onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 10:17:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ChangeLog
Vadim Kurland 7d237a01f9 Merging branch inet-addr-changes -r62:HEAD
2008-04-13 18:44:45 +00:00

5669 lines
231 KiB
Plaintext
Raw Blame History

2008-04-13 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug (no
#): compiler fwb_ipt used to treat host objects as networks in
TDst and generate iptables output with /netmask of the interface.
* (various places in src/ipt): PREPARATION FOR IPV6: Changing
IPv4::cast to dynamic_cast<InetAddrMask*> everywhere. In loops
that walk child objects of interfaces, cast child objects to
InetAddrMask* or to FWObject* instead of IPv4*. This is to
facilitate support for ipv6 in the future. In all these places we
need to use two aspects of the child objects: either their
position in the tree, in which case FWObject* is sufficient, or
their address/netmask, in which case we should use InetAddrMask.
2008-03-09 vadim <vadim@vk.crocodile.org>
* (from 2.1) pf.cpp: fixed bug #1899914: "Script to apply the new
rules." It is enough to execute "pfctl -f file.conf" to load PF
policy. There is no need to purge filter and nat rules first, then
reload it.
* (from 2.1) RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1908351:
"rcs does not save log message and file remains locked"
* (from 2.1)
Compiler.cpp (emptyGroupsInRE::countChildren): (libfwbuilder)
fixed bug #1905718: "Group of DNS Name objects considered empty"
2008-03-05 vadim <vadim@vk.crocodile.org>
* VERSION: started v2.1.18
* src/cisco_lib, src/iosacl, src/pix: Code for policy compilers
for Cisco IOS ACL and PIX has been released under
GPL and merged into the main fwbuilder tree.
2008-02-18 vadim <vadim@vk.crocodile.org>
* CircularQueue.hpp (antlr): fixed crash of the policy importer on
64-bit systems. This fixes bug #1886575: "Seg Fault on reading
vanilla Fedora iptables file". See comment in module
CircularQueue.hpp for details.
2008-02-10 vadim <vadim@vk.crocodile.org>
* pt_BR.po: updated Brazilian Portuguese translation by Rubens
Ferreira Neto <rubens.ferreiraneto@ig.com.br> and Jose
Carlos Medeiros <jose@psabs.com.br>
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed bug #1886570:
Diagnostic related to Edit->Preferences. Removed harmless but
annoying error message that appeared on stderr when user opened
Preferences dialog.
* IPTImporter.cpp (IPTImporter::pushPolicyRule): Fixed bug
1883536: "fwbuilder segfaults when importing iptables conf". Added
support for TCPMSS target with option --clamp-mss-to-pmtu in
iptables importer; also made importer upderstand option
--tcp-option but skip it since it is not supported in fwbuilder.
2008-02-06 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1849392: "RCS using
windows 2003 without administrator rights". Pass TMP and TEMP
environment variables to RCS tools
* pix_os.xml.in: more for the bug #1816798: "Installing policy on
PIX 501 fails". The fix that was made for v2.1.16 did not cover
test-mode install, which is now fixed too. Command "terminal pager
" is valid only for PIX 7.x and caused error while installing
policy on PIX 6.3. Removed this command from the install sequence,
it was not essential.
2007-12-29 <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::stateMachine): using signal proper for qt4
(bytesWritten(quint64) instead of wroteToStdin)
2007-12-19 vadim <vadim@vk.crocodile.org>
* v2.1.16 release
2007-12-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printRunTimeWrappers):
fixed bug #1851166: "Installscript does not test for destination
ip address". The problem affected specific case of a firewall with
two (or more) interfaces that get their address dynamically and a
policy rule that has one such interface in source and another in
destination. Generated iptables script retrieves actual addresses
of both interfaces and assigns them to variables, then uses these
variables in actual iptables rules. Special check is provided in
case some interface did not obtain any ip address at a time of
execution of the script. Previously such test was only done for
one dynamic interface per rule. This change makes the script check
for both.
* ipt.cpp: bug #1850352: "Install script wrongly completes
successful". Storing exit status of iptables-restore so that
generated firewall script can return the same status after it
executes commands that set kernel parameters and runs user-defined
epilog code.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions):
applied patch #1850357: "Add support fo load balancing with pf to
PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net)
that adds support for load balancing rules in PF. Extended the
patch adding support for address/netmask format of the next hop.
Added checks for illegal IP addresses and netmasks in the next
hop. Test cases for the PF load balancing rules are in
test/pf/objects-for-regression-tests.fwb, firewall object
firewall40-1.
2007-12-13 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: working on bug #1850352: "Install script wrongly
completes successful". Added more checks to the installer
scriptlet to make it properly terminate with non-zero error code
if iptables-restore returned error. Previously "echo" in the end
of the generated masked error code returned by iptables-restore
and made the GUI report successfull install even when it
terminated with an error. Also added test for the presence of
pkill on the system so that the script does not try to run it if
it is not available.
* platforms.cpp (list): applied patch #1850368: 'PF 3.7 has
support for "set skip on"'. Patch by tomjudge@users.sourceforge.net
extends support for "set skip on" option to pf 3.7.
* platforms.cpp (isDefaultPolicyRuleOptions): fixed bug #1850346:
"GUI has 2 views on which actions should be stateless". Even
though GUI made rules with action Route stateful by default, code
that determined if combination of options of a given policy rules
was default thought these rules should be stateless.
* ipt.cpp: Applied patch 1835308: "Patch for adding "-q" option to
fwb_ipt". Option "-q" suppresses timestamp that is normally
included in the generated script. This way, if no objects or rules
changed in the firewall builder, generated script will be exactly
the same. Timestamps made generated script different even if
nothing really changed in the objects, which made external version
control systems detect changes when there were none.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
fixed bug 1848204: "ULOG-Setting ignored for invalid packets",
applied patch #1848609 provided by reporter. Code that matched and
logged packets in state INVALID always used target LOG, which was
a problem for iptables installations that only come with target
ULOG.
* tcpservicedialog_q.ui: patch #1849500: "tooltip patch for
tcpservicedialog_q.ui". Additional tooltips in the TCP Service
dialog to explain function of tcp flags masks and settings.
2007-12-12 vadim <vadim@vk.crocodile.org>
* ipt.cpp: fixed bug #1849328: "iptables restore unusable in
2.1.15". This bug was introduced by the change for the bug
1812295. If option "use iptables-restore to activate policy" is
on, we always generate script that prints iptables commands using
echo and sends them to the input of iptables-restore via pipe.
* VERSION (FWB_MICRO_VERSION): begin v2.1.16
2007-12-08 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1821576: "Rule option tracking gives inavlid config with
default value". Compiler should skip max-src-nodes when it is set
to default '0' in the GUI.
* Added Brazilian Portuguese translation by Jose Carlos Medeiros
<jose@psabs.com.br>
2007-11-25 vadim <vadim@vk.crocodile.org>
* Starting with build 320 Windows packages install on Vista
2007-11-15 vadim <vadim@vk.crocodile.org>
* FWObjectDropArea.cpp (FWObjectDropArea::paintEvent): more fixes
for bug #1826558: need to fill background rectangle in "object
drop" widget for search.
* RuleSetView.cpp (RuleSetView::paintCell): more fixes for bug
#1826558: need to fill background rectangle in action, options and
comment columns.
2007-11-14 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1826558:
"OSX 10.5 font problem". This problem appeared only in Mac OS X
Leoprard (10.5) build, other platforms were unaffected.
2007-11-02 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installSelected): previous fix for
the bug #1811781: "Batch Install" was insufficient. Needed to
clear altAddress input field in the install options dialog in case
of the batch install.
2007-10-28 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::createPrintRuleProcessor):
fixed bug #1812295: "Can't use runtime address tables AND
iptabels-restore". Script generated by fwb_ipt used "here
document" if the option "use iptables-restore to activate policy"
was turned on. This did not work in case policy used any tun-time
address table objects. Now generated script always uses "echo" to
generate iptables commands that it sends to th standard input of
iptables-restore.
* instDialog.cpp (instDialog::doInstallPage): fixed bug #1811781:
"Batch Install". Built-in installer used address of the first
firewall of the batch to communicate with all firewalls in the
"batch install" mode.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
fixed bug #1800875 "'keep state' missing from pass out going
traffic rule". Compilers for pf, ipf and ipfw were affected.
* pix_os.xml.in: fixed bug #1816798: "Installing policy on PIX 501
fails". Command "terminal pager " is valid only for PIX 7.x and
caused error while installing policy on PIX 6.3. Removed this
command from the install sequence, it was not essential.
2007-10-06 vadim <vadim@vk.crocodile.org>
* ipfAdvancedDialog.cpp (ipfAdvancedDialog::ipfAdvancedDialog):
applied patch by <Cy.Schubert@komquats.com> to add support for
Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules.
* VERSION (FWB_MICRO_VERSION): begin v2.1.15
2007-09-10 vadim <vadim@vk.crocodile.org>
* 2.1.14 release
2007-09-08 vadim <vadim@vk.crocodile.org>
* configure.in: patch by Carlos Silva <r3pek@r3pek.org> to add
third parameter to AC_DEFINE_UNQUOTED
2007-08-25 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixed
bug #1764971: "allowed value range for burst limit". Iptables
"--limit-burst" option should not be limited in the GUI.
* instDialog.cpp (instDialog::continueRun): fixed bug #1772722:
"installer should recognize when it uses plink 0.60". We detect
when installer uses plink on Windows by checking the name of the
configured ssh client. The check should be case-insensitive.
2007-08-06 vadim <vadim@vk.crocodile.org>
* configure.in: applied patch by Carlos Silva <r3pek@r3pek.org> to
make configure.in use ANTLR C++ run-time installed on the system
if it can find one; otherwise it uses copy in src/antlr
2007-08-05 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: fixed bug (no num): importer for iptables
should properly assign rule options when it finds "-m limit" and
"--limit" options in the input file.
* IPTImporter.cpp: added a workaround for a situation when several
iptables commands pass control to the same user-define chaine in
the iptables-save file. As of fwbuilder v2.1, branch ruleset is a
child object of PolicyRule. This means two different rules can not
point at the same branch ruleset. This is unfortunate but it is
hard to fix in the current version because it requires changes XML
DTD and API. Will do this in 3.0. Meanwhile, checking if branch
ruleset with requested name already exists and change the name by
adding suffix '1', '2' etc to make it different. Imported rule is
marked as 'bad' (red background) and gets a comment explaining this.
* iptables.g (tcp_flags_list): fixed bug #1764988: "iptables
import -> GUI crash": syntax for TCP flag matching in
iptables-save should allow for more than 2 flags in 'comp' part
* iptables.g (target_options): added missing supprot for
"--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options"
options for target LOG to iptables policy importer
* iptables.g (protocol_word): fixed bug (no num): iptables policy
importer should properly parse numeric protocol
specification (e.g. "-p 47").
* Importer.cpp (Importer::getTCPService): fixed bug #1764988:
"iptables import -> GUI crash": iptables policy importer
recognizes and parses TCP flag parameters ALL and NONE
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
#1764988: "iptables import -> GUI crash": iptables policy importer
recognizes and parses target RETURN
2007-08-01 Vadim <vadim@debian-unstable.vk.crocodile.org>
* FirewallDialog.cpp: fixed bug reported in Debian Bug report
#417685 - added missing #include <algorithm> to make code
compile with gcc 4.3
* fixed bug #1761373: "libfwbuilder doesn't build on Mandriva
cooker". Applied fixes to make the code compile with gcc 4.2
* VERSION: started 2.1.14
2007-07-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfaceAndDirection::processNext):
compiler permits setting direction in the rule while interface
field is "All". This generates iptables command in chain INPUT or
OUTPUT with "-i +" or "-o +" interface specification to match all
interfaces.
2007-07-14 vadim <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultPolicyRuleOptions): platform "iosacl"
does not have any rule options at this time; making sure we never
show an icon indicating non-default options.
* templates.xml: added simple template for Cisco router 36xx
* pf.cpp (main): Added support for "set skip on <ifspec>" command
for PF. If an interface is marked as "unprotected" in the GUI,
compiler generates this command for it. This is useful for loopback
or other virtual interfaces.
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): better
compliance with PF 4.x. Feature Req. #1679793: "add 'no state' and
'flags any'". If version is set to 4.x, compiler skips "flags S/SA
keep state" for rules mathcing tcp services. However, according to
the section "1.2. Operational changes" in PF FAQ at
http://www.openbsd.org/faq/upgrade41.html , there should be a way
to add "keep state" explicitly for rules on interface enc0. Added
this option to the rule options dialog.
* pf.cpp (main): implemented support for PF limit options
"src-nodes", "tables" and "table-entries". Feature Req. #1674919:
"Support "set limit table-entries""
2007-07-12 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp: More key caching request and other messages for
wider variety of ssh clients.
* SSHPIX.cpp (SSHPIX::stateMachine): fixed bug #1753188: "policy
activation fails on PIX and IOS". Installer failed if account used
to authenticate to the router or PIX went straight to 'enable'
mode after login.
2007-07-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printLogging): fixed
bug #1747828: "anchors generation - "log" not supported". "Log"
keyword is not allowed in "anchor" rules; compiler should not
generate it even if user turned logging on in a rule with action
'Branch'
* PolicyCompiler_ipt.cpp (checkForRestoreMarkInOutput::processNext):
fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to
the firewall settings dialog for iptables that controls whether
compiler should skip generation of the code to set default policy
of all ipv6 chains to DROP. This option is off by default, that is
compiler puts the code in. This helps maintain backwards
compatibility with old data files that do not have this option,
which is equivalent to this option being "off".
2007-07-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::unlockObject): fixed
bug #1743117: "crash while editing any". Added check, user should
not be able to unlock Standard objects library
* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766:
"lock not saved". This method now copies the value of "ro"
attribute (read-only). Clear it in the caller if
neccessary. Method duplicate() clears it after calling
shallowDuplicate in order to be able to modify the object, then
restores this attribute to its original value.
2007-06-23 vadim <vadim@vk.crocodile.org>
* v2.1.12 release
* iptables.g (target_options): parser for iptables is aware of
"--set-tos" target option. Even though fwbuilder does not support
target TOS, importer should be able to import policy that uses it
without crashing.
2007-06-20 vadim <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (printFirewall): fixed bug #1739373: "FWB2111,
register Routing not printed". Tab "Routing" was not included in
the printed copy of firewall policies.
* NATCompiler_pf.h: fixed bug #1740545: "AddressTable in NAT
section". Policy compiler for PF crashed if AddressTable object
was used in TDst element of a NAT rule.
2007-06-17 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): fixed bug (no number)
where installer failed to properly copy .fwb file over to the
firewall if file name contained whitespace
2007-06-16 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::prepareInstallerOptions): discovered
and fixed bug in the installer: if management interface of the
firewall is dynamic (i.e. had no IP address) and address of the
firewall was given in the "Installer" tab of the firewall object
dialog, installer failed to copy it to the instOptionsDialog and
filled corresponding entry field with 0.0.0.0
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printShellFunctions): fixed bug 1737733:
"install script doesn't detect BROADCAST if eth is NO-CARRIER".
If firewall script runs before network interface comes up (i.e. is
still in NO-CARRIER state), script failed to add virtual addresses
for NAT.
2007-06-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (registerOption): after changes made in the
compiler to simplify algorithm used to decide which chain a rule
with action Tag should go to, rule action option "Mark connections
in PREROUTING chain" ( "ipt_mark_prerouting" ) has been
deprecated.
2007-06-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::reopenFirewall): Added platform
capability element "supports_nat" - if True, platform supports NAT
rules so the main window should show tab "NAT" in the policy
view. If this parameter is False, the tab disappears.
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): added main
menu item "File -> Import Policy" that activates Discovery Druid
and opens it on the page where user can choose configuration file
for import.
2007-06-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to
permit any-to-any on loopback interface for ipv6 in addition to
rules that set default policy to DROP for all chains in ipv6
2007-06-06 vadim <vadim@vk.crocodile.org>
* antlr.pro: Added ANTLR C++ runtime to the project under src/antlr
2007-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (setChainPreroutingForTag::processNext):
streamlined algorithm that assigns chain to a rule with action
Tag. The goal is to always use chain PREROUTING for rules with
direction Inbound or Both and a combination of OUTPUT and
POSTROUTING for rules with direction Outbound and Both.
2007-06-02 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importPlatformChanged):
finalized rule importer GUI.
2007-06-01 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushNATRule): NAT import now works
2007-05-30 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug #1727715: "Policy Installer failed but
indicates succes". Activation script for PF exits with non-zero
return code if script activation fails.
* IPTImporter.cpp (IPTImporter::addSrv): import of target MARK and
TagService for iptables
* IPTImporter.cpp (IPTImporter::pushRule): support for module
"limit" in importer for iptables
2007-05-29 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): meaningful import of
iptables-restore files with all actions for filter table. Action
"Continue" helps import iptables commands with targets LOG and
ULOG.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Added
support for action "Continue" (an empty action) in the GUI and
compiler for iptables. This action creates a rule that does
nothing, however it generates iptables command with target "-j
LOG" if logging is turned on. This can be useful if one wants only
to log packets that match certain pattern but not make any policy
decision in the same rule.
2007-05-28 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): basic iptables-restore
import works (only policy rules, only minimal set of modules)
2007-05-27 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: initial work on iptables importer
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::generateCodeForProtocolHandlers): Fixed
bug in the shell code that finds netfilter modules (missing
closing '"'). This bug broke generated iptables script. Bug was
introduced in 2.1.12 some time before build 270
2007-05-25 vadim <vadim@vk.crocodile.org>
* iosacl.g (vlan): ignore "vlan" commands while importing IOS
config
* IOSImporter.cpp (IOSImporter::finalize): IOS accesslists
importer properly handles situation when the same list is applied
to multiple interfaces with different directions.
2007-05-22 vadim <vadim@vk.crocodile.org>
* run-tests.sh: simple framework for automated unit tests
* importer_test.cpp: unit test for Cisco IOS access lists
importer
* IOSImporter.cpp (IOSImporter::finalize): IOS access lists
importer works with a large complex test file. Test can be
imported and then compiled with no manual changes.
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
allow for object group in "Interface" rule element
2007-05-21 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
finished configuration importer GUI
2007-05-16 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp: fixed bug #1718791: "Bug with
more than one router". This bug affected routing rules.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::generateCodeForProtocolHandlers):
fixed bug #1720022: "Fail to load modules .ko.gz".
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
rules'. Compiler should not generate iptables commands in
POSTROUTING chain with "-i interface" clause.
2007-05-15 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importConfig): basic GUI
support for the configuration importer
* IOSImporter.h (class IOSImporter): derived class - importer for
Cisco IOS ACLs
* Importer.h: generalized policy importer framework. Requires
grammar for each platform.
* iosacl.g: ANTLR grammar for IOS ACLs. Only "access-list ", "ip
access-list extended" and certain "interface" commands cam be
parsed
2007-05-11 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::readFromStdout): note about
built-in installer on windows. Installer seems to have broke with
upgrade of QT to 3.3.8. Specifically, in
SSHSession::readFromStdout(), proc->readStdout() returns a byte
array that contains actual output from the device, with some
garbage appeneded to it. The garbage is included in the size()
count of QByteArray returned by readStdout so it gets included
into the QString which we append to stdoutBuffer. This happens
only on win32; reverting to QT 3.3.7 fixes the problem.
2007-05-10 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): implemented support for
scheduled reload for PIX firewalls (for roll-back).
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
PIX and Cisco routers (IOS) : built-in installer can schedule
reboot of the firewall before activating new policy, then cancel
it if the policy has been activated successfully.
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
fixed long-standing problem with size of the built-in installer
options dialog. The dialog was too big and did not properly resize
itself when some options were hidden.
* SSHIOS.cpp (SSHIOS::stateMachine): installer for Cisco routers
2007-05-09 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): added
support for the new attribute "unprotected" for the Interface
object in the GUI. Compilers skip this interface while assigning
ACLs or policy rules to interfaces. This is supported only in the
compiler for Cisco IOS ACLs at this time.
2007-05-08 vadim <vadim@vk.crocodile.org>
* iosAdvancedDialog.cpp (iosAdvancedDialog::iosAdvancedDialog):
Added dialogs and resource files for Cisco IOS ACLs
2007-05-07 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::changeAction): setting option
"stateless" appropriately when new rule is created.
* objects_init.xml: added object "All TCP established" - a tcp
object with open port range and flag "established"
* PolicyCompiler_ipf.cpp (PolicyCompiler_ipf::compile): using rule
processor CheckForTCPEstablished in compilers for iptables, ipf
and pf to check for TCP service objects with flag
"established". This is considered an error because these platforms
do not provide support for "established".
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): using
new TCPService object flag "established" in compiler for ipfw.
* PolicyCompiler_ipf.cpp (doSrcNegation::processNext) and
PolicyCompiler_ipfw.cpp: rules created for negation with action
'Continue' should be stateless.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug (no
number): compiler used to not set unique internal id for rules in
branches, which lead to chain names like 'C.0' in generated
script.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug (no number): when a rule number is inserted into a log record
in place of macro %N, it should be formatted as "N/M" for rules in
a branch.
* PolicyCompiler_ipt.cpp (decideOnChainForClassify::processNext):
fixed bug (no number): setting chain for Classify action only if
it has not been set before. Setting chain to POSTROUTING always
broke things if a rule with action 'Classify' was used in a
branch (so the chain has been set to that of the branch)
* RuleSetView.cpp (RuleSetView::changeAction): working on bugs
#1676635: "no way to match on state if the action is drop" and
#1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
stanza". Rule option 'stateless' is automatically set when user
changes rule action so it becomes anything except 'Accept', 'Tag'
or 'Route'. This option is also automatically cleared when action
is switched to any of these three actions. The user can override
these default settings by checking or unchecking the option in the
rule options dialog.
* PolicyCompiler_PrintRule.cpp: working on bugs #1676635: "no way
to match on state if the action is drop" and #1671910: "2.1.8 In
'Branch' acton compiler doesn't insert NEW stanza". Rely only on
rule option 'stateless' to decide whether the rule should have
"-m state --state NEW".
2007-05-06 vadim <vadim@vk.crocodile.org>
* v2.1.12 started
2007-04-28 vadim <vadim@vk.crocodile.org>
* v2.1.11 release
2007-04-24 vadim <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #1702830: "fwbuilder does
not detect errors during policy install". Built-in installer
detects error messages printed by iptables and iptables-restore
and aborts installation process. Summary page shown in the end
reflects this as failed install.
* instOptionsDialog.cpp (instOptionsDialog::updateRollback): fixed
bug #1701971: "Enabeling test mode doent activate the reboot
interval". Checking "Test mode" checkbox in the installer options
dialog should enable widgets that configure automatic reboot
timeout.
2007-04-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): bug
#1699483: "hashlimit-htable-expire not set". Compiler
automatically generates name for the --hashlimit-name option if it
is not set in the GUI.
* PolicyCompiler_ipt.cpp (TagIfSrcFw::processNext): fixed bug
#1703954: "Mark target in postrouting chain". Packets that
originate on the firewall should be marked in the OUTPUT
chain. According to the netfilter packet flow diagram at
http://www.shorewall.net/NetfilterOverview.html , rerouting
happens after OUTPUT hook but before POSTROUTING hook.
* FWBTree.cpp (FWBTree::isSystem): fixed bug #1703595: "build 230
crashes when seaching for a deleted object"
2007-04-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixed
bug 1699483: "hashlimit-htable-expire not set". Added GUI controls
and compiler support for hashlimit module options
"--hashlimit-name", "--hashlimit-htable-size",
"--hashlimit-htable-max", "--hashlimit-htable-expire" and
"--hashlimit-htable-gcinterval"
* OSConfigurator_linux24.cpp (linux24::generateCodeForProtocolHandlers):
fixed bug #1697832: "fc5 kernel 2.6.20 moved *conntrack* modules".
