Build 437: IP6TABLES_RESTORE missing". Added
missing variable declaration for IP6TABLES_RESTORE to the
generated iptables script
2008-08-03 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp: bug #2037314: "b449 does not
build". More missing #include for gcc 4.3
* newhostdialog_q.ui: fixed bug # 2036963 "Add new Host Object on
MacOSX". The "new host" dialog was too big and did not fit on low
resolution screen
* res.pro: Now installing fwbuilder.desktop file on Linux and
application icons under $DATADIR/icons/hicolor/ (sizes 128x128
16x16 24x24 256x256 32x32 48x48 512x512 72x72)
* bug #2036912 "fwbuilder b442 does not build". Added missing
forward declarations and #include for gcc 4.3
* Applied patch for gcc 4.3 per bug #2036881 "gcc 4.3 patch for
b442", Mandriva Cooker patch
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc4.3.patch
2008-08-02 Vadim Kurland <vadim@vk.crocodile.org>
* iptAdvancedDialog_en_US.html: Added help file for the firewall
settings dialog for iptables firewalls
* Help.cpp (Help::Help): generic built-in help framework. Help
files are created in .html format in src/res/help directory. Help
files can be localized, locale name is part of the file name; we
need to create separate file for each supported language.
First dialog to get associated help panel that can be activated by
clicking "Help" button is Linux 2.4/2.6 firewall host settings
dialog.
2008-08-01 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.pro: Eliminated dependency on QT in all policy compilers.
Compiler binaries can be deployed on machines without QT and X11.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2023243: "IPv6 - Some objects missing from context
menus". Added items "New Address IPv6" and "New Network IPv6" to
context menus associated with folders "Addresses" and "Networks"
in the tree.
2008-08-01 Vadim Kurland <vadim@vk.crocodile.org>
* Fixed build on Mac, starting with rev 433 code is built with QT
4.4.1 and works on both Leopard and Tiger.
* list_object.cpp (getAttributeValue): added command "list" to
fwbedit. This command can print contents of one object, an object
and all objects below it in the tree or contents of a
group. Object's attributes can be arranged in the output according
to the provided format string where attributes are represented by
macros of the format "%attr_name%" where attr_name is the name of
the attribute.
* fwbedit.1: Man page fwbedit.1 has been updated with the list of
commands, options, supported attributes and examples.
* with addition of the "list" command to fwbedit, utility
fwblookup has been deprecated and removed from the package and
source code tree.
2008-07-31 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): Redesigned command line interface for
fwbedit. The first command line argument is a command (one of
"new", "delete", "modify", "list", "add", "remove", "upgrade" or
"checktree") followed by options. Now fwbedit can be used not only
to add or remove objects, but also to modify object
attributes. The CLI is lot more consistent and can be extended
with new commands in the future.
2008-07-30 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp: fixes for the bug #2030331: fwbedit/fwblookup
issues: added option "-c" for fwbedit, with this option user can
specify comment for the object being created; fixed both fwblookup
and fwbedit to properly handle objects with duplicate names when
operations are performed on objects specified by their path in the
tree. Now, if several objects have the same name, operation will
be performed on all such objects. Note that this includes
deletion, that is, command
"fwbedit -f file.fwb -l /User/Objects/Addresses/TestAddress"
deletes all objects with name "TestAddress" if there are several.
Added ability to create IPv6 and NetworkIPv6 objects in fwbedit.
New command line option "-c text" can be used to set comment for
the object created via "-t type -n name".
2008-07-30 vadim <vadim@vk.crocodile.org>
* fwbedit.cpp (main): fixed bug #1997475: "Adding Interface via
fwbedit breaks .fwb file"
2008-07-28 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::removeLib): fixed
crash that happened upon exit on some platforms. Need to break
away from the loop after lists were modified because iterators
become undefined.
2008-07-28 Vadim Kurland <vadim@vk.crocodile.org>
* New application icon
2008-07-27 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.h (class ObjectManipulator): removed strange
methods copyObjWithDeep and copyObj2Tree. Fixed drag&drop between
different data files. Copy/Paste and D&D between different data
files properly copy all dependencies and fix references in rules
and groups. Tested with recursive groups (group references itself)
and firewalls with rules referencing other firewalls with groups
and other objects.
* ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies):
duplicate object that references other objects and create copies
of these other objects. Examples: firewall (rules reference other
object) and groups. This method is used in "Paste" operation. Will
use it for d&d as well.
2008-07-26 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::moveObj): code
refactoring and cleaning up. Movig all loops over mdi child
windows from ObjectManipulator class to the FWWindow class that
owns all children windows. Along the way fixed few bugs, such as
restored functions "Duplicate to .. " and "Move to ..." that are
available via context menu associated with an object in the tree.
* ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified):
refactored class ProjectPanel to keep code more organized in
several modules.
2008-07-25 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::closeEvent): properly checking for
unsaved modifications when user hits File/Exit or tries to close
main window.
* ProjectPanel.cpp (ProjectPanel::fileCommit): fixed bug (no #):
crash while doing File/Commit.
* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast):
fixed bug (no #): crash in fwb_ipt when interface object is used
in destination and chain is INPUT.
* init.cpp: removed #include <QCoreApplication>, trying to fix bug
#2027918: "Cannot compile fwbuilder-3.0.0-b413 on x86_64"
2008-07-24 Vadim Kurland <vadim@vk.crocodile.org>
* RCS.cpp (RCS::RCS): If data file has been added to RCS, show its
revision history properly sorted by the revision number in
ascending order and automatically select the latest revision in
the dialog
2008-07-24 vadim <vadim@vk.crocodile.org>
* init.cpp (guessExecPath): properly managing path to the bundle
on Mac.
2008-07-22 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp: Applied patch to make code compile with gcc 4.3 per
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc43.patch
2008-07-21 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.h (libfwbuilder): Added missing declarations for
gcc 4.3 per bug #2023292: "fwbuilder 3.0.0 does not build"
* (libfwbuilder) Applied patch for gcc 4.3 per bug #2023676:
"libfwbuilder does not build against gcc 4.3".
* (libfwbuilder) fwbuilder.pro: removed unnecessary override in
target.path to make it install in a proper place on 64 bit
machines'
2008-07-20 <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleTableModel::insertRow): fixed bug (no #)
which caused crash on windows when new rule group was
created. This happened only on win32.
2008-07-20 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug (no #): if
rule set had several rule groups, moving rules within rule set did
not work and caused weird effects.
* NetworkIPv6.cpp (NetworkIPv6::NetworkIPv6): per bug #2023140:
"Default prefix for IPv6 addresses" setting default netmask to /64
for NetworkIPv6 object.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): fixed bug
#2023141: "Can't set interface options". The GUI kept all controls
in the interface object editor enabled when interface was child of
a Host object, even though some controls do not apply to
interfaces of a host. These controls were not saved into interface
objects and the whoile behavior of the GUI was rather
confusing. Now only proper controls are enabled when interface is
a child of a host object.
* RuleSetView.cpp (RuleSetView::removeRule): Fixed bug (no #):
"remove rule" function used to remove wrong rule in the rule set
if rule groups were used.
2008-07-18 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installerSuccess): bugfixes in the
built-in installer on Windows in case of successfull and
unsuccessfull termination of the process. Tests for when plink.exe
asks whether user wants to accept new ssh host key from the
firewall.
2008-07-18 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bugs in
compiler for iptables where it sometimes would not print netmasks
in ipv6 network objects in policy and nat rules.
* Added control for IPv6 forwarding setting in "host settings"
dialogs for Linux, OpenBSD and FreeBSD. This is in addition to the
old ip forwarding control. Corresponding policy compilers add
proper commands to generated scripts to turn ipv6 forwarding on or
off in the kernel.
* ipt.cpp (main): compiler for iptables puts build number in
addition to the version number into "Generated with ..." comment
in the produced script
* instDialog.cpp (instDialog::installerError): fixed crash in the
installer that happened when policy activation ended with an error
* ipt.cpp (main): fixed bug (no #): if generated script used
iptables-restore and if there were automatically generated rules
in the magle table, for example for the "clamp MSS to MTU" rule,
but no other rules in the mangle table, compiler would not add
COMMIT.
2008-07-17 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (prepareForMultiport::processNext): fixed
bug (no #) where compiler for iptables ignored ICMP6 Service
objects used in the same rule in combination with tcp or udp
service objects.
* objects_init.xml.in: Added few more ICMPv6 objects to the Standard
objects library:
type name comment
133 routersol Router solicitation
134 routeradv Router advertisement
135 neighbrsol Neighbor solicitation
136 neighbradv Neighbor advertisement
137 redir Shorter route exists
* ObjectManipulator.cpp (ObjectManipulator::delObj): fixed bug (no
#): GUI crashed when user deleted one of the rule set objects of
a firewall.
* many dialogs: adjusted shape and size of many dialogs that used
to be too big.
* utils.cpp (getAddrByName): getAddrByName() works on all
platforms and gets ipv4 and ipv6 addresses as requested. It looks
like for it to work on Windows Vista machine needs to be
configured with routable ipv6 addresses. When machine only had
Link-local address on fe80:: net, even when ipv6 was enabled,
getaddrinfo sent proper dns request for AAAA record, got reply but
did not pass it back to the application. Once machine was
configured with routable ipv6 address, getaddrinfo started working
as expected. This problem was not observed on Linux and Mac OS X.
* IPv6Dialog.cpp (IPv6Dialog::DNSlookup): Added "DNS Looup" button
to the IPv6 object dialog.
* dns.cpp (list): (libfwbuilder) Using getaddrinfo on all OS to
perform dns lookup for different address families (AF_INET or
AF_INET6).
* utils.cpp (getAddrByName): using DNS::getHostByName instead of
QT functions to perform host name lookup. This should allow us to
do it for both AF_INET and AF_INET6 address families. Needs more
testing.
2008-07-16 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): Fixed bug (no #) that triggered when
iptables script was geenrated with option that uses
iptables-restore for activation. If ipv6 policy was empty,
compiler added "( ) | ip6tables-restore" anyway which caused
syntax errors.
* RuleSetView.cpp (RuleSetView::addToGroupAbove): Additional check
for a bug where adding very long list of rules to a rule group
caused crash once. Bug is hard to reproduce.
2008-07-15 vadim <vadim@vk.crocodile.org>
* testing and bug fixes with QT 4.4.
* Testing on Mac OS X and Windows Vista.
2008-07-08 vadim <vadim@vk.crocodile.org>
* fwcompiler.pro (LIBS): fixed build errors on Ubuntu Hardy.
Background info: need to include -lfwbuilder while linking
fwcompiler library on all Unix platforms because of the linker
option -Wl,-Bsymbolic-functions . Discovered this on Ubuntu Hardy
where libsnmp adds this option via net-snmp-config --libs
2008-07-07 Vadim Kurland <vadim@vk.crocodile.org>
* listOfLibraries.cpp (listOfLibraries::listOfLibraries): Removed
support for add-on libraries in the GUI. User can now open their
working file and external library file simultaneously and copy
objects from one to another. This removes the need for the
cumbersome add-on libraries feature. Will keep module
listOfLibraries and corresponding code fragments in ProjectPanel
and FWWindow until removal of this feature is validated by users.
* PolicyCompiler_pf_writers.cpp: Support for "synproxy state"
option for PF per FR #1098098: "Per-rule Synproxy"
* templates.xml.in: Updated template firewall objects to include
"top_rule_set" attribute.
* RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute
"top_rule_set" to Policy, NAT and Routing objects. This attribute
is controlled by a checkbox "Top rule set" in the corresponding
object dialog.
The attribute has platform-specific meanning. On iptables, "top"
rule set goes into the built-in chains INPUT, OUTPUT, FORWARD; if
this flag is unchecked, rules go into user-defined chain with the
name the same as the name of the rule set. On PF, If this flag is
unchecked, rules go into anchor with the name the same as the name
of the rule set. On Ciscio IOS ACL If this flag is unchecked,
generated access list will not be assigned to interfaces with "ip
access-group" command and also the name of the ACL will be
prefixed with the name of the rule set to make it unique.
One policy, nat and routing rule set must be marked as
"top". Other rule sets are secondary and will be placed in their
own unique chains, anchors or access lists (depending on the
platform). Control may or may not be passed to these chains and
anchors. One way to pass control is by using rule action "Branch"
in the top rule set. However if control is not passed that way,
compiler will still generate corresponding commands which can be
used by means external to the firewall builder.
Auto-upgrade migration script will assign attribute "top_rule_set"
to Policy objects with name "Policy", NAT objects with name "NAT"
and Routing objects with name "Routing". This provides for
consistent backwards-compatible behaviour after upgrade from v2.1
2008-07-06 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr):
Support for IPv6 in Cisco IOS ACL compiler fwb_iosacl.
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
Removed option "Enable IPv6 support" in the "advanced" dialog for
all platforms. Now user needs to explicitly declare rule sets as
ipv6. Since by default all rule sets are ipv4, there is no need
in yet another parameter to enable ipv6 support.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): Objects Policy,
NAT and Routing now have attribute that tells compiler that
corresponding rule set is ipv4 or ipv6. The attribute is
controlled by radio-buttons in corresponding object dialog. Every
policy or nat rule set is treated as exclusively either ipv4 or
ipv6 by compilers, however the user can put objects of both
address families in rules. This allows for creation of object
groups that include objects of both address families. Such groups
can be used in both ipv4 and ipv6 rule sets. Compilers pick
objects that match address family declared for the rule set and drop
others.
One of the reasons why this attribute was added is to avoid
generation of unwanted iptables or acl lines for rules that can
not be unambiguously attributed to particular address
family. Example of such rule is rule with "any" in both source and
destination (e.g. "catch all and deny" rule typically found at the
bottom of the policy). Without this attribute compilers tried to
process every rule set for both ipv4 and ipv6. This way rule "any
any any deny" found in ipv4 policy yielded corresponding line in
the ipv6 policy, which was wrong.
* instDialog.cpp (instDialog::installSelected): minor fixed in
installer dialog (fixed progress bar and buffering of the compiler
output)
2008-07-05 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTOS):
Support for TOS and DSCP matching in IOS access lists.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
Support for tos matching in compiler for pf. PF does not support
DSCP matching.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): Support for
TOS and DSCP matching in compiler for iptables.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): Added
support for attriutes "tos" and "dscp" in IPService object. FR
#1948944: "support for TOS matching".
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules):
Implemented support for combinations of srcip, dstip, srcport,
dstport options of the hashlimit module for iptables per bug
#1812388: "add srcip,dstip to choices for hashlimit mode"
2008-07-03 Vadim Kurland <vadim@vk.crocodile.org>
* fwbuilder.1: updated man page for fwbuilder GUI.
* ipt.cpp (main): document iptables version settings from the
firewall object in generated script (for support and debugging).
* MangleTableCompiler_ipt.cpp (flushAndSetDefaultPolicy): iptables
rule with target TCPMSS generated for option "Clamp MSS to MTU" is
valid only in mangle table in iptables 1.3.x and later. Still
generate this command in the filter table for earlier versions of
iptables
* PrefsDialog.cpp (PrefsDialog::getFontDescription): Tab "Fonts"
of the Preferences dialog shows currently selected fonts for both
the tree and rules.
2008-07-02 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): fixes in built-in
installer; pretty printing of the external process output;
properly enable "next" and "finish" buttons.
2008-07-01 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol):
compiler for iptables distinguishes ICMPService and ICMP6Service
* objects_init.xml.in: Added few standard ICMP6 objects
* ObjectManipulator.cpp (ObjectManipulator::newICMP6): Added
support for ICMP6Service object type in the GUI
* ICMP6Service.cpp (ICMP6Service::ICMP6Service): Added class
ICMP6Service
* fwbuilder.dtd.in: Added XML element ICMP6Service
2008-06-30 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): do not
generate "-m icmp6 --icmp6-type any" for ipv6 for object "any
icmp".
2008-06-28 Vadim Kurland <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromDNS): object
"discovery" by DNS zone transfer is not supported anymore.
2008-06-27 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol):
should use "-p ipv6-icmp" for ipv6 rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): skip
"-p all" for ipv6 to avoid warning "Warning: never matched
protocol: all. use exension match instead"
2008-06-26 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): using
"-m frag --fragmore" for IPService objects that should match ip
fragments.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printDstService):
compiler uses "--icmpv6-type" and "-m icmp6" options while
generating ipv6 script.
2008-06-20 <alek@codeminders.com>
* FWWindowPrint.cpp: fixed bug # 1896771: "printing user defined
chains".
* main.cpp: implemented printing of the firewall object contents
from CLI per bug #1996739: "Feature: CLI printing or policy export".
Use command line flag "-P <firewall_name>" to print and exit.
2008-06-16 <alek@codeminders.com>
* newHostDiaog.cpp: fixed bug #1899488: "Unable to set MAC address
while adding a host"
2008-06-13 <alek@codeminders.com>
* GroupObjectDialog.cpp: implemented sorting by name and parameter
in group dialogs per bug #646804: "No sort in Group".
2008-06-10 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
support for the "new" time module for iptables
2008-06-08 Vadim Kurland <vadim@vk.crocodile.org>
* merged branch "id-experiment" r233:HEAD
2008-06-07 Vadim Kurland <vadim@vk.crocodile.org>
* main.cpp (main): support for integer object ids
2008-06-06 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printUser): Support
for UserService in compiler for PF. FR #1948872: "User based
rules"
* FWBSettings.cpp (FWBSettings::restoreGeometry): the program will
remember window size and restore it on subsequent runs, but will
not remember window position on the screen. This caused problems
on Mac OS X (because window title bar and tool bar weren't taken
into account, so window would slide up on every next run)
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkUserServiceInWrongChains::processNext):
Support for UserService in compiler for iptables. FR #1948872:
"User based rules"
* IPv6 suport implemented in the GUI and compilers for iptables
and pf: FR #1517015, 1705261, 1706246, 1826325
* Rules with action Tag reference TagService objects. User drags
and drops TagService object into a drop area in the rule action
dialog. FR #1696841: "Mark action and TagService"
2008-06-05 <alek@codeminders.com>
* IPv4Dialog, NetworkDialog, newHostDialog, newFirewallDialog:
netmask can be entered as bit length, in addition to the bit mask
format supported before. Both formats are recognized. FR #995452,
1617297, 1666016
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp, pf.cpp: Compilers for iptables and pf recognize branch
rule sets that belong to different firewall objects. FR #737132:
"Linkable Rules", #1224898 "Rule Link"
* PolicyCompiler_ipt.cpp (dropTerminatingTargets::processNext):
bugfix in the shadowing detection for non-terminating rules in the
mangle table.
* All compilers: all compilers include error and warning messages
produced during compilation in the generated script. Messages are
grouped by corresponding section (Policy, NAT, all branches
etc.). Normally only warnings will be included because compilers
stop when they encounter an error condition, however if compiler
is being ran with "-xt" command line option, it does not stop and
includes error messages in the output as well. This helps catch
changes that generate warnings but do not translate into
differences in generated configuration.
2008-06-02 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
Support for --weekdays parameter in iptables 1.4.0 module "time".
Per bugs #1914371: "iptables 1.4.0", #1806045: "latest 1.3.8
time match changed", #853364: "Time Restriction feature request".
* platforms.cpp (list): Added iptables version 1.4.0 to the list.
Will use it for the "new" time module support. Bugs #1914371:
"iptables 1.4.0" and #1806045: "latest 1.3.8 time match changed"
2008-05-30 Vadim Kurland <vadim@vk.crocodile.org>
* pf.cpp (main): Like compiler for iptables, compiler for PF now
supports multiple rule sets for policy and nat. Each rule set is
translated into corresponding anchor .conf file. If some rule in
another rule set references it via action Branch, corresponding
"anchor" configuration line is generated, but if it is not
references from any rule, the anchor .conf file is still
created. Rule sets "Policy" and "NAT" are configured "main" or
"root" and placed in the main .conf file with the name of the
firewall object.
2008-05-29 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Compiler for iptables processes all Policy and
NAT rulesets that firewall object has, regardless of whether they
are referenced from any rules with action Branch or not. This is a
change compared to the behavior of 2.1 which processed only those
branch rule sets that were used in Branch rules. Each rule set
that has name other than "Policy" is placed in a chain with the
name the same as the name of the rule set. This way the user can
create multiple rule sets and place them in different chains,
control to these chains can be passed in the iptables commands
supplied in prolog or epilog scripts.
Another reason for this is to allow the user to place rules for
ipv4 and ipv6 in separate rule sets. An attribute "address_family"
will be added to objects Policy and NAT later on to be able to
mark rule sets as belonging to either ipv4 or ipv6 address
family. This separation helps avoid ambiguity that is possible in
mixed rule sets (when both ipv4 and ipv6 rules are mixed in the
same rule set). Suppose we allow the user to put both ipv4 and
ipv6 rules in the same rule set and the user creates a rule with
ipv4 object in Dst with negation. "Not host A", where "host A"
translates into one ipv4 address should probably include "all
ipv6" as well, which means that this simple rule can inadvertenly
block all ipv6 without user even noticing it. This can be very
confusing and difficult to troubleshoot. Placing rules acting on
different address families into different rule sets helps avoid
this problem.
* ipt.cpp: Compiler for iptables can determine if a rule set is
referenced by a rule with action Branch and option "branch in
mangle table in addition to the filter table" and correctly places
referenced rule set in both filter and mangle tables.
2008-05-29 <alek@codeminders.com>
* ObjectManipulator.cpp: new feature v3: Policy rules can now be
arranged in multiple rule sets with names. These rule sets are
shown in the tree under the firewall object (next to its
interfaces). Each rule set is independent from others, user can
add as many as they want. Rules with action "Branch" refer to
existing rule sets, user associates them by dragging rule set
object into action parameters dialog of the branching rule. This
also fixes bug #1753297: "duplicate chain tab".
2008-05-23 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (countChainUsage::processNext): New
feature: compiler for iptables keeps track of chain usage and
removes unused chains from the generated iptables script. This
helps optimize generated script and makes it smaller, especially
in mixed IPv4/IPv6 configurations.
2008-05-22 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Policy compiler for iptables supports
IPv6. Added command line switches "-4" and "-6" which force
compiler to generate script for only one specified address
family (by default it does both). Compiler can generate simple
ipv6 iptables script. Generated script still can be improved but
seems to be formally correct at this time.
2008-05-18 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp: compiler for iptables converted to
use exclusively methods getAddressPtr and getNetmaskPtr. Checking
for when Address object has no IP address where
appropriate (getAddressPtr() returns NULL in this case).
2008-05-10 vadim <vadim@vk.crocodile.org>
* pf.cpp: (from 2.1) fixed bug #1961202: "Pf Timeouts overriden by
Optimization". Compiler should generate "set optimization" command
before "set timeout" commands.
2008-05-08 vadim <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (printFirewall): (from 2.1): fixed bug
#1562726: "policy print rule cut-off". Long rulesets would not
print correctly on Windows, the bottom of the ruleset table was
just printed solid grey with no rules visible.
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (from
2.1): partial fix for bugs #1789059 "shadow issue when using
action chain" and #1945149: "Shadowing test for rules with action
"chain". The mechanism for rule shadowing detection we have at
this time can only detect shadowing of one rule by another. In
case of branching it is a combination of the branching rule and
rules inside the branch that may shadow other rules. I plan to
redesign this part of the code in the future, but it won't happen
in upcoming v3.
Meanwhile, I am fixing it in 2.1 by making compiler ignore rules
with action Branch.
2008-05-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext),
RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from
2.1) fixed bug #1821573: "Rule options limits allow for multiple
overload tables". PF allows only for one "overload" option per
rule.
* IPTImporter.cpp (IPTImporter::pushPolicyRule), (from 2.1)
iptables.g (target_options): fixed bug #1949438: "parser expects
decimal - hex is not accepted". Importer for iptables should be
able to process "--set-mark" with hex argument.
* fwbedit.1: (from 2.1) fixed bug #1949103: "manpage slightly
broken". Minor fixes in fwbedit.1 man page.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
(from 2.1) fixed bug# 1940504: "Clamp MSS to MTU". Iptables
command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in FORWARD
chain should go before the one that matches "--state
ESTABLISHED,RELATED" in order to work for the packets in these
states.
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from
2.1) fixed bug #1938985: Rate in hashlimit in local language
2008-04-28 <alek@codeminders.com>
* v3 feature: rules can be grouped in Policy, NAT and
Routing. Group of rules can have a name and color and can be
collapsed or expanded. Collapsed rule groups take room equivalent
to one rule in the ruleset panel. This implements Feature Requests
#1961702, 1938992, 1751141, 1602294, 1372620, 1083981, 1017566,
848553, 811542,
2008-04-13 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug (no
#): compiler fwb_ipt used to treat host objects as networks in
TDst and generate iptables output with /netmask of the interface.
* (various places in src/ipt): PREPARATION FOR IPV6: Changing
IPv4::cast to dynamic_cast<InetAddrMask*> everywhere. In loops
that walk child objects of interfaces, cast child objects to
InetAddrMask* or to FWObject* instead of IPv4*. This is to
facilitate support for ipv6 in the future. In all these places we
need to use two aspects of the child objects: either their
position in the tree, in which case FWObject* is sufficient, or
their address/netmask, in which case we should use InetAddrMask.
* (various places in src/pflib): PREPARATION FOR IPV6: Changing
IPv4::cast to dynamic_cast<InetAddrMask*> everywhere.
2008-03-09 vadim <vadim@vk.crocodile.org>
* (from 2.1) pf.cpp: fixed bug #1899914: "Script to apply the new
rules." It is enough to execute "pfctl -f file.conf" to load PF
policy. There is no need to purge filter and nat rules first, then
reload it.
* (from 2.1) RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1908351:
"rcs does not save log message and file remains locked"
* (from 2.1)
Compiler.cpp (emptyGroupsInRE::countChildren): (libfwbuilder)
fixed bug #1905718: "Group of DNS Name objects considered empty"
2008-03-06 <alek@codeminders.com>
* v3 feature: Firewall Builder v3 GUI redesigned as MDI
interfaces. Several data files can be opened simultaneously and
objects dragged and dropped from one file to another. FR # 984979
"split window view of tabs".
* v3 feature: the GUI allows the user to change font used for the
UI, object tree and rules (separately). FR #1621799: "main window
font_size & column resizing" (although column width is not saved).
* v3 feature: The user can switch between icons 25x25 and 16x16 in
rules. FR #1844437 "25x25 Icons to 16x16"
2008-03-05 vadim <vadim@vk.crocodile.org>
* VERSION: started v2.1.18
* src/cisco_lib, src/iosacl, src/pix: Code for policy compilers
for Cisco IOS ACL and PIX has been released under
GPL and merged into the main fwbuilder tree.
2008-02-18 vadim <vadim@vk.crocodile.org>
* CircularQueue.hpp (antlr): fixed crash of the policy importer on
64-bit systems. This fixes bug #1886575: "Seg Fault on reading
vanilla Fedora iptables file". See comment in module
CircularQueue.hpp for details.
