onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 17:27:20 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/ChangeLog
Theron Tock dc32508caf * Fixed #2505: make sure that objects that we show are members of 
a dynamic group are actually objects.  Previously we were showing
	stuff like FirewallOptions objects.  To make sure that dynamic
	group expansion is done the same way in the UI and for the
	compiler, also fixed #2502 (consolidate logic for DynamicGroup).
2011-07-13 12:09:36 -07:00

16357 lines
702 KiB
Plaintext
Raw Blame History

2011-07-13 theron <theron@netcitadel.com>
* Fixed #2505: make sure that objects that we show are members of
a dynamic group are actually objects. Previously we were showing
stuff like FirewallOptions objects. To make sure that dynamic
group expansion is done the same way in the UI and for the
compiler, also fixed #2502 (consolidate logic for DynamicGroup).
2011-07-11 theron <theron@netcitadel.com>
* Implemented #2514, support for address table alternate paths.
There's a "data directory" setting under user preferences. If the
user selects an address table file using "choose file" and that
file is "inside" the data directory, then the appropriate part of
the path is replaced with %DATADIR% as a variable. If the address
table is marked "run-time" then the path is taken from the
firewall data directory option.
2011-07-11 Vadim Kurland <vadim@netcitadel.com>
* TableFactory.cpp (createTablesForRE): see #2513 "Group and
Address Table name persistence in generated config". Compiler for
PF can now preserve names of object groups, dynamic groups,
compile-time AddressTable and compile-time DNSName objects in
the generated pf.conf file. This is optional and is controlled
by a checkbox in the firewall settings dialog.
2011-07-09 vadim <vadim@netcitadel.com>
* pf.g (rule_extended): see #2551 Importer should parse PF rules
that use "route-to", "reply-to" and "dup-to" options in both
pre-4.7 and 4.7 formats. In PF 4.7 these parameters moved to the
end of the rule and are now part of the "filteropts" block of
parameters.
* PFImporter.cpp (pushPolicyRule): see #2551 Importer should
correctly import "pool type" parameter that follows source routing
rule options "route-to", "reply-to" and "dup-to". Also, since
currently fwbuilder does not support source routing rules with
multiple different interface-gateway pairs (only one interface in
combination with one or multiple gateway addresses are supported),
importer displays warning and marks rules as "broken" when it
encounters this configuration.
* ObjectManipulator_slots.cpp (makeSubinterface): see #2561
operation of making an interface a subinterface should be
performed using undo/redo command. Also, this should take care of
inconvenient scrolling of the object tree after this operation.
* ObjectManipulator.cpp (addSubinterfaceSubmenu): see #2562 "Crash
when making an interface that has subinterfaces a subinterface of
another interfrace". If an interface has subinterfaces, it should
not be allowed to become subinterface of another interface.
2011-07-08 vadim <vadim@netcitadel.com>
* ObjectManipulator_slots.cpp (makeSubinterface): see #2561 "Add
context menu to move an interface to be a child of another
interface". New context menu (submenu) allows user to move an
interface in the tree to make it a subinterface of another
interface.
* parsers/pf.g: see #2556 "PF import: impor of rules referring to
undefined macros". Importer now records all parser errors in the
comments of rules where they occurred and marks these rules
"broken" by coloring them red. Behavior on import of pf.conf file
with undefined macros is inconsistent at this time: undefined
macro that appears in a rule where parser expects ip addresses is
converted to a run-time DNSName object with name "$macro", a
warning is displayed and rule is marked as "broken". Undefined
macro in the position of interface name, port name or other
parameters triggers generic parser error that looks like "Parser
error: line 26:19: unexpected token: $ext". The rule is marked as
"broken" and the error is recorded in the comment.
* PFImporterRun.cpp (substituteMacros): see #2556 "PF import:
impor of rules referring to undefined macros". Importer displays
warnings for all undefined macros found in the file, even if there
are several.
* objectSignature.cpp: fixes #2559 "Crash on import when at least
one DynamicGroup object already exists in the object tree."
2011-07-07 Vadim Kurland <vadim@netcitadel.com>
* RoutingCompiler.cpp (processNext): see #2191 "Crash when
compiling a route with table object". Compiler for PF crashed
when run-time AddressTable object was used in RDst of a routing
rule.
* PFImporter.cpp (makeAddressObj): see #2546 "PF import - negation
inside of inline tables is ignored". Since we can not import
address lists or tables that contain a mix of negated and
non-negated items, importer should display an error when it
enounters one of these and mark all rules that use it as "broken"
(rule is colored red and error message is added to the comment).
* PFImporter.cpp (makeAddressObj): see #2556 "PF import: impor of
rules referring to undefined macros". If pf.conf file uses an
undefined macro (there is $macro somewhere but the macro has never
been defined), importer issues a warning, creates run-time DNSName
object with the name "$macro" and marks all rules where it is used
as broken, that is, rules are colored red and the error message is
added to the comment field. Using run-time DNSName object makes
compiler use "$macro" in the generated pf rule which means
fwbuilder generates exactly the same pf rule as the one it tried
to import.
* PFImporterRun.cpp (run): see #2554 "PF import: create groups of
address objects for macros where possible". Importer for PF
recognizes macros that define lists of ip addresses, interfaces or
host names and creates object groups with the same name from them.
Only macros that contain at least one ip address in the list are
recognized.
* PF import: check if a macro used somewhere in the file to be
imported is actually defined and abort if not
* PF import: see #2551 making sure rules that have route-to option
get the call to setRoute() in the importer
2011-07-06 Vadim Kurland <vadim@netcitadel.com>
* applied two patches by Vadim Zhukov persgray@gmail.com to
replace calls to sprintf with safer calls to snprintf and fix some
compiler warnings.
* Importer.cpp (addStandardImportComment): see #2552 "PF import:
add ability to suppress comments referring to line numbers in the
original file".
* PFImporter.cpp (pushPolicyRule): see #2551 "PF Import - source
routing rules are not imported with rule options set". Importer
should import "route-to" rule parameters.
* PFImporter.cpp (newAddressTableObject): see #2546 "PF import -
negation inside of inline tables is ignored". We can not import
PF table definition that has some addresses negated.
* PFImporterRun.cpp (run): see #2550 "PF import - recursive macros
are not supported". Importer for PF should interpret macro
definitions that use other macros. See #2545 "PF import error when
using macro names with same base name and incrementing digit
suffix". Importer should correctly interpret a macro that has name
of another macro as a substring of its own name.
2011-07-05 vadim <vadim@netcitadel.com>
* PolicyCompiler_pf_writers.cpp (processNext): see #2549 "Update
generated route-to configuration for PF versions 4.7 and later",
SF bug 3348931. The "route-to" parameter moved to the end of
pass rules in PF 4.7
* pf.g: fixed bug in PF import: address lists such as "{ addr1,
addr2, ... }" defined as macros or inside the rule could not be
imported correctly.
* pf.g: we should be able to import both "block quick log" and
"block log quick".
2011-06-29 theron <theron@netcitadel.com>
* Fixed #2547, made keyword add/remove buttons same size.
2011-06-29 theron <theron@netcitadel.com>
* Fixed #2540. On mac we can get a drop event even if
dragMoveEvent() says the drop is invalid. So in ObjectTreeView we
validate the drop the same we we validate in dragMove to make sure
the drop is valid.
* Fixed #2542. Catch exception inside preprocessor loop so that
loop continues after error (for unit tests). Also make sure to
set ".loaded" variable before calling loadFromSource so that if an
exception happens we won't try to load it again later.
* Fixed #2539. Make sure user folders are added properly. Also
deal with case of an object that has a folder attribute that
doesn't exist in the parent's subfolders list (shouldn't ever
happen, but in case it does it no longer crashes). Also make sure
that subfolders don't have commas in them.
* Partially fixed #2544. Adding new icons for dynamic group.
2011-06-27 theron <theron@netcitadel.com>
* Fixed #2530, where adding a subfolder opens the parent folder in
the object editor.
* Fixed #2529, where dragging and dropping items between
subfolders could cause a crash.
* Fixed #2528, display icon next to "new subfolder" menu item.
* Added feature #2517: directory location caching. Use
FWBSettings::{get|set}OpenFileDir() any time we use QFileDialog so
that the directory you navigated to last time shows up in the next
file dialog. This behavior is overridden by setting a working
directory. If the directory no longer exists, gracefully fall
back to something sensible.
2011-06-23 theron <theron@netcitadel.com>
* Added support for creating user-defined subfolders. The
subfolders exist purely in the display and are not reflected in
the FWObject tree, in order to keep changes in the back-end to a
minimum. New attribute "subfolders" on a system folder tells the
gui what additional child elements to display in the tree, and
attribute "folder" on any FWObject tells gui which child tree
element to put it in.
2011-06-22 Vadim Kurland <vadim@netcitadel.com>
* ObjectManipulator_ops.cpp (autorename): fixed #2520 "Attached
Network objects are not renamed if a firewall is renamed"
* AttachedNetworksDialog.cpp (addAddressToList): see #2519 Avoid
creating duplicate network objects for the AttachedNetwork object
if the parent interface has multiple ip addresses that belong to
the same subnet.
* CompilerDriver.cpp (CompilerDriver): fixed #2521 "Compile fails
if firewall has locked interface that is set to dynamic".
* NATCompiler_pf_writers.cpp (_printProtocol): see #2524 'avoid
" {tcp udp icmp} " in place of protocol'. NAT compiler for PF does
not need to generate protocol match "proto {tcp udp icmp}" when
service object used in the NAT rule is "any". The reason this was
done this way is lost in the mist of time; it's been like this
since very early versions of fwbuilder.
2011-06-21 vadim <vadim@netcitadel.com>
* NATCompiler_pf.cpp (compile): fixed #2428 "PF compiler crashes
when ipv4+ipv6 NAT rule uses only ipv4 address". This has been
reported as SF bug 3305234.
2011-06-20 Vadim Kurland <vadim@netcitadel.com>
* ObjectManipulator_slots.cpp (forward): see #2493 implemented
"forward" function in addition to the "back" function, added
a button to the roolbar, using new icons for Back and Forward
buttons.
* src.pro (SUBDIRS): see #2477 removed transfer agent
code.
* gui.pro: see #2506 Removed obsolete localization files (Russian
and Japanese). These were incomplete and have never been updated for
v4.
2011-06-10 Theron Tock <theron@netcitadel.com>
* implementation of keywords associated with objects in the GUI;
ability to filter by keywords, dialog layout changes to add GUI
controls for keywords.
* imlementation of the DynamicGroup object type. Dynamic group
automatically expands to a set of objects using matching rules
that at this time can match object types and keywords.
2011-06-09 Vadim Kurland <vadim@netcitadel.com>
* fixed several GUI crashes that happened when user performed
various operations on the object tree that contained locked
objects. see #2487
2011-06-04 vadim <vadim@netcitadel.com>
* FWWindow_editor.cpp (openEditor): this change is a part of the
GUI usability improvements: when user double clicks on a firewall
object to open it in the editor, rule set view panel switches to
the rule set of that firewall. To decide which rule set to show,
the program scans history of the objects the user opened before in
the same GUI session and shows that firewall's rule set they
opened last. If user never opened any rule sets of this firewall,
then the first Policy object is shown. See #2465.
* RuleSetView.cpp (itemDoubleClicked): as part of the GUI
usability improvements, its behavior when user double clicks on
"any" in a rule has changed. Now the program opens object "any" in
the editor and shows prompt text that explains its behavior. The
editor stays read-only and should appear grayed-out if palette
is set up for that. This reverses the change made for #1731. See #2454.
2011-06-03 vadim <vadim@netcitadel.com>
* applied patch to provide configure command line option to specify
path to ccache. Thanks to user "a. k. huettel " on SourceForge.
* NATCompiler_pf.cpp (_expand_addr): see #2455 NAT Compiler for PF
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have ip
addresses in fwbuilder configuration, when interface object
appears in "Translated Source" in a nat rule. When firewall object
appears in "Translated Source", it gets replaced with a set of its
interfaces which also get translated into "-> (interface)".
* NATCompiler_ipt.cpp (compile): see #2456 Added support for
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
2011-06-02 Vadim Kurland <vadim@netcitadel.com>
* pf.g (set_rule): see #2464 implemented import of PF "set timeout",
"set limit" and other "set" commands. Known limitations:
- commands "set ruleset-optimization", "set loginterface",
"set block-policy", "set state-defaults", "set require-order",
"set fingerprints", "set reassemble", "set hostid" are not supported.
2011-05-30 vadim <vadim@netcitadel.com>
* pf.g (nat_rule): see #2449 Implementd import of PF "nat"
rules. Known limitations:
- as of v4.2 we can not generate optinal parameters for the
"source-hash" pooltype. "sticky-address" is not supported either.
- Interface group names are not recognized
2011-05-27 vadim <vadim@netcitadel.com>
* PFImporter.cpp: see #2394 pf.conf import. This version implements
import of pf.conf configuration with the following limitations:
- anchors are not imported. Anchor rules are imported but rules
inside anchors are not.
- only pf.conf configurations designed with the use of keyword
"quick" can be imported.
- Macros are expanded during import and are not recreated as
objects. Tables are imported as run-time AddressTable obejcts
configured with the file name, or object groups.
- User has to specify host OS and PF version number during import
process because interpretation of rules with default settings
of some parameters is version-dependent.
- Import of IPv6 addresses and ICMPv6 matches in pf.conf is not
supported at this time.
- Import of TCP flag matches for flags 'E' and 'W' is not supported.
- Import of "include" clause is not supported
- Import of "user" and "group" matches is not supported
2011-05-26 Vadim Kurland <vadim@netcitadel.com>
* PolicyCompiler_pf.cpp (compile): see #2434 "PF compiler should
use 'self' keyword where appropriate". Compiler for PF now uses
keyword 'self' in rules where firewall object is used in Source
or Destination.
* fwcompiler/Compiler.cpp (processNext): added rule processor to
replace firewall object with special run-time object "self" in
Source and Destination rule elements. This rule processor can
be used in policy compilers for any platform.
2011-05-17 vadim <vadim@netcitadel.com>
* FWObjectDatabase_tree_ops.cpp (merge): see #2420 "Crash when
selecting New Firewall and existing firewall has interface that is
locked". Fixed GUI crash that happened on some operations if an
object in the tree was locked. For example, if the user locked an
interface of one of the firewall objects that then proceeded to
create new firewall object, the GUI would crash. The problem was
not limited to locking specifically interface objects.
2011-05-15 vadim <vadim@netcitadel.com>
* IPTImporter.cpp (pushPolicyRule): see #2411 Implemented import
of iptables rules with target CLASSIFY.
2011-05-14 vadim <vadim@netcitadel.com>
* CompilerDriver_ipt.cpp (findBranchesInMangleTable): see #2405
"Tag and classify actions dont work properly with branches".
When branching rule points to a rule set that has rules with Tag
and Classify options, branching should occur in mangle table even
when checkbox "create branch in mangle table" is not checked. The
fix in this change is tentative as it creates branch in chains
PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only
allowed in POSTROUTING, this may create conflict. Need to test
more.
* AttachedNetworks.cpp (AttachedNetworks): see #1580 New object
type: network object that automatically matches subnets an
interface is attached to. The object can be a child of an
interface. The object is optional and is not created automatically
for all interfaces; user can add it using context menu associated
with an interface. Dialog for this object allows editing of the
name and comment. List of network addresses represented by this
object is always generated automatically. Compiler for PF
translates this object to "en0:network" construct that is
supported by PF. Compiler for iptables expands it to the list of
ipv4 and ipv6 networks defined by the addresses of the parent
interface if interface has static addresses. If interface is
confgiured as "dynamic" and has no address in fwbuilder, then
compiler treats AttachedNetworks object as run-time and uses shell
function to determine network addresses during activation of the
firewall script. Compilers for other firewall platforms always
treat this object as compile-time and abort if it is used with
dynamic interface.
2011-05-13 vadim <vadim@netcitadel.com>
* PolicyCompiler_ipt.cpp (processNext): see #2402 "Tag action
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
* PolicyCompiler_ipt.cpp (processNext): see #2401 "Deprecating
Route option for iptables". This target is not included in any of
the popular Linux distributions (checked in Ubuntu, Fedora and
CentOS). The GUI dialog and all support in the compiler will be
removed in future version of fwbuilder. Beginning with 4.3.0,
compiler aborts with an error when it encounters a rule using this
option. In older versions of fwbuilder (4.2.x and before) this
option was presented as an action "Route".
* CompilerDriver_ipt_run.cpp (run): see #2400 'Mixing Actions
"Accept" and "Classify" results in incorrect rules', see #2399
'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'.
After we made Tag, Classify and Route rule options instead of
actions, rules that mix these options with actions "Accept" and
others, except for "Continue", should be treated differently. The
action are now implemented using iptables rules in the table
"filter" and additional rules in table "mangle" is used to
implement only tagging, classification or routing. Generated
script does not change default action in table "mangle" and
assumes it is "ACCEPT" so adding rules with target ACCEPT in
mangle table should not be necessary. Another change because of
this affects branching rules that use option "create branch in
mangle table in addition to the filter table". These rules used to
duplicate the same action and logging rules in mangle. Now they
dont do this and only create rules in mangle if branch rule set
performs tagging, classification or routing.
2011-05-11 vadim <vadim@netcitadel.com>
* v4.2.2 released
* newFirewallDialog.cpp (finishClicked): fixes #2395 "Crash when
setting installer directory location" and fixes #2396 "Crash when
changing firewall name". These two bug reports where the
manifestation of the same problem that was introduced by the fix
for #2380. When user hits OK in the newFirewallDialog and it
merges temporary object tree into the main object tree, it should
call fixTree() to fix all pointers to the root of the tree.
2011-05-10 vadim <vadim@netcitadel.com>
* v4.2.1 released
2011-05-10 Vadim Kurland <vadim@netcitadel.com>
* fwbuilder 4.2.1.3540 released; started v4.3.0
* merged from branch multiple_actions to add changes that
implement conversion of actions Tag, Classify and Route to
options. Now one policy rule can have any combination of these
options. See #2367.
2011-05-09 Vadim Kurland <vadim@netcitadel.com>
* FWCmdAddObject.cpp (redo): fixes #2391 "selecting 'new library'
when editor panel not on 'editor' tab causes crash"
2011-05-06 vadim <vadim@netcitadel.com>
* PolicyCompiler_pf_writers.cpp (_printQueue): see #2390 Classify
does not generate "queue" string for rules created in V4.2.1.3538
This completes the fix for the bug #2385.
2011-05-05 Vadim Kurland <vadim@netcitadel.com>
* FWObjectDatabase_19.xslt: see #2385 "PF action Classify uses
wrong parameter". This change fixes a bug introduced in 4.2.0
that affects rules with action Classify in PF firewalls.
The bug causes the following problems:
For users who built their rules before v4.2.0:
- rules compile normally, both in the single rule compile and
when the whole firewall is compiled
- if they opened the action of one of such rules in the action
editor, the classification string would look empty
- if they entered new classification string in the editor,
compiler kept using the old one (which they can not see or
change in the editor)
For users who tried to build rules with action Classify with v4.2.0:
- no matter what classification string they enter in the action
dialog, generated code does not use it
2011-05-04 Vadim Kurland <vadim@netcitadel.com>
* FWObjectDatabase_18.xslt: XSLT transformation to upgrade data
files from DTD v18 to DTD v19. This transformation finds
"PolicyRule" elements with missing "Itf" child elements and fixes
them by adding such element with a reference pointint to "any".
Fixes #2383
* fwbuilder.dtd.in: Element "Itf" (an interface) of "PolicyRule"
should be required. DTD version increment.
2011-05-03 vadim <vadim@netcitadel.com>
* PolicyCompiler_ipt.cpp (processNext): see #2367 "Multiple
actions per policy rule". Options "Tag", "Classify" and "Route"
work with iptables in a combination with any action. This
implementation has one restriction: option Route can not be used
in combination with options Tag or Classify and any action that is
not Continue. This is because option Route can yield rules in
PREROUTING or POSTROUTING chains that are also used by options Tag
and Classify. For this combination we create two user-defined
chains that perform routing and tagging (or classification). In
case of a terminating action both chains end with it. This means
if one matches the packet, the other is never going to see it.
Non-terminating action "Continue" does not create this problem.
This limitation may be removed in future versions of fwbuilder.
2011-05-03 vadim <vadim@netcitadel.com>
* newFirewallDialog.cpp (finishClicked): see #2380 "Firewall
object is created in the middle of the "new firewall" wizard and
clicking Back creates two firewall objects". If user chose to
create new firewall object from a template and clicked Back after
choosing the template, the program actually created two firewall
objects but only one was visible in the tree.
2011-04-30 vadim <vadim@netcitadel.com>
* RuleSetModel.cpp (objectChanged): see #2373 "GUI becomes
unresponsive for a long time when an object that is used in a
large number of rules is modified". The program spent too much
time resizing rule set view columns.
2011-04-29 vadim <vadim@netcitadel.com>
* UsageResolver.cpp (findFirewallsForObject): see #2373 "GUI
becomes unresponsive for a long time when an object that is used
in a large number of rules is modified". This bug only affected
configurations with very large rule sets (1500 rules) where lots
of rules used the same object. The change in UsageResolver
eliminates unnecessary scanning of all rule sets to check if the
affected rule set might be used as a branch. The program used to
scan the same objects many times.
* iosaclAdvancedDialog.cpp (accept): fixes #2368 and SF bug
3294457 "External install script". External install script name
and arguments weren't saved for IOS firewall objects.
* snmpNetworkDiscoveryWizard/ND_ProgressPage.h: fixes #2370, #2371
"broken signals in network discovery wizard". Network discovery
wizard was not correctly initializased and did not work.
2011-04-25 Vadim Kurland <vadim@netcitadel.com>
* instDialog_ui_ops.cpp (readInstallerOptionsFromDialog):
tentative fix for SF bug 3169045 "Batch installer lists IPv4
address as management address". Built-in installer wanted to use
management interface address in batch mode even when alternative
address or putty session name was provided. This happens only in
batch mode install.
* VERSION (GENERATION): version 4.2.0 released; started 4.2.1
2011-04-20 vadim <vadim@netcitadel.com>
* configlets/pix_os/script_skeleton: fixed bug (no #): "clear"
commands were not added when option "generate only access-list,
access-group, nat, static..." was in effect; also making sure
"clear" commands for object-groups and ssh are not added when
option "do not add clear commands" is on. This affects PIX/ASA/FWSM.
2011-04-19 Vadim Kurland <vadim@netcitadel.com>
* RoutingCompiler_ipt.cpp (compile): see #2359 "Crash when
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
2011-04-17 vadim <vadim@netcitadel.com>
* fwbedit.cpp (main): added command line switch "-d" to function
"import" in fwbedit. This switch activates object deduplication
on import.
2011-04-15 vadim <vadim@netcitadel.com>
* fwbedit.cpp (main): see #2328 "Add ability to run firewall import
from the command line". This has been implemented as a new function
"import" in fwbedit. See man page fwbedit(1) and "fwbedit -h" for
more details.
* iptables.g (multiport_tcp_udp_port_spec): see #2245 fixed bug in
parser for iptables that prevented correct import of iptables rules
using module "multiport" with port range matches.
2011-04-14 vadim <vadim@netcitadel.com>
* CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351
Security levels of ASA and FWSM interfaces do not have to be
unique. Removed check that enforced this.
* IPTImporterRun.cpp (run): see #2275 Importer for iptables now
correctly handles both "intrapositioned" ("-s ! address") and
"extrapositioned" ("! -s address") negation.
* platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to
Cisco documentation, FWSM version 3.2 matches PIX 7.
* platform/pix.xml: see #2348: "Accounting action is not valid for
FWSM platform". Actions "Accounting" and "Reject" should not
appear in the drop-down list of actions in the GUI if platform is
pix or fwsm.
* PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
* PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this
is FWSM and if manual commit mode is used, need to commit after
clearing ACLs before we clear object groups.
2011-04-13 Vadim Kurland <vadim@netcitadel.com>
* IPTImporter.cpp (pushPolicyRule): see #2338 "Empty Mangle Policy
object created on import". Iptables rules in the table 'mangle'
will be imported in the dedicated Policy rule set with name
"Mangle". Rules that use chains FORWARD and POSTROUTING in table
'mangle' can not be reproduced and will be marked as "bad" (color
red and corresponding comment).
* configlets/fwsm_os/ntp: see #2344 fwbuilder should not generate
any "ntp" commands for FWSM because NTP can not be configured on FWSM.
* OSConfigurator_pix_os.cpp (_printSysopt): see #2345 More fixes for
FWSM 4.x: "service resetoutbound", "timeout xlate", "timeout sunrpc"
* OSConfigurator_pix_os.cpp (_printInterfaceConfiguration): see #2343
"Interface nameif error when installing generated config for FWSM".
Use correct "nameif" command sytax in FWSM 2.x and 4.x.
* OSConfigurator_pix_os.cpp (_printSSHConfiguration): see #2344
"FWSM install errors for clear commands". Using correct syntax for
"clear" commands for FWSM v4.x
2011-04-11 vadim <vadim@netcitadel.com>
* PolicyCompiler_PrintRule.cpp (_printTarget): see #2235 "Modified
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
* IPTImporter.cpp (pushPolicyRule): see #2206 Iptables commands with
no "-j TARGET" parameter should be imported using action "Continue".
* iptables.g (comment): see #2336 Importer for iptables recognizes
version stored in the top comment by iptables-save and sets
version in the firewall object it creates.
2011-04-10 vadim <vadim@netcitadel.com>
* utils.cpp (expand_interface_with_phys_address): see #2324 "NAT +
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): SF bug
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
* ObjectManipulator_create_new.cpp (actuallyCreateObject): see #2229
"Multiple new objects with the same name". The GUI should automatically
choose unique object names for new objects.
* platforms.cpp (setInterfaceTypes): see #2224 "FreeBSD - Bridge
interfaces with the name vlan<xx> don't show as Bridge Port
Interfaces". This actually applies to all OS where we support vlan
and bridge interfaces. Fwbuilder GUI should allow the user to set
subinterface type to both "ethernet" and "vlan" when its parent
interface has type "bridge". Setting subinterface type to
"ethernet" makes it bridge port, while setting the type to "vlan"
signals policy compiler that it should generate code to configure
real vlan interface. If the name of the subinterface does not
include the name of the parent, such as "vlan101", or when the
name does not match vlan ID, such as "vlan8101", global
preferences option "Verify interface names and autoconfigure their
parameters..." should turned off. The option is located in the
Preferences dialog, tab "Objects".
2011-04-08 vadim <vadim@netcitadel.com>
* FWBSettings.cpp (init): fixed bug (no #): "Show text
description in rule columns" does not persist across sessions
* clusterMembersDialog.cpp (createMember): see SF bug 3211769
"Member interfaces not sorted". Sorting interfaces by name in the
dialog where user adds them to the cluster member group.
* os/ios.xml: see #2330 "Crash when creating a cluster of IOS
router firewalls". Added support for basic IOS router clusters.
No failover protocol support at this time, but the cluster can be
configured with protocol "None" and fwbuilder will do address
substitutions at compile time.
* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
* pix.g (static_starts_with_tcp_udp): more fixes for import of
PIX/ASA "static" command in different variations. See #2334
* ObjectEditor.cpp (changed): see #2335 "GUI switches between data
files upon closing editor panel". If user opened two data files in
the GUI and was in the process of editing objects in one of them,
the GUI would flip to the other file under certin circumstances.
2011-04-07 vadim <vadim@netcitadel.com>
* PIXImporterNat.cpp (buildDNATRule): resolved several problems
with import of "static" commands that use access list that matches
source or destination tcp/udp ports. See #2326, #2327
* pix.g (network_top_level_command): see #2295 fixes in the grammar
to support import of FWSM configs
* PIXImporter.cpp (fixServiceObjectUsedForBothSrcAndDstPorts):
see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
* PIXImporter.cpp (pushPolicyRule): see #2297 Added warning when
importer enounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
time.
* PIXImporterNat.cpp (buildSNATRule): see #2319 "Imported nat
rules with multi-line access-lists have only the first entry"
* PIXImporterRun.cpp (run): see #2167 Implemented import of
"names" and "name" commands in PIX/ASA configs.
* CompilerDriver_pix_run.cpp (pixNetworkZoneChecks): see SF bug
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
* FirewallInstaller.cpp (executeExternalInstallScript): see SF bug
3212988 "external script makes getopt difficult". User-defined
parameters for the external script moved to the end of the command
line.
* res/os/fwsm_os.xml: updated filesystem path on FWSM where
fwbuilder built-in installer should place generated configuration
when it is installed using scp. Currently using path "disk:".
2011-04-05 vadim <vadim@netcitadel.com>
* pix.g (static_command_common_last_parameters): see #2314 "Import
of static NAT statements drops netmask value and uses host
instead". "Netmask" parameter of a "static" command applies to
the real address.
* PIXImporterNat.cpp (buildDNATRule): see #2313 "NAT with
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
service/protocol).
* PIXImporterNat.cpp (buildSNATRule): see #2310 "Imported global /
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
* pix.g (nat_new_top_level_command): since import of ASA8.3
"new" nat commands is not implemented yet, importer should issue
a warning when such command is encountered. See #2315
2011-04-01 vadim <vadim@netcitadel.com>
* FWObject.cpp (insert_before): see #2171 "Undoing delete of rule
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
* FWObject.cpp (shallowDuplicate): see #2286 "Crash when closing
file". The GUI crashed if user imported iptables or pix
configuration, then deleted a rule and tried to close project
window.
* PIXImporter.cpp (mirrorServiceObjectRecursively): see #2291 The
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
* FWWindow_editor.cpp (openOptEditor): fixes #2307 "GUI switches
to another file after editor panel is closed"
2011-03-31 vadim <vadim@netcitadel.com>
* parsers/pix.g (http_command): see #2164 fixed import of "ssh"
commands and added import of "http" commands
* objectMaker.h (ObjectMakerErrorTracker): see #2302 Importer
should log and continue when it encounters an error. This matches
its behavior in older versions and makes it more resilient to
changes in target platform firewall languages. Rule that had an
error or unrecognized syntax in it should be marked by changing
its color to red and an explanation should be added to its
comment.
* PIXImporterNat.cpp (buildSNATRule): import of PIX/ASA "global"
and "nat" commands works.
2011-03-30 vadim <vadim@netcitadel.com>
* PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static"
commands works for the most part. Needs more testing.
2011-03-28 vadim <vadim@netcitadel.com>
* ObjectManipulator.cpp (getDeleteMenuState): see #2226 fixed GUI
crash that happened when user tried to delete or cut an object
from locked library.
* RuleOptionsDialog.cpp (loadFWObject): see #2230 the GUI should
allow limit-burst values of up to 10000
2011-03-27 vadim <vadim@netcitadel.com>
* import/PIXImporter.cpp (addLogging): see #2279 Support for import
of ASA access-list lines with log levels and intervals
* parsers/pix.g (tcp_udp_port_spec): see #2284 fixed import of
tcp/udp port ranges using mix of port numbers and port names
* getServByName.cpp (getPortByName): see #2268 Making sure all tcp
and udp port names are recognized on import; also since PIX/ASA
converts udp port numbersin "show run" output to the same names
as if they were tcp, using the same name mapping table.
2011-03-25 vadim <vadim@netcitadel.com>
* Importer.cpp (pushRule): fixes #2280 Rules created from PIX
config import showed an icon that indicated non-default
combination of rule options, yet all rule options looked normal
when opened in the editor.
* parsers/pix.g (icmp_top_level_command): see #2164 Implemented
import of "ssh", "telnet" and "icmp" PIX/ASA commands. These
commands are imported as regular rules in the main Policy ruleset.
* PIXImporter.cpp (finalize): see #2277 "Create policy objects for
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
* parsers/pix.g (tcp_udp_rule_extended): see #2273 Improvements in
the parser for PIX/ASA configs to make it recognize object-group
and named object names used to define source port, destination
address or destination port in "access-list ... tcp|udp" rules,
including ambiguous situation when an object-group appears after
source address specification because this group can define either
source port or destination address.
2011-03-24 vadim <vadim@netcitadel.com>
* ASA8ObjectGroup.cpp: see #2263 looks like "object-group service"
that includes named objects defined as "service-object" can not be
used in access-list commands and therefore is useless. Unless I
misunderstood and there is a way to use it, I should not generate
ASA configuration like this:
object-group service id5102X14531.srv.tcp.0 tcp
service-object object http.0
service-object object https.0
Object-group with "tcp" or "udp" type-suffix in the end does not
allow "service-object" statements at all, so this configuration
is incorrect anyway. However even without "tcp" in the end to
make "service-object" references acceptable, the group can be built
but can not be used in access-list statements.
Instead, the group should use port-object statements:
object-group service id5102X14531.srv.tcp.0 tcp
port-object eq 80
port-object eq 443
* IOSImporter.cpp (createTCPUDPServicePair): see #2267 added
support for import of object-group and service-object statements
of type "tcp-udp" (these get imported as service group object with
two tcp and udp service objects).
* getServByName.cpp (getPortByName): see #2268 updated list of
named tcp and udp ports recognized by the importer for Cisco ASA.
It is still unclear what port does the name "cifs" correspond to.
2011-03-23 vadim <vadim@netcitadel.com>
* addressObjectMaker.cpp (createObject): see #1548 Improved
algorithm used to deduplicate Network objects on import.
* FWWindow.cpp (prepareToolsMenu): fixed SF bug 3238026: build
failure on systems without net-snmp development libraries.
2011-03-22 vadim <vadim@netcitadel.com>
* parsers/pix.g (acl_xoperator_src): first attempt at PIX/ASA
access-list import. Not done yet.
* parsers/pix.g (port_object): see #2234 added support for import
of "obejct-group service name tcp|udp" constructs in ASA 8.3 with
subsequent "port-object" statements.
2011-03-21 vadim <vadim@netcitadel.com>
* PortRangeConverter.h (PortRangeConverter): see #2252 TCP and UDP
service objects that define port ranges assume port ranges are
inclusive, that is, range boundaries are included in the
match. This is the behavior of port range matches in iptables and
PF, however policy compilers for Cisco IOS ACL and PIX used to
convert these objects into ios and pix access list configurations
that excluded port range boundaries from the match. This behavior
made TCP and UDP service objects with port ranges incompatible
between firewall platforms, that is, the same object could not be
used in rules of firewall objects of different platforms because
generated configurations would behave differently. This change
makes port ranges inclusive in generated IOS and PIX
configurations. Users should verify their configurations and
adjust port range boundaries in TCP and UDP service objects if
necessary.
2011-03-20 vadim <vadim@netcitadel.com>
* ImportFirewallConfigurationWizard.cpp (accept): see #2253
"importer should not creates objects while still in the middle of
the wizard". Importer wizard creates new objects in the object
tree only when user clicks Finish and abandons results if they
click Cancel.
2011-03-19 vadim <vadim@netcitadel.com>
* IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented
import of Cisco IOS and PIX/ASA service configurations using port
operation "neq". Since object model in fwbuilder does not provide
direct support for "port not equal to" expression, this
configuration is conveted into two tcp or udp service objects with
port range extending below and above specified port and these two
service objects are then placed in a group.
* objectMaker.cpp (findMatchingObject): see #2240 better
deduplication algorithm on import: we consider objects created
from in-line address/netmask and port specifications found inside
object-group, access-list, filter or nat commands "anonymous"
objects. These objects get automatically generated names and are
deduplicated using only their relevant attributes but not names.
Objects created from pix named object ("object network foo",
"object service bar") statements are considered "named"
objects. They get the name matching the name in corresponding pix
config line and are deduplicated using both relevant attributes
and the name.
2011-03-17 vadim <vadim@netcitadel.com>
* PIXImporter.cpp (newObjectGroupNetwork): see #2234 Added support
for import of PIX/ASA "object-group" statements.
* FirewallInstaller.cpp (getActivationCmd): see #2239 Added
variable "firewall_name" to configlets that define commands
installer runs on the firewall to activate new policy (all
platforms).
2011-03-16 vadim <vadim@netcitadel.com>
* Importer.cpp (prepareForDeduplication): fixed #1548 "Object
de-duplication during import process". Also SourceForge 3030072
"remove duplicates during any import". Now the program can
optionally re-use existing objects from both Standard Objects and
user-defined libraries when it imports existing firewall
configuration. This works for any firewall platform for which we
support policy import. Objects are matched by attributes such as
address, netmask, port etc. Object name and comment are not taken
into account. Importing the same configuration file twice creates
two firewall objects with the same interfaces and rules but
re-uses address and service objects created on the first import.
2011-03-14 vadim <vadim@netcitadel.com>
* pix.g (named_object_network): see #2223 Implemented import of
named objects for Cisco PIX and ASA ("object network name" and
"object service name")
2011-03-12 vadim <vadim@netcitadel.com>
* Compiler.cpp (expandGroupsInRuleElement): sorting objects in the
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
* Compiler.cpp (_init): see #2212 "Performance improvement in
compilers". This change brings significant improvement in compile
time on large object trees. The speed-up is especially noticeable
in single rule compile where the time before generated firewall
configuration appears in the GUI shrank by up to a factor of 10.
2011-03-11 vadim <vadim@netcitadel.com>
* FWObject.cpp (add): fixes #2209 "do not allow the same object to
be child of different objects in the tree". Method FWObject::add()
enforces this. Subsequent clean-up and fixes in many places to
follow this logic. This makes code much cleaner, better organized
and more reliable.
2011-03-10 vadim <vadim@netcitadel.com>
* libfwbuilder/src/fwcompiler/Compiler.cpp (Compiler): see #2207
fixed memory leak in policy compilers. The impact of this leak was
especially severe on Windows with very large object databases.
2011-03-08 vadim <vadim@netcitadel.com>
* CustomServiceDialog.cpp (loadFWObject): fixes #2201 "Some fields
of locked object are editable". Some input fields of the Custom
Service object dialog were editable even when object was locked
read-only.
* GroupObjectDialog.cpp (loadFWObject): fixes #2203 "Crash when
attempting to add an object to a locked group".
* PolicyCompiler.cpp (checkForShadowing): see #2204 "Shadowing
detected for rule with action Continue". Policy rules with action
"Continue" should not shadow other rules and can not be shadowed.
* Importer.cpp (addStandardRuleComment): see #2189 Program adds
the file name and the line number to comments of policy and nat
rules it creates during import.
* IPTImporter.cpp (pushPolicyRule): see #2202 importer for
iptables creates Custom Service object to match combination of
states it does not recognize. This includes "NEW,ESTABLISHED".
2011-03-07 vadim <vadim@netcitadel.com>
* IPTImporter.cpp (pushNATRule): see #2197 "iptables nat rules in
chain OUTPUT not imported correctly"
* iptables.g (nat_addr_range): see #2194 "iptables import problem
with SNAT rule translating to an address range". NAT rules
translating into address range with "-j SNAT --to-source
192.168.1.1-192.168.1.10" did not import correctly
* IPTImporter.cpp (pushNATRule): fixes #2195 "incorrect iptables
import of nat rule with NETMAP target"
* IPTImporter.cpp (pushNATRule): see #2196 "iptables nat rules
with target REDIRECT not imported". Iptables NAT rules with target
REDIRECT where not imported correctly.
* IPTImporter.cpp (pushNATRule): see #2190 "support for import of
branches in NAT rules for iptables". Implemented import of NAT
rules in user-defined chains for iptables, these translate into
branching NAT rules in fwbuilder.
2011-03-06 vadim <vadim@netcitadel.com>
* Importer.cpp (ignoreCurrentInterface): see #2152 "ASA Import -
shutdown interfaces". Importer recognizes and skips ASA interfaces
in "shutdown" mode.
* IPTImporter.cpp (pushNATRule): see #2181 "Update iptables
importer to detect inbound & outbound interfaces in NAT rules".
Importer can now import nat rules with "-i" or "-o" interface spec.
* NATCompiler_ipt.cpp (processNext): see #2170 "Compiler should
generate error for invalid iptables NAT configs". Now that we
allow the user to specify inbound and outbound interfaces in
iptables NAT rules, compiler should verify that combination of
requested "-i" and "-o" interfaces is in fact valid. For example
iptables does not allow "-o" interface spec with rules that go
into PREROUTING chain (DNAT rules) or "-i" interface spec with
rules in POSTROUTING chain (SNAT rules).
* IPTImporter.cpp (pushPolicyRule): see #2189 Policy importer
warnings and errors now include line numbers to help find relevant
lines in the original configuration file.
2011-03-05 vadim <vadim@netcitadel.com>
* importFirewallConfigurationWizard/IC_ProgressPage.cpp (logLine):
see #2183 "count errors and warnings generated by the importer and
show the numbers in the progress page of the wizard". Configuration
import wizard now shows counters of warnings and errors generated
by the importer.
* FWBMainWindow_q.ui: see #2162 menu item "File / Import Policy"
renamed to "File / Import Firewall". This menu item launches
wizard that imports existing iptables, Cisco router IOS or
Cisco PIX/ASA config.
2011-03-04 vadim <vadim@netcitadel.com>
* IC_NetworkZonesPage.cpp (setNetworkZones): see #2161 policy
import wizard shows the page where user can set up network zones
of interfaces if firewall platform was determined to be PIX.
* IC_PlatformWarningPage.cpp (initializePage): see #2161 "import
workflow and automatic detection of firewall platform from the
config file". When user imports existing firewall configuration,
the GUI automatically detects firewall platform from the format
of the config file and shows platform-specific warning to explain
what parts of the config can and can not be imported. It also
detects firewall host name where possible (currently Cisco IOS
and ASA/PIX). Importer wizard has been reimplemented using
QWizard and QWizardPage classes and its workflow significantly
improved.
2011-03-01 vadim <vadim@netcitadel.com>
* importAddressListWizard/ImportAddressListWizard.cpp
(ImportAddressListWizard): see #2163 code that imports addresses
from a file in /etc/hosts format moved to its own wizard; using
QWizard and QWizardPage classes with correct implementation of
page sequencing and validation; old discovery druid has been
disabled. SNMP discovery and ios/pix/iptables configuration import
will move to their own wizards later.
2011-02-27 vadim <vadim@netcitadel.com>
* DiscoveryDruid.cpp (finishClicked): fixes #2156 "After import
the firewall should be opened in object tree".
* instDialog_ui_ops.cpp (readInstallerOptionsFromFirewallObject):
fixes #2160 "Installer reports error "Generated script file
<firewall>.fw not found."". The problem was intorduced earlier
while fixing #2047
2011-02-26 vadim <vadim@netcitadel.com>
* DiscoveryDruid.cpp (finishClicked): see #2153 "Add Network Zone
explanation and selection dialog to ASA/PIX import". Wizard shows
additional page when user imports PIX/ASA config. This page
explains concept of network zones and offers UI to let them choose
network objects or groups as a network zone of each interface.
* PIXImporter.cpp (rearrangeVlanInterfaces): see #2145 "ASA Import
of VLAN interfaces - Advanced Interface Settings not available".
Vlan interfaces discovered in the process of PIX configuration
import should be created as subinterfaces of the corresponding
parent with correct interface type and vlan id.
* parsers/pix.g (intf_address): fixes #2146 Issue a warning when
parser encounters "standby" parameter in an interface
configuration. We do not support import of PIX failover
configuration at this time.
* platforms.cpp (findBestVersionMatch): fixes #2147 "ASA Import -
some versions are not detected correctly". when user imports
PIX/ASA configuration, firewall object will automatically be
configured with the version setting that best fits version
indicated in the imported configuration. Note that fwbuilder does
not provide the list of version numbers that match PIX/ASA
versions exactly, for example we do not have settings "7.1" and
"7.2". Devices running these versions of PIX/ASA software should
be configured with version "7.0" in fwbuilder.
2011-02-25 vadim <vadim@netcitadel.com>
* parsers/pix.g (intf_address): see #87 "Import of PIX
configuration". Basic grammar that can parse host name, version,
interfaces, their names, labels, addresses, security levels and
few other things for PIX 6, 7 and ASA 8. PIX standby configuration
is not parsed (so we can't import cluster configuration at this
time). More work needs to be done to import named objects, object
groups, as well as policy and nat rules.
2011-02-24 Vadim Kurland <vadim@netcitadel.com>
* FirewallInstaller.cpp (getGeneratedFileName): see #2047 "Inspect
generated files button shows different path information". Do not
pass full path to the output file as an argument of the "-o"
option when the GUI launches policy compiler. Since the "-d"
option passes directory path where files sould be saved, actual
file names do not need to be absolute path, except if the user
entered absolute path for the output file name in the firewall
settings dialog.
* configlets/freebsd/installer_commands_root: see #2143 "installer
should run /etc/rc.d/pf script to reload PF rules on FreeBSD when
generated script is in rc.conf format"
* AddressTableDialog.cpp (browse): see #2140 "Attempting to create
new Address Table file results in read-only error". Implemented
support for the workflow when user wants to create the file used
to feed addresses to the AddressTable object.
* AddressTableEditor.cpp (load): fixes #2139 "Provide "Cancel"
button if Address Table file is read-only". IF the file configured
with Address Table object is read-only, the GUI shows warning when
user clicks "Edit" button and offers a choice: open it for viewing
read-only or cancel.
2011-02-23 vadim <vadim@netcitadel.com>
* AddressTableEditor.cpp (save): fixes #2135 "Editing table
objects". Dialog of the AddressTable object now offers button
"Edit" that lets the user edit address table file. This only
works if the file is located on the same machine where the GUI
is running, so it is probably most useful for compile time
objects.
2011-02-22 Vadim Kurland <vadim@netcitadel.com>
* configlets/linux24/shell_functions: see #2130 "unnecessary
output when iptables script runs on the firewall". Ever since I
switched to using "command" to verify that various system
utilities generated script needs are present and can be used, the
scirpt produced extra lines in the log printing full path and
names to /usr/bin/logger, /sbin/ip etc. These lines are
unnecessary and should not be there. This problem was introduced
some time during the work on 4.2.0
* instOptionsDialog.cpp (instOptionsDialog): fixes #2129
'deprecate "test install" function'. We have decided to deprecate
test install because it is rather heavy-handed on Linux and PIX
where it reboots the firewall and plain does not work on *BSD.
2011-02-21 vadim <vadim@netcitadel.com>
* PolicyCompiler_ipt.cpp (processNext): fixes #2008 "option
"--physdev-out" is not allowed in OUTPUT chain". After this
change, compiler avoids INPUT/OUTPUT chain if interface in the
rule column "Interface" is a bridge port and firewall is bridging
firewall (which means we are going to use --physdev-in or
--physdev-out option for this rule).
* newFirewallDialog.cpp (monitor): see #2126 Using snmp sysDescr
OID to guess version of the new firewall when it is created using
snmp polling.
* platform/pix.xml: see #1990 "Change default value for Cisco
ASA/PIX 7+ to generate outbound ACLs". Newly created PIX/ASA
firewall objects will now have "generate outbound acl" option
turned on by default.
* newFirewallDialog.cpp (showPage): fixes #1678 "When creating a
firewall from template it appears that a default template is
selected". When user arrives at the page where they choose
template to create new firewall object from, the first template
should be automatically selected.
* AddressRangeDialog.cpp (applyChanges): fixes #1971 "Address
range can be created with end address lower than start address".
Address Range object dialog should not let the user enter range
end address which is lower than range start address. Dialog
behavior is now similar to the behavior of the tcp and udp service
dialog where user can not enter port range end number lower than
port range start number.
* InterfaceData.cpp (guessLabel): fixes #2113 "ASA/PIX SNMP
discovery - assign default labels based on interface description".
Added pattern to match Cisco ASA interface description which is
different from Cisco PIX interface descriptions as returned via
snmp.
2011-02-20 vadim <vadim@netcitadel.com>
* BaseCompiler.cpp (getErrorsForRule): fixes #2124 "some error
messages get multiplied when compiler splits rules". Under certain
circumstances error messages could appear multiple times in the
generated script.
* Compiler.cpp (_expand_interface): fixes #1920 "Setting host
interface to unnumbered after it has been assigned IP address
doesn't have desired effect". Compiler still used ip addresses
that belonged to the interface even if it switchd to "unnumbered".
These children address objects should be ignored.
2011-02-19 vadim <vadim@netcitadel.com>
* NATCompiler_pix.cpp (processNext): see #2098 Added support for
user-configurable inbound and outbound interfaces in Cisco PIX/ASA
NAT rules. Two new columns appear in the rule set view: "Inbound
Interface" and "Outbound Interface". If user leaves one or both
columns blank, the GUI shows "Auto" in there and policy compiler
picks corresponding interface automatically. Leaving both columns
blank ("Auto") triggers backwards-compatible automatic behavior
where both interfaces are picked automatically. Multiple interface
objects and groups of interfaces are allowed in these columns.
* ClusterInterfaceWidget.cpp (getInterfaceData): fixes #2117 "CARP
interfaces in cluster that use VLAN interaces have no interface
set to MASTER". When PF cluster configuration was built using vlan
interfaces of member firewalls, CARP interfaces were not properly
configured with master/slave choice user makes on the first page
of the new cluster wizard.
* configlets/bsd/update_addresses: fixes #2116 "When CARP
interface IP address can't be assigned error or warning should
appear". The problem actually affects any type of interface.
Generated script should abort with an error termination code
when ifconfig fails to assign ip address to an interface.
2011-02-17 vadim <vadim@netcitadel.com>
* NATCompiler_ipt.cpp (processNext): see #2097 #133 "support for
inbound and outbound interface columns in iptables NAT
rules". This also addresses SF feature requests 1954286 "DNAT with
interface as condition not possible" and 621023 "manipulating
interface in NAT rule".
* platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2101
"CARP interfaces are set with same advskew". When new PF cluster
is created, master advskew paramerer will be set to 10 and backup
to 20 to make it deterministic.
* NATCompiler_ipf.cpp (processNext): see #133, fixes #2108 making
nat compiler for ipfilter work with interface column, however the
column is not exposed to the user. Compiler behavior should be
backwards compatible with older versions of fwbuilder.
* NATCompiler_pf.cpp (processNext): see #133. MErged code from the
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
* stopped making builds on Ubuntu Hardy. Old Qt (4.4.1) means more
and more parts of the code do not compile and require workarounds,
sometimes with loss of functionality in the GUI. v4.1.3 will be
the last officially released version of fwbuilder to work on
Hardy.
2011-02-16 vadim <vadim@netcitadel.com>
* NATCompiler_pf.cpp (compile): fixes #2095 added support for
groups and multiple objects in column "Interface" for PF NAT
rules. These translate into { em0 em1 em2 } groups in generated
pf.conf lines.
* NATCompiler_pf.cpp (compile): fixes #2096 added support for
negation in Interface column for PF NAT rules. Sets of interfaces
are converted to complementary sets using complete list of
interfaces of the firewall.
* carpOptionsDialog.cpp (validate): fixes #2100 carp password
should be optional parameter
* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): make
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
* ObjectTreeView.cpp (startDrag): fixes #2099 "Object list scrolls
up to the last edited object". Object tree used to scroll
spontaneously when user started dragging an object from it to a
rule.
* configlets/bsd/update_vlans: see #2105: generated script now
supports vlan interfaces with names that do not match vlan IDs
(OpenBSD, FreeBSD, shell script format).
* OSConfigurator_bsd_interfaces.cpp (sort_interface_names): see
#1807, #2104: arrange interface configuration commands in the
generated scritpt in such order that bridge and carp interfaces
are configured after all other interfaces are done.
* compiler_lib/CompilerDriver.cpp (commonChecks2): see #2103
removed interface name validation check in compilers, this
check will only be done in the GUI. Comiler still verifies
bridge inetrface configuration and makes sure vlan interfaces
that should also be bridge ports are created as copies.
* InterfaceDialog.cpp (applyChanges): see #2103 "complex
vlan/bridge configurations are not supported by the interface
validation code". Added checkbox to let the user turn off
interface name validation functions in the GUI. Checkbox is
located in the global Preferences dialog, tab Objects, subtab
Interface. For backwards compatibility, the checkbox is turned on
by default. When it is off, the GUI does not validate the name of
inetrfaces and subinterfaces and turns off checks that enforced
interface name patterns for VLAN, bridge and bodning interfaces.
It also turns off check for the validity of vlan ID derived from
vlan interface name and turns off automatic configuration of
interface type and vlan ID. These checks sometimes were in the way
of building complex configurations that involved multiple vlan
interfaces with names not matching their IDs. This also fixes SF
bug #3066714 "please dont stop me from creating a new interface"
where user wanted to create interface "veth201.0" on Linux but the
GUI blocked this operation because the name seemed to match vlan
interface pattern.
2011-02-15 vadim <vadim@netcitadel.com>
* ActionsDialog.cpp (setRule): see #1871 "PF Actions Tag and
Classify can be terminating or non-terminating". Added checkbox to
the action properties dialog for actions Tag and Classify for PF
that lets the user choose if these actions should be terminating
or not. Old behavior (Tag was non-terminating and Classify was
terminating) is reflected in default settings of the checkboxes.
Terminating rules generate "pass quick" commands, while
non-terminating rules generate "pass" commands (no "quick" option).
* libfwbuilder/migration/FWObjectDatabase_17.xslt: see #133
Working on adding interfaces to the NAT rule model. There will be
two inetrfaces per NAT rule: "inbound interface" and "outbound
interface". DTD version changes to "18", old data files need to
be upgraded.
2011-02-14 vadim <vadim@netcitadel.com>
* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): fixes
#2091 "ethernet intrface options a used twice if the interface is
a bridge port". When an interface appeared twice in the firewall
configuration, such as when it is used as a bridge port and
vlan parent interface, options configured for it in its settings
dialog were added twice to the generated configuration.
* OSConfigurator_freebsd.cpp (interfaceConfigLineBridge): fixes
#2092 "option "stp" should be optional in the ifconfig command
that builds bridge interface for FreeBSD". The dialog provides
checkbox "Enable STP", parameter "stp" will be added to the
ifconfig command only when the checkbox is turned on.
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #1866 "support
for pf option set state-policy", #1868 "support for pf
option set block-policy", #1869 "support for pf option set debug".
2011-02-13 vadim <vadim@netcitadel.com>
* configlets/freebsd/carp_interface: see #2074 On FreeBSD ifconfig
does not understand parameter carpdev
* PolicyCompiler_pf.cpp (checkForShadowingPlatformSpecific): see
#1867 "PF: rule with non-terminating action Tag shadows other
rules below it". Since action Tag is non-terminating, rules with
this action should not shadow other rules.
* instConf.cpp (clear): see #2088 "Installer caches putty session".
Need to initialize putty_session properly and clear it in clear().
* snmp.cpp (run_impl): See #2084 "snmp discovery takes forever on
devices with large routing tables". This takes very long time on
decides with large routing tables. This code was implemented long
time ago and apparently routing data was intended to be used to
discover "external" interfaces, but it is unclear if this is still
done. The concept of external/internal currently exists only for
platforms that support security levels (PIX) and there we guess
levels by matching addresses against RFC1918 and let the user user
adjust levels manually anyway.
2011-02-12 vadim <vadim@netcitadel.com>
* ObjectManipulator_tree_ops.cpp (expandOrCollapseCurrentTreeNode):
fixes #1895 "Add context menu option to expand all child nodes in
object tree". Added menu item "Expand" to the context menu
associated with all objects in the object tree. This item recursively
expands all tree nodes under the given object and automatically
changes to "Collapse" if the item is expanded. Also changed behavior
of the double click on the object in tree: before, double click
opened object in the editor and expanded or collapsed subtree. Now
it only opens object in the editor but does not expand/collapse
subtree.
* fixes #2083 Added new services to the Standard Objects Library:
rtmp, xmpp-client, xmpp-server, nrpe
2011-02-11 vadim <vadim@netcitadel.com>
* instDialog_ui_ops.cpp (verifyManagementAddress): see #2073 "Add
additional information or workflow when no management inferface
configured". The error message shown to the user when no
interfaces has been marked as "management" is now more verbose and
provides instructions how to do this. Also, if user provided
alternative address to be used to communicate with the firewall,
the check for the management interface is not performed since it
is not needed.
* configlets/bsd/update_carp: see #2078 added verbose error
message in a situation when "ifconfig carp0 create" command fails
to create CARP interface.
* OSConfigurator_bsd_interfaces.cpp (interfaceIfconfigLine): fixes
#2058 "Ability to configure mtu and metric of regular inetrfaces".
"Advanced settings" dialog of the interface object provides
controls to configure MTU and possibly add any additional ifconfig
parameters. This is available for OpenBSD and FreeBSD.
2011-02-10 vadim <vadim@netcitadel.com>
* NamedObjectsManagerPIX.cpp (getClearCommands): fixes #2060
"Existing configuration objects are not cleared in PIX 6.3".
Commands used to clear object groups and objects have different
syntax in PIX 6.3 and PIX 7 and later.
* linux24/check_utilities: fixes #1999 "log() does not work" Using
built-in utitlity "command" to verify that all the tools generated
script needs to function properly are available and can be
accessed either via direct full path or are in the PATH
variable. This includes the check for the logger tool that is used
to make log record when firewall is activated.
* OSConfigurator_freebsd.cpp (interfaceConfigLineVlan): fixes #2071
"vlandev missing in the vlan definition (when using rc.conf.local )"
* NATCompiler_ipt.cpp (getAddressTableVarName): fixed SF bug
#3102044 "Colon in (runtime) Address Table name". Variable used to
process addresses in the run-time address table should not use
character ":" even if it appears in the Address Table object name.
* instDialog_ui_ops.cpp (summary): fixed SF bug 3169045: "Batch
installer lists IPv4 address as management address". The "summary"
display in the installer progress log output will now show putty
session name if it is used instead of the management address.
* NATCompiler_pf.cpp (processNext): fixes #2069 "PF: allow
multiple objects in ODst of redirecting nat rule". This fixes SF
bug 3162862 "NAT - more than one object in original destination"
* newFirewallDialog_from_template.cpp (replaceReferencesToNetworks):
fixes #1979 "New firewall created with Cisco c36xx template
results in network object in interface column in Policy"
* ObjectManipulator_tree_ops.cpp (getTreeLabel): fixes #2067 "Add
way to show interface label in object tree". The tree now shows
interface name and label if the label is not empty.
* configlets/bsd/update_vlans: fixes #2066 "Existing VLAN
interfaces are not properly removed from FreeBSD and install
script fails"
2011-02-09 Vadim Kurland <vadim@netcitadel.com>
* RuleSetView.cpp (showToolTip): fixes #1915 "tooltip shown when
mouse is over rule number should be added to the list of
suppressed tooltips when 'Advanced user mode' is in effect"
* platforms.cpp (setDefaultFailoverGroupAttributes): fixes #2064
"CARP interfaces are not properly installed on FreeBSD cluster".
I need to populate failover group objects with some reasonable
defaults when they are created.
* configlets/freebsd/installer_commands_root: fixes #2065
"activation commands on FreeBSD and OpenBSD lose script exit
status". Sequence of commands ran by the built-in installer on
*BSD firewalls were losing exit status of the script which meant
installer always declared installation a "success" even when
there were errors.
2011-02-08 vadim <vadim@netcitadel.com>
* SSHUnx.cpp (SSHUnx): fixes #2061 "Installer shows success for
failed installed on FreeBSD due to corrupt script file". Added
bunch of common shell error messages to make sure installer
recognizes them and mark install as a failure even if ssh fails
to pass termination code.
* instDialog.cpp (showPage): fixes #2037 "If there is an error
when compiling firewall then installer should be
aborted". Compile/install wizard should disable "Next" button
after compile phase is done if all firewalls failed to compile
with no errors.
* configlets/bsd/update_bridge: fixes #2042 "add configlet and
shell functions to manage bridge interfaces via shell script on
OpenBSD and FreeBSD". Bridge interfaces are managed incrementally,
that is, the script creates and destroys them as needed, then adds
or removes bridge ports, to bring bridge configuration in sync
with what is defined in fwbuilder GUI.
* CompilerDriver_pf_run.cpp (run): fixes #2054 "Add support for
load anchor PF command". Instead of loading anchors using "pfctl
-a anchor -f file" command in the .fw initialization script, now
generated PF configuration uses "load anchor" commands in the
pf.conf file. This way, we can load anchors correctly when PF
configuration is activated from the generated rc.conf.local file
where only one pf.conf file can be referenced.
2011-02-07 Vadim Kurland <vadim@netcitadel.com>
* CompilerDriver_pix_run.cpp (run): fixes #2055 "Compiler shows
success, but there was a fatal error in the config". The bug has
been introduced recently (in 4.2.0) and really affected all
compilers.
* AddressTableDialog.cpp (browse): fixes #1914 "Address table
object file name is not created properly if user clicks outside
Editor panel"
2011-02-06 vadim <vadim@netcitadel.com>
* SSHUnx.cpp (SSHUnx): fixes #2049 "Installer reports success even
if there was an error while creating static routes". Added our own
error message generated when command used to add static route
fails to the list of error messages recognized by the installer.
* OSConfigurator_freebsd.cpp (updateBridgeOfInterface): see #1889, #2043
Added support for bridge interface configuration in BSD.
2011-02-05 vadim <vadim@netcitadel.com>
* SSHUnx.cpp (SSHUnx): see #2039 "Installer reports success even
if pfctl can't load config file". Added more pfctl error messages
to the list to make code more robust.
* CompilerDriver_pf.cpp (printStaticOptions): fixes #2038 "pfctl
error when firewall settings include scrub option for reassembly".
Command "scrub all reassemble tcp" does not allow direction.
Tested and verified on OpenBSD 4.2 and FreeBSD 8.1
2011-02-04 vadim <vadim@netcitadel.com>
* freebsdInterfaces.cpp (manageIpAddresses): fixes #2032 "support
for DHCP interfaces in rc.conf mode". Include dynamic interfaces
inin the list of interfaces generated script manages when the
script is in rc.conf format. This addds lines similar to
'ifconfig_em0="DHCP"'.
2011-02-03 vadim <vadim@netcitadel.com>
* RoutingCompiler_freebsd_writers.cpp (RoutingRuleToString): fixes
#2026 Compiler can now generate static routing configuration
in rc.conf format for FreeBSD.
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixes #2021 "since
rc.conf format is only supported for FreeBSD, the option in the
dialog should not be available for other OS"
2011-02-02 vadim <vadim@netcitadel.com>
* OSConfigurator_freebsd.cpp: see #1888 "Add option to generate
rc.conf.local file for BSD systems". Added ability to generate
initialization script in rc.conf fromat for FreeBSD. Only FreeBSD
is currently supported (not OpenBSD). Generated script includes
variables to configure interfaces and their ipv4 and ipv6
addresses, vlans, CARP and pfsync interfaces, as well as variables
that initialize PF.
2011-02-01 vadim <vadim@netcitadel.com>
* CompilerDriver_files.cpp (determineOutputFileNames): See #2015
"Add support for setting names of generated .fw and .conf files
separately for PF". Added second input field in the "advanced
settings" dialog, tab "Compiler" for the firewall platform "PF".
Now user can set the name for both the generated .fw
initialization script and .conf PF configuration file, as well as
names for both files on the firewall. Support for this is generic
and the same functions work for other platforms if corresponding
input field in the dialog exists. The name of the initialization
script is set as follows: 1) if user provided -o command line
switch to the compiler, its argument is used. 2) if -o switch was
not present but the name was configured in the firewall settings
dialog, it is used. 3) if none of them were present, the name is
constructed from the name of the firewall object with suffix .fw.
The name of the .conf PF configuration file is taken from the
settings dialog, but if it is blank, then it is constructed from
the name of the initialization script but with suffix .conf.
2011-01-31 Vadim Kurland <vadim@netcitadel.com>
* RoutingCompiler_bsd_writers.cpp (_printAddr): see #1890 "Add
support for configuring static routes on BSD". Implemented support
for simple static routing rules. ECMP and routing via interface
(routing to directly reachable subnets) are not
supported. Generated script preserves static routing entries that
existed before and attempts to recover in case of error. Needs
testing.
2011-01-30 vadim <vadim@netcitadel.com>
* FWWindow_editor.cpp (clearEditorAndSearchPanels): see #2006
"Crash when closing editor panel with find-and-replace". The GUI
crashed if user tried to close editor panel at the bottom after
closing objects+rules panel and while some object was still
displayed in the editor.
2011-01-28 vadim <vadim@netcitadel.com>
* newFirewallDialog.cpp (fillInterfaceNZList): fixes #2000 "New
dialog window in New Firewall wizard for ASA / PIX - Network Zone
explanation". Added page to the new firewall wizard to let the
user configure network zones of interfaces when chosen firewall
platform supports network zones (only PIX/ASA right now).
* newFirewallDialog.cpp (fillInterfaceSLList): fixes #1983 "ASA
multiple interfaces have the same security level". Using table
widget with spin-boxes to let the user edit security levels of
interfaces conveniently.
2011-01-27 vadim <vadim@netcitadel.com>
* ProjectPanel.cpp (closeEvent): fixes #1998 "Crash after running
find-and-replace then closing file". Specific sequence of actions
and only on Mac OSX caused GUI to crash. To fix, I clear editor
panel when user closes project window using MDI window title menu
item "Close" or "Close" button.
* ProjectPanel.cpp (registerModifiedObject): see #1996 "Crash when
finding and replacing a large number of objects". When "find and
replace" function was used to replace large number of objects in a
rule set, it generated stream of calls to
updateLastModifiedTimestampForAllFirewalls() which caused
corresponding stream of events to update various parts of the GUI,
both in the tree and rule set views. This caused weird corruption
and crash on Windows. Trying to resolve the issue by optimizing
the part that updated "last modified" timestamp on the firewall
since all parts of the rule set updated in one call to "find and
replace" function belong to the same firewall.
* IOSImporterRun.cpp (run): see #1931 "Update failed import
behavior". Added meaningful error messages for when policy
importer fails to create firewall object or does not create
interface objects or any rules.
* Rule.cpp (removeRef): fixes #1997 "add removeRef and addRef
methods to class NATRule". Now undo and redo correctly remove and
restore references to NAT rule sets in NAT rules with action
Branch.
* Rule.cpp (addRef): fixes #1991 "Undo does not restore object as
a parameter of policy rule action Branch or Tag after it was
deleted deleted". Now Undo restores references to rule sets and tag
services as arguments of corresponding policy rules, as well as
references to objects configured as interface network zones.
* Interface.cpp (removeRef): fixes #1987 "Deleting object that is
used as Network Zone for ASA/PIX interface results in inconsistent
behavior". When an object that is used as a network zone of an
interface is deleted, it should be removed from the interface
configuration as well.
* Cluster.cpp (init): fixes #1995 "Crash when compiling a cluster
with identical firewalls". Method Cluster::init() must call base
class method Firewall::init() to get child Policy, NAT and Routing
objects created.
* CompilerDriver_pix_run.cpp (run): fixes #1994 "Crash when
compiling a firewall in an imported Library". Compilers should
reset any read-only flags in the copy of object tree they work
with before they make any modifications.
2011-01-26 vadim <vadim@netcitadel.com>
* ProjectPanel_events.cpp (event): see #1994 "Crash when compiling
a firewall in an imported Library". To prevent crash, added check
to make sure firewall object is not read-only before an attempt to
update its "last compiled" or "last installed" timestamp.
* ProjectPanel_file_ops.cpp (fileExport): fixes #1993 "V4.2 on
Windows - export Library shows the file type as Firewall Builder
2"
* FWBSettings.h (SETTINGS_PATH_PREFIX): fixes #1992 " V4.2 on
Windows - installer error can't find Secure Shell utility"
* init.cpp (init): fixed #1989 "variables respath and librespath
are redundant and copy Constants::getTemplateDirectory()". Got rid
of global variables sysfname, tempfname, librespath, respath and
localepath; will now use class Constants to keep this information.
2011-01-25 vadim <vadim@netcitadel.com>
* src/fwbuilder/libfwbuilder-config.h.in: fixes #1937 "RES_DIR
macro is defined twice". Got rid of duplicate definition of this
macro.
* FWObject.cpp (updateNonStandardObjectReferences): see #1985
added virtual function updateNonStandardObjectReferences() that is
supposed to update any references to objects stored as attributes.
* ACL.cpp (trimLine): fixes #1986 "Cisco ASA remarks should be
truncated to 100 characters or less". Trimming all lines used for
access list remarks to <100 characters. Remarks can only be less
than 101 characters on PIX/ASA and less than 100 characters on
IOS.
2011-01-24 Vadim Kurland <vadim@netcitadel.com>
* PolicyCompiler.cpp (addMgmtRule): fixes #1966 "IOSACL:
object-group can get name that consists of only suffix". Compiler
generated object-group statements with names such as ".src.net.0"
in some cases.
* ObjectIconView.cpp (dragEnterEvent): see #1980 "Objects from
Deleted Objects should not be allowed to be used in rules". Added
checks to not allow drag&drop of an object from Deleted Objects
library into rules and groups.
* NamedObject.cpp (createServiceObjectCommand): See #1958
"consistently use "exit" to get out of nested context in pix
config". Using "exit" to exit from nested context while adding
network or service object in generated PIX/ASA configuraton.
* PolicyCompiler_pix.cpp (compile): see #1970 "ASA Policy - single
IPv6 icmp object allowed in rules". Since we do not support ipv6
for PIX/ASA at this time, policy compiler should drop the rule
if ipv6 address or icmpv6 service is used and issue a warning.
* PolicyCompiler_pix_v6_acls.cpp (processNext): see #1981 "ASA /
FWSM Policy - Generate warning message if rule will not generate
config data"
2011-01-22 vadim <vadim@netcitadel.com>
* ObjectManipulator.cpp (contextMenuRequested): context menu item
that opens object in the editor should be named "Inspect" when the
object is read-only because the editor would not allow the user to
change it.
* ObjectManipulator.cpp (contextMenuRequested): fixed #1926
"Crash when moving object in Standard library". Context menu
item "Move" should be disabled when the object is located in
the read-only library.
* GroupObjectDialog.cpp (setupPopupMenu): see #1976 "Crash when
deleting firewall object from rule after export / import library"
Crash occurred as the result of the following sequence of actions
in the GUI: 1) use context menu item "Cut" to delete an object in
the tree, 2) open object group or rule and use context menu item
"Paste" to add it, 3) export library to an external file, 4)
import this library into different data file, 5) save the data
file. Saved data file is invalid XML since it has unsatisfied
reference and some operations on it cause crash. The problem is
that since it is a reference to the object that is being added in
case of both groups and rules, we end up with a group or rule with
a reference to an object that is located in Deleted Objects
library. Deleted Objects library is not included when a library
file is merged into data file and this leads to a dangling
reference. The fix is to not allow Paste if object in the
clipboard has been deleted.
* NamedObjectsAndGroupsSupport.cpp (saveObjectGroups): see #1968,
#1972 Class NamedObjectsManager maintains its own copy of object
tree that holds object group objects it creates during compiler
passes. This allows me to maitain one common set of object groups
for both policy and nat compilers and avoid creating duplicate and
redundant object-group statements.
* NamedObjectsManagerPIX.cpp (getClearCommands): see #1968, #1972
class NamedObjectsManager (and derived classes for IOS and PIX)
generate "clear" commands. This way, I can generate correct set
of "clear" commands that take into account any named objects and
object-groups that could be created during both policy and nat
compiler passes.
2011-01-21 vadim <vadim@netcitadel.com>
* FWObject.cpp (init): see #1972 Seaprated object creation and
initialization. Some complex objects need to create a set of
standard child objects. Previously this was done in a special type
of constructor which required pointer to the object tree root
(FWObjectDatabase*). This created problems with implementation
of the method to register functions that create objects of new
types outside of the API. Now all objects have just a basic set
of constructors, plus method init() that can initialize them.
* FWObjectDatabase_create_object.cpp (registerObjectType): see
#1972 implemented mechanism that allows me to register new object
types created and used outside of libfwbuilder API. This means
FWObjectDatabase can then copy and manipulate object trees that
use these new object types.
2011-01-20 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
see #1963 "move printing of object-group definitions to
NamedObjectManager::getNamedObjectsDefinitions()". Consolidated
code that works with named objects and object groups in the class
NamedObjectManager. This class manages all the objects and in the
end generates commands.