Starting with kernel 2.6.20, netfilter installs *conntrack*
modules in "/lib/modules/`uname -r`/kernel/net/netfilter/" rather
than "/lib/modules/`uname
-r`/kernel/net/ipv4/netfilter/". Modified shell code that finds
and loads all "*conntrack*" and "*nat*" modules, it should now
work with both old and new kernels.
I do not know if this directory change was introduced only by
Fedora or it is general for the netfilter.
* TCPServiceDialog.cpp (TCPServiceDialog::validate): fixed bug
#1695481: "compliation error with lower end port". Before, user
could enter start port range number greater than the end port
range number. Neither the GUI nor compiler noticed this, which
resulted in the incorrect firewall configuration. This fix adds
check in the GUI to not let the user enter port ranges like that.
2007-04-03 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1676845: "lsrr option not compiling"
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment""
* utils.cpp (getUserName): fixed bug #1684334: "RCS should use
$LOGNAME when commit"
* ActionsDialog.cpp (ActionsDialog::loadFWObject): fixed bug
#1692411: "can't set accouting rule name (fwbuilder 2.1.11)"
2007-03-24 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1685741:
"GUI crash: click on an empty part of obj tree, then desktop"
2007-03-21 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::focusOutEvent): working on
the bug #1685741: "GUI crash: click on an empty part of obj tree,
then desktop"
2007-03-18 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): minor
redesign of the interface object dialog to make network zone more
prominent and easier to set when network and group objects have
long names.
2007-03-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1674940: "if max-src-conn == 0: syntax error". Options
max-src-conn and max-src-states can not have value '0'
* TimeDialog.cpp (TimeDialog::loadFWObject): redesigned TimeService
object dialog
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug #1672191: "Time limit generates unexpected iptables
command"
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
Added support for --datestart and --datestop options for module
'time' in compiler for iptables
* started v2.1.11
2007-02-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::findWhereUsedSlot): added an item
"Where used" to the context menu associated with objects in rules
* FWWindow.cpp (FWWindow::setPolicyBranchTabName): a workaround
for the bug 1629461: "Policy tabs do not scroll @ window extent on
OSX". The tab widget used to show policy, nat, routing and policy
branch rulesets does not switch to a "folded" mode on Mac OS X
when it needs to show more tabs that fit in the window. Since I
can't figure out a way to force it to do that, I am dropping
"Policy/" from the tab titles for branches to make them
shorter. This will help users with policies with many branches,
however it does not solve the problem because as they keep adding
branches, at some point they won't fit in the window again.
2007-02-15 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileCompare): fixed bug #1659832: "No
compile with QT without STL support"
* instDialog.cpp (instDialog::initiateCopy): fixed bug #1661140:
"built-in installer broken in 2.1.9 for PF". Installer incorrectly
set name for files it copied to the firewall if compiler generated
more than one file. Normally two files are generated for PF and
ipfilter.
* v2.1.10 started
2007-02-10 vadim <vadim@vk.crocodile.org>
* v2.1.9 release
* main.cpp (tty_raw): bug #1650369: "[patch] please add support
for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.
2007-02-03 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (list): fixed bug #1620284: "conflict when
adding library to Preferences/Libraries". When the user tried to
add a library to the list in Preferemces/Libraries when a data
file with the same object library was loaded, the GUI detected the
conflict and showed error dialog.
* FWWindow.cpp (FWWindow::fileCompare): New feature: new operation
"Tools/Find Conflicting Objects in Two Data Files". This operation
inspects two data files (either .fwb or .fwl) and finds
conflicting objects. Conflicting objects have the same internal ID
but different attributes. Two data files can not be merged, or one
imported into another, if they contain such objects. This
operation also helps identify changes made to objects in two
copies of the same data file. This operation does not find objects
present in one file but not in the other, such objects present no
problem for merge or import operations. This operation works with
two external files, neither of which needs to be opened in the
program. Currently opened data file is not affected by this
operation and objects in the tree do not change. In the process of
this operation user is presented with series of dialogs showing
conflicting objects side by side. In the end the program can
generate report and write it to a text file.
2007-01-30 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): more for the bug
#1617501:"Install fails after compile". Making sure we always
strip directory path from the file name if user specified full
path for the policy file in the "Output file name" input field in
the "Compiler" tab of firewall object dialog. Need to strip path
when macro "%FWSCRIPT%" is substituted in installation scriptlets
and in some other places.
2007-01-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug (no num.): data files used for run-time AddressTable
objects can have empty lines, the script should skip them.
2007-01-14 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
more for bug #1618381: "CLASSIFY/MARK are non-terminating".
Emulation of the terminating behavior for Classify and Tag actions
is now controlled by a global option in the "Compiler" tab of the
firewall properties dialog. This means emulation can be turned on
and off for all rules that might require it at once. It is
impossible to mix such rules with terminating and non-termninating
behavior. The reason for this is that shadowing detection
algorithm can only work with either terminating or non-terminating
rules, not with the mix. Hopefully this is the last change made
for this bug.
* PolicyCompiler_ipt.cpp (ipt::getAddressTableVarName): fixed bug
#1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
"."". Compiler checks if the name of the run-time AddressTable
object contains characters that have special meaning in sheel and
relaces them with '_' when it generates the name of the temporary
shell variable.
* PolicyCompiler_ipt.cpp (splitNonTerminatingTargets): update for
bug #1618381: "CLASSIFY/MARK are non-terminating". Adding iptables
rule with target ACCEPT to make Tag and Classify rules
terminating. This is controlled by checkbox in the action dialog
for actions Classify and Tag. Default setting is off.
2007-01-09 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): fixed bug (no
num.): GUI used show fanthom 'Policy', 'NAT' and 'Routing' tabs
when user deleted objects from the Deleted Objects library,
provided some of these objects were previously deleted firewalls.
2007-01-07 vadim <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::dropped): fixed bug
#1624577: "group window doesn't stay open on multiple-adds". Using
special flag to tell ObjectTreeView that it should ignore
MouseReleaseEvent it gets after d&d operation, so it wont switch
object in the editor panel. Note the bug triggered only on Mac OS
X.
* FWWindow.cpp (FWWindow::FWWindow): "Apply" and "Close" buttons
in the objct editor panel should be of fixed size horizontally
2007-01-06 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::testFirewall): fixed bug
#1617501:"Install fails after compile". The GUI got confused when
user enter full path to the policy file in the "Output file name"
input field in the "Compiler" tab of firewall object dialog.
* SimpleTextEditor.cpp (SimpleTextEditor::loadFromFile): fixed bug
1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug #1628989: "run-time-loaded rules don't accept ";" as
line comment"
* RuleOptionsDialog.cpp (RuleOptionsDialog::changed): fixed bug
#1620206: "RuleOptions' "Apply" button greyed-out until menu
selection"
* SimpleTextEditor.cpp (SimpleTextEditor::SimpleTextEditor): fixed
bug #1619842: "prolog "script editor" opens behind other windows"
* RuleSetView.cpp (RuleSetView::removeRule): fixed bug #1629521:
"can't delete empty chain/policy tab"
* instOptionsDialog.cpp (instOptionsDialog::hidePIXOptions):
installOptionsDialog was too large and did not fit on some laptop
screens. Doing tricks to make sure the dialog properly resized
after unused GUI elements are hidden.
2007-01-04 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext):
(API change)
fixed bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating
rules shadow each other "backwards", that is more general rule
shadows other rules _above_ it. Added flag 'reverse' to the method
find_more_general_rule and added new rule processor
DetectShadowingForNonTerminatingRules that finds such cases of
'reverse' shadowing. Using it for rules in the mangle table for iptables.
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): working on
bug #1618381
* For action Branch with option to add branching rule to the
mangle table: we now generate rules in PREROUTING, POSTROUTING,
INPUT, OUTPUT and FORWARD chains. This is because some targets
can only work in PREROUTING or POSTROUTING chains but we do not
know what rules will user put in the branch. So we need to branch
in all chains
* For rules in mangle table with direction set to Inbound or
Outbound force chain to PREROUTING or POSTROUTING respectively
early. This eliminates duplicates such as the same rule in
PREROUTING and INPUT chains. Also since most (all?) targets that
require mangle table go into either PREROUTING or POSTROUTING
chains, it should be enough to use these two chains.
2007-01-01 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::setRule),
PolicyCompiler_ipt.cpp (splitNonTerminatingTargets::processNext):
working on bug #1618381: "CLASSIFY/MARK are
non-terminating". Converting non-terminating targets MARK and
CLASSIFY into equivalent of terminating targets using intermediate
chain and "-g" option to pass control to it. Added a checkbox to
the rule options dialog for action Classify for this, by default
this feature is off.
2006-12-27 vadim <vadim@vk.crocodile.org>
* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug
#1620925: "compile-time AddressTable object with empty file".
Compile-time AddressTable object that uses file with no addresses
should be treated as an empty group according to the "Ignore empty
groups" option. Changes are made as follows:
- Compiler::expandGroupsInRuleElement does not call
s->setAnyElement(); to set rule element to 'any' before adding
addresses from the group. This means that if group is empty, rule
element remains empty (not even 'any', just with no children,
i.e. with size()==0). Note that AddressTable::loadFromSource()
leaves AddressTable object empty if the file does not have any
addresses.
- Compiler::emptyGroupsInRE specifically checks for run-time
MultiAddress objects and skips them so they wont be treated as
empty groups (since they are indeed empty). Compile-time
MultiAddress objects are treated as groups and algorithm that
depends on option 'ignore empty groups' is executed for both empty
regular groups and empty compile-time MultiAddress objects.
* PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement):
fixed bug #1623113: 'connlimit fails in compiled "address table" rules'
Module connlimit can only be used in iptables rules matching TCP services.
Such iptables commands have "-p tcp" and/or "-m tcp" options. If
a rule in fwbuilder uses TCP Service and connlimit option and has
multiple objects in src and dst, optimizer used to split it to minimize
matches. It however preserved connlimit option in all subrules,
even though some of them did not have TCP service after the split. This
lead to generation of incorrect iptables commands.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1623338: "Can not disable rules in a branch". Compiler for
iptables ignored flag 'disabled' on rules in a branch.
2006-12-26 vadim <vadim@vk.crocodile.org>
* VERSION (FWB_MICRO_VERSION): set version to 2.1.9
2006-12-03 vadim <vadim@vk.crocodile.org>
* v2.1.8 released
2006-11-30 vadim <vadim@vk.crocodile.org>
* FirewallDialog.cpp (FirewallDialog::applyChanges): fixed bug
#1589743: "compiler setting should be erased when fw platform
changes". If user configured firewall object to use thrid-party
compiler, this setting should be erased when firewall platform of
this object changes. 1) compilers are always platform-specific and
old compiler most likely won't work with different platform; 2)
'advanced' firewall settings dialog may not have an entry field
for the compiler (e.g. dialog for PIX does not have it)
2006-11-26 vadim <vadim@vk.crocodile.org>
* gui.pro (TARGET): All binaries are renamed to drop suffix
'21'. Opinion poll amongs the mailing list sbscribers showed
majority of users does not care for the ability to install and run
both old and new versions of fwbuilder on the same machine. This
feature creates substantial problems because of the symlinks to
libfwbuilder libraries that have the same name regardless of the
library version ('libfwbuilder.so' and 'libfwcompiler.so'). These
symlinks are required on Linux and *BSD and can not be avoided
easily. The only simple alternative was to rename libraries to
libfwbuilder21 and libfwcompiler21. I was impartial and thought of
doing this but FreeBSD port maintainer did not like this
solution. Given that most users said in the poll they do not want
this feature anyway, I am reverting binary and man page names back
to the old standard scheme without suffix '21'.
2006-11-16 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::matchAttr): added back
search by regexp - object name or port, protocol or ICMP type
numbers can be defined as regular expressions.
2006-11-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printDirectionAndInterface):
fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV:
no physdev opti..." Some times rules were generated with "-m
physdev" but witout "--physdev-in" or "--physdev-out" options.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1592130: "Policy Chaining Issues". Policy compiler should expand
rule subsets recursively
* FWWindow.cpp (FWWindow::addPolicyBranchTab): working on bug
#1592130: "Policy Chaining Issues". The GUI should properly
display nested branch rulesets.
* set version to 2.1.8
2006-10-30 vadim <vadim@vk.crocodile.org>
* v2.1.7 released
2006-10-28 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixes for QT w/o STL support
2006-10-24 vadim <vadim@vk.crocodile.org>
* manually removed <includehint> from findobjectwidget_q.ui and
findwhereusedwidget_q.ui
* build 155
2006-10-23 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getRouteOptions_pf_ipf): fixed bug (no num): the
program used to incorrectly save "route option" parameter that is
used for pf anf ipf firewalls when user edited action "Routing"
for iptables firewall. This would corrupt saved XML file if the
program was used under non-English locale.
2006-10-22 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): eliminated
useless creation of interim QPixmap objects. It appears this was
responsible for creation of tons of extra pixmaps that triggered
bug 1582130 on windows.
Bug ##1582130: "GUI crashes on windows when very large data file
is opened" is now fixed.
2006-10-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::addTreePage): working
on bug #1582130: "GUI crashes on windows when very large data file
is opened". Using QPixmapCache everywhere.
* PixmapFactory.cpp (PixmapFactory::getPixmap): bug #1582130 "GUI
crashes on windows when very large data file is opened". Ran into
a known limitation on number of simultaneously created pixmaps on
Windows. If the data file contains over 3000 obects or so, the GUI
crashes on Windows. This is caused by the fact that GDI has global
limit on the number of pixmaps. See here:
http://lists.trolltech.com/qt-interest/2005-01/thread00679-0.html
Using QPixmapCache class to cache and reuse pixmaps, using it via
simple wrapper PixmapFactory that automatically creates pixmaps
not found in the cache.
2006-10-20 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (listOfLibraries::listOfLibraries): fixes
for QT w/o STL support on win32
2006-10-19 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): properly using
remapping tables while loading strings into QComboBox when program
runs under international locale. Strings for qomboboxes are
defined in platforms.cpp and need to be translated accordingly.
2006-10-16 vadim <vadim@vk.crocodile.org>
* RCSFileDialog.cpp (RCSFileDialog::getSelectedRev): fixed bug
#1578502: "crashing opening file". The GUI crashed if the user
switched "open file" dialog to detailed list mode and then tried
to open a file.
2006-10-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): All
compilers print error mesage when they encounter unknow action in
a rule
* Preprocessor.cpp (Preprocessor::convertObject): fixed bug
#1575355: "Compiler tries to resove deleted AddressTable
objects". Using findWhereUsed to find if MultiAddress object is
used in firewall being compiled so we don't try to resolve objects
that are not used anywhere.
* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup):
code refactoring: moved methods findObjectsInGroup and
findWhereUsed from the GUI to API.
2006-10-08 vadim <vadim@vk.crocodile.org>
* v2.1.6 build 134: major improvements in support for outbound
ACLs in PIX 7.0 in compiler for PIX. Added file
'v21_migration_notes.txt' to fwbuilder-pix package
2006-10-07 vadim <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printDstService): fixed
bug#1572735: "Wrong syntax with TagService in NAT table". Added
mssing "-m mark"
2006-10-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (SpecialRuleActionsForShadowing::processNext):
rule with action 'Pipe' or 'Custom' should not shadow other rules
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext):
compiler for ipfw generates rule with action check-state depending
on the setting of he option "Add rule to accept packets matching
dynamic rules created for known sessions". This option is
controlled by a checkbox in the firewall settings dialog.
* TableFactory.cpp (TableFactory::PrintTables): if AddressTable
object is configured to resolve at run time but file name is left
blank, compiler for PF generates PF configuration as follows:
"table <tblname> persist". That is, it omits 'file "filename"'
clause all together. This is useful if table is updated
automatically using "max-src-conn, overload <table>" option and
does not need to be pre-populated with addresses from a file.
2006-10-05 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog::pixAdvancedDialog):
added option "Generate outbound ACLs" for PIX 7.0
2006-10-02 vadim <vadim@vk.crocodile.org>
* Checking in updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2006-09-29 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (ipt::compile): fixed bug #1567873:
"CLASSIFY/Logging". eed to run rule processor
decideOnChainForClassify before rule is split for negation or
logging to properly pick up chain for action Classify. Previously
rules with this action and either negation or logging would match
packets in chains INPUT/OUTPUT/FORWARD but use chain POSTROUTING
when applying action.
2006-09-28 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): 'Prolog' section of the generated script can now
be added in different places:
- to the activation shell script, as before
- at the very top of generated .conf file
- after 'set' commands in the generated .conf file
- after 'scrub' commands in the generated .conf file
- after table definitions in the generated .conf file but
before all policy commands
2006-09-26 vadim <vadim@vk.crocodile.org>
* checking in updated Russian localization by <sov@rbsec.ru>
2006-09-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::deleteObj): fixed bug
#1562965: "no confirmation when deleting an object". In a scenario
when user starts with an emty object tree, then adds a firewall
with an interfaces, then tries to delete the interface, the GUI
would just delete it without presenting the user with "Are you
sure ?" confirmation dialog.
2006-09-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (convertAnyToNotFWForShadowing::processNext):
fixed bug #1562348: "a case of undetected rule shadowing".
Compiler did not detect shadowing in the pair of rules where first
rule was 'any any service' (flag 'firewall is part of any' is ON)
and the second was 'fw any service' when global flag 'firewall is
part of any' is OFF
* confirmdeleteobjectdialog_q.ui: fixed bug #1561165: "Delete
dialog box sizing incorrect"
* FWObject.cpp (FWObject::shallowDuplicate): API change: fixed bug
1562290: "GUI crashes in discovery
druid". FWObject::shallowDuplicate should add to database index
only if dbroot is defined. If dbroot==NULL, trying to copy it from
parameter x of shallowDuplicate (the object we are duplicating),
but need to check if dbroot is != NULL after that as well, because
object we are dulicating may not belong to any object tree. This
is the case with interface objects created in
SNMPQuery::fetchInterfaces
2006-09-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added
support for max-src-conn and max-src-conn-rate options n compiler
for PF.
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added GUI
elements to support these PF options.
2006-09-16 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): fixed a bug in the code that
deals with previously unseen ssh host key. Properly terminating
session if user hits 'No'; stopping heartbeat timer while waiting
for user input.
* FWWindow.cpp (FWWindow::install): compile/install wizard is now
a top level non-modal window, it can be used in parallel with the
main window so one can inspect and fix rules while still looking
at the output produced by the compiler, or work with objects and
rules while pushing policy update to the firewall.
2006-09-15 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installerError): fixed bug #1559697:
"built-in installer crashes on incorrect password"
2006-09-14 vadim <vadim@vk.crocodile.org>
* FWObjectClipboard.h: clipboard holds list of object IDs instead
of object copies. Clearing clipboard when an object is deleted
from the "Deleted objects" library in ObjectManipulator::delObj.
* FWWindow.cpp (FWWindow::load): calling FWObjectDatabase::reIndex
to fix object reference counters and rebuild the index after
object tree is loaded from .fwb file. Doing the same in all policy
compilers.
* NATCompiler_pf.cpp (splitForTSrc::processNext): fixed bug
#1556984" "Nat statements in PF are missing (source-natting)"
Compiler was too restrictive checking firewall's interfaces while
generating 'nat' rules. It generated such rule only when it was
able to find an interface with address/netmask combination that
defined subnet to which TSrc address belonged. 2.0.X used to be
more liberal and created nat rule even if such interface was not
found, in such case it generated nat rule bound to all interfaces
of the firewall.
2006-09-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::iptRouteContinueToggled):
fixed bug #1557827: "iptables, routing, iif and continue". GUI
enforces rules on options to iptables target ROUTE: 'continue' is
mutually exclusive with --iif and --tee, therefore checking option
'Continue packet inspection' disables options 'Change inbound
interface to' and 'Make a copy' (GUI elements are greyed out).
2006-09-10 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): using timer
event to make sure rule sets are redrawn no more than once when
needed.
2006-09-08 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): using
FWObjectDatabase::addToIndexRecursive to quickly reindex whole
database once datafile is loaded. This works very fast.
Fixes everywhere for the new format of FWObjectDatabase::create
2006-09-07 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): improvements in the GUI
ergonomics when working with very large data files:
- The main window opens before the file specified on the command
line is loaded
- Using status bar to print messages indicating progress of the
file loading process
- Enforcing objects indexing after the file is loaded, this
speeds things up later
* ObjectEditor.cpp (ObjectEditor::actionChanged): fixed bug
#1553394: "Options windows stays the same".
2006-09-05 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::killInstDialog): compile/install dialog
is now not modal, this means the user can look at the policy and
objects while compilation and/or installation is going on. This is
especially convenient as it allows one to inspect the rules after
failed compilation while still having compiler error on screen.
* VERSION: set version to 2.1.6
* configure.in: added check to make sure qmake found by configure
really is part of QT 3.x. This should help avoid build failures on
systems where both QT 3.x and 4.x are installed and where
/usr/bin/qmake is really QT 4.x qmake which we can not use.
2006-08-31 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (processMultiAddressObjectsInRE):
checking for (currently unsupported) run-time AddressTable objects
* All compilers: fixed bug #1544488: 'Error with DNS_name object
when "resolve during run time"'. Needed to swap run-time DNSName
and AddressTable objects with MultiAddressRunTime during rule
shadowing run
2006-08-29 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (readFromStdout): properly processing text coming
from the background process if it comes buffered in chunks that
include several lines of text and possibly incomplete last
line. Previously, text would come out werdly formatted in the log
window.
* instDialog.cpp (processExited): detectig situation when
background process (compiler) crashes or is killed
* RuleSetView.cpp (fixRulePosition): this method fixes rule
position if it is incorrect (this happens sometimes because of
errors in auto-upgrade transformations). fixRulePosition checks if
object the rule belongs to is read-only or belongs to a read-only
subtree in the database and temporarily breaks the lock in order
to be able to fix rule position. This method is recursive so it
supports cases when several objects between the rule and database
root are read-only.
2006-08-27 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (prepareInstallerOptions): Added checkbox 'save
copy of fwb file on the firewall' to the installer options
dialog. If this checkbox is on, installer copies .fwb file to the
firewall before it copies generated configuration and activates
it. This can be used as last resort backup but should be avoided
if firewall is managed from remote workstation and especially if
many firewalls are managed from dedicated management
workstation (because storing fwb file on each firewall means
security policy of all firewalls resides on all every one of them).
This option is off by default.
2006-08-26 vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (findForObject): redesign of the
dialog: now showing objects to be deleted and their parent objects
in the same list with selection disabled. This removes confusion
caused by the text in the dialog saying that 'seletect objects'
were bout to be deleted and ability to select objects in the
confirmation dialog.
2006-08-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#1543684: "fwb 2.1.5 IPFilter fallback rule issues". Fallback rule
should be 'pass out' if option 'Pass all outgoing' is used.
2006-08-19 vadim <vadim@vk.crocodile.org>
* MangleTableCompiler_ipt.cpp (processNext): (new feature): added
checkbox to the action 'Branch' for iptables "In addition to
'filter', create branching rule in 'mangle' table as well". When
this parameter is activated, compiler creates branching rules in
both filter and mangle tables; in mangle table it always uses
chains PREROUTING, INPUT, OUTPUT and FORWARD.
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1534423 "2.1.5,
mark action rules in branches". Added checkbox "Mark packets in
PREROUTING chain" to the action "Tag" for iptables. Compiler
places rule into PREROUTING chain when this parameter is
activated.
2006-08-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (compile): working on bug #1534423
"2.1.5, mark action rules in branches". Branch rules with action
Tag go into mangle table.