2008-02-10 vadim <vadim@vk.crocodile.org>
* pt_BR.po: updated Brazilian Portuguese translation by Rubens
Ferreira Neto <rubens.ferreiraneto@ig.com.br> and Jose
Carlos Medeiros <jose@psabs.com.br>
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed bug #1886570:
Diagnostic related to Edit->Preferences. Removed harmless but
annoying error message that appeared on stderr when user opened
Preferences dialog.
* IPTImporter.cpp (IPTImporter::pushPolicyRule): Fixed bug
1883536: "fwbuilder segfaults when importing iptables conf". Added
support for TCPMSS target with option --clamp-mss-to-pmtu in
iptables importer; also made importer upderstand option
--tcp-option but skip it since it is not supported in fwbuilder.
2008-02-06 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1849392: "RCS using
windows 2003 without administrator rights". Pass TMP and TEMP
environment variables to RCS tools
* pix_os.xml.in: more for the bug #1816798: "Installing policy on
PIX 501 fails". The fix that was made for v2.1.16 did not cover
test-mode install, which is now fixed too. Command "terminal pager
" is valid only for PIX 7.x and caused error while installing
policy on PIX 6.3. Removed this command from the install sequence,
it was not essential.
2007-12-29 <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::stateMachine): using signal proper for qt4
(bytesWritten(quint64) instead of wroteToStdin)
2007-12-19 vadim <vadim@vk.crocodile.org>
* v2.1.16 release
2007-12-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printRunTimeWrappers):
fixed bug #1851166: "Installscript does not test for destination
ip address". The problem affected specific case of a firewall with
two (or more) interfaces that get their address dynamically and a
policy rule that has one such interface in source and another in
destination. Generated iptables script retrieves actual addresses
of both interfaces and assigns them to variables, then uses these
variables in actual iptables rules. Special check is provided in
case some interface did not obtain any ip address at a time of
execution of the script. Previously such test was only done for
one dynamic interface per rule. This change makes the script check
for both.
* ipt.cpp: bug #1850352: "Install script wrongly completes
successful". Storing exit status of iptables-restore so that
generated firewall script can return the same status after it
executes commands that set kernel parameters and runs user-defined
epilog code.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions):
applied patch #1850357: "Add support fo load balancing with pf to
PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net)
that adds support for load balancing rules in PF. Extended the
patch adding support for address/netmask format of the next hop.
Added checks for illegal IP addresses and netmasks in the next
hop. Test cases for the PF load balancing rules are in
test/pf/objects-for-regression-tests.fwb, firewall object
firewall40-1.
2007-12-13 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: working on bug #1850352: "Install script wrongly
completes successful". Added more checks to the installer
scriptlet to make it properly terminate with non-zero error code
if iptables-restore returned error. Previously "echo" in the end
of the generated masked error code returned by iptables-restore
and made the GUI report successfull install even when it
terminated with an error. Also added test for the presence of
pkill on the system so that the script does not try to run it if
it is not available.
* platforms.cpp (list): applied patch #1850368: 'PF 3.7 has
support for "set skip on"'. Patch by tomjudge@users.sourceforge.net
extends support for "set skip on" option to pf 3.7.
* platforms.cpp (isDefaultPolicyRuleOptions): fixed bug #1850346:
"GUI has 2 views on which actions should be stateless". Even
though GUI made rules with action Route stateful by default, code
that determined if combination of options of a given policy rules
was default thought these rules should be stateless.
* ipt.cpp: Applied patch 1835308: "Patch for adding "-q" option to
fwb_ipt". Option "-q" suppresses timestamp that is normally
included in the generated script. This way, if no objects or rules
changed in the firewall builder, generated script will be exactly
the same. Timestamps made generated script different even if
nothing really changed in the objects, which made external version
control systems detect changes when there were none.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
fixed bug 1848204: "ULOG-Setting ignored for invalid packets",
applied patch #1848609 provided by reporter. Code that matched and
logged packets in state INVALID always used target LOG, which was
a problem for iptables installations that only come with target
ULOG.
* tcpservicedialog_q.ui: patch #1849500: "tooltip patch for
tcpservicedialog_q.ui". Additional tooltips in the TCP Service
dialog to explain function of tcp flags masks and settings.
2007-12-12 vadim <vadim@vk.crocodile.org>
* ipt.cpp: fixed bug #1849328: "iptables restore unusable in
2.1.15". This bug was introduced by the change for the bug
1812295. If option "use iptables-restore to activate policy" is
on, we always generate script that prints iptables commands using
echo and sends them to the input of iptables-restore via pipe.
* VERSION (FWB_MICRO_VERSION): begin v2.1.16
2007-12-08 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1821576: "Rule option tracking gives inavlid config with
default value". Compiler should skip max-src-nodes when it is set
to default '0' in the GUI.
* Added Brazilian Portuguese translation by Jose Carlos Medeiros
<jose@psabs.com.br>
2007-11-25 vadim <vadim@vk.crocodile.org>
* Starting with build 320 Windows packages install on Vista
2007-11-15 vadim <vadim@vk.crocodile.org>
* FWObjectDropArea.cpp (FWObjectDropArea::paintEvent): more fixes
for bug #1826558: need to fill background rectangle in "object
drop" widget for search.
* RuleSetView.cpp (RuleSetView::paintCell): more fixes for bug
#1826558: need to fill background rectangle in action, options and
comment columns.
2007-11-14 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1826558:
"OSX 10.5 font problem". This problem appeared only in Mac OS X
Leoprard (10.5) build, other platforms were unaffected.
2007-11-02 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installSelected): previous fix for
the bug #1811781: "Batch Install" was insufficient. Needed to
clear altAddress input field in the install options dialog in case
of the batch install.
2007-10-28 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::createPrintRuleProcessor):
fixed bug #1812295: "Can't use runtime address tables AND
iptabels-restore". Script generated by fwb_ipt used "here
document" if the option "use iptables-restore to activate policy"
was turned on. This did not work in case policy used any tun-time
address table objects. Now generated script always uses "echo" to
generate iptables commands that it sends to th standard input of
iptables-restore.
* instDialog.cpp (instDialog::doInstallPage): fixed bug #1811781:
"Batch Install". Built-in installer used address of the first
firewall of the batch to communicate with all firewalls in the
"batch install" mode.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
fixed bug #1800875 "'keep state' missing from pass out going
traffic rule". Compilers for pf, ipf and ipfw were affected.
* pix_os.xml.in: fixed bug #1816798: "Installing policy on PIX 501
fails". Command "terminal pager " is valid only for PIX 7.x and
caused error while installing policy on PIX 6.3. Removed this
command from the install sequence, it was not essential.
2007-10-06 vadim <vadim@vk.crocodile.org>
* ipfAdvancedDialog.cpp (ipfAdvancedDialog::ipfAdvancedDialog):
applied patch by <Cy.Schubert@komquats.com> to add support for
Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules.
* VERSION (FWB_MICRO_VERSION): begin v2.1.15
2007-09-10 vadim <vadim@vk.crocodile.org>
* 2.1.14 release
2007-09-08 vadim <vadim@vk.crocodile.org>
* configure.in: patch by Carlos Silva <r3pek@r3pek.org> to add
third parameter to AC_DEFINE_UNQUOTED
2007-08-25 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixed
bug #1764971: "allowed value range for burst limit". Iptables
"--limit-burst" option should not be limited in the GUI.
* instDialog.cpp (instDialog::continueRun): fixed bug #1772722:
"installer should recognize when it uses plink 0.60". We detect
when installer uses plink on Windows by checking the name of the
configured ssh client. The check should be case-insensitive.
2007-08-06 vadim <vadim@vk.crocodile.org>
* configure.in: applied patch by Carlos Silva <r3pek@r3pek.org> to
make configure.in use ANTLR C++ run-time installed on the system
if it can find one; otherwise it uses copy in src/antlr
2007-08-05 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: fixed bug (no num): importer for iptables
should properly assign rule options when it finds "-m limit" and
"--limit" options in the input file.
* IPTImporter.cpp: added a workaround for a situation when several
iptables commands pass control to the same user-define chaine in
the iptables-save file. As of fwbuilder v2.1, branch ruleset is a
child object of PolicyRule. This means two different rules can not
point at the same branch ruleset. This is unfortunate but it is
hard to fix in the current version because it requires changes XML
DTD and API. Will do this in 3.0. Meanwhile, checking if branch
ruleset with requested name already exists and change the name by
adding suffix '1', '2' etc to make it different. Imported rule is
marked as 'bad' (red background) and gets a comment explaining this.
* iptables.g (tcp_flags_list): fixed bug #1764988: "iptables
import -> GUI crash": syntax for TCP flag matching in
iptables-save should allow for more than 2 flags in 'comp' part
* iptables.g (target_options): added missing supprot for
"--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options"
options for target LOG to iptables policy importer
* iptables.g (protocol_word): fixed bug (no num): iptables policy
importer should properly parse numeric protocol
specification (e.g. "-p 47").
* Importer.cpp (Importer::getTCPService): fixed bug #1764988:
"iptables import -> GUI crash": iptables policy importer
recognizes and parses TCP flag parameters ALL and NONE
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
#1764988: "iptables import -> GUI crash": iptables policy importer
recognizes and parses target RETURN
2007-08-01 Vadim <vadim@debian-unstable.vk.crocodile.org>
* FirewallDialog.cpp: fixed bug reported in Debian Bug report
#417685 - added missing #include <algorithm> to make code
compile with gcc 4.3
* fixed bug #1761373: "libfwbuilder doesn't build on Mandriva
cooker". Applied fixes to make the code compile with gcc 4.2
* VERSION: started 2.1.14
2007-07-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfaceAndDirection::processNext):
compiler permits setting direction in the rule while interface
field is "All". This generates iptables command in chain INPUT or
OUTPUT with "-i +" or "-o +" interface specification to match all
interfaces.
2007-07-14 vadim <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultPolicyRuleOptions): platform "iosacl"
does not have any rule options at this time; making sure we never
show an icon indicating non-default options.
* templates.xml: added simple template for Cisco router 36xx
* pf.cpp (main): Added support for "set skip on <ifspec>" command
for PF. If an interface is marked as "unprotected" in the GUI,
compiler generates this command for it. This is useful for loopback
or other virtual interfaces.
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): better
compliance with PF 4.x. Feature Req. #1679793: "add 'no state' and
'flags any'". If version is set to 4.x, compiler skips "flags S/SA
keep state" for rules mathcing tcp services. However, according to
the section "1.2. Operational changes" in PF FAQ at
http://www.openbsd.org/faq/upgrade41.html , there should be a way
to add "keep state" explicitly for rules on interface enc0. Added
this option to the rule options dialog.
* pf.cpp (main): implemented support for PF limit options
"src-nodes", "tables" and "table-entries". Feature Req. #1674919:
"Support "set limit table-entries""
2007-07-12 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp: More key caching request and other messages for
wider variety of ssh clients.
* SSHPIX.cpp (SSHPIX::stateMachine): fixed bug #1753188: "policy
activation fails on PIX and IOS". Installer failed if account used
to authenticate to the router or PIX went straight to 'enable'
mode after login.
2007-07-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printLogging): fixed
bug #1747828: "anchors generation - "log" not supported". "Log"
keyword is not allowed in "anchor" rules; compiler should not
generate it even if user turned logging on in a rule with action
'Branch'
* PolicyCompiler_ipt.cpp (checkForRestoreMarkInOutput::processNext):
fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to
the firewall settings dialog for iptables that controls whether
compiler should skip generation of the code to set default policy
of all ipv6 chains to DROP. This option is off by default, that is
compiler puts the code in. This helps maintain backwards
compatibility with old data files that do not have this option,
which is equivalent to this option being "off".
2007-07-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::unlockObject): fixed
bug #1743117: "crash while editing any". Added check, user should
not be able to unlock Standard objects library
* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766:
"lock not saved". This method now copies the value of "ro"
attribute (read-only). Clear it in the caller if
neccessary. Method duplicate() clears it after calling
shallowDuplicate in order to be able to modify the object, then
restores this attribute to its original value.
2007-06-23 vadim <vadim@vk.crocodile.org>
* v2.1.12 release
* iptables.g (target_options): parser for iptables is aware of
"--set-tos" target option. Even though fwbuilder does not support
target TOS, importer should be able to import policy that uses it
without crashing.
2007-06-20 vadim <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (printFirewall): fixed bug #1739373: "FWB2111,
register Routing not printed". Tab "Routing" was not included in
the printed copy of firewall policies.
* NATCompiler_pf.h: fixed bug #1740545: "AddressTable in NAT
section". Policy compiler for PF crashed if AddressTable object
was used in TDst element of a NAT rule.
2007-06-17 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): fixed bug (no number)
where installer failed to properly copy .fwb file over to the
firewall if file name contained whitespace
2007-06-16 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::prepareInstallerOptions): discovered
and fixed bug in the installer: if management interface of the
firewall is dynamic (i.e. had no IP address) and address of the
firewall was given in the "Installer" tab of the firewall object
dialog, installer failed to copy it to the instOptionsDialog and
filled corresponding entry field with 0.0.0.0
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printShellFunctions): fixed bug 1737733:
"install script doesn't detect BROADCAST if eth is NO-CARRIER".
If firewall script runs before network interface comes up (i.e. is
still in NO-CARRIER state), script failed to add virtual addresses
for NAT.
2007-06-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (registerOption): after changes made in the
compiler to simplify algorithm used to decide which chain a rule
with action Tag should go to, rule action option "Mark connections
in PREROUTING chain" ( "ipt_mark_prerouting" ) has been
deprecated.
2007-06-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::reopenFirewall): Added platform
capability element "supports_nat" - if True, platform supports NAT
rules so the main window should show tab "NAT" in the policy
view. If this parameter is False, the tab disappears.
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): added main
menu item "File -> Import Policy" that activates Discovery Druid
and opens it on the page where user can choose configuration file
for import.
2007-06-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to
permit any-to-any on loopback interface for ipv6 in addition to
rules that set default policy to DROP for all chains in ipv6
2007-06-06 vadim <vadim@vk.crocodile.org>
* antlr.pro: Added ANTLR C++ runtime to the project under src/antlr
2007-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (setChainPreroutingForTag::processNext):
streamlined algorithm that assigns chain to a rule with action
Tag. The goal is to always use chain PREROUTING for rules with
direction Inbound or Both and a combination of OUTPUT and
POSTROUTING for rules with direction Outbound and Both.
2007-06-02 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importPlatformChanged):
finalized rule importer GUI.
2007-06-01 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushNATRule): NAT import now works
2007-05-30 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug #1727715: "Policy Installer failed but
indicates succes". Activation script for PF exits with non-zero
return code if script activation fails.
* IPTImporter.cpp (IPTImporter::addSrv): import of target MARK and
TagService for iptables
* IPTImporter.cpp (IPTImporter::pushRule): support for module
"limit" in importer for iptables
2007-05-29 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): meaningful import of
iptables-restore files with all actions for filter table. Action
"Continue" helps import iptables commands with targets LOG and
ULOG.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Added
support for action "Continue" (an empty action) in the GUI and
compiler for iptables. This action creates a rule that does
nothing, however it generates iptables command with target "-j
LOG" if logging is turned on. This can be useful if one wants only
to log packets that match certain pattern but not make any policy
decision in the same rule.
2007-05-28 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): basic iptables-restore
import works (only policy rules, only minimal set of modules)
2007-05-27 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: initial work on iptables importer
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::generateCodeForProtocolHandlers): Fixed
bug in the shell code that finds netfilter modules (missing
closing '"'). This bug broke generated iptables script. Bug was
introduced in 2.1.12 some time before build 270
2007-05-25 vadim <vadim@vk.crocodile.org>
* iosacl.g (vlan): ignore "vlan" commands while importing IOS
config
* IOSImporter.cpp (IOSImporter::finalize): IOS accesslists
importer properly handles situation when the same list is applied
to multiple interfaces with different directions.
2007-05-22 vadim <vadim@vk.crocodile.org>
* run-tests.sh: simple framework for automated unit tests
* importer_test.cpp: unit test for Cisco IOS access lists
importer
* IOSImporter.cpp (IOSImporter::finalize): IOS access lists
importer works with a large complex test file. Test can be
imported and then compiled with no manual changes.
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
allow for object group in "Interface" rule element
2007-05-21 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
finished configuration importer GUI
2007-05-16 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp: fixed bug #1718791: "Bug with
more than one router". This bug affected routing rules.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::generateCodeForProtocolHandlers):
fixed bug #1720022: "Fail to load modules .ko.gz".
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
rules'. Compiler should not generate iptables commands in
POSTROUTING chain with "-i interface" clause.
2007-05-15 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importConfig): basic GUI
support for the configuration importer
* IOSImporter.h (class IOSImporter): derived class - importer for
Cisco IOS ACLs
* Importer.h: generalized policy importer framework. Requires
grammar for each platform.
* iosacl.g: ANTLR grammar for IOS ACLs. Only "access-list ", "ip
access-list extended" and certain "interface" commands cam be
parsed
2007-05-11 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::readFromStdout): note about
built-in installer on windows. Installer seems to have broke with
upgrade of QT to 3.3.8. Specifically, in
SSHSession::readFromStdout(), proc->readStdout() returns a byte
array that contains actual output from the device, with some
garbage appeneded to it. The garbage is included in the size()
count of QByteArray returned by readStdout so it gets included
into the QString which we append to stdoutBuffer. This happens
only on win32; reverting to QT 3.3.7 fixes the problem.
2007-05-10 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): implemented support for
scheduled reload for PIX firewalls (for roll-back).
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
PIX and Cisco routers (IOS) : built-in installer can schedule
reboot of the firewall before activating new policy, then cancel
it if the policy has been activated successfully.
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
fixed long-standing problem with size of the built-in installer
options dialog. The dialog was too big and did not properly resize
itself when some options were hidden.
* SSHIOS.cpp (SSHIOS::stateMachine): installer for Cisco routers
2007-05-09 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): added
support for the new attribute "unprotected" for the Interface
object in the GUI. Compilers skip this interface while assigning
ACLs or policy rules to interfaces. This is supported only in the
compiler for Cisco IOS ACLs at this time.
2007-05-08 vadim <vadim@vk.crocodile.org>
* iosAdvancedDialog.cpp (iosAdvancedDialog::iosAdvancedDialog):
Added dialogs and resource files for Cisco IOS ACLs
2007-05-07 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::changeAction): setting option
"stateless" appropriately when new rule is created.
* objects_init.xml: added object "All TCP established" - a tcp
object with open port range and flag "established"
* PolicyCompiler_ipf.cpp (PolicyCompiler_ipf::compile): using rule
processor CheckForTCPEstablished in compilers for iptables, ipf
and pf to check for TCP service objects with flag
"established". This is considered an error because these platforms
do not provide support for "established".
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): using
new TCPService object flag "established" in compiler for ipfw.
* PolicyCompiler_ipf.cpp (doSrcNegation::processNext) and
PolicyCompiler_ipfw.cpp: rules created for negation with action
'Continue' should be stateless.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug (no
number): compiler used to not set unique internal id for rules in
branches, which lead to chain names like 'C.0' in generated
script.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug (no number): when a rule number is inserted into a log record
in place of macro %N, it should be formatted as "N/M" for rules in
a branch.
* PolicyCompiler_ipt.cpp (decideOnChainForClassify::processNext):
fixed bug (no number): setting chain for Classify action only if
it has not been set before. Setting chain to POSTROUTING always
broke things if a rule with action 'Classify' was used in a
branch (so the chain has been set to that of the branch)
* RuleSetView.cpp (RuleSetView::changeAction): working on bugs
#1676635: "no way to match on state if the action is drop" and
#1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
stanza". Rule option 'stateless' is automatically set when user
changes rule action so it becomes anything except 'Accept', 'Tag'
or 'Route'. This option is also automatically cleared when action
is switched to any of these three actions. The user can override
these default settings by checking or unchecking the option in the
rule options dialog.
* PolicyCompiler_PrintRule.cpp: working on bugs #1676635: "no way
to match on state if the action is drop" and #1671910: "2.1.8 In
'Branch' acton compiler doesn't insert NEW stanza". Rely only on
rule option 'stateless' to decide whether the rule should have
"-m state --state NEW".
2007-05-06 vadim <vadim@vk.crocodile.org>
* v2.1.12 started
2007-04-28 vadim <vadim@vk.crocodile.org>
* v2.1.11 release
2007-04-24 vadim <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #1702830: "fwbuilder does
not detect errors during policy install". Built-in installer
detects error messages printed by iptables and iptables-restore
and aborts installation process. Summary page shown in the end
reflects this as failed install.
* instOptionsDialog.cpp (instOptionsDialog::updateRollback): fixed
bug #1701971: "Enabeling test mode doent activate the reboot
interval". Checking "Test mode" checkbox in the installer options
dialog should enable widgets that configure automatic reboot
timeout.
2007-04-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): bug
#1699483: "hashlimit-htable-expire not set". Compiler
automatically generates name for the --hashlimit-name option if it
is not set in the GUI.
* PolicyCompiler_ipt.cpp (TagIfSrcFw::processNext): fixed bug
#1703954: "Mark target in postrouting chain". Packets that
originate on the firewall should be marked in the OUTPUT
chain. According to the netfilter packet flow diagram at
http://www.shorewall.net/NetfilterOverview.html , rerouting
happens after OUTPUT hook but before POSTROUTING hook.
* FWBTree.cpp (FWBTree::isSystem): fixed bug #1703595: "build 230
crashes when seaching for a deleted object"
2007-04-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixed
bug 1699483: "hashlimit-htable-expire not set". Added GUI controls
and compiler support for hashlimit module options
"--hashlimit-name", "--hashlimit-htable-size",
"--hashlimit-htable-max", "--hashlimit-htable-expire" and
"--hashlimit-htable-gcinterval"
* OSConfigurator_linux24.cpp (linux24::generateCodeForProtocolHandlers):
fixed bug #1697832: "fc5 kernel 2.6.20 moved *conntrack* modules".
Starting with kernel 2.6.20, netfilter installs *conntrack*
modules in "/lib/modules/`uname -r`/kernel/net/netfilter/" rather
than "/lib/modules/`uname
-r`/kernel/net/ipv4/netfilter/". Modified shell code that finds
and loads all "*conntrack*" and "*nat*" modules, it should now
work with both old and new kernels.
I do not know if this directory change was introduced only by
Fedora or it is general for the netfilter.
* TCPServiceDialog.cpp (TCPServiceDialog::validate): fixed bug
#1695481: "compliation error with lower end port". Before, user
could enter start port range number greater than the end port
range number. Neither the GUI nor compiler noticed this, which
resulted in the incorrect firewall configuration. This fix adds
check in the GUI to not let the user enter port ranges like that.
2007-04-03 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1676845: "lsrr option not compiling"
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment""
* utils.cpp (getUserName): fixed bug #1684334: "RCS should use
$LOGNAME when commit"
* ActionsDialog.cpp (ActionsDialog::loadFWObject): fixed bug
#1692411: "can't set accouting rule name (fwbuilder 2.1.11)"
2007-03-24 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1685741:
"GUI crash: click on an empty part of obj tree, then desktop"
2007-03-21 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::focusOutEvent): working on
the bug #1685741: "GUI crash: click on an empty part of obj tree,
then desktop"
2007-03-18 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): minor
redesign of the interface object dialog to make network zone more
prominent and easier to set when network and group objects have
long names.
2007-03-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1674940: "if max-src-conn == 0: syntax error". Options
max-src-conn and max-src-states can not have value '0'
* TimeDialog.cpp (TimeDialog::loadFWObject): redesigned TimeService
object dialog
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug #1672191: "Time limit generates unexpected iptables
command"
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
Added support for --datestart and --datestop options for module
'time' in compiler for iptables
* started v2.1.11
2007-02-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::findWhereUsedSlot): added an item
"Where used" to the context menu associated with objects in rules
* FWWindow.cpp (FWWindow::setPolicyBranchTabName): a workaround
for the bug 1629461: "Policy tabs do not scroll @ window extent on
OSX". The tab widget used to show policy, nat, routing and policy
branch rulesets does not switch to a "folded" mode on Mac OS X
when it needs to show more tabs that fit in the window. Since I
can't figure out a way to force it to do that, I am dropping
"Policy/" from the tab titles for branches to make them
shorter. This will help users with policies with many branches,
however it does not solve the problem because as they keep adding
branches, at some point they won't fit in the window again.
2007-02-15 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileCompare): fixed bug #1659832: "No
compile with QT without STL support"
* instDialog.cpp (instDialog::initiateCopy): fixed bug #1661140:
"built-in installer broken in 2.1.9 for PF". Installer incorrectly
set name for files it copied to the firewall if compiler generated
more than one file. Normally two files are generated for PF and
ipfilter.
* v2.1.10 started
2007-02-10 vadim <vadim@vk.crocodile.org>
* v2.1.9 release
* main.cpp (tty_raw): bug #1650369: "[patch] please add support
for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.
2007-02-03 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (list): fixed bug #1620284: "conflict when
adding library to Preferences/Libraries". When the user tried to
add a library to the list in Preferemces/Libraries when a data
file with the same object library was loaded, the GUI detected the
conflict and showed error dialog.
* FWWindow.cpp (FWWindow::fileCompare): New feature: new operation
"Tools/Find Conflicting Objects in Two Data Files". This operation
inspects two data files (either .fwb or .fwl) and finds
conflicting objects. Conflicting objects have the same internal ID
but different attributes. Two data files can not be merged, or one
imported into another, if they contain such objects. This
operation also helps identify changes made to objects in two
copies of the same data file. This operation does not find objects
present in one file but not in the other, such objects present no
problem for merge or import operations. This operation works with
two external files, neither of which needs to be opened in the
program. Currently opened data file is not affected by this
operation and objects in the tree do not change. In the process of
this operation user is presented with series of dialogs showing
conflicting objects side by side. In the end the program can
generate report and write it to a text file.
2007-01-30 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): more for the bug
#1617501:"Install fails after compile". Making sure we always
strip directory path from the file name if user specified full
path for the policy file in the "Output file name" input field in
the "Compiler" tab of firewall object dialog. Need to strip path
when macro "%FWSCRIPT%" is substituted in installation scriptlets
and in some other places.
2007-01-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug (no num.): data files used for run-time AddressTable
objects can have empty lines, the script should skip them.
2007-01-14 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
more for bug #1618381: "CLASSIFY/MARK are non-terminating".
Emulation of the terminating behavior for Classify and Tag actions
is now controlled by a global option in the "Compiler" tab of the
firewall properties dialog. This means emulation can be turned on
and off for all rules that might require it at once. It is
impossible to mix such rules with terminating and non-termninating
behavior. The reason for this is that shadowing detection
algorithm can only work with either terminating or non-terminating
rules, not with the mix. Hopefully this is the last change made
for this bug.