* PolicyCompiler_cisco (printClearCommands): Refactored parts that
generate "clear" commands to make sure they are printed in the
right order at the top of the generated configuration. Previously
compiler placed "clear global", "clear static" and "clear nat"
commands above the NAT section but below policy section. Since
ASA8.3 nat commands can use named objects and object groups, and
since I have added support for object groups in ASA 8.3 policy
rules, I now need to clear objects and object groups at the very
beginning of the generated config. However in order to be able to
clear objects and object-groups, I need to clear access-lists and
nat commands that might be using them first. So, all clear
commands are now grouped at the beginning of the generated
configuration. This affects pix/asa, iosacl and procurve_acl
platforms.
* NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959
"ASA Policy - ranges are broken into composite network instead of
using range command". I have to create named objects for address
ranges and put them into an object-group, which I can then use in
access-list commands.
* PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX
6.1 configurations use object groups". Policy compiler for PIX is
now aware that object-group statement was introduced in PIX v6.2
and avoids using object-groups when firewall object version is set
to 6.1
* NamedObjectsAndGroupsSupport.cpp (processNext): made names
automatically assigned to object-groups in generated PIX
configuration shorter by removing interface label prefix.
2011-01-19 vadim <vadim@netcitadel.com>
* PolicyCompiler_pix.cpp (compile): See #1959 "ASA Policy - ranges
are broken into composite network instead of using range command."
Added support for address ranges using named network object with
parameter "range" for ASA 8.3 and later. NOTE: if a network or ip
address object is used in a nat rule for ASA 8.3, a named object
has to be created for it since ASA 8.3 does not accept ip
addresses or subnets in "nat" commands. In the situation like
this, if the same address or network object is used in any Policy
rule, the same named object will be used in the generated
access-lists command.
* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
see #1959 Moved generation of the code that defines named objects
to class NamedObjectManager. This allows me to put all named
object commands on top of the generated policy, nat and routing
configurations and make sure each object is defined only once.
Still need to do #1963 - move code that generates commands to
define object-groups to class NamedObjectManager.
* NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT -
generate warning if nat rule is split and one of the resulting nat
rules have the same real interface and mapped interface". Compiler
issues warning when objects used in OSrc and TSrc of a NAT rule
make it use the same interface as both real and mapped interface
in the generated nat command. This check is only done for ASA 8.3
NAT rules.
2011-01-19 Vadim Kurland <vadim@netcitadel.com>
* NamedObject.cpp (sanitizeObjectName): see #1953 "ASA NAT - two
host objects in the same rule result in incorrect config". We now
register and keep track of all named objects to make sure their
names are unique.
* newHostDialog.cpp (finishClicked): see #1953 "ASA NAT - two host
objects in the same rule result in incorrect config". Objects that
represent addresses of interfaces of a host object created using
template will be automatically renamed to follow standard naming
convention "host_name:interface_name:ip" to avoid creating
duplicate names.
* PolicyCompiler_pix_writers.cpp: see #1960 add support for
CustomService for PIX policy rules. Note that CustomService
objects are only supported in Policy rules since nat commands in
ASA 8.3 require use of named objects and it is difficult to
implement correct named objects and object-groups with protocol
parameter and custom services.
2011-01-18 Vadim Kurland <vadim@netcitadel.com>
* PIXObjectGroup.cpp: ASA 8.3 see #1942, #1943 fixed generation of
the "object-group" statements by adding protocol keyword at the
end so that the group can be used in access-list commands. It
looks like mixed service groups that have no protocol keyword at
the end of the line that defines them cause error "specified
object group <foo> has wrong type; expecting service type". I am
going to avoid using mixed service groups because of this.
2011-01-17 vadim <vadim@netcitadel.com>
* ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule
must be "static" when subnet is present in TSrc"
* ServiceRuleProcessors.cpp (condition): see #1942 improved
support for CustomService objects for ASA 8.3. Generate separate
named object and object-group for these objects, then split policy
and nat rules so that only one custom service object is left in
each rule and then use object-group to match it. Note: this has
been rolled back. There is no support for CustomService objects in
NAT rules.
* PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect
configuration created when a CustomService object is used in a
policy rule for PIX/ASA v<8.3". Since we do not support custom
service objects in policy and nat rules for versions older than
8.3, added check to generate fatal error when such object is used.
* NamedObjectsAndGroupsSupport.cpp (init): fixes #1945
"object-group names include ever-growing suffix". Object-groups
created by the compiler for PIX/ASA had numerical suffix that was
constantly increasing when user used single-rule compile function
in the GUI.
* PolicyCompiler_pix.cpp (compile): fixed #1944 "ASA Policy -
duplicate network object groups created for mixed service group
with TCP dst and TCP src port range objects". Need to convert
address range objects to subnets early, before the rule is split
for any reason, to make sure object groups created later match
and are reused.
* NamedObjectsAndGroupsSupport.cpp (processNext): See #1943 "ASA
Policy - mixed service group with TCP destination port range and
standard TCP object generates invalid config". Protocol word "tcp"
was missing after "deny" in the generated rule.
* NATCompiler_asa8.h (fwcompiler): see #1949 "ASA NAT - split
objects if OSrc contains objects that are in more than one network
zone".
2011-01-16 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (processNext): Added support for
CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
Note: this has been rolled back. There is no support for
CustomService objects in NAT rules.
* NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler
complains about range in original destination". NAT rules
translating destination allow Address Range objects in ODst or TDst
for ASA 8.3
* NamedObject.cpp (NamedObject): see #1940 "ASA NAT - fwbuilder
host objects interface ip is reserved keyword". Added list of
reserved words used in IOS and ASA software to make sure generated
named objects do not conflict. Will maintain single super-set
of reserved words instead of separate set for each version of IOS
and ASA.
* PolicyCompiler_pix.cpp (compile): fixed #1938 "icmp" commands
were not generated for ASA 8.x policy rules.
* NATCompiler_asa8.cpp (processNext): See #1927. Added check for
NAT rules that request translation of destination address but have
ODst "any". This only applies to ASA 8.3; these rules are
prohibited.
2011-01-14 vadim <vadim@netcitadel.com>
* NATCompiler_asa8_writers.cpp (printSDNAT): fixes #1932 "Add
description field to generated NAT rules for ASA". NAT rules
generated for ASA 8.3 and later will have "description" keyword
added, with rule label as an argument. Rule label includes
word "NAT" and rule number.
* libfwbuilder/src/fwbuilder/InetAddrMask.cpp (getOverlap): fixes
#1934 "libfwbuilder::getOverlap() incorrectly calculates overlap
between ipv4 networks". This should also fix SF bug 3156376 "Can
not find interface with network zone that includes address range".
2011-01-13 vadim <vadim@netcitadel.com>
* NATCompiler_asa8.cpp (compile): refs #1928 "Support for
object-group in OSrc". Implemented support for object-group
and named objects for Osrc and ODst in ASA 8.3 NAT rules.
* PolicyCompiler_cisco.cpp (removeRedundantAddresses): fixed #1917
"Duplicate objects are not detected". Compiler should detect
duplicate objects that may be created in a rule element when user
combines Address Table object with other address or network
objects there.
* ASA8ObjectGroup.cpp (toString): refs #1885 Compiler uses named
objects and objects groups to build configurations that use
address ranges in TSrc in NAT rules. (only ASA 8.3 and later)
2011-01-12 Vadim Kurland <vadim@netcitadel.com>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1907 "ASA NAT -
fwbuilder doesn't support multiple translated sources in a single
NAT rule". Compiler uses object-group to translate NAT rules that
have multiple objects in Translated Source.
* PolicyCompiler_pix_writers.cpp (_printLog): fixed #1913 "ASA/PIX
rules with logging enabled don't have log set unless user modifies
Firewall Settings". Added default log level setting to the
resource xml file for platform "pix", set to "informational". ACL
lines now get "log " keyword followed by the log level taken from
the rule options, or if that was not configured, from the
firewall object settings, or if that is not configured, the
default.
2011-01-11 vadim <vadim@netcitadel.com>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1908 "ASA NAT -
cannot configure static NAT translations with (inside,outside)".
Added NAT rule option to make source nat rules "static". The
option is presented to the user as three radio buttons in the NAT
rule options dialog which is only enabled when platform is "pix"
and version >= 8.3. Policy compiler generates "twice nat" rules
with keyword "static" in the following cases: when TSrc is
"original", so the rule translates destination and not source or
when numbers of ip addresses represented by OSrc and TSrc are
equal. If TSrc is not "original" and represents different number
of ip addresses than OSrc, compiler looks at the new rule
option. User can use or override automatic algorithm using radio
buttons in the NAT rule options dialog.
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1902 "Add NAT
rule option "translate dns" for PIX". The option is only available
for ASA 8.3 or later.
* NATCompiler_asa8_writers.cpp (printSDNAT): fixed #1909 "ASA NAT
- static nat port translation where service is the same for
original service and translated service not generated correctly"
2011-01-10 vadim <vadim@netcitadel.com>
* PolicyCompiler_pix.cpp (compile): fixed #1862 "fwb_pix crash".
Compiler fwb_pix crashed when DNSName run-time object was used in
a rule, but worked fine and issued an error when used in
single-rule compile mode.
* Helper.cpp (findInterfaceByNetzone): fixed #1906 "ASA NAT -
Address objects are not properly identified by network zone and
have the wrong real interface". The problem should have affected
both "old" (PIX 6 and 7) and "new" (ASA 8.3) configuration. When
an Address object was used in Original Source of a NAT rule,
compiler used wrong interface in the (interfac1,interface2) pair
in "nat" command.
* CompilerDriver_pix_run.cpp (run): fixed #1905 "fwbuilder crash
when compiling a rule with hosts folder as destination". Compiler
issues a warning when an empty group object is used in a rule, but
GUI crashed when user tried to compile this rule using single-rule
compile function. The change actually affects all policy compilers
and makes sure the GUI catches exception and does not crash, and
prints any errors generated by the compiler in the compiler output
panel when single-rule compile function is used.
* CompilerDriver_ipt.cpp (findBranchesInMangleTable): fixed #1879
"gui crash". Both GUI and fwb_ipt crashed trying to compile a rule
with action Branch that was not configured to point to any rule
set.
2011-01-07 vadim <vadim@netcitadel.com>
* NATCompiler_pix.cpp (NATCompiler_pix): fixes #1901 "add
destructor to NATCompiler_pix and NATCompiler_asa8". This
eliminates memory leak.
* ASA8Object.cpp (ASA8Object): refs #1885 "named network and
service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes #1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
configuation.
2011-01-04 vadim <vadim@netcitadel.com>
* platform/fwsm.xml: FWSM v4.x does not have "fixup" command, instead,
we should use policy-map and class commands.
* OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect):
refs #1893 fixes #1883 "inspect ip options in pix8". Added support for
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
* PIX8ObjectGroup.cpp (toString): refs #1882 "Mixed service groups
in PIX8". Added pix versions 8.0 and 8.3; added support for mixed
servcie groups in pix 8.0 and later.
* PolicyCompiler_srvre_functions.cpp (processNext): fixed #1892
"move rule processor class separateServiceObject to
PolicyCompiler". This rule processor used to be implemented only
in the compiler for PF, but since it has very general meaning, the
same function was duplicated in other compilers as well. Moved the
class to libfwbuilder and reimplemented several other rule
processors to inherit from this class to avoid further duplication
for code.
* PolicyCompiler_pix.cpp (compile): fixed #1891 "problems with TCP
and UDP services with source ports". Policy compiler for PIX did not
generate correct PIX ACL lines when one Policy rule tried to match
several TCP and/or UDP objects matching source ports.
2010-12-29 vadim <vadim@netcitadel.com>
* VERSION (VERSION): started 4.2.0
This version is the first one to merge libfwbuilder and fwbuilder
packages. Libfwbuilder is now in the src/libfwbuilder subtree inside
fwbuilder code tree.
RPM .spec files and DEB .control files are now located in the packaging
directory inside fwbuilder code tree.
Changes in the versioning format: I am going to use build number
as a "nano" version number, composing complete version as
"4.2.0.3425". The "-N" suffix in rpm and deb package names will
be used for package release number and most of the time will be
"-1". This suffix should reflect minor differences in the package
that do not affect code at all.
2010-12-16 Vadim Kurland <vadim@netcitadel.com>
* ActionsDialog.cpp (fillInterfaces): fixed #1872: "vlan interface
does not appear in the list of interfaces for route-to action for
PF".
2010-12-12 Vadim Kurland <vadim@netcitadel.com>
* VERSION (FWB_MICRO_VERSION): started 4.1.4
2010-12-05 Mike Horn <mike@netcitadel.com>
* minor updates to main help dialog text to fix broken/outdated
links
2010-12-02 Vadim Kurland <vadim@netcitadel.com>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::getInterfaceVarName):
fixed #1856 "Pemit '-' in Linux interface names". OpenWRT uses
name "ppp-dsl" for PPPoE interfaces. In addition to that, Linux
bridge interfaces may have names with a "-" such as
"br-lan". We will now permit a "-" in Linux interface names.
* FWWIndow.cpp: Fixes #1858 'Remove "Summary of features" page
from the package' and #1857 'Remove "Getting Started" guide from
the package'. We have dediced to keep documentation and other
content like this on the web site. Button "Watch Getting Started
Tutorial" in the Tip of the Day dialog opens tutorial hosted on
the web site in a web browser.
2010-11-16 Vadim Kurland <vadim@netcitadel.com>
* check_utilities: fixed #1851 "no need to check for modprobe when
host OS is "dd-wrt" and possibly other embedded Linux
systems". Generated script does not use modprobe utility when host
OS is set to "DD-WRT" or "OpenWRT" and should not try to find this
utility on the system. This is also related to the SourceForge bug
3032293
2010-11-16 Vadim Kurland <vadim@vk.crocodile.org>
* newclusterdialog_q.ui: fixed #1848 Text formatting clean up -
New cluster wizard dialog
2010-11-15 Vadim Kurland <vadim@vk.crocodile.org>
* InetAddr.cpp (InetAddr::opGT): (change in libfwbuilder) added
module uint128 (128-bt arithmetics by Evan Teran). Implemented
basic operations with ipv6 addresses using this module. See #1834.
Now all policy compilers can correctly compare ipv6 addresses used
in rules with ipv6 addresses of interfaces. This helps perform
various optimizations and fixes issues with the algorithm used to
pick the right interface for the Cisco IOS ACL compiled from a
policy rule with an empty "interface" rule element and direction
"both".
2010-11-11 Vadim Kurland <vadim@vk.crocodile.org>
* newClusterDialog_create.cpp (copyRuleSets): Fixed SF bug
#3106168 "Branch destinations lost when adding to cluster". Since
the order in which I copy rule sets is undefined and because they
may have references to each other via branching rules, I need to
fix references after I create all of them.
* configlets/linux24/load_modules: fixed #1844 "generated script
fails if module nf_conntrack_ipv6 does not exist". Generated
script tries to load module nf_conntrack_ipv6 if user defined
any ipv6 rules, however the script should not fail if the module
is not installed.
* src/gui/gui.pro (LIBS): fixed #1840: fixed build on Mandriva
2010, all static libraries should go first on the linker command
line.
2010-11-10 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (processNext): fixed SF bug 3103582 "Cant
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
* OSConfigurator_linux24_interfaces.cpp (printDynamicAddressesConfigurationCommands):
fixed #1838 "function configure_interfaces() does not manage ip
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the corresponding
physical interface, they were not included.
* FirewallInstaller.cpp (getGeneratedFileFullPath): fixed #1837
"generated script gets .fw suffix even when user set output file
name". Suffix .fw should not be appended to the name entered by
the user in the "output file name" input field in the firewall
settings dialog.
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed #1836
"installer hangs and fails after activation of ipfw policy". As
soon as .fw script swapped ipfw sets usig command "ipfw sawp" and
deleted temporary set 1, ssh session would hang and eventually
break. We optionally add ipfw rules to permit ssh session used to
manage the firewall, as well as a rule to permit reply packets but
the latter rule was not built correctly. It should match source
and destination reversed, as well as match keyword "established"
and recreate state with "keep-state". This rule automatically
recreates state for the established ssh session over which
firewall policy is being managed. Also added a comment to the
firewall settings dialog for ipfw to remind the user that address
or subnet they use with this automatic rule should be as narrow as
possible.
* instOptionsDialog.cpp (instOptionsDialog): see #1832 if user
wants to use putty session, show session name instead of the ip
address in the "Address that will be used to communicate with the
firewall" input field in the installer options dialog.
2010-11-09 Vadim Kurland <vadim@netcitadel.com>
* Helper.cpp (Helper::findInterfaceByAddress): see #1834 Fixed
matching algorithm that determins which interface a rule should be
associated with for Cisco IOS ACLs. Previously compiler did not
compare subnets properly and because of that it interpreted some
configurations incorrectly. For example in the case with a network
object 10.0.0.0/8 in "source" and an interface with address
10.0.0.1/24 (network should not be considered matching) compiler
considered this interface matching and assigned the rule to the
interface only with direction "inbound".
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): see #1832
pscp.exe supports putty session in place of the target name but
not if argument "-load session_name" is also present. Plink.exe
does the same. We can not use fwb_session_with_keepalive if user
wants to use putty session.
2010-11-08 Vadim Kurland <vadim@netcitadel.com>
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): See
#1832, SF bug 3097419 "installer uses bare IP address instead of
putty session name". It appears pscp.exe on Windows can use putty
session name in place of the host name. This change restores old
behavior where session name was used like that but does it for
both plink.exe and pscp.exe. This only affects users who run
fwbuilder GUI on Windows
2010-11-05 Roman Bovsunivskiy <a2k0001@gmail.com>
* see #1809 "Add Firewall Setting in Logging settings for default
log setting on new rules". Added a tab "Policy Rule" to the
"Objects" page of the global preferences dialog; checkbox in this
tab allows the user to choose whether new policy rules should be
created with logging turned on or off.
2010-11-04 Roman Bovsunivskiy <a2k0001@gmail.com>
* see #1826 "Please place all unit tests in one directory". All GUI
and other unit tests moved to the directory src/unit_tests
2010-11-03 Roman Bovsunivskiy <a2k0001@gmail.com>
* code refactoring: see #1822 "refactor all GUI classes into
libgui library and link executable with it"
* see #1787 "new fw name input field should have focus when new
firewall wizard opens"
* see #1823 "Add Preference option for Advanced / Power users".
Added checkbox to the Preferences dialog, this checkbox turns off
some tooltips that can be annoying for users who are sufficiently
familiar with the GUI
2010-11-02 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printVerifyInterfacesCommands):
fixed #1824 "should not try to verify wildcard interfaces".
2010-11-01 Vadim Kurland <vadim@netcitadel.com>
* CompilerDriver.cpp (CompilerDriver::getAbsOutputFileName): fixed
SF bug 3090249 "fwb_ipt ignores -d option ". Documented behavior
is for the compiler to create files in the directory specified by
the argument of the "-d" command line flag. If flag "-d" is not
provided, files should be created in the current directory.
2010-10-29 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext):
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI. This could be version-dependent, we may need to revisit this
in the future when netfilter fixes the underlying issue. Some
resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105
* src/res/objects_init.xml.in: added ICMPv6 object "parameter
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that
includes ICMPv6 messages "destination unreachable", "packet too
big", "parameter problem" and "time exceeded" per SF feature
request 3094758
* configlets/linux24/automatic_rules: implemented SF feature
request 3094738 "Set the HL to 255 for IPv6 Neighbor
Discovery". Neighbor discovery packets must have hop limit of 255
per RFC 2461. Automatically generated rules that match neighbor
discovery packets will math hooplimit 255.
* configlets/linux24/update_addresses: fixed SF bug 3091069:
"Routing configuration failed". Iptables script generated by
fwbuilder did not configure broadcast when it added ip addresses
to interfaces. Using "ip addr add ADDR/NM boradcast + dev INTF"
syntax to do this.
* OSConfigurator_bsd.cpp (compare_names): fixed #1807 "wrong order
of address assignment in the generated OpenBSD/PF/CARP cluster
configuration". Need to assign ip addresses to regular interfaces
before trying to assign them to carp interfaces.
* configlets/linux24/load_modules: fixed #1820 "skip module
"nf_conntrack_ipv6" if generated script has no ipv6 rules"
Shell function load_modules should not try to load module
nf_conntrack_ipv6 if generated script does not load any ipv6
rules. Loading this module fails if ipv6 has been disabled in
the kernel.
2010-10-29 Vadim Kurland <vadim@netcitadel.com>
* run_time_wrappers: fix for the SF bug #3095615 "reopen no
PREROUTING rule with *-Interface - ID: 3077132". Configlet used wrong
shell variable to access ip address of a wildcard interface.
* VERSION (FWB_MICRO_VERSION): started 4.1.3
2010-10-07 Vadim Kurland <vadim@vk.crocodile.org>
* configlets/pix_os/installer_commands_reg_user: using command
"terminal width 256" to turn off ANSI commands in the PIX command
echo.
* FindObjectWidget.cpp (showObject): rolled back change done in
r3320 (refs #1790) "When an object is found using Find and the
object is in the object tree, the keyboard focus shifts to the
Object Panel". That change broke highlighting of the found object
in rules.
* refs #336 "Need template for PIX firewall"; added template for
PIX 50X (501 and 506)
2010-10-06 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::showIntroDialog): fixed compile problem
with old Qt (v < 4.5.0).
* FWWindow.cpp (FWWindow::showIntroDialog): See #1765, #1779 Will
show a dialog inviting the user to watch Quick Start Guide on the
web site when they run the GUI for the first few times. The dialog
is shown instead of the Time of the day dialog. Switching to the
tip of the day after 5 starts.
* RoutingCompiler_pix.cpp (emptyRDstOrRItf::processNext): fixed
#1783 "PIX routing entries require interface, but PIX config will
compile without interface in Routing rule". Policy compiler for PIX
now checks that both "interface" and "gateway" rule elements are
not empty.
2010-10-05 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printRunTimeWrappers): fixed SF bug
3077132 "no PREROUTING rule with *-Interface". Rules matching
addresses of a wildcard interface (e.g. "ppp*") were not properly
generated.
* RuleSetView.cpp (updateSelectionSensitiveActions): fixed SF bug
3039681 "context-menu items inconsistent for Single/Multiple
rules". When several rules are selected in rule set, some context
menu itmes should turn to plural.
* FWWindow.cpp (prepareRulesMenu): fixed #1778 "main menu Rules
should have the same items that context RuleSetView menu when no
rules are selected"
2010-10-04 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (showObjectInTree): fixed #1777 "scroll
new fw object to the top of the tree view panel once its created"
This has side effect in that some other operations that open an
object in the tree will also sc roll the tree to position this
object at the top.
* FWBSettings.cpp (setCustomTemplatesEnabled): fixed #1791 "Add
preference flag to enable / disable the Custom templates button on
the New Firewall Wizard". Use of the custom template library
to create new firewall object is now optional, controlled by
a checkbox in the "Object" tab of the gobal preferenes dialog.
New users will have this option turned off by default, however
existing users will see it enabled for backwards compatibility.
* FindObjectWidget.cpp (showObject): fixed #1790 "When an object
is found using Find and the object is in the object tree, the
keyboard focus shifts to the Object Panel". The "find" pabel now
retains keyboard focus after it shows found object in the tree,
this allows the user to just hit Enter on the keyboard to find
the next object.
* FindObjectWidget.cpp (objectDeleted): fixed #1785 "Deleting
graphic icon of object from Find tab should also remove the text
name or label"
* newFirewallDialog.cpp (changed): fixed #1770 Eliminated pause
that happened when user switched from page 0 to page 1 of the new
firewall wizard. Pause was caused by the DNS queries the program
ran trying to determine ip address of the firewall using the name
provided on the first page of the wizard. Now DNS query is
launched only if user wants to create interfaces uses snmp scan.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget): fixed #1772
improved design of the widget used to edit ip addresses and other
attributes of an interface in the new firewall, new host and new
cluster wizards. Removed "MAC Address" imput field and rearranged
other input fields according to the result of usability tests.
* SSHCisco.cpp (SSHCisco): fixed #1784 added Cisco ASA (PIX) error
message "cannot add route entry" to the list of errors that
built-in installer recognizes and marks install process as
"Failure".
* newFirewallDialog.cpp (showPage): fixed #1767 improved UI in the
new firewall and new host dialogs where user chooses file for the
custom template library or uses standard template library.
2010-10-03 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator_create_new.cpp (ObjectManipulator::createNewObject):
fixed #1776 once new firewall is created, automatically open its Policy
* FWWindow.cpp (FWWindow::showIntroDialog): fixed #1765, #1779
Move quick start guide to the web site. The "Quick Start Guide" is
now part of the web site and the GUI only shows a
dialog-invitation to watch it.
2010-10-01 Vadim Kurland <vadim@vk.crocodile.org>
* FWBSettings.cpp (getABTestingGroup): fixed #1763 Implemented
basic facility for A/B testing within the GUI
2010-09-30 Vadim Kurland <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (keyPressEvent): fixed #1755 "hitting enter
after editing search attribute in the Find panel should trigger
search"
* FindObjectWidget.cpp (matchAttr): fixed #1760 'Search by
attribute "name" should search by name or label'.
* FindObjectWidget.cpp (objectInserted): fixed #1757 Allow
searching by attributes even after an object is dropped into the
drop area in search panel.
* newFirewallDialog.cpp (browseTemplate): fixed #1759 "Use default
template library" button seems to do nothing. This button should
only be enabled if user switched to their own library of template
objects. The button should be disabled if they switched back to
the standard template library or never switched to their own one.
* newHostDialog.cpp (finishClicked): fixed #1761 "blank interface
name is possible in new host wizard"
* FWObjectPropertiesFactory.cpp (getInterfaceNameExamplesForHostOS):
fixed #1753 "Set interface name hint based on firewall platform
and host OS". The placeholder text in the interface name and label
input fields in the new firewall wizard will depend on the host OS
chosen in the first page of the wizard.
* utils.cpp (validateName): fixed #1751 "Don't allow interface
names to be blank". The GUI should not allow the name of any
object to be blank.
2010-09-29 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::inspect): fixed #1718 "Inspect
generated files" dialog says "Multiple firewalls" even when there
is only one
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::InterfaceEditorWidget):
added "placeholder" text to the interface name and label input
fields. This text is displayed in greyed-out small font inside
the imput field but is cleared as soon as user starts their input.
The text gives user a prompt as of what is expected in each input
field. The "placeholder" text support is available only in Qt 4.7
and later so the code is conditional on the version of Qt.
* WorkflowIcons.cpp (WorkflowIcons::openTutorial): fixed #1733
"Add button for video tutorial link". Shortcut button "Watch
Getting Started Tutorial" opens page with video tutorials in
the standard browser.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::isValid):
fixed #1746 "Force user to change interface name in New Firewall
wizard". When user creates interfaces for the new firewall or host
using manual method and clicks on the "+" button to add a tab for
the new interface in the wizard page, the interface tab is created
with blank name. Wizard later checks the name when user clicks
Finish to create new firewall or host object and does not let them
do this while interface name is still blank. Error dialog reminds
that the name of the interface must match the name of the
interface on the machine.
* ProjectPanel.cpp (ProjectPanel::updateFirewallName): fixed #1745
"Remove path data from text above rules window that shows firewall
name".
2010-09-28 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator_create_new.cpp (reminderAboutStandardLib):
refs #1748 "Add dialog about Standard Library when user creates
first Service object". First time users will see an informational
dialog reminding them about the Standard objects library when
they create their first service object.
2010-09-27 Vadim Kurland <vadim@vk.crocodile.org>
* src/gui/Tutorial/introduction/html/page0.html: refs #1737 Added
"Quick Start Guide" tutorial that demonstrates basic features and
key concepts of Firewall Builder. The tutorial is accessible
via Help / Tutorials menu and is shown to the first-time user
on the GUI startup instead of the "tip of the day" dialog.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
system folders in the tree now have tooltips that explain what
kind of objects belong there.
* RuleSetView.cpp (showToolTip): Added text to the tooltips shown
for the "Direction" and "Action" rule elements to remind user that
to change these rule parameters they need to click right mouse
button to open list of possible settings
* RuleSetView.cpp (showToolTip): fixed #1744 "Add tooltip to the
rule number". The column in the RuleSetView? where rule number is
shown now has a tooltip to remind the user that they can click
right mouse button to the the context menu and use keyboard
shortcut "x" to compile the rule
* FWBSettings.cpp (init): fixed #1743 "change default for the
option 'Show text descriptions for direction and action'". The
option should be on by default.
* RuleSetView.cpp (showToolTip): fixed #1730 "Add background help
text and images to empty policy window". Showing tooltip in the
empty space in the rule set view, this tooltip provides hints on
how to edit rules which should be useful for the beginners.
2010-09-26 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed #1741 "there is no way to undelete a library object".
* FWCmdMoveObject.cpp (FWCmdMoveObject::notify): fixed #1740
"Deleted library remains in the drop-down list". If option "Show
deleted objects" was turned off in the Preferences dialog and user
deleted a library, it remained in the drop-down list of libraries
and its object tree was still displayed in the object tree panel.
* listOfLibrariesModel.cpp (ListOfLibrariesModel::addStaticItems):
fixed #1728 "Update Library drop down menu". Library drop down
list shows an item "Object libraries:" at the top that can not be
selected and that always stays on top as libraries are added,
removed and renamed. The list always stays sorted in ascending
order. Library names are indented by 2 spaces to make them
visually distinguishable from the prompt item at the
top. Implementation uses class ListOfLibrariesModel that inherits
QStringListModel.
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed #1739 "remove
"tooltip delay" input form preferences dialog". Qt4 does not allow
for changing tooltip delay.
2010-09-24 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (itemDoubleClicked): refs #1731 Change
double-clicking on "Any" object behavior. Double click on "any" in
a rule does not try to open object "any" in the tree and editor
panel.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
refs #1731 Change double-clicking on "Any" object
behavior. Tooltip shown for the object "any" in rules says
"to modify the rule drag and drop an object from the tree here"
instead of atributes of the object "any".
* FWBSettings.cpp (init): fixed #1738 "Enable tooltips by default"
* ObjectManipulator.cpp (editSelectedObject): fixed #1729 "double
clicking a folder in the tree should expand it rather than open it
in the editor".
* ObjectTreeView.cpp (edit): fixed #1732 "Double clicking on
object with child objects should auto expand them". Double
clicking on objects and folders in the tree expands and collapses
them, as well as opens object in the editor.
* ObjectManipulator.cpp (expandObjectInTree): fixed #1715
"automatically expand new firewall and new host objects in the
tree once they are created"
* configlets/linux24/check_utilities: fixed #1714 "make checking
for MODPROBE conditional". There is no need to check if modprobe
utility exists on the firewall machine if it is not used by the
script.
2010-09-22 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::readInstallerOptionsFromFirewallObject):
fixed #1724 . There was a problem with pscp.exe and putty
sessions. Plink.exe accepts session name in place of the host name
on the command line, but pscp.exe does not. We ask user to enter
session name in the "alternative name or address to use to
communicate with the firewall" input field in the "Installer" tab
of the firewall settings dialog and then use it in place of the
host name in the command line for pscp.exe and plink.exe. This
works with plink.exe but breaks pscp.exe which interprets it as a
host name and fails with an error ""ssh_init: Host does not
exist". The fix checks if what user entered in the "alternative
host or address field" is a session name and uses different
command line with pscp.exe
2010-09-20 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (compile): fixed SF bug #3071667
"Compilation segfault with DNS address in NAT rule". Added rule
processors to replace Run-time DNSName and Address Table objects
in TSrc and TDst.
2010-09-16 Vadim Kurland <vadim@vk.crocodile.org>
* SSHSession.cpp: Refs #1699 installation session status was reset
from "failure" to "success" in a configuration where fwbuilder gui
was running on Windows and talked to Cisco router using pscp.exe
and plink.exe and ssh session failed because of authentication
failure. This happened because plink.exe terminated with return
status "success" even in case of authentication failure.
* generatedScriptTestsIpfilter.cpp (GeneratedScriptTest::runCompiler):
unit tests to test manifest and activation commands in the generated
.fw script for ipfilter. Refs #1702
* FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath):
fixed how we append suffix ".fw" to the name of generated script
when it is preconfigured in the firewall settings dialog and already
includes ".fw" suffix (it was added twice).
* CompilerDriver_ipf_run.cpp (CompilerDriver_ipf::run): fixed #1702
"Wrong path in the activation script for ipfilter". Activation command
embedded in the generated .fw script used local path to the generated
.conf file on the machine where fwbuilder compiler was running.
2010-09-14 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (getGeneratedFileFullPath): fixed SF bug
3049665 "Firewall Settings -> Output file name misses .fw
extension"
* CompilerDriver_ipt_policy.cpp (processPolicyRuleSet): fixed
#1707 "call function "prolog_commands" from the main iptables
script part instead of function "script_body" when prolog should
be executed after iptables reset"
* configlets/linux24/script_skeleton (cmd): fixed SF bug 3060325
"Address table object and prolog script conflict". Generated
script should run prolog before checking and loading run-time
address tables.
* NATCompiler_PrintRule.cpp (processNext): fixed SF bug 3057503
"DNAT rule with dynamic IP has a white space, causing error".
* PolicyCompiler_PrintRule.cpp (_printIpSetMatch): fixed #1705
"iptables (v>=1.4.4) "--set option deprecated ..." (SF bug 3059893)
Option "--set" has been deprecated and renamed "--match-set" in
iptales 1.4.4
* CompilerDriver_pf.cpp (printPathForAllTools): fixed SF bug
3061034 "ifconfig definition missing". Script generated for the
ipfw firewall on Mac OS X missed definition of variable IFCONFIG.
2010-09-13 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (addPktTypeMatch), iptables.g: fixed #1703
"importing iptables line with module pkttype causes parser
error". We do not have any object with the behavior closely
resembling that of iptables module "pkttype" so the importer
creates CustomService object with the code taken from the original
iptables rule. SF bug 3065435
* VERSION (FWB_MICRO_VERSION): started 4.1.2
2010-08-20 Vadim Kurland <vadim@fwbuilder.org>
* v4.1.1 released
2010-08-19 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitNATBranchRule::processNext): fixed #1686
"can not generate basic NAT branching rule". NAT branching rules
were not generated in single rule compile mode because compiler
needs information about targets used in the branch rule set rules
to decide which chain the branching rule should be placed in. Now it
will use PREROUTING and POSTROUTING in single compile mode but issue
a warning.
* NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
* NATCompiler_ipt.cpp (localNATRule::processNext): see #1685
"iptables redirecting NAT rules in the OUTPUT chain". This fix
makes it possible to create iptables NAT rule with target REDIRECT
in the OUTPUT chain. The rule should have firewall object in OSrc
and TDst rule elements.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixed #1693
SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't
work". NAT rule using combination of the option "Use SNAT instead
of MASQ", dynamic address of an interface and source port
translation produced iptables command with incorrect syntax.
2010-08-18 Vadim Kurland <vadim@vk.crocodile.org>
* Helper.cpp (list): fixed #1691 , this is a better fix for the
problem reported in the earlier bug (see #1690).
Function Helper::findInterfaceByNetzone() throws FWException, this
changed in v4.1.0 with a fix for #1653.
2010-08-17 Vadim Kurland <vadim@vk.crocodile.org>
* procurveInterfaces.cpp (procurveInterfaces::parseVlan): fixed #1683
class procurveInterfaces interprets interface "DEFAULT_VLAN" as
vlan interface with vlan id 1.
* newFirewallDialog.cpp (newFirewallDialog::finishClicked):
fixed #1683 When user creates new firewall using snmp scan,
fwbuilder will now guess and assign the type to interfaces that
look like vlans for the given platform and host OS.
* safety_net_acl: fixed #1687 "temporary access list commands
syntax is incorrect". Temporary ACL generated for the Procurve
platform was incorrect.
* PolicyCompiler_cisco.cpp (PolicyCompiler_cisco::setAllNetworkZonesToAny):
fixed #1690 "IOS ACL and Procurve ACL compilers fail because
interfaces are not assumed to have network zone "any" anymore".
Compilers for Cisco IOS ACL and Procurve ACL always assumed all
interfaces have network zone "any". Recent changes made in 4.1.0
changed that and compilers stopped working for some rule configurations.
* (PolicyCompiler_cisco::createACLObject): fixed #1688 "Procurve
ACL remarks should be in quotes if they include space"
2010-08-14 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallInstallerProcurve.cpp (FirewallInstallerProcurve::packInstallJobsList):
Policy installer for HP Procurve. Currently only works in line-by-line
mode (no support for scp). Tested with Procurve firmware K14.31 on
ProCurve J9470A Switch 3500-24. Caveat: manager access should not be
configured with user name (that is, no "password manager user-name foo")
* set version to 4.1.1
2010-08-10 Vadim Kurland <vadim@vk.crocodile.org>
* v4.1.0 released
2010-08-08 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator_ops.cpp (ObjectManipulator::actuallyDeleteObject):
fixed #1674 "Crash while using Undo Stack". Operation "Cut" should be
represented by an undo macro object and should appear as one operation
on the undo stack.
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed #1676
"Crash when deleting an interface that has multiple IP addresses
and not all addresses are selected for deletion"
2010-08-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::clearObjects):
fixed crash that happened on Mac if the GUI was started with a
file name as command line argument. The issue was introduced recently
when GUI state update was reimplemented as an event.
2010-08-05 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_events.cpp (event): fixed #1660 "Crash when
cut-and-pasting firewall between libraries". GUI crashed if user
performed the following sequence: cut an object, switch to a
different object library, try to paste using keyboard shortcut
Ctrl-V while library object was selected in the tree.
2010-08-04 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::finalize): fixed #1664 "Policy
import creates firewall object w/o version". This also fixes
crash reported in SF bug #3036934
* pixAdvancedDialog.cpp (pixAdvancedDialog::displayCommands):
fixed SF bug #3038945 "ASA inspect configurations not saved".
Under some circumstances the GUI did not save changes made in the
"Inspectors" tab of the PIX advanced settings dialog into the
object.
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::removeObjectFromHistory):
fixed #1661 "Crash after deleting firewall" a sequence where user deleted
an object and then hit "Back" button caused crash.
2010-08-03 Vadim Kurland <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): fixed SF bug #3038948
"ASA logging severity levels are incremented". Log levels in the
"Logging" tab of the PIX firewall advanced settings were
incremented every time user opened the dialog and then clicked OK.
* PolicyCompiler_PrintRule.cpp (_printIP): fixed SF bug #3038636
@v4.1b, "iptables v1.4.8: unknown option `--ra'". Ipv4options
module has changed in iptables 1.4.3 and now accepts different set
of parameters. Policy compiler generates new parameters if user
set version in the firewall object dialog to "1.4.3 or later".
2010-08-02 Vadim Kurland <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (loadFWObject): fixed #1657 "When no network
zone is defined on the interface, the Interface object editor says
it is "Any" which is a lie"
* configlets/linux24/run_time_address_tables: fixed #1652 "support
for adding single address to address table in the generated
script". Generated iptables script now provides functions
"add_to_address_table", "remove_from_address_table" and
"test_address_table" that let administrator add or remove single
ip address to a given address_table.
* OSConfigurator_linux24.cpp (printRunTimeAddressTablesCode):
fixed #1654 "Support for run-time Address Tables with empty file
in iptables". This is an implementation of the same feature we
already have for PF. If the file name in the configuration of the
run-time Address Table object is blank, policy compiler generates
firewall configuration that uses ipset with the name the same as
the name of the object but does not generate code to load
addresses from a file into it. All control of the ipset is left
for the user.
* Helper.cpp (findInterfaceByNetzone): fixed #1653 "Crash when
compiling a rule for Cisco PIX with incorrect network zone".
2010-07-29 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog_installer.cpp (instDialog::installerSuccess):
fixed #1639 "Add success message to the bottom of the process log
for the installer". Added a message to the installer log to
display installation status.
* stop_action: "stop" action should reset ipv4 iptables
configuration only if firewall object configuration defines any
ipv4 rules. This is how generated script works for ipv6; behavior
for ipv4 and ipv6 should be similar. Fixes SF bug #3036541 "IPV6
only firewall resets ipv4 stack"
* script_skeleton (cmd): added action "block" to the "usage" string
of the generated iptables script
2010-07-28 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkActionInMangleTable::processNext):
fixed SF bug 3034628 "iptables does not allow target REJECT in
mangle table". Iptables does not support target REJECT in mangle
table. Added check to the policy compiler to make it detect this
situation and issue an error.
* FWWindow.cpp (FWWindow::compile): fixed SF bug 3035426 "canceled
save writes .fwb ". The program created file with name ".fwb" if
user started with an empty project paje, created some objects, then
hit "Compile" but then clicked "Cancel" when offered a chance to
save objects into a new data file.
* CompilerDriver.cpp (CompilerDriver::_findImportedRuleSetsRecursively):
fixed #1631 "Process branch rule sets recursively". Policy
compilers used to look only one level deep while processing
branching rules. They should allow for arbitrary nesting and
correctly avoid infinite loops if user creates looped branches.
Compiler issues a warning when it detects looped bracnhing.
This fixes SF bug 3033462 "nested shared branch rules between
servers not working".
* UsageResolver.cpp (UsageResolver::findWhereUsedRecursively):
fixed #1632 "dependencies created by branching rule sets should be
processed recursively". In the case of multi-level branches
the GUI should trace all references to find all firewalls affected
by a change of an object used in the rule.
2010-07-27 Vadim Kurland <vadim@vk.crocodile.org>
* configlets/linux24/block_action: fixed #1640 "default policy
when the script is stopped should be optional". The "stop" command
used to be interpreted by the iptables script generated by
fwbuilder in a way that it blocked all connections going to, from
and through the firewall. Luc Paulin <lpaulin@touchtunes.com>
pointed out that this behavior is incompatible with other firewall
management scripts, such as /etc/rc.d/init.d/iptables on Fedora
Linux or ufw on Ubuntu, where "stop" means disabling the firewall.
In v4.1 the "stop" command flushed all chains in all tables and
sets default policy to ACCEPT. New command "block" does what
"stop" used to do before, that is, flushes all chains in all
tables and sets default policy to "DROP". The option to add
a rule to permit ssh access from the management workstation when
firewall is stopped now adds this rule when firewall script is
run with "block" command instead.
2010-07-26 Vadim Kurland <vadim@vk.crocodile.org>
* configlets/linux24/run_time_address_tables: implemented support
for mixed address lists for run-time address table objects using
ipset module. Normally, one ipset set can either contain
individual ip addresses or subnets. We create a "setlist" type set
that includes two sub-sets, one for ip addresses and the other for
subnets. Function reload_address_table in the configlet
run_time_address_tables takes care of managing these three sets
automatically. Address list file has the same format as for all
other supported types of Address Table object: one address per
line, subnets are defined using '/bitlength' or '/netmask' syntax,
comments start with '#' or ';' character.
2010-07-24 Vadim Kurland <vadim@vk.crocodile.org>
* code cleanup. Removed bunch of warnings and cleaned up some test
cases using small patches from Mike Slifcak slif@bellsouth.net
2010-07-23 Vadim Kurland <vadim@vk.crocodile.org>
* Fixes #1635: included code generated by the configlet
run_time_address_tables into script for all linux-based host
OS (dd-wrt, openwrt, ipcop) even though most of they do not
support ipset at this time. If ipset is not supported because
iptables version is too old or the module is simply not available
for the platform, user can just uncheck the checkbox in the
firewall settings dialog and code generated by the configlet will
support method of loading addresses from the file at run time
based on script variables and a "while" loop.
* script_skeleton: added command line argument "reload_address_table"
that calls function reload_address_table and takes two additional
arguments: set name and file name.
* script_skeleton (cmd): calling functions to check if data files
used by run time address table objects are available before making
any changes to iptables policy. If files are not available, the
script aborts and leaves iptables in the original state. This
fixes #1628 "generated script checks presence of the address table
files after it sets default iptables policy to DROP". fixes #1628
* run_time_address_tables: new configlet that adds shell code to
check if all run time address table data files are present on the
firewall machine and that ipset utility works and can communicate
the the kernel driver. This configlet also defines a function to
reload one ipset with given name and data file name and function
to reload all ipsets used in the generated script. Fixes #1625, #1627
* PolicyCompiler_PrintRule.cpp (PrintRule::normalizeSetName):
fixed #1626 "convert space and other special characters found in
the run time address table object into underscores". The name of
the run-time Address Table object is used for the name of the
ipset module set. Making sure the name is sanitized of the
chanracters considered "special" by shell before it is used.
* check_utilities: fixed #1625, #see 137: added ipset to the list
of command line utilities generated iptables script can
use. Script will check if the utility is present on the firewall
if user requested use of iptables module "set" for run-time
Address Table objects. Also added an input field for ipset in the
advanced settings host OS dialog for Linux to let the user specify
path to ipset if it is not standard.
2010-07-22 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp: added support for iptables module
"set" used to generate iptables command for rules with run-time
AddressTable objects. This module is only available in iptables
1.4.1.1 and later, however some embedded platforms do not have it
even though they ship later versions of iptables (e.g. OpenWRT).
Use of this module is controlled by a checkbox in the iptables
"advanced" settings dialog which is off by default. This checkbox
becomes disabled when iptables version is set to < 1.4.1.1.
* newClusterDialog_create.cpp (newClusterDialog::createNewCluster):
fixed #1622 "Crash when configuring cluster". The GUI used to crash
if user created a cluster copying rules of one of the cluster members
while that rule set was opened in the rule set view.
2010-07-21 Vadim Kurland <vadim@vk.crocodile.org>
* iptadvanceddialog_q.ui: rearranged elements in the tab
"Compiler" of the dialog to make it shorter and wider. Still
needs some work to make it render better.
* InterfaceEditorWidget.ui: set minimum height for the name, label
and few other input fields because they came out squished on Mac.
Fixes #1613.
* FWWindow.cpp (fileNew): fixed #1611 "File/New should create new
project panel". Like #1612, open new data file in a new project
panel if current project panel has no data file associated with it
but has unsaved changes.
* FWWindow.cpp (loadFile): fixed #1612 "File/Open should create
new project panel". If user has some unsaved changes in the
default project panel (the one with no associated file) and then
uses File/Open menu to open another data file, the file should
open in a new project panel.
2010-07-20 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::showEvent): default main window geometry
should be 1000x600, wider than it used to be before. This is to
make object dialogs fit in the main window without squishing.
* routing_functions: added a copy of the routing_functions
configlet to the dd-wrt-nvram and dd-wrt-jjfs because newest
versions of DD-WRT lack mktemp. The original routing_functions
configlet does not use mktemp either, but Gentoo (and possibly
other distros) ship patched version that needs mktemp which breaks
fwbuilder generated script on these versions of DD-WRT. Hopefully
they won't patch the copy of routing_functions configlet.
* StartTipDialog.cpp (StartTipDialog::StartTipDialog): fixed #1603
"Welcome dialog should show full version of the program".
* set version to 4.1.0 and version of the data file format to
"17". Data files need to be upgraded. Upgrade script changes the
version and makes sure Standard objects library is read-only. Some
users may have this library configured read-write in their data
files because of a bug in the early versions of fwbuilder 4.
* We have decided to release this version as 4.1.0 rather than
4.0.2. "4.0.2" will remain our internal testing version
designation.
2010-07-19 Roman Bovsunivskiy <a2k0001@gmail.com>
* DiscoveryDruid_q.ui, newclusterdialog_q.ui, newfirewalldialog_q.ui:
Set up default buttons in dialogs
* DiscoveryDruid_q.ui, DiscoveryDruid.cpp, Importer.cpp: Added firewall
name input field.
* InterfaceEditorWidget.cpp: Button "Add address" now changes text
to "Add anoter address" when there is at least one address in current
interface.
2010-07-19 Vadim Kurland <vadim@vk.crocodile.org>
* objects_init.xml.in: fixed bug #3031721 "Qt has caught an
exception thrown from an event handler." The "Standard" objects
library was made read-write in one of the earlier builds
2010-07-17 Vadim Kurland <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed #1597
import method "import configuration of a firewall" is disabled on
the first page of the discovery druid
2010-07-15 Vadim Kurland <vadim@vk.crocodile.org>
* newFirewallDialog_from_template.cpp (newFirewallDialog::replaceReferencesToNetworks):
fixed #1582 'tree is not refreshed after address substitutions in
"new firewall" wizard'
2010-07-14 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs):
fixed #1571 "Installer does not work if firewall object name
contains spaces". Installer should use escaping to make sure
file name with a space is correctly interpreted by the script
it runs on the firewall.
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
fixed #1544 "fwbuilder crashes during import of file with rtf
formatting data". The fix should prevent crashes in other cases
when import was unsuccessful.
2010-07-13 Roman Bovsunivskiy <a2k0001@gmail.com>
* instdialogoptions_q.ui: Added "Cancell All" button to stop all
firewalls installations, renamed OK button to "Install"
* instDialog_ui_opts.cpp (instDialog::getInstOptions): added support
for "Cancel All" dialog result code.
2010-07-12 Roman Bovsunivskiy <a2k0001@gmail.com>
* instDialog_ui_opts.cpp (intDialog::fillCompileSelectList): fixed
wrong display of non-ascii symbols in cluster member compilation
warning.
* newFirewallDialog.cpp (newFirewallDialog::showPage): firewall names
are now resolved to IP address. Added new input element for firewall
IP address to use for SNMP interface discovery.
2010-07-11 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::packSSHArgs): fixed
bug 3027284: "redux settings for scp/ssh to respond to line
failure". The solution for bug 3020381 used to force ssh and scp
commands to use the parameters ServerAliveInterval and
ConnectTimeout to activate and configure ssh keepalive protocol.
These command line parameters were enforced and added to the input
fields where user enters the path to ssh and scp utilities on the
machine where fwbuilder GUI is running. This was confusing and
poor GUI design as the program was changing fields that were
supposed to be user-editable. This fix adds an input field for the
timeout value in seconds to the "Installer" tab of the global
preferences dialog. The program does not change strings entered by
the user for ssh and scp path anymore. The same timeout value is
used to set up ServerAliveInterval parameter for ssh,
ConnectTimeout parameter for scp and registry entries required by
plink and pscp on Windows.
2010-07-10 Vadim Kurland <vadim@vk.crocodile.org>
* Importer.cpp (Importer::getFirewallObject): fixed bug #3027272:
"default values taken from unexpected sources". When new firewall
object was created using "Import Policy" function, parts of its
configuration were taken from default settings of an unexpected
host OS.
2010-07-09 Roman Bovsunivskiy <a2k0001@gmail.com>
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): fixed
crash when clicking finish after getting error about wrong IP
address or netmask
* FirewallCodeViewer.cpp (FirewallCodeViewer::fileSelected): now
when viewing again file that was viewed before scroll position is
same as user left it.
* instDialog_q.ui: renames "All" button to "Select all" and "None"
to "Select none"
* instDialog.cpp (instDialog::show): hide "Select all" and "Select none"
buttons when there is only one firewall in list
* instDialog.cpp (instDialog::showPage): next button on inspect page
is now not enabled if dialog called for compile only
2010-07-05 Roman Bovsunivskiy <a2k0001@gmail.com>
* instDialog.cpp (instDialog::findFirewalls): sorting of filewall
and cluster items in compile/install dialog is now case insensitive.
* ProjectPanel.cpp (ProjectPanel::inspectAll)
* ObjectManipulator.cpp (ObjectManipulator::inspet): inspect is now
working with cluster objects.
2010-07-03 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::restoreCollapsedGroups): fixed
SourceForge bug 3020761 "printing from command line causes
Segmentation fault". Fixes #1533
2010-06-28 Vadim Kurland <vadim@vk.crocodile.org>
* utils.cpp (parseCommandLine): See #1542 since now user can enter
differet command line parameters together with the path to ssh and
scp clients in the global Preferences dialog, we need to parse
these properly. This is especially important if file paths or
arguments contain white space characters. Unit tests are in
src/gui/unit_tests/parseCommandLineTest
2010-06-26 Vadim Kurland <vadim@vk.crocodile.org>
* installer_commands_reg_user: all instllation commands should be
on the single line in the configlet so they are sent to the
firewall as one line. When these commands were on separate lines,
linefeed characters between them appeared on the standard input of
command "sudo -S" and broke installation process. This only
happened in my tests when I ran GUI installer on windows and
looked like some sort of a race. When all commands are on the one
line the problem disappeared. Changed only configlets that used
sudo as part of installation script.
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):
do not verify network zones of unprotected interfaces. Compiler
does not allow the same obejct to be used as network zone of two
different interfaces, which caused problems when a vlan parent
interface has zone "Any". Vlan parent interface can not have ACLs
attached to it and does not need any meaningful network zone, so
"Any" is reasonable fill-in choice. However it coinsides with network
zone of the "outside" interface which triggered this check.
* SSHUnx.cpp (SSHUnx::stateMachine): SF bug 3020381: "Line failure
should abort remote firewall install". If network connection is
lost during firewall policy activation, policy installer should
detect this, disconnect and declare installation session a
failure. Prior to v4.0.2, installer detected network failures
during policy copy (done with scp) or when it could not connect to
the firewall at all, but hang if connection was lost in the middle
of ssh session used to activate firewall policy. Now using ssh
parameter "ServerAliveInterval" to make it detect connection
failure. This does not work with plink.exe on Windows which does
not support these command line options. Still looking for a
solution.
* FWBSettings.cpp (FWBSettings::init): automatically adding ssh
parameters "-o ServerAliveInterval=2 -o ServerAliveCountMax=15" and
scp parameter "-o ConnectTimeout=30" to the path to ssh and scp in
the global preferecnes dialog, tab "Installer" to activate ssh
keepalive. This way, user can change values if they need
to. Default values define 30 sec timeout which should be rather
conservative. On windows automatically configuring plink.exe and
pscp.exe to load parameters of putty session "fwb_session_with_keepalive"
that turns keepalives on.
2010-06-25 Roman Bovsunivskiy <a2k0001@gmail.com>
* FirewallCodeViewer.cpp (FirewallCodeViewer::FirewallCodeViewer):
See #1346. Mostly completed implementation of the viewer panel
that can be used to inspect generated firewall configuration files
from within the GUI. The panel can be opened using a button in the
mini-toolbar above firewall rules or as a page in the compile and
install wizard.
2010-06-24 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24::printVirtualAddressesForNatCommands:
fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface
addresses". Iptables script generated by fwbuilder used to include
commands to configure virtual ip addresses for NAT only if option
"configure interfaces" was turned on. Expected behavior is to
generate these commands when option "Add virtual addresses for
NAT" is turned on regardless of the setting of the option
"configure interfaces".
2010-06-22 Roman Bovsunivskiy <a2k0001@gmail.com>
* fixed #1526 "Make sure GUI unit tests work in the environment
where user turned off tip of the day dialog". Unit tests now use
alternative settings file with all default values and do not
depend on user's preferences.
2010-06-18 Roman Bovsunivskiy <a2k0001@gmail.com>
* fixed #1520 ("Comment field display clips comment text"
2010-06-17 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 muticast ff00::/8 in destination did not produce correspondign
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
2010-06-17 Roman Bovsunivskiy <a2k0001@gmail.com>
* RuleSetView.cpp: fixed SF bug 3016680 "Vertical scrollbar issue"
rules with a lot of objects did not scroll properly vertically.
* fixed #1493 "workflow icons in the big empty space". The GUI
shows big buttons in the empty space in the right hand side of the
main window when no firewall policy is not opened yet. These buttons
provide simple shortcuts to the workflow functions useful for the
novice users. Currently this includes "Create new firewall",
"Import configuration of existing firewall" and "Watch Getting
Started Tutorial".
* fixed #1521 "GUI crashes upon exit on CentOS 5". This fixes
SourceForge bug reports 3016482 "segfault with RHEL5 pre-built
packages on CentOS 5.5" and 3015979 "fwbuilder not exiting in
centos 5.5"
2010-06-16 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug 3017084
"compiler adds extra quote characters to log-prefix string".
2010-06-15 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporterRun.cpp (IPTImporter::run): policy importer for
iptables replaces --sport and --dport parameters of module
multiport with --source-ports and --destination-ports to remove
grammar ambiguity that arises from the use of the same parameters
--sport and --dport by different iptables modules with different
argument syntax.
* iptables.g (match_iprange_src): Fixed SF bug 3016779: Policy
importer for iptables should understand module iprange
* FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug 3016720
"import policy disabled after file close". Menu items "File/Import
Library" and "File/Import policy" became disabled after user
closed data file using "File/Close" and never became enabled
again.
2010-06-14 Roman Bovsunivskiy <a2k0001@gmail.com>
* FWBSettings.cpp (FWBSettings::init): fixed #1504 Added (optional)
text to the toolbar buttons. Text is turned on by default but
can be turned off in the global Preferences dialog.
* Preferences.cpp: fixed #1505 move "Clip comments in rules"
checkbox to "Appearance" tab.
2010-06-14 Vadim Kurland <vadim@vk.crocodile.org>
* release_notes_4.0.2.html: Added release notes for v4.0.2 to
the package. fixes #1515
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug
3015641 "imported REJECT rule changed during compile". Importer of
iptables rules did not handle properly parameters of the REJECT
target.
2010-06-12 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1516
policy importer for iptables should not use automatic ESTABLISHED
rule. (See also SF bug 3012953). Policy importer for iptables
always creates explicit rule to match ESTABLISHED,RELATED to make
sure it goes into the same chain as the original rule. Also in the
same fix, importer creates branch for iptables rules that match
both regular service and state ESTABLISHED,RELATED. The service is
matched in the main policy rule set, while ESTABLISHED,RELATED
state is matched in the branch.
* GroupObjectDialog.h (class GroupObjectDialog): fixed #1499
"GroupObjectDialogTest.cpp does not compile with gcc 3.4.6" and SF
bug 3015307. There is no reason to make method insertObject()
protected which caused problems (and hacky workaround) in the unit
test.
* IPTImporter.cpp (IPTImporter::finalize): fixed SF bug #3015305
"compile error XML validity ". The problem was introduced with a
change that made policy importer cabaple of reproducing default
policies of main chains.
2010-06-11 Vadim Kurland <vadim@vk.crocodile.org>
* fixed SF bug #3013743 "UI build warnings"
* longtextdialog_q.ui, objconflictresolutiondialog_q.ui: fixed
SF bug #3013735 "invalid pixmap properties during make". Fixed
uic warnings.
* IPServiceDialogTest.cpp (IPServiceDialogTest::testIpOptions):
fixed SF bug #3013855 "various fixes for run_tests". Applied
patch suggested by Michael J. Slifcak (with changes).
* DiscoveryDruid.cpp (DiscoveryDruid::browseForImport): fixed SF
bug #3013532 "file chooser dialog for import policy does not show
all files".
* IPTImporter.cpp (IPTImporter::finalize): fixed #1513 iptables
importer should check default policy in standard chains. Importer
creates rules at the bottom of the policy rule set to reproduce
default policies in the built-in chains INPUT,OUTPUT,FORWARD.
These rules are added only when default policy in these chains is
set to ACCEPT because generated iptables script always sets
default policies to DROP. Support for this in the mangle table is
limited so far, only default policies in PREROUTING, OUTPUT and
POSTROUTING can be implemented. Rules created for the commands
that set default policy in chains FORWARD and INPUT will generate
commands in PREROUTING chain instead. We will try to address this
in the future if there is sufficient demand.
2010-06-08 Vadim Kurland <vadim@vk.crocodile.org>
* applied patch from slif@bellsouth.net to fix compiler
warnings. Patch applied partially since not all fixes were
appropriate. fixes #1510
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1512 SF
bug 3012953: iptables importer sometimes does not recognize rule
with " ESTABLISHED,RELATED ". Parser properly processed iptables
rules with state "RELATED,ESTABLISHED" but not when states were
in the opposite order.
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables can now parse numerical log levels.
* Importer.cpp (Importer::getUDPService): fixed sourceforge bug
3012953 name of UDP and TCP objects created during import should
follow the same pattern and not include "0-0" for the source ports
if they are equal to zero.
* IPTImporter.cpp (IPTImporter::IPTImporter): fixed #1511, SF bug 3012953:
iptables import parse error icmp_type any
2010-06-07 Vadim Kurland <vadim@vk.crocodile.org>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):
fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler
should check validity of the object used as network zone of an interface.
* FWBSettings.cpp (FWBSettings::init): fixed #1501 call qsrand(seed)
to seed random generator before generating new UUID
* TransferDevice.h (fwtransfer): fixed #1490 compile problem with
Qt 4.7
* FWWindow.cpp (FWWindow::prepareRulesMenu): fixed #1489 removed
unnecessary debugging messages.
* interfaceProperties.cpp (interfaceProperties::manageIpAddresses):
fixed #1506 SF bug #3011516: generated iptables script tries to
update ip addresses of unnumbered interface.
* v4.0.2 started
2010-06-06 vadim <vadim@vk.crocodile.org>
* FWBSettings.cpp (FWBSettings::FWBSettings): using separate
settings object and file in the .ini format to store instance uuid
to ensure uuid persistence on windows across upgrades done with
complete deinstall. Fixes #1497
* UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user
workflow progress flags for an attempted install and first
successful install. Both flags are boolean true/false indicating
that the even occurred. We do not track and do not report any
information about the firewall, platform, rules etc. These flags
will be used to determine how many users abandon the program
before even trying to run install for real because it is too
complicated or the UI is not good enough. Fixes #1495
* UserWorkflow.cpp (UserWorkflow::flagsToQueryString): added user
workflow flag indicating that ssh/scp have been configured in the
Prefereces dialog. The flag is boolean and registers only the fact
that something was entered in ssh and scp fields. Actual path and
programs used are not registered and reported. Fixes #1496
2010-06-03 vadim <vadim@vk.crocodile.org>
* v4.0.1 released
2010-06-02 vadim <vadim@vk.crocodile.org>
* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules):
change in libfwbuilder: fixed #1485 "dns name object is recognized
as an empty group when it appears in shared rule set"
2010-06-02 yalovoy <yalovoy@gmail.com>
* fixes #1484 "paste below" function pastes rules out of order
1) copy 2 complete rules
2) go to a(nother) policy
3) right click on rule 0, say "paste rules below"
=> BUG: the two rules from the buffer become rules 0+2, the original
rule 0 becomes rule 1
The original should stay rule 0, the two from buffer become 1+2
Affected files: FWCmdRule.cpp, FWCmdRule.h, RuleSetView.cpp
2010-06-01 vadim <vadim@vk.crocodile.org>
* Help.cpp (Help::downloadComplete): fixed #1482 Class Help should
open window only after successful download
* ObjConflictResolutionDialog.cpp (ObjConflictResolutionDialog::run):
refs #1483 If program detects change in CustomService object and
the change just adds code string for a platform that was not
in the object in the user's data file, the change is accepted without
showing the dialog.
* ../src/res/objects_init.xml.in: fixed #1483 "missing code in the
custom service object ESTABLISHED for ProCurve"
2010-05-31 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::checkForUpgrade): added mechanism for
one-time announcements that can be pulled from the web site
when version check server says there is one. Announcement is
shown only once. To do this, I store time stamp when it was shown
in settings using hash of the announcement url.
* Help.cpp (Help::setSource): made class Help capable of
downloading contents via HTTP.
* FirewallDialog.cpp (FirewallDialog::fillVersion): fixed #1481
when user changes platform in the firewall object, its version
should change too.
2010-05-28 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::editSelectedObject):
see #1447 Reverting change done for ticket #1447 in r2892 and
r2896 because of the user complaints. It appears to be more
convenient if Policy, NAT and Routing objects open in the rule set
view on double click but not in the editor. Second double clik
opens these objects in the editor.
2010-05-25 vadim <vadim@vk.crocodile.org>
* configure.in (CPPUNIT_LIBS): fixed #1478 always use included
antlr run-time library. Because of the fixes I've made in
CircularQueue?.hpp in 2008 for 64 bit systems, we should always
link with antlr run-time that is included with fwbuilder code tree
rather than attempt to use the one that might be installed with
the OS.
2010-05-24 vadim <vadim@vk.crocodile.org>
* UserWorkflow.cpp (UserWorkflow::report): see #1466 Implemented
instrumentation that should help us improve user experience. Will
track few things that new users do (or don't do) and report as a
combination of boolean flags at the end of the GUI
session. Reporting things such as if user ever looked at the
"Getting Started" tutorial, if they created their first firewall
object, modified any rules, tried to compile, install or import
existing rule set. Information passed in the report is strictly a
set of boolean flags, it is not identifiable and does not reveal
what firewall platform they are using or anything about their
objects and rules. List of flags is listed in the module UserWorkflow.h
2010-05-23 vadim <vadim@vk.crocodile.org>
* FWCmdAddObject.cpp (FWCmdAddObject::redo): fixed #1468 Open new
object in the editor after it has been created.
* applied patch by Vadim Jukov <persgray@gmail.com>, maintainer of
OpenBSD port. Patch fixes compile issues on OpenBSD
2010-05-22 yalovoy <yalovoy@gmail.com>
* fixes #1463 Always show branch rule set name with action "Branch"
affected files: RuleSetView.cpp, RuleSetViewDelegate.cpp, RuleSetViewDelegate.h
* fixes #1469 some actions should always display argument, even when text labels for actions and directions is off
affected files: RuleSetViewDelegate.cpp
2010-05-21 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject):
fixes #1467: "rule options dialog shows iptables parameters for
procurve_acl"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixes #1457 "tooltips for rule options seem to be broken". Tooltip
always includes the line telling of the rule is "stateful" or
"stateless", the function almost never returns empty string now.
Added missing hashlimit parameters to the rule options
tooltip. Some of the more rarely used hashlimit parameters are
still not included in the tooltip. Improved tooltip formatting
using html table.
2010-05-20 vadim <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::addRule): fixed #1461 Need
obvious button to add new rule to the empty rule set
* instDialog.cpp (instDialog::show): fixed #1462 "if you do a bulk
install, and then want to do a single install, bulk mode is
selected"
* ActionsDialog.cpp (ActionsDialog::setRule): fixed #1464
SourceForge bug 3004274: "Branch rule set object displays
improperly". Branch rule set attribute was not loaded properly
into Branch action dialog for rules of PF firewalls.
2010-05-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
restored function of the "comment the code" in the "Script
options" of the firewall settings dialog for Cisco IOS ACL and
ProCurve ACL. When this checkbox is off, comments are not
added to generated script.
* RuleSetViewDelegate.cpp (RuleSetViewDelegate::paintOptions):
fixed #1460 "when "show icons in rules" is turned off, there is no
way to tell when logging is turned on and non-default options are
present in a rule".
* fixed #1339 "Logging" icon appears looking the same as "Rule
options" icon on Mac
2010-05-15 Vadim Kurland <vadim@vk.crocodile.org>
* linux24Interfaces.cpp (linux24Interfaces::basicValidateInterfaceName):
fixed #1458 Should permit interface name "br-lan" for bridge interface
on Linux. Bridge interfaces on Linux can have any name, including those
with "-". OpenWRT creates bridge interface with the name "br-lan" by
default.
2010-05-14 Vadim Kurland <vadim@vk.crocodile.org>
* update_addresses: fixed #1455 Function update_addresses() (host
OS linux24 and derivatives) uses both ip and ifconfig. Should stick
with /sbin/ip so the script works on systems where ifconfig is
not installed.
2010-05-13 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectDropArea.cpp (FWObjectDropArea::editObject): fixed #1452
double click on a rule set in the branch action dialog should open
it in rule set view
* iptables.g (MATCH_RECENT_SET): see #1451 "policy importer should
support some popular iptables modules". Added support for module
"recent" and rules that match standard ip/icmp/udp/tcp protocols
and at the same time module "mark", "length", "limit" or "recent".
Rules like these are translated into a combination of a branching
rule and additional rule in a branch rule set that implements
module match.
* iptables.g (multiport_tcp_udp_port_spec): fixes #1453 "iptables
importer should parse multiport module parameter --ports". Module
multuport with parameter "--ports" matches either source or
destination port numbers. Importer creates two tcp (or udp)
service objects to implement this match.
* IPTImporter.cpp (IPTImporter::addSrv): See #1450, SourceForge
ticket 3000809: iptables parser can now import "mark" module
matches with hexadecimal parameters and "length" module
matches. Also added check in the importer for broken iptables-save
files where rules for any table are not terminated with "COMMIT".
2010-05-12 vadim <vadim@vk.crocodile.org>
* configlets/procurve/installer_commands_pre_config: commands
for the installer for ProCurve
* instDialog.cpp (instDialog::isCiscoFamily): Using the same
built-in installer for Cisco and for ProCurve.
* procurveaclAdvancedDialog.cpp (procurveaclAdvancedDialog::procurveaclAdvancedDialog):
fixed #1449 options for ACL remarks and comments for ProCurve
* PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd):
generated commands that attach acl to a regular inetrface needed
newline after "exit".
* configlets/procurve/safety_net_acl: generating different
commands in "Safety net" install mode depending on whether
management interface is vlan or not.
2010-05-11 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulatorTest.cpp (ObjectManipulatorTest::editSelectedObject):
see #1447 fixed unit test for this change
* ../src/res/configlets/dd-wrt-jffs/installer_commands_root:
fixes #1448 "need to commit nvram changes on DD-WRT".
* ObjectManipulator.cpp (ObjectManipulator::editSelectedObject):
fixes #1447: context menu item "Edit" associated with rule set
object in the tree opens it in the rule set view and the editor
panel. Menu item "Open" only opens it in the rule set view. This
eliminates strange behavior where it would open in the rule set
view on first click on "Edit" and then in the editor in the second
click on "Edit". Double click used to work the same, the first
double click opened in rule set view, the second in the
editor. Now double click always opens in rule set view and the
editor which is more consistent with the behavior for other object
types.
* PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd):
ProCurve uses different syntax for vlan ACLs and ACLs bound to
switch ports. Enabled "advanced interface settings" dialog for
ProCurve interfaces.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): button
"Advanced interface settings" is controlled by element
<supports_advanced_interface_options> in the host OS xml resource
file. Before, it was controlled by the element
<supports_subinterfaces>. I need this button and associated dialog
for vlan interfaces on ProCurves, where vlan interfaces are not
subinterfaces.
2010-05-10 vadim <vadim@vk.crocodile.org>
* CompilerDriver_procurve_acl_run.cpp (CompilerDriver_procurve_acl::run):
See #1442 Support for HP ProCurve. Added experimental support for
HP ProCurve "intelligent" switches (L3). Code is based on the policy
compiler for Cisco IOS extended access lists. Differences include
';' character for comments, different naming convention for Vlan
interfaces ("VLAN 2", with a space), requirement to unbind an ACL
from interface before it can be cleared.
* CompilerDriver_iosacl.cpp (CompilerDriver_iosacl::safetyNetInstall):
using configlet "safety_net" to add temporary ACL for the "safety
net" install method.
2010-05-05 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_events.cpp (ProjectPanel::event): fixed #1443
GUI crashes compiling file opened read-only. If a file that was
added to RCS was opened read-only and then any firewall object
in it compiled, the GUI crashed trying to update "last_compiled"
timestamp.
* ssh_wrappers.cpp: fixed #1444 compile error on FreeBSD-Current
Compiler issues error "/usr/include/utmp.h:2:2: error: #error
<utmp.h> has been replaced by <utmpx.> h>"
* started work on v4.0.1. VERSION set to 4.0.1 in libfwbuilder and
fwbuilder
2010-05-04 Vadim Kurland <vadim@vk.crocodile.org>
* v 4.0.0 released
2010-05-02 Vadim Kurland <vadim@vk.crocodile.org>
* Helper.cpp (Helper::findInterfaceByNetzone): fixed #1439 "ssh
access rule uses wrong interface in the generated PIX config"
* instDialog_ui_ops.cpp (instDialog::opError): fixed #1438
"installer crashes when user interrupts install to PIX". This only
affected installs to PIX cluster and only if user decided to
interrupt the process.
2010-05-01 vadim <vadim@vk.crocodile.org>
* new_object.cpp (_modObject): fixed #1437: fwbedit should support
object type Cluster.
* fwbedit.cpp (usage): fixed #1435: typo in fwbedit "usage" text
* new_object.cpp (_modObject): fixed #1434 "fwbedit modify comment
operation expects an attribute"
* instDialog.cpp (instDialog::show): fixes #1433 "batch install"
checkbox should be enabled even when when there is only one
cluster in the list of objects to compile and install.