2006-08-17 vadim <vadim@vk.crocodile.org>
* gui.cw: this file is used by QT to save descriptions of custom
widgets
* ObjectManipulator.h: added bunch of missing virtual destructors
to various classes
2006-08-10 Vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (ConfirmDeleteObjectDialog):
completed implementation of feature request #1116454: "Where Used
Option". When the user tries to delete an object from the tree,
the GUI presents a list of groups and firewall rules where this
object is used.
2006-08-09 Vadim <vadim@vk.crocodile.org>
* instDialog.cpp (findFirewalls): main menu item 'Compile' and
corresponding toolbar button activate compilation/installation for
all firewalls in all libraries. This fixes bug #1531007: "no
firewall in comp/inst dialog if standard library selected"
* utils.h (findByObjectType): added parameter bool skip_system_libs.
This method will skip libraries DELETED_LIB and TEMPLATE_LIB if this
parameter is true (which is its default value).
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (validateAndClose): fixed bug (no num.):
"Apply" button in the editor panel would not activate when user
reopened an object after it was edited and then editor panel
closed.
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (apply): fixed bug #1531020: "gui behaviour on
object renaming". Changing name of the selected object in the
editor updated it in the tree but not in the rule set view.
* ActionsDialog.cpp (applyChanges): fixed bug #1531008: "gui
behaviour improvements". Gui used to reset rule selection after
user selected different object in the tree.
2006-08-05 Vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog): fixed bug #1525808:
"fwbuilder21: Windows are too large ". One of the pages of the
firewall creation druid was too large vertically, as the result
whole druid would not fit on screens 1024x768 with standard font
bigger than 18pt
* FindWhereUsedWidget.h (class FindWhereUsedWidget): Feature
request #1116454: "Where Used Option". Ilya implemented "Find
Where Used" function which quickly finds and shows rules of all
firewalls that utilize a given object.
2006-07-23 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (copyRule): still debugging problems caused by
QT w/o STL support. Also got rid of methods RuleSetView::isSrc,
isDst, isSrv etc, makes code cleaner cause these methods violated
data access boundaries in the class hierarchy.
2006-07-22 vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getPolicyRuleOptions): fixes in
bunch of places where code assumed QT is built with STL support
2006-07-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (processNext): checking if
objects in srv are of the type TCPService or UDPService; if they
are, treat srv as if it has one object even if there are several in
it. This eliminates uncessesary rule splitting that optimizer used
to do.
* PolicyCompiler_ipt.cpp (compile): moved
InterfacePolicyRulesWithOptimization further down the chain of
rule processors to let other processors properly decide on chain
for rules that are associated with multiple interfaces. Such rule
is now treated as if it has one interface, and most of the chain
and target decisions are made before the rule is split. When the
rule is split in InterfacePolicyRulesWithOptimization, each part
gets one interface from the original list.
* PolicyCompiler_ipt.cpp (SrcNegation): all rule processors that
work with negation reset "Interface" rule element in subrules they
create except for the very first.
* main.cpp (main): removed plays with styles on Mac, they proved
unnecessary
2006-07-18 vadim <vadim@vk.crocodile.org>
* unit_tests.cpp (main): unit test for RCS module, currently only
checks if rlog reading routing works right
* RCS.cpp (RCS): trying to fix mysterious bug that causes RCS
module to misinterpret RCS log in some cases and read modification
date/time instead of the name of the user who apparently opened
and locked the file. However in cases like that the file in fact
is checked in and unlocked. Instead of reading rlog output line by
line and using regex to parse each line separately, we now read
the output in chunks using '------' as a separator. Each chunk
corresponds to one revision and all regexps are written to work on
the whole chunk instead of one line.
2006-07-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When user selects an object in the
rule set, all references to the same object in other rules are
highlighted by drawing thin red frame around them. Similarly, when
an object is selected in the tree, all references to it in the
currently visible ruleset are similarly highlighted. This helps
enforce the notion that all instances of the object in rules are
really references to the same object, as well as helps locate
these references visually.
2006-07-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (exportLibraryTo): user choses libraries for export
using spearate modal dialog instead of built-in panel in the file
choosing dialog in the "File/Export Library" function
2006-07-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow): FindObjectWidget is not a custom widget
anymore - this is a workaround for QT bug #85440 :
http://www.trolltech.com/developer/task-tracker/index_html?id=85440&method=entry
2006-07-09 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): bugfix: the GUI
used to switch object in the editor if user tried to open a
different library and expand/collapse subtree in it. It should not
do this, expading/collapsing subtrees should not cause object
switch in the editor.
2006-06-30 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): highlighting whole table cell for
rule options/actions/directions/etc when corresponding rule
element is selected.
* Added title bar with icon and object type name to dialog panels
for all object types
2006-06-25 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (PrefsDialog): removed "Data format" tab from
the Preferences dialog. Option that turns off saving standard
objects in every users data file was on by default for a long
time, now it is time to remove the GUI control all together.
* FWBSettings.h: using macro SETTINGS_PATH_PREFIX to define path
prefix for settings. This makes it easier to change the prefix
when new version is introduced
2006-06-23 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (): using QDns to get host names for
discovered ip addresses instead of our own DNS methods
2006-06-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): fixed bug #1509411:
"FWB does not build correct PF RDR port ranges". RDR rules should
support port ranges in the RHS of "->"
* qmake.inc.in: Passing CXXFLAGS from environment to the build
process. Fedora engineers had to add a hack to their .spec file to
do this, this change makes their hack unnecessary
2006-06-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printRouteOptions): implemented
spport for action Route for PF
2006-06-15 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): fixed selection
of multiple objects in the tree and interaction with editor.
2006-06-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): implemented support for
action Route for iptables
2006-06-13 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (openObjectInTree): selecting object in a rule
automatically opens it in the tree (both when editor opened and
when it is closed)
2006-06-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (requestEditorOwnership): moved all the logic
controlling switching between objects whith editor open to this
method of FWWindow, this significantly simplifies other
classes. Now we can properly process situations when user opens an
object in a rule, edits it and then tries to open an object in the
tree for editing. This also works in other situations when object
with unsaved changes is opened in the editor and user tries to
switch to another one, possibly in a different panel or
widget. Still need to explore ways to maintain synchronized object
highlighting in the tree and in rules.
2006-06-06 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (maybeTip): directions are represented only by
icons with no text; added tooltip for directions
* ObjectEditor.cpp (validateAndSave): cleanup in ObjectEditor
class - reusing method validateAndSave in methods close,
validateAndClose
* FirewallDialog.cpp (loadFWObject): "snmp" tab of the firewall
object dialog has been deprecated
2006-06-04 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (revealObjectInTree): change in the GUI
behavior: - selection in the tree and ruleset are mutually
exclusive, that is selecting an object in ruleset turn selection
off in the tree and vice versa. Added menu item "Reveal in tree"
to the context menu that appears when user clicks right mouse
button on an object in ruleset.
* PolicyCompiler_ipt.cpp (processNext): Added support for CONNMARK
as an option for rules with action Tag. If a checkbox "Mark
connections created by packets that match this rule" in rule
options of a rule with action Tag is checked, compiler adds
iptables command to save mark set by the Tag action into connmark
module, and then adds another command at the beginning of the
policy to restore it.
2006-06-03 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (setRule): New rule action: "Route", to be
mapped to ROUTE target for iptables and 'route' option for pf and
ipf
2006-05-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When a group is opened in the
editor, an object can be highlighted there which is different from
the object highlighted in rules. Using alternatie color to
highlight object in rules when user switches keyboard focus to the
editor panel. This helps avoid confusion caused by identical look
of objects highlighted in rules and group view. Currently using
QColorGroup::midlight() to get color for when ruleset widget has
no focus. This is probably incorrect because color should change
when widget's colorGroup() changes from active to normal. Using
midlight color may lead to incorrect results if QT theme does not
define this color properly.
2006-05-25 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (edit): GUI opens objects in the editor
panel on single mouse click on an object in the tree if editor
panel is opened. If it is closed, click just changes selection in
the tree. Drag and drop works because object is opened in the
editor on mouse release. Similarly, if user navigates in the tree
using keyboard, object is opened in the editor on keyReleased
event. Multiple selection works both by mouse and by keyboard.
2006-05-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (swapAddressTableObjectsInRE):
AddressTable objects are converted to PF tables with the name of
the object in both run-time and compile-time mode. This is so only
for PF because other compilers simply expand compile-time
AddressTable objects as a group of addresses (and lose its name in
the process). Administrator can use compile-time AddressTable
object to create tables with names known beforehand. In the future
these tables can be used with 'overflow' rule option that updates
tables automatically.
* TableFactory.cpp (init): implemented persistent tables in
compiler for PF: compiler maintains list of tables it creates
between passes for NAT and policy rules. This reduces duplication
if the same tables need to be created for both policy and NAT
rules. Tables for branched rule sets (anchors) are generated
separately and may duplicate those in the main rule set (although
their name is different).
2006-05-16 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processMultiAddressObjectsInRE): DNSName
object now inherits MultiAddress, this allows for DNSName to be
expanded into multiple addresses at compile time. Run time support
hasn't changed because most fw platforms automatically expand
domain name into all IP addresses defined as DNS A records for
this name.
2006-05-14 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (unselectRules): rule set should lose focus when
object editor is opened in a panel. Object shown in the editor is
highlighted in the tree anyway. This works better during search
when "find next" finds object in the tree
* NATCompiler_PrintRule.cpp (processNext): fixed bug #1476797:
"ipt NETMAP, POSTROUTING** chain --to problem with multiple
network targets".
* PolicyCompiler_PrintRule.cpp (_printModules): Added support for
hashlimit module for iptables (with an option for older systems
where the same module is called dstlimit)
2006-05-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printModules): added support for
connlimit module for iptables
2006-05-12 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added input fieds for
iptables module "connlimit"
* Many dialogs: converting all object, rule options and actions
editors from pop-up dialogs to built-in panels.
2006-05-07 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (accept): removed entry field for scp, it is not
used by the installer. Cleaned up in all places where we check if
path to ssh is configured to make sure installer can use it.
* TableFactory.cpp (createTablesForRE): names for tables that go
into an anchor have anchor name prepended to them as a prefix to
ensure global uniqueness. One side effect of this is that
AddressTable objects can only be used either in global rules or in
an anchor, but not in both at the same time because the name of
the table created for such object follows the name of the object
and hence appears the same in the main rule set and in the anchor.
2006-05-06 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): Added support for branching rules for PF,
imlpemented via anchors. Rules defined in branches are stored in
separate .conf files and loaded by the .fw file using
pfctl -a <anchor_name> -f <anchor_rules_file> Anchor rule files
are also added to manifest in the .fw file to make sure the built-in
installer will copy them to the firewall.
* PolicyCompiler_ipt.cpp (processNext): support for branching
rules for iptables (via user-ddefined chain, chain name is
specified as action parameter for action 'Chain')
* FWWindow.cpp (reopenFirewall): added support for policy
branches. Setting rule action to "Chain" or "Anchor" (depending on
platform) creates additional tab with a policy rule set. These
rules represent a branch in the policy, implemented by means of a
user-defined chain for iptables and anchor for pf. Chain or anchor
name is set as action parameter through standard action options
dialog.
* FWWindow.cpp (fileSaveAs): fixed bug #1424880: "Save As" works
incorrectly. "Save As" works as follows:
* a new file is created with the name provided by user, this file
captures the state of the object database as of the moment when
user executed 'Save As' operation.
* if the old file was not in RCS, then any changes made to it
since it was saved to disk last time are lost. In other words,
next time user opens the old file, its content will be as it was
when it was saved to disk last time before using 'Save As'
operation
* if the old file was in RCS, then it is reverted to the head
revision in RCS
* fixed bug #1434321: firewall name heading incorrect after
duplicate. After a firewall object is duplicated, the name of the
new object as shown in the tree and in pull-down list of firewalls
was incorrect.
* ActionsDialog.cpp (setRule): Added GUI support for action
'Branch' (represented as 'Chain' for iptables and 'Anchor' for pf)
2006-04-30 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getActionNameForPlatform): remapping names of
some new actions depending on the target firewall platform. For
example, action "Tag" appears as "Tag" for PF and as "Mark" for
iptables. Also remapping name for actions Pipe and
Accounting. This should help adoption of the new actions by people
who are familiar with corresponding features of the target
firewall platforms. Name mapping is done only for presentation;
all internal references to actions use their abstract internal
names both in the GUI and in all compilers.
2006-04-30 <vadim@beaver.vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1464806: "Global custom log prefix not applied to built in
options". Autogenerated rule that blocks packets matching INVALID
state will use globally set custom logging prefix. "-1" is used
for the rule number; macro "%C" is replaced with the chain name
"drop_invalid"
* NATCompiler_pf_writers.cpp (processNext): fixed bug #1407328:
"NAT / RDR Exception PF problem". "no nat" rule in PF can
translate either into 'no nat' or 'no rdr', depending on what the
user really needs to achieve. There is no way fwbuilder can guess
right by just analysing this single rule, so it will generate both
variants.
2006-04-23 vadim <vadim@vk.crocodile.org>
* SSHSession.h: fix for bug #1455772 did not work on windows where
QProcess added '\0' to each line of the stream passed to the ssh
client. On Unix we run fwbuilder as a wrapper for ssh client and
can intercept and filter these characters but on windows we do not
use wrapper and can't fix the problem that way. Better fix is to
avoid QString (and therefore conversions UTF8 <-> Unicode) all
together. Changed last parameter for constructor of SSHSession and
derived classes from QStringList to list<string>. Now instDialog
reads script as sequence of bytes and does not convert it to
Unicode, then passes to the ssh client via SSHSession as-is. In
principle, this alleviates the need in the hack in main.cpp but I
leave it there just in case. (Forward ported from 2.0.12)
2006-04-23 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (displayCommands): changed title of the
tab where user controls protocol inspectors from "Fixup" to
"Inspect". Added a button to show commands that will be generated
by the compiler for a current combination of inspector
configuration, this button calls policy compiler fwb_pix and feeds
XML to it via standard input. Doing this automatically every time
user touches something in the inspector control widgets may be
slow on underpowered machines or when the data tree is very large
because the GUI needs to start external process, which reads and
parses the whole XML file.
2006-04-22 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): calling fwb_pix to
generate protocol inspection commands. Need to implement saving
into a buffer in FWObjectDatabase to make this work.
2006-04-19 ilya <yalovoy@gmail.com>
* FWWindow.cpp (singleInstall): batch compile and intsall
operations are possible when user selects several firewalls in the
tree and uses context menu items "Compile" and "install". Selected
firewalls are automatically checked in the batch install dialog.
* FirewallDialog.cpp (loadFWObject): support for attribute
"inactive" in Firewall. Inactive firewalls are not picked for
batch compile and install operations.
2006-04-10 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext),
ipfAdvancedDialog.cpp (ipfAdvancedDialog): Added support for PPTP
and IRC proxies for ipfilter
2006-04-07 ilya <yalovoy@gmail.com>
* instDialog.cpp (selected): implemented batch compile and batch
install modes. Requires some work to polish the UI but basic
functionality works
2006-03-26 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
fixed bug#1364060: "conntrack modules not found". The name of the
'conntrack' module in Linux 2.6 is 'ip_conntrack.ko' and
'ipt_conntack.ko'. Changed shell pattern to match new modules as
well as old ones.
* linux24.xml.in: made "chmod +x" part of the sequence that
copieswall script to make the script is executable. This fixed bug
#1455748: "make firewall script executable"
* main.cpp (main): it appears some older versions of Qt have a bug
referred to in the following article:
http://lists.trolltech.com/qt-interest/2004-10/thread00024-0.html
This bug causes '\0' to be appended to strings passed to/from
QProcess if they are converted to/from utf-8. Added workaround in
the ssh wrapper code to skip zeros. In combination with converting
config file strings from/to utf-8 this fixes bug #1455772: "Problem
with UTF8 Descriptions in FW Objects"
* instDialog.cpp (initiateCopy): need to convert strings of the
config file from utf-8 in order to be able to use methods of
QString to process them. Strings are converted back to utf-8 right
before they are sent to the background ssh process to be copied to
the firewall in SSHSession::sendLine()
2006-03-22 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (prolog): switched from
Compiler::objcache to object index in FWObjectDatabase. Replaced
calls to Compiler::getCachedObject with calls to
FWReference::getPointer() everywhere
2006-03-20 vadim <vadim@vk.crocodile.org>
* ipf.cpp, ipt.cpp, pf.cpp, ipfw.cpp (main): added call to
Preprocessor::compile() to convert DNSName and AddressTable
objects before rule processing starts
2006-03-18 vadim <vadim@vk.crocodile.org>
* OSConfigurator_solaris.cpp (printPathForAllTools): fixed bug
#1393004: "Solaris does not have "egrep -q". Since egrep shipped
with Solaris does not have option '-q', using '-s'
* ipf.cpp (main): fixed bug #1386226: "generated -nat.conf is not
removed when nat rules removed.". Old fw-nat.conf was left in
place when user deleted all NAT rules (the new one was not created
either). Now compiler deletes *-ipf.conf and *-nat.conf files
before creating new ones, also installer gets correct list of
files to read.
* PolicyCompiler_PrintRule.cpp (PolicyRuleToString): fixed bug
#1375432: "fwb_ipt with twice -m state". Compiler used to generate
options "-m state --state XYZ" twice in a situation when
administrator uses custom service that already includes this code
and rule is not stateless.
2006-03-15 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (findFirewallsForObject): Using method
findWhereUSed to find firewalls that require compile/install after
an object is modified.
2006-03-15 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (_findWhereUsed): generic recursive method
that finds all groups and rules that use an object.
2006-03-10 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (contextMenu): added temporary pop-up menu
item 'simulate Install' for testing.
* ObjectManipulator.cpp (__Is_Object_Ref_In_Firewall): added
support for detection of firewall objects that require compile and
install after any object in the tree is modified. The code keeps
track of changes made to firewall's policy rules, as well as
changes in all objects in the tree. After the user applies changes
in an object editor, the program inspects every firewall trying to
determine if the object is used in one of its rules. When one or
more firewalls using this object are found, corresponding items in
the tree are highlighted. Indirect usage, such as if the object is
a member of a group that is used in a rule, is also
detected. Multi-level group membership is detected too.
2006-03-07 vadim <vadim@vk.crocodile.org>
* All compilers: compiler prints only one 'success' message at the
and of processing instead of after each section (policy, NAT
etc). This makes it easier to keep track of its progress and is
less confusing if it runs in a silent mode and takes a long time
to process one section. Before, when it printed "Rules compiled
successfully" after each section, the user could interpret this
message as if compiler was done, while in fact it was still
working on the next section
2006-03-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (removeFW): restored rule processor that
removes firewall object from src or dst to simplify rule if it
uses OUTPUT or INPUT chain. Doing this only if original rule did
not have negation and we do not add any virtual addresses for NAT.
After removal the rule collapses to a simple command like this:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
this works fine except if we have added virtual addresses for
NAT. It is assumed that firewall object in rules represents
combination of addresses configured in its interfaces in the
GUI. Virtual addresses added for NAT are considered to be a side
effect and connections should not be implicitly permitted to them
by a rule with fw object in destination. The same applies to fw
object in source. See bug #685947 for discussion. To avoid
inadvertently opening holes in the firewall by a rule like that,
we remove fw object only when it is safe to do so.
2006-03-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainForClassify): setting chain
to POSTROUTING for rules with action Classify. Also added checks
for this action in all rule processors that split rules in order
to assign them to INPUT/OUTPUT/FORWARD chains later because this
is not needed for this action (since only one chain is allowed
anyway)
* PolicyCompiler_PrintRule.cpp (_printDstService): added checks
for iptables version "1.3.0"
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface):
added support for physdev module for bridging firewalls. This
module is used if interface a rule is associated with is marked as
bridge port and iptables version is set to 1.3.0 or later in the
firewall settings. Feature Request #1000757: "bridging: using physdev"
* All compilers: by default treating bridge port interfaces the
same as unnumbered interfaces, unless target firewall platform
provides special support for bridge ports, such as module
'physdev' in iptables
* InterfaceDialog.cpp (loadFWObject): added support for bridge
port interface
2006-03-04 vadim <vadim@vk.crocodile.org>
* fwbedit.cpp (main), fwblookup.cpp (main): using global variable
instead of singleton FWObjectDatabase::db. FWObjectDatabase::db
is not used in fwbuilder2 anywhere and can be eliminated.
* FWObjectClipboard.cpp (add): must create new objects using
current instance of FWObjectDatabase because it maintains internal
object index. Replacing FWObjectDatabase::db with mw->db() to
accomplish that
* getting rid of singleton FWObjectDatabase::db in the GUI -
replacing it everywhere with mw->db()
2006-02-28 Vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectProperties): printing
firewall's lastModified, lastCompiled and lastInstalled timestamps
in the info window and in tooltips
2006-02-26 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (updateLastModifiedTimestamp): added
methods to keep timestamps for the moments when a Firewall has
been modified, compiled and installed. Using these timestamps to
provide visual indication for when a firewall needs to be
installed using bold font for its name in the tree view. Will use
the same mechanism to automatically suggest which firewalls to
install when user hits "Install" menu item or toolbar
button. Still need to implement object modification tracking to
properly detect which firewall needs to be marked when an object
is modified (an object can be used in a firewall rule directly or
indirectly if it is a member of a group)
2006-02-19 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (reopenFirewall): the GUI shows "Routing" tab only
if the corresponding policy compiler for a give host OS supports
it. Using <capabilities> element in the res/os/OS.xml resource
file.
* FirewallDialog.cpp (fillVersion): fixed a bug where firewall
versions would appear in a mixed order in the 'version' pull-down
in firewall object dialog
2006-02-18 vadim <vadim@vk.crocodile.org>
* Added support for load balancing rules in PF
* Added support for address ranges and network objects in TSrc in
NAT rules for PF
* Added support for pool types in NAT rules for PF ('bitmask',
'random', 'source-hash', 'round-robin') as well as 'static-port'
option
* PolicyCompiler_ipf_writers.cpp (_printAction): basic support for
Custom action for ipfilter. Lack of examples for actions 'auth'
and 'call' in ipfilter documentation or anywhere on the web makes
it hard to implement right.
* PolicyCompiler_ipfw_writers.cpp (_printAction): Added support
for policy rule action Custom for ipfw
* PolicyCompiler_ipfw_writers.cpp (_printAction): Fwbuilder policy
rule action 'Classify' is mapped to ipfw actions 'pipe' or
'queue'. Fwbuilder policy rule action 'Pipe' is mapped to ipfw
action 'divert'
2006-02-17 ilya <yalovoy@gmail.com>
* execDialog.cpp (saveLog): Added a button and function to save
compile or install progress log to a file with extension .txt
* killed startup wizard; the GUI starts accordingly to the setting
on the first page of the Preferences dialog - it can either start
up showing just standard objects library or automatically open
file the user was editing last time the GUI was used.
* object created using "Duplicate" menu item is automatically
activated and opened in the editor
2006-02-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printQueue): implemented support
for action 'Classify' in compiler for PF, mapped to a filtering
rule option 'queue _queue_name_'
* PolicyCompiler_PrintRule.cpp (PrintRule): implemented support
for actions 'Classify' and 'Custom' in compiler for
iptables. Action 'Classify' is mapped to '-j CLASSIFY --set-class M:N';
action 'Custom' is used verbatim
2006-02-15 ilya <yalovoy@gmail.com>
* :version 2.1.5
* :Added new Actions 'Classify' and 'Custom'.
* :Added new dialog NATRuleOptionsDialog.
* RuleSetView: In NATView inserted new column "Options" for
viewing of Nat Rule Options.
