Sophie


libfwbuilder-4.1.2-1.fc15.i686.rpm

2010-09-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.h (fwcompiler): fixed SF bug #3071667
	"Compilation segfault with DNS address in NAT rule". Added
	rule processors to replace Run-time DNSName and Address Table
	objects in TSrc and TDst.

2010-09-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_MICRO_VERSION): started 4.1.2

2010-08-20  Vadim Kurland  <vadim@fwbuilder.org>

	* v4.1.1 released

2010-08-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandAddressRanges): fixed
	fwbuilder:ticket:1696 "Compiler ignores, but provides no warning,
	about rules with invalid address range being
	skipped". AddressRange object in the ticket had start address
	greater than the end address.

	* NATCompiler.cpp (classifyNATRule::processNext):
	fixed fwbuilder:ticket:1685 "iptables redirecting NAT
	rules in the OUTPUT chain". NAT rules should be allowed to
	translate from CustomService to TCP or UDP service, provided
	CustomService object is configured with matching protocol.

2010-08-14  Vadim Kurland  <vadim@vk.crocodile.org>

	* set version to 4.1.1

2010-08-10  Vadim Kurland  <vadim@vk.crocodile.org>

	* v4.1.0 released

2010-08-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* ObjectGroup.cpp (validateChild): fixed fwbuilder:ticket:1679
	"Group allows invalid objects to be added (Policy, NAT, Routing)".
	Change done in ObjectGroup and ServiceGroup.

2010-06-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatchForSubnet):
	added method to check object matching with subnets

2010-06-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* CustomService.cpp (CustomService::CustomService): fixed missing
	class variable initialization.

	* FWObjectDatabase.cpp (FWObjectDatabase::setPredictableIds):
	this method is used to replace random string object ids with
	predictable ones; useful for unit tests because it allows us
	to create data files that can be compared. 
	Fixes fwbuilder:ticket:1517

	* FWReference.cpp (FWReference::toXML): always use int id when
	saving to xml. This allows us to change string ids if necessary
	using call to FWObjectDatabase::changeStringId() and it will
	change both in id and ref attributes when objects are saved to
	xml file. This is needed for unit tests to let tests create .fwb
	files with predictable IDs that can be compared later.
	See fwbuilder:ticket:1517

	* FWObjectDatabase.cpp (FWObjectDatabase::changeStringId): this
	method changes string ID associated with given int ID. Using this
	in unit tests to create .fwb files with predictable IDs that can
	be compared with golden files.
	See fwbuilder:ticket:1517

2010-06-02  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules):
	fixed #1485 "dns name object is recognized as an empty group when
	it appears in shared rule set"

2010-05-12  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::epilog): fixed SourceForge bug #3000159
	"libfwbuilder-4.0.1. calls exit warning.". Calling exit() or
	_exit() from a library function is discouraged, and as it turns
	out unnecessary in our case.

2010-04-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowingPlatformSpecific):
	added virtual function checkForShadowingPlatformSpecific() that
	should be reimplemented in specific PolicyCompiler classes to check
	if platform-specific rule options affect rule shadowing decision.
	Also bumped so version of fwbuilder and fwcompiler libraries to 9.1.0

2010-04-20  vadim  <vadim@vk.crocodile.org>

	* RoutingCompiler.cpp (reachableAddressInRGtw::checkReachableIPAddress):
	fixes #1410 "Problem with route for 4.0.0-b2809". Compiler did
	not allow vlan subinterface as a gateway in a routing rule.

2010-04-08  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expand_interface): fixes #1394 using
	existing virtual functions that expand multiple addresses to
	expand cluster interfaces. Renamed function _expandAddr to
	_expand_addr, added parameter bool expand_cluster_interfaces_fully
	to _expand_addr, _expand_addr_recursive and _expand_interface

2010-03-29  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (expandGroupsInItf::processNext): added rule
	processor expandGroupsInItf and moved expandGroupsInSrv from
	compiler for iptables. See fwbuilder:ticket:1374 "Rule with group
	of interfaces in the "Interface" column is not compiled the same
	as when the same interfaces are placed there without group"

	* RuleElement.cpp (RuleElementItf::checkItfChildOfThisFw): fixed
	fwbuilder:ticket:1372 group is not allowed in the "Interface"
	column. Group of interfaces should be allowed in the "Interface"
	rule element provided all group members are children of the same
	firewall.

2010-03-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* inet_net_pton.c (inet_cidr_pton_ipv4): fixed fwbuilder:ticket:1328
	"IPv4 dialog takes incorrect ip addresses". Function inet_cidr_pton_ipv4
	translated incomplete ipv4 addresses such as "1.0.0" incorrectly. The
	last octet in the result had random value because of use of uninitialized
	memory.

2010-03-18  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (replaceFailoverInterfaceInRE::processNext): fixes
	fwbuilder:ticket:1344 "PF script generated or the cluster uses
	carp interfaces".

2010-03-16  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (XMLTools::loadFile): passing error code returned
	by access() for better diagnostics. See fwbuilder:ticket:1334

2010-03-04  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::dispatch): recognize multicast
	when matching Network and NetworkIPv6 objects. See fwbuilder:ticket:1298

2010-03-03  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::findDuplicateLinksInTree): test/debugging
	method that walks the tree looking for objects referenced by two
	parents. Refs fwbuilder:ticket:1296

2010-03-02  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::destroyChildren): fixed memory leak
	where objects were not destroyed if they had no children.

2010-02-28  vadim  <vadim@vk.crocodile.org>

	* ../src/fwbuilder/ObjectMatcher.h (libfwbuilder): added virtual
	destructor. Fixes fwbuilder:ticket:1259

2010-02-27  vadim  <vadim@vk.crocodile.org>

	* configure.in: find cppunit library for unit tests

2010-02-25  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::getPrivateData): added facility for
	storing arbitrary blocks of user data with FWObject objects, keyed
	by a std::string key.

2010-02-23  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElement::isAny): made isAny() a const
	method. Part of the great const-ification, see #2

	* FWReference.h (libfwbuilder): added method getPinterIdDirect()
	that just returns int_id. This is a const method, it does not
	perform delayed initialization in case FWReference object only
	has string id for the object it points to. See #2

2010-02-18  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* Firewall.cpp (Firewall::duplicate): fixed #1254 ""locked" status
	of the object is lost when data file is loaded". "Read-only" or
	"locked" status of the firewall object was lost when data file was
	loaded into the program. The bug affected only Firewall object.

2010-02-17  vadim  <vadim@vk.crocodile.org>

	* ObjectMirror.cpp (ObjectMirror::getMirroredService): class
	ObjectMirror (refs fwbuilder:ticket:1241 "add mirror rule"
	checkbox for IOSACL)

2010-02-16  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::correctForCluster): this method takes an
	Address object and replaces it with interface of a member firewall
	if it turns out to be cluster interface. refs fwbuilder:ticket:1235

2010-02-15  vadim  <vadim@vk.crocodile.org>

	* XMLTools.h (libfwbuilder): definition of XMLFREEBUFF moved to
	libfwbuilder-config.h

2010-02-15  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::load): working on memory
	leaks with the help of valgrind. Refs fwbuilder:ticket:1229

2010-02-14  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* Management.cpp (SNMPManagement::fromXML): refs fwbuilder:ticket:1229
	memory leak problems

2010-02-02  vadim  <vadim@vk.crocodile.org>

	* fwbuilder/ObjectMatcher.h (libfwbuilder): reimplemented ObjectMatcher
	class using generic base class Dispatch

	* fwbuilder/Dispatch.h (__DECLARE_DISPATCH_METHODS): generic class
	that implements double dispatch pattern. Helps avoid long chains
	of if-then-else statements that compare object type names.
	Refs fwbuilder:ticket:1186

	* Interface.cpp (Interface::isLoopback): method isLoopback() will
	return true for cluster interface that has no ip address of its
	own but is mapped to loopback interfaces of cluster members.

2010-01-31  vadim  <vadim@vk.crocodile.org>

	* ClusterGroup.cpp (ClusterGroup::getInterfaceForMemberFirewall):
	added a method for the often used pattern. See fwbuilder:ticket:1184
	for the reference of other changes in fwbuilder that prompted this.

2010-01-30  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::prolog): do not remove
	disabled rules in prolog() because some compilers might use
	RuleSet::insertRuleAtTop() and other similar methods from prolog()
	or addPredefinedPolicyRules() and these methods renumber rules. As
	the result, labels stop matching rule positions when this is done
	because labels are configured in prolog() method of the base
	class. See fwbuilder ticket 1173. Instead of dropping disabled
	rules in prolog(), will keep them and drop them in rule processor
	Begin which is always the first in all compilers.

2010-01-25  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatchForSingleAddress):
	if flag match_subnets is true, check if given address is inside
	the subnet defined by the address/netmask of obj2.

	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatch): if flag
	match_subnets is true, treat AddressRange objects in a special
	way: check range boundaries against subnet defined by the
	address/netmask of obj2. Exact match is when range boundaries
	exactly match beginning and the end of the subnet. Partial match
	is when either boundary (or both) is inside of the subnet.

	* ObjectMatcher.h (libfwbuilder): setting all flags through setter
	methods instead of passing parameters to constructor. Added flag
	"match_subnets"

2010-01-19  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expand_interface): method
	_expand_interface (renamed, used to be _expandInterface) takes
	pointer to the rule as first argument. This makes it possible
	to generate error and warning messages associated with rules.

2010-01-18  vadim  <vadim@vk.crocodile.org>

	* ../VERSION (LIBFWBUILDER_REVISION): Set version to 4.0.0 in
	preparation for public beta

2010-01-17  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_15.xslt: incremented DTD version to 16,
	migration script changes value attribute "host_OS" of Firewall
	element from "linksys" to "sveasoft".

2010-01-15  vadim  <vadim@vk.crocodile.org>

	* AddressTable::loadFromSource , DNSName::loadFromSource : When
	address table file needed to resolve AddressTable object can not
	be found, the object uses dummy test address but also sets an
	attribute ".error_msg" in this object to indicate that there was
	an error and the object is not real.

	* Compiler.cpp (checkForObjectsWithErrors::processNext): Rule
	processor Compiler::checkForObjectsWithErrors was added to check
	for the ".error_msg" attributes and translate them into error
	messages that can be associated with rules. This way, Preprocessor
	can convert MultiAddress objects without having to scan all rules
	which makes it faster and we still can associate errors that
	happen during this process with rules.

2010-01-09  vadim  <vadim@vk.crocodile.org>

	* DNSName.cpp (DNSName::loadFromSource): method loadFromSource()
	now takes second argument "bool test_mode". When compiler runs in
	a test mode, it passes true in this argument to loadFromSource()
	to make it use dummy ip address in case it can not resolve
	requested DNS record. This helps test compiler on data files that
	use compile-time DNSName objects that do not resolve. The same
	argument is now available in AddressTable::loadFromSource() method.

2010-01-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkInterfacesForShadowing):
	include interface rule element in the shadowing detection
	algorithm. See ticket #1068

2010-01-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (FWObjectDatabase::findDuplicateIds):
	function to find objects with duplicate IDs in two object trees.

2009-12-24  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules):
	Eliminated bottleneck that caused noticeable delay in
	Preprocessor::compile(). Old code would find all MultiAddress
	objects in the tree and then check if they were used by the
	firewall we are compiling. This caused multiple tree walks. New
	approach is to walk all the rules of the firewall, looking for
	objects used in the rules. If the object is MultiAddress, it is
	pushed to the list, if it is a group, the group members are
	scanned in turn. Groups are scanned recursively. This way we first
	build a list of MultiAddress objects used in rules by doing single
	scan of the subtree rather than multiple scans of the whole tree.
	In addition, in single rule compile mode we scan only single
	rule rather than all rules of the firewall.

2009-12-11  vadim  <vadim@vk.crocodile.org>

	* ../src/fwbuilder/Group.h (libfwbuilder): Added method
	getAllowedTypesOfChildren() that returns a list of allowed
	children object types (should reflect DTD)

2009-11-30  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElement::toXML): RuleElement objects
	should have ID, but since DTD does not define one for them,
	will only keep this ID in the objects in memory and drop it
	before saving them to XML file.

2009-11-25  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (RuleSetOptions): added XML element
	RuleSetOptions (child of Policy, NAT, Routing). Moved option
	"ipt_mangle_only_rule_sets" from FirewallOptions to RuleSetOptions.
	See fwbuilder:ticket:650, fwbuilder:ticket:709

2009-11-20  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::remove): Change in implicit behavior:
	removing an object does not move it to the Deleted Objects library
	anymore. This should be done in the GUI.

2009-11-14  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp: Added method FWObject::findIf - generic method
	that searches for child objects that match criteria implemented
	by a predicate object passed as an argument.

2009-11-11  vadim  <vadim@vk.crocodile.org>

	* Group.cpp (Group::isMember): Generic member that checks
	if given object is a member of the group.

2009-11-09  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TODO): Added attribute "dedicated_failover"
	to the element Interface and corresponding class.

2009-11-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: Added attribute any_opt to IPService

2009-11-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPService.cpp (IPService::hasIpOptions): Method hasIpOptions()
	returns true if IPService object has one or more of the IP options:
	lsrr, rr, ssrr, ts, rtr_alt

	* fwbuilder.dtd.in: Added attributes rtralt and rtralt_value to
	IPService

2009-10-13  vadim  <vadim@vk.crocodile.org>

	* VERSION (VERSION): started v3.0.8

2009-09-18  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug
	#2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we
	expand "interface" rule element which uses negation, skip
	unprotected interfaces.

2009-08-28  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::getOptionsObjectConst): Added
	Interface::getOptionsObjectConst(), Interface::isSlave()

2009-08-24  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processFailoverGroup): cluster
	interface may not need an ip address, but this depends on the
	failover protocol. Adding check for when the address is missing.
	See #337

2009-08-12  vadim  <vadim@vk.crocodile.org>

	* NATCompiler.cpp (classifyNATRule::processNext): fixed bug
	#2836321: "SNAT rule that changes Trans Src and Trans Port does
	not work". Dual translation rule that changes source address and
	destination port was not supported.

2009-08-03  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandInterface): See #284:
	PolicyCompiler::ExpandMultipleAddresses and
	NATCompiler::ExpandMultipleAddresses should include subinterfaces

2009-08-02  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::validateChild): DTD does not allow
	nested subinterfaces; only one level of subinterfaces is supported.
	Interface::validateChild() now checks for this condition.

2009-07-29  vadim  <vadim@vk.crocodile.org>

	* snmp.h (class SNMPCrawler): Removed obsolete parameter
	skip_virtual - we never ignore virtual addresses.

2009-07-28  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::populateClusterElements): while
	scanning interfaces-members of a failover group, use only those
	that are children of the firewall that we are compiling. fixes
	#242 "fwb_ipt generates duplicate automatic rules for heartbeat
	and other protocols"

2009-07-27  vadim  <vadim@vk.crocodile.org>

	* Cluster.cpp (Cluster::getMembersList): cluster group members can
	be references to interfaces and subinterfaces; this change adds
	support for subinterfaces.

2009-07-26  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processFailoverGroup): While
	adding a copy of cluster interface to the firewall, make sure it
	has new unique ID instead of a copy of the ID of the cluster's
	interface object. If the ID is the same,
	RuleElementItf::validateChild() finds clusters' interface which is
	not a child of the firewall object and therefore is rejected.

2009-07-25  vadim  <vadim@vk.crocodile.org>

	* Compiler.h (fwcompiler): Deprecated object caching in compiler,
	fixes #228

	* Cluster.cpp (Cluster::getMembersList): need to scan not only
	StateSyncClusterGroup child objects but also all
	FailoverClusterGroup objects in order to find all member
	firewalls. The program used to look only at StateSyncClusterGroup
	objects, which meant it did not recognize any members if state
	sync group was empty. This fixes issue #4 in the bug #2826765:
	"problems and suggestions for 3.1.0-b1187".

2009-07-24  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getBranch): fixed problem #4 "GUI crash
	when setting action to be a chain." reported in the bug #2826765:
	"problems and suggestions for 3.1.0-b1187". The GUI crashed when
	policy rule in the cluster policy was set to action "Chain".

2009-07-17  vadim  <vadim@vk.crocodile.org>

	* Resources.cpp (Resources::getResourceStrList): This function
	provides a way to create lists of parameters in resource files.

	* fwbuilder.dtd.in (Library): fixed bug #2823424: "Deleting
	UserService object breaks data file format". When user deleted
	UserService object, it was moved to the "Deleted Objects" library
	which broke XML file because DTD did not allow UserService element
	as a child of Library

2009-07-16  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_11.xslt: Bumped data file format to 12; system
	group "Clusters" moves to the top level of the tree. Fixes #167

2009-07-13  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (checkForZeroAddr::findZeroAddress): followup
	for bug #2820152: AddressRange object has an address but no
	netmask. Have to check for getNetmaskPtr() == NULL where
	necessary.

2009-07-11  vadim  <vadim@vk.crocodile.org>

	* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
	ranges and other such need IPv4/v6 typing". AddressRange object
	should be recognized and removed from the rule if it is used in
	ipv6 rule set. To do this, add virtual method
	hasInetAddress() (should return true) to indicate that this object
	has an address. This works since virtual method getAddressPtr()
	has been implemented anyway.

	* VERSION (VERSION): started v3.0.6 in the current production branch

2009-07-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::populateClusterElements): user
	can now add loopback interface to the cluster object and use it in
	rules. This interface does not have failover group and has the
	usual 127.0.0.1/8 ip address. refers #163

2009-06-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cpp (Firewall::getIntrfacesByType()): Simple method to
	get a list of pointers to all interfaces of given type.

	* Compiler_cluster.cpp (Compiler::processFailoverGroup): fixes
	#166: cluster should be allowed to have interfaces with the same
	name as interfaces of the member firewall (i.e. "eth0"). This is
	necessary to support failover protocols that do not create virtual
	interfaces, but rather operate over normal interfaces, such as
	heartbeat.

2009-06-24  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getDirectionAsString): Direction
	"Undefined" is not allowed per DTD, have to assume it is "Both"
	if it is not "Inbound" or "Outbound". This is a last-minute fix
	which causes re-release of 3.0.5

2009-06-23  vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::init_from_string): Fixes #112: use strtol
	instead of atoi so we can determine when the string could not be
	converted entirely.

2009-06-18  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::isBridgePort): Refs #90 :
	deprecated attribute "bridgeport" in Interface object, using
	type set in the InterfaceOptions object.

	* Firewall.cpp (Firewall::duplicateInterfaces): Fixes #142 : Copy
	interfaces of the firewall before policies in
	Firewall::duplicate() because interfaces might be referenced in
	rules and should be copied before rule elements for the latter
	to set up references to the copies.

2009-06-17  vadim  <vadim@vk.crocodile.org>

	* v3.0.5 released

2009-06-14  vadim  <vadim@vk.crocodile.org>

	* Interface.h (libfwbuilder): Ticket #55: deprecated isExt()
	and setExt() methods. Platforms that care about interface being
	external should use security levels. Currently this is only PIX
	and it uses sec. levels already.

2009-06-09  vadim  <vadim@vk.crocodile.org>

	* NATCompiler.cpp (classifyNATRule::processNext): fixed bug
	#2803689 "NAT rule matching dport but chaning sport is broken".
	NAT rules that match destination port but translate source port
	should be possible (and the opposite too).

2009-06-08  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getDirectionAsString): should return
	string "Undefined" for the direction equal to PolicyRule::Undefined

	* NATCompiler.cpp (classifyNATRule::processNext): support for
	SDNAT rules that translate both addresses and ports.

	* NATCompiler.cpp (classifyNATRule::processNext): rules that
	translate only source port are now classified as SNAT, rules that
	translate only dest. port are classified as DNAT. Rules that try
	to translate one service type into another cause an error.

2009-06-03  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (recursiveGroupsInRE::isRecursiveGroup): fixed bug
	#2800625 "recursive groups cause infinite loop and crash in
	compiler". When a group included itself, compiler used to go
	into infinite loop and crash.

2009-06-01  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processStateSyncGroup):
	This method finds StateSyncClusterGroup objects and saves
	essential parameters in the Interface objects of the firewall
	so that compilers later can use this information to generate
	script to configure state synchronisation.

	* IPService.cpp (IPService::addNamedProtocol): class IPService now
	has internal mapping table of protocol numbers and names. By
	default it comes with a list of typical protocols "ip", "icmp",
	"tcp" and "udp". More protocols can be added to the table using
	IPService::addNamedProtocol() method. After that, method
	IPService::getProtocolName() will return protocol name for the
	registered named protocols. This facility replaces CARPService
	class.

2009-05-30  vadim  <vadim@vk.crocodile.org>

	* CARPService.cpp: Added trivial CARPService class that defines IP
	service with name "carp" and protocol number 112. There is no
	standard object of this type at this time and no XML DTD
	definition. Objects of this class are created internally by policy
	compilers. This is the same as VRRPService object. The purpose of
	having separate classes VRRPService and CARPService is to insert
	protocol name "vrrp" and "carp" in generated scripts.

	* Compiler.cpp (Compiler::_expand_group_recursive): ref #50:
	ignore various FWOptions child objects while expanding groups. In
	particular this skips ClusterGroupOptions object which is a child
	of FailoverClusterGroup and StateSyncClusterGroup objects.

2009-05-28  vadim  <vadim@vk.crocodile.org>

	* InterfaceData.cpp (InterfaceData::guessSecurityLevel): set
	security level to 0 (insecure) by default. This makes all
	interfaces of the newly created firewall be "external" or
	"insecure" unless they were assigned labels or addresses from the
	private address space in which case guessSecurityLevel() assigns
	level 100. This addresses bug #2796760 "Display error when adding
	new FW with multiple interfaces".

2009-05-27  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (XMLTools::version_compare): made it possible to
	compare version strings with different number of components.

2009-05-09  vadim  <vadim@vk.crocodile.org>

	* Resources.cpp (map): additional checks to protect against empty
	items created in map<string,Resources*> when we try to get
	resource for non-existent platform or host os.

2009-05-08  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::IsFirewallOrCluster): This new method
	compares given object with firewall or its parent cluster (if
	any).  Compares only IDs of these objects. This operation is often
	used in compilers to check if an object in source or destination
	is firewall, however when policy belongs to a cluster, it is
	cluster object that is usually found in rules and we need generic
	method to check for both conditions. This method checks an object
	if it is firewall or its parent cluster.

	* PolicyCompiler.cpp (PolicyCompiler::prolog): compilers reassign
	position numbers to rules before compilation to protect against
	possible errors upstream. Positional rule numbers are almost not used
	anywhere except for compiler debugging.

2009-05-07  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase::_findFirewallByNameRecursive: Made this method
	find both Firewall and Cluster objects in the database.

	* RuleSet.cpp (RuleSet::insertRuleAtTop): methods insertRuleAtTop
	and appendRuleAtBottom now accept argument "hidden_rule". If this
	arg is true, added new rule becomes "hidden" (using
	Rule::setHidden()). Method RuleSet::renumberRules() assigns
	negative position numbers to hidden rules

2009-04-20  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp: Additional validation to make sure Interval
	objects are not allowed in rule elements except for the
	RuleElementInterval

2009-04-17  vadim  <vadim@vk.crocodile.org>

	* Cluster.cpp (Cluster::Cluster): Support for clusters of
	firewalls.

	* FWObjectDatabase_10.xslt: auto-upgrade transformation adds tree
	branch Clusters

	* VERSION: DTD version 11

	* Merging patches from Secunet Security Networks AG to add support
	for Secuwall firewall.

	* VERSION: start v3.1.0 branch v3_1_secunet

2009-04-09  vadim  <vadim@vk.crocodile.org>

	* VERSION: start v3.0.5

2009-04-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* v3.0.4 released, merged to the trunk, this comment is r256

2009-03-29  vadim  <vadim@vk.crocodile.org>

	* v3.0.4 release

2009-03-25  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElementTSrv::validateChild): fixed bug
	#2712575: "NAT RuleSetView allows TagService to be in Translated
	Svc". TagService object should not be allowed in "Translated
	Service" in NAT rules.

2009-02-21  vadim  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_REVISION): because of internal changes in
	libfwbuilder in v3.0.4, bumping up so version to 8.2.0

2009-02-17  vadim  <vadim@vk.crocodile.org>

	* Management.cpp (Management::fromXML): fixed bug #2609796
	"internal object Management does not accept ipv6 address". Class
	Management should accept ipv6 address.

2009-01-23  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_search.cpp (FWObjectDatabase::findWhereObjectIsUsed):
	fixes for bug #2412334: "feature request: where used -> directly".
	Function FWObjectDatabase::findWhereObjectIsUsed returns a set of
	pointers FWObject*. These pointers can be either parent of the
	given object, or FWReference objects pointing to it. Note the
	change: in previous versions this function tried to clean up
	returned set and replaced references with pointers to the group or
	rule that owns those references. This substitution is in fact
	task-specific and should be done in the caller.

	* DNSName.cpp (DNSName::loadFromSource): fixed bug #2526193: "typo
	in error message"

2009-01-10  vadim  <vadim@vk.crocodile.org>

	* fwbuilder/snmp.cpp (SNMPVariable::create): using
	SNMPVariable_Bits for snmp responses of type OBJECT_ID. This is
	used in getAddressAndNetmask for IP-MIB data.

	* fwbuilder/snmp.cpp (SNMPVariable_Bits::toString): This class of
	SNMP variable now returns dot-separated text representation of its
	value.

	* InterfaceData.cpp (InterfaceData::InterfaceData): Converted
	InterfaceData to a proper class with constructors and
	destructor. Member addr_mask is now a list of InetAddrMask* so
	that it can contain both InetAddrMask and Inet6AddrMask objects.

	* snmp.cpp (SNMPQuery::getAddressAndNetmask): bug #2023261 "IPv6 -
	SNMP discovery of interfaces not working for IPv6". SNMP discovery
	can now read IPv6 addresses of interfaces using IP-MIB
	RFC4293. Not all snmp agents support this MIB, for example only
	recent versions of net-snmp support it.

	* snmp.cpp: code reformatting and refactoring in many places.

2009-01-02  vadim  <vadim@vk.crocodile.org>

	* RoutingCompiler.cpp (rItfChildOfFw::processNext): using
	FWObject::isChildOf() instead of custom implementation.

2008-12-27  vadim  <vadim@vk.crocodile.org>

	* CustomService.h (libfwbuilder): feature requests #1111267
	"CustomService should specify protocol and parameters for it" and
	#2463048 "custom services should have IPv4/v6 setting". Added
	attributes "protocol" and "address_family" to the CustomService
	object. Corresponding XML attributes are "#IMPLIED", this helps
	avoid having to provide XSLT auto-upgrade script for this
	version. Class CustomService returns "any" for the protocol and
	"ipv4" for address family if these attributes are missing.

2008-12-25  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandAddressRanges): using
	FWObjectDatabase::createClass methods to create rules and other
	objects in compilers wherever the type is known at the (code)
	compile time. This makes code cleaner and speeds it up a little
	because of eliminated cast() and string comparison.

2008-12-24  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_create_object.cpp (init_create_methods_table):
	using table of pointers to methods that create objects of
	different types to dispatch call to createFWObjectClass methods
	and avoid long chains of "if" operators that compare type names.

	* FWObjectDatabase_create_object.cpp (CALL_CREATE_OBJ_METHOD):
	added bunch of FWObjectDatabase::createClass methods for all known
	object types to create objects of the corresponding class and
	return a pointer to it. This provides a way to create an object
	without excessive use of dynamic_cast() and many 'if' operators to
	compare type name.

2008-12-23  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::FWObject): Code refactoring and
	cleanup. Constructor that attached new object to the tree takes
	argument pointer to FWObjectDatabase instead of pointer to
	FWObject. This helps eliminate some unnecessary cast().

	* InetAddrMask.cpp (InetAddrMask::dimension): fixed bug #2462927:
	"ip6tables: objects with netmask /32 lose netmask in
	script". InetAddrMask::dimension() returned incorrect value for
	ipv6 addresses with mask <= 32.

2008-12-22  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.h (libfwbuilder): refactored methods
	Compiler::complexMatch() and similar into separate class
	ObjectMatcher in fwbuilder. Using double dispatch pattern to
	properly dispatch calls depending on the object type to avoid
	multiple 'if' by object type.

2008-12-15  vadim  <vadim@vk.crocodile.org>

	* RuleSet.h (libfwbuilder): changes for bug #2431602: "Feature
	request: Unified policies (IPv4/v6)". RuleSet object now has two
	variables that define which address family it should be compiled
	for - ipv4 or ipv6. It is possible to have both set, in which case
	the same ruleset will be compiled for both address
	families. Compilers already drop address objects that do not match
	address family of the ruleset, this means ruleset can contain a
	mix of ipv4 and ipv6 objects and compiler can produce two correct
	policies from the same rules. New attribute of the RuleSet object
	is "implied" in XML DTD for backward compatibility.

2008-12-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* VERSION (VERSION): started v3.0.4

	* v3.0.3 released, merged to the trunk, this comment is r229

2008-12-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* DNSName.cpp (DNSName::DNSName): Need to set default values for
	the "dnsrec" and "dnsrectype" attributes because they must be
	preset to satisfy DTD.

2008-12-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree):
	additional fixes in algorithm that recursively copies object
	subtree between different data files. Making sure we do not create
	duplicates of groups referred to by other groups.

2008-12-05  User Vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::toString): Should use bits==128 because
	inet_net_ntop_ipv6 on FreeBSD applies mask constructed from the
	bits argument to the result, so with bits==0 it always returned
	"::/0"

2008-12-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (recursivelyCopySubtree): fixed
	bug #2375327: "Crash copying multiple groups between different
	data files". Using better algorithm to copy objects between
	different data files.

	* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree):
	Implemented additional check for object duplicates while copying
	objects. The problem happened when several objects were copied in a
	batch operation (e.g. when user selected several objects in the
	GUI and then used copy/paste to copy them all). If some of these
	objects were groups that referred to other objects from the same
	batch, the program would copy the object and then create another
	copy of it when it copied the group using it. To avoid such
	multiplication it now creates special hidden attribute in the
	object when it makes a copy to keep track of the original
	object. When the same original object needs to be copied again,
	the program can find its copy in the target data tree using this
	attribute. This creates another problem because the attribute used
	to track original object is persistent for the duration of the
	program run. The scenario that leads to this is as follows: user
	copies object A, modifies it and then copies group B using the
	original of A. The end result is that the program does not
	recognize that the copy of A has changed and makes copy of group B
	use it anyway. This means the new group points at modified object
	A. This can not be easily fixed because we do not have
	"last_modified" attribute in each object.


2008-12-01  User Vadim  <vadim@vk.crocodile.org>

	* Started v3.0.3
	
	* v3.0.2 released, merged -r195:221 to trunk. This changelog record
	is in rev 223

2008-11-28  User Vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::toString): Our included copy of
	inet_net_ntop does not add "/netmask" to IPv6 addresses if
	argument #3 is -1 (bits).  However, the same function included in
	libc on FreeBSD returns EINVAL for bits=-1. It appears the
	function in libc in FreeBSD is based on the same code as our copy,
	but has been updated and instead of doing check "if ((bits < -1)
	|| (bits > 128))" probably checks for (bits < 0). Because of this,
	fwbuilder GUI crashed when user tried to create IPv6 network
	object on FreeBSD. To fix, will use bits=0 in call to
	inet_net_ntop in InetAddr::toString and then strip /0 that
	inet_net_ntop adds to the generated string. Both our copy of
	inet_net_ntop and the one shipped with FreeBSD add "/0"
	consistently, so this works on all platforms.

2008-11-15  Vadim Kurland  <vadim@vk.crocodile.org>

	* AddressTable.cpp (AddressTable::AddressTable): fixed bug#
	2293052 "Saving file with empy AddressTable produces corrupt XML".
	When new AddressTable object is created, its "filename" attribute
	is empty. If data file was saved right after such new AddressTable
	object was created, resultant file could not be loaded back into
	the program because it violated XML DTD.

2008-11-01  vadim  <vadim@vk.crocodile.org>

	* fwbuilder/Rule.cpp (PolicyRule::PolicyRule): create rule
	elements exactly in the order defined by the DTD. Incorrect order
	caused errors in compilers ever since getSrc, getDst and other
	methods that return rule elements depend on the order.

2008-10-21  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing):
	Optimisations in the code that detects rule shadowing. Combined
	with conversion of the most used rule and rule element attributes
	to class member variables, this yields improvement in shadowing
	detection of about x5.

	* RuleElement.h (class RuleElement): converted "neg" from
	dictionary item to class member variable to improve performance of
	policy compilers

	* Rule.h (class PolicyRule): converted "action" and "direction"
	from dictionary items to class member variables to improve
	performance of policy compilers.

2008-10-20  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): Using
	internal caching to speed-up shadowing detection. This cuts time
	of shadowing detection almost in half for large policies with many
	rules.

	* dns.cpp (list): getHostByName() used to insert duplicate IP
	addresses into the list of the results. Now making sure ip
	addresses in the result are unique.

	* Compiler.cpp (Compiler::_expand_addr_recursive): change in the
	algorithm used to decide which interfaces of the host or firewall
	object to use in a rule when this host or firewall object is found
	in source or destination. Previously, compiler would skip loopback
	interface unless user associated the rule with loopback by putting
	it in the "Interface" rule element. This made it impossible to
	create rules with address 127.0.0.1 in destination but attached to
	interface other than loopback (such rule is used for transparent
	proxy configuration). Now if user explicitly put loopback
	interface object into rule element, we always keep it. However
	when compiler expands interfaces from a host or firewall object,
	it will skip loopback as before, unless the rule is attached to
	loopback interface.

2008-10-18  vadim  <vadim@vk.crocodile.org>

	* Address.cpp (Address::countInetAddresses): Added virtual method
	countInetAddresses() that returns total number of IP addresses
	given object has, counting all its children.

2008-10-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::isUsedByThisFirewall):
	explicitly checking for RuleElement and Rule objects in the set
	returned by findWhereUsed, this makes check if the object is used
	by the firewall slightly faster.

2008-10-11  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::prolog): assign name of the
	source rule set to combined_ruleset and temp_ruleset

	* FWObject.h (libfwbuilder): made getRO() public so it can be
	called from the GUI.

	* fwbuilder/XMLTools.cpp (XMLTools::readFile): Added support for
	compressed data files. The flag that controls compression on save
	is supposed to be set outside the API (in the GUI, via call to
	xmlSetCompressMode()). The API uses gzopen, gzread routines to
	read the file and therefore can transparently read both compressed
	and uncompressed .fwb files.

2008-10-05  vadim  <vadim@vk.crocodile.org>

	* VERSION: started 3.0.2

2008-10-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* v3.0.1 released Oct 4, 2008. Merged branch "v3" r181:195 to trunk

2008-09-25  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::setInt): fixed bug #2128261: "fwbuilder
	thinks the file has changed when opened read-only". Operation
	"find where used" triggered "dirty" flag on the object tree even
	though it does not change anything.

2008-09-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* Network.cpp (Network::Network): set netmask to /32 when new
	Network object is created. This used to be the default in
	fwbuilder v2.1. New default of 0.0.0.0 appears to be confusing and
	error-prone, by user's requests changing default back to /32.

	* FWObjectDatabase.cpp (FWObjectTreeScanner::merge): at one point
	I've got bunch of data files where DeletedObjects library
	contained references to objects. This should not happen, but at
	the same time this is valid file structure so the code should be
	able to handle it. This change will make merge() just copy
	contents of the DeletedObjects library without asking the user.

2008-09-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::fromXML): converted attribute
	"ro" (read-only) from a dictionary variable to the member variable
	of class FWObject. We check read-only status of objects very often
	and dictionary lookups were slowing compiler down considerably.

	* FWObjectDatabase.cpp (FWObjectDatabase::getStringId): generate
	unique string object id on demand instead of in the call to
	generateUniqeueId. This helps speed up compiler operations by a
	factor of about 3 because we generate unique int ID every time
	object is created or copied, yet string ID is only needed when
	object is stored in external XML file. Also using sprintf to
	assemble string ID, it works faster than ostringstream.

	* RoutingCompiler.cpp (reachableAddressInRGtw::processNext): fixed
	crashes in RoutingCompiler that happened because Routing ruleset
	object being processed is disconnected from the firewall parent
	at the time compiler works with it.

	* RoutingCompiler.cpp (rItfChildOfFw::processNext): fixed compiler
	error "Error (iptables): The object "eth0" used as interface in
	the routing rule 0 (main) is not a child of the firewall the rule
	belongs to!" that also happened because Routing ruleset object
	being processed is disconnected from the firewall parent at the
	time compiler works with it.

	* Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): added
	code to break infinite loop that happens when a group references
	itself.

	* FWObjectDatabase.cpp (FWObjectDatabase::_findWhereUsed): fixed
	findWhereUsed

2008-09-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPv4.cpp (IPv4::fromXML): filter addresses and strip leading and
	trailing whitespaces and other non-digit characters before
	converting to InetAddr. This will help with annoying problem where
	v2.1 allowed such characters in address attributes of Address
	objects but v3.0 applies strict checks during file load and
	rejects such data files.

2008-09-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::_findWhereUsed): fixed
	bug #2090332: "Where used search function does not always work.".
	WhereUsed function could not find firewall if it was used in its
	own rules.

2008-09-10  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cpp (Firewall::validateChild): making sure Firewall
	object has only one Routing child object.

2008-09-06  Vadim Kurland  <vadim@vk.crocodile.org>

	* v3.0.0 released Sep 1, 2008. Merged branch "v3" r180 to trunk

2008-08-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::toXML): moved saving of XML attributes
	name and comment from FWObject::toXML to implementations of this
	virtual method in all classes that are supposed to have name and
	comment. Reason: name was initialized to empty string and
	FWObject::toXML did not save it to XML file if it was empty. This
	was done because some objects do not have name attribute per DTD,
	but all classes called FWObject::toXML (their base class) as part
	of their implementation of toXML. There were several classes that
	did not have their own implementation of this method and solely
	relied on FWObject::toXML. This caused problems when user created
	an object with empty name because it was saved into XML file w/o
	attribute name which violated DTD. Now each class that must have
	name or comment takes care of saving these attributes, and those
	that do not have it simply do not save it in their implementation
	of toXML.

2008-08-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::complexMatch): fixed bug (no #): policy
	compiler for iptables used chain OUTPUT instead of FORWARD if
	NetworkIPv6 was used in "source".

	* Compiler.cpp (Compiler::checkIfAddressesMatch): comparing both
	ipv4 and ipv6 addresses while searching for interface that matches
	given address.

2008-08-15  Vadim Kurland  <vadim@vk.crocodile.org>

	* AddressTable.cpp (AddressTable::loadFromSource): when
	AddressTable object loads addresses from external file that
	contains mixed set of ipv4 and ipv6 addresses, it picks only
	addresses that belong to the same address family as that of the
	policy being compiled. So, if it compiles ipv4 policy, it loads
	only lines that look like ipv4 address (have a "." in them). If it
	compiles ipv6 policy, it loads only lines that look like ipv6
	address (have a ":" in them). Lines that contain addresses that do
	not match address family are ignored.

	* Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): fixed bug
	#2051629: "group with dns names are handled as empty". This bug
	triggered when object group that consisted of DNSName objects set
	to resolve at compile time was used in policy rule and at the same
	time none of these DNSName objects were used in rules. If an object
	from the group was itself used in a rule, compiler properly
	converted it to address. But if object was never used in rules by
	itself, it was not converted.

2008-08-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* Tools.cpp: Getting rid of sprintf, using ostringstream

	* Rule.cpp (PolicyRule::removeRef): fixed bug #2047991 "Drag &
	Drop in CHAIN actions, version 3". The bug report consists of 3
	parts, part 3 is "When I change the Action from CHAIN to ACCEPT
	and switch it back to CHAIN it still shows the last policy target
	I used. EVEN WHEN I DELETED this object meanwhile. I manually have
	to remove the policy object from the properties of the CHAIN
	action.". PolicyRule::removeRef removes references to RuleSets and
	TagService objects from rule options when corresponding RuleSet or
	TagService object is deleted.

2008-08-03  Vadim Kurland  <vadim@vk.crocodile.org>

	* Address.h (libfwbuilder): removed return type qualifier "const"
	from bool HasInetAddress() (no point in making it "const
	bool"). Gcc 4.3 issued warning on this

2008-07-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::replaceRef): moved replaceRef method
	from Firewall to FWObject so it can be used for both firewalls and
	groups.

	* FWObject.cpp (FWObject::findDependencies): method that generates
	list of pointers to the objects referenced by <this>, such
	as objects used in rules and groups.

2008-07-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::init_id_dict):
	registering standard string ids for standard objects, deleted
	objects and templates libraries.

2008-07-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.pro: removed unnecessary override in target.path to
	make it install in a proper place on 64 bit machines

	* Applied patch for gcc 4.3 per bug #2023676: "libfwbuilder does
	not build against gcc 4.3".
	
2008-07-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* NetworkIPv6.cpp (NetworkIPv6::NetworkIPv6): per bug #2023140:
	"Default prefix for IPv6 addresses" setting default netmask to /64
	for NetworkIPv6 object.

2008-07-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* InetAddrMask.cpp (InetAddrMask::dimension):
	InetAddrMask::dimension returns MAXINT for netmask==0 and netmasks
	with length > 32 (in case of ipv6). Need double long and special
	integer arithmetics to calculate real dimension for ipv6
	address/mask combinations with "short" masks. MAXINT should be
	good enough for our purposes for now.

2008-07-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* dns.cpp (list): Using getaddrinfo on all platforms to perform
	dns lookup for different address families (AF_INET or AF_INET6).
	It looks like for it to work on Windows Vista machine needs to be
	configured with routable ipv6 addresses. When machine only had
	Link-local address on fe80:: net, even when ipv6 was enabled,
	getaddrinfo sent proper dns request for AAAA record, got reply but
	did not pass it back to the application. Once machine was
	configured with routable ipv6 address, getaddrinfo started working
	as expected. This problem was not observed on Linux and Mac OS X.

	
2008-07-08  vadim  <vadim@vk.crocodile.org>

	* fwcompiler.pro (LIBS): need to include -lfwbuilder while linking
	fwcompiler library on all Unix platforms because of the linker
	option  -Wl,-Bsymbolic-functions . Discovered this on Ubuntu
	Hardy where libsnmp adds this option via net-snmp-config --libs

2008-07-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* RuleSet.cpp (RuleSet::shallowDuplicate): Added support for
	attribute top_rule_set in class RuleSet 

	* fwbuilder.dtd.in: Added attribute "top_rule_set" to Policy, NAT
	and Routing elements

2008-07-06  Vadim Kurland  <vadim@vk.crocodile.org>

	* RuleSet.cpp (RuleSet::fromXML): added support for attribute
	ipv6_rule_set in class RuleSet

	* fwbuilder.dtd.in: Added attribute "ipv6_rule_set" to elements
	Policy, NAT and Routing

2008-07-05  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (fwcompiler::checkForShadowing): taking into
	account attributes "tos" and "dscp" while considering IPService
	objects for shadowing.

	* fwbuilder.dtd.in: Added attributes for TOS and DSCP codes to
	IPService xml element

2008-07-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* InterfaceData.h (libfwbuilder): InterfaceData moved from
	fwbuilder to libfwbuilder; using InterfaceData in snmp crawler
	instead of creating temporary Interface objects.

2008-07-01  Vadim Kurland  <vadim@vk.crocodile.org>

	* ICMP6Service.cpp (ICMP6Service::ICMP6Service): Added class
	ICMP6Service

	* fwbuilder.dtd.in: Added XML element ICMP6Service

2008-06-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* dns.cpp (DNS::getHostByAddr): class DNS has been radically
	simplified. Hard to support functions to get NS records and DNS
	zone transfer have been removed. This class now only provides
	convenience wrappers around gethostbyname2 and gethostbyaddr
	functions. Wrapper functions now accept parameter that defines
	address family type (AF_INET or AF_INET6).

	* configure.in (HAVE_GOODLIBRESOLV): remove checks for thread-safe
	dns libraries, these are not widely used and the code was hard to
	maintain.

	* dns.cpp: get rid of compile warnings

	* DNSName.cpp (DNSName::loadFromSource): throw exception if
	compile-time DNSName object can not resolve dns record.

2008-06-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* merged branch "id-experiment" r98:HEAD

	* Rule.cpp (PolicyRule::getSrc): Caching pointers to rule elements
	in PolicyRule to avoid calls to getFirsTByType if possible

	* TCPUDPService.h (libfwbuilder): source and destination port
	ranges are stored as class member variables for tcp and udp
	services.

2008-06-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWReference.h (libfwbuilder): this class uses integer id of
	objects it points to. It keeps id (and its string representation)
	as class member variables to avoid access to the attribute map
	which should speed it up. Using postponed initialization to
	associate integer id with string id read from XML file (because by
	the time this class reads itself from XML file not all objects can
	be loaded yet so it is possible that the id of the object it
	points to is yet unknown).

	* FWObject.h (libfwbuilder): ID of all objects that inherit
	FWObject is now represented by an integer. String ID used in XML
	file is stored in a dictionary and used again when object is
	stored back in XML. However all internal operations with objects
	use integer ids

	* Changes to support integer object IDs everywhere.

2008-06-05  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (fwcompiler::checkForShadowing): compilers will
	include TagService and UserService in the rule shadowing analysis

	* VERSION (LIBFWBUILDER_CURRENT): Library so version set to 8.0.0
	to allow for simultaneous installation of fwbuilder 2.1 and
	fwbuilder 3.0

	* Compiler.cpp (Compiler::getErrors): compilers accumulate error
	and warning messages they generate in an internal buffer; these
	messages can later be added to the generated script.

2008-06-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_7.xslt, FWObjectDatabase_8.xslt: autoupgrade
	scripts that create missing TagService objects for all Tag
	actions.  Scripts check if TagService element with required
	tagvalue attribute already exists in the same library and do not
	create duplicates. Also suppress duplicates if many rules use the
	same tag value. Duplicate TagService objects are not created
	inside of each library, but TagService objects with the same codes
	will be created if firewalls in different libraries need them. All
	rules with action Tag have their option "tagvalue" replaced with
	option "tagobject_id" pointing at existing or created TagService
	objects in the same library.

2008-05-31  Vadim Kurland  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::init_from_string): Constructors of
	InetAddr accept string that represent just a number (with no '.'
	or ':' characters), which is interpreted as netmask length. Call
	to constructor with such string is equivalent to the constructor
	InetAddr(int).

2008-05-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* InetAddr.h (libfwbuilder): Class InetAddr represents both IPv4
	and IPv6 addresses (depending on its member variable
	address_family). This simplifies design of the operators that
	perform address manipulations. The reason is that these operators
	should not modify object they are called with but rather return
	temporary object. The address family of this temporary object
	depends on address family of arguments, which makes it hard to
	use virtual operators.

2008-05-22  Vadim Kurland  <vadim@vk.crocodile.org>

	* Changes for IPv6 support. All compilers and OSConfigurator
	classes now accept parameter "bool ipv6_policy" to the constructor,
	which sets address family the compiler should process rules
	for. Supporting functions to allow rule processors
	ExpandMultipleAddresses, ExpandGroups and others to pick only
	those address objects that match current address family.

2008-05-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* Address.h (libfwbuilder): removed methods Address::getAddress
	and Address::getNetmask, will only use methods getAddressPtr() and
	getNetmaskPtr() (this way I can distinguish situation when a high
	level address object such as Interface does not have any child
	address objects).

2008-05-11  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_5.xslt: auto-upgrade transformation to set data
	format version to 6 and add tree branch for UserService objects.

	* VERSION (FWBUILDER_XML_VERSION): set current data format version
	to 6

	* UserService.cpp (UserService::UserService): Added class UserService
	* fwbuilder.dtd.in: Added UserService XML element

2008-05-08  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): partial
	fix for bugs #1789059 "shadow issue when using action chain" and
	#1945149: "Shadowing test for rules with action "chain". The
	mechanism for rule shadowing detection we have at this time can
	only detect shadowing of one rule by another. In case of branching
	it is a combination of the branching rule and rules inside the
	branch that may shadow other rules.  I plan to redesign this part
	of the code in the future, but it won't happen in upcoming v3.

	Meanwhile, I am fixing it in 2.1 by making compiler ignore rules
	with action Branch.

2008-04-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: Now there can be multiple child Policy and NAT
	elements under Firewall element. Branch rule sets move from child
	element under PolicyRule to under Firewall. Elements Policy and
	NAT will now have the same set of "standard" attributes as other
	objects, this includes name, comment, id and ro. Migration xslt
	script adds attribute "name" with value "Policy" to all Policy
	elements except branch rulesets. Branch rulesets are moved from
	under PolicyRule to under Firewall and their name is taken from
	the PolicyRuleOptions/Option with name "branch_name". NAT elements
	get attribute "name" with value "NAT" (we never had NAT branches
	so far).
 
2008-04-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* DNSName.cpp (DNSName::fromXML): added support for attribute
	dnsrectype in DNSName object. If this attribute is missing in XML
	file, it is assumed to be "A" and will be inserted when object is
	saved back to XML

	* fwbuilder.dtd.in: changes for ipv6: added elements IPV6 and
	NetworkIPv6, new attribute dnsrectype for element DNSName

	* NetworkIPv6.cpp: class to represent ipv6 network

	* IPv6.cpp: class to represent IPv6 address

	* AddressTable.cpp (AddressTable::loadFromSource): preparing for
	ipv6: AddressTable object can read ipv6 addresses from file.

2007-09-02  vadim  <vadim@vk.crocodile.org>

	* 2.1.14 release
	
2007-08-25  vadim  <vadim@vk.crocodile.org>

	* qmake.inc.in: removed reference to @OPENSSL_CFLAGS_Q@

	* configure.in: since we do not really use openssl for anything
	anymore, removing module src/fwbuilder/crypto and all checks for
	openssl in configure.in . Note that this also makes libfwbuilder
	and fwbuilder free of the licensing conflict between GPL and
	OpenSSL licenses
	(http://www.gnome.org/~markmc/openssl-and-the-gpl.html )

2007-07-18  vadim  <vadim@vk.crocodile.org>

	* Rule.h (libfwbuilder): using general data dictionary for
	interface_id and Interface_str 

2007-07-06  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766:
	"lock not saved". This method now copies the value of "ro"
	attribute (read-only).  Clear it in the caller if
	necessary. Method duplicate() clears it after calling
	shallowDuplicate in order to be able to modify the object, then
	restores this attribute to its original value.

2007-06-23  vadim  <vadim@vk.crocodile.org>

	* v2.1.12 release

2007-05-22  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElementItf::validateChild): permit
	objectgroup in the "Interface" rule element if all members of the
	group are Interface objects.

2007-05-09  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TODO): Added attribute "unprotected" for
	Interface. If this attribute is True, compilers should skip this
	interface while assigning ACLs or policy rules.

2007-05-07  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: Added support for boolean attribute
	'established' in TCPService. When this attribute is set to True,
	compilers should generate code to match TCP packet with port
	ranges defined in the object and ACK or RST flags set. If platform
	provides special option for this (typically called "established"),
	it should be used. 

	* FWObjectDatabase_2.1.11.xslt: working on bugs #1676635: "no way
	to match on state if the action is drop" and #1671910: "2.1.8 In
	'Branch' acton compiler doesn't insert NEW stanza". Adding rule
	option 'stateless=True' for rules with action NOT 'Accept' or
	'Tag'.  This is consistent with current hard-coded behavior of
	policy compilers that treat all other actions as stateless by
	default. This change provides a way for the user to override that.

	* FWObjectDatabase_2.1.11.xslt: changing existing rule option
	'stateless' to True if action qualifies.

2007-05-06  vadim  <vadim@vk.crocodile.org>

	* v2.1.12 started

2007-02-15  vadim  <vadim@vk.crocodile.org>

	* configure.in: fixed bug #1659526: "--with-openssl-prefix adds
	obsolete -R option"

	* v2.1.10 started

2007-01-04  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext):
	bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating
	rules shadow each other "backwards", that is more general rule
	shadows other rules _above_ it. Added flag 'reverse' to the method
	find_more_general_rule and added new rule processor
	DetectShadowingForNonTerminatingRules that finds such cases of
	'reverse' shadowing. Using it for rules in the mangle table for iptables.

2006-12-27  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug
	#1620925: "compile-time AddressTable object with empty file".
	Compile-time AddressTable object that uses file with no addresses
	should be treated as an empty group according to the "Ignore empty
	groups" option. Changes are made as follows:

	 - Compiler::expandGroupsInRuleElement does not call
	s->setAnyElement(); to set rule element to 'any' before adding
	addresses from the group. This means that if group is empty, rule
	element remains empty (not even 'any', just with no children,
	i.e. with size()==0).  Note that AddressTable::loadFromSource()
	leaves AddressTable object empty if the file does not have any
	addresses.

	 - Compiler::emptyGroupsInRE specifically checks for run-time
	MultiAddress objects and skips them so they won't be treated as
	empty groups (since they are indeed empty). Compile-time
	MultiAddress objects are treated as groups and algorithm that
	depends on option 'ignore empty groups' is executed for both empty
	regular groups and empty compile-time MultiAddress objects.

	
2006-12-26  vadim  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_MICRO_VERSION): set version to 2.1.9

2006-12-03  vadim  <vadim@vk.crocodile.org>

	* v2.1.8 released
	
2006-11-09  vadim  <vadim@vk.crocodile.org>

	* set version to 2.1.8
	* Applied patch #1593186: "xslt file for 2.1.1 broken"
	
2006-11-06  vadim  <vadim@vk.crocodile.org>

	* Tools.cpp (libfwbuilder::cxx_strtok_r): need to initialize
	winsock dll on windows, this fixes bug #1590746: "problem with
	using "DNS Names" objects on MS Windows"

2006-10-30  vadim  <vadim@vk.crocodile.org>

	* v2.1.7 released

2006-10-24  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::convertObject): bugfix for a fix
	for the bug #1575355: while checking if an object is used in rules
	of a firewall, need to compare firewall object's ID instead of a
	pointer.

2006-10-15  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::convertObject): fixed bug
	#1575355: "Compiler tries to resove deleted AddressTable
	objects". Using findWhereUsed to find if MultiAddress object is
	used in firewall being compiled so we don't try to resolve objects
	that are not used anywhere.

	* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup):
	code refactoring: moved methods findObjectsInGroup and
	findWhereUsed from the GUI to API.

2006-09-20  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): ignore
	rules with action Return while detecting shadowing

	* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1562290:
	"GUI crashes in discovery druid". FWObject::shallowDuplicate
	should add to database index only if dbroot is defined. If
	dbroot==NULL, trying to copy it from parameter x of
	shallowDuplicate (the object we are duplicating), but need to
	check if dbroot is != NULL after that as well, because object we
	are duplicating may not belong to any object tree. This is the case
	with interface objects created in SNMPQuery::fetchInterfaces
					 
2006-09-10  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::FWObjectDatabase):
	reindexing database in the copy constructor

	* a clean-up in many places where we create objects; always using
	FWObjectDatabase::create rather than straight 'new'

	* Added parameter 'prepopulate' to all object constructors that
	get FWObject *root parameter. Objects that automatically create
	children objects in this constructor do so only when
	prepopulate==true. Calling this constructor with
	prepopulate==false from createFromXML because children objects
	will be created when they are read from XML file.

2006-09-08  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::addToIndexRecursive):
	made this method public, it can be used to reindex whole database

	* FWObjectDatabase.cpp (FWObjectDatabase::create): removed last
	argument (bool with_root). Since we added autoindexing, all
	objects were always created with variable dbroot pointing at the
	database object that created them, regardless of the value of this
	argument. Added argument that specifies object's ID; this way we
	can create an object in FWObjectDatabase::createFromXML and set
	right ID right away. Previously new objects were given unique IDs
	by FWObject constructor so FWObjectDatabase would add them to the
	index with this ID. However the ID would then be reset to its
	value read from XML file, so we ended up with lots of stale and
	incorrect entries in the index.

	
2006-09-05  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_2.1.5.xslt: set version to 2.1.6

2006-08-31  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (checkForShadowing): working on bug #1544488:
	'Error with DNS_name object when "resolve during run time"'. Can
	not detect shadowing if DNSName or AddressTable object used in a
	rule is configured to resolve at run time. Compiler will ignore
	rules using such objects while detecting shadowing.

2006-08-21  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (loadFile): loadFile normally reads file twice,
	first time to check its version and upgrade it and second time to
	load it and generate doc that will be used by the program. If the
	datafile is '-' (stdin), it can not be read twice, so in this case
	this method does not upgrade and just returns doc created for the
	file as is. Currently this is only used by compiler for PIX to
	generate 'fixup' or 'inspect' commands when it is called by the
	GUI with command line option '-i'. This is a special case and GUI
	guarantees that XML it sends to stdin of the compiler is built
	according to the latest DTD.
 
2006-08-17  vadim  <vadim@vk.crocodile.org>

	* crypto.h (libfwbuilder): added missing virtual destructors to
	several classes to satisfy requirement of modern g++ (v4.1)

2006-06-24  vadim  <vadim@vk.crocodile.org>

	* BackgroundOp.h (CHECK_STOP_AND_RETURN): converted macro
	CHECK_STOP to two macros: CHECK_STOP_AND_RETURN and
	CHECK_STOP_AND_THROW_EXCEPTION. Using both macros sparingly, to
	make sure we do not throw exception or exit thread using
	thread_exit from inside 'catch' statement. This is risky and
	unnecessary since we can always throw exception in internal
	methods and catch them in run_impl, where we can then check flag
	stop_program and exit background thread simply by calling
	'return'. Macro CHECK_STOP_AND_RETURN is used in run_impl for this
	purpose. All other specific methods should throw exception using
	CHECK_STOP_AND_THROW_EXCEPTION

2006-06-23  vadim  <vadim@vk.crocodile.org>

	* configure.in: changed default for --with-advanced-dns option to
	NO because modern Linux does not expose corresponding
	functions (they moved to private section in glibc)

2006-06-21  vadim  <vadim@vk.crocodile.org>

	* qmake.inc.in: passing CXXFLAGS variable from environment to the
	build process

	* configure.in: Added option --without-advanced-dns that turns off
	checks for thread-safe resolver and dns zone transfers functions

2006-06-14  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (checkForShadowing): code that detects rule
	shadowing ignores rules with action Route. We really need a better
	algorithm...

2006-06-03  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (getAction): New rule action: "Route", to be mapped to
	ROUTE target for iptables and 'route' option for pf and ipf

2006-05-20  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (convertObject): added virtual method that
	processes single object; overload this method in preprocessor
	classes derived from Preprocessor to do additional manipulations
	with objects.

2006-05-19  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (processNext): need to ensure replacement objects
	of the class MultiAddressRunTime have stable IDs so compilers can
	recognize them between passes. For example, compilers for policy
	rules and nat rules for PF should recognize the same AddressTable
	objects to avoid duplication


2006-05-16  vadim  <vadim@vk.crocodile.org>

	* DNSName.cpp (loadFromSource): Using universal mutable address
	framework provided by class MultiAddress for DNSName.

	* dns.cpp (DNS::getHostByName): changed the type of returned
	object to list<IPAddress> so it can be sorted. This provides for a
	stable result - every time we use DNS::getHostByName to get list
	of ip addresses for a domain name, we will get them in the same
	order, therefore generated firewall rules will not change from
	compile to compile.

	* MultiAddress.cpp (MultiAddress): universal base class for
	mutable address objects that can be converted into one or several
	IP address at compile or run time. AddressTable class inherits
	MultiAddress. DNSName will be converted later.

2006-05-07  vadim  <vadim@vk.crocodile.org>

	* Compiler.h: added internal variable and interface to set the
	name for the ruleset compiler works on. Default name is empty;
	non-empty name is to be used to compile rules in branches.

2006-05-06  vadim  <vadim@vk.crocodile.org>

	* Compiler.h (setSourceRuleSet): added ability to explicitly set
	ruleset compiler should process. Currently using this in compiler
	for pf to process anchor rulesets (branches) separately from the
	main rule set.

	* fwbuilder.dtd.in (TODO): element 'PolicyRule' can have a child
	element 'Policy'; this is how we implement subpolicy (branching in
	policy rules). Similarly, NAT rule may have child element 'NAT'
	for NAT rule branching and RoutingRule may have child element
	'Routing'

2006-05-05  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (setAction): Added policy rule action 'Branch' for rule
	subsets. This will be translated into user-defined chain for
	iptables and anchor for PF

2006-04-23  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (readFile): added support for reading of XML from
	stdin

	* FWObjectDatabase.cpp (saveToBuffer): added method for saving XML
	document into a memory buffer. Buffer is of type xmlChar** and
	needs to be freed with xmlFree() in the calling process. This can
	be used to pass XML to compilers via pipe to their standard input.

2006-04-21  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (setDirection): always setting direction to one of the
	three values defined in the DTD: "Inbound","Outbound" or
	"Both". If setDirection is passed an unknown argument, using
	"Both" as the default.

	* Rule.cpp (getActionAsString): the same for actions: code
	enforces a value from the enumeration permitted by DTD. Using
	"Deny" as default.

2006-04-19  ilya  <yalovoy@gmail.com>

	* fwbuilder.dtd.in: added element "inactive" to
	Firewall. Firewalls marked as inactive won't be picked for batch
	compile and install operations.

2006-04-13  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_2.0.99.xslt: v2.0.99 is an intermediate version
	used to simplify migration chains. Migration scripts for previous
	versions of 2.0.x will convert directly to 2.0.99 to avoid having
	to go through multiple conversion stages that only change version
	number
	

2006-03-21  vadim  <vadim@vk.crocodile.org>

	* AddressTable.cpp (AddressTableRunTime): AddressTableRunTime
	should _not_ use the same ID as original AddressTable object. If
	ID is identical, FWObjectDatabase::findById gets confused and
	returns original AddressTable object, which causes problems
	because AddressTable is not inherited from Address, so
	Compiler::getFirstOSrc and other similar methods can not cast it
	to Address and return NULL.

2006-03-20  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (cache_objects): switched from Compiler::objcache
	to object index in FWObjectDatabase. Replaced calls to
	Compiler::getCachedObject with calls to FWReference::getPointer()
	everywhere

	* ServiceGroup.cpp (validateChild): simplified check; need to
	permit all service objects as well as base class Group which is
	used in some compilers as a base class for a specialized group
	class, e.g. in compiler for pix.

	* Preprocessor.h: Class Preprocessor performs various operations
	on the original copy of the object database before other compilers
	are called to process rules. All other compilers create a local
	copy of the database and work with it, but Preprocessor works
	with the original database. Currently Preprocessor expands DNSName
	and AddressTable objects. Preprocessor can be overloaded as any
	other Compiler with customizations added either to its prolog() or
	compile() methods.


2006-03-18  vadim  <vadim@vk.crocodile.org>
 
	* IPAddress.h, dns.h, BackgroundOp.h: fixes to make code compile
	with g++ 4.1; patch by Martin Michlmayr <tbm@cyrius.com>
 
2006-03-15  ilya  <yalovoy@gmail.com>

	* FWOptions.cpp: added support for temporary object properties.
	The name of such property starts with a dot and corresponding
	XML attribute is not saved to the .fwb file.

2006-03-07  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp : added support for temporary object properties.
	The name of such property starts with a dot and corresponding
	XML attribute is not saved to the .fwb file.

2006-03-06  vadim  <vadim@vk.crocodile.org>

	* OSConfigurator.h: added simple mechanism to register virtual
	addresses added for NAT rules (just a counter for now)

2006-03-05  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (findZeroAddress): treating bridge port
	interfaces the same as unnumbered interfaces wherever algorithm
	applies to an interface w/o IP address

	* Interface.h (class Interface): added method Interface::isRegular

	* Interface.cpp: Added methods for 'bridgeport' attribute

	* fwbuilder.dtd.in (Interface): Added attribute 'bridgeport' to
	Interface. Will use this for bridging firewalls.

2006-03-04  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase.h (class FWObjectDatabase): completely
	eliminated singleton FWObjectDatabase::db

	* Group.cpp (Group): need to set dbroot in constructor of Group
	because it uses virtual inheritance and does not call FWObject
	constructor

	* FWObjectDatabase.cpp (recursivelyRemoveObjFromTree): there is no
	need to check for references pointing at certain types of objects,
	such as references and rulesets. This speeds up deleting objects
	by a large factor, especially when a firewall with lots of rules
	or a group with lots of objects is being deleted.

	* FWObject.cpp (getRoot): changed type of the object returned by
	method FWObject::getRoot to be FWObjectDatabase

	* FWObjectDatabase.cpp (addToIndex): methods to build and maintain
	object index ( index is defined as map<string,FWObject*> )

	* FWObjectDatabase.h (class FWObjectDatabase): made
	generateUniqueId method static (it does not need an instance of
	FWObjectDatabase)

	* Interface.cpp (setPhysicalAddress): making sure we use method
	'create' of the FWObjectDatabase instance the interface belongs to
	instead of a singleton FWObjectDatabase::db. This is important
	because method FWObjectDatabase::create updates internal index
	which is a part of FWObjectDatabase.

	* AddressTable.cpp (loadFile), FWObject.cpp (fromXML),
	FWObject.cpp (addCopyOf): same as above

	

2006-02-28  ilya  <yalovoy@gmail.com>

	* Compiler: Recursive group preprocessing (DNSName, AddressTable)
	is fixed.
	
2006-02-24  ilya  <yalovoy@gmail.com>

	* Firewall,fwbuilder.dtd :
	added new attributes:
	- lastModified
	- lastInstalled
	- lastCompiled
	and methods to deal with them
	
2006-02-15  ilya  <yalovoy@gmail.com>

	* version 2.1.5

	* Added Policy rule actions "Custom" and "Classify"

	* Added support for rule options for NAT rules

2006-02-09  vadim  <vadim@vk.crocodile.org>

	* TagService.h (class TagService): added missing virtual methods
	getProtocolName and getProtocolNumber

2006-01-20  vadim  <vadim@vk.crocodile.org>

	* dns.cpp (DNS_bulkBackResolve_query::run_impl): making sure
	running_mutex is unlocked before call to Cond::wait, also
	unlocking the mutex after Cond::wait returns. Here is why: method
	Cond::wait locks the mutex and calls pthread_cond_wait. This is
	because pthread_cond_wait atomically unlocks the mutex and puts
	the thread into sleep mode waiting for the condition variable
	to be signaled. Also once signal is caught, before returning to
	the calling thread, pthread_cond_wait locks the mutex again. Since
	we do nothing that would require this mutex here (we only use this
	mechanism to make sure we get control back when all worker threads
	terminate), we just unlock it and proceed with the loop.

	* snmp.cpp (many methods): using method
	Logger::operator<<(std::ostringstream &sstr) everywhere to avoid
	problems with formatting of the log entries in certain QT
	widgets. Sometimes QT automatically prints text strings passed
	to a widget in separate calls on separate lines, this breaks
	formatting if we use Logger in a chain-like call such as 
	*logger << str1 << arg1 << str2 << arg2
	Now we use ostringstream object to assemble the log line and then
	pass it to the Logger using *logger << str.

	* Logger.cpp (operator<<(std::ostringstream &sstr)): Added method
	for output of the log records from the ostringstream class. This
	method also purges ostringstream object so that subsequent uses of
	the same object do not cause duplication of log lines.

2006-01-03  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (getCompiledScriptLength): added method that
	returns the length of generated script. Using method
	sstream::tellp()

2005-12-16 ilya <yalovoy@gmail.com>

	* Compiler.cpp: AddressTables and DNSNames are processed only if they
	are included in current firewall.

2005-12-01 ilya <yalovoy@gmail.com>

	* version 2.1.4
	
	new object type TagService

	Actions 'Mark' and 'Queue' renamed 'Tag' and 'Pipe'
	respectively. New service 'TagService'.

	* addresstable_test.cpp: unit-test for AddressTable object


2005-11-24  vadim  <vadim@vk.crocodile.org>

	* Compiler.h: swapAddressTableObjectsInRE - rule processor that
	replaces AddressTable objects with their AddressTableRunTime
	equivalents.

	* AddressTable.h (class AddressTableRunTime): new class
	AddressTableRunTime - used in compilers as a substitution for
	AddressTable. Class AddressTableRunTime inherits Address and
	therefore is easy to use in rule elements that expect address,
	such as Src,Dst with minimal or no changes in compilers. Rule
	processors derived from swapAddressTableObjectsInRE replace
	AddressTable objects that require run-time address expansion with
	their AddressTableRunTime equivalents.
 
	* Compiler.cpp (emptyGroupsInRE::processNext): making sure
	AddressTable object is not considered an empty group. Object of
	this type can be either processed by compiler in Compiler::prolog,
	in which case it is replaced with a collection of addresses, or
	left intact if configured in "run time" mode, in which case it
	looks like an empty group.

	* Compiler.cpp (Compiler::_expand_group_recursive): also need to
	exclude AddressTable objects from ExpandGroup processor

2005-11-23  Vadim  <vadim@tourist.local>

	* committing changes for AddressTable object: method
	AddressTable::loadFile()

	* new method Network& Network::operator=(const string &s)
	for reading IP address/mask pairs from a text file.

	* support for AddressTable objects in compilers (only compile-time
	at this time)
	
2005-11-14  Vadim  <vadim@tourist.local>
	
	* version 2.1.3

	new object type DNSName

	using this method in Compiler::prolog to resolve DNSName objects
	that are supposed to be resolved at compile-time

	Redesigned RuleOptionsDialog to make room for new options

	Added actions MARK and QUEUE with basic support in API and GUI

	Added new object type AddressTable

2005-10-24  vadim  <vadim@tower.local>

	* configure.in: fixed bug #1304764: "configure script: Sun make
	check fails". Need to use ${MAKE-make} instead of $ac_make when
	checking for GNU make.
	*** Ported from 2.0.10 ***

2005-10-22  vadim  <vadim@tower.local>

	* set version to 2.0.10 in branch fwb2-2.0-maint
	Need another bugfix release

2005-09-29  Vadim  <vadim@tourist.local>

	* PolicyCompiler_ipt.cpp (InterfacePolicyRules):
	new rule processor: checks if the rule is associated with an
	interface and uses setInterfaceId to record its id. If the rule is
	associated with multiple interfaces, splits the rule
	accordingly. 
	
2005-09-28  Vadim  <vadim@tourist.local>

	* FWObjectDatabase_2.1.1.xslt: this autoupgrade XSLT
	transformation sets version to 2.1.2 and merges interface policies
	and global policy into one combined policy

	* PolicyCompiler.cpp (prolog): merged interface policies and
	global policy. Added XML element "Itf" (child of
	PolicyRule). Still keeping class InterfacePolicy just in case.

	* set version to 2.1.2
	
2005-09-26  Vadim  <vadim@tourist.local>

	* fwbuilder.dtd.in (TODO): Added Routing element and corresponding
	classes. Using "fwbuilder-routing" patch provided by Tidei
	Maurizio <fwbuilder-routing at compal.de>

	* set version to 2.1.1
	
	* FWObjectDatabase_2.0.9.xslt: transformation adds tree branch "DNS Names"

2005-09-20    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: New element: DNSName (Illiya)

	* DNSName.cpp (DNSName): API support for DNSName object type

2005-08-17    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (generateUniqueId): Adding process ID to
	the object ID to ensure its uniqueness. Before we only used time
	in seconds to generate object IDs which led to ID duplicates if
	fwbedit was called in a quick succession to create objects.

2005-07-30    <vadim@vk.crocodile.org>

	* Started v2.1.0
	
2005-07-17  vadim  <vadim@tower.local>

	* configure.in (HAVE_GOODLIBRESOLV): need to check architecture
	and use /usr/lib64/libresolv.a on 64 bit machines

2005-05-20    <vadim@vk.crocodile.org>

	* set version to 2.0.8
	
2005-05-08    <vadim@vk.crocodile.org>

	* v2.0.7 released
	
2005-05-02    <vadim@vk.crocodile.org>

	* snmp.cpp: Compiled all OIDs. The program may run on a system
	where MIBs are not installed, so we can not always use symbolic
	OID names. Also using snmp_out_toggle_options to turn numeric
	output in all responses (equivalent to -On in snmp tools)

2005-05-01    <vadim@vk.crocodile.org>

	* snmp.cpp (walk): verbose error message, printing
	response->errstat code as well as corresponding error string; this
	should help debug snmp-related problems better

	* snmp.cpp (walk): using snmp_error to print last snmp error string

2005-03-30    <vadim@vk.crocodile.org>

	* FWOptions.cpp (toXML): fixed bug #1173801: '"&" character in
	prolog/epilog'. Needed to call xmlEncodeSpecialChars to encode
	special characters in firewall options

2005-03-20    <vadim@vk.crocodile.org>

	* Tools.cpp (init): fixed bug #1158870: "mutexes are not properly
	created on FreeBSD". Mutexes gethostbyname_mutex and
	gethostbyaddr_mutex were never created but used on OS where
	thread-safe resolver is not available.

2005-02-17    <vadim@vk.crocodile.org>

	* v2.0.6 released
	
2005-02-01    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (recursivelyRemoveObjFromTree): checking if
	an object that needs to be recursively removed is in read-only
	library. This way we get an error message about an attempt to
	modify a library the object is in, which makes sense. Without this
	check, API tried to remove references to this object before
	removing the object itself. This means 1) if a reference existed
	somewhere in another read-only library, the error message said it
	was an attempt to modify that other library which was confusing
	and 2) we could end up with some references removed but the object
	itself could have been left in the tree if it was in read-only
	library. It seems to be better if the object and all references are
	intact if the object can not be removed at all.

	* FWObject.cpp (removeAllInstances): checking if an object is in
	read-only library before trying to remove it 

2005-01-29    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): fixed bug #1105167: "Crash when
	importing a library that has been deleted".

2005-01-24    <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (operator==): fixed bug #1108861: "two rules
	using MAC address matching shadow each other". Need to check for
	MAC addresses while processing rules for shadowing.

2005-01-07    <vadim@vk.crocodile.org>

	* v2.0.5 released
	
2004-12-22    <vadim@vk.crocodile.org>

	* Compiler.cpp (createRuleLabel): fixed bug #1068119: "additional
	whitespace for Rule comments in .fw file". Added extra space
	between rule number and interface spec in rule comments.

2004-12-04    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): Corrected error caused by the
	change made on 12/04/04. We now delete "deleted objects" from
	libraries we are merging in before calling
	FWObjectDatabase::merge.  Ignoring "Deleted objects" here caused
	problems; in particular, deleted objects disappeared from a data
	file whenever it was opened. This happened because we merged
	user's data file into standard objects tree, so user's file was
	_source_ here, and deleted objects in it were ignored.

2004-12-03    <vadim@vk.crocodile.org>

	version 2.0.4 released
	
2004-11-30    <vadim@vk.crocodile.org>

	* CustomService.cpp (toXML): using xmlEncodeSpecialChars to encode
	special chars in custom service code (code may use '&' which is a
	special character and needs to be encoded before storing in XML)

2004-11-23    <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (checkForShadowing): still working on the
	IPService object shadowing changes. ip fragments object was
	shadowing GRE object, which was incorrect. Hopefully this change
	finally fixes it.

2004-11-17    <vadim@vk.crocodile.org>

	* dns.cpp (init): fixed bug (no number): program crashed on
	FreeBSD 5.3 when using SNMP to obtain parameters for hosts and
	interfaces. Crash occurred because of use of uninitialized mutex
	variables in module dns.cpp

2004-11-15    <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (checkForShadowing): fixed bug (no num): rule
	shadowing algorithm checks for IP flags in IP service object. IP
	service object with protocol 0 shades anything only if its flags
	are cleared. Two IP services shade each other only if they are
	completely equal (protocols and all flags settings are the
	same). However, IP service with protocol 0 shades other IP service
	with protocol !=0 if all flags settings are the same.

2004-11-12    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): changes in the object database
	merge algorithm: when an object database we are trying to merge
	has non-empty "Deleted objects" library, deleted objects from this
	library should be ignored (they used to be deleted from the
	current tree). Likewise, when current tree has non-empty "Deleted
	objects" library and objects in it match objects being merged in,
	objects should be removed from "Deleted objects" library to avoid
	creating duplicate IDs with objects being merged in.


2004-11-10    <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (checkForShadowing): fixed bug (no number):
	rule shadowing algorithm now assumes that IPService object with
	protocol number '0' shadows any other service just like 'any'
	does.

2004-11-06    <vadim@vk.crocodile.org>

	* Compiler.cpp (complexMatch): fixed bug #1055937:
	"Any->all_multicasts not in INPUT Chain". Need to check if network
	objects are multicasts; assume that multicast always matches
	firewall object (e.g fwb_ipt will put rule with such network
	object in destination in INPUT chain)

2004-10-23    <vadim@vk.crocodile.org>

	* Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773:
	need to match network address as well as broadcast. Packets sent
	to the network address (192.168.1.0 for net 192.168.1.0/24) go in
	the broadcast frame and behave just like IP broadcast packets
	(sent to 192.168.1.255 for the same net)

2004-09-30    <vadim@vk.crocodile.org>

	* v2.0.3 released
	
2004-09-11    <vadim@vk.crocodile.org>

	* RuleElement.cpp (reset): added method RuleElement::reset(). This
	method clears all children of a rule element, sets it to 'any' and
	clears negation flag.

2004-09-08    <vadim@vk.crocodile.org>

	* Firewall.cpp (duplicate): fixed bug (no number): all references
	to the interfaces, as well as their IP and MAC addresses, in
	policy and NAT rules should be replaced when Firewall object is
	duplicated. Until now only references to the firewall object
	itself and to its interfaces were replaced with references to the
	newly created copies of object. References to IP and MAC addresses
	still pointed at the old objects.

	* FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI
	corrupts XML file after creating a second firewall". Global object
	ID counter was getting reset every time new FWObjectDatabase
	object was created. This led to the ID collision if user quickly
	created and deleted complex objects (such as Firewall) and used
	database merge. This should also fix bug #1022785: "GUI corrupts
	XML file after creating a host entry"

	* VERSION: set version to 2.0.3

2004-09-07    <vadim@vk.crocodile.org>

	***************************************************************
	* merged branch fwb2                                          *
	***************************************************************

2004-08-31    <vadim@vk.crocodile.org>

	* v2.0.2 released
	
2004-08-30    <vadim@vk.crocodile.org>

	* VERSION (RELEASE_NUM): version 2.0.2, revision 1

2004-08-21    <vadim@vk.crocodile.org>

	* qmake.inc.in: fixed bug #1012733: "configure --libdir=DIR will
	be ignored at installation". Needed to use macro _libdir to specify
	target directory for libraries. Used it in configure, qmake.in,
	libfwbuilder-config-2 and a .spec file
	
2004-08-20    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TODO): added element physAddress to list of
	child elements of Library (bug #1011617)

2004-08-12    <vadim@vk.crocodile.org>

	* v2.0.1 released
	
2004-08-04    <vadim@vk.crocodile.org>

	* XMLTools.cpp (loadFile): deleting .bak file prior to renaming
	the original one during autoupgrade procedure. Rename failed on
	windows if .bak file already existed.

2004-08-02    <vadim@vk.crocodile.org>

	* FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak"
	- children objects were not deleted when FWObjectDatabase object
	was destroyed.

2004-08-01    <vadim@vk.crocodile.org>

	* FWObject.cpp (getPath): fixed bug #1001725: "object with empty
	name can not be deleted". The problem was caused by the algorithm
	used in FWObject::getPath. If object had had a blank name, the
	path returned by this method would end with the name of its parent
	without slash.

2004-07-29    <vadim@vk.crocodile.org>

	* 2.0 released, CVS tag set.
	
2004-07-13    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (scanAndAdd): pulling objects from other
	libs if they are used for interface network zone while saving to
	file w/o unnecessary object copying

	* fwbuilder.dtd.in (TODO): added PolicyRule and NATRule elements
	to the list of child elements of Library

	* RuleSet.cpp (deleteRule): do not put deleted rules into "Deleted
	objects"

2004-07-10    <vadim@vk.crocodile.org>

	* FWObject.cpp (_moveToDeletedObjects): now move deleted objects
	to the special library with id 'sysid99' rather than delete them
	completely. This serves two purposes:
		1. can easily provide for undelete function which is very
		useful
		2. can catch a situation when an object has been deleted
		from the external library but is still used in the data
		file

2004-06-30    <vadim@vk.crocodile.org>

	* configure.in: using autoconf macro AC_C_BIGENDIAN to determine
	endianness of the system

2004-06-28    <vadim@vk.crocodile.org>

	* Network.cpp (shallowDuplicate): fixed a bug where network
	objects would not get copied properly when data file was saved w/o
	copies of standard objects (through exportSubtree)

2004-06-16    <vadim@vk.crocodile.org>

	* Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A
	dynamic interface". Dynamic interface used to "shadow" old
	broadcast object (0.0.0.0)

	* IPAddress.cpp (to32BitInt()): fixed bug that occurred on big
	endian architecture (e.g. Macintosh) because of incorrect usage of
	preprocessor directives to check BYTE_ORDER. This bug caused
	incorrect address arithmetics.

	* (_convert_range_to_networks): fixed bug #950857: "Incorrect
	conversion of address range" - address range that consisted of two
	IP addresses was converted to a set of networks incorrectly.

2004-06-05    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): fixed a bug in merge where the
	method would not ask the user for conflict resolution if
	user-defined libraries were different

	* FWObject.cpp (setReadOnly): setReadOnly does not change
	lastModified timestamp

2004-06-04    <vadim@vk.crocodile.org>

	* FWObjectDatabase.h (class FWObjectDatabase): added method that
	allows to reset "lastModified" time. Every time we load a database
	and merge it with the standard tree, lastModified timestamp
	changes. As the result, even if the user made no changes to the
	objects, the resultant tree is always different and RCS checks it
	in and bumps revision number up. Since user did nothing, it is
	confusing and unnecessarily creates lots of revisions.

2004-06-02    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: added attribute 'lastModified' to element
	FWBObjectDatabase. This attribute holds time of last modification
	done to any object in the database (GMT). Added support for this
	attribute in class FWObjectDatabase. This attribute is implied.

2004-05-05    <vadim@vk.crocodile.org>

	* Firewall.cpp (duplicate): Method Firewall::duplicate replaces
	references to the firewall, its interfaces as well as IPv4 and
	physical addresses of the interfaces in all rule sets with
	references to the copies of corresponding objects. Now firewall
	created from another one using 'duplicate' does not reference
	interfaces or addresses that belong to the original firewall
	object. 

2004-04-24    <vadim@vk.crocodile.org>

	* libfwbuilder-config.h.win32: removed support and therefore a
	dependency on openssl in the code compiled on windows.

2004-04-12    <vadim@vk.crocodile.org>

	* FWObject.cpp (duplicate): fixed a bug that prevented copying of
	the database into another database object using method 'duplicate'
	if one or more subtrees were read-only. Need to add an object to
	the tree before calling duplicate (method isReadOnly checks flag
	'init' in the tree root, so if an object has not been added to the
	tree, this check can not be done and read-only object causes
	'duplicate' to throw an exception).

2004-04-10    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): implemented conflict resolution
	for the object tree merge operation. Uses external predicate class
	to hand control over to the user who should make a decision which
	copy of the object to use. Typically this predicate should show a
	dialog with information for user to choose from.

2004-04-06    <vadim@vk.crocodile.org>

	* FWObject.cpp (operator++): implemented a global tree iterator
	class 'tree_iterator'. This class can be used to walk the whole
	tree.

2004-04-04    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (merge): implemented tree merge
	function. It adds objects that are not present in the tree and
	skips those that are already there. Only object IDs are
	compared. It does not resolve conflicts in a situation when a new
	object has the same Id as one of the old ones but some of its
	attributes are different. In this case it will assume the old
	object is the same as the new one and will skip it. Practically
	this means that if someone modified standard object instead of
	making a copy of it in fwbuilder 1, then the changes will be lost
	when data file is merged with a standard object tree.

2004-04-03    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (exportSubtree): implemented subtree
	export. This method creates new FWObjectDatabase object and copies
	all objects from an object given as a parameter down the tree. It
	also scans for references to objects that do not belong to this
	subtree and creates relevant subtrees to ensure that the whole
	tree is consistent and references never point at non-existent
	objects.

2004-04-01    <vadim@vk.crocodile.org>

	* Resources.cpp (getInstaller): added method Resources::getInstaller()

2004-03-28    <vadim@vk.crocodile.org>

	* FWObjectDatabase_1.0.2.xslt: fixed bug that appeared only when
	used with libxml2 2.6.6 and libxslt 1.0.33 - '*Group' elements
	were not converted properly (losing all child elements). It worked
	on RH 9 with libxml2 2.5.4 and libxslt 1.0.27. Fix tested with
	libxml2 2.6.6 and libxslt 1.0.33 on Fedora C1


2004-03-26    <vadim@vk.crocodile.org>

	* changed file names and target directories as follows:

	- include files are installed in
	${prefix}/include/fwb-2.0/fwbuilder and
	${prefix}/include/fwb-2.0/fwcompiler

	- libraries are named libfwbuilder-2.0.so.6.0.0 and
	libfwcompiler-2.0.so.6.0.0

	 - DTD and migration scripts are installed in
	 ${prefix}/share/libfwbuilder-2.0/

	This should allow us to keep both old and new API on the same
	machine. These changes are done only for Unix installations.
	
2004-03-25    <vadim@vk.crocodile.org>

	* Tools.cpp (init): path for the directory where DTD is installed
	is now passed to API as a parameter to the method
	FWBObjectDatabase::load. There were too many problems with
	guessing where it is installed on different platforms. On Unix it
	is always installed in the absolute path which is encoded in
	LIBFWBUILDER_TEMPLATE_DIR macro defined in
	libfwbuilder-config.h. On Mac and windows it is installed in the
	subdirectory off the directory where GUI and compiler binaries are
	installed. There is no way we can know what this directory is
	inside API, so it should be passed from the GUI or compiler as a
	parameter. It was simpler to unify the approach and make it so it
	is always passed to the API from outside.

2004-03-23    <vadim@vk.crocodile.org>

	* FWObjectDatabase_1.0.2.xslt: migration makes 'Standard' tree read-only

2004-03-22    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: read-only attribute is now part of DTD and is
	stored in the file. This allows us to lock down parts of the tree
	(e.g. 'Standard').

2004-03-13    <vadim@vk.crocodile.org>

	* qmake.inc.in: qmake-based build

2004-03-10    <vadim@vk.crocodile.org>

	* manifest.cpp (save): applied patch sent by Carlo Wood needed to
	compile with g++ 3.5

2004-02-08  Vadim Zaliva  <lord@crocodile.org>

	* libfwbuilder.info.in (Package): fink .info file tested to 
	work with MacOS X 10.3, fink package manager version: 0.17.4
	and fink distribution version: 0.6.2.cvs
	
2004-02-28    <vadim@vk.crocodile.org>

	* FWObject.cpp (setReadOnly): added a flag that marks an object
	and the whole subtree under it as read-only. All operations that
	modify objects check this flag and throw an exception if an
	attempt to modify read-only object is made.

2004-02-23    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp: moved RCS classes to the GUI. This allows
	me to use portable functions provided by QT to call external
	programs (co, ci, rlog etc).

2004-02-22    <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (coFile): basic integration with RCS.
	TODO: reimplement using exec(3) instead of system(3)

2004-02-08    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (<!ENTITY % STD_ATTRIBUTES '): removed
	attribute 'library'; libraries are now child elements of
	FWObjectDatabase.

	* FWObject.cpp (getLibrary): this method returns the name of the
	library 'this' belongs to. It scans objects in the tree starting
	from 'this', climbing up from 'this' to its parent and so on,
	looking for an object of the type 'Library', then returns its
	name.

2004-01-20    <vadim@vk.crocodile.org>

	* FWObject.cpp (findObjectByName): added (non-virtual public)
	method findObjectByName. This method finds a child object of a
	given type with given name.

2004-01-18    <vadim@vk.crocodile.org>

	* Library.h (class Library): this class supports new element
	"Library"

	* FWObjectDatabase_1.0.2.xslt: this transformation converts data
	file v1.0.2 to the new format where libraries are elements rather
	than attributes (v2.0.0)

2004-01-17    <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: DTD change: permitted element IPv4 to be a
	child of ObjectGroup. This does not require any changes in
	existing data files.

	* fwbuilder.dtd.in: DTD change: added element "Library"

2004-01-10    <vadim@vk.crocodile.org>

	* libfwbuilder-config.in (the_flags): added parameter "--includepath"
	to script libfwbuilder-config. This parameter is used to generate
	variables used in QT project files.

2003-12-30    <vadim@vk.crocodile.org>

	* XMLTools.cc (setDTD): Bug #868278: "fwbuilder GUI crashes while
	saving data to file on FreeBSD".  The crash happens in the DTD
	validation routine xmlValidateDocument when fwbuilder is working
	with libxml2 v2.6.4. Tests seem to rule out bug in libxml2 (I used
	their example program "tree2.c" and added similar fragment for
	validation, it worked), so it must be something in our code. I
	can't seem to find the problem though.  We recreate the tree from
	the objects in the memory, so doing validation here is mostly a
	double check. It should be relatively safe to just skip validation
	until I figure out what's wrong with it.

2003-12-27    <vadim@vk.crocodile.org>

	* taking into account different directory separation 
	characters on unix and win32

	* Resources can now be loaded from the directory defined 
	by the relative path (assumed to be relative to the directory 
	the binary was launched from)

2003-12-30    <vadim@vk.crocodile.org>

	* XMLTools.hh: properly using xmlFree to free blocks of memory
	allocated by libxml2

2003-12-26    <vadim@vk.crocodile.org>

	* Compiler.cc (normalizePortRange): fixed a bug ('==' used instead of '=')
	Among other things, compiler failed to merge rules with tcp or udp 
	services using "multiport" module in ipt because of this bug

2003-12-26    <vadim@vk.crocodile.org>

	* Makefile.in (FLIST): refactored xslt transformation scripts in
	migration. Now version number is a part of the script name rather
	than a directory; it is more convenient to deal with scripts named
	this way in the VC++ projects.

	* updated VC++ project files added autoupgrade XSLT scripts to 
	the projects on windows, DTD is installed in the same dir where 
	libraries are created

	* porting fwcompiler to win32. 

2003-12-25    <vadim@vk.crocodile.org>

	* using xmlFree to free memory allocated inside libxml by
	  xmlGetProp and friends, however since declaration of xmlFree
	  is commented out in windows version of libxml (as of Dec 2003,
	  v 2.6.3), we do not free this memory on windows :-(
	  TODO: check why xmlFree is not available in windows version

2003-12-24    <vadim@vk.crocodile.org>

	* renamed all .cc files to .cpp and all .hh files to .h
	* added Visual C++ project files (.dsw and .dsp)
	* added directory src/test and couple of tests
	* made changes in fwbuilder to port it to win32.
	* platform dependent functions moved to Tools.cpp (cxx_sleep,
	cxx_strtok_r etc)
	

2003-12-22    <vadim@vk.crocodile.org>

	* got rid of GLIB everywhere, now using POSIX threads functions
	directly.

	* configure.in: removed check for GLIB, added check for pthreads
	

	***************************************************************
	* VERSION (RELEASE_NUM): Created branch "fwb2", set package   *
	* version to 2.0.0 and library so version to 6.0.0            *
	***************************************************************

2003-12-18    <vadim@vk.crocodile.org>

	* libfwbuilder.info.in: fixed bug #862642: "fink packages do not
	work for 10.3". Changes have been made to the fink .info files to
	make libfwbuilder and fwbuilder build on Panther.

	* libfwbuilder.spec.in: fixed bug #855896: "do not quote RPM Group
	names". Group names in RPM .spec files should not be in quotes.

	* VERSION (RELEASE_NUM): set version to v1.0.2-2

2003-11-23    <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_AGE): v1.0.2 released

2003-11-11    <vadim@vk.crocodile.org>

	* XMLTools.cc (loadAndParseFile): fixed bug #840427: Problems with
	libxml2. The GUI won't start if libxml2 v 2.6.2 was installed, the
	error looked like this:

	I/O warning : failed to load external entity "/resources.xml"

	Function xmlParseFile broke in libxml2 v2.6.2 so I had to switch
	to xmlParseMemory.

2003-11-09    <vadim@vk.crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): fixed several bugs

	* Compiler.cc (_expandAddressRanges): implemented algorithm that
	converts address range into a set of networks rather than N
	hosts. Using method libfwbuilder::convertAddressRange.
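
Added example (not part of this ChangeLog and not libfwbuilder's own code): one way to convert an inclusive IPv4 address range into CIDR networks while handling the edge cases recorded in the entries on this page (a two-address range, N.N.N.0 to N.N.N.255, a range ending at 255.255.255.255, and start greater than end). The names Net, ip, rangeToNetworks and describe are assumptions made for this sketch, and the sample ranges are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One CIDR block: network address in host byte order plus prefix length.
struct Net {
    uint32_t addr;
    int prefix;
};

// Build an address from dotted-quad octets using shifts only, so the result
// does not depend on the byte order of the machine running the code.
constexpr uint32_t ip(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// Convert the inclusive range [start, end] into the shortest list of CIDR
// blocks that covers exactly that range. An inverted range (start > end)
// yields an empty list so the caller can report it instead of silently
// emitting nothing.
std::vector<Net> rangeToNetworks(uint32_t start, uint32_t end)
{
    std::vector<Net> out;
    if (start > end) return out;

    // 64-bit cursor: after a block that ends at 255.255.255.255 the cursor
    // becomes 2^32. In 32 bits it would wrap to 0 and the loop would never
    // terminate.
    uint64_t cur = start;
    const uint64_t last = end;

    while (cur <= last) {
        // Largest block the alignment of cur permits (its lowest set bit).
        // Address 0 is aligned to every block size, so cap it at 2^32.
        uint64_t size = (cur == 0) ? (1ULL << 32) : (cur & (~cur + 1));

        // Shrink the block until it fits into what is left of the range.
        while (size > last - cur + 1) size >>= 1;

        // Block size 2^k corresponds to prefix length 32 - k.
        int prefix = 32;
        for (uint64_t s = size; s > 1; s >>= 1) --prefix;

        out.push_back({static_cast<uint32_t>(cur), prefix});
        cur += size;
    }
    return out;
}

// Render the result as "a.b.c.d/len,a.b.c.d/len,..." for display and tests.
std::string describe(uint32_t start, uint32_t end)
{
    std::string s;
    for (const Net &n : rangeToNetworks(start, end)) {
        char buf[32];
        std::snprintf(buf, sizeof buf, "%u.%u.%u.%u/%d",
                      static_cast<unsigned>(n.addr >> 24),
                      static_cast<unsigned>((n.addr >> 16) & 0xff),
                      static_cast<unsigned>((n.addr >> 8) & 0xff),
                      static_cast<unsigned>(n.addr & 0xff), n.prefix);
        if (!s.empty()) s += ",";
        s += buf;
    }
    return s;
}

int main()
{
    // Constructed sample ranges, one per edge case.
    struct { const char *label; uint32_t a, b; } cases[] = {
        {"two addresses, unaligned", ip(10, 0, 0, 1), ip(10, 0, 0, 2)},
        {"two addresses, aligned", ip(10, 0, 0, 2), ip(10, 0, 0, 3)},
        {"N.N.N.0 - N.N.N.255", ip(192, 168, 1, 0), ip(192, 168, 1, 255)},
        {"255.255.255.255 only", ip(255, 255, 255, 255), ip(255, 255, 255, 255)},
        {"whole address space", ip(0, 0, 0, 0), ip(255, 255, 255, 255)},
        {"unaligned span", ip(10, 0, 0, 5), ip(10, 0, 0, 20)},
        {"inverted (start > end)", ip(10, 0, 0, 9), ip(10, 0, 0, 1)},
    };
    for (const auto &c : cases) {
        std::string r = describe(c.a, c.b);
        std::printf("%-26s -> %s\n", c.label,
                    r.empty() ? "(invalid range, nothing emitted)" : r.c_str());
    }
    return 0;
}
```

A firewall compiler that gets any of these cases wrong either hangs or emits rules that match more or fewer addresses than the policy author intended, which is why each case is worth a regression test.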

2003-09-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* set version to 1.0.2. There are no changes in the code (so far)
	but version change allows me to insert some standard objects into
	existing user's object files. In particular, I need to add
	standard objects "broadcast" and "old-broadcast" that are used by
	"help me build policy" druid for rules permitting DHCP.

2003-09-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* 1.0.1 released
	
2003-07-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (isRecursiveGroup): fixed bug #774834: compiler
	hangs on a group referencing itself. If a group references itself,
	policy compilers used to hang or dump core.

2003-07-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces): fixed bug #774462: wrong interface
	made external if fw was discovered by the crawler.

	* snmp.cc (fetchRoutingTable): fixed bug #773271: program crashes
	while doing network object discovery. 

2003-07-05  Vadim Kurland  <vadim@vk.crocodile.org>

	* XMLTools.cc: added method transformFileToFile that applies XSLT
	transformation to a file and stores the result in another
	file. This method is currently used for printing. This is done in
	order to fix printing on RH90. Somehow method
	transformDocumentToFile, when used in combination with
	FWObjectDatabase::saveXML, did not work on RH90. Somehow it did
	not load DTD properly, because of that XSLT transformation did not
	work (many things broke, in particular XSLT function id() did not
	work). Saving to a temporary file with FWObjectDatabase::saveFile
	and then applying transformation to this file in the new method
	worked.


2003-06-29  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_ops.cc (operator==): need to take interfaces into
	account when comparing Address objects. Dynamic and unnumbered
	interfaces need to be compared by names (since method getAddress
	of different dynamic interfaces will return the same IPAddress
	object)

2003-06-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_expandAddressRanges): fixed bug #742136: "iptables
	compiler hangs". All compilers hang if address range object with
	range start and end equal to 255.255.255.255 was used in the
	policy rule.

	* dns.cc (getHostByName): fixed bug #753946: "DNS lookup
	crash". DNS lookup of non-existing name caused crash on SuSE 8.2

	* set version to 1.0.1
	
2003-05-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* v 1.0.0 released
	
2003-05-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.cc (IPRoute): fixed bug (no number) improper use of
	the constructor Interface(const Interface *iface) in place of the
	copying constructor Interface(const Interface &iface)

	* snmp.cc (fetchRoutingTable): fixed bug (no number): snmp crawler
	did not pick external interface properly (external interface is
	determined by looking for a default route).

2003-04-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: improvements in the build process. Script
	configure eliminates duplicate CFLAGS and LIBS options and
	libraries and makes compile lines shorter.

2003-04-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: Set version to 1.0.0, release "RC1"

2003-04-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* snmp.cc (fetchArpTable): fixed bug where this method failed to
	get MAC address for known IP address if net-snmp v5 was used to
	compile and link the program.

2003-04-05  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): made complexMatch properly match if
	the second argument is interface.

2003-04-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* new .spec file for unified RPM build
	
2003-04-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: fixed bug #713582: Cannot build libfwbuilder from
	rpm src file on RH 8.0. Needed better way to check for presence of
	net-snmp or ucd-snmp libraries. RH 8.0 comes with both in a
	package net-snmp; script should be able to differentiate them and
	pick net-snmp. Script net-snmp-config is now present, using it for
	--libs flags.

2003-03-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (catchUnnumberedIfaceInRE): this method is used in
	rule processor checkForUnnumbered for all policy and nat
	compilers. It checks if unnumbered interface is used in a given
	rule element. Returns true if such interface was found.

2003-03-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* Makefile.in (CXXLINK): linking libfwbuilder.so and
	libfwcompiler.so with supporting libraries (libsnmp, libxml2,
	libxslt). This should help automatically set dependencies on the
	package.

2003-03-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added new NAT rule type SDNAT for
	rules that translate both source and destination.

2003-03-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* XMLTools.cc (loadFile): better text for the xml file
	auto-upgrade warning dialog.

	* NATCompiler.cc (processNext): renamed processor addressRanges to
	ExpandAddressRanges

2003-03-13  Vadim Kurland  <vadim@vk.crocodile.org>
	
	* rearranged top level Makefile so I can build tar file without
	  having to run configure first

2003-03-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.hh: added bool fwcompiler::operator==(const Interval &o1,const Interval &o2);

2003-03-03  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: platform and os resource files moved back to fwbuilder

2003-03-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.hh: converted everywhere from RuleElement::getFirst to
	Compiler::getFirstSrc , Compiler::getFirstDst etc. This helps
	improve compile speed for all platforms, sometimes significantly.
	
	* FWObject.cc (getById): API cleanup: got rid of the third
	parameter for getById (parameter was called 'dereference'). Had to
	make minor changes in the GUI to accommodate this.

2003-03-01  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: renamed var. HAVE_LIBBIND to HAVE_GOODLIBRESOLVE
	The new name better reflects its meaning. Removed checks for
	libdns and libisc, we don't seem to use these libraries anymore.
	Improved detection whether libresolv has advanced functions for
	zone transfers and error parsing.

2003-02-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.dtd, Rule.cc (setAction): added action 'Accounting'

2003-02-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* macosx.xml.in: Added resource files for Mac OS X and ipfw

2003-01-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* Makefile.in (OS_DATAFILES): moved files with platform and os
	descriptions from the GUI to the API

2003-01-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* BackgroundOp.cc (start_operation): flag stop_program is now
	created as a dynamic variable so that it can be checked even if
	BackgroundOp object has been destroyed while run_impls was stuck
	in a system call. See comment in the code. This fixes bug #637154:
	seg fault on snmp get / undo

2003-01-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (findAddressFor): using const arguments

2003-01-11  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (findAddressFor): added method Compiler::findAddressFor

2003-01-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_expandInterface): virtual method that can be
	reimplemented in derived compiler class to properly deal with
	physAddress objects (see PolicyCompiler_ipt)

2002-12-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces): fixed bug#617904: snmp does not get
	multiple addresses. The crawler and the tool that discovers host's
	interfaces using SNMP finds and creates appropriate IPv4 objects
	for interfaces that have multiple addresses.

2002-12-25  Vadim Kurland  <vadim@vk.crocodile.org>

	* physAddress.hh (class physAddress): added XML element and
	libfwbuilder class to represent hardware (physical) address. This
	class works similarly to IPv4; it can only be a child of
	Interface.


2002-12-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* Interface.cc: Added support for unnumbered interfaces (working on
	feature req. #546881 "Unnumbered Interfaces cause bad compile" and
	some bug reports.)

	* set version to 0.10.13
	
2002-12-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): fixed bug #657195: NAT port
	mapping bug.
	* configure.in: set version to 0.10.12-3 (to avoid having to
	create temporary xslt transformation for data file upgrade. this
	transformation will be added later when support for MAC address
	object is introduced; version will be bumped up to 0.10.13 then).

2002-12-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* 0.10.12 released
	
2002-12-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.xslt: fixed bug #654505: 1.0.8 won't load file
	from 1.0.6

	* using attribute 'exclude-result-prefixes' in xsl:stylesheet to
	fix the problem with extra namespace declaration added to the
	FWObjectDatabase element if upgrade of the data file was done
	using latest versions of libxml2 and libxslt. Added this attribute
	to FWObjectDatabase.xslt transformation for upgrades _from_ versions
	0.10.9, 0.10.10 and 0.10.11


2002-12-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* Rule.hh (class Rule): code cleanup - getting rid of
	getStr/setStr in compilers. Added few variables used in compilers.

2002-12-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* Rule.cc (duplicate): code cleanup: keeping NAT rule type and
	interface_id in a private class member variables


2002-12-01  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added basic support for Load
	Balancing rules and some new rule types in both NAT and Policy.

2002-11-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.hh: added new rule processor emptyGroupsInRE that finds
	and eliminates empty groups in rule elements. PolicyCompiler and
	NATCompiler both inherit from this processor and create their own
	sets of processors that check for empty groups in particular
	rule elements (like in Src, Dst, Srv, OSrc etc.)

	* Rule.hh (class Rule): added members and methods to class Rule to
	support operations specific to fwcompiler classes. Rules can have
	boolean flags "fallback", "hidden" and may have a label. These
	parameters are not being stored in XML file. Had to add virtual
	method duplicate to make sure these parameters get copied when
	rules are duplicated.

2002-11-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TCPService): added attributes for TCP flag
	masks in TCPService element.

	* TCPService.hh (class TCPService): added support for TCP flag
	masks. Rearranged methods dealing with flags and masks.

	* Compiler_ops.cc (operator<=): commented out operator<= for both
	Address and Service - to be removed after some additional testing.

	* Compiler.hh (checkForShading): renamed operator< to
	checkForShading, both for Address and Service. Operator== stays.

	* PolicyCompiler.cc (checkForShading): separated checkForShading and
	cmpRules methods in both PolicyCompiler and NATCompiler

2002-11-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): fix for bug #642161: problem with
	NAT rules that translate port numbers but do not change addresses.

2002-11-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): made changes to fix bug #637694:
	bridge enabled / management. Background: if firewall object is
	used in destination of the rule of the bridging firewall, chain
	needs to be still INPUT. Changes in complexMatch allow calling
	method to pass flags to control whether complexMatch would match
	on broadcasts and multicasts.

2002-11-15  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (cmpRules): fixed bug with rule shading
	detection: rules are considered not shading each other if any rule
	element has negation turned on. It is too difficult to correctly
	detect shading if there is negation somewhere.

2002-11-14  Vadim Kurland  <vadim@vk.crocodile.org>

	* Management.cc (toXML): fixed bug #635849: old and annoying
	problem where GUI detected non-existent change in the data tree
	once the user opened firewall object or any of the policy objects
	(InterfacePolicy, Policy or NAT). It then asked if the user wants
	to save the data before exiting the GUI.

2002-10-29  Vadim Kurland  <vadim@vk.crocodile.org>

        * 0.10.11 released

2002-10-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_ops.cc (operator==): taking TCP flags into account
	while comparing policy rule objects

2002-10-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (findZeroAddress): fixed bug #626238:
	0.0.0.0/8 not detected correctly

2002-10-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.xslt: setting FirewallOptions/Option with name
	'check_shading' and value 'true' for all firewalls : rule shading
	check is ON by default as of this version.

	* Compiler.cc (Begin::processNext): compilers now work on a copy
	of rule set. This allows for multiple passes to be created by
	simply creating another set of rule processors and calling
	runRuleProcessors again.

2002-10-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces) : now works with net-snmp library

2002-10-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cc (shallowDuplicate): new method: copies attributes of
	an object given as an argument, but does not change children.

2002-10-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.hh: output is now stringstream (so we can read and
	write to it)

2002-09-30  Vadim Kurland  <vadim@vk.crocodile.org>

	* release 0.10.10

2002-09-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): this method now scans virtual
	addresses on interfaces; it also avoids false positives with
	objects with multiple interfaces, where one interface matches.

2002-09-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (processNext): added generic rule processor to
	eliminate duplicates in rule elements.

	* Compiler.cc (createRuleLabel): code cleanup in createRuleLabel

2002-09-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.cc (to32BitInt): applied patch #612667 that fixes bug
	#571882 - address arithmetics broken on SPARC

2002-09-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* XMLTools.cc (cleanForNVTASCII): this method makes sure all
	characters in str conform to NVT ASCII coding (codes are
	<127). This must be true for example for sysDesc MIB variables.

	* dns.cc (run_impl): fixed bug in DNS_bulkBackResolve_query which
	happened if there were more threads than IPs to be resolved.

	* PolicyCompiler.cc (checkForZeroAddr): better diagnostics message

2002-09-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): fixed bug where this
	method cycled indefinitely if input data were start=N.N.N.0 and
	end=N.N.N.255

	* PolicyCompiler.cc (checkForZeroAddr): in addition for checking
	for objects with address 0.0.0.0, this rule processor also checks
	for hosts with no interfaces.

2002-09-15  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (checkForZeroAddr): this processor checks for
	host and network objects with address 0.0.0.0, which is equivalent
	to 'any'. This is an error, compilation is aborted. This fixes bug
	#607380: host with no IP creates any rule.

	* Compiler.cc (complexMatch): fixed bug #605944: multicast
	addresses in FORWARD chain

	* XMLTools.cc (saveFile): setting utf-8 encoding on saved xml
	files.
	* XMLTools.cc (cleanForUTF8): added method that cleans up
	character string, replacing characters that do not conform with
	UTF8 encoding with '?'


2002-09-10  Vadim Kurland  <vadim@vk.crocodile.org>

	* version 0.10.9 released
	
2002-09-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* snmp.cc (walk): using function snprint_objid from libsnmp. Added
	corresponding check to configure.in. Thanks to
	mithrandir@alwaysonline.net.au   for patch.

	* minor code cleanup. Changes to configure and Makefiles to
	support compile and linking with STLport
	
2002-09-07  Vadim Kurland  <vadim@vk.crocodile.org>

        * Makefile.in (INSTALL_STRIP): controlling build options via
        env. var FWB_BUILD_OPTIONS. Currently provides control for "-g"
        compiler/linker option and "-s" installer option.

	* Compiler.cc (getCompiledScript): fixed bug#606047: resetting
	position in the ostringstream stream 'output' so it can be used
	again.

	* Compiler.cc (findInterfaceFor): deep check to make sure we
	compare against all addresses of each interface of the firewall

2002-09-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: set library so version number to 3.0.0
	* removed fwbd from src/Makefile.in

2002-08-31  Vadim Kurland  <vadim@vk.crocodile.org>

	* Resources.hh (class Resources): class Resources moved from
	fwbuilder to libfwbuilder

2002-08-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: detecting lwres. configure parameter '--with-lwres'

	* Set Copyright to NetCitadel, LLC

	* configure.in: checking for /usr/include/lwres/netdb.h which
	comes with bind9

2002-08-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.hh (class FWObjectDatabase): moved method
	findFirewallByName from class Compiler to class FWObjectDatabase

	* libfwbuilder-config.in (the_flags): script libfwbuilder-config
	returns different combinations of libraries if called with
	parameter "fwbuilder" or "fwcompiler"

2002-08-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (ExpandMultipleAddresses): added case for NONAT

	* merged branch virt_iface: support for virtual interfaces
	
2002-08-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* Host.cc (getAddress): Host::getAddress returns address of
	management interface if there is one, or address of the last
	interface, or 0.0.0.0 if there are no interfaces

2002-08-22  Vadim Kurland  <vadim@vk.crocodile.org>

	* Host.hh (getManagementAddress): this method finds management
	interface and copies its address into Management child object and
	returns it.

	* Interface.hh (isManagement): added methods to manipulate
	attribute "mgmt"

	* fwbuilder.dtd.in (TODO): added attribute "mgmt" to element
	Interface. This attribute marks interface as "management"
	interface, which is the one fwbd daemon is listening on and the
	one to which we can run snmp queries etc.

2002-08-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* Interface.cc: added method setDyn

	* XML elements Host and Firewall: attribute 
	"address" is no longer REQUIRED.  IP Address for these elements
	should be defined in a child element Interface


2002-08-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): fixed bug #597418
	(compiler placed code into chain OUTPUT if MAC address match was
	requested for a Host with dynamic interface)

2002-08-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase.hh (class FWObjectDatabase): moved most of the
	standard IDs to FWObjectDatabaseGUI class in fwbuilder.

2002-08-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.cc (isMulticast): fixed bug #554286: crawler discovered
	multicast addresses and created objects

2002-08-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_ops.cc (cmpRules): fixed bug #594656: Outbound rule
	shades an inbound rule. Now taking direction into account when
	comparing policy rules.

2002-08-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_expand_addr_recursive): expanding objects with
	multiple addresses recursively, so that we can get all IPv4
	objects and all interfaces

2002-08-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* working in a branch virt_iface
	
	* configure.in: set version to 0.10.9

	* IPv4.hh (class IPv4): created class IPv4

	* FWObjectDatabase.xslt: created auto-upgrade transformation, that
	adds child element IPv4 to Interface and reassigns attributes
	"address" and "netmask" from Interface to IPv4

2002-08-01  Vadim Kurland  <vadim@vk.crocodile.org>

	* v0.10.8 released

2002-07-29  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cc (fromXML): fixed memory leak that occurred because we
	weren't free-ing memory buffers returned by xmlGetProp and
	xmlGetNodeContent

2002-07-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* XMLTools.hh (class XMLTools): made XMLTools::version_compare public
	method

2002-07-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* libfwbuilder-config.in (LIBFWBUILDER_LIBDIR): do not report
	CFLAGS and LIBS for libsigc++ 

	* BackgroundOp.hh (class BackgroundOp ): class BackgroundOp is not
	derived from SigC::Object anymore

2002-07-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* Rule.cc (PolicyRule): PolicyRule constructor _does not_ turn
	logging on anymore. This should be done in the GUI

2002-07-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cc (replaceRefToFirewall): fixed bug #580027:
	Firewall::duplicate replaces references to the old firewall with
	references to the new one in policy and NAT rules

2002-07-14  Vadim Kurland  <vadim@vk.crocodile.org>

	* dns.cc:
	* BackgroundOp.cc: initializing tattr from constructor and
	destroying it from destructor of both classes

	* configure.in: a workaround for an algorithm for detection of
	pthread library flags on OpenBSD (glib-config returns flags for
	/usr/local/lib/pth/libpthread which is broken, we should be really
	using libc_r instead)

	* BackgroundOp.cc (start_operation): processing return codes from
	pthread_create

	* dns.hh (class DNS_bulkBackResolve_query): 
	* BackgroundOp.cc (start_operation): tattr is now member of the
	class

2002-07-13  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (run_impl): 
	* BackgroundOp.cc (start_operation): setting detachable
	attribute in pthread_create to avoid execution problem on
	OpenBSD.

2002-07-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* autogen.sh: added script autogen.sh - this script regenerates
	all critical scripts and config files (aclocal.m4, ltmain.sh and
	ltconfig, configure etc) using aclocal, automake and libtool. This
	needs to be done to properly build on different platforms.

2002-06-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (abort): method Compiler::abort modified. Now it has
	dual function: if compiler is in testing mode
	(test_mode==true) it prints error message and returns, otherwise
	it throws exception with error message. Test mode can be activated
	using method Compiler::setTestMode()

2002-06-25  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added processor classifyNATRule
	that decides on NAT rule type (code is based on variant developed
	for iptables as the most comprehensive one)

	* Compiler.cc (processNext): added rule processor
	"createNewCompilerPass" 

	* set version to 0.10.8

2002-06-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (processNext): added universal rule processor
	splitIfRuleElementMatchesFW that splits rule if one of the objects
	in given rule element is firewall. Classes PolicyCompiler and
	NATCompiler derive from this base class to create rule processors
	that do this for specific rule elements.

2002-06-22  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cc, Host.cc: removed methods Firewall::setDefaults
	and Host::setDefaults. Now setting default properties and default
	options in the GUI using resources

2002-06-21  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cc (setDefaults): added code setting default values for
	firewall options for PIX

2002-06-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_expandAddressRanges): fixed bugs #571990 and #573038 -
	AddressRange overrun for ranges that end with IP address ending
	with 255

2002-06-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* version 0.10.7 released
	
2002-06-14  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (init): initializing threads and XML tools.

2002-06-03  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): fixed bug #564037: compiler should
	place rules with destination address 255.255.255.255 into INPUT
	chain

2002-06-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* Set version to 0.10.7
	
	* PolicyCompiler.cc (processNext): added rule processor that
	converts policy rule to atomic rules by splitting it on time
	interval rule element.

2002-05-25  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObject.cc (add): modified FWObject::add, added the second
	parameter that controls whether method will validate object to be
	added. Validation is on by default but can be turned off if
	needed.

2002-05-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.hh: added a few standard rule processors for
	PolicyRule:
	  o ExpandGroups
	  o ExpandMultipleAddresses
	  o addressRanges
	  o splitServices
	  o separateTCPWithFlags
	  o verifyCustomServices
	  o ConvertToAtomicForAddresses
	  o ConvertToAtomic
	  o findMoreGeneralRule
	  o DetectShading

	* NATCompiler.hh: added several rule processors for NATRule:
	  o ExpandGroups
	  o ExpandMultipleAddresses
	  o addressRanges
	  o ConvertToAtomicForAddresses
	  o ConvertToAtomic

	* Compiler.hh: added several type-independent rule processors:
	  o Begin
	  o printTotalNumberOfRules
	  o simplePrintProgress
	  o Debug

	* RuleProcessor.hh (fwcompiler ): class BasicRuleProcessor is
	base class for the family of rule processors

	* PolicyRuleProcessor , NATRuleProcessor: these classes inherit
	all methods from BasicRuleProcessor and add proper type conversion

2002-05-20  Vadim Zaliva  <lord@crocodile.org>

	* RuleProcessor.hh (fwcompiler ): new processing framework
	based on chained processor. Base class.

2002-05-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* Makefile.in (INSTALL_SCRIPT): fixed bug #556840 (shell script
	libfwbuilder-config should be installed without "-s" command
	line option to install)

	* Compiler.cc (findFirewallByName): added function that finds
	firewall by name

2002-05-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (find_more_general_rule): better algorithm
	to find more general rule. Reimplemented DetectShading

	* Compiler_ops.cc (cmpRules): new method to compare rules.
	* Compiler_ops.cc (operator<):  improvements in comparison of
	service objects

	* FWObject.hh (class FWObject):
	* TCPService.hh (class TCPService): made some methods "const"

	* Compiler.cc (debugRule): moved method debugRule to the base
	class Compiler

2002-05-16  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (for_each_const_rule): new implementations
	of for_each_rule and for_each_const_rule

	* Compiler.hh (x_any_fun2): using x_any_fun1 and x_any_fun2 to
	call  member functions that process rules in derived classes
	for policy and NAT compilers

2002-05-15  Vadim Kurland  <vadim@vk.crocodile.org>

	* v0.10.6 released
	
2002-05-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (findInterfaceFor): method to find interface of
	one object (usually firewall) that is connected to the same
	subnet as the second object

	* PolicyCompiler.cc (find_more_general_rule): using strict
	comparison ('<' instead of '<=') to find more general rule

2002-05-08    <vadim@vk.crocodile.org>

	* FWObject.cc (destroyChildren): this new method destroys all
	children of this recursively; it ignores reference counter and
	simply deletes everything.

	* FWObject.cc (clearChildren): this method deletes all children of
	this recursively or not (depending on parameter) but checks the
	reference counter and deletes only objects with ref==0

2002-05-03  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.hh: 
	* PolicyCompiler.hh: added methods and classes for debugging

	* Compiler.cc (_isMatchingFW): added matching for broadcast addresses

	* IPAddress.cc (getBroadcastAddress): fixed bug (removed extra
	htonl() conversion)

2002-04-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (error): now have three methods for warning and error
	messages: warning, error, abort

2002-04-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_isMatchingFW): method returns true if obj is
	firewall, or any child of firewall or its address matches that of
	any firewall's interfaces or address of the firewall object


	* BackgroundOp.cc (BackgroundOp): BackgroundOp creates object of
	class QueueLogger in constructor and deletes it in the
	background_thread, after run_impl returns. Also using SyncFlag
	flag "iamdead" which is protected by mutex to make sure background
	thread won't use object if it was destroyed. With this flag we can
	now delete object of class BackgroundOp any time without having to
	worry about background operation not using it after it has been
	deleted.

	Classes derived from BackgroundOp should check flag
	stop_program_flag using method check_stop after each system call
	in run_impl and should immediately interrupt operation and return
	from run_impl if check_stop throws exception.

2002-04-20    <vadim@vk.crocodile.org>

	* Logger.hh (class Logger): logger can be switched to blackhole
	mode. In this mode logger does not store text sent to it
	and its method Logger::ready always returns false

	* BackgroundOp.cc (start_operation): start_operation creates
	objects of class QueueLogger and returns pointer to it. This
	object is destroyed at the end of the background thread function,
	after it makes sure all the text has been pulled out of the logger
	by foreground thread, or logger has been disconnected.

	* Logger.hh (class QueueLogger): moved class Logger and other
	classes derived from it to a separate module. Added class
	QueueLogger - logger working via internal queue<string>

	* dns.cc (DNS_bulkBackResolve_Thread): assemble the whole string
	before sending it to logger (instead of using locking manipulators
	start and end)

2002-04-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (createRuleLabel): nicer rule labels

	* Compiler.cc (normalizePortRange): this method fixes port ranges

	* PolicyCompiler.cc (_expandAddr): routine that replaces
	references to host and firewall objects with references to their
	interfaces again uses all interfaces for firewall.

2002-04-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (operator): rule inspectors splitServices
	and verifyCustomServices moved to the base class PolicyCompiler

	* CustomService.cc: custom service has pseudo-protocol number 65000

2002-04-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* Rule.hh (class NATRule): some new NATRule types, additional methods
	to set and get rule type

2002-04-17    <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (convertToAtomicForAddresses): this processor
	splits composite rule onto bunch of atomic rules by its Src and
	Dst.  It ignores Srv. This processor is used in ipt compiler
	(iptables supports multiple ports in service, so we don't convert
	to atomic rules for service)

	* NATCompiler.cc (convertToAtomicForAddresses): this processor
	splits composite rule onto bunch of atomic rules by its OSrc,ODst,
	TSrc,TDst. It ignores OSrv and TSrv. This processor is used in 
	ipt compiler (iptables supports multiple ports in service, so we don't
	convert to atomic rules for services)
	
	* NATCompiler.cc (expandMultipleAddresses): 
	* PolicyCompiler.cc (expandMultipleAddresses): these methods moved
	to the base classes PolicyCompiler and NATCompiler

	* Compiler.hh: _expandAddressRange : method expands AddressRange
	objects in rule elements. This method is used in both
	PolicyCompiler and NATCompiler

2002-04-15    <vadim@vk.crocodile.org>

	* Compiler.hh: added caching for frequently used objects for all
	compilers

2002-04-11  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.hh (class IPAddress): added IPAddress::operator guint32()

	* IPAddress.cc (to32BitInt): converted from 
	IPAddress::operator ulong() to guint32 IPAddress::to32BitInt()
	for portability to 64-bit architectures (e.g. Alpha). Used type
	guint32 instead of ulong everywhere

2002-04-09    <vadim@vk.crocodile.org>

	* configure.in: checking for ccache and using it if present

2002-04-08    <vadim@vk.crocodile.org>

	* configure.in: automatic determination whether we have bind library
	(sets HAVE_LIBBIND)

2002-04-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: Set package version to 0.10.6, library libtool
	version to 2.0.0

2002-04-06    <vadim@vk.crocodile.org>

	* Compiler.cc (_do_expandGroups): fixed bug #538774: expand groups
	recursively (permits groups within groups)

2002-04-03  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (findByType>): findByType iterator-based method.

2002-03-31  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (init): initialize openssl library
	and loading error strings. (Bug #537633).

	* crypto.cc (Key): Key generation progress indicator
	callback. 

2002-03-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (FWObject*>): const attribute iterators.
	(FWObject*>): replaced std::vector with std::list.


2002-03-29  Vadim Kurland  <vadim@vk.crocodile.org>

	* Version 0.10.5  released

	
2002-03-21  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: fixed bug #532457 - port range end for
	traceroute increased

2002-03-19  Vadim Zaliva  <lord@crocodile.org>

	* fwbd.c: 
	* fwbd.h: 
	* crypto.hh: 
	* crypto.cc: 
	* Tools.cc: Compilation w/o openssl

2002-03-19  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: added support for the following options:
	"--with-openssl=no" or "--without-openssl"
	"--with-ucd-snmp=no" or "--without-ucd-snmp"
	"--with-ucdsnmp=no" or "--without-ucdsnmp"

2002-03-18  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: Workaround for difference in
	linefeeds handling in libxml-2.4.10 and 2.4.16.

2002-03-16  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: compilation problem for BSD systems.

2002-03-15  Vadim Kurland  <vadim@crocodile.org>

	* NATCompiler.hh: renamed macros 
	DECLARE_RULE_PROCESSOR -> DECLARE_NAT_RULE_PROCESSOR
	DECLARE_RULE_INSPECTOR -> DECLARE_NAT_RULE_INSPECTOR

	* PolicyCompiler.hh: renamed macros 
	DECLARE_RULE_PROCESSOR -> DECLARE_POLICY_RULE_PROCESSOR
	DECLARE_RULE_INSPECTOR -> DECLARE_POLICY_RULE_INSPECTOR

2002-03-14  Vadim Kurland  <vadim@crocodile.org>

	* aclocal.m4 (AM_PATH_OPENSSL): added macro to determine presence
	and location of openssl library

2002-03-12  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (init): library initialization method.

	* dns.cc: using gethostbyname and gethostbyaddr on systems where
	no re-entrant versions of these functions are present.

	* configure.in: 
	(strtok_r): checking for strtok_r presence and using
	generic replacement only if no standard one present.
	
	* Tools.cc (strtok_r): portable strtok_r implementation
	for platforms missing it.

	* manifest.hh: 
	* manifest.cc: 
	* win32modules.def.in (XML_PATH): 
	* configure_win32.in: 
	* dns.cc:
	* dns.hh: New win32 patch from Igor Morozov <igor@grad.kiev.ua>

2002-03-06  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: using HAVE_GETHOSTBYADDR_R_* macros

	* libfwbuilder-config.h.in: 
	* configure.in: added check for number of arguments in gethostbyaddr_r

2002-03-05  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (X509_entry): bugfix for wrong certificate 
	entries. Found and fixed by Jeremy T. Bouse.

2002-03-04  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: patch for Jeremy T. Bouse <Jeremy.Bouse@undergrid.net>
	correcting problems with wrong certificate expiration date and
	certificate format version.

2002-03-01  Vadim Kurland  <vadim@crocodile.org>

	* OSNetworkConfigurator.hh: added virtual method
	addVirtualAddressForNAT. This way we can concentrate all knowledge
	of particular OS in the class OSNetworkConfigurator and its
	descendants

	* OSNetworkConfigurator.cc: added OSNetworkConfigurator - simple
	base interface class for OS network configurator classes

	* 0.10.4/FWObjectDatabase.xslt: transformation also changes
	platform name 'ipfilter' -> 'ipf'

	* 0.10.3/FWObjectDatabase.xslt: transformation 0.10.3->0.10.4 adds
	namespace using xmlns in the root element. Transformation does not
	set namespace prefix. Since we use only one namespace, we can use
	it as a default namespace and do not need prefix.

	* 0.10.4/FWObjectDatabase.xslt: this transformation assumes there
	is always namespace declaration in the root element. This
	transformation uses its own locally defined prefix 'fwb' to match
	elements with namespace. This prefix is used only within this
	transformation and is not added to the output. The output tree has
	namespace declaration in its root element, just like input does.

2002-02-28  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: Workaround for bug #73088 in Gnome
	bugzilla. To be removed when it is fixed.
	
2002-02-28  Vadim Kurland  <vadim@crocodile.org>

	* 0.10.3/FWObjectDatabase.xslt: transformation adds namespace to
	all elements

2002-02-27  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveXML): 
	(saveFile): Removed explicit namespace specification in saved file.
	It is defined via DTD.

2002-02-27  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: patched fragment checking for resolv.h header file
	so it won't add -I/usr/include  This fixes bug #504485

2002-02-22  Vadim Kurland  <vadim@crocodile.org>

	* Rule.hh (class NATRule): added methods dealing with NAT rule
	type (SNAT/DNAT/REDIR/BINAT etc) NAT rule type is needed for
	compiler classes and is not stored in XML file.

	* Compiler.hh: made methods Compiler::warning and Compiler::abort
	public

2002-02-21  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: fixed bug #520845 (configure fails on solaris)

2002-02-20  Vadim Kurland  <vadim@crocodile.org>

	* Firewall.cc (Firewall): assigning default values to host_OS and
	platform in constructor

2002-02-20  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: replaces AM_ macros with AC_ macros

2002-02-19  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (substituteMacros): macro substitutor.

2002-02-19  Vadim Kurland  <vadim@crocodile.org>

	* PolicyCompiler.cc (find_more_general_rule): checking interfaces
	in find_more_general_rule

2002-02-18    <vadim@crocodile.org>

	* Compiler.hh: Compiler::prolog now returns number of rules to
	be processed

2002-02-15  Vadim Zaliva  <lord@crocodile.org>

	* configure_win32.in: 
	* win32modules.def.in: files to compile under win32

2002-02-14  Vadim Kurland  <vadim@crocodile.org>

	* UDPService.cc (UDPService): 
	* TCPService.cc (TCPService): 
	* ICMPService.cc (ICMPService): assigning values to those 
	attributes that are defined as REQUIRED	in DTD. This fixed bug #517198

2002-02-11  Vadim Kurland  <vadim@crocodile.org>

	* fixed bug #516033 (tcp-flags... - added missing flags PSH and URG)
	
	* FWObjectDatabase.xslt: autoupgrade transformation adds new TCP flags

	* TCPService.cc: added support for flags PSH and URG.
	Added methods dealing with TCP flags

	* fwbuilder.dtd.in (TODO): added missing TCP flags to DTD

2002-02-10  Vadim Kurland  <vadim@crocodile.org>

	* Compiler.hh: removed optimize() as a separate method. Will
	implement optimizations (if any) in the compile() method

	* IPAddress.cc (operator+): bugfix: to do arithmetics on addresses
	I need to convert to host byteorder

2002-02-07  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc:
	* Management.hh (class PolicyInstallScript): Added PolicyInstallScript under
	Management.

2002-02-06  Vadim Kurland  <vadim@crocodile.org>

	* Service.hh (class Service): added virtual method getProtocolNumber()

	* fwbuilder.dtd.in: 
	* Rule.cc (setAction):
	added standard actions "Scrub","Return","Skip","Continue"

	* PolicyCompiler.hh: minor parameter type changes
	
	* IPAddress.cc (getLength): added method Netmask::getLength
	(returns length of the netmask counting bits set to '1' from left
	to right)

	* FWOptions.hh (class FirewallOptions): removed method isDefault
	(to move knowledge of particular firewall platform parameters from
	API to the GUI)

2002-02-05  Vadim Zaliva  <lord@crocodile.org>

	* ManifestFile.txt: Manifest file format draft.

	* manifest.cc: 
	* manifest.cc: Simple class to work with Manifest files.

2002-02-05  Vadim Kurland  <vadim@crocodile.org>

	* Interval.hh (class Interval): 
	* Service.hh (class Service):
	* Address.hh (class Address): added method bool isAny() to
	classes Address, Service, Interval

2002-02-04  Vadim Kurland  <vadim@crocodile.org>

	* AddressRange.hh (class AddressRange): derived AddressRange
	from Address
	
	* Address.hh (class Address): added class Address - a base class
	for all other classes that can have an address and netmask and can
	be children objects of RuleElementSrc,RuleElementDst and other rule
	elements holding addresses.

	* RuleElement.hh (libfwbuilder): added method getFirst to all
	classes derived from RuleElement. This method returns pointer to
	the first child object; the pointer has an appropriate type.

2002-02-03  Vadim Kurland  <vadim@crocodile.org>

	* Policy.hh (class Policy): 
	* NAT.hh (class NAT): added wrapper methods that return PolicyRule*
	and NATRule* respectively for proper typization

	* Rule.hh (class PolicyRule): added methods getAction, setAction,
	getDirection, setDirection and enum types for action and direction

	* FWObjectDatabase.cc (FWObjectDatabase): added copying constructor

	* Rule.cc (PolicyRule): PolicyRule and NATRule now create their
	children objects in constructor. I also got rid of getElements and
	other methods which worked with set of rule elements and their
	names.  This is now done in the GUI. Also added methods with
	proper typization to classes PolicyRule and NATRule to provide a
	way to access individual rule elements (methods getSrc(), getDst()
	etc)


2002-02-03  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc: 
	* Management.hh: Enabled attribute management.

	* fwbuilder.dtd.in: added 'enabled' attribute to SNMP
	and FWBD management elements.
	(PolicyInstallElement): added

2002-02-02  Vadim Kurland  <vadim@crocodile.org>

	* Firewall.cc (Firewall): adding FirewallOptions, Policy, NAT
	in constructor

	* Host.cc (Host): adding HostOptions in constructor

	* FWIntervalReference.hh (class FWIntervalReference): removed
	constructor FWIntervalReference(FWObject *)

	* FWServiceReference.hh (class FWServiceReference): removed
	constructor FWServiceReference(Service *)

	* FWObjectReference.hh (class FWObjectReference): removed constructor
	FWObjectReference(FWObject *)

	* FWReference.hh (class FWReference): removed constructor 
	FWReference(FWObject *)

	* FWObject.cc (FWObject): added constructor 
	FWObject(const FWObject	*root) to class FWObject and all 
	derived classes. Parameter 'root' is a pointer at the root 
	object of the tree we are going to add newly created object to.
	

2002-01-30  Vadim Kurland  <vadim@crocodile.org>

	* Compiler.hh: reorganization of classes in order to accommodate
	both PolicyCompiler and NATCompiler and provide better typization

2002-01-29  Vadim Kurland  <vadim@crocodile.org>

	* PolicyCompiler.hh: moved some methods from class Compiler
	to class PolicyCompiler

	* ObjectGroup.cc (validateChild): ObjectGroup::validate now
	permits adding reference to Interface 

	* ObjectGroup.cc (validateChild) and ServiceGroup.cc (validateChild): 
	using class::cast for type instead of hardcoded	type names
	
2002-01-26  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (getFingerprint): introduced method to get
	public key fingerprint.

	* Management.cc (fromXML, toXML, removePublicKey): 
	* fwbuilder.dtd.in: PublicKey element is now optional.

	* XMLTools.cc (setDTD): reporting validation errors to user.

	* FWObject.cc (fromXML): setting 'failed_element' exception 
	property.

2002-01-25  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc (isEmpty): bugfix.

	* FWObject.cc (getFirstByType): getFirstByType and getByType methods are now
	constant.

2002-01-24  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc (duplicate): duplicate methods added to all management classes.

	* FWObject.cc (duplicate): 
	* Network.cc (duplicate): 
	* AddressRange.cc (duplicate): New duplicate/operator= coupling.
	Now operator= uses duplicate and only duplicate needs to be overloaded.
	Also, duplicate takes second parameter: 'preserve_id'.

2002-01-23  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: updated autoupgrade transformation, now
	it adds subelement Management to Host and Firewall elements and
	moves snmp community attributes to Management/SNMPManagement

2002-01-23  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (FWObject*>): now FWObject and all its subclasses
	toXML/fromXML methods can throw FWException.

	* fwbuilder.dtd.in: added Management element under Host, Firewall,
	Gateway.

2002-01-22  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: changes to work with Solaris gethostbyaddr_r

2002-01-21  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (getHostByName): when gethostbyname_r is not present,
	simple gethostbyname is used. This is fix for FreeBSD where they
	do not have currently thread safe gethostbyname. In this case all
	host resolution will be serialized and while it works it could be quite
	slow. This will especially affect SNMP crawler.

2002-01-19  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (asString): increased number of pkcs#12 iterations.

	* XMLTools.cc (convert): reporting what transformation failed.

2002-01-18  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (unbase64): convenience function doing base64 decoding.

	* crypto.cc (asString): use base64 encoding for PKCS#12 data.
	(KeyAndCert): base64 decoding of PKCS#12 data.

	* XMLTools.cc (quote_linefeeds): add linefeed for readability

2002-01-17  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: set version to 0.10.5

	* fwbuilder.dtd.in : added element AddressRange

	* AddressRange.hh (class AddressRange): added class AddressRange

2002-01-16  Vadim Zaliva  <lord@crocodile.org>

	* libfwbuilder-config.in (ord_libs): added libfwbd

2002-01-16 Vadim Kurland <vadim@crocodile.org>

	* configure.in: added filters to remove '-I/usr/include' from
	various variables from which CFLAGS is composed in the end
	Still have one more instance left (comes from checks for resolv.h)

2002-01-16  Vadim Zaliva  <lord@crocodile.org>

	* crypto.hh (class KeyAndCert): PKCS12 support. Minor error handling
	cleanup.

2002-01-15  Vadim Zaliva  <lord@crocodile.org>

	* FWException.hh (class FWException): toString() is const method.

2002-01-14  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: Certificate generation code (ctor)

2002-01-13  Vadim Kurland  <vadim@crocodile.org>

	* FWObject.hh (createRef): streamlined code in createRef virtual
	method

2002-01-12  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: certificates management code

	* RuleElement.cc: Service-related methods return values and parameters 
	types are now more specialized.

	* FWServiceReference.cc (setPointer): more specialized parameter.

	* ServiceGroup.cc (createRef): return value and parameters types
	are now more specialized (this turned out to be wrong change --vk).

	* Service.hh: added base class for TCP, UDP, ICMP, IP and Custom services.

	* FWObject.hh (libfwbuilder): added FWObject::constcast()

2002-01-11  Vadim Kurland  <vadim@crocodile.org>

	* Interface.hh (class Interface): added methods getAddress and
	getNetmask

	* Host.hh (class Host): added methods getAddress and getNetmask

	* Makefile.in: added directories and basic classes for compiler
	framework

2002-01-11  Vadim Zaliva  <lord@crocodile.org>

	* crypto.hh: misc classes for keys/certificates management.

2002-01-09  Vadim Zaliva  <lord@crocodile.org>

	* fwbd.c (load_certificates): 
	* fwbdclient.c (main): manual certificate loading.

2002-01-08  Vadim Kurland  <vadim@crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): added number of
	methods for address arithmetics and other manipulations with 
	addresses, netmasks and ip networks

2002-01-07  Vadim Zaliva  <lord@crocodile.org>

	* fwbdclient.c (main): quote command implemented

	* fwbd.c (send_protocol_line): sending protocol lines

2002-01-06  Vadim Zaliva  <lord@crocodile.org>

	* fwbdclient.c: connection establishment, command parsing.

	* configure.in: libreadline detection for fwbdclient.

2001-12-29  Vadim Zaliva  <lord@crocodile.org>

	* version 0.10.4 released
	
2001-12-28  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (findAllReferences): optimized findAllReferences method.

2001-12-27  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (setDTD): fixed bug #497234 - crashing on upgrade conversion.

	* ThreadTools.hh:
	* ThreadTools.cc: ability to restart TimeoutCounter.

2001-12-20  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (findAllReferences): method to find all references
	to given object.

	* XMLTools.cc (setDTD): validating document after DTD is set.
	(bug #495276)

2001-12-19  Vadim Zaliva  <lord@crocodile.org>

	* src/fwbuilder sources moved to src/fwbuilder directory. Including all
	our files with "fwbuilder/" prefix.

	* Rule.cc (toXML): 
	* Host.cc (toXML): 
	* Firewall.cc (toXML): Forming common object XML part at one place.

	* FWObject.cc (fromXML): preserving linefeeds in comments

2001-12-17  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (dump): 
	* XMLTools.cc (loadFile): 
	* FWException.hh: 
	* FWObject.hh: 
	* configure.in: 
	* Constants.hh: g++3 compilation.

	* snmp.cc (run_impl): ignoring networks with netmask 255.255.255.255 and
	ones belonging to p2p interface found in crawl.

2001-12-16  Vadim Zaliva  <lord@crocodile.org>

	* Integration of first part of win32 port by
	Igor Morozov <igor@grad.kiev.ua>

2001-12-10  Vadim Kurland  <vadim@crocodile.org>

	* Host.cc (toXML): added virtual method toXML to the class Host
	to fix bug #491279
	
	* set version to 0.10.3

2001-12-05  Vadim Kurland  <vadim@crocodile.org>

	* Host.cc (setDefaults): added support for HostOptions and
	defaults

	* FWOptions.hh (class HostOptions): added class HostOptions

	* configure.in: set version number to 0.10.2

2001-11-28  Vadim Kurland  <vadim@crocodile.org>

	* version 0.10.1 released

2001-11-25  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: 
	* libfwbuilder-config.h.in: 
	* XMLTools.cc: check for libxslt/xsltconfig.h

2001-11-23  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: transformation adds FirewallOption/Option
	named "accept_established"

2001-11-18  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in (TODO): changed attribute name "alias" -> "label"
	made it specific to Interface only

2001-11-16  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: autoupgrade transformation changes attribute
	"ext" to "security_level" and adds element Interface to Host

	* Interface.cc (setSecurityZone): added attribute "security_level"
	to element Interface and support for it in the class Interface

	* FWObject.cc (setAlias): added attribute "alias" and support for
	it in the class FWObject

2001-11-15  Vadim Kurland  <vadim@crocodile.org>

	* InterfacePolicy.cc: added comment to InterfacePolicy

2001-11-12  Vadim Kurland  <vadim@crocodile.org>

	* Interface.cc (Interface): added processing for physAddress

	* fwbuilder.dtd.in (TODO): added attribute "physAddress" to
	element Interface

	* set package version to 0.10.1 and SO_VERSION to 1.0.0

2001-11-11  Vadim Kurland  <vadim@crocodile.org>

	* Network.cc (duplicate): added virtual method duplicate. This is
	needed because class Network stores address and netmask not in
	the dictionary "data" and FWObject::duplicate does not copy them

	* libfwbuilder.spec.in (Obsoletes): added call to libtoolize per
	bug  #480081

	* migration/Makefile.in: per bug #480656 added missing 
	transformations
	
2001-10-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc: removed recursive iterators - unused code.

2001-10-19  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchRoutingTable): crawler detects "external" interface
	by "default" route.

2001-10-04  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in: added attribute ID to FWObjectDatabase

2001-09-21  Vadim Zaliva  <lord@crocodile.org>
	
	* configure.in: checking for ucd-snmp patched
	by mandrake (in Mandrake Linux 8.1)

	* snmp.cc: buffer override safe ucd-snmp interface

2001-09-28  Vadim Kurland  <vadim@crocodile.org>

	* RuleElement.cc (addRef): added virtual removeRef and addRef
	which add and remove appropriate "any" if rule element is empty

2001-09-24  Vadim Kurland  <vadim@crocodile.org>

	* FWObject.cc (getFirstByType): bugfix
	(removeAllInstances): applied changes by vz

2001-09-22  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in: added "install_lib" Makefile target

	* libfwbuilder-config.in (prefix): added option "staticlibs"

	* FWObject.cc: removeAllInstances and removeAllReferences 
	reimplemented using for_each and find_if

	* FWObject.hh (FWObject*>): added removeAllReferences method

2001-09-21  Vadim Zaliva  <lord@crocodile.org>

	* using namespace 'libfwbuilder'.

2001-09-20  Vadim Kurland  <vadim@crocodile.org>

	* Rule.cc (fromXML): fixed bug #451490: added xslt code to
	upgrade transformations, removed old code from Rule.cc

2001-09-20  Vadim Zaliva  <lord@crocodile.org>

	* Constants.cc: 
	* Constants.hh: Class holding library constants

	* XMLTools.hh (class XMLTools): possibility to pass version number
	while loading file.

2001-09-19  Vadim Zaliva  <lord@crocodile.org>

	* libfwbuilder-config.h.in: prefix macros with LIBFWBUILDER_

2001-09-19  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in (all): added script libfwbuilder-config
	moved data migration script from fwbuilder

2001-09-18  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (SOURCES): dns, snmp and HostsFile moved
	here from fwbuilder.

	* BackgroundOp.hh (Object): moved here from 'fwbuilder' module.
	monitor_operation() is now public.

	* configure.in: Added check for libsigc++, removed
	PIXMAPS variables.

2001-09-17  Vadim Zaliva  <lord@crocodile.org>

	* Pool.hh: moved from GUI.

	* SyncQueue.hh (class SyncQueue): SyncQueue moved
	to separate header file.
	(class SyncQueue): added shutdown mechanism to queue.

	* libfwbuilder.spec.in (Group): changed group to
	'System Environment/Libraries'

2001-09-17  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in (LTCXXLINK): using libtool for API library

2001-09-17  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh: 
	* FWObject.cc: Internal code brush-up. Removed NULL pointer
	checks in children list. Use stl algorithms wherever it is possible.

2001-09-16  Vadim Kurland  <vadim@crocodile.org>

	* OptionsDlg.cc and many other dialogs: corrected buttons size and
	layout

	* InterfaceDialog.cc (InterfaceDialog): added support for "delete"
	event

	* OptionsDlg.cc (OptionsDlg): redesigned Options dialog using
	two-pane window with options represented in a tree-like view

	* BuiltinDialog.hh (setLibrary): BuiltinDialog now remembers
	the name of the tree the object it shows belongs to.

	* OptionsDlg.cc (OptionsDlg): added GUI elements to support
	ObjectTree view modes "Split" and "Combined"

	* FWObjectBook.cc (build): implemented ObjectTree view modes:
	"Split" mode shows libraries in separate trees,
	"Combined" mode shows all libraries in one combined tree

	* ObjectTree.cc (ObjectTree): ObjectTree can now filter objects
	by their attribute "library"

	* main_window.cc (main_window()): now using FWObjectBook
	instead of the tree

	* FWObjectBook.cc (FWObjectBook): added class FWObjectBook - 
	a collection of many object tree widgets. This widget is used
	to show objects from different libraries in different pages

2001-09-14  Vadim Zaliva  <lord@crocodile.org>

	* api/ moved doc++ comments from .cc to .hh files

	* dns.cc (DNS_bulkBackResolve_Thread): using our Cond and Mutex
	classes instead of GCond and GMutex.

	* ThreadTools.hh (class Cond): Conditional Variable implemented.
	(_Tp>): Synchronized Queue implemented.

2001-09-13  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (special): ignore 0.0.0.0/* networks.
	(run_impl): timestamps for start/end of scan.

	* FWObject.cc (fromXML): library attribute and
	access methods added.

	* fwbuilder.dtd.in (TODO): added 'library' attribute
	to list of standard object's attributes.

2001-09-12  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchInterfaces): reading operational and admin
	status of interface.
	(run_impl): ignoring routes which use interface which
	is currently down.
	(guessInterface): guessing interface for routes where it is
	not specified.

	* Interface.hh (class Interface): added operational
	status attribute.

2001-09-12  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP51Dialog.cc (DiscoveryDruidP51Dialog): changed
	checkboxes to make their meaning consistent

	* main_window.hh (Window): moved bunch of methods from ObjectTree
	to main_window

2001-09-11  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchInterfaces): rewrite of interface fetch code
	to work around a bug observed in the following SNMP implementation:
	IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7), RELEASE SOFTWARE (fc1)
	with uptime of 338 days.

2001-09-10  Vadim Kurland  <vadim@crocodile.org>

	* main_window_menu.cc (build_menu): renamed menu item for the
	network discovery Druid

	* DiscoveryDruidP70Dialog.cc (fillListOfNetworks): all the
	networks and hosts in the list of nodes discovered by druid or DNS
	import are now checked by default

	* DiscoveryDruidP65Dialog.cc (execute): added checkbox to the
	object discovery druid page: "Avoid point-to-point links"

	* All dialogs: removed large icon in all dialogs. All dialogs have
	been adjusted to look nice in different screen resolutions

	* main_window2.cc : setting main window size depending on the
	screen dimensions

2001-09-10  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): task #36517: added option controlling
	whether to try to crawl to the other side of
	point-to-point routes.
	(point2point): detecting point-to-point routes
	using interface information.

	* IPAddress.hh (class IPNetwork): method for getting
	broadcast address of network.

	* snmp.cc (fetchRoutingTable): fetching interface
	and gateway information.
	(run_impl): task #37813 - adding route gateway
	as crawler input.
	(run_impl): task #36520 - skipping interface broadcasts found
	in routing table from crawler output.

2001-09-09  Vadim Zaliva  <lord@crocodile.org>

	* IPAddress.hh (class IPRoute): interface and gateway
	fields added.

2001-09-08  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in (TODO): Added object Gateway to DTD. 
	Added HostOptions to Host.

	* FirewallDialog.cc (FirewallDialog): new iptables option: "Accept
	established TCP sessions after firewall restart". This option is
	ON by default. Autoupgrade transformation adds this option to
	existing firewalls.


2001-09-06  Vadim Kurland  <vadim@crocodile.org>

	* PolicyListElement.cc (PolicyListRuleOpt): Rule element "Options"
	now shows logging icon and options icon. "Log" rule element can
	now be retired. Without "Log" column policy list is more clean and
	compact, especially for Interface policies

	* FindDialog.cc (on_find_clicked): using OptionMenuWidget;
	implemented partial match search

	* OptionMenuWidget.cc (on_menu_selection_changed): OptionMenuWidget
	keeps track of the menu state and generates signal "changed" only
	when menu choice actually changed

2001-09-05  Vadim Kurland  <vadim@crocodile.org>

	* ObjectTree.cc: newly created object can now be deleted without
	saving

	* DialogPlugin.hh: added methods which load and save data from
	groups of dialog widgets

	* ObjectTree.cc (on_delobj): added "Delete" menu item

2001-09-04  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc: FirewallDialog now calls setDefaults method
	of the firewall object to set default values for all
	platform-specific firewall parameters and OS-specific network
	parameters

	* Firewall.hh (class Firewall): added doc++ comments to some methods

2001-09-03  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: dynamic link with libxml2 and libxslt.

	* snmp.cc (run_impl): task #36519 - ignoring IPs on loopback.

	* IPAddress.hh (class IPNetwork): added isBroadcast() and isMulticast()
	methods.

2001-09-02  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): further fixes for bug
	#455794

	* iptables.c (prologue): Implemented support for various kernel
	parameters 

	* FirewallDialog.cc (on_host_os_changed): Implemented host OS support
	for Firewall Object

2001-08-28  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (printARPEntryCommands): improved code which generates
	commands to add ARP entries for static NAT. Now it adds ARP entries
	for SNAT translations using "other" IP addresses

2001-08-27  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): fixed bug #455794 (wrong
	code generated for the loopback interface policy rule with src and
	dst being firewall object)

2001-08-26  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc (wrk2dlg): added "Load modules" checkbox
	back to the Firewall Dialog "iptables" tab. Also added an option
	for setting up PATH environment variable in iptables script
	
2001-08-25  Vadim Kurland  <vadim@crocodile.org>

	* nat.c (printNatRule): fixed bug 449638 (port mapping in DNAT rules)

	* iptables.c (parseOptions): fixed bugs 448693 and 453966 (setting
	rule options did not generate any code in iptables script)

	* FindDialog.cc: Implemented "Find" feature

2001-08-24  Vadim Kurland  <vadim@crocodile.org>

	* PolicyListItem.cc (paint): fixed bug 449133 (GUI was hanging if
	very long word was entered in the comment field in the policy)

	* PolicyListElement.cc (add_item_to_policy): fixed bug 454812 (GUI
	used to allow duplicates in policy rule elements)

2001-08-19  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: Checking for /usr/include/bind
	and libbind_r.a.

2001-08-18  Vadim Zaliva  <lord@crocodile.org>

	* Makefile (install): if doc++ present, generates
	API class reference and installs it under DOCDIR/classref.

	* configure.in: checking for doc++ presence.

2001-08-14  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): renamed variable 'nsaddr' to avoid
	name clash with macro in older versions of 'bind'.


2001-08-05  Vadim Zaliva  <lord@crocodile.org>

	* Merger 0.9.4 branch into main trunk.

2001-08-05  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc: fixed bug #448130 where project did
	not link because of the missing method in class
	DiscoveryDruidP65Dialog if compiled without support for SNMP

	* NetworkDialog.cc (dlg2wrk): fixed bug #448213 where netmask
	could not be set in NetworkDialog

2001-08-04  Vadim Zaliva  <lord@crocodile.org>

	* CodingConventions.txt: Proposed project coding conventions
	document.

	* FWObject.hh: 
	* DialogFactory.hh: 
	* BuiltinDialog.cc (BuiltinDialog): 
	* DialogFactory.cc (class DefaultDialogFactory): removing 
	GUI dependencies from data layer. Switching from 
	Factory Method to AbstractFactory pattern for
	dialog creation.

2001-08-04  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc (on_save_to_file_clicked): added
	ability to save network scan log to a file

2001-08-03  Vadim Zaliva  <lord@crocodile.org>

	* api/: starting work on API.

2001-08-02  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (processTime): time matching support implemented in
	iptables policy compiler (requires patch from patch-o-matic)

2001-07-30  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c: added support for drop-table
	(requires patch-o-matic)
	
	* iptables.c (processSrv): added support for ipv4options patch
	(requires patch-o-matic)
	
	* nat.c (processNATRule): added support for NETMAP target (requires
	patch from patch-o-matic)

	* iptables.c (prologue): corrected script to take into account
	different path to arp and route in different distributions

2001-07-29  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): added recognition of
	broadcast addresses. If destination object in the rule is
	broadcast, compiler should generate code into INPUT chain

	* CustomService.hh (class CustomService): added class CustomService

	* iptables.c (processSrv): added support for CustomService in
	iptables compiler

	* set version to 0.9.4

	* added autoupgrade xslt transformations for upgrade 0.9.3->0.9.4
	
2001-07-24  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (printARPEntryCommands): now we can manage static ARP
	entries and associated routes needed for DNAT translations via
	Firewall Builder

2001-07-22  Vadim Kurland  <vadim@crocodile.org>

	* NetworkDialog.cc (NetworkDialog): switched to IPAddresswidget for
	address and netmask

	* HostDialog.cc, FirewallDialog.cc: switched to IPAddressWidget
	for address

2001-07-21  Vadim Kurland  <vadim@crocodile.org>

	* PolicyList.cc (on_button_release_event): free space in the policy
	or NAT view is now clickable: right mouse button click brings 
	pop-up menu with options for adding new rules at the top or bottom
	of the policy
	
	* OptionsDlg.cc (run): added UI parameters "Autosave" - if true,
	data in all dialogs is automatically saved when user switches
	between objects

2001-07-20  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processPolicyERule): compiler now correctly processes
	case where firewall object used in both src and dst in the policy
	rule
	(rulePrologue): now using separate temporary chains for INPUT,OUTPUT
	and FORWARD in rules with negation.
	(optimisePolicyRules): improved rule optimiser

2001-07-19  Vadim Zaliva  <lord@crocodile.org>

	* BackgroundOp.hh (class Logger): added 'start' and 'end' manipulators
	to lock synchronized output.

	* dns.cc (DNS_bulkBackResolve_Thread): synchronized output from several
	resolver threads.

2001-07-19  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (parseOptions): added rule option "stateless" - now
	user can mark certain rules as not requiring stateful
	inspection. This feature, if used properly, can improve
	performance without compromising security

	* RuleOptionsDialog.cc (RuleOptionsDialog): added checkbox for
	rule option "stateless"

2001-07-18  Vadim Zaliva  <lord@crocodile.org>

	* HostsFile.cc (parse): skipping IPv6 addresses
	* IPAddress.cc (operator=): detecting IPv6 addresses.

2001-07-17  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processPolicyERule): fixed bug #441979 in iptables
	compiler (Iface rules wrong when direction both)


2001-07-17  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): Distinguishing point-to-point routes
	and adding them as hosts, rather as networks.

	* dns.hh (class DNS_findA_query): Handling multiple PTR records.

2001-07-16  Vadim Zaliva  <lord@crocodile.org>

	* HostsFile.cc (parse): More decent parser, handling
	empty lines, end of line comments and multiple hosts aliases.

2001-07-15  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP05Dialog.cc (DiscoveryDruidP05Dialog): Now option
	"Perform network scan using SNMP queries" will be disabled, and 
	explanatory text added, if program is compiled with no SNMP support

2001-07-14  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: implemented getHostByAddress with DNS timeout.

2001-07-14  Vadim Kurland  <vadim@crocodile.org>

	* nat.c (processNATRule): support for REDIRECT in iptables

2001-07-13  Vadim Kurland  <vadim@crocodile.org>

	* snmp.cc (init): added parameters for dns timeout
	(isvirtual): bugfix in virtual address detection method

	* TableOfObjects.cc (addObject): If object has multiple names in DNS, 
	this widget will show all of them in combo box

	* FilterDialog.cc (FilterDialog): Now can filter by address and name

2001-07-13  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): optionally resolve found hosts.
	(isvirtual): detection and removal of virtual IPs.

	* snmp.hh (class CrawlerFind): return DNS info if available.

	* dns.cc (run_impl): Multi-threaded back-resolving
	implemented.

	* Pool.hh (Pool): tiny memory leak corrected.

2001-07-12  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP70Dialog.cc (on_filter_clicked): now user can
	apply filter to objects found by crawler

2001-07-11  Vadim Kurland  <vadim@crocodile.org>

	* fwcompiler.c (cmpTriplet): fixed bug #440557
	* iptables.c (prologue): now setting default policy before flushing
	all chains
	* iptables.c (processSrv): fixed bug #440390 

2001-07-10  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP70Dialog.hh (class DiscoveryDruidP70Dialog):
	one more page to DiscoveryDruid (picking objects discovered by
	SNMP crawler)

2001-07-10  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchRoutingTable): discovering
	networks from network host routing table.

2001-07-09  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc: using pool for
	SNMPCrawler operations. Now it is safe to interrupt crawler in
	the middle of the process

2001-07-08  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP50Dialog.cc (DiscoveryDruidP50Dialog): 
	* DiscoveryDruidP53Dialog.cc (DiscoveryDruidP53Dialog): 
	* DiscoveryDruidP65Dialog.cc (DiscoveryDruidP65Dialog): 
		GUI for SNMP crawler
	
2001-07-08  Vadim Zaliva  <lord@crocodile.org>

	* dns.hh (class DNS_bulkBackResolve_query): operation
	for groups of IPs.

	* dns.cc (getHostByAddr): method added

	* snmp.cc
	* snmp.hh (class SNMPCrawler): retries, timeout, community
	parameters added.

2001-07-07  Vadim Kurland  <vadim@crocodile.org>

	* ListOfIcons.cc (addObject): fixed bug: pop-up menu in group view
	now correctly activates "Open", "Copy" and "Cut" items

	* ObjectTree.cc (on_button_release_event): fixed bug: gui crashed
	after "Help me build policy" Druid if Policy or NAT were showing in
	the right pane of the main window (Support request #437759)


2001-07-06  Vadim Kurland  <vadim@crocodile.org>

	* InterfaceDialog.cc (on_addr_focus_out_event): fixed bug: gui crashed
	if user hit TAB on empty "Address" field

2001-07-06  Vadim Zaliva  <lord@crocodile.org>

	* FirewallDialog.cc: 
	* snmp.cc: 
	* snmp.hh: 
	* config.h.in:
	* configure.in: better check for libsnmp

2001-06-28  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh:
	* snmp.cc (run_impl): implemented simple single threaded
	SNMP crawler.

2001-06-26  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_feedback_activate): menu item "Feedback" added

	* GenericBackgroundOpDialog.hh (Window): class SNMPOpDialog renamed
	to GenericBackgroundOpDialog

2001-06-20  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc (addOptionsMenu): Now using OptionsMenu widget
	where appropriate

2001-06-18  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_release_notes_activate): open Release Notes
	in the default browser configured for "file://" URLs. Now we have
	choice : we can use our own mini browser MiniBrowserDialog or
	standard URL display program configured in system Gnome
	preferences

	* MiniBrowserDialog.hh (class MiniBrowserDialog): mini-browser dialog
	using HTMLViewer widget

	* htmlviewer.cc (HTMLViewer): primitive gtk-- wrapper widget for
	gtk-xmhtml widget. This widget will be used to show ReleaseNotes
	etc.

2001-06-17  Vadim Kurland  <vadim@crocodile.org>

	* BuiltinDialog.cc (BuiltinDialog): GUI now does not permit
	creation of objects with empty names. Some logic cleanup in
	"Apply"/"Undo" functions

2001-06-17  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): timeout check in findA() methods.

	* XMLTools.cc (saveFile): ident XML files on save.

2001-06-14  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: Checking for actual presence of static version
	of libresolv.a, if not found - try dynamic.

2001-06-13  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_install): support for optional policy install
	script added

2001-06-11  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: unconditionally link with libresolv.a

2001-06-11  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruid.cc (on_prepare): implemented GUI for importing
	hosts from DNS zone

	* iptables/iptables.c (parseOptions): bug 429427 fixed (garbage
	after the end of rule action) 
	* iptables/nat.c: bug 426874 fixed (implemented NAT on firewalls
	with dynamic address on external interface)
	* iptables/iptables.c: bug 424440 fixed (added correct clean-up code
	on top of iptables script to remove all "old" rules in all
	chains)

	* iptables/nat.c: bug 422345 fixed (implemented support for
	negations in NAT, in particular negated original dest.)

	* iptables/nat.c: bug 424435 fixed (implemented negation in NAT)
	

2001-06-09  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (parseOptions): fixed bug 431705 - log options
	  and logging limits processing in iptables compiler

	* DiscoveryDruid.cc (on_next): Objects Discovery Druid class

	* DiscoveryDruidP40Dialog.cc (newObject): reads hosts(5) file and
	  creates objects
	

2001-06-08  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in: bulk compilation of all GLADE-generated
	sources to decrease build time.

	* HostsFile.hh:
	* HostsFile.cc: hosts(5) file parser

2001-06-07  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: Made background operations of getNS()
	and findA() operations.

	* config.h.in: 
	* configure.in: checking for functions from bind8
	api.

	* dns.cc: code cleanup. works with bind8
	on Linux.
	(HAVE_BIND8): conditional compilation
	to compile on systems without proper
	bind libraries.

2001-06-06  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): first working version
	* configure.in: checking for libbind_r.a

2001-06-04  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh: 
	* snmp.cc: 
	* FirewallDialog.cc (on_snmp_get_released): Using SNMP
	timeout and retries from preferences.

2001-05-30  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: libresolv detection

2001-05-29  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (getHostByName): using gethostbyname_r
	with 5 (solaris) or six (linux) parameters.

	* configure.in: detecting arity of gethostbyname_r

	* dns.hh: DNS lookup wrapper interface.
	* dns.cc: DNS lookup wrapper implementation for Linux.

2001-05-23  Vadim Zaliva  <lord@crocodile.org>

	* main_window_menu.cc (build_menu): 
	* main_window.cc (on_tools_scan): Added Tools menu with
	Scan submenu.

2001-05-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* BackgroundOp.cc: background op. classes redesign

2001-05-18  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): 
	(run_impl): handling problem with present, but
	not configured interfaces.

	* snmp.hh (run_impl): 
	* FirewallDialog.cc (on_snmp_get_released): 
	(on_snmp_get_descr_released): 
	Running SNMP queries in background, without
	GUI freeze.

2001-05-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ListOfIcons.cc (addObject): fixed bug #425023 

2001-05-17  Vadim Kurland  <vadim@voyager.crocodile.org>

	* OptionsDlg.cc (OptionsDlg): removed snmpget and snmpwalk paths
	parameters

2001-05-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem.cc (PolicyListObjectItem): translated
	source/dest/service now shows as "Original" if no translation is
	needed.


2001-05-15  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc: 
	* snmp.hh: 
	* FirewallDialog.cc (wrk2dlg): 

	* config.h.in: 
	* configure.in: detecting presence of ucd-snmp library

	* merger snmp-lib-integration branch.

2001-05-12  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (parseFile): detecting DTD validation
	errors during file load.

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.xslt: making sure attribute action is never 
	  empty in PolicyRule

2001-05-11  Vadim Zaliva  <lord@crocodile.org>

	* fwcompiler.c (main): using DTD when loading data file.

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.xslt (xmlns): transformation from 0.8.7 to 0.9.0:
	  fixed bug where InterfacePolicy objects created by this script
	  were duplicated

	* FirewallDialog.cc (on_snmp_get_released): now user doesn't have
	to press "Apply" before pulling information from the firewall via
	SNMP

2001-05-14  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc: getting interfaces information
	using snmp library.

2001-05-11  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh (class SNMPConnection): 
	* snmp.cc (class SNMPConnection): implemented simple
	C++ wrapper to ucd-snmp library.
	(run): getting system info using library.

	* configure.in: check for ucd-snmp library

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c (cmpObjects): now we recognize the case when "Host"
	object has the same address as "Firewall" object and can generate
	appropriate rules

2001-05-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* policy-text.xsl: implemented negation in policy printing

	* helpers.cc (checkObjectName): allowed ':' in object names

	* iptables.c : two bugfixes:
	  added  "iptables -N temp_rule_name"
	  corrected processing of SNAT rules where translated source is not
	  firewall.

2001-05-06  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid2.cc (generateRulesForHostProtection): fixed bug:
	  policy rules should not have direction, but druid used to insert
	  direction in "allow all outgoing connections" rule for host
	  protection firewall

2001-05-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (parseOptions): bugfix: "--reject-with tcp-reset"
	  requires "-p tcp"

2001-04-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (class FWObject): using 'vector' instead
	of 'list'.
	* FWObject.cc (sortChildren): sorting children by name.

2001-04-28  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in:
	* fwbuilder-packages:
	* fwbuilder.bts:
	* fwbuilder.appmap: Bug-Buddy 1.2 support

2001-04-27  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (uninstall): installing bug buddy data files

	* XMLTools.cc: '-' as output file name prints to stdout.

	* PrintDialog.cc (run): fixed bug with passing currently
	selected node to XSLT transformation.

2001-04-26  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (setDTD): 
	* FWObjectDatabase.cc (saveXML): 
	* PrintDialog.cc (run): do not use temporary files
	for printing.

2001-04-25  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (run): 
	* FWObjectDatabase.cc (saveFile): Print w/o saving file.
	(Task #30300)

2001-04-25  Vadim Kurland  <vadim@voyager.crocodile.org>

	* InterfacePolicy.cc: Added "Srv" to InterfacePolicy

	* Rule.cc (fromXML): now show warning dialog if general policy 
	  rule has interface or direction specified. Rule will be loaded
	  with interface and direction attributes erased.

	* fwcompiler.c (scan_Policy): now print error message and bail out
	  if general policy rule has interface or direction specified.

2001-04-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in : correct checking for paths for libxml2 and libxslt
	  Now configure will use dynamic libraries if static ones could
	  not be found

2001-04-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* policy-ascii.xsl (ref): plain ascii printing transformation

2001-04-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (processTCPorUDP): --tcp-flags and --syn are
	  now supported

	* FWObjectDatabase.xslt: fixed typo 
	  (line 130, was: UPD, should be: UDP)

	* FirewallDialog.cc (on_find_compiler_clicked): implemented
	  "browse" button callback for custom compiler lookup

	* resources.xml.in: ipchains is gone. Now it even won't show up in
	  platforms drop-down menu in FirewallDialog

2001-04-22  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: protected access to XML/XSLT
	library params with locks.

2001-04-21  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (run): XSLT specific code moved
	to XMLTools.cc. As result, XSLT error messages
	during print are caught and shown to user.

	* XMLTools.hh:
	* XMLTools.cc (transformDocument): complete XSLT/XML
	error interception.

2001-04-19  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (convert): intercepting conversion
	error messages and reporting them to the user.

2001-04-18  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (convert): comparing version numbers
	(loadFile): making backup copy of converted files.
	restoring from backup if conversion failed.
	(loadFile): showing confirmation dialog.

	* XMLTools.hh: 
	* XMLTools.hh: migrating data files on load using XSLT transformations.

	* fwbuilder.spec.in (Group): filters and migration dirs added.
	* Makefile.in (install): makefile added

2001-04-16  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (saveFile): 
	* Preferences.cc (savePrefs): 
	* FWObjectDatabase.cc (saveFile): 
	Consolidated XML files saving, with DTD/doctype
	handling into one place.

	* Makefile.in: installing/uninstalling
	preferences DTD.

	* XMLTools.cc (loadFile): 
	* Preferences.cc (loadPrefs): 
	* FWObjectDatabase.cc (load): 
	Consolidated XML files loading with version checking
	and validation into one place

	* fwbuilder_preferences.dtd.in: minor syntax tweaking

	* fwbuilder_prefs.xml.in: added DOCTYPE

	* fwbuilder_preferences.dtd.in: 
	* configure.in: setting preferences file version
	using autoconf.

	* FWObjectDatabase.cc (saveFile): do not specify
	full path to DTD when saving.

	* fwbuilder.cc (main): 
	* XMLTools.cc (fwbExternalEntityLoader): loading DTD files
	from template directory.

	* translate087preferences.xsl: initial version
	from Friedhelm Duesterhoeft.

	* translate087objects.xsl: new version 
	from Friedhelm Duesterhoeft.
	added NATRuleOptions
	added FirewallOptions
	added PolicyRuleOptions
	added fixed version 1.0 to FWObjectDatabase

	* fwbuilder_preferences.dtd: DTD for preferences
	file from Friedhelm Duesterhoeft.

	* main_window.cc (on_print_activate): passing id of
	currently selected node to print dialogue

	* PrintDialog.cc (PrintDialog): added controls allowing
	to choose between printing all tree and current object only.
	Passing ID of currently selected node to XSLT processor.

2001-04-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ICMPServiceDialog.cc (dlg2wrk): ICMP dialog now supports
	  "Any icmp type" and provides verbose ICMP types and codes names.
	  Support for "any icmp" tested with iptables compiler

	* fixes and improvements in fwbuilder.spec - incorporated patches
	  from Carlo Wood

2001-04-13  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Resources.cc (getResourceInt): added couple of convenient
	methods 
	* moved SmallIconsSize and LargeIconsSize from preferences
	to resources

2001-04-11  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (load): checking for version attribute.

	* XMLTools.cc (getXmlNodeByPath): moved all xml helpers to
	this class.

2001-04-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ObjectTree.cc (TreePopupMenu): added function "Duplicate" to 
	  menu "Edit" and popup menu in the tree

2001-04-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in: now statically linking with gtk--,
	  libxml2 and libxslt

2001-04-10  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (savePrefs): Printing preferences load/save.
	* fwbuilder_prefs.xml.in: added Printing preferences

2001-04-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.cc (saveFile): fixed file saving for libxml2

2001-04-09  Vadim Zaliva  <lord@crocodile.org>

	* Requirements: 
	* configure.in: 
	* Makefile.in (XSLT_CFLAGS): Added libxslt detection and
	usage.

	* configure.in: libxml2 detection

	* translate087objects.xsl: new delivery from Friedhelm Duesterhoeft.
	It conforms to DTD v1.40.

2001-04-08  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (depend): passing file names to 'makedepend'.
	* PrintDialog.cc (PrintDialog): added

2001-04-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid.cc (StandardRulesDruid): Druid redesigned. Now
	 druid offers different questions for three network configurations:
	 1. firewall protects local host
	 2. firewall protects only internal network
	 3. firewall protects internal network and DMZ

	* post-glade.pl: modifications to this script allow for incremental
	  compile after GUI changes made by glade

2001-04-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid.cc: druid corrected for new policy formats
	* New firewall option added: no_iochains_for_any. 
	
2001-04-06  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (parseOptions): implemented full support for firewall
	  options and policy rule options

2001-04-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c : now compiler generates separate chain for each
	  policy rule and implements logging and action in this
	  chain. Support for rule options has been implemented too.

	* fwbuilder.dtd : added comment to PolicyRule

	* iptables.c (processInterfacePolicyRule): now correctly processing
	  negation in source and destination in iptables compiler

2001-04-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.cc (main): fixed bug when exception thrown while
	loading preferences caused core dump

2001-04-01  Vadim Zaliva  <lord@crocodile.org>

	* Preferences.cc (loadPrefs): versioning of preferences file.

2001-04-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c: iptables compiler now takes into account cases when
	  firewall has multiple interfaces and cases when firewall's
	  interfaces have dynamic address

2001-03-29  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c Policy attached to firewall interface is now processed
	  before "main" firewall policy

	* iptables.c compiler generates code for chains INPUT and OUTPUT
	  if policy rule applies to the firewall object; otherwise it
	  generates code for the FORWARD chain
	
	
2001-03-25  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Implemented Scratch pad which works as a mirror of the main
	  objects tree. All dialogs edit object's copies in scratch pad,
	  which then gets copied back to the main object tree when user
	  clicks "Apply" button. This provides for "Undo" function in all
	  dialogs, including complex ones such as policy editing

	
2001-03-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ExecBgr.cc : background operations use exceptions to handle
	errors now. Many improvements have been made to error handling
	and more controls added.
	
2001-03-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* InterfacePolicy.cc (InterfacePolicy): class for policy attached
	to firewall interface

	* FirewallDialog.cc (showInterfacePolicy): FirewallDialog now
	shows and allows to edit policy attached to firewall interfaces

2001-03-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem.cc (PolicyListObjectItem): first attempt at
	  showing objects properties in a pop-up window (using tooltips
	  for now) when mouse is over the object's icon in policy

	* Now using glade-- v0.5.11f (current cvs checkout). This fixed
	  problem with radio buttons in OptionsDialog

2001-03-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd (NATRule): added attribute "disabled"

2001-03-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd (Host, Firewall): netmask is gone

2001-03-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWIntervalReference.hh (class FWIntervalReference): yet another
	type of reference

2001-03-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd (): added %STD_ATTRIBUTES to NAT and Policy
	  created element Option
	  added attribute "dyn" to Interface

	* FirewallOptions.cc (fromXML):  now we store firewall
	 platform-specific options in class FirewallOptions instead of
	 Firewall

2001-03-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWData.hh: this class is used to store "options" data for policy
	and NAT rules and firewall objects

	* RuleElement.cc (RuleElement): all specific rule elements are now
	  inherited from RuleElement and corresponding Group (ObjectGroup,
	  ServiceGroup, IntervalGroup) using virtual inheritance


2001-03-14  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveFile): adding DOCTYPE to generated XML
	documents.

2001-03-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (dlg2wrk): "dynamic address" is now an option
	for interface, not firewall object

	* Interface.cc (Interface): added attribute "dynamic address"

2001-03-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* UDPService.hh (class    UDPService): class and file renamed

	* TCPService.hh (class    TCPService): class and file renamed

	* ICMPService.hh (class ICMPService): class and file renamed

	* IPService.hh (class IPService): class and file renamed

	* Host.hh (class Host): class and file renamed

	* Network.hh (class Network): class and file renamed

	* Firewall.hh (class Firewall): class and file renamed

	* Interval.hh (class Interval): class and file renamed

	* RuleElement.hh: new classes RuleElementSrc, RuleElementDst etc.

	* resources.xml.in: platforms and RuleElement descriptors added

	* Group.cc (setAnyElement): few methods added to Group. These methods
	support RuleElement and its descendants

2001-03-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* RuleSet.hh: new class. Policy and NAT are now derived from
	  RuleSet

2001-03-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Resources.cc (getPlatforms): created few new specialized methods
	in Resources

2001-03-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject.cc (validateChild): this virtual method checks child's
	type and prevents loops.

	* ServiceGroup.hh (class ServiceGroup): classes ServiceGroup,
	ObjectGroup and IntervalGroup created.

2001-03-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject.hh (FWObject*>): method bool isSystem() replaced old
	  Permissions.  Permissions completely eliminated.

	* Makefile.in (install): installs/uninstalls resources file

	* fwbuilder.cc (main): loading resources just before preferences

	* resources.xml: resources data moved from the old preferences
	  template file

	* Resources.hh (class Resources): class Resources created

2001-03-04  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveFile): setting DTD when saving file.

2001-03-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences.cc (getResource): handful of methods for resources
	manipulation. These methods will eventually move to a dedicated
	class Resources.

	* FWObject.cc (checkPermission): now permissions are stored in
	Preferences instead of the object itself. setPermissions method
	will be phased out soon. In the future permissions will move from
	Preferences to Resources.

	* FWObjectDatabase.hh (class FWObjectDatabase): fixed typo in
	definition of struct StandardObjects

2001-02-25  Vadim Zaliva  <lord@crocodile.org>

	* FWReference.cc: 'id' based implementation.

	* FWObject.hh (FWObject*>): getById getByType methods replacing
	old one: get().

2001-02-08  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (Firewall): Firewall has Address optional - it may
	not be defined in certain situations.  Added notion of interval
	groups. Reorganized 'Time' element content.

2001-02-07  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (PolicyRule): 'When' reference added to NAT, PolicyRule.

	* Makefile.in: AnyTime, AnyService classes removed.

2001-02-01  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: version 0.8.7

	* fwbuilder.dtd: this could be called first
	prototype of DTD which we will use in future.

2001-02-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c (main): static arrays eliminated in favor of
	GSList (from glib)

2001-01-31  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (GLIB_CFLAGS): need GLIB CFLAGS to compile fwbuilder.c

2001-01-29  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (TODO): typing of attributes.
	(TODO): compiler-specific options added.

2001-01-28  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (distclean): fwbuilder.spec removed.

	* fwbuilder.spec.in (Group): Credits and FAQ files added 
	to RPM.

	* Incorporated patch from
	Jeremy T. Bouse <undrgrid@toons.UnderGrid.net> to
	support libxml2.

2001-01-27  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd: major rework of DTD.

2001-01-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (processSNAT): implemented MASQUERADE versus SNAT support
	  for dynamic addresses

	* README.examples: minor corrections to the example description

2001-01-23  Vadim Zaliva  <lord@crocodile.org>

	* Preferences.cc (Preferences): corrected problem
	with not detecting problem when preferences
	file could not be written.

2001-01-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (on_snmp_get_descr_released): getting firewall
	  description, location and contact via SNMP
	  (wrk2dlg): storing parameters for ipfilter platform

	* snmp.cc (run): SNMP_sysdesc_query implemented

	* iptables.c (prologue): logging parameters implemented

2001-01-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallObject.cc (fromXML): loading platform-specific parameters

	* FirewallDialog.cc (FirewallDialog): fixed checkboxes alignment

2001-01-21  Vadim Zaliva  <lord@crocodile.org>

	* all xml files moved to etc. 

2001-01-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (wrk2dlg): new options for ipchains and iptables
	  platforms

	* StandardRulesDruid.cc (on_finish): automatic generation of
	"net_junk" rule disabled

	* FirewallDialog.cc (dlg2wrk): check address validity before we
	  save the data

	* iptables.c (prologue): code produced by this compiler works!

	* FirewallDialog.cc (wrk2dlg): additional parameters for iptables
	  firewalls

2001-01-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c: compiler produces code with no syntax errors

2001-01-20  Vadim Zaliva  <lord@crocodile.org>

	* listicons.sh: rewritten to shell/sed to avoid gawk.
	(for solaris).

2001-01-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in (TEMPLATE_DIR): fixed bug where bogus directory
	  path was stored in config.h during RPM build

	* fwbuilder.cc (main): fixed bug when we needed to report error
	  which happened while loading Preferences but MessageDialog in
	  turn needed Preferences to be already loaded.

2001-01-17  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (uninstall): uninstall target created

	* src/gui/main_window.cc (on_saveas1_activate): saveas does not
	erase current loaded object file name anymore, so we can figure
	out current working directory and open file selector dialog in
	that directory

	* src/gui/Preferences.cc (getWdir): this is how we choose working
	directory to load/store files and to pass as a parameter to
	compiler: We use directory set in preferences if there was no
	object file loaded yet, and directory where it was loaded from
	otherwise

	* src/gui/NATDialog.cc (NATDialog): fixed bug #128967 

2001-01-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* examples/README:       added example description file
	  examples/objects.xml:  example objects file
	
2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/PolicyListItem.cc (paint): long comment text line
	  folding implemented

2001-01-15  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/GroupDialog.cc (GroupDialog): compiler warning avoided.

	* src/gui/BackgroundOp.hh (Data ): run_impl is pure virtual now.
	* src/gui/Rule.cc: removed some debug output to stderr.

2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/PolicyListItem.cc (PolicyListCommentItem): class for Policy
	rule comment

2001-01-15  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/FWObjectDatabase.cc (load): better detection of
	invalid input file structure.

2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* changed #include <gnome-xml/parser.h> to #include <parser.h>
	everywhere to resolve build problem with libxml in unusual place
	
	* src/gui/HostObject.cc (HostObject): set default snmp read
	community to "public" as a widespread default value. If object has
	different community string, its value will be read from XML file and
	will override default.

	* src/gui/NetworkDialog.cc (on_obj_addr_focus_out_event): automatically
	sets suggested netmask based on network's IP address

	* src/gui/HostDialog.cc (dlg2wrk): now checks address syntax

	* src/gui/NetworkDialog.cc (dlg2wrk): now checks address and 
	netmask syntax

	* src/gui/helpers.cc (checkIPaddress): checks IP address validity
	                     (getNaturalNetmask): returns "natural" 
			     classful netmask for given IP address

2001-01-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in (FWB_MICRO_VERSION): set version to 0.8.6
	* configure.in :  Now we define version in configure.in

2001-01-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/MessageDialog.hh (class MessageDialog): added new dialog
	  type (error with message text and error code); also changed all
	  static dialog creation methods so they accept const string& as
	  parameters

	* added error dialogs everywhere

2001-01-09  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/main_window.cc: catch loading/saving errors.

	* src/gui/fwbuilder.cc (main): handling initial
	file loading errors.

	* src/gui/FWObjectDatabase.hh (class FWObjectDatabase): 
	* src/gui/FWObjectDatabase.cc: load/save methods
	now throw exceptions.

	* src/gui/fwbuilder.cc (main): handling load preferences
	error.

	* src/gui/OptionsDlg.cc (run): catching save error.

	* src/gui/Preferences.cc: throwing exceptions
	on save/load errors.

	* src/gui/FWException.cc: 
	* src/gui/FWException.hh: Base exception class.

2001-01-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/FWObject.cc (setDirty): method sets "dirty" flag for
	  the object and possibly its children.

	* src/gui/FWObject.cc (isDirty): method checks dirty flag for this
	  object and possibly its children

	* src/gui/FWObject.hh (FWObject*>): boolean flag "dirty" - 
	  indicates data has been modified. 

	* src/gui/FWObjectDatabase.cc (saveIfModified): this method checks
	  for unsaved data in the database and asks user whether they want
	  to save it
	
	* src/gui/FWObjectDatabase.cc (load): now checking for unsaved
	  data before loading

	* src/gui/MessageDialog.cc (MessageDialog): new dialog type: 
	  question dialog with three buttons - "Yes", "No", "Cancel"

	* src/gui/main_window.cc (destroy_handler): now checking for unsaved
	  data if main window gets destroyed

	* src/gui/FileSel.cc (FileSel): file selector dialog now opens
	  in the working directory 

	* src/gui/CompileDialog.cc (CompileDialog): passing working dir
	  parameter to compiler via command line ( "-d" )

	* src/gui/OptionsDlg.cc (OptionsDlg): "Working directory" option
	  added to Options dialog

2001-01-08  Vadim Zaliva  <lord@crocodile.org>

	* src/compiler-framework/fwcompiler.c (main): -d option added.

	* src/gui/main_window.cc (on_compile): 
	* src/gui/CompileDialog.hh (class CompileDialog): 
	* src/gui/CompileDialog.cc (run): 
	* src/gui/FWObjectDatabase.cc (getFileName): 
	* src/gui/FWObjectDatabase.hh (class FWObjectDatabase): 
	Passing file name parameter to compiler
	
	* src/gui/main_window.cc (on_new1_activate): 
	* src/gui/FWObjectDatabase.cc: 
	* src/gui/FWObjectDatabase.hh (class FWObjectDatabase): 
	* src/gui/fwbuilder.cc (main): loading file from
	command line (-f, --file).
	Loading default database on startup.

2001-01-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in (DOCDIR): checking for docs directory ( /usr/doc
	  versus /usr/share/doc )

	* src/gui/DialogPlugin.cc: dialog text typo corrected

	* src/gui/FWObjectDatabase.cc (FWObjectDatabase): now setting 
	  permissions for objects created as a part of empty database

	* src/gui/FWObject.cc (setPermission): setPermission method
	  added

2001-01-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/iptables/iptables.c: first version of iptables compiler,
	  based on ipchains compiler

	* src/gui/fwbuilder_prefs.xml: added definition for iptables
	  Policy and NAT

	* configure.in (PACKAGE_PIXMAPS_DIR): added iptables support

	* src/iptables/Makefile.in: added directory and Makefile.in for
	  iptables. Started development for iptables

2001-01-07  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/main_window_menu.cc (build_menu): Objects renamed to Insert.

	* src/compiler-framework/fwcompiler.c (main): restoring changes
	lost in CVS reorg.

	* src/gui/FWObjectDatabase.cc (setFileName): 
	* src/gui/main_window.hh (class Main_window): 
	* src/gui/main_window.cc (on_saveas1_activate):
	(on_new1_activate): 
	* src/gui/main_window2.cc (OpenObject): Save, SaveAs, New implemented.

2001-01-06  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/main_window_menu.cc (build_menu): "Objects" menu
	created.

	* src/gui/fwbuilder.cc (main): do now load default files
	on startup.

	* src/gui/Preferences.hh: misc cleanup
	* src/gui/Preferences.cc (Preferences): copying default preferences file
	to ~/.fwuilded. No longer we create ~/fwbuilder directory.

2001-01-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/ObjectTree.cc (on_pasteobj): checks permissions
	                        (on_cutobj): check permissions
				(on_copyobj): check permissions

	* src/gui/FWObject.hh (FWObject*>): added set of permissions for
	FWObject

	* src/gui/ObjectTree.cc (TreePopupMenu): pop-up menu has its items
	  deactivated if object can not be removed or copied

	* src/gui/ListOfIcons.cc (on_button_release_event): pop-up menu
	has its items deactivated just like that in ObjectTree.cc

	* src/gui/GroupDialog.cc (dlg2wrk): fixed bug in object removal

	

2001-01-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (distclean): now even cleaner

	* src/gui/main_window.cc (Main_window): fixed bug where program
	  used to give Gtk-CRITICAL warning on exit ( Bug ID 127496 )

2001-01-04  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.spec: version 0.8.3 released

2001-01-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (rpm): added makefile target "rpm". This will build
	  snapshot using cvs export and then run script build_rpm.sh
	* build_rpm.sh: this script will build rpms

	* Version number for snapshot is taken from fwbuilder.spec
	  file. To generate snapshot and tar.gz for RPM one needs to edit
	  fwbuilder.spec file and then do "make tar"

2001-01-03  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.spec: created SPEC file for building RPM package

	* doc/Makefile (install): install-doc is separate target

	* src/gui/Tools.cc: 
	* src/gui/Tools.hh: Added new files for misc tools

	* src/gui/Preferences.cc (getNodeByPath): 
	* src/gui/PolicyListElement.cc (popup_menu): 
	* src/gui/GroupDialog.cc (GroupDialog): 
	* src/gui/ListOfIcons.cc (on_button_release_event): 
	(on_button_release_event): replaced g_new/g_free/g_strdup
	with new, delete, cxx_strdup.

	* src/gui/HostObject.cc (get_if_names): 
	* src/gui/FWObject.cc (getPath): 
	(FWObject): 

	* src/compiler-framework/fwcompiler.h: Copyright added.

	* src/compiler-framework/Makefile.in: install goal added.

	* src/ipfilter/Makefile.in: 
	* src/ipchains/Makefile.in: 'install' goal corrected.

2001-01-02  Vadim Kurland  <vadim@voyager.crocodile.org>

	* merging fwbuilder and fwcompiler in one CVS tree
	* added Makefile.in in doc subdir. Documents will be installed
	  in $(prefix)/doc
	
2001-01-02  Vadim Zaliva  <lord@crocodile.org>

	* src/MessageDialog_glade.cc: removed icon init to avoid
	runtime warnings.

2000-12-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/*.cc: converted to isA and cast methods everywhere

2000-12-27  Vadim Zaliva  <lord@crocodile.org>

	* src/*.hh: isA() and cast() methods added to all
	subclasses of FWObject.

	* src/ListOfIcons.cc (addObject): fixed crash when showing group
	with references.

2000-12-26  Vadim Zaliva  <lord@crocodile.org>

	* src/Makefile.in (install): install also installs icons

2000-12-25  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (distclean): 'distclean' goal added.

2000-12-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/Preferences.cc (Preferences): now program looks for
	  fwbuilder_prefs.xml and objects_init.xml in the directory
	  defined by INIT_DIR

	* config.h.in: added #define for INIT_DIR

	* src/Makefile.in (PACKAGE_PIXMAPS_DIR): PACKAGE_PIXMAPS_DIR is
	  now defined relatively to $prefix

2000-12-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* added copyright notice to all .cc and .hh files, except those
	  generated by glade
	
	* src/Rule.cc (Rule): read "hidden" status from preferences
	  in constructor

	* src/RuleElement.cc (RuleElement): read "hidden" status from
	  preferences in constructor

2000-12-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* acsite.m4: redefined macro AC_TRY_RUN_NATIVE to fix an error
	  with gcc 2.96 (originally macro defined exit(int) which
	  conflicted with previous definition in
	  /usr/include/stdlib.h). gcc 2.91 just issued warning on this,
	  while gcc 2.96 considered this to be an error

	* configure.in:  rule checking for /usr/include/g++-3 has been refined.
	  If system has been upgraded from RH 6.2 to RH 7.0 then both 
	  /usr/include/g++-2 and /usr/include/g++-3 exist. We should pick 
	  only  /usr/include/g++-3 in this case


2000-12-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder_prefs.xml.in: fwbuilder_prefs.xml is now generated
	  by configure

	* src/Makefile.in (snapshot): added target "snapshot"

	* src/PolicyListItem.cc (paint): switched to queue_draw everywhere 
	  and updated drawing method to use Gdk_GC consistently

	* src/NAT.cc (updateMainMenu): enable/disable main menu items

	* src/Policy.cc (updateMainMenu): enable/disable main menu items

	* src/FirewallObject.cc (updateMainMenu): enable/disable main menu
	  items in "Policy"

2000-12-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/FWObject.cc (updateMainMenu): this virtual method
	  enables or disables appropriate main menu items.

	* aclocal.m4: added functions which test for particular headers:
	  AC_TEST_FILES and AC_SEARCH_HEADERS

	* Makefile.in: subdirectories processing is done through .PHONY target
	 
	* doc/Requirements: updated requirements
	* bugfixes
	
2000-12-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/StandardRulesDruid.cc (on_finish): bugfixes

	* doc/README: descriptions of all object types added

	* AUTHORS (Credits): updated AUTHORS file

	* src/objects_init.xml: added group "Time" and object "AnyTime"

	* src/fwbuilder_prefs.xml: definition for TIME object; added
	  time to policy definition for all supported platforms

	* src/AnyTime.cc: initial implementation

	* src/TimeObject.cc: Initial implementation of TimeObject

	* src/main_window.cc (Main_window): left and right panels in the main
	  window simplified and are not built by glade anymore

2000-12-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/main_window_menu.cc (build_menu): another way to build menus.

	* src/main_window.cc (extractPolicyList): trying to avoid excessive
	  use of dynamic_cast. I now tell PolicyDialog from NATDialog using
	  widget name
	* dynamic_cast replaced everywhere, now using getTypeName()

2000-12-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder.cc (main): no need to initialize imlib if
	  compile with gnome support - gnome_init does it

2000-12-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Global key accelerator group implemented
	
2000-12-14  Vadim Zaliva  <lord@crocodile.org>

	* src/GroupDialog_glade.cc (N_): get rid of one more nasty
	compilation warning.

2000-12-13  Vadim Kurland  <vadim@voyager.crocodile.org>

	* gnome-wrappers/iconlist.{cc,hh}  :  wrapper for gnome widget
	  icon_list
	* GroupDialog now uses our wrapper class IconList
	* Doubleclick on the object in a group view opens object
	
2000-12-13  Vadim Zaliva  <lord@crocodile.org>

	* src/main_window_menu.cc (GNOMEUIINFO_MENU_NEW_SUBTREE): workaround
	to solve compilation problem under gcc 2.96

	* src/Makefile.in ($(GNOME_WRAPPERS_LIB)): add dependency 
	to gnome-wrappers/*.o which does not work.

	* src/Iconlist.cc (IconList): 
	* src/TextDlg.cc (TextDlg): 
	* src/BackgroundOpDisplay.cc (ConnectSignals): 
	* src/NATDialog.cc (NATDialog): 
	* src/PolicyDialog.cc (PolicyDialog): 
	* src/PolicyList.cc (PolicyList): 
	* src/PolicyListItem.cc (PolicyListItem): 
	* src/PolicyListElement.cc (PolicyListRuleNum): 
	(constructor): 
	* src/GroupDialog.cc (GroupDialog): 
	* src/About.cc (About): gcc 2.96 compilation pb. Corrected syntax
	of taking address of method.

	* src/PolicyListElement.cc (request_focus): 
	focus() renamed to request_focus()

	* src/PolicyListElement.hh: get_row(), get_col() return type added.
	focus() renamed to request_focus()

	* src/PolicyListElement.cc (popup_menu): unused variable pl commented

	* src/Preferences.cc (getNodeByRelPath): commented out unused method.

	* configure: removed exit() method prototype which conflicts
	with one from stdlib.

	* src/PolicyList.hh: 
	* src/PolicyList.cc (request_focus): focus() renamed to request_focus()

	* src/gnome-wrappers/wrappers.hh: undef syntax corrected
	to avoid compiler warnings.

	* src/Makefile.in (clean): clean target added

2000-12-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in, Makefile.in reimplemented. Now we do not use
	  those built by glade for us.
	
2000-12-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject::map is now map<const gchar*,const gchar*,ltstr>
	* FWObject can now store data of three types: String, Int, Bool
	
2000-12-3  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem drawing method reimplemented using plain
	  gdk routines. Everything works just fine.
	* bugfixes
	* ICMP code -1 now means any code. Compiler generates 
	  code which takes only icmp type into consideration

2000-12-2  Vadim Kurland  <vadim@voyager.crocodile.org>
	
	* Class PolicyListItem completely reimplemented as custom widget
	  derived from Gtk::Widget. It turned out to be surprisingly 
	  simpler to do it this way.
	* Class LabelWithEffects is not needed anymore; files have been
	  removed from CVS
	* Still working on a bug where object tree lines lose color once
	  policy has been displayed. Something is wrong with style or
	  Gdk_GC processing in PolicyListItem

2000-12-1  Vadim Kurland  <vadim@voyager.crocodile.org>
	
	* Implemented "disable rule" function in GUI
	* LabelWithEffects can now display text string with pixmap background
	  ( used in PolicyListRuleNum class to display rule number which
	    can be double-crossed if rule is disabled )

2000-11-29  Vadim Kurland  <vadim@voyager.crocodile.org>
	
	* Policy rule drag&drop methods now use actual rule screen 
	  snapshot as a drag icon
	* Added some imlib image manipulation to this snapshot to make 
	  it easily distinguishable from the rest of the picture on 
	  the screen. 

2000-11-28  Vadim Kurland  <vadim@voyager.crocodile.org>
	
	* Got rid of "path" and all supporting methods. Now we keep
	  pointer to parent in each FWObject, which allows us to easily
	  reconstruct path string on demand
	* pop-down menu appears on mouse button release (instead of button
	  press) in ObjectTree, PolicyList and IconsList
	* added attribute "hidden". Now each object can be made
	  hidden, so it won't show up in ObjectTree and groups. There is
	  no GUI mechanism to set this attribute as of yet

2000-11-26  Vadim Kurland  <vadim@voyager.crocodile.org>

	* algorithm refinements for "any" objects and services. Now
	  GUI inserts reference to the object "Any" instead of keeping
	  rule element empty. This simplified somewhat algorithms for
	  objects removals and additions in rule elements as we now
	  guarantee that rule elements are never empty
	* doc/README updated with compilation and installation instructions
	* Makefile.am updated for proper binary and *.xml files install,
	  as well as icons install. See README for details. 

2000-11-25 Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid now helps to build more or less complete basic policy.
	  If you don't know where to start with new firewall - start
	  with menu item "Help build firewall policy"
	* Object can now be dragged between policy elements
	* Menu item "compile" now actually calls compiler in the background
	  and shows its progress or errors in the dialog window.
	* policy rules can now be dragged to swap places and move rules
	  up or down.

2000-11-24 Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject is now derived from list, not map.  This made 
	  manipulation of the order in which children are presented 
	  much easier. This change was needed for proper implementation
	  of Policy rules addition and insertion
	* some changes to fwbuilder_prefs.xml
	* bugfixes

2000-11-13 Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid is now called "Standard Protection Rules Druid" and
	  generates three types of rules:
	    - anti-spoofing rule
	    - rule dropping "short" fragments
	    - rule dropping "network junk", that is packets coming from
	      outside but not headed for our network
	* Druid consists of three pages, plus "final" page
	* program now automatically creates working directory
	  in user's home and copies default preferences file and initial
	  objects database there. See doc/README
	* Again new icons


2000-11-12 Vadim Kurland  <vadim@voyager.crocodile.org>

	* Now all object dialogs check object's name for syntax before
	  saving. Name must consist of alphanumeric characters and should
	  not start with number

2000-11-11 Vadim Kurland  <vadim@voyager.crocodile.org>

	* New policy element added: "Direction". This, together with "Target",
	  helps build anti-spoofing and other direction-dependent rules.
	* Anti-spoofing druid now actually builds rule on top of the policy
	* Preferences dialog now allows turning on and off visibility of 
	  individual policy elements
	* Original icons with transparent background restored
	* ICMP code and type terminology fixed

2000-11-9  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences and database are stored in user's home directory now

2000-11-8  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Converting icons to .png using imlib

2000-11-7  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid for generating anti-spoofing rules implemented

2000-11-4  Vadim Kurland  <vadim@voyager.crocodile.org>

	* gnome-wrappers added. Dependency on gnome-- eliminated
	* preparations for "anti-spoofing rules" druid
	* main menu generating code streamlined using GnomeUIInfo for all
	  menu items and submenus
	* bugfixes

2000-11-3  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Some new icons


2000-11-1  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Icons can be of two different sizes now: large ones for
	  object dialogs and small ones for policy
	* Preferences code streamlined

2000-10-31  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Main menu code rewritten. I use gnome-- libraries and code
	  for menus and some other things. Getting ready to use "Druid"
	  widget for firewall policy Wizard
	* Got rid of dynamic menu item.  It was ugly from UI standpoint
	* "About" dialog added

2000-10-29  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PortRange object is gone, use TCP and UDP instead
	* IP Object and dialog created

2000-10-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Additional icons

2000-10-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences dialogs for different firewall platforms have been
	  implemented
	* Preferences for ipchains firewall implemented in both builder 
	  and compiler

2000-10-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Interfaces can now be marked as "external" and "internal" via GUI
	  This feature will help implementing NAT on various platforms
	  (such as ipchains, cisco)
	* NAT rules are now properly displayed and can be edited and stored.

2000-10-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes in PolicyList

2000-10-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes

2000-10-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes
	* Now BuiltinDialog may appear with or without buttons "Save" and
	  "Undo" depending on the object definition in fwbuilder_pref.xml
	* "Move rule up" and "Move rule down" implemented

2000-10-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* completely got rid of direct references to rule descriptors in
	  fwbuilder.xml. Now we recalculate descriptors for policies, rules
	  and rule elements when we need them

2000-10-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* unnecessary references to rule and rule element descriptors
	  removed from XML representation. Now these descriptors are
	  being calculated when respective objects are built. This makes
	  XML file much cleaner


2000-10-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* XML paths for all objects and preferences now include 
	  root element (FWObjectDatabase or FWBuilderPreferences). This
	  makes design more systematic and allows for code reuse between
	  builder and compiler.

2000-10-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* minor changes to rule element descriptors. Adjustments for
	  compiler

2000-10-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Descriptors now are part of preferences.

2000-10-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Changes in XML storage: now XML nodes are named after
	  respective objects, with object type stored as attribute "_type"
	  This is needed to eliminate confusion between two different ways 
	  to handle object's path in the tree: one way is to compose
	  path from XML nodes names, another way is to use object's names.
	  We will assume path consists of XML nodes names, which are
	  now the same as corresponding objects names.

	  Next big step will be moving subtree "/Descriptors/" from
	  the main tree to Preferences. We are already working with descriptors
	  using their path, so it won't be difficult to rewrite relevant
	  pieces of code to use preferences instead.

2000-10-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Accommodations for the policy compiler. Paths to compilers
	  for all supported platforms are now stored in Preferences

	* Class Preferences now keeps data in XML tree instead 
	  of map<string,string>. Preferences should be accessed via
	  Preferences::getOpt method by their XML tree path
	
2000-10-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Further code refinement in rule element negation

2000-09-30  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Rule element negation implemented in GUI

2000-09-26  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Code cleanup. XPM icon file names for all object types are 
	now stored in XML file

2000-09-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* New class:  TypeDescriptor. Objects of this class contain
	descriptive information for various object types used in the system.
	Objects get stored in the static part of XML database under 
	"Descriptors". Verbose description for a given type can be retrieved
	using the following code fragment:

	here s contains type name ("FW") and ss will get description 
	("Firewall") from the type descriptor

	FWObject *typedsc=FWObjectsDatabase::db->get("/Descriptors/Types/"+s);
	ss=typedsc->getStr("description");

	GroupDialog shows allowed group members types using verbose 
	descriptions taken from TypeDescriptor for each type


2000-09-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Classes ICMPObject, UDPObject and TCPObject have been adopted for
	storing data in XML

	* Class Group has got a list of types allowed for its children. 
	It is comma separated list of type names stored as string attribute 
	"allowed_types"  and provides for easy search and checks by name. 
	GroupDialog now shows all allowed types in the dialog. Upon creation
 	each group inherits allowed types from its ancestor, although group 
	may have this set trimmed for stricter control

	* New method:  FWObject::getParent(): looks for a parent of given
	object using its path

2000-09-02  Vadim Kurland  <vadim@voyager.crocodile.org>

	* All type comparisons converted to getTypeName(). FWObject::GetType()
	is obsolete now and is scheduled for removal. enum FWObjectType is also
	going to be phased out

	* RuleElementDescriptor now holds list of allowed object type names
	instead of integer with a bitmask of values from enum FWObjectType

	* class FWObjectDialog has been created. This is generic dialog for
	all classes which are not supposed to be visible for regular user.
	ObjectTree shows these objects after pressing magic key "F6", so 
	this dialog can then be used to open and potentially edit objects
	XML attributes.

	* bug fixes in the area of interfaces processing for both hosts and
	firewalls


2000-08-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/FWObjectClipboard.cc: FWObjectClipboard is now derived from	
	FWObjectReference

2000-08-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder.xml: Each Policy, Rule and RuleElement have now an
	attribute pointing to the corresponding descriptor as follows:

	Policy      -> RuleDescriptor        (record RD in xml file)
	Rule        -> RuleDescriptor        (record RD in xml file)
	RuleElement -> RuleElementDescriptor (record RED in xml file)

	This simplified descriptors manipulation significantly and allowed us
	to get rid of bunch of calls to FWObject::get
	
	* src/FWObject.cc (xfind): Method deprecated in favor of FWObject::get
	Code has been cleaned so FWObject::xfind is not used anymore.

2000-08-21  Vadim Kurland  <vadim@tahoe.crocodile.org>

        * src/Policy.cc (AppendRuleAfter): Now adding rules above and below
        of the given rule work properly

2000-08-20  Vadim Kurland  <vadim@tahoe.crocodile.org>

        * src/PolicyList.hh: Individual classes for standard policy elements
        have been added. These are:

        PolicyListRuleAction
        PolicyListRuleLog
        PolicyListRuleTarget
        PolicyListRuleComment
        

        * src/fwbuilder.xml: Following classes were converted to the new
        system of tree-like data storage:

        RuleDescriptor (Policy rule descriptor )
        RuleElementDescriptor (rule element descriptor)
        Rule (policy rule)
        RuleElement
        Policy

        data storage and loading for these classes have been implemented 
        and tested.

        This is the first time we can store firewall policy and then load 
        it back!

        
        * src/ObjectTree.cc (on_key_press_event): 
        Secret keys for the left panel:

        press F5 to rebuild the tree 
        press F6 to toggle boolean flag show_all and rebuild the tree. 

        The "show_all" flag, if true, forces tree to show all the elements 
        ignoring their showInTree method

        * src/PolicyListElement.cc: PolicyListElement methods are now in 
        a separate file


2000-08-17  Vadim Kurland  <vadim@tahoe.crocodile.org>

        * src/FWObject.cc (fromXML): added protected method fromXML. I need
        to be able to initialize some fields in FWObjectsDatabase
        before we load data from XML file. Since XML parsing used to happen in
        the FWObject constructor, I could not initialize "path" field for
        the database object before actual XML parsing would happen. Hence
        method fromXML
        (addChild): This is where we keep track of the full path to the object.
        Every time we add object to another object, we take path of the parent,
        add slash "/" and name of the child at the end. The result gets stored
        in the child using setPath method. This way we keep track of the full
        path to every object in the database.  For this algorithm to work, 
        the "root" object - database itself - has to be "seeded" with its path
        name "/Database". That is why we needed fromXML method (see above)


2000-08-17  Vadim Zaliva  <lord@crocodile.org>

	* src/FWObject.hh (FWObject*>): find renamed to xfind to avoid name
	conflict with STL method.
	(FWObject*>): set/get Str/Int using const and reference to pass names.

	* src/FWObjectDatabase.cc (load): 
	* src/FWObject.cc (resolveReferences): 
	resolving references on load

	* src/FWObject.hh: 
	* src/FWObjectReference.hh: 
	* src/FWObjectReference.cc: 
	New tree object - reference to another one

2000-08-16  Vadim Zaliva  <lord@crocodile.org>

	* src/fwbuilder.xml: sample data file

	* src/Group.hh: 
	* src/Group.cc: 
	* src/FWObjectDatabase.cc: 
	* src/FWObjectDatabase.hh: 
	* src/FWObject.cc:
	* src/FWObject.hh:
	* src/HostObject.cc: 
	* src/HostObject.hh: 
	Loading xml files skeleton.

2000-08-15  Vadim Zaliva  <lord@crocodile.org>

	* src/FWObjectDatabase.hh (class FWObjectsDatabase): removed methods
	which are already present in FWObjects.
	object_db variable removed and replaced with singleton.

2000-08-14  Vadim Zaliva  <lord@crocodile.org>

	* src/FileSel.cc (FileSel): default extension changed to .xml

	* src/FWObjectDatabase.cc (saveAs): database is now saved as root of
	xml tree.

	* src/FWObject.hh: FWObjectType converted to enum. Added value DATABASE.

	* src/FWObject.cc (toXML): saving to XML uses different schema - not nodes
	are object types.

	* src/FWObject.hh (FWObject*>): Find renamed to find() to match coding
	style.

	* src/FWObject.cc (toXML): saving method added.

	* src/FWObjectDatabase.cc (saveAs): remembering filename we were loading to
	to use it for saving. Saving XML implemented.

2000-07-27  Vadim Zaliva  <lord@crocodile.org>

	* src/Preferences.cc (LoadPrefsFile): loading preferences from XML file.
	(SavePrefsFile): saving preferences in XML.

	* src/Preferences.hh: loadPrefsFile protected method added

	* src/Makefile.in (LIBS): added list of libraries detected by autoconf
	to link flags.

	* src/fwbuilder_prefs.xml: created this file for storing user preferences.

	* configure.in: added check for libxml

2000/4/29 23:51:53 PDT
        policy sheet implemented as CList with multiple lines per one rule

2000/4/30 12:58:07 PDT
        gen_popup_menu (generic popup menu class) implemented