* PolicyCompiler_ipt.cpp (ipt::getAddressTableVarName): fixed bug
#1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
"."". Compiler checks if the name of the run-time AddressTable
object contains characters that have special meaning in sheel and
relaces them with '_' when it generates the name of the temporary
shell variable.
* PolicyCompiler_ipt.cpp (splitNonTerminatingTargets): update for
bug #1618381: "CLASSIFY/MARK are non-terminating". Adding iptables
rule with target ACCEPT to make Tag and Classify rules
terminating. This is controlled by checkbox in the action dialog
for actions Classify and Tag. Default setting is off.
2007-01-09 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): fixed bug (no
num.): GUI used show fanthom 'Policy', 'NAT' and 'Routing' tabs
when user deleted objects from the Deleted Objects library,
provided some of these objects were previously deleted firewalls.
2007-01-07 vadim <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::dropped): fixed bug
#1624577: "group window doesn't stay open on multiple-adds". Using
special flag to tell ObjectTreeView that it should ignore
MouseReleaseEvent it gets after d&d operation, so it wont switch
object in the editor panel. Note the bug triggered only on Mac OS
X.
* FWWindow.cpp (FWWindow::FWWindow): "Apply" and "Close" buttons
in the objct editor panel should be of fixed size horizontally
2007-01-06 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::testFirewall): fixed bug
#1617501:"Install fails after compile". The GUI got confused when
user enter full path to the policy file in the "Output file name"
input field in the "Compiler" tab of firewall object dialog.
* SimpleTextEditor.cpp (SimpleTextEditor::loadFromFile): fixed bug
1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug #1628989: "run-time-loaded rules don't accept ";" as
line comment"
* RuleOptionsDialog.cpp (RuleOptionsDialog::changed): fixed bug
#1620206: "RuleOptions' "Apply" button greyed-out until menu
selection"
* SimpleTextEditor.cpp (SimpleTextEditor::SimpleTextEditor): fixed
bug #1619842: "prolog "script editor" opens behind other windows"
* RuleSetView.cpp (RuleSetView::removeRule): fixed bug #1629521:
"can't delete empty chain/policy tab"
* instOptionsDialog.cpp (instOptionsDialog::hidePIXOptions):
installOptionsDialog was too large and did not fit on some laptop
screens. Doing tricks to make sure the dialog properly resized
after unused GUI elements are hidden.
2007-01-04 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext):
(API change)
fixed bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating
rules shadow each other "backwards", that is more general rule
shadows other rules _above_ it. Added flag 'reverse' to the method
find_more_general_rule and added new rule processor
DetectShadowingForNonTerminatingRules that finds such cases of
'reverse' shadowing. Using it for rules in the mangle table for iptables.
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): working on
bug #1618381
* For action Branch with option to add branching rule to the
mangle table: we now generate rules in PREROUTING, POSTROUTING,
INPUT, OUTPUT and FORWARD chains. This is because some targets
can only work in PREROUTING or POSTROUTING chains but we do not
know what rules will user put in the branch. So we need to branch
in all chains
* For rules in mangle table with direction set to Inbound or
Outbound force chain to PREROUTING or POSTROUTING respectively
early. This eliminates duplicates such as the same rule in
PREROUTING and INPUT chains. Also since most (all?) targets that
require mangle table go into either PREROUTING or POSTROUTING
chains, it should be enough to use these two chains.
2007-01-01 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::setRule),
PolicyCompiler_ipt.cpp (splitNonTerminatingTargets::processNext):
working on bug #1618381: "CLASSIFY/MARK are
non-terminating". Converting non-terminating targets MARK and
CLASSIFY into equivalent of terminating targets using intermediate
chain and "-g" option to pass control to it. Added a checkbox to
the rule options dialog for action Classify for this, by default
this feature is off.
2006-12-27 vadim <vadim@vk.crocodile.org>
* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug
#1620925: "compile-time AddressTable object with empty file".
Compile-time AddressTable object that uses file with no addresses
should be treated as an empty group according to the "Ignore empty
groups" option. Changes are made as follows:
- Compiler::expandGroupsInRuleElement does not call
s->setAnyElement(); to set rule element to 'any' before adding
addresses from the group. This means that if group is empty, rule
element remains empty (not even 'any', just with no children,
i.e. with size()==0). Note that AddressTable::loadFromSource()
leaves AddressTable object empty if the file does not have any
addresses.
- Compiler::emptyGroupsInRE specifically checks for run-time
MultiAddress objects and skips them so they wont be treated as
empty groups (since they are indeed empty). Compile-time
MultiAddress objects are treated as groups and algorithm that
depends on option 'ignore empty groups' is executed for both empty
regular groups and empty compile-time MultiAddress objects.
* PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement):
fixed bug #1623113: 'connlimit fails in compiled "address table" rules'
Module connlimit can only be used in iptables rules matching TCP services.
Such iptables commands have "-p tcp" and/or "-m tcp" options. If
a rule in fwbuilder uses TCP Service and connlimit option and has
multiple objects in src and dst, optimizer used to split it to minimize
matches. It however preserved connlimit option in all subrules,
even though some of them did not have TCP service after the split. This
lead to generation of incorrect iptables commands.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1623338: "Can not disable rules in a branch". Compiler for
iptables ignored flag 'disabled' on rules in a branch.
2006-12-26 vadim <vadim@vk.crocodile.org>
* VERSION (FWB_MICRO_VERSION): set version to 2.1.9
2006-12-03 vadim <vadim@vk.crocodile.org>
* v2.1.8 released
2006-11-30 vadim <vadim@vk.crocodile.org>
* FirewallDialog.cpp (FirewallDialog::applyChanges): fixed bug
#1589743: "compiler setting should be erased when fw platform
changes". If user configured firewall object to use thrid-party
compiler, this setting should be erased when firewall platform of
this object changes. 1) compilers are always platform-specific and
old compiler most likely won't work with different platform; 2)
'advanced' firewall settings dialog may not have an entry field
for the compiler (e.g. dialog for PIX does not have it)
2006-11-26 vadim <vadim@vk.crocodile.org>
* gui.pro (TARGET): All binaries are renamed to drop suffix
'21'. Opinion poll amongs the mailing list sbscribers showed
majority of users does not care for the ability to install and run
both old and new versions of fwbuilder on the same machine. This
feature creates substantial problems because of the symlinks to
libfwbuilder libraries that have the same name regardless of the
library version ('libfwbuilder.so' and 'libfwcompiler.so'). These
symlinks are required on Linux and *BSD and can not be avoided
easily. The only simple alternative was to rename libraries to
libfwbuilder21 and libfwcompiler21. I was impartial and thought of
doing this but FreeBSD port maintainer did not like this
solution. Given that most users said in the poll they do not want
this feature anyway, I am reverting binary and man page names back
to the old standard scheme without suffix '21'.
2006-11-16 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::matchAttr): added back
search by regexp - object name or port, protocol or ICMP type
numbers can be defined as regular expressions.
2006-11-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printDirectionAndInterface):
fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV:
no physdev opti..." Some times rules were generated with "-m
physdev" but witout "--physdev-in" or "--physdev-out" options.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1592130: "Policy Chaining Issues". Policy compiler should expand
rule subsets recursively
* FWWindow.cpp (FWWindow::addPolicyBranchTab): working on bug
#1592130: "Policy Chaining Issues". The GUI should properly
display nested branch rulesets.
* set version to 2.1.8
2006-10-30 vadim <vadim@vk.crocodile.org>
* v2.1.7 released
2006-10-28 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixes for QT w/o STL support
2006-10-24 vadim <vadim@vk.crocodile.org>
* manually removed <includehint> from findobjectwidget_q.ui and
findwhereusedwidget_q.ui
* build 155
2006-10-23 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getRouteOptions_pf_ipf): fixed bug (no num): the
program used to incorrectly save "route option" parameter that is
used for pf anf ipf firewalls when user edited action "Routing"
for iptables firewall. This would corrupt saved XML file if the
program was used under non-English locale.
2006-10-22 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): eliminated
useless creation of interim QPixmap objects. It appears this was
responsible for creation of tons of extra pixmaps that triggered
bug 1582130 on windows.
Bug ##1582130: "GUI crashes on windows when very large data file
is opened" is now fixed.
2006-10-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::addTreePage): working
on bug #1582130: "GUI crashes on windows when very large data file
is opened". Using QPixmapCache everywhere.
* PixmapFactory.cpp (PixmapFactory::getPixmap): bug #1582130 "GUI
crashes on windows when very large data file is opened". Ran into
a known limitation on number of simultaneously created pixmaps on
Windows. If the data file contains over 3000 obects or so, the GUI
crashes on Windows. This is caused by the fact that GDI has global
limit on the number of pixmaps. See here:
http://lists.trolltech.com/qt-interest/2005-01/thread00679-0.html
Using QPixmapCache class to cache and reuse pixmaps, using it via
simple wrapper PixmapFactory that automatically creates pixmaps
not found in the cache.
2006-10-20 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (listOfLibraries::listOfLibraries): fixes
for QT w/o STL support on win32
2006-10-19 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): properly using
remapping tables while loading strings into QComboBox when program
runs under international locale. Strings for qomboboxes are
defined in platforms.cpp and need to be translated accordingly.
2006-10-16 vadim <vadim@vk.crocodile.org>
* RCSFileDialog.cpp (RCSFileDialog::getSelectedRev): fixed bug
#1578502: "crashing opening file". The GUI crashed if the user
switched "open file" dialog to detailed list mode and then tried
to open a file.
2006-10-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): All
compilers print error mesage when they encounter unknow action in
a rule
* Preprocessor.cpp (Preprocessor::convertObject): fixed bug
#1575355: "Compiler tries to resove deleted AddressTable
objects". Using findWhereUsed to find if MultiAddress object is
used in firewall being compiled so we don't try to resolve objects
that are not used anywhere.
* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup):
code refactoring: moved methods findObjectsInGroup and
findWhereUsed from the GUI to API.
2006-10-08 vadim <vadim@vk.crocodile.org>
* v2.1.6 build 134: major improvements in support for outbound
ACLs in PIX 7.0 in compiler for PIX. Added file
'v21_migration_notes.txt' to fwbuilder-pix package
2006-10-07 vadim <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printDstService): fixed
bug#1572735: "Wrong syntax with TagService in NAT table". Added
mssing "-m mark"
2006-10-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (SpecialRuleActionsForShadowing::processNext):
rule with action 'Pipe' or 'Custom' should not shadow other rules
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext):
compiler for ipfw generates rule with action check-state depending
on the setting of he option "Add rule to accept packets matching
dynamic rules created for known sessions". This option is
controlled by a checkbox in the firewall settings dialog.
* TableFactory.cpp (TableFactory::PrintTables): if AddressTable
object is configured to resolve at run time but file name is left
blank, compiler for PF generates PF configuration as follows:
"table <tblname> persist". That is, it omits 'file "filename"'
clause all together. This is useful if table is updated
automatically using "max-src-conn, overload <table>" option and
does not need to be pre-populated with addresses from a file.
2006-10-05 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog::pixAdvancedDialog):
added option "Generate outbound ACLs" for PIX 7.0
2006-10-02 vadim <vadim@vk.crocodile.org>
* Checking in updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2006-09-29 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (ipt::compile): fixed bug #1567873:
"CLASSIFY/Logging". eed to run rule processor
decideOnChainForClassify before rule is split for negation or
logging to properly pick up chain for action Classify. Previously
rules with this action and either negation or logging would match
packets in chains INPUT/OUTPUT/FORWARD but use chain POSTROUTING
when applying action.
2006-09-28 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): 'Prolog' section of the generated script can now
be added in different places:
- to the activation shell script, as before
- at the very top of generated .conf file
- after 'set' commands in the generated .conf file
- after 'scrub' commands in the generated .conf file
- after table definitions in the generated .conf file but
before all policy commands
2006-09-26 vadim <vadim@vk.crocodile.org>
* checking in updated Russian localization by <sov@rbsec.ru>
2006-09-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::deleteObj): fixed bug
#1562965: "no confirmation when deleting an object". In a scenario
when user starts with an emty object tree, then adds a firewall
with an interfaces, then tries to delete the interface, the GUI
would just delete it without presenting the user with "Are you
sure ?" confirmation dialog.
2006-09-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (convertAnyToNotFWForShadowing::processNext):
fixed bug #1562348: "a case of undetected rule shadowing".
Compiler did not detect shadowing in the pair of rules where first
rule was 'any any service' (flag 'firewall is part of any' is ON)
and the second was 'fw any service' when global flag 'firewall is
part of any' is OFF
* confirmdeleteobjectdialog_q.ui: fixed bug #1561165: "Delete
dialog box sizing incorrect"
* FWObject.cpp (FWObject::shallowDuplicate): API change: fixed bug
1562290: "GUI crashes in discovery
druid". FWObject::shallowDuplicate should add to database index
only if dbroot is defined. If dbroot==NULL, trying to copy it from
parameter x of shallowDuplicate (the object we are duplicating),
but need to check if dbroot is != NULL after that as well, because
object we are dulicating may not belong to any object tree. This
is the case with interface objects created in
SNMPQuery::fetchInterfaces
2006-09-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added
support for max-src-conn and max-src-conn-rate options n compiler
for PF.
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added GUI
elements to support these PF options.
2006-09-16 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): fixed a bug in the code that
deals with previously unseen ssh host key. Properly terminating
session if user hits 'No'; stopping heartbeat timer while waiting
for user input.
* FWWindow.cpp (FWWindow::install): compile/install wizard is now
a top level non-modal window, it can be used in parallel with the
main window so one can inspect and fix rules while still looking
at the output produced by the compiler, or work with objects and
rules while pushing policy update to the firewall.
2006-09-15 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installerError): fixed bug #1559697:
"built-in installer crashes on incorrect password"
2006-09-14 vadim <vadim@vk.crocodile.org>
* FWObjectClipboard.h: clipboard holds list of object IDs instead
of object copies. Clearing clipboard when an object is deleted
from the "Deleted objects" library in ObjectManipulator::delObj.
* FWWindow.cpp (FWWindow::load): calling FWObjectDatabase::reIndex
to fix object reference counters and rebuild the index after
object tree is loaded from .fwb file. Doing the same in all policy
compilers.
* NATCompiler_pf.cpp (splitForTSrc::processNext): fixed bug
#1556984" "Nat statements in PF are missing (source-natting)"
Compiler was too restrictive checking firewall's interfaces while
generating 'nat' rules. It generated such rule only when it was
able to find an interface with address/netmask combination that
defined subnet to which TSrc address belonged. 2.0.X used to be
more liberal and created nat rule even if such interface was not
found, in such case it generated nat rule bound to all interfaces
of the firewall.
2006-09-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::iptRouteContinueToggled):
fixed bug #1557827: "iptables, routing, iif and continue". GUI
enforces rules on options to iptables target ROUTE: 'continue' is
mutually exclusive with --iif and --tee, therefore checking option
'Continue packet inspection' disables options 'Change inbound
interface to' and 'Make a copy' (GUI elements are greyed out).
2006-09-10 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): using timer
event to make sure rule sets are redrawn no more than once when
needed.
2006-09-08 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): using
FWObjectDatabase::addToIndexRecursive to quickly reindex whole
database once datafile is loaded. This works very fast.
Fixes everywhere for the new format of FWObjectDatabase::create
2006-09-07 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): improvements in the GUI
ergonomics when working with very large data files:
- The main window opens before the file specified on the command
line is loaded
- Using status bar to print messages indicating progress of the
file loading process
- Enforcing objects indexing after the file is loaded, this
speeds things up later
* ObjectEditor.cpp (ObjectEditor::actionChanged): fixed bug
#1553394: "Options windows stays the same".
2006-09-05 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::killInstDialog): compile/install dialog
is now not modal, this means the user can look at the policy and
objects while compilation and/or installation is going on. This is
especially convenient as it allows one to inspect the rules after
failed compilation while still having compiler error on screen.
* VERSION: set version to 2.1.6
* configure.in: added check to make sure qmake found by configure
really is part of QT 3.x. This should help avoid build failures on
systems where both QT 3.x and 4.x are installed and where
/usr/bin/qmake is really QT 4.x qmake which we can not use.
2006-08-31 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (processMultiAddressObjectsInRE):
checking for (currently unsupported) run-time AddressTable objects
* All compilers: fixed bug #1544488: 'Error with DNS_name object
when "resolve during run time"'. Needed to swap run-time DNSName
and AddressTable objects with MultiAddressRunTime during rule
shadowing run
2006-08-29 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (readFromStdout): properly processing text coming
from the background process if it comes buffered in chunks that
include several lines of text and possibly incomplete last
line. Previously, text would come out werdly formatted in the log
window.
* instDialog.cpp (processExited): detectig situation when
background process (compiler) crashes or is killed
* RuleSetView.cpp (fixRulePosition): this method fixes rule
position if it is incorrect (this happens sometimes because of
errors in auto-upgrade transformations). fixRulePosition checks if
object the rule belongs to is read-only or belongs to a read-only
subtree in the database and temporarily breaks the lock in order
to be able to fix rule position. This method is recursive so it
supports cases when several objects between the rule and database
root are read-only.
2006-08-27 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (prepareInstallerOptions): Added checkbox 'save
copy of fwb file on the firewall' to the installer options
dialog. If this checkbox is on, installer copies .fwb file to the
firewall before it copies generated configuration and activates
it. This can be used as last resort backup but should be avoided
if firewall is managed from remote workstation and especially if
many firewalls are managed from dedicated management
workstation (because storing fwb file on each firewall means
security policy of all firewalls resides on all every one of them).
This option is off by default.
2006-08-26 vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (findForObject): redesign of the
dialog: now showing objects to be deleted and their parent objects
in the same list with selection disabled. This removes confusion
caused by the text in the dialog saying that 'seletect objects'
were bout to be deleted and ability to select objects in the
confirmation dialog.
2006-08-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#1543684: "fwb 2.1.5 IPFilter fallback rule issues". Fallback rule
should be 'pass out' if option 'Pass all outgoing' is used.
2006-08-19 vadim <vadim@vk.crocodile.org>
* MangleTableCompiler_ipt.cpp (processNext): (new feature): added
checkbox to the action 'Branch' for iptables "In addition to
'filter', create branching rule in 'mangle' table as well". When
this parameter is activated, compiler creates branching rules in
both filter and mangle tables; in mangle table it always uses
chains PREROUTING, INPUT, OUTPUT and FORWARD.
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1534423 "2.1.5,
mark action rules in branches". Added checkbox "Mark packets in
PREROUTING chain" to the action "Tag" for iptables. Compiler
places rule into PREROUTING chain when this parameter is
activated.
2006-08-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (compile): working on bug #1534423
"2.1.5, mark action rules in branches". Branch rules with action
Tag go into mangle table.
2006-08-17 vadim <vadim@vk.crocodile.org>
* gui.cw: this file is used by QT to save descriptions of custom
widgets
* ObjectManipulator.h: added bunch of missing virtual destructors
to various classes
2006-08-10 Vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (ConfirmDeleteObjectDialog):
completed implementation of feature request #1116454: "Where Used
Option". When the user tries to delete an object from the tree,
the GUI presents a list of groups and firewall rules where this
object is used.
2006-08-09 Vadim <vadim@vk.crocodile.org>
* instDialog.cpp (findFirewalls): main menu item 'Compile' and
corresponding toolbar button activate compilation/installation for
all firewalls in all libraries. This fixes bug #1531007: "no
firewall in comp/inst dialog if standard library selected"
* utils.h (findByObjectType): added parameter bool skip_system_libs.
This method will skip libraries DELETED_LIB and TEMPLATE_LIB if this
parameter is true (which is its default value).
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (validateAndClose): fixed bug (no num.):
"Apply" button in the editor panel would not activate when user
reopened an object after it was edited and then editor panel
closed.
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (apply): fixed bug #1531020: "gui behaviour on
object renaming". Changing name of the selected object in the
editor updated it in the tree but not in the rule set view.
* ActionsDialog.cpp (applyChanges): fixed bug #1531008: "gui
behaviour improvements". Gui used to reset rule selection after
user selected different object in the tree.
2006-08-05 Vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog): fixed bug #1525808:
"fwbuilder21: Windows are too large ". One of the pages of the
firewall creation druid was too large vertically, as the result
whole druid would not fit on screens 1024x768 with standard font
bigger than 18pt
* FindWhereUsedWidget.h (class FindWhereUsedWidget): Feature
request #1116454: "Where Used Option". Ilya implemented "Find
Where Used" function which quickly finds and shows rules of all
firewalls that utilize a given object.
2006-07-23 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (copyRule): still debugging problems caused by
QT w/o STL support. Also got rid of methods RuleSetView::isSrc,
isDst, isSrv etc, makes code cleaner cause these methods violated
data access boundaries in the class hierarchy.
2006-07-22 vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getPolicyRuleOptions): fixes in
bunch of places where code assumed QT is built with STL support
2006-07-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (processNext): checking if
objects in srv are of the type TCPService or UDPService; if they
are, treat srv as if it has one object even if there are several in
it. This eliminates uncessesary rule splitting that optimizer used
to do.
* PolicyCompiler_ipt.cpp (compile): moved
InterfacePolicyRulesWithOptimization further down the chain of
rule processors to let other processors properly decide on chain
for rules that are associated with multiple interfaces. Such rule
is now treated as if it has one interface, and most of the chain
and target decisions are made before the rule is split. When the
rule is split in InterfacePolicyRulesWithOptimization, each part
gets one interface from the original list.
* PolicyCompiler_ipt.cpp (SrcNegation): all rule processors that
work with negation reset "Interface" rule element in subrules they
create except for the very first.
* main.cpp (main): removed plays with styles on Mac, they proved
unnecessary
2006-07-18 vadim <vadim@vk.crocodile.org>
* unit_tests.cpp (main): unit test for RCS module, currently only
checks if rlog reading routing works right
* RCS.cpp (RCS): trying to fix mysterious bug that causes RCS
module to misinterpret RCS log in some cases and read modification
date/time instead of the name of the user who apparently opened
and locked the file. However in cases like that the file in fact
is checked in and unlocked. Instead of reading rlog output line by
line and using regex to parse each line separately, we now read
the output in chunks using '------' as a separator. Each chunk
corresponds to one revision and all regexps are written to work on
the whole chunk instead of one line.
2006-07-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When user selects an object in the
rule set, all references to the same object in other rules are
highlighted by drawing thin red frame around them. Similarly, when
an object is selected in the tree, all references to it in the
currently visible ruleset are similarly highlighted. This helps
enforce the notion that all instances of the object in rules are
really references to the same object, as well as helps locate
these references visually.
2006-07-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (exportLibraryTo): user choses libraries for export
using spearate modal dialog instead of built-in panel in the file
choosing dialog in the "File/Export Library" function
2006-07-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow): FindObjectWidget is not a custom widget
anymore - this is a workaround for QT bug #85440 :
http://www.trolltech.com/developer/task-tracker/index_html?id=85440&method=entry
2006-07-09 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): bugfix: the GUI
used to switch object in the editor if user tried to open a
different library and expand/collapse subtree in it. It should not
do this, expading/collapsing subtrees should not cause object
switch in the editor.
2006-06-30 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): highlighting whole table cell for
rule options/actions/directions/etc when corresponding rule
element is selected.
* Added title bar with icon and object type name to dialog panels
for all object types
2006-06-25 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (PrefsDialog): removed "Data format" tab from
the Preferences dialog. Option that turns off saving standard
objects in every users data file was on by default for a long
time, now it is time to remove the GUI control all together.
* FWBSettings.h: using macro SETTINGS_PATH_PREFIX to define path
prefix for settings. This makes it easier to change the prefix
when new version is introduced
2006-06-23 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (): using QDns to get host names for
discovered ip addresses instead of our own DNS methods
2006-06-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): fixed bug #1509411:
"FWB does not build correct PF RDR port ranges". RDR rules should
support port ranges in the RHS of "->"
* qmake.inc.in: Passing CXXFLAGS from environment to the build
process. Fedora engineers had to add a hack to their .spec file to
do this, this change makes their hack unnecessary
2006-06-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printRouteOptions): implemented
spport for action Route for PF
2006-06-15 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): fixed selection
of multiple objects in the tree and interaction with editor.
2006-06-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): implemented support for
action Route for iptables
2006-06-13 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (openObjectInTree): selecting object in a rule
automatically opens it in the tree (both when editor opened and
when it is closed)
2006-06-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (requestEditorOwnership): moved all the logic
controlling switching between objects whith editor open to this
method of FWWindow, this significantly simplifies other
classes. Now we can properly process situations when user opens an
object in a rule, edits it and then tries to open an object in the
tree for editing. This also works in other situations when object
with unsaved changes is opened in the editor and user tries to
switch to another one, possibly in a different panel or
widget. Still need to explore ways to maintain synchronized object
highlighting in the tree and in rules.
2006-06-06 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (maybeTip): directions are represented only by
icons with no text; added tooltip for directions
* ObjectEditor.cpp (validateAndSave): cleanup in ObjectEditor
class - reusing method validateAndSave in methods close,
validateAndClose
* FirewallDialog.cpp (loadFWObject): "snmp" tab of the firewall
object dialog has been deprecated
2006-06-04 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (revealObjectInTree): change in the GUI
behavior: - selection in the tree and ruleset are mutually
exclusive, that is selecting an object in ruleset turn selection
off in the tree and vice versa. Added menu item "Reveal in tree"
to the context menu that appears when user clicks right mouse
button on an object in ruleset.
* PolicyCompiler_ipt.cpp (processNext): Added support for CONNMARK
as an option for rules with action Tag. If a checkbox "Mark
connections created by packets that match this rule" in rule
options of a rule with action Tag is checked, compiler adds
iptables command to save mark set by the Tag action into connmark
module, and then adds another command at the beginning of the
policy to restore it.
2006-06-03 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (setRule): New rule action: "Route", to be
mapped to ROUTE target for iptables and 'route' option for pf and
ipf
2006-05-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When a group is opened in the
editor, an object can be highlighted there which is different from
the object highlighted in rules. Using alternatie color to
highlight object in rules when user switches keyboard focus to the
editor panel. This helps avoid confusion caused by identical look
of objects highlighted in rules and group view. Currently using
QColorGroup::midlight() to get color for when ruleset widget has
no focus. This is probably incorrect because color should change
when widget's colorGroup() changes from active to normal. Using
midlight color may lead to incorrect results if QT theme does not
define this color properly.
2006-05-25 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (edit): GUI opens objects in the editor
panel on single mouse click on an object in the tree if editor
panel is opened. If it is closed, click just changes selection in
the tree. Drag and drop works because object is opened in the
editor on mouse release. Similarly, if user navigates in the tree
using keyboard, object is opened in the editor on keyReleased
event. Multiple selection works both by mouse and by keyboard.