* CompilerDriver_ipt_policy.cpp (CompilerDriver_ipt::processPolicyRuleSet):
fixes #1432 "automatic rule with --restore-mark is missing if
rules using action Tag are not in the default Policy rule set".
2010-05-01 yalovoy <yalovoy@gmail.com>
* RuleSetView.cpp: fixes #1431 GUI crash adding rules to rule group
2010-05-01 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
fixed #1411 outbound rule that permits VRRP should be added
outside the loop to avoid duplicate rules for clusters with 3 or
more members.
2010-04-29 Vadim Kurland <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::terminate): see #1426, #1428
QProcess sends signal "finished()" during event processing on
windows, added checks for that.
* instDialog.cpp (instDialog::mainLoopInstall): disabling and
enabling "stop" button in the compile/install dialog appropriately
2010-04-28 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::show): fixes #1429 "Finish" button
is activated during compile. Also added unit test for this.
2010-04-27 vadim <vadim@vk.crocodile.org>
* CompilerDriver_ipt.cpp (CompilerDriver_ipt::dumpScript): fixes #1425
"iptables script generated for the empty rule set is broken". Compiler
generated empty shell function for empty Policy rule set. It should
always include at least automatic rules.
* SSHSession.cpp (SSHSession::terminate): see #1426, #1428 use
QProcess::waitForFinished() instead of just sleep() after we send
TERM signal to the background process. Also let Qt process events
to update the GUI while waiting.
* instDialog_installer.cpp (instDialog::stopInstall): fixed #1428
button "Stop" in the installer dialog does not stop installer
process
* SSHSession.cpp (terminate): fixes #1426 "segfault when cancel
while installing" (SF bug 2990333). No need to process events in
terminate(); instead, using QProcess::waitForFinished() to give
QProcess object opportunity to call this signal if user hit Cancel
at just right time when background process has finished but
QProcess has not noticed this yet. This situation caused crash
reported in the SF bug. This problem appears to be specific to
some versions of Qt. It does not happen with Qt 4.5.0 or Qt 4.6.2
but happens with 4.5.3.
* instDialog_ui_ops.cpp (addToLog): working on #1426 "segfault
when cancel while installing". SF bug 2990333. Processing of large
chunks of compile or installer output took long time, especially
scanning for errors and warnings which involves RegEx
match. Splitting the buffer onto individual QString lines and
matching each line against all error and warning pattern regexes
made it much faster. Also do not call qApp->processEvents() from
addtoLog() to avoid recursive call.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):
see #1417 (SF bug 2992177) rule with greater limit module rate
value shadows rule with lower rate value. Comments in the code
explain why.
2010-04-26 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):
additional fix for #1417 (SF bug 2992177): compiler should compare
limit rate value and other parameters set for modules limit,
connlimit and hashlimit while deciding if rules shadow each other.
2010-04-24 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):
fixes #1417 rule shadowing detection should recognize different
rule options. Policy compiler for iptables takes into account
rule options for modules limit, connlimit and hashlimit when it
considers rules for rule shadowing.
* instDialog.cpp (instDialog::show): fixed #1419: clear progress
log display when instDialog is opened
2010-04-23 vadim <vadim@vk.crocodile.org>
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
fixed #1415 "action branch that creates branch in mangle table
should branch in FORWARD chain". Rule with "any" in src and dst
and action Branch with option "branch in mangle table" will go
into FORWARD chain in addition to the PREROUTING and POSTROUTING
chains as before. Note that choice of PREROUTING or POSTROUTING
chains depends on direction.
2010-04-23 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::show): fixed #1418 "install
checkboxes disappear from the compile/install dialog". This was a
regression introduced when we fixed #547 ("User can open multiple
compile/install dialogs")
* instDialog_ui_ops.cpp (instDialog::checkIfNeedToCompile): see #1418
Simplified algorithm that decides whether compile and install checkboxes
should be turned on in the install/compile dialog. Now always using
Firewall::needsCompile() and Firewall::needsInstall(), which check
"last_modified", "last_compiled" and "last_installed" timestamps.
Before this change, the dialog also tried to take into account how
the dialog was started, using main toolbar or menu or context menu
or local toolbar. This was confusing and hard to test.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTarget): fixes #1416
leading blank space in front of the custom action is missing.
SF bug 2991397.
2010-04-22 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (VerifyRules::processNext): see #1401. Because
of the change in the nat and rdr rules syntax in 4.7, I can no
longer implement no-nat rules correctly for this version. They
dropped the "no" keyword and their examples suggest using "pass"
to implement exclusions for the nat rules. I need no-nat rule to
just not translate but not make a decision whether the packet
should be passed or dropped. In the new PF model, translation
rules are just options on the matching policy rules and they do
not offer any keyword or option to not translate.
* NATCompiler_pf_writers.cpp (PrintRule::processNext): fixes #1401
nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes #1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
2010-04-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
fixes #1411 "automatic rules for the HA protocol should match
source IP". Rules added for heartbeat in unicast mode already
matched source IP, this change makes rules added for VRRP, OpenAIS
and heartbeat in muticast mode also match source address.
* configlets/ipf/script_skeleton: fixed #1409, SF bug 2985886.
Depending on the combination of the activated options, shell
functions in the generated launcher script could have no body,
which is a syntax error in bash.
2010-04-09 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt.cpp (RoutingCompiler_ipt::epilog): fixed #1404
call to function restore_script_output in the generated iptables
script is sometimes added without function definition
* NATCompiler_pf.cpp (ReplaceFirewallObjectsODst::processNext):
fixes #1397 PF compiler fix: destination nat rule with fw object
in ODst should skip "on intf"
* NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1403
refs #1150 "Using ip address of wrong interface" is broken in v4.0.
This effectively rolls back change r2437. With no "Interface" column
in the NAT rules, it is difficult to build rules with arbitrary
"-o" clause using address for SNAT that does not match interface
of the firewall, or especially rules with address for SNAT that does
match some inetrface but with another interface in "-o". Keeping old
documented behavior where object in TSrc dictated this. If the object
was a child of the firewall (an interface or address), then the rule
was attached to the interface using "-o". If the object is not a child
of the firewall, then the rule is attached to all interfaces using
"-o eth+" but skips unnumbered interfaces. Column "interface" should
be added to the NAT rules in the future to avoid these complications.
* ProjectPanel_state_ops.cpp (ProjectPanel::saveState): fixed #1402
GUI crashes on exit when no rules are opened in the ruleset panel view
* ObjectTreeViewItem.cpp (ObjectTreeViewItem::data): fixed #1398
bold font and "*" in the tree indicate firewalls that require
installation but should indicate those that require recompile
2010-04-08 Vadim Kurland <vadim@vk.crocodile.org>
* interfacePropertiesObjectFactory.cpp: fixed #1396, SF bug 2984193
Vlan error when OpenWrt is selected as host
2010-04-08 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::copyFailoverInterface):
see #1394 there is no need to add a copy of member interface objects
to the cluster anymore.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface):
fixes #1394 Using existing virtual functions that expand multiple
addresses to expand cluster interfaces. Added parameter bool
expand_cluster_interfaces_fully to _expand_addr,
_expand_addr_recursive and _expand_interface. Now expanding
cluster interface in the Compiler::_expand_interface instead of
PolicyCompiler_ipt::_expand_interface. Now it is possible to
use interface of another cluster in rules (interface of a cluster
object different from the one being compiled).
* ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTest):
fixed #1395 "routing rules are not reported properly while
exporting library"
* configlets/linux24/update_addresses: fixed #1391 "function
getaddr_internal does not work with point-to-point interfaces".
In fact, fwbuilder v3 and v4 can not manage ip addresses of
point-to-point interfaces. This fix makes generated script skip
such interfaces and do not try to add, remove or change their ip
addresses. Proper support for address management of point-to-point
interfaces will be added in the future versions of the program.
2010-04-07 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): see #1390 'update
iptables importer to recognize rules with "-i intf -o intf"'
2010-04-01 vadim <vadim@vk.crocodile.org>
* src/res/os/dd-wrt-nvram.xml: Added direct support for DD-WRT
in two modes: nvram and jffs
2010-04-01 Vadim Kurland <vadim@vk.crocodile.org>
* AddressRangeDialogTest.cpp (AddressRangeDialogTest::initTestCase):
fixed #1366 - fixed unit test for AddressRangeDialog class
2010-03-29 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_iosacl_writers.cpp (PrintRule::_printRItf):
fixed #1379 "Should be able to build routing rules with interface
as gateway for IOS". Routing rules for IOS now have column
"Interface". Rules can be built either with explicit address of
the gateway or interface.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed #1375
Interface group is not expanded in "Interface" rule element by
compiler for PF
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectProperties):
fixed #1371 "interface properties look ugly when interface is a
member of a group".
2010-03-28 Vadim Kurland <vadim@vk.crocodile.org>
* generatedScriptTestsLinux.cpp (GeneratedScriptTest::CheckUtilitiesTest):
See #1370. This is a place for the future compiler unit tests. In
the future we are going to migrate tests from test/ipt/ to this
directory, using cppunit framework and functions added to the
class Configlet per #1369
* Configlet.h (class Configlet): fixes #1369 "Framework for unit
testing of code generation via configlets"
2010-03-28 vadim <vadim@vk.crocodile.org>
* configlets/openbsd/installer_commands_reg_user: see #1368 A fix
for the problem that causes built-in installer to hang after
updating configuration of PF firewalls.
2010-03-27 vadim <vadim@vk.crocodile.org>
* fixed #1360 "negation of cluster interfaces is broken". Rule
with one or several cluster interfaces in the "Interface" rule
element with negation should compile into a rule using all other
interfaces of the member firewall, or using single object negation
"!" if appropriate. This is also fixed in compiler for PF.
Files:
src/iptlib/PolicyCompiler_ipt.cpp
src/pflib/PolicyCompiler_pf.cpp
See also changes r591 , r592 in libfwbuilder
* platforms.cpp (isDefaultPolicyRuleOptions): fixed #1365 "missing
some flags for the "non-default" rule options for PF"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixed #1364 "add synproxy and other missing pf rule options to the
rule options tooltip"
2010-03-26 vadim <vadim@vk.crocodile.org>
* RuleSetModel.cpp (RuleSetModel::getDecoration): fixed #1363
"GUI crash in newClusterDialog". GUI crashed after a new cluster
object has been created from two PF firewalls.
* configlets/linux24/check_utilities: fixed #1359 "generated
script hangs testing for iptables-restore"
2010-03-25 vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesBrief):
fixed #1356 "Show number of rules in the rule set object in the
second column of the tree"
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed #1351
"synproxy rule option is broken"
2010-03-24 Roman Bovsunivskiy <a2k0001@gmail.com>
* unit tests for IPv4Dialog, IPv6dialog, NetworkDialog, NetworkIPv6dialog
fixed #1329, #1327
2010-03-23 Vadim Kurland <vadim@vk.crocodile.org>
* using CppUnit::TestFixture in unit tests based on cppunit:
ImporterTest.h
UsageResolverTest.h
RCSTest.h
FWBTreeTest.h
interfacePropertiesTest.h
* configlets/linux24/check_utilities: fixes #1348 "check_tools
should check IPTABLES and IPTABLES_RESTORE as well"
2010-03-20 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::updateGlobalToolbar): additional check
for condition that happens in unit test
2010-03-19 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::updateGlobalToolbar): fixed SF bug 2973137
"'warning text goes here'". Main toolbar buttons "Compile" and "Install",
as well as menu items Rules/Compile and Rules/Install should be
disabled if currently opened data file has no firewalls to compile.
* CompilerDriverFactory.cpp (CompilerDriverFactory::createCompilerDriver):
fixed SF bug 2973221 "single rule compile (x) results in sigsegv".
* SSHCisco.cpp (SSHCisco::stateMachine): fixed SF bug 2973136,
fwbuilder bug #1347: ssh 'cancel' rule install sigsegv. Installer
caused GUI crash if user hit "Cancel" at just the right
moment. Apparently this also depends on the firewall platform
(was discovered and reported for Cisco FWSM) and perhaps on how
fast it responds to the installer commands.
* platform/fwsm.xml: fixed SourceForge bug 2973121: Added support
for FWSM v4.x
* pixAdvancedDialog.cpp: fixed SourceForge bug 2973079 "pix typo"
(typo in a tooltip)
2010-03-18 vadim <vadim@vk.crocodile.org>
* fixed SourceForge bug #2972699 "fwsm/pix syslog name". The dialog
only accepts ip address for the syslog server.
* configlets/ipfw/script_skeleton: fixed #1335 "Empty functions in
ipfw script". Under some circumstances shell functions in the
generated ipfw script could have no body; /bin/sh does not like
that.
* newFirewallDialog::createFirewallFromTemplate: fixes #1340
firewall object created from template does not inherit fw and host
os settings. See the ticket and comment in the code for caveats.
* templates.xml.in: set "stateless rule " option in template rules
where it makes sense; turned ip forwarding and "assume fw is part
of any" in the "web server" template object.
2010-03-16 <vadim@vk.crocodile.org>
* RCS.cpp, FWWindow.cpp: Fixed #1334 Program failed to open data
file on Windows if it was stored on mounted network volume.
"File/Open" operation terminated with no error but did not load
the file. "File/Open Recent" ended with an error message that
quoted file path as somehting like this:
"Volume{3c50bdba-21b0-4ea5-b52f-aa5d9755f918}/test1.fwb"
which was obviously incorrect and the file could not be loaded.
2010-03-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
fixes #1333 "Add variable management_interface for the
automatic_rules configlet". Variable "management_address"
renamed "ssh_management_address" to avoid ambiguity.
* ObjectManipulator.cpp (ObjectManipulator::editSelectedObject):
change in the behavior of double click in the tree. Open rule set
object in the editor if it is already opened in RuleSetView. If we
just opened it in RuleSetView, check if the editor is visible and
if yes, open the object in the editor right away. Fixes #1331
2010-03-13 vadim <vadim@vk.crocodile.org>
* using file name for the floating tree panel title. See #1317
* fixes #1326 MDI subwindow title is left "Untitled" when GUI
starts with a file on the command line
2010-03-13 Roman Bovsunivskiy <a2k0001@gmail.com>
* Object tree panel should have title when detached. Fixes #1317
2010-03-08 yalovoy <yalovoy@gmail.com>
* RuleSetView.cpp: fixes #1315 menu item "Remove from group" is
available for rules inside the group.
"Create new group" action is fixed too.
* fixes #1202: Main menu "Rules" does not match rule context menu
Items in the main menu Rules should get disabled and enabled just
like items in the context menu do.
Affected files: RuleSetView.cpp, RuleSetView.h
* src/gui/FWWindow.cpp: fixes #1322 main menu items "Rules" are broken
2010-03-07 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::startupLoad): final (hopefully) design
of the welcome/startup window. Always showing startup tip dialog;
added buttons to show "Getting started" and "summary of features"
to the same dialog window. Fixes #1224
* renamed menu item Help/Welcome to Help/Summary of features.
fixes #1311
2010-03-07 yalovoy <yalovoy@gmail.com>
* refs #1202: Main menu "Rules" does not match rule context menu
Items in the main menu Rules should get disabled and enabled just
like items in the context menu do.
Added action: copyRuleAction; cutRuleAction; pasteRuleAboveAction;
pasteRuleBelowAction; disableRuleAction; enableRuleAction;
setColorEmptyAction; setColorRedAction; setColorBlueAction;
setColorOrangeAction; setColorPurpleAction; setColorGrayAction;
setColorYellowAction; setColorGreenAction;
Affected files:
FWWindow.cpp
FWBMainWindow_q.ui
RuleSetView.cpp
RuleSetView.h
2010-03-07 Roman Bovsunivskiy <a2k0001@gmail.com>
* ticket #1307 "cluster names in cyrillic appear garbled in
instDialog list"
* ticket #1289 "turn off mouse wheel scrolling of tabs in the main
window MDI area"
* Ticket #1310 "New slots in startup dialog". Buttons in the startup
tip dialog connected to slots that open "Getting started" tutorial
and "Summary of features"
2010-03-06 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::checkForUpgrade): code that checks if
upgrade is available shows warning dialog no more than once a day.
Also framework for unit testing of this function. See #1309
2010-03-05 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::fillCompileSelectList):
fixed #1305 "Compilation of cluster firewall". when user tries to
compile a firewall object that is also a cluster member, but did
not request compilation of the cluster, a warning should be
presented.
* fixed #1303 "Improve design of the global Preferences, tab
Objects"
2010-03-04 vadim <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog::doScrubToggled):
fixed #1297 "change in scrub rules in PF 4.6". PF 4.6 stopped
support for several reassemble options except for "reassemble tcp"
and changed format for the "scrub" rules.
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
recognize multicast when matching Network and NetworkIPv6
objects. Fixes #1298
* ObjectManipulator.cpp (ObjectManipulator::getDeleteMenuState):
fixed #1301 "can not delete Policy object when it is in Deleted
Objects lib". SF bug 2962628
2010-03-03 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run):
fixed #1296 "crash in fwb_pix". Compiler used to create copy of
each network zone object, expanded it recursively and added
network and address objects to the newly created group
directly (rather than via references). This created objects that
were referenced by two parents in the tree which caused crash in
FWObject::destroyChildren() because an attempt to free the same
block of memory twice.
2010-03-03 vadim <vadim@vk.crocodile.org>
* compiler_lib/CompilerDriver.cpp (CompilerDriver::commonChecks2):
fixed #1292 Added check for interfaces with valid address and
netmask 0.0.0.0
2010-03-03 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* iptables.g (port_def_with_incomplete_range): fixed #1294
'importer for iptables does not parse "--dport NNNN:"'. Policy
importer for iptables should recognize the following variant of
the --dport and --sport port ranges: "port1", "port1:port2",
":port1" and "port2:"
2010-03-03 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::finalize): fixed #1288 "all rules
created by policy import have rule number 0"
* FWWindowPrint.cpp (FWWindow::filePrint): fixed #1295 "File/Print
does not work for clusters"
* Importer.cpp (Importer::createAddress): fixed #1287 "policy
importer (iptables) crashes when host name is used in iptables
rule in place of an address". Importer now creates DNSName object.
* fixed #1291 "deleted objects 'policy' problem". SF bug 2962628
If user ended up placing a 'policy' object in the 'Deleted
Objects' library, it could not be deleted or opened.
RuleSetView.cpp
RuleSetModel.cpp
ActionsDialog.cpp
RuleSetDialog.cpp
platforms.cpp
* Helper.cpp: fixes #1293 When compiler searches for an interface
that should match given address, it should skip unprotected
interfaces.
2010-03-02 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* RCS.cpp (RCS::init): checking if RCS tools are installed on the
system once in the beginning. This helps avoid unnecessary
QProcess starts that make working with valgrind more difficult
because of subprocess starts/stops.
2010-03-01 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed time format for the iptables parameters --datestart,
--datestop which is supposed to be ISO 8601 "T" notation but
apparently with no support for time zone designators. Timezone
desginators are an error in iptables 1.4.1.1 and 1.4.5, did not
test newer versions. Fixes #1286 SourceForge bug #2961532
2010-02-28 vadim <vadim@vk.crocodile.org>
* (many files) fixed warning " format not a string literal and no
format arguments". Fixes #1285
2010-02-28 yalovoy <yalovoy@gmail.com>
* refs #1202: Main menu "Rules" does not match rule context menu
Items in the main menu Rules should get disabled and enabled just
like items in the context menu do.
Added action: insertRuleAction, addRuleAfterCurrentAction,
addToGroupAboveAction, addToGroupBelowAction
Affected files:
FWWindow.cpp
RuleSetView.cpp
RuleSetView.h
2010-02-27 vadim <vadim@vk.crocodile.org>
* ../src/gui/Tutorial/getting_started/html/page0.html: "Getting
Started" turorial is complete, it can be activated using main menu
item "Help/Tutorials/Getting Started".
2010-02-27 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* unit_tests.sh (commands): Using Xvfb for GUI unit tests so they
can run as an automated task. This was broken by r2602
2010-02-26 vadim <vadim@vk.crocodile.org>
* ../src/gui/TutorialDialog.cpp (TutorialDialog::showPage):
TutorialDialog supports multiple tutorials. Each tutorial
is presented in HTML with accompanying CSS stylesheet. fixes #1274
* ../src/res/configlets/bsd/update_vlans: fixes #1275 "script
always deletes, then adds vlans back on OpenBSD"
2010-02-25 Roman Bovsunivskiy a2k0001@gmail.com
* TutorialDialog.cpp (TutorialDialog::TutorialDialog): in-program
tutorial "Getting Started". Activated using menu Help/Tutorial.
Refs #1217
2010-02-19 vadim <vadim@vk.crocodile.org>
* ProjectPanel_state_ops.cpp (ProjectPanel::loadState): refs #1236
Crash on Mac. The GUI could be crashed by repetetivie scrolling of
the tree and other parts of the main window with mouse scroll
wheel on Mac
* FindObjectWidget.cpp (FindObjectWidget::_findAll): fixed #1256
search in the policy of firewalls does not work. This problem was
introduced whith a fix for #1250
2010-02-15 yalovoy <yalovoy@gmail.com>
* ProjectPanel.cpp: fixes #1244 GUI crash on exit
Looks like it is sufficient to just open some data file, open rule set
(I tried with Policy) and insert a rule in the middle. Then exist the
program and it crashes.
2010-02-18 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (splitTCPServiceWithFlags::processNext):
fixed #1247 incorrect use of tcp service with flags in
object-group. "object-group service" does not seem to support tcp
flags and "established"
* ObjectTreeViewItem.cpp (ObjectTreeViewItem::data):
fixed #1248 Filtering in the object-tree crashes the GUI,
SourceForge bug #2954501
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::updateObjectInTree):
fixed #1249 GUI freezes when filters are applied. The GUI would
freeze for a few seconds every time user modified anything in rules
if a filter was applied to the tree at the same time.
SourceForge bug #2954501
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed #1255 context menu items "Lock" and "Unlock" are not updated
after object is locked.
* ProjectPanel_events.cpp (ProjectPanel::event): fixed #1253
Locking an object in the tree causes GUI crash.
2010-02-18 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::FWWindow): fixed #1252 The "New
Object"-Dialog is always opened up twice when pressing <CTRL>+<N>
* FindObjectWidget.cpp (FindObjectWidget::_findAll): fixed #1250
The Find-Dialog searches 'Deleted Objects'-library although it's
not enabled in the preferences. Sourceforge bug #2954501
* IPv4Dialog.cpp (IPv4Dialog::DNSlookup): fixed #1251 DNS-Lookups
in Address-Objects don't work. Sourceforge bug #2954501
2010-02-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (mirrorRule::processNext): fixes #1241
"add mirror rule" checkbox for IOSACL. New feature: policy rule
option "Add mirrored rule" (checkbox in the rule options dialog)
makes policy compiler for IOS ACL automatically create a rule with
mirrored source and destination addresses and service fields. This
can be used to match "reply" packets using address and service
parameters matched by this rule. The action of the mirrored rule
is the same as that of this one. Firewall Builder recognizes the
following services and creates "mirrored" versions as follows:
- UDP service: mirrored service has source and destination port
ranges reversed
- TCP service: mirrored service has source and destination
port ranges reversed and "established" flag inverted.
If TCP service used in this rule does not have "established"
flag, the mirrored service gets it, and the other way around.
This is designed to simplify creating ACL rules to permit
"reply" TCP packets
- ICMP service: ICMP echo request is recognized, mirrored service
becomes ICMP echo reply. Other ICMP types are simply copied to the
mirrored service
- ICMPv6 service: like with ICMP, ICMP echo request is recognized
and other ICMPv6 types are just copied
- IP service: mirrored service is a copy
* ssh_wrappers.cpp (ssh_wrapper): fixed #1246 policy installer
fails on Linux. Policy installer failed with error "bash: -c: line
6: syntax error: unexpected end of file" while trying to activate
iptables script on Linux. This error was introduced in one of the
recent builds.
2010-02-16 vadim <vadim@vk.crocodile.org>
* fixed #1243 "new cluster" operation creates failover groups that
recursively refer to the interfaces of the same cluster. This
happened when new cluster was created with a copy of rules from
one of the firewalls.
newClusterDialog_create.cpp
* fixed #1235 "cluster with dynamic interface can not be used in
rules". Fixes this and several other problems with policy and nat
rules that use cluster inetrfaces with dynamic addresses.
PolicyCompiler_ipt.cpp
NATCompiler_ipt.cpp
* fixed #1240 nat rule should get "on interface" when cluster
interface is used in TSrc.
NATCompiler_pf.cpp
* Configlet.cpp (Configlet::expand): added basic protection
against infinite loops in configlet expansion.
2010-02-15 vadim <vadim@vk.crocodile.org>
* Added template for the OpenWRT firewall. Fixes #1237
2010-02-15 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* working on memory leaks with the help of valgrind. Refs #1229
Help.cpp
Help.h
RCS.cpp
StartTipDialog.cpp
StartTipDialog.h
ssh_wrappers.cpp
2010-02-15 yalovoy <yalovoy@gmail.com>
* refs #1202: Main menu "Rules" does not match rule context menu
Items in the main menu Rules should get disabled and enabled just
like items in the context menu do.
Affected files:
FWWindow.cpp
RuleSetView.cpp
RuleSetView.h
2010-02-14 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel): refs #1229 memory leak problems.
2010-02-14 yalovoy <yalovoy@gmail.com>
* fixes #1228: removing consecutive rules from a group in a ruleset
its currently only possible to remove either the single top rule
or single last rule from a group
it would be useful to be able to select say the first several rules
or last several rules and remove them all at once or if you select
all rules in the group it would then just remove the group.
Affected files:
FWWindow.cpp
FWWindow.h: #1228
RuleSetView.cpp: #1228
RuleSetView.h: #1228
2010-02-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface):
fixes #1234 When failover group object is used in the rule, rule
gets placed in FORWARD chain. Working implementation follows these
rules: 1) if cluster interface obejct is used in the rule, it is
expanded to the set of addresses including cluster virtual IP
address and all addresses of the corresponding member firewall
interface; 2) Failover Group is treated as any regular object
group. Expanding Failover group to the address of its
parent (cluster interface) would work but seems counter-intuitive
* PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext):
fixes #1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
2010-02-13 vadim <vadim@vk.crocodile.org>
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
New feature: incremental management of pfsync0 interface on
OpenBSD. The script checks if interface exists and if not, it runs
"ifconfig pfsync0 create" command to create it. If interface
exists, the script only runs ifconfig to configure its parameters
but does not try to create it again. If State Synchronization
group object is deleted in fwbuilder GUI, interface pfsync0 will
be deleted on the firewall by the script.
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
generated script compares vlan and carp interfaces of the firewall
with objects created in fwbuilder GUI and deletes any such
interfaces it finds if they are not defined in fwbuilder. This is
done even when there are no vlan or carp interfaces in fwbuilder
configuration. This code is added only when checkboxes "Configure
VLAN interfaces" and "Configure CARP interfaces" are checked.
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
New feature: generated script adds and removes CARP interfaces
incrementally. This means it is not going to run ifconfig command
to create carp interface if it is already there and will run
"ifconfig carp1 destroy" command if interface carp1 has been
removed in fwbuilder GUI to delete it on the firewall.
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When user adds or removes VLAN subinterface in fwbuilder
GUI, geenrated script executes appropriate ifconfig commands to
add or remove corresponding vlan pseudo-interface on the firewall
machine.
2010-02-12 vadim <vadim@vk.crocodile.org>
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::updateAddressesOfInterfaceCall):
New feature: incremental IP address management for OpenBSD and
FreeBSD. Generated script adds and removes ipv4 and ipv6 addresses
of interfaces as needed. When user adds an address in the
fwbuilder object, the script adds it. Second run of the same script
does nothing. If user removes an address in fwbuilder, generated
script removes it from the interfaces to bring actual configuration
of the machine in sync with fwbuilder objects.
2010-02-10 yalovoy <yalovoy@gmail.com>
* src/gui/RuleSetModel.cpp: fixes #1223: GUI crash while adding a host to a group
To reproduce:
- open test-fw1 / Policy by double clicking Policy object
- expand Objects/Groups and Objects/Hosts tree branches
- open group LDA-Servers by double clicking it
- drag host ldap-server1 to the group dialog
2010-02-10 vadim <vadim@vk.crocodile.org>
* UsageResolver.cpp (list): fixes #1222 modification of host or fw
settings of a member firewall does not trigger cluster recompile
* InterfaceDialog.cpp (InterfaceDialog::validate): fixes #1221
warning dialogs for the incorrect interface name would not go
away. If user entered incorrect name of the
subinterace (e.g. name that is not a valid VLAN subinterface name)
the GUI would pop up warning dialog infinitely.
* ../src/gui/ProjectPanel_events.cpp (ProjectPanel::event): this
change attempts to fix a bug that causes main menu item Edit /
Paste (keyboard shortcut Ctrl-V) to stop working. The bug is hard
to reproduce and we were not able to find reliable scenario to
trigger it.
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixes #1220 "bridging fw rule using all multicast object in
destination does not produce any iptables rules".
2010-02-07 vadim <vadim@vk.crocodile.org>
* src/gui/ClusterGroupDialog.cpp (ClusterGroupDialog::applyChanges):
fixes #1215 "Edit protocol parameters" button gets disabled for no
reason. This button would get disabled after certain manipulations
in the cluster group object dialog even when no changes were made.
* FWCmdChange.cpp (FWCmdChangeOptionsObject::notify): fixes #1212
Cluster object was not marked for recompile when user edited
conntrack group parameters
2010-02-06 vadim <vadim@vk.crocodile.org>
* src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext):
fixes #1210 "syntax error in PF rule - "modulate state" is
required". Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy"if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
* src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext):
fixes #1209 "incorrect syntax in PF rules when only "Activate
source tracking" option is on". Compiler sometimes generated empty
"( )" in the end of the pf.conf line when there were no state
tracking options
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
fixes #1175 "There is no option for unicast on conntrac
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
* FWWindow.cpp (FWWindow::showWelcome): fixes #1213 Welcome screen.
When user starts the program for the very first time, it shows
a "Welcome" screen that lists summary of features of fwbuilder and
provides a link to the Getting Started Guide on the web site. Link
to the local copy of Release Notes is also provided.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::isValid): "new
cluster" visard should permit the user to create cluster
interfaces without IP addresses for any failover protocol. Disable
widgets used to add virtual ip addresses only for protocol "None".
All other protocols permit adding addresses regardless of the OS
resource file attribute "no_ip_ok".
* linux24.xml, openwrt.xml: fixed #1172 It is ok for a cluster
interface with failover protocol heartbeat to have no ip address.
There are legitimate configurations where admin might want to run
heartbeat over an inetrface which itself has no virtual ip
address, for example to confine heartbeat packets to a dedicated
link.
2010-02-02 vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesDetailed):
fixes #1201 "add parent to the object properties tooltip".
Include parent name in the tooltip that is shown for interface
objects. This helps identify interfaces in rules, especially
subinterfaces and interfaces with common names in complex
configurations with many firewall objects.
* NATCompiler_ipt.cpp (ReplaceFirewallObjectsTSrc::processNext):
fixes #1200 "SNAT with cluster object in TSrc uses all
interfaces". When a network or host address used in OSrc of a NAT
rule matches one of the interfaces of the firewall or a cluster,
there is not need to use this interface for the "-o" clause in
SNAT rule.
2010-02-02 glitch.vk.crocodile.org <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::closeEvent): fixes #1207 'status
"maximized" of internal subwindows is not saved correctly'
2010-02-01 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileExit): fixes #1197 "clicking Cancel
in RCS log dialog cancels log but the program still exits".
* CompilerDriver.cpp (CompilerDriver::populateClusterElements):
see #1198. The check of subnets defined by the member and cluster
interfaces has been removed. The check originally implemented by
Secuwall developers looked only at the first address of the
interface and ignored others. It also did not allow for the
cluster interface netmask /32, which is the case with vrrpd. All
in all, the value here does not seem to be worth the effort of
implementing checks for all combinations.
* ../src/res/configlets/linux24/update_addresses: fixes #1196
"shell function update_addresses_of_interface() does not ignore
virtual addresses of cluster inetrfaces". When generated iptables
script updates ip addresses of interfaces, it should ignore
addresses managed by vrrpd, heartbeat or other failover daemons.
The script did not ignore them and instead removed them from
interfaces.
* objects_init.xml: fixes #1194 "Add standard address objects for
various multicast groups". Added address objects for standard
multicast groups OSPF, RIP, EIGRP, DHCP server / relay agent, PIM,
RSVP-ENCAPSULATION, VRRP, IGMP, OSPFIGP-TE, HSRP, mDNS, Link-local
Multicast Name Resolution, Teredo.
* ObjectManipulator.cpp (ObjectManipulator::updateCreateObjectMenu):
fixes #1195 the GUI should enable "new object" button and menu
item when objects_init.xml library is opened
* platforms.cpp (isDefaultPolicyRuleOptions): fixes #1193 default
setting for "Assume fw is part of any" per-rule option is "follow
global"
* ../src/res/os/linux24.xml: fixes #1192 "iptables script should
skip virtual addresses configured on cluster interfaces while
updating addresses of interfaces". The problem only affected
cluster interfaces with VRRP failover protocol.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::deleteAddress):
fixes #1191 "broken behavior in InterfaceEditorWidget". When user
added and then deleted bunch of ip addresses to an interface in
the new firewall or new cluster wizard, addresses below the
deleted row were ignored.
* InterfaceEditorWidget.cpp (InterfaceEditorWidget::deleteAddress):
fixes #1189 "GUI crash in newFirewall dialog upon completion".
GUI crashed in the new firewall wizard if user deleted an address
of an interface that had 3 or more addresses.
2010-01-31 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (ReplaceFirewallObjectsTSrc::processNext):
fixes #1185 "do not include member ip addresses for cluster NAT
policies". For NAT rules in a cluster, make it use only cluster ip
and ignore member ips.
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
fixes #1187: "regression in compiler for PIX". Rules that have
cluster or firewall object in src or dst that expands to a bunch
of addresses that match network zones of different interfaces
should still be assigned to the interface dictated by the
combination of both src and dst. There is no need to add them to
the ACL of inetrface 1 in direction "outbound" if destination
belongs to the network zone of inetrface 2. Rule like that should
only be assigned to interface 2, direction outbound. However
this does not apply to anti-spoofing rules.
* NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1184
"compiler/GUI crash compiling cluster NAT rule when cluster and
members have dynamic interface". It should be possible to have
cluster interface that is mapped to dynamic interfaces of the
member firewalls and then use this interface or whole cluster
object in rules. Compiler should expand cluster object and replace
it with its interfaces and corresponding interfaces of the member
firewall and then correctly handle dynamic ones.
2010-01-31 yalovoy <yalovoy@gmail.com>
* RuleSetModel.cpp: fixes #1182 rule number column is invisible
when very first rule is created in a rule set
* fixes #1164 focus moves in RuleSetView after paste If i am in a
rule and place the selection to service field of say rule 1 and
ctrl c and then arrow down the selection to service element in
rule 2 and ctrl v the focus then moves back to the rule number
element of rule 2 after the paste instead of staying on the
service element. likewise if i am on an element and do ctrl x it
brings the focus back to the rule number element.
my first expectation was that the focus would remain on the
service element of the rule and not brought back to the rule
number element. i guess this has something to do with refresh of
the gui and you are not keeping track of which element the
selection was on for the last operation.
Affected files:
FWCmdRule.cpp
FWCmdRule.h
RuleSetView.cpp
RuleSetView.h
2010-01-30 vadim <vadim@vk.crocodile.org>
* change in libfwbuilder. fixes #1173 "rule ID labels do not match
rule numbers when disabled rules exist in rule set". Do not remove
disabled rules in PolicyCompiler::prolog() because some compilers
might use RuleSet::insertRuleAtTop() and other similar methods
from prolog() or addPredefinedPolicyRules() and these methods
renumber rules. As the result, labels stop matching rule positions
when this is done because labels are configured in prolog() method
of the base class. See fwbuilder ticket 1173. Instead of dropping
disabled rules in prolog(), will keep them and drop them in rule
processor Begin which is always the first in all compilers.
* PolicyCompiler_ipt.cpp (checkInterfaceAgainstAddressFamily::processNext):
fixes #1172 "fwb_ipt does not generate rule for cluster interface
with no ip address".
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::processFirewallOptions):
fixes #1177 "problems with commands for conntrack_max, hashsize
and other advanced conntrack parameters". Needed to add a line
break between shell commands that set up kernel variables and
those that set up conntrack kernel variables.
* FWWindow.cpp (FWWindow::showSub): fixes #1181 "save state of
subwindow on maximize/restore". The GUI would revert to the
non-maximized subwindows display if user de-maximized subwindow,
then maximized it again and tried to open new data file.
* ProjectPanel_file_ops.cpp (ProjectPanel::fileNew): fixes #1178
window title stays "[Untitled]" after File/new
2010-01-30 yalovoy <yalovoy@gmail.com>
* fixes #1159 GUI crash on redo() :
FWCmdChange.cpp
FWCmdChange.h
* fixes #1121 changing "rules font" in global preferences has no effect
PrefsDialog.cpp
RuleSetModel.cpp
RuleSetViewDelegate.cpp
2010-01-30 vadim <vadim@vk.crocodile.org>
* ../src/res/os/linux24.xml: fixes #1180 "heartbeat failover
protocol uses virtual ip address". New cluster wizard did not
allow the user to add ip address to cluster interface configured
with heartbeat failover protocol.
* ../src/gui/instDialog_ui_ops.cpp (instDialog::setFlags): fixes #1176
GUI crash while compiling cluster object with no StateSyncGroup.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
fixes #1174 "OUTPUT rule is not generated for
heartbeat". Automatically generated rules for cluster members using
heartbeat should be placed in both INPUT and OUTPUT chains.
* ../src/gui/FirewallDialog.cpp (FirewallDialog::applyChanges):
fixes #1171: the warning dialog asking if ip address objects
should be renamed automatically appears twice. when user renames
cluster, firewall, host or interface object, the GUI asks if they
want to rename ip address objects as well to make them adhere to
some naming convention. The warning dialog appeared twice on Mac
and Windows with Qt 4.6
2010-01-29 vadim <vadim@vk.crocodile.org>
* ../src/res/configlets/linux24/installer_commands_reg_user: try
to cancel reboot only if one is pending. This avoids a warning
saying "cant find pid of running shutdown" every time user
installs updated iptables script on Linux firewall. Fixes #1169
Fwbuilder can schedule reboot in a few minutes if user installs
updated policy in "test mode" and requests reboot as a brute-force
rollback to safeguard against locking themselves out of the
firewall in case of error in the policy.
* ../src/gui/ObjectManipulator_ops.cpp (ObjectManipulator::autorename):
cluster failover group objects are now included in the algorithm
that automatically renames addresses of interfaces when user
renames firewall or cluster object. Fixes #1170
* ../src/gui/ObjectManipulator_slots.cpp (ObjectManipulator::copyObj):
show a not on the status bar whenever user copies an object to
clipboard. fixes #1167
2010-01-28 vadim <vadim@vk.crocodile.org>
* ../src/gui/ProjectPanel.cpp (ProjectPanel::isManipulatorSelected):
fixes #1130 "Ctrl-C , Ctrl-V shortcuts do not work for selected
objects in rule elements". Global keyboard shortcuts Ctrl-C,
Ctrl-V, Ctrl-X should work on objects in rule elements when
keyboard focus belongs to the rule set view or on objects in the
tree when focus is on the tree. This also fixes #1138 "ctrl+x and
edit->cut problems in both Policy and NAT". These keyboard
shortcuts operate only on objects in the tree and rule elements
but not on rules. Visual difference between the state when whole
rule is selected and the state when an object is selected in one
of the rule elements is insufficient so making Ctrl-X cut whole
rule may appear unextected for the user.
2010-01-26 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::showContextMenu): fixes #1155
context menu is not updated on rule enable/disable
* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixes #1147
--persistent option for DNAT and SNAT. This adds support for the
"--persistent" option in NAT rules. Version should be set to 1.4.3
or later in the firewall object.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixes #1146
support for NAT MASQUERADE source port randomization. This adds
support for the "--random" option for SNAT, DNAT and MASQUERADE
targets in iptables NAT rules. User needs to turn on the checkbox
that adds this option in NAT rules again
2010-01-26 yalovoy <yalovoy@gmail.com>
* RuleSetView.cpp: fixes #1145
show keyboard shortcuts for "move rule up/down" in the rule context menu
* RuleSetView.cpp: fixes #1158
ctrl page up/down breaks arrowing in the ruleset
2010-01-26 vadim <vadim@vk.crocodile.org>
* FWCmdChange.cpp (FWCmdChange::notify): fixes #1139
GUI crash on click in undo panel view. Sequence that caused crash:
1) new firewall next next finish
2) rename firewall couple of times
3) click to top of undo stack and it crashes
* DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects): fixes #1144
after snmp discovery object attributes are not shown properly
in the tree
2010-01-25 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName):
fixes #1157 Qt dialog does not detect conflict of filenames
properly for linux. When user tried to create new file using
File/New or save existing one using using File/SaveAs and entered
a name without extension when prompted to enter the file name, the
program would overwrite existing file with the same name and
suffix ".fwb" without warning. This happened on Linux but did not
happen on Mac OS X where dialog automatically added the suffix to
the file name.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::insertCarpRule):
fixes #1152 CARP and pfsync rules should match "in" and "out".
Automatically added rules for CARP and pfsync for the PF firewall
should match in both directions, rather than just "out".
* NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1150
"fwb_ipt should check AddressRange in TSrc against addresses of
interfaces". Compiler for iptables finds interface that matches
AddressRange object used in Translated Source of a NAT rule and
uses it for the "-o intf" clause. Addresses of interface can match
the range excactly or partially. Exact match is when range
boundaries match the beginning and the end of the subnet defined
by the interface address and netmask. Partial match is when one of
the range boundaries belongs to the subnet but another one does
not. In this case compiler uses inetrface but issues a warning. If
interface has multiple ip addresses, all of them are taken into
consideration and interface is used if at least one matches. If
address range in TSrc is wide and matches subnets of several
interfaces, compiler splits the rule and uses all of them but does
not replace the range with narrower one and still issues a
warning.
* ProjectPanel.cpp (ProjectPanel::getDestDir): fixes #1149:
ProjectPanel::getDestDir should use userDataDir dir on all OS
2010-01-24 yalovoy <yalovoy@gmail.com>
* #1127 GUI crash when clicking in undo panel
1) new firewall (set name, Next, Next, Finish)
2) add interface
3) open Policy rule set view
4) insert rule
5) drag interface to the "Interface" rule element of the rule
6) click on <empty> in the undo panel
6) click on the last entry in the undo panel
Affected files: RuleSetModel.cpp
* #1132 Keyboard shortcuts for moving rules with "move up", "move down"
Affected files: src/gui/RuleSetView.cpp, src/gui/RuleSetView.h
* #1131 after rule moves with "move up" or "move down", it loses selection
Affected files: src/gui/RuleSetView.cpp, src/gui/RuleSetView.h, src/gui/FWCmdRule.cpp
* #1142 GUI crash on moving rule into a group with russian name
Affected files: src/gui/RuleSetModel.cpp
2010-01-23 vadim <vadim@vk.crocodile.org>
* ../src/gui/FWWindow.cpp (FWWindow::startupLoad): fixes #147:
show Release Notes only once when user starts the program for the
first time. When user upgrades to a new version, Release Notes for
it will be shown once again. Show tip of the day on all subsequent
runs, unless user disables it.
* instDialog_ui_ops.cpp (instDialog::setFlags): fixes #1136:
"install" checkbox appears next to the cluster object in
instDialog and "compile" checkoxes appear next to cluster
member firewalls.
2010-01-23 yalovoy <yalovoy@gmail.com>
* FWCmdRule.cpp (FWCmdRuleInsert::redoOnModel): refs #1127:
GUI crash when clicking in undo panel.
* FWCmdRule.h
* RuleSetModel.cpp
* RuleSetModel.h
2010-01-22 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::compile):
fixes #1134: object-group clause can only be used with ipv4
access lists in IOS per
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1058359
* IOSObjectGroup.cpp (IOSObjectGroup::toString): fixes #1107:
support for "object-group" clause in IOS access lists. Fixed
syntax for the subnet clause inside "object-group network".
2010-01-21 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (RuleOptionsDialog::limitLabelChange):
Added support for negation in the "-m limit --limit rate" clause
for iptables.
2010-01-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixes
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
(make it ! --connlimit-above NN)
* IOSObjectGroup.cpp (IOSObjectGroup::toString): Refs #1107: first
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
* CompilerDriver.cpp (CompilerDriver::validateClusterGroups):
fixes #1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be
configured with interfaces of member firewalls.
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
fixes #1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask
inside" commands for the same rule that permits ssh to the firewall.
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::assembleFwScript):
fixes #1106 "fwb_pix does not include prolog". Prolog script was
not included in generated configuration if firewall object was
converted from some other platform because FirewallOptions? object
inherited old "prolog_place" variable
* Helper.cpp (Helper::findInterfaceByNetzone): fixes #1118
"fwb_pix uses wrong interface compiling the second cluster
member". NAT compiler for PIX failed to find interface with
correct network zone if interface was a child of another
interface, e.g. vlan subinterface.
* clusterMembersDialog.cpp (clusterMembersDialog::getSelectedMembers):
fixes #1117 "failover group member editor loses interfaces". If
failover group included vlan interfaces of the member firewalls,
the dialog that appears when user clicks on "manage members"
button would not show members at all.
* NATCompiler_pix.cpp (NATCompiler_pix::_expand_interface): fixes
#1115: "fwb_pix crash compiling cluster NAT rule set with
interface in TSrc". A cluster interface was used in the TSrc rule
element of a NAT rule. Cluster interfaces of PIX cluster have no
ip addresses of their own (PIX HA pair uses ip addresses of the
master unit), this caused rule element to become empty after
interface object was supposed to be replaced with its ip address.
2010-01-19 vadim <vadim@vk.crocodile.org>
* ../src/cisco_lib/NATCompiler_pix.cpp (NATCompiler_pix::compile):
fixes #1108: fwb_pix: incorrect access list is generated for
"static". When a firewall or host object with an interface that
was configured with netmask that was not
255.255.255.255 (i.e. configured correctly) was used in TDst of a
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the inetrface.
* (NATCompiler_pix::_expand_interface): reimplemented virtual
method Compiler::_expand_interface() to process cluster
interfaces. Using member interface instead of the cluster
interface while compiling the rule.
* (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw
with dynamic interface is used in TDst".
* ../src/iptlib/NATCompiler_ipt.cpp (VerifyRules2::processNext):
fixes #1109: "rules that do not pass verifyRules() checks may
cause compiler crash in test mode or gui crash in single rule
compile mode"
* CompilerDriver.cpp (CompilerDriver::formSingleRuleCompileOutput):
fixes #1110: "when compiler detects fatal error and drops the rule
that caused it, the error does not appear in the single rule
compile output".
* ../src/pflib/TableFactory.cpp (TableFactory::createTablesForRE):
fixes #1111: "NAT compiler for PF does not recognize dynamic
interface of the firewall in rule element". Compiler issued an
error that it can not generate code using dynamic interface that
does not belong to the firewall because its address is unknown.
* ../src/cisco_lib/NATCompiler_pix.cpp (VerifyRules::processNext):
fixes #1104: policy compiler for PIX crashed when it enountered
NAT rule trying to trsnslate both source and destination addresses.
* ../src/cisco_lib/Helper.cpp (triplet::hash): fixes #1105:
compiler for PIX crashed when interface with dynamic address
was used in ODst of a NAT rule.
2010-01-17 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::checkIfNeedToInstall):
Regression: fixed #1092 "missing "install" checkboxes in the list
of firewalls on the first page of the installer
wizard". Checkboxes "install" disappeared randomly from the first
page of the installer wizard.
2010-01-16 vadim <vadim@vk.crocodile.org>
* FWCmdAddObject.cpp (FWCmdAddObject::redo): fixes #1088
"duplicate objects on redo". Click on the last line in undo stack
view created duplicate objects in the tree if some undo/redo
commands created new objects.
* ObjectManipulator_create_new.cpp (ObjectManipulator::newInterfaceAddress):
fixes #1090: extra undo command added to the stack on "New address"
* FWWindow.cpp (FWWindow::event): If user opens two data files
with the same names but located in different directories, titles
of the subwindows, the list in the main Windows menu and entries
in the recently opened files list will display full path. See #936
* FWWindow.cpp (FWWindow::fileOpen, FWWindow::alreadyOpened): The
GUI should not let the user open the same data file twice. If user
tries to do this, even using different (e.g. relative) path, the
program will instead activate project window that already holds
this file. Still can not open the same data file in two
subwindows. See #396
2010-01-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Using rule
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes #1087
* PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext):
fixes #1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable
objects in the same rule element (source or destination) were
converted to the shell script that read addresses from the address
table files, plus wrong iptables command that matched any to any.
This change removes this extra command.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
fixes #1084 "if all user turns off all interface management and
configuration checkboxes, the check_tools shell function is not
added to the script but still called". Shell function
"check_tools" verifies that system tools iptables script needs to
operate properly are installed on the firewall. These are: ip,
modprobe and optionally vconfig, brctl, ifenslave. The bug made
compiler for iptables to add the call to the function but function
definition was missing if user unchecked all "configure
interfaces" checkboxes in the Script tab of firewall object
settings dialog.
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
2010-01-14 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp: fixed #1083: "installer uses incorrect
path when GUI runs on windows" (Sourceforge bug
#2932446). Built-in installer used incorrect path on the firewall
to store copy of the .fwb data file. This happened only when
the GUI ran on Windows.
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): Added
support for pf state tracking options "no-sync" and "pflow". Set
version to "4.5" or "4.6" in the firewall object to be able to use
these new options.
2010-01-13 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::commonChecks2): fixes #1080:
"Add warning when "top" rule set is missing". All compilers issue
a warning when the firewall has no top level NAT or Policy rule
set. This could be an important error because rule set is used to
generate iptables rules for the built-in chains
INPUT/OUTPUT/FORWARD or the main PF rules. However there are
legitimate cases when administrator may want to use fwbuilder to
only generate iptables commands for a custom chain or
configuration for a custom PF anchor, in which case this is not an
error. Compilers generate warning for this condition to bring it
to the attention of administrator but continue processing the
rules.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::flushAndSetDefaultPolicy):
fixes #178: "remove chain initialization commands in the single
rule compile output". Lines that create chains do not need to be
printed when user compiles just one rule, they take up display space
and do not provide any useful information.
* PolicyCompiler_PrintRuleIptRst.cpp (PrintRuleIptRst::_printRuleLabel):
really fixed #869 '"compile rule" should also print the comment'.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
2010-01-12 vadim <vadim@vk.crocodile.org>
* TCPServiceDialog.cpp (TCPServiceDialog::applyChanges): fixed bug
#1076: "when the start of a port range is greater than the end,
the GUI goes into a loop showing error dialogs". Ths problem
affected TCP and UDP service objects
2010-01-10 vadim <vadim@vk.crocodile.org>
* TableFactory.cpp (TableFactory::PrintTables): suppress comment
"Tables: (0)" in the compiler for PF output when there are no
tables.
* CompilerDriver.cpp (CompilerDriver::findImportedRuleSets): fixed
bug #1072: "member ruleset override produces empty config files
for PF". In this case, cluster nat rule branched to a separate nat
rule set. There was nat rule set with the same name in the member
firewall but compiler seemed to ignore it and produced empty .conf
file for this rule set. The warning about member having rule set
with the same name was not issued
* NATCompiler_pf.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces):
fixed bug #1071 "can't use dynamic cluster interface in NAT rules
for PF". In this case, cluster has interface rl1 which is mapped
to dynamic interfaces rl1 of two member firewalls. Cluster
interface object is used in the TSrc of a NAT rule. Compiler
refused to compile this rule with error "cluster:NAT:2: error: Can
not build rule using dynamic interface 'rl1' of the object 'member1'
because its address in unknown."
2010-01-09 Vadim Kurland <vadim@vk.crocodile.org>
* src/res/configlets/openwrt/installer_commands_root: Added
support for OpenWRT. Generated iptables script has standard format
of the OpenWRT system scripts and should be installed in
/etc/init.d/. The script loads firewall policy when it is started
with command line argument "start" and stops it when it runs with
argument "stop". Other standard arguments recognized by OpenWRT
startup scripts are also supported. To make the system run
fwbuilder script during boot, run it with argument "enable". See
Release Notes for more details.
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
Added support for configuring ipv6 addresses of interfaces for *BSD,
including CARP cluster interfaces
2010-01-08 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (AssignInterface::processNext): fixed bug
#1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use
interface only if it has addresses that match address family we
compile for.
* PolicyCompiler.cpp (PolicyCompiler::checkInterfacesForShadowing):
(change in libfwbuilder) include interface rule element in the
shadowing detection algorithm. See ticket #1068
2010-01-07 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesBrief):
fixes #1059: "set attribute field in gui tree for policy and nat
based on its settings". Show "top ruleset" and "ipv4" or "ipv6" in
the second column of the object tree for rule set objects.
* ProjectPanel_file_ops.cpp (ProjectPanel::loadLibrary): fixed bug
#1053 "duplicate objects created on "Import library" operation".
When user used "File/Import Library" function, the library is
checked for objects with duplicate IDs. Library name is also
checked for duplicates and changed by adding suffix "-1" if it
matches existing library name. This means the same library can now
be imported several times, which creates several copies (all with
their unique IDs to make XML file valid)
2010-01-06 vadim <vadim@vk.crocodile.org>
* bug fixes in installer for PF: fixed commands it runs on the
firewall when it authenticates as regular user.
* ObjectManipulator_create_new.cpp (ObjectManipulator::newInterface):
fixed bug #1051: GUI crash when user tried to add an interface to
an interface.
* CompilerDriver_pf.cpp (CompilerDriver_pf::getRemoteConfFileName):
fixed bug #1049 (SourceForge bug #2927165) '(windows only)
installer uses incorrect path on the OpenBSD firewall'
2010-01-01 vadim <vadim@vk.crocodile.org>
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
fixed bug #1043: added explanation of the risk associated with
password caching to the Preferences dialog and Release Notes;
checkbox "remember passwords" will be disabled if user name is not
configured
* ObjectManipulator_tree_ops.cpp (ObjectManipulator::updateLibName):
fixed bug #1042: editing name of a library updates it in the tree
but does not update it in the drop-down list
2009-12-29 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::restoreCurrentRowColumn): fixed
bug that caused rule set view to scroll all the way to the top
every time user modified any object used in the rules. Fixes #968
2009-12-28 vadim <vadim@vk.crocodile.org>
Ticket #1040 (Another GUI crash in newClusterDialog) closed by a2k
fixed
Ticket #1038 (GUI crash in newClusterDialog on Ubuntu 8.04) closed
by a2k fixed: (In [2296]) Fixed #1038
Ticket #1014 (fix tab order of elements in iptadvanceddialog_q.ui)
closed by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016,
#1017
Ticket #1015 (fix tab order in pixadvanceddialog_q.ui) closed by
a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017
Ticket #1016 (fix tab order in pfadvanceddialog_q.ui) closed by
a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017
Ticket #1017 (fix tab order in openbsdadvanceddialog_q.ui) closed
by a2k fixed: (In [2292]) Fixed #1013, #1014, #1015, #1016, #1017
Ticket #1013 (fix tab order of elements in
iosacladvanceddialog_q.ui) closed by a2k fixed: (In [2292]) Fixed
#1013, #1014, #1015, #1016, #1017
Ticket #1030 (firewall name should be prepended with library name
in the list on the ...) closed by a2k fixed: (In [2290]) Fixed
#1030
Ticket #1025 (newCLuster dialog loses all interface addresses if
user hits Back on the ...) closed by a2k fixed: (In [2289]) Fixed
#1025, #1019
Ticket #1019 (unit test failure) closed by a2k fixed: (In [2289])
Fixed #1025, #1019
* instDialog_ui_ops.cpp (instDialog::setFlags): For the PIX
cluster, built-in installer installs generated configuration only
on the master member firewall. It determines which one is the
master by looking in the StateSyncGroup object (state
synchronization cluster group). Fixes #998
* fixed a bug in the rule options dialog: if user tried to edit
iptables log prefix for the rule and deleted a character in the
middle of the string, cursor jumped to the end of the line. Also,
undo command was created for each keystroke in this input field.
fixes #1037
2009-12-27 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes #993
* CompilerDriver_iosacl_run.cpp (CompilerDriver_iosacl::run):
fixed bug (no #): compiler for iosacl failed to open output file
because of the wrong path.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): fixed
SF bug #2919941 "Wrong optimization flag for PF". If "For high
latency" is selected the compiler outputs the following value for
OpenBSD PF: "set optimization For high latency". Which is wrong
syntax, should be high-latency. Fixes #1005
* bug fixes and changes 2009-12-27:
Ticket #1032 ("creating cluster from selected firewalls" does not
work) closed by vadim fixed: (In [2279])
Ticket #1031 ("New Cluster" function creates two undo commands and
two cluster objects) closed by vadim fixed: (In [2278])
Ticket #969 ("Create and add to group" creates several undo
commands) closed by yalovoy fixed: (In [2277])
2009-12-26 vadim <vadim@vk.crocodile.org>
* ObjectManipulator_ops.cpp (ObjectManipulator::actuallyPasteTo):
when an object was duplicated to another library, suffix "-1" was
appended to its name even if there were no other objects with the
same name. Also when an object was pasted into a group, its name
was preserved. If the group had an object with the same name and
user opened new one in the editor and tried to change anything,
the program complained about duplicate name. fixes #1028
* newClusterDialog.cpp: program crashed when user tried to create
new cluster dialog and turned the option to copy rules from one
of the members to the cluster. Fixes #1026
2009-12-25 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #1022: context menu item "New Interface" is disabled.
if user selected an interface object in the tree and opens context
menu, the "New Interface" menu item was always disabled.
2009-12-23 vadim <vadim@vk.crocodile.org>
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
Added support for the "dry run" installer option for Cisco
routers. When this option is on, installer logs into the router
and switches to the enable mode, but does not execute any actual
commands. If scp is used to copy configuration to the router,
installer will copy the file but will not activate it. This tests
ssh session in general, login password, enable password and scp
but does not make any changes to the router configuration.
* OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printSSHConfiguration):
Implemented pushing of the PIX configuration using scp. This
requires PIX v7, ssh v2 and scp should be enabled on the
firewall. This method is much faster than running configuration
line by line. Controlled by a checkbox in the pix advanced
settings dialog. fixes #995
2009-12-22 vadim <vadim@vk.crocodile.org>
* src/res/configlets/ios/installer_commands_reg_user: Built-in
installer can use command scp to copy IOS configuration to the
router using ssh and then command "copy file running-config" to
activate it. This method is much faster than running
configuration line by line. The router should be configured with
ssh v2 and scp server. This method can be combined with
rollback (by reload or EEM).
* src/res/configlets/ios/installer_commands_pre_config: Built-in
policy installer uses EEM (Embedded Event Manager) on IOS 12.4 or
later to schedule automatic configuration rollback instead of
reloading the router. EEM appears in IOS 12.4 and supports
background operations that can be triggered by some events on the
router or by timers. In this new feature, fwbuilder creates EEM
applet with a countdown timer that executes command "config
replace nvram:startup-config force" when timer expires. User has
the following options:
- install updated ACL configuration and schedule automatic
rollback in a few minutes. This can be used to test new policy and
revert to the original one after some short period of time. This
also helps to avoid a situation when updated policy blocks access
to the router because of an error; rolling back to the ACL
configuration that was running before the update will restore
access automatically.
- install updated ACL, schedule rollback in a few minutes but
cancel rollback if installation of the new configuration was
successful. This is mostly intended to prevent blocking access to
the router in case of an error in the new ACL configuration. If
fwbuilder was able to enter all lines of the new configuration all
the way to the end, then new configuration does not block access
and installer executes command "no event manager applet
fwbuilder-rollback" to cancel scheduled rollback.
2009-12-21 vadim <vadim@vk.crocodile.org>
* bug fixes and changes for 2009-12-21:
Ticket #982 (raise floating tree window when user switches between
different project windows) closed by vadim fixed: (In [2233])
Ticket #981 (Error entering new service. User could not change
port range start before changing port range end for TCP and UDP
services) closed by vadim fixed: (In [2234])
Ticket #983 (crash on IOS configuration import) closed by vadim
fixed: (In [2235])
Ticket #875 (unit tests for the policy importers) closed by a2k
fixed: (In [2237])
Ticket #897 (Add paragraph to the release notes explaining new
"conntrack" tab in host OS dialog for Linux) closed by vadim
fixed: (In [2239])
Ticket #901 (mention support for openWRT in release notes) closed
by vadim fixed: (In [2239])
Ticket #900 (mention support for ipcop in release notes) closed by
vadim fixed: (In [2239])
Ticket #899 (paragraph about script structure and command line
args in release notes) closed by vadim fixed: (In [2239])
Ticket #788 (review ChangeLog and update release notes for v4.0)
closed by vadim fixed: (In [2240])
2009-12-20 vadim <vadim@vk.crocodile.org>
* interfaceProperties.cpp (interfaceProperties::validateInterface):
permit unnumbered cluster interfaces. If member firewalls have
unnumbered interfaces that user wants to use in rules, then
cluster needs corresponding cluster interface as well. Previously
the GUI did not allow copy/paste of an unnumbered interface from a
firewall to a cluster and compiler complained about such interface
not having ip address. Now both operations are permitted.
* minor bug fixes:
Ticket #971 (cluster interface should inherit properties of the
member interfaces) closed by vadim fixed: (In [2225]) refs #487
fixes #966, #971
Ticket #947 (Add new options to the "help" dialog) closed by vadim
Ticket #975 (if fw object has empty platform, it can not be
changed) closed by vadim fixed: (In [2228])
Ticket #977 (context menu items Delete and Cut are disabled if
library is Template ...) closed by vadim fixed: (In [2229])
Ticket #974 (fw template 3 is broken) closed by vadim
Ticket #979 (recognize extension .fwl for the template file)
closed by vadim
2009-12-19 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/status_action: Fixes #954 : generated
iptables script now recognizes "status" command line
parameter. When the script runs with this parameter, its exist
status code indicates the state of the firewall: 0 means iptables
modules are loaded and some rules are configured; 3 means either
modules are not loaded or there are no tables. The script can not
verify that the rules are those configured in fwbuilder, it only
verifies that modules are loaded and there are some
rules. Configuration with no rules but with default policies, even
if these policies are ACCEPT in all chanins, returns "0" return
code. This is consistent with behavior of
/etc/rc.d/init.d/iptables script on Fedora Core Linux.
* RuleSetView.cpp (RuleSetView::changeAction): fixed #957: when
user changes action of a policy rule, it should be opened in the
editor only if the new action has some parameters that can be
edited. Such actions as "accept" and "deny" have no parameters and
it does not make sense to open blank editor panel.
* Ticket #959 (context menu items appear rearranged) closed by a2k
fixed: (In [2212]) Fixed #959
* Ticket #958 (when user compiles single firewall, skip the first
page of the wizard) closed by a2k fixed: (In [2210]) Fixed #958
* Ticket #952 (tooltips in RuleSetView should be controlled by ...)
closed by yalovoy fixed: (In [2209]) fixes #952 tooltips in
RuleSetView? should be controlled by …
* Ticket #941 (Add Rule Below adds the new rule above) closed by
yalovoy fixed: (In [2208]) fixes #941 Add Rule Below adds the new
rule above
* Ticket #951 (double click on an object in the group member list
should open it in the ...) closed by a2k fixed: (In [2206]) Fixed
#951
* Ticket #931 (context menu item "New cluster from selected
firewalls" should be enabled ...) closed by a2k fixed: (In [2205])
Fixed #931
2009-12-18 vadim <vadim@vk.crocodile.org>
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): generated
script can now install backup ssh access rule when it shuts down
the firewall. This is optional and is controlled by a checkbox in
the "advanced settings" dialog for iptables firewall. To shut down
the firewall user should run the script with command line option
"stop". fixes #939
2009-12-17 vadim <vadim@vk.crocodile.org>
* fixed bug in the GUI: when user duplicated an object, it was
created with the same name as the original, then the program
complained about duplicate name on every attempt to modify it.
* creating IPv4 or IPv6 address object using main "New object"
menu ended up creating two identical objects instead of one
* built-in policy installer failed if the GUI was running on
Windows, the firewall was running CentOS5 system and regular user
account was used to authenticate
* fixed bug in the GUI: it was not possible to add interface
object to the "Interface" rule element of Policy and Routing
rules.
* fixed bug in the GUI: if the user hit Tab to move from one
input field in the object editor to another after making some
changes, keyboard focus jumped to the object tree.
* improvement in the built-in policy installer: now installer
dialog terminates background ssh or scp process if user clicks
"Cancel" or closes dialog window in the middle of the process.
* documentation: Added comment to all configlet files explaining
how user can modify them.
2009-12-16 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/installer_commands_root: Added
command "chomd +x" to make firewall script executable on the
firewall. Before, this was only done when the program used
regular user account rather than root. Fixes #909
* src/res/configlets/linux24/installer_commands_root: Built-in
policy installer gets commands that it needs to execute on the
firewall from configlets (small scripts using simple macro
language) that are installed in the
/usr/share/fwbuilder-3.1.0/configlets on Linux. User can modify
them by making a copy in $HOME/fwbuilder/configlets without having
to touch the code. Fixes #268.
2009-12-15 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::readManifest): fixed
bug in installer: when the GUI ran on Windows, the path of the
file on the firewall was generated with mixed separators '/' and
'\'. As the result, pscp.exe failed to copy the file to the
firewall.
* OSConfigurator_linux24::printInterfaceConfigurationCommands:
call shell function clear_addresses_except_known_interfaces() with
a list of all interfaces configured in fwbuilder. This will clear
ip addresses of interfaces that are not configured in fwbuilder
and bring them down. Before, the call to this function did not
include dynamic interfaces and as the result, the script deleted
their addresses and brought them down.
* ../src/res/os/linux24.xml: the GUI and compiler should not
assume that when failover protocol is VRRP, then there should be
interface vrrpN. This seems to be the case and the default only
for Secunet Secuwall firewall. Vrrpd daemon on Linux does not
create vrrp inetrfaces and just manipulates alias IP and MAC
addresses. Fixes #895
* objects_init.xml: Standard objects library now comes with new
IPv6 Network objects. These objects represent IPv6 networks that
should not be routed on the Internet. Included: RFC3849
"Documentation Network" 2001:db8::; RFC4291 "Link local"
fe80::/10; RFC4773 "Experimental Network" 2001:0000::/29 to
2001:01F8::/29. Also added a group "ipv6 private" that includes
all these networks. Fixes #888
* instDialog.cpp (instDialog::instDialog): Moved "batch install"
checkbox to the page that shows compiler progress so the user can
decide to do batch install right before they perform installations
instead of doing this before they start compile.
2009-12-14 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes #883
* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes #878
* PrefsDialog.cpp (PrefsDialog::accept): Added a place in the
global Preferences dialog for options specific for different
object types. First parameters include options for DNSName and
AddressTable to let the user decide if the newly created objects
of these types should be automatically configured with "Compile
Time" or "Run Time" mode. Also, added an option that makes DNSName
object editor copy the name of the object into the DNS record
input field when new object is created or whenever the name
changes. This is useful when the user does not want to keep
object name and dns record different because they need to enter
the name only once.
* DNSNameDialog.cpp (DNSNameDialog::applyChanges): If global
Preferences option "Use DNS Name object name for the DNS record"
is turned on, copy the name into the record on every name change.
Fixes #866
2009-12-11 vadim <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::newObject):
Implemented feature request #2245537 "Add service object to
service groups directly from groups". Group object dialog now has
a button that shows a menu when clicked, this menu allows the user
to create new object and add it to the group in one operation.
This fixes #119
* ObjectManipulator::addNewObjectMenuItem: fixes #850 Redesigned
methods used to create "new object" menu and call functions that
create new objects to be able to build menus with limited sets
of new object types.
* ../src/gui/FWBTree.h (class FWBTree): added methods
getTranslatableObjectTypeName and getTranslatableNewObjectMenuText
that return translatable strings for the given object type name.
2009-12-09 vadim <vadim@vk.crocodile.org>
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::_find): "Find
where used" function can now find all uses of the given object, as
well as all uses of its children. For example, if the object is
firewall, then this function can find all groups and rules that
refer to it directly, or to it and all its interfaces and their
addresses. This extension is optional, it is controlled by a
checkbox in the "Find" dialog.
2009-12-08 vadim <vadim@vk.crocodile.org>
* ../src/fwbedit/merge.cpp: fixed bug #2794851 (fwbuilder bug
#202): "Ability to import Library using fwbedit". User can now
merge objects from two files together using fwbedit just like the
"Import library" function in the GUI.
2009-12-07 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::getInstOptions): fixed bug
#2908220 (fwbuilder bug #803): "Running fwbuilder as root
hardcodes batch install user". Built-in installer ignored user
name entered in the installer options dialog and communicated with
the firewall using the name of the user running the program.
2009-12-04 vadim <vadim@vk.crocodile.org>
* ../src/res/platform/pf.xml, iptables.xml: unified terminology
for policy rule actions that create branching in the rule set or
tag packets. Now we call these actions "Branch" and "Tag" for all
platforms. Before, the name was different and matched original
action on each platform, that is for PF it was "Anchor" and "Tag"
and for iptables "Chain" and "Mark" respectively.
2009-12-01 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/run_time_wrappers: fixed #651:
"support for dynamic ipv6 addresses is broken". When an interface
with dynamic address was used in a rule in IPv6 rule set,
generated shell script was supposed to read its IPV6 address and
use it in the rule. This code was broken and never worked
properly. Implemented idea for getaddr6 code suggested by
<j.kammer@eurodata.de>, it now reads all IPv6 addresses of the
interface and uses them in the rule via shell "for"
loop. Implemented the same change for IPv4 as well. This changes
behavior of the generated iptables script compared to fwbuilder v2
and v3 where it only used the first IPv4 address of the dynamic
interface. In v3.1 and v4 it will use all addresses of such
interface.
2009-11-29 vadim <vadim@vk.crocodile.org>
* newClusterDialog.cpp (newClusterDialog::finishClicked): New
feature: the wizard that creates new cluster object starts with
the list of firewall objects where the user can choose which
firewalls should become members of the cluster. Next, the program
finds interfaces of the member firewalls that have the same name
and can be part of the cluster and creates cluster interfaces with
the same name. Not all interfaces are eligible, for example bridge
ports, bonding interface slaves or parents of vlan interfaces can
not be used for the cluster. Cluster interfaces define failover
groups. The user can add, remove or rename cluster interfaces, as
well as change which interfaces of the member firewalls are used
with each one. On the next page of the wizard user changes
failover protocols and can add or remove or change ip addresses of
cluster interfaces. Not all failover protocols require ip
addresses, for example VRRP or CARP do but heartbeat or OpenAIS
don't. Finally, the user can choose to use policy and NAT rules of
one of the member firewalls to populate Policy and NAT rule sets
of the new cluster. If this is done, all references to the
original member firewall and its interfaces in rules are replaced
with references to the cluster and its interfaces. The program
also creates backup copies of the member firewall objects with
the name with suffux "-bak" and clears Policy and NAT rule sets of
the member firewall objects used with the cluster before new cluster
is created.
2009-11-21 vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (ObjectEditor::apply): New feature: behavior of
all object dialogs has changed. According to the results of the
user community opinion poll and discussion, object dialogs are
losing button "Apply". All changes made in dialog entry fields are
saved into the object immediately. This does not change the data
in the .fwb file, only objects in memory. Combined with Undo, this
allows for faster object editing and roll back of changes.
* New feature: Undo/Redo facility. Undo supports changes to object
parameters in editors, creation of new objects, deletion of
objects, adding and removed objects to groups. Undo stack can be
displayed in a special docked window.
2009-11-14 vadim <vadim@vk.crocodile.org>
* newFirewallDialog_from_template.cpp (newFirewallDialog::replaceReferencesToNetworks):
New feature: when user creates new firewall from a template, the
wizard dialog now offers a new page where they can change ip
addresses of the interfaces of the template. User can change name,
label, address, netmask, MAC address and type (regular/dynamic) of
the interface, as well as add and delete interfaces. The program
then creates interface objects with new parameters and updates
policy and NAT rules of the template. It creates new Network and
NetworkIPv6 objects using new addresses and replaces references to
network objects that match old addresses with references to these
new objects in rules and groups. This eliminates the need to do
manual search and replace to update firewall object created from a
template to make it match actual user network configuration.