2006-02-11 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (checkSNMPCommunity): unified method to check
validity of the host name/ip address for dns name server used for
zone transfer and seed host used for snmp crawler
2006-02-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): added support
for the TagService object (using 'tagged')
* PolicyCompiler_PrintRule.cpp (_printDstService): added support
for the TagService service object (using --mark)
2006-02-09 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (DiscoveryDruid): improvements in the
implementation of the address and name validity for snmp crawler
seed host and dns server for dns zone import. Implemented support
for IP aliases in snmp crawler
2006-02-05 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (save): saving/restoring parameters of the
DiscoveryDruid between sessions
2006-01-27 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): proper implementation of
long/short name generation for dns zone import; proper checks for
correctness of the seed host address for snmp crawler; showing
number of interfaces in discovered hosts on the results page
2006-01-21 vadim <vadim@vk.crocodile.org>
* gui.pro (IMAGES): grand icons clean-up and update. Removed old
unused icons and images, added new icon theme by Irina Filvarova
2006-01-20 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): working version of
discovey druid. Got rid of all calls to setModal, hence
workarounds defined in qt_workarounds.h are not needed anymore
2006-01-16 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (stripObjects): minor formatting cleanup in
DiscoveryDruid; fixed typos in DiscoveryDruid ('wasCanceled' ->
'wasCancelled'); refactored #includes to improve compilation speed
in DiscoveryDruid
* DiscoveryDruid.cpp: had to move '#include "DiscoveryDruid.h"'
below all qt #include's to make code compile on windows. When this
#include was above qt includes, compiler would stop with an error:
------------------------------------------------------------
C:\Qt\3.3.1\include\qlistbox.h(139) : warning C4003: not enough actual parameter
s for macro 'index'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2059: syntax error : ')'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2143: syntax error : missing ')' be
fore ';'
------------------------------------------------------------
I haven't figured out where does 'index' macro come from
* discoverydruid_q.ui.h: added workarounds for missing
QDialog::setModal in QT 3.1
* FWWindow.cpp (doCompile): since we now package platform and os
resource files with externally packaged compilers, we do not need
to use "-r" flag while calling compilers anymore
2006-01-10 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (startHostsScan): implemented object import
from a file in "/etc/hosts" format. This includes druid page where
user selects objects from the list, a page where they can assign
object type for each record and a page where they chose a library
new objects should be part of
2006-01-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (_printAction): support for
action Pipe in ipfw. This action can be implemented using
"divert", "pipe" or "queue" rule actions in ipfw; the method is
chosen using rule action parameters dialog in the GUI.
* ActionsDialog.cpp (setRule): support for action Pipe for ipfw in
the GUI.
* PolicyCompiler_pf_writers.cpp (_printAction): added support for
Tag action for PF
2006-01-03 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): implemented checks for the situation when
compiler produces an empty script. In such cases we avoid printing
any header or commit commands (such as '*mangle' and 'COMMIT'
if iptables-restore format is used)
* PolicyCompiler_ipt.cpp (processNext): implemented support for
QUEUE target in compiler for iptables. Commands with this target
are generated for fwbuilder rules with action "Pipe"
* MangleTableCompiler_ipt.h: Implemented support for MARK target
for iptables. Iptables commands with target MARK are generated for
fwbuilder rules using action "Tag". Rules are placed in
INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures
that DNAT happens before rules placed in the mangle table see the
packet. PREROUTING chain in mangle table is executed before
PREROUTING chain in the nat table, so placing tagging rules in the
PREROUTING chain would make them fire before DNAT. POSTROUTING
chain of the mangle table, as well as its FORWARD and OUTPUT
chains, work before corresponding chains of the nat table. In all
cases the goal is to make sure DNAT rules process the packet
before, and SNAT rules process it after filtering and tagging
rules.
* AddressTableDialog.cpp (preview): AddressTable dialog "preview"
function looks for the table file in the same directory as
currently opened data file if file name is entered as relative
path
2005-12-16 ilya <yalovoy@gmail.com>
* FWObjectPropertiesFactory.cpp : For objects of type 'interface'
a path to library is included in "detailed properties".
* FWWindow.cpp : Added new menu "/tools/Discovery Druid"
* DiscoveryDruid.cpp : Created basic gui for Discovery druid
2005-12-16 ilya <yalovoy@gmail.com>
* SimpleTextView.cpp: new custom text viewer.
* AddressTableDialog.cpp: file preview uses SimpleTextView.
* newfirewalldialog_q.ui: Dialog size fixed (now all internal
widgets are visible)
* fwbedit.cpp : fixed run with unknown options. Added a new option:
-u - interactive file upgrade
2005-12-14 ilya <yalovoy@gmail.com>
* Added detailed tooltips for rule options for all fw platforms
* Redrawing policy view if user changes firewall version; this
ensures that icon that indicates non-default rule options is
correctly updated in case different versions of the same fw
platform support different combinations of rule options.
* Redesigned page of the new host dialog where user adds
interfaces manually. Before buttons "add","Update","remove" were
hidden because dialog was too small.
2005-12-13 vadim <vadim@vk.crocodile.org>
* po.pro: Added Swedish translation made by Daniel Nylander
<yeager@lidkoping.net>
2005-12-13 ilya <yalovoy@gmail.com>
* RuleSetView.cpp (maybeTip): added tooltips for rule elements
Action and Options
2005-12-02 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext): Run-time AddressTable objects
are not supported in ipfilter; added a placeholder for
corresponding rule processors, aborting compilation when such
object is detected in a rule
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1361564: "Prolog script env settings unavailable". Need to define
env variables IPTABLES, LSMOD etc before prolog.
(OSConfigurator_linux24::printChecksForRunTimeAddressTables):
compiler for iptables inserts shell code to ensure that data files
used in run-time AddressTable objects are present before firewall
policy is activated.
* PolicyCompiler_PrintRule.cpp (processNext): implemented run-time
mode for AddressTable object in compiler for iptables. Current
implementation *dos not* emulate dynamic table reloads as can be
done for PF using "pfctl -t table -Treplace" command. The whole
policy script must be run again if data file AddressTable object
refers to changes. Current implementation does not allow comments
in the data file
2005-12-01 ilya <yalovoy@gmail.com>
* version 2.1.4
* new object type TagService
Actions 'Mark' and 'Queue' renamed as 'Tag' and 'Pipe'
respectively.
* fwbedit.cpp: fixing of absent 'TagServices' group added.
* ActionsDialog.cpp: new actions control dialog
* RuleSetView.cpp: changed actions context menu to use new
parameters dialog (support of actions with parameters).
2005-11-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processNext): added support for run-time
AddressTable objects for PF.
* PolicyCompiler_pf (PrintRule::_printAddr)
* TableFactory.cpp (TableFactory::PrintTables): support for DNSName
run-time mode in compiler for pf, ipfw and ipf
* PolicyCompiler_PrintRule.cpp (_printAddr): support for DNSName
run-time mode in compiler for iptables
2005-11-23 Vadim <vadim@vk.crocodile.org>
* AddressTable object dialog
2005-11-22 vadim <vadim@vk.crocodile.org>
* TableFactory.cpp (createTablesForRE): class TableFactory reuses
existing tables separately for NAT and policy rules. Reuse of
tables created for NAT in the policy rules is difficult because
tables themselves are created in the temporary copy of the tree in
the NAT compiler (the same applies to the objects - members of the
tables)
2005-11-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printAddr): Improvement in the
compiler for PF: using '!' syntax for one-object negations
* NATCompiler_pf.cpp (CeateTables): Improvement in the compiler
for PF: Using tables for NAT rules
* TableFactory.cpp (createTablesForRE): using the same class to
generate tables for both policy and NAT rules for pf. Table names
are composed using rule positions so that table names do not
change between compiler runs (they used to change because they
were created using rule IDs, which changed because compiler
generated lots of copies of rules)
2005-11-14 Vadim <vadim@tourist.vk.crocodile.org>
* version 2.1.3
new object type DNSName
using this method in Compiler::prolog to resolve DNSName objects
that are supposed to be resolved at compile-time
Redesigned RuleOptionsDialog to make room for new options
Added actions MARK and QUEUE with basic support in API and GUI
Added new object type AddressTable
2005-11-05 vadim <vadim@tower.vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): fixed bug #1349326
"ulogd option does not work". There was a typo in the class
iptAdvancedDialog ( useULOG instead of use_ULOG )
*** Ported from 2.0.10 ***
2005-11-01 vadim <vadim@tower.local>
* NATCompiler_ipt.cpp (processNext): fixed bug #1342495: "SNAT
with address range". Compiler used to print warning "Adding
virtual addresses for NAT is not supported for address range" even
if adding virtual addresses for NAT was turned off.
*** Ported from 2.0.10 ***
2005-10-26 vadim <vadim@tower.local>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1313420:
"OUTPUT chain is built wrong under certain conditions." Rules
that have firewall in SRC and DST, while DST has negation, should
be split so that the second generated rule goes into OUTPUT chain
rather than FORWARD
*** Ported from 2.0.10 ***
2005-10-24 vadim <vadim@tower.local>
* FirewallDialog.cpp (openFWDialog): fixed bug #1315892:
"fwbuilder crashes on missing OS template" The GUI crashed if user
added new hostOS or firewall platform template under resources/os
or resources/platforms, then reinstalled the package (and
therefore lost their custom template files), then tried to open
firewall or host OS settings dialog for the object using new
template.
*** Ported from 2.0.10 ***
* RuleOptionsDialog.cpp (loadFWObject): fixed bug #1305933:
"fwbuilder/Solaris: compilation errors". Another case of implicit
type conversion QString->string which does not compile on systems
with QT built w/o STL support.
*** Ported from 2.0.10 ***
* main.cpp: fixed bug #1304878: fwbuilder: signal.h
required (Solaris). Using 'AC_CHECK_HEADERS([signal.h])' in
configure.in to check for the appropriate #include.
*** Ported from 2.0.10 ***
* configure.in: fixed bug #1304764: "configure script: Sun make
check fails". Need to use ${MAKE-make} instead of $ac_make when
checking for GNU make.
*** Ported from 2.0.10 ***
* fixed bug #1304785: "fwbuilder - Solaris has no libutil". Using
better way to check whether we need to link with libutil.
*** Ported from 2.0.10 ***
2005-10-22 vadim <vadim@vk.crocodile.org>
* VERSION: set version to 2.0.10 in branch fwb2-2.0-maint
2005-09-29 Vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
new rule processor: checks if the rule is associated with an
interface and uses setInterfaceId to record its id. If the rule is
associated with multiple interfaces, splits the rule
accordingly. Unlike basic processor
PolicyCompiler::InterfacePolicyrules, this processor tries to
optimize rules applied to multiple interfaces using user-defined
chain
***** Policy compilers support multiple interfaces and negation in
"Interface" rule element
2005-09-28 Vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): merged interface policies with
global policy. Keeping most of the code that implements interface
policy tabs just in case.
* set version to 2.1.2
2005-09-26 Vadim <vadim@vk.crocodile.org>
* RoutingRuleOptionsDialog.cpp (loadFWObject): Added support for
routing rules. Using "fwbuilder-routing" patch provided by Tidei
Maurizio <fwbuilder-routing at compal.de>
* set version to 2.1.1
* ObjectManipulator.cpp (createObject),(newDNSName),
newHostDialog.cpp (accept): added checks for broken object tree
2005-09-20 <vadim@vk.crocodile.org>
* DNSNameDialog.cpp (loadFWObject): new object type: DNSName
(Illiya)
2005-09-17 <vadim@vk.crocodile.org>
* 2.0.9 release in branch fwb2-2.0-maint
2005-09-12 <vadim@vk.crocodile.org>
* fwsm.xml.in: Added support for Cisco FWSM (platform and host OS)
* pixAdvancedDialog.cpp (pixAdvancedDialog): Added support for
manual ACL commit in FWSM
2005-09-11 <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX): enable_prompt should include string "Access
Rules Download Complete" which is _sometimes_ printed by FWSM when
in auto-commit mode.
2005-09-07 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (lockObject): Added ability to lock/unlock
individual objects in the tree (Illiya)
* GroupObjectDialog.cpp (listViewSelectionChanged): Illiya
implemented Feature Req #1151208: "Allow multiple objects select
to make an action (Group)"
2005-09-07 <vadim@vk.crocodile.org>
* SSHSession.cpp (cmpPrompt): overloaded method
SSHSession::cmpPrompt to be able to specify prompt as a regular
expression. This variant is very convenient for PIX prompts.
2005-09-05 <vadim@vk.crocodile.org>
* fixed bug #1254775: "RCS checkin fails on Windows when data file
is too big". RCS tools failed to check the file in if it consisted
of one huge line of text. This fix makes th GUI save data file
(.fwb) in formatted form on Windows, just like on Linux. This
means each XML element is saved on separate line instead of all of
them being on the same line.
2005-09-04 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): fixed bug #1276083:
"Destination NAT rules". Old restriction on "rdr" rules that
required service in OSrv is not valid anymore, pf supports rdr
rules with no protocol specification. (ported from 2.0.9)
2005-09-04 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): properly handling situation when user
hits Cancel in check-in log dialog (should abort File/Commit
operation entirely)
* main.cpp (main): added a workaround to make the GUI work in
Spanish locale (QT 3.3.4 ships with broken qt_es.qm file at least
on Fedora-C4 and Mac OS X)
2005-08-31 <vadim@vk.crocodile.org>
* SSHUnx.cpp (stateMachine): fixed bug #1277129: "script is
truncated when installed by the GUI running on Mac". Large script
was getting truncated while copied to the firewall if GUI was
running on Mac OS X (bugfix ported from 2.0.9)
2005-08-17 <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): Finished implementation of RFE #1211612
"fwbedit - add object?". Using "-p","-L","n" and "-o" command line
switches to specify parent, library, name and attributes of an
object
2005-08-04 <vadim@vk.crocodile.org>
* fwbedit.cpp (main): Illiya is working on RFE #1211612: "fwbedit
- add object?" and #1114501: "Data file repair". Fwbedit can now
add objects as well as repair tree structure. Still needs some
more work.
2005-07-31 <vadim@vk.crocodile.org>
* LINGUAS: Added Spanish translation, thanks to Carlos Lozano
<clozano@andago.com>
2005-07-30 <vadim@vk.crocodile.org>
* Started v2.1.0
2005-07-30 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): Illya implemented Feature Request
#1187461 "Add "commit" menu item". This menu item commits opened
data file to RCS but keeps it opened so the user can continue
editing.
2005-07-29 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (addObjectsToTable): Illiya implemented
Feature Request #1225393 "FeatureRequest Print comments on
objects"
2005-07-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragMoveEvent): Illiya fixed bug #1226069:
"Segfault: Drag&Drop between two instances"
2005-07-21 <vadim@vk.crocodile.org>
* platforms.cpp (getLogFacilities): Illiya moved definitions of
log levels, log facilities and actions on reject to module
platforms.cpp. Methods getLogLevel, getLogFacilities and
getActionsOnReject return string lists suitable for using with
DialogData to provide mapping between localized and english
strings so that the user sees translated ones but enlish ones are
written into FWOptions object and used by compilers. This fixes
bugs #1240205: "Iilegal --log-level Information" and #1233165:
"Illegal Logging-Limit string.".
2005-07-08 <vadim@vk.crocodile.org>
v2.0.8 released
2005-07-05 <vadim@vk.crocodile.org>
* SSHSession.cpp (allDataSent): calling allDataSent from heartBeat
slot method because on windows signal 'wroteToStdin' is emitted
before I had a chance to connect it to a slot in
SSHUnx::stateMachine in state PUSHING_CONFIG after entire file has
been transmitted. I used to send an extra '\n' to force signal
'wroteToStdin', but that made the file to be sligltly different on
the receiving end and I do not like that.
* RuleSetView.cpp (dragMoveEvent): not really a change: bug
1226069 "Segfault: Drag&Drop between two instances" requires
redesign of the drag&drop mechanism so that live pointer to
FWObject is not passed between sender and receiver.
2005-07-04 <vadim@vk.crocodile.org>
* SSHSession.cpp (startSession): fixed bug #1232478: "FWB shuts
down on incorrect password". Bug was intorduced in build 624 while
working on installer stalls and undescriptive ssh termination
error when OpenSSH 4.0 was used.
2005-07-02 Vadim Kurland <vadim@vk.crocodile.org>
* main.cpp (main): ignore SIGHUP in the child process in ssh
wrapper. Closing stdin at the end of the file copy sends SIGHUP to
the child. By some reason, this caused ssh to terminate with error
message "killed by signal 1" and return code 255 on Fedora C4
which uses OpenSSH v4.0p1
2005-07-02 <vadim@vk.crocodile.org>
* main.cpp (tty_raw): switched from TCSAFLUSH to TCSANOW in call
to tcsetattr when we switch tty to raw mode in ssh wrapper
code. This should fix mysterious stalls in the installer that were
introduced when I worked on the wrapper code to fix bug #1213361
(problems with file copies on FreeBSD 5.4)
* instDialog.cpp (initiateCopy): added missing "-v" option to ssh
call used to copy policy script to the firewall if "verbose"
checkbox is checked. This should help troubleshoot problems with
installer when ssh fails and terminates with an error.
2005-06-25 <vadim@vk.crocodile.org>
* configure.in: need to call macro AC_PROG_MAKE_SET before
using $ac_make to check for GNU make
* configure.in: added check for cfmakeraw (which is absent on Solaris)
* configure.in: make script continue if forkpty is not found,
the program will use emulation.
2005-06-13 <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
sorting list of objects for tooltips. Sorting is done by object
name, alphabetically. TODO: use locale-aware sort and ignore
case of the letters.
2005-06-12 <vadim@vk.crocodile.org>
* main.cpp (main): need to switch the pipe and stdin in the child
process to raw mode in order to ensure proper communication when
fwbuilder works in ssh wrapper mode. This (really) fixes bug
#1213361
* configure.in: Added path to QT where it is installed on 64-bit
systems to the list configure tries while searching for QT
2005-06-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1215279: "rate
limiting rule logs everything". Rule utlilizing "limit" module to
rate limit packets with logging logged every packet and dropped
those that exceeded the limit. The fix makes it apply the limit
first and then log only packets that were dropped.
* main.cpp (forkpty): fixed bug #1072842: "fwbuilder: Solaris and
forkpty". We need forkpty fr built-in installer but this function
is not awailable on Solaris. I am adding re-implementation, but it
hasn't been tested since I do not have Solaris machine.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
fixed bug #1212179: "tool tips for TCP services cuts off some
services". The gui would show very long tooltip for large groups;
if the group was too large, the tooltip did not fit on the screen.
* main.cpp (main): fixed bug #1213361: "PF on FreeBSD-5.4R". Bug
description is misleading, the probem was caused by built-in
installer rather than by compiler for PF. Installer would not copy
generated script over ssh if the script was longer than some
threshold and the gui was running on FreeBSD.
2005-06-05 <vadim@vk.crocodile.org>
* linux24.xml.in: fixed bug #1212121: "sudo shutdown doesn't
work". Installer needs to schedule reboot when the user activates
policy in a test mode. There was a bug in the installer script
that improperly used sudo to run shutdown when installation was
performed using regular user account.
* linux24.xml.in: fixed bug #1212123: "executing file below /tmp
as root". Avoiding world-writable directory /tmp/ while activating
policy in the test mode. This change makes installer use
subdirectory "tmp" under directory specified in the "intaller" tab
of firewall settings dialog. That directory is expected to have
proper permissions; subdirectory "tmp" can be created manually,
otherwise installer creates it. Either way, it is not
world-writable, therefore unauthorized users can not create
scripts in it.
* freebsd.xml.in: Using pkill to find running shutdown process and
kill it to cancel pending reboot. Pkill simplifies the scriptlet
so we don't need to deal with output redirection etc. Pkill is
available on FreeBSD, Linux, OpenBSD and Solaris.
* linux24.xml.in: another fix for a bug #1201406: "shutdown
messages should be suppressed". Scriptlet has been modified to
make sure it works in both sh and csh (user who installs the
policy may have tcsh as their login shell, root may use tcsh too)
2005-05-30 <vadim@vk.crocodile.org>
* src/res/os/*.xml.in: fixed bug #1201406: "shutdown messages
should be suppressed". Installation scriptlet tries to kill
shutdown process, if there is one, to cancel pending shutdown that
might have been left over from test install. If there is none, the
script prints an error message "shutdown process not found" or
similar, which confuses user. Needed to suppress these error
messages.
* fixed bug #1155351: "Remote install of FW rulset fails due to
race condition". Generated ipfw firewall script could not be ran
reliably over ssh session because "ipfw -f" flushes all rules and
all state, which breaks ssh session. As soon as the script needed
to print anything, it got I/O error from the system because TCP
session for ssh was blocked; this stopped the script and did not
let it activate new firewall policy.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvemet in the
compiler for ipfw: added "established" rule on top of the regular
backup ssh access rule; this allows to maintain management ssh
session after the policy is reloaded. both "ipfw -f" and swapping
sets flushes all states, so the ssh session used to upload and
activate new policy breaks. A rule with "established" keyword
maintains this session.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvement in
the compiler for ipfw: using rule sets to atomically swap old and
new rules. New rules are loaded in the set 1 and then swapped into
set 0. If there is an error in a new rule set, it is caught while
loading rules into inactive set 1, at which point script stops
without changing old firewall rules.
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): implemented
support for subnets for backup ssh access for pf,ipf,ipfw. Subnet
can be defined using either full netmask or bitlength: both
"192.168.1.0/255.255.255.0" and "192.168.1.0/24" are
acceptable. Single host address works too, both as "192.168.1.10"
and as "192.168.1.10/255.255.255.255" or
"192.168.1.10/32". Incorrect address or netmask cause compiler to
abort processing.
2005-05-28 <vadim@vk.crocodile.org>
* GroupDialog: fixed bug #1207983: "incorrect size of "I" and "L"
buttons in the group view dialog". Tested with large font and
cleaned up layout in many dialogs.
* HostDialog.cpp (loadFWObject): removed 'snmp community' option
from the Host object dialog - it was not used anywhere
* ipt.cpp (main): fixed bug #1205665: "Error with summer time when
compiling script". Sometimes timezone name has "'" in it which
confuses shell and causes an error when generated script prints
"Activating firewall policy..." log message
* RCS.cpp (RCSEnvFix): fixed bug #1204067: "incorrect timezone
handling in RCS". Windows version of RCS incorrectly converts
check-in time when time zone is east of GMT. Had to use "-z"
option on all RCS commands to explicitly set offset; "-zLT"
produces wrong results in rlog.
* fwb_compile_all (LIB): fixed bug #1200902: "fwb_compile_all does
not work in 2.0". Script fwb_compile_all broke because of changes
in data file format
* PolicyCompiler_PrintRule.cpp (_printTimeInterval): fixed bug
#191423: "Weekend Time restriction not created correctly". Rules
with time restriction spanning from Saturday to Sunday were
generated with incorrect "--day" option
* objects_init.xml.in: fixed bug #210518: 'Incorrect ending day in
the standard object "weekends"'. This object defined time interval
ending at 23:59 on Monday instead of Sunday
* implemented Feature Request #1145666: "Print RCS
Log". File/Properties dialog can now print RCS log. Thanks to
"Ilya V. Yalovoy" <yalovoy@pilot.aip.mk.ua> for the patch.
2005-05-23 <vadim@vk.crocodile.org>
* added updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2005-05-20 <vadim@vk.crocodile.org>
* set version to 2.0.8
2005-05-08 <vadim@vk.crocodile.org>
* v2.0.7 released
2005-05-04 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1195201: "getaddr function return error ip address". Yet another
change in the way we use grep to find IP addresses of an interface
on Linux. We can't use regex (bug #1123748) and need to filter out
secondary addresses from the "ip addr show" output. It looks like
"grep -v :" neatly solves the problem without using regex.