2006-05-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (swapAddressTableObjectsInRE):
AddressTable objects are converted to PF tables with the name of
the object in both run-time and compile-time mode. This is so only
for PF because other compilers simply expand compile-time
AddressTable objects as a group of addresses (and lose its name in
the process). Administrator can use compile-time AddressTable
object to create tables with names known beforehand. In the future
these tables can be used with 'overflow' rule option that updates
tables automatically.
* TableFactory.cpp (init): implemented persistent tables in
compiler for PF: compiler maintains list of tables it creates
between passes for NAT and policy rules. This reduces duplication
if the same tables need to be created for both policy and NAT
rules. Tables for branched rule sets (anchors) are generated
separately and may duplicate those in the main rule set (although
their name is different).
2006-05-16 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processMultiAddressObjectsInRE): DNSName
object now inherits MultiAddress, this allows for DNSName to be
expanded into multiple addresses at compile time. Run time support
hasn't changed because most fw platforms automatically expand
domain name into all IP addresses defined as DNS A records for
this name.
2006-05-14 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (unselectRules): rule set should lose focus when
object editor is opened in a panel. Object shown in the editor is
highlighted in the tree anyway. This works better during search
when "find next" finds object in the tree
* NATCompiler_PrintRule.cpp (processNext): fixed bug #1476797:
"ipt NETMAP, POSTROUTING** chain --to problem with multiple
network targets".
* PolicyCompiler_PrintRule.cpp (_printModules): Added support for
hashlimit module for iptables (with an option for older systems
where the same module is called dstlimit)
2006-05-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printModules): added support for
connlimit module for iptables
2006-05-12 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added input fieds for
iptables module "connlimit"
* Many dialogs: converting all object, rule options and actions
editors from pop-up dialogs to built-in panels.
2006-05-07 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (accept): removed entry field for scp, it is not
used by the installer. Cleaned up in all places where we check if
path to ssh is configured to make sure installer can use it.
* TableFactory.cpp (createTablesForRE): names for tables that go
into an anchor have anchor name prepended to them as a prefix to
ensure global uniqueness. One side effect of this is that
AddressTable objects can only be used either in global rules or in
an anchor, but not in both at the same time because the name of
the table created for such object follows the name of the object
and hence appears the same in the main rule set and in the anchor.
2006-05-06 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): Added support for branching rules for PF,
imlpemented via anchors. Rules defined in branches are stored in
separate .conf files and loaded by the .fw file using
pfctl -a <anchor_name> -f <anchor_rules_file> Anchor rule files
are also added to manifest in the .fw file to make sure the built-in
installer will copy them to the firewall.
* PolicyCompiler_ipt.cpp (processNext): support for branching
rules for iptables (via user-ddefined chain, chain name is
specified as action parameter for action 'Chain')
* FWWindow.cpp (reopenFirewall): added support for policy
branches. Setting rule action to "Chain" or "Anchor" (depending on
platform) creates additional tab with a policy rule set. These
rules represent a branch in the policy, implemented by means of a
user-defined chain for iptables and anchor for pf. Chain or anchor
name is set as action parameter through standard action options
dialog.
* FWWindow.cpp (fileSaveAs): fixed bug #1424880: "Save As" works
incorrectly. "Save As" works as follows:
* a new file is created with the name provided by user, this file
captures the state of the object database as of the moment when
user executed 'Save As' operation.
* if the old file was not in RCS, then any changes made to it
since it was saved to disk last time are lost. In other words,
next time user opens the old file, its content will be as it was
when it was saved to disk last time before using 'Save As'
operation
* if the old file was in RCS, then it is reverted to the head
revision in RCS
* fixed bug #1434321: firewall name heading incorrect after
duplicate. After a firewall object is duplicated, the name of the
new object as shown in the tree and in pull-down list of firewalls
was incorrect.
* ActionsDialog.cpp (setRule): Added GUI support for action
'Branch' (represented as 'Chain' for iptables and 'Anchor' for pf)
2006-04-30 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getActionNameForPlatform): remapping names of
some new actions depending on the target firewall platform. For
example, action "Tag" appears as "Tag" for PF and as "Mark" for
iptables. Also remapping name for actions Pipe and
Accounting. This should help adoption of the new actions by people
who are familiar with corresponding features of the target
firewall platforms. Name mapping is done only for presentation;
all internal references to actions use their abstract internal
names both in the GUI and in all compilers.
2006-04-30 <vadim@beaver.vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1464806: "Global custom log prefix not applied to built in
options". Autogenerated rule that blocks packets matching INVALID
state will use globally set custom logging prefix. "-1" is used
for the rule number; macro "%C" is replaced with the chain name
"drop_invalid"
* NATCompiler_pf_writers.cpp (processNext): fixed bug #1407328:
"NAT / RDR Exception PF problem". "no nat" rule in PF can
translate either into 'no nat' or 'no rdr', depending on what the
user really needs to achieve. There is no way fwbuilder can guess
right by just analysing this single rule, so it will generate both
variants.
2006-04-23 vadim <vadim@vk.crocodile.org>
* SSHSession.h: fix for bug #1455772 did not work on windows where
QProcess added '\0' to each line of the stream passed to the ssh
client. On Unix we run fwbuilder as a wrapper for ssh client and
can intercept and filter these characters but on windows we do not
use wrapper and can't fix the problem that way. Better fix is to
avoid QString (and therefore conversions UTF8 <-> Unicode) all
together. Changed last parameter for constructor of SSHSession and
derived classes from QStringList to list<string>. Now instDialog
reads script as sequence of bytes and does not convert it to
Unicode, then passes to the ssh client via SSHSession as-is. In
principle, this alleviates the need in the hack in main.cpp but I
leave it there just in case. (Forward ported from 2.0.12)
2006-04-23 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (displayCommands): changed title of the
tab where user controls protocol inspectors from "Fixup" to
"Inspect". Added a button to show commands that will be generated
by the compiler for a current combination of inspector
configuration, this button calls policy compiler fwb_pix and feeds
XML to it via standard input. Doing this automatically every time
user touches something in the inspector control widgets may be
slow on underpowered machines or when the data tree is very large
because the GUI needs to start external process, which reads and
parses the whole XML file.
2006-04-22 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): calling fwb_pix to
generate protocol inspection commands. Need to implement saving
into a buffer in FWObjectDatabase to make this work.
2006-04-19 ilya <yalovoy@gmail.com>
* FWWindow.cpp (singleInstall): batch compile and intsall
operations are possible when user selects several firewalls in the
tree and uses context menu items "Compile" and "install". Selected
firewalls are automatically checked in the batch install dialog.
* FirewallDialog.cpp (loadFWObject): support for attribute
"inactive" in Firewall. Inactive firewalls are not picked for
batch compile and install operations.
2006-04-10 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext),
ipfAdvancedDialog.cpp (ipfAdvancedDialog): Added support for PPTP
and IRC proxies for ipfilter
2006-04-07 ilya <yalovoy@gmail.com>
* instDialog.cpp (selected): implemented batch compile and batch
install modes. Requires some work to polish the UI but basic
functionality works
2006-03-26 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
fixed bug#1364060: "conntrack modules not found". The name of the
'conntrack' module in Linux 2.6 is 'ip_conntrack.ko' and
'ipt_conntack.ko'. Changed shell pattern to match new modules as
well as old ones.
* linux24.xml.in: made "chmod +x" part of the sequence that
copieswall script to make the script is executable. This fixed bug
#1455748: "make firewall script executable"
* main.cpp (main): it appears some older versions of Qt have a bug
referred to in the following article:
http://lists.trolltech.com/qt-interest/2004-10/thread00024-0.html
This bug causes '\0' to be appended to strings passed to/from
QProcess if they are converted to/from utf-8. Added workaround in
the ssh wrapper code to skip zeros. In combination with converting
config file strings from/to utf-8 this fixes bug #1455772: "Problem
with UTF8 Descriptions in FW Objects"
* instDialog.cpp (initiateCopy): need to convert strings of the
config file from utf-8 in order to be able to use methods of
QString to process them. Strings are converted back to utf-8 right
before they are sent to the background ssh process to be copied to
the firewall in SSHSession::sendLine()
2006-03-22 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (prolog): switched from
Compiler::objcache to object index in FWObjectDatabase. Replaced
calls to Compiler::getCachedObject with calls to
FWReference::getPointer() everywhere
2006-03-20 vadim <vadim@vk.crocodile.org>
* ipf.cpp, ipt.cpp, pf.cpp, ipfw.cpp (main): added call to
Preprocessor::compile() to convert DNSName and AddressTable
objects before rule processing starts
2006-03-18 vadim <vadim@vk.crocodile.org>
* OSConfigurator_solaris.cpp (printPathForAllTools): fixed bug
#1393004: "Solaris does not have "egrep -q". Since egrep shipped
with Solaris does not have option '-q', using '-s'
* ipf.cpp (main): fixed bug #1386226: "generated -nat.conf is not
removed when nat rules removed.". Old fw-nat.conf was left in
place when user deleted all NAT rules (the new one was not created
either). Now compiler deletes *-ipf.conf and *-nat.conf files
before creating new ones, also installer gets correct list of
files to read.
* PolicyCompiler_PrintRule.cpp (PolicyRuleToString): fixed bug
#1375432: "fwb_ipt with twice -m state". Compiler used to generate
options "-m state --state XYZ" twice in a situation when
administrator uses custom service that already includes this code
and rule is not stateless.
2006-03-15 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (findFirewallsForObject): Using method
findWhereUSed to find firewalls that require compile/install after
an object is modified.
2006-03-15 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (_findWhereUsed): generic recursive method
that finds all groups and rules that use an object.
2006-03-10 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (contextMenu): added temporary pop-up menu
item 'simulate Install' for testing.
* ObjectManipulator.cpp (__Is_Object_Ref_In_Firewall): added
support for detection of firewall objects that require compile and
install after any object in the tree is modified. The code keeps
track of changes made to firewall's policy rules, as well as
changes in all objects in the tree. After the user applies changes
in an object editor, the program inspects every firewall trying to
determine if the object is used in one of its rules. When one or
more firewalls using this object are found, corresponding items in
the tree are highlighted. Indirect usage, such as if the object is
a member of a group that is used in a rule, is also
detected. Multi-level group membership is detected too.
2006-03-07 vadim <vadim@vk.crocodile.org>
* All compilers: compiler prints only one 'success' message at the
and of processing instead of after each section (policy, NAT
etc). This makes it easier to keep track of its progress and is
less confusing if it runs in a silent mode and takes a long time
to process one section. Before, when it printed "Rules compiled
successfully" after each section, the user could interpret this
message as if compiler was done, while in fact it was still
working on the next section
2006-03-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (removeFW): restored rule processor that
removes firewall object from src or dst to simplify rule if it
uses OUTPUT or INPUT chain. Doing this only if original rule did
not have negation and we do not add any virtual addresses for NAT.
After removal the rule collapses to a simple command like this:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
this works fine except if we have added virtual addresses for
NAT. It is assumed that firewall object in rules represents
combination of addresses configured in its interfaces in the
GUI. Virtual addresses added for NAT are considered to be a side
effect and connections should not be implicitly permitted to them
by a rule with fw object in destination. The same applies to fw
object in source. See bug #685947 for discussion. To avoid
inadvertently opening holes in the firewall by a rule like that,
we remove fw object only when it is safe to do so.
2006-03-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainForClassify): setting chain
to POSTROUTING for rules with action Classify. Also added checks
for this action in all rule processors that split rules in order
to assign them to INPUT/OUTPUT/FORWARD chains later because this
is not needed for this action (since only one chain is allowed
anyway)
* PolicyCompiler_PrintRule.cpp (_printDstService): added checks
for iptables version "1.3.0"
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface):
added support for physdev module for bridging firewalls. This
module is used if interface a rule is associated with is marked as
bridge port and iptables version is set to 1.3.0 or later in the
firewall settings. Feature Request #1000757: "bridging: using physdev"
* All compilers: by default treating bridge port interfaces the
same as unnumbered interfaces, unless target firewall platform
provides special support for bridge ports, such as module
'physdev' in iptables
* InterfaceDialog.cpp (loadFWObject): added support for bridge
port interface
2006-03-04 vadim <vadim@vk.crocodile.org>
* fwbedit.cpp (main), fwblookup.cpp (main): using global variable
instead of singleton FWObjectDatabase::db. FWObjectDatabase::db
is not used in fwbuilder2 anywhere and can be eliminated.
* FWObjectClipboard.cpp (add): must create new objects using
current instance of FWObjectDatabase because it maintains internal
object index. Replacing FWObjectDatabase::db with mw->db() to
accomplish that
* getting rid of singleton FWObjectDatabase::db in the GUI -
replacing it everywhere with mw->db()
2006-02-28 Vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectProperties): printing
firewall's lastModified, lastCompiled and lastInstalled timestamps
in the info window and in tooltips
2006-02-26 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (updateLastModifiedTimestamp): added
methods to keep timestamps for the moments when a Firewall has
been modified, compiled and installed. Using these timestamps to
provide visual indication for when a firewall needs to be
installed using bold font for its name in the tree view. Will use
the same mechanism to automatically suggest which firewalls to
install when user hits "Install" menu item or toolbar
button. Still need to implement object modification tracking to
properly detect which firewall needs to be marked when an object
is modified (an object can be used in a firewall rule directly or
indirectly if it is a member of a group)
2006-02-19 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (reopenFirewall): the GUI shows "Routing" tab only
if the corresponding policy compiler for a give host OS supports
it. Using <capabilities> element in the res/os/OS.xml resource
file.
* FirewallDialog.cpp (fillVersion): fixed a bug where firewall
versions would appear in a mixed order in the 'version' pull-down
in firewall object dialog
2006-02-18 vadim <vadim@vk.crocodile.org>
* Added support for load balancing rules in PF
* Added support for address ranges and network objects in TSrc in
NAT rules for PF
* Added support for pool types in NAT rules for PF ('bitmask',
'random', 'source-hash', 'round-robin') as well as 'static-port'
option
* PolicyCompiler_ipf_writers.cpp (_printAction): basic support for
Custom action for ipfilter. Lack of examples for actions 'auth'
and 'call' in ipfilter documentation or anywhere on the web makes
it hard to implement right.
* PolicyCompiler_ipfw_writers.cpp (_printAction): Added support
for policy rule action Custom for ipfw
* PolicyCompiler_ipfw_writers.cpp (_printAction): Fwbuilder policy
rule action 'Classify' is mapped to ipfw actions 'pipe' or
'queue'. Fwbuilder policy rule action 'Pipe' is mapped to ipfw
action 'divert'
2006-02-17 ilya <yalovoy@gmail.com>
* execDialog.cpp (saveLog): Added a button and function to save
compile or install progress log to a file with extension .txt
* killed startup wizard; the GUI starts accordingly to the setting
on the first page of the Preferences dialog - it can either start
up showing just standard objects library or automatically open
file the user was editing last time the GUI was used.
* object created using "Duplicate" menu item is automatically
activated and opened in the editor
2006-02-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printQueue): implemented support
for action 'Classify' in compiler for PF, mapped to a filtering
rule option 'queue _queue_name_'
* PolicyCompiler_PrintRule.cpp (PrintRule): implemented support
for actions 'Classify' and 'Custom' in compiler for
iptables. Action 'Classify' is mapped to '-j CLASSIFY --set-class M:N';
action 'Custom' is used verbatim
2006-02-15 ilya <yalovoy@gmail.com>
* :version 2.1.5
* :Added new Actions 'Classify' and 'Custom'.
* :Added new dialog NATRuleOptionsDialog.
* RuleSetView: In NATView inserted new column "Options" for
viewing of Nat Rule Options.
2006-02-11 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (checkSNMPCommunity): unified method to check
validity of the host name/ip address for dns name server used for
zone transfer and seed host used for snmp crawler
2006-02-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): added support
for the TagService object (using 'tagged')
* PolicyCompiler_PrintRule.cpp (_printDstService): added support
for the TagService service object (using --mark)
2006-02-09 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (DiscoveryDruid): improvements in the
implementation of the address and name validity for snmp crawler
seed host and dns server for dns zone import. Implemented support
for IP aliases in snmp crawler
2006-02-05 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (save): saving/restoring parameters of the
DiscoveryDruid between sessions
2006-01-27 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): proper implementation of
long/short name generation for dns zone import; proper checks for
correctness of the seed host address for snmp crawler; showing
number of interfaces in discovered hosts on the results page
2006-01-21 vadim <vadim@vk.crocodile.org>
* gui.pro (IMAGES): grand icons clean-up and update. Removed old
unused icons and images, added new icon theme by Irina Filvarova
2006-01-20 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): working version of
discovey druid. Got rid of all calls to setModal, hence
workarounds defined in qt_workarounds.h are not needed anymore
2006-01-16 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (stripObjects): minor formatting cleanup in
DiscoveryDruid; fixed typos in DiscoveryDruid ('wasCanceled' ->
'wasCancelled'); refactored #includes to improve compilation speed
in DiscoveryDruid
* DiscoveryDruid.cpp: had to move '#include "DiscoveryDruid.h"'
below all qt #include's to make code compile on windows. When this
#include was above qt includes, compiler would stop with an error:
------------------------------------------------------------
C:\Qt\3.3.1\include\qlistbox.h(139) : warning C4003: not enough actual parameter
s for macro 'index'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2059: syntax error : ')'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2143: syntax error : missing ')' be
fore ';'
------------------------------------------------------------
I haven't figured out where does 'index' macro come from
* discoverydruid_q.ui.h: added workarounds for missing
QDialog::setModal in QT 3.1
* FWWindow.cpp (doCompile): since we now package platform and os
resource files with externally packaged compilers, we do not need
to use "-r" flag while calling compilers anymore
2006-01-10 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (startHostsScan): implemented object import
from a file in "/etc/hosts" format. This includes druid page where
user selects objects from the list, a page where they can assign
object type for each record and a page where they chose a library
new objects should be part of
2006-01-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (_printAction): support for
action Pipe in ipfw. This action can be implemented using
"divert", "pipe" or "queue" rule actions in ipfw; the method is
chosen using rule action parameters dialog in the GUI.
* ActionsDialog.cpp (setRule): support for action Pipe for ipfw in
the GUI.
* PolicyCompiler_pf_writers.cpp (_printAction): added support for
Tag action for PF
2006-01-03 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): implemented checks for the situation when
compiler produces an empty script. In such cases we avoid printing
any header or commit commands (such as '*mangle' and 'COMMIT'
if iptables-restore format is used)
* PolicyCompiler_ipt.cpp (processNext): implemented support for
QUEUE target in compiler for iptables. Commands with this target
are generated for fwbuilder rules with action "Pipe"
* MangleTableCompiler_ipt.h: Implemented support for MARK target
for iptables. Iptables commands with target MARK are generated for
fwbuilder rules using action "Tag". Rules are placed in
INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures
that DNAT happens before rules placed in the mangle table see the
packet. PREROUTING chain in mangle table is executed before
PREROUTING chain in the nat table, so placing tagging rules in the
PREROUTING chain would make them fire before DNAT. POSTROUTING
chain of the mangle table, as well as its FORWARD and OUTPUT
chains, work before corresponding chains of the nat table. In all
cases the goal is to make sure DNAT rules process the packet
before, and SNAT rules process it after filtering and tagging
rules.
* AddressTableDialog.cpp (preview): AddressTable dialog "preview"
function looks for the table file in the same directory as
currently opened data file if file name is entered as relative
path
2005-12-16 ilya <yalovoy@gmail.com>
* FWObjectPropertiesFactory.cpp : For objects of type 'interface'
a path to library is included in "detailed properties".
* FWWindow.cpp : Added new menu "/tools/Discovery Druid"
* DiscoveryDruid.cpp : Created basic gui for Discovery druid
2005-12-16 ilya <yalovoy@gmail.com>
* SimpleTextView.cpp: new custom text viewer.
* AddressTableDialog.cpp: file preview uses SimpleTextView.
* newfirewalldialog_q.ui: Dialog size fixed (now all internal
widgets are visible)
* fwbedit.cpp : fixed run with unknown options. Added a new option:
-u - interactive file upgrade
2005-12-14 ilya <yalovoy@gmail.com>
* Added detailed tooltips for rule options for all fw platforms
* Redrawing policy view if user changes firewall version; this
ensures that icon that indicates non-default rule options is
correctly updated in case different versions of the same fw
platform support different combinations of rule options.
* Redesigned page of the new host dialog where user adds
interfaces manually. Before buttons "add","Update","remove" were
hidden because dialog was too small.
2005-12-13 vadim <vadim@vk.crocodile.org>
* po.pro: Added Swedish translation made by Daniel Nylander
<yeager@lidkoping.net>
2005-12-13 ilya <yalovoy@gmail.com>
* RuleSetView.cpp (maybeTip): added tooltips for rule elements
Action and Options
2005-12-02 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext): Run-time AddressTable objects
are not supported in ipfilter; added a placeholder for
corresponding rule processors, aborting compilation when such
object is detected in a rule
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1361564: "Prolog script env settings unavailable". Need to define
env variables IPTABLES, LSMOD etc before prolog.
(OSConfigurator_linux24::printChecksForRunTimeAddressTables):
compiler for iptables inserts shell code to ensure that data files
used in run-time AddressTable objects are present before firewall
policy is activated.
* PolicyCompiler_PrintRule.cpp (processNext): implemented run-time
mode for AddressTable object in compiler for iptables. Current
implementation *dos not* emulate dynamic table reloads as can be
done for PF using "pfctl -t table -Treplace" command. The whole
policy script must be run again if data file AddressTable object
refers to changes. Current implementation does not allow comments
in the data file
2005-12-01 ilya <yalovoy@gmail.com>
* version 2.1.4
* new object type TagService
Actions 'Mark' and 'Queue' renamed as 'Tag' and 'Pipe'
respectively.
* fwbedit.cpp: fixing of absent 'TagServices' group added.
* ActionsDialog.cpp: new actions control dialog
* RuleSetView.cpp: changed actions context menu to use new
parameters dialog (support of actions with parameters).
2005-11-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processNext): added support for run-time
AddressTable objects for PF.
* PolicyCompiler_pf (PrintRule::_printAddr)
* TableFactory.cpp (TableFactory::PrintTables): support for DNSName
run-time mode in compiler for pf, ipfw and ipf
* PolicyCompiler_PrintRule.cpp (_printAddr): support for DNSName
run-time mode in compiler for iptables
2005-11-23 Vadim <vadim@vk.crocodile.org>
* AddressTable object dialog
2005-11-22 vadim <vadim@vk.crocodile.org>
* TableFactory.cpp (createTablesForRE): class TableFactory reuses
existing tables separately for NAT and policy rules. Reuse of
tables created for NAT in the policy rules is difficult because
tables themselves are created in the temporary copy of the tree in
the NAT compiler (the same applies to the objects - members of the
tables)
2005-11-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printAddr): Improvement in the
compiler for PF: using '!' syntax for one-object negations
* NATCompiler_pf.cpp (CeateTables): Improvement in the compiler
for PF: Using tables for NAT rules
* TableFactory.cpp (createTablesForRE): using the same class to
generate tables for both policy and NAT rules for pf. Table names
are composed using rule positions so that table names do not
change between compiler runs (they used to change because they
were created using rule IDs, which changed because compiler
generated lots of copies of rules)
2005-11-14 Vadim <vadim@tourist.vk.crocodile.org>
* version 2.1.3
new object type DNSName
using this method in Compiler::prolog to resolve DNSName objects
that are supposed to be resolved at compile-time
Redesigned RuleOptionsDialog to make room for new options
Added actions MARK and QUEUE with basic support in API and GUI
Added new object type AddressTable
2005-11-05 vadim <vadim@tower.vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): fixed bug #1349326
"ulogd option does not work". There was a typo in the class
iptAdvancedDialog ( useULOG instead of use_ULOG )
*** Ported from 2.0.10 ***
2005-11-01 vadim <vadim@tower.local>
* NATCompiler_ipt.cpp (processNext): fixed bug #1342495: "SNAT
with address range". Compiler used to print warning "Adding
virtual addresses for NAT is not supported for address range" even
if adding virtual addresses for NAT was turned off.
*** Ported from 2.0.10 ***
2005-10-26 vadim <vadim@tower.local>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1313420:
"OUTPUT chain is built wrong under certain conditions." Rules
that have firewall in SRC and DST, while DST has negation, should
be split so that the second generated rule goes into OUTPUT chain
rather than FORWARD
*** Ported from 2.0.10 ***
2005-10-24 vadim <vadim@tower.local>
* FirewallDialog.cpp (openFWDialog): fixed bug #1315892:
"fwbuilder crashes on missing OS template" The GUI crashed if user
added new hostOS or firewall platform template under resources/os
or resources/platforms, then reinstalled the package (and
therefore lost their custom template files), then tried to open
firewall or host OS settings dialog for the object using new
template.
*** Ported from 2.0.10 ***
* RuleOptionsDialog.cpp (loadFWObject): fixed bug #1305933:
"fwbuilder/Solaris: compilation errors". Another case of implicit
type conversion QString->string which does not compile on systems
with QT built w/o STL support.
*** Ported from 2.0.10 ***
* main.cpp: fixed bug #1304878: fwbuilder: signal.h
required (Solaris). Using 'AC_CHECK_HEADERS([signal.h])' in
configure.in to check for the appropriate #include.
*** Ported from 2.0.10 ***
* configure.in: fixed bug #1304764: "configure script: Sun make
check fails". Need to use ${MAKE-make} instead of $ac_make when
checking for GNU make.
*** Ported from 2.0.10 ***
* fixed bug #1304785: "fwbuilder - Solaris has no libutil". Using
better way to check whether we need to link with libutil.
*** Ported from 2.0.10 ***
2005-10-22 vadim <vadim@vk.crocodile.org>
* VERSION: set version to 2.0.10 in branch fwb2-2.0-maint
2005-09-29 Vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
new rule processor: checks if the rule is associated with an
interface and uses setInterfaceId to record its id. If the rule is
associated with multiple interfaces, splits the rule
accordingly. Unlike basic processor
PolicyCompiler::InterfacePolicyrules, this processor tries to
optimize rules applied to multiple interfaces using user-defined
chain
***** Policy compilers support multiple interfaces and negation in
"Interface" rule element
2005-09-28 Vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): merged interface policies with
global policy. Keeping most of the code that implements interface
policy tabs just in case.
* set version to 2.1.2
2005-09-26 Vadim <vadim@vk.crocodile.org>
* RoutingRuleOptionsDialog.cpp (loadFWObject): Added support for
routing rules. Using "fwbuilder-routing" patch provided by Tidei
Maurizio <fwbuilder-routing at compal.de>
* set version to 2.1.1
* ObjectManipulator.cpp (createObject),(newDNSName),
newHostDialog.cpp (accept): added checks for broken object tree
2005-09-20 <vadim@vk.crocodile.org>
* DNSNameDialog.cpp (loadFWObject): new object type: DNSName
(Illiya)
2005-09-17 <vadim@vk.crocodile.org>
* 2.0.9 release in branch fwb2-2.0-maint
2005-09-12 <vadim@vk.crocodile.org>
* fwsm.xml.in: Added support for Cisco FWSM (platform and host OS)
* pixAdvancedDialog.cpp (pixAdvancedDialog): Added support for
manual ACL commit in FWSM
2005-09-11 <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX): enable_prompt should include string "Access
Rules Download Complete" which is _sometimes_ printed by FWSM when
in auto-commit mode.