Fixes #613
2009-11-10 vadim <vadim@vk.crocodile.org>
* configlets/pix_os/failover_commands: New feature: Added ability
to generate failover commands for PIX. Summary:
- only "lan" type failover configuration is supported
- one interface in each member firewall should be marked as
"dedicated failover" interface. These interfaces must have the
same name.
- cluster should have interface with the same name as failover
interface of the member firewalls; this cluster interface should
have failover cluster group child object. The failover group is
configured with failover interfaces of both members. One interface
must be marked as "master". Compiler checks for this.
- Protocol in this failover group should be configured as "PIX
failover protocol"
- cluster must have state synchronization cluster group object,
configured with interfaces of member firewalls. Use the same
interface as for the failover or another dedicated inetrface. In
the latter case interface objects of the member firewalls used for
state sync must be marked as "dedicated failover" as well.
- Failover and state sync groups should have the same member
firewall configured as "master". Compiler checks for this.
- Regular interfaces: cluster should have interface object with
the name matching corresponding interface of member
firewalls. Each of these cluster interfaces should have failover
cluster group child object configured with member firewall
interfaces. Protocol in this failover group can be set to
"None" (or blank). It is also not necessary to mark member
interface as master.
* OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printInterfaceConfiguration):
Using configlet to generate interface configuration commands for
PIX. Now user can change generated script if necessary without
making changes in the fwbuilder code.
* ObjectManipulator.cpp (ObjectManipulator::libChanged):
Experimental change in the GUI, new feature: Now the program does
not switch object in the editor on a single click in the tree.
User should double click object in the tree or use context menu
item "Edit" to open object in the editor. User can select
different object in the tree or switch to another library while
editor has unsaved changes. This helps, for example, when they
need to populate large object group and need to switch between
libraries to find objects. Switching to another library or
accidentally clicking on a wrong object in the tree does not cause
editor to switch.
2009-11-09 vadim <vadim@vk.crocodile.org>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
support for failover configurations for PIX.
- Interfaces of member firewalls used for failover configuration
should be marked as "Dedicated failover" interfaces. They should
have normal IP addresses. These interfaces will be used to
generate "failover" commands in the PIX configuration.
- Cluster should have interface with the same name as failover
interfaces of the members, with protocol set to "PIX failover" and
members configured as usual. This interface has no ip address.
- Other interfaces of the cluster have the same name as
corresponding interfaces of the member firewalls, protocol "None"
and failover groups that define members as usual. These cluster
interfaces also have no ip address.
- Cluster state synchronization group uses protocol "PIX state
synchrnization" and its members should be configured as usual.
Use failover interfaces of the members as members of the state
sync group.
* Interface.cpp: Added attribute "dedicated_failover" to the
Interface object. Interfaces with this attribute are treated like
other "unprotected" interfaces, that is they are not used to
attach ACLs to and not used in rules. Dedicated failover
interfaces have special meaning in PIX configurations and are used
to describe interfaces used for LAN failover.
2009-11-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags):
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes #455
2009-11-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX
does not support IP options matching, compiler issues warning.
Fixes #567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3, 12.4
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.4 or
later. Fixes #566, #568
* configlets/sveasoft/script_skeleton: Fixes #571 /bin/sh on
Sveasoft (busybox) does not like empty shell functions and fails
with an error "36: Syntax error: "}" unexpected". Will call
/bin/true as a placeholder so that if some other commands are
added to the function body during template expansion, they are
executed after /bin/true and their return code is preserved. If no
commands are added, then the function body won't be empty and will
return success.
* NATCompiler_pf.cpp (NATCompiler_pf::compile): fixed bug
#2889579: "fwb_pf crash when unnumbered interface is used in nat
rule". Compiler for PF crashed when unnumbered interface was used
in TSrc element of a NAT rule.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): Fixed
bug #2892100: "'Old boradcast' object produces 0/0 in iptables
script". The bug triggered when iptables version was set to 1.3.x
or later. "Old broadcast" object is defined as AddressRange with
0.0.0.0 as a start and end addresses of the range. Generated
script should have "0.0.0.0" but the compiler uses "0/0" instead.
2009-11-04 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printDstService):
Added support for IP options matching in ipfw using "ipoptions"
keyword. Matching IPService object with "any options" attribute
is not supported though.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): IPService
object now has attribute "any options". If this attribute is
turned on, compilers will generate configuration to match IP
packets with any options present. Fixes #561
2009-11-03 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (dynamicInterfaceInTSrc::processNext):
Implemented feature request #2829661: "SNAT instead of MASQUERADE
on dynamic interfaces". NAT rule options dialog now has a checkbox
that makes compiler use SNAT target instead of MASQUERADING when
checked when TSrc has dynamic interface. Apparently MASQ target
has problems when iptables NAT is used in combination with policy
routing. Using SNAT with a variable that gets interface address
solves the problem. By default this option is off, that is
compiler uses MASQUERADE target when TSrc has dynamic interface.
Fixes #560
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::prolog): Fixed bug
#2792847 (SourceForge) "cant turn off "part of any" for a rule if
default is on". There was no way to turn option "Assume firewall
is part of any" for just one rule when it was ON globally. Now
this attribute is presented as a tri-state control in the rule
options dialog, with options "Follow global setting", "On" and
"Off". Now this option can be turned on and off in individual
rules regardless of the global setting. Default is "follow
global". Old "Off" maps to the new "follow global", old "On" maps
to the new "On". Fixes #559.
2009-11-02 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printInterface): New
feature: optimization in compiler for PF. Rules that have several
interface objects (or a group) in the "Interface" column are
compiled using "{ }" grouping to produce only one configuration
line instead of several for such rule. Fixes #76
* PolicyCompiler_pf.cpp (SpecialServices::processNext): Compiler
for PF generates "allow-opts" keyword when IPService object used
in the rule has IP options. This includes new option "router-alert".
Fixes #503
* IPServiceDialog.cpp (IPServiceDialog::applyChanges): Added GUI
elements to support IP option "router-alert" which is now
available as an attribute of IPService object. Fixes #502
2009-11-01 Vadim Kurland <vadim@vk.crocodile.org>
* CompilerDriver_pf.cpp (CompilerDriver_pf::printStaticOptions):
Added support for PF configuration parameter "set state-policy"
which can have values "if-bound" or "floating". The GUI input
element provides these options in addition to the default empty
option. If empty list item is selected, command "set state-policy"
is not added to the generated .conf file at all. Fixes #423
2009-10-31 Vadim Kurland <vadim@vk.crocodile.org>
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
New feature: password caching. Built-in installer can remember
firewall password (and enable password for Ciscos) for the
duration of the session. Passwords are never stored permanenetly
in any form, encrypted or plain text. The user needs to enter
password once when they activate generated policy. If they keep
the program open and need to modify and activate policy again, the
password fields in the installer dialog can be filled
automatically. The feature is optional and is off by default.
Cached passwords are associated with the firewall object and
account name used to activate policy. Implemented by a2k@codeminders.com
2009-10-22 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::itemDoubleClicked): Fixes #545.
Change in the GUI behavior: both left and right mouse click on an
object in rules should not select it in the tree. If user wants to
open it in the tree, they can use context menu item "Reveal in the
tree" or double click the object. This solves the following
inconvenient behavior (quoting from email):
1) anytime I copy something and then right click to paste into a
policy or nat it immediately changes the tree to the location of
the object under the cursor which is usually to the standard
library on any and then i have change it back to the user
library.
2) if I want to compile a rule, unless I am careful and right
click on the rule number instead of any field in the rule to
select compile it move the tree to whatever is under the cursor.
2009-10-20 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::processNext): Added
support for branching NAT rules for PF. Compiler generates
keyword "anchor" if PF version is 4.3 or later and "nat-anchor"
and "rdr-anchor" for earlier versions.
* platforms.cpp (getActionNameForPlatform): Human-readable names
for Policy and NAT rule actions come from the platform .xml
resource file (attribute "description"). This implements Feature
Requests #1948874 and #1796803
* Support for branch rules in NAT rule sets. Currently only
supported for iptables and PF. NAT rules get column "Action" for
these platforms, with possible acctions "Translate" and "Branch".
Action parameters dialog for the Branch action provides drop well
where another NAT ruleset object can be dropped (just like with
Branch action in the Policy rules). Action "Translate" performs
translation as defined in the rule. Objects in the "Translated
source/destination/service" are ignored in NAT rules with action
"Branch" and a warning is issued at compile time.
* NATCompiler_ipt.cpp (splitNATBranchRule::processNext): Support
for branching NAT rules for iptables. Rules in the branch rule set
are processed first and their targets and corresponding chains are
recorded. These rules are placed in the user-defined chains with
the name composed of the rule set name and the
chain ("POSTROUTING" or "PREROUTING") that corresponds to the
chosen target. Then top NAT rule set is processed. Branching rules
found in it pass control to the chains used for the rules from the
branching rule set. IF branching rule set uses a mix of SNAT and
DNAT rules, the branching rule in the top rule set is split and
placed in both PREROUTING and POSTROUTING chains as appropriate.
2009-10-14 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/conntrack: Implemented support for
conntrack performance tuning parameters and tcp window tracking
option. Parameters CONNTRACK_MAX and HASHSIZE are described at
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt. The
conntrack_tcp_be_liberal option is described at
http://conntrack-tools.netfilter.org/manual.html . Parameters can
be set in the host OS dialog for Linux (added new tab
"conntrack"). Commands that will be added to the generated script
come from the new configlet "conntrack". Commands are different
for iptables versions <1.4.0 and >=1.4.0. User can customize the
commands by substituting the configlet if necessary. Fixes #198, #511.
2009-10-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipf.cpp (SplitDirectionIpfilter::processNext):
fixed bug #2874571: "ipfilter version 3.4.29 issues after
introduction of 282860". Optimizations added for PF broke rule
generation for ipfilter which does not allow rule without explicit
direction specification.
* FWBSettings.cpp (FWBSettings::getCollapsedRuleGroups): fixed bug
#2872365: "problem with group names containing comma". State of
the rule group with a comma in the name could not be saved in
program settings and the group could not be expanded once it was
collapsed.
* CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject):
fixed bug #2870562: "custom service - protocol name
options". Added protocol "ipv6-icmp" to the list of predefined
protocols in the CustomService object and fixed the dialog to make
it properly save protocol name entered by the user (the widget
where user choses protocol name also supports editing so the user
can enter any protocol name not offered in the list of standard
protocols).
* FWWindow.cpp (FWWindow::toolsDiscoveryDruid): fixed bug
#2867550: "Discovery Druid dieswhen there is no active'project
window".
* debugDialog.cpp (debugDialog::debugDialog),
DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid) Reversing the
change made in 3.0.7 in the debug and discovery druid windows, the
change was intended to make the window title bar show "close"
button on Mac OS X. Unfortunately the caused the title bar to
disappear all together on Linux under some window managers. Modal
QT dialogs do not have title bar buttons on Mac OS X, but since
they always have "OK", "Finish", "Close" or "Cancel" buttons as
part of the dialog contents, absense of the "close" button in the
title bar is not critical.
* VERSION (VERSION): started v3.0.8
2009-10-07 vadim <vadim@vk.crocodile.org>
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::itemClicked):
"find where used" panel selects object in the tree or in rules on
single click in the list of the results. To open the object in the
editor user needs to switch to the editor tab in the bottom docked
panel.
2009-10-03 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
Added support for heartbeat over unicast. Protocol options dialog
for heartbeat offers checkbox "Use unicast" (off by default, when
checked, address input field for the multicast heartbeat address
becomes disabled). When checkbox is checked, compiler
automatically adds rules to permit unicast heartbeat health checks
between addresses of interfaces which are members of the failover
group.
2009-10-02 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.cpp (topLevelChangedForTreePanel): Main window
layout redesign: Panels that show object tree and object editor
now use docked widget and are detachable. User can "float" these
panels to be able to rearrange information on the screen. When
panel showing objects tree is detached, it can be expanded to show
multiple columns of information comfortably. Also, when the tree
is detached, panel showing rules expands to occupy whole window
which helps to see rules using objects with long names. This
provides easy way to see attrivbutes of many objects at
once. Panel that shows object editor dialogs also shows "find" and
"find where used" dialogs in a Tab widget. This panel is part of
the main window (it used to be part of the internal MDI subwindow)
and also can be detached. Editor panel now occupies whole bottom
part of the main window. Since editor dialogs show all relevant
information about the object, the "Info" panel has been
deprecated. Since the editor and search dialogs are now placed
inside docked widget that has its own "close" button, "Close"
buttons in these dialogs have been removed.
2009-09-30 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::setAttributesColumnEnabled):
New feature: the GUI can show brief summary of object attributes
in the second column in the object tree. This is controlled by a
checkbox in the global preferences dialog, tab "Objects". This is
off by default. The first column always shows object icon and its
name, the second (optional) column shows its attributes. Interface
label is shown in the second column. The width of both columns in
the tree is set automatically to accommodate all the text, then
can be adjusted by the user using mouse. Column width is saved in
settings and will be restored upon program restart. Column width
is saved per-file, per-library.
2009-09-23 vadim <vadim@vk.crocodile.org>
* ../src/res/configlets/linux24/update_bonding: Generated iptables
script incrementally updates bonding interfaces:
- It creates new bonding interfaces with parameters configured in
the GUI if module 'bonding' is not loaded. This is what happens
if fwbuilder script runs after reboot.
- if there are no bonding interfaces in fwbuilder configuration,
the script removes bonding module to kill any bonding interfaces
that might exist on the machine
- if you add new bonding interface in fwbuilder, the script checks
if it exists on the machine. It will not create it because to do
so, it would have to remove the module which kills other bonding
interfaces. If this second bonding interface exists, it will be
configured with slaves and addresses. If it does not exist, script
aborts. In this case you need to either 1) reload module manually
or 2) add max_bonds=2 to /etc/modules.conf and reboot or 3) unload
module and run fwbuilder script again (if module is not loaded,
the script loads it with correct max_bonds parameter)
- if a bonding interface exists on the machine but not in
fwbuilder configuration, the script removes all slaves from it and
brings it down. It can not delete it because to do so it would
need to remove the module, which kills other bonding interfaces.
Limitation: currently all bonding interfaces will use the same
protocol parameters. This is because module loading with parameter
"-obond1" that is supposed to be the way to obtain more than one
bonding interface and also the way to specify different parameters
for different interfaces causes kernel panic in my tests. Tested
with bonding module v3.5.0 and kernel 2.6.29.4-167.fc11.i686.PAE
on Fedora Core 11. The only working way to get two bonding
interfaces I could find is to load the module with parameter
max_bonds=2, but this means all bonding interfaces work with the
same protocol parameters. If bond interfaces are configured with
different parameters in fwbuilder, compiler uses the first and
issues warning for others.
2009-09-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (ItfNegation::processNext): (change in
libfwbuilder) fix for bug #2710034 "PF Compiler in 3.0.3
Unprotected Interface Bug". When we expand "interface" rule
element which uses negation, skip unprotected interfaces.
2009-09-16 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): Fixed
security issue with temporary file handling in the generated
iptables script. The problem only affects Linux systems where
Firewall Builder is used to generate static routing
configuration. The problem exists in Firewall Builder versions
3.0.4, 3.0.5, 3.0.6
2009-09-14 vadim <vadim@vk.crocodile.org>
* standardized compiler error and warning messages using format
fw_name:ruleset_name:rule_number: warning: message
fw_name:ruleset_name:rule_number: error: message
* dialogs that show compiler output recognize error and warning
messages and highlight them using different color and bold font.
2009-09-07 vadim <vadim@vk.crocodile.org>
* single rule compile feature implemented for all
platforms (iptables, ipfilter, pf, ipfw, iosacl, pix) and
integrated with the GUI. Currently using keyboard shortcut "x".
Fixes #23.
2009-09-06 vadim <vadim@vk.crocodile.org>
* RuleSetView_single_rule_compile.cpp (RuleSetView::compileForCurrentRow):
Single rule compile implementation. Currently this is triggered by
hitting keyboard key 'x', the event is processed by RuleSetView
class which calls RuleSetView::compileForCurrentRow(). This
creates compiler driver object and calls it to compile currently
selected rule. The result is shown in the editor panel. User can
select parts or the whole of the generated script in the editor
panel but it is read-only. Works only with iptables yet. Refs #23.
* src/iptlib/iptlib.pro (SOURCES): Moved all modules for fwb_ipt
except main module ipt.cpp to a separate library so that they can
be linked with either command line compiler fwb_ipt or the
GUI. Refs #23
2009-09-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
fixed bug (no #): policy compiler for Cisco IOS ACL did not add
icmp type to the generated ipv6 access-list statements for rules
that matched ICMPv6 services.
2009-09-03 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/update_bridge: configlet that updates
bridge interfaces will now completely synchronize interfaces with
configuration created in fwbuilder even if no bridge interfaces
are used in fwbuilder. Bridge interfaces that exist on the
firewall but not in fwbuilder will be deleted and those that exist
in fwbuilder but are missing on the machine will be added. Bridge
ports are deleted and added after bridge interfaces have been
synchronized.
* src/res/configlets/linux24/update_vlans: fixed command line in
the command that removed vlan interface
2009-08-30 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::addToLog): fixed bug #2847263
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
2009-08-28 vadim <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::event): instead of several
methods in FWWindow that scan all project panel windows and
execute some operation, using user defined events. Currently have
two events: dataModifiedEvent and updateObjectInTreeEvent. The
first one signals that some object has changed so that
ProjectPanel::event() can update timestamps and do other things.
It then posts the second event, which it will catch and process on
the next event processing run. The second event does UI updates.
Both events carry file name and object ID. Only those ProjectPanel
objects that have the same file process the event. Events are
dispatched to project panels in FWWindow::event(). Concentrating
all UI update logic in one place helps avoid unnecessary redraws.
This replaces FWWIndow::updateLastModifiedTimestampForOneFirewall,
FWWindow::updateLastModifiedTimestampForAllFirewalls,
FWWindow::reloadAllWindowsWithFile.
* interfaceProperties.cpp (interfaceProperties::manageIpAddresses):
this is a generic method that implements a policy to decide
whether generated script should manage ip addresses of a given
interface. It checks if it belongs to a cluster or a firewall and
failover protocol (if it belongs to a cluster). It fills two
lists: one is the list of addresses that the interface should have
and another is a list of interfaces the script must not remove
even if they are assigned to the interface. The method uses data
from host_os XML resource file.
2009-08-27 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::mergeRuleSets): See #372:
this change reverses the logic of the program when it merges rule
sets from the cluster into its member firewalls. In the original
Secunet implementation rule sets of members were ignored and only
one top level rule set from the cluster was ever used. Now we
check if member firewall has rule set of the same name as cluster
and use it if it is not empty and issue a warning. If rule set of
the member firewall with the same name is empty, rules from the
cluster are used. All rule sets of the cluster that do not match
anything in member firewalls are merged into firewalls and used
for compilation. This way, we can have multiple rule sets in the
cluster and can have slightly different rules in member firewalls
if necessary. See ticket #372 for more details and info for the
documentation.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::addPredefinedPolicyRules):
fixes #388: "automatic rules are added to second rule set in
cluster member". IF a cluster member firewall had several policy
rule set objects, automatic rules for conntrackd, vrrp, heartbeat
were added multiple times.
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
fixes #387: add calls to update_addresses shell function in
generated script even for interfaces with no ip addresses. This
way, if such interface has an address on the machine, it will be
removed. This helps synchronize configuration with fwbuilder when
user removes all addresses from an interface and converts it to
"unnumbered". Note that update_addresses never removes scope link
and scope host addresses of the interface even if they are not
configured in fwbuilder GUI.
* PolicyCompiler_pf.cpp (SplitDirection::processNext): applied
patch per #2844561: "PF Compiler Direction Both Duplicate for
Route Action". Need to split the rule if direction is Both
and action is Route.
* newFirewallDialog.cpp (newFirewallDialog::templateSelected):
fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed
if user clicked "next" in the new firewall dialog to open page
with templates, then clicked "Back" and then "Next" again.
* ObjectManipulator.cpp (ObjectManipulator::select): fixed bug
#2845667 "Crash after find object". When host object was found
using "Find object" function while searching by ip address,
clicking on the selected host in the tree caused crash.
* VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7
2009-08-26 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::validateForPaste):
User should be able to add vlan interface to a bridge (vlan
interface becomes bridge port). Fixes #384
* CompilerDriver.cpp (CompilerDriver::populateClusterElements):
moved this method from class Compiler. fixes #367
* CompilerDriver_compile.cpp (compileSingleRule): entry point for
single rule compile. Takes one argument - rule ID and returns a
QMap<QString,QString> where key is firewall name and value is
generated script for this rule. Currently using this entry point
in the command line compilers via cli argument -s rule_id. Fully
implemented in fwb_ipt. Fixes #358, #206
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using
std::auto_ptr to protect OSConfigurator, PolicyCompiler and
NATCompiler objects and to properly delete them to avoid memory
leaks in fwb_ipt. fixes #371
2009-08-24 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::commonChecks2): refactored
bunch of common sense checks from compilers for ipt and pf into
common module. This also fixes #337 by checking if it is ok for
the cluster interface to have no ip address using xml resource
file for the fw host OS. Protocols such as heartbeat and openais
can operate when failover interface has no shared cluster address
because these protocls can use multicast address. However
configuration when cluster interface using one of these protocols
has shared IP is also legit. The check here only suppresses error
message when interface has no ip.
* platforms.cpp (setInterfaceTypes): Fixes #335 : if interface
name matches naming convention for vlan interfaces and vlan type
is in the list that came from the resource file, then leave only
vlan in the list we return. Note that if resource file says this
subint can not be vlan, we dan't return vlan type on the list even
if its name looks like it could be one.
* ProjectPanel.cpp (ProjectPanel::updateTreeViewItemOrder):
Removed ProjectPanel::updateTreeViewItemOrder() and removed call
to it from ObjectEditor::notifyChangesApplied(). We take care of
QT bug workaround for improper sorting in other places. This
change fixes #329.
2009-08-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterface): If
newly created interface object is a top-level interface, always
set its type to "ethernet". If it is subinterface, call
guessInterfaceType() to guess.
* ObjectManipulator.cpp (guessInterfaceType): fixes #334. the GUI
guesses correct subinterface type when it is created and when user
hits "Apply" in the interface object dialog after some changes
have been made. If inetrface name matches one of the patterns of
the vlan inetrface for the given OS, its type is set to "vlan" and
vlan ID is assigned. If its name does not match naming pattern of
a vlan interface but parent interface type is "bridge" or
"bonding", subinterface type is set to "ethernet". This covers
most of the use cases and makes subinterface type assignment
automatic.
* ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress):
fixes #330: the name of the ip address of an interface should
follow the schema "firewall:interface:subinterface:ip". The same
schema should be followed when address object is automatically
renamed when the user renames firewall or interface object.
* ObjectManipulator.cpp (ObjectManipulator::copyObj): call
Interface::getOptionsObject() at the beginning of copy and
dragStart operations to make sure interface has options object
later in paste and drop operations when we need it to do some
validation checks.
2009-08-20 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::validateForPaste):
perform checks for the valid vlan subinterface configuration
for copy/paste and d&d drop operations; this uses the same
algorithms as the check done when user renames an interface.
This means user can not copy/paste or d&d interface "eth1.100"
to make it a subinterface of "eth0" or top-level interface.
* InterfaceDialog.cpp (InterfaceDialog::validate): Additional
checks for validity of interface name: the name can not contain
white space, if the name looks like vlan interface, checking
if it is valid (base name must match name of the parent interface
and vlan ID must be in the allowed range)
* InterfaceDialog.cpp (InterfaceDialog::applyChanges): Fixes #328:
"automatically assign vlan id to interface based on interface
name". The GUI automatically sets interface type to "vlan" and
configures vlan ID if user changes name of the interface to
something that matches regex for vlan interfaces on given OS.
This is done when user hits "Apply" button in the Interface object
dialog.
* src/compiler_lib/interfaceProperties.h (class
interfaceProperties): refactored class linux24Intrfaces into class
hierarchy with base class interfaceProperties and factory
class interfacePropertiesObjectFactory. These classes are now
part of the compiler extensions library in src/compiler_lib
and can be used by both the GUI and compilers.
* Configlet.cpp (Configlet::Configlet): New constructor for the
class Configlet accepts os name perifx and default os name prefix.
If configlet file is not found in the directory defined by the
first prefix, the program tries to find it in the default place
defined by the second prefix.
* src/res/configlets/sveasoft/script_skeleton: Using separate
configlets for Linksys/Sveasoft host os.
2009-08-19 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress):
fixes #318: New ip address of interface was always created with
the same name even if there was an address object with the same
name under the same interface.
* OSConfigurator_linux24_interfaces.cpp (validateInterfaces):
Tests for unsupported interface configurations, see #315, 324.
The first test scans all subinterfaces of each interface and tries
to find top level inetrfaces wth the same name, then checks their
type. For the combination some_interface/br1, we look for the top
level interface "br1" and if it exists and its type is "bridge",
then this is unsupported configuration. This test does not allow
subinterface to have the same name as a bridge interface
regardless of the type of the parent interface. So, bridge/bridge
or bonding/bridge combinations are not allowed. The test has to
search top level interfaces because bridge port subinterfaces can
be copies (e.g. when a vlan interface is at the same time a bridge
port).
The second test looks for the following combinations: 1) vlan
interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan
inetrface br0.100 is not supported) and 2) vlan interfaces as
slaves of bonding interfaces (e.g. eth0.100, eth1.100, bond0
= [eth0.100, eth1.100], note the difference between this and vlan
of bonding interface such as bond0.201). Only regular interfaces
can be slaves of bonding interface. If subinterface type is
"ethernet" but its name matches one of the vlan interface regexes,
assume this is vlan. Slave subintrfaces do not have to be copies,
one can have "eth4" only once, as a slave, so we cant search for a
top level interface with the same name and rely on the
subinterface type.
2009-08-18 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): The
program should never change the name of vlan interface when such
interface is being copied/pasted or dropped to become a
subinterface. The name of the vlan interface carries vlan ID and
changing name is not allowed. One of the typical usage patterns is
to create vlan interface "eth0.101" and then immediately try to
copy/paste it to under br0 to make it bridge port. In this case
interface eth0.101 wont have type "8021q" just yet because the
user did not open interface "advanced" settings dialog to set its
type and VLAN ID. Users assume that if its name is "eth0.101",
then it must be vlan interface. We should follow this assumption
too. Also, check for names "vlanNNN" as well.
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo):
during "paste" operation, call makeNameUnique() to make the name
of the copy unique before actually adding the object to its
parent. Otherwise makeNameUnique() finds it and changes the name.
* src/res/configlets/ipcop/script_skeleton: Using configlet to
define script structure for generated IPCOP script. IPCOP script
is executed as /etc/rc.d/rc.firewall.local and does not manage ip
addresses of interfaces or vlan/bond/bridge interfaces so it does
not need corresponding shell functions. Script can check if
interfaces configured in fwbuilder GUI match actual appliance, so
the shell code to do that is included. Since we should be able to
use interfaces with addresses assigned dynamically in rules, the
code that gets their addresses at run time is included. Code to
check if data files used by run time address table objects exist
is also included. Using configlets helps better manage what is
included for the given os family ("linux24" or "ipcop" or some
other in the future). Also, user can override our configlets by
placing file with the same name in "fwbuilder/configlets"
directory in their $HOME.
2009-08-17 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/shell_functions: cleaned up coding
style in shell functions in configlets: using uniform 4 spaces
indentation.
* src/res/configlets/linux24/script_skeleton: This configlet
defines structure of generated iptables script. Script recognizes
the following command line options: start|stop|interfaces
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Building
whole iptables script from configlet.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces):
See #314. Need to update vlans and bond interfaces first and only
then deal with bridges because bridge may use bonding interface or
vlan created in the first step. Unsupported configurations: vlan
interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan
inetrface br0.100 is not supported), bridge interface as part of
bonding interface (e.g. bond0 = [br0, br1]), vlan interface as a
slave of bonding interface (e.g. eth0.100, eth1.100, bond0
= [eth0.100, eth1.100]). Only regular interfaces can be slaves of
bonding interface; vlans can be created under bonding interface
(e.g. bond0.100), both regular interfaces and vlans can be bridge
ports. Script first updates bonding interfaces, then updates all
vlans, including possibly those under bonding interfaces, and
finally updates bridge configurations using interfaces created in
first two steps.
2009-08-12 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
2009-08-10 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): For bug
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule optiopns and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name Xml
attribute used to hold the value of "module state" option was
entered incorrectly in the dialog.
2009-08-09 vadim <vadim@vk.crocodile.org>
* ipfw.cpp (main): compiler for ipfw uses new manifest format
and supports remote file name for the generated .fw script
Fixes #308
* ipf.cpp (main): compiler for ipfilter uses new manifest format
and supports remote file names for generated .fw and .conf
files. Fixes #307
* CompilerDriver_pf.cpp (CompilerDriver_pf::getRemoteConfFileName):
compiler for PF uses new manifest format and supports remote file names
for generated .fw and .conf files. Fixes #306
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): compiler
for iptables uses new manifest format to implement support for
alternative name of the script on the firewall. Fixes #305
2009-08-08 vadim <vadim@vk.crocodile.org>
* instDialog.cpp: Installation process is controlled by sevral
variables that the user can change in the "advanced" dialog
for the firewall platform:
Tab "Compiler":
- output file name
- script name on the firewall
- for PF and ipfilter additionally .conf file name on the firewall
Tab "Installer":
- directory on the firewall where script should be installed
- command that installer should execute on the firewall
These variables have default values if input fields are left blank
in the dialog as follows:
output file name: the name of the firewall object, plus extension
".fw". For PF two files are generated: <firewall>.fw and
<firewall>.conf; for ipfilter files <firewall>.fw, <firewall>-ipf.conf
and <firewall>-nat.conf are generated.
script name on the firewall: the same as the output file name
directory on the firewall: "/etc"
command that installer executes to activate policy: installer runs
script <firewall>.fw
If user enters alternative name in the "script name on the
firewall", it is used when generated script is copied to the
firewall. There are two input fields in the dialogs for PF and ipf
where user can enter alternative name for the .fw script and .conf
file. The name can be relative or absolute path. If it is a
relative path or just a file name, it is treated as a file name in
the directory specified by the "directory on the firewall" input
field in the "Installer" tab. If the name is an absolute path, the
directory entered in "directory on the firewall..." input field is
ignored. If user entered alternative name for the script on the
firewall, the command that installer should execute to activate it
must be entered as well. If the alternative name was entered as an
absolute path, activation command should take this into account
and use the same absolute path. The command can start with "sudo "
if user account used to copy and activate policy is not root.
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
Added input fields to the "advanced" dialogs for iptables, pf,
ipfilter and ipfw to make it possible to specify the name of the
generated script on the firewall. With this change, fwbuilder can
generate the script using unique name but use standard common name
such as "rc.firewall" when the script is copied to the firewall
machine. This is important when two firewalls that are part of a
cluster are compiled at the same time. In this case we can not use
name such as "rc.firewall" for the output script because file
generated for the second firewall in the pair overwrites the one
generated earlier for the first. Now we can use unique names for
scripts generated for each member of the pair but copy them to the
firewall machines using the same common name. Fixes #304 The
implementation is not complete yet, I still need to make changes
in the installer and policy compilers.
2009-08-07 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/process_bridge: Configlets that
updated ip addresses, vlan, bridge and bonding interfaces bring
interfaces up using $IFCONFIG command. Fixes #301
2009-08-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo): When
a subinterface is copied to make a subinterface of another
interface, the type of the copy is reset to "ethernet". If the
type was retained, it was easy to create subinterface with invalid
type without obvious signs in the GUI that this has happened. For
example, if vlan subinterface was copied to make subinterface of a
bridge interface, it retained type "8021q" but ended up as a child
of interface with the name that did not match. The intention was
to use vlan subinterface as a bridge port, but compiler issued an
error because of a subinterface having illegal name (name is only
checked for vlan subinterfaces). Fixes #299
* PrefsDialog.cpp: Added a page to the global Preferences dialog
where user can enable/disable target firewall platforms and host
OS. Disabled platforms and OS do not appear in the drop-down lists
in a "new firewall" and "new cluster" dialogs, as well as object
editor panel. This helps reduce clutter if user only works with a
couple of platforms and OS. Default setting of the status for each
platform and os comes from the corresponding XML resource
file. This way we can ship the program with some host OS or
platforms disabled by default, but the user can still enable them.
Settings in users preferences override default status setting
in the resource file. Fixes #262
* ObjectManipulator.cpp (ObjectManipulator::newAddressRange):
newly created objects get default name that is the same as the
type name with no "New ..." prefix.
* ObjectTreeView.cpp (ObjectTreeView::dropEvent): if user drags an
object in the tree and drops it beyond the last tree item, the
program should ignore this drop operation and do nothing (it used
to crash). Added checks for this condition. Fixes #294
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): while
guessing the name of the new interface or trying to avoid
duplicate names during copy/paste, we should not change names of
the vlan interfaces. Fixes #296
2009-08-05 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareToolsMenu): disable
Tools/Discover menu if all internal windows were closed and there
is no active object tree where discovered objects could be
created. Fixes #291
* ObjectManipulator.cpp (ObjectManipulator::relocateTo): Added
check for when user tries to drag&drop an object onto itself in
the tree. Fixes #292
2009-08-04 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterface): when
user creates interfaces of a firewall or a cluster using context
menu "Add Interface" in the object tree, the program finds
interface that was created most recently and uses its name as a
prototype, automatically incrementing its number. For example, if
the user needs to create several "eth" interfaces, the program
will automatically create "eth0", "eth1", "eth2" etc. whithout the
need for the user to rename them. Fixes #277
* configure.in: Removed all .xml.in resource files in src/res/
src/res/os and src/res/platform. The only configurable attribute
in these was "version", which is not required and was not used
anywhere. Fixes #269
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
automatically added rule that matches packets in state INVALID
should use log prefix that says it is for state INVALID. The rule
now ignores user-defined global logging prefix and always uses
"INVALID state -- DENY ". Fixes #283
2009-08-04 Vadim Kurland <vadim@vk.crocodile.org>
* heartbeatOptionsDialog.cpp (heartbeatOptionsDialog::heartbeatOptionsDialog):
Added GUI elements to allow the user to change multicast address
for heartbeat. Deafault address is 224.0.10.100. Fixes #213
* clusterMembersDialog.cpp (clusterMembersDialog::firewallAdd):
enabled multiple object selection in the left panel of the cluster
member management dialog. User can select several interfaces using
Ctrl-click (or Command-Click on Mac OS X) and then move them all
to the right panel at once. Fixes #254
* ObjectEditor.cpp (ObjectEditor::notifyChangesApplied): Dialogs
that have buttons to open "advanced" settings dialogs now save
changes and disable "Apply" button when such additional dialog is
opened. This includes Firewall, Interface, cluster group and few
other objects. Previously changes were saved as well but the
"Apply" button was not disabled, making impression that changes
were not saved into the object. Fixes #286
2009-08-03 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::autorename): See #273:
"child objects not getting renamed". Autorename function should
rename ip and mac addresses of interfaces and subinterfaces when
the host or parent interface name changes.
* newClusterDialog.cpp (newClusterDialog::finishClicked): See
#211: "interface type mismatch between member interfaces and
cluster interface". When cluster object was created manually and
failover type was set to "heartbeat" or "openais" for its
interfaces, the type was not properly set in created objects.
2009-08-02 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::dropEvent): Dragging several
subinterfaces from one parent interface to another created
bizzarre tree-like structure where each of these subinterfaces
became subinterface of another. See #280. Fixed in r1254
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
Added test to make sure ip address entered by the user in the
StateSync group dialog for conntrack is valid. Fixes #220
* CompilerDriver_ipt_cluster.cpp (CompilerDriver_ipt::processStateSyncGroups):
The program did not find StateSync group member inetrfaces when
they were subinterfaces and as the result compiler did not
generate automatic policy rules for conntrack. Fixed in r1253
* ObjectManipulator.cpp (ObjectManipulator::prepareForInsertion):
DTD does not allow nested subinterfaces; only one level of
subinterfaces is supported. Interface::validateChild() now checks
for this condition and the GUI shows detailed error message dialog
when user tries to move interface that has subinterfaces under
another interface using copy/paste or d&d. Fixes #275
* ObjectManipulator.cpp (ObjectManipulator::relocateTo): When user
dragged an interface that has child objects (ip address, MAC
address) and dropped it in a different place in the object tree,
the program would show only the interface object in the new place
but not its children. Should be using insertSubtree() to fix
this. Fixes #276
2009-08-01 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName): If
user forgot to add .fwb suffix to the file name they entered in
the "Save As" function, the program automatically adds it.
See #234
* CompilerDriver.cpp (CompilerDriver::commonChecks): compiler
should check that cluster member firewalls are configured to use
different output file names. See #237
* OSConfigurator_linux24::printVerifyInterfacesCommands: function
verify_interfaces uses configlet "verify_interfaces" and checks if
all interfaces of the firewall defined in the GUI really exist,
including bonding, vlan and bridge interfaces.
* OSConfigurator_linux24::printInterfaceConfigurationCommands:
Using configlet process_addresses to implement shell commands that
incrementally add and remove addresses on interfaces. Added
support for IPv6 addresses. Addresses found on the actual
interfaces of the firewall are compared with those defined in
fwbuilder objects and missing ones are added and those not defined
in fwbuilder are deleted. If a firewall is a cluster member using
heratbeat for failover, ip addresses associated with heartbeat
failover groups are skipped. The script wont delete these on the
firewall that is active at the moment when script runs and wont
add them to the passive firewall because that would interfere with
operation of heartbeat. The same is done for OpenAIS
protocol. Fixes #270 , See #261
2009-07-31 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands):
Using configlets to generate shell script that incrementally
updates (adds and removed) VLAN, bridge and bonding interfaces.
See #261
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
Using configlets to generate iptables script.
* Configlet.cpp (Configlet::Configlet): generic class to read
fragment of generated script from an external file, possibly do
macro substitution and then insert the contents into generated
script. Configlets are stored in files in the resources directory
that is part if installed package (/usr/share/fwbuilder/configlets
on Linux, fwbuilder31.app/Contents/Resources/configlets on Mac OS
X, c:\FWBuilder31\resources\configlets on Windows) or in the
subdirectory "fwbuilder/configlets" in users home directory on all
OS. If configlet file is found in the home directory, it overrides
the one installed with the package. This provides for simple way
for users to override parts of the generated configuration
scripts. Currently configlets are only impletened for Linux-based
OS. Fixes #263
2009-07-30 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
fixes #259 Generated script should check if brctl, vconfig and
ifenslave tools are available before using them.
* Host.cpp (Host::getManagementAddress): the program failed to
retrieve ip address that should be used to talk to the fw when
management interface was subinterface. Fixes #260
* linux24advanceddialog_q.ui: Fixes #258 fixed tab order in the
dialog.
2009-07-29 vadim <vadim@vk.crocodile.org>
* linux24AdvancedDialog.cpp (linux24AdvancedDialog::linux24AdvancedDialog):
Added input fields for vconfig, brctl and ifenslave to the host
settings dialogs for linux24, linksys, ipcop, openwrt. See #256
* DiscoveryDruid.cpp (DiscoveryDruid::addInterface): Removed
obsolete checkbox "Add virtual addresses", we always discover
virtual addresses. Instead added checkbox "Add interfaces with no
ip addresses". If this option is turned on, discovery druid
creates interfaces with no ip addresses as "unnumbered". Even when
this option is off, interfaces with no addresses are created if
they are discovered to have vlan, bridge or bodning subinterfaces.
Fixes #246 and 229
* NetworkDialog.cpp (NetworkDialog::validate): Fixes #251: do not
allow 0 bit netmask for Network and NetworkIPv6 objects.
* linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces):
Special treatment of the vlan subinterface that are members of
bridge group: snmp discovery now creates subinterfaces for these
vlan interfaces twice, first time as a child of the bridge
interface and then also as a vlan subinterface of the parent
physical interface. For example, in the confgiuration such as the
following
bridge name bridge id STP enabled interfaces
br0 8000.000c29f6bebe no eth4.102
eth5
We create interface br0 with subinterfaces eth4.102, eth5, and
also we create interface eth4 with subinterface eth4.102
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique):
duplicate names are automatically fixed only if objects with the
same name belong to the same parent. Identical names on different
levels are allowed. For example, interface "eth0" can be direct
child of a Firewall object (so it can have vlan subinterfaces) and
a member of the bridge group where it is a child of another
interface.
2009-07-28 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
extra white space after tcp port spec if source port match was not
used in the rule.
* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
patch per bug report #2828633: "Patch: Warning when changing rule
direction in compiler". This adds warning when rule direction is
changed by the compiler because object in source or destination
was firewall itself.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
change per bug #2828602: "PF Compiler Direction Both no
Duplication Patch". PF rules with direction "both" used to be
split to make two rules, one with direction "inbound" and another
with direction "outbound". This was an artefact of old rule
generation model where user could choose to permit everything
outbound and only generate inbound rules, or generate both inbound
and outbound rules. Since we now always generate both in abd out
rules and PF matches both directions when neither "in" or "out" is
specificed, this splitting has become redundant.
* Compiler_cluster.cpp (Compiler::populateClusterElements): while
scanning interfaces-members of a failover group, use only those
that are children of the firewall that we are compiling. fixes
#242 "fwb_ipt generates duplicate automatic rules for heartbeat
and other protocols"
* FWWindow.cpp (FWWindow::disableActions): Always enable toolbar
buttons "Compile" and "Install". Fixes #249
* FirewallDialog.cpp (FirewallDialog::validate): fixes #248
"setting firewall type as empty space crashes". Note that the
combobox with firewall platforms will have separators instead of
spaces if QT version is 4.5 or above. Separators are not
selectable so this problem can not happen with late versions of
QT. Old versions of QT do not support separators in QComboBox
widget, which is why spaces are inserted in the list. This change
makes the program validate platform and host os settings and not
allow empty strings.
* RoutingRuleOptionsDialog.cpp (RoutingRuleOptionsDialog::loadFWObject):
fixes #247 - "lusters->fw->routing->insert rule->options causes
segfault". Needed to check for Firewall and Cluster types here and
in a few other places.
* instDialog_ui_ops.cpp (instDialog::completeInstallerOptions):
fixes #244: "installer does not check subinterfaces when it is
looking for management interface"
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands):
fixes #243 - need to set naming schema for vlan interfaces in
a separate command before creating vlan interface. Doing so in
one vconfig command causes error.
* DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects):
discovery druid guesses which interfaces from the list found by
SNMP crawler are vlan subinterfaces and creates them as children
of the corresponding top level interface. It also sets interface
type and vlan ID. Fixes #239 Bonding and bridge subinterfaces
are also recognized.
* DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects):
discovery druid sets firewall platform and host OS using
information from sysDescr OID. fixes #241
* linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces):
this new class implements various algorithms used to guess which
interfaces discovered by SNMP crawler might be vlan subinterfaces.
It will also find bonding and bridge interfaces. Fixes #240
2009-07-27 vadim <vadim@vk.crocodile.org>
* clusterMembersDialog.cpp (clusterMembersDialog::createMember):
support for subinterfaces as cluster group members. Fixes #235
2009-07-26 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
Better way to do optimization for "-i +", "-o +" for bug #2822098:
check for interfaceStr equal to "*" instead of re->isAny()
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): check all
interfaces, including subinterfaces to make sure all the ones
marked as "regular" have IP addresses.
* DialogFactory.cpp (DialogFactory::createClusterGroupOptionsDialog):
fixed bug introduced in r1208 - clicking button "Edit protocol
settings" in the failover group with type "heartbeat" failed to
open the dialog.
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
Better way to do optimization for "-i +", "-o +" for bug #2822098:
check for interfaceStr equal to "*" instead of re->isAny()
2009-07-25 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
the program did not create commands to add ip addresses to VLAN
subinterfaces. Fixes #226
* openaisOptionsDialog.cpp (openaisOptionsDialog::openaisOptionsDialog):
Added support for OpenAIS failover protocol in the GUI and
policy compiler for iptables. Fixes #214
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): the
program left platform and os settings undefined of the new
firewall object created from template. Fixes #210
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
Policy compiler for iptables adds automatic rules for heartbeat
protocol if it is used for failover. Rules permit all udp port 694
in and out on the given interface. Refs #213
* Cluster.cpp (Cluster::getMembersList): need to scan not only
StateSyncClusterGroup child objects but also all
FailoverClusterGroup objects in order to find all member
firewalls. The program used to look only at StateSyncClusterGroup
objects, which meant it did not recognize any members if state
sync group was empty. This fixes issue #4 in the bug #2826765:
"problems and suggestions for 3.1.0-b1187".
2009-07-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext):
There was no rule in INPUT chain generated when cluster object was
in "destination". Fixes #215
* CompilerDriver_ipt.cpp (CompilerDriver_ipt::processPolicyRuleSet):
fixed problem #2 "duplicate rules" reported in the bug #2826765:
"problems and suggestions for 3.1.0-b1187". Compiler did not add a
call to the shell function reset_iptables_v4 to reset all chains.
* Rule.cpp (PolicyRule::getBranch): fixed problem #4 "GUI crash
when setting action to be a chain." reported in the bug #2826765:
"problems and suggestions for 3.1.0-b1187". The GUI crashed when
policy rule in the cluster policy was set to action "Chain".
2009-07-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
automatically added rules that permit conntrackd messages use
address and port configured in the protocol options for the state
sync group for the cluster, or if these are empty, default values
from the host OS xml resource file. Generated rules are configured
to go into INPUT and OUTPUT chains. Refs #212
* conntrackOptionsDialog.cpp (conntrackOptionsDialog::conntrackOptionsDialog):
make conntrackd multicast address and udp port configurable in the
protocol options dialog for conntrackd state sync protocol. Default
address and port are stored in the host OS xml resource file. Refs #212
2009-07-19 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
2009-07-18 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668:
"MDI window glitch". If the GUI had two or more MDI windows and
user moved rules in one of them, the GUI switched to another after
the operation was complete.
* resources.xml.in: Removed unused XML elements from the resource
file. A lot of the stuff was obsolete in there.
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): New icons
for v4. Cleanup in the code to make sure we use proper icons
everywhere.
2009-07-17 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: Moved tables of allowed failover and state sync
types as well as interface and subinterface types from the code in
platforms.cpp to the OS resource files in src/res/os/*.xml.in
Fixes #58
* fwbuilder.dtd.in (Library): fixed bug #2823424: "Deleting
UserService object breaks data file format". When user deleted
UserService object, it was moved to the "Deleted Objects" library
which broke XML file because DTD did not allow UserService element
as a child of Library
2009-07-16 vadim <vadim@vk.crocodile.org>
* newClusterDialog.cpp (newClusterDialog::shrinkListOfPlatforms):
clean-up in the newClusterDialog class. List of platforms shown on
the first page should include only platforms that support
clustering. Fixes #197
* FWBTree.cpp (systemObjects): system group "Clusters" moves to
the top level of the tree. Fixes #167
2009-07-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
fixed bug #2822098: "IPT: adds useless "-i +" iin some cases".
Added optimization to remove redundant "-i +" and "-o +" if
chain is INPUT or OUTPUT.
2009-07-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
* PolicyCompiler_PrintRule.cpp, NATCompiler_PrintRule.cpp: fixed
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
2009-07-13 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
* ACL.cpp (ciscoACL::addRemark): fixed bug #1778536 "IOSACL -
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
2009-07-12 vadim <vadim@vk.crocodile.org>
* printerStream.cpp (printerStream::printQTable): fix bug
#2807724: "Print out FWB still not ok". Taking into account hidden
rable rows associated with rule groups while printing rule sets.
Before this fix some rules disappeared between pages in the
printout.
2009-07-11 vadim <vadim@vk.crocodile.org>
* PrintingController.cpp (PrintingController::printRuleSet): bug
#2807724: "Print out FWB still not ok". Rule groups were always
printed expanded, even if they were collapsed by the user in the
GUI.
* OSConfigurator_openbsd.cpp (processFirewallOptions): fixed bug
#2820162 "Bad sysctl name for OpenBSD pf" - the sysctl argument
for IPv6 forwarding was incorrect.
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
* VERSION (VERSION): started v3.0.6
2009-07-11 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::inSelectedFirewall):
Search and replace did not work in scope "policy of opened
firewall" for cluster policies. Fixes #185
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): since
current implementation can not generate configuration commands for
interfaces of the member firewalls using attributes of the cluster
interface, disable GUI controls in the interface object dialog if
it is an interface of a cluster. fixes #187
* Summary of changes in the "interface advanced options" dialogs
for cluster interfaces. The "Advanced settings" button is now
disabled in the dialog for the main cluster interface. The code
has been changed to always check the type of the failover group
instead of the interface type where it needs to determine failover
protocol (vrrp, heartbeat or carp). All parameters of the failover
protocol should be configured using failover group object. The
"advanced options" dialog is still available for interfaces of the
real firewalls and their subinterfaces. Fixes #109, refs #180,
#183, #181, #187, #179, #163
2009-07-09 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
user can now add loopback interface to the cluster object and use
it in rules. This interface does not have failover group and has
the usual 127.0.0.1/8 ip address. fixes #163
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
ref #181: using failover group type instead of cluster interface
type.
* newClusterDialog.cpp (newClusterDialog::finishClicked): ref
#183: set type of the cluster intrfaces to "cluster_intrface".
Before, new cluster wizard unconditionally set it to "vrrp". Still
need to add dialog elements to let user choose failover protocol.
* linux24IfaceOptsDialog.cpp (linux24IfaceOptsDialog::linux24IfaceOptsDialog):
fixes #180: hide "interface type" gui element from the "advanced"
interface options dialog for the main interfaces of cluster
objects. These interfaces have no parameters and their type always
matches the type of failover cluster group object. All parameters
of the failover protocol are set in the dialog of the failover
group.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): ref #180 :
disable "Advanced settings" button in the interface object
dialog if it is main intrface of a cluster object.
2009-06-29 Vadim Kurland <vadim@vk.crocodile.org>
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Compiler
checks types of state sync and failover groups and aborts if
it finds unsupported type. Fixes #164
* ClusterDialog.cpp (ClusterDialog::resetClusterGroupTypes): fix
types of state sync and failover groups when user changes host OS
and/or platform. Fixes #164
2009-06-28 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printBondingInterfaceConfigurationCommands):
Support for intrface bonding for generic Linux firewall.
"Advanced" interface settings dialog provides three interface types:
"vlan", "bridge", "bonding". For bonding interfaces, GUI controls
are provided for the following parameters: mode, xmit_hash_policy
and a free-style single line input field for other driver options.
Fixes #172
* platforms.cpp (getInterfaceTypes): Support for "heartbeat"
failover protocol in clusters: "heartbeat" interface type,
"heartbeat" failover group type. Compiler adds rules to permit
vrrp only when failover type is set to "vrrp". For "heartbeat"
failover no rules are added atm. Fixes #169
* Compiler_cluster.cpp (Compiler::processFailoverGroup): (change
in libfwbuilder) fixes #166: cluster should be allowed to have
interfaces with the same name as interfaces of the member
firewall (i.e. "eth0"). This is necessary to support failover
protocols that do not create virtual interfaces, but rather
operate over normal interfaces, such as heartbeat.
2009-06-23 vadim <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): force
the tab widget to open tab 0 on creation of the dialog. Often
after the dialog was modified in Designer, it is left in the state
when it opens on some random page. This fixes #155 "pf advanced
settings dialog opens on tab "Script" by default"
* OSConfigurator_bsd.h: common class for all supported BSD-like
host OS (freebsd, openbsd, macosx). Using common base class to
avoid code duplication. This fixes #162 "ifconfig commands to
create carp and pfsync interfaces are not generated for FreeBSD".
* ClusterGroupDialog.cpp (ClusterGroupDialog::addIcon): fixes #161:
pfsync protocol does not require "master" setting in cluster group.
* clusterMembersDialog.cpp (clusterMembersDialog::availableClicked):
Let user click in any column of the list except the very first to
select interface to be added to the list of cluster group members.
* clusterMembersDialog.cpp (clusterMembersDialog::updateAvailableTree):
fixes #111 "Member dialog should keep the tree on the left hand
side expanded all the time". The left hand side panel used to
collapse all available firewalls, thus hiding their interfaces
from view every time user added an interface to the right hand
side panel.
* CompilerDriver.cpp (CompilerDriver::configure): Using separator
"," between fw object id and file name instead of ':' which was a
poor choice because it is part of the file path on Windows. Fixes #157
* CompilerDriver_pf.cpp (CompilerDriver_pf::getConfFileName): Using
QT classes QFileInfo and QDir to manipulate output file names
and paths portably.
* freebsd.xml.in: Support CARP/pfsync clusters on FreeBSD.
2009-06-19 vadim <vadim@vk.crocodile.org>
* release_notes_3.1.0_en_US.html: fixes #146: A warning telling
the user that the way bridging interfaces should be configured has
changed. Uses a one-time dialog created per #145. Refs #145 #147.
* FWWindow.cpp (FWWindow::startupLoad): Fixes #145: universal
facility for a one-time dialog shown to the user on program start.
These dialogs will have important information about the
release. Dialog is shown once for each version.
2009-06-18 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::newFirewallDialog):
Fixes #90: Interface attribute "bridgeport" has been deprecated,
removing GUI controls in the new firewall dialog and interface
dialog.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Fixes #143:
If inetrface is a bridge port, then GUI elemnts "regular",
"dynamic" "unnumbered" should be disabled b/c it can not have an
ip address. Instead, showing text label "Bridge Port Interface".
* ObjectManipulator.cpp (ObjectManipulator::relocateTo):
Implemented drag&drop function to move objects from one place in
the tree to another. Dragging with Ctrl button pressed creates a
copy. Fixes #141.
2009-06-17 vadim <vadim@vk.crocodile.org>
* v3.0.5 released in the main production branch
2009-06-14 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Ticket #55:
(libfwbuilder) deprecated isExt() and setExt() methods. Platforms
that care about interface being external should use security
levels. Currently this is only PIX and it uses sec. levels
already. Also removed dialog element in InterfaceDialog class
and references to these methods elsewhere. Compilers did not
use the flag "ext" already.
2009-06-11 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
implemented feature request #1778536: "IOSACL - remark command".
This adds support for the "remark" command in generated IOS
ACL configuration. Controlled by the checkbox "Add ACL remarks"
in the "Script" tab of the firewall object settings dialog.
2009-06-09 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
chaning sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
2009-06-08 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
* PolicyCompiler_ipt.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces):
Using Compiler::abort() instead of throwing exception on all error
conditions in the compiler.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generate "-j SNAT --to-source :<port>"
with no address part.
2009-06-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed
bug (no #): compiler for PF did not remove rules using IPv4
objects while compiling policy set to be "combined IPv4 and IPv6"
for IPv6 and vice versa. As the result, it used to double some
rules because the would appear both in IPv4 and IPv6 sections of
generated .conf file.
2009-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists can not match source routing
options set in IPService object, compiler should issue an error
and abort processing when an object like this is encountered in a
rule.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
2009-06-04 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
#2801362 "Iptables policy import does not handle rules with
ESTABLISED". Policy importer for iptables should properly
handle rules that use combination of a "-p protocol" and
match state "RELATED,ESTABLISHED". Example:
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
This rule should translate into fwbuilder rule using CustomService
object with code "-m state --state RELATED,ESTABLISHED"
and protocol spec "tcp".
2009-06-03 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively):
fixed bug #2800625 "recursive groups cause infinite loop and crash
in compiler". When a group included itself, compiler used to go
into infinite loop and crash. The fix in this function also takes
care of the situation when group A referenced group B, which in
turn referenced group A again.
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printBridgeInterfaceConfigurationCommands):
implemented support for bridge configuration on Linux using brctl
tool. Of bridge options only "stp on" is supported, it turns on
STP protocol support on the bridge.
2009-06-02 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces):
implemented support for VLAN interfaces for Linux24 host os.
Generated script uses "vconfig" to create and configure vlan
interfaces. GUI provides elements for VLAN ID and VLAN interface
name type (VLAN_PLUS_VID (vlan0005), VLAN_PLUS_VID_NO_PAD (vlan5),
DEV_PLUS_VID (eth0.0005), DEV_PLUS_VID_NO_PAD (eth0.5). Compiler
verifies that the name of the vlan interface object matches
requested name type.
2009-06-01 vadim <vadim@vk.crocodile.org>
* OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces):
implemented support for pfsync interface configuration for
OpenBSD. Unicast communication method can be configured using
checkbox in the pfsync protocol options dialog. Compiler generates
ifconfig commands to configure pfsync virtual interfaces if
checkbox "Configure pfsync interfaces" is turned on in the pf
"advanced" settings dialog. Only one pfsync interface per firewall
is supported (pfsync0), only with IPv4 addresses.
* OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces):
implemented support for CARP interface configuration for OpenBSD.
Generated script uses ifconfig to create and configure carpN
interfaces. The script is added only if option "Configure CARP
interfaces" is turned on in the "advanced" settings dialog for PF.
Currently only IPv4 addresses are supported and only one address
per CARP interface is configured. CARP password and VHID are
defined in the failover protocol settings dialog that user can open
by clicking "Protocol parameters" button in the Failover group
object dialog.
* newHostDialog.cpp (newHostDialog::selectedInterface): fixed the
same error reported in bug #2799163: "crash on correcting an
error". The GUI crashed if user tried to add, then delete
interfaces in the new firewall wizard. The crash occurred when the
last interface was deleted on the page where interfaces can be
configured manually. This needed to be fixed in both "new
firewall" and "new host" dialogs.
2009-05-31 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::findNext): fixed bug
#2799315 "Find object" cant find object in rules of opened
firewall. If scope was set to "policy of the opened firewall",
"Find object" function could not find anything. It worked when
scope was set to "policy of all firewalls".
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2799254
"Erratic behavior when rule is removed from the group". If user
tried to remove a rule from the middle of a group of rules, the
GUI behaved erratically. It showed two groups with the same name,
each of these two groups claimed to have more rules than it really
did. Also only one of these two groups could be collapsed at the
time. Other weird things also happened. The fix is to not allow
removing a rule from the rule group if the rule is in the middle.
* newFirewallDialog.cpp (newFirewallDialog::selectedInterface):
fixed bug #2799163: "crash on correcting an error". The GUI
crashed if user tried to add, then delete interfaces in the new
firewall wizard. The crash occurred when the last interface was
deleted on the page where interfaces can be configured manually.
* ObjectTreeView.cpp (ObjectTreeView::dragMoveEvent): fixed bug
#2799174: "Multiple instance crashes a bug". The GUI crashed if
user tried to drag and drop an object between two different
running copies. Copy/Paste and Drag&Drop between separate copies
are not supported at this time.
2009-05-30 vadim <vadim@vk.crocodile.org>
* CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): ref #22:
compiler for PF uses CompilerDriver class.
2009-05-29 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): better
fix for the bug #2796760 "Display error when adding new FW with
multiple interfaces".
2009-05-28 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject):
fixed bug #2797791: "Display error when duplicating an object".
* InterfaceData.cpp (InterfaceData::guessSecurityLevel): (change
in libfwbuilder) set security level to 0 (insecure) by
default. This makes all interfaces of the newly created firewall
be "external" or "insecure" unless they were assigned labels or
addresses from the private address space in which case
guessSecurityLevel() assigns level 100. This addresses bug
#2796760 "Display error when adding new FW with multiple
interfaces".
2009-05-27 vadim <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (RCSViewItem::operator<): implemented feature
req. #2796238 "3.0.4 - FEAT REQ: Sort order for RCSFilePreview".
RCS file preview dialog (the one that shows RCS revisions and RCS
log records) can display revisions in the tree or list view style,
controlled by radio-buttons. Style setting is saved in user
preferences and persists from session to session. In both cases
the view can be sorted by revision number or data. Sort column
choice is also saved in preferences. By default program sorts by
date and selects the latest revision.
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo):
fixed bug (no #): the GUI did not allow to copy/paste an address
from one interface to another. This should be possible.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): policy compiler for pf crashed when dynamic interface
was used in source or destination of a policy rule.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2793144 "Context menu item for the new User Service
object is missing".
2009-05-21 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): (finally)
fixed the algorithm used to determine directory offered to the
user when they use main menu File/Open to open a file:
1) if "work directory" is configured in preferences, always use
it first;
2) if it is blank, use the same directory where currently opened
file is located;
3) if this is the first file to be opened, use the same
directory user used last time they ran the program (saved in user
settings).
* RuleSetView.cpp (RuleSetView::pasteObject): fixed bug #2794827
"crash when pasting from a Library in a another file". The GUI
crashed if user tried to copy/paste an object from one data file
into a rule in another.
2009-05-20 vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (ObjectEditor::help): Added support for the
built-in help page for all objects dialogs, including rule
actions and options dialog. Implemented help pages for actions
"Route", "Branch", "Tag", "Classify" and rule options dialogs for
iptables and pf. Button "Help" is greyed out if corresponding help
page is unavailable.
* RuleSetView.cpp (RuleSetView::switchObjectInEditor): fixed bug
#2794484 "Crash after click in the "Options" col of rule group
title".
2009-05-16 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkInterfaceAgainstAddressFamily::processNext):
fixed bug #2792888: "interface with only v4 address is used in v6
rules". Compiler should drop rule if it is associate with an
interface that does not have address that belongs to the address
family declared for the rule set. If interface has only ipv4
address, it will never see ipv6 packets and therefore rules that
have this interface in the "interface" rule element should not be
included in the output generated for the ipv6 or combined
ipv4+ipv6 rule sets.
2009-05-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#2791950 "no way to generate "pass out" rule with no interface".
Compiler created two rules "pass out" and "pass in" for rules with
no interface and direction "in" or "out". It should create one
rule with direction defined by the rule in the GUI.
2009-05-12 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #2790927: "Add support for "sloppy" state tracking for PF".
* FWWindowPrint.cpp (FWWindow::tableResolutionSettingChanged):
Using slider widget to set table scaling factor; now user can
choose any scaling factor between 1 and 200%. This fixes bug
#2789903: "Table scaling when printing in 3.0.4"
2009-05-09 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
Moved configuration for the location of kernel modules to host os
resource file (attribute Target/options/default/modules_dir). The
value of this attribute is different for OpenWRT. This fixes
ticket #2.
* DialogFactory.cpp (DialogFactory::createFWDialog): Now that we
use common platform "iptables" for linux-based appliances and
differentiate then by host_OS, dialog for IPCOP, Endian and
OneShield is determined using combination of platform and
host family attribute from the os resource file.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
Fixes #2: added host OS "OpenWRT"; the only difference at this time
is the path to the directory where kernel modules are found.
* ipt.cpp (main): Now that we use the same platform name for
iptables on linux, ipcop, endian, oneshield and secuwall, there is
no need in policy/nat/routing compiler classes for ipcop.
* platform/iptables.xml.in: Unified support for different iptables
appliances: configuration will require platform "iptables" and
host os that corresponds to the chosen appliance. This matches
support for Secuwall and is easier to maintain than separate
platform-os pairs for each appliance.
2009-05-08 vadim <vadim@vk.crocodile.org>
* clusterMembersDialog.h (class clusterMembersDialog): Renamed
class and module secuwallClusterConfDialog to
clusterMembersDialog. This dialog is generic and is not specific
to secunet wall in any way. This fixes #13.
* PolicyCompiler_ipt.cpp (removeFW::processNext): fixes #15: using
Compiler::isFirewallOrCluster to match object in rules to both
firewall or it parent cluster. This helps compiler idenitify
cluster in rules and choose correct chains (INPUT/OUTPUT) as if
firewall object was there.
* CompilerDriver.cpp (CompilerDriver::determineOutputFileName):
this method implements logic that extracts enforced output file
names from command line parameters of the compiler or determines
these names automatically.
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
While compiling firewall cluster, passing output file name to the
compiler using "-O" command line option. The old option "-o" is
preserved for backwards compatibility and is used while compiling
stand-alone firewall objects.
2009-05-07 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::createTreeItem): dialog that
lists firewalls and clusters for compilation and installation puts
checkbox for compile next to a cluster and checkbox for install
next to a real firewall. Checkboxes are pre-checked if
corresponding objects require compilation and installtion. Mutual
dependencies between cluster and its members are tracked. this
fixes #19
* ipt.cpp (main): Policy compiler for iptables accepts either
Firewall or Cluster object as an argument. If Cluster is
specified, compiler runs itself several times, generating script
for each member firewall. Object can be defined by its name or ID
as before. This fixes #18.
* CompilerDriver.h (class CompilerDriver): Introduced class
CompilerDriver that controls invocation of Policy, Mangle, NAT and
Routing compilers for one firewall. The firewall may be part of a
cluster, in which case we create several objects of this class and
process each member firewall separately.
* PolicyCompiler_secuwall.cpp (PolicyCompiler_secuwall::addMgmtRule):
fixes #16: using RuleSet::insertRuleAtTop with arg hidden_rule to
make automatic rules added for secunet wall "hidden". This way,
these rules are ignored during shadowing detection and their
position numbers are forced negative so that position numbers of
regular rules do not change.
2009-05-06 vadim <vadim@vk.crocodile.org>
* FirewallInstallerCisco.cpp (FirewallInstallerCisco::activatePolicy):
fixed bug #2787932 "External install script is not supported for
PIX".
2009-05-04 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::fillCompileSelectList):
dialog that shows list of firewalls for compilation and
installation now uses QTreeWidget and displays firewall clusters
and corresponding member firewalls as branches in the tree. The
rest of the functionality remains the same as before. If user
selected a cluster object in the object tree and clicked "Compile"
in its context menu, only member firewalls of this clusters are
going to be checked for compilation. Clicking "Compile" toolbar
button or main menu selects all firewalls for compilation as
before. Cluster objects can not be selected (do not have
checkboxes in the widget) because compiler and installer works
with actual firewall objects rather than cluster objects. This
fixes ticket #7.
2009-05-02 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): fixed bug
#2785671 "Menu 'Import Policy' opens wizard with wrong option
checked". The "discovery druid' dialog would open on the first
page (where user makes a choice which discovery method to use)
even when called via main menu "File/Import Policy" and radio
button for the SNMP discovery was activated.
2009-04-30 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::addTreePage): fixed
bug #2783780: using QTreeWidget::sortItems() instead of
sortByColumn to sort objects in the tree.
2009-04-29 Vadim Kurland <vadim@vk.crocodile.org>
* RoutingCompiler_pix.cpp (RoutingCompiler_pix::prolog): fixes bug
#2782645: "Can't compile for FWSM platform". Routing compiler for
PIX should accept firewall object with platform "fwsm" as well as
"pix".
* ObjectManipulator.cpp (ObjectManipulator::actuallyCreateObject):
fixes bug #2783780: "Tree objects not sorted in
3.0.4". Automatically re-sort object branch when new host or
firewall object is created so that the new object is positioned in
the alphabetic sorting order.
2009-04-27 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): for bug
#2782289: "Crashes when deleting unused host object". Added
safeguards to make it impossible to delete objects in the Standard
library, as well as for a few other cases. Waiting for a
clarification on the bug anyway.
* ObjectListView.cpp (ObjectListView::dragObject): fixed bug
#2781952: "fwbuilder (3.0.4-b794) crashes when creating a new
group". The GUI crashed if user clicked and dragged mouse inside
empty list of group members in the dialog of the new group object.
2009-04-17 vadim <vadim@vk.crocodile.org>
* ClusterDialog.cpp (ClusterDialog::ClusterDialog): Support for
clusters of firewalls
* Merging patches from Secunet Security Networks AG to add support
for Secuwall firewall.
* VERSION: start v3.1.0 branch v3_1_secunet
2009-04-15 vadim <vadim@vk.crocodile.org>
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):
Integration with IPCOP, Endian and OneShield firewall apliances
(all based on linux/iptables). This sets generate file name to
"rc.firewall.local", destination directory on the firewall to
"/etc/rc.d/" and activation command to "/etc/rc.d/rc.firewall
restart". Provided resource files for ipcop, endian and oneshield
platforms and os define default parameters, including path to
iptables and other command line tools. Generated script performs
minimal environment setting, because everything is supposed to be
set up by the aplpiance itself. Iptables commands are put in the
standard chains INPUT/OUTPUT/FORWARD, with user-defined chans
created as required. At this time policy and NAT rules work. Rules
added by fwbuilder are activated by the standard appliance
firewall script rc.firewall after all IPCOP rules are added and
before all hooks. This means rules created by fwbuilder do not
replace rules added by the appliance, but work together with
those. Prolog and epilog user-defined sections work as
well. Prolog is always added on top of the rules generated by
fwbuilder. Prolog and epilog sections can include any kind of
shell commands, not only iptables rules. Two new firewall
templates are provided: one for IPCOP/Endian firewall with two
interfaces (br0 is GREEN and eth1 is RED) and another for the
appliance with three interfaces (additionally eth2, as ORANGE).
* ipt.cpp (main): implemented feature request #2454447 "Standard
options for startup-script". Script generated by fwbuilder now
accepts standard arguments "start" and "stop". Running the script
with no argument is equivalent to "start" for backwards
compatibility. Running script with argument "stop" resets iptables
tables and chains and sets all to default policy DROP (beware!).
2009-04-11 vadim <vadim@vk.crocodile.org>
* platforms.cpp (setPlatform): Firewall platforms are grouped in
the drop-down list that appears in the firewall object dialog and
new firewall creation dialog. Platforms are grouped using XML
element <group> in the platform xml resource file.
* newFirewallDialog.cpp (newFirewallDialog::finishClicked):
remember firewall platform used to create new firewall object
between sessions. Also limit set of host OS shown in the second
combo box to only those supported by chosen firewall platform.
* VERSION: start v3.1.0
* platforms.cpp (setHostOS): fill "hsot OS" drop-down list with
OS names supported for the choosen firewall platform.
2009-04-10 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): fixed bug #2356131: "Iptables-restore
option broken for multiple policy sets". Compiler inserted
redundant line "echo COMMIT" to the iptables script if
iptables-restore was used and there were no rules in the mangle
table.
* ObjectManipulator.cpp (ObjectManipulator::findWhereUsedRecursively):
fixed bug #2744798 "dependency checking failed". In case when an
object was used in a group and group used in a rule of a firewall,
the program failed to properly update "last modified" attribute
of the firewall when the object was changed.
2009-04-09 vadim <vadim@vk.crocodile.org>
* VERSION: start v3.0.5
2009-04-08 Vadim Kurland <vadim@vk.crocodile.org>
* v3.0.4 released, merged to the trunk, this comment is r796
2009-03-29 vadim <vadim@vk.crocodile.org>
* v3.0.4 release
2009-03-25 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printPort): fixed bug
#2712514: "Bug in PF NAT Writer - 'tagged' keyword". Keyword
'tagged' is only allowed on the left hand side of '->' in nat
and rdr rules.
* RuleElement.cpp (RuleElementTSrv::validateChild): (change in
libfwbuilder) fixed bug #2712575: "NAT RuleSetView allows
TagService to be in Translated Svc". TagService object should not
be allowed in "Translated Service" in NAT rules.
2009-03-24 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): fixed bug #2710309:
"Bug in gui/DialogData.cpp when not using mapping.". There was a
bug in DialogData.cpp that when setting the value of a combobox
and not using a mapping array the requested value would not be
selected. Applied patch provided by Tom Judge ( tomjudge )
* platforms.cpp (init_platforms): fixed bug #2710300 "Bug in
gui/platforms.cpp". there was a discrepancy between the list of
route-to options for PF and UI elements.
* pf.cpp (main): more changes to add support for
externally-controlled policy rulesets for PF: if policy ruelset
name ends with "/*", the program assumes it is controlled by
external means and does not compile rules in it and does not
create .conf file from it.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
2009-03-23 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no #): compiler for pf added code
provided in the "prolog" section while option was set to "add
after table definitions" in the incorrect place.