2005-05-02 <vadim@vk.crocodile.org>
* snmp.cpp: API change: Compiled all OIDs. The program may run on
a system where MIBs are not installed, so we can not always use
symbolic OID names Also using snmp_out_toggle_options to turn
numeric output in all responses (equivalent to -On in snmp tools)
2005-05-01 <vadim@vk.crocodile.org>
* snmp.cpp (walk): API changes: verbose error message, printing
response->errstat code as well as corresponding error string; this
should help debug snmp -related problems better
* snmp.cpp (walk): API changes: using snmp_error to print last
snmp error string
2005-04-27 <vadim@vk.crocodile.org>
* implemented support for SNMP operations in Windows packages
* qmake.inc files overhaul
2005-04-26 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (getInterfacesViaSNMP): switched to using
QT class DNS to get host/firewall name in new HostDialog and
newFirewallDialog classes. This seems to work better on Windows.
Also added more locks to prevent reentering getInterfacesViaSNMP
if user clicks the button multiple times in quick succession
2005-04-23 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): fixed bug #1187248: using "find"
for an address "192.168.10*" several times after a firewall
objects has been created using templates caused GUI to crash
2005-04-17 <vadim@vk.crocodile.org>
* findDialog.cpp (matchAttr): implemented feature request
#1151206: "Search for IP Addresses". "Find" dialog searches for
objects by a combination of name and one of the following
attributes: address, tcp/udp port, ip protocol number or icmp
message type. Regular expressions can be used for both name and
attribute.
* ObjectTreeView.cpp (getSimplifiedSelection): fixed bug #1151212:
"Collapsed sub-objects shouldn't be added if they are
hidden". When user selects multiple objects in the tree some of
which have child objects, those child objects used to be also
selected and added to groups in addition to their parent
objects via drag-and-drop operation.
* GroupObjectDialog.cpp (pasteObj): fixed bug #1184791: "can not
copy/paste multiple objects into a group"
* FWWindow.cpp (doCompile): implemented feature req. #1151220:
"Close" button should change is caption/title to "Install". When
user clicks "Install" toolbar button or main menu item, the
"Close" button in the pop-up window that displays compiler
progress changes its text caption to "Install"
2005-04-13 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): fixed bug
#1181359: "Missing traling space in "INVALID state" syslog
message"
2005-04-10 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Improvement in built-in installer:
user can specify additional command line parameters for ssh that
built-in installer runs to access firewall. This allows for
alternative ssh port or alternative ssh identity to be used when
accessing firewall. Parameters can be added in the "Installer" tab
of firewall settings dialog for all platforms.
2005-04-09 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1179103: 'compiled rules can not be
install'. Generated iptables script could not be used on systems
with non-English locale where timezone name used local characters
because these characters were printed as hex ( "&#21488;" ) and
'&' caused problems with shell. Now using single quotes to make
shell ignore any characters in the string. Will deal with proper
printing of localazed timezone later.
2005-04-07 <vadim@vk.crocodile.org>
* OSConfigurator_freebsd.cpp (printPathForAllTools): function
getaddr() falls back to 0.0.0.0/32 if dynamic interface has not
been assigned an address yet or is down. Ipfilter policy using
run-time substitution of dynamic interface addresses will be
functional even if these interfaces are down or do not have IP
address.
2005-04-05 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_flushAndSetDefaultPolicy): fixed
bug #1176890: "block IPv6". Generated iptables script sets default
policies to DROP in all ipv6 filter chains. More detailed control
can be implemented using prolog or epilog scripts.
2005-04-03 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (separateSrcPort): fixed bug #1176051:
"incorrect rule generated for TCP service ftp-data". If a rule
used several TCP or UDP service objects and one of them has source
port range configured, generated PF filter rule incorrectly
matched on a combiantion of that source port range _and_
destination port ranges from all other service objects. This bug
affected compilers for OpenBSD PF and ipfilter
2005-03-31 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): fixed bug #1155163: "print does
not print group contents". The program printed only number of
objects contaned in object or service groups. Now it prints lists
of member objects for all groups used in rules. If groups contain
other groups, they are printed recursively.
2005-03-30 <vadim@vk.crocodile.org>
* objects_init.xml.in: fixed bug #1172620: "Add tcp service object
for icslap". Added this object to the objects library "Standard".
* FWWindow.cpp (info): fixed bug #1151243: "Maintain format of
description text". The GUI ignored text formatting in object
comment when displayed it in the info panel (lower left corner of
the main windows)
* FWOptions.cpp (toXML): API change: fixed bug #1173801: '"&"
character in prolog/epilog'. Needed to call xmlEncodeSpecialChars
to encode special characters in firewall options
2005-03-29 <vadim@vk.crocodile.org>
* ipf.cpp (printActivationCommandWithSubstitution): fixed bug
#1173064: "support for dynamic interfaces in ipfilter". Actual
address of dynamic interface is now determined at run-time in the
policy activation script <firewall_name>.fw generated by
fwbuilder. If dynamic interface is used somewhere in the policy or
nat rules, it will be replaced with its actual address by
activation script before configuration is sent to ipf or ipnat for
activation. This run-time substitution is done only if a checkbox
is checked in the "Script options" tab of firewall settings
dialog. Default behavior is to use "any". This is because ipfilter
configuration files <firewall>-ipf.conf and <firewall>-nat.conf
that rely on run-time substitution of dynamic interface address
can not be loaded using standard activation scripts that come with
FreeBSD.
This also fixes another problem in fwb_ipf where it generated rdr
and nat commands with address 0.0.0.0/32 if dynamic interface was
used in a NAT rule.
2005-03-28 vadim <vadim@tourist2.local>
* PolicyCompiler_PrintRule.cpp (_printMultiport): fixed bug
#1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31
ports were used in a single rule, compiler generated command with
conflicting options "-m multiport --dport"
* NATCompiler_ipf.cpp (processNext): fixed bug #1173067: "support
for port ranges in NAT rules (ipfilter)" - policy compiler for
ipfilter should split DNAT rules (rdr) that use TCP or UDP objects
with port ranges. A warning is issued if more than 20 rules are
created.
2005-03-20 <vadim@vk.crocodile.org>
* utils.cpp (getFileDir): fixed bug #1157976: "patches to make
fwbuilder compile under NetBSD 1.6". Applied patches.
* newHostDialog.cpp (newHostDialog): fixed bug #1151219: "New Host
creation window is not well dimensioned". Fixed wrong dialog page
layout in the new host wizard.
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748: "busybox grep -E". Busybox in floppyfw is compiled
without support for egrep (or grep -E). Switched to using "plain"
grep.
* InterfaceDialog.cpp (loadFWObject): fixed bug #1151052: "Not
external interfaces marked as external". Dialog for an interface
object that belongs to a host should not show checkbox "external
(insecure) interface"
* Tools.cpp: API change: fixed bug #1158870: "mutexes are not
properly created on FreeBSD". Mutexes gethostbyname_mutex and
gethostbyaddr_mutex were never created but used on OS where
thread-safe resolver is not available.
2005-02-17 <vadim@vk.crocodile.org>
* v2.0.6 released
2005-02-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr
binary not found". As it turns out, /usr/bin/ is not in PATH
during boot time on Slackware. I added /usr/bin/ to PATH variable
in generated iptables script.
2005-02-16 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748 "busybox grep -E". Busybox does not support option "-E"
with grep, however it has "egrep".
2005-02-12 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): proper localization in the
installer where it displays progress of the installation operation
2005-02-11 <vadim@vk.crocodile.org>
* main.cpp (main): Troubleshooting weird case of data file
corruption during install
* RCS.cpp (RCS): fixed bug #1120904: "GUI hangs when accessing RCS
file". Improved parsing of rlog output.
2005-02-09 <vadim@vk.crocodile.org>
* utils.cpp (getUserName): working on bug #1118717: "fwbuilder 206
on Windows XP SP2: error checking out". Env variable USERNAME was
not set in user's profile, which triggered this bug. Now using
getuid to get user name on Unix and GetUserName on Windows. This
should make the program more resilient for situations when
environment variable LOGNAME or USERNAME is not set
2005-02-08 <vadim@vk.crocodile.org>
* ipt.cpp (main): Using getuid to read real user's ID on Unix
2005-02-07 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Fix for support request #1118039:
"Error when Windows client calls plink -ssh". The problem is that
putty ignores protocol and port specified in the session file if
command line option -ssh is given. On the other hand, the sign of
session usage is an empty user name, so we can check for that. If
user name is empty, then putty will use current Windows account
name to log in to the firewall and this is unlikely to work
anyway. This seems to be a decent workaround.
* printerStream.cpp (printQTable): further bugfixes in printing,
in particular fixed a problem with partially greyed-out horizontal
and vertical headers when ruleset was small enough to fit on the
first page.
2005-02-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (selectionChanged): fixed bug #1030538:
"incorrect highlighting when selecting multiple rules". This bug
seems to be specific to Mac OS X
* printerStream.cpp (printQTable): improvements in printing:
- if a rule set does not fit on a single page, the program
repeats table header on each page ("Source","Destination","Service" etc)
- the program does not draw the whole rule set in memory
anymore. Instead, it "scrolls" the table and only draws section
that fits on a single page. This means we can now print really
huge policies that can not be drawn as a whole because they
exceed maximum coordinate value. Tested with a rule set that
consists of 1200 rules which has size of 677x34884 pixels on my
machine.
2005-02-03 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): working on bug #1115412: "Problem
installer FWbuilder 2.0.5 for Windows". Switched to command line
option "-l" to specify user name for external ssh in
installer. This was necessary because Van Dyke SecureCRT on
Windows does not support user@host syntax.
* instDialog.cpp: Installer verbose and quiet modes work as follows:
- if quiet is off, verbose is off: prints everything that
firewall script prints on stdout and stderr; does not add "-v"
to calls to external ssh utilities
- if quiet is off, verbose is on: adds "-v" to ssh command line
- if quiet is on - supresses script output but still prints short
messages to indicate when it copies files to the firewall and when
it executes them
2005-02-01 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (delObj): slightly changed logic with user
warnings in the object removal code. The program asks the user for
confirmation if they remove an ordinary object from a regular
library. Confirmation is not asked if object is removed from
"Deleted objects" library or when a library is being deleted (in
this case we ask a different quastion later anyway). This helps
avoid double warning when a library is deleted.
2005-01-31 <vadim@vk.crocodile.org>
* POmakefile.in (POTFILES): Added module FWWindowPrint.cpp to the
list of files processed for localization
* FWWindowPrint.cpp (filePrint): Added small margin inside table
cells in Legend and Object tables in the printout.
2005-01-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1112470:
"Problem with FW part of ANY in Bridged mode". If fw is
considered part of any, we should place rule in INPUT/OUTPUT
chains even if it is a bridging fw since fw itself may send or
receive packets.
* PolicyCompiler_ipt.cpp (accounting): implemented feature
req. #1112980: "Need unique names for accounting rules". User can
now specify a unique name for rules with action 'Accounting'; this
name will be converted to a chain name. This simplifies accounting
since chain name for such rule won't change if the user adds or
removes rules above or below.
* PolicyCompiler_ipt.cpp (accounting): fixed bug #1112976:
"Accounting rule with logging produces looped iptables command"
* FWWindowPrint.cpp (beginPage): implemented Feature
Req. #1112778: "include date and time on printouts". Added date
and time to the header on each printed page.
* RuleSetView.cpp (paintCell): fixed bug #1112776: "some items
touching seperator lines on printouts". Rule elements "Action",
"Direction", "Options" and "Comment" were placed right at the top
of the table cell which led to their clipping when rule set was
printed on Mac OS X. Need more testing.
* FWWindowPrint.cpp (filePrint): fixed bug #1112764: "some Objects
are partially obscured in printout". Parts of the "Objects" table
were clipped. Need to test some more.
2005-01-29 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug #1112264: "Load last edited
file" setting doesn't work. This was broken only on Mac OS X.
* FWObjectDatabase.cpp (merge): API change: fixed bug #1105167:
"Crash when importing a library that has been deleted".
2005-01-27 <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): not quite fixed bug
#1105755 "Custom Service objects not working for PF
compiler". User tried to generate a nat rule like this using
CustomService object:
nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22
Taken from the bug report:
it turned out, I can not fix this. You are trying to use Custom
Service object to insert protocol list into a "nat"
rule. Normally, a service object such as TCP or UDP service
generates two components for any rule where it is used: a protocol
specification and port specification
(type/ code spec for ICMP). PF is sensitive to the order of
parameters in the rule, in particular, protocol must be defined
after interface but before src/dst addresses in the rule, while
port numbers go after addresses. Compiler easily retrieves this
information from IP, TCP, UDP and ICMP services and places it in a
proper slots in the rule it generates. CustomService does not
have a notion of protocol and parameters for it, so compiler puts
a string that is configured in the CustomService in the place
reserved for port numbers. This means you can not use
CustomService to specify protocols.
There still was a bug in fwb_pf where it would print
"custom_service" in place of protocol. This is fixed in 2.0.6
build 542. Protocols can not be inserted with Custom Service
though.
Feature request #1111267 "CustomService should specify protocol
and parameters for it" has been opened
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1102629: "lost
chain in accounting rules". Rules with multiple objects in one of
the rule elements and action 'Accounting' generated code that
ignored objects in that rule element
* ObjectManipulator.cpp (newPhysicalAddress): fixed bug #1111244
"GUI allows to add more than one MAC address to an
interface". There can only be one MAC address for each interface.
* FWWindowPrint.cpp (printQTable): While printing rule sets, the
program makes sure rule set tables are broken on the rule
boundaries while switching to a new page.
* Added "Page setup" dialog to set parameters such as printing
header, printing of a legend and object lists etc.
* fixed bug #1109174: "Cannot print rule base" - implemented
printing
2005-01-25 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): fixed bug #1109631: "can not copy
firewall script to /etc on Linksys". Added an option ot all OS
resource files that determines whether user is allowed to change
installation directory on the firewall. Currently it is allowed on
all supported OS except Linksys/Sveasoft because there /etc/
resides on read-only filesystem
2005-01-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1101910: "Samba
problem with Bridged Firewall". Need to split rule to take care of
broadcasts forwarded by the bridge and broadcasts that are
accepted by the firewall itself. Need to do this only if the rule
is not associated with any bridging interface.
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1106701: 'backup ssh access' and statefulness
interation. Need to add rules matching states ESTABLISHED and
RELATED for the backup ssh access to make sure it works even if
global rule matching these states is disabled.
* configure.in: fixed bug #1107838: "bug in configure script in
fwbuilder 2.0.6". Need to specify path "./" when calling
runqmake.sh
* FWWindowPrint.cpp (filePrint): printing legend and a list of
objects at the bottom of a printed document.
* Compiler_ops.cpp (operator==): API change: fixed bug #1108861:
"two rules using MAC address matching shadow each other". Need to
check for MAC addresses while processing rules for shadowing.
2005-01-21 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): Implemented printing of firewall
rule sets. Using standard QT class QPrinter; can print to a system
printers or to a file (PostScript), both in black and white or a
color where available. Prints policies of the currently opened
firewall. The program can calculate total number of pages and
offer the user a choice in the Print dialog only if QT v3.2 and
later is used. Each printed page has a header with the file name,
RCS revision and a page number. Currently, the header can not be
turned off (will implement in the future).
2005-01-07 <vadim@vk.crocodile.org>
* v2.0.5 released
2005-01-06 <vadim@vk.crocodile.org>
* RCS.cpp (isDiff): writing RCS log in UTF-8, this simplified
localization
2005-01-02 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): working on localization of RCS log entries. Build
516 converts log strings into 8bit string into locale-specific
format on Unix before sending it to ci. Strings returned by rlog
are converted from locale-specific format. No conversion is done
on Windows and Mac OS X.
* objects_init.xml.in: fixed bug (no num) that caused GUI crash
when user created new firewall object using template with three
interfaces.
2004-12-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed bug
#1093620: "path (to ipfw) with spaces fails". Generated script
failed if path to ipfw contained space. I only worked around this
problem for ipfw; paths to sysctl and logger must be standard and
never contain spaces.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1093472: "ipfw
port range(s) errors". There can only be one port range in a
single ipfw rule.
* PolicyCompiler_ipfw_writers.cpp (_printProtocol): fixed bug
#1093461: "problem with 'established' in ipfw". Ipfw requires
protocol to be set to 'tcp' if option 'established' is used in a
rule.
2004-12-29 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): fixed bug #1092810: "Multiline RCS comments are
shown as a single line on windows". As it turned out, this bug
affected all platforms.
* RCS.cpp (ci): an attempt to fix a bug that does not allow to
enter RCS comment using non-english locale.
2004-12-28 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (getInterfaceVarName): fixed bug
#1059393: "function getaddr failed for eth1.0020". Generated
script can now work with interfaces that have a dot in their name
(such as "eth1.0020" - vlan interface)
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1092141: "irritating FORWARD rule for established
connections". Need rule in FORWARD chain only if ip forwarding is
on or set to "no change"
2004-12-22 <vadim@vk.crocodile.org>
* Compiler.cpp (createRuleLabel): API change: fixed bug #1068119:
"additional whitespace for Rule comments in .fw file". Added extra
space between rule number and interface spec in rule comments.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1089866:
"multiple services in one rule confuses ipfw compiler". If several
UDP or TCP objects were used in the same policy rule and these
service objects had source port ranges defined, the compiler would
produce incorrect code by combining source port range
specifications together in the same ipfw command.
* main.cpp (main): Pull-down menu "On startup" in the "General"
tab of the preferences dialog now has three items: "Load standard
objects", "Load last edited file" and "Ask user what to do". The
last item is default.
* PolicyCompiler_PrintRule.cpp (_printProtocol): fixed bug
#1089586: "default --icmp-type value is 0 in iptables <
1.2.9". The problem concerns policy rules using service object
"any ICMP". A rule like this is supposed to match any ICMP
packet. Few versions ago I had to add option "-m icmp" (and "-m
udp", "-m tcp") because I've discovered that iptables-restore on
some systems (linksys sveasoft firmware, iptables v1.2.11) refused
to load rules without it. Now it turns out that iptables v < 1.2.9
(tested on 1.2.6a and 1.2.7a) implicitly adds equivalent of
"--icmp-type 0" to rules with "-p icmp -m icmp" and without
"--icmp-type" option. Since type 0 is actually icmp echo reply, a
rule like this does not match "any ICMP" as it was supposed to
do. Iptables 1.2.9 implicitly adds "--icmp-type 255" which matches
any icmp type. Using "--icmp-type 255" on iptables 1.2.6 and 1.2.7
does not work (a rule does not match icmp packets with type
different from 255). The fix generates "-p icmp -m icmp
--icmp-type any" for iptables 1.2.9 and later, as well as when
iptables version is not specified in the firewall object settings.
It generates just "-p icmp" for versions < 1.2.9.
2004-12-19 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (newInterfaceAddress): GUI change: main
menu item "Object/New Object/Address" and corresponding toolbar
button always creates an Address object under Objects/Addresses
folder in the tree. Address of an interface can be created using
pop-up menu item "Add IP Address"
2004-12-16 <vadim@vk.crocodile.org>
* Bunch of cosmetic bugfixes in the GUI
* PrefsDialog.cpp (setButtonColor): implemented feature request:
colors that are used to color rules can be changed in Preferences
dialog.
2004-12-13 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileOpen): when user clicks menu item "File/Open"
to open a new file, the GUI should save and close currently opened
file only after the user chooses new file. If user clicks Cancel
in the File/Open dialog, operation should be cancelled so the user
can continue working with currently opened file. The same applies
to operation File/New.
2004-12-12 <vadim@vk.crocodile.org>
* po.pro: fixed bug (no num): localization was broken on win32 and
mac os x because translation files were not installed properly.
* ObjectManipulator.cpp (pasteTo): improved behavior of the main
menu "Edit" as well as pop-up menu that appears when user right
mouse clicks on an object in the tree. Menu item "Paste" should
only be enabled if the clipboard is not empty and objects that are
stored in it can be pasted into selected object in the tree.
2004-12-10 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (selectedRevision): fixed bug (localization):
RCS log entries made using non-ascii characters used to appear as
'???' in Open File and File/Properties dialogs.
* ObjectEditor.cpp (validateAndClose): more bugfixes for the
behavior of the object editor dialogs. Dialog should ask if user
wants to save data and then validate it when user clicks on [x] to
close editor dialog. It used to validate the data first, then ask
if they want to close dialog.
2004-12-09 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): when user opens data file in the old format
(fwbuilder v1.1.x, extension .xml) and after autoupgrade the
program discovers that the same file with extension .fwb already
exists, it offers the user a chance to choose different name. If
user clicks "Cancel" at this point, the program cancel operation
and reverts upgraded data file back to its original name and
version.
* listOfLibraries.cpp (add): fixed bug (internal #34) the program
should issue a warning when user tries to add a library file
(.fwl) that contains object library that already exists in the
opened data file.
* ObjectEditor.cpp (validate): Streamlined logic in the object
editor dialog. This improves handling of the situation when user
closes dialog by clicking on [x] while 1) there are unsaved data
and/or 2) some of the object's parameters have illegal values. The
dialog behavior also depends on the setting of the global flag
"Autosave" that causes dialog to automatically save data when user
switches between objects.
2004-12-08 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): numerous fixes for localization
2004-12-05 <vadim@vk.crocodile.org>
* ObjectManipulator.h: numerous bugfixes:
- properly synchronizing state of the items main menu with state
of corresponding items in the pop-up menu that appears when user
right-mouse-clicks on an object in the tree
- fixes for non-localized text strings in dialogs (mostly
"Continue", "Yes"/"No" etc. in many places)
- proper localization of the human-readable version number text
for iptables; also made info window print readable text instead of
"lt_1.2.6"
- cosmetic changes in some dialogs layout to make the look better
when localized text makes strings much longer
- firewall object dialog tab "Templates" has been hidden. It is
unlikely that this feature will be implemented in 2.0.X series.
2004-12-04 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no num): the GUI crashed
when user tried to add a library file for auto-load in
Preferences/Libraries and the first library object in that file
had a name using non-ascii characters
* Bunch of other fixes to avoid '????' in various places for
localized strings
2004-12-04 <vadim@vk.crocodile.org>
version 2.0.4 released
2004-12-02 <vadim@vk.crocodile.org>
* utils.cpp (fillLibraries): fixed bug (no num): if a library was
assigned a name with non-ascii characters, it would appear
distorted in the pull-down list in object dialogs.
* fixed bug #1077496 ] Error compiling libfwbuilder in FreeBSD:
The problem was caused by changed major version number of libnetsnmp library
in the latest net-snmp port (v5.2)
2004-12-01 <vadim@vk.crocodile.org>
* FWWindow.cpp (openFirewall): fixed bug #1077072: "CrossPlatform
Firewall Builder Crash" - pressing arrow down key on the keyboard
right after the GUI started with no firewall objects defined
caused crash.
2004-11-30 <vadim@vk.crocodile.org>
* po/ru.qm: Updated Russian translation
2004-11-25 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw::processNext): fixed
bug #1073491: incorrect code for rules using two interfaces with
negation. If a rule had two (or more) interfaces of the firewall
in the destination, with negation, the code generated by compiler
would check one interface's address in INPUT chain and another in
FORWARD chain. It should check addresses of all interfaces from
the corresponding rule element in the INPUT chain and also check
addresses and possibly services from other rule elements in the
FORWARD chain. This bug affected rules with two or more interfaces
both in source and destination.
* po/LINGUAS: translators maintain Russian localization using QT
linguist rather than gettext, removed ru locale from gettext
Makefiles but left it in po.pro for installation
* fwblookup.cpp: a fix to make it compile on FreeBSD w/o gnugetopt
port
* utils.cpp (addPopupMenuItem): minor fix to help localization
('add object' and operation on rules pull-down menus did not
translate properly)
2004-11-23 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): built-in installer checks exit
status of the script it runs on the firewall and aborts
installation sequence if it detects an error. OS resource files
have been updated accordingly so they return exit status '1' in
case of error and '0' when they succeed.