2005-09-07 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (lockObject): Added ability to lock/unlock
individual objects in the tree (Illiya)
* GroupObjectDialog.cpp (listViewSelectionChanged): Illiya
implemented Feature Req #1151208: "Allow multiple objects select
to make an action (Group)"
2005-09-07 <vadim@vk.crocodile.org>
* SSHSession.cpp (cmpPrompt): overloaded method
SSHSession::cmpPrompt to be able to specify prompt as a regular
expression. This variant is very convenient for PIX prompts.
2005-09-05 <vadim@vk.crocodile.org>
* fixed bug #1254775: "RCS checkin fails on Windows when data file
is too big". RCS tools failed to check the file in if it consisted
of one huge line of text. This fix makes th GUI save data file
(.fwb) in formatted form on Windows, just like on Linux. This
means each XML element is saved on separate line instead of all of
them being on the same line.
2005-09-04 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): fixed bug #1276083:
"Destination NAT rules". Old restriction on "rdr" rules that
required service in OSrv is not valid anymore, pf supports rdr
rules with no protocol specification. (ported from 2.0.9)
2005-09-04 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): properly handling situation when user
hits Cancel in check-in log dialog (should abort File/Commit
operation entirely)
* main.cpp (main): added a workaround to make the GUI work in
Spanish locale (QT 3.3.4 ships with broken qt_es.qm file at least
on Fedora-C4 and Mac OS X)
2005-08-31 <vadim@vk.crocodile.org>
* SSHUnx.cpp (stateMachine): fixed bug #1277129: "script is
truncated when installed by the GUI running on Mac". Large script
was getting truncated while copied to the firewall if GUI was
running on Mac OS X (bugfix ported from 2.0.9)
2005-08-17 <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): Finished implementation of RFE #1211612
"fwbedit - add object?". Using "-p","-L","n" and "-o" command line
switches to specify parent, library, name and attributes of an
object
2005-08-04 <vadim@vk.crocodile.org>
* fwbedit.cpp (main): Illiya is working on RFE #1211612: "fwbedit
- add object?" and #1114501: "Data file repair". Fwbedit can now
add objects as well as repair tree structure. Still needs some
more work.
2005-07-31 <vadim@vk.crocodile.org>
* LINGUAS: Added Spanish translation, thanks to Carlos Lozano
<clozano@andago.com>
2005-07-30 <vadim@vk.crocodile.org>
* Started v2.1.0
2005-07-30 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): Illya implemented Feature Request
#1187461 "Add "commit" menu item". This menu item commits opened
data file to RCS but keeps it opened so the user can continue
editing.
2005-07-29 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (addObjectsToTable): Illiya implemented
Feature Request #1225393 "FeatureRequest Print comments on
objects"
2005-07-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragMoveEvent): Illiya fixed bug #1226069:
"Segfault: Drag&Drop between two instances"
2005-07-21 <vadim@vk.crocodile.org>
* platforms.cpp (getLogFacilities): Illiya moved definitions of
log levels, log facilities and actions on reject to module
platforms.cpp. Methods getLogLevel, getLogFacilities and
getActionsOnReject return string lists suitable for using with
DialogData to provide mapping between localized and english
strings so that the user sees translated ones but enlish ones are
written into FWOptions object and used by compilers. This fixes
bugs #1240205: "Iilegal --log-level Information" and #1233165:
"Illegal Logging-Limit string.".
2005-07-08 <vadim@vk.crocodile.org>
v2.0.8 released
2005-07-05 <vadim@vk.crocodile.org>
* SSHSession.cpp (allDataSent): calling allDataSent from heartBeat
slot method because on windows signal 'wroteToStdin' is emitted
before I had a chance to connect it to a slot in
SSHUnx::stateMachine in state PUSHING_CONFIG after entire file has
been transmitted. I used to send an extra '\n' to force signal
'wroteToStdin', but that made the file to be sligltly different on
the receiving end and I do not like that.
* RuleSetView.cpp (dragMoveEvent): not really a change: bug
1226069 "Segfault: Drag&Drop between two instances" requires
redesign of the drag&drop mechanism so that live pointer to
FWObject is not passed between sender and receiver.
2005-07-04 <vadim@vk.crocodile.org>
* SSHSession.cpp (startSession): fixed bug #1232478: "FWB shuts
down on incorrect password". Bug was intorduced in build 624 while
working on installer stalls and undescriptive ssh termination
error when OpenSSH 4.0 was used.
2005-07-02 Vadim Kurland <vadim@vk.crocodile.org>
* main.cpp (main): ignore SIGHUP in the child process in ssh
wrapper. Closing stdin at the end of the file copy sends SIGHUP to
the child. By some reason, this caused ssh to terminate with error
message "killed by signal 1" and return code 255 on Fedora C4
which uses OpenSSH v4.0p1
2005-07-02 <vadim@vk.crocodile.org>
* main.cpp (tty_raw): switched from TCSAFLUSH to TCSANOW in call
to tcsetattr when we switch tty to raw mode in ssh wrapper
code. This should fix mysterious stalls in the installer that were
introduced when I worked on the wrapper code to fix bug #1213361
(problems with file copies on FreeBSD 5.4)
* instDialog.cpp (initiateCopy): added missing "-v" option to ssh
call used to copy policy script to the firewall if "verbose"
checkbox is checked. This should help troubleshoot problems with
installer when ssh fails and terminates with an error.
2005-06-25 <vadim@vk.crocodile.org>
* configure.in: need to call macro AC_PROG_MAKE_SET before
using $ac_make to check for GNU make
* configure.in: added check for cfmakeraw (which is absent on Solaris)
* configure.in: make script continue if forkpty is not found,
the program will use emulation.
2005-06-13 <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
sorting list of objects for tooltips. Sorting is done by object
name, alphabetically. TODO: use locale-aware sort and ignore
case of the letters.
2005-06-12 <vadim@vk.crocodile.org>
* main.cpp (main): need to switch the pipe and stdin in the child
process to raw mode in order to ensure proper communication when
fwbuilder works in ssh wrapper mode. This (really) fixes bug
#1213361
* configure.in: Added path to QT where it is installed on 64-bit
systems to the list configure tries while searching for QT
2005-06-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1215279: "rate
limiting rule logs everything". Rule utlilizing "limit" module to
rate limit packets with logging logged every packet and dropped
those that exceeded the limit. The fix makes it apply the limit
first and then log only packets that were dropped.
* main.cpp (forkpty): fixed bug #1072842: "fwbuilder: Solaris and
forkpty". We need forkpty fr built-in installer but this function
is not awailable on Solaris. I am adding re-implementation, but it
hasn't been tested since I do not have Solaris machine.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
fixed bug #1212179: "tool tips for TCP services cuts off some
services". The gui would show very long tooltip for large groups;
if the group was too large, the tooltip did not fit on the screen.
* main.cpp (main): fixed bug #1213361: "PF on FreeBSD-5.4R". Bug
description is misleading, the probem was caused by built-in
installer rather than by compiler for PF. Installer would not copy
generated script over ssh if the script was longer than some
threshold and the gui was running on FreeBSD.
2005-06-05 <vadim@vk.crocodile.org>
* linux24.xml.in: fixed bug #1212121: "sudo shutdown doesn't
work". Installer needs to schedule reboot when the user activates
policy in a test mode. There was a bug in the installer script
that improperly used sudo to run shutdown when installation was
performed using regular user account.
* linux24.xml.in: fixed bug #1212123: "executing file below /tmp
as root". Avoiding world-writable directory /tmp/ while activating
policy in the test mode. This change makes installer use
subdirectory "tmp" under directory specified in the "intaller" tab
of firewall settings dialog. That directory is expected to have
proper permissions; subdirectory "tmp" can be created manually,
otherwise installer creates it. Either way, it is not
world-writable, therefore unauthorized users can not create
scripts in it.
* freebsd.xml.in: Using pkill to find running shutdown process and
kill it to cancel pending reboot. Pkill simplifies the scriptlet
so we don't need to deal with output redirection etc. Pkill is
available on FreeBSD, Linux, OpenBSD and Solaris.
* linux24.xml.in: another fix for a bug #1201406: "shutdown
messages should be suppressed". Scriptlet has been modified to
make sure it works in both sh and csh (user who installs the
policy may have tcsh as their login shell, root may use tcsh too)
2005-05-30 <vadim@vk.crocodile.org>
* src/res/os/*.xml.in: fixed bug #1201406: "shutdown messages
should be suppressed". Installation scriptlet tries to kill
shutdown process, if there is one, to cancel pending shutdown that
might have been left over from test install. If there is none, the
script prints an error message "shutdown process not found" or
similar, which confuses user. Needed to suppress these error
messages.
* fixed bug #1155351: "Remote install of FW rulset fails due to
race condition". Generated ipfw firewall script could not be ran
reliably over ssh session because "ipfw -f" flushes all rules and
all state, which breaks ssh session. As soon as the script needed
to print anything, it got I/O error from the system because TCP
session for ssh was blocked; this stopped the script and did not
let it activate new firewall policy.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvemet in the
compiler for ipfw: added "established" rule on top of the regular
backup ssh access rule; this allows to maintain management ssh
session after the policy is reloaded. both "ipfw -f" and swapping
sets flushes all states, so the ssh session used to upload and
activate new policy breaks. A rule with "established" keyword
maintains this session.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvement in
the compiler for ipfw: using rule sets to atomically swap old and
new rules. New rules are loaded in the set 1 and then swapped into
set 0. If there is an error in a new rule set, it is caught while
loading rules into inactive set 1, at which point script stops
without changing old firewall rules.
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): implemented
support for subnets for backup ssh access for pf,ipf,ipfw. Subnet
can be defined using either full netmask or bitlength: both
"192.168.1.0/255.255.255.0" and "192.168.1.0/24" are
acceptable. Single host address works too, both as "192.168.1.10"
and as "192.168.1.10/255.255.255.255" or
"192.168.1.10/32". Incorrect address or netmask cause compiler to
abort processing.
2005-05-28 <vadim@vk.crocodile.org>
* GroupDialog: fixed bug #1207983: "incorrect size of "I" and "L"
buttons in the group view dialog". Tested with large font and
cleaned up layout in many dialogs.
* HostDialog.cpp (loadFWObject): removed 'snmp community' option
from the Host object dialog - it was not used anywhere
* ipt.cpp (main): fixed bug #1205665: "Error with summer time when
compiling script". Sometimes timezone name has "'" in it which
confuses shell and causes an error when generated script prints
"Activating firewall policy..." log message
* RCS.cpp (RCSEnvFix): fixed bug #1204067: "incorrect timezone
handling in RCS". Windows version of RCS incorrectly converts
check-in time when time zone is east of GMT. Had to use "-z"
option on all RCS commands to explicitly set offset; "-zLT"
produces wrong results in rlog.
* fwb_compile_all (LIB): fixed bug #1200902: "fwb_compile_all does
not work in 2.0". Script fwb_compile_all broke because of changes
in data file format
* PolicyCompiler_PrintRule.cpp (_printTimeInterval): fixed bug
#191423: "Weekend Time restriction not created correctly". Rules
with time restriction spanning from Saturday to Sunday were
generated with incorrect "--day" option
* objects_init.xml.in: fixed bug #210518: 'Incorrect ending day in
the standard object "weekends"'. This object defined time interval
ending at 23:59 on Monday instead of Sunday
* implemented Feature Request #1145666: "Print RCS
Log". File/Properties dialog can now print RCS log. Thanks to
"Ilya V. Yalovoy" <yalovoy@pilot.aip.mk.ua> for the patch.
2005-05-23 <vadim@vk.crocodile.org>
* added updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2005-05-20 <vadim@vk.crocodile.org>
* set version to 2.0.8
2005-05-08 <vadim@vk.crocodile.org>
* v2.0.7 released
2005-05-04 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1195201: "getaddr function return error ip address". Yet another
change in the way we use grep to find IP addresses of an interface
on Linux. We can't use regex (bug #1123748) and need to filter out
secondary addresses from the "ip addr show" output. It looks like
"grep -v :" neatly solves the problem without using regex.
2005-05-02 <vadim@vk.crocodile.org>
* snmp.cpp: API change: Compiled all OIDs. The program may run on
a system where MIBs are not installed, so we can not always use
symbolic OID names Also using snmp_out_toggle_options to turn
numeric output in all responses (equivalent to -On in snmp tools)
2005-05-01 <vadim@vk.crocodile.org>
* snmp.cpp (walk): API changes: verbose error message, printing
response->errstat code as well as corresponding error string; this
should help debug snmp -related problems better
* snmp.cpp (walk): API changes: using snmp_error to print last
snmp error string
2005-04-27 <vadim@vk.crocodile.org>
* implemented support for SNMP operations in Windows packages
* qmake.inc files overhaul
2005-04-26 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (getInterfacesViaSNMP): switched to using
QT class DNS to get host/firewall name in new HostDialog and
newFirewallDialog classes. This seems to work better on Windows.
Also added more locks to prevent reentering getInterfacesViaSNMP
if user clicks the button multiple times in quick succession
2005-04-23 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): fixed bug #1187248: using "find"
for an address "192.168.10*" several times after a firewall
objects has been created using templates caused GUI to crash
2005-04-17 <vadim@vk.crocodile.org>
* findDialog.cpp (matchAttr): implemented feature request
#1151206: "Search for IP Addresses". "Find" dialog searches for
objects by a combination of name and one of the following
attributes: address, tcp/udp port, ip protocol number or icmp
message type. Regular expressions can be used for both name and
attribute.
* ObjectTreeView.cpp (getSimplifiedSelection): fixed bug #1151212:
"Collapsed sub-objects shouldn't be added if they are
hidden". When user selects multiple objects in the tree some of
which have child objects, those child objects used to be also
selected and added to groups in addition to their parent
objects via drag-and-drop operation.
* GroupObjectDialog.cpp (pasteObj): fixed bug #1184791: "can not
copy/paste multiple objects into a group"
* FWWindow.cpp (doCompile): implemented feature req. #1151220:
"Close" button should change is caption/title to "Install". When
user clicks "Install" toolbar button or main menu item, the
"Close" button in the pop-up window that displays compiler
progress changes its text caption to "Install"
2005-04-13 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): fixed bug
#1181359: "Missing traling space in "INVALID state" syslog
message"
2005-04-10 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Improvement in built-in installer:
user can specify additional command line parameters for ssh that
built-in installer runs to access firewall. This allows for
alternative ssh port or alternative ssh identity to be used when
accessing firewall. Parameters can be added in the "Installer" tab
of firewall settings dialog for all platforms.
2005-04-09 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1179103: 'compiled rules can not be
install'. Generated iptables script could not be used on systems
with non-English locale where timezone name used local characters
because these characters were printed as hex ( "&#21488;" ) and
'&' caused problems with shell. Now using single quotes to make
shell ignore any characters in the string. Will deal with proper
printing of localazed timezone later.
2005-04-07 <vadim@vk.crocodile.org>
* OSConfigurator_freebsd.cpp (printPathForAllTools): function
getaddr() falls back to 0.0.0.0/32 if dynamic interface has not
been assigned an address yet or is down. Ipfilter policy using
run-time substitution of dynamic interface addresses will be
functional even if these interfaces are down or do not have IP
address.
2005-04-05 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_flushAndSetDefaultPolicy): fixed
bug #1176890: "block IPv6". Generated iptables script sets default
policies to DROP in all ipv6 filter chains. More detailed control
can be implemented using prolog or epilog scripts.
2005-04-03 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (separateSrcPort): fixed bug #1176051:
"incorrect rule generated for TCP service ftp-data". If a rule
used several TCP or UDP service objects and one of them has source
port range configured, generated PF filter rule incorrectly
matched on a combiantion of that source port range _and_
destination port ranges from all other service objects. This bug
affected compilers for OpenBSD PF and ipfilter
2005-03-31 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): fixed bug #1155163: "print does
not print group contents". The program printed only number of
objects contaned in object or service groups. Now it prints lists
of member objects for all groups used in rules. If groups contain
other groups, they are printed recursively.
2005-03-30 <vadim@vk.crocodile.org>
* objects_init.xml.in: fixed bug #1172620: "Add tcp service object
for icslap". Added this object to the objects library "Standard".
* FWWindow.cpp (info): fixed bug #1151243: "Maintain format of
description text". The GUI ignored text formatting in object
comment when displayed it in the info panel (lower left corner of
the main windows)
* FWOptions.cpp (toXML): API change: fixed bug #1173801: '"&"
character in prolog/epilog'. Needed to call xmlEncodeSpecialChars
to encode special characters in firewall options
2005-03-29 <vadim@vk.crocodile.org>
* ipf.cpp (printActivationCommandWithSubstitution): fixed bug
#1173064: "support for dynamic interfaces in ipfilter". Actual
address of dynamic interface is now determined at run-time in the
policy activation script <firewall_name>.fw generated by
fwbuilder. If dynamic interface is used somewhere in the policy or
nat rules, it will be replaced with its actual address by
activation script before configuration is sent to ipf or ipnat for
activation. This run-time substitution is done only if a checkbox
is checked in the "Script options" tab of firewall settings
dialog. Default behavior is to use "any". This is because ipfilter
configuration files <firewall>-ipf.conf and <firewall>-nat.conf
that rely on run-time substitution of dynamic interface address
can not be loaded using standard activation scripts that come with
FreeBSD.
This also fixes another problem in fwb_ipf where it generated rdr
and nat commands with address 0.0.0.0/32 if dynamic interface was
used in a NAT rule.
2005-03-28 vadim <vadim@tourist2.local>
* PolicyCompiler_PrintRule.cpp (_printMultiport): fixed bug
#1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31
ports were used in a single rule, compiler generated command with
conflicting options "-m multiport --dport"
* NATCompiler_ipf.cpp (processNext): fixed bug #1173067: "support
for port ranges in NAT rules (ipfilter)" - policy compiler for
ipfilter should split DNAT rules (rdr) that use TCP or UDP objects
with port ranges. A warning is issued if more than 20 rules are
created.
2005-03-20 <vadim@vk.crocodile.org>
* utils.cpp (getFileDir): fixed bug #1157976: "patches to make
fwbuilder compile under NetBSD 1.6". Applied patches.
* newHostDialog.cpp (newHostDialog): fixed bug #1151219: "New Host
creation window is not well dimensioned". Fixed wrong dialog page
layout in the new host wizard.
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748: "busybox grep -E". Busybox in floppyfw is compiled
without support for egrep (or grep -E). Switched to using "plain"
grep.
* InterfaceDialog.cpp (loadFWObject): fixed bug #1151052: "Not
external interfaces marked as external". Dialog for an interface
object that belongs to a host should not show checkbox "external
(insecure) interface"
* Tools.cpp: API change: fixed bug #1158870: "mutexes are not
properly created on FreeBSD". Mutexes gethostbyname_mutex and
gethostbyaddr_mutex were never created but used on OS where
thread-safe resolver is not available.
2005-02-17 <vadim@vk.crocodile.org>
* v2.0.6 released
2005-02-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr
binary not found". As it turns out, /usr/bin/ is not in PATH
during boot time on Slackware. I added /usr/bin/ to PATH variable
in generated iptables script.
2005-02-16 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748 "busybox grep -E". Busybox does not support option "-E"
with grep, however it has "egrep".
2005-02-12 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): proper localization in the
installer where it displays progress of the installation operation
2005-02-11 <vadim@vk.crocodile.org>
* main.cpp (main): Troubleshooting weird case of data file
corruption during install
* RCS.cpp (RCS): fixed bug #1120904: "GUI hangs when accessing RCS
file". Improved parsing of rlog output.
2005-02-09 <vadim@vk.crocodile.org>
* utils.cpp (getUserName): working on bug #1118717: "fwbuilder 206
on Windows XP SP2: error checking out". Env variable USERNAME was
not set in user's profile, which triggered this bug. Now using
getuid to get user name on Unix and GetUserName on Windows. This
should make the program more resilient for situations when
environment variable LOGNAME or USERNAME is not set
2005-02-08 <vadim@vk.crocodile.org>
* ipt.cpp (main): Using getuid to read real user's ID on Unix
2005-02-07 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Fix for support request #1118039:
"Error when Windows client calls plink -ssh". The problem is that
putty ignores protocol and port specified in the session file if
command line option -ssh is given. On the other hand, the sign of
session usage is an empty user name, so we can check for that. If
user name is empty, then putty will use current Windows account
name to log in to the firewall and this is unlikely to work
anyway. This seems to be a decent workaround.
* printerStream.cpp (printQTable): further bugfixes in printing,
in particular fixed a problem with partially greyed-out horizontal
and vertical headers when ruleset was small enough to fit on the
first page.
2005-02-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (selectionChanged): fixed bug #1030538:
"incorrect highlighting when selecting multiple rules". This bug
seems to be specific to Mac OS X
* printerStream.cpp (printQTable): improvements in printing:
- if a rule set does not fit on a single page, the program
repeats table header on each page ("Source","Destination","Service" etc)
- the program does not draw the whole rule set in memory
anymore. Instead, it "scrolls" the table and only draws section
that fits on a single page. This means we can now print really
huge policies that can not be drawn as a whole because they
exceed maximum coordinate value. Tested with a rule set that
consists of 1200 rules which has size of 677x34884 pixels on my
machine.
2005-02-03 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): working on bug #1115412: "Problem
installer FWbuilder 2.0.5 for Windows". Switched to command line
option "-l" to specify user name for external ssh in
installer. This was necessary because Van Dyke SecureCRT on
Windows does not support user@host syntax.
* instDialog.cpp: Installer verbose and quiet modes work as follows:
- if quiet is off, verbose is off: prints everything that
firewall script prints on stdout and stderr; does not add "-v"
to calls to external ssh utilities
- if quiet is off, verbose is on: adds "-v" to ssh command line
- if quiet is on - supresses script output but still prints short
messages to indicate when it copies files to the firewall and when
it executes them
2005-02-01 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (delObj): slightly changed logic with user
warnings in the object removal code. The program asks the user for
confirmation if they remove an ordinary object from a regular
library. Confirmation is not asked if object is removed from
"Deleted objects" library or when a library is being deleted (in
this case we ask a different quastion later anyway). This helps
avoid double warning when a library is deleted.
2005-01-31 <vadim@vk.crocodile.org>
* POmakefile.in (POTFILES): Added module FWWindowPrint.cpp to the
list of files processed for localization
* FWWindowPrint.cpp (filePrint): Added small margin inside table
cells in Legend and Object tables in the printout.
2005-01-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1112470:
"Problem with FW part of ANY in Bridged mode". If fw is
considered part of any, we should place rule in INPUT/OUTPUT
chains even if it is a bridging fw since fw itself may send or
receive packets.
* PolicyCompiler_ipt.cpp (accounting): implemented feature
req. #1112980: "Need unique names for accounting rules". User can
now specify a unique name for rules with action 'Accounting'; this
name will be converted to a chain name. This simplifies accounting
since chain name for such rule won't change if the user adds or
removes rules above or below.
* PolicyCompiler_ipt.cpp (accounting): fixed bug #1112976:
"Accounting rule with logging produces looped iptables command"
* FWWindowPrint.cpp (beginPage): implemented Feature
Req. #1112778: "include date and time on printouts". Added date
and time to the header on each printed page.
* RuleSetView.cpp (paintCell): fixed bug #1112776: "some items
touching seperator lines on printouts". Rule elements "Action",
"Direction", "Options" and "Comment" were placed right at the top
of the table cell which led to their clipping when rule set was
printed on Mac OS X. Need more testing.
* FWWindowPrint.cpp (filePrint): fixed bug #1112764: "some Objects
are partially obscured in printout". Parts of the "Objects" table
were clipped. Need to test some more.
2005-01-29 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug #1112264: "Load last edited
file" setting doesn't work. This was broken only on Mac OS X.
* FWObjectDatabase.cpp (merge): API change: fixed bug #1105167:
"Crash when importing a library that has been deleted".
2005-01-27 <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): not quite fixed bug
#1105755 "Custom Service objects not working for PF
compiler". User tried to generate a nat rule like this using
CustomService object:
nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22
Taken from the bug report:
it turned out, I can not fix this. You are trying to use Custom
Service object to insert protocol list into a "nat"
rule. Normally, a service object such as TCP or UDP service
generates two components for any rule where it is used: a protocol
specification and port specification
(type/ code spec for ICMP). PF is sensitive to the order of
parameters in the rule, in particular, protocol must be defined
after interface but before src/dst addresses in the rule, while
port numbers go after addresses. Compiler easily retrieves this
information from IP, TCP, UDP and ICMP services and places it in a
proper slots in the rule it generates. CustomService does not
have a notion of protocol and parameters for it, so compiler puts
a string that is configured in the CustomService in the place
reserved for port numbers. This means you can not use
CustomService to specify protocols.
There still was a bug in fwb_pf where it would print
"custom_service" in place of protocol. This is fixed in 2.0.6
build 542. Protocols can not be inserted with Custom Service
though.
Feature request #1111267 "CustomService should specify protocol
and parameters for it" has been opened
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1102629: "lost
chain in accounting rules". Rules with multiple objects in one of
the rule elements and action 'Accounting' generated code that
ignored objects in that rule element
* ObjectManipulator.cpp (newPhysicalAddress): fixed bug #1111244
"GUI allows to add more than one MAC address to an
interface". There can only be one MAC address for each interface.
* FWWindowPrint.cpp (printQTable): While printing rule sets, the
program makes sure rule set tables are broken on the rule
boundaries while switching to a new page.
* Added "Page setup" dialog to set parameters such as printing
header, printing of a legend and object lists etc.
* fixed bug #1109174: "Cannot print rule base" - implemented
printing
2005-01-25 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): fixed bug #1109631: "can not copy
firewall script to /etc on Linksys". Added an option ot all OS
resource files that determines whether user is allowed to change
installation directory on the firewall. Currently it is allowed on
all supported OS except Linksys/Sveasoft because there /etc/
resides on read-only filesystem
2005-01-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1101910: "Samba
problem with Bridged Firewall". Need to split rule to take care of
broadcasts forwarded by the bridge and broadcasts that are
accepted by the firewall itself. Need to do this only if the rule
is not associated with any bridging interface.
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1106701: 'backup ssh access' and statefulness
interation. Need to add rules matching states ESTABLISHED and
RELATED for the backup ssh access to make sure it works even if
global rule matching these states is disabled.