2009-03-22 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2701593
"gui problem". Adding a rule to a policy with rule groups caused
weird rule display - a rule immediately above rule group header
would appear empty, with only "Source" shoring.
2009-03-19 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
temporary ACL blocks ICMPv6". Temporary ipv6 access list created
for the "safety net install" should permit icmp.
2009-03-18 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (safetyNetInstall): fixed bug #2694440 "Multiple
policies cause multiple temporary ACLs": when "safety net install"
option is used, temporary access list must be generated only once
even when firewall object has multiple rulesets.
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug #2694432 "IOS ACL syntax error with IPv6 host addresses &
"safety net"": temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.
* fwbedit: properly saving data file after "checktree" operation
2009-03-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug #2689978: "IOS ACL 'safety net' doesn't support
IPv6?". Compiler did not process properly ipv6 address entered in
the "safety net" install script option parameter.
* iosaclAdvancedDialog.cpp, pixAdvancedDialog.cpp: fixed bug
#2689987: "Typo in "script options" tab in 'Firewall settings'".
* IPv6Dialog.cpp (IPv6Dialog::changed): fixed bug #2689958 "Error
changing properties of a IPv6 address". Button "Apply" would stay
greyed out when user changed network prefix length in IPv6 address
dialog.
2009-03-12 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
few bugs (no #) in policy compiler for Cisco IPv6 ACLs:
- The "extended" keyword is not supported by IOS for IPv6 ACLs
- keyword "established" is only valid in combination with
protocol tcp. If standard CustomService objects "ESTABLISHED" and
"ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".
- command to clear ipv6 access lists should be "no ipv6
access-list ipv6_management_in"
- command to assign ipv6 acl to interface should be "ipv6
traffic-filter ipv6_acl in"
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr): fixed
bug (no #): compiler for IOS ACL used not to ignore netmasks of
IPv4 and IPv6 objects and added them to the generated access list
with netmask wildcard bits 255.255.255.255 which was equivalen to
'any'.
2009-03-11 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::createGroup): fixed bug (no #): if
user selected some rules that belonged to a group and few other
rules that did not belong to any group at the same time and used
context menu to place all these rules in a new group, the GUI used
to crash.
2009-03-06 vadim <vadim@vk.crocodile.org>
* ProjectPanel.h (class ProjectPanel): code clean-up: removed
obsolete method getAddOnLibs()
2009-03-05 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt.cpp (addressRangesInDst::processNext): fixed
bug #2666971 "fwb_ipt crashes when Address Range object in routing
rule". Policy compiler for iptables crashed if Address Range
object was used in "Destination" of a routing rule.
* RuleSetView.cpp (RuleSetView::insertRule),
ProjectPanel.cpp (ProjectPanel::closeEvent): fixed bug #2656815
"Copy/paste does not work properly". Fixed Copy/Paste problem with
policy rules and crash reported in this bug report.
2009-03-04 vadim <vadim@vk.crocodile.org>
* iosacl.cpp (main), FirewallDialog::platformChanged(): fixed bug
#2662290: "fwb_iosacl crash after firewall converted from
iptables". If user changed platform setting of the firewall
object, the program preserved its old version which was invalid
for the new platform.
2009-03-02 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): finish
fixes for bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and
#2356151 "Routing broken when default route has a 0
metric". Redirect script output to a file for the time when we
remove static routing entries and add new ones to prevent ssh
session from stalling. Restore output back to the terminal when
script finishes or when an error is detected. Using idea suggested
by Heiko Helmle <helman@gmx.de>
2009-02-27 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bugs #2540389: "Routing Broken from 2.1 to 3.0.3" and #2356151
"Routing broken when default route has a 0 metric". Generated
script preserved default route when it deleted route entries
before installing new ones. This was different in v2.1 where
default was deleted together with other routing entries. The
reason for this change (made some time in summer of 2008) was that
if user did not define default route in their routing ruleset, the
script would delete existing default without installing new one,
leaving firewall with no default route at all. Now the script
deletes default if there is new one to install and preserves it
otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
2009-02-21 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
bugfix (bug was introduced in build 768). If user entered
alternative activation command in the "installer" tab of the
firewall object settings dialog, the program confused it with
destination directory and tried to execute incorrect command to
copy files to the firewall. This build (770) fixes this problem.
* SSHUnx.cpp (SSHUnx::SSHUnx): New feature: built-in installer can
now enter sudo password. There is no need to configure firewall
management account for password-less sudo access anymore.
2009-02-19 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):
fixed bug #2618772 ""test install" option does not work". If "test
install" checkbox was checked in the installer options dialog, the
program copied file to directory /etc/fw on the firewall but tried
to find it in /etc/fw/tmp to run.
* FirewallInstaller.cpp (FirewallInstaller::packSCPArgs): fix bug
#2618686 "built-in installer can not handle ipv6 management
address". Built-in installer did not properly for scp and ssh
command like when it had to use IPv6 address to communicate with
firewall.
2009-02-17 vadim <vadim@vk.crocodile.org>
* Management.cpp (Management::fromXML): (change in libfwbuilder):
fixed bug #2609796 "internal object Management does not accept
ipv6 address". Class Management should accept ipv6 address. The
problem was that if an interface of the firewall had only ipv6
address and was marked as "management" interface, saving such
configuration to .fwb file created broken data file that could not
be loaded back. The error was:
The program encountered error trying to load data file.
The file has not been loaded. Error:
Exception: Invalid IP address: 'aaaa:bbbb:cccc::1'
XML element : Management
where aaaa:bbbb:cccc: is ipv6 address.
2009-02-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#2597959 "rules disappear in ipv6 policy unless ipv4 forwarding is
on". Example: IPv6 policy, rule where fw object and internal
network are in source, destination is "any". If option "assume
firewall is part of any" was turned off and ipv6 forwarding was on
but ipv4 forwarding was off, this rule did not yield any iptables
commands in generated script.
* iosaclAdvancedDialog.cpp (iosaclAdvancedDialog::accept): fixed
bug #2597949 "GUI crash in IOS ACL "advanced" settings
dialog". GUI crashed upon click OK in the firewall settings dialog
for the IOS ACL firewall.
2009-02-06 vadim <vadim@vk.crocodile.org>
* src/gui/Icons/accept_25.png: fixed bug #2565164 "Colorblind
friendly Accept & Deny Icons". Accept and Deny icons were
indistinguishable for red-green colorblind people. New icons
incorporate standard symbolics for the "Aceept" and "deny"
functions to make them sufficiently different besides the color.
2009-02-05 vadim <vadim@vk.crocodile.org>
* src/res/os/linux24.xml.in: fixed bug #2568819 "generated script
created on windows is not executable". If the GUI runs on Windows,
produced .fw script lacks executable permission bit ('x') when it
is copied over to the firewall with pscp.exe. Because of this,
activation command "sudo -S /etc/fw/script.fw" can not run it and
installation fails. Need to run "chmod" as part of the activation
sequence. (We used to run chmod as part of the copy sequence when
copying was done with ssh/plink.exe. Now that the copy is done
with scp/pscp.exe, there is no way to change permissions bits on
the firewall side during copy).
* OSConfigurator_linux24.cpp: add empty line after user's code
in prolog and epilog shell functions to make sure shell syntax
is not violated if user does not end prolog or epilog code
with linefeed.
2009-01-31 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (processPolicyRuleSet): fixed bug #2550074: "Automatic
rules for filter table included twice in iptables". If user had
two policy ruleset objects marked as "top" rule set, then
automaitc rules were added twice.
2009-01-27 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): bug #535146: "firewall script: exit code for
ip6tables overwrites iptables". If generated iptables script used
iptables-restore to activate the policy and contained both ipv4
and ipv6 iptables policies, return code from iptables-restore was
overwritten with return code from ip6tables-restore and only the
latter was returned as the return code of the script. To fix this,
prolog and epilog commands were moved to shell functions
prolog_commands and epilog_commands which are called from various
places in the script. Script checks return code of
iptables-restore and ip6tables-restore and if an error is detected
from either, it runs epilog_commands and terminates, returning
error code obtained from iptables-restore (or
ip6tables-restore). In case of error, we always run epilog but do
not turn ip forwarding on in the kernel. Also, if prolog place is
set to "After iptables reset" in the GUI and script uses
iptables-restore, prolog commands are executed just before
iptables rules are sent to iptables-restore. This means if
iptables-restore is used, position "after iptables reset" is
equivalent to position "on top of the script". If iptables-restore
is not used and prolog position is "after iptables reset", then
prolog commands are executed right after the script flushes all
chains in all tables and sets deault policy for all chains. Other
positions of prolog commands in the script (on top and after
interface configuration) are naffected and work as before.
2009-01-24 vadim <vadim@vk.crocodile.org>
* objects_init.xml.in: Added CustomService object "ESTABLISHED
ipv6" which defines code for iptables, ipfw and IOS extended
access lists for IPv6.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
fixed behavior or policy compiler for ipfw which was broken in
rev714 - it should print protocol "tcp" when custom service object
that adds option "established" is used. This compiler worked like
that before attribute "protocol" was added to the CustomService
object.
* platforms.cpp (getReadableRuleElementName): code refactoring:
made it possible to translate ruleset table column
names ("Source", "Destination" etc.). Currently only Russian
translation is provided.
2009-01-23 vadim <vadim@vk.crocodile.org>
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::createQTWidgetItem):
fixed bug #2412334: "feature request: where used ->
directly". There has been a change in the "Where used" function in
v3.0 compared to the implementation in v2.1. New version showed
not only rule elements and groups that referred to the given
object, but also found all groups that referred to other groups
that referred to the given object. Such recursive action was not
always obvious to the user and was inconvenient when the function
was used to find all places where given object was used with the
goal to replace it with some other object. This fix reverts to the
old behavior where only direct usages are reported by the "Where
used" function. Elements of UI in this function have also been
cleaned up and further unified with confirmation dialog shown when
user tries to delete an object that is used in some groups and
rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printChain): fixed bug
#2507239: "length of iptables rule chain names not
checked". Iptables does not allow chain names longer than 30
characters; policy compiler fwb_ipt should check for this.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
introduced when support for module iprange was sadded. Need
special check for AddressRange objects where start and end of
range addresses are equal.
* NetworkDialog.cpp (NetworkDialog::addressEntered): fixed bug (no
#): the GUI used to check ip address entered for the network
object whenever user switched focus from the address input widget
in the network object dialog to another widget or even a different
application to look up the address. This caused the program to
show error dialog if this happened when the address was
incomplete. This change makes the program verify the address only
when user clicks "Apply".
2009-01-19 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareFileOpenRecentMenu): Added menu
Files/Open Recent. This implements feature req. #2499615 "open
last used file".
* FWWindow.cpp (FWWindow::startupLoad): open StartTipDialog from
FWWindow rather than main() to make sure this dialog always
remains on top of the main window.
* ProjectPanel_file_ops.cpp (ProjectPanel::autoSave): fixed bug
#2499569: "fwbuilder crashes after some hours". The auto-save
function now saves data file only if it has been
modified. Frequent saves exasperate small memory leaks that appear
in some old versions of libxml2.
2009-01-17 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (FWWindow::filePrint): fixed bug (no #): the
GUI crashed if user tried to use File/Print function when no
ruleset was opened in the right hand panel.
* printerStream.cpp (printerStream::printQTable): Applied patch by
Paul@Auroragrp.Com that fixes problems with printing long rule
sets. If rule set printout exceeded the length of the page, some
rules at the bottom were cut off and lost. The patch corrects the
problem by taking into account printer dpi while calculating
position for page breaks.
2009-01-11 vadim <vadim@vk.crocodile.org>
* unknown.xml.in: fixed bug #2486558 "firewall platform "unknown"
should support basic actions".
2009-01-10 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromCrawler): bug
#2023261 "IPv6 - SNMP discovery of interfaces not working for
IPv6". SNMP discovery can now read IPv6 addresses of interfaces
using IP-MIB RFC4293. Not all snmp agents support this MIB, for
example only recent versions of net-snmp support it.
* starting with v3.0.4 build 739 snmp discovery is supported on
Windows.
2009-01-06 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_iosacl_writers.cpp (PrintRule::PrintRule): fixes
to make code compile on Windows.
2009-01-05 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile):
fixed bug (no #): routing compiler for pix refused to add more
than one routing rule with an error saying that other rules were
duplicates. Error was introduced in build 732.
2009-01-02 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_iosacl.cpp (RoutingCompiler_iosacl::compile):
Added support for generation of "ip route" commands for Cisco IOS.
Variant of Cisco IOS "ip route" command where gateway is the name
of one of the interfaces of the router is also supported. To get
this, put interface object in the "gateway" column of the routing
rule.
* pix.xml.in, RuleSetView.cpp: Routing ruleset view shows column
"interface" only for platforms that require it. Currently IOS does
not require it, while other platforms for which routing commands
generation is supported require it (iptables and PIX).
2009-01-01 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_cisco.cpp: refactored PIX routing compiler by
steven@openbsd.org to use it as a foundation of the routing
compiler for both PIX and Cisco IOS (r731).
* RoutingCompiler_pix.cpp: applied patch by Steven Mestdagh
<steven@openbsd.org> that adds support for static routing
configuration for PIX. Patch tested and applied in r726.
2008-12-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::copyRule): fixed bug #2478528:
"Crash when copying multiple policy rules". GUI crashed if user
tried to copy/paste several rules, some of which belonged to rule
group and some did not.
2008-12-30 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_clampTcpToMssRule):
bug #2477775: "Clamp MTU doesn't work in ip6tables". iptables
target TCPMSS is available in ip6tables only in 1.3.8 and later.
* unfortunately the package is not going to work on Tiger because
of the mismatch in versions of libnetsnmp library. If this library
is packaged with the bundle, the program crashes because the code
in libnetsnmp v15.1.0 (that comes with Leopard) depends on
functions missing in libSystem on Tiger. If libnetsnmp is not
packaged with the bundle, then stubs linked with the GUI on
Leopard do not match libnetsnmp that comes with Tiger (older
version). So, even though we now have universal Mac OS X binary,
it will only work on Leopard.
2008-12-29 vadim <vadim@vk.crocodile.org>
* FirewallInstallerUnx.cpp (FirewallInstallerUnx::executeInstallScript)
bug #2474949: "External install script: trailing spaces". Trimming
leading and trailing white spaces in the external installation script
and its arguments before running it.
* runqmake.sh: starting with v3.0.4 build 717, building universal
binary for Mac OS X (both x86 and ppc architectures)
* bug #2474194 "Please Provide MacOS X PowerPC Builds": debugging
universal binary package for Mac OS X, trying to make it work on
Tiger as well
2008-12-28 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
support for the CustomService in compiler for IOS ACL, including
support for address family, protocol and code string parameters.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
support for the new "protocol" parameter of the CustomService
object in compilers for ipfilter and ipfw.
* NATCompiler_pf_writers.cpp (PrintRule::_printProtocol):
'checking for "proto ..." in the custom service code string before
printing protocol part in policy and nat compilers for pf.
2008-12-27 vadim <vadim@vk.crocodile.org>
* feature req. #1111267 "CustomService should specify protocol and
parameters for it". Support for protocol string in Custom Service
in compilers for iptables and PF.
* CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject):
feature requests #1111267 "CustomService should specify protocol
and parameters for it" and #2463048 "custom services should have
IPv4/v6 setting". Added corresponding input elements to the
CustomService object dialog.
* CustomService.h (libfwbuilder): feature requests #1111267
"CustomService should specify protocol and parameters for it" and
#2463048 "custom services should have IPv4/v6 setting". Added
attributes "protocol" and "address_family" to the CustomService
object. Corresponding XML attributes are "#IMPLIED", this helps
avoid having to provide XSLT auto-upgrade script for this
version. Class CustomService returns "any" for the protocol and
"ipv4" for address family if these attributes are missing.
2008-12-25 vadim <vadim@vk.crocodile.org>
* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.
2008-12-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr):
implemented feature req. #2353737 "use -m iprange". Using module
iprange for AddressRange objects if iptables version is set to
>=1.2.11.
2008-12-21 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::heartBeat): built-in installer
periodically "pings" the other end to keep ssh session alive. This
helps recreate state in the firewall state table if it is cleared
when rules are reloaded, which in turn prevents installer from
hanging.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
Deprecated options "generate commands for both in and out" and
"pass all outgoing" in compiler for PF. Before, user could choose
whether compiler was to generate only commands to match inbound
packets or both inbound and outbound. The distinction between
these two modes became very minimal in the recent versions of
fwbuilder because algorithm was mostly controlled by the setting
of "direction" in the policy rules. Now these two options have
been removed completely, the behavior of the compiler is as if
option "generate both in and out" was used.
* pf.cpp (main): Compiler can add command "pfctl -F states" after
command "pfctl -f file.conf" to flush states that existed in
memory from sessions opened prior to the policy reload. The reason
is that some of these sessions might be denied by the new policy,
but if state is not flushed, they will still work after policy
reload. This is optional and is controller by checkbox in the
"Script" tab of the "advanced" settings dialog for the PF
firewall.
2008-12-20 vadim <vadim@vk.crocodile.org>
* PrintingController.cpp (PrintingController::addObjectsToTable):
fixed bug #2388067: "Print out FWB 3.0.3 not ok". File/Print
function failed to print objects used by rules of the firewall.
2008-12-19 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::loadFile): Implemented
feature request #2412323: "feature request: command line flag to
skip RCSFilePreview". New command line switch "-r" makes the GUI
automatically open RCS head revision of the file given on command
line if the file is in RCS. If the file is not in RCS, the new
switch does nothing and the file is opened as usual.
2008-12-18 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::renameGroup): fixed bug #2412310:
"Umlauts in group names". The GUI should properly handle non-ascii
characters in the rule group names
2008-12-15 vadim <vadim@vk.crocodile.org>
* ipt.cpp, ipfw.cpp, pf.cpp, iosacl.cpp: changes for FR #2431602:
support for rulesets configured as "dual address family", that is,
rulesets that should be compiled for both ipv4 and ipv6. Compiler
processes rulesets like this twice, first for ipv4 and then for
ipv6. On each pass it will only use address and service objects
that match address family it uses for the ruleset. This also
applies to "compile-time" DNSName objects, that is, it will use
getaddrinfo() to get AF_INET address on ipv4 pass and AF_INET6 on
ipv6 pass.
Rules with "any" in rule elements in the "dual address family"
ruleset yield iptables commands for both families. This was the
reason I made setting exclusive in the first place. This means
that users who do not want fwbuilder to generate ipv6 policy for
them and want all ipv6 accepted, should not use "dual address
family" setting. If the do, the bottom catch-all rule will install
ip6tables command to block all ipv6 automatically even if all
rules have absolutely no ipv6 objects at all.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): implemented
feature request #2431602: "Feature request: Unified
policies (IPv4/v6)". RuleSet object now has two variables that
define which address family it should be compiled for - ipv4 or
ipv6. It is possible to have both set, in which case the same
ruleset will be compiled for both address families.
2008-12-13 Vadim Kurland <vadim@vk.crocodile.org>
* VERSION (VERSION): started v3.0.4
* v3.0.3 released, merged to trunk. This comment is -r689
2008-12-08 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::contextMenu): fixed bug #2407141
"label markers". Color label text set in Preferences was not used
in the contet menus where user can actually apply those colors to
rules.
* RCS.cpp: fixed bug #2405909: "Umlauts in RCS log". RCS log is
stored in RCS file in Utf8, need to convert it back from Utf8 on
read. Technical note: rcs tools on windows do not seem to process
properly rcs comments converted with toLocal8Bit, comment text
comes out as '????' when inspected with rlog.exe from the command
line. Comment text stored in Utf8, on the other hand, appears
intact even though it can not be read in the output of rlog.exe.
2008-12-07 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change
in libfwbuilder) additional fixes in algorithm that recursively
copies object subtree between different data files. Making sure we
do not create duplicates of groups referred to by other groups.
* ObjectManipulator.cpp (ObjectManipulator::pasteObj): changes to
speed up GUI when user copies many objects between different data
files (do not reload and redraw object tree widget until last
object is copied). Refactoring of the pasteObj to keep the same
object ID mapping table for the duration of the bulk paste
operation, this helps deduplicate objects. Also using the same
".copy_of_NNNN" object attribute to deduplicate objects.
2008-12-06 Vadim Kurland <vadim@vk.crocodile.org>
* iptables.g: Changes in grammar for iptables: removed
ambiguitiesin parser; added lexer rules for elements of ipv6
address. Rules for IPV6 address parsing do not work yet, commented
out as work in progress. No new functionality in the parser for
iptables, only clean-up and preparations for ipv6.
2008-12-05 Vadim Kurland <vadim@vk.crocodile.org>
* InetAddr.cpp (InetAddr::toString): (change in libfwbuilder):
Should use bits==128 because inet_net_ntop_ipv6 on FreeBSD applies
mask constructed from the bits argument to the result, so with
bits==0 it always returned "::/0"
2008-12-04 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::closeEvent): (fixed bug (no #):
need to check if object in the object editor panel has been
modified and needs to be saved when user closes internal window
using "close" button in its title bar.
* FWWindow.cpp (FWWindow::closeEvent): fixed bug (no #): GUI
crashed if user closed internal window so no object files were
left open, then closed application using "close" button in the
main window title bar.
2008-12-03 Vadim Kurland <vadim@vk.crocodile.org>
* iosacl.g (certificate): fixed bug #2334007: "Problem parsing
Cisco config". Parser now recognizes IOS configuration lines
"certificate", "ip community-list", "controller
... description". These lines are recognized and ignored, they
should not stop parser from processing the rest of the
configuration.
* ipt.cpp (main): fixed bug #2378672: "fwb 3.0.2 build 676
iptables script is not executable". Generated .fw file should have
executable permissions.
2008-12-02 Vadim Kurland <vadim@vk.crocodile.org>
* FWObjectDatabase_tree_ops.cpp (recursivelyCopySubtree): (change
in libfwbuilder) fixed bug #2375327: "Crash copying multiple
groups between different data files". Using better algorithm to
copy objects between different data files.
* ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies):
using FWObjectDatabase::recusrivelyCopySubtree() to copy objects if
they are located in different data files.
* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): (change
in libfwbuilder) Implemented additional check for object
duplicates while copying objects. The problem happened when
several object were copied in a batch operation (e.g. when user
selected several objects in the GUI and then used copy/paste to
copy them all). If some of these objects were groups that referred
to other objects from the same batch, the program would copy the
object and then create another copy of it when it copied the group
using it. To avoid such multiplication it now creates special
hidden attribute in the object when it makes a copy to keep track
of the original object. When the same original object needs to be
copied again, the program can find its copy in the target data
tree using this attribute. This creates another problem because
the attribute used to track original object is persistent for the
duration of the program run. The scenario that leads to this is as
follows: user copies object A, modifies it and then copies group B
using the orignal of A. The end result is that the program does
not recognize that the copy of A has changed and makes copy of
group B use it anyway. This means the new group points at modified
object A. This can not be easily fixed because we do not have
"last_modified" attribute in each object.
2008-12-01 vadim <vadim@vk.crocodile.org>
* Started v3.0.3
* v3.0.2 released, merged -r565:676 to trunk. This changelog
record is in rev 678
2008-11-28 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareFileMenu): fixed bug #2353052
"fwbuilder crashes on import without open object file". Fixed in
rev 676.
* ipt.cpp (dumpScript): fixed bug 2356131 "Iptables-restore option
broken for multiple policy sets". If firewall was configured to
use iptables-restore to activate policy and if it had two or more
policy rule sets, compiler used to put "echo COMMIT" line at the
bottom of each ruleset. This was incorrect, iptables-restore
expects only one COMMIT line at the end of each table. Fixed in
rev 675.
2008-11-28 User Vadim <vadim@vk.crocodile.org>
* InetAddr.cpp (InetAddr::toString): (change in libfwbuilder) Our
included copy of inet_net_ntop does not add "/netmask" to IPv6
addresses if argument #3 is -1 (bits). However, the same function
included in libc on FreeBSD returns EINVAL for bits=-1. It appears
the function in libc in FreeBSD is based on the same code as our
copy, but has been updated and instead of doing check "if ((bits <
-1) || (bits > 128))" probably checks for (bits < 0). Because of
this, fwbuilder GUI crashed when user tried to create IPv6 network
object on FreeBSD. To fix, will use bits=0 in call to
inet_net_ntop in InetAddr::toString and then strip /0 that
inet_net_ntop adds to the generated string. Both our copy of
inet_net_ntop and the one shipped with FreeBSD add "/0"
consistently, so this works on all platforms.
2008-11-26 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): fixed crash in the
importer for iptables
* iptables.g (m_comment): rudimentary support for iptables module
"comment"
2008-11-24 Vadim Kurland <vadim@vk.crocodile.org>
* tcpservicedialog_q.ui: fixed bug #2333759: "A really small camp".
Fixes in dialog layouts for KDE4 theme Oxygen
* Build fixes for FreeBSD.
* Added GUI elements for krcmd and ekshell options for ipfilter
Thanks to Cy.Schubert@komquats.com for the patch!
* Using QT4 stylesheet to improve layout of TCP Service, UDP
Service and group object dialogs when program is used with KDE
theme Oxygen.
2008-11-23 Vadim Kurland <vadim@vk.crocodile.org>
* Help.cpp, StartTipDialog.cpp: the GUI will use English help
files for online help (where available) and "start tip" dialog if
it is started in the non-enligsh locale and help file for this
locale inot available. This is better than to show an empty
dialog.
2008-11-22 vadim <vadim@vk.crocodile.org>
* StartTipDialog.cpp (StartTipDialog::StartTipDialog): Added
"start tip" dialog that shows brief information on the online
resources available to the user (web site URL, links to the
Firewall Builder FAQ, HOWTOs, Cook Book). Linked pages open in the
standard browser.
* FWWindow.cpp: added menu item Help/Firewall Builder Help that
opens a page with information about online resources for Firewall
Builder (the same page that is shown in the "start tip" dialog).
* ipf.cpp (main): fixed bug #2328330: "basic_string::erase error
in fwb_ipf". Compiler for ipfilter aborted processing with error
"basic_string::erase" when compilation was launched from the GUI.
2008-11-21 vadim <vadim@vk.crocodile.org>
* Improved Mac OS X bundle: included qt.conf file to make it look
only inside the bundle for QT libraries and plugins, this
eliminated warnings about QT libraries being loaded from two
places if the system where fwbuilder GUI was running had QT
installed on it. Now packaging QT accessibility plugin library,
this should make the GUI run with acessibility features if
accessibility aids are turned on system-wide.
2008-11-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug #2318639: "bug in logging (rule number)". Added logging prefix
macro %R that gets expanded to the ruleset name. This can be
useful in logging prefixes for rules in branch rulesets.
2008-11-19 vadim <vadim@vk.crocodile.org>
* printerStream.cpp (printerStream::begin): fixed printing with QT
4.4. QT 4.4 correctly sets physical resolution of the printer and
sets its logical resolution to 1200dpi. This caused rulesets to be
printed incorrectly on Windows and Mac where we use QT 4.4.1. This
fix restores printing on these platforms.
* Printing from command line: user can print firewall object and
all its rulesets from command line without running the program in
interactive GUI mode using command line
"fwbuilder -f file -P fw_object -o print_output_file.pdf". Making
sure this works on Mac OS X as well where the program should be
launched as "fwbuilder3.app/Contents/MacOS/fwbuilder"
* RuleSetView.cpp (RuleSetView::updateGroups): fixed printing from
command line which was broken some time ago (perhaps in
3.0.1). When user prints firewall policy from command line using
"fwbuilder -f file -P fw_object" all rule groups are always
printed expanded.
2008-11-18 vadim <vadim@vk.crocodile.org>
* prefsdialog_q.ui: better layout of the first page of Preferences
dialog to make sure long path to the working directory fits in the
input widget.
* SSHPIX.cpp (SSHPIX::stateMachine): bugfix: installer for Cisco
routers and PIX could not find generated file because variable
conffile is now always a full absolute path. This bug was
introduced earlier during installer rewrite for v3.0.2. Tested
installer for router and PIX using default generated file name, as
well as custom generated file name, defined both as absolute and
as relative path. Tested batch install of combination of a router
and a pix in one batch (the same user account, then same enable
password on both)
2008-11-17 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::duplicateObject): fix
bug #2303486: "Operation of duplicating firewall should switch
policy". When firewall object is duplicated, the GUI should
automatically open policy of the new object rather than keep
policy of the original open. At the same time, reset lastModified,
lastCompiled, lastInstalled of the new firewall instead of keeping
copies from the original.
* instDialog.cpp (instDialog::testFirewall): Check to make sure
paths to ssh and scp utilities are properly configured in
Preferences before running install. Show aprropriate error dialog
to the user if path to ssh or scp is not configured.
2008-11-15 Vadim Kurland <vadim@vk.crocodile.org>
* antlr/CharScanner.hpp: applied patch for gcc 4.4 from bug#
2282828 "patch for gcc-4.4"
* AddressTable.cpp (AddressTable::AddressTable): (change in
libfwbuilder) fixed bug# 2293052 "Saving file with empy
AddressTable produces corrupt XML". When new AddressTable object
is created, its "filename" attribute is empty. If data file was
saved right after such new AddressTable object was created,
resultant file could not be loaded back into the program becaise
it violated XML DTD.
2008-11-13 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables properly creates TagService objects and places them
into action of the rule finds iptables rule with target "-j MARK"
* IPTImporter.cpp (IPTImporter::pushPolicyRule): policy importer
for iptables correctly imports user-defined chain, configures rule
with action "Chain" and establishes association between it and
ruleset created for the user-defined chain. Multiple rules with
this action can point at the same ruleset.
2008-11-12 Vadim Kurland <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::finalize): fixed bug (no #):
policy importer used to create separate Policy objects for chains
INPUT, FORWARD, OUTPUT.
* CircularQueue.hpp (OFFSET_MAX_RESIZE): a temporary fix for the
problem in ANTLR that causes crash on import of very large config
files. This affected import of both iptables and Cisco IOS
configurations and depended just on their size.
2008-11-10 vadim <vadim@vk.crocodile.org>
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
for bug #2135827: "'Store a copy of fwb file...' very slow" -
need to enable option "store copy of data file on the firewall"
for the batch install.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): fixed bug
#2255591 Adding new ipv6 policy is always type "mangle". When user
added new Policy object to the iptables firewall and made and
saved any changes in the object editor (switched to "top rule set"
or toggled setting "filter+mangle"="mangle only"), the setting of
the ruleset would switch to "mangle only" and stick there. There
was no way to switch it back to "filter+mangle". This is fixed in
build 641.
2008-11-09 <vadim@vk.crocodile.org>
* Added updated Japanese translation by Tadashi Jokagi ( elf2000 )
from bug #2214440
* FirewallInstallerUnx.cpp(FirewallInstallerUnx::packInstallJobsList):
fixed a bug introduced some time earlier and reported in the bug
report #2135827: policy installer would only copy .fwb file to the
firewall when "Store data file on the firewall" was activated and
skipped actual generated policy file(s) (.fw). This only happened
on Windows.
2008-11-01 vadim <vadim@vk.crocodile.org>
* fwbuilder/Rule.cpp (PolicyRule::PolicyRule): a bugfix in the
PolicyRule class, fixes errors in some operations in policy
compilers that were caused by switch to a more efficient way to
find rule element objects in rules.
2008-10-30 vadim <vadim@vk.crocodile.org>
* Added Japanese translation by Tadashi Jokagi ( elf2000 )
Translation converted from the .po file generated for
fwbuilder 2.1.19. Since translation was done for the old version
of the product, it is incomplete, however at least menus seem
to be translated.
* ObjectIconView.cpp (ObjectIconView::event): fixed bug #2209210
"crash in fwbuilder: ObjectIconView.cpp:90:". The GUI crashed if
user moved mouse cursor over object icons in a group object editor
when tooltips were activated.
2008-10-26 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::setRuleColor): making sure no rule
operations are allowed when rule set or parent firewall object are
read-only. This fixes GUI crash that happened when user tried to
remove rule from a group in the read-only firewall.
2008-10-25 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::loadFromRCS): more
fixes for bug #2194829: use toLocal8Bit() instead of toLatin1() in
all calls to libfwbuilder functions that deal with
files (FWObjectDatabase::load() etc.), as well as system functions
such as unlink(), rename(), access(). Now I can open, save, check
out and check in file if it is in directory with non-ascii name
and also can use non-ascii characters in RCS checkin log records.
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
fixed bug #2194829: "the gui can not locate data file in non-ascii
directory". This seems to have happened only on Windows and Mac;
if data file was located in the directory with the name with
non-ascii characters, the gui generated incorrect command line for
the compiler when user tried to compile the data file more than
once.
2008-10-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (isChainDescendantOfOutput): more for the
bug #2186568 "Again User service - group/negate". Support for
groups of user service with negation. Now have a framework to keep
track of chain "descendants", so that compiler can tell if some
chain can be traced back to INPUT or OUTPUT through the sequence
of chains calling each other.
2008-10-22 vadim <vadim@vk.crocodile.org>
* various dialogs: fixed bug #2187094: "fwbuilder does not use
system colors for text boxes". Some dialogs would not properly
pick up KDE theme. This was especially visible if theme used dark
background colors and white font, in which case many input fields
in dialogs would use white text on white background.
* PolicyCompiler_ipt.cpp (separateUserServices::processNext):
fixed bug #2186568 "Again User service - group/negate". Compiler
for iptables did not support groups and negation of the
UserService objects.
2008-10-21 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change
in libfwbuilder) Optimisations in the code that detects rule
shadowing. Combined with improvements in classes Rule and
RuleElement, this yields speed-up in shadowing detection by a
factor of about 5.
2008-10-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (change
in libfwbuilder) Using internal caching to speed-up shadowing
detection. This cuts time of shadowing detection almost in half
for large policies with many rules.
* dns.cpp (list): (change in libfwbuilder) getHostByName() used to
insert duplicate IP addresses into the list of the results. Now
making sure ip addresses in the result are unique.
* Compiler.cpp (Compiler::_expand_addr_recursive): (change in
libfwbuilder) change in the algorithm used to decide which
interfaces of the host or firewall object to use in a rule when
this host or firewall object is found in source or
destination. Previously, compiler would skip loopback interface
unless user associated the rule with loopback by putting it in the
"Interface" rule element. This made it impossible to create rules
with address 127.0.0.1 in destination but attached to interface
other than loopback (such rule is used for transparent proxy
configuration). Now if user explicitly put loopback interface
object into rule element, we always keep it. However when compiler
expands interfaces from a host or firewall object, it will skip
loopback as before, unless the rule is attached to loopback
interface.
2008-10-19 vadim <vadim@vk.crocodile.org>
* fixed object type icon in the RuleSet and Interface object dialogs.
* ProjectPanel.cpp (ProjectPanel::openEditor): fixed bug: object
editor panel resized itself erratically when user switched between
objects while editor was open. This happened on Windows and Mac OS
X.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug #2180556: "broken support for the "old" time module for
iptables". Compiler generated incorrect parameters for the "time"
module for versions <1.4.0
2008-10-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (singleDstNegation::processNext): while
processing single object negation, consider hosts and firewalls
with one normal interface and loopback interface
eligible (i.e. ignore loopback address even though formally such
object has at least two ip addresses).
* PolicyCompiler_ipt.cpp (singleDstNegation::processNext): fixed
bug (no #): policy compiler for iptables did not handle correctly
rules where a host that has multiple addresses was a single object
in a rule element and had negation.
* NATCompiler_ipt.cpp (singleObjectNegation::processNext): added
support for single object negation in OSrc and ODst in NAT rules.
This provides for more compact iptables script in the often used
case where single object is used with negation in these elements
of a NAT rule. Other improvements in handling NAT rules with
negation.
2008-10-15 vadim <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): Explicitly use "\n" instead of endl to
avoid implicit conversion to "\r\n" on Windows (generated script
is for iptables which can only run on Linux, so it is safe to use
"\n" instead of endl).
2008-10-13 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): fixed
bug (no #): policy compiler for iptables would crash with
assertion when AddressTable or DNSName object was used in a rule
in pure mangle table ruleset. This could be related to crash
reported in bug #2157121.
2008-10-11 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): Always
placing rules with action "Accept" in table mangle in chain
PREROUTING
* RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute
to the Policy object for iptables to indicate that this policy
ruleset should be compiled into filter and mangle tables or only
for the mangle table. This makes sense (and is only shown) for
iptables firewalls. By default the attribute is set to
"filter+mangle" which means compiler will try to figure out which
table each rule should go to. However some combinations of service
objects and actions are ambiguous and can be used in both filter
and mangle tables. In cases like these, user can help by creating
separate Policy ruleset that will be translated only into iptables
rules in the mangle table.
* PolicyCompiler_ipt.cpp (singleSrvNegation::processNext): fixed
bug #2148378: "Negation does not work on Tag Service". Policy
compiler for iptables should be able to use "!" single-object
negation for TagService obejcts
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): fixed bug
#2149503: ever since attribute "read-only" of FWObject has been
converted from a dictionary entry to a member variable, the GUI
could not properly check if an object is read-only and could not
update context menu and icon in the object tree. This lead to
unstable behavior when an object was set read-only because the GUI
could not show corresponding icon to indicate its status change,
did not switch context menu items and permitted operations that
should not have been permitted.
* ProjectPanel.cpp (ProjectPanel::getDeleteMenuState): fixed bug
#2149585 "Deleting Routing object breaks file". The GUI should not
allow the user to delete "Routing" ruleset object, as well as any
other top-level ruleset object. This applies to both deleting them
via context menu item or Delete key stroke.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::newIptables): fixed
bug #2151898: "use of "--icmp-type any" iptables 1.2.6a". Iptables
v1.2.6a and older do not have option "-m icmp --icmp-type any".
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): Added tab "Data
File" to the Preferences dialog; added checkbox "Enable data file
compression" to this tab. If this checkbox is turned on, the GUI
will compress data file when it is saved to disk.
* FWBSettings.cpp (FWBSettings::getCompression): saving data file
compression flag in user settings.
* ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTo): added
support for data file compression. This fixes bug# 2130128: "Option
to compress the FWB file".
* pix.pro, iosacl.pro: should be ../../install.sh rather than
../../install
2008-10-10 User Vadim <vadim@vk.crocodile.org>
* FirewallInstallerUnx.cpp: fixed bug #2158561: "Solaris fwb 3.0.2-b599
build prob" Fixed build problems on FreeBSD and Solaris
* pix.pro, iosacl.pro: fixed bug #2158407: "iosacl and pix install
probs"
2008-10-10 Vadim Kurland <vadim@vk.crocodile.org>
* iosacl.cpp (main): fixed bug #2154906 "Post script is missing /
Cisco ACL handling". Prolog/epilog sections were not added to the
generated script for Cisco IOS ACLs.
2008-10-09 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): Compiler for iptables uses QT functions to
properly process non-ascii file names and firewall object
names. Compiler correctly creates generated script when its file
name contains non-ascii characters on all supported OS. The GUI
can find the file and built-in installer can copy it to the
firewall and activate it there. QT helps manage encodings and
locales in OS-independent manner. Caveats:
- Dependency on QT libraries means compilers can not be deployed
on the firewall separately from the GUI.
- pscp.exe on Windows does not seem to be able to pick up file
with non-ascii characters in name when program runs on Windows
with standard English locale. Could not test on Windows running
with national locale. As a workaround, user can specify
alternative name for the generated script in the firewall settings
dialog (tab "Compiler").
- Support for non-ascii firewall object and generated script
names is currently only available in compiler for iptables
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
always provide "-o" command line option to compilers when calling
them from the GUI. The output file name defined this way can be
encoded properly for the OS encoding and locale (compilers do not
use QT so it is hard to do there).
2008-10-08 vadim <vadim@vk.crocodile.org>
* merged branch "new-installer" -r569:HEAD
* PrefsDialog.cpp (PrefsDialog::accept): Added GUI control for the
path to scp utility used by built-in policy installer
* All compilers: firewall object can be specified by its ID in
addition to by name. Command line option "-i" tells compiler that
the last parameter of the command line is object ID. This works
reliably when firewall object name contains non-ascii characters
and the program runs under locale using 8 bit characters. Built-in
installer now uses this method while calling all policy compilers.
2008-10-07 vadim <vadim@vk.crocodile.org>
* pf.cpp, ipf.cpp: Policy compilers for pf and ipf use file name
and path specified with "-o" command line option for the name and
path for all .fw and .conf files they generate.
* instDialog.cpp: built-in installer finds all generated files
when user specifies alternative name (possibly full path) for the
generated script.
* FirewallInstaller.cpp (FirewallInstaller::getGeneratedFileFullPath):
built-in installer works properly when firewall name contains
non-english characters. In this case generated firewall script
also has name that contains non-english characters.
* FWWindowPrint.cpp, RuleSetView.cpp, FWBSettings.h,
ProjectPanel_state_ops.cpp: got rid of references to
InterfacePolicy class; build fixes for FreeBSD 7 (should fix
compile problems on other systems too, such as Solaris)
2008-10-06 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): fixed crash in built-in
installer that happened when existing PIX configuration was saved
before loading new one.
* pixAdvancedDialog.cpp (pixAdvancedDialog::accept): fixed crash
that happened when user opened PIX firewall "advanced" settings
dialog and then tried to save changes by clicking OK.
* FirewallInstaller.h (class FirewallInstaller): all installer
logic moved to separate classes FirewallInstaller,
FirewallInstallerCisco and FirewallInstallerUnx. These classes
launch background process (via SSHSession or QProcess) and control
all steps of policy installation and activation, but do not deal
with the UI. This provides for good separation of functions
between UI and core logic classes. The code is much cleaner and
easier to maintain now.
2008-10-05 vadim <vadim@vk.crocodile.org>
* instDialog_unx.cpp (instDialog::copyFileOnUnx): Using
scp (pscp.exe on windows) to copy files to the firewall. This
helps improve performance of the installer. This fixes bug
#2135827: "Store a copy of fwb file..." very slow
* instDialog.cpp (instDialog::instDialog): refactored installer
classes to make code more manageable.
* VERSION: started 3.0.2
2008-10-04 Vadim Kurland <vadim@vk.crocodile.org>
* v3.0.1 released Oct 4, 2008. Merged branch "v3" r513:565 to trunk
* global.h (SETTINGS_PATH_PREFIX): making sure all modules store
settings under the same path prefix "3.0/" (applies to all OS).
2008-10-03 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::iconContextMenu):
fixed bug #2144122 "Segfault when trying to add an address to a
group"
* ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName):
fixed bug #2144358 "Double check with 'save as'". The GUI used to
ask twice if user wants to overwrite the file in Save As operation
if file with given name already existed.
* FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug #2144114
"fwbuilder * exits if the last object file is closed". The GUI
will not terminate after the last window is closed but instead
will just show empty main window.
* fwbedit.cpp (main): fixed bug #2143894: "fwbedit list does not
show objects". Command "fwbedit list -f file" did not print
anything unless option "-F" was supplied. This change adds default
value for this option so that when it is missing, the command
prints object path.
* fwbedit.1: fixed bug #2143961: a typo in the man page fwbedit.1
2008-10-02 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::finishInstall): fixed bug #2125604:
"Cancel button does not kill the installer". Cancel button of the
installer wizard in fact kills background process. Second issue
raised in this bug report is that "Finish" button was always
enabled. This is now fixed.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTarget): fixed
bug #2141911: "no ULOG for ip6tables". ULOG target has not been
implemented for ip6tables yet, so the compiler should fall back to
LOG target while compiling ipv6 policy.
* RuleSetView.cpp (RuleSetView::updateGeometries): fixed crash
that happened on Ubuntu with QT 4.3.x because of recursive call to
updateGeometries()
* fixed icon for rule action "Mark"
2008-09-30 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (PolicyView::PolicyView): constructors of rule
set view classes (PolicyView, NATView, RoutingView) used to set
"dirty" flag in the object database which caused the GUI to ask
the user if they wanted to save modifications before exisitng the
program even when there were no modifications made. This change
fixes this annoying problem.
2008-09-29 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::updateGroups): using setSpan to
make row holding rule group head span across all columns. Without
this, clicking on table cell in column >1 caused visual
artifacts (cell color would turn white, possibly erasing part of
the group name).
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed
bug #2129726: "Where Used" not working on collapsed groups.
* RuleSetView.cpp (RuleSetView::paintEvent): fixed bug related to
#2123152 "Fwbuilder 3.0.0 Gui very slow and doesn't refresh
properly". There seems to be a bug in QT 4.4.1 (not sure of 4.4.0,
definitely not in 4.3.x) which causes the last row of the rule set
view table to come out blank when the table is redrawn. This
happens when rows have very different height and looks like the
last row comes out blank when user scrolls the table up. The last
row is finally redrawn when most of it is already visible.
2008-09-26 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAF): fixed
bug (no #): policy compiler for PF used to insert both "inet" and
"inet6" into generated pf.conf lines for the IPv6 policy.
* RuleSetView.cpp (RuleSetView::getFullRuleGroupTitle): Added
tooltip in the rule set view for the column showing rule group
handle, the tooltip shows group name and number of rules.
2008-09-25 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallDialog.cpp (FirewallDialog::openFWDialog): fixed bug
#2105977: "Viewing firewall settings change state to
edited". Opening firewall "advanced" settings dialog triggered
internal flag that signalled that something in the object tree has
changed.
* FWObject.cpp (FWObject::setInt): (change in libfwbuilder) fixed
bug #2128261: "fwbuilder thinks the file has changed when opened
read-only". Operation "find where used" triggered "dirty" flag on
the object tree even though it does not change anything.
* NetworkDialog.cpp (NetworkDialog::addressEntered): Network and
NetworkIPv6 object dialogs accept CIDR notation in the "address"
input field. Netmask input field is filled automatically using
"/NN" entered as part of the address when user hits Return or Tab
or switches to another input element using mouse click.
* ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified): fixed
GUI crash that happened when user made modifications in the
default object tree but did not save the changes and then tried to
exit the program.
* FWBTree.cpp (FWBTree::createNewLibrary): fixed bug #2126524:
"User Service created in the Service Group section".
* objects_init.xml.in: bug #2126524: "User Service created in the
Service Group section" - added missing group UserServices to the
standard objects file.
2008-09-24 Vadim Kurland <vadim@vk.crocodile.org>
* Network.cpp (Network::Network): (change in libfwbuilder) set
netmask to /32 when new Network object is created. This used to be
the default in fwbuilder v2.1. New default of 0.0.0.0 appears to
be confusing and error-prone, by user's requests changing default
back to /32. This fixes bug #2125542: New Address objects added
with netmask of "0.0.0.0"
* FWObjectPropertiesFactory.cpp (getObjectProperties): do not
print netmask of the IPv4 and IPv6 objects in tooltips and "info"
panel unless such object is child of an Interface. This fixes bug
#2125542: New Address objects added with netmask of "0.0.0.0"
* RuleSetView.cpp (RuleSetView::updateGeometries): fixed bug
#2124804: "Policy list "jump" when using groups". Combination of
rule groups and very tall rows in the rule set view caused
problems with vertical scrolling.
2008-09-23 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::insertRule): fixed bug #2123150:
"add new rule below inserts at end of rulebase". The program used
to append rule at the bottom of the policy when user tried to
insert it n the middle when there were rule groups.
* RuleSetView.cpp (RuleSetView::saveCollapsedGroups): fixed bug #
2106266: "Save collapse/expand state of groups in policy". The GUI
will remember state of the rule groups (expanded/collapsed)
between sessions. The state is saved in preferences. Groups are
referenced by combination of file name (full path), firewall object
name, ruleset name, group name. Since state is saved in
preferences rather than in the data file, state of the rule groups
is separate for each user.
2008-09-21 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_pix.cpp (mergeNATCmd::processNext): fixed crash in
compiler for PIX that happened when compiler tried to merge
"global" commands and some of the interfaces of the firewall had
dynamic address.
* FWObject.cpp (FWObject::fromXML): (change in libfwbuilder)
converted attribute "ro" (read-only) from a dictionary variable to
the member variable of class FWObject. We check read-only status
of objects very often and dictionary lookups were slowing compiler
down considerably.
* FWObjectDatabase.cpp (FWObjectDatabase::getStringId): (change in
libfwbuilder) generate unique string object id on demand instead
of in the call to generateUniqeueId. This helps speed up compiler
operations by a factor of about 3 because we generate unique int
ID every time object is created or copied, yet string ID is only
needed when object is stored in external XML file. Also using
sprintf to assemble string ID, it works faster than ostringstream.
* RoutingCompiler.cpp (reachableAddressInRGtw::processNext): (change
in libfwbuilder) fixed crashes in RoutingCompiler that happened
because Routing ruleset object being processed is disconnected
from the firewall parent at the time compiler works with it.
* RoutingCompiler.cpp (rItfChildOfFw::processNext): (change in
libfwbuilder) fixed compiler error "Error (iptables): The object
"eth0" used as interface in the routing rule 0 (main) is not a
child of the firewall the rule belongs to!" that also happened
because Routing ruleset object being processed is disconnected
from the firewall parent at the time compiler works with it.
2008-09-19 Vadim Kurland <vadim@vk.crocodile.org>
* ipfw.cpp (main): Basic suport for IPv6 for ipfw. IPv6 rules
should be kept in a separate policy, just like for all other
platforms. Branching rules are not supported so there is no
support for multiple policies (although there is no check for that
at this time either). Both ipv4 and ipv6 rules are loaded into the
same ipfw set "1" with globally unique increasing rule
numbers. The order in which ipv4 and ipv6 policies are processed
is controlled by an option in firewall settings dialog.
* FWWindow.cpp (startupLoad): Using list of strings openDocFiles
to pass names of the files that should be opened at start up time
both when these names come from the command line and from odoc
signal handler on Mac. This finally makes the GUI properly open a
file given on the command line or via odoc signal (double clicking
in Finder on Mac) in a single sub window, replacing default
objects tree.
2008-09-16 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileOpen): when the program is started
without data file, it shows panel with just default objects, with
a title "Untitled". If user opens data file, it is loaded into the
same panel and its title changes accordingly. If user makes
changes and then saves using "Save As", its title also changes
accordingly (and there is still one panel). If user uses "File/New
data file" and enters the name of the new data file, it is loaded
into the same panel and its title changes accordingly. Still,
after this there is only one panel. However if the panel shows
contents of some data file, operations "File/Open" and "File/New"
load second data file into a new panel.
2008-09-16 vadim <vadim@vk.crocodile.org>
* IPv4.cpp (IPv4::fromXML): (change in libfwbuilder) filter
addresses and strip leading and trailing whitespaces and other
non-digit characters before converting to InetAddr. This will help
with annoying problem where v2.1 allowed such characters in
address attributes of Address objects but v3.0 applies strict
checks during file load and rejects such data files.
2008-09-15 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::fileOpen): workaround
for a problem that only appears on Mac: if user uses File/Open but
cancels operation, the main window used to switch from the
subwindow that was active to another one (usually the empty
default window with only standard objects tree).
* FWWindow.cpp (FWWindow::FWWindow): Experiment: since MDI looks
very foreign on Mac and can not be fixed, trying tabbed
presentation of internal subwindows. Only on Mac OS X.
2008-09-14 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp, debugDialog.cpp, filePropDialog.cpp: enable
"close" button in the dialog window title (it was not shown on
Mac).
2008-09-14 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib):
change in the logic applied when the program decided which library
to open at start time. If a file is opened and there is settings
record pointing to the library that was opened in this file last
time the program was used, this library is opened. If there is no
such settings record, the program tries to find the first not
system library in the file but prefers the one named "User". If
the program starts without data file, it shows library "User" from
the standard objects file.
* instDialog.cpp (instDialog::addToLog): better regex to recognize
compiler erorrs.
* TimeDialog.cpp (TimeDialog::loadFWObject): Changed format of the
start and stop date fields in the Time Interval object to show
year as four digits. Also enabled calendar in these widgets.
* bug #2099700 "Association of the .fwb and .fwl file types with
app". Implemented support for the association of the application
and data file type on Windows. Double-clicking on .fwb and .fwl
files in Explorer will now open application and load files
automatically.
2008-09-13 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::listContextMenu):
fixed bug #2109833: "Crash on right mouse click in the object
group".
* FWWindow.cpp (FWWindow::prepareWindowsMenu): fixed bug #2109675:
"file Title bar contains redundant info". Internal page title
should be coordinated with items in the Windows main menu. There
is also no need to add "Firewall Builder" to the title of internal
windows.
* instDialog.cpp (instDialog::interpretLogLine): fixed bug
#2109660: "Compiler Progress: bar is incomplete". Compiler
progress bar failed to show full length bar when operation was
complete for some firewall platforms.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2109431: "context menu item "Where used" is missing for
rulesets".
* RuleSetView.cpp (RuleSetView::selectRE): fixed bug # 2109432:
"double click on results in "Where used" list opens wrong rule."
* objects_init.xml.in: fix for bug #2099631: there used to be
object "icmpv6 unreachables" in the Deleted Objects library in the
file of standard objects that comes with the package.
* FindWhereUsedWidget.cpp (FindWhereUsedWidget::showObject): fixed
bug #2090332: "Where used search function does not always work.".
WhereUsed function could not find firewall if it was used in its
own rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug (no #): compiler for iptables used date entered for the
beginning of the interval in "Time" object both for the beginning
and for the end.
2008-09-12 Vadim Kurland <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::applyChanges): fixed
bug #2107004: "Fwbuilder crashes while deleting objects in
groups". I could only reproduce the crash when there were two
identical objects in the group and I was trying to delete
both. v3.0 does not allow the user to add the same object twice to
the group so this condition should not be possible.
2008-09-11 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): working on bug #2105111:
"use color for compiler status and errors". Compilation and
installation status is color coded in the left panel of
compile/install dialog (Error is red, Success is green). Also
coloring compiler error messages red in the compiler progress
panel.
* RuleSetView.cpp (RuleSetView::updateGroups): fixed bug #2106124:
"Crash after deletion of (last rule in + whole) rule group".
* RuleSetView.cpp (RuleSetView::paintCell): working on bug
#2106280: "option to change color of rule group head". Made rule
group head colored in "medium dark", actual color depends on
chosen QT theme.
* RuleSetView.cpp (RuleTableModel::headerData): fixed bug #2106229
"Disable-Icon bad position in rule group". Icon that indicates
that a rule is disabled used to be drawn in the wrong row of the
ruleset table.
* ProjectPanel_state_ops.cpp (ProjectPanel::loadLastOpenedLib):
more for bug #2091225: "Can objects in the left pane remember last
state.". If there is no record of the last library used by he user
in the settings, the GUI opens library "User" or the first
non-system library if there is non named "User". Minor bug-fix to
prevent desynchronization of the tree view and pull-down list of
libraries.
2008-09-10 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::pasteRuleAbove): More checks for
operations with rules and ruleset on the deleted Policy or NAT
object. User should not be able to change anything in rule set
object that has been deleted because it does not have parent
firewall object.
* FWWindow.cpp (FWWindow::prepareEditMenu): more fixes for bug
#2100415: "cannot re-create or clone Routing object". Properly
synchronizing main menu Edit to make sure user can not delete
Ruleset objects.
* instDialog.cpp (instDialog::initiateCopy): fixed bug (no #): if
the name of the plink.exe program was specified in upper case in
Preferences dialog, built-in installer failed to provide correct
command line options to it.
* ObjectManipulator.cpp (ObjectManipulator::getMenuState): fixed
bug #2100415: "cannot re-create or clone Routing object". The GUI
does not let the user to delete Routing object. Policy and NAT
objects can be deleted as long as there is at least one more
left. Also "top" rule set objects can not be deleted at all.
* ObjectManipulator.cpp (ObjectManipulator::pasteTo): fixed
bug (no #): added ability to copy/paste rule set objects.
2008-09-09 Vadim Kurland <vadim@vk.crocodile.org>
* FWBSettings.cpp (FWBSettings::setExpandedObjectIds): bug
#2091225: "Can objects in the left pane remember last state.". The
program saves state of the object tree branches (expanded or
collapsed) between sessions.
* FWBSettings.cpp (FWBSettings::getVisibleRuleSetId): bug #2099631
"GUI should rememver firewall object that was opened last". The
program remembers opened ruleset between sessions.
2008-09-08 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): fixed "usage" in fwbedit, command line
option that specifies object attributes for the command "new" is
"-a", not "-o". Also fixed this in the man page.
2008-09-08 vadim <vadim@vk.crocodile.org>
* main.cpp (odocHandler): bug #2099700 "Association of the .fwb
and .fwl file types with app on Mac". Implemented support for the
association of the application and data file type on Mac OS
X. Double-clicking on .fwb and .fwl files in Finder will now open
application and load files automatically. User can open several
files by selecting them in Finder and double-clicking.
* main.cpp (main): remove "safe mode" command line flag -s because
on Mac OS X the program is started with flag -psn when it is
launched via finder. This caused undesired effects.
2008-09-06 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::projectWindowClosed): fixed bug
#2091520: "Crash FWB". The GUI crashed if user closed mdi window
showing just standard objects and then tried to close the main
window.
* FWWindow.cpp (FWWindow::fileNew): fixed bug #2091507: "Create
New Firewall problem.". If user created new data file using
File/New main menu item, items in the main menu File used to stay
disabled and file could only be saved using "File/Save As" (which
did not make sense because the name has already been assigned to
the file during File/New operation).
* ProjectPanel_file_ops.cpp (ProjectPanel::fileSaveAs): bugfix: if
user called "Save As" and then hit Cancel in the dialog where they
choose file name, internal RCS object used to be deleted anyway.
* v3.0.1 started
* v3.0.0 released Sep 1, 2008. Merged branch "v3" r512 to trunk
2008-09-01 Vadim Kurland <vadim@vk.crocodile.org>
* res.pro: Do not try to install icons if variable ICONSDIR was
not defined by configure. This is the case on FreeBSD, I do not
know where application icons should be installed there.
* ActionsDialog.cpp: more fixes for compile problems on FreeBSD
2008-08-31 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectTreeViewItem.cpp: more fixes for compile problems on
FreeBSD
2008-08-30 Vadim Kurland <vadim@vk.crocodile.org>
* PrefsDialog.cpp: more fixes for compile problems on FreeBSD
* instDialog.cpp (instDialog::fillCompileSelectList): fixed a bug:
firewall table in the compile/install dialog did not show "last
compiled", "last modified", "last installed" time stamps on
windows and mac.
* RuleSetDialog.cpp: fixing compile problems on FreeBSD 7.0
* instDialog.cpp (instDialog::fillCompileSelectList): resize rows
in the table that lists all firewalls for compile/install to make
rows minimal required height.
* FWWindow.cpp (FWWindow::FWWindow): fixed GUI crash that happened
when user clicked toolbar button "Install" right after gui start
before any data file was opened.
* instDialog.cpp (instDialog::fillCompileSelectList): disabled
font manipulations in install/compile dialog, it did not work
right on windows
* InterfaceDialog: layout adjustment for bug #2078671: "fwbuilder
3.0.0 build 487 - add/edit interface". Layout did not work quite
right with QT4 themes Plastique and Oxygen with default font size
14.
2008-08-29 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectEditor.cpp: more missing #include for FreeBSD
* ObjectManipulator.cpp: Added missing #include for FreeBSD 7.0
port
* making sure dialogs do not enforce font type and size if not
necessary. Main window and install dialog used to override system
font which led to problems with dialog layouts on some systems.
2008-08-27 Vadim Kurland <vadim@vk.crocodile.org>
* configure.in: Applied patch per bug #2079941: "Patch for
configure.in --with-qmake". Patch adds option --with-qmake to
configure in libfwbuilder and fwbuilder.
* iosaclAdvancedDialog.cpp (toggleGenerateLogging): fixed bug
#2078107: "IOS ACL compiler issue". Logging commands for IOS ACL
were not generated properly (settings made in the GUI were
ignored). Also added checkbox to completely enable or suppress
generation of logging commands, this checkbox is off by
default. This provides for better backwards compatibility for
existing routers.
* various object type dialogs: layout changes for bug #2078671:
"fwbuilder 3.0.0 build 487 - add/edit interface". Dialogs did not
look right under QT theme with large fonts.
2008-08-26 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): fixed bug (no #): compile
and install progress window was stuck showing the topmost part of
the output of the compiler or installer. Need to make the window
automatically scroll and follow the output so that the latest
output lines are always visible.
2008-08-24 Vadim Kurland <vadim@vk.crocodile.org>
* HttpGet.cpp (HttpGet::httpDone): reset last_error when new http
operation begins to make sure we do not accumulate error messages
on top of those from previous http ops.
2008-08-23 Vadim Kurland <vadim@vk.crocodile.org>
* PrefsDialog.cpp (PrefsDialog::checkSwUpdates): Added setting for
http proxy used with automatic checks for the new version of the
program. Proxy can be defined by "host:port" pair; if port is not
specified, port 80 is assumed.
* FWObject.cpp (FWObject::toXML): (change in libfwbuilder) moved
saving of XML attributes name and comment from FWObject::toXML()
to implementations of this virtual method in all classes that are
supposed to have name and comment. When user created an object
with empty name, the old code used to save such object into XML
file w/o attribute "name" which violated DTD. This is fixed now.
2008-08-22 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::keyPressEvent): fixed bug (no #):
while navigating between rule elements using keyboard, it was not
possible to reach the very last rule if ruleset contained rule
groups
* RuleSetView.cpp (RuleSetView::paintCell): do not draw green
frame around rule group; draw black bracket line in the column #0
longer, almost to the bottom of the last rule row. Draw rule group
head row grey to make it visually stand out.
* ipt.cpp (main): additional fix for the bug #2051629 "group with
dns names are handled as empty": Compiler should check if any
rules of given address family exists before running
preprocessor. This is to prevent it from trying to resolve DNSName
objects for IPv6 when there are no ipv6 rules.
2008-08-21 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::load): truncating very
long error messages that happen when GUI tries to load broken .fwb
file. These error messages contain complete output of the XML
parser which can be very long and does not fit in the normal error
dialog. Message will be cut off at 1000 characters, which is
enough to see the topmost part of the parser output.
2008-08-20 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::ObjectTreeView): Fixed GUI
crash on Ubuntu Hardy that happened b/c of a bug in QT
4.3.4. Crash happened when user added second object to any branch
of the tree. When second object was added to the tree, the program
terminated with assertion "ASSERT: "left.level > right.level" in
file itemviews/qtreeview.cpp". This did not happen with QT 4.4.1
and 4.3.2 (could not test with 4.3.5). The fix was to disable
sorting in the QTreeView widget used to represent object tree.
2008-08-19 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printSrcService): fixed
bug (no #): policy compielr for iptables used multiport module
option "--destination-port" instead of "--dports" when version was
set to 1.4.0. Option "--destination-port" is only for very old
versions of iptables (<1.2.6). This change makes compiler properly
compare version numbers rather than compare them as strings.
* RuleSetView.cpp (RuleSetView::pasteRuleAbove): Permit copy/paste
of individual rules between two data files. When a rule is copied
this way, all objects used in this rule are copied as well.
* FWWindow.cpp (FWWindow::recreateWindowsMenu): fixed typo in the
main menu item name
2008-08-18 Vadim Kurland <vadim@vk.crocodile.org>
* Compiler.cpp (Compiler::complexMatch): (change in libfwbuilder)
fixed bug (no #): policy compiler for iptables used chain OUTPUT
instead of FORWARD if NetworkIPv6 was used in "source".
2008-08-17 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #2054755: "Duplicate Chain". Compiler
for iptables used to generate duplicate "iptables -N chain"
commands for the same chain in some cases.
* Preprocessor_pf.cpp (Preprocessor_pf::convertObject): fixed bug
#2056510 "Compile time" address tables objects dont
work. Preprocessor in compiler for PF for some reason used to
convert all compile time AddressTable objects to run-time. There
was no mention of this in changelog and no comment in the module.
* RuleSetView.cpp (RuleSetView::copySelectedObject): fixed bug
#2055984: "Negate Objects not work". the problem really was not
related to negated objects, instead, user could not copy an object
from rule element into clipboard more than once. Copying whole
rule into clipboard worked fine, but individual object inside the
rule could be placed in clipboard only one time.
2008-08-15 Vadim Kurland <vadim@vk.crocodile.org>
* Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): fixed bug
#2051629: "group with dns names are handled as empty". This bug
triggered when object group that consisted of DNSName objects set
to resolve at compile time was used in policy rule and at the same
none of these DNSName objects were used in rules. If an object
from the group was itself used in a rule, compiler properly
converted it to address. But object was never used in rules by
itself, it was not converted.
2008-08-14 Vadim Kurland <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #2051005: "install to
localhost fails with pam_thinkfinger". Built-in installer
recognizes password prompt produced by pam_thinkfinger module that
accepts both password or asks user to swipe finger against
fingerprint reader device. Note that installer is likely to not
work with fingerprint authentication because it will not wait once
it gets to the point where pam_thinkfinger module asks for the
password or fingerprint and will try to enter password. However
with this change password prompt from pam_thinkfiger is recognized
and password authentication becomes possible.
2008-08-13 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (NATCompiler_ipt::getInterfaceVarName):
fixed bug 2047082: "Beta 3.0 Build 456: IPv4 & IPv6 mixed
firewall". Compiler used ipv4 address of a dynamic interface in
the ipv6 policy rules if interface address was determined
dynamically at run time. This change makes compiler properly
determine ipv4 address for ipv4 rules and ipv6 address for ipv6
rules.
2008-08-12 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectListViewItem.cpp (ObjectListViewItem::operator<): (and
several other places): code fixes to address warnings issued by
gcc 4.3
* Helper.cpp (Helper::findInterfaceByNetzone): fixed bug in policy
compiler for pix - it could not properly identify interface with
network zone "any"
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2047992: "segfault cloning policies in version
3". "Duplicate" and "Move" context menu items should not be
presented if an object for which context menu is called is policy
or interface.
* Rule.cpp (PolicyRule::removeRef): (change in libfwbuilder) fixed
bug #2047991 "Drag & Drop in CHAIN actions, version 3". THe bug
report consits of 3 parts, part 3 is "When I change the Action
from CHAIN to ACCEPT and switch it back to CHAIN it still shows
the last policy target I used. EVEN WHEN I DELETED this object
meanwhile. I manually have to remove the policy object from the
properties of the CHAIN action.". PolicyRule::removeRef removes
references to RuleSets and TagSErvice objects from rule options
when corresponding RuleSet or TagService object is deleted.
2008-08-11 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::edit): double-clicking on an
object in the tree opens it in the editor panel. Normally,
QTreeWidget also expands or collapses tree branch on double click
if the object has children. This was confusing. This change makes
tree not expand and collapse branches on double click.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext):
Applied a one-line patch from <jringle@users.sourceforge.net> to
fix problem in the generated iptables script where it would
delete default route if routing rules were used.
2008-08-10 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::checkForUpgrade): the GUI checks if
updated version is available on startup by making simple HTTP GET
request to the web site at http://www.fwbuilder.org. This can be
turned off in the Preferences dialog. Preferences dialog also
provides a button to perform this query at any time. If function
is enabled in Preferences, it is performed at every time the GUI
is launched. The query does not transmit any data to the server,
but the URL of the query includes the version of the Firewall
Builder.
2008-08-06 Vadim Kurland <vadim@vk.crocodile.org>
* new_object.cpp (newObject): fixed bug # 1997469: "Create a new
User library via fwbedit". Fwbedit creates new library and
populates it with correct set of standard folders.
2008-08-05 Vadim Kurland <vadim@vk.crocodile.org>
* pfAdvancedDialog_en_US.html: Help page for the advanced settings
dialog for PF firewall
2008-08-04 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printActionOnReject):
fixed bug #2037806: "Beta 3.0 Build 437: IPTABLES IPv6 policy ICMP
reject action". Ip6tables target REJECT accepts different
arguments for the --reject-with.
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#2037809: "Beta 3.0 Build 437: IP6TABLES_RESTORE missing". Added
missing variable declaration for IP6TABLES_RESTORE to the
generated iptables script
2008-08-03 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp: bug #2037314: "b449 does not
build". More missing #include for gcc 4.3
* newhostdialog_q.ui: fixed bug # 2036963 "Add new Host Object on
MacOSX". The "new host" dialog was too big and did not fit on low
resolution screen
* res.pro: Now installing fwbuilder.desktop file on Linux and
application icons under $DATADIR/icons/hicolor/ (sizes 128x128
16x16 24x24 256x256 32x32 48x48 512x512 72x72)
* bug #2036912 "fwbuilder b442 does not build". Added missing
forward declarations and #include for gcc 4.3
* Applied patch for gcc 4.3 per bug #2036881 "gcc 4.3 patch for
b442", Mandriva Cooker patch
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc4.3.patch
2008-08-02 Vadim Kurland <vadim@vk.crocodile.org>
* iptAdvancedDialog_en_US.html: Added help file for the firewall
settings dialog for iptables firewalls
* Help.cpp (Help::Help): generic built-in help framework. Help
files are created in .html format in src/res/help directory. Help
files can be localized, locale name is part of the file name; we
need to create separate file for each supported language.
First dialog to get associated help panel that can be activated by
clicking "Help" button is Linux 2.4/2.6 firewall host settings
dialog.
2008-08-01 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.pro: Eliminated dependency on QT in all policy compilers.
Compiler binaries can be deployed on machines without QT and X11.
* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
fixed bug #2023243: "IPv6 - Some objects missing from context
menus". Added items "New Address IPv6" and "New Network IPv6" to
context menus associated with folders "Addresses" and "Networks"
in the tree.
2008-08-01 Vadim Kurland <vadim@vk.crocodile.org>
* Fixed build on Mac, starting with rev 433 code is built with QT
4.4.1 and works on both Leopard and Tiger.
* list_object.cpp (getAttributeValue): added command "list" to
fwbedit. This command can print contents of one object, an object
and all objects below it in the tree or contents of a
group. Object's attributes can be arranged in the output according
to the provided format string where attributes are represented by
macros of the format "%attr_name%" where attr_name is the name of
the attribute.
* fwbedit.1: Man page fwbedit.1 has been updated with the list of
commands, options, supported attributes and examples.
* with addition of the "list" command to fwbedit, utility
fwblookup has been deprecated and removed from the package and
source code tree.
2008-07-31 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): Redesigned command line interface for
fwbedit. The first command line argument is a command (one of
"new", "delete", "modify", "list", "add", "remove", "upgrade" or
"checktree") followed by options. Now fwbedit can be used not only
to add or remove objects, but also to modify object
attributes. The CLI is lot more consistent and can be extended
with new commands in the future.
2008-07-30 Vadim Kurland <vadim@vk.crocodile.org>
* fwbedit.cpp: fixes for the bug #2030331: fwbedit/fwblookup
issues: added option "-c" for fwbedit, with this option user can
specify comment for the object being created; fixed both fwblookup
and fwbedit to properly handle objects with duplicate names when
operations are performed on objects specified by their path in the
tree. Now, if several objects have the same name, operation will
be performed on all such objects. Note that this includes
deletion, that is, command
"fwbedit -f file.fwb -l /User/Objects/Addresses/TestAddress"
deletes all objects with name "TestAddress" if there are several.
Added ability to create IPv6 and NetworkIPv6 objects in fwbedit.
New command line option "-c text" can be used to set comment for
the object created via "-t type -n name".
2008-07-30 vadim <vadim@vk.crocodile.org>
* fwbedit.cpp (main): fixed bug #1997475: "Adding Interface via
fwbedit breaks .fwb file"
2008-07-28 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::removeLib): fixed
crash that happened upon exit on some platforms. Need to break
away from the loop after lists were modified because iterators
become undefined.
2008-07-28 Vadim Kurland <vadim@vk.crocodile.org>
* New application icon
2008-07-27 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.h (class ObjectManipulator): removed strange
methods copyObjWithDeep and copyObj2Tree. Fixed drag&drop between
different data files. Copy/Paste and D&D between different data
files properly copy all dependencies and fix references in rules
and groups. Tested with recursive groups (group references itself)
and firewalls with rules referencing other firewalls with groups
and other objects.
* ObjectManipulator.cpp (ObjectManipulator::duplicateWithDependencies):
duplicate object that references other objects and create copies
of these other objects. Examples: firewall (rules reference other
object) and groups. This method is used in "Paste" operation. Will
use it for d&d as well.
