2010-09-20  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.h (fwcompiler): fixed SF bug #3071667 "Compilation segfault with DNS address in NAT rule". Added rule processors to replace run-time DNSName and Address Table objects in TSrc and TDst.

2010-09-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_MICRO_VERSION): started 4.1.2

2010-08-20  Vadim Kurland  <vadim@fwbuilder.org>

	* v4.1.1 released

2010-08-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandAddressRanges): fixed fwbuilder:ticket:1696 "Compiler ignores, but provides no warning, about rules with invalid address range being skipped". AddressRange object in the ticket had start address greater than the end address.
	* NATCompiler.cpp (classifyNATRule::processNext): fixed fwbuilder:ticket:1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol.

2010-08-14  Vadim Kurland  <vadim@vk.crocodile.org>

	* set version to 4.1.1

2010-08-10  Vadim Kurland  <vadim@vk.crocodile.org>

	* v4.1.0 released

2010-08-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* ObjectGroup.cpp (validateChild): fixed fwbuilder:ticket:1679 "Group allows invalid objects to be added (Policy, NAT, Routing)". Change done in ObjectGroup and ServiceGroup.

2010-06-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatchForSubnet): added method to check object matching with subnets

2010-06-12  Vadim Kurland  <vadim@vk.crocodile.org>

	* CustomService.cpp (CustomService::CustomService): fixed missing class variable initialization.
	* FWObjectDatabase.cpp (FWObjectDatabase::setPredictableIds): this method is used to replace random string object ids with predictable ones; useful for unit tests because it allows us to create data files that can be compared. Fixes fwbuilder:ticket:1517
	* FWReference.cpp (FWReference::toXML): always use int id when saving to xml. This allows us to change string ids if necessary using a call to FWObjectDatabase::changeStringId(), and it will change both the id and ref attributes when objects are saved to the xml file. This is needed for unit tests to let tests create .fwb files with predictable IDs that can be compared later. See fwbuilder:ticket:1517
	* FWObjectDatabase.cpp (FWObjectDatabase::changeStringId): this method changes the string ID associated with a given int ID. Using this in unit tests to create .fwb files with predictable IDs that can be compared with golden files. See fwbuilder:ticket:1517

2010-06-02  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules): fixed #1485 "dns name object is recognized as an empty group when it appears in shared rule set"

2010-05-12  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::epilog): fixed SourceForge bug #3000159 "libfwbuilder-4.0.1. calls exit warning.". Calling exit() or _exit() from a library function is discouraged, and as it turns out unnecessary in our case.

2010-04-24  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowingPlatformSpecific): added virtual function checkForShadowingPlatformSpecific() that should be reimplemented in specific PolicyCompiler classes to check if platform-specific rule options affect the rule shadowing decision. Also bumped so version of fwbuilder and fwcompiler libraries to 9.1.0

2010-04-20  vadim  <vadim@vk.crocodile.org>

	* RoutingCompiler.cpp (reachableAddressInRGtw::checkReachableIPAddress): fixes #1410 "Problem with route for 4.0.0-b2809". Compiler did not allow vlan subinterface as a gateway in a routing rule.

2010-04-08  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expand_interface): fixes #1394 using existing virtual functions that expand multiple addresses to expand cluster interfaces. Renamed function _expandAddr to _expand_addr, added parameter bool expand_cluster_interfaces_fully to _expand_addr, _expand_addr_recursive and _expand_interface

2010-03-29  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (expandGroupsInItf::processNext): added rule processor expandGroupsInItf and moved expandGroupsInSrv from compiler for iptables. See fwbuilder:ticket:1374 "Rule with group of interfaces in the "Interface" column is not compiled the same as when the same interfaces are placed there without group"
	* RuleElement.cpp (RuleElementItf::checkItfChildOfThisFw): fixed fwbuilder:ticket:1372 group is not allowed in the "Interface" column. Group of interfaces should be allowed in the "Interface" rule element provided all group members are children of the same firewall.

2010-03-23  Vadim Kurland  <vadim@vk.crocodile.org>

	* inet_net_pton.c (inet_cidr_pton_ipv4): fixed fwbuilder:ticket:1328 "IPv4 dialog takes incorrect ip addresses". Function inet_cidr_pton_ipv4 translated incomplete ipv4 addresses such as "1.0.0" incorrectly. The last octet in the result had a random value because of use of uninitialized memory.

2010-03-18  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (replaceFailoverInterfaceInRE::processNext): fixes fwbuilder:ticket:1344 "PF script generated or the cluster uses carp interfaces".

2010-03-16  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (XMLTools::loadFile): passing error code returned by access() for better diagnostics. See fwbuilder:ticket:1334

2010-03-04  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::dispatch): recognize multicast when matching Network and NetworkIPv6 objects. See fwbuilder:ticket:1298

2010-03-03  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::findDuplicateLinksInTree): test/debugging method that walks the tree looking for objects referenced by two parents. Refs fwbuilder:ticket:1296

2010-03-02  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::destroyChildren): fixed memory leak where objects were not destroyed if they had no children.

2010-02-28  vadim  <vadim@vk.crocodile.org>

	* ../src/fwbuilder/ObjectMatcher.h (libfwbuilder): added virtual destructor. Fixes fwbuilder:ticket:1259

2010-02-27  vadim  <vadim@vk.crocodile.org>

	* configure.in: find cppunit library for unit tests

2010-02-25  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::getPrivateData): added facility for storing arbitrary blocks of user data with FWObject objects, keyed by a std::string key.

2010-02-23  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElement::isAny): made isAny() a const method. Part of the great const-ification, see #2
	* FWReference.h (libfwbuilder): added method getPinterIdDirect() that just returns int_id. This is a const method; it does not perform delayed initialization in case the FWReference object only has the string id of the object it points to. See #2

2010-02-18  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* Firewall.cpp (Firewall::duplicate): fixed #1254 ""locked" status of the object is lost when data file is loaded". "Read-only" or "locked" status of the firewall object was lost when the data file was loaded into the program. The bug affected only the Firewall object.

2010-02-17  vadim  <vadim@vk.crocodile.org>

	* ObjectMirror.cpp (ObjectMirror::getMirroredService): class ObjectMirror (refs fwbuilder:ticket:1241 "add mirror rule" checkbox for IOSACL)

2010-02-16  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::correctForCluster): this method takes an Address object and replaces it with the interface of a member firewall if it turns out to be a cluster interface. refs fwbuilder:ticket:1235

2010-02-15  vadim  <vadim@vk.crocodile.org>

	* XMLTools.h (libfwbuilder): definition of XMLFREEBUFF moved to libfwbuilder-config.h

2010-02-15  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::load): working on memory leaks with the help of valgrind. Refs fwbuilder:ticket:1229

2010-02-14  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>

	* Management.cpp (SNMPManagement::fromXML): refs fwbuilder:ticket:1229 memory leak problems

2010-02-02  vadim  <vadim@vk.crocodile.org>

	* fwbuilder/ObjectMatcher.h (libfwbuilder): reimplemented ObjectMatcher class using generic base class Dispatch
	* fwbuilder/Dispatch.h (__DECLARE_DISPATCH_METHODS): generic class that implements the double dispatch pattern. Helps avoid long chains of if-then-else statements that compare object type names. Refs fwbuilder:ticket:1186
	* Interface.cpp (Interface::isLoopback): method isLoopback() will return true for a cluster interface that has no ip address of its own but is mapped to loopback interfaces of cluster members.

2010-01-31  vadim  <vadim@vk.crocodile.org>

	* ClusterGroup.cpp (ClusterGroup::getInterfaceForMemberFirewall): added a method for the often used pattern. See fwbuilder:ticket:1184 for the reference of other changes in fwbuilder that prompted this.

2010-01-30  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::prolog): do not remove disabled rules in prolog() because some compilers might use RuleSet::insertRuleAtTop() and other similar methods from prolog() or addPredefinedPolicyRules(), and these methods renumber rules. As a result, labels stop matching rule positions when this is done because labels are configured in the prolog() method of the base class. See fwbuilder ticket 1173. Instead of dropping disabled rules in prolog(), will keep them and drop them in rule processor Begin, which is always the first in all compilers.
2010-01-25  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatchForSingleAddress): if flag match_subnets is true, check if the given address is inside the subnet defined by the address/netmask of obj2.
	* ObjectMatcher.cpp (ObjectMatcher::checkComplexMatch): if flag match_subnets is true, treat AddressRange objects in a special way: check range boundaries against the subnet defined by the address/netmask of obj2. Exact match is when range boundaries exactly match the beginning and the end of the subnet. Partial match is when either boundary (or both) is inside of the subnet.
	* ObjectMatcher.h (libfwbuilder): setting all flags through setter methods instead of passing parameters to the constructor. Added flag "match_subnets"

2010-01-19  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expand_interface): method _expand_interface (renamed, used to be _expandInterface) takes a pointer to the rule as first argument. This makes it possible to generate error and warning messages associated with rules.

2010-01-18  vadim  <vadim@vk.crocodile.org>

	* ../VERSION (LIBFWBUILDER_REVISION): Set version to 4.0.0 in preparation for public beta

2010-01-17  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_15.xslt: incremented DTD version to 16; migration script changes the value of attribute "host_OS" of the Firewall element from "linksys" to "sveasoft".

2010-01-15  vadim  <vadim@vk.crocodile.org>

	* AddressTable::loadFromSource, DNSName::loadFromSource: When the address table file needed to resolve an AddressTable object can not be found, the object uses a dummy test address but also sets an attribute ".error_msg" in this object to indicate that there was an error and the object is not real.
	* Compiler.cpp (checkForObjectsWithErrors::processNext): Rule processor Compiler::checkForObjectsWithErrors was added to check for the ".error_msg" attributes and translate them into error messages that can be associated with rules. This way, Preprocessor can convert MultiAddress objects without having to scan all rules, which makes it faster, and we still can associate errors that happen during this process with rules.

2010-01-09  vadim  <vadim@vk.crocodile.org>

	* DNSName.cpp (DNSName::loadFromSource): method loadFromSource() now takes a second argument "bool test_mode". When the compiler runs in test mode, it passes true in this argument to loadFromSource() to make it use a dummy ip address in case it can not resolve the requested DNS record. This helps test the compiler on data files that use compile-time DNSName objects that do not resolve. The same argument is now available in the AddressTable::loadFromSource() method.

2010-01-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkInterfacesForShadowing): include interface rule element in the shadowing detection algorithm. See ticket #1068

2010-01-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (FWObjectDatabase::findDuplicateIds): function to find objects with duplicate IDs in two object trees.

2009-12-24  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::findMultiAddressObjectsUsedInRules): Eliminated a bottleneck that caused noticeable delay in Preprocessor::compile(). Old code would find all MultiAddress objects in the tree and then check if they were used by the firewall we are compiling. This caused multiple tree walks. The new approach is to walk all the rules of the firewall, looking for objects used in the rules. If the object is a MultiAddress, it is pushed to the list; if it is a group, the group members are scanned in turn. Groups are scanned recursively. This way we first build a list of MultiAddress objects used in rules by doing a single scan of the subtree rather than multiple scans of the whole tree. In addition, in single rule compile mode we scan only the single rule rather than all rules of the firewall.
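The 2010-01-25 entry above describes the "match_subnets" rules for AddressRange objects: an exact match when the range boundaries coincide with the first and last address of the subnet, a partial match when a boundary lies inside it. The following is an added illustration, not libfwbuilder code; it models the range and the subnet as plain IPv4 strings and a prefix length, and additionally treats a range that strictly encloses the subnet as a partial match (the entry does not mention that case; that classification is this example's own choice). It also rejects the inverted range (start greater than end) that fwbuilder:ticket:1696 reported being silently skipped.

```cpp
// Added example, not part of libfwbuilder: classify an IPv4 address range
// against a subnet as EXACT / PARTIAL / NONE following the match_subnets
// description in the ChangeLog, plus the enclosing-range case (assumption).
#include <cstdint>
#include <stdexcept>
#include <string>
#include <arpa/inet.h>

enum class SubnetMatch { NONE, PARTIAL, EXACT };

// Dotted quad -> host-order 32-bit value; throws on malformed input.
static uint32_t parse_dotted_quad(const std::string& s) {
    struct in_addr a;
    if (inet_pton(AF_INET, s.c_str(), &a) != 1)
        throw std::invalid_argument("bad IPv4 address: " + s);
    return ntohl(a.s_addr);
}

// Prefix length (0..32) -> netmask; prefix 0 is special-cased because
// shifting a 32-bit value by 32 is undefined behaviour.
static uint32_t prefix_to_mask(int prefix) {
    if (prefix < 0 || prefix > 32) throw std::invalid_argument("bad prefix length");
    return prefix == 0 ? 0u : (0xFFFFFFFFu << (32 - prefix));
}

SubnetMatch match_range_against_subnet(const std::string& range_start,
                                       const std::string& range_end,
                                       const std::string& subnet_addr,
                                       int prefix) {
    uint32_t lo = parse_dotted_quad(range_start);
    uint32_t hi = parse_dotted_quad(range_end);
    // The ticket:1696 case: an inverted range is an error, not something to skip quietly.
    if (lo > hi) throw std::invalid_argument("address range start is greater than its end");

    uint32_t mask = prefix_to_mask(prefix);
    uint32_t net_first = parse_dotted_quad(subnet_addr) & mask;  // host bits of subnet_addr are ignored
    uint32_t net_last = net_first | ~mask;

    if (lo == net_first && hi == net_last) return SubnetMatch::EXACT;
    // Any overlap that is not exact counts as partial. This covers both
    // boundaries-inside-subnet (the ChangeLog wording) and a range that
    // strictly encloses the subnet (this example's extension).
    if (lo <= net_last && hi >= net_first) return SubnetMatch::PARTIAL;
    return SubnetMatch::NONE;
}

// True when an inverted range is rejected with an exception.
bool rejects_inverted_range() {
    try {
        match_range_against_subnet("10.0.0.9", "10.0.0.1", "10.0.0.0", 24);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

Note that the subnet address is masked before comparison, so "10.0.0.77/24" and "10.0.0.0/24" describe the same block; a matcher that compared the raw address instead would never report an exact match for the former.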
2009-12-11  vadim  <vadim@vk.crocodile.org>

	* ../src/fwbuilder/Group.h (libfwbuilder): Added method getAllowedTypesOfChildren() that returns a list of allowed children object types (should reflect DTD)

2009-11-30  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElement::toXML): RuleElement objects should have an ID, but since the DTD does not define one for them, will only keep this ID in the objects in memory and drop it before saving them to the XML file.

2009-11-25  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (RuleSetOptions): added XML element RuleSetOptions (child of Policy, NAT, Routing). Moved option "ipt_mangle_only_rule_sets" from FirewallOptions to RuleSetOptions. See fwbuilder:ticket:650, fwbuilder:ticket:709

2009-11-20  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::remove): Change in implicit behavior: removing an object does not move it to the Deleted Objects library anymore. This should be done in the GUI.

2009-11-14  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp: Added method FWObject::findIf - generic method that searches for child objects that match criteria implemented by a predicate object passed as an argument.

2009-11-11  vadim  <vadim@vk.crocodile.org>

	* Group.cpp (Group::isMember): Generic member that checks if the given object is a member of the group.

2009-11-09  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TODO): Added attribute "dedicated_failover" to the element Interface and the corresponding class.
2009-11-04  Vadim Kurland  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: Added attribute any_opt to IPService

2009-11-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPService.cpp (IPService::hasIpOptions): Method hasIpOptions() returns true if the IPService object has one or more of the IP options: lsrr, rr, ssrr, ts, rtr_alt
	* fwbuilder.dtd.in: Added attributes rtralt and rtralt_value to IPService

2009-10-13  vadim  <vadim@vk.crocodile.org>

	* VERSION (VERSION): started v3.0.8

2009-09-18  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (ItfNegation::processNext): fix for bug #2710034 "PF Compiler in 3.0.3 Unprotected Interface Bug". When we expand an "interface" rule element which uses negation, skip unprotected interfaces.

2009-08-28  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::getOptionsObjectConst): Added Interface::getOptionsObjectconst(), Interface::isSlave()

2009-08-24  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processFailoverGroup): a cluster interface may not need an ip address, but this depends on the failover protocol. Adding a check for when the address is missing. See #337

2009-08-12  vadim  <vadim@vk.crocodile.org>

	* NATCompiler.cpp (classifyNATRule::processNext): fixed bug #2836321: "SNAT rule that changes Trans Src and Trans Port does not work". Dual translation rule that changes source address and destination port was not supported.

2009-08-03  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandInterface): See #284: PolicyCompiler::ExpandMultipleAddresses and NATCompiler::ExpandMultipleAddresses should include subinterfaces

2009-08-02  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::validateChild): DTD does not allow nested subinterfaces; only one level of subinterfaces is supported. Interface::validateChild() now checks for this condition.

2009-07-29  vadim  <vadim@vk.crocodile.org>

	* snmp.h (class SNMPCrawler): Removed obsolete parameter skip_virtual - we never ignore virtual addresses.
2009-07-28  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::populateClusterElements): while scanning interfaces that are members of a failover group, use only those that are children of the firewall that we are compiling. Fixes #242 "fwb_ipt generates duplicate automatic rules for heartbeat and other protocols"

2009-07-27  vadim  <vadim@vk.crocodile.org>

	* Cluster.cpp (Cluster::getMembersList): cluster group members can be references to interfaces and subinterfaces; this change adds support for subinterfaces.

2009-07-26  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processFailoverGroup): While adding a copy of the cluster interface to the firewall, make sure it has a new unique ID instead of a copy of the ID of the cluster's interface object. If the ID is the same, RuleElementItf::validateChild() finds the cluster's interface, which is not a child of the firewall object and is therefore rejected.

2009-07-25  vadim  <vadim@vk.crocodile.org>

	* Compiler.h (fwcompiler): Deprecated object caching in compiler, fixes #228
	* Cluster.cpp (Cluster::getMembersList): need to scan not only StateSyncClusterGroup child objects but also all FailoverClusterGroup objects in order to find all member firewalls. The program used to look only at StateSyncClusterGroup objects, which meant it did not recognize any members if the state sync group was empty. This fixes issue #4 in the bug #2826765: "problems and suggestions for 3.1.0-b1187".

2009-07-24  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getBranch): fixed problem #4 "GUI crash when setting action to be a chain." reported in the bug #2826765: "problems and suggestions for 3.1.0-b1187". The GUI crashed when a policy rule in the cluster policy was set to action "Chain".

2009-07-17  vadim  <vadim@vk.crocodile.org>

	* Resources.cpp (Resources::getResourceStrList): This function provides a way to create lists of parameters in resource files.
	* fwbuilder.dtd.in (Library): fixed bug #2823424: "Deleting UserService object breaks data file format". When the user deleted a UserService object, it was moved to the "Deleted Objects" library, which broke the XML file because the DTD did not allow a UserService element as a child of Library

2009-07-16  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_11.xslt: Bumped data file format to 12; system group "Clusters" moves to the top level of the tree. Fixes #167

2009-07-13  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (checkForZeroAddr::findZeroAddress): followup for bug #2820152: AddressRange object has an address but no netmask. Have to check for getNetmaskPtr() == NULL where necessary.

2009-07-11  vadim  <vadim@vk.crocodile.org>

	* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address ranges and other such need IPv4/v6 typing". AddressRange object should be recognized and removed from the rule if it is used in an ipv6 rule set. To do this, add virtual method hasInetAddress() (should return true) to indicate that this object has an address. This works since virtual method getAddressPtr() has been implemented anyway.
	* VERSION (VERSION): started v3.0.6 in the current production branch

2009-07-09  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::populateClusterElements): user can now add a loopback interface to the cluster object and use it in rules. This interface does not have a failover group and has the usual 127.0.0.1/8 ip address. Refers #163

2009-06-28  Vadim Kurland  <vadim@vk.crocodile.org>

	* Firewall.cpp (Firewall::getIntrfacesByType()): Simple method to get a list of pointers to all interfaces of a given type.
	* Compiler_cluster.cpp (Compiler::processFailoverGroup): fixes #166: cluster should be allowed to have interfaces with the same name as interfaces of the member firewall (i.e. "eth0"). This is necessary to support failover protocols that do not create virtual interfaces, but rather operate over normal interfaces, such as heartbeat.
2009-06-24  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getDirectionAsString): Direction "Undefined" is not allowed per DTD; have to assume it is "Both" if it is not "Inbound" or "Outbound". This is a last-minute fix which causes re-release of 3.0.5

2009-06-23  vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::init_from_string): Fixes #112: use strtol instead of atoi so we can determine when the string could not be converted entirely.

2009-06-18  vadim  <vadim@vk.crocodile.org>

	* Interface.cpp (Interface::isBridgePort): Refs #90: deprecated attribute "bridgeport" in Interface object, using type set in the InterfaceOptions object.
	* Firewall.cpp (Firewall::duplicateInterfaces): Fixes #142: Copy interfaces of the firewall before policies in Firewall::duplicate() because interfaces might be referenced in rules and should be copied before rule elements for the latter to set up references to the copies.

2009-06-17  vadim  <vadim@vk.crocodile.org>

	* v3.0.5 released

2009-06-14  vadim  <vadim@vk.crocodile.org>

	* Interface.h (libfwbuilder): Ticket #55: deprecated isExt() and setExt() methods. Platforms that care about an interface being external should use security levels. Currently this is only PIX and it uses sec. levels already.

2009-06-09  vadim  <vadim@vk.crocodile.org>

	* NATCompiler.cpp (classifyNATRule::processNext): fixed bug #2803689 "NAT rule matching dport but changing sport is broken". NAT rules that match destination port but translate source port should be possible (and the opposite too).

2009-06-08  vadim  <vadim@vk.crocodile.org>

	* Rule.cpp (PolicyRule::getDirectionAsString): should return string "Undefined" for the direction equal to PolicyRule::Undefined
	* NATCompiler.cpp (classifyNATRule::processNext): support for SDNAT rules that translate both addresses and ports.
	* NATCompiler.cpp (classifyNATRule::processNext): rules that translate only source port are now classified as SNAT, rules that translate only dest. port are classified as DNAT. Rules that try to translate one service type into another cause an error.

2009-06-03  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (recursiveGroupsInRE::isRecursiveGroup): fixed bug #2800625 "recursive groups cause infinite loop and crash in compiler". When a group included itself, the compiler used to go into an infinite loop and crash.

2009-06-01  vadim  <vadim@vk.crocodile.org>

	* Compiler_cluster.cpp (Compiler::processStateSyncGroup): This method finds StateSyncClusterGroup objects and saves essential parameters in the Interface objects of the firewall so that compilers later can use this information to generate a script to configure state synchronisation.
	* IPService.cpp (IPService::addNamedProtocol): class IPService now has an internal mapping table of protocol numbers and names. By default it comes with a list of typical protocols "ip", "icmp", "tcp" and "udp". More protocols can be added to the table using the IPService::addNamedProtocol() method. After that, method IPService::getProtocolName() will return the protocol name for the registered named protocols. This facility replaces the CARPService class.

2009-05-30  vadim  <vadim@vk.crocodile.org>

	* CARPService.cpp: Added trivial CARPService class that defines an IP service with name "carp" and protocol number 112. There is no standard object of this type at this time and no XML DTD definition. Objects of this class are created internally by policy compilers. This is the same as the VRRPService object. The purpose of having separate classes VRRPService and CARPService is to insert protocol names "vrrp" and "carp" in generated scripts.
	* Compiler.cpp (Compiler::_expand_group_recursive): ref #50: ignore various FWOptions child objects while expanding groups. In particular this skips the ClusterGroupOptions object, which is a child of FailoverClusterGroup and StateSyncClusterGroup objects.

2009-05-28  vadim  <vadim@vk.crocodile.org>

	* InterfaceData.cpp (InterfaceData::guessSecurityLevel): set security level to 0 (insecure) by default. This makes all interfaces of a newly created firewall "external" or "insecure" unless they were assigned labels or addresses from the private address space, in which case guessSecurityLevel() assigns level 100. This addresses bug #2796760 "Display error when adding new FW with multiple interfaces".

2009-05-27  vadim  <vadim@vk.crocodile.org>

	* XMLTools.cpp (XMLTools::version_compare): made it possible to compare version strings with different numbers of components.

2009-05-09  vadim  <vadim@vk.crocodile.org>

	* Resources.cpp (map): additional checks to protect against empty items created in map<string,Resources*> when we try to get a resource for a non-existent platform or host os.

2009-05-08  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::IsFirewallOrCluster): This new method compares the given object with the firewall or its parent cluster (if any). Compares only IDs of these objects. This operation is often used in compilers to check if an object in source or destination is the firewall; however, when the policy belongs to a cluster, it is the cluster object that is usually found in rules and we need a generic method to check for both conditions. This method checks whether an object is the firewall or its parent cluster.
	* PolicyCompiler.cpp (PolicyCompiler::prolog): compilers reassign position numbers to rules before compilation to protect against possible errors upstream. Positional rule numbers are almost not used anywhere except for compiler debugging.

2009-05-07  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase::_findFirewallByNameRecursive: Made this method find both Firewall and Cluster objects in the database.
	* RuleSet.cpp (RuleSet::insertRuleAtTop): methods insertRuleAtTop and appendRuleAtBottom now accept argument "hidden_rule". If this arg is true, the added new rule becomes "hidden" (using Rule::setHidden()). Method RuleSet::renumberRules() assigns negative position numbers to hidden rules

2009-04-20  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp: Additional validation to make sure Interval objects are not allowed in rule elements except for RuleElementInterval

2009-04-17  vadim  <vadim@vk.crocodile.org>

	* Cluster.cpp (Cluster::Cluster): Support for clusters of firewalls.
	* FWObjectDatabase_10.xslt: auto-upgrade transformation adds tree branch Clusters
	* VERSION: DTD version 11
	* Merging patches from Secunet Security Networks AG to add support for Secuwall firewall.
	* VERSION: start v3.1.0 branch v3_1_secunet

2009-04-09  vadim  <vadim@vk.crocodile.org>

	* VERSION: start v3.0.5

2009-04-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* v3.0.4 released, merged to the trunk, this comment is r256

2009-03-29  vadim  <vadim@vk.crocodile.org>

	* v3.0.4 release

2009-03-25  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElementTSrv::validateChild): fixed bug #2712575: "NAT RuleSetView allows TagService to be in Translated Svc". TagService object should not be allowed in "Translated Service" in NAT rules.

2009-02-21  vadim  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_REVISION): because of internal changes in libfwbuilder in v3.0.4, bumping up so version to 8.2.0

2009-02-17  vadim  <vadim@vk.crocodile.org>

	* Management.cpp (Management::fromXML): fixed bug #2609796 "internal object Management does not accept ipv6 address". Class Management should accept ipv6 address.

2009-01-23  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_search.cpp (FWObjectDatabase::findWhereObjectIsUsed): fixes for bug #2412334: "feature request: where used -> directly". Function FWObjectDatabase::findWhereObjectIsUsed returns a set of pointers FWObject*. These pointers can be either the parent of the given object, or FWReference objects pointing to it. Note the change: in previous versions this function tried to clean up the returned set and replaced references with pointers to the group or rule that owns those references. This substitution is in fact task-specific and should be done in the caller.
	* DNSName.cpp (DNSName::loadFromSource): fixed bug #2526193: "typo in error message"

2009-01-10  vadim  <vadim@vk.crocodile.org>

	* fwbuilder/snmp.cpp (SNMPVariable::create): using SNMPVariable_Bits for snmp responses of type OBJECT_ID. This is used in getAddressAndNetmask for IP-MIB data.
	* fwbuilder/snmp.cpp (SNMPVariable_Bits::toString): This class of SNMP variable now returns a dot-separated text representation of its value.
	* InterfaceData.cpp (InterfaceData::InterfaceData): Converted InterfaceData to a proper class with constructors and destructor. Member addr_mask is now a list of InetAddrMask* so that it can contain both InetAddrMask and Inet6AddrMask objects.
	* snmp.cpp (SNMPQuery::getAddressAndNetmask): bug #2023261 "IPv6 - SNMP discovery of interfaces not working for IPv6". SNMP discovery can now read IPv6 addresses of interfaces using IP-MIB RFC4293. Not all snmp agents support this MIB; for example, only recent versions of net-snmp support it.
	* snmp.cpp: code reformatting and refactoring in many places.

2009-01-02  vadim  <vadim@vk.crocodile.org>

	* RoutingCompiler.cpp (rItfChildOfFw::processNext): using FWObject::isChildOf() instead of a custom implementation.

2008-12-27  vadim  <vadim@vk.crocodile.org>

	* CustomService.h (libfwbuilder): feature requests #1111267 "CustomService should specify protocol and parameters for it" and #2463048 "custom services should have IPv4/v6 setting". Added attributes "protocol" and "address_family" to the CustomService object. Corresponding XML attributes are "#IMPLIED"; this helps avoid having to provide an XSLT auto-upgrade script for this version. Class CustomService returns "any" for the protocol and "ipv4" for the address family if these attributes are missing.
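Three of the entries above are about what happens to an IPv4 address string on its way in: fwbuilder:ticket:1328 (2010-03-23), where inet_cidr_pton_ipv4 left the last octet of an incomplete address such as "1.0.0" holding uninitialized memory; #112 (2009-06-23), where atoi() could not tell a fully converted string from one with trailing garbage; and bug #2796760 (2009-05-28), where an interface's security level is guessed from whether its address is private. The parser below is an added example and not libfwbuilder code. It zero-initialises every octet before parsing, uses strtol() with an end pointer so that leftover characters are rejected, and guesses a security level the way the 2009-05-28 entry describes, with one assumption: "private address space" is taken to mean the RFC 1918 blocks 10/8, 172.16/12 and 192.168/16 (the entry does not list them).

```cpp
// Added example, not part of libfwbuilder: strict IPv4 parsing that accepts
// incomplete addresses ("1.0.0") with zeroed missing octets, rejects trailing
// junk via strtol()'s end pointer, and a security-level guess for the result.
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>

struct IPv4 { uint8_t octet[4]; };   // always fully initialised by parse_ipv4()

// Parse one decimal octet at `p`; on success advance `p` past it.
static bool parse_octet(const char*& p, uint8_t& out) {
    if (*p < '0' || *p > '9') return false;   // strtol would skip whitespace and a sign; we do not
    char* end = nullptr;
    errno = 0;
    long v = std::strtol(p, &end, 10);
    if (errno != 0 || end == p || v < 0 || v > 255) return false;
    out = static_cast<uint8_t>(v);
    p = end;                                  // the end pointer is what atoi() never gave us (#112)
    return true;
}

// Accepts 1 to 4 dot-separated octets. Missing trailing octets are zero, so
// "1.0.0" parses as 1.0.0.0 deterministically instead of reading stack
// garbage (the ticket:1328 failure). Returns nullopt for any malformed input.
std::optional<IPv4> parse_ipv4(const std::string& text) {
    IPv4 addr{{0, 0, 0, 0}};                  // zero-initialise up front: this is the fix
    const char* p = text.c_str();
    for (int n = 0; n < 4; ++n) {
        if (!parse_octet(p, addr.octet[n])) return std::nullopt;
        if (*p != '.') break;
        ++p;                                  // a dot must be followed by another octet
    }
    if (*p != '\0') return std::nullopt;      // leftover text: "1.2.3.4x", "1.2.3.4.5"
    return addr;
}

// Host-order 32-bit value for comparisons and masking.
uint32_t ipv4_to_u32(const IPv4& a) {
    return (uint32_t(a.octet[0]) << 24) | (uint32_t(a.octet[1]) << 16) |
           (uint32_t(a.octet[2]) << 8) | uint32_t(a.octet[3]);
}

// Security level as in the 2009-05-28 entry: 0 (insecure) by default, 100
// for an address from the private space. RFC 1918 ranges are this example's
// assumption about what "private address space" means.
int guess_security_level(const IPv4& a) {
    uint32_t v = ipv4_to_u32(a);
    bool rfc1918 = (v & 0xFF000000u) == 0x0A000000u ||   // 10.0.0.0/8
                   (v & 0xFFF00000u) == 0xAC100000u ||   // 172.16.0.0/12
                   (v & 0xFFFF0000u) == 0xC0A80000u;     // 192.168.0.0/16
    return rfc1918 ? 100 : 0;
}

// The #112 pitfall side by side: atoi("12abc") quietly yields 12, while the
// strtol-based octet parser reports that "abc" was left unconsumed.
bool atoi_accepts_junk(const char* s) { return std::atoi(s) == 12; }
bool strict_octet_accepts(const char* s) {
    const char* p = s;
    uint8_t o = 0;
    return parse_octet(p, o) && *p == '\0';
}
```

Leading zeros ("012") are read as decimal 12 here; inet_aton-style parsers treat them as octal, so a dialog that feeds user input to both a GUI validator and the C library should pick one convention and reject the other explicitly.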
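Bug #2800625 (2009-06-03 above) is a compiler that never terminated when a group contained itself. The code below is an added example, not libfwbuilder's recursiveGroupsInRE processor: groups are modelled as a name-to-members map, any name absent from the map is a leaf object, and expansion first runs a depth-first cycle check so that a self-referencing group (directly, or through a chain of subgroups, which is a slightly broader condition than the one-group case the entry names) is reported as an error rather than looped over. The sample group table is constructed for the example.

```cpp
// Added example, not part of libfwbuilder: group expansion guarded by cycle
// detection, so a group that (transitively) includes itself cannot hang the
// compiler. Names missing from the table are leaf objects.
#include <map>
#include <set>
#include <string>
#include <vector>

using GroupTable = std::map<std::string, std::vector<std::string>>;

// Depth-first search with an "on current path" set: re-entering a group that
// is still on the path means a cycle. `done` marks groups fully explored
// without a cycle, so shared subgroups are not re-walked.
static bool has_cycle(const GroupTable& t, const std::string& cur,
                      std::set<std::string>& onpath, std::set<std::string>& done) {
    auto it = t.find(cur);
    if (it == t.end()) return false;               // leaf object
    if (done.count(cur)) return false;             // already proven acyclic
    if (!onpath.insert(cur).second) return true;   // back edge: cycle
    for (const auto& member : it->second)
        if (has_cycle(t, member, onpath, done)) return true;
    onpath.erase(cur);
    done.insert(cur);
    return false;
}

bool is_recursive_group(const GroupTable& t, const std::string& group) {
    std::set<std::string> onpath, done;
    return has_cycle(t, group, onpath, done);
}

// Flatten a group into its leaf members. Returns false, without looping, if
// the group is recursive; the caller should attach an error to the rule.
// A subgroup reachable through two parents is expanded once.
bool expand_group(const GroupTable& t, const std::string& group,
                  std::set<std::string>& leaves) {
    if (is_recursive_group(t, group)) return false;
    std::vector<std::string> stack{group};
    std::set<std::string> seen;
    while (!stack.empty()) {
        std::string cur = stack.back();
        stack.pop_back();
        auto it = t.find(cur);
        if (it == t.end()) { leaves.insert(cur); continue; }
        if (!seen.insert(cur).second) continue;
        for (const auto& member : it->second) stack.push_back(member);
    }
    return true;
}

// Constructed sample data: "servers" and "dmz" include each other,
// "self" includes itself, "ok" is a healthy two-level group.
GroupTable sample_groups() {
    return {
        {"servers", {"web", "db", "dmz"}},
        {"dmz",     {"mail", "servers"}},
        {"self",    {"self"}},
        {"ok",      {"web", "dmz2"}},
        {"dmz2",    {"mail", "web"}},
    };
}
```

The check is deliberately separate from the expansion: the expansion's own `seen` set would also stop an infinite loop, but it would silently produce a flattened list for a data file that is malformed, whereas the entry describes this condition as an error the compiler should surface.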
2008-12-25  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::_expandAddressRanges): using FWObjectDatabase::createClass methods to create rules and other objects in compilers wherever the type is known at (code) compile time. This makes the code cleaner and speeds it up a little because of the eliminated cast() and string comparison.

2008-12-24  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase_create_object.cpp (init_create_methods_table): using a table of pointers to methods that create objects of different types to dispatch calls to createFWObjectClass methods and avoid long chains of "if" operators that compare type names.
	* FWObjectDatabase_create_object.cpp (CALL_CREATE_OBJ_METHOD): added a bunch of FWObjectDatabase::createClass methods for all known object types to create objects of the corresponding class and return a pointer to it. This provides a way to create an object without excessive use of dynamic_cast() and many 'if' operators to compare type names.

2008-12-23  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::FWObject): Code refactoring and cleanup. Constructor that attaches a new object to the tree takes as argument a pointer to FWObjectDatabase instead of a pointer to FWObject. This helps eliminate some unnecessary cast().
	* InetAddrMask.cpp (InetAddrMask::dimension): fixed bug #2462927: "ip6tables: objects with netmask /32 lose netmask in script". InetAddrMask::dimension() returned an incorrect value for ipv6 addresses with mask <= 32.

2008-12-22  vadim  <vadim@vk.crocodile.org>

	* ObjectMatcher.h (libfwbuilder): refactored methods Compiler::complexMatch() and similar into separate class ObjectMatcher in fwbuilder. Using the double dispatch pattern to properly dispatch calls depending on the object type to avoid multiple 'if' by object type.

2008-12-15  vadim  <vadim@vk.crocodile.org>

	* RuleSet.h (libfwbuilder): changes for bug #2431602: "Feature request: Unified policies (IPv4/v6)". RuleSet object now has two variables that define which address family it should be compiled for - ipv4 or ipv6. It is possible to have both set, in which case the same ruleset will be compiled for both address families. Compilers already drop address objects that do not match the address family of the ruleset; this means a ruleset can contain a mix of ipv4 and ipv6 objects and the compiler can produce two correct policies from the same rules. The new attribute of the RuleSet object is "implied" in the XML DTD for backward compatibility.

2008-12-13  Vadim Kurland  <vadim@vk.crocodile.org>

	* VERSION (VERSION): started v3.0.4
	* v3.0.3 released, merged to the trunk, this comment is r229

2008-12-08  Vadim Kurland  <vadim@vk.crocodile.org>

	* DNSName.cpp (DNSName::DNSName): Need to set default values for the "dnsrec" and "dnsrectype" attributes because they must be preset to satisfy the DTD.

2008-12-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): additional fixes in the algorithm that recursively copies an object subtree between different data files. Making sure we do not create duplicates of groups referred to by other groups.

2008-12-05  User Vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::toString): Should use bits==128 because inet_net_ntop_ipv6 on FreeBSD applies a mask constructed from the bits argument to the result, so with bits==0 it always returned "::/0"

2008-12-02  Vadim Kurland  <vadim@vk.crocodile.org>

	* FWObjectDatabase_tree_ops.cpp (recursivelyCopySubtree): fixed bug #2375327: "Crash copying multiple groups between different data files". Using a better algorithm to copy objects between different data files.
	* FWObjectDatabase_tree_ops.cpp (_recursivelyCopySubtree): Implemented an additional check for object duplicates while copying objects. The problem happened when several objects were copied in a batch operation (e.g. when the user selected several objects in the GUI and then used copy/paste to copy them all). If some of these objects were groups that referred to other objects from the same batch, the program would copy the object and then create another copy of it when it copied the group using it. To avoid such multiplication it now creates a special hidden attribute in the object when it makes a copy to keep track of the original object. When the same original object needs to be copied again, the program can find its copy in the target data tree using this attribute. This creates another problem because the attribute used to track the original object is persistent for the duration of the program run. The scenario that leads to this is as follows: user copies object A, modifies it and then copies group B using the original of A. The end result is that the program does not recognize that the copy of A has changed and makes the copy of group B use it anyway. This means the new group points at modified object A. This can not be easily fixed because we do not have a "last_modified" attribute in each object.

2008-12-01  User Vadim  <vadim@vk.crocodile.org>

	* Started v3.0.3
	* v3.0.2 released, merged -r195:221 to trunk. This changelog record is in rev 223

2008-11-28  User Vadim  <vadim@vk.crocodile.org>

	* InetAddr.cpp (InetAddr::toString): Our included copy of inet_net_ntop does not add "/netmask" to IPv6 addresses if argument #3 (bits) is -1. However, the same function included in libc on FreeBSD returns EINVAL for bits=-1. It appears the function in libc in FreeBSD is based on the same code as our copy, but has been updated and instead of doing the check "if ((bits < -1) || (bits > 128))" probably checks for (bits < 0). Because of this, the fwbuilder GUI crashed when the user tried to create an IPv6 network object on FreeBSD. To fix, will use bits=0 in the call to inet_net_ntop in InetAddr::toString and then strip the /0 that inet_net_ntop adds to the generated string. Both our copy of inet_net_ntop and the one shipped with FreeBSD add "/0" consistently, so this works on all platforms.
2008-11-15 Vadim Kurland <vadim@vk.crocodile.org> * AddressTable.cpp (AddressTable::AddressTable): fixed bug# 2293052 "Saving file with empy AddressTable produces corrupt XML". When new AddressTable object is created, its "filename" attribute is empty. If data file was saved right after such new AddressTable object was created, resultant file could not be loaded back into the program becaise it violated XML DTD. 2008-11-01 vadim <vadim@vk.crocodile.org> * fwbuilder/Rule.cpp (PolicyRule::PolicyRule): create rule elements exactly in the order defined by the DTD. Incorrect order caused errors in compilers ever since getSrc, getDst and other methods that return rule elements depend on the order. 2008-10-21 vadim <vadim@vk.crocodile.org> * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): Optimisations in the code that detects rule shadowing. Combined with conversion of the most used rule and rule element attributes to class member variables, this yields improvement in shadowing detection of about x5. * RuleElement.h (class RuleElement): converted "neg" from dictionary item to class member variable to improve performance of policy compilers * Rule.h (class PolicyRule): converted "action" and "direction" from dictionary items to class member variables to improve performance of policy compilers. 2008-10-20 vadim <vadim@vk.crocodile.org> * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): Using internal caching to speed-up shadowing detection. This cuts time of shadowing detection almost in half for large policies with many rules. * dns.cpp (list): getHostByName() used to insert duplicate IP addresses into the list of the results. Now making sure ip addresses in the result are unique. * Compiler.cpp (Compiler::_expand_addr_recursive): change in the algorithm used to decide which interfaces of the host or firewall object to use in a rule when this host or firewall object is found in source or destination. 
Previously, compiler would skip loopback interface unless user associated the rule with loopback by putting it in the "Interface" rule element. This made it impossible to create rules with address 127.0.0.1 in destination but attached to interface other than loopback (such rule is used for transparent proxy configuration). Now if user explicitly put loopback interface object into rule element, we always keep it. However when compiler expands interfaces from a host or firewall object, it will skip loopback as before, unless the rule is attached to loopback interface. 2008-10-18 vadim <vadim@vk.crocodile.org> * Address.cpp (Address::countInetAddresses): Added virtual method countInetAddresses() that returns total number of IP addresses given object has, counting all its children. 2008-10-13 Vadim Kurland <vadim@vk.crocodile.org> * Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): explicitly checking for RuleElement and Rule objects in the set returned by findWhereUsed, this makes check if the object is used by the firewall slightly faster. 2008-10-11 Vadim Kurland <vadim@vk.crocodile.org> * PolicyCompiler.cpp (PolicyCompiler::prolog): assign name of the source rule set to combined_ruleset and temp_ruleset * FWObject.h (libfwbuilder): made getRO() public so it can be called from the GUI. * fwbuilder/XMLTools.cpp (XMLTools::readFile): Added support for compressed data files. The flag that controls compression on save is supposed to be set outside the API (in the GUI, via call to xmlSetCompressMode()). The API uses gzopen, gzread routines to read the file and therefore can transparently read both compressed and uncompressed .fwb files. 2008-10-05 vadim <vadim@vk.crocodile.org> * VERSION: started 3.0.2 2008-10-04 Vadim Kurland <vadim@vk.crocodile.org> * v3.0.1 released Oct 4, 2008. 
Merged branch "v3" r181:195 to trunk 2008-09-25 Vadim Kurland <vadim@vk.crocodile.org> * FWObject.cpp (FWObject::setInt): fixed bug #2128261: "fwbuilder thinks the file has changed when opened read-only". Operation "find where used" triggered "dirty" flag on the object tree even though it does not change anything. 2008-09-24 Vadim Kurland <vadim@vk.crocodile.org> * Network.cpp (Network::Network): set netmask to /32 when new Network object is created. This used to be the default in fwbuilder v2.1. New default of 0.0.0.0 appears to be confusing and error-prone, by user's requests changing default back to /32. * FWObjectDatabase.cpp (FWObjectTreeScanner::merge): at one point I've got bunch of data files where DeletedObjects library contained references to objects. This should not happen, but at the same time this is valid file structure so the code should be able to handle it. This change will make merge() just copy contents of the DeletedObjects library without asking the user. 2008-09-21 Vadim Kurland <vadim@vk.crocodile.org> * FWObject.cpp (FWObject::fromXML): converted attribute "ro" (read-only) from a dictionary variable to the member variable of class FWObject. We check read-only status of objects very often and dictionary lookups were slowing compiler down considerably. * FWObjectDatabase.cpp (FWObjectDatabase::getStringId): generate unique string object id on demand instead of in the call to generateUniqeueId. This helps speed up compiler operations by a factor of about 3 because we generate unique int ID every time object is created or copied, yet string ID is only needed when object is stored in external XML file. Also using sprintf to assemble string ID, it works faster than ostringstream. * RoutingCompiler.cpp (reachableAddressInRGtw::processNext): fixed crashes in RoutingCompiler that happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it. 
* RoutingCompiler.cpp (rItfChildOfFw::processNext): fixed compiler error "Error (iptables): The object "eth0" used as interface in the routing rule 0 (main) is not a child of the firewall the rule belongs to!" that also happened because Routing ruleset object being processed is disconnected from the firewall parent at the time compiler works with it. * Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): added code to break infinite loop that happens when a group references itelf. * FWObjectDatabase.cpp (FWObjectDatabase::_findWhereUsed): fixed findWhereUsed 2008-09-16 Vadim Kurland <vadim@vk.crocodile.org> * IPv4.cpp (IPv4::fromXML): filter addresses and strip leading and trailing whitespaces and other non-digit characters before converting to InetAddr. This will help with annoying problem where v2.1 allowed such characters in address attributes of Address objects but v3.0 applies strict checks during file load and rejects such data files. 2008-09-13 Vadim Kurland <vadim@vk.crocodile.org> * FWObjectDatabase.cpp (FWObjectDatabase::_findWhereUsed): fixed bug #2090332: "Where used search function does not always work.". WhereUsed function could not find firewall if it was used in its own rules. 2008-09-10 Vadim Kurland <vadim@vk.crocodile.org> * Firewall.cpp (Firewall::validateChild): making sure Firewall object has only one Routing child object. 2008-09-06 Vadim Kurland <vadim@vk.crocodile.org> * v3.0.0 released Sep 1, 2008. Merged branch "v3" r180 to trunk 2008-08-23 Vadim Kurland <vadim@vk.crocodile.org> * FWObject.cpp (FWObject::toXML): moved saving of XML attributes name and comment from FWObject::toXML to implementations of this virtual method in all classes that are supposed to have name and comment. Reason: name was initialized to empty string and FWObject::toXML did not save it to XML file if it was empty. 
This was done because some objects do not have name attribute per DTD, but all classes called FWObject::toXML (their base class) as part of their implementation of toXML. There were several classes that did not have their own implementation of this method and solely relied on FWObject::toXML. This caused problems when user created an object with empty name because it was saved into XML file w/o attribute name which violated DTD. Now each class that must have name or comment takes care of saving these attributes, and those that do not have it simply do not save it in their implementation of toXML. 2008-08-18 Vadim Kurland <vadim@vk.crocodile.org> * Compiler.cpp (Compiler::complexMatch): fixed bug (no #): policy compiler for iptables used chain OUTPUT instead of FORWARD if NetworkIPv6 was used in "source". * Compiler.cpp (Compiler::checkIfAddressesMatch): comparing both ipv4 and ipv6 addresses while searching for interface that matches given address. 2008-08-15 Vadim Kurland <vadim@vk.crocodile.org> * AddressTable.cpp (AddressTable::loadFromSource): when AddressTable object loads addresses from external file that contains mixed set of ipv4 and ipv6 addresses, it picks only addresses that belong to the same address family as that of the policy being compiled. So, if it compiles ipv4 policy, it loads only lines that look like ipv4 address (have a "." in them). If it compiles ipv6 policy, it loads only lines that look like ipv6 address (have a ":" in them). Lins that contain addresses that do not match address family are ignored. * Preprocessor.cpp (Preprocessor::isUsedByThisFirewall): fixed bug #2051629: "group with dns names are handled as empty". This bug triggered when object group that consisted of DNSName objects set to resolve at compile time was used in policy rule and at the same none of these DNSName objects were used in rules. If an object from the group was itself used in a rule, compiler properly converted it to address. 
But object was never used in rules by itself, it was not converted. 2008-08-12 Vadim Kurland <vadim@vk.crocodile.org> * Tools.cpp: Getting rid of sprintf, using ostringstream * Rule.cpp (PolicyRule::removeRef): fixed bug #2047991 "Drag & Drop in CHAIN actions, version 3". THe bug report consits of 3 parts, part 3 is "When I change the Action from CHAIN to ACCEPT and switch it back to CHAIN it still shows the last policy target I used. EVEN WHEN I DELETED this object meanwhile. I manually have to remove the policy object from the properties of the CHAIN action.". PolicyRule::removeRef removes references to RuleSets and TagSErvice objects from rule options when corresponding RuleSet or TagService object is deleted. 2008-08-03 Vadim Kurland <vadim@vk.crocodile.org> * Address.h (libfwbuilder): removed return type qualifier "const" from bool HasInetAddress() (no point in making it "const bool"). Gcc 4.3 issued warning on this 2008-07-27 Vadim Kurland <vadim@vk.crocodile.org> * FWObject.cpp (FWObject::replaceRef): moved replaceRef method from Firewall to FWObject so it can be used for both firewalls and groups. * FWObject.cpp (FWObject::findDependencies): method that generates list of pointers to the objects referenced by <this>, such asobjects used in rules and groups. 2008-07-26 Vadim Kurland <vadim@vk.crocodile.org> * FWObjectDatabase.cpp (FWObjectDatabase::init_id_dict): registering standard string ids for standard objects, deleted objects and templates libraries. 2008-07-21 Vadim Kurland <vadim@vk.crocodile.org> * fwbuilder.pro: removed unnecessary override in target.path to make it install in a proper place on 64 bit machines' * Applied patch for gcc 4.3 per bug #2023676: "libfwbuilder does not build against gcc 4.3". 2008-07-20 Vadim Kurland <vadim@vk.crocodile.org> * NetworkIPv6.cpp (NetworkIPv6::NetworkIPv6): per bug #2023140: "Default prefix for IPv6 addresses" setting default netmask to /64 for NetworkIPv6 object. 
2008-07-18 Vadim Kurland <vadim@vk.crocodile.org> * InetAddrMask.cpp (InetAddrMask::dimension): InetAddrMask::dimension returns MAXINT for netmask==0 and netmasks with length > 32 (in case of ipv6). Need double long and special integer arithmetics to calculate real dimension for ipv6 address/mask combinations with "short" masks. MAXINT should be good enough for our purposes for now. 2008-07-17 Vadim Kurland <vadim@vk.crocodile.org> * dns.cpp (list): Using getaddrinfo on all platforms to perform dns lookup for different address families (AF_INET or AF_INET6). It looks like for it to work on Windows Vista machine needs to be configured with routable ipv6 addresses. When machine only had Link-local address on fe80:: net, even when ipv6 was enabled, getaddrinfo sent proper dns request for AAAA record, got reply but did not pass it back to the application. Once machine was configured with routable ipv6 address, getaddrinfo started working as expected. This problem was not observed on Linux and Mac OS X. 2008-07-08 vadim <vadim@vk.crocodile.org> * fwcompiler.pro (LIBS): need to include -lfwbuilder while linking fwcompiler library on all Unix platforms because of the linker option -Wl,-Bsymbolic-functions . Discovered this on Ubuntu Hardy where libsnmp adds this option via net-snmp-config --libs 2008-07-07 Vadim Kurland <vadim@vk.crocodile.org> * RuleSet.cpp (RuleSet::shallowDuplicate): Added support for attribute top_rule_set in class RuleSet * fwbuilder.dtd.in: Added attribute "top_rule_set" to Policy, NAT and Routing elements 2008-07-06 Vadim Kurland <vadim@vk.crocodile.org> * RuleSet.cpp (RuleSet::fromXML): added support for attribute ipv6_rule_set in class RuleSet * fwbuilder.dtd.in: Added attribute "ipv6_rule_set" to elements Policy, NAT and Routing 2008-07-05 Vadim Kurland <vadim@vk.crocodile.org> * Compiler_ops.cpp (fwcompiler::checkForShadowing): taking into account attributes "tos" and "dscp" while considering IPService objects for shadowing. 
* fwbuilder.dtd.in: Added attributes for TOS and DSCP codes to IPService xml element 2008-07-02 Vadim Kurland <vadim@vk.crocodile.org> * InterfaceData.h (libfwbuilder): InterfaceData moved from fwbuilder to libfwbuilder; using InterfaceData in snmp crawler instead of creating temporary Interface objects. 2008-07-01 Vadim Kurland <vadim@vk.crocodile.org> * ICMP6Service.cpp (ICMP6Service::ICMP6Service): Added class ICMP6Service * fwbuilder.dtd.in: Added XML element ICMP6Service 2008-06-28 Vadim Kurland <vadim@vk.crocodile.org> * dns.cpp (DNS::getHostByAddr): class DNS has been radically simplified. Hard to support functions to get NS records and DNS zone tranfer have been removed. This class now only provides convenience wrappers around gethostbyname2 and gethostbyaddr functions. Wrapper functions now accept parameter that defines address family type (AF_INET or AF_INET6). * configure.in (HAVE_GOODLIBRESOLV): remove checks for thread-safe dns libraries, these are not widely used and the code was hard to maintain. * dns.cpp: get rid of compile warnings * DNSName.cpp (DNSName::loadFromSource): throw exception if compile-time DNSName object can not resolve dns record. 2008-06-08 Vadim Kurland <vadim@vk.crocodile.org> * merged branch "id-experiment" r98:HEAD * Rule.cpp (PolicyRule::getSrc): Caching pointers to rule elements in PolicyRule to avoid calls to getFirsTByType if possible * TCPUDPService.h (libfwbuilder): source and destination port ranges are stored as class member variables for tcp and udp services. 2008-06-07 Vadim Kurland <vadim@vk.crocodile.org> * FWReference.h (libfwbuilder): this class uses integer id of objects it points to. It keeps id (and its string representation) as class member variables to avoid access to the attribute map which should speed it up. 
Using postponed initialization to associate integer id with string id read from XML file (because by the time this class reads itself from XML file not all objects can be loaded yet so it is possible that the id of the object it points to is yet unknown). * FWObject.h (libfwbuilder): ID of all objects that inherit FWObject is now represented by an integer. String ID used in XML file is stored in a dictionary and used again when object is stored back in XML. However all internal operations with objects use integer ids * Changes to support integer object IDs everywhere. 2008-06-05 Vadim Kurland <vadim@vk.crocodile.org> * Compiler_ops.cpp (fwcompiler::checkForShadowing): compilers will include TagService and UserService in the rule shadowing analysis * VERSION (LIBFWBUILDER_CURRENT): Library so version set to 8.0.0 to allow for simultaneous installation of fwbuilder 2.1 and fwbuilder 3.0 * Compiler.cpp (Compiler::getErrors): compilers accumulate error and warning messages the generate in an internal buffer; these messages can later be added to the generated script. 2008-06-04 Vadim Kurland <vadim@vk.crocodile.org> * FWObjectDatabase_7.xslt, FWObjectDatabase_8.xslt: autoupgrade scripts that create missing TagService objects for all Tag actions. Scripts check if TagService element with required tagvalue attribute already exists in the same library and do not create duplicates. Also suppress duplicates if many rules use the same tag value. Duplicate TagService objects are not created inside of each library, but TagService objects with the same codes will be created if firewalls in different libraries need them. All rules with action Tag have their option "tagvalue" replaced with option "tagobject_id" pointing at existing or create TagService objects in the same library. 2008-05-31 Vadim Kurland <vadim@vk.crocodile.org> * InetAddr.cpp (InetAddr::init_from_string): Constructors of InetAddr accept string that represent just a number (with no '.' 
or ':' characters), which is interpreted as netmask length. Call to constructor with such string is equivalent to the constructor InetAddr(int). 2008-05-23 Vadim Kurland <vadim@vk.crocodile.org> * InetAddr.h (libfwbuilder): Class InetAddr represents both IPv4 and IPv6 addresses (depending on its member variable address_family). This simplifies design of the operators that perform address manipulations. The reason is that these operators should not modify object they are called with but rather return temporary object. The address family of this temporary object depends on address family of arguments, which makes it hard to use virtual operators. 2008-05-22 Vadim Kurland <vadim@vk.crocodile.org> * Changes for IPv6 support. All compilers and OSConfigurator classes now accept paraeter "bool ipv6_policy" to the constructor, which sets address familiy the compiler should process rules for. Supporting functions to allow rule processors ExpandMultipleAddresses, ExpandGroups and others to pick only those address objects that match current address familiy. 2008-05-18 Vadim Kurland <vadim@vk.crocodile.org> * Address.h (libfwbuilder): removed methods Address::getAddress and Address::getNetmask, will only use methods getAddressPtr() and getNetmaskPtr() (this way I can distinguish situation when a high level address object such as Interface does not have any child address objects). 2008-05-11 Vadim Kurland <vadim@vk.crocodile.org> * FWObjectDatabase_5.xslt: auto-upgrade transformation to set data format version to 6 and add tree branch for UserService objects. * VERSION (FWBUILDER_XML_VERSION): set current data format version to 6 * UserService.cpp (UserService::UserService): Added class UserService * fwbuilder.dtd.in: Added UserService XML element 2008-05-08 vadim <vadim@vk.crocodile.org> * PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): partial fix for bugs #1789059 "shadow issue when using action chain" and #1945149: "Shadowing test for rules with action "chain". 
The mechanism for rule shadowing detection we have at this time can only detect shadowing of one rule by another. In case of branching it is a combination of the branching rule and rules inside the branch that may shadow other rules. I plan to redesign this part of the code in the future, but it won't happen in upcoming v3. Meanwhile, I am fixing it in 2.1 by making compiler ignore rules with action Branch. 2008-04-28 Vadim Kurland <vadim@vk.crocodile.org> * fwbuilder.dtd.in: Now there can be multiple child Policy and NAT elements under Firewall element. Branch rule sets move from child element under PolicyRule to under Firewall. Elements Policy and NAT will now have the same set of "standard" attributes as other objects, this includes name, comment, id and ro. Migration xslt script adds attribute "name" with value "Policy" to all Policy elements except branch rulesets. Branch rulesets are moved from under PolicyRule to under Firewall and their name is taken from the PolicyRuleOptions/Option with name "branch_name". NAT elements get attribute "name" with value "NAT" (we never had NAT branches so far). 2008-04-21 Vadim Kurland <vadim@vk.crocodile.org> * DNSName.cpp (DNSName::fromXML): added support for attribute dnsrectype in DNSName object. If this attribute is missing in XML file, it is assumed to be "A" and will be inserted when object is saved back to XML * fwbuilder.dtd.in: changes for ipv6: added elements IPV6 and NetworkIPv6, new attribute dnsrectype for element DNSName * NetworkIPv6.cpp: class to represent ipv6 network * IPv6.cpp: class to represent IPv6 address * AddressTable.cpp (AddressTable::loadFromSource): preparing for ipv6: AddressTable object can read ipv6 addresses from file. 
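An added illustration in C++ (not libfwbuilder's own code) of the two parsing rules recorded in the entries above: the 2008-05-31 InetAddr entry, where a digits-only string is taken as a netmask length, and the 2008-08-15 AddressTable::loadFromSource entry, where only lines of the address family being compiled are kept. All type and function names here are invented; the inet_pton validation, the ":"-before-"." ordering and the "first token only" handling are assumptions of this example, not behaviour the entries describe.

```cpp
#include <arpa/inet.h>
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

enum class AddrKind { None, PrefixLen, IPv4, IPv6 };

struct ParsedAddr {
    AddrKind kind;
    int prefixLen;            // set when kind == PrefixLen
    unsigned char bytes[16];  // network-order address when kind is IPv4/IPv6
};

// Strip leading/trailing whitespace, as the IPv4::fromXML entry does before conversion.
static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Classify one token: digits only means a prefix length (the InetAddr(int) case),
// ":" means ipv6, "." means ipv4. The inet_pton check is an extra validation step
// added by this example. family bounds a bare prefix length: 32 for AF_INET,
// 128 for AF_INET6.
ParsedAddr parseAddrToken(const std::string& raw, int family) {
    ParsedAddr r;
    r.kind = AddrKind::None;
    r.prefixLen = -1;
    std::memset(r.bytes, 0, sizeof r.bytes);
    std::string s = trim(raw);
    if (s.empty()) return r;
    if (s.find_first_not_of("0123456789") == std::string::npos) {
        if (s.size() > 3) return r;               // cannot be a valid prefix length
        int n = std::stoi(s);
        if (n > (family == AF_INET6 ? 128 : 32)) return r;
        r.kind = AddrKind::PrefixLen;
        r.prefixLen = n;
    } else if (s.find(':') != std::string::npos) {
        // ':' is checked first so an IPv4-mapped address like ::ffff:10.0.0.1 is ipv6
        if (inet_pton(AF_INET6, s.c_str(), r.bytes) == 1) r.kind = AddrKind::IPv6;
    } else if (s.find('.') != std::string::npos) {
        if (inet_pton(AF_INET, s.c_str(), r.bytes) == 1) r.kind = AddrKind::IPv4;
    }
    return r;
}

// Netmask bytes for a prefix length in either family (what InetAddr(int) builds),
// filling whole bytes and then the partial byte, high bit first.
void prefixToMaskBytes(int prefixLen, int family, unsigned char out[16]) {
    int total = (family == AF_INET6) ? 128 : 32;
    std::memset(out, 0, 16);
    for (int bit = 0; bit < prefixLen && bit < total; ++bit)
        out[bit / 8] |= static_cast<unsigned char>(0x80 >> (bit % 8));
}

// The loadFromSource selection: from the text of an address-table file, keep only
// the addresses of the family being compiled (ipv6_policy as in the compiler
// constructors), in file order. Lines of the other family and malformed lines are ignored.
std::vector<std::string> selectAddressesForFamily(const std::string& fileText, bool ipv6_policy) {
    std::vector<std::string> out;
    AddrKind want = ipv6_policy ? AddrKind::IPv6 : AddrKind::IPv4;
    int family = ipv6_policy ? AF_INET6 : AF_INET;
    size_t pos = 0;
    while (pos <= fileText.size()) {
        size_t nl = fileText.find('\n', pos);
        std::string line = trim(fileText.substr(pos, nl == std::string::npos ? std::string::npos : nl - pos));
        pos = (nl == std::string::npos) ? fileText.size() + 1 : nl + 1;
        // first whitespace-delimited token only; anything after it is ignored (assumption)
        std::string tok = line.substr(0, line.find_first_of(" \t"));
        if (parseAddrToken(tok, family).kind == want) out.push_back(tok);
    }
    return out;
}

int main() {
    // Constructed sample table with both families, a malformed line and a blank line.
    const std::string table = "10.0.0.1\n2001:db8::1\n192.0.2.0\n10.0.0.300\n\n fe80::1 \n";
    for (const std::string& a : selectAddressesForFamily(table, false)) std::cout << "v4 " << a << '\n';
    for (const std::string& a : selectAddressesForFamily(table, true))  std::cout << "v6 " << a << '\n';
    return 0;
}
```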
2007-09-02  vadim  <vadim@vk.crocodile.org>

	* 2.1.14 release

2007-08-25  vadim  <vadim@vk.crocodile.org>

	* qmake.inc.in: removed reference to @OPENSSL_CFLAGS_Q@

	* configure.in: since we do not really use openssl for anything anymore, removing module src/fwbuilder/crypto and all checks for openssl in configure.in . Note that this also makes libfwbuilder and fwbuilder free of the licensing conflict between the GPL and OpenSSL licenses (http://www.gnome.org/~markmc/openssl-and-the-gpl.html )

2007-07-18  vadim  <vadim@vk.crocodile.org>

	* Rule.h (libfwbuilder): using the general data dictionary for interface_id and Interface_str

2007-07-06  vadim  <vadim@vk.crocodile.org>

	* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1740766: "lock not saved". This method now copies the value of the "ro" attribute (read-only). Clear it in the caller if necessary. Method duplicate() clears it after calling shallowDuplicate in order to be able to modify the object, then restores this attribute to its original value.

2007-06-23  vadim  <vadim@vk.crocodile.org>

	* v2.1.12 release

2007-05-22  vadim  <vadim@vk.crocodile.org>

	* RuleElement.cpp (RuleElementItf::validateChild): permit an objectgroup in the "Interface" rule element if all members of the group are Interface objects.

2007-05-09  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TODO): Added attribute "unprotected" for Interface. If this attribute is True, compilers should skip this interface while assigning ACLs or policy rules.

2007-05-07  vadim  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: Added support for boolean attribute 'established' in TCPService. When this attribute is set to True, compilers should generate code to match TCP packets with the port ranges defined in the object and the ACK or RST flags set. If the platform provides a special option for this (typically called "established"), it should be used.

	* FWObjectDatabase_2.1.11.xslt: working on bugs #1676635: "no way to match on state if the action is drop" and #1671910: "2.1.8 In 'Branch' acton compiler doesn't insert NEW stanza". Adding rule option 'stateless=True' for rules with action NOT 'Accept' or 'Tag'. This is consistent with the current hard-coded behavior of policy compilers that treat all other actions as stateless by default. This change provides a way for the user to override that.

	* FWObjectDatabase_2.1.11.xslt: changing existing rule option 'stateless' to True if the action qualifies.

2007-05-06  vadim  <vadim@vk.crocodile.org>

	* v2.1.12 started

2007-02-15  vadim  <vadim@vk.crocodile.org>

	* configure.in: fixed bug #1659526: "--with-openssl-prefix adds obsolete -R option"

	* v2.1.10 started

2007-01-04  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (DetectShadowingForNonTerminatingRules::processNext): bug #1618381: "CLASSIFY/MARK are non-terminating". Non-terminating rules shadow each other "backwards", that is a more general rule shadows other rules _above_ it. Added flag 'reverse' to the method find_more_general_rule and added new rule processor DetectShadowingForNonTerminatingRules that finds such cases of 'reverse' shadowing. Using it for rules in the mangle table for iptables.

2006-12-27  vadim  <vadim@vk.crocodile.org>

	* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug #1620925: "compile-time AddressTable object with empty file". A compile-time AddressTable object that uses a file with no addresses should be treated as an empty group according to the "Ignore empty groups" option. Changes are made as follows:

	- Compiler::expandGroupsInRuleElement does not call s->setAnyElement(); to set the rule element to 'any' before adding addresses from the group. This means that if the group is empty, the rule element remains empty (not even 'any', just with no children, i.e. with size()==0). Note that AddressTable::loadFromSource() leaves the AddressTable object empty if the file does not have any addresses.

	- Compiler::emptyGroupsInRE specifically checks for run-time MultiAddress objects and skips them so they won't be treated as empty groups (since they are indeed empty). Compile-time MultiAddress objects are treated as groups and the algorithm that depends on option 'ignore empty groups' is executed for both empty regular groups and empty compile-time MultiAddress objects.

2006-12-26  vadim  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_MICRO_VERSION): set version to 2.1.9

2006-12-03  vadim  <vadim@vk.crocodile.org>

	* v2.1.8 released

2006-11-09  vadim  <vadim@vk.crocodile.org>

	* set version to 2.1.8

	* Applied patch #1593186: "xslt file for 2.1.1 broken"

2006-11-06  vadim  <vadim@vk.crocodile.org>

	* Tools.cpp (libfwbuilder::cxx_strtok_r): need to initialize the winsock dll on windows, this fixes bug #1590746: "problem with using "DNS Names" objects on MS Windows"

2006-10-30  vadim  <vadim@vk.crocodile.org>

	* v2.1.7 released

2006-10-24  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::convertObject): bugfix for a fix for bug #1575355: while checking if an object is used in rules of a firewall, need to compare the firewall object's ID instead of a pointer.

2006-10-15  vadim  <vadim@vk.crocodile.org>

	* Preprocessor.cpp (Preprocessor::convertObject): fixed bug #1575355: "Compiler tries to resove deleted AddressTable objects". Using findWhereUsed to find if the MultiAddress object is used in the firewall being compiled so we don't try to resolve objects that are not used anywhere.

	* FWObjectDatabase.cpp (FWObjectDatabase::findObjectsInGroup): code refactoring: moved methods findObjectsInGroup and findWhereUsed from the GUI to the API.

2006-09-20  vadim  <vadim@vk.crocodile.org>

	* PolicyCompiler.cpp (PolicyCompiler::checkForShadowing): ignore rules with action Return while detecting shadowing

	* FWObject.cpp (FWObject::shallowDuplicate): fixed bug #1562290: "GUI crashes in discovery druid". FWObject::shallowDuplicate should add to the database index only if dbroot is defined. If dbroot==NULL, trying to copy it from parameter x of shallowDuplicate (the object we are duplicating), but need to check if dbroot is != NULL after that as well, because the object we are duplicating may not belong to any object tree. This is the case with interface objects created in SNMPQuery::fetchInterfaces

2006-09-10  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::FWObjectDatabase): reindexing the database in the copy constructor

	* a clean-up in many places where we create objects; always using FWObjectDatabase::create rather than straight 'new'

	* Added parameter 'prepopulate' to all object constructors that get the FWObject *root parameter. Objects that automatically create children objects in this constructor do so only when prepopulate==true. Calling this constructor with prepopulate==false from createFromXML because children objects will be created when they are read from the XML file.

2006-09-08  vadim  <vadim@vk.crocodile.org>

	* FWObjectDatabase.cpp (FWObjectDatabase::addToIndexRecursive): made this method public, it can be used to reindex the whole database

	* FWObjectDatabase.cpp (FWObjectDatabase::create): removed the last argument (bool with_root). Since we added autoindexing, all objects were always created with variable dbroot pointing at the database object that created them, regardless of the value of this argument. Added an argument that specifies the object's ID; this way we can create an object in FWObjectDatabase::createFromXML and set the right ID right away. Previously new objects were given unique IDs by the FWObject constructor so FWObjectDatabase would add them to the index with this ID. However the ID would then be reset to its value read from the XML file, so we ended up with lots of stale and incorrect entries in the index.
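The two search directions described in the 2007-01-04 entry above (find_more_general_rule with the 'reverse' flag for non-terminating rules) together with the action-based skipping of the 2006-09-20 and 2008-05-08 entries (Return, Branch), as an added illustration in C++ that is not libfwbuilder code. The Rule type, the "empty set means any" convention, the sample policy and all names here are constructed for this example.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified rule: an empty set in src/dst/dport stands for "any", as a rule
// element with no children does. (Constructed type, not fwbuilder's PolicyRule.)
struct Rule {
    std::string label;
    std::set<std::string> src;
    std::set<std::string> dst;
    std::set<int> dport;
    std::string action;   // Accept, Deny, Mark, Return, Branch, Route, ...
    bool terminating;     // Accept/Deny stop the walk; Mark/Classify do not
};

// "any" covers everything; a finite set covers only its subsets.
template <typename T>
static bool covers(const std::set<T>& general, const std::set<T>& specific) {
    if (general.empty()) return true;
    if (specific.empty()) return false;
    for (const T& v : specific)
        if (!general.count(v)) return false;
    return true;
}

// True when g matches every packet that s matches.
bool isMoreGeneral(const Rule& g, const Rule& s) {
    return covers(g.src, s.src) && covers(g.dst, s.dst) && covers(g.dport, s.dport);
}

// Search for a more general rule above (reverse == false) or below
// (reverse == true) rules[idx]. Candidates must be of the same kind
// (terminating or not) and must not carry an ignored action.
// Returns the index of the shadowing rule, or -1 if there is none.
int findMoreGeneralRule(const std::vector<Rule>& rules, size_t idx, bool reverse,
                        const std::set<std::string>& ignored) {
    const Rule& r = rules[idx];
    size_t begin = reverse ? idx + 1 : 0;
    size_t end = reverse ? rules.size() : idx;
    for (size_t j = begin; j < end; ++j) {
        const Rule& c = rules[j];
        if (c.terminating != r.terminating || ignored.count(c.action)) continue;
        if (isMoreGeneral(c, r)) return static_cast<int>(j);
    }
    return -1;
}

// Terminating rules are shadowed by a more general rule ABOVE them (the packet
// never reaches them). Non-terminating rules such as MARK are shadowed by a more
// general rule BELOW them: the packet keeps going and the later MARK overwrites
// the earlier one, so the earlier rule has no lasting effect.
// Returns (shadowed label, shadowing label) pairs in rule order.
std::vector<std::pair<std::string, std::string>>
detectShadowing(const std::vector<Rule>& rules, const std::set<std::string>& ignored) {
    std::vector<std::pair<std::string, std::string>> found;
    for (size_t i = 0; i < rules.size(); ++i) {
        if (ignored.count(rules[i].action)) continue;
        bool reverse = !rules[i].terminating;
        int j = findMoreGeneralRule(rules, i, reverse, ignored);
        if (j >= 0) found.emplace_back(rules[i].label, rules[j].label);
    }
    return found;
}

// Actions the changelog entries exclude from the analysis.
std::set<std::string> defaultIgnoredActions() { return {"Branch", "Return", "Route"}; }

// Constructed sample policy: a filter-style part followed by a mangle-style part.
std::vector<Rule> sampleRules() {
    return {
        {"allow-web",          {},         {"web"}, {80, 443}, "Accept", true},
        {"allow-ssh-admin",    {"admin"},  {"web"}, {22},      "Accept", true},
        {"allow-web-from-lan", {"lan"},    {"web"}, {80},      "Accept", true},   // dead: covered by allow-web
        {"deny-all",           {},         {},      {},        "Deny",   true},
        {"mark-voip",          {"phones"}, {},      {5060},    "Mark",   false},  // overwritten by mark-all-phones
        {"mark-all-phones",    {"phones"}, {},      {},        "Mark",   false},
        {"route-guest",        {"guest"},  {},      {},        "Route",  true},   // skipped, as the entries say
    };
}

int main() {
    for (const auto& p : detectShadowing(sampleRules(), defaultIgnoredActions()))
        std::printf("rule '%s' is shadowed by '%s'\n", p.first.c_str(), p.second.c_str());
    return 0;
}
```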
2006-09-05  vadim  <vadim@vk.crocodile.org>

        * FWObjectDatabase_2.1.5.xslt: set version to 2.1.6

2006-08-31  vadim  <vadim@vk.crocodile.org>

        * PolicyCompiler.cpp (checkForShadowing): working on bug #1544488: 'Error with DNS_name object when "resolve during run time"'. Can not detect shadowing if DNSName or AddressTable object used in a rule is configured to resolve at run time. Compiler will ignore rules using such objects while detecting shadowing.

2006-08-21  vadim  <vadim@vk.crocodile.org>

        * XMLTools.cpp (loadFile): loadFile normally reads file twice, first time to check its version and upgrade it and second time to load it and generate doc that will be used by the program. If the datafile is '-' (stdin), it can not be read twice, so in this case this method does not upgrade and just returns doc created for the file as is. Currently this is only used by compiler for PIX to generate 'fixup' or 'inspect' commands when it is called by the GUI with command line option '-i'. This is a special case and GUI guarantees that XML it sends to stdin of the compiler is built according to the latest DTD.

2006-08-17  vadim  <vadim@vk.crocodile.org>

        * crypto.h (libfwbuilder): added missing virtual destructors to several classes to satisfy requirement of modern g++ (v4.1)

2006-06-24  vadim  <vadim@vk.crocodile.org>

        * BackgroundOp.h (CHECK_STOP_AND_RETURN): converted macro CHECK_STOP to two macros: CHECK_STOP_AND_RETURN and CHECK_STOP_AND_THROW_EXCEPTION. Using both macros sparingly, to make sure we do not throw exception or exit thread using thread_exit from inside 'catch' statement. This is risky and unnecessary since we can always throw exception in internal methods and catch them in run_impl, where we can then check flag stop_program and exit background thread simply by calling 'return'. Macro CHECK_STOP_AND_RETURN is used in run_impl for this purpose.
        All other specific methods should throw exception using CHECK_STOP_AND_THROW_EXCEPTION

2006-06-23  vadim  <vadim@vk.crocodile.org>

        * configure.in: changed default for --with-advanced-dns option to NO because modern Linux does not expose corresponding functions (they moved to private section in glibc)

2006-06-21  vadim  <vadim@vk.crocodile.org>

        * qmake.inc.in: passing CXXFLAGS variable from environment to the build process

        * configure.in: Added option --without-advanced-dns that turns off checks for thread-safe resolver and dns zone transfer functions

2006-06-14  vadim  <vadim@vk.crocodile.org>

        * PolicyCompiler.cpp (checkForShadowing): code that detects rule shadowing ignores rules with action Route. We really need a better algorithm...

2006-06-03  vadim  <vadim@vk.crocodile.org>

        * Rule.cpp (getAction): New rule action: "Route", to be mapped to ROUTE target for iptables and 'route' option for pf and ipf

2006-05-20  vadim  <vadim@vk.crocodile.org>

        * Preprocessor.cpp (convertObject): added virtual method that processes single object; overload this method in preprocessor classes derived from Preprocessor to do additional manipulations with objects.

2006-05-19  vadim  <vadim@vk.crocodile.org>

        * Compiler.cpp (processNext): need to ensure replacement objects of the class MultiAddressRunTime have stable IDs so compilers can recognize them between passes. For example, compilers for policy rules and nat rules for PF should recognize the same AddressTable objects to avoid duplication

2006-05-16  vadim  <vadim@vk.crocodile.org>

        * DNSName.cpp (loadFromSource): Using universal mutable address framework provided by class MultiAddress for DNSName.

        * dns.cpp (DNS::getHostByName): changed the type of returned object to list<IPAddress> so it can be sorted. This provides for a stable result - every time we use DNS::getHostByName to get list of ip addresses for a domain name, we will get them in the same order, therefore generated firewall rules will not change from compile to compile.
        * MultiAddress.cpp (MultiAddress): universal base class for mutable address objects that can be converted into one or several IP addresses at compile or run time. AddressTable class inherits MultiAddress. DNSName will be converted later.

2006-05-07  vadim  <vadim@vk.crocodile.org>

        * Compiler.h: added internal variable and interface to set the name for the ruleset compiler works on. Default name is empty; non-empty name is to be used to compile rules in branches.

2006-05-06  vadim  <vadim@vk.crocodile.org>

        * Compiler.h (setSourceRuleSet): added ability to explicitly set ruleset compiler should process. Currently using this in compiler for pf to process anchor rulesets (branches) separately from the main rule set.

        * fwbuilder.dtd.in (TODO): element 'PolicyRule' can have a child element 'Policy'; this is how we implement subpolicy (branching in policy rules). Similarly, NAT rule may have child element 'NAT' for NAT rule branching and RoutingRule may have child element 'Routing'

2006-05-05  vadim  <vadim@vk.crocodile.org>

        * Rule.cpp (setAction): Added policy rule action 'Branch' for rule subsets. This will be translated into user-defined chain for iptables and anchor for PF

2006-04-23  vadim  <vadim@vk.crocodile.org>

        * XMLTools.cpp (readFile): added support for reading of XML from stdin

        * FWObjectDatabase.cpp (saveToBuffer): added method for saving XML document into a memory buffer. Buffer is of type xmlChar** and needs to be freed with xmlFree() in the calling process. This can be used to pass XML to compilers via pipe to their standard input.

2006-04-21  vadim  <vadim@vk.crocodile.org>

        * Rule.cpp (setDirection): always setting direction to one of the three values defined in the DTD: "Inbound", "Outbound" or "Both". If setDirection is passed an unknown argument, using "Both" as the default.

        * Rule.cpp (getActionAsString): the same for actions: code enforces a value from the enumeration permitted by DTD. Using "Deny" as default.
2006-04-19  ilya  <yalovoy@gmail.com>

        * fwbuilder.dtd.in: added element "inactive" to Firewall. Firewalls marked as inactive won't be picked for batch compile and install operations.

2006-04-13  vadim  <vadim@vk.crocodile.org>

        * FWObjectDatabase_2.0.99.xslt: v2.0.99 is an intermediate version used to simplify migration chains. Migration scripts for previous versions of 2.0.x will convert directly to 2.0.99 to avoid having to go through multiple conversion stages