* configure.in: fixed bug #1107838: "bug in configure script in
fwbuilder 2.0.6". Need to specify path "./" when calling
runqmake.sh
* FWWindowPrint.cpp (filePrint): printing legend and a list of
objects at the bottom of a printed document.
* Compiler_ops.cpp (operator==): API change: fixed bug #1108861:
"two rules using MAC address matching shadow each other". Need to
check for MAC addresses while processing rules for shadowing.
2005-01-21 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): Implemented printing of firewall
rule sets. Using standard QT class QPrinter; can print to a system
printers or to a file (PostScript), both in black and white or a
color where available. Prints policies of the currently opened
firewall. The program can calculate total number of pages and
offer the user a choice in the Print dialog only if QT v3.2 and
later is used. Each printed page has a header with the file name,
RCS revision and a page number. Currently, the header can not be
turned off (will implement in the future).
2005-01-07 <vadim@vk.crocodile.org>
* v2.0.5 released
2005-01-06 <vadim@vk.crocodile.org>
* RCS.cpp (isDiff): writing RCS log in UTF-8, this simplified
localization
2005-01-02 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): working on localization of RCS log entries. Build
516 converts log strings into 8bit string into locale-specific
format on Unix before sending it to ci. Strings returned by rlog
are converted from locale-specific format. No conversion is done
on Windows and Mac OS X.
* objects_init.xml.in: fixed bug (no num) that caused GUI crash
when user created new firewall object using template with three
interfaces.
2004-12-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed bug
#1093620: "path (to ipfw) with spaces fails". Generated script
failed if path to ipfw contained space. I only worked around this
problem for ipfw; paths to sysctl and logger must be standard and
never contain spaces.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1093472: "ipfw
port range(s) errors". There can only be one port range in a
single ipfw rule.
* PolicyCompiler_ipfw_writers.cpp (_printProtocol): fixed bug
#1093461: "problem with 'established' in ipfw". Ipfw requires
protocol to be set to 'tcp' if option 'established' is used in a
rule.
2004-12-29 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): fixed bug #1092810: "Multiline RCS comments are
shown as a single line on windows". As it turned out, this bug
affected all platforms.
* RCS.cpp (ci): an attempt to fix a bug that does not allow to
enter RCS comment using non-english locale.
2004-12-28 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (getInterfaceVarName): fixed bug
#1059393: "function getaddr failed for eth1.0020". Generated
script can now work with interfaces that have a dot in their name
(such as "eth1.0020" - vlan interface)
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1092141: "irritating FORWARD rule for established
connections". Need rule in FORWARD chain only if ip forwarding is
on or set to "no change"
2004-12-22 <vadim@vk.crocodile.org>
* Compiler.cpp (createRuleLabel): API change: fixed bug #1068119:
"additional whitespace for Rule comments in .fw file". Added extra
space between rule number and interface spec in rule comments.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1089866:
"multiple services in one rule confuses ipfw compiler". If several
UDP or TCP objects were used in the same policy rule and these
service objects had source port ranges defined, the compiler would
produce incorrect code by combining source port range
specifications together in the same ipfw command.
* main.cpp (main): Pull-down menu "On startup" in the "General"
tab of the preferences dialog now has three items: "Load standard
objects", "Load last edited file" and "Ask user what to do". The
last item is default.
* PolicyCompiler_PrintRule.cpp (_printProtocol): fixed bug
#1089586: "default --icmp-type value is 0 in iptables <
1.2.9". The problem concerns policy rules using service object
"any ICMP". A rule like this is supposed to match any ICMP
packet. Few versions ago I had to add option "-m icmp" (and "-m
udp", "-m tcp") because I've discovered that iptables-restore on
some systems (linksys sveasoft firmware, iptables v1.2.11) refused
to load rules without it. Now it turns out that iptables v < 1.2.9
(tested on 1.2.6a and 1.2.7a) implicitly adds equivalent of
"--icmp-type 0" to rules with "-p icmp -m icmp" and without
"--icmp-type" option. Since type 0 is actually icmp echo reply, a
rule like this does not match "any ICMP" as it was supposed to
do. Iptables 1.2.9 implicitly adds "--icmp-type 255" which matches
any icmp type. Using "--icmp-type 255" on iptables 1.2.6 and 1.2.7
does not work (a rule does not match icmp packets with type
different from 255). The fix generates "-p icmp -m icmp
--icmp-type any" for iptables 1.2.9 and later, as well as when
iptables version is not specified in the firewall object settings.
It generates just "-p icmp" for versions < 1.2.9.
2004-12-19 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (newInterfaceAddress): GUI change: main
menu item "Object/New Object/Address" and corresponding toolbar
button always creates an Address object under Objects/Addresses
folder in the tree. Address of an interface can be created using
pop-up menu item "Add IP Address"
2004-12-16 <vadim@vk.crocodile.org>
* Bunch of cosmetic bugfixes in the GUI
* PrefsDialog.cpp (setButtonColor): implemented feature request:
colors that are used to color rules can be changed in Preferences
dialog.
2004-12-13 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileOpen): when user clicks menu item "File/Open"
to open a new file, the GUI should save and close currently opened
file only after the user chooses new file. If user clicks Cancel
in the File/Open dialog, operation should be cancelled so the user
can continue working with currently opened file. The same applies
to operation File/New.
2004-12-12 <vadim@vk.crocodile.org>
* po.pro: fixed bug (no num): localization was broken on win32 and
mac os x because translation files were not installed properly.
* ObjectManipulator.cpp (pasteTo): improved behavior of the main
menu "Edit" as well as pop-up menu that appears when user right
mouse clicks on an object in the tree. Menu item "Paste" should
only be enabled if the clipboard is not empty and objects that are
stored in it can be pasted into selected object in the tree.
2004-12-10 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (selectedRevision): fixed bug (localization):
RCS log entries made using non-ascii characters used to appear as
'???' in Open File and File/Properties dialogs.
* ObjectEditor.cpp (validateAndClose): more bugfixes for the
behavior of the object editor dialogs. Dialog should ask if user
wants to save data and then validate it when user clicks on [x] to
close editor dialog. It used to validate the data first, then ask
if they want to close dialog.
2004-12-09 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): when user opens data file in the old format
(fwbuilder v1.1.x, extension .xml) and after autoupgrade the
program discovers that the same file with extension .fwb already
exists, it offers the user a chance to choose different name. If
user clicks "Cancel" at this point, the program cancel operation
and reverts upgraded data file back to its original name and
version.
* listOfLibraries.cpp (add): fixed bug (internal #34) the program
should issue a warning when user tries to add a library file
(.fwl) that contains object library that already exists in the
opened data file.
* ObjectEditor.cpp (validate): Streamlined logic in the object
editor dialog. This improves handling of the situation when user
closes dialog by clicking on [x] while 1) there are unsaved data
and/or 2) some of the object's parameters have illegal values. The
dialog behavior also depends on the setting of the global flag
"Autosave" that causes dialog to automatically save data when user
switches between objects.
2004-12-08 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): numerous fixes for localization
2004-12-05 <vadim@vk.crocodile.org>
* ObjectManipulator.h: numerous bugfixes:
- properly synchronizing state of the items main menu with state
of corresponding items in the pop-up menu that appears when user
right-mouse-clicks on an object in the tree
- fixes for non-localized text strings in dialogs (mostly
"Continue", "Yes"/"No" etc. in many places)
- proper localization of the human-readable version number text
for iptables; also made info window print readable text instead of
"lt_1.2.6"
- cosmetic changes in some dialogs layout to make the look better
when localized text makes strings much longer
- firewall object dialog tab "Templates" has been hidden. It is
unlikely that this feature will be implemented in 2.0.X series.
2004-12-04 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no num): the GUI crashed
when user tried to add a library file for auto-load in
Preferences/Libraries and the first library object in that file
had a name using non-ascii characters
* Bunch of other fixes to avoid '????' in various places for
localized strings
2004-12-04 <vadim@vk.crocodile.org>
version 2.0.4 released
2004-12-02 <vadim@vk.crocodile.org>
* utils.cpp (fillLibraries): fixed bug (no num): if a library was
assigned a name with non-ascii characters, it would appear
distorted in the pull-down list in object dialogs.
* fixed bug #1077496 ] Error compiling libfwbuilder in FreeBSD:
The problem was caused by changed major version number of libnetsnmp library
in the latest net-snmp port (v5.2)
2004-12-01 <vadim@vk.crocodile.org>
* FWWindow.cpp (openFirewall): fixed bug #1077072: "CrossPlatform
Firewall Builder Crash" - pressing arrow down key on the keyboard
right after the GUI started with no firewall objects defined
caused crash.
2004-11-30 <vadim@vk.crocodile.org>
* po/ru.qm: Updated Russian translation
2004-11-25 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw::processNext): fixed
bug #1073491: incorrect code for rules using two interfaces with
negation. If a rule had two (or more) interfaces of the firewall
in the destination, with negation, the code generated by compiler
would check one interface's address in INPUT chain and another in
FORWARD chain. It should check addresses of all interfaces from
the corresponding rule element in the INPUT chain and also check
addresses and possibly services from other rule elements in the
FORWARD chain. This bug affected rules with two or more interfaces
both in source and destination.
* po/LINGUAS: translators maintain Russian localization using QT
linguist rather than gettext, removed ru locale from gettext
Makefiles but left it in po.pro for installation
* fwblookup.cpp: a fix to make it compile on FreeBSD w/o gnugetopt
port
* utils.cpp (addPopupMenuItem): minor fix to help localization
('add object' and operation on rules pull-down menus did not
translate properly)
2004-11-23 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): built-in installer checks exit
status of the script it runs on the firewall and aborts
installation sequence if it detects an error. OS resource files
have been updated accordingly so they return exit status '1' in
case of error and '0' when they succeed.
* Compiler_ops.cpp (checkForShadowing): API change: still working
on the IPService object shadowing changes. ip fragments object was
shadowing GRE object, which was incorrect. Hopefully this change
finally fixes it.
2004-11-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug (no
number): policy compiler for iptables used "tail -1" in the shell
script that read actual IP addresses of interfaces of the
firewall. This shell code failed to determine correct address of
an interface that was configured with a secondary
address. Reverted to using grep (I switched to tail when ran into
limitations of one of the beta builds of Sveasoft Linksys firmware
that did not have grep)
2004-11-18 <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (processNext): fixed bug #1068936:
"unnumbered interace not using MASQUERADE". Comiler for iptables
will use target "MASQUERADE" if unnumbered interface is used in
Translated Source in a NAT rule.
* utils.cpp (fillLibraries): fixed bug (no num): group object
dialog showed incorrect library name for groups located in the
"Standard" library
2004-11-17 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no number): GUI could not
find names of the object libraries in external library files that
user added for automatic load in the Preferences dialog on
Windows. It would find the name of the library in the first file,
but failed to find library names in subsequent files and used the
name from the first file. Since this library was only present in
the first file, object tree was getting corrupted when the program
attempted to load this library from every file configured for
automatic pre-load. This only happened on Windows.
* dns.cpp (init): API change: fixed bug (no number): program
crashed on FreeBSD 5.3 when using SNMP to obtain parameters for
hosts and interfaces. Crash occurred because of use of
uninitialized mutex variables in module dns.cpp
2004-11-16 <vadim@vk.crocodile.org>
* main.cpp (main): improved error handling: if the GUI is started
with a file on the command line or is configured to open a file
automatically on startup and RCS can not check the file out, the
GUI will come up empty (with only standard objects loaded).
* po/ja.po: Added Japanese translation by Tadashi Jokagi
<elf@elf.no-ip.org>
* DialogFactory.cpp (createFWDialog): added XML element
FWBuilderResources/Target/dialog to platform and host OS resource
files. This element describes GUI dialog that should be opened for
the firewall object for a given firewall platform or host OS. This
is to be used with customized resource files, e.g. when user wants
to add their own host OS resource file to change commands used to
load and activate policy on the firewall. Such customized resource
file will have unique "description" element (the value of this
element appears in the pull-down menu in firewall object dialog)
and the same values for "family" and "dialog" elements to indicate
which firewall family it belongs to and which dialog should be
used. Policy compilers consult "family" element to check if the
firewall platform is supported by the compiler.
* GroupObjectDialog.cpp (addIcon): fixed bug (no number): group
object dialog corrupted object names if they contained non-ascii
characters.
2004-11-13 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): Removed "always new"
mode for access lists and object groups for PIX
configurations. This mode works well when user installs new
configuration but causes problems if they want to reinstall the
same configuration.
Also converted old option "pix_add_clear_statements" to one of the
confgiuration script modes. So, final list of script modes for PIX
is as follows:
- basic or old format when access lists are cleared and added
from scratch. This is the simplest mode which can be used if
management station connects to the firewall from inside. Remote
management over IPSEC tunnel may be difficult since tunnel
traffic is blocked as soon as "clear access-list" command is
executed.
- access-list and object-group commands are generated but "clear
access-list" and "clear object-groups" commands are not
added. User's installation scripts should take care of that. This
option replaces old option pix_add_clear_statements (with
opposite semantics)
- temporary access list is created and added to outside
interface, then main lists and object groups are added with
permanent names and assigned to interfaces. Temporary list
permits all traffic from a single subnet configured in the GUI
via option pix_acl_temp_addr. Temporary list is small and is not
cleared in the end. Temporary list helps maintain IPSEC tunnel
for the time when access-lists are cleared and firewall is
running with default acl that does implict deny for all traffic.
2004-11-12 <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no number): pfctl expects "-F Sources"
and "-F Tables" command line options with "Sources" and "Tables"
capitalized.
* FWObjectDatabase.cpp (merge): API change: changes in the object
database merge algorithm: when an object database we are trying to
merge has non-empty "Deleted objects" library, deleted objects
from this library should be ignored (they used to be deleted from
the current tree). Likewise, when current tree has non-empty
"Deleted objects" library and objects in it match objects being
merged in, objects should be removed from "Deleted objects"
library to avoid creating duplicate IDs with objects being merged
in.
2004-11-10 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): API change: fixed bug (no
number): rule shadowing algorithm now assumes that IPService
object with protocol number '0' shadows any other service just
like 'any' does.
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1063953: "Wrong accept/multiport rule generated". Compiler
generated wrong code for rules using multiple service objects of
different types (TCP and UDP, or TCP and ICMP etc), multiple
addresses in src or dst with option that requires using TCP RST
for action REJECT.
2004-11-07 <vadim@vk.crocodile.org>
* SSHPIX.cpp (getACLs): New feature: added support for new
configuration script formats for PIX in installer:
- basic or old format when access lists are cleared and added
from scratch
- access lists have unique names each time policy is recompiled,
lists are added without clearing.
- access lists are added with temporary names and assigned to
interfaces, then the same lists are added with permanent names,
lists are swapped and temporary lists cleared
Last two methods provide for instantaneous access list swap so
that the firewall never runs with empty lists. This helps maintain
access to the firewall if configuration is installed remotely.
* SSHPIX.cpp: New feature: Installer always clears unused access
lists after confgiuration is loaded.
2004-11-06 <vadim@vk.crocodile.org>
* fwcompiler/Compiler.cpp (complexMatch): fixed bug #1055937:
"Any->all_multicasts not in INPUT Chain". Need to check if network
objects are multicasts; assume that multicast always matches
firewall object (e.g fwb_ipt will put rule with such network
object in destination in INPUT chain)
* instDialog.cpp (instDialog): Added an option to push PIX
configuration to a standby firewall at the end of install.
2004-11-01 <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (_printDstService): fixed bug (no
number) where compiler for iptables used option
"--destination-port" with module "multiport" for versions of
iptables that do not understand it (1.2.6 and later, as well as
default version setting 'any'). The option should be
"--destination-ports" or "--dports".
2004-10-31 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug (no number): Policy installer
failed if the following conditions were met:
- it was running on Linux, FreeBSD or Mac OS X
- working directory configured in the "General" tab of the
Preferences dialog did not exist and could not be created or its
permissions did not allow user that runs the GUI to access it
* NATCompiler_ipt.cpp (processNext): fixed bug (no number) in
fwb_ipt that caused no-nat rules with firewall in OSrc to be
placed only in OUTPUT chain. Packets originating on the firewall
go into OUTPUT and POSTROUTING chains, so no-nat rules must be
placed in both. Other minor improvements for NAT of the locally
originated connections have been done as well.
2004-10-30 <vadim@vk.crocodile.org>
* NATCompiler_PrintRuleIptRst.cpp (_endRuleLine): fixed bug (no
number): compiler placed extra quote '"' at the end of each NAT
command in the script using iptables-restore; this happened
only if all interfaces of the firewall had static addresses.
* PolicyCompiler_PrintRule.cpp (_printProtocol): testing policy
installation via iptables-restore with old versions of iptables
(1.2.6a). Need to include "-m tcp", "-m udp" or "-m icmp",
otherwise iptables-restore does not understand options "--dport",
"--tcp-flags" and some others. Also had to use "--tcp-flags
SYN,RST,ACK SYN" instea dof "--syn" for better backwards
compatibility.
2004-10-26 <vadim@vk.crocodile.org>
* ipt.cpp (main): iptables: Added ability to instert shell
commands defined in the prolog script in three places:
- on the top of generated script
- after interface configuration but before resetting existing
iptables policy
- after existing policy rules are flushed and optional global
implied rules added but before all policy and NAT rules
2004-10-24 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRuleIptRst.cpp (_createChain): implemented
Feature Request #1021201: "output iptables-restore compatible
config from fwb_ipt". Policy compiler for iptables can use
iptables-restore to activate firewall policy. Iptables-restore
provides for atomic policy load and allows to load large policy
much faster. Atomic load means the whole filter or nat table is
activated at once, and if there is an error, nothing is
changed. Compiler generates script in three possible formats:
- the ususal shell script that adds rules one at a time by
executing iptables command with an "-A" flag to add a rule;
- commands are fed to iptables-restore, this format is used when
all interfaces of the firewall have static IP addresses and
script does not need to determine addresses at run time;
- script determines IP addresses of interfaces and discovers
dynamic interfaces that were defined as a "wildcard" interface
in fwbuilder (e.g. 'ppp*'); code that is sent to
iptables-restore is generated dynamically by the script at run
time.
Using iptables-restore is optional and is controlled by
the checkbutton in the "Script options" tab of firewall settings
dialog. Path to iptables-restore utility can be set in the "Paths"
tab of the host settings dialog.
* A change in the script generated by fwb_ipt: if iptables-restore
is not used to load policy, generated shell script purges existing
firewall policy (all tables and chains) and sets default chain
policies after it configures interfaces of the firewall.
Previously, it would flush tables and set default policy before it
configured interfaces.
2004-10-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (pasteRuleAbove): fixed bug #1028866: "incorrect
order when several rules copied using copy/paste". Pasting
multiple rules into an empty policy caused rules to be inserted in
the wrong order.
* freebsdAdvancedDialog.cpp (freebsdAdvancedDialog): fixed bug
#1046345: "ipfw - no option to specify ipfw executable". Added GUI
control to let user specify alternative path to "ipfw" on
FreeBSD. Control like that was previously available only for Mac
OS X
* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast),
Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773:
need to match network address as well as broadcast. Packets sent
to the network address (192.168.1.0 for net 192.168.1.0/24) go in
the broadcast frame and behave just like IP broadcast packets
(sent to 192.168.1.1255 for the same net)
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#1040599: "unnecessary FORWARD rules". If ip forwarding is turned
off in the host settings dialog of the linux-based firewall,
compiler should not generate rules in FORWARD chain.
2004-10-20 <vadim@vk.crocodile.org>
* linux24.xml.in: Added element "Target/family" to all OS resource
XML files. Compilers use "family" resource element to determine if
host OS is supported. User may want to copy host OS resource file
to modify installer scriptlets; as long as the family element is
kept the same, compiler will accept new resource file.
* linksys.xml.in: Added elements
"Target/options/suppress_comments" and
"Target/options/suppress_modules" to the OS resource files
linksys.xml and linux24.xml. These options suppress printing
comments in the generated script and remove commands that load
kernel modules. These options are used for Linksys/Sveasoft
appliance but can also be used for other firewalls based on Linux.
2004-10-19 <vadim@vk.crocodile.org>
* pf.cpp (main): Activation script for PF flushes only information
about rules, nat, source and tables (it used to flush "all"). This
preserves queue entries and states.
* ipt.cpp (main): moved rule permitting backup ssh access from the
management station to the firewall to the top of the script. This
helps maintain ssh session, otherwise it may stall or break
because stdout buffer is filled with diagnostic or progress output
from the script that is printed after all chains are flushed but
before rule permitting ssh to the firewall is added. If stdout
buffer is full, ssh stops and tries to send the text to the
management station but times out because firewall blocks it.
* ipt.cpp: removed code that added iptables command to the "drop"
table to drop and log all dropped packets. This rule used
obsoleted patch-o-matic patch "drop" which is not available
anymore.
2004-10-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug (no number): all policy compilers
properly detect an error when the output file can not be created
or overwritten and print error message to warn the user.
* New feature: added support for prolog and epilog scripts for all
firewall platforms. This was available for PIX for some time, now
it has been added for all platforms. "Prolog/Epilog" tab of the
firewall settings dialog allows for editing of two blocks of
commands that will be added to the generated firewall script
verbatim. Prolog block is added on top, while epilog block is
added at the bottom. Both prolog and epilog are expected to be
shell scripts and are added to the generated shell script that
activates firewall. For iptables and ipfw all compiler generates
is this shell script and prolog and epilog commands are inserted
into it. These commands may execute some actions, as well as add
any policy or nat commands. For ipf and pf prolog and epilog
commands are added to the activation shell script ( .fw file);
prolog is added immediately after the command that flushes all
rules. This way user may either execute shell commands or add
policy and/or nat rules by loading them from external file.
2004-10-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (addFirewallToList): fixed bug (no number)
introduced in 2.0.3 when GUI crashed if user tried to choose
pull-down menu item in the firewall list after the very first
firewall object has been created.
* SSHPIX.cpp: Added #include <errno.h> to make code compile with
gcc 3.4.2 and glibc 2.3.3
* ipt.cpp (main): fixed bug #1040788: fwb_ipt and user
name. Compiler used to read environment variable "USER" to find
out user's name. Sometimes this variable is not set, which caused
compiler to abort. Using env variable LOGNAME in addition to USER.
2004-09-30 <vadim@vk.crocodile.org>
* v2.0.3 released
2004-09-28 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): since config diff is broken for pix
v6.3(3) (because it does not permit adding duplicate ACL entries),
"save diff to file" option is temporary disabled. "Incremental"
install renamed to "install only ACL,icmp,telnet,ssh,nat,global
and static commands"
2004-09-27 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): script
generated by compiler for iptables checks if /usr/sbin/ip exists
on the firewall before it tries to use it to verify interfaces and
configure IP addresses. This check is only performed if user
activated options that use this tool. An error message "Interface
eth0 does not exist" was generated if package iproute2 was not
installed on the firewall, which was confusing.
* FWWindow.cpp (doCompile): Added option "output file name" to
firewall settings dialogs for all platforms. User can specify the
name for the output file; this name is then used by built in
installer in place of a macro %FWSCRIPT%.
* ipt.cpp (main): Added command line option "-o" for all compilers
* FWWindow.cpp (save): fixed bug #1035800: "Autosave failure opens
error window repeatedly". This bug was in fact fixed earlier.
2004-09-26 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): fixed bug #1035130: 'Persistent
"Save" dialog box'. Certain combination of actions on user's part
used to lead to an indefinite loop of "do you want to save the
data" dialogs. The problem was triggered if user skipped choosing
a name for the new file in startup dialog.
* linux24.xml.in: fixed bug #1035132: "compile errors with default
Linksys firewall object". This bug has been introduced in build
435. When user created a new firewall object using one of the
template objects, the GUI would add bunch of garbage to the
firewall options. This garbage violated XML DTD, so compilers and
the GUI would not accept the data file anymore.
2004-09-25 <vadim@vk.crocodile.org>
* ipt.cpp (main): using "set -x" to turn debugging on in generated
iptables script. This will work even if the script is activated
with "sh script.fw" command.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
changed commmand line for sed to more portable version. We used to
use 'stmt; stmt' syntax, which is not always portable. Switched to
a supposedly more portable syntax using multiple "-e" command line
options.
2004-09-23 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): fixed bug (no number): as of
build #430, installer ignored activation command configured in the
"install" tab of firewall settings dialog. Restored this
functionality.
* OSConfigurator_linux24.cpp (printPathForAllTools): just like
with "tail -1", some busybox based systems require "head -1" to be
changed to "head -n1"
2004-09-22 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): fixed bugs in installer that
prevented it from working on OpenBSD. Enabled shceduled reboot for
all OS except PIX.
2004-09-21 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): "schedule reboot" option is
only enabled for linksys since it does not work on other platforms
(yet)
* FWWindow.cpp (openFirewall): implemented Feature Request
#1032126: "Firewall label for clarity". Printing the name of the
firewall object that is opened in the policy panel in a large font
right above interface/policy tabs. This was easy to implement but
I consider it an experiment. Will request feedback from users.
* SSHSession.cpp (startSession): refactored code in built-in
installer. Moved interaction with ssh to classes SSHSession,
SSHUnx and SSHPIX. Moved "scriptlets" that are executed on
firewall to activate policy in different modes to resource
files. Using ssh rather than scp to copy policy script to
unix-based firewalls (pscp.exe on Windows works only if the server
supports sftp, but dropbear on Linksys does not support it so
installer breaks if we use scp/pscp.exe to copy the policy).
Still having problems with scheduled reboot option on Linux/BSD
firewalls (it works on Linksys though).
* OSConfigurator_linux24.cpp (printPathForAllTools): bugfix: some
editions of busybox do not support "tail -1" syntax and require
"tail -n1"
2004-09-19 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): Improvement in the built-in
installer: added an option to schedule automatic firewall reboot
in specified time (in minutes) after policy activation. This
option is available for all firewall platforms but PIX. This
option only works if user requested policy activation in a test
mode, in which case policy is copied and activated on the firewall
but not stored in the permanent location. After reboot the
firewall reverts to the previous version of the policy. To cancel
scheduled reboot, run installer again with "test run" option
turned off. Installer stores the policy in the permanent location,
activates it and cancels scheduled reboot.
* src/res/os/linux24.xml.in and other: moved all commands used by
built-in installer to resource files.
2004-09-18 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): NAT rule of type DNAT (rdr
rule) is assigned to an interface of the firewall if interface
object or its address object is used in ODst. To get rdr rule
without interface assignment, use an Address or a Host object that
has the same IP address as that of firewall's interface but that
is not a child of an interface. This is the same approach that is
used in iptables.