2008-07-26 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::moveObj): code
refactoring and cleaning up. Movig all loops over mdi child
windows from ObjectManipulator class to the FWWindow class that
owns all children windows. Along the way fixed few bugs, such as
restored functions "Duplicate to .. " and "Move to ..." that are
available via context menu associated with an object in the tree.
* ProjectPanel_file_ops.cpp (ProjectPanel::saveIfModified):
refactored class ProjectPanel to keep code more organized in
several modules.
2008-07-25 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::closeEvent): properly checking for
unsaved modifications when user hits File/Exit or tries to close
main window.
* ProjectPanel.cpp (ProjectPanel::fileCommit): fixed bug (no #):
crash while doing File/Commit.
* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast):
fixed bug (no #): crash in fwb_ipt when interface object is used
in destination and chain is INPUT.
* init.cpp: removed #include <QCoreApplication>, trying to fix bug
#2027918: "Cannot compile fwbuilder-3.0.0-b413 on x86_64"
2008-07-24 Vadim Kurland <vadim@vk.crocodile.org>
* RCS.cpp (RCS::RCS): If data file has been added to RCS, show its
revision history properly sorted by the revision number in
ascending order and automatically select the latest revision in
the dialog
2008-07-24 vadim <vadim@vk.crocodile.org>
* init.cpp (guessExecPath): properly managing path to the bundle
on Mac.
2008-07-22 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp: Applied patch to make code compile with gcc 4.3 per
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/fwbuilder/current/SOURCES/fwbuilder-3.0.0-gcc43.patch
2008-07-21 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel.h (libfwbuilder): Added missing declarations for
gcc 4.3 per bug #2023292: "fwbuilder 3.0.0 does not build"
* (libfwbuilder) Applied patch for gcc 4.3 per bug #2023676:
"libfwbuilder does not build against gcc 4.3".
* (libfwbuilder) fwbuilder.pro: removed unnecessary override in
target.path to make it install in a proper place on 64 bit
machines'
2008-07-20 <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleTableModel::insertRow): fixed bug (no #)
which caused crash on windows when new rule group was
created. This happened only on win32.
2008-07-20 Vadim Kurland <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug (no #): if
rule set had several rule groups, moving rules within rule set did
not work and caused weird effects.
* NetworkIPv6.cpp (NetworkIPv6::NetworkIPv6): per bug #2023140:
"Default prefix for IPv6 addresses" setting default netmask to /64
for NetworkIPv6 object.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): fixed bug
#2023141: "Can't set interface options". The GUI kept all controls
in the interface object editor enabled when interface was child of
a Host object, even though some controls do not apply to
interfaces of a host. These controls were not saved into interface
objects and the whoile behavior of the GUI was rather
confusing. Now only proper controls are enabled when interface is
a child of a host object.
* RuleSetView.cpp (RuleSetView::removeRule): Fixed bug (no #):
"remove rule" function used to remove wrong rule in the rule set
if rule groups were used.
2008-07-18 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installerSuccess): bugfixes in the
built-in installer on Windows in case of successfull and
unsuccessfull termination of the process. Tests for when plink.exe
asks whether user wants to accept new ssh host key from the
firewall.
2008-07-18 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bugs in
compiler for iptables where it sometimes would not print netmasks
in ipv6 network objects in policy and nat rules.
* Added control for IPv6 forwarding setting in "host settings"
dialogs for Linux, OpenBSD and FreeBSD. This is in addition to the
old ip forwarding control. Corresponding policy compilers add
proper commands to generated scripts to turn ipv6 forwarding on or
off in the kernel.
* ipt.cpp (main): compiler for iptables puts build number in
addition to the version number into "Generated with ..." comment
in the produced script
* instDialog.cpp (instDialog::installerError): fixed crash in the
installer that happened when policy activation ended with an error
* ipt.cpp (main): fixed bug (no #): if generated script used
iptables-restore and if there were automatically generated rules
in the magle table, for example for the "clamp MSS to MTU" rule,
but no other rules in the mangle table, compiler would not add
COMMIT.
2008-07-17 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (prepareForMultiport::processNext): fixed
bug (no #) where compiler for iptables ignored ICMP6 Service
objects used in the same rule in combination with tcp or udp
service objects.
* objects_init.xml.in: Added few more ICMPv6 objects to the Standard
objects library:
type name comment
133 routersol Router solicitation
134 routeradv Router advertisement
135 neighbrsol Neighbor solicitation
136 neighbradv Neighbor advertisement
137 redir Shorter route exists
* ObjectManipulator.cpp (ObjectManipulator::delObj): fixed bug (no
#): GUI crashed when user deleted one of the rule set objects of
a firewall.
* many dialogs: adjusted shape and size of many dialogs that used
to be too big.
* utils.cpp (getAddrByName): getAddrByName() works on all
platforms and gets ipv4 and ipv6 addresses as requested. It looks
like for it to work on Windows Vista machine needs to be
configured with routable ipv6 addresses. When machine only had
Link-local address on fe80:: net, even when ipv6 was enabled,
getaddrinfo sent proper dns request for AAAA record, got reply but
did not pass it back to the application. Once machine was
configured with routable ipv6 address, getaddrinfo started working
as expected. This problem was not observed on Linux and Mac OS X.
* IPv6Dialog.cpp (IPv6Dialog::DNSlookup): Added "DNS Looup" button
to the IPv6 object dialog.
* dns.cpp (list): (libfwbuilder) Using getaddrinfo on all OS to
perform dns lookup for different address families (AF_INET or
AF_INET6).
* utils.cpp (getAddrByName): using DNS::getHostByName instead of
QT functions to perform host name lookup. This should allow us to
do it for both AF_INET and AF_INET6 address families. Needs more
testing.
2008-07-16 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (dumpScript): Fixed bug (no #) that triggered when
iptables script was geenrated with option that uses
iptables-restore for activation. If ipv6 policy was empty,
compiler added "( ) | ip6tables-restore" anyway which caused
syntax errors.
* RuleSetView.cpp (RuleSetView::addToGroupAbove): Additional check
for a bug where adding very long list of rules to a rule group
caused crash once. Bug is hard to reproduce.
2008-07-15 vadim <vadim@vk.crocodile.org>
* testing and bug fixes with QT 4.4.
* Testing on Mac OS X and Windows Vista.
2008-07-08 vadim <vadim@vk.crocodile.org>
* fwcompiler.pro (LIBS): fixed build errors on Ubuntu Hardy.
Background info: need to include -lfwbuilder while linking
fwcompiler library on all Unix platforms because of the linker
option -Wl,-Bsymbolic-functions . Discovered this on Ubuntu Hardy
where libsnmp adds this option via net-snmp-config --libs
2008-07-07 Vadim Kurland <vadim@vk.crocodile.org>
* listOfLibraries.cpp (listOfLibraries::listOfLibraries): Removed
support for add-on libraries in the GUI. User can now open their
working file and external library file simultaneously and copy
objects from one to another. This removes the need for the
cumbersome add-on libraries feature. Will keep module
listOfLibraries and corresponding code fragments in ProjectPanel
and FWWindow until removal of this feature is validated by users.
* PolicyCompiler_pf_writers.cpp: Support for "synproxy state"
option for PF per FR #1098098: "Per-rule Synproxy"
* templates.xml.in: Updated template firewall objects to include
"top_rule_set" attribute.
* RuleSetDialog.cpp (RuleSetDialog::loadFWObject): Added attribute
"top_rule_set" to Policy, NAT and Routing objects. This attribute
is controlled by a checkbox "Top rule set" in the corresponding
object dialog.
The attribute has platform-specific meanning. On iptables, "top"
rule set goes into the built-in chains INPUT, OUTPUT, FORWARD; if
this flag is unchecked, rules go into user-defined chain with the
name the same as the name of the rule set. On PF, If this flag is
unchecked, rules go into anchor with the name the same as the name
of the rule set. On Ciscio IOS ACL If this flag is unchecked,
generated access list will not be assigned to interfaces with "ip
access-group" command and also the name of the ACL will be
prefixed with the name of the rule set to make it unique.
One policy, nat and routing rule set must be marked as
"top". Other rule sets are secondary and will be placed in their
own unique chains, anchors or access lists (depending on the
platform). Control may or may not be passed to these chains and
anchors. One way to pass control is by using rule action "Branch"
in the top rule set. However if control is not passed that way,
compiler will still generate corresponding commands which can be
used by means external to the firewall builder.
Auto-upgrade migration script will assign attribute "top_rule_set"
to Policy objects with name "Policy", NAT objects with name "NAT"
and Routing objects with name "Routing". This provides for
consistent backwards-compatible behaviour after upgrade from v2.1
2008-07-06 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printAddr):
Support for IPv6 in Cisco IOS ACL compiler fwb_iosacl.
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
Removed option "Enable IPv6 support" in the "advanced" dialog for
all platforms. Now user needs to explicitly declare rule sets as
ipv6. Since by default all rule sets are ipv4, there is no need
in yet another parameter to enable ipv6 support.
* RuleSetDialog.cpp (RuleSetDialog::applyChanges): Objects Policy,
NAT and Routing now have attribute that tells compiler that
corresponding rule set is ipv4 or ipv6. The attribute is
controlled by radio-buttons in corresponding object dialog. Every
policy or nat rule set is treated as exclusively either ipv4 or
ipv6 by compilers, however the user can put objects of both
address families in rules. This allows for creation of object
groups that include objects of both address families. Such groups
can be used in both ipv4 and ipv6 rule sets. Compilers pick
objects that match address family declared for the rule set and drop
others.
One of the reasons why this attribute was added is to avoid
generation of unwanted iptables or acl lines for rules that can
not be unambiguously attributed to particular address
family. Example of such rule is rule with "any" in both source and
destination (e.g. "catch all and deny" rule typically found at the
bottom of the policy). Without this attribute compilers tried to
process every rule set for both ipv4 and ipv6. This way rule "any
any any deny" found in ipv4 policy yielded corresponding line in
the ipv6 policy, which was wrong.
* instDialog.cpp (instDialog::installSelected): minor fixed in
installer dialog (fixed progress bar and buffering of the compiler
output)
2008-07-05 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTOS):
Support for TOS and DSCP matching in IOS access lists.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
Support for tos matching in compiler for pf. PF does not support
DSCP matching.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): Support for
TOS and DSCP matching in compiler for iptables.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): Added
support for attriutes "tos" and "dscp" in IPService object. FR
#1948944: "support for TOS matching".
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules):
Implemented support for combinations of srcip, dstip, srcport,
dstport options of the hashlimit module for iptables per bug
#1812388: "add srcip,dstip to choices for hashlimit mode"
2008-07-03 Vadim Kurland <vadim@vk.crocodile.org>
* fwbuilder.1: updated man page for fwbuilder GUI.
* ipt.cpp (main): document iptables version settings from the
firewall object in generated script (for support and debugging).
* MangleTableCompiler_ipt.cpp (flushAndSetDefaultPolicy): iptables
rule with target TCPMSS generated for option "Clamp MSS to MTU" is
valid only in mangle table in iptables 1.3.x and later. Still
generate this command in the filter table for earlier versions of
iptables
* PrefsDialog.cpp (PrefsDialog::getFontDescription): Tab "Fonts"
of the Preferences dialog shows currently selected fonts for both
the tree and rules.
2008-07-02 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::addToLog): fixes in built-in
installer; pretty printing of the external process output;
properly enable "next" and "finish" buttons.
2008-07-01 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol):
compiler for iptables distinguishes ICMPService and ICMP6Service
* objects_init.xml.in: Added few standard ICMP6 objects
* ObjectManipulator.cpp (ObjectManipulator::newICMP6): Added
support for ICMP6Service object type in the GUI
* ICMP6Service.cpp (ICMP6Service::ICMP6Service): Added class
ICMP6Service
* fwbuilder.dtd.in: Added XML element ICMP6Service
2008-06-30 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): do not
generate "-m icmp6 --icmp6-type any" for ipv6 for object "any
icmp".
2008-06-28 Vadim Kurland <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromDNS): object
"discovery" by DNS zone transfer is not supported anymore.
2008-06-27 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol):
should use "-p ipv6-icmp" for ipv6 rules.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printProtocol): skip
"-p all" for ipv6 to avoid warning "Warning: never matched
protocol: all. use exension match instead"
2008-06-26 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): using
"-m frag --fragmore" for IPService objects that should match ip
fragments.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printDstService):
compiler uses "--icmpv6-type" and "-m icmp6" options while
generating ipv6 script.
2008-06-20 <alek@codeminders.com>
* FWWindowPrint.cpp: fixed bug # 1896771: "printing user defined
chains".
* main.cpp: implemented printing of the firewall object contents
from CLI per bug #1996739: "Feature: CLI printing or policy export".
Use command line flag "-P <firewall_name>" to print and exit.
2008-06-16 <alek@codeminders.com>
* newHostDiaog.cpp: fixed bug #1899488: "Unable to set MAC address
while adding a host"
2008-06-13 <alek@codeminders.com>
* GroupObjectDialog.cpp: implemented sorting by name and parameter
in group dialogs per bug #646804: "No sort in Group".
2008-06-10 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
support for the "new" time module for iptables
2008-06-08 Vadim Kurland <vadim@vk.crocodile.org>
* merged branch "id-experiment" r233:HEAD
2008-06-07 Vadim Kurland <vadim@vk.crocodile.org>
* main.cpp (main): support for integer object ids
2008-06-06 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printUser): Support
for UserService in compiler for PF. FR #1948872: "User based
rules"
* FWBSettings.cpp (FWBSettings::restoreGeometry): the program will
remember window size and restore it on subsequent runs, but will
not remember window position on the screen. This caused problems
on Mac OS X (because window title bar and tool bar weren't taken
into account, so window would slide up on every next run)
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkUserServiceInWrongChains::processNext):
Support for UserService in compiler for iptables. FR #1948872:
"User based rules"
* IPv6 suport implemented in the GUI and compilers for iptables
and pf: FR #1517015, 1705261, 1706246, 1826325
* Rules with action Tag reference TagService objects. User drags
and drops TagService object into a drop area in the rule action
dialog. FR #1696841: "Mark action and TagService"
2008-06-05 <alek@codeminders.com>
* IPv4Dialog, NetworkDialog, newHostDialog, newFirewallDialog:
netmask can be entered as bit length, in addition to the bit mask
format supported before. Both formats are recognized. FR #995452,
1617297, 1666016
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp, pf.cpp: Compilers for iptables and pf recognize branch
rule sets that belong to different firewall objects. FR #737132:
"Linkable Rules", #1224898 "Rule Link"
* PolicyCompiler_ipt.cpp (dropTerminatingTargets::processNext):
bugfix in the shadowing detection for non-terminating rules in the
mangle table.
* All compilers: all compilers include error and warning messages
produced during compilation in the generated script. Messages are
grouped by corresponding section (Policy, NAT, all branches
etc.). Normally only warnings will be included because compilers
stop when they encounter an error condition, however if compiler
is being ran with "-xt" command line option, it does not stop and
includes error messages in the output as well. This helps catch
changes that generate warnings but do not translate into
differences in generated configuration.
2008-06-02 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
Support for --weekdays parameter in iptables 1.4.0 module "time".
Per bugs #1914371: "iptables 1.4.0", #1806045: "latest 1.3.8
time match changed", #853364: "Time Restriction feature request".
* platforms.cpp (list): Added iptables version 1.4.0 to the list.
Will use it for the "new" time module support. Bugs #1914371:
"iptables 1.4.0" and #1806045: "latest 1.3.8 time match changed"
2008-05-30 Vadim Kurland <vadim@vk.crocodile.org>
* pf.cpp (main): Like compiler for iptables, compiler for PF now
supports multiple rule sets for policy and nat. Each rule set is
translated into corresponding anchor .conf file. If some rule in
another rule set references it via action Branch, corresponding
"anchor" configuration line is generated, but if it is not
references from any rule, the anchor .conf file is still
created. Rule sets "Policy" and "NAT" are configured "main" or
"root" and placed in the main .conf file with the name of the
firewall object.
2008-05-29 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Compiler for iptables processes all Policy and
NAT rulesets that firewall object has, regardless of whether they
are referenced from any rules with action Branch or not. This is a
change compared to the behavior of 2.1 which processed only those
branch rule sets that were used in Branch rules. Each rule set
that has name other than "Policy" is placed in a chain with the
name the same as the name of the rule set. This way the user can
create multiple rule sets and place them in different chains,
control to these chains can be passed in the iptables commands
supplied in prolog or epilog scripts.
Another reason for this is to allow the user to place rules for
ipv4 and ipv6 in separate rule sets. An attribute "address_family"
will be added to objects Policy and NAT later on to be able to
mark rule sets as belonging to either ipv4 or ipv6 address
family. This separation helps avoid ambiguity that is possible in
mixed rule sets (when both ipv4 and ipv6 rules are mixed in the
same rule set). Suppose we allow the user to put both ipv4 and
ipv6 rules in the same rule set and the user creates a rule with
ipv4 object in Dst with negation. "Not host A", where "host A"
translates into one ipv4 address should probably include "all
ipv6" as well, which means that this simple rule can inadvertenly
block all ipv6 without user even noticing it. This can be very
confusing and difficult to troubleshoot. Placing rules acting on
different address families into different rule sets helps avoid
this problem.
* ipt.cpp: Compiler for iptables can determine if a rule set is
referenced by a rule with action Branch and option "branch in
mangle table in addition to the filter table" and correctly places
referenced rule set in both filter and mangle tables.
2008-05-29 <alek@codeminders.com>
* ObjectManipulator.cpp: new feature v3: Policy rules can now be
arranged in multiple rule sets with names. These rule sets are
shown in the tree under the firewall object (next to its
interfaces). Each rule set is independent from others, user can
add as many as they want. Rules with action "Branch" refer to
existing rule sets, user associates them by dragging rule set
object into action parameters dialog of the branching rule. This
also fixes bug #1753297: "duplicate chain tab".
2008-05-23 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (countChainUsage::processNext): New
feature: compiler for iptables keeps track of chain usage and
removes unused chains from the generated iptables script. This
helps optimize generated script and makes it smaller, especially
in mixed IPv4/IPv6 configurations.
2008-05-22 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Policy compiler for iptables supports
IPv6. Added command line switches "-4" and "-6" which force
compiler to generate script for only one specified address
family (by default it does both). Compiler can generate simple
ipv6 iptables script. Generated script still can be improved but
seems to be formally correct at this time.
2008-05-18 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp: compiler for iptables converted to
use exclusively methods getAddressPtr and getNetmaskPtr. Checking
for when Address object has no IP address where
appropriate (getAddressPtr() returns NULL in this case).
2008-05-10 vadim <vadim@vk.crocodile.org>
* pf.cpp: (from 2.1) fixed bug #1961202: "Pf Timeouts overriden by
Optimization". Compiler should generate "set optimization" command
before "set timeout" commands.
2008-05-08 vadim <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (printFirewall): (from 2.1): fixed bug
#1562726: "policy print rule cut-off". Long rulesets would not
print correctly on Windows, the bottom of the ruleset table was
just printed solid grey with no rules visible.
* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): (from
2.1): partial fix for bugs #1789059 "shadow issue when using
action chain" and #1945149: "Shadowing test for rules with action
"chain". The mechanism for rule shadowing detection we have at
this time can only detect shadowing of one rule by another. In
case of branching it is a combination of the branching rule and
rules inside the branch that may shadow other rules. I plan to
redesign this part of the code in the future, but it won't happen
in upcoming v3.
Meanwhile, I am fixing it in 2.1 by making compiler ignore rules
with action Branch.
2008-05-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext),
RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from
2.1) fixed bug #1821573: "Rule options limits allow for multiple
overload tables". PF allows only for one "overload" option per
rule.
* IPTImporter.cpp (IPTImporter::pushPolicyRule), (from 2.1)
iptables.g (target_options): fixed bug #1949438: "parser expects
decimal - hex is not accepted". Importer for iptables should be
able to process "--set-mark" with hex argument.
* fwbedit.1: (from 2.1) fixed bug #1949103: "manpage slightly
broken". Minor fixes in fwbedit.1 man page.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
(from 2.1) fixed bug# 1940504: "Clamp MSS to MTU". Iptables
command that invokes "-j TCPMSS --clamp-mss-to-pmtu" in FORWARD
chain should go before the one that matches "--state
ESTABLISHED,RELATED" in order to work for the packets in these
states.
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): (from
2.1) fixed bug #1938985: Rate in hashlimit in local language
2008-04-28 <alek@codeminders.com>
* v3 feature: rules can be grouped in Policy, NAT and
Routing. Group of rules can have a name and color and can be
collapsed or expanded. Collapsed rule groups take room equivalent
to one rule in the ruleset panel. This implements Feature Requests
#1961702, 1938992, 1751141, 1602294, 1372620, 1083981, 1017566,
848553, 811542,
2008-04-13 Vadim Kurland <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug (no
#): compiler fwb_ipt used to treat host objects as networks in
TDst and generate iptables output with /netmask of the interface.
* (various places in src/ipt): PREPARATION FOR IPV6: Changing
IPv4::cast to dynamic_cast<InetAddrMask*> everywhere. In loops
that walk child objects of interfaces, cast child objects to
InetAddrMask* or to FWObject* instead of IPv4*. This is to
facilitate support for ipv6 in the future. In all these places we
need to use two aspects of the child objects: either their
position in the tree, in which case FWObject* is sufficient, or
their address/netmask, in which case we should use InetAddrMask.
* (various places in src/pflib): PREPARATION FOR IPV6: Changing
IPv4::cast to dynamic_cast<InetAddrMask*> everywhere.
2008-03-09 vadim <vadim@vk.crocodile.org>
* (from 2.1) pf.cpp: fixed bug #1899914: "Script to apply the new
rules." It is enough to execute "pfctl -f file.conf" to load PF
policy. There is no need to purge filter and nat rules first, then
reload it.
* (from 2.1) RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1908351:
"rcs does not save log message and file remains locked"
* (from 2.1)
Compiler.cpp (emptyGroupsInRE::countChildren): (libfwbuilder)
fixed bug #1905718: "Group of DNS Name objects considered empty"
2008-03-06 <alek@codeminders.com>
* v3 feature: Firewall Builder v3 GUI redesigned as MDI
interfaces. Several data files can be opened simultaneously and
objects dragged and dropped from one file to another. FR # 984979
"split window view of tabs".
* v3 feature: the GUI allows the user to change font used for the
UI, object tree and rules (separately). FR #1621799: "main window
font_size & column resizing" (although column width is not saved).
* v3 feature: The user can switch between icons 25x25 and 16x16 in
rules. FR #1844437 "25x25 Icons to 16x16"
2008-03-05 vadim <vadim@vk.crocodile.org>
* VERSION: started v2.1.18
* src/cisco_lib, src/iosacl, src/pix: Code for policy compilers
for Cisco IOS ACL and PIX has been released under
GPL and merged into the main fwbuilder tree.
2008-02-18 vadim <vadim@vk.crocodile.org>
* CircularQueue.hpp (antlr): fixed crash of the policy importer on
64-bit systems. This fixes bug #1886575: "Seg Fault on reading
vanilla Fedora iptables file". See comment in module
CircularQueue.hpp for details.
2008-02-10 vadim <vadim@vk.crocodile.org>
* pt_BR.po: updated Brazilian Portuguese translation by Rubens
Ferreira Neto <rubens.ferreiraneto@ig.com.br> and Jose
Carlos Medeiros <jose@psabs.com.br>
* PrefsDialog.cpp (PrefsDialog::PrefsDialog): fixed bug #1886570:
Diagnostic related to Edit->Preferences. Removed harmless but
annoying error message that appeared on stderr when user opened
Preferences dialog.
* IPTImporter.cpp (IPTImporter::pushPolicyRule): Fixed bug
1883536: "fwbuilder segfaults when importing iptables conf". Added
support for TCPMSS target with option --clamp-mss-to-pmtu in
iptables importer; also made importer upderstand option
--tcp-option but skip it since it is not supported in fwbuilder.
2008-02-06 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix::RCSEnvFix): fixed bug #1849392: "RCS using
windows 2003 without administrator rights". Pass TMP and TEMP
environment variables to RCS tools
* pix_os.xml.in: more for the bug #1816798: "Installing policy on
PIX 501 fails". The fix that was made for v2.1.16 did not cover
test-mode install, which is now fixed too. Command "terminal pager
" is valid only for PIX 7.x and caused error while installing
policy on PIX 6.3. Removed this command from the install sequence,
it was not essential.
2007-12-29 <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::stateMachine): using signal proper for qt4
(bytesWritten(quint64) instead of wroteToStdin)
2007-12-19 vadim <vadim@vk.crocodile.org>
* v2.1.16 release
2007-12-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printRunTimeWrappers):
fixed bug #1851166: "Installscript does not test for destination
ip address". The problem affected specific case of a firewall with
two (or more) interfaces that get their address dynamically and a
policy rule that has one such interface in source and another in
destination. Generated iptables script retrieves actual addresses
of both interfaces and assigns them to variables, then uses these
variables in actual iptables rules. Special check is provided in
case some interface did not obtain any ip address at a time of
execution of the script. Previously such test was only done for
one dynamic interface per rule. This change makes the script check
for both.
* ipt.cpp: bug #1850352: "Install script wrongly completes
successful". Storing exit status of iptables-restore so that
generated firewall script can return the same status after it
executes commands that set kernel parameters and runs user-defined
epilog code.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions):
applied patch #1850357: "Add support fo load balancing with pf to
PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net)
that adds support for load balancing rules in PF. Extended the
patch adding support for address/netmask format of the next hop.
Added checks for illegal IP addresses and netmasks in the next
hop. Test cases for the PF load balancing rules are in
test/pf/objects-for-regression-tests.fwb, firewall object
firewall40-1.
2007-12-13 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: working on bug #1850352: "Install script wrongly
completes successful". Added more checks to the installer
scriptlet to make it properly terminate with non-zero error code
if iptables-restore returned error. Previously "echo" in the end
of the generated masked error code returned by iptables-restore
and made the GUI report successfull install even when it
terminated with an error. Also added test for the presence of
pkill on the system so that the script does not try to run it if
it is not available.
* platforms.cpp (list): applied patch #1850368: 'PF 3.7 has
support for "set skip on"'. Patch by tomjudge@users.sourceforge.net
extends support for "set skip on" option to pf 3.7.
* platforms.cpp (isDefaultPolicyRuleOptions): fixed bug #1850346:
"GUI has 2 views on which actions should be stateless". Even
though GUI made rules with action Route stateful by default, code
that determined if combination of options of a given policy rules
was default thought these rules should be stateless.
* ipt.cpp: Applied patch 1835308: "Patch for adding "-q" option to
fwb_ipt". Option "-q" suppresses timestamp that is normally
included in the generated script. This way, if no objects or rules
changed in the firewall builder, generated script will be exactly
the same. Timestamps made generated script different even if
nothing really changed in the objects, which made external version
control systems detect changes when there were none.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
fixed bug 1848204: "ULOG-Setting ignored for invalid packets",
applied patch #1848609 provided by reporter. Code that matched and
logged packets in state INVALID always used target LOG, which was
a problem for iptables installations that only come with target
ULOG.
* tcpservicedialog_q.ui: patch #1849500: "tooltip patch for
tcpservicedialog_q.ui". Additional tooltips in the TCP Service
dialog to explain function of tcp flags masks and settings.
2007-12-12 vadim <vadim@vk.crocodile.org>
* ipt.cpp: fixed bug #1849328: "iptables restore unusable in
2.1.15". This bug was introduced by the change for the bug
1812295. If option "use iptables-restore to activate policy" is
on, we always generate script that prints iptables commands using
echo and sends them to the input of iptables-restore via pipe.
* VERSION (FWB_MICRO_VERSION): begin v2.1.16
2007-12-08 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1821576: "Rule option tracking gives inavlid config with
default value". Compiler should skip max-src-nodes when it is set
to default '0' in the GUI.
* Added Brazilian Portuguese translation by Jose Carlos Medeiros
<jose@psabs.com.br>
2007-11-25 vadim <vadim@vk.crocodile.org>
* Starting with build 320 Windows packages install on Vista
2007-11-15 vadim <vadim@vk.crocodile.org>
* FWObjectDropArea.cpp (FWObjectDropArea::paintEvent): more fixes
for bug #1826558: need to fill background rectangle in "object
drop" widget for search.
* RuleSetView.cpp (RuleSetView::paintCell): more fixes for bug
#1826558: need to fill background rectangle in action, options and
comment columns.
2007-11-14 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1826558:
"OSX 10.5 font problem". This problem appeared only in Mac OS X
Leoprard (10.5) build, other platforms were unaffected.
2007-11-02 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installSelected): previous fix for
the bug #1811781: "Batch Install" was insufficient. Needed to
clear altAddress input field in the install options dialog in case
of the batch install.
2007-10-28 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::createPrintRuleProcessor):
fixed bug #1812295: "Can't use runtime address tables AND
iptabels-restore". Script generated by fwb_ipt used "here
document" if the option "use iptables-restore to activate policy"
was turned on. This did not work in case policy used any tun-time
address table objects. Now generated script always uses "echo" to
generate iptables commands that it sends to th standard input of
iptables-restore.
* instDialog.cpp (instDialog::doInstallPage): fixed bug #1811781:
"Batch Install". Built-in installer used address of the first
firewall of the batch to communicate with all firewalls in the
"batch install" mode.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::addDefaultPolicyRule):
fixed bug #1800875 "'keep state' missing from pass out going
traffic rule". Compilers for pf, ipf and ipfw were affected.
* pix_os.xml.in: fixed bug #1816798: "Installing policy on PIX 501
fails". Command "terminal pager " is valid only for PIX 7.x and
caused error while installing policy on PIX 6.3. Removed this
command from the install sequence, it was not essential.
2007-10-06 vadim <vadim@vk.crocodile.org>
* ipfAdvancedDialog.cpp (ipfAdvancedDialog::ipfAdvancedDialog):
applied patch by <Cy.Schubert@komquats.com> to add support for
Kerberos rcmd and Kerberos ekshell proxies in ipfilter NAT rules.
* VERSION (FWB_MICRO_VERSION): begin v2.1.15
2007-09-10 vadim <vadim@vk.crocodile.org>
* 2.1.14 release
2007-09-08 vadim <vadim@vk.crocodile.org>
* configure.in: patch by Carlos Silva <r3pek@r3pek.org> to add
third parameter to AC_DEFINE_UNQUOTED
2007-08-25 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): fixed
bug #1764971: "allowed value range for burst limit". Iptables
"--limit-burst" option should not be limited in the GUI.
* instDialog.cpp (instDialog::continueRun): fixed bug #1772722:
"installer should recognize when it uses plink 0.60". We detect
when installer uses plink on Windows by checking the name of the
configured ssh client. The check should be case-insensitive.
2007-08-06 vadim <vadim@vk.crocodile.org>
* configure.in: applied patch by Carlos Silva <r3pek@r3pek.org> to
make configure.in use ANTLR C++ run-time installed on the system
if it can find one; otherwise it uses copy in src/antlr
2007-08-05 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: fixed bug (no num): importer for iptables
should properly assign rule options when it finds "-m limit" and
"--limit" options in the input file.
* IPTImporter.cpp: added a workaround for a situation when several
iptables commands pass control to the same user-define chaine in
the iptables-save file. As of fwbuilder v2.1, branch ruleset is a
child object of PolicyRule. This means two different rules can not
point at the same branch ruleset. This is unfortunate but it is
hard to fix in the current version because it requires changes XML
DTD and API. Will do this in 3.0. Meanwhile, checking if branch
ruleset with requested name already exists and change the name by
adding suffix '1', '2' etc to make it different. Imported rule is
marked as 'bad' (red background) and gets a comment explaining this.
* iptables.g (tcp_flags_list): fixed bug #1764988: "iptables
import -> GUI crash": syntax for TCP flag matching in
iptables-save should allow for more than 2 flags in 'comp' part
* iptables.g (target_options): added missing supprot for
"--log-tcp-sequence", "--log-tcp-options" and "--log-ip-options"
options for target LOG to iptables policy importer
* iptables.g (protocol_word): fixed bug (no num): iptables policy
importer should properly parse numeric protocol
specification (e.g. "-p 47").
* Importer.cpp (Importer::getTCPService): fixed bug #1764988:
"iptables import -> GUI crash": iptables policy importer
recognizes and parses TCP flag parameters ALL and NONE
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug
#1764988: "iptables import -> GUI crash": iptables policy importer
recognizes and parses target RETURN
2007-08-01 Vadim <vadim@debian-unstable.vk.crocodile.org>
* FirewallDialog.cpp: fixed bug reported in Debian Bug report
#417685 - added missing #include <algorithm> to make code
compile with gcc 4.3
* fixed bug #1761373: "libfwbuilder doesn't build on Mandriva
cooker". Applied fixes to make the code compile with gcc 4.2
* VERSION: started 2.1.14
2007-07-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfaceAndDirection::processNext):
compiler permits setting direction in the rule while interface
field is "All". This generates iptables command in chain INPUT or
OUTPUT with "-i +" or "-o +" interface specification to match all
interfaces.
2007-07-14 vadim <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultPolicyRuleOptions): platform "iosacl"
does not have any rule options at this time; making sure we never
show an icon indicating non-default options.
* templates.xml: added simple template for Cisco router 36xx
* pf.cpp (main): Added support for "set skip on <ifspec>" command
for PF. If an interface is marked as "unprotected" in the GUI,
compiler generates this command for it. This is useful for loopback
or other virtual interfaces.
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): better
compliance with PF 4.x. Feature Req. #1679793: "add 'no state' and
'flags any'". If version is set to 4.x, compiler skips "flags S/SA
keep state" for rules mathcing tcp services. However, according to
the section "1.2. Operational changes" in PF FAQ at
http://www.openbsd.org/faq/upgrade41.html , there should be a way
to add "keep state" explicitly for rules on interface enc0. Added
this option to the rule options dialog.
* pf.cpp (main): implemented support for PF limit options
"src-nodes", "tables" and "table-entries". Feature Req. #1674919:
"Support "set limit table-entries""
2007-07-12 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp: More key caching request and other messages for
wider variety of ssh clients.
* SSHPIX.cpp (SSHPIX::stateMachine): fixed bug #1753188: "policy
activation fails on PIX and IOS". Installer failed if account used
to authenticate to the router or PIX went straight to 'enable'
mode after login.
2007-07-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printLogging): fixed
bug #1747828: "anchors generation - "log" not supported". "Log"
keyword is not allowed in "anchor" rules; compiler should not
generate it even if user turned logging on in a rule with action
'Branch'
* PolicyCompiler_ipt.cpp (checkForRestoreMarkInOutput::processNext):
fixed bug #1747332: "missing CONNMARK/ restore mark in Output Chain"
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1746257: "fwbuilder breaks IPv6". Added an option to
the firewall settings dialog for iptables that controls whether
compiler should skip generation of the code to set default policy
of all ipv6 chains to DROP. This option is off by default, that is
compiler puts the code in. This helps maintain backwards
compatibility with old data files that do not have this option,
which is equivalent to this option being "off".
2007-07-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::unlockObject): fixed
bug #1743117: "crash while editing any". Added check, user should
not be able to unlock Standard objects library
* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766:
"lock not saved". This method now copies the value of "ro"
attribute (read-only). Clear it in the caller if
neccessary. Method duplicate() clears it after calling
shallowDuplicate in order to be able to modify the object, then
restores this attribute to its original value.
2007-06-23 vadim <vadim@vk.crocodile.org>
* v2.1.12 release
* iptables.g (target_options): parser for iptables is aware of
"--set-tos" target option. Even though fwbuilder does not support
target TOS, importer should be able to import policy that uses it
without crashing.
2007-06-20 vadim <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (printFirewall): fixed bug #1739373: "FWB2111,
register Routing not printed". Tab "Routing" was not included in
the printed copy of firewall policies.
* NATCompiler_pf.h: fixed bug #1740545: "AddressTable in NAT
section". Policy compiler for PF crashed if AddressTable object
was used in TDst element of a NAT rule.
2007-06-17 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): fixed bug (no number)
where installer failed to properly copy .fwb file over to the
firewall if file name contained whitespace
2007-06-16 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::prepareInstallerOptions): discovered
and fixed bug in the installer: if management interface of the
firewall is dynamic (i.e. had no IP address) and address of the
firewall was given in the "Installer" tab of the firewall object
dialog, installer failed to copy it to the instOptionsDialog and
filled corresponding entry field with 0.0.0.0
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printShellFunctions): fixed bug 1737733:
"install script doesn't detect BROADCAST if eth is NO-CARRIER".
If firewall script runs before network interface comes up (i.e. is
still in NO-CARRIER state), script failed to add virtual addresses
for NAT.
2007-06-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (registerOption): after changes made in the
compiler to simplify algorithm used to decide which chain a rule
with action Tag should go to, rule action option "Mark connections
in PREROUTING chain" ( "ipt_mark_prerouting" ) has been
deprecated.
2007-06-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::reopenFirewall): Added platform
capability element "supports_nat" - if True, platform supports NAT
rules so the main window should show tab "NAT" in the policy
view. If this parameter is False, the tab disappears.
* DiscoveryDruid.cpp (DiscoveryDruid::DiscoveryDruid): added main
menu item "File -> Import Policy" that activates Discovery Druid
and opens it on the page where user can choose configuration file
for import.
2007-06-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_flushAndSetDefaultPolicy):
fixed bug #1711595: "ip6tables DROPs". Compiler adds rules to
permit any-to-any on loopback interface for ipv6 in addition to
rules that set default policy to DROP for all chains in ipv6
2007-06-06 vadim <vadim@vk.crocodile.org>
* antlr.pro: Added ANTLR C++ runtime to the project under src/antlr
2007-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (setChainPreroutingForTag::processNext):
streamlined algorithm that assigns chain to a rule with action
Tag. The goal is to always use chain PREROUTING for rules with
direction Inbound or Both and a combination of OUTPUT and
POSTROUTING for rules with direction Outbound and Both.
2007-06-02 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importPlatformChanged):
finalized rule importer GUI.
2007-06-01 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushNATRule): NAT import now works
2007-05-30 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug #1727715: "Policy Installer failed but
indicates succes". Activation script for PF exits with non-zero
return code if script activation fails.
* IPTImporter.cpp (IPTImporter::addSrv): import of target MARK and
TagService for iptables
* IPTImporter.cpp (IPTImporter::pushRule): support for module
"limit" in importer for iptables
2007-05-29 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): meaningful import of
iptables-restore files with all actions for filter table. Action
"Continue" helps import iptables commands with targets LOG and
ULOG.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Added
support for action "Continue" (an empty action) in the GUI and
compiler for iptables. This action creates a rule that does
nothing, however it generates iptables command with target "-j
LOG" if logging is turned on. This can be useful if one wants only
to log packets that match certain pattern but not make any policy
decision in the same rule.
2007-05-28 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushRule): basic iptables-restore
import works (only policy rules, only minimal set of modules)
2007-05-27 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp: initial work on iptables importer
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::generateCodeForProtocolHandlers): Fixed
bug in the shell code that finds netfilter modules (missing
closing '"'). This bug broke generated iptables script. Bug was
introduced in 2.1.12 some time before build 270
2007-05-25 vadim <vadim@vk.crocodile.org>
* iosacl.g (vlan): ignore "vlan" commands while importing IOS
config
* IOSImporter.cpp (IOSImporter::finalize): IOS accesslists
importer properly handles situation when the same list is applied
to multiple interfaces with different directions.
2007-05-22 vadim <vadim@vk.crocodile.org>
* run-tests.sh: simple framework for automated unit tests
* importer_test.cpp: unit test for Cisco IOS access lists
importer
* IOSImporter.cpp (IOSImporter::finalize): IOS access lists
importer works with a large complex test file. Test can be
imported and then compiled with no manual changes.
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
allow for object group in "Interface" rule element
2007-05-21 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::loadDataFromImporter):
finished configuration importer GUI
2007-05-16 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp: fixed bug #1718791: "Bug with
more than one router". This bug affected routing rules.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::generateCodeForProtocolHandlers):
fixed bug #1720022: "Fail to load modules .ko.gz".
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
fixed bug #1720480: '"-A POSTROUTING -i interface" in branching
rules'. Compiler should not generate iptables commands in
POSTROUTING chain with "-i interface" clause.
2007-05-15 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (DiscoveryDruid::importConfig): basic GUI
support for the configuration importer
* IOSImporter.h (class IOSImporter): derived class - importer for
Cisco IOS ACLs
* Importer.h: generalized policy importer framework. Requires
grammar for each platform.
* iosacl.g: ANTLR grammar for IOS ACLs. Only "access-list ", "ip
access-list extended" and certain "interface" commands cam be
parsed
2007-05-11 vadim <vadim@vk.crocodile.org>
* SSHSession.cpp (SSHSession::readFromStdout): note about
built-in installer on windows. Installer seems to have broke with
upgrade of QT to 3.3.8. Specifically, in
SSHSession::readFromStdout(), proc->readStdout() returns a byte
array that contains actual output from the device, with some
garbage appeneded to it. The garbage is included in the size()
count of QByteArray returned by readStdout so it gets included
into the QString which we append to stdoutBuffer. This happens
only on win32; reverting to QT 3.3.7 fixes the problem.
2007-05-10 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): implemented support for
scheduled reload for PIX firewalls (for roll-back).
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
PIX and Cisco routers (IOS) : built-in installer can schedule
reboot of the firewall before activating new policy, then cancel
it if the policy has been activated successfully.
* instOptionsDialog.cpp (instOptionsDialog::instOptionsDialog):
fixed long-standing problem with size of the built-in installer
options dialog. The dialog was too big and did not properly resize
itself when some options were hidden.
* SSHIOS.cpp (SSHIOS::stateMachine): installer for Cisco routers
2007-05-09 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): added
support for the new attribute "unprotected" for the Interface
object in the GUI. Compilers skip this interface while assigning
ACLs or policy rules to interfaces. This is supported only in the
compiler for Cisco IOS ACLs at this time.
2007-05-08 vadim <vadim@vk.crocodile.org>
* iosAdvancedDialog.cpp (iosAdvancedDialog::iosAdvancedDialog):
Added dialogs and resource files for Cisco IOS ACLs
2007-05-07 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::changeAction): setting option
"stateless" appropriately when new rule is created.
* objects_init.xml: added object "All TCP established" - a tcp
object with open port range and flag "established"
* PolicyCompiler_ipf.cpp (PolicyCompiler_ipf::compile): using rule
processor CheckForTCPEstablished in compilers for iptables, ipf
and pf to check for TCP service objects with flag
"established". This is considered an error because these platforms
do not provide support for "established".
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext): using
new TCPService object flag "established" in compiler for ipfw.
* PolicyCompiler_ipf.cpp (doSrcNegation::processNext) and
PolicyCompiler_ipfw.cpp: rules created for negation with action
'Continue' should be stateless.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug (no
number): compiler used to not set unique internal id for rules in
branches, which lead to chain names like 'C.0' in generated
script.
* PolicyCompiler_PrintRule.cpp (PrintRule::_printLogPrefix): fixed
bug (no number): when a rule number is inserted into a log record
in place of macro %N, it should be formatted as "N/M" for rules in
a branch.
* PolicyCompiler_ipt.cpp (decideOnChainForClassify::processNext):
fixed bug (no number): setting chain for Classify action only if
it has not been set before. Setting chain to POSTROUTING always
broke things if a rule with action 'Classify' was used in a
branch (so the chain has been set to that of the branch)
* RuleSetView.cpp (RuleSetView::changeAction): working on bugs
#1676635: "no way to match on state if the action is drop" and
#1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW
stanza". Rule option 'stateless' is automatically set when user
changes rule action so it becomes anything except 'Accept', 'Tag'
or 'Route'. This option is also automatically cleared when action
is switched to any of these three actions. The user can override
these default settings by checking or unchecking the option in the
rule options dialog.
* PolicyCompiler_PrintRule.cpp: working on bugs #1676635: "no way
to match on state if the action is drop" and #1671910: "2.1.8 In
'Branch' acton compiler doesn't insert NEW stanza". Rely only on
rule option 'stateless' to decide whether the rule should have
"-m state --state NEW".
2007-05-06 vadim <vadim@vk.crocodile.org>
* v2.1.12 started
2007-04-28 vadim <vadim@vk.crocodile.org>
* v2.1.11 release
2007-04-24 vadim <vadim@vk.crocodile.org>
* SSHUnx.cpp (SSHUnx::SSHUnx): fixed bug #1702830: "fwbuilder does
not detect errors during policy install". Built-in installer
detects error messages printed by iptables and iptables-restore
and aborts installation process. Summary page shown in the end
reflects this as failed install.
* instOptionsDialog.cpp (instOptionsDialog::updateRollback): fixed
bug #1701971: "Enabeling test mode doent activate the reboot
interval". Checking "Test mode" checkbox in the installer options
dialog should enable widgets that configure automatic reboot
timeout.
2007-04-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): bug
#1699483: "hashlimit-htable-expire not set". Compiler
automatically generates name for the --hashlimit-name option if it
is not set in the GUI.
* PolicyCompiler_ipt.cpp (TagIfSrcFw::processNext): fixed bug
#1703954: "Mark target in postrouting chain". Packets that
originate on the firewall should be marked in the OUTPUT
chain. According to the netfilter packet flow diagram at
http://www.shorewall.net/NetfilterOverview.html , rerouting
happens after OUTPUT hook but before POSTROUTING hook.
* FWBTree.cpp (FWBTree::isSystem): fixed bug #1703595: "build 230
crashes when seaching for a deleted object"
2007-04-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixed
bug 1699483: "hashlimit-htable-expire not set". Added GUI controls
and compiler support for hashlimit module options
"--hashlimit-name", "--hashlimit-htable-size",
"--hashlimit-htable-max", "--hashlimit-htable-expire" and
"--hashlimit-htable-gcinterval"
* OSConfigurator_linux24.cpp (linux24::generateCodeForProtocolHandlers):
fixed bug #1697832: "fc5 kernel 2.6.20 moved *conntrack* modules".
Starting with kernel 2.6.20, netfilter installs *conntrack*
modules in "/lib/modules/`uname -r`/kernel/net/netfilter/" rather
than "/lib/modules/`uname
-r`/kernel/net/ipv4/netfilter/". Modified shell code that finds
and loads all "*conntrack*" and "*nat*" modules, it should now
work with both old and new kernels.
I do not know if this directory change was introduced only by
Fedora or it is general for the netfilter.
* TCPServiceDialog.cpp (TCPServiceDialog::validate): fixed bug
#1695481: "compliation error with lower end port". Before, user
could enter start port range number greater than the end port
range number. Neither the GUI nor compiler noticed this, which
resulted in the incorrect firewall configuration. This fix adds
check in the GUI to not let the user enter port ranges like that.
2007-04-03 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1676845: "lsrr option not compiling"
* PolicyCompiler_ipf_writers.cpp (PrintRule::_printWith): fixed
bug #1678410: "Ipfilter compiler uses wrong keyword for "fragment""
* utils.cpp (getUserName): fixed bug #1684334: "RCS should use
$LOGNAME when commit"
* ActionsDialog.cpp (ActionsDialog::loadFWObject): fixed bug
#1692411: "can't set accouting rule name (fwbuilder 2.1.11)"
2007-03-24 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixed bug #1685741:
"GUI crash: click on an empty part of obj tree, then desktop"
2007-03-21 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::focusOutEvent): working on
the bug #1685741: "GUI crash: click on an empty part of obj tree,
then desktop"
2007-03-18 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): minor
redesign of the interface object dialog to make network zone more
prominent and easier to set when network and group objects have
long names.
2007-03-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): fixed
bug #1674940: "if max-src-conn == 0: syntax error". Options
max-src-conn and max-src-states can not have value '0'
* TimeDialog.cpp (TimeDialog::loadFWObject): redesigned TimeService
object dialog
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
fixed bug #1672191: "Time limit generates unexpected iptables
command"
* PolicyCompiler_PrintRule.cpp (PrintRule::_printTimeInterval):
Added support for --datestart and --datestop options for module
'time' in compiler for iptables
* started v2.1.11
2007-02-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::findWhereUsedSlot): added an item
"Where used" to the context menu associated with objects in rules
* FWWindow.cpp (FWWindow::setPolicyBranchTabName): a workaround
for the bug 1629461: "Policy tabs do not scroll @ window extent on
OSX". The tab widget used to show policy, nat, routing and policy
branch rulesets does not switch to a "folded" mode on Mac OS X
when it needs to show more tabs that fit in the window. Since I
can't figure out a way to force it to do that, I am dropping
"Policy/" from the tab titles for branches to make them
shorter. This will help users with policies with many branches,
however it does not solve the problem because as they keep adding
branches, at some point they won't fit in the window again.
2007-02-15 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::fileCompare): fixed bug #1659832: "No
compile with QT without STL support"
* instDialog.cpp (instDialog::initiateCopy): fixed bug #1661140:
"built-in installer broken in 2.1.9 for PF". Installer incorrectly
set name for files it copied to the firewall if compiler generated
more than one file. Normally two files are generated for PF and
ipfilter.
* v2.1.10 started
2007-02-10 vadim <vadim@vk.crocodile.org>
* v2.1.9 release
* main.cpp (tty_raw): bug #1650369: "[patch] please add support
for GNU/kFreeBSD". Applied patch to make code compile on kFreeBSD.
2007-02-03 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (list): fixed bug #1620284: "conflict when
adding library to Preferences/Libraries". When the user tried to
add a library to the list in Preferemces/Libraries when a data
file with the same object library was loaded, the GUI detected the
conflict and showed error dialog.
* FWWindow.cpp (FWWindow::fileCompare): New feature: new operation
"Tools/Find Conflicting Objects in Two Data Files". This operation
inspects two data files (either .fwb or .fwl) and finds
conflicting objects. Conflicting objects have the same internal ID
but different attributes. Two data files can not be merged, or one
imported into another, if they contain such objects. This
operation also helps identify changes made to objects in two
copies of the same data file. This operation does not find objects
present in one file but not in the other, such objects present no
problem for merge or import operations. This operation works with
two external files, neither of which needs to be opened in the
program. Currently opened data file is not affected by this
operation and objects in the tree do not change. In the process of
this operation user is presented with series of dialogs showing
conflicting objects side by side. In the end the program can
generate report and write it to a text file.
2007-01-30 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::initiateCopy): more for the bug
#1617501:"Install fails after compile". Making sure we always
strip directory path from the file name if user specified full
path for the policy file in the "Output file name" input field in
the "Compiler" tab of firewall object dialog. Need to strip path
when macro "%FWSCRIPT%" is substituted in installation scriptlets
and in some other places.
2007-01-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug (no num.): data files used for run-time AddressTable
objects can have empty lines, the script should skip them.
2007-01-14 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
more for bug #1618381: "CLASSIFY/MARK are non-terminating".
Emulation of the terminating behavior for Classify and Tag actions
is now controlled by a global option in the "Compiler" tab of the
firewall properties dialog. This means emulation can be turned on
and off for all rules that might require it at once. It is
impossible to mix such rules with terminating and non-termninating
behavior. The reason for this is that shadowing detection
algorithm can only work with either terminating or non-terminating
rules, not with the mix. Hopefully this is the last change made
for this bug.
* PolicyCompiler_ipt.cpp (ipt::getAddressTableVarName): fixed bug
#1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
"."". Compiler checks if the name of the run-time AddressTable
object contains characters that have special meaning in sheel and
relaces them with '_' when it generates the name of the temporary
shell variable.
* PolicyCompiler_ipt.cpp (splitNonTerminatingTargets): update for
bug #1618381: "CLASSIFY/MARK are non-terminating". Adding iptables
rule with target ACCEPT to make Tag and Classify rules
terminating. This is controlled by checkbox in the action dialog
for actions Classify and Tag. Default setting is off.
2007-01-09 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): fixed bug (no
num.): GUI used show fanthom 'Policy', 'NAT' and 'Routing' tabs
when user deleted objects from the Deleted Objects library,
provided some of these objects were previously deleted firewalls.
2007-01-07 vadim <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (GroupObjectDialog::dropped): fixed bug
#1624577: "group window doesn't stay open on multiple-adds". Using
special flag to tell ObjectTreeView that it should ignore
MouseReleaseEvent it gets after d&d operation, so it wont switch
object in the editor panel. Note the bug triggered only on Mac OS
X.
* FWWindow.cpp (FWWindow::FWWindow): "Apply" and "Close" buttons
in the objct editor panel should be of fixed size horizontally
2007-01-06 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::testFirewall): fixed bug
#1617501:"Install fails after compile". The GUI got confused when
user enter full path to the policy file in the "Output file name"
input field in the "Compiler" tab of firewall object dialog.
* SimpleTextEditor.cpp (SimpleTextEditor::loadFromFile): fixed bug
1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
* OSConfigurator_linux24.cpp (linux24::printRunTimeWrappers):
fixed bug #1628989: "run-time-loaded rules don't accept ";" as
line comment"
* RuleOptionsDialog.cpp (RuleOptionsDialog::changed): fixed bug
#1620206: "RuleOptions' "Apply" button greyed-out until menu
selection"
* SimpleTextEditor.cpp (SimpleTextEditor::SimpleTextEditor): fixed
bug #1619842: "prolog "script editor" opens behind other windows"
* RuleSetView.cpp (RuleSetView::removeRule): fixed bug #1629521:
"can't delete empty chain/policy tab"
* instOptionsDialog.cpp (instOptionsDialog::hidePIXOptions):
installOptionsDialog was too large and did not fit on some laptop
screens. Doing tricks to make sure the dialog properly resized
after unused GUI elements are hidden.
2007-01-04 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext):
(API change)
fixed bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating
rules shadow each other "backwards", that is more general rule
shadows other rules _above_ it. Added flag 'reverse' to the method
find_more_general_rule and added new rule processor
DetectShadowingForNonTerminatingRules that finds such cases of
'reverse' shadowing. Using it for rules in the mangle table for iptables.
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): working on
bug #1618381
* For action Branch with option to add branching rule to the
mangle table: we now generate rules in PREROUTING, POSTROUTING,
INPUT, OUTPUT and FORWARD chains. This is because some targets
can only work in PREROUTING or POSTROUTING chains but we do not
know what rules will user put in the branch. So we need to branch
in all chains
* For rules in mangle table with direction set to Inbound or
Outbound force chain to PREROUTING or POSTROUTING respectively
early. This eliminates duplicates such as the same rule in
PREROUTING and INPUT chains. Also since most (all?) targets that
require mangle table go into either PREROUTING or POSTROUTING
chains, it should be enough to use these two chains.
2007-01-01 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::setRule),
PolicyCompiler_ipt.cpp (splitNonTerminatingTargets::processNext):
working on bug #1618381: "CLASSIFY/MARK are
non-terminating". Converting non-terminating targets MARK and
CLASSIFY into equivalent of terminating targets using intermediate
chain and "-g" option to pass control to it. Added a checkbox to
the rule options dialog for action Classify for this, by default
this feature is off.
2006-12-27 vadim <vadim@vk.crocodile.org>
* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug
#1620925: "compile-time AddressTable object with empty file".
Compile-time AddressTable object that uses file with no addresses
should be treated as an empty group according to the "Ignore empty
groups" option. Changes are made as follows:
- Compiler::expandGroupsInRuleElement does not call
s->setAnyElement(); to set rule element to 'any' before adding
addresses from the group. This means that if group is empty, rule
element remains empty (not even 'any', just with no children,
i.e. with size()==0). Note that AddressTable::loadFromSource()
leaves AddressTable object empty if the file does not have any
addresses.
- Compiler::emptyGroupsInRE specifically checks for run-time
MultiAddress objects and skips them so they wont be treated as
empty groups (since they are indeed empty). Compile-time
MultiAddress objects are treated as groups and algorithm that
depends on option 'ignore empty groups' is executed for both empty
regular groups and empty compile-time MultiAddress objects.
* PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement):
fixed bug #1623113: 'connlimit fails in compiled "address table" rules'
Module connlimit can only be used in iptables rules matching TCP services.
Such iptables commands have "-p tcp" and/or "-m tcp" options. If
a rule in fwbuilder uses TCP Service and connlimit option and has
multiple objects in src and dst, optimizer used to split it to minimize
matches. It however preserved connlimit option in all subrules,
even though some of them did not have TCP service after the split. This
lead to generation of incorrect iptables commands.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1623338: "Can not disable rules in a branch". Compiler for
iptables ignored flag 'disabled' on rules in a branch.
2006-12-26 vadim <vadim@vk.crocodile.org>
* VERSION (FWB_MICRO_VERSION): set version to 2.1.9
2006-12-03 vadim <vadim@vk.crocodile.org>
* v2.1.8 released
2006-11-30 vadim <vadim@vk.crocodile.org>
* FirewallDialog.cpp (FirewallDialog::applyChanges): fixed bug
#1589743: "compiler setting should be erased when fw platform
changes". If user configured firewall object to use thrid-party
compiler, this setting should be erased when firewall platform of
this object changes. 1) compilers are always platform-specific and
old compiler most likely won't work with different platform; 2)
'advanced' firewall settings dialog may not have an entry field
for the compiler (e.g. dialog for PIX does not have it)
2006-11-26 vadim <vadim@vk.crocodile.org>
* gui.pro (TARGET): All binaries are renamed to drop suffix
'21'. Opinion poll amongs the mailing list sbscribers showed
majority of users does not care for the ability to install and run
both old and new versions of fwbuilder on the same machine. This
feature creates substantial problems because of the symlinks to
libfwbuilder libraries that have the same name regardless of the
library version ('libfwbuilder.so' and 'libfwcompiler.so'). These
symlinks are required on Linux and *BSD and can not be avoided
easily. The only simple alternative was to rename libraries to
libfwbuilder21 and libfwcompiler21. I was impartial and thought of
doing this but FreeBSD port maintainer did not like this
solution. Given that most users said in the poll they do not want
this feature anyway, I am reverting binary and man page names back
to the old standard scheme without suffix '21'.
2006-11-16 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::matchAttr): added back
search by regexp - object name or port, protocol or ICMP type
numbers can be defined as regular expressions.
2006-11-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printDirectionAndInterface):
fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV:
no physdev opti..." Some times rules were generated with "-m
physdev" but witout "--physdev-in" or "--physdev-out" options.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1592130: "Policy Chaining Issues". Policy compiler should expand
rule subsets recursively
* FWWindow.cpp (FWWindow::addPolicyBranchTab): working on bug
#1592130: "Policy Chaining Issues". The GUI should properly
display nested branch rulesets.
* set version to 2.1.8
2006-10-30 vadim <vadim@vk.crocodile.org>
* v2.1.7 released
2006-10-28 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::paintCell): fixes for QT w/o STL support
2006-10-24 vadim <vadim@vk.crocodile.org>
* manually removed <includehint> from findobjectwidget_q.ui and
findwhereusedwidget_q.ui
* build 155
2006-10-23 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getRouteOptions_pf_ipf): fixed bug (no num): the
program used to incorrectly save "route option" parameter that is
used for pf anf ipf firewalls when user edited action "Routing"
for iptables firewall. This would corrupt saved XML file if the
program was used under non-English locale.
2006-10-22 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): eliminated
useless creation of interim QPixmap objects. It appears this was
responsible for creation of tons of extra pixmaps that triggered
bug 1582130 on windows.
Bug ##1582130: "GUI crashes on windows when very large data file
is opened" is now fixed.
2006-10-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::addTreePage): working
on bug #1582130: "GUI crashes on windows when very large data file
is opened". Using QPixmapCache everywhere.
* PixmapFactory.cpp (PixmapFactory::getPixmap): bug #1582130 "GUI
crashes on windows when very large data file is opened". Ran into
a known limitation on number of simultaneously created pixmaps on
Windows. If the data file contains over 3000 obects or so, the GUI
crashes on Windows. This is caused by the fact that GDI has global
limit on the number of pixmaps. See here:
http://lists.trolltech.com/qt-interest/2005-01/thread00679-0.html
Using QPixmapCache class to cache and reuse pixmaps, using it via
simple wrapper PixmapFactory that automatically creates pixmaps
not found in the cache.
2006-10-20 vadim <vadim@vk.crocodile.org>
* listOfLibraries.cpp (listOfLibraries::listOfLibraries): fixes
for QT w/o STL support on win32
2006-10-19 vadim <vadim@vk.crocodile.org>
* DialogData.cpp (DialogData::loadToWidget): properly using
remapping tables while loading strings into QComboBox when program
runs under international locale. Strings for qomboboxes are
defined in platforms.cpp and need to be translated accordingly.
2006-10-16 vadim <vadim@vk.crocodile.org>
* RCSFileDialog.cpp (RCSFileDialog::getSelectedRev): fixed bug
#1578502: "crashing opening file". The GUI crashed if the user
switched "open file" dialog to detailed list mode and then tried
to open a file.
2006-10-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): All
compilers print error mesage when they encounter unknow action in
a rule
* Preprocessor.cpp (Preprocessor::convertObject): fixed bug
#1575355: "Compiler tries to resove deleted AddressTable
objects". Using findWhereUsed to find if MultiAddress object is
used in firewall being compiled so we don't try to resolve objects
that are not used anywhere.
* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup):
code refactoring: moved methods findObjectsInGroup and
findWhereUsed from the GUI to API.
2006-10-08 vadim <vadim@vk.crocodile.org>
* v2.1.6 build 134: major improvements in support for outbound
ACLs in PIX 7.0 in compiler for PIX. Added file
'v21_migration_notes.txt' to fwbuilder-pix package
2006-10-07 vadim <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (PrintRule::_printDstService): fixed
bug#1572735: "Wrong syntax with TagService in NAT table". Added
mssing "-m mark"
2006-10-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (SpecialRuleActionsForShadowing::processNext):
rule with action 'Pipe' or 'Custom' should not shadow other rules
* PolicyCompiler_ipfw_writers.cpp (PrintRule::processNext):
compiler for ipfw generates rule with action check-state depending
on the setting of he option "Add rule to accept packets matching
dynamic rules created for known sessions". This option is
controlled by a checkbox in the firewall settings dialog.
* TableFactory.cpp (TableFactory::PrintTables): if AddressTable
object is configured to resolve at run time but file name is left
blank, compiler for PF generates PF configuration as follows:
"table <tblname> persist". That is, it omits 'file "filename"'
clause all together. This is useful if table is updated
automatically using "max-src-conn, overload <table>" option and
does not need to be pre-populated with addresses from a file.
2006-10-05 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog::pixAdvancedDialog):
added option "Generate outbound ACLs" for PIX 7.0
2006-10-02 vadim <vadim@vk.crocodile.org>
* Checking in updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2006-09-29 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (ipt::compile): fixed bug #1567873:
"CLASSIFY/Logging". eed to run rule processor
decideOnChainForClassify before rule is split for negation or
logging to properly pick up chain for action Classify. Previously
rules with this action and either negation or logging would match
packets in chains INPUT/OUTPUT/FORWARD but use chain POSTROUTING
when applying action.
2006-09-28 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): 'Prolog' section of the generated script can now
be added in different places:
- to the activation shell script, as before
- at the very top of generated .conf file
- after 'set' commands in the generated .conf file
- after 'scrub' commands in the generated .conf file
- after table definitions in the generated .conf file but
before all policy commands
2006-09-26 vadim <vadim@vk.crocodile.org>
* checking in updated Russian localization by <sov@rbsec.ru>
2006-09-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::deleteObj): fixed bug
#1562965: "no confirmation when deleting an object". In a scenario
when user starts with an emty object tree, then adds a firewall
with an interfaces, then tries to delete the interface, the GUI
would just delete it without presenting the user with "Are you
sure ?" confirmation dialog.
2006-09-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (convertAnyToNotFWForShadowing::processNext):
fixed bug #1562348: "a case of undetected rule shadowing".
Compiler did not detect shadowing in the pair of rules where first
rule was 'any any service' (flag 'firewall is part of any' is ON)
and the second was 'fw any service' when global flag 'firewall is
part of any' is OFF
* confirmdeleteobjectdialog_q.ui: fixed bug #1561165: "Delete
dialog box sizing incorrect"
* FWObject.cpp (FWObject::shallowDuplicate): API change: fixed bug
1562290: "GUI crashes in discovery
druid". FWObject::shallowDuplicate should add to database index
only if dbroot is defined. If dbroot==NULL, trying to copy it from
parameter x of shallowDuplicate (the object we are duplicating),
but need to check if dbroot is != NULL after that as well, because
object we are dulicating may not belong to any object tree. This
is the case with interface objects created in
SNMPQuery::fetchInterfaces
2006-09-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added
support for max-src-conn and max-src-conn-rate options n compiler
for PF.
* RuleOptionsDialog.cpp (RuleOptionsDialog::loadFWObject): feature
request #1531599: "max-src-conn and max-src-conn-rate". Added GUI
elements to support these PF options.
2006-09-16 vadim <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX::stateMachine): fixed a bug in the code that
deals with previously unseen ssh host key. Properly terminating
session if user hits 'No'; stopping heartbeat timer while waiting
for user input.
* FWWindow.cpp (FWWindow::install): compile/install wizard is now
a top level non-modal window, it can be used in parallel with the
main window so one can inspect and fix rules while still looking
at the output produced by the compiler, or work with objects and
rules while pushing policy update to the firewall.
2006-09-15 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::installerError): fixed bug #1559697:
"built-in installer crashes on incorrect password"
2006-09-14 vadim <vadim@vk.crocodile.org>
* FWObjectClipboard.h: clipboard holds list of object IDs instead
of object copies. Clearing clipboard when an object is deleted
from the "Deleted objects" library in ObjectManipulator::delObj.
* FWWindow.cpp (FWWindow::load): calling FWObjectDatabase::reIndex
to fix object reference counters and rebuild the index after
object tree is loaded from .fwb file. Doing the same in all policy
compilers.
* NATCompiler_pf.cpp (splitForTSrc::processNext): fixed bug
#1556984" "Nat statements in PF are missing (source-natting)"
Compiler was too restrictive checking firewall's interfaces while
generating 'nat' rules. It generated such rule only when it was
able to find an interface with address/netmask combination that
defined subnet to which TSrc address belonged. 2.0.X used to be
more liberal and created nat rule even if such interface was not
found, in such case it generated nat rule bound to all interfaces
of the firewall.
2006-09-13 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (ActionsDialog::iptRouteContinueToggled):
fixed bug #1557827: "iptables, routing, iif and continue". GUI
enforces rules on options to iptables target ROUTE: 'continue' is
mutually exclusive with --iif and --tee, therefore checking option
'Continue packet inspection' disables options 'Change inbound
interface to' and 'Make a copy' (GUI elements are greyed out).
2006-09-10 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::scheduleRuleSetRedraw): using timer
event to make sure rule sets are redrawn no more than once when
needed.
2006-09-08 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): using
FWObjectDatabase::addToIndexRecursive to quickly reindex whole
database once datafile is loaded. This works very fast.
Fixes everywhere for the new format of FWObjectDatabase::create
2006-09-07 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::load): improvements in the GUI
ergonomics when working with very large data files:
- The main window opens before the file specified on the command
line is loaded
- Using status bar to print messages indicating progress of the
file loading process
- Enforcing objects indexing after the file is loaded, this
speeds things up later
* ObjectEditor.cpp (ObjectEditor::actionChanged): fixed bug
#1553394: "Options windows stays the same".
2006-09-05 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::killInstDialog): compile/install dialog
is now not modal, this means the user can look at the policy and
objects while compilation and/or installation is going on. This is
especially convenient as it allows one to inspect the rules after
failed compilation while still having compiler error on screen.
* VERSION: set version to 2.1.6
* configure.in: added check to make sure qmake found by configure
really is part of QT 3.x. This should help avoid build failures on
systems where both QT 3.x and 4.x are installed and where
/usr/bin/qmake is really QT 4.x qmake which we can not use.
2006-08-31 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw.cpp (processMultiAddressObjectsInRE):
checking for (currently unsupported) run-time AddressTable objects
* All compilers: fixed bug #1544488: 'Error with DNS_name object
when "resolve during run time"'. Needed to swap run-time DNSName
and AddressTable objects with MultiAddressRunTime during rule
shadowing run
2006-08-29 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (readFromStdout): properly processing text coming
from the background process if it comes buffered in chunks that
include several lines of text and possibly incomplete last
line. Previously, text would come out werdly formatted in the log
window.
* instDialog.cpp (processExited): detectig situation when
background process (compiler) crashes or is killed
* RuleSetView.cpp (fixRulePosition): this method fixes rule
position if it is incorrect (this happens sometimes because of
errors in auto-upgrade transformations). fixRulePosition checks if
object the rule belongs to is read-only or belongs to a read-only
subtree in the database and temporarily breaks the lock in order
to be able to fix rule position. This method is recursive so it
supports cases when several objects between the rule and database
root are read-only.
2006-08-27 vadim <vadim@vk.crocodile.org>
* instDialog.cpp (prepareInstallerOptions): Added checkbox 'save
copy of fwb file on the firewall' to the installer options
dialog. If this checkbox is on, installer copies .fwb file to the
firewall before it copies generated configuration and activates
it. This can be used as last resort backup but should be avoided
if firewall is managed from remote workstation and especially if
many firewalls are managed from dedicated management
workstation (because storing fwb file on each firewall means
security policy of all firewalls resides on all every one of them).
This option is off by default.
2006-08-26 vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (findForObject): redesign of the
dialog: now showing objects to be deleted and their parent objects
in the same list with selection disabled. This removes confusion
caused by the text in the dialog saying that 'seletect objects'
were bout to be deleted and ability to select objects in the
confirmation dialog.
2006-08-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (fillDirection::processNext): fixed bug
#1543684: "fwb 2.1.5 IPFilter fallback rule issues". Fallback rule
should be 'pass out' if option 'Pass all outgoing' is used.
2006-08-19 vadim <vadim@vk.crocodile.org>
* MangleTableCompiler_ipt.cpp (processNext): (new feature): added
checkbox to the action 'Branch' for iptables "In addition to
'filter', create branching rule in 'mangle' table as well". When
this parameter is activated, compiler creates branching rules in
both filter and mangle tables; in mangle table it always uses
chains PREROUTING, INPUT, OUTPUT and FORWARD.
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1534423 "2.1.5,
mark action rules in branches". Added checkbox "Mark packets in
PREROUTING chain" to the action "Tag" for iptables. Compiler
places rule into PREROUTING chain when this parameter is
activated.
2006-08-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (compile): working on bug #1534423
"2.1.5, mark action rules in branches". Branch rules with action
Tag go into mangle table.
2006-08-17 vadim <vadim@vk.crocodile.org>
* gui.cw: this file is used by QT to save descriptions of custom
widgets
* ObjectManipulator.h: added bunch of missing virtual destructors
to various classes
2006-08-10 Vadim <vadim@vk.crocodile.org>
* ConfirmDeleteObjectDialog.cpp (ConfirmDeleteObjectDialog):
completed implementation of feature request #1116454: "Where Used
Option". When the user tries to delete an object from the tree,
the GUI presents a list of groups and firewall rules where this
object is used.
2006-08-09 Vadim <vadim@vk.crocodile.org>
* instDialog.cpp (findFirewalls): main menu item 'Compile' and
corresponding toolbar button activate compilation/installation for
all firewalls in all libraries. This fixes bug #1531007: "no
firewall in comp/inst dialog if standard library selected"
* utils.h (findByObjectType): added parameter bool skip_system_libs.
This method will skip libraries DELETED_LIB and TEMPLATE_LIB if this
parameter is true (which is its default value).
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (validateAndClose): fixed bug (no num.):
"Apply" button in the editor panel would not activate when user
reopened an object after it was edited and then editor panel
closed.
2006-08-08 Vadim <vadim@vk.crocodile.org>
* ObjectEditor.cpp (apply): fixed bug #1531020: "gui behaviour on
object renaming". Changing name of the selected object in the
editor updated it in the tree but not in the rule set view.
* ActionsDialog.cpp (applyChanges): fixed bug #1531008: "gui
behaviour improvements". Gui used to reset rule selection after
user selected different object in the tree.
2006-08-05 Vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog): fixed bug #1525808:
"fwbuilder21: Windows are too large ". One of the pages of the
firewall creation druid was too large vertically, as the result
whole druid would not fit on screens 1024x768 with standard font
bigger than 18pt
* FindWhereUsedWidget.h (class FindWhereUsedWidget): Feature
request #1116454: "Where Used Option". Ilya implemented "Find
Where Used" function which quickly finds and shows rules of all
firewalls that utilize a given object.