* Compiler_ops.cpp (checkForShadowing): API change: still working
on the IPService object shadowing changes. ip fragments object was
shadowing GRE object, which was incorrect. Hopefully this change
finally fixes it.
2004-11-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug (no
number): policy compiler for iptables used "tail -1" in the shell
script that read actual IP addresses of interfaces of the
firewall. This shell code failed to determine correct address of
an interface that was configured with a secondary
address. Reverted to using grep (I switched to tail when ran into
limitations of one of the beta builds of Sveasoft Linksys firmware
that did not have grep)
2004-11-18 <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (processNext): fixed bug #1068936:
"unnumbered interace not using MASQUERADE". Comiler for iptables
will use target "MASQUERADE" if unnumbered interface is used in
Translated Source in a NAT rule.
* utils.cpp (fillLibraries): fixed bug (no num): group object
dialog showed incorrect library name for groups located in the
"Standard" library
2004-11-17 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no number): GUI could not
find names of the object libraries in external library files that
user added for automatic load in the Preferences dialog on
Windows. It would find the name of the library in the first file,
but failed to find library names in subsequent files and used the
name from the first file. Since this library was only present in
the first file, object tree was getting corrupted when the program
attempted to load this library from every file configured for
automatic pre-load. This only happened on Windows.
* dns.cpp (init): API change: fixed bug (no number): program
crashed on FreeBSD 5.3 when using SNMP to obtain parameters for
hosts and interfaces. Crash occurred because of use of
uninitialized mutex variables in module dns.cpp
2004-11-16 <vadim@vk.crocodile.org>
* main.cpp (main): improved error handling: if the GUI is started
with a file on the command line or is configured to open a file
automatically on startup and RCS can not check the file out, the
GUI will come up empty (with only standard objects loaded).
* po/ja.po: Added Japanese translation by Tadashi Jokagi
<elf@elf.no-ip.org>
* DialogFactory.cpp (createFWDialog): added XML element
FWBuilderResources/Target/dialog to platform and host OS resource
files. This element describes GUI dialog that should be opened for
the firewall object for a given firewall platform or host OS. This
is to be used with customized resource files, e.g. when user wants
to add their own host OS resource file to change commands used to
load and activate policy on the firewall. Such customized resource
file will have unique "description" element (the value of this
element appears in the pull-down menu in firewall object dialog)
and the same values for "family" and "dialog" elements to indicate
which firewall family it belongs to and which dialog should be
used. Policy compilers consult "family" element to check if the
firewall platform is supported by the compiler.
* GroupObjectDialog.cpp (addIcon): fixed bug (no number): group
object dialog corrupted object names if they contained non-ascii
characters.
2004-11-13 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): Removed "always new"
mode for access lists and object groups for PIX
configurations. This mode works well when user installs new
configuration but causes problems if they want to reinstall the
same configuration.
Also converted old option "pix_add_clear_statements" to one of the
confgiuration script modes. So, final list of script modes for PIX
is as follows:
- basic or old format when access lists are cleared and added
from scratch. This is the simplest mode which can be used if
management station connects to the firewall from inside. Remote
management over IPSEC tunnel may be difficult since tunnel
traffic is blocked as soon as "clear access-list" command is
executed.
- access-list and object-group commands are generated but "clear
access-list" and "clear object-groups" commands are not
added. User's installation scripts should take care of that. This
option replaces old option pix_add_clear_statements (with
opposite semantics)
- temporary access list is created and added to outside
interface, then main lists and object groups are added with
permanent names and assigned to interfaces. Temporary list
permits all traffic from a single subnet configured in the GUI
via option pix_acl_temp_addr. Temporary list is small and is not
cleared in the end. Temporary list helps maintain IPSEC tunnel
for the time when access-lists are cleared and firewall is
running with default acl that does implict deny for all traffic.
2004-11-12 <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no number): pfctl expects "-F Sources"
and "-F Tables" command line options with "Sources" and "Tables"
capitalized.
* FWObjectDatabase.cpp (merge): API change: changes in the object
database merge algorithm: when an object database we are trying to
merge has non-empty "Deleted objects" library, deleted objects
from this library should be ignored (they used to be deleted from
the current tree). Likewise, when current tree has non-empty
"Deleted objects" library and objects in it match objects being
merged in, objects should be removed from "Deleted objects"
library to avoid creating duplicate IDs with objects being merged
in.
2004-11-10 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): API change: fixed bug (no
number): rule shadowing algorithm now assumes that IPService
object with protocol number '0' shadows any other service just
like 'any' does.
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1063953: "Wrong accept/multiport rule generated". Compiler
generated wrong code for rules using multiple service objects of
different types (TCP and UDP, or TCP and ICMP etc), multiple
addresses in src or dst with option that requires using TCP RST
for action REJECT.
2004-11-07 <vadim@vk.crocodile.org>
* SSHPIX.cpp (getACLs): New feature: added support for new
configuration script formats for PIX in installer:
- basic or old format when access lists are cleared and added
from scratch
- access lists have unique names each time policy is recompiled,
lists are added without clearing.
- access lists are added with temporary names and assigned to
interfaces, then the same lists are added with permanent names,
lists are swapped and temporary lists cleared
Last two methods provide for instantaneous access list swap so
that the firewall never runs with empty lists. This helps maintain
access to the firewall if configuration is installed remotely.
* SSHPIX.cpp: New feature: Installer always clears unused access
lists after confgiuration is loaded.
2004-11-06 <vadim@vk.crocodile.org>
* fwcompiler/Compiler.cpp (complexMatch): fixed bug #1055937:
"Any->all_multicasts not in INPUT Chain". Need to check if network
objects are multicasts; assume that multicast always matches
firewall object (e.g fwb_ipt will put rule with such network
object in destination in INPUT chain)
* instDialog.cpp (instDialog): Added an option to push PIX
configuration to a standby firewall at the end of install.
2004-11-01 <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (_printDstService): fixed bug (no
number) where compiler for iptables used option
"--destination-port" with module "multiport" for versions of
iptables that do not understand it (1.2.6 and later, as well as
default version setting 'any'). The option should be
"--destination-ports" or "--dports".
2004-10-31 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug (no number): Policy installer
failed if the following conditions were met:
- it was running on Linux, FreeBSD or Mac OS X
- working directory configured in the "General" tab of the
Preferences dialog did not exist and could not be created or its
permissions did not allow user that runs the GUI to access it
* NATCompiler_ipt.cpp (processNext): fixed bug (no number) in
fwb_ipt that caused no-nat rules with firewall in OSrc to be
placed only in OUTPUT chain. Packets originating on the firewall
go into OUTPUT and POSTROUTING chains, so no-nat rules must be
placed in both. Other minor improvements for NAT of the locally
originated connections have been done as well.
2004-10-30 <vadim@vk.crocodile.org>
* NATCompiler_PrintRuleIptRst.cpp (_endRuleLine): fixed bug (no
number): compiler placed extra quote '"' at the end of each NAT
command in the script using iptables-restore; this happened
only if all interfaces of the firewall had static addresses.
* PolicyCompiler_PrintRule.cpp (_printProtocol): testing policy
installation via iptables-restore with old versions of iptables
(1.2.6a). Need to include "-m tcp", "-m udp" or "-m icmp",
otherwise iptables-restore does not understand options "--dport",
"--tcp-flags" and some others. Also had to use "--tcp-flags
SYN,RST,ACK SYN" instea dof "--syn" for better backwards
compatibility.
2004-10-26 <vadim@vk.crocodile.org>
* ipt.cpp (main): iptables: Added ability to instert shell
commands defined in the prolog script in three places:
- on the top of generated script
- after interface configuration but before resetting existing
iptables policy
- after existing policy rules are flushed and optional global
implied rules added but before all policy and NAT rules
2004-10-24 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRuleIptRst.cpp (_createChain): implemented
Feature Request #1021201: "output iptables-restore compatible
config from fwb_ipt". Policy compiler for iptables can use
iptables-restore to activate firewall policy. Iptables-restore
provides for atomic policy load and allows to load large policy
much faster. Atomic load means the whole filter or nat table is
activated at once, and if there is an error, nothing is
changed. Compiler generates script in three possible formats:
- the ususal shell script that adds rules one at a time by
executing iptables command with an "-A" flag to add a rule;
- commands are fed to iptables-restore, this format is used when
all interfaces of the firewall have static IP addresses and
script does not need to determine addresses at run time;
- script determines IP addresses of interfaces and discovers
dynamic interfaces that were defined as a "wildcard" interface
in fwbuilder (e.g. 'ppp*'); code that is sent to
iptables-restore is generated dynamically by the script at run
time.
Using iptables-restore is optional and is controlled by
the checkbutton in the "Script options" tab of firewall settings
dialog. Path to iptables-restore utility can be set in the "Paths"
tab of the host settings dialog.
* A change in the script generated by fwb_ipt: if iptables-restore
is not used to load policy, generated shell script purges existing
firewall policy (all tables and chains) and sets default chain
policies after it configures interfaces of the firewall.
Previously, it would flush tables and set default policy before it
configured interfaces.
2004-10-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (pasteRuleAbove): fixed bug #1028866: "incorrect
order when several rules copied using copy/paste". Pasting
multiple rules into an empty policy caused rules to be inserted in
the wrong order.
* freebsdAdvancedDialog.cpp (freebsdAdvancedDialog): fixed bug
#1046345: "ipfw - no option to specify ipfw executable". Added GUI
control to let user specify alternative path to "ipfw" on
FreeBSD. Control like that was previously available only for Mac
OS X
* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast),
Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773:
need to match network address as well as broadcast. Packets sent
to the network address (192.168.1.0 for net 192.168.1.0/24) go in
the broadcast frame and behave just like IP broadcast packets
(sent to 192.168.1.1255 for the same net)
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#1040599: "unnecessary FORWARD rules". If ip forwarding is turned
off in the host settings dialog of the linux-based firewall,
compiler should not generate rules in FORWARD chain.
2004-10-20 <vadim@vk.crocodile.org>
* linux24.xml.in: Added element "Target/family" to all OS resource
XML files. Compilers use "family" resource element to determine if
host OS is supported. User may want to copy host OS resource file
to modify installer scriptlets; as long as the family element is
kept the same, compiler will accept new resource file.
* linksys.xml.in: Added elements
"Target/options/suppress_comments" and
"Target/options/suppress_modules" to the OS resource files
linksys.xml and linux24.xml. These options suppress printing
comments in the generated script and remove commands that load
kernel modules. These options are used for Linksys/Sveasoft
appliance but can also be used for other firewalls based on Linux.
2004-10-19 <vadim@vk.crocodile.org>
* pf.cpp (main): Activation script for PF flushes only information
about rules, nat, source and tables (it used to flush "all"). This
preserves queue entries and states.
* ipt.cpp (main): moved rule permitting backup ssh access from the
management station to the firewall to the top of the script. This
helps maintain ssh session, otherwise it may stall or break
because stdout buffer is filled with diagnostic or progress output
from the script that is printed after all chains are flushed but
before rule permitting ssh to the firewall is added. If stdout
buffer is full, ssh stops and tries to send the text to the
management station but times out because firewall blocks it.
* ipt.cpp: removed code that added iptables command to the "drop"
table to drop and log all dropped packets. This rule used
obsoleted patch-o-matic patch "drop" which is not available
anymore.
2004-10-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug (no number): all policy compilers
properly detect an error when the output file can not be created
or overwritten and print error message to warn the user.
* New feature: added support for prolog and epilog scripts for all
firewall platforms. This was available for PIX for some time, now
it has been added for all platforms. "Prolog/Epilog" tab of the
firewall settings dialog allows for editing of two blocks of
commands that will be added to the generated firewall script
verbatim. Prolog block is added on top, while epilog block is
added at the bottom. Both prolog and epilog are expected to be
shell scripts and are added to the generated shell script that
activates firewall. For iptables and ipfw all compiler generates
is this shell script and prolog and epilog commands are inserted
into it. These commands may execute some actions, as well as add
any policy or nat commands. For ipf and pf prolog and epilog
commands are added to the activation shell script ( .fw file);
prolog is added immediately after the command that flushes all
rules. This way user may either execute shell commands or add
policy and/or nat rules by loading them from external file.
2004-10-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (addFirewallToList): fixed bug (no number)
introduced in 2.0.3 when GUI crashed if user tried to choose
pull-down menu item in the firewall list after the very first
firewall object has been created.
* SSHPIX.cpp: Added #include <errno.h> to make code compile with
gcc 3.4.2 and glibc 2.3.3
* ipt.cpp (main): fixed bug #1040788: fwb_ipt and user
name. Compiler used to read environment variable "USER" to find
out user's name. Sometimes this variable is not set, which caused
compiler to abort. Using env variable LOGNAME in addition to USER.
2004-09-30 <vadim@vk.crocodile.org>
* v2.0.3 released
2004-09-28 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): since config diff is broken for pix
v6.3(3) (because it does not permit adding duplicate ACL entries),
"save diff to file" option is temporary disabled. "Incremental"
install renamed to "install only ACL,icmp,telnet,ssh,nat,global
and static commands"
2004-09-27 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): script
generated by compiler for iptables checks if /usr/sbin/ip exists
on the firewall before it tries to use it to verify interfaces and
configure IP addresses. This check is only performed if user
activated options that use this tool. An error message "Interface
eth0 does not exist" was generated if package iproute2 was not
installed on the firewall, which was confusing.
* FWWindow.cpp (doCompile): Added option "output file name" to
firewall settings dialogs for all platforms. User can specify the
name for the output file; this name is then used by built in
installer in place of a macro %FWSCRIPT%.
* ipt.cpp (main): Added command line option "-o" for all compilers
* FWWindow.cpp (save): fixed bug #1035800: "Autosave failure opens
error window repeatedly". This bug was in fact fixed earlier.
2004-09-26 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): fixed bug #1035130: 'Persistent
"Save" dialog box'. Certain combination of actions on user's part
used to lead to an indefinite loop of "do you want to save the
data" dialogs. The problem was triggered if user skipped choosing
a name for the new file in startup dialog.
* linux24.xml.in: fixed bug #1035132: "compile errors with default
Linksys firewall object". This bug has been introduced in build
435. When user created a new firewall object using one of the
template objects, the GUI would add bunch of garbage to the
firewall options. This garbage violated XML DTD, so compilers and
the GUI would not accept the data file anymore.
2004-09-25 <vadim@vk.crocodile.org>
* ipt.cpp (main): using "set -x" to turn debugging on in generated
iptables script. This will work even if the script is activated
with "sh script.fw" command.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
changed commmand line for sed to more portable version. We used to
use 'stmt; stmt' syntax, which is not always portable. Switched to
a supposedly more portable syntax using multiple "-e" command line
options.
2004-09-23 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): fixed bug (no number): as of
build #430, installer ignored activation command configured in the
"install" tab of firewall settings dialog. Restored this
functionality.
* OSConfigurator_linux24.cpp (printPathForAllTools): just like
with "tail -1", some busybox based systems require "head -1" to be
changed to "head -n1"
2004-09-22 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): fixed bugs in installer that
prevented it from working on OpenBSD. Enabled shceduled reboot for
all OS except PIX.
2004-09-21 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): "schedule reboot" option is
only enabled for linksys since it does not work on other platforms
(yet)
* FWWindow.cpp (openFirewall): implemented Feature Request
#1032126: "Firewall label for clarity". Printing the name of the
firewall object that is opened in the policy panel in a large font
right above interface/policy tabs. This was easy to implement but
I consider it an experiment. Will request feedback from users.
* SSHSession.cpp (startSession): refactored code in built-in
installer. Moved interaction with ssh to classes SSHSession,
SSHUnx and SSHPIX. Moved "scriptlets" that are executed on
firewall to activate policy in different modes to resource
files. Using ssh rather than scp to copy policy script to
unix-based firewalls (pscp.exe on Windows works only if the server
supports sftp, but dropbear on Linksys does not support it so
installer breaks if we use scp/pscp.exe to copy the policy).
Still having problems with scheduled reboot option on Linux/BSD
firewalls (it works on Linksys though).
* OSConfigurator_linux24.cpp (printPathForAllTools): bugfix: some
editions of busybox do not support "tail -1" syntax and require
"tail -n1"
2004-09-19 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): Improvement in the built-in
installer: added an option to schedule automatic firewall reboot
in specified time (in minutes) after policy activation. This
option is available for all firewall platforms but PIX. This
option only works if user requested policy activation in a test
mode, in which case policy is copied and activated on the firewall
but not stored in the permanent location. After reboot the
firewall reverts to the previous version of the policy. To cancel
scheduled reboot, run installer again with "test run" option
turned off. Installer stores the policy in the permanent location,
activates it and cancels scheduled reboot.
* src/res/os/linux24.xml.in and other: moved all commands used by
built-in installer to resource files.
2004-09-18 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): NAT rule of type DNAT (rdr
rule) is assigned to an interface of the firewall if interface
object or its address object is used in ODst. To get rdr rule
without interface assignment, use an Address or a Host object that
has the same IP address as that of firewall's interface but that
is not a child of an interface. This is the same approach that is
used in iptables.
* PolicyCompiler_pf.cpp (compile): Compiler for pf always uses
tables; this breaks compatibility with older OpenBSD systems (3.2
and 3.3)
* PolicyCompiler_pf.cpp (findDynamicInterfaces): Compiler for pf
puts interface name in a table even if interface is dynamic for
rules that use multiple objects in src or dst and one of these
objects is dynamic interface of the firewall that is being
processed. Using dynamic interface of another object in a rule is
still considered an error. Compiler puts the name of dynamic
interface in a table verbatim, without brackets '(' ')' since pf
does not replace dynamic interface with its address dynamically if
it is used in a table (pfctl issues an error if interface is put
in brackets)
2004-09-17 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (configureInterfaces): flushing only
secondary ip addresses on interfaces. This should fix a bug that
caused linksys/sveasoft unit to lose default route upon reboot if
external interface has static IP address.
2004-09-15 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): fixed bug
#1028980: "need an option to turn logging on on fallback rule"
* PolicyCompiler_pf_writers.cpp (processNext): fixed bug #1028973:
fwb_pf: missing "flags S/SA" in front of "modulate state"
* pfAdvancedDialog.cpp (pfAdvancedDialog): added an option to
permit tcp sessions opened prior to firewall restart. This is
needed now since compiler generates "flags S/SA" for the "keep
state" and "modulate state" rules which means firewall won't
permit TCP sessions unless it saw opening SYN packet.
* instDialog.cpp (getActivationCmd): improvements in policy
installer: added an option for test run. When this option is
activated, policy script is pushed to the firewall and is executed
but is not stored there permanently. Firewall reverts to the last
working configuration after reboot.
* NATCompiler_ipt_writers.cpp (processNext): using abbreviated
versions of "--dport", "--sport", "--dports", "--sports" options
to make generated iptables script smaller. Also changed the name
of the variables used to hold IP address of dynamic interface from
"interface_<ifname>" to "i_<ifname>". All this should help to fit
larger policies into small FLASH on linksys. These changes shrunk
my test script from 7964 bytes to 7430 bytes
2004-09-14 <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultOptions): fixed bug #1028078:
"options.png is not displayed for "Assume firewall is part..."
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixed bug (no num):
"firewall settings" dialog for OpenBSD pf did not save option "Use
tables".
* instDialog.cpp (getActivationCmd): implemented compression of
the firewall script for Linksys/Sveasoft combo. Using gzip and
uuencode/uudecode to compress the script and store it in flash
variable 'fwb'. Installer prints flash memory stats after
commiting changes. Installer uses scp to copy firewall script to
the firewall and autogenerated prompt to detect when it logged in;
it does not depend on Linksys shell prompt anymore.
2004-09-12 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): implemented
feature request #1023430: "add checkbox for INVALID support in fw
settings". Added two checkboxes to the firewall settings dialog:
one adds a rule to drop INVALID packets and another adds logging
to the rule.
* FWWindow.cpp (fileSaveAs): fixed bug #1026945: '"Save As" does
not work if current file is in RCS'
* FWWindow.cpp (removeFirewallFromList): fixed a bug (no number):
after deleting a library firewall objects that belong to it were
not removed from the pull-down list
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1026794: multiple SRC ntwks --> "iptables: invalid
argument". Recent changes in optimizer introduced this bug. Rules
with multiple objects in src or dst, TCP service, action Reject
and option "reject with TCP RST" would generate iptables command
that used option "--reject-with tcp-reset" without "-p tcp"
* PolicyCompiler_pf_writers.cpp (_printDstAddr): fixed bug
#1006906: "Negated network causes pass on network". Compiler for
pf uses native negation syntax that is now available in pf
2004-09-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (TimeNegation): fixed bug #1022216:
"negated time produces incorrect iptables rule". Implemented
negation for the "Time" rule element for iptables
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1026509:
"incorrect rules generated for dual negation with time". Compiler
generated incorrect iptables commands for rules that had negation
in two or more rule elements, one of which was Time.
2004-09-09 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): rules that permit packets
associated with ESTABLISHED,RELATED states moved to the beginning
of the script before NAT rules.
* PolicyCompiler_ipt_writers.cpp: added a checkbox and support in
policy compiler for iptables to generate rules that drop packets
that are associated with no know connection (state "INVALID")
2004-09-08 <vadim@vk.crocodile.org>
* Firewall.cpp (duplicate): API change: fixed bug (no number): all
references to the interfaces, as well as their IP and MAC
addresses, in policy and NAT rules should be replaced when
Firewall object is duplicated. Until now only references to the
firewall object itself and to its interfaces were replaced with
references to the newly created copies of object. References to IP
and MAC addresses still pointed at the old objects.
* FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI
corrupts XML file after creating a second firewall". Global object
ID counter was getting reset every time new FWObjectDatabase
object was created. This lead to the ID collision if user quickly
created and deleted complex objects (such as Firewall) and used
database merge. This should also fix bug #1022785: "GUI corrupts
XML file after creating a host entry"
* PolicyCompiler_ipt_optimizer.cpp (processNext): fixed bug
#1024861: "optimizer is broken in fwb_ipt". Used idea and a patch
by Mark Vevers <mark@vevers.net>. Fixed compiler fwb_ipt generates
more efficient iptables script for rules with multiple objects in
all rule elements. The script is smaller and eliminates
unnecessary comparisons for packet attributes. Every attribute
(i.e. source address, destination address, protocol and port
numbers) is checked by the script only once. This should help
reduce load on firewalls with lots of complex rules.
* VERSION: set version to 2.0.3
2004-08-31 <vadim@vk.crocodile.org>
* v2.0.2 released
2004-08-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1019943: "Missing ip addresses in the
rule using interfaces"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): fixed bug
#1019691: "040829 nightly build doesn't add paths for linksys"
2004-08-30 <vadim@vk.crocodile.org>
* VERSION (VERSION): version 2.0.2, revision 1
* aboutdialog_q.ui.h (init): "About" dialog shows registration
status (used only in non-GPL versions)
2004-08-28 <vadim@vk.crocodile.org>
* fixed FreeBSD port, now compiles on 5.3BETA
2004-08-25 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): Added support for options
"max", "max-src-nodes" and "max-src-states" in pf. These allow to
limit number of concurrent state table entries ("max"), number of
source addresses that can simultaneously have state table entries
("max-src-nodes") and number of simultaneous state entries per
source address ("max-src-states") per rule.
* LibExportDialog.cpp (accept): fixed bug #1015884: "Export more
than one library fails with 0 references". Export library
operation failed if user exported two libraries with groups or
rules in one library referencing objects in the other.