* PolicyCompiler_pf.cpp (compile): Compiler for pf always uses
tables; this breaks compatibility with older OpenBSD systems (3.2
and 3.3)
* PolicyCompiler_pf.cpp (findDynamicInterfaces): Compiler for pf
puts interface name in a table even if interface is dynamic for
rules that use multiple objects in src or dst and one of these
objects is dynamic interface of the firewall that is being
processed. Using dynamic interface of another object in a rule is
still considered an error. Compiler puts the name of dynamic
interface in a table verbatim, without brackets '(' ')' since pf
does not replace dynamic interface with its address dynamically if
it is used in a table (pfctl issues an error if interface is put
in brackets)
2004-09-17 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (configureInterfaces): flushing only
secondary ip addresses on interfaces. This should fix a bug that
caused linksys/sveasoft unit to lose default route upon reboot if
external interface has static IP address.
2004-09-15 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): fixed bug
#1028980: "need an option to turn logging on on fallback rule"
* PolicyCompiler_pf_writers.cpp (processNext): fixed bug #1028973:
fwb_pf: missing "flags S/SA" in front of "modulate state"
* pfAdvancedDialog.cpp (pfAdvancedDialog): added an option to
permit tcp sessions opened prior to firewall restart. This is
needed now since compiler generates "flags S/SA" for the "keep
state" and "modulate state" rules which means firewall won't
permit TCP sessions unless it saw opening SYN packet.
* instDialog.cpp (getActivationCmd): improvements in policy
installer: added an option for test run. When this option is
activated, policy script is pushed to the firewall and is executed
but is not stored there permanently. Firewall reverts to the last
working configuration after reboot.
* NATCompiler_ipt_writers.cpp (processNext): using abbreviated
versions of "--dport", "--sport", "--dports", "--sports" options
to make generated iptables script smaller. Also changed the name
of the variables used to hold IP address of dynamic interface from
"interface_<ifname>" to "i_<ifname>". All this should help to fit
larger policies into small FLASH on linksys. These changes shrunk
my test script from 7964 bytes to 7430 bytes
2004-09-14 <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultOptions): fixed bug #1028078:
"options.png is not displayed for "Assume firewall is part..."
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixed bug (no num):
"firewall settings" dialog for OpenBSD pf did not save option "Use
tables".
* instDialog.cpp (getActivationCmd): implemented compression of
the firewall script for Linksys/Sveasoft combo. Using gzip and
uuencode/uudecode to compress the script and store it in flash
variable 'fwb'. Installer prints flash memory stats after
commiting changes. Installer uses scp to copy firewall script to
the firewall and autogenerated prompt to detect when it logged in;
it does not depend on Linksys shell prompt anymore.
2004-09-12 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): implemented
feature request #1023430: "add checkbox for INVALID support in fw
settings". Added two checkboxes to the firewall settings dialog:
one adds a rule to drop INVALID packets and another adds logging
to the rule.
* FWWindow.cpp (fileSaveAs): fixed bug #1026945: '"Save As" does
not work if current file is in RCS'
* FWWindow.cpp (removeFirewallFromList): fixed a bug (no number):
after deleting a library firewall objects that belong to it were
not removed from the pull-down list
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1026794: multiple SRC ntwks --> "iptables: invalid
argument". Recent changes in optimizer introduced this bug. Rules
with multiple objects in src or dst, TCP service, action Reject
and option "reject with TCP RST" would generate iptables command
that used option "--reject-with tcp-reset" without "-p tcp"
* PolicyCompiler_pf_writers.cpp (_printDstAddr): fixed bug
#1006906: "Negated network causes pass on network". Compiler for
pf uses native negation syntax that is now available in pf
2004-09-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (TimeNegation): fixed bug #1022216:
"negated time produces incorrect iptables rule". Implemented
negation for the "Time" rule element for iptables
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1026509:
"incorrect rules generated for dual negation with time". Compiler
generated incorrect iptables commands for rules that had negation
in two or more rule elements, one of which was Time.
2004-09-09 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): rules that permit packets
associated with ESTABLISHED,RELATED states moved to the beginning
of the script before NAT rules.
* PolicyCompiler_ipt_writers.cpp: added a checkbox and support in
policy compiler for iptables to generate rules that drop packets
that are associated with no know connection (state "INVALID")
2004-09-08 <vadim@vk.crocodile.org>
* Firewall.cpp (duplicate): API change: fixed bug (no number): all
references to the interfaces, as well as their IP and MAC
addresses, in policy and NAT rules should be replaced when
Firewall object is duplicated. Until now only references to the
firewall object itself and to its interfaces were replaced with
references to the newly created copies of object. References to IP
and MAC addresses still pointed at the old objects.
* FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI
corrupts XML file after creating a second firewall". Global object
ID counter was getting reset every time new FWObjectDatabase
object was created. This lead to the ID collision if user quickly
created and deleted complex objects (such as Firewall) and used
database merge. This should also fix bug #1022785: "GUI corrupts
XML file after creating a host entry"
* PolicyCompiler_ipt_optimizer.cpp (processNext): fixed bug
#1024861: "optimizer is broken in fwb_ipt". Used idea and a patch
by Mark Vevers <mark@vevers.net>. Fixed compiler fwb_ipt generates
more efficient iptables script for rules with multiple objects in
all rule elements. The script is smaller and eliminates
unnecessary comparisons for packet attributes. Every attribute
(i.e. source address, destination address, protocol and port
numbers) is checked by the script only once. This should help
reduce load on firewalls with lots of complex rules.
* VERSION: set version to 2.0.3
2004-08-31 <vadim@vk.crocodile.org>
* v2.0.2 released
2004-08-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1019943: "Missing ip addresses in the
rule using interfaces"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): fixed bug
#1019691: "040829 nightly build doesn't add paths for linksys"
2004-08-30 <vadim@vk.crocodile.org>
* VERSION (VERSION): version 2.0.2, revision 1
* aboutdialog_q.ui.h (init): "About" dialog shows registration
status (used only in non-GPL versions)
2004-08-28 <vadim@vk.crocodile.org>
* fixed FreeBSD port, now compiles on 5.3BETA
2004-08-25 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): Added support for options
"max", "max-src-nodes" and "max-src-states" in pf. These allow to
limit number of concurrent state table entries ("max"), number of
source addresses that can simultaneously have state table entries
("max-src-nodes") and number of simultaneous state entries per
source address ("max-src-states") per rule.
* LibExportDialog.cpp (accept): fixed bug #1015884: "Export more
than one library fails with 0 references". Export library
operation failed if user exported two libraries with groups or
rules in one library referencing objects in the other.
2004-08-24 <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog): Implemented support for
all timeout settings in pf: tcp.first,tcp.opening,tcp.established,
tcp.closing,tcp.finwait,tcp.closed,udp.first,udp.single,udp.multiple,
icmp.first,icmp.error,other.first,other.single,other.multiple, including
adaptive timeout scaling options adaptive.start and adaptive.end
2004-08-23 <vadim@vk.crocodile.org>
* FWBTree.cpp (getStandardSlotForObject): fixed bug #1014725:
"adding new ICMP types". If user created service group with the
name "ICMP", the GUI would place new ICMP objects under this group
instead of the standard folder "ICMP". There was the same problem
with other object types, too.
* ObjectManipulator.cpp (simplifySelection): debugging in
operations "delete object", "move object", "undelete". Making sure
we can delete and undelete libraries, delete and move several
objects at once, group several objects. There were problems if
user selected several host or firewall objects using Shift-Click
(although interface and address objects were not visible to the
user, they were selected and acted upon in delete or move
functions; this lead to unexected results or crashes).
2004-08-22 <vadim@vk.crocodile.org>
* templates.xml.in: added template firewall objects for Linksys
firewall and a web server.
* templates.xml.in: fixed bug #1013957: "incorrect NAT rule in
firewall created from template #3". The problem was caused by
incorrect ip address of interface "dmz" in the template object #3.
* pixAdvancedDialog.cpp (pixAdvancedDialog): implemented a backup
ssh access rule. The user specifies management station IP in the
firewall settings dialog for PIX and compiler adds a rule on top
of all other rules to permit ssh from this address to the
firewall.
2004-08-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): avoiding grep in the
generated iptables script - Sveasoft Alchemy pre-5.2.3 does not
have grep
* API change: fixed bug #1012733: "configure --libdir=DIR will be
ignored at installation". Needed to use macro _libdir to specify
target directory for libraries. Used it in configure, qmake.in,
libfwbuilder-config-2 and a .spec file
* objects_init.xml.in: added new service objects to the Standard
objects library: "xmas scan" (old object renamed "xmas scan -
full"), rsync, distcc, cvspserver, cvsup, afp, whois, bgp, radius
and radius acct, SSDP and UPnP. This fixes bug #1011248: "need two
xmas scan service objects"
* FWWindow.cpp (fileImport): function File/Import offers a choice
of .fwl, .fwb and "all files" in the open file dialog. This fixes
bug #1013485: "File/Import should allow to import .fwb file"
* FWWindow.cpp (load): fixed bug #1008956: "Existing .fwb file
gets overwritten if has wrong extension". If the GUI needs to
rename a data file with old extension .xml to .fwb, it checks if a
file with new extension exists and offers user a chance to choose
a different name. It also treats symlinks in a special way: if
user creates a symlink with extension .xml pointing at a file with
extension .fwb, the GUI simply follows the link and works with
.fwb file. This should work with Windows shortcuts, too.
* instDialog.cpp (instDialog): built-in installer uses shell
prompt string patterns configured in the host OS settings dialog
for linksys. This fixes bug #1013022: "can not install policy
script on linksts Alchemy pre-5.2"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): Added host OS
settings dialog for linksys/Sveasoft. Dialog provides entry fields
for paths to iptables, lsmod, modprobe, logger tools and two shell
prompt string patterns, this should help to work around changes in
the shell prompt on Linksys. This fixes bug #1013018: "host OS
settings" dialog is missing for linksys
2004-08-20 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): fixed bug #1009345: "Can
only move one host object at a time between libraries"
* ObjectManipulator.cpp (deleteObj): fixed bug #1013177: "deleting
multiple hosts causes crash"
* DTD change: fixed bug #1011617: "deleting physcal address object
leads to the DTD violation"
2004-08-08 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_writers.cpp (_printDstService): fixed bug
#1005148: "MAC matching - space missing". Space was missing
between MAC address and custom service code.
2004-08-06 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed compile problem on systems
where QT is built without STL support
* PolicyCompiler_ipt_writers.cpp (_printLimit): fixed bug #1004153
"limit-burst = 0 is not valid". Iptables does not accept the rule
using "limit-burst" option if it is set to zero.
2004-08-04 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (pasteTo): fixed bug #1003068: "object
copy/paste not always working". IP address object could not be
placed under interface using copy/paste operation. Now ip address
object can be pasted to interface as well as to Objects/Addresses
folder.
* FWWindow.cpp (fileDiscard): Operation File/Discard closes the
file, discards all the changes that have been made to it and
replaces it with a fresh copy of the head revision from RCS. This
works if user wants to abort file upgrade when they switch to the
new version of fwbuilder.
2004-08-02 <vadim@vk.crocodile.org>
* FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak"
- children objects were not deleted when FWObjectDatabase object
was destroyed.
* iptAdvancedDialog.cpp (accept): fixed bug #1002388: "Clamp MSS
to MTU" option is missing in 2.0
2004-08-01 <vadim@vk.crocodile.org>
* objects_init.xml.in: there were two TCP Service objects
"linuxconf" in the Standard objects library. Object with ID
id3AED0D6D has been removed. It seems this object has been
duplicated long time ago (at least it was like this in 1.1.2)
* FWObject.cpp (getPath): fixed bug #1001725: "object with empty
name can not be deleted". the problem was caused by the algorithm
used in FWObject::getPath. If object had had a blank name, the
path returned by this method would end with the name of its parent
without slash.
* FWWindow.cpp (showFirewalls): fixed bug #1000485: "Firewalls in
the drop-down box not ordered". List of firewalls in the pull-down
that controls policy views is now alphabetically sorted on program
startup.
* utils.cpp (fillLibraries): fixed bug #1000862: "Creating groups
in Deleted Objects". Library "Deleted objects" should not be
offered as a choice for "group objects" operation.
* ObjectManipulator.cpp (contextMenu): fixed bug #1001275: "object
duplication fails w/ no action". GUI used to not allow user to
duplicate IP address object. Now any object can be duplicated so
that the copy is placed under the same parent, including IP
address.
* ICMPServiceDialog.cpp (applyChanges): fixed bug #1001521: "Cant
create ICMP service". ICMP Service dialog did not save icmp code
and type numbers in the object.
2004-07-29 <vadim@vk.crocodile.org>
* 2.0 released, CVS tag set
2004-07-27 <vadim@vk.crocodile.org>
* FWWindow.cpp (install): the GUI calls external installer script
if it is configured in firewall settings dialog when user clicks
'Install', otherwise it should use built-in installer.
2004-07-24 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): correctly copying rule direction
when interface rule is copied/pasted
* instDialog.cpp (selected): proper error messages for management
interface misconfigurations
2004-07-20 <vadim@vk.crocodile.org>
* ICMPServiceDialog.cpp (loadFWObject): ICMP service dialog allows
for setting type and code to 'any' (-1)
2004-07-19 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (processFirewallOptions): fixed bug
#992969: "argument to log should be quoted"
2004-07-14 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): working on bug #990037:
"Wrong rule generated: fw interface included in negated
group". Rules with negation should not generate code in
INPUT/OUTPUT chains if option "assume firewall is part of any" is
off.
* ObjectManipulator.cpp (delObj): fixed bug #990675: "Application
crashes when deleting objects"
2004-07-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw): optimized
processing of policy rules where firewall object is used in src or
dst with negation (possibly in combination with other
objects). Before, generated script would match firewall's
addresses in INPUT/OUTPUT and FORWARD chains which added redundant
checks in the FORWARD chain.
* NATCompiler_ipt.cpp (processNext): fixed bugs #935794: "dual
translation and negation in fwb_ipt" and #986376: "Wrong result
for negated source in NAT rules". Dual translation rule with
negation in OSrc did not process negation in the second half
(POSTROUTING rule, the one that translates the source).
* NATCompiler_ipt.cpp (processNext): fixed bug #965558: "False
ruleset generated for iptables (negate w/ nat)". There were
problems with double negations in NAT rules (OSrc and ODst, or
ODst and OSrv, etc).
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#988860: "Logging missing when firewall start is aborted". When
iptables script generated by fwb_ipt finds missing interfaces,
it prints error message both on stdout and sends it to the log.
2004-07-10 <vadim@vk.crocodile.org>
* FWObject.cpp (_moveToDeletedObjects): now move deleted objects
to the special library with id 'sysid99' rather than delete them
completely. This serves two purposes:
1. can easily provide for undelete function which is very
useful
2. can catch a situation when an object has been deleted
fromt he external library but is still used in the data
file
* FWObjectDatabase.cpp: while merging object trees, checking for
deleted objects. If an object is present in the current tree but
has been deleted in the file being merged in, special form of
conflict resolution dialog is shown. User has only one option - to
delete the object from the file. Typical situation when this
happens is when an object from external library is used in a rule
or group in a data file, then this object is deleted in the
external library. If this external library is preloaded and then
the data file using this object is opened, conflict occurs because
this object is present in the file but is in the "Deleted objects"
in the library. The problem is that the library is read-only, so
if we kept the object (actually, its copy coming from the data
file), the user would not be able to delete it. So, not only
object magically reappeared after it has been deleted from the
library, it appeared in read-only library and can not be deleted
anymore. To avoid this situation we must delete it in the file if
it has been deleted in the library.
* ObjectManipulator.cpp (delObj): "delete object" function moves
it to "Deleted objects" library.
* PrefsDialog.cpp (accept): Added checkbox "Show deleted objects"
to the preferences dialog. If this option is on, user has access
to deleted objects via library "Deleted objects".
* ObjectManipulator.cpp (contextMenu): pull-down menu item "Move"
turns into "Undelete" if an object is in "Deleted objects"
library. This provides for a simple undelete function.
2004-07-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #925199:
"compiles wrongly a double negation". Policy compiler for iptables
generated incorrect code for rules where two rule elements used
negation (i.e. both src and dst, or dst and srv, etc.)
* PolicyCompiler_ipt.cpp (prolog): fixed bug #978854: "false rule
generated for fw object in interface rule". Policy compiler for
iptables generated incorrect code for rules using negated firewall
object in source or destination when global option "assume
firewall is part of any" was turned off.
* fwb_ipt: implemented Feature Request #913273: make "assume fw is
part of any" a per-rule option
2004-07-08 <vadim@vk.crocodile.org>
* FWWindow.cpp (setupAutoSave): Added an option for autosave - if
this option is turned on, the gui periodically saves data to the
file. The autosave interval can be set between 1 minute and 2
hours.
* ipt.cpp (main): fixed bug #917422: "compiler misinterprets
interface with addr 0.0.0.0". If an interface has IP address
"0.0.0.0", it is considered an error.
* added option "strip comments in the script" to the installer
for Linksys and PIX
* do "nvram uset rc_firewall" before loading fw script on
Linksys
* added the following to the list of errors for Linksys
/dev/nvram: Cannot allocate memory
* skip table "mangle" when flushing iptables rules
2004-07-07 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (processNext): fwb_ipt does not
include comments in the script if it is intended for linksys
firewall. Linksys has small nvram and script should be kept small,
otherwise it may not fit in nvram.
* NATCompiler_pf.cpp (processNext): fixed bug #986518: "PF
redirection always point to loopback address"
2004-07-06 <vadim@vk.crocodile.org>
* instDialog4.cpp (stateMachineLinksys): Activating policy on
Linksys/Sveasoft wothout reboot (using command "nvram get
rc_firewall | /bin/sh" instead)
* OSConfigurator_linux24.cpp (prolog): added an option to firewall
platforms iptables, ipfilter, pf and ipfw that sets up a policy
rule to permit ssh access from one specified IP address to the
firewall regardless of other rules. This is for a backup ssh
access from the management workstation in case of an error in the
policy that locks user out of the firewall. The option (a checkbox
and entry field for the management station address) is located in
the "Compiler" tab of the firewall settings dialog. A command that
permits ssh to the firewall from the given address is added on top
of all other rules.
2004-07-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dropEvent): fixed bug #985187: "Usability bug:
Copy objects from one rule to another". Dragging an object from
one rule to another with Ctrl down makes a copy. If Ctrl is up,
then the object is moved.
* instDialog4.cpp (stateMachineLinksys): Added support for Linksys
devices running Sveasoft firmware. Firewall object should be
configured as platform "iptables", host OS "linksys". Policy
installer works both using password and public key authentication.
* NATCompiler_pf_writers.cpp (processNext): fixed bug #985527: pf
NAT rules miss destination port specification. NAT rules that
translate to "map" missed destination port specification.
* main.cpp: the gui can now use external wrapper scipts for ssh
and scp all the way (removed all direct references to commands
"ssh" and "scp", use whatever is configured in preferences
everywhere)
2004-07-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): fixed bugs in the rule
selection. The user can select one rule with a simple left-click
on the rule number, or multiple consequtive rules using
shift-left-click. Selecting non-ajacent rules with ctrl-click is
not supported; ctrl-click acts as normal click. Right-click calls
context menu and uses existing selection if click is on one of the
selected rules, or resets it if click is outside of the selection.
2004-06-29 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): implemented drag and drop of
multiple objects. User can select and then drag several objects
from the tree to a group or a rule.
* LibExportDialog.cpp (accept): a change in the export library
algorithm. We now permit exporting several libraries to one file,
but check that all these libraries have only references to each
other and to objects in the Standard lib and have no references to
objects in libraries that are not going to be exported to the same
file. This ensures integrity of this file and helps avoid pulling
objects from other libraries into it. User can edit objects in the
exported libraries by opening this file as usual; the GUI does not
preload libraries configured in Preferences/Libraries when .fwl
file is opened and unlocks all libraries in this file so objects
can be edited. This way user can edit objects and move them
between libraries in the .fwl file.
2004-06-28 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix): fixed a bug (no #) that appeared only on
Windows: the GUI failed to check a file in to RCS if it was
launched by windows explorer via file extension association.
* platform.cpp: pull-down "versions" is now translatable and says
"1.2.9 or later" for iptables v > 1.2.9
2004-06-26 <vadim@vk.crocodile.org>
* LibExportDialog.cpp: when a library is exported to a file, the
program checks whether any groups or rules in this library use
objects in the othe libraries. Only self-contained libraries can
be exported.
2004-06-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #979484:
"improper command for rule with servie any and action reject."
For rules like that, and if rule options dialog does not specify
particular way to handle this combination, the compiler splits the
rule; the first iptables command rejects any tcp packet with TCP
RST, while the second rejects everything else with ICMP message.
* minor bugfixes in the gui
* incorporated changes suggested by a user to make code compile
with gcc 3.4
2004-06-23 <vadim@vk.crocodile.org>
* LINGUAS: added Vietnamese translation .po file
* FWBSettings.cpp (init): Option "do not save standard libraries
in the user's data file" is now ON by default. User can still turn
it off though.
* FWWindow.cpp (save): Usability fixes in methods that work with
libraries:
- libary files have extension .fwl
- preloaded libraries are always read-only (flag RO is set when
library file is loaded, regardless of the value this attribute
has in the file)
- user can open library file using normal File/Open
operation. Read-only flag is cleared when library file is
opened, so it can be edited. File can be added to RCS and saved
using normal File/Save or File/SaveAs operations.
- When user opens library file for editing, other libraries that
are configured in Preferences/Libraries are not preloaded.
2004-06-22 <vadim@vk.crocodile.org>
* LibExportDialog.cpp (init): when object library is exported to a
file, the file gets extension .fwl to distinguish it from the
regular data file. The GUI allows to export only one library to a
file.
* FWWindow.cpp (fileDiscard): added main menu function
"File/discard" which discard all changes that have been done to
the data and saved to the file and checks out clean copy of its
head revision from RCS. This provides for a quick way to roll back
to the latest revision. Older revisions can be checked out from RCS
using list of versions in the right hand panel in open file dialog
(this creates a branch in RCS).
2004-06-20 <vadim@vk.crocodile.org>
* IPv4Dialog.cpp (DNSlookup): "DNS Lookup" button in the IP
address dialog runs dns query for the name of the address object
and if that fails, repeats query for the name of the host or
firewall object this address belongs to. If address object is in
the folder "Addresses", it does only one DNS lookup on its name.
2004-06-18 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): disabled ability to
drop objects into groups in the tree. It was confusing and not
really useful. Objects can still be dropped into a group opened in
the editor dialog.
* ObjectTreeView.cpp (dragObject): enabled dragging of all objects
in the tree. It turns out, QListView will highlight multiple items
in the tree in Extended selection mode when user drags mouse
across items _and_ the first item they started cursor move on is
not drag-enabled. So, to avoid this unexpected highlighting
behavior, need to enable drag of all objects. We then make sure
that system folder can not be dropped anywhere.
2004-06-16 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A
dynamic interface". Dynamic interface used to "shadow" old
broadcast object (0.0.0.0)
* OSConfigurator_linux24.cpp (configureInterfaces): fixed bug
#912849: "Reorder activation of network interfaces in IPT" -
script generated by the compiler for iptables sets default policy
to DROP, flushes all rules and then reconfigures interfaces of the
firewall (it used to reconfigure intefaces and then flush the rules).
* IPv4Dialog.cpp (DNSlookup): Button "DNS lookup" in the IP
address editor dialog does DNS lookup on the address object name
if the object is located in the "Addresses" folder, or on the
parent host object name if it belongs to an interface of a host or
a firewall.
* ObjectManipulator.cpp (moveObject): refactored "move object"
functions and added debug printing. Trying to debug crash reported
by one of the users.
2004-06-15 <vadim@vk.crocodile.org>
* ObjectEditor.cpp (hide): checking if screen position for the
dialog is 0,0 and not storing this value. This should help to work
around a weird bug where screen position of dialogs sometimes is
returned as 0,0 when GUI runs in Gnome.
* Object names and comments are stored in the object file in UTF-8
format. This allows for names and comments to be entered and
displayed in local languages. Although object names can be
localized, it is recommended to keep firewall names in plain ASCII
because compilers do not support UTF-8 yet. This fixes very old
bug #657156: "Special characters problem".
2004-06-13 <vadim@vk.crocodile.org>
* init.cpp (init): the program uses reasonable default for the
directory where user might want to save their data files on each
OS. ( $HOME on Unix, $HOME/Documents on Mac,
$USERPROFILE/Documents in windows)
* ObjectManipulator.cpp (updateObjName): whenever user changes the
name of a firewall, host or an interface object, the GUI asks
whether they want to also rename all IP and MAC addresses that
belong to that firewall or host. If user agrees to rename them,
the program generates names automatically using scheme
'host_name:interface_name:ip' and 'host_name:interface_name:mac'
2004-06-12 <vadim@vk.crocodile.org>
* newHostDialog.cpp (selected): implemented "new host"
wizard. User can choose to add interfaces manually or can use a
library of predefined host object templates.
2004-06-10 <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): fixed a bug
(no number) where fwb_pf would not include code defined by custom
service object in the .conf file
2004-06-08 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (copyObj): implemented multi-object and
multi-rule copy/cut/paste operations
* ObjectManipulator.cpp (moveObject): implemented "move object"
operation - moves object to another library; operation is accessed
via pull-down menu in the object tree.
2004-06-06 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (groupObjects): added ability to select
multiple objects in the tree. Currently the following operations
are performed on multiple objects: delete, duplicate, group.
* ObjectManipulator.cpp (groupObjects): operation of grouping of
selected obejcts. User selects several objects in the tree and
choses menu item "group" in the pull-down menu; the GUI brings up
a dialog asking for the new group name and a library it should be
put in. New group is created and all selected objects are
automatically added to it when user hits "Create group" button.
2004-06-05 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (accept): added "Installer" tab to the PIX
firewall settings dialog
* FWBSettings.cpp (getScreenPosition): checking if the window fits
in the screen before restoring its geometry.
* ObjectListView.cpp (dragObject): setting hot spot in the center
of the object icon for drag and drop.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
showing group members in tooltips and conflict resolution dialog
* ObjectEditor.cpp (ObjectEditor): redesigned ObjectEditor
class. All individual object editor classes are now inherited from
QDialog and are top-level windows. Class ObjectEditor is just a
manager that opens and hides appropriate dialog and manages its
size and position on the screen. Geometry is remembered separately
for each dialog for each object type, so we can have group object
editor open wider than, say, IP service object editor. Each object
editor has its optimal size.
* pfAdvancedDialog.cpp (pfAdvancedDialog): yet another redesign of
PF firewall settings dialog. Using individual checkboxes to
enable/disable each "limit" and "timeout" option
* ipt.cpp (main): all compilers do not create any files if there
was an error during rule processing (not even empty ones)
2004-06-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp : Info window shows properties of an object
selected in rules
* RuleSetView.cpp (paintCell): added tooltips for objects in the
policy view, using the same detailed properties text that is used
for Info panel.
* iptAdvancedDialog.cpp (accept): the actual command that
installer should run on the firewall to activate the policy can
now be specified in the "installer" tab of firewall settings
dialog for all platforms. If this input field is left blank,
installer will run firewall script, using sudo if user name used
to authenticate to the firewall is not 'root'. On Windows,
installer also does chmod +x on the file.