2006-07-23 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (copyRule): still debugging problems caused by
QT w/o STL support. Also got rid of methods RuleSetView::isSrc,
isDst, isSrv etc, makes code cleaner cause these methods violated
data access boundaries in the class hierarchy.
2006-07-22 vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getPolicyRuleOptions): fixes in
bunch of places where code assumed QT is built with STL support
2006-07-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (processNext): checking if
objects in srv are of the type TCPService or UDPService; if they
are, treat srv as if it has one object even if there are several in
it. This eliminates uncessesary rule splitting that optimizer used
to do.
* PolicyCompiler_ipt.cpp (compile): moved
InterfacePolicyRulesWithOptimization further down the chain of
rule processors to let other processors properly decide on chain
for rules that are associated with multiple interfaces. Such rule
is now treated as if it has one interface, and most of the chain
and target decisions are made before the rule is split. When the
rule is split in InterfacePolicyRulesWithOptimization, each part
gets one interface from the original list.
* PolicyCompiler_ipt.cpp (SrcNegation): all rule processors that
work with negation reset "Interface" rule element in subrules they
create except for the very first.
* main.cpp (main): removed plays with styles on Mac, they proved
unnecessary
2006-07-18 vadim <vadim@vk.crocodile.org>
* unit_tests.cpp (main): unit test for RCS module, currently only
checks if rlog reading routing works right
* RCS.cpp (RCS): trying to fix mysterious bug that causes RCS
module to misinterpret RCS log in some cases and read modification
date/time instead of the name of the user who apparently opened
and locked the file. However in cases like that the file in fact
is checked in and unlocked. Instead of reading rlog output line by
line and using regex to parse each line separately, we now read
the output in chunks using '------' as a separator. Each chunk
corresponds to one revision and all regexps are written to work on
the whole chunk instead of one line.
2006-07-17 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When user selects an object in the
rule set, all references to the same object in other rules are
highlighted by drawing thin red frame around them. Similarly, when
an object is selected in the tree, all references to it in the
currently visible ruleset are similarly highlighted. This helps
enforce the notion that all instances of the object in rules are
really references to the same object, as well as helps locate
these references visually.
2006-07-12 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (exportLibraryTo): user choses libraries for export
using spearate modal dialog instead of built-in panel in the file
choosing dialog in the "File/Export Library" function
2006-07-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow): FindObjectWidget is not a custom widget
anymore - this is a workaround for QT bug #85440 :
http://www.trolltech.com/developer/task-tracker/index_html?id=85440&method=entry
2006-07-09 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): bugfix: the GUI
used to switch object in the editor if user tried to open a
different library and expand/collapse subtree in it. It should not
do this, expading/collapsing subtrees should not cause object
switch in the editor.
2006-06-30 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): highlighting whole table cell for
rule options/actions/directions/etc when corresponding rule
element is selected.
* Added title bar with icon and object type name to dialog panels
for all object types
2006-06-25 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (PrefsDialog): removed "Data format" tab from
the Preferences dialog. Option that turns off saving standard
objects in every users data file was on by default for a long
time, now it is time to remove the GUI control all together.
* FWBSettings.h: using macro SETTINGS_PATH_PREFIX to define path
prefix for settings. This makes it easier to change the prefix
when new version is introduced
2006-06-23 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (): using QDns to get host names for
discovered ip addresses instead of our own DNS methods
2006-06-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): fixed bug #1509411:
"FWB does not build correct PF RDR port ranges". RDR rules should
support port ranges in the RHS of "->"
* qmake.inc.in: Passing CXXFLAGS from environment to the build
process. Fedora engineers had to add a hack to their .spec file to
do this, this change makes their hack unnecessary
2006-06-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printRouteOptions): implemented
spport for action Route for PF
2006-06-15 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): fixed selection
of multiple objects in the tree and interaction with editor.
2006-06-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): implemented support for
action Route for iptables
2006-06-13 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (openObjectInTree): selecting object in a rule
automatically opens it in the tree (both when editor opened and
when it is closed)
2006-06-11 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (requestEditorOwnership): moved all the logic
controlling switching between objects whith editor open to this
method of FWWindow, this significantly simplifies other
classes. Now we can properly process situations when user opens an
object in a rule, edits it and then tries to open an object in the
tree for editing. This also works in other situations when object
with unsaved changes is opened in the editor and user tries to
switch to another one, possibly in a different panel or
widget. Still need to explore ways to maintain synchronized object
highlighting in the tree and in rules.
2006-06-06 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (maybeTip): directions are represented only by
icons with no text; added tooltip for directions
* ObjectEditor.cpp (validateAndSave): cleanup in ObjectEditor
class - reusing method validateAndSave in methods close,
validateAndClose
* FirewallDialog.cpp (loadFWObject): "snmp" tab of the firewall
object dialog has been deprecated
2006-06-04 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (revealObjectInTree): change in the GUI
behavior: - selection in the tree and ruleset are mutually
exclusive, that is selecting an object in ruleset turn selection
off in the tree and vice versa. Added menu item "Reveal in tree"
to the context menu that appears when user clicks right mouse
button on an object in ruleset.
* PolicyCompiler_ipt.cpp (processNext): Added support for CONNMARK
as an option for rules with action Tag. If a checkbox "Mark
connections created by packets that match this rule" in rule
options of a rule with action Tag is checked, compiler adds
iptables command to save mark set by the Tag action into connmark
module, and then adds another command at the beginning of the
policy to restore it.
2006-06-03 vadim <vadim@vk.crocodile.org>
* ActionsDialog.cpp (setRule): New rule action: "Route", to be
mapped to ROUTE target for iptables and 'route' option for pf and
ipf
2006-05-31 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): When a group is opened in the
editor, an object can be highlighted there which is different from
the object highlighted in rules. Using alternatie color to
highlight object in rules when user switches keyboard focus to the
editor panel. This helps avoid confusion caused by identical look
of objects highlighted in rules and group view. Currently using
QColorGroup::midlight() to get color for when ruleset widget has
no focus. This is probably incorrect because color should change
when widget's colorGroup() changes from active to normal. Using
midlight color may lead to incorrect results if QT theme does not
define this color properly.
2006-05-25 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (edit): GUI opens objects in the editor
panel on single mouse click on an object in the tree if editor
panel is opened. If it is closed, click just changes selection in
the tree. Drag and drop works because object is opened in the
editor on mouse release. Similarly, if user navigates in the tree
using keyboard, object is opened in the editor on keyReleased
event. Multiple selection works both by mouse and by keyboard.
2006-05-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (swapAddressTableObjectsInRE):
AddressTable objects are converted to PF tables with the name of
the object in both run-time and compile-time mode. This is so only
for PF because other compilers simply expand compile-time
AddressTable objects as a group of addresses (and lose its name in
the process). Administrator can use compile-time AddressTable
object to create tables with names known beforehand. In the future
these tables can be used with 'overflow' rule option that updates
tables automatically.
* TableFactory.cpp (init): implemented persistent tables in
compiler for PF: compiler maintains list of tables it creates
between passes for NAT and policy rules. This reduces duplication
if the same tables need to be created for both policy and NAT
rules. Tables for branched rule sets (anchors) are generated
separately and may duplicate those in the main rule set (although
their name is different).
2006-05-16 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processMultiAddressObjectsInRE): DNSName
object now inherits MultiAddress, this allows for DNSName to be
expanded into multiple addresses at compile time. Run time support
hasn't changed because most fw platforms automatically expand
domain name into all IP addresses defined as DNS A records for
this name.
2006-05-14 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (unselectRules): rule set should lose focus when
object editor is opened in a panel. Object shown in the editor is
highlighted in the tree anyway. This works better during search
when "find next" finds object in the tree
* NATCompiler_PrintRule.cpp (processNext): fixed bug #1476797:
"ipt NETMAP, POSTROUTING** chain --to problem with multiple
network targets".
* PolicyCompiler_PrintRule.cpp (_printModules): Added support for
hashlimit module for iptables (with an option for older systems
where the same module is called dstlimit)
2006-05-13 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printModules): added support for
connlimit module for iptables
2006-05-12 vadim <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added input fieds for
iptables module "connlimit"
* Many dialogs: converting all object, rule options and actions
editors from pop-up dialogs to built-in panels.
2006-05-07 vadim <vadim@vk.crocodile.org>
* PrefsDialog.cpp (accept): removed entry field for scp, it is not
used by the installer. Cleaned up in all places where we check if
path to ssh is configured to make sure installer can use it.
* TableFactory.cpp (createTablesForRE): names for tables that go
into an anchor have anchor name prepended to them as a prefix to
ensure global uniqueness. One side effect of this is that
AddressTable objects can only be used either in global rules or in
an anchor, but not in both at the same time because the name of
the table created for such object follows the name of the object
and hence appears the same in the main rule set and in the anchor.
2006-05-06 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): Added support for branching rules for PF,
imlpemented via anchors. Rules defined in branches are stored in
separate .conf files and loaded by the .fw file using
pfctl -a <anchor_name> -f <anchor_rules_file> Anchor rule files
are also added to manifest in the .fw file to make sure the built-in
installer will copy them to the firewall.
* PolicyCompiler_ipt.cpp (processNext): support for branching
rules for iptables (via user-ddefined chain, chain name is
specified as action parameter for action 'Chain')
* FWWindow.cpp (reopenFirewall): added support for policy
branches. Setting rule action to "Chain" or "Anchor" (depending on
platform) creates additional tab with a policy rule set. These
rules represent a branch in the policy, implemented by means of a
user-defined chain for iptables and anchor for pf. Chain or anchor
name is set as action parameter through standard action options
dialog.
* FWWindow.cpp (fileSaveAs): fixed bug #1424880: "Save As" works
incorrectly. "Save As" works as follows:
* a new file is created with the name provided by user, this file
captures the state of the object database as of the moment when
user executed 'Save As' operation.
* if the old file was not in RCS, then any changes made to it
since it was saved to disk last time are lost. In other words,
next time user opens the old file, its content will be as it was
when it was saved to disk last time before using 'Save As'
operation
* if the old file was in RCS, then it is reverted to the head
revision in RCS
* fixed bug #1434321: firewall name heading incorrect after
duplicate. After a firewall object is duplicated, the name of the
new object as shown in the tree and in pull-down list of firewalls
was incorrect.
* ActionsDialog.cpp (setRule): Added GUI support for action
'Branch' (represented as 'Chain' for iptables and 'Anchor' for pf)
2006-04-30 vadim <vadim@vk.crocodile.org>
* platforms.cpp (getActionNameForPlatform): remapping names of
some new actions depending on the target firewall platform. For
example, action "Tag" appears as "Tag" for PF and as "Mark" for
iptables. Also remapping name for actions Pipe and
Accounting. This should help adoption of the new actions by people
who are familiar with corresponding features of the target
firewall platforms. Name mapping is done only for presentation;
all internal references to actions use their abstract internal
names both in the GUI and in all compilers.
2006-04-30 <vadim@beaver.vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1464806: "Global custom log prefix not applied to built in
options". Autogenerated rule that blocks packets matching INVALID
state will use globally set custom logging prefix. "-1" is used
for the rule number; macro "%C" is replaced with the chain name
"drop_invalid"
* NATCompiler_pf_writers.cpp (processNext): fixed bug #1407328:
"NAT / RDR Exception PF problem". "no nat" rule in PF can
translate either into 'no nat' or 'no rdr', depending on what the
user really needs to achieve. There is no way fwbuilder can guess
right by just analysing this single rule, so it will generate both
variants.
2006-04-23 vadim <vadim@vk.crocodile.org>
* SSHSession.h: fix for bug #1455772 did not work on windows where
QProcess added '\0' to each line of the stream passed to the ssh
client. On Unix we run fwbuilder as a wrapper for ssh client and
can intercept and filter these characters but on windows we do not
use wrapper and can't fix the problem that way. Better fix is to
avoid QString (and therefore conversions UTF8 <-> Unicode) all
together. Changed last parameter for constructor of SSHSession and
derived classes from QStringList to list<string>. Now instDialog
reads script as sequence of bytes and does not convert it to
Unicode, then passes to the ssh client via SSHSession as-is. In
principle, this alleviates the need in the hack in main.cpp but I
leave it there just in case. (Forward ported from 2.0.12)
2006-04-23 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (displayCommands): changed title of the
tab where user controls protocol inspectors from "Fixup" to
"Inspect". Added a button to show commands that will be generated
by the compiler for a current combination of inspector
configuration, this button calls policy compiler fwb_pix and feeds
XML to it via standard input. Doing this automatically every time
user touches something in the inspector control widgets may be
slow on underpowered machines or when the data tree is very large
because the GUI needs to start external process, which reads and
parses the whole XML file.
2006-04-22 vadim <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): calling fwb_pix to
generate protocol inspection commands. Need to implement saving
into a buffer in FWObjectDatabase to make this work.
2006-04-19 ilya <yalovoy@gmail.com>
* FWWindow.cpp (singleInstall): batch compile and intsall
operations are possible when user selects several firewalls in the
tree and uses context menu items "Compile" and "install". Selected
firewalls are automatically checked in the batch install dialog.
* FirewallDialog.cpp (loadFWObject): support for attribute
"inactive" in Firewall. Inactive firewalls are not picked for
batch compile and install operations.
2006-04-10 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext),
ipfAdvancedDialog.cpp (ipfAdvancedDialog): Added support for PPTP
and IRC proxies for ipfilter
2006-04-07 ilya <yalovoy@gmail.com>
* instDialog.cpp (selected): implemented batch compile and batch
install modes. Requires some work to polish the UI but basic
functionality works
2006-03-26 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
fixed bug#1364060: "conntrack modules not found". The name of the
'conntrack' module in Linux 2.6 is 'ip_conntrack.ko' and
'ipt_conntack.ko'. Changed shell pattern to match new modules as
well as old ones.
* linux24.xml.in: made "chmod +x" part of the sequence that
copieswall script to make the script is executable. This fixed bug
#1455748: "make firewall script executable"
* main.cpp (main): it appears some older versions of Qt have a bug
referred to in the following article:
http://lists.trolltech.com/qt-interest/2004-10/thread00024-0.html
This bug causes '\0' to be appended to strings passed to/from
QProcess if they are converted to/from utf-8. Added workaround in
the ssh wrapper code to skip zeros. In combination with converting
config file strings from/to utf-8 this fixes bug #1455772: "Problem
with UTF8 Descriptions in FW Objects"
* instDialog.cpp (initiateCopy): need to convert strings of the
config file from utf-8 in order to be able to use methods of
QString to process them. Strings are converted back to utf-8 right
before they are sent to the background ssh process to be copied to
the firewall in SSHSession::sendLine()
2006-03-22 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (prolog): switched from
Compiler::objcache to object index in FWObjectDatabase. Replaced
calls to Compiler::getCachedObject with calls to
FWReference::getPointer() everywhere
2006-03-20 vadim <vadim@vk.crocodile.org>
* ipf.cpp, ipt.cpp, pf.cpp, ipfw.cpp (main): added call to
Preprocessor::compile() to convert DNSName and AddressTable
objects before rule processing starts
2006-03-18 vadim <vadim@vk.crocodile.org>
* OSConfigurator_solaris.cpp (printPathForAllTools): fixed bug
#1393004: "Solaris does not have "egrep -q". Since egrep shipped
with Solaris does not have option '-q', using '-s'
* ipf.cpp (main): fixed bug #1386226: "generated -nat.conf is not
removed when nat rules removed.". Old fw-nat.conf was left in
place when user deleted all NAT rules (the new one was not created
either). Now compiler deletes *-ipf.conf and *-nat.conf files
before creating new ones, also installer gets correct list of
files to read.
* PolicyCompiler_PrintRule.cpp (PolicyRuleToString): fixed bug
#1375432: "fwb_ipt with twice -m state". Compiler used to generate
options "-m state --state XYZ" twice in a situation when
administrator uses custom service that already includes this code
and rule is not stateless.
2006-03-15 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (findFirewallsForObject): Using method
findWhereUSed to find firewalls that require compile/install after
an object is modified.
2006-03-15 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (_findWhereUsed): generic recursive method
that finds all groups and rules that use an object.
2006-03-10 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (contextMenu): added temporary pop-up menu
item 'simulate Install' for testing.
* ObjectManipulator.cpp (__Is_Object_Ref_In_Firewall): added
support for detection of firewall objects that require compile and
install after any object in the tree is modified. The code keeps
track of changes made to firewall's policy rules, as well as
changes in all objects in the tree. After the user applies changes
in an object editor, the program inspects every firewall trying to
determine if the object is used in one of its rules. When one or
more firewalls using this object are found, corresponding items in
the tree are highlighted. Indirect usage, such as if the object is
a member of a group that is used in a rule, is also
detected. Multi-level group membership is detected too.
2006-03-07 vadim <vadim@vk.crocodile.org>
* All compilers: compiler prints only one 'success' message at the
and of processing instead of after each section (policy, NAT
etc). This makes it easier to keep track of its progress and is
less confusing if it runs in a silent mode and takes a long time
to process one section. Before, when it printed "Rules compiled
successfully" after each section, the user could interpret this
message as if compiler was done, while in fact it was still
working on the next section
2006-03-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (removeFW): restored rule processor that
removes firewall object from src or dst to simplify rule if it
uses OUTPUT or INPUT chain. Doing this only if original rule did
not have negation and we do not add any virtual addresses for NAT.
After removal the rule collapses to a simple command like this:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
this works fine except if we have added virtual addresses for
NAT. It is assumed that firewall object in rules represents
combination of addresses configured in its interfaces in the
GUI. Virtual addresses added for NAT are considered to be a side
effect and connections should not be implicitly permitted to them
by a rule with fw object in destination. The same applies to fw
object in source. See bug #685947 for discussion. To avoid
inadvertently opening holes in the firewall by a rule like that,
we remove fw object only when it is safe to do so.
2006-03-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainForClassify): setting chain
to POSTROUTING for rules with action Classify. Also added checks
for this action in all rule processors that split rules in order
to assign them to INPUT/OUTPUT/FORWARD chains later because this
is not needed for this action (since only one chain is allowed
anyway)
* PolicyCompiler_PrintRule.cpp (_printDstService): added checks
for iptables version "1.3.0"
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface):
added support for physdev module for bridging firewalls. This
module is used if interface a rule is associated with is marked as
bridge port and iptables version is set to 1.3.0 or later in the
firewall settings. Feature Request #1000757: "bridging: using physdev"
* All compilers: by default treating bridge port interfaces the
same as unnumbered interfaces, unless target firewall platform
provides special support for bridge ports, such as module
'physdev' in iptables
* InterfaceDialog.cpp (loadFWObject): added support for bridge
port interface
2006-03-04 vadim <vadim@vk.crocodile.org>
* fwbedit.cpp (main), fwblookup.cpp (main): using global variable
instead of singleton FWObjectDatabase::db. FWObjectDatabase::db
is not used in fwbuilder2 anywhere and can be eliminated.
* FWObjectClipboard.cpp (add): must create new objects using
current instance of FWObjectDatabase because it maintains internal
object index. Replacing FWObjectDatabase::db with mw->db() to
accomplish that
* getting rid of singleton FWObjectDatabase::db in the GUI -
replacing it everywhere with mw->db()
2006-02-28 Vadim <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectProperties): printing
firewall's lastModified, lastCompiled and lastInstalled timestamps
in the info window and in tooltips
2006-02-26 ilya <yalovoy@gmail.com>
* ObjectManipulator.cpp (updateLastModifiedTimestamp): added
methods to keep timestamps for the moments when a Firewall has
been modified, compiled and installed. Using these timestamps to
provide visual indication for when a firewall needs to be
installed using bold font for its name in the tree view. Will use
the same mechanism to automatically suggest which firewalls to
install when user hits "Install" menu item or toolbar
button. Still need to implement object modification tracking to
properly detect which firewall needs to be marked when an object
is modified (an object can be used in a firewall rule directly or
indirectly if it is a member of a group)
2006-02-19 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (reopenFirewall): the GUI shows "Routing" tab only
if the corresponding policy compiler for a give host OS supports
it. Using <capabilities> element in the res/os/OS.xml resource
file.
* FirewallDialog.cpp (fillVersion): fixed a bug where firewall
versions would appear in a mixed order in the 'version' pull-down
in firewall object dialog
2006-02-18 vadim <vadim@vk.crocodile.org>
* Added support for load balancing rules in PF
* Added support for address ranges and network objects in TSrc in
NAT rules for PF
* Added support for pool types in NAT rules for PF ('bitmask',
'random', 'source-hash', 'round-robin') as well as 'static-port'
option
* PolicyCompiler_ipf_writers.cpp (_printAction): basic support for
Custom action for ipfilter. Lack of examples for actions 'auth'
and 'call' in ipfilter documentation or anywhere on the web makes
it hard to implement right.
* PolicyCompiler_ipfw_writers.cpp (_printAction): Added support
for policy rule action Custom for ipfw
* PolicyCompiler_ipfw_writers.cpp (_printAction): Fwbuilder policy
rule action 'Classify' is mapped to ipfw actions 'pipe' or
'queue'. Fwbuilder policy rule action 'Pipe' is mapped to ipfw
action 'divert'
2006-02-17 ilya <yalovoy@gmail.com>
* execDialog.cpp (saveLog): Added a button and function to save
compile or install progress log to a file with extension .txt
* killed startup wizard; the GUI starts accordingly to the setting
on the first page of the Preferences dialog - it can either start
up showing just standard objects library or automatically open
file the user was editing last time the GUI was used.
* object created using "Duplicate" menu item is automatically
activated and opened in the editor
2006-02-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printQueue): implemented support
for action 'Classify' in compiler for PF, mapped to a filtering
rule option 'queue _queue_name_'
* PolicyCompiler_PrintRule.cpp (PrintRule): implemented support
for actions 'Classify' and 'Custom' in compiler for
iptables. Action 'Classify' is mapped to '-j CLASSIFY --set-class M:N';
action 'Custom' is used verbatim
2006-02-15 ilya <yalovoy@gmail.com>
* :version 2.1.5
* :Added new Actions 'Classify' and 'Custom'.
* :Added new dialog NATRuleOptionsDialog.
* RuleSetView: In NATView inserted new column "Options" for
viewing of Nat Rule Options.
2006-02-11 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (checkSNMPCommunity): unified method to check
validity of the host name/ip address for dns name server used for
zone transfer and seed host used for snmp crawler
2006-02-09 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): added support
for the TagService object (using 'tagged')
* PolicyCompiler_PrintRule.cpp (_printDstService): added support
for the TagService service object (using --mark)
2006-02-09 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (DiscoveryDruid): improvements in the
implementation of the address and name validity for snmp crawler
seed host and dns server for dns zone import. Implemented support
for IP aliases in snmp crawler
2006-02-05 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (save): saving/restoring parameters of the
DiscoveryDruid between sessions
2006-01-27 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): proper implementation of
long/short name generation for dns zone import; proper checks for
correctness of the seed host address for snmp crawler; showing
number of interfaces in discovered hosts on the results page
2006-01-21 vadim <vadim@vk.crocodile.org>
* gui.pro (IMAGES): grand icons clean-up and update. Removed old
unused icons and images, added new icon theme by Irina Filvarova
2006-01-20 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (changedSelected): working version of
discovey druid. Got rid of all calls to setModal, hence
workarounds defined in qt_workarounds.h are not needed anymore
2006-01-16 vadim <vadim@vk.crocodile.org>
* DiscoveryDruid.cpp (stripObjects): minor formatting cleanup in
DiscoveryDruid; fixed typos in DiscoveryDruid ('wasCanceled' ->
'wasCancelled'); refactored #includes to improve compilation speed
in DiscoveryDruid
* DiscoveryDruid.cpp: had to move '#include "DiscoveryDruid.h"'
below all qt #include's to make code compile on windows. When this
#include was above qt includes, compiler would stop with an error:
------------------------------------------------------------
C:\Qt\3.3.1\include\qlistbox.h(139) : warning C4003: not enough actual parameter
s for macro 'index'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2059: syntax error : ')'
C:\Qt\3.3.1\include\qlistbox.h(139) : error C2143: syntax error : missing ')' be
fore ';'
------------------------------------------------------------
I haven't figured out where does 'index' macro come from
* discoverydruid_q.ui.h: added workarounds for missing
QDialog::setModal in QT 3.1
* FWWindow.cpp (doCompile): since we now package platform and os
resource files with externally packaged compilers, we do not need
to use "-r" flag while calling compilers anymore
2006-01-10 ilya <yalovoy@gmail.com>
* DiscoveryDruid.cpp (startHostsScan): implemented object import
from a file in "/etc/hosts" format. This includes druid page where
user selects objects from the list, a page where they can assign
object type for each record and a page where they chose a library
new objects should be part of
2006-01-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (_printAction): support for
action Pipe in ipfw. This action can be implemented using
"divert", "pipe" or "queue" rule actions in ipfw; the method is
chosen using rule action parameters dialog in the GUI.
* ActionsDialog.cpp (setRule): support for action Pipe for ipfw in
the GUI.
* PolicyCompiler_pf_writers.cpp (_printAction): added support for
Tag action for PF
2006-01-03 vadim <vadim@vk.crocodile.org>
* ipt.cpp (main): implemented checks for the situation when
compiler produces an empty script. In such cases we avoid printing
any header or commit commands (such as '*mangle' and 'COMMIT'
if iptables-restore format is used)
* PolicyCompiler_ipt.cpp (processNext): implemented support for
QUEUE target in compiler for iptables. Commands with this target
are generated for fwbuilder rules with action "Pipe"
* MangleTableCompiler_ipt.h: Implemented support for MARK target
for iptables. Iptables commands with target MARK are generated for
fwbuilder rules using action "Tag". Rules are placed in
INPUT,OUTPUT and FORWARD chain of the "mangle" table, this ensures
that DNAT happens before rules placed in the mangle table see the
packet. PREROUTING chain in mangle table is executed before
PREROUTING chain in the nat table, so placing tagging rules in the
PREROUTING chain would make them fire before DNAT. POSTROUTING
chain of the mangle table, as well as its FORWARD and OUTPUT
chains, work before corresponding chains of the nat table. In all
cases the goal is to make sure DNAT rules process the packet
before, and SNAT rules process it after filtering and tagging
rules.
* AddressTableDialog.cpp (preview): AddressTable dialog "preview"
function looks for the table file in the same directory as
currently opened data file if file name is entered as relative
path
2005-12-16 ilya <yalovoy@gmail.com>
* FWObjectPropertiesFactory.cpp : For objects of type 'interface'
a path to library is included in "detailed properties".
* FWWindow.cpp : Added new menu "/tools/Discovery Druid"
* DiscoveryDruid.cpp : Created basic gui for Discovery druid
2005-12-16 ilya <yalovoy@gmail.com>
* SimpleTextView.cpp: new custom text viewer.
* AddressTableDialog.cpp: file preview uses SimpleTextView.
* newfirewalldialog_q.ui: Dialog size fixed (now all internal
widgets are visible)
* fwbedit.cpp : fixed run with unknown options. Added a new option:
-u - interactive file upgrade
2005-12-14 ilya <yalovoy@gmail.com>
* Added detailed tooltips for rule options for all fw platforms
* Redrawing policy view if user changes firewall version; this
ensures that icon that indicates non-default rule options is
correctly updated in case different versions of the same fw
platform support different combinations of rule options.
* Redesigned page of the new host dialog where user adds
interfaces manually. Before buttons "add","Update","remove" were
hidden because dialog was too small.
2005-12-13 vadim <vadim@vk.crocodile.org>
* po.pro: Added Swedish translation made by Daniel Nylander
<yeager@lidkoping.net>
2005-12-13 ilya <yalovoy@gmail.com>
* RuleSetView.cpp (maybeTip): added tooltips for rule elements
Action and Options
2005-12-02 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipf.cpp (processNext): Run-time AddressTable objects
are not supported in ipfilter; added a placeholder for
corresponding rule processors, aborting compilation when such
object is detected in a rule
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1361564: "Prolog script env settings unavailable". Need to define
env variables IPTABLES, LSMOD etc before prolog.
(OSConfigurator_linux24::printChecksForRunTimeAddressTables):
compiler for iptables inserts shell code to ensure that data files
used in run-time AddressTable objects are present before firewall
policy is activated.
* PolicyCompiler_PrintRule.cpp (processNext): implemented run-time
mode for AddressTable object in compiler for iptables. Current
implementation *dos not* emulate dynamic table reloads as can be
done for PF using "pfctl -t table -Treplace" command. The whole
policy script must be run again if data file AddressTable object
refers to changes. Current implementation does not allow comments
in the data file
2005-12-01 ilya <yalovoy@gmail.com>
* version 2.1.4
* new object type TagService
Actions 'Mark' and 'Queue' renamed as 'Tag' and 'Pipe'
respectively.
* fwbedit.cpp: fixing of absent 'TagServices' group added.
* ActionsDialog.cpp: new actions control dialog
* RuleSetView.cpp: changed actions context menu to use new
parameters dialog (support of actions with parameters).
2005-11-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (processNext): added support for run-time
AddressTable objects for PF.
* PolicyCompiler_pf (PrintRule::_printAddr)
* TableFactory.cpp (TableFactory::PrintTables): support for DNSName
run-time mode in compiler for pf, ipfw and ipf
* PolicyCompiler_PrintRule.cpp (_printAddr): support for DNSName
run-time mode in compiler for iptables
2005-11-23 Vadim <vadim@vk.crocodile.org>
* AddressTable object dialog
2005-11-22 vadim <vadim@vk.crocodile.org>
* TableFactory.cpp (createTablesForRE): class TableFactory reuses
existing tables separately for NAT and policy rules. Reuse of
tables created for NAT in the policy rules is difficult because
tables themselves are created in the temporary copy of the tree in
the NAT compiler (the same applies to the objects - members of the
tables)
2005-11-21 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printAddr): Improvement in the
compiler for PF: using '!' syntax for one-object negations
* NATCompiler_pf.cpp (CeateTables): Improvement in the compiler
for PF: Using tables for NAT rules
* TableFactory.cpp (createTablesForRE): using the same class to
generate tables for both policy and NAT rules for pf. Table names
are composed using rule positions so that table names do not
change between compiler runs (they used to change because they
were created using rule IDs, which changed because compiler
generated lots of copies of rules)
2005-11-14 Vadim <vadim@tourist.vk.crocodile.org>
* version 2.1.3
new object type DNSName
using this method in Compiler::prolog to resolve DNSName objects
that are supposed to be resolved at compile-time
Redesigned RuleOptionsDialog to make room for new options
Added actions MARK and QUEUE with basic support in API and GUI
Added new object type AddressTable
2005-11-05 vadim <vadim@tower.vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): fixed bug #1349326
"ulogd option does not work". There was a typo in the class
iptAdvancedDialog ( useULOG instead of use_ULOG )
*** Ported from 2.0.10 ***
2005-11-01 vadim <vadim@tower.local>
* NATCompiler_ipt.cpp (processNext): fixed bug #1342495: "SNAT
with address range". Compiler used to print warning "Adding
virtual addresses for NAT is not supported for address range" even
if adding virtual addresses for NAT was turned off.
*** Ported from 2.0.10 ***
2005-10-26 vadim <vadim@tower.local>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1313420:
"OUTPUT chain is built wrong under certain conditions." Rules
that have firewall in SRC and DST, while DST has negation, should
be split so that the second generated rule goes into OUTPUT chain
rather than FORWARD
*** Ported from 2.0.10 ***
2005-10-24 vadim <vadim@tower.local>
* FirewallDialog.cpp (openFWDialog): fixed bug #1315892:
"fwbuilder crashes on missing OS template" The GUI crashed if user
added new hostOS or firewall platform template under resources/os
or resources/platforms, then reinstalled the package (and
therefore lost their custom template files), then tried to open
firewall or host OS settings dialog for the object using new
template.
*** Ported from 2.0.10 ***
* RuleOptionsDialog.cpp (loadFWObject): fixed bug #1305933:
"fwbuilder/Solaris: compilation errors". Another case of implicit
type conversion QString->string which does not compile on systems
with QT built w/o STL support.
*** Ported from 2.0.10 ***
* main.cpp: fixed bug #1304878: fwbuilder: signal.h
required (Solaris). Using 'AC_CHECK_HEADERS([signal.h])' in
configure.in to check for the appropriate #include.
*** Ported from 2.0.10 ***
* configure.in: fixed bug #1304764: "configure script: Sun make
check fails". Need to use ${MAKE-make} instead of $ac_make when
checking for GNU make.
*** Ported from 2.0.10 ***
* fixed bug #1304785: "fwbuilder - Solaris has no libutil". Using
better way to check whether we need to link with libutil.
*** Ported from 2.0.10 ***
2005-10-22 vadim <vadim@vk.crocodile.org>
* VERSION: set version to 2.0.10 in branch fwb2-2.0-maint
2005-09-29 Vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (InterfacePolicyRulesWithOptimization):
new rule processor: checks if the rule is associated with an
interface and uses setInterfaceId to record its id. If the rule is
associated with multiple interfaces, splits the rule
accordingly. Unlike basic processor
PolicyCompiler::InterfacePolicyrules, this processor tries to
optimize rules applied to multiple interfaces using user-defined
chain
***** Policy compilers support multiple interfaces and negation in
"Interface" rule element
2005-09-28 Vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (paintCell): merged interface policies with
global policy. Keeping most of the code that implements interface
policy tabs just in case.
* set version to 2.1.2
2005-09-26 Vadim <vadim@vk.crocodile.org>
* RoutingRuleOptionsDialog.cpp (loadFWObject): Added support for
routing rules. Using "fwbuilder-routing" patch provided by Tidei
Maurizio <fwbuilder-routing at compal.de>
* set version to 2.1.1
* ObjectManipulator.cpp (createObject),(newDNSName),
newHostDialog.cpp (accept): added checks for broken object tree
2005-09-20 <vadim@vk.crocodile.org>
* DNSNameDialog.cpp (loadFWObject): new object type: DNSName
(Illiya)
2005-09-17 <vadim@vk.crocodile.org>
* 2.0.9 release in branch fwb2-2.0-maint
2005-09-12 <vadim@vk.crocodile.org>
* fwsm.xml.in: Added support for Cisco FWSM (platform and host OS)
* pixAdvancedDialog.cpp (pixAdvancedDialog): Added support for
manual ACL commit in FWSM
2005-09-11 <vadim@vk.crocodile.org>
* SSHPIX.cpp (SSHPIX): enable_prompt should include string "Access
Rules Download Complete" which is _sometimes_ printed by FWSM when
in auto-commit mode.
2005-09-07 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (lockObject): Added ability to lock/unlock
individual objects in the tree (Illiya)
* GroupObjectDialog.cpp (listViewSelectionChanged): Illiya
implemented Feature Req #1151208: "Allow multiple objects select
to make an action (Group)"
2005-09-07 <vadim@vk.crocodile.org>
* SSHSession.cpp (cmpPrompt): overloaded method
SSHSession::cmpPrompt to be able to specify prompt as a regular
expression. This variant is very convenient for PIX prompts.
2005-09-05 <vadim@vk.crocodile.org>
* fixed bug #1254775: "RCS checkin fails on Windows when data file
is too big". RCS tools failed to check the file in if it consisted
of one huge line of text. This fix makes th GUI save data file
(.fwb) in formatted form on Windows, just like on Linux. This
means each XML element is saved on separate line instead of all of
them being on the same line.
2005-09-04 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): fixed bug #1276083:
"Destination NAT rules". Old restriction on "rdr" rules that
required service in OSrv is not valid anymore, pf supports rdr
rules with no protocol specification. (ported from 2.0.9)
2005-09-04 Vadim Kurland <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): properly handling situation when user
hits Cancel in check-in log dialog (should abort File/Commit
operation entirely)
* main.cpp (main): added a workaround to make the GUI work in
Spanish locale (QT 3.3.4 ships with broken qt_es.qm file at least
on Fedora-C4 and Mac OS X)
2005-08-31 <vadim@vk.crocodile.org>
* SSHUnx.cpp (stateMachine): fixed bug #1277129: "script is
truncated when installed by the GUI running on Mac". Large script
was getting truncated while copied to the firewall if GUI was
running on Mac OS X (bugfix ported from 2.0.9)
2005-08-17 <vadim@vk.crocodile.org>
* fwbedit.cpp (usage): Finished implementation of RFE #1211612
"fwbedit - add object?". Using "-p","-L","n" and "-o" command line
switches to specify parent, library, name and attributes of an
object
2005-08-04 <vadim@vk.crocodile.org>
* fwbedit.cpp (main): Illiya is working on RFE #1211612: "fwbedit
- add object?" and #1114501: "Data file repair". Fwbedit can now
add objects as well as repair tree structure. Still needs some
more work.
2005-07-31 <vadim@vk.crocodile.org>
* LINGUAS: Added Spanish translation, thanks to Carlos Lozano
<clozano@andago.com>
2005-07-30 <vadim@vk.crocodile.org>
* Started v2.1.0
2005-07-30 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileCommit): Illya implemented Feature Request
#1187461 "Add "commit" menu item". This menu item commits opened
data file to RCS but keeps it opened so the user can continue
editing.
2005-07-29 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (addObjectsToTable): Illiya implemented
Feature Request #1225393 "FeatureRequest Print comments on
objects"
2005-07-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragMoveEvent): Illiya fixed bug #1226069:
"Segfault: Drag&Drop between two instances"
2005-07-21 <vadim@vk.crocodile.org>
* platforms.cpp (getLogFacilities): Illiya moved definitions of
log levels, log facilities and actions on reject to module
platforms.cpp. Methods getLogLevel, getLogFacilities and
getActionsOnReject return string lists suitable for using with
DialogData to provide mapping between localized and english
strings so that the user sees translated ones but enlish ones are
written into FWOptions object and used by compilers. This fixes
bugs #1240205: "Iilegal --log-level Information" and #1233165:
"Illegal Logging-Limit string.".
2005-07-08 <vadim@vk.crocodile.org>
v2.0.8 released
2005-07-05 <vadim@vk.crocodile.org>
* SSHSession.cpp (allDataSent): calling allDataSent from heartBeat
slot method because on windows signal 'wroteToStdin' is emitted
before I had a chance to connect it to a slot in
SSHUnx::stateMachine in state PUSHING_CONFIG after entire file has
been transmitted. I used to send an extra '\n' to force signal
'wroteToStdin', but that made the file to be sligltly different on
the receiving end and I do not like that.
* RuleSetView.cpp (dragMoveEvent): not really a change: bug
1226069 "Segfault: Drag&Drop between two instances" requires
redesign of the drag&drop mechanism so that live pointer to
FWObject is not passed between sender and receiver.
2005-07-04 <vadim@vk.crocodile.org>
* SSHSession.cpp (startSession): fixed bug #1232478: "FWB shuts
down on incorrect password". Bug was intorduced in build 624 while
working on installer stalls and undescriptive ssh termination
error when OpenSSH 4.0 was used.
2005-07-02 Vadim Kurland <vadim@vk.crocodile.org>
* main.cpp (main): ignore SIGHUP in the child process in ssh
wrapper. Closing stdin at the end of the file copy sends SIGHUP to
the child. By some reason, this caused ssh to terminate with error
message "killed by signal 1" and return code 255 on Fedora C4
which uses OpenSSH v4.0p1
2005-07-02 <vadim@vk.crocodile.org>
* main.cpp (tty_raw): switched from TCSAFLUSH to TCSANOW in call
to tcsetattr when we switch tty to raw mode in ssh wrapper
code. This should fix mysterious stalls in the installer that were
introduced when I worked on the wrapper code to fix bug #1213361
(problems with file copies on FreeBSD 5.4)
* instDialog.cpp (initiateCopy): added missing "-v" option to ssh
call used to copy policy script to the firewall if "verbose"
checkbox is checked. This should help troubleshoot problems with
installer when ssh fails and terminates with an error.
2005-06-25 <vadim@vk.crocodile.org>
* configure.in: need to call macro AC_PROG_MAKE_SET before
using $ac_make to check for GNU make
* configure.in: added check for cfmakeraw (which is absent on Solaris)
* configure.in: make script continue if forkpty is not found,
the program will use emulation.
2005-06-13 <vadim@vk.crocodile.org>
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
sorting list of objects for tooltips. Sorting is done by object
name, alphabetically. TODO: use locale-aware sort and ignore
case of the letters.
2005-06-12 <vadim@vk.crocodile.org>
* main.cpp (main): need to switch the pipe and stdin in the child
process to raw mode in order to ensure proper communication when
fwbuilder works in ssh wrapper mode. This (really) fixes bug
#1213361
* configure.in: Added path to QT where it is installed on 64-bit
systems to the list configure tries while searching for QT
2005-06-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1215279: "rate
limiting rule logs everything". Rule utlilizing "limit" module to
rate limit packets with logging logged every packet and dropped
those that exceeded the limit. The fix makes it apply the limit
first and then log only packets that were dropped.
* main.cpp (forkpty): fixed bug #1072842: "fwbuilder: Solaris and
forkpty". We need forkpty fr built-in installer but this function
is not awailable on Solaris. I am adding re-implementation, but it
hasn't been tested since I do not have Solaris machine.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
fixed bug #1212179: "tool tips for TCP services cuts off some
services". The gui would show very long tooltip for large groups;
if the group was too large, the tooltip did not fit on the screen.
* main.cpp (main): fixed bug #1213361: "PF on FreeBSD-5.4R". Bug
description is misleading, the probem was caused by built-in
installer rather than by compiler for PF. Installer would not copy
generated script over ssh if the script was longer than some
threshold and the gui was running on FreeBSD.
2005-06-05 <vadim@vk.crocodile.org>
* linux24.xml.in: fixed bug #1212121: "sudo shutdown doesn't
work". Installer needs to schedule reboot when the user activates
policy in a test mode. There was a bug in the installer script
that improperly used sudo to run shutdown when installation was
performed using regular user account.
* linux24.xml.in: fixed bug #1212123: "executing file below /tmp
as root". Avoiding world-writable directory /tmp/ while activating
policy in the test mode. This change makes installer use
subdirectory "tmp" under directory specified in the "intaller" tab
of firewall settings dialog. That directory is expected to have
proper permissions; subdirectory "tmp" can be created manually,
otherwise installer creates it. Either way, it is not
world-writable, therefore unauthorized users can not create
scripts in it.
* freebsd.xml.in: Using pkill to find running shutdown process and
kill it to cancel pending reboot. Pkill simplifies the scriptlet
so we don't need to deal with output redirection etc. Pkill is
available on FreeBSD, Linux, OpenBSD and Solaris.
* linux24.xml.in: another fix for a bug #1201406: "shutdown
messages should be suppressed". Scriptlet has been modified to
make sure it works in both sh and csh (user who installs the
policy may have tcsh as their login shell, root may use tcsh too)
2005-05-30 <vadim@vk.crocodile.org>
* src/res/os/*.xml.in: fixed bug #1201406: "shutdown messages
should be suppressed". Installation scriptlet tries to kill
shutdown process, if there is one, to cancel pending shutdown that
might have been left over from test install. If there is none, the
script prints an error message "shutdown process not found" or
similar, which confuses user. Needed to suppress these error
messages.
* fixed bug #1155351: "Remote install of FW rulset fails due to
race condition". Generated ipfw firewall script could not be ran
reliably over ssh session because "ipfw -f" flushes all rules and
all state, which breaks ssh session. As soon as the script needed
to print anything, it got I/O error from the system because TCP
session for ssh was blocked; this stopped the script and did not
let it activate new firewall policy.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvemet in the
compiler for ipfw: added "established" rule on top of the regular
backup ssh access rule; this allows to maintain management ssh
session after the policy is reloaded. both "ipfw -f" and swapping
sets flushes all states, so the ssh session used to upload and
activate new policy breaks. A rule with "established" keyword
maintains this session.
* PolicyCompiler_ipfw_writers.cpp (processNext): improvement in
the compiler for ipfw: using rule sets to atomically swap old and
new rules. New rules are loaded in the set 1 and then swapped into
set 0. If there is an error in a new rule set, it is caught while
loading rules into inactive set 1, at which point script stops
without changing old firewall rules.
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): implemented
support for subnets for backup ssh access for pf,ipf,ipfw. Subnet
can be defined using either full netmask or bitlength: both
"192.168.1.0/255.255.255.0" and "192.168.1.0/24" are
acceptable. Single host address works too, both as "192.168.1.10"
and as "192.168.1.10/255.255.255.255" or
"192.168.1.10/32". Incorrect address or netmask cause compiler to
abort processing.
2005-05-28 <vadim@vk.crocodile.org>
* GroupDialog: fixed bug #1207983: "incorrect size of "I" and "L"
buttons in the group view dialog". Tested with large font and
cleaned up layout in many dialogs.
* HostDialog.cpp (loadFWObject): removed 'snmp community' option
from the Host object dialog - it was not used anywhere
* ipt.cpp (main): fixed bug #1205665: "Error with summer time when
compiling script". Sometimes timezone name has "'" in it which
confuses shell and causes an error when generated script prints
"Activating firewall policy..." log message
* RCS.cpp (RCSEnvFix): fixed bug #1204067: "incorrect timezone
handling in RCS". Windows version of RCS incorrectly converts
check-in time when time zone is east of GMT. Had to use "-z"
option on all RCS commands to explicitly set offset; "-zLT"
produces wrong results in rlog.
* fwb_compile_all (LIB): fixed bug #1200902: "fwb_compile_all does
not work in 2.0". Script fwb_compile_all broke because of changes
in data file format
* PolicyCompiler_PrintRule.cpp (_printTimeInterval): fixed bug
#191423: "Weekend Time restriction not created correctly". Rules
with time restriction spanning from Saturday to Sunday were
generated with incorrect "--day" option
* objects_init.xml.in: fixed bug #210518: 'Incorrect ending day in
the standard object "weekends"'. This object defined time interval
ending at 23:59 on Monday instead of Sunday
* implemented Feature Request #1145666: "Print RCS
Log". File/Properties dialog can now print RCS log. Thanks to
"Ilya V. Yalovoy" <yalovoy@pilot.aip.mk.ua> for the patch.
2005-05-23 <vadim@vk.crocodile.org>
* added updated German translation by Hans Peter Dittler
<hpdittler@braintec-consult.de>
2005-05-20 <vadim@vk.crocodile.org>
* set version to 2.0.8
2005-05-08 <vadim@vk.crocodile.org>
* v2.0.7 released
2005-05-04 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1195201: "getaddr function return error ip address". Yet another
change in the way we use grep to find IP addresses of an interface
on Linux. We can't use regex (bug #1123748) and need to filter out
secondary addresses from the "ip addr show" output. It looks like
"grep -v :" neatly solves the problem without using regex.
2005-05-02 <vadim@vk.crocodile.org>
* snmp.cpp: API change: Compiled all OIDs. The program may run on
a system where MIBs are not installed, so we can not always use
symbolic OID names Also using snmp_out_toggle_options to turn
numeric output in all responses (equivalent to -On in snmp tools)
2005-05-01 <vadim@vk.crocodile.org>
* snmp.cpp (walk): API changes: verbose error message, printing
response->errstat code as well as corresponding error string; this
should help debug snmp -related problems better
* snmp.cpp (walk): API changes: using snmp_error to print last
snmp error string
2005-04-27 <vadim@vk.crocodile.org>
* implemented support for SNMP operations in Windows packages
* qmake.inc files overhaul
2005-04-26 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (getInterfacesViaSNMP): switched to using
QT class DNS to get host/firewall name in new HostDialog and
newFirewallDialog classes. This seems to work better on Windows.
Also added more locks to prevent reentering getInterfacesViaSNMP
if user clicks the button multiple times in quick succession
2005-04-23 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): fixed bug #1187248: using "find"
for an address "192.168.10*" several times after a firewall
objects has been created using templates caused GUI to crash
2005-04-17 <vadim@vk.crocodile.org>
* findDialog.cpp (matchAttr): implemented feature request
#1151206: "Search for IP Addresses". "Find" dialog searches for
objects by a combination of name and one of the following
attributes: address, tcp/udp port, ip protocol number or icmp
message type. Regular expressions can be used for both name and
attribute.
* ObjectTreeView.cpp (getSimplifiedSelection): fixed bug #1151212:
"Collapsed sub-objects shouldn't be added if they are
hidden". When user selects multiple objects in the tree some of
which have child objects, those child objects used to be also
selected and added to groups in addition to their parent
objects via drag-and-drop operation.
* GroupObjectDialog.cpp (pasteObj): fixed bug #1184791: "can not
copy/paste multiple objects into a group"
* FWWindow.cpp (doCompile): implemented feature req. #1151220:
"Close" button should change is caption/title to "Install". When
user clicks "Install" toolbar button or main menu item, the
"Close" button in the pop-up window that displays compiler
progress changes its text caption to "Install"
2005-04-13 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): fixed bug
#1181359: "Missing traling space in "INVALID state" syslog
message"
2005-04-10 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Improvement in built-in installer:
user can specify additional command line parameters for ssh that
built-in installer runs to access firewall. This allows for
alternative ssh port or alternative ssh identity to be used when
accessing firewall. Parameters can be added in the "Installer" tab
of firewall settings dialog for all platforms.
2005-04-09 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1179103: 'compiled rules can not be
install'. Generated iptables script could not be used on systems
with non-English locale where timezone name used local characters
because these characters were printed as hex ( "&#21488;" ) and
'&' caused problems with shell. Now using single quotes to make
shell ignore any characters in the string. Will deal with proper
printing of localazed timezone later.
2005-04-07 <vadim@vk.crocodile.org>
* OSConfigurator_freebsd.cpp (printPathForAllTools): function
getaddr() falls back to 0.0.0.0/32 if dynamic interface has not
been assigned an address yet or is down. Ipfilter policy using
run-time substitution of dynamic interface addresses will be
functional even if these interfaces are down or do not have IP
address.
2005-04-05 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (_flushAndSetDefaultPolicy): fixed
bug #1176890: "block IPv6". Generated iptables script sets default
policies to DROP in all ipv6 filter chains. More detailed control
can be implemented using prolog or epilog scripts.
2005-04-03 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (separateSrcPort): fixed bug #1176051:
"incorrect rule generated for TCP service ftp-data". If a rule
used several TCP or UDP service objects and one of them has source
port range configured, generated PF filter rule incorrectly
matched on a combiantion of that source port range _and_
destination port ranges from all other service objects. This bug
affected compilers for OpenBSD PF and ipfilter
2005-03-31 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): fixed bug #1155163: "print does
not print group contents". The program printed only number of
objects contaned in object or service groups. Now it prints lists
of member objects for all groups used in rules. If groups contain
other groups, they are printed recursively.
2005-03-30 <vadim@vk.crocodile.org>
* objects_init.xml.in: fixed bug #1172620: "Add tcp service object
for icslap". Added this object to the objects library "Standard".
* FWWindow.cpp (info): fixed bug #1151243: "Maintain format of
description text". The GUI ignored text formatting in object
comment when displayed it in the info panel (lower left corner of
the main windows)
* FWOptions.cpp (toXML): API change: fixed bug #1173801: '"&"
character in prolog/epilog'. Needed to call xmlEncodeSpecialChars
to encode special characters in firewall options
2005-03-29 <vadim@vk.crocodile.org>
* ipf.cpp (printActivationCommandWithSubstitution): fixed bug
#1173064: "support for dynamic interfaces in ipfilter". Actual
address of dynamic interface is now determined at run-time in the
policy activation script <firewall_name>.fw generated by
fwbuilder. If dynamic interface is used somewhere in the policy or
nat rules, it will be replaced with its actual address by
activation script before configuration is sent to ipf or ipnat for
activation. This run-time substitution is done only if a checkbox
is checked in the "Script options" tab of firewall settings
dialog. Default behavior is to use "any". This is because ipfilter
configuration files <firewall>-ipf.conf and <firewall>-nat.conf
that rely on run-time substitution of dynamic interface address
can not be loaded using standard activation scripts that come with
FreeBSD.
This also fixes another problem in fwb_ipf where it generated rdr
and nat commands with address 0.0.0.0/32 if dynamic interface was
used in a NAT rule.
2005-03-28 vadim <vadim@tourist2.local>
* PolicyCompiler_PrintRule.cpp (_printMultiport): fixed bug
#1160186: 'IPTables Compiler - Multiport Issue'. When 16 or 31
ports were used in a single rule, compiler generated command with
conflicting options "-m multiport --dport"
* NATCompiler_ipf.cpp (processNext): fixed bug #1173067: "support
for port ranges in NAT rules (ipfilter)" - policy compiler for
ipfilter should split DNAT rules (rdr) that use TCP or UDP objects
with port ranges. A warning is issued if more than 20 rules are
created.
2005-03-20 <vadim@vk.crocodile.org>
* utils.cpp (getFileDir): fixed bug #1157976: "patches to make
fwbuilder compile under NetBSD 1.6". Applied patches.
* newHostDialog.cpp (newHostDialog): fixed bug #1151219: "New Host
creation window is not well dimensioned". Fixed wrong dialog page
layout in the new host wizard.
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748: "busybox grep -E". Busybox in floppyfw is compiled
without support for egrep (or grep -E). Switched to using "plain"
grep.
* InterfaceDialog.cpp (loadFWObject): fixed bug #1151052: "Not
external interfaces marked as external". Dialog for an interface
object that belongs to a host should not show checkbox "external
(insecure) interface"
* Tools.cpp: API change: fixed bug #1158870: "mutexes are not
properly created on FreeBSD". Mutexes gethostbyname_mutex and
gethostbyaddr_mutex were never created but used on OS where
thread-safe resolver is not available.
2005-02-17 <vadim@vk.crocodile.org>
* v2.0.6 released
2005-02-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr
binary not found". As it turns out, /usr/bin/ is not in PATH
during boot time on Slackware. I added /usr/bin/ to PATH variable
in generated iptables script.
2005-02-16 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#1123748 "busybox grep -E". Busybox does not support option "-E"
with grep, however it has "egrep".
2005-02-12 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): proper localization in the
installer where it displays progress of the installation operation
2005-02-11 <vadim@vk.crocodile.org>
* main.cpp (main): Troubleshooting weird case of data file
corruption during install
* RCS.cpp (RCS): fixed bug #1120904: "GUI hangs when accessing RCS
file". Improved parsing of rlog output.
2005-02-09 <vadim@vk.crocodile.org>
* utils.cpp (getUserName): working on bug #1118717: "fwbuilder 206
on Windows XP SP2: error checking out". Env variable USERNAME was
not set in user's profile, which triggered this bug. Now using
getuid to get user name on Unix and GetUserName on Windows. This
should make the program more resilient for situations when
environment variable LOGNAME or USERNAME is not set
2005-02-08 <vadim@vk.crocodile.org>
* ipt.cpp (main): Using getuid to read real user's ID on Unix
2005-02-07 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): Fix for support request #1118039:
"Error when Windows client calls plink -ssh". The problem is that
putty ignores protocol and port specified in the session file if
command line option -ssh is given. On the other hand, the sign of
session usage is an empty user name, so we can check for that. If
user name is empty, then putty will use current Windows account
name to log in to the firewall and this is unlikely to work
anyway. This seems to be a decent workaround.
* printerStream.cpp (printQTable): further bugfixes in printing,
in particular fixed a problem with partially greyed-out horizontal
and vertical headers when ruleset was small enough to fit on the
first page.
2005-02-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (selectionChanged): fixed bug #1030538:
"incorrect highlighting when selecting multiple rules". This bug
seems to be specific to Mac OS X
* printerStream.cpp (printQTable): improvements in printing:
- if a rule set does not fit on a single page, the program
repeats table header on each page ("Source","Destination","Service" etc)
- the program does not draw the whole rule set in memory
anymore. Instead, it "scrolls" the table and only draws section
that fits on a single page. This means we can now print really
huge policies that can not be drawn as a whole because they
exceed maximum coordinate value. Tested with a rule set that
consists of 1200 rules which has size of 677x34884 pixels on my
machine.
2005-02-03 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): working on bug #1115412: "Problem
installer FWbuilder 2.0.5 for Windows". Switched to command line
option "-l" to specify user name for external ssh in
installer. This was necessary because Van Dyke SecureCRT on
Windows does not support user@host syntax.
* instDialog.cpp: Installer verbose and quiet modes work as follows:
- if quiet is off, verbose is off: prints everything that
firewall script prints on stdout and stderr; does not add "-v"
to calls to external ssh utilities
- if quiet is off, verbose is on: adds "-v" to ssh command line
- if quiet is on - supresses script output but still prints short
messages to indicate when it copies files to the firewall and when
it executes them
2005-02-01 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (delObj): slightly changed logic with user
warnings in the object removal code. The program asks the user for
confirmation if they remove an ordinary object from a regular
library. Confirmation is not asked if object is removed from
"Deleted objects" library or when a library is being deleted (in
this case we ask a different quastion later anyway). This helps
avoid double warning when a library is deleted.
2005-01-31 <vadim@vk.crocodile.org>
* POmakefile.in (POTFILES): Added module FWWindowPrint.cpp to the
list of files processed for localization
* FWWindowPrint.cpp (filePrint): Added small margin inside table
cells in Legend and Object tables in the printout.
2005-01-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1112470:
"Problem with FW part of ANY in Bridged mode". If fw is
considered part of any, we should place rule in INPUT/OUTPUT
chains even if it is a bridging fw since fw itself may send or
receive packets.
* PolicyCompiler_ipt.cpp (accounting): implemented feature
req. #1112980: "Need unique names for accounting rules". User can
now specify a unique name for rules with action 'Accounting'; this
name will be converted to a chain name. This simplifies accounting
since chain name for such rule won't change if the user adds or
removes rules above or below.
* PolicyCompiler_ipt.cpp (accounting): fixed bug #1112976:
"Accounting rule with logging produces looped iptables command"
* FWWindowPrint.cpp (beginPage): implemented Feature
Req. #1112778: "include date and time on printouts". Added date
and time to the header on each printed page.
* RuleSetView.cpp (paintCell): fixed bug #1112776: "some items
touching seperator lines on printouts". Rule elements "Action",
"Direction", "Options" and "Comment" were placed right at the top
of the table cell which led to their clipping when rule set was
printed on Mac OS X. Need more testing.
* FWWindowPrint.cpp (filePrint): fixed bug #1112764: "some Objects
are partially obscured in printout". Parts of the "Objects" table
were clipped. Need to test some more.
2005-01-29 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug #1112264: "Load last edited
file" setting doesn't work. This was broken only on Mac OS X.
* FWObjectDatabase.cpp (merge): API change: fixed bug #1105167:
"Crash when importing a library that has been deleted".
2005-01-27 <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (_printPort): not quite fixed bug
#1105755 "Custom Service objects not working for PF
compiler". User tried to generate a nat rule like this using
CustomService object:
nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22
Taken from the bug report:
it turned out, I can not fix this. You are trying to use Custom
Service object to insert protocol list into a "nat"
rule. Normally, a service object such as TCP or UDP service
generates two components for any rule where it is used: a protocol
specification and port specification
(type/ code spec for ICMP). PF is sensitive to the order of
parameters in the rule, in particular, protocol must be defined
after interface but before src/dst addresses in the rule, while
port numbers go after addresses. Compiler easily retrieves this
information from IP, TCP, UDP and ICMP services and places it in a
proper slots in the rule it generates. CustomService does not
have a notion of protocol and parameters for it, so compiler puts
a string that is configured in the CustomService in the place
reserved for port numbers. This means you can not use
CustomService to specify protocols.
There still was a bug in fwb_pf where it would print
"custom_service" in place of protocol. This is fixed in 2.0.6
build 542. Protocols can not be inserted with Custom Service
though.
Feature request #1111267 "CustomService should specify protocol
and parameters for it" has been opened
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1102629: "lost
chain in accounting rules". Rules with multiple objects in one of
the rule elements and action 'Accounting' generated code that
ignored objects in that rule element
* ObjectManipulator.cpp (newPhysicalAddress): fixed bug #1111244
"GUI allows to add more than one MAC address to an
interface". There can only be one MAC address for each interface.
* FWWindowPrint.cpp (printQTable): While printing rule sets, the
program makes sure rule set tables are broken on the rule
boundaries while switching to a new page.
* Added "Page setup" dialog to set parameters such as printing
header, printing of a legend and object lists etc.
* fixed bug #1109174: "Cannot print rule base" - implemented
printing
2005-01-25 <vadim@vk.crocodile.org>
* instDialog.cpp (selected): fixed bug #1109631: "can not copy
firewall script to /etc on Linksys". Added an option ot all OS
resource files that determines whether user is allowed to change
installation directory on the firewall. Currently it is allowed on
all supported OS except Linksys/Sveasoft because there /etc/
resides on read-only filesystem
2005-01-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1101910: "Samba
problem with Bridged Firewall". Need to split rule to take care of
broadcasts forwarded by the bridge and broadcasts that are
accepted by the firewall itself. Need to do this only if the rule
is not associated with any bridging interface.
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1106701: 'backup ssh access' and statefulness
interation. Need to add rules matching states ESTABLISHED and
RELATED for the backup ssh access to make sure it works even if
global rule matching these states is disabled.
* configure.in: fixed bug #1107838: "bug in configure script in
fwbuilder 2.0.6". Need to specify path "./" when calling
runqmake.sh
* FWWindowPrint.cpp (filePrint): printing legend and a list of
objects at the bottom of a printed document.
* Compiler_ops.cpp (operator==): API change: fixed bug #1108861:
"two rules using MAC address matching shadow each other". Need to
check for MAC addresses while processing rules for shadowing.
2005-01-21 <vadim@vk.crocodile.org>
* FWWindowPrint.cpp (filePrint): Implemented printing of firewall
rule sets. Using standard QT class QPrinter; can print to a system
printers or to a file (PostScript), both in black and white or a
color where available. Prints policies of the currently opened
firewall. The program can calculate total number of pages and
offer the user a choice in the Print dialog only if QT v3.2 and
later is used. Each printed page has a header with the file name,
RCS revision and a page number. Currently, the header can not be
turned off (will implement in the future).
2005-01-07 <vadim@vk.crocodile.org>
* v2.0.5 released
2005-01-06 <vadim@vk.crocodile.org>
* RCS.cpp (isDiff): writing RCS log in UTF-8, this simplified
localization
2005-01-02 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): working on localization of RCS log entries. Build
516 converts log strings into 8bit string into locale-specific
format on Unix before sending it to ci. Strings returned by rlog
are converted from locale-specific format. No conversion is done
on Windows and Mac OS X.
* objects_init.xml.in: fixed bug (no num) that caused GUI crash
when user created new firewall object using template with three
interfaces.
2004-12-30 <vadim@vk.crocodile.org>
* PolicyCompiler_ipfw_writers.cpp (processNext): fixed bug
#1093620: "path (to ipfw) with spaces fails". Generated script
failed if path to ipfw contained space. I only worked around this
problem for ipfw; paths to sysctl and logger must be standard and
never contain spaces.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1093472: "ipfw
port range(s) errors". There can only be one port range in a
single ipfw rule.
* PolicyCompiler_ipfw_writers.cpp (_printProtocol): fixed bug
#1093461: "problem with 'established' in ipfw". Ipfw requires
protocol to be set to 'tcp' if option 'established' is used in a
rule.
2004-12-29 <vadim@vk.crocodile.org>
* RCS.cpp (RCS): fixed bug #1092810: "Multiline RCS comments are
shown as a single line on windows". As it turned out, this bug
affected all platforms.
* RCS.cpp (ci): an attempt to fix a bug that does not allow to
enter RCS comment using non-english locale.
2004-12-28 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (getInterfaceVarName): fixed bug
#1059393: "function getaddr failed for eth1.0020". Generated
script can now work with interfaces that have a dot in their name
(such as "eth1.0020" - vlan interface)
* PolicyCompiler_PrintRule.cpp (_printOptionalGlobalRules): fixed
bug #1092141: "irritating FORWARD rule for established
connections". Need rule in FORWARD chain only if ip forwarding is
on or set to "no change"
2004-12-22 <vadim@vk.crocodile.org>
* Compiler.cpp (createRuleLabel): API change: fixed bug #1068119:
"additional whitespace for Rule comments in .fw file". Added extra
space between rule number and interface spec in rule comments.
* PolicyCompiler_ipfw.cpp (processNext): fixed bug #1089866:
"multiple services in one rule confuses ipfw compiler". If several
UDP or TCP objects were used in the same policy rule and these
service objects had source port ranges defined, the compiler would
produce incorrect code by combining source port range
specifications together in the same ipfw command.
* main.cpp (main): Pull-down menu "On startup" in the "General"
tab of the preferences dialog now has three items: "Load standard
objects", "Load last edited file" and "Ask user what to do". The
last item is default.
* PolicyCompiler_PrintRule.cpp (_printProtocol): fixed bug
#1089586: "default --icmp-type value is 0 in iptables <
1.2.9". The problem concerns policy rules using service object
"any ICMP". A rule like this is supposed to match any ICMP
packet. Few versions ago I had to add option "-m icmp" (and "-m
udp", "-m tcp") because I've discovered that iptables-restore on
some systems (linksys sveasoft firmware, iptables v1.2.11) refused
to load rules without it. Now it turns out that iptables v < 1.2.9
(tested on 1.2.6a and 1.2.7a) implicitly adds equivalent of
"--icmp-type 0" to rules with "-p icmp -m icmp" and without
"--icmp-type" option. Since type 0 is actually icmp echo reply, a
rule like this does not match "any ICMP" as it was supposed to
do. Iptables 1.2.9 implicitly adds "--icmp-type 255" which matches
any icmp type. Using "--icmp-type 255" on iptables 1.2.6 and 1.2.7
does not work (a rule does not match icmp packets with type
different from 255). The fix generates "-p icmp -m icmp
--icmp-type any" for iptables 1.2.9 and later, as well as when
iptables version is not specified in the firewall object settings.
It generates just "-p icmp" for versions < 1.2.9.
2004-12-19 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (newInterfaceAddress): GUI change: main
menu item "Object/New Object/Address" and corresponding toolbar
button always creates an Address object under Objects/Addresses
folder in the tree. Address of an interface can be created using
pop-up menu item "Add IP Address"
2004-12-16 <vadim@vk.crocodile.org>
* Bunch of cosmetic bugfixes in the GUI
* PrefsDialog.cpp (setButtonColor): implemented feature request:
colors that are used to color rules can be changed in Preferences
dialog.
2004-12-13 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileOpen): when user clicks menu item "File/Open"
to open a new file, the GUI should save and close currently opened
file only after the user chooses new file. If user clicks Cancel
in the File/Open dialog, operation should be cancelled so the user
can continue working with currently opened file. The same applies
to operation File/New.
2004-12-12 <vadim@vk.crocodile.org>
* po.pro: fixed bug (no num): localization was broken on win32 and
mac os x because translation files were not installed properly.
* ObjectManipulator.cpp (pasteTo): improved behavior of the main
menu "Edit" as well as pop-up menu that appears when user right
mouse clicks on an object in the tree. Menu item "Paste" should
only be enabled if the clipboard is not empty and objects that are
stored in it can be pasted into selected object in the tree.
2004-12-10 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (selectedRevision): fixed bug (localization):
RCS log entries made using non-ascii characters used to appear as
'???' in Open File and File/Properties dialogs.
* ObjectEditor.cpp (validateAndClose): more bugfixes for the
behavior of the object editor dialogs. Dialog should ask if user
wants to save data and then validate it when user clicks on [x] to
close editor dialog. It used to validate the data first, then ask
if they want to close dialog.
2004-12-09 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): when user opens data file in the old format
(fwbuilder v1.1.x, extension .xml) and after autoupgrade the
program discovers that the same file with extension .fwb already
exists, it offers the user a chance to choose different name. If
user clicks "Cancel" at this point, the program cancel operation
and reverts upgraded data file back to its original name and
version.
* listOfLibraries.cpp (add): fixed bug (internal #34) the program
should issue a warning when user tries to add a library file
(.fwl) that contains object library that already exists in the
opened data file.
* ObjectEditor.cpp (validate): Streamlined logic in the object
editor dialog. This improves handling of the situation when user
closes dialog by clicking on [x] while 1) there are unsaved data
and/or 2) some of the object's parameters have illegal values. The
dialog behavior also depends on the setting of the global flag
"Autosave" that causes dialog to automatically save data when user
switches between objects.
2004-12-08 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): numerous fixes for localization
2004-12-05 <vadim@vk.crocodile.org>
* ObjectManipulator.h: numerous bugfixes:
- properly synchronizing state of the items main menu with state
of corresponding items in the pop-up menu that appears when user
right-mouse-clicks on an object in the tree
- fixes for non-localized text strings in dialogs (mostly
"Continue", "Yes"/"No" etc. in many places)
- proper localization of the human-readable version number text
for iptables; also made info window print readable text instead of
"lt_1.2.6"
- cosmetic changes in some dialogs layout to make the look better
when localized text makes strings much longer
- firewall object dialog tab "Templates" has been hidden. It is
unlikely that this feature will be implemented in 2.0.X series.
2004-12-04 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no num): the GUI crashed
when user tried to add a library file for auto-load in
Preferences/Libraries and the first library object in that file
had a name using non-ascii characters
* Bunch of other fixes to avoid '????' in various places for
localized strings
2004-12-04 <vadim@vk.crocodile.org>
version 2.0.4 released
2004-12-02 <vadim@vk.crocodile.org>
* utils.cpp (fillLibraries): fixed bug (no num): if a library was
assigned a name with non-ascii characters, it would appear
distorted in the pull-down list in object dialogs.
* fixed bug #1077496 ] Error compiling libfwbuilder in FreeBSD:
The problem was caused by changed major version number of libnetsnmp library
in the latest net-snmp port (v5.2)
2004-12-01 <vadim@vk.crocodile.org>
* FWWindow.cpp (openFirewall): fixed bug #1077072: "CrossPlatform
Firewall Builder Crash" - pressing arrow down key on the keyboard
right after the GUI started with no firewall objects defined
caused crash.
2004-11-30 <vadim@vk.crocodile.org>
* po/ru.qm: Updated Russian translation
2004-11-25 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw::processNext): fixed
bug #1073491: incorrect code for rules using two interfaces with
negation. If a rule had two (or more) interfaces of the firewall
in the destination, with negation, the code generated by compiler
would check one interface's address in INPUT chain and another in
FORWARD chain. It should check addresses of all interfaces from
the corresponding rule element in the INPUT chain and also check
addresses and possibly services from other rule elements in the
FORWARD chain. This bug affected rules with two or more interfaces
both in source and destination.
* po/LINGUAS: translators maintain Russian localization using QT
linguist rather than gettext, removed ru locale from gettext
Makefiles but left it in po.pro for installation
* fwblookup.cpp: a fix to make it compile on FreeBSD w/o gnugetopt
port
* utils.cpp (addPopupMenuItem): minor fix to help localization
('add object' and operation on rules pull-down menus did not
translate properly)
2004-11-23 <vadim@vk.crocodile.org>
* instDialog.cpp (continueRun): built-in installer checks exit
status of the script it runs on the firewall and aborts
installation sequence if it detects an error. OS resource files
have been updated accordingly so they return exit status '1' in
case of error and '0' when they succeed.
* Compiler_ops.cpp (checkForShadowing): API change: still working
on the IPService object shadowing changes. ip fragments object was
shadowing GRE object, which was incorrect. Hopefully this change
finally fixes it.
2004-11-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug (no
number): policy compiler for iptables used "tail -1" in the shell
script that read actual IP addresses of interfaces of the
firewall. This shell code failed to determine correct address of
an interface that was configured with a secondary
address. Reverted to using grep (I switched to tail when ran into
limitations of one of the beta builds of Sveasoft Linksys firmware
that did not have grep)
2004-11-18 <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (processNext): fixed bug #1068936:
"unnumbered interace not using MASQUERADE". Comiler for iptables
will use target "MASQUERADE" if unnumbered interface is used in
Translated Source in a NAT rule.
* utils.cpp (fillLibraries): fixed bug (no num): group object
dialog showed incorrect library name for groups located in the
"Standard" library
2004-11-17 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed bug (no number): GUI could not
find names of the object libraries in external library files that
user added for automatic load in the Preferences dialog on
Windows. It would find the name of the library in the first file,
but failed to find library names in subsequent files and used the
name from the first file. Since this library was only present in
the first file, object tree was getting corrupted when the program
attempted to load this library from every file configured for
automatic pre-load. This only happened on Windows.