2004-08-24 <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog): Implemented support for
all timeout settings in pf: tcp.first,tcp.opening,tcp.established,
tcp.closing,tcp.finwait,tcp.closed,udp.first,udp.single,udp.multiple,
icmp.first,icmp.error,other.first,other.single,other.multiple, including
adaptive timeout scaling options adaptive.start and adaptive.end
2004-08-23 <vadim@vk.crocodile.org>
* FWBTree.cpp (getStandardSlotForObject): fixed bug #1014725:
"adding new ICMP types". If user created service group with the
name "ICMP", the GUI would place new ICMP objects under this group
instead of the standard folder "ICMP". There was the same problem
with other object types, too.
* ObjectManipulator.cpp (simplifySelection): debugging in
operations "delete object", "move object", "undelete". Making sure
we can delete and undelete libraries, delete and move several
objects at once, group several objects. There were problems if
user selected several host or firewall objects using Shift-Click
(although interface and address objects were not visible to the
user, they were selected and acted upon in delete or move
functions; this lead to unexected results or crashes).
2004-08-22 <vadim@vk.crocodile.org>
* templates.xml.in: added template firewall objects for Linksys
firewall and a web server.
* templates.xml.in: fixed bug #1013957: "incorrect NAT rule in
firewall created from template #3". The problem was caused by
incorrect ip address of interface "dmz" in the template object #3.
* pixAdvancedDialog.cpp (pixAdvancedDialog): implemented a backup
ssh access rule. The user specifies management station IP in the
firewall settings dialog for PIX and compiler adds a rule on top
of all other rules to permit ssh from this address to the
firewall.
2004-08-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): avoiding grep in the
generated iptables script - Sveasoft Alchemy pre-5.2.3 does not
have grep
* API change: fixed bug #1012733: "configure --libdir=DIR will be
ignored at installation". Needed to use macro _libdir to specify
target directory for libraries. Used it in configure, qmake.in,
libfwbuilder-config-2 and a .spec file
* objects_init.xml.in: added new service objects to the Standard
objects library: "xmas scan" (old object renamed "xmas scan -
full"), rsync, distcc, cvspserver, cvsup, afp, whois, bgp, radius
and radius acct, SSDP and UPnP. This fixes bug #1011248: "need two
xmas scan service objects"
* FWWindow.cpp (fileImport): function File/Import offers a choice
of .fwl, .fwb and "all files" in the open file dialog. This fixes
bug #1013485: "File/Import should allow to import .fwb file"
* FWWindow.cpp (load): fixed bug #1008956: "Existing .fwb file
gets overwritten if has wrong extension". If the GUI needs to
rename a data file with old extension .xml to .fwb, it checks if a
file with new extension exists and offers user a chance to choose
a different name. It also treats symlinks in a special way: if
user creates a symlink with extension .xml pointing at a file with
extension .fwb, the GUI simply follows the link and works with
.fwb file. This should work with Windows shortcuts, too.
* instDialog.cpp (instDialog): built-in installer uses shell
prompt string patterns configured in the host OS settings dialog
for linksys. This fixes bug #1013022: "can not install policy
script on linksts Alchemy pre-5.2"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): Added host OS
settings dialog for linksys/Sveasoft. Dialog provides entry fields
for paths to iptables, lsmod, modprobe, logger tools and two shell
prompt string patterns, this should help to work around changes in
the shell prompt on Linksys. This fixes bug #1013018: "host OS
settings" dialog is missing for linksys
2004-08-20 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): fixed bug #1009345: "Can
only move one host object at a time between libraries"
* ObjectManipulator.cpp (deleteObj): fixed bug #1013177: "deleting
multiple hosts causes crash"
* DTD change: fixed bug #1011617: "deleting physcal address object
leads to the DTD violation"
2004-08-08 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_writers.cpp (_printDstService): fixed bug
#1005148: "MAC matching - space missing". Space was missing
between MAC address and custom service code.
2004-08-06 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed compile problem on systems
where QT is built without STL support
* PolicyCompiler_ipt_writers.cpp (_printLimit): fixed bug #1004153
"limit-burst = 0 is not valid". Iptables does not accept the rule
using "limit-burst" option if it is set to zero.
2004-08-04 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (pasteTo): fixed bug #1003068: "object
copy/paste not always working". IP address object could not be
placed under interface using copy/paste operation. Now ip address
object can be pasted to interface as well as to Objects/Addresses
folder.
* FWWindow.cpp (fileDiscard): Operation File/Discard closes the
file, discards all the changes that have been made to it and
replaces it with a fresh copy of the head revision from RCS. This
works if user wants to abort file upgrade when they switch to the
new version of fwbuilder.
2004-08-02 <vadim@vk.crocodile.org>
* FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak"
- children objects were not deleted when FWObjectDatabase object
was destroyed.
* iptAdvancedDialog.cpp (accept): fixed bug #1002388: "Clamp MSS
to MTU" option is missing in 2.0
2004-08-01 <vadim@vk.crocodile.org>
* objects_init.xml.in: there were two TCP Service objects
"linuxconf" in the Standard objects library. Object with ID
id3AED0D6D has been removed. It seems this object has been
duplicated long time ago (at least it was like this in 1.1.2)
* FWObject.cpp (getPath): fixed bug #1001725: "object with empty
name can not be deleted". the problem was caused by the algorithm
used in FWObject::getPath. If object had had a blank name, the
path returned by this method would end with the name of its parent
without slash.
* FWWindow.cpp (showFirewalls): fixed bug #1000485: "Firewalls in
the drop-down box not ordered". List of firewalls in the pull-down
that controls policy views is now alphabetically sorted on program
startup.
* utils.cpp (fillLibraries): fixed bug #1000862: "Creating groups
in Deleted Objects". Library "Deleted objects" should not be
offered as a choice for "group objects" operation.
* ObjectManipulator.cpp (contextMenu): fixed bug #1001275: "object
duplication fails w/ no action". GUI used to not allow user to
duplicate IP address object. Now any object can be duplicated so
that the copy is placed under the same parent, including IP
address.
* ICMPServiceDialog.cpp (applyChanges): fixed bug #1001521: "Cant
create ICMP service". ICMP Service dialog did not save icmp code
and type numbers in the object.
2004-07-29 <vadim@vk.crocodile.org>
* 2.0 released, CVS tag set
2004-07-27 <vadim@vk.crocodile.org>
* FWWindow.cpp (install): the GUI calls external installer script
if it is configured in firewall settings dialog when user clicks
'Install', otherwise it should use built-in installer.
2004-07-24 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): correctly copying rule direction
when interface rule is copied/pasted
* instDialog.cpp (selected): proper error messages for management
interface misconfigurations
2004-07-20 <vadim@vk.crocodile.org>
* ICMPServiceDialog.cpp (loadFWObject): ICMP service dialog allows
for setting type and code to 'any' (-1)
2004-07-19 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (processFirewallOptions): fixed bug
#992969: "argument to log should be quoted"
2004-07-14 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): working on bug #990037:
"Wrong rule generated: fw interface included in negated
group". Rules with negation should not generate code in
INPUT/OUTPUT chains if option "assume firewall is part of any" is
off.
* ObjectManipulator.cpp (delObj): fixed bug #990675: "Application
crashes when deleting objects"
2004-07-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw): optimized
processing of policy rules where firewall object is used in src or
dst with negation (possibly in combination with other
objects). Before, generated script would match firewall's
addresses in INPUT/OUTPUT and FORWARD chains which added redundant
checks in the FORWARD chain.
* NATCompiler_ipt.cpp (processNext): fixed bugs #935794: "dual
translation and negation in fwb_ipt" and #986376: "Wrong result
for negated source in NAT rules". Dual translation rule with
negation in OSrc did not process negation in the second half
(POSTROUTING rule, the one that translates the source).
* NATCompiler_ipt.cpp (processNext): fixed bug #965558: "False
ruleset generated for iptables (negate w/ nat)". There were
problems with double negations in NAT rules (OSrc and ODst, or
ODst and OSrv, etc).
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#988860: "Logging missing when firewall start is aborted". When
iptables script generated by fwb_ipt finds missing interfaces,
it prints error message both on stdout and sends it to the log.
2004-07-10 <vadim@vk.crocodile.org>
* FWObject.cpp (_moveToDeletedObjects): now move deleted objects
to the special library with id 'sysid99' rather than delete them
completely. This serves two purposes:
1. can easily provide for undelete function which is very
useful
2. can catch a situation when an object has been deleted
fromt he external library but is still used in the data
file
* FWObjectDatabase.cpp: while merging object trees, checking for
deleted objects. If an object is present in the current tree but
has been deleted in the file being merged in, special form of
conflict resolution dialog is shown. User has only one option - to
delete the object from the file. Typical situation when this
happens is when an object from external library is used in a rule
or group in a data file, then this object is deleted in the
external library. If this external library is preloaded and then
the data file using this object is opened, conflict occurs because
this object is present in the file but is in the "Deleted objects"
in the library. The problem is that the library is read-only, so
if we kept the object (actually, its copy coming from the data
file), the user would not be able to delete it. So, not only
object magically reappeared after it has been deleted from the
library, it appeared in read-only library and can not be deleted
anymore. To avoid this situation we must delete it in the file if
it has been deleted in the library.
* ObjectManipulator.cpp (delObj): "delete object" function moves
it to "Deleted objects" library.
* PrefsDialog.cpp (accept): Added checkbox "Show deleted objects"
to the preferences dialog. If this option is on, user has access
to deleted objects via library "Deleted objects".
* ObjectManipulator.cpp (contextMenu): pull-down menu item "Move"
turns into "Undelete" if an object is in "Deleted objects"
library. This provides for a simple undelete function.
2004-07-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #925199:
"compiles wrongly a double negation". Policy compiler for iptables
generated incorrect code for rules where two rule elements used
negation (i.e. both src and dst, or dst and srv, etc.)
* PolicyCompiler_ipt.cpp (prolog): fixed bug #978854: "false rule
generated for fw object in interface rule". Policy compiler for
iptables generated incorrect code for rules using negated firewall
object in source or destination when global option "assume
firewall is part of any" was turned off.
* fwb_ipt: implemented Feature Request #913273: make "assume fw is
part of any" a per-rule option
2004-07-08 <vadim@vk.crocodile.org>
* FWWindow.cpp (setupAutoSave): Added an option for autosave - if
this option is turned on, the gui periodically saves data to the
file. The autosave interval can be set between 1 minute and 2
hours.
* ipt.cpp (main): fixed bug #917422: "compiler misinterprets
interface with addr 0.0.0.0". If an interface has IP address
"0.0.0.0", it is considered an error.
* added option "strip comments in the script" to the installer
for Linksys and PIX
* do "nvram uset rc_firewall" before loading fw script on
Linksys
* added the following to the list of errors for Linksys
/dev/nvram: Cannot allocate memory
* skip table "mangle" when flushing iptables rules
2004-07-07 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (processNext): fwb_ipt does not
include comments in the script if it is intended for linksys
firewall. Linksys has small nvram and script should be kept small,
otherwise it may not fit in nvram.
* NATCompiler_pf.cpp (processNext): fixed bug #986518: "PF
redirection always point to loopback address"
2004-07-06 <vadim@vk.crocodile.org>
* instDialog4.cpp (stateMachineLinksys): Activating policy on
Linksys/Sveasoft wothout reboot (using command "nvram get
rc_firewall | /bin/sh" instead)
* OSConfigurator_linux24.cpp (prolog): added an option to firewall
platforms iptables, ipfilter, pf and ipfw that sets up a policy
rule to permit ssh access from one specified IP address to the
firewall regardless of other rules. This is for a backup ssh
access from the management workstation in case of an error in the
policy that locks user out of the firewall. The option (a checkbox
and entry field for the management station address) is located in
the "Compiler" tab of the firewall settings dialog. A command that
permits ssh to the firewall from the given address is added on top
of all other rules.
2004-07-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dropEvent): fixed bug #985187: "Usability bug:
Copy objects from one rule to another". Dragging an object from
one rule to another with Ctrl down makes a copy. If Ctrl is up,
then the object is moved.
* instDialog4.cpp (stateMachineLinksys): Added support for Linksys
devices running Sveasoft firmware. Firewall object should be
configured as platform "iptables", host OS "linksys". Policy
installer works both using password and public key authentication.
* NATCompiler_pf_writers.cpp (processNext): fixed bug #985527: pf
NAT rules miss destination port specification. NAT rules that
translate to "map" missed destination port specification.
* main.cpp: the gui can now use external wrapper scipts for ssh
and scp all the way (removed all direct references to commands
"ssh" and "scp", use whatever is configured in preferences
everywhere)
2004-07-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): fixed bugs in the rule
selection. The user can select one rule with a simple left-click
on the rule number, or multiple consequtive rules using
shift-left-click. Selecting non-ajacent rules with ctrl-click is
not supported; ctrl-click acts as normal click. Right-click calls
context menu and uses existing selection if click is on one of the
selected rules, or resets it if click is outside of the selection.
2004-06-29 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): implemented drag and drop of
multiple objects. User can select and then drag several objects
from the tree to a group or a rule.
* LibExportDialog.cpp (accept): a change in the export library
algorithm. We now permit exporting several libraries to one file,
but check that all these libraries have only references to each
other and to objects in the Standard lib and have no references to
objects in libraries that are not going to be exported to the same
file. This ensures integrity of this file and helps avoid pulling
objects from other libraries into it. User can edit objects in the
exported libraries by opening this file as usual; the GUI does not
preload libraries configured in Preferences/Libraries when .fwl
file is opened and unlocks all libraries in this file so objects
can be edited. This way user can edit objects and move them
between libraries in the .fwl file.
2004-06-28 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix): fixed a bug (no #) that appeared only on
Windows: the GUI failed to check a file in to RCS if it was
launched by windows explorer via file extension association.
* platform.cpp: pull-down "versions" is now translatable and says
"1.2.9 or later" for iptables v > 1.2.9
2004-06-26 <vadim@vk.crocodile.org>
* LibExportDialog.cpp: when a library is exported to a file, the
program checks whether any groups or rules in this library use
objects in the othe libraries. Only self-contained libraries can
be exported.
2004-06-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #979484:
"improper command for rule with servie any and action reject."
For rules like that, and if rule options dialog does not specify
particular way to handle this combination, the compiler splits the
rule; the first iptables command rejects any tcp packet with TCP
RST, while the second rejects everything else with ICMP message.
* minor bugfixes in the gui
* incorporated changes suggested by a user to make code compile
with gcc 3.4
2004-06-23 <vadim@vk.crocodile.org>
* LINGUAS: added Vietnamese translation .po file
* FWBSettings.cpp (init): Option "do not save standard libraries
in the user's data file" is now ON by default. User can still turn
it off though.
* FWWindow.cpp (save): Usability fixes in methods that work with
libraries:
- libary files have extension .fwl
- preloaded libraries are always read-only (flag RO is set when
library file is loaded, regardless of the value this attribute
has in the file)
- user can open library file using normal File/Open
operation. Read-only flag is cleared when library file is
opened, so it can be edited. File can be added to RCS and saved
using normal File/Save or File/SaveAs operations.
- When user opens library file for editing, other libraries that
are configured in Preferences/Libraries are not preloaded.
2004-06-22 <vadim@vk.crocodile.org>
* LibExportDialog.cpp (init): when object library is exported to a
file, the file gets extension .fwl to distinguish it from the
regular data file. The GUI allows to export only one library to a
file.
* FWWindow.cpp (fileDiscard): added main menu function
"File/discard" which discard all changes that have been done to
the data and saved to the file and checks out clean copy of its
head revision from RCS. This provides for a quick way to roll back
to the latest revision. Older revisions can be checked out from RCS
using list of versions in the right hand panel in open file dialog
(this creates a branch in RCS).
2004-06-20 <vadim@vk.crocodile.org>
* IPv4Dialog.cpp (DNSlookup): "DNS Lookup" button in the IP
address dialog runs dns query for the name of the address object
and if that fails, repeats query for the name of the host or
firewall object this address belongs to. If address object is in
the folder "Addresses", it does only one DNS lookup on its name.
2004-06-18 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): disabled ability to
drop objects into groups in the tree. It was confusing and not
really useful. Objects can still be dropped into a group opened in
the editor dialog.
* ObjectTreeView.cpp (dragObject): enabled dragging of all objects
in the tree. It turns out, QListView will highlight multiple items
in the tree in Extended selection mode when user drags mouse
across items _and_ the first item they started cursor move on is
not drag-enabled. So, to avoid this unexpected highlighting
behavior, need to enable drag of all objects. We then make sure
that system folder can not be dropped anywhere.
2004-06-16 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A
dynamic interface". Dynamic interface used to "shadow" old
broadcast object (0.0.0.0)
* OSConfigurator_linux24.cpp (configureInterfaces): fixed bug
#912849: "Reorder activation of network interfaces in IPT" -
script generated by the compiler for iptables sets default policy
to DROP, flushes all rules and then reconfigures interfaces of the
firewall (it used to reconfigure intefaces and then flush the rules).
* IPv4Dialog.cpp (DNSlookup): Button "DNS lookup" in the IP
address editor dialog does DNS lookup on the address object name
if the object is located in the "Addresses" folder, or on the
parent host object name if it belongs to an interface of a host or
a firewall.
* ObjectManipulator.cpp (moveObject): refactored "move object"
functions and added debug printing. Trying to debug crash reported
by one of the users.
2004-06-15 <vadim@vk.crocodile.org>
* ObjectEditor.cpp (hide): checking if screen position for the
dialog is 0,0 and not storing this value. This should help to work
around a weird bug where screen position of dialogs sometimes is
returned as 0,0 when GUI runs in Gnome.
* Object names and comments are stored in the object file in UTF-8
format. This allows for names and comments to be entered and
displayed in local languages. Although object names can be
localized, it is recommended to keep firewall names in plain ASCII
because compilers do not support UTF-8 yet. This fixes very old
bug #657156: "Special characters problem".
2004-06-13 <vadim@vk.crocodile.org>
* init.cpp (init): the program uses reasonable default for the
directory where user might want to save their data files on each
OS. ( $HOME on Unix, $HOME/Documents on Mac,
$USERPROFILE/Documents in windows)
* ObjectManipulator.cpp (updateObjName): whenever user changes the
name of a firewall, host or an interface object, the GUI asks
whether they want to also rename all IP and MAC addresses that
belong to that firewall or host. If user agrees to rename them,
the program generates names automatically using scheme
'host_name:interface_name:ip' and 'host_name:interface_name:mac'
2004-06-12 <vadim@vk.crocodile.org>
* newHostDialog.cpp (selected): implemented "new host"
wizard. User can choose to add interfaces manually or can use a
library of predefined host object templates.
2004-06-10 <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): fixed a bug
(no number) where fwb_pf would not include code defined by custom
service object in the .conf file
2004-06-08 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (copyObj): implemented multi-object and
multi-rule copy/cut/paste operations
* ObjectManipulator.cpp (moveObject): implemented "move object"
operation - moves object to another library; operation is accessed
via pull-down menu in the object tree.
2004-06-06 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (groupObjects): added ability to select
multiple objects in the tree. Currently the following operations
are performed on multiple objects: delete, duplicate, group.
* ObjectManipulator.cpp (groupObjects): operation of grouping of
selected obejcts. User selects several objects in the tree and
choses menu item "group" in the pull-down menu; the GUI brings up
a dialog asking for the new group name and a library it should be
put in. New group is created and all selected objects are
automatically added to it when user hits "Create group" button.
2004-06-05 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (accept): added "Installer" tab to the PIX
firewall settings dialog
* FWBSettings.cpp (getScreenPosition): checking if the window fits
in the screen before restoring its geometry.
* ObjectListView.cpp (dragObject): setting hot spot in the center
of the object icon for drag and drop.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
showing group members in tooltips and conflict resolution dialog
* ObjectEditor.cpp (ObjectEditor): redesigned ObjectEditor
class. All individual object editor classes are now inherited from
QDialog and are top-level windows. Class ObjectEditor is just a
manager that opens and hides appropriate dialog and manages its
size and position on the screen. Geometry is remembered separately
for each dialog for each object type, so we can have group object
editor open wider than, say, IP service object editor. Each object
editor has its optimal size.
* pfAdvancedDialog.cpp (pfAdvancedDialog): yet another redesign of
PF firewall settings dialog. Using individual checkboxes to
enable/disable each "limit" and "timeout" option
* ipt.cpp (main): all compilers do not create any files if there
was an error during rule processing (not even empty ones)
2004-06-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp : Info window shows properties of an object
selected in rules
* RuleSetView.cpp (paintCell): added tooltips for objects in the
policy view, using the same detailed properties text that is used
for Info panel.
* iptAdvancedDialog.cpp (accept): the actual command that
installer should run on the firewall to activate the policy can
now be specified in the "installer" tab of firewall settings
dialog for all platforms. If this input field is left blank,
installer will run firewall script, using sudo if user name used
to authenticate to the firewall is not 'root'. On Windows,
installer also does chmod +x on the file.
* FWBSettings.cpp (setSSHPath): directory path and a file name for
the secure file transfer and secure shell utilities can be
configured in the Preferences (tab "SSH"). This allows for using
of different SSH packages on Windows, as well as using SSH
installed in a non-standard directory on Unix.
2004-06-03 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): standard folders in the tree
can not be dragged into groups or rules and open/close on double
click. Regular objects open editor on doubleclick.
* ipt.cpp (main): compiler for iptables sets up PATH environment
variable at the beginning of the generated script. This is
particularly useful if policy is compiled on windows or mac for
Linux firewall that runs unknown version of Linux, so we cant be
sure where standard tools such as iptables, lsmod etc are
located. Most systems place them in /sbin, but for example SuSe
places iptables in /usr/sbin. If policy is compiled on one of the
Linux systems, we assume generated script will run on the same
system (which may not be true, btw), but if we compile on Windows,
there is no way to know where these tools are located
beforehand. In this case we need PATH. User can always override
this behavior and specify full path to all tools explicitly.
2004-06-02 <vadim@vk.crocodile.org>
* linux24.xml.in: changed "Linux 2.4" to "Linux 2.4/2.6" in all
menu
* iptAdvancedDialog.cpp (iptAdvancedDialog): removed "log all
dropped packets" option from the firewall settings dialog for
iptables. This option required p-o-m patch that has become
obsoleted and is not included in p-o-m anymore.
* FWWindow.cpp (install): when user hits "Install", the GUI checks
if objects in the database were modified since policy of a
firewall has been compiled last time. If existing policy file is
older than the database, program offers the user to compile it
before it is installed. There are options to recompile, install
old copy or cancel the operation.
2004-05-31 <vadim@vk.crocodile.org>
* RuleSetView.cpp: Added support for operations that act on
multiple rules: setting rule color, moving to a different position
in rule set, disabling/enabling, deleting. User can select
multiple rules by dragging mouse across several rows in the column
that shows rule numbers. Copy/Cut/Paste operations of multiple
rules are not supported yet.
2004-05-29 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragObject): implemented drag-and-drop of
objects in the rules
* utils.cpp (setDisabledPalette): all entry fields in the object
editor are disabled if an object is read-only or is located in
read-only library. Object editor is still opened for read-only
objects, but since all fields are disabled, changes are not
allowed. Opening object editor for read-only and standard objects
allows for inspection of their properties.
* FWWindow.cpp (load): file objects_init.xml does not include
empty "User" library anymore. Instead, this library is created
dynamically using method FWBTree::createNewLibrary when user
creates new data file. This simplified things since 1) "User"
library now has unique random ID in every data file so it can be
safely exported and then imported back without any conflicts; 2)
since its ID is unique, it can be renamed without creating any
conflicts. The library is only created in FWWindow::load()
(i.e. when new data file is created). It is not created when
existing data file is loaded because it is supposed to be
there. Old data files that still have this library with
semi-standard ID will load it as before, but the ID loses its
standard meaning.