* FWBSettings.cpp (setSSHPath): directory path and a file name for
the secure file transfer and secure shell utilities can be
configured in the Preferences (tab "SSH"). This allows for using
of different SSH packages on Windows, as well as using SSH
installed in a non-standard directory on Unix.
2004-06-03 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): standard folders in the tree
can not be dragged into groups or rules and open/close on double
click. Regular objects open editor on doubleclick.
* ipt.cpp (main): compiler for iptables sets up PATH environment
variable at the beginning of the generated script. This is
particularly useful if policy is compiled on windows or mac for
Linux firewall that runs unknown version of Linux, so we cant be
sure where standard tools such as iptables, lsmod etc are
located. Most systems place them in /sbin, but for example SuSe
places iptables in /usr/sbin. If policy is compiled on one of the
Linux systems, we assume generated script will run on the same
system (which may not be true, btw), but if we compile on Windows,
there is no way to know where these tools are located
beforehand. In this case we need PATH. User can always override
this behavior and specify full path to all tools explicitly.
2004-06-02 <vadim@vk.crocodile.org>
* linux24.xml.in: changed "Linux 2.4" to "Linux 2.4/2.6" in all
menu
* iptAdvancedDialog.cpp (iptAdvancedDialog): removed "log all
dropped packets" option from the firewall settings dialog for
iptables. This option required p-o-m patch that has become
obsoleted and is not included in p-o-m anymore.
* FWWindow.cpp (install): when user hits "Install", the GUI checks
if objects in the database were modified since policy of a
firewall has been compiled last time. If existing policy file is
older than the database, program offers the user to compile it
before it is installed. There are options to recompile, install
old copy or cancel the operation.
2004-05-31 <vadim@vk.crocodile.org>
* RuleSetView.cpp: Added support for operations that act on
multiple rules: setting rule color, moving to a different position
in rule set, disabling/enabling, deleting. User can select
multiple rules by dragging mouse across several rows in the column
that shows rule numbers. Copy/Cut/Paste operations of multiple
rules are not supported yet.
2004-05-29 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragObject): implemented drag-and-drop of
objects in the rules
* utils.cpp (setDisabledPalette): all entry fields in the object
editor are disabled if an object is read-only or is located in
read-only library. Object editor is still opened for read-only
objects, but since all fields are disabled, changes are not
allowed. Opening object editor for read-only and standard objects
allows for inspection of their properties.
* FWWindow.cpp (load): file objects_init.xml does not include
empty "User" library anymore. Instead, this library is created
dynamically using method FWBTree::createNewLibrary when user
creates new data file. This simplified things since 1) "User"
library now has unique random ID in every data file so it can be
safely exported and then imported back without any conflicts; 2)
since its ID is unique, it can be renamed without creating any
conflicts. The library is only created in FWWindow::load()
(i.e. when new data file is created). It is not created when
existing data file is loaded because it is supposed to be
there. Old data files that still have this library with
semi-standard ID will load it as before, but the ID loses its
standard meaning.
2004-05-23 <vadim@vk.crocodile.org>
* filePropDialog.cpp (filePropDialog): added "File properties"
main menu item and dialog
* debugDialog.cpp (debugDialog): added "debug" menu item under "Help"
2004-05-20 <vadim@vk.crocodile.org>
* instDialog.cpp : built-in installer works with all supported
firewall platforms: iptables, ipf, pf, ipfw and pix.
* instDialog.cpp (instDialog): built-in installer reads list of
files that policy compiler generated for a given firewall object
("manifest") from the .fw file and installs them on the
firewall. One file in the manifest needs to be marked as
executable, installer runs it after all files are copied.
* all policy compilers: all compilers include a list of files
generated for a given firewall object ("manifest") in .fw file.
2004-05-18 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): split long context menu that used
to be shown when user clicked right mouse button on an object in a
rule. Now this menu has only actions related to the object, while
actions for the whole rule belong in the context menu shown when
user clicks right mouse button on the rule number.
* fr.po, ru.po: checked in updated French translation by
Jean-Michel Poure and added some rudimentary Russian
translation. Both translations are done in UTF-8.
2004-05-15 <vadim@vk.crocodile.org>
* init.cpp (init): define global var localepath that is
initialized with a path to the directory where translation files
(*.qm) are installed. This path is defined as $respath/locale on
all systems (on Unix this typically is
/usr/share/fwbuilder/locale, while on Windows and Mac it will be a
subdirectory "locale" in the directory where the binary is
installed)
2004-05-14 <vadim@vk.crocodile.org>
* ColorLabelMenuItem.cpp (ColorLabelMenuItem): implemented RFE
#725461: "Colors". Added ability to color-code rules in the
policy. User can pick one of the 7 predefined colors (plus none)
in the pop-down menu that appears when they right-mouse-click on
the policy or NAT rule. Custom text can be associated with each
color using a panel in the Preferences dialog, this text appears
as a tool tip when user flies mouse cursor over color buttons in
the pop-down menu.
2004-05-12 <vadim@vk.crocodile.org>
* src/gui/ui: QT's ui translator uic creates code in this directory.
This allows me to add generated files to the internationalization
infrastructure (include in the .pot file). also added *.cpp files
in src/gui/ui to cvs so translators can look at them to better understand
context without having full QT development environment.
2004-05-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #934949:
"duplicate rules". fwb_ipt created duplicate rules for a bridging
firewall if fw object or its interfaces or their addresses were
not in the source or desintaion
2004-05-04 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): "new firewall" wizard can create
a new firewall object using predefined templates from the file
templates.xml (the file is a pat of the package and is installed
in /usr/share/fwbuilder on Linux and in c:\FWBuilder\resources on
Windows). User picks a template and the program creates a
duplicate of the template object in the "User" object library. The
wizard page where user picks template shows a diagram of the
firewall configuration that illustrates its interfaces, their
configuration and addresses. Comment text associated with template
object explains its specific properties and is shown on the page
as well.
2004-05-02 <vadim@vk.crocodile.org>
* templates.xml.in : a library of firewall object templates. This
library is a part of the distribution and is installed in
${prefix}/share/fwbuilder on Linux and BSD and in
C:FWBuilder/resources on windows (the same dir where standard
objects are installed). This library is not loaded by default
though.
* listOfLibraries.cpp (listOfLibraries): Added a page to the
preferences dialog to manage add-on libraries. The GUI maintains a
list of available add-on libraries and allows user to define which
ones will be automatically loaded when the GUI is started. The
program always adds "standard" and "templates" libraries to the
list, then scans directory $HOME/.fwbuilder/lib/ (
C:\FWBuilder\lib on windows) and adds all .fwb files found there
to the list. It stores list of libraries in the user's preferences
together with a boolean flag that is set if a library should be
loaded on a start-up. Library added using main menu "Import
Library" is also added to the list so the user can make the
program load it automatically.
2004-04-29 <vadim@vk.crocodile.org>
* Makefile.in: Added support for internationalization. Using
gettext 0.14.1. This is the first version where support for QT
lanuage files is available, but it is not available in RedHat or
other Linux distributions yet. Therefore had to copy some m4 macro
colelctions from example to directory 'm4', as well as copied a
Makefile.in and script remove-potcdate.sin to directory 'po'. New
version of xgettext recognizes standard QT localization method
tr() and can generate usual .pot files from strings used with
it. The nwe msgfmt can generate .qm files from translated .po
files.
2004-04-25 <vadim@vk.crocodile.org>
* instDialog.cpp (cmd): this method can be used whenever we need
to execute several commands on the firewall sequentially.
* (instDialog): install dialog hides incremental install options
if 'diff' program can not be found (perhaps compiler that comes
with it is not installed)
* instDialog2.cpp (PIXincrementalInstall): integrated with
fwb_pix_diff
* instDialog2.cpp (PIXbackup): implemented function that stores
backup copy of firewall configuration in a file
2004-04-18 <vadim@vk.crocodile.org>
* findDialog.cpp (find): 'find object' function is implemented by
means of an external modeless dialog that allows for searching in
the tree and or policy rules and supports matching with regular
expressions.
* newFirewallDialog.cpp (getInterfacesViaSNMP): 'new firewall'
wizard can discover interfaces using SNMP. Finished work on the
page where user can arrange interfaces according to their security
levels.
2004-04-15 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): added 'new firewall'
wizard. Still need to work on the page where user sets security
levels of interfaces.
2004-04-14 <vadim@vk.crocodile.org>
* VERSION (BETA): added a variable in the VERSION file that
designates code revision as beta and stores beta testing period
expiration time (+30 days). Currently only About dialog shows this
time, but in the future I may make the program disable itself if
it is used past this time. The released version won't have this
limitation. This can be used to prompt people to upgrade, so I do
not have to support old versions.
2004-04-11 <vadim@vk.crocodile.org>
* FWBSettings.cpp (restoreGeometry): added ability for dialogs to
automatically remember and restore their geometry (size and
relative position on the screen). Currently only main window, conflict
resolution dialog and object editor dialogs do this. Geometry is
stored in preferences. Main window comes up with a default geometry
100,100,750,600 (x,y,w,h) when no geometry is found in settings.
2004-04-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (ConflictResolutionPredicate): implemented conflict
detection and resolution for the "merge" operation. The same
mechanism works for "open file" since it is also based on
merge. When there is a conflict during merge, the program opens a
dialog and asks the user which copy of the object they want to
keep.
2004-04-09 <vadim@vk.crocodile.org>
* instDialog3.cpp (stateMachineSSHSUDO): builtin installer works
with Linux/BSD systems using combination of ssh on the client side
and sudo on the firewall. User provides a password for
authentication and the program logs in into the firewall as that
user, copies firewall script to "/etc/fw" (directory path is
hardcoded), then executes it using sudo. Sudo should be configured
for this user or group she belong to to be able to execute this
script as root with no password.
2004-04-08 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): added universal (hopefully) policy
installer program. The program uses ssh in a background on both
Unix and Windows (on Windows it requires putty/plink) to
communicate with the firewall. Currently only supports PIX but I
will add Linux/BSD later. Installer GUI asks user for a password.
2004-04-07 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added rule options dialog
for ipt
2004-04-06 <vadim@vk.crocodile.org>
* FWWindow.cpp (search): implemented advanced search method that
finds and highlights objects both in the tree and in any rule of
any firewall. This resolves problem outlined in Feature Request
#837448: '"Where used" only shows fw objects'
2004-04-04 <vadim@vk.crocodile.org>
* FWWindow.cpp (save): implemented saving data file without making
copies of objects in the 'Standard' library (Feature Request
#810504). This feature is considered experimental and is off by
default. An option in Preferences dialog activates it.
* FWWindow.cpp (load): All load is done via merging of the loaded
file with a standard object tree. Now we can load files saved
without copies of unused standard objects.
* FWWindow.cpp (fileImport): implemented data import. Using method
FWObjectDatabase::merge to merge imported data with current object
tree. Only object IDs are compared, so modified standard object in
the imported file will be ignored and its changes will be lost.
2004-04-03 <vadim@vk.crocodile.org>
* export.cpp (exportLibrary): Implemented library export
* StartWizard.cpp (StartWizard): added simple startup wizard that
asks user if they want to open existing file or create a new
one. It also sets some useful preferences such as adds new file to
RCS and makes the program automatically open it when it is started
next time.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
Fixed bug #956544: "Error into load modules script generation",
where generated script would not load kernel modules with names
"module.ko.gz". Regular expression should match on ".ko.*$" to
find these modules properly. Thanks to Andrey Kaminsky
<and@fao.lv> who pointed this out.
* RuleSetView.cpp (doubleClicked): double-clicking on an object in
the policy rule opens that object in the editor
2004-04-02 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): using combobox widget
instead of a tab widget for libraries. This way we can fit more
libraries without making interface cluttered.
2004-03-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): the GUI saves path to the DTD and resources in
user's settings using QT QSettings class. Policy compilers and
other tools can read this setting to quickly determine location of
DTD and resources.
2004-03-29 <vadim@vk.crocodile.org>
* getting rid of STL classes in the GUI. The idea is to make GUI
use QT classes in most of the code and use STL classes such as
'string', 'map', 'list' where it has to pass data to and from API
which is STL-based. This should simplify using QT compiled without
STL support (much less conversions between string and QString).
2004-03-28 <vadim@vk.crocodile.org>
* main.cpp (main): the data file can be specified on a command
line both as an argument for option '-f' and after all
options. Option '-f' is preserved for compatibility with old
versions. Preferred method is to specify the file name as a
parameter without any option: "fwbuilder file.fwb"
2004-03-27 <vadim@vk.crocodile.org>
* platforms.cpp (getVersionsForPlatform): usability improvement:
"combo boxes" that do not allow typing in them should not have
empty choices. Fixed this for a drop-down menu of version numbers
in firewall dialog.
2004-03-26 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): counting rules from zero in the GUI
* (RuleSetView): this is not a change, I just wanted to document
that I tested the GUI with a policy that has 1000 rules. I haven't
noticed any delay in loading this policy compared with when it had
<100 rules.
2004-03-25 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): gui automatically chooses working dir
if none is set and user calls 'file save as' menu item :
* on Unix will use current dir.
* on Windows will use user's document dir.
* NATCompiler_ipt.cpp (processNext): added a workaround for a bug
(no number): if address range object was used in SNAT or DNAT rule
and option 'manage virtual addresses' was on, compilerwould not
add virtual address properly. It still won't do it, but at least
there is a check for this situation and it prints appropriate
warning message. The problem with this is that if the range is
large, we end up with potentially lots of virtual addresses. Let
the user deal with this themselves.
* ipt.cpp: compiler(s) understand new command line option '-R',
which should specify a full path to the resources. This is useful
on Windows and Mac where resources are installed in a non-fixed
place by the GUI package, but need to be used by the compilers.
2004-03-24 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): each system group object in
the tree has an item in its pop-down menu that allows user to
quickly add an object to that group.
* IPv4Dialog.cpp (DNSlookup): added ability to determine IP
address of an Address object using DNS lookup (using QDns class)
* FWBSettings.cpp (FWBSettings): explicitly setting scope for
QSettings as "User"
2004-03-22 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (addTreePage): added attribute 'ro' to all
elements in DTD (see API). This provides for a way of locking down
parts of the tree.
* ObjectManipulator.cpp (addTreePage): read-only subtrees are
marked with an icon of a lock and text 'read-only'
* objects_init.xml : standard objects tree is now read-only. User
objects can not be moved into 'standard' tree and standard objects
can not be edited but can be duplicated (a copy is automatically
created in the first user-defined library, most often it is a
library 'User')
* FWWindow.cpp (install): GUI supplies a path to the firewall
object as a parameter to installation script rather than just its
name (as before). This is because the path has changed when
library element has been added. Changes made in the GUI (send path
instead of name) and in fwb_install script (to make it interpret
path).
2004-03-21 <vadim@vk.crocodile.org>
* pixosAdvancedDialog.cpp (pixosAdvancedDialog): 'advanced host
settings' dialog for PIX
* RuleSetView.cpp (contentsMousePressEvent): selectedObject is
chosen in mouse press and key press even handlers; got rid of
currentChanged slot all together. This eliminated flicker that was
caused by extra repaint of the cell when selected object was
chosen in currentChanged slot.
2004-03-20 <vadim@vk.crocodile.org>
* DialogData.cpp (DialogOption): universal class to load and save
data in dialogs
* pixAdvancedDialog.cpp (pixAdvancedDialog): 'advanced' firewall
options dialog for PIX. Implemented tabls 'Compiler options',
'Prolog/Epilog', 'Timeouts' and partially 'Fixups'. Fixup pages
are disabled using resource string that defines which fixups are
available in certain PIX version.
* FirewallDialog.cpp (openFWDialog): firewall dialog saves version
from the widget to the object before opening 'advanced' firewall
options dialog. This is a departure from the dialog logic where
all data is stored when user clicks 'Apply changes' button.
2004-03-19 <vadim@vk.crocodile.org>
* FWBSettings.cpp: added support for an "object autosave" option
(automatic saving of changes in dialogs while switching between
objects)
* RuleSetView.cpp (insertRule): added main menu items "insert
rule" and "add rule after current"
* RuleSetView.cpp (contextMenu): added pop-up menu items for
adding, removing and moving rules up and down, as well as standard
copy/cut/paste operations on moves. Similar menu items added to
the main menu.
* RuleSetView.cpp (paintCell): implemented double-buffering in
paintCell to improve performance and remove flickering
2004-03-17 <vadim@vk.crocodile.org>
* FWBSettings.cpp: saving the size of the info window in settings
* RCSFileDialog.cpp (RCSFileDialog): 'open file' dialog
automatically looks for files in the working directory configured
in a global preferences dialog.
* main.cpp (main): added a global setting "startup action" in
Preferences. Currently two actions are available: "load standard
objects" and "load last edited file".
* FWBSettings.cpp (FWBSettings): a specialized wrapper for
QSettings. I will be adding methods to this class to simplify
access to whatever global program preferences and options I
need. Currently it supports 'working dir' and 'info window style'
settings. Settings are stored in a platform-depended way as
QSettings does it.
2004-03-16 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (_printOPorts): minor bugifx - fixed
typo ( '==' -> '=' )
* ObjectEditor.cpp (closeEvent): object editor checks for
modifications before closing if user closes it using window
manager buttons.
* FWWindow.cpp (unselectRules): the main window maintains single
selection across objects in the tree and in the policy
view. Selecting an object in the tree automatically unselects
object in the policy and vice versa. Now I can implement
copy/cut/paste functions driven by the main menu; these operations
will work on the currently selected object either in the tree or
in the policy.
* FWWindow.cpp (editCut): copy/cut/paste operations work between
the tree and policy views using both context menus and main
menu.
* ipt.cpp: output stream is created with a mode ios::binary on
Windows
* RCS.cpp (isDiff): having problems with rcsdiff.exe in windows,
for now will assume that the file always changes and needs checkin
comment.
2004-03-15 <vadim@vk.crocodile.org>
* RCS.cpp (co): using windows-specific functions to create a
temporary file for the file checkout
* global.h: added redefinition of macro assert to be able to use
it on windows where we compile without debugging info. (the reason
I do not build Debug version on win32 is because I use precompiled
libraries libxml2 etc that are built using Release CRT, and I
can't mix different runtimes).
* RCS.cpp (co): GUI makes sure that if the file has been opened
and locked by a user, another user can only open it read-only. The
same user has a choice of opening it read-only or read-write. The
latter case is useful in case of a program crash that leaves
opened files in the locked state.
* RCS.cpp (co): added ability to open older revision of the file
read-only. Requested revision is checked out into temporary file,
which is then loaded and immediately deleted. The object tree is
locked read-only and 'save' and 'save as' operations are disabled.
2004-03-14 <vadim@vk.crocodile.org>
* RCS.cpp (add): using "rcs -i -kb" to add a file to RCS, this
should help avoid extra CR in the file while working on windows
because it makes RCS use binary mode while working with the file.
2004-03-13 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp: GUI redesign: switched to a single window
design. Object manipulation happens inside three classes:
ObjectManipulator (the tree widgets and algorithms), ObjectEditor
(a stack of editor widgets and a glue logic), obejct info browser
(class QTextBrowser). Object editor appears as a non-modal dialog
when user double-clicks an object in the tree. Single click
updates data in the info window but does not open the
editor. Objects can be selected in the tree in any supported way -
keyboard arrows, keyboard shortcuts, hitting the first letter of
the objects's name, mouse click. In any case, appropriate object
is selected and info window is updated with its attributes.
Info window has three modes: collapsed (there is no info window),
showing only comment attrbibute and showing brief summary of
object's parameters and a comment. User can switch between modes
using a button located on the main window panel directly under the
info widget.
2004-03-12 <vadim@vk.crocodile.org>
* build environment is based on qmake: file qmake.inc is included
from qmake project files in all subdirectories. File qmake.inc
defines all variables for all platforms, so project files in
subdirs only add lists of files and take care of exceptions. File
qmake.inc is generated by configure, but all substitutions are
only needed for Unix and Mac. This file is checked in to cvs so it
could be used on Windows without a need to run configure.
All qmake project files in subdirectories need no substitutions
by configure, so they all are checked in to cvs and can be used on
windows right away.
Qmake project files fwbuilder2.pro and src/src.pro use template
'subdirs' and make qmake descent into subdirectories and rebuild
projects there.
Now using qmake to generate Makefile and MSVC project files in
src/fwblookup, src/fwbedit, src/ipt. Makes it easier to generate
consistent MSVC projects without having to edit them manually.
resource files (src/res/*.xml and src/res/*/*.xml) are generated
by configure, however, since substitutions made in them are only
relevant on Unix and Mac, generated files are checked in to cvs so
they can be used on windows without running configure.
No need to run configure (or autogen.sh) on Windows anymore.
To build on Unix and Mac:
$ autogen.sh
$ make
$ make install
To build on windows:
run qmake, then make in the root dir. of the project
Open fwbuilder2.dsw in MSVC and rebuild all
* NATCompiler_ipt.cpp, PolicyCompiler_ipt.cpp and others in
src/ipt: code cleanup. Removed all unused variables and added
handling for 'default' case in switch operators.
2004-03-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (compile): implemented main menu items "Rules/compile"
and "Rules/install". Still need to add toolbar buttons though.
* execDialog.cpp (execDialog): a dialog for a background execution
of external commands. This class is used to call external policy
compilers and installer scripts. Uses QT class QProcess.
* ipt.cpp: transfered compiler for iptables over to fwb2. Only
minor changes: new file name schema (*.h, *.cpp); proper choice of
the directory where resource files are located; eliminated last
dependencies on glib
2004-03-09 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (accept): firewall settings dialog saves
all data in the object.
2004-03-07 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): firewall settings
dialog for iptables. Saving of the data back in the firewall
object is not implemented yet.
* DialogFactory.cpp (createDialog): DialogFactory: class that
creates dialogs for all object types.
* FWBTree.cpp (FWBTree): refactored code: all methods that enforce
our standard tree structure now belong to the class FWBTree
* TimeDialog.cpp (applyChanges): added dialog for the Time
interval object.
2004-03-06 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (setupPopupMenu): added pop-up menu in the
group view (both icon and list modes) with oprations
copy,cut,paste and delete.
* all dialogs: object is moved from library to library when user
clicks 'apply changes' (before it would move immediately when the
library was changed in the pop-down menu).
* CustomServiceDialog.cpp (loadFWObject): added dialog for the
Custom Service object
2004-03-05 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (copyObj): added pop-up menu to object tree
view; implemented functions 'duplicate', 'copy', 'cut', 'paste'
2004-03-04 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): objects in the
tree are selected with double-click.
2004-03-03 <vadim@vk.crocodile.org>
* RuleSetView.cpp (getRE): added platform capabilities check for
columns 'Time' and 'log/options' in policy views
* RuleSetView.cpp (dragMoveEvent): support for d&d of Time objects
2004-03-02 <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (loadFWObject): added dialog elements for
interface security level, 'external' checkbox, network zone.
* RCS.cpp (isDiff): added a wrapper for rcsdiff in RCS class
2004-02-29 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (createObject): properly creating interfaces
and addresses for the firewall object
* further testing and improvements in RCS integration
2004-02-28 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): file can be opened with or without RCS, a
head revision or any specific revision, read-write or
read-only. File name, revision number and read-only status is
displayed on the main window's title bar.
* FWWindow.cpp (load): added ability to open data files read-only
* RCS.cpp (RCS): refactored the code, made class RCS a wrapper for
the command-line rcs tools. It should be possible to use the same
or similar interface for other version control system if needed.
2004-02-26 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (showFileRLog): Open File dialog shows RCS
revisions of the chosen file in a preview panel. Added button "add
to RCS" that allows user to add selected file to RCS right from
the "open file" dialog. Added elements for opening file read-only
and with or without locking (but these functions have not been
implemented yet).
2004-02-23 <vadim@vk.crocodile.org>
* RCS.cpp (rlog): class RCS provides simple integration with
RCS. Uses portable functions provided by QT to call external RCS
programs.
* configure.in: added checks for external RCS programs ci, co,
rlog.
2004-02-22 <vadim@vk.crocodile.org>
* FWWindow.cpp: added basic integration with RCS. Every time a
data file is opened, it is checked out from RCS and locked. If the
file has not been added to RCS, an initial checkin is performed
with a generic comment. Every time an opened file is saved (using
"save" or "save as" menu), it is checked in and kept in a locked
state. A new menu item "File/Close" has been added; this menu item
checks the file in and removes lock (does 'ci -u') so other users
can work on it, then it reopens a standard objects database in the
GUI. Opening a file while another file is already opened in the
GUI causes the latter to be closed (checked in and lock removed)
and a new one opened as described above.
still TODO: add a dialog to ask the user for a checkin comment
text. Add a global option "Use RCS" so that using version control
is optional. Test the whole thing on Windows.
2004-02-16 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): added dialogs for
interface, MAC address, network, address range and other objects.
* FWObjectDrag.h: implemented custom drag class FWObjectDrag; all
widgets dynamically check if the object being dragged can be
dropped in them. User can drag objects from the tree into groups
and rules, as well as from a group into the tree.
2004-02-08 <vadim@vk.crocodile.org>
* IPServiceDialog.cpp (libChanged): implemented gui elements and
support for moving objects between libraries.
2004-01-20 <vadim@vk.crocodile.org>
* added dialog for object IPv4. This object can now be created in
a standard place in the tree in a group Objects/Addresses as well
as as a child object of interface (as before in fwbuilder 1). This
allows for using object IPv4 as an abstract for an IP address
which is simpler than using a Host object.
2004-01-04 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp: Experiment: user and standard object tree
views have different background colors. This provides simple
visual clue of what library the object shown in the editor panel
belongs to. This is especially useful if a standard object is
referenced from the user defined group and user opens it; in this
case the tree switches from user-defined objects to the standard
onces but this switch may not be evident from the first glance,
thus user loses context and may be confused why his objects
apparently have gone away.
2004-01-03 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): property editor has window
type "dialog" and always stays on top of the main
window. Implemented simple history feature for the object
navigation and added a button "Back" to the toolbar.
* GroupObjectDialog.cpp (loadFWObject): group object dialog can
now show group contents as a set of icons or as a list; switching
between two modes is done using toggle buttons a-la file list
modes in the "open file" dialog.
* PropertyEditor.cpp (loadObjects): merged object tree and object
property editor in one dialog.
2003-12-20 <vadim@vk.crocodile.org>
* main.cpp (main): resources and preferences files can now be
found dynamically, using a full path to the directory the binary
has been launched from. The RES_DIR macro defined in config.h
now specifies relative path to the resource files starting from
the application root dir. If program is installed in
/usr/local/bin, then the application root is "/usr/local" and
resources should be located in /usr/local/$RES_DIR directory.
Reference in New Issue View Git Blame Copy Permalink