* dns.cpp (init): API change: fixed bug (no number): program
crashed on FreeBSD 5.3 when using SNMP to obtain parameters for
hosts and interfaces. Crash occurred because of use of
uninitialized mutex variables in module dns.cpp
2004-11-16 <vadim@vk.crocodile.org>
* main.cpp (main): improved error handling: if the GUI is started
with a file on the command line or is configured to open a file
automatically on startup and RCS can not check the file out, the
GUI will come up empty (with only standard objects loaded).
* po/ja.po: Added Japanese translation by Tadashi Jokagi
<elf@elf.no-ip.org>
* DialogFactory.cpp (createFWDialog): added XML element
FWBuilderResources/Target/dialog to platform and host OS resource
files. This element describes GUI dialog that should be opened for
the firewall object for a given firewall platform or host OS. This
is to be used with customized resource files, e.g. when user wants
to add their own host OS resource file to change commands used to
load and activate policy on the firewall. Such customized resource
file will have unique "description" element (the value of this
element appears in the pull-down menu in firewall object dialog)
and the same values for "family" and "dialog" elements to indicate
which firewall family it belongs to and which dialog should be
used. Policy compilers consult "family" element to check if the
firewall platform is supported by the compiler.
* GroupObjectDialog.cpp (addIcon): fixed bug (no number): group
object dialog corrupted object names if they contained non-ascii
characters.
2004-11-13 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (pixAdvancedDialog): Removed "always new"
mode for access lists and object groups for PIX
configurations. This mode works well when user installs new
configuration but causes problems if they want to reinstall the
same configuration.
Also converted old option "pix_add_clear_statements" to one of the
confgiuration script modes. So, final list of script modes for PIX
is as follows:
- basic or old format when access lists are cleared and added
from scratch. This is the simplest mode which can be used if
management station connects to the firewall from inside. Remote
management over IPSEC tunnel may be difficult since tunnel
traffic is blocked as soon as "clear access-list" command is
executed.
- access-list and object-group commands are generated but "clear
access-list" and "clear object-groups" commands are not
added. User's installation scripts should take care of that. This
option replaces old option pix_add_clear_statements (with
opposite semantics)
- temporary access list is created and added to outside
interface, then main lists and object groups are added with
permanent names and assigned to interfaces. Temporary list
permits all traffic from a single subnet configured in the GUI
via option pix_acl_temp_addr. Temporary list is small and is not
cleared in the end. Temporary list helps maintain IPSEC tunnel
for the time when access-lists are cleared and firewall is
running with default acl that does implict deny for all traffic.
2004-11-12 <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no number): pfctl expects "-F Sources"
and "-F Tables" command line options with "Sources" and "Tables"
capitalized.
* FWObjectDatabase.cpp (merge): API change: changes in the object
database merge algorithm: when an object database we are trying to
merge has non-empty "Deleted objects" library, deleted objects
from this library should be ignored (they used to be deleted from
the current tree). Likewise, when current tree has non-empty
"Deleted objects" library and objects in it match objects being
merged in, objects should be removed from "Deleted objects"
library to avoid creating duplicate IDs with objects being merged
in.
2004-11-10 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): API change: fixed bug (no
number): rule shadowing algorithm now assumes that IPService
object with protocol number '0' shadows any other service just
like 'any' does.
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1063953: "Wrong accept/multiport rule generated". Compiler
generated wrong code for rules using multiple service objects of
different types (TCP and UDP, or TCP and ICMP etc), multiple
addresses in src or dst with option that requires using TCP RST
for action REJECT.
2004-11-07 <vadim@vk.crocodile.org>
* SSHPIX.cpp (getACLs): New feature: added support for new
configuration script formats for PIX in installer:
- basic or old format when access lists are cleared and added
from scratch
- access lists have unique names each time policy is recompiled,
lists are added without clearing.
- access lists are added with temporary names and assigned to
interfaces, then the same lists are added with permanent names,
lists are swapped and temporary lists cleared
Last two methods provide for instantaneous access list swap so
that the firewall never runs with empty lists. This helps maintain
access to the firewall if configuration is installed remotely.
* SSHPIX.cpp: New feature: Installer always clears unused access
lists after confgiuration is loaded.
2004-11-06 <vadim@vk.crocodile.org>
* fwcompiler/Compiler.cpp (complexMatch): fixed bug #1055937:
"Any->all_multicasts not in INPUT Chain". Need to check if network
objects are multicasts; assume that multicast always matches
firewall object (e.g fwb_ipt will put rule with such network
object in destination in INPUT chain)
* instDialog.cpp (instDialog): Added an option to push PIX
configuration to a standby firewall at the end of install.
2004-11-01 <vadim@vk.crocodile.org>
* NATCompiler_PrintRule.cpp (_printDstService): fixed bug (no
number) where compiler for iptables used option
"--destination-port" with module "multiport" for versions of
iptables that do not understand it (1.2.6 and later, as well as
default version setting 'any'). The option should be
"--destination-ports" or "--dports".
2004-10-31 <vadim@vk.crocodile.org>
* FWBSettings.cpp (init): fixed bug (no number): Policy installer
failed if the following conditions were met:
- it was running on Linux, FreeBSD or Mac OS X
- working directory configured in the "General" tab of the
Preferences dialog did not exist and could not be created or its
permissions did not allow user that runs the GUI to access it
* NATCompiler_ipt.cpp (processNext): fixed bug (no number) in
fwb_ipt that caused no-nat rules with firewall in OSrc to be
placed only in OUTPUT chain. Packets originating on the firewall
go into OUTPUT and POSTROUTING chains, so no-nat rules must be
placed in both. Other minor improvements for NAT of the locally
originated connections have been done as well.
2004-10-30 <vadim@vk.crocodile.org>
* NATCompiler_PrintRuleIptRst.cpp (_endRuleLine): fixed bug (no
number): compiler placed extra quote '"' at the end of each NAT
command in the script using iptables-restore; this happened
only if all interfaces of the firewall had static addresses.
* PolicyCompiler_PrintRule.cpp (_printProtocol): testing policy
installation via iptables-restore with old versions of iptables
(1.2.6a). Need to include "-m tcp", "-m udp" or "-m icmp",
otherwise iptables-restore does not understand options "--dport",
"--tcp-flags" and some others. Also had to use "--tcp-flags
SYN,RST,ACK SYN" instea dof "--syn" for better backwards
compatibility.
2004-10-26 <vadim@vk.crocodile.org>
* ipt.cpp (main): iptables: Added ability to instert shell
commands defined in the prolog script in three places:
- on the top of generated script
- after interface configuration but before resetting existing
iptables policy
- after existing policy rules are flushed and optional global
implied rules added but before all policy and NAT rules
2004-10-24 <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRuleIptRst.cpp (_createChain): implemented
Feature Request #1021201: "output iptables-restore compatible
config from fwb_ipt". Policy compiler for iptables can use
iptables-restore to activate firewall policy. Iptables-restore
provides for atomic policy load and allows to load large policy
much faster. Atomic load means the whole filter or nat table is
activated at once, and if there is an error, nothing is
changed. Compiler generates script in three possible formats:
- the ususal shell script that adds rules one at a time by
executing iptables command with an "-A" flag to add a rule;
- commands are fed to iptables-restore, this format is used when
all interfaces of the firewall have static IP addresses and
script does not need to determine addresses at run time;
- script determines IP addresses of interfaces and discovers
dynamic interfaces that were defined as a "wildcard" interface
in fwbuilder (e.g. 'ppp*'); code that is sent to
iptables-restore is generated dynamically by the script at run
time.
Using iptables-restore is optional and is controlled by
the checkbutton in the "Script options" tab of firewall settings
dialog. Path to iptables-restore utility can be set in the "Paths"
tab of the host settings dialog.
* A change in the script generated by fwb_ipt: if iptables-restore
is not used to load policy, generated shell script purges existing
firewall policy (all tables and chains) and sets default chain
policies after it configures interfaces of the firewall.
Previously, it would flush tables and set default policy before it
configured interfaces.
2004-10-23 <vadim@vk.crocodile.org>
* RuleSetView.cpp (pasteRuleAbove): fixed bug #1028866: "incorrect
order when several rules copied using copy/paste". Pasting
multiple rules into an empty policy caused rules to be inserted in
the wrong order.
* freebsdAdvancedDialog.cpp (freebsdAdvancedDialog): fixed bug
#1046345: "ipfw - no option to specify ipfw executable". Added GUI
control to let user specify alternative path to "ipfw" on
FreeBSD. Control like that was previously available only for Mac
OS X
* PolicyCompiler_ipt.cpp (checkForMatchingBroadcastAndMulticast),
Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773:
need to match network address as well as broadcast. Packets sent
to the network address (192.168.1.0 for net 192.168.1.0/24) go in
the broadcast frame and behave just like IP broadcast packets
(sent to 192.168.1.1255 for the same net)
* PolicyCompiler_ipt.cpp (finalizeChain::processNext): fixed bug
#1040599: "unnecessary FORWARD rules". If ip forwarding is turned
off in the host settings dialog of the linux-based firewall,
compiler should not generate rules in FORWARD chain.
2004-10-20 <vadim@vk.crocodile.org>
* linux24.xml.in: Added element "Target/family" to all OS resource
XML files. Compilers use "family" resource element to determine if
host OS is supported. User may want to copy host OS resource file
to modify installer scriptlets; as long as the family element is
kept the same, compiler will accept new resource file.
* linksys.xml.in: Added elements
"Target/options/suppress_comments" and
"Target/options/suppress_modules" to the OS resource files
linksys.xml and linux24.xml. These options suppress printing
comments in the generated script and remove commands that load
kernel modules. These options are used for Linksys/Sveasoft
appliance but can also be used for other firewalls based on Linux.
2004-10-19 <vadim@vk.crocodile.org>
* pf.cpp (main): Activation script for PF flushes only information
about rules, nat, source and tables (it used to flush "all"). This
preserves queue entries and states.
* ipt.cpp (main): moved rule permitting backup ssh access from the
management station to the firewall to the top of the script. This
helps maintain ssh session, otherwise it may stall or break
because stdout buffer is filled with diagnostic or progress output
from the script that is printed after all chains are flushed but
before rule permitting ssh to the firewall is added. If stdout
buffer is full, ssh stops and tries to send the text to the
management station but times out because firewall blocks it.
* ipt.cpp: removed code that added iptables command to the "drop"
table to drop and log all dropped packets. This rule used
obsoleted patch-o-matic patch "drop" which is not available
anymore.
2004-10-17 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug (no number): all policy compilers
properly detect an error when the output file can not be created
or overwritten and print error message to warn the user.
* New feature: added support for prolog and epilog scripts for all
firewall platforms. This was available for PIX for some time, now
it has been added for all platforms. "Prolog/Epilog" tab of the
firewall settings dialog allows for editing of two blocks of
commands that will be added to the generated firewall script
verbatim. Prolog block is added on top, while epilog block is
added at the bottom. Both prolog and epilog are expected to be
shell scripts and are added to the generated shell script that
activates firewall. For iptables and ipfw all compiler generates
is this shell script and prolog and epilog commands are inserted
into it. These commands may execute some actions, as well as add
any policy or nat commands. For ipf and pf prolog and epilog
commands are added to the activation shell script ( .fw file);
prolog is added immediately after the command that flushes all
rules. This way user may either execute shell commands or add
policy and/or nat rules by loading them from external file.
2004-10-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (addFirewallToList): fixed bug (no number)
introduced in 2.0.3 when GUI crashed if user tried to choose
pull-down menu item in the firewall list after the very first
firewall object has been created.
* SSHPIX.cpp: Added #include <errno.h> to make code compile with
gcc 3.4.2 and glibc 2.3.3
* ipt.cpp (main): fixed bug #1040788: fwb_ipt and user
name. Compiler used to read environment variable "USER" to find
out user's name. Sometimes this variable is not set, which caused
compiler to abort. Using env variable LOGNAME in addition to USER.
2004-09-30 <vadim@vk.crocodile.org>
* v2.0.3 released
2004-09-28 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): since config diff is broken for pix
v6.3(3) (because it does not permit adding duplicate ACL entries),
"save diff to file" option is temporary disabled. "Incremental"
install renamed to "install only ACL,icmp,telnet,ssh,nat,global
and static commands"
2004-09-27 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (printPathForAllTools): script
generated by compiler for iptables checks if /usr/sbin/ip exists
on the firewall before it tries to use it to verify interfaces and
configure IP addresses. This check is only performed if user
activated options that use this tool. An error message "Interface
eth0 does not exist" was generated if package iproute2 was not
installed on the firewall, which was confusing.
* FWWindow.cpp (doCompile): Added option "output file name" to
firewall settings dialogs for all platforms. User can specify the
name for the output file; this name is then used by built in
installer in place of a macro %FWSCRIPT%.
* ipt.cpp (main): Added command line option "-o" for all compilers
* FWWindow.cpp (save): fixed bug #1035800: "Autosave failure opens
error window repeatedly". This bug was in fact fixed earlier.
2004-09-26 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): fixed bug #1035130: 'Persistent
"Save" dialog box'. Certain combination of actions on user's part
used to lead to an indefinite loop of "do you want to save the
data" dialogs. The problem was triggered if user skipped choosing
a name for the new file in startup dialog.
* linux24.xml.in: fixed bug #1035132: "compile errors with default
Linksys firewall object". This bug has been introduced in build
435. When user created a new firewall object using one of the
template objects, the GUI would add bunch of garbage to the
firewall options. This garbage violated XML DTD, so compilers and
the GUI would not accept the data file anymore.
2004-09-25 <vadim@vk.crocodile.org>
* ipt.cpp (main): using "set -x" to turn debugging on in generated
iptables script. This will work even if the script is activated
with "sh script.fw" command.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
changed commmand line for sed to more portable version. We used to
use 'stmt; stmt' syntax, which is not always portable. Switched to
a supposedly more portable syntax using multiple "-e" command line
options.
2004-09-23 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): fixed bug (no number): as of
build #430, installer ignored activation command configured in the
"install" tab of firewall settings dialog. Restored this
functionality.
* OSConfigurator_linux24.cpp (printPathForAllTools): just like
with "tail -1", some busybox based systems require "head -1" to be
changed to "head -n1"
2004-09-22 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): fixed bugs in installer that
prevented it from working on OpenBSD. Enabled shceduled reboot for
all OS except PIX.
2004-09-21 <vadim@vk.crocodile.org>
* instDialog.cpp (testRunRequested): "schedule reboot" option is
only enabled for linksys since it does not work on other platforms
(yet)
* FWWindow.cpp (openFirewall): implemented Feature Request
#1032126: "Firewall label for clarity". Printing the name of the
firewall object that is opened in the policy panel in a large font
right above interface/policy tabs. This was easy to implement but
I consider it an experiment. Will request feedback from users.
* SSHSession.cpp (startSession): refactored code in built-in
installer. Moved interaction with ssh to classes SSHSession,
SSHUnx and SSHPIX. Moved "scriptlets" that are executed on
firewall to activate policy in different modes to resource
files. Using ssh rather than scp to copy policy script to
unix-based firewalls (pscp.exe on Windows works only if the server
supports sftp, but dropbear on Linksys does not support it so
installer breaks if we use scp/pscp.exe to copy the policy).
Still having problems with scheduled reboot option on Linux/BSD
firewalls (it works on Linksys though).
* OSConfigurator_linux24.cpp (printPathForAllTools): bugfix: some
editions of busybox do not support "tail -1" syntax and require
"tail -n1"
2004-09-19 <vadim@vk.crocodile.org>
* instDialog.cpp (getActivationCmd): Improvement in the built-in
installer: added an option to schedule automatic firewall reboot
in specified time (in minutes) after policy activation. This
option is available for all firewall platforms but PIX. This
option only works if user requested policy activation in a test
mode, in which case policy is copied and activated on the firewall
but not stored in the permanent location. After reboot the
firewall reverts to the previous version of the policy. To cancel
scheduled reboot, run installer again with "test run" option
turned off. Installer stores the policy in the permanent location,
activates it and cancels scheduled reboot.
* src/res/os/linux24.xml.in and other: moved all commands used by
built-in installer to resource files.
2004-09-18 <vadim@vk.crocodile.org>
* NATCompiler_pf.cpp (processNext): NAT rule of type DNAT (rdr
rule) is assigned to an interface of the firewall if interface
object or its address object is used in ODst. To get rdr rule
without interface assignment, use an Address or a Host object that
has the same IP address as that of firewall's interface but that
is not a child of an interface. This is the same approach that is
used in iptables.
* PolicyCompiler_pf.cpp (compile): Compiler for pf always uses
tables; this breaks compatibility with older OpenBSD systems (3.2
and 3.3)
* PolicyCompiler_pf.cpp (findDynamicInterfaces): Compiler for pf
puts interface name in a table even if interface is dynamic for
rules that use multiple objects in src or dst and one of these
objects is dynamic interface of the firewall that is being
processed. Using dynamic interface of another object in a rule is
still considered an error. Compiler puts the name of dynamic
interface in a table verbatim, without brackets '(' ')' since pf
does not replace dynamic interface with its address dynamically if
it is used in a table (pfctl issues an error if interface is put
in brackets)
2004-09-17 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (configureInterfaces): flushing only
secondary ip addresses on interfaces. This should fix a bug that
caused linksys/sveasoft unit to lose default route upon reboot if
external interface has static IP address.
2004-09-15 <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (addDefaultPolicyRule): fixed bug
#1028980: "need an option to turn logging on on fallback rule"
* PolicyCompiler_pf_writers.cpp (processNext): fixed bug #1028973:
fwb_pf: missing "flags S/SA" in front of "modulate state"
* pfAdvancedDialog.cpp (pfAdvancedDialog): added an option to
permit tcp sessions opened prior to firewall restart. This is
needed now since compiler generates "flags S/SA" for the "keep
state" and "modulate state" rules which means firewall won't
permit TCP sessions unless it saw opening SYN packet.
* instDialog.cpp (getActivationCmd): improvements in policy
installer: added an option for test run. When this option is
activated, policy script is pushed to the firewall and is executed
but is not stored there permanently. Firewall reverts to the last
working configuration after reboot.
* NATCompiler_ipt_writers.cpp (processNext): using abbreviated
versions of "--dport", "--sport", "--dports", "--sports" options
to make generated iptables script smaller. Also changed the name
of the variables used to hold IP address of dynamic interface from
"interface_<ifname>" to "i_<ifname>". All this should help to fit
larger policies into small FLASH on linksys. These changes shrunk
my test script from 7964 bytes to 7430 bytes
2004-09-14 <vadim@vk.crocodile.org>
* platforms.cpp (isDefaultOptions): fixed bug #1028078:
"options.png is not displayed for "Assume firewall is part..."
* pfAdvancedDialog.cpp (pfAdvancedDialog): fixed bug (no num):
"firewall settings" dialog for OpenBSD pf did not save option "Use
tables".
* instDialog.cpp (getActivationCmd): implemented compression of
the firewall script for Linksys/Sveasoft combo. Using gzip and
uuencode/uudecode to compress the script and store it in flash
variable 'fwb'. Installer prints flash memory stats after
commiting changes. Installer uses scp to copy firewall script to
the firewall and autogenerated prompt to detect when it logged in;
it does not depend on Linksys shell prompt anymore.
2004-09-12 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (addPredefinedPolicyRules): implemented
feature request #1023430: "add checkbox for INVALID support in fw
settings". Added two checkboxes to the firewall settings dialog:
one adds a rule to drop INVALID packets and another adds logging
to the rule.
* FWWindow.cpp (fileSaveAs): fixed bug #1026945: '"Save As" does
not work if current file is in RCS'
* FWWindow.cpp (removeFirewallFromList): fixed a bug (no number):
after deleting a library firewall objects that belong to it were
not removed from the pull-down list
* PolicyCompiler_ipt_optimizer.cpp (optimizeForRuleElement): fixed
bug #1026794: multiple SRC ntwks --> "iptables: invalid
argument". Recent changes in optimizer introduced this bug. Rules
with multiple objects in src or dst, TCP service, action Reject
and option "reject with TCP RST" would generate iptables command
that used option "--reject-with tcp-reset" without "-p tcp"
* PolicyCompiler_pf_writers.cpp (_printDstAddr): fixed bug
#1006906: "Negated network causes pass on network". Compiler for
pf uses native negation syntax that is now available in pf
2004-09-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (TimeNegation): fixed bug #1022216:
"negated time produces incorrect iptables rule". Implemented
negation for the "Time" rule element for iptables
* PolicyCompiler_ipt.cpp (processNext): fixed bug #1026509:
"incorrect rules generated for dual negation with time". Compiler
generated incorrect iptables commands for rules that had negation
in two or more rule elements, one of which was Time.
2004-09-09 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): rules that permit packets
associated with ESTABLISHED,RELATED states moved to the beginning
of the script before NAT rules.
* PolicyCompiler_ipt_writers.cpp: added a checkbox and support in
policy compiler for iptables to generate rules that drop packets
that are associated with no know connection (state "INVALID")
2004-09-08 <vadim@vk.crocodile.org>
* Firewall.cpp (duplicate): API change: fixed bug (no number): all
references to the interfaces, as well as their IP and MAC
addresses, in policy and NAT rules should be replaced when
Firewall object is duplicated. Until now only references to the
firewall object itself and to its interfaces were replaced with
references to the newly created copies of object. References to IP
and MAC addresses still pointed at the old objects.
* FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI
corrupts XML file after creating a second firewall". Global object
ID counter was getting reset every time new FWObjectDatabase
object was created. This lead to the ID collision if user quickly
created and deleted complex objects (such as Firewall) and used
database merge. This should also fix bug #1022785: "GUI corrupts
XML file after creating a host entry"
* PolicyCompiler_ipt_optimizer.cpp (processNext): fixed bug
#1024861: "optimizer is broken in fwb_ipt". Used idea and a patch
by Mark Vevers <mark@vevers.net>. Fixed compiler fwb_ipt generates
more efficient iptables script for rules with multiple objects in
all rule elements. The script is smaller and eliminates
unnecessary comparisons for packet attributes. Every attribute
(i.e. source address, destination address, protocol and port
numbers) is checked by the script only once. This should help
reduce load on firewalls with lots of complex rules.
* VERSION: set version to 2.0.3
2004-08-31 <vadim@vk.crocodile.org>
* v2.0.2 released
2004-08-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): fixed bug #1019943: "Missing ip addresses in the
rule using interfaces"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): fixed bug
#1019691: "040829 nightly build doesn't add paths for linksys"
2004-08-30 <vadim@vk.crocodile.org>
* VERSION (VERSION): version 2.0.2, revision 1
* aboutdialog_q.ui.h (init): "About" dialog shows registration
status (used only in non-GPL versions)
2004-08-28 <vadim@vk.crocodile.org>
* fixed FreeBSD port, now compiles on 5.3BETA
2004-08-25 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): Added support for options
"max", "max-src-nodes" and "max-src-states" in pf. These allow to
limit number of concurrent state table entries ("max"), number of
source addresses that can simultaneously have state table entries
("max-src-nodes") and number of simultaneous state entries per
source address ("max-src-states") per rule.
* LibExportDialog.cpp (accept): fixed bug #1015884: "Export more
than one library fails with 0 references". Export library
operation failed if user exported two libraries with groups or
rules in one library referencing objects in the other.
2004-08-24 <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog): Implemented support for
all timeout settings in pf: tcp.first,tcp.opening,tcp.established,
tcp.closing,tcp.finwait,tcp.closed,udp.first,udp.single,udp.multiple,
icmp.first,icmp.error,other.first,other.single,other.multiple, including
adaptive timeout scaling options adaptive.start and adaptive.end
2004-08-23 <vadim@vk.crocodile.org>
* FWBTree.cpp (getStandardSlotForObject): fixed bug #1014725:
"adding new ICMP types". If user created service group with the
name "ICMP", the GUI would place new ICMP objects under this group
instead of the standard folder "ICMP". There was the same problem
with other object types, too.
* ObjectManipulator.cpp (simplifySelection): debugging in
operations "delete object", "move object", "undelete". Making sure
we can delete and undelete libraries, delete and move several
objects at once, group several objects. There were problems if
user selected several host or firewall objects using Shift-Click
(although interface and address objects were not visible to the
user, they were selected and acted upon in delete or move
functions; this lead to unexected results or crashes).
2004-08-22 <vadim@vk.crocodile.org>
* templates.xml.in: added template firewall objects for Linksys
firewall and a web server.
* templates.xml.in: fixed bug #1013957: "incorrect NAT rule in
firewall created from template #3". The problem was caused by
incorrect ip address of interface "dmz" in the template object #3.
* pixAdvancedDialog.cpp (pixAdvancedDialog): implemented a backup
ssh access rule. The user specifies management station IP in the
firewall settings dialog for PIX and compiler adds a rule on top
of all other rules to permit ssh from this address to the
firewall.
2004-08-21 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (prolog): avoiding grep in the
generated iptables script - Sveasoft Alchemy pre-5.2.3 does not
have grep
* API change: fixed bug #1012733: "configure --libdir=DIR will be
ignored at installation". Needed to use macro _libdir to specify
target directory for libraries. Used it in configure, qmake.in,
libfwbuilder-config-2 and a .spec file
* objects_init.xml.in: added new service objects to the Standard
objects library: "xmas scan" (old object renamed "xmas scan -
full"), rsync, distcc, cvspserver, cvsup, afp, whois, bgp, radius
and radius acct, SSDP and UPnP. This fixes bug #1011248: "need two
xmas scan service objects"
* FWWindow.cpp (fileImport): function File/Import offers a choice
of .fwl, .fwb and "all files" in the open file dialog. This fixes
bug #1013485: "File/Import should allow to import .fwb file"
* FWWindow.cpp (load): fixed bug #1008956: "Existing .fwb file
gets overwritten if has wrong extension". If the GUI needs to
rename a data file with old extension .xml to .fwb, it checks if a
file with new extension exists and offers user a chance to choose
a different name. It also treats symlinks in a special way: if
user creates a symlink with extension .xml pointing at a file with
extension .fwb, the GUI simply follows the link and works with
.fwb file. This should work with Windows shortcuts, too.
* instDialog.cpp (instDialog): built-in installer uses shell
prompt string patterns configured in the host OS settings dialog
for linksys. This fixes bug #1013022: "can not install policy
script on linksts Alchemy pre-5.2"
* linksysAdvancedDialog.cpp (linksysAdvancedDialog): Added host OS
settings dialog for linksys/Sveasoft. Dialog provides entry fields
for paths to iptables, lsmod, modprobe, logger tools and two shell
prompt string patterns, this should help to work around changes in
the shell prompt on Linksys. This fixes bug #1013018: "host OS
settings" dialog is missing for linksys
2004-08-20 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): fixed bug #1009345: "Can
only move one host object at a time between libraries"
* ObjectManipulator.cpp (deleteObj): fixed bug #1013177: "deleting
multiple hosts causes crash"
* DTD change: fixed bug #1011617: "deleting physcal address object
leads to the DTD violation"
2004-08-08 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_writers.cpp (_printDstService): fixed bug
#1005148: "MAC matching - space missing". Space was missing
between MAC address and custom service code.
2004-08-06 <vadim@vk.crocodile.org>
* listOfLibraries.cpp (add): fixed compile problem on systems
where QT is built without STL support
* PolicyCompiler_ipt_writers.cpp (_printLimit): fixed bug #1004153
"limit-burst = 0 is not valid". Iptables does not accept the rule
using "limit-burst" option if it is set to zero.
2004-08-04 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (pasteTo): fixed bug #1003068: "object
copy/paste not always working". IP address object could not be
placed under interface using copy/paste operation. Now ip address
object can be pasted to interface as well as to Objects/Addresses
folder.
* FWWindow.cpp (fileDiscard): Operation File/Discard closes the
file, discards all the changes that have been made to it and
replaces it with a fresh copy of the head revision from RCS. This
works if user wants to abort file upgrade when they switch to the
new version of fwbuilder.
2004-08-02 <vadim@vk.crocodile.org>
* FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak"
- children objects were not deleted when FWObjectDatabase object
was destroyed.
* iptAdvancedDialog.cpp (accept): fixed bug #1002388: "Clamp MSS
to MTU" option is missing in 2.0
2004-08-01 <vadim@vk.crocodile.org>
* objects_init.xml.in: there were two TCP Service objects
"linuxconf" in the Standard objects library. Object with ID
id3AED0D6D has been removed. It seems this object has been
duplicated long time ago (at least it was like this in 1.1.2)
* FWObject.cpp (getPath): fixed bug #1001725: "object with empty
name can not be deleted". the problem was caused by the algorithm
used in FWObject::getPath. If object had had a blank name, the
path returned by this method would end with the name of its parent
without slash.
* FWWindow.cpp (showFirewalls): fixed bug #1000485: "Firewalls in
the drop-down box not ordered". List of firewalls in the pull-down
that controls policy views is now alphabetically sorted on program
startup.
* utils.cpp (fillLibraries): fixed bug #1000862: "Creating groups
in Deleted Objects". Library "Deleted objects" should not be
offered as a choice for "group objects" operation.
* ObjectManipulator.cpp (contextMenu): fixed bug #1001275: "object
duplication fails w/ no action". GUI used to not allow user to
duplicate IP address object. Now any object can be duplicated so
that the copy is placed under the same parent, including IP
address.
* ICMPServiceDialog.cpp (applyChanges): fixed bug #1001521: "Cant
create ICMP service". ICMP Service dialog did not save icmp code
and type numbers in the object.
2004-07-29 <vadim@vk.crocodile.org>
* 2.0 released, CVS tag set
2004-07-27 <vadim@vk.crocodile.org>
* FWWindow.cpp (install): the GUI calls external installer script
if it is configured in firewall settings dialog when user clicks
'Install', otherwise it should use built-in installer.
2004-07-24 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): correctly copying rule direction
when interface rule is copied/pasted
* instDialog.cpp (selected): proper error messages for management
interface misconfigurations
2004-07-20 <vadim@vk.crocodile.org>
* ICMPServiceDialog.cpp (loadFWObject): ICMP service dialog allows
for setting type and code to 'any' (-1)
2004-07-19 <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (processFirewallOptions): fixed bug
#992969: "argument to log should be quoted"
2004-07-14 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): working on bug #990037:
"Wrong rule generated: fw interface included in negated
group". Rules with negation should not generate code in
INPUT/OUTPUT chains if option "assume firewall is part of any" is
off.
* ObjectManipulator.cpp (delObj): fixed bug #990675: "Application
crashes when deleting objects"
2004-07-11 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (splitIfSrcNegAndFw): optimized
processing of policy rules where firewall object is used in src or
dst with negation (possibly in combination with other
objects). Before, generated script would match firewall's
addresses in INPUT/OUTPUT and FORWARD chains which added redundant
checks in the FORWARD chain.
* NATCompiler_ipt.cpp (processNext): fixed bugs #935794: "dual
translation and negation in fwb_ipt" and #986376: "Wrong result
for negated source in NAT rules". Dual translation rule with
negation in OSrc did not process negation in the second half
(POSTROUTING rule, the one that translates the source).
* NATCompiler_ipt.cpp (processNext): fixed bug #965558: "False
ruleset generated for iptables (negate w/ nat)". There were
problems with double negations in NAT rules (OSrc and ODst, or
ODst and OSrv, etc).
* OSConfigurator_linux24.cpp (printPathForAllTools): fixed bug
#988860: "Logging missing when firewall start is aborted". When
iptables script generated by fwb_ipt finds missing interfaces,
it prints error message both on stdout and sends it to the log.
2004-07-10 <vadim@vk.crocodile.org>
* FWObject.cpp (_moveToDeletedObjects): now move deleted objects
to the special library with id 'sysid99' rather than delete them
completely. This serves two purposes:
1. can easily provide for undelete function which is very
useful
2. can catch a situation when an object has been deleted
fromt he external library but is still used in the data
file
* FWObjectDatabase.cpp: while merging object trees, checking for
deleted objects. If an object is present in the current tree but
has been deleted in the file being merged in, special form of
conflict resolution dialog is shown. User has only one option - to
delete the object from the file. Typical situation when this
happens is when an object from external library is used in a rule
or group in a data file, then this object is deleted in the
external library. If this external library is preloaded and then
the data file using this object is opened, conflict occurs because
this object is present in the file but is in the "Deleted objects"
in the library. The problem is that the library is read-only, so
if we kept the object (actually, its copy coming from the data
file), the user would not be able to delete it. So, not only
object magically reappeared after it has been deleted from the
library, it appeared in read-only library and can not be deleted
anymore. To avoid this situation we must delete it in the file if
it has been deleted in the library.
* ObjectManipulator.cpp (delObj): "delete object" function moves
it to "Deleted objects" library.
* PrefsDialog.cpp (accept): Added checkbox "Show deleted objects"
to the preferences dialog. If this option is on, user has access
to deleted objects via library "Deleted objects".
* ObjectManipulator.cpp (contextMenu): pull-down menu item "Move"
turns into "Undelete" if an object is in "Deleted objects"
library. This provides for a simple undelete function.
2004-07-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #925199:
"compiles wrongly a double negation". Policy compiler for iptables
generated incorrect code for rules where two rule elements used
negation (i.e. both src and dst, or dst and srv, etc.)
* PolicyCompiler_ipt.cpp (prolog): fixed bug #978854: "false rule
generated for fw object in interface rule". Policy compiler for
iptables generated incorrect code for rules using negated firewall
object in source or destination when global option "assume
firewall is part of any" was turned off.
* fwb_ipt: implemented Feature Request #913273: make "assume fw is
part of any" a per-rule option
2004-07-08 <vadim@vk.crocodile.org>
* FWWindow.cpp (setupAutoSave): Added an option for autosave - if
this option is turned on, the gui periodically saves data to the
file. The autosave interval can be set between 1 minute and 2
hours.
* ipt.cpp (main): fixed bug #917422: "compiler misinterprets
interface with addr 0.0.0.0". If an interface has IP address
"0.0.0.0", it is considered an error.
* added option "strip comments in the script" to the installer
for Linksys and PIX
* do "nvram uset rc_firewall" before loading fw script on
Linksys
* added the following to the list of errors for Linksys
/dev/nvram: Cannot allocate memory
* skip table "mangle" when flushing iptables rules
2004-07-07 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (processNext): fwb_ipt does not
include comments in the script if it is intended for linksys
firewall. Linksys has small nvram and script should be kept small,
otherwise it may not fit in nvram.
* NATCompiler_pf.cpp (processNext): fixed bug #986518: "PF
redirection always point to loopback address"
2004-07-06 <vadim@vk.crocodile.org>
* instDialog4.cpp (stateMachineLinksys): Activating policy on
Linksys/Sveasoft wothout reboot (using command "nvram get
rc_firewall | /bin/sh" instead)
* OSConfigurator_linux24.cpp (prolog): added an option to firewall
platforms iptables, ipfilter, pf and ipfw that sets up a policy
rule to permit ssh access from one specified IP address to the
firewall regardless of other rules. This is for a backup ssh
access from the management workstation in case of an error in the
policy that locks user out of the firewall. The option (a checkbox
and entry field for the management station address) is located in
the "Compiler" tab of the firewall settings dialog. A command that
permits ssh to the firewall from the given address is added on top
of all other rules.
2004-07-05 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dropEvent): fixed bug #985187: "Usability bug:
Copy objects from one rule to another". Dragging an object from
one rule to another with Ctrl down makes a copy. If Ctrl is up,
then the object is moved.
* instDialog4.cpp (stateMachineLinksys): Added support for Linksys
devices running Sveasoft firmware. Firewall object should be
configured as platform "iptables", host OS "linksys". Policy
installer works both using password and public key authentication.
* NATCompiler_pf_writers.cpp (processNext): fixed bug #985527: pf
NAT rules miss destination port specification. NAT rules that
translate to "map" missed destination port specification.
* main.cpp: the gui can now use external wrapper scipts for ssh
and scp all the way (removed all direct references to commands
"ssh" and "scp", use whatever is configured in preferences
everywhere)
2004-07-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): fixed bugs in the rule
selection. The user can select one rule with a simple left-click
on the rule number, or multiple consequtive rules using
shift-left-click. Selecting non-ajacent rules with ctrl-click is
not supported; ctrl-click acts as normal click. Right-click calls
context menu and uses existing selection if click is on one of the
selected rules, or resets it if click is outside of the selection.
2004-06-29 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): implemented drag and drop of
multiple objects. User can select and then drag several objects
from the tree to a group or a rule.
* LibExportDialog.cpp (accept): a change in the export library
algorithm. We now permit exporting several libraries to one file,
but check that all these libraries have only references to each
other and to objects in the Standard lib and have no references to
objects in libraries that are not going to be exported to the same
file. This ensures integrity of this file and helps avoid pulling
objects from other libraries into it. User can edit objects in the
exported libraries by opening this file as usual; the GUI does not
preload libraries configured in Preferences/Libraries when .fwl
file is opened and unlocks all libraries in this file so objects
can be edited. This way user can edit objects and move them
between libraries in the .fwl file.
2004-06-28 <vadim@vk.crocodile.org>
* RCS.cpp (RCSEnvFix): fixed a bug (no #) that appeared only on
Windows: the GUI failed to check a file in to RCS if it was
launched by windows explorer via file extension association.
* platform.cpp: pull-down "versions" is now translatable and says
"1.2.9 or later" for iptables v > 1.2.9
2004-06-26 <vadim@vk.crocodile.org>
* LibExportDialog.cpp: when a library is exported to a file, the
program checks whether any groups or rules in this library use
objects in the othe libraries. Only self-contained libraries can
be exported.
2004-06-24 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #979484:
"improper command for rule with servie any and action reject."
For rules like that, and if rule options dialog does not specify
particular way to handle this combination, the compiler splits the
rule; the first iptables command rejects any tcp packet with TCP
RST, while the second rejects everything else with ICMP message.
* minor bugfixes in the gui
* incorporated changes suggested by a user to make code compile
with gcc 3.4
2004-06-23 <vadim@vk.crocodile.org>
* LINGUAS: added Vietnamese translation .po file
* FWBSettings.cpp (init): Option "do not save standard libraries
in the user's data file" is now ON by default. User can still turn
it off though.
* FWWindow.cpp (save): Usability fixes in methods that work with
libraries:
- libary files have extension .fwl
- preloaded libraries are always read-only (flag RO is set when
library file is loaded, regardless of the value this attribute
has in the file)
- user can open library file using normal File/Open
operation. Read-only flag is cleared when library file is
opened, so it can be edited. File can be added to RCS and saved
using normal File/Save or File/SaveAs operations.
- When user opens library file for editing, other libraries that
are configured in Preferences/Libraries are not preloaded.
2004-06-22 <vadim@vk.crocodile.org>
* LibExportDialog.cpp (init): when object library is exported to a
file, the file gets extension .fwl to distinguish it from the
regular data file. The GUI allows to export only one library to a
file.
* FWWindow.cpp (fileDiscard): added main menu function
"File/discard" which discard all changes that have been done to
the data and saved to the file and checks out clean copy of its
head revision from RCS. This provides for a quick way to roll back
to the latest revision. Older revisions can be checked out from RCS
using list of versions in the right hand panel in open file dialog
(this creates a branch in RCS).
2004-06-20 <vadim@vk.crocodile.org>
* IPv4Dialog.cpp (DNSlookup): "DNS Lookup" button in the IP
address dialog runs dns query for the name of the address object
and if that fails, repeats query for the name of the host or
firewall object this address belongs to. If address object is in
the folder "Addresses", it does only one DNS lookup on its name.
2004-06-18 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): disabled ability to
drop objects into groups in the tree. It was confusing and not
really useful. Objects can still be dropped into a group opened in
the editor dialog.
* ObjectTreeView.cpp (dragObject): enabled dragging of all objects
in the tree. It turns out, QListView will highlight multiple items
in the tree in Extended selection mode when user drags mouse
across items _and_ the first item they started cursor move on is
not drag-enabled. So, to avoid this unexpected highlighting
behavior, need to enable drag of all objects. We then make sure
that system folder can not be dropped anywhere.
2004-06-16 <vadim@vk.crocodile.org>
* Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A
dynamic interface". Dynamic interface used to "shadow" old
broadcast object (0.0.0.0)
* OSConfigurator_linux24.cpp (configureInterfaces): fixed bug
#912849: "Reorder activation of network interfaces in IPT" -
script generated by the compiler for iptables sets default policy
to DROP, flushes all rules and then reconfigures interfaces of the
firewall (it used to reconfigure intefaces and then flush the rules).
* IPv4Dialog.cpp (DNSlookup): Button "DNS lookup" in the IP
address editor dialog does DNS lookup on the address object name
if the object is located in the "Addresses" folder, or on the
parent host object name if it belongs to an interface of a host or
a firewall.
* ObjectManipulator.cpp (moveObject): refactored "move object"
functions and added debug printing. Trying to debug crash reported
by one of the users.
2004-06-15 <vadim@vk.crocodile.org>
* ObjectEditor.cpp (hide): checking if screen position for the
dialog is 0,0 and not storing this value. This should help to work
around a weird bug where screen position of dialogs sometimes is
returned as 0,0 when GUI runs in Gnome.
* Object names and comments are stored in the object file in UTF-8
format. This allows for names and comments to be entered and
displayed in local languages. Although object names can be
localized, it is recommended to keep firewall names in plain ASCII
because compilers do not support UTF-8 yet. This fixes very old
bug #657156: "Special characters problem".
2004-06-13 <vadim@vk.crocodile.org>
* init.cpp (init): the program uses reasonable default for the
directory where user might want to save their data files on each
OS. ( $HOME on Unix, $HOME/Documents on Mac,
$USERPROFILE/Documents in windows)
* ObjectManipulator.cpp (updateObjName): whenever user changes the
name of a firewall, host or an interface object, the GUI asks
whether they want to also rename all IP and MAC addresses that
belong to that firewall or host. If user agrees to rename them,
the program generates names automatically using scheme
'host_name:interface_name:ip' and 'host_name:interface_name:mac'
2004-06-12 <vadim@vk.crocodile.org>
* newHostDialog.cpp (selected): implemented "new host"
wizard. User can choose to add interfaces manually or can use a
library of predefined host object templates.
2004-06-10 <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (_printDstService): fixed a bug
(no number) where fwb_pf would not include code defined by custom
service object in the .conf file
2004-06-08 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (copyObj): implemented multi-object and
multi-rule copy/cut/paste operations
* ObjectManipulator.cpp (moveObject): implemented "move object"
operation - moves object to another library; operation is accessed
via pull-down menu in the object tree.
2004-06-06 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (groupObjects): added ability to select
multiple objects in the tree. Currently the following operations
are performed on multiple objects: delete, duplicate, group.
* ObjectManipulator.cpp (groupObjects): operation of grouping of
selected obejcts. User selects several objects in the tree and
choses menu item "group" in the pull-down menu; the GUI brings up
a dialog asking for the new group name and a library it should be
put in. New group is created and all selected objects are
automatically added to it when user hits "Create group" button.
2004-06-05 <vadim@vk.crocodile.org>
* pixAdvancedDialog.cpp (accept): added "Installer" tab to the PIX
firewall settings dialog
* FWBSettings.cpp (getScreenPosition): checking if the window fits
in the screen before restoring its geometry.
* ObjectListView.cpp (dragObject): setting hot spot in the center
of the object icon for drag and drop.
* FWObjectPropertiesFactory.cpp (getObjectPropertiesDetailed):
showing group members in tooltips and conflict resolution dialog
* ObjectEditor.cpp (ObjectEditor): redesigned ObjectEditor
class. All individual object editor classes are now inherited from
QDialog and are top-level windows. Class ObjectEditor is just a
manager that opens and hides appropriate dialog and manages its
size and position on the screen. Geometry is remembered separately
for each dialog for each object type, so we can have group object
editor open wider than, say, IP service object editor. Each object
editor has its optimal size.
* pfAdvancedDialog.cpp (pfAdvancedDialog): yet another redesign of
PF firewall settings dialog. Using individual checkboxes to
enable/disable each "limit" and "timeout" option
* ipt.cpp (main): all compilers do not create any files if there
was an error during rule processing (not even empty ones)
2004-06-04 <vadim@vk.crocodile.org>
* RuleSetView.cpp : Info window shows properties of an object
selected in rules
* RuleSetView.cpp (paintCell): added tooltips for objects in the
policy view, using the same detailed properties text that is used
for Info panel.
* iptAdvancedDialog.cpp (accept): the actual command that
installer should run on the firewall to activate the policy can
now be specified in the "installer" tab of firewall settings
dialog for all platforms. If this input field is left blank,
installer will run firewall script, using sudo if user name used
to authenticate to the firewall is not 'root'. On Windows,
installer also does chmod +x on the file.
* FWBSettings.cpp (setSSHPath): directory path and a file name for
the secure file transfer and secure shell utilities can be
configured in the Preferences (tab "SSH"). This allows for using
of different SSH packages on Windows, as well as using SSH
installed in a non-standard directory on Unix.
2004-06-03 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (dragObject): standard folders in the tree
can not be dragged into groups or rules and open/close on double
click. Regular objects open editor on doubleclick.
* ipt.cpp (main): compiler for iptables sets up PATH environment
variable at the beginning of the generated script. This is
particularly useful if policy is compiled on windows or mac for
Linux firewall that runs unknown version of Linux, so we cant be
sure where standard tools such as iptables, lsmod etc are
located. Most systems place them in /sbin, but for example SuSe
places iptables in /usr/sbin. If policy is compiled on one of the
Linux systems, we assume generated script will run on the same
system (which may not be true, btw), but if we compile on Windows,
there is no way to know where these tools are located
beforehand. In this case we need PATH. User can always override
this behavior and specify full path to all tools explicitly.
2004-06-02 <vadim@vk.crocodile.org>
* linux24.xml.in: changed "Linux 2.4" to "Linux 2.4/2.6" in all
menu
* iptAdvancedDialog.cpp (iptAdvancedDialog): removed "log all
dropped packets" option from the firewall settings dialog for
iptables. This option required p-o-m patch that has become
obsoleted and is not included in p-o-m anymore.
* FWWindow.cpp (install): when user hits "Install", the GUI checks
if objects in the database were modified since policy of a
firewall has been compiled last time. If existing policy file is
older than the database, program offers the user to compile it
before it is installed. There are options to recompile, install
old copy or cancel the operation.
2004-05-31 <vadim@vk.crocodile.org>
* RuleSetView.cpp: Added support for operations that act on
multiple rules: setting rule color, moving to a different position
in rule set, disabling/enabling, deleting. User can select
multiple rules by dragging mouse across several rows in the column
that shows rule numbers. Copy/Cut/Paste operations of multiple
rules are not supported yet.
2004-05-29 <vadim@vk.crocodile.org>
* RuleSetView.cpp (dragObject): implemented drag-and-drop of
objects in the rules
* utils.cpp (setDisabledPalette): all entry fields in the object
editor are disabled if an object is read-only or is located in
read-only library. Object editor is still opened for read-only
objects, but since all fields are disabled, changes are not
allowed. Opening object editor for read-only and standard objects
allows for inspection of their properties.
* FWWindow.cpp (load): file objects_init.xml does not include
empty "User" library anymore. Instead, this library is created
dynamically using method FWBTree::createNewLibrary when user
creates new data file. This simplified things since 1) "User"
library now has unique random ID in every data file so it can be
safely exported and then imported back without any conflicts; 2)
since its ID is unique, it can be renamed without creating any
conflicts. The library is only created in FWWindow::load()
(i.e. when new data file is created). It is not created when
existing data file is loaded because it is supposed to be
there. Old data files that still have this library with
semi-standard ID will load it as before, but the ID loses its
standard meaning.
2004-05-23 <vadim@vk.crocodile.org>
* filePropDialog.cpp (filePropDialog): added "File properties"
main menu item and dialog
* debugDialog.cpp (debugDialog): added "debug" menu item under "Help"
2004-05-20 <vadim@vk.crocodile.org>
* instDialog.cpp : built-in installer works with all supported
firewall platforms: iptables, ipf, pf, ipfw and pix.
* instDialog.cpp (instDialog): built-in installer reads list of
files that policy compiler generated for a given firewall object
("manifest") from the .fw file and installs them on the
firewall. One file in the manifest needs to be marked as
executable, installer runs it after all files are copied.
* all policy compilers: all compilers include a list of files
generated for a given firewall object ("manifest") in .fw file.
2004-05-18 <vadim@vk.crocodile.org>
* RuleSetView.cpp (contextMenu): split long context menu that used
to be shown when user clicked right mouse button on an object in a
rule. Now this menu has only actions related to the object, while
actions for the whole rule belong in the context menu shown when
user clicks right mouse button on the rule number.
* fr.po, ru.po: checked in updated French translation by
Jean-Michel Poure and added some rudimentary Russian
translation. Both translations are done in UTF-8.
2004-05-15 <vadim@vk.crocodile.org>
* init.cpp (init): define global var localepath that is
initialized with a path to the directory where translation files
(*.qm) are installed. This path is defined as $respath/locale on
all systems (on Unix this typically is
/usr/share/fwbuilder/locale, while on Windows and Mac it will be a
subdirectory "locale" in the directory where the binary is
installed)
2004-05-14 <vadim@vk.crocodile.org>
* ColorLabelMenuItem.cpp (ColorLabelMenuItem): implemented RFE
#725461: "Colors". Added ability to color-code rules in the
policy. User can pick one of the 7 predefined colors (plus none)
in the pop-down menu that appears when they right-mouse-click on
the policy or NAT rule. Custom text can be associated with each
color using a panel in the Preferences dialog, this text appears
as a tool tip when user flies mouse cursor over color buttons in
the pop-down menu.
2004-05-12 <vadim@vk.crocodile.org>
* src/gui/ui: QT's ui translator uic creates code in this directory.
This allows me to add generated files to the internationalization
infrastructure (include in the .pot file). also added *.cpp files
in src/gui/ui to cvs so translators can look at them to better understand
context without having full QT development environment.
2004-05-09 <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (processNext): fixed bug #934949:
"duplicate rules". fwb_ipt created duplicate rules for a bridging
firewall if fw object or its interfaces or their addresses were
not in the source or desintaion
2004-05-04 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): "new firewall" wizard can create
a new firewall object using predefined templates from the file
templates.xml (the file is a pat of the package and is installed
in /usr/share/fwbuilder on Linux and in c:\FWBuilder\resources on
Windows). User picks a template and the program creates a
duplicate of the template object in the "User" object library. The
wizard page where user picks template shows a diagram of the
firewall configuration that illustrates its interfaces, their
configuration and addresses. Comment text associated with template
object explains its specific properties and is shown on the page
as well.
2004-05-02 <vadim@vk.crocodile.org>
* templates.xml.in : a library of firewall object templates. This
library is a part of the distribution and is installed in
${prefix}/share/fwbuilder on Linux and BSD and in
C:FWBuilder/resources on windows (the same dir where standard
objects are installed). This library is not loaded by default
though.
* listOfLibraries.cpp (listOfLibraries): Added a page to the
preferences dialog to manage add-on libraries. The GUI maintains a
list of available add-on libraries and allows user to define which
ones will be automatically loaded when the GUI is started. The
program always adds "standard" and "templates" libraries to the
list, then scans directory $HOME/.fwbuilder/lib/ (
C:\FWBuilder\lib on windows) and adds all .fwb files found there
to the list. It stores list of libraries in the user's preferences
together with a boolean flag that is set if a library should be
loaded on a start-up. Library added using main menu "Import
Library" is also added to the list so the user can make the
program load it automatically.
2004-04-29 <vadim@vk.crocodile.org>
* Makefile.in: Added support for internationalization. Using
gettext 0.14.1. This is the first version where support for QT
lanuage files is available, but it is not available in RedHat or
other Linux distributions yet. Therefore had to copy some m4 macro
colelctions from example to directory 'm4', as well as copied a
Makefile.in and script remove-potcdate.sin to directory 'po'. New
version of xgettext recognizes standard QT localization method
tr() and can generate usual .pot files from strings used with
it. The nwe msgfmt can generate .qm files from translated .po
files.
2004-04-25 <vadim@vk.crocodile.org>
* instDialog.cpp (cmd): this method can be used whenever we need
to execute several commands on the firewall sequentially.
* (instDialog): install dialog hides incremental install options
if 'diff' program can not be found (perhaps compiler that comes
with it is not installed)
* instDialog2.cpp (PIXincrementalInstall): integrated with
fwb_pix_diff
* instDialog2.cpp (PIXbackup): implemented function that stores
backup copy of firewall configuration in a file
2004-04-18 <vadim@vk.crocodile.org>
* findDialog.cpp (find): 'find object' function is implemented by
means of an external modeless dialog that allows for searching in
the tree and or policy rules and supports matching with regular
expressions.
* newFirewallDialog.cpp (getInterfacesViaSNMP): 'new firewall'
wizard can discover interfaces using SNMP. Finished work on the
page where user can arrange interfaces according to their security
levels.
2004-04-15 <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (accept): added 'new firewall'
wizard. Still need to work on the page where user sets security
levels of interfaces.
2004-04-14 <vadim@vk.crocodile.org>
* VERSION (BETA): added a variable in the VERSION file that
designates code revision as beta and stores beta testing period
expiration time (+30 days). Currently only About dialog shows this
time, but in the future I may make the program disable itself if
it is used past this time. The released version won't have this
limitation. This can be used to prompt people to upgrade, so I do
not have to support old versions.
2004-04-11 <vadim@vk.crocodile.org>
* FWBSettings.cpp (restoreGeometry): added ability for dialogs to
automatically remember and restore their geometry (size and
relative position on the screen). Currently only main window, conflict
resolution dialog and object editor dialogs do this. Geometry is
stored in preferences. Main window comes up with a default geometry
100,100,750,600 (x,y,w,h) when no geometry is found in settings.
2004-04-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (ConflictResolutionPredicate): implemented conflict
detection and resolution for the "merge" operation. The same
mechanism works for "open file" since it is also based on
merge. When there is a conflict during merge, the program opens a
dialog and asks the user which copy of the object they want to
keep.
2004-04-09 <vadim@vk.crocodile.org>
* instDialog3.cpp (stateMachineSSHSUDO): builtin installer works
with Linux/BSD systems using combination of ssh on the client side
and sudo on the firewall. User provides a password for
authentication and the program logs in into the firewall as that
user, copies firewall script to "/etc/fw" (directory path is
hardcoded), then executes it using sudo. Sudo should be configured
for this user or group she belong to to be able to execute this
script as root with no password.
2004-04-08 <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog): added universal (hopefully) policy
installer program. The program uses ssh in a background on both
Unix and Windows (on Windows it requires putty/plink) to
communicate with the firewall. Currently only supports PIX but I
will add Linux/BSD later. Installer GUI asks user for a password.
2004-04-07 <vadim@vk.crocodile.org>
* RuleOptionsDialog.cpp (loadFWObject): added rule options dialog
for ipt
2004-04-06 <vadim@vk.crocodile.org>
* FWWindow.cpp (search): implemented advanced search method that
finds and highlights objects both in the tree and in any rule of
any firewall. This resolves problem outlined in Feature Request
#837448: '"Where used" only shows fw objects'
2004-04-04 <vadim@vk.crocodile.org>
* FWWindow.cpp (save): implemented saving data file without making
copies of objects in the 'Standard' library (Feature Request
#810504). This feature is considered experimental and is off by
default. An option in Preferences dialog activates it.
* FWWindow.cpp (load): All load is done via merging of the loaded
file with a standard object tree. Now we can load files saved
without copies of unused standard objects.
* FWWindow.cpp (fileImport): implemented data import. Using method
FWObjectDatabase::merge to merge imported data with current object
tree. Only object IDs are compared, so modified standard object in
the imported file will be ignored and its changes will be lost.
2004-04-03 <vadim@vk.crocodile.org>
* export.cpp (exportLibrary): Implemented library export
* StartWizard.cpp (StartWizard): added simple startup wizard that
asks user if they want to open existing file or create a new
one. It also sets some useful preferences such as adds new file to
RCS and makes the program automatically open it when it is started
next time.
* OSConfigurator_linux24.cpp (generateCodeForProtocolHandlers):
Fixed bug #956544: "Error into load modules script generation",
where generated script would not load kernel modules with names
"module.ko.gz". Regular expression should match on ".ko.*$" to
find these modules properly. Thanks to Andrey Kaminsky
<and@fao.lv> who pointed this out.
* RuleSetView.cpp (doubleClicked): double-clicking on an object in
the policy rule opens that object in the editor
2004-04-02 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator): using combobox widget
instead of a tab widget for libraries. This way we can fit more
libraries without making interface cluttered.
2004-03-31 <vadim@vk.crocodile.org>
* ipt.cpp (main): the GUI saves path to the DTD and resources in
user's settings using QT QSettings class. Policy compilers and
other tools can read this setting to quickly determine location of
DTD and resources.
2004-03-29 <vadim@vk.crocodile.org>
* getting rid of STL classes in the GUI. The idea is to make GUI
use QT classes in most of the code and use STL classes such as
'string', 'map', 'list' where it has to pass data to and from API
which is STL-based. This should simplify using QT compiled without
STL support (much less conversions between string and QString).
2004-03-28 <vadim@vk.crocodile.org>
* main.cpp (main): the data file can be specified on a command
line both as an argument for option '-f' and after all
options. Option '-f' is preserved for compatibility with old
versions. Preferred method is to specify the file name as a
parameter without any option: "fwbuilder file.fwb"
2004-03-27 <vadim@vk.crocodile.org>
* platforms.cpp (getVersionsForPlatform): usability improvement:
"combo boxes" that do not allow typing in them should not have
empty choices. Fixed this for a drop-down menu of version numbers
in firewall dialog.
2004-03-26 <vadim@vk.crocodile.org>
* RuleSetView.cpp (insertRule): counting rules from zero in the GUI
* (RuleSetView): this is not a change, I just wanted to document
that I tested the GUI with a policy that has 1000 rules. I haven't
noticed any delay in loading this policy compared with when it had
<100 rules.
2004-03-25 <vadim@vk.crocodile.org>
* FWWindow.cpp (fileSaveAs): gui automatically chooses working dir
if none is set and user calls 'file save as' menu item :
* on Unix will use current dir.
* on Windows will use user's document dir.
* NATCompiler_ipt.cpp (processNext): added a workaround for a bug
(no number): if address range object was used in SNAT or DNAT rule
and option 'manage virtual addresses' was on, compilerwould not
add virtual address properly. It still won't do it, but at least
there is a check for this situation and it prints appropriate
warning message. The problem with this is that if the range is
large, we end up with potentially lots of virtual addresses. Let
the user deal with this themselves.
* ipt.cpp: compiler(s) understand new command line option '-R',
which should specify a full path to the resources. This is useful
on Windows and Mac where resources are installed in a non-fixed
place by the GUI package, but need to be used by the compilers.
2004-03-24 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (contextMenu): each system group object in
the tree has an item in its pop-down menu that allows user to
quickly add an object to that group.
* IPv4Dialog.cpp (DNSlookup): added ability to determine IP
address of an Address object using DNS lookup (using QDns class)
* FWBSettings.cpp (FWBSettings): explicitly setting scope for
QSettings as "User"
2004-03-22 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (addTreePage): added attribute 'ro' to all
elements in DTD (see API). This provides for a way of locking down
parts of the tree.
* ObjectManipulator.cpp (addTreePage): read-only subtrees are
marked with an icon of a lock and text 'read-only'
* objects_init.xml : standard objects tree is now read-only. User
objects can not be moved into 'standard' tree and standard objects
can not be edited but can be duplicated (a copy is automatically
created in the first user-defined library, most often it is a
library 'User')
* FWWindow.cpp (install): GUI supplies a path to the firewall
object as a parameter to installation script rather than just its
name (as before). This is because the path has changed when
library element has been added. Changes made in the GUI (send path
instead of name) and in fwb_install script (to make it interpret
path).
2004-03-21 <vadim@vk.crocodile.org>
* pixosAdvancedDialog.cpp (pixosAdvancedDialog): 'advanced host
settings' dialog for PIX
* RuleSetView.cpp (contentsMousePressEvent): selectedObject is
chosen in mouse press and key press even handlers; got rid of
currentChanged slot all together. This eliminated flicker that was
caused by extra repaint of the cell when selected object was
chosen in currentChanged slot.
2004-03-20 <vadim@vk.crocodile.org>
* DialogData.cpp (DialogOption): universal class to load and save
data in dialogs
* pixAdvancedDialog.cpp (pixAdvancedDialog): 'advanced' firewall
options dialog for PIX. Implemented tabls 'Compiler options',
'Prolog/Epilog', 'Timeouts' and partially 'Fixups'. Fixup pages
are disabled using resource string that defines which fixups are
available in certain PIX version.
* FirewallDialog.cpp (openFWDialog): firewall dialog saves version
from the widget to the object before opening 'advanced' firewall
options dialog. This is a departure from the dialog logic where
all data is stored when user clicks 'Apply changes' button.
2004-03-19 <vadim@vk.crocodile.org>
* FWBSettings.cpp: added support for an "object autosave" option
(automatic saving of changes in dialogs while switching between
objects)
* RuleSetView.cpp (insertRule): added main menu items "insert
rule" and "add rule after current"
* RuleSetView.cpp (contextMenu): added pop-up menu items for
adding, removing and moving rules up and down, as well as standard
copy/cut/paste operations on moves. Similar menu items added to
the main menu.
* RuleSetView.cpp (paintCell): implemented double-buffering in
paintCell to improve performance and remove flickering
2004-03-17 <vadim@vk.crocodile.org>
* FWBSettings.cpp: saving the size of the info window in settings
* RCSFileDialog.cpp (RCSFileDialog): 'open file' dialog
automatically looks for files in the working directory configured
in a global preferences dialog.
* main.cpp (main): added a global setting "startup action" in
Preferences. Currently two actions are available: "load standard
objects" and "load last edited file".
* FWBSettings.cpp (FWBSettings): a specialized wrapper for
QSettings. I will be adding methods to this class to simplify
access to whatever global program preferences and options I
need. Currently it supports 'working dir' and 'info window style'
settings. Settings are stored in a platform-depended way as
QSettings does it.
2004-03-16 <vadim@vk.crocodile.org>
* NATCompiler_ipt_writers.cpp (_printOPorts): minor bugifx - fixed
typo ( '==' -> '=' )
* ObjectEditor.cpp (closeEvent): object editor checks for
modifications before closing if user closes it using window
manager buttons.
* FWWindow.cpp (unselectRules): the main window maintains single
selection across objects in the tree and in the policy
view. Selecting an object in the tree automatically unselects
object in the policy and vice versa. Now I can implement
copy/cut/paste functions driven by the main menu; these operations
will work on the currently selected object either in the tree or
in the policy.
* FWWindow.cpp (editCut): copy/cut/paste operations work between
the tree and policy views using both context menus and main
menu.
* ipt.cpp: output stream is created with a mode ios::binary on
Windows
* RCS.cpp (isDiff): having problems with rcsdiff.exe in windows,
for now will assume that the file always changes and needs checkin
comment.
2004-03-15 <vadim@vk.crocodile.org>
* RCS.cpp (co): using windows-specific functions to create a
temporary file for the file checkout
* global.h: added redefinition of macro assert to be able to use
it on windows where we compile without debugging info. (the reason
I do not build Debug version on win32 is because I use precompiled
libraries libxml2 etc that are built using Release CRT, and I
can't mix different runtimes).
* RCS.cpp (co): GUI makes sure that if the file has been opened
and locked by a user, another user can only open it read-only. The
same user has a choice of opening it read-only or read-write. The
latter case is useful in case of a program crash that leaves
opened files in the locked state.
* RCS.cpp (co): added ability to open older revision of the file
read-only. Requested revision is checked out into temporary file,
which is then loaded and immediately deleted. The object tree is
locked read-only and 'save' and 'save as' operations are disabled.
2004-03-14 <vadim@vk.crocodile.org>
* RCS.cpp (add): using "rcs -i -kb" to add a file to RCS, this
should help avoid extra CR in the file while working on windows
because it makes RCS use binary mode while working with the file.
2004-03-13 <vadim@vk.crocodile.org>
* ObjectManipulator.cpp: GUI redesign: switched to a single window
design. Object manipulation happens inside three classes:
ObjectManipulator (the tree widgets and algorithms), ObjectEditor
(a stack of editor widgets and a glue logic), obejct info browser
(class QTextBrowser). Object editor appears as a non-modal dialog
when user double-clicks an object in the tree. Single click
updates data in the info window but does not open the
editor. Objects can be selected in the tree in any supported way -
keyboard arrows, keyboard shortcuts, hitting the first letter of
the objects's name, mouse click. In any case, appropriate object
is selected and info window is updated with its attributes.
Info window has three modes: collapsed (there is no info window),
showing only comment attrbibute and showing brief summary of
object's parameters and a comment. User can switch between modes
using a button located on the main window panel directly under the
info widget.
2004-03-12 <vadim@vk.crocodile.org>
* build environment is based on qmake: file qmake.inc is included
from qmake project files in all subdirectories. File qmake.inc
defines all variables for all platforms, so project files in
subdirs only add lists of files and take care of exceptions. File
qmake.inc is generated by configure, but all substitutions are
only needed for Unix and Mac. This file is checked in to cvs so it
could be used on Windows without a need to run configure.
All qmake project files in subdirectories need no substitutions
by configure, so they all are checked in to cvs and can be used on
windows right away.
Qmake project files fwbuilder2.pro and src/src.pro use template
'subdirs' and make qmake descent into subdirectories and rebuild
projects there.
Now using qmake to generate Makefile and MSVC project files in
src/fwblookup, src/fwbedit, src/ipt. Makes it easier to generate
consistent MSVC projects without having to edit them manually.
resource files (src/res/*.xml and src/res/*/*.xml) are generated
by configure, however, since substitutions made in them are only
relevant on Unix and Mac, generated files are checked in to cvs so
they can be used on windows without running configure.
No need to run configure (or autogen.sh) on Windows anymore.
To build on Unix and Mac:
$ autogen.sh
$ make
$ make install
To build on windows:
run qmake, then make in the root dir. of the project
Open fwbuilder2.dsw in MSVC and rebuild all
* NATCompiler_ipt.cpp, PolicyCompiler_ipt.cpp and others in
src/ipt: code cleanup. Removed all unused variables and added
handling for 'default' case in switch operators.
2004-03-10 <vadim@vk.crocodile.org>
* FWWindow.cpp (compile): implemented main menu items "Rules/compile"
and "Rules/install". Still need to add toolbar buttons though.
* execDialog.cpp (execDialog): a dialog for a background execution
of external commands. This class is used to call external policy
compilers and installer scripts. Uses QT class QProcess.
* ipt.cpp: transfered compiler for iptables over to fwb2. Only
minor changes: new file name schema (*.h, *.cpp); proper choice of
the directory where resource files are located; eliminated last
dependencies on glib
2004-03-09 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (accept): firewall settings dialog saves
all data in the object.
2004-03-07 <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog): firewall settings
dialog for iptables. Saving of the data back in the firewall
object is not implemented yet.
* DialogFactory.cpp (createDialog): DialogFactory: class that
creates dialogs for all object types.
* FWBTree.cpp (FWBTree): refactored code: all methods that enforce
our standard tree structure now belong to the class FWBTree
* TimeDialog.cpp (applyChanges): added dialog for the Time
interval object.
2004-03-06 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp (setupPopupMenu): added pop-up menu in the
group view (both icon and list modes) with oprations
copy,cut,paste and delete.
* all dialogs: object is moved from library to library when user
clicks 'apply changes' (before it would move immediately when the
library was changed in the pop-down menu).
* CustomServiceDialog.cpp (loadFWObject): added dialog for the
Custom Service object
2004-03-05 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (copyObj): added pop-up menu to object tree
view; implemented functions 'duplicate', 'copy', 'cut', 'paste'
2004-03-04 <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (contentsMouseReleaseEvent): objects in the
tree are selected with double-click.
2004-03-03 <vadim@vk.crocodile.org>
* RuleSetView.cpp (getRE): added platform capabilities check for
columns 'Time' and 'log/options' in policy views
* RuleSetView.cpp (dragMoveEvent): support for d&d of Time objects
2004-03-02 <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (loadFWObject): added dialog elements for
interface security level, 'external' checkbox, network zone.
* RCS.cpp (isDiff): added a wrapper for rcsdiff in RCS class
2004-02-29 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (createObject): properly creating interfaces
and addresses for the firewall object
* further testing and improvements in RCS integration
2004-02-28 <vadim@vk.crocodile.org>
* FWWindow.cpp (load): file can be opened with or without RCS, a
head revision or any specific revision, read-write or
read-only. File name, revision number and read-only status is
displayed on the main window's title bar.
* FWWindow.cpp (load): added ability to open data files read-only
* RCS.cpp (RCS): refactored the code, made class RCS a wrapper for
the command-line rcs tools. It should be possible to use the same
or similar interface for other version control system if needed.
2004-02-26 <vadim@vk.crocodile.org>
* RCSFilePreview.cpp (showFileRLog): Open File dialog shows RCS
revisions of the chosen file in a preview panel. Added button "add
to RCS" that allows user to add selected file to RCS right from
the "open file" dialog. Added elements for opening file read-only
and with or without locking (but these functions have not been
implemented yet).
2004-02-23 <vadim@vk.crocodile.org>
* RCS.cpp (rlog): class RCS provides simple integration with
RCS. Uses portable functions provided by QT to call external RCS
programs.
* configure.in: added checks for external RCS programs ci, co,
rlog.
2004-02-22 <vadim@vk.crocodile.org>
* FWWindow.cpp: added basic integration with RCS. Every time a
data file is opened, it is checked out from RCS and locked. If the
file has not been added to RCS, an initial checkin is performed
with a generic comment. Every time an opened file is saved (using
"save" or "save as" menu), it is checked in and kept in a locked
state. A new menu item "File/Close" has been added; this menu item
checks the file in and removes lock (does 'ci -u') so other users
can work on it, then it reopens a standard objects database in the
GUI. Opening a file while another file is already opened in the
GUI causes the latter to be closed (checked in and lock removed)
and a new one opened as described above.
still TODO: add a dialog to ask the user for a checkin comment
text. Add a global option "Use RCS" so that using version control
is optional. Test the whole thing on Windows.
2004-02-16 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): added dialogs for
interface, MAC address, network, address range and other objects.
* FWObjectDrag.h: implemented custom drag class FWObjectDrag; all
widgets dynamically check if the object being dragged can be
dropped in them. User can drag objects from the tree into groups
and rules, as well as from a group into the tree.
2004-02-08 <vadim@vk.crocodile.org>
* IPServiceDialog.cpp (libChanged): implemented gui elements and
support for moving objects between libraries.
2004-01-20 <vadim@vk.crocodile.org>
* added dialog for object IPv4. This object can now be created in
a standard place in the tree in a group Objects/Addresses as well
as as a child object of interface (as before in fwbuilder 1). This
allows for using object IPv4 as an abstract for an IP address
which is simpler than using a Host object.
2004-01-04 <vadim@vk.crocodile.org>
* GroupObjectDialog.cpp: Experiment: user and standard object tree
views have different background colors. This provides simple
visual clue of what library the object shown in the editor panel
belongs to. This is especially useful if a standard object is
referenced from the user defined group and user opens it; in this
case the tree switches from user-defined objects to the standard
onces but this switch may not be evident from the first glance,
thus user loses context and may be confused why his objects
apparently have gone away.
2004-01-03 <vadim@vk.crocodile.org>
* PropertyEditor.cpp (PropertyEditor): property editor has window
type "dialog" and always stays on top of the main
window. Implemented simple history feature for the object
navigation and added a button "Back" to the toolbar.
* GroupObjectDialog.cpp (loadFWObject): group object dialog can
now show group contents as a set of icons or as a list; switching
between two modes is done using toggle buttons a-la file list
modes in the "open file" dialog.
* PropertyEditor.cpp (loadObjects): merged object tree and object
property editor in one dialog.
2003-12-20 <vadim@vk.crocodile.org>
* main.cpp (main): resources and preferences files can now be
found dynamically, using a full path to the directory the binary
has been launched from. The RES_DIR macro defined in config.h
now specifies relative path to the resource files starting from
the application root dir. If program is installed in
/usr/local/bin, then the application root is "/usr/local" and
resources should be located in /usr/local/$RES_DIR directory.
Reference in New Issue View Git Blame Copy Permalink