2004-05-23 <vadim@vk.crocodile.org>
* filePropDialog.cpp (filePropDialog): added "File properties"
main menu item and dialog
* debugDialog.cpp (debugDialog): added "debug" menu item under "Help"
2004-05-20 <vadim@vk.crocodile.org>
* instDialog.cpp : built-in installer works with all supported
firewall platforms: iptables, ipf, pf, ipfw and pix.
* instDialog.cpp (instDialog): built-in installer reads list of
files that policy compiler generated for a given firewall object
("manifest") from the .fw file and installs them on the
firewall. One file in the manifest needs to be marked as
executable, installer runs it after all files are copied.
* all policy compilers: all compilers include a list of files
generated for a given firewall object ("manifest") in .fw file.
2004-05-18 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): split long context menu that used
to be shown when user clicked right mouse button on an object in a
rule. Now this menu has only actions related to the object, while
actions for the whole rule belong in the context menu shown when
user clicks right mouse button on the rule number.
* fr.po, ru.po: checked in updated French translation by
Jean-Michel Poure and added some rudimentary Russian
translation. Both translations are done in UTF-8.
2004-05-15 <vadim@vk.crocodile.org>
* init.cpp (init): define global var localepath that is
initialized with a path to the directory where translation files
(*.qm) are installed. This path is defined as $respath/locale on
all systems (on Unix this typically is
/usr/share/fwbuilder/locale, while on Windows and Mac it will be a
subdirectory "locale" in the directory where the binary is
installed)
2004-05-14 <vadim@vk.crocodile.org>
* ColorLabelMenuItem.cpp (ColorLabelMenuItem): implemented RFE
#725461: "Colors". Added ability to color-code rules in the
policy. User can pick one of the 7 predefined colors (plus none)
in the pop-down menu that appears when they right-mouse-click on
the policy or NAT rule. Custom text can be associated with each
color using a panel in the Preferences dialog, this text appears
as a tool tip when user flies mouse cursor over color buttons in
the pop-down menu.
2004-05-12 <vadim@vk.crocodile.org>
* src/gui/ui: QT's ui translator uic creates code in this directory.
This allows me to add generated files to the internationalization
infrastructure (include in the .pot file). also added *.cpp files
in src/gui/ui to cvs so translators can look at them to better understand
context without having full QT development environment.
2004-05-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #934949:
"duplicate rules". fwb_ipt created duplicate rules for a bridging
firewall if fw object or its interfaces or their addresses were
not in the source or desintaion
2004-05-04 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): "new firewall" wizard can create
a new firewall object using predefined templates from the file
templates.xml (the file is a pat of the package and is installed
in /usr/share/fwbuilder on Linux and in c:\FWBuilder\resources on
Windows). User picks a template and the program creates a
duplicate of the template object in the "User" object library. The
wizard page where user picks template shows a diagram of the
firewall configuration that illustrates its interfaces, their
configuration and addresses. Comment text associated with template
object explains its specific properties and is shown on the page
as well.
2004-05-02 <vadim@vk.crocodile.org>
* templates.xml.in : a library of firewall object templates. This
library is a part of the distribution and is installed in
${prefix}/share/fwbuilder on Linux and BSD and in
C:FWBuilder/resources on windows (the same dir where standard
objects are installed). This library is not loaded by default
though.
* listOfLibraries.cpp (listOfLibraries): Added a page to the
preferences dialog to manage add-on libraries. The GUI maintains a
list of available add-on libraries and allows user to define which
ones will be automatically loaded when the GUI is started. The
program always adds "standard" and "templates" libraries to the
list, then scans directory $HOME/.fwbuilder/lib/ (
C:\FWBuilder\lib on windows) and adds all .fwb files found there
to the list. It stores list of libraries in the user's preferences
together with a boolean flag that is set if a library should be
loaded on a start-up. Library added using main menu "Import
Library" is also added to the list so the user can make the
program load it automatically.
2004-04-29 <vadim@vk.crocodile.org>
* Makefile.in: Added support for internationalization. Using
gettext 0.14.1. This is the first version where support for QT
lanuage files is available, but it is not available in RedHat or
other Linux distributions yet. Therefore had to copy some m4 macro
colelctions from example to directory 'm4', as well as copied a
Makefile.in and script remove-potcdate.sin to directory 'po'. New
version of xgettext recognizes standard QT localization method
tr() and can generate usual .pot files from strings used with
it. The nwe msgfmt can generate .qm files from translated .po
files.
2004-04-25 <vadim@vk.crocodile.org>
* instDialog.cpp (cmd): this method can be used whenever we need
to execute several commands on the firewall sequentially.
* (instDialog): install dialog hides incremental install options
if 'diff' program can not be found (perhaps compiler that comes
with it is not installed)
* instDialog2.cpp (PIXincrementalInstall): integrated with
fwb_pix_diff
* instDialog2.cpp (PIXbackup): implemented function that stores
backup copy of firewall configuration in a file
2004-04-18 <vadim@vk.crocodile.org>
* findDialog.cpp (find): 'find object' function is implemented by
means of an external modeless dialog that allows for searching in
the tree and or policy rules and supports matching with regular
expressions.
* newFirewallDialog.cpp (getInterfacesViaSNMP): 'new firewall'
wizard can discover interfaces using SNMP. Finished work on the
page where user can arrange interfaces according to their security
levels.
2004-04-15 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): added 'new firewall'
wizard. Still need to work on the page where user sets security
levels of interfaces.
2004-04-14 <vadim@vk.crocodile.org>
* VERSION (BETA): added a variable in the VERSION file that
designates code revision as beta and stores beta testing period
expiration time (+30 days). Currently only About dialog shows this
time, but in the future I may make the program disable itself if
it is used past this time. The released version won't have this
limitation. This can be used to prompt people to upgrade, so I do
not have to support old versions.
2004-04-11 <vadim@vk.crocodile.org>
* FWBSettings.cpp (restoreGeometry): added ability for dialogs to
automatically remember and restore their geometry (size and
relative position on the screen). Currently only main window, conflict
resolution dialog and object editor dialogs do this. Geometry is
stored in preferences. Main window comes up with a default geometry
100,100,750,600 (x,y,w,h) when no geometry is found in settings.
2004-04-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (ConflictResolutionPredicate): implemented conflict
detection and resolution for the "merge" operation. The same
mechanism works for "open file" since it is also based on
merge. When there is a conflict during merge, the program opens a
dialog and asks the user which copy of the object they want to
keep.
2004-04-09 <vadim@vk.crocodile.org>
* instDialog3.cpp (stateMachineSSHSUDO): builtin installer works
with Linux/BSD systems using combination of ssh on the client side
and sudo on the firewall. User provides a password for
authentication and the program logs in into the firewall as that
user, copies firewall script to "/etc/fw" (directory path is
hardcoded), then executes it using sudo. Sudo should be configured
for this user or group she belong to to be able to execute this
script as root with no password.
2004-04-08 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): added universal (hopefully) policy
installer program. The program uses ssh in a background on both
Unix and Windows (on Windows it requires putty/plink) to
communicate with the firewall. Currently only supports PIX but I
will add Linux/BSD later. Installer GUI asks user for a password.
2004-04-07 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added rule options dialog
for ipt
2004-04-06 <vadim@vk.crocodile.org>
* FWWindow.cpp (search): implemented advanced search method that
finds and highlights objects both in the tree and in any rule of
any firewall. This resolves problem outlined in Feature Request
#837448: '"Where used" only shows fw objects'
2004-04-04 <vadim@vk.crocodile.org>
* FWWindow.cpp (save): implemented saving data file without making
copies of objects in the 'Standard' library (Feature Request
#810504). This feature is considered experimental and is off by
default. An option in Preferences dialog activates it.
* FWWindow.cpp (load): All load is done via merging of the loaded
file with a standard object tree. Now we can load files saved
without copies of unused standard objects.
* FWWindow.cpp (fileImport): implemented data import. Using method
FWObjectDatabase::merge to merge imported data with current object
tree. Only object IDs are compared, so modified standard object in
the imported file will be ignored and its changes will be lost.
2004-04-03 <vadim@vk.crocodile.org>
* export.cpp (exportLibrary): Implemented library export
* StartWizard.cpp (StartWizard): added simple startup wizard that
asks user if they want to open existing file or create a new
one. It also sets some useful preferences such as adds new file to
RCS and makes the program automatically open it when it is started
next time.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
Fixed bug #956544: "Error into load modules script generation",
where generated script would not load kernel modules with names
"module.ko.gz". Regular expression should match on ".ko.*$" to
find these modules properly. Thanks to Andrey Kaminsky
<and@fao.lv> who pointed this out.
* RuleSetView.cpp (doubleClicked): double-clicking on an object in
the policy rule opens that object in the editor
2004-04-02 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): using combobox widget
instead of a tab widget for libraries. This way we can fit more
libraries without making interface cluttered.
2004-03-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): the GUI saves path to the DTD and resources in
user's settings using QT QSettings class. Policy compilers and
other tools can read this setting to quickly determine location of
DTD and resources.
2004-03-29 <vadim@vk.crocodile.org>
* getting rid of STL classes in the GUI. The idea is to make GUI
use QT classes in most of the code and use STL classes such as
'string', 'map', 'list' where it has to pass data to and from API
which is STL-based. This should simplify using QT compiled without
STL support (much less conversions between string and QString).
2004-03-28 <vadim@vk.crocodile.org>
* main.cpp (main): the data file can be specified on a command
line both as an argument for option '-f' and after all
options. Option '-f' is preserved for compatibility with old
versions. Preferred method is to specify the file name as a
parameter without any option: "fwbuilder file.fwb"
2004-03-27 <vadim@vk.crocodile.org>
* platforms.cpp (getVersionsForPlatform): usability improvement:
"combo boxes" that do not allow typing in them should not have
empty choices. Fixed this for a drop-down menu of version numbers
in firewall dialog.
2004-03-26 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): counting rules from zero in the GUI
* (RuleSetView): this is not a change, I just wanted to document
that I tested the GUI with a policy that has 1000 rules. I haven't
noticed any delay in loading this policy compared with when it had
<100 rules.
2004-03-25 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): gui automatically chooses working dir
if none is set and user calls 'file save as' menu item :
* on Unix will use current dir.
* on Windows will use user's document dir.
* NATCompiler_ipt.cpp (processNext): added a workaround for a bug
(no number): if address range object was used in SNAT or DNAT rule
and option 'manage virtual addresses' was on, compilerwould not
add virtual address properly. It still won't do it, but at least
there is a check for this situation and it prints appropriate
warning message. The problem with this is that if the range is
large, we end up with potentially lots of virtual addresses. Let
the user deal with this themselves.
* ipt.cpp: compiler(s) understand new command line option '-R',
which should specify a full path to the resources. This is useful
on Windows and Mac where resources are installed in a non-fixed
place by the GUI package, but need to be used by the compilers.
2004-03-24 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): each system group object in
the tree has an item in its pop-down menu that allows user to
quickly add an object to that group.
* IPv4Dialog.cpp (DNSlookup): added ability to determine IP
address of an Address object using DNS lookup (using QDns class)
* FWBSettings.cpp (FWBSettings): explicitly setting scope for
QSettings as "User"
2004-03-22 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (addTreePage): added attribute 'ro' to all
elements in DTD (see API). This provides for a way of locking down
parts of the tree.
* ObjectManipulator.cpp (addTreePage): read-only subtrees are
marked with an icon of a lock and text 'read-only'
* objects_init.xml : standard objects tree is now read-only. User
objects can not be moved into 'standard' tree and standard objects
can not be edited but can be duplicated (a copy is automatically
created in the first user-defined library, most often it is a
library 'User')
* FWWindow.cpp (install): GUI supplies a path to the firewall
object as a parameter to installation script rather than just its
name (as before). This is because the path has changed when
library element has been added. Changes made in the GUI (send path
instead of name) and in fwb_install script (to make it interpret
path).
2004-03-21 <vadim@vk.crocodile.org>
* pixosAdvancedDialog.cpp (pixosAdvancedDialog): 'advanced host
settings' dialog for PIX
* RuleSetView.cpp (contentsMousePressEvent): selectedObject is
chosen in mouse press and key press even handlers; got rid of
currentChanged slot all together. This eliminated flicker that was
caused by extra repaint of the cell when selected object was
chosen in currentChanged slot.
2004-03-20 <vadim@vk.crocodile.org>
* DialogData.cpp (DialogOption): universal class to load and save
data in dialogs
* pixAdvancedDialog.cpp (pixAdvancedDialog): 'advanced' firewall
options dialog for PIX. Implemented tabls 'Compiler options',
'Prolog/Epilog', 'Timeouts' and partially 'Fixups'. Fixup pages
are disabled using resource string that defines which fixups are
available in certain PIX version.
* FirewallDialog.cpp (openFWDialog): firewall dialog saves version
from the widget to the object before opening 'advanced' firewall
options dialog. This is a departure from the dialog logic where
all data is stored when user clicks 'Apply changes' button.
2004-03-19 <vadim@vk.crocodile.org>
* FWBSettings.cpp: added support for an "object autosave" option
(automatic saving of changes in dialogs while switching between
objects)
* RuleSetView.cpp (insertRule): added main menu items "insert
rule" and "add rule after current"
* RuleSetView.cpp (contextMenu): added pop-up menu items for
adding, removing and moving rules up and down, as well as standard
copy/cut/paste operations on moves. Similar menu items added to
the main menu.
* RuleSetView.cpp (paintCell): implemented double-buffering in
paintCell to improve performance and remove flickering
2004-03-17 <vadim@vk.crocodile.org>
* FWBSettings.cpp: saving the size of the info window in settings
* RCSFileDialog.cpp (RCSFileDialog): 'open file' dialog
automatically looks for files in the working directory configured
in a global preferences dialog.
* main.cpp (main): added a global setting "startup action" in
Preferences. Currently two actions are available: "load standard
objects" and "load last edited file".
* FWBSettings.cpp (FWBSettings): a specialized wrapper for
QSettings. I will be adding methods to this class to simplify
access to whatever global program preferences and options I
need. Currently it supports 'working dir' and 'info window style'
settings. Settings are stored in a platform-depended way as
QSettings does it.
2004-03-16 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (_printOPorts): minor bugifx - fixed
typo ( '==' -> '=' )
* ObjectEditor.cpp (closeEvent): object editor checks for
modifications before closing if user closes it using window
manager buttons.
* FWWindow.cpp (unselectRules): the main window maintains single
selection across objects in the tree and in the policy
view. Selecting an object in the tree automatically unselects
object in the policy and vice versa. Now I can implement
copy/cut/paste functions driven by the main menu; these operations
will work on the currently selected object either in the tree or
in the policy.
* FWWindow.cpp (editCut): copy/cut/paste operations work between
the tree and policy views using both context menus and main
menu.
* ipt.cpp: output stream is created with a mode ios::binary on
Windows
* RCS.cpp (isDiff): having problems with rcsdiff.exe in windows,
for now will assume that the file always changes and needs checkin
comment.
2004-03-15 <vadim@vk.crocodile.org>
* RCS.cpp (co): using windows-specific functions to create a
temporary file for the file checkout
* global.h: added redefinition of macro assert to be able to use
it on windows where we compile without debugging info. (the reason
I do not build Debug version on win32 is because I use precompiled
libraries libxml2 etc that are built using Release CRT, and I
can't mix different runtimes).
* RCS.cpp (co): GUI makes sure that if the file has been opened
and locked by a user, another user can only open it read-only. The
same user has a choice of opening it read-only or read-write. The
latter case is useful in case of a program crash that leaves
opened files in the locked state.
* RCS.cpp (co): added ability to open older revision of the file
read-only. Requested revision is checked out into temporary file,
which is then loaded and immediately deleted. The object tree is
locked read-only and 'save' and 'save as' operations are disabled.
2004-03-14 <vadim@vk.crocodile.org>
* RCS.cpp (add): using "rcs -i -kb" to add a file to RCS, this
should help avoid extra CR in the file while working on windows
because it makes RCS use binary mode while working with the file.
2004-03-13 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp: GUI redesign: switched to a single window
design. Object manipulation happens inside three classes:
ObjectManipulator (the tree widgets and algorithms), ObjectEditor
(a stack of editor widgets and a glue logic), obejct info browser
(class QTextBrowser). Object editor appears as a non-modal dialog
when user double-clicks an object in the tree. Single click
updates data in the info window but does not open the
editor. Objects can be selected in the tree in any supported way -
keyboard arrows, keyboard shortcuts, hitting the first letter of
the objects's name, mouse click. In any case, appropriate object
is selected and info window is updated with its attributes.
Info window has three modes: collapsed (there is no info window),
showing only comment attrbibute and showing brief summary of
object's parameters and a comment. User can switch between modes
using a button located on the main window panel directly under the
info widget.
2004-03-12 <vadim@vk.crocodile.org>
* build environment is based on qmake: file qmake.inc is included
from qmake project files in all subdirectories. File qmake.inc
defines all variables for all platforms, so project files in
subdirs only add lists of files and take care of exceptions. File
qmake.inc is generated by configure, but all substitutions are
only needed for Unix and Mac. This file is checked in to cvs so it
could be used on Windows without a need to run configure.
All qmake project files in subdirectories need no substitutions
by configure, so they all are checked in to cvs and can be used on
windows right away.
Qmake project files fwbuilder2.pro and src/src.pro use template
'subdirs' and make qmake descent into subdirectories and rebuild
projects there.
Now using qmake to generate Makefile and MSVC project files in
src/fwblookup, src/fwbedit, src/ipt. Makes it easier to generate
consistent MSVC projects without having to edit them manually.
resource files (src/res/*.xml and src/res/*/*.xml) are generated
by configure, however, since substitutions made in them are only
relevant on Unix and Mac, generated files are checked in to cvs so
they can be used on windows without running configure.
No need to run configure (or autogen.sh) on Windows anymore.
To build on Unix and Mac:
$ autogen.sh
$ make
$ make install
To build on windows:
run qmake, then make in the root dir. of the project
Open fwbuilder2.dsw in MSVC and rebuild all
* NATCompiler_ipt.cpp, PolicyCompiler_ipt.cpp and others in
src/ipt: code cleanup. Removed all unused variables and added
handling for 'default' case in switch operators.
2004-03-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (compile): implemented main menu items "Rules/compile"
and "Rules/install". Still need to add toolbar buttons though.
* execDialog.cpp (execDialog): a dialog for a background execution
of external commands. This class is used to call external policy
compilers and installer scripts. Uses QT class QProcess.
* ipt.cpp: transfered compiler for iptables over to fwb2. Only
minor changes: new file name schema (*.h, *.cpp); proper choice of
the directory where resource files are located; eliminated last
dependencies on glib
2004-03-09 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (accept): firewall settings dialog saves
all data in the object.
2004-03-07 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): firewall settings
dialog for iptables. Saving of the data back in the firewall
object is not implemented yet.
* DialogFactory.cpp (createDialog): DialogFactory: class that
creates dialogs for all object types.
* FWBTree.cpp (FWBTree): refactored code: all methods that enforce
our standard tree structure now belong to the class FWBTree
* TimeDialog.cpp (applyChanges): added dialog for the Time
interval object.
2004-03-06 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (setupPopupMenu): added pop-up menu in the
group view (both icon and list modes) with oprations
copy,cut,paste and delete.
* all dialogs: object is moved from library to library when user
clicks 'apply changes' (before it would move immediately when the
library was changed in the pop-down menu).
* CustomServiceDialog.cpp (loadFWObject): added dialog for the
Custom Service object
2004-03-05 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (copyObj): added pop-up menu to object tree
view; implemented functions 'duplicate', 'copy', 'cut', 'paste'
2004-03-04 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): objects in the
tree are selected with double-click.
2004-03-03 <vadim@vk.crocodile.org>
* RuleSetView.cpp (getRE): added platform capabilities check for
columns 'Time' and 'log/options' in policy views
* RuleSetView.cpp (dragMoveEvent): support for d&d of Time objects
2004-03-02 <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (loadFWObject): added dialog elements for
interface security level, 'external' checkbox, network zone.
* RCS.cpp (isDiff): added a wrapper for rcsdiff in RCS class
2004-02-29 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (createObject): properly creating interfaces
and addresses for the firewall object
* further testing and improvements in RCS integration
2004-02-28 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): file can be opened with or without RCS, a
head revision or any specific revision, read-write or
read-only. File name, revision number and read-only status is
displayed on the main window's title bar.
* FWWindow.cpp (load): added ability to open data files read-only
* RCS.cpp (RCS): refactored the code, made class RCS a wrapper for
the command-line rcs tools. It should be possible to use the same
or similar interface for other version control system if needed.
2004-02-26 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (showFileRLog): Open File dialog shows RCS
revisions of the chosen file in a preview panel. Added button "add
to RCS" that allows user to add selected file to RCS right from
the "open file" dialog. Added elements for opening file read-only
and with or without locking (but these functions have not been
implemented yet).
2004-02-23 <vadim@vk.crocodile.org>
* RCS.cpp (rlog): class RCS provides simple integration with
RCS. Uses portable functions provided by QT to call external RCS
programs.
* configure.in: added checks for external RCS programs ci, co,
rlog.
2004-02-22 <vadim@vk.crocodile.org>
* FWWindow.cpp: added basic integration with RCS. Every time a
data file is opened, it is checked out from RCS and locked. If the
file has not been added to RCS, an initial checkin is performed
with a generic comment. Every time an opened file is saved (using
"save" or "save as" menu), it is checked in and kept in a locked
state. A new menu item "File/Close" has been added; this menu item
checks the file in and removes lock (does 'ci -u') so other users
can work on it, then it reopens a standard objects database in the
GUI. Opening a file while another file is already opened in the
GUI causes the latter to be closed (checked in and lock removed)
and a new one opened as described above.
still TODO: add a dialog to ask the user for a checkin comment
text. Add a global option "Use RCS" so that using version control
is optional. Test the whole thing on Windows.
2004-02-16 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): added dialogs for
interface, MAC address, network, address range and other objects.
* FWObjectDrag.h: implemented custom drag class FWObjectDrag; all
widgets dynamically check if the object being dragged can be
dropped in them. User can drag objects from the tree into groups
and rules, as well as from a group into the tree.
2004-02-08 <vadim@vk.crocodile.org>
* IPServiceDialog.cpp (libChanged): implemented gui elements and
support for moving objects between libraries.
2004-01-20 <vadim@vk.crocodile.org>
* added dialog for object IPv4. This object can now be created in
a standard place in the tree in a group Objects/Addresses as well
as as a child object of interface (as before in fwbuilder 1). This
allows for using object IPv4 as an abstract for an IP address
which is simpler than using a Host object.
2004-01-04 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp: Experiment: user and standard object tree
views have different background colors. This provides simple
visual clue of what library the object shown in the editor panel
belongs to. This is especially useful if a standard object is
referenced from the user defined group and user opens it; in this
case the tree switches from user-defined objects to the standard
onces but this switch may not be evident from the first glance,
thus user loses context and may be confused why his objects
apparently have gone away.
2004-01-03 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): property editor has window
type "dialog" and always stays on top of the main
window. Implemented simple history feature for the object
navigation and added a button "Back" to the toolbar.
* GroupObjectDialog.cpp (loadFWObject): group object dialog can
now show group contents as a set of icons or as a list; switching
between two modes is done using toggle buttons a-la file list
modes in the "open file" dialog.
* PropertyEditor.cpp (loadObjects): merged object tree and object
property editor in one dialog.
2003-12-20 <vadim@vk.crocodile.org>
* main.cpp (main): resources and preferences files can now be
found dynamically, using a full path to the directory the binary
has been launched from. The RES_DIR macro defined in config.h
now specifies relative path to the resource files starting from
the application root dir. If program is installed in
/usr/local/bin, then the application root is "/usr/local" and
resources should be located in /usr/local/$RES_DIR directory.
Reference in New Issue View Git Blame Copy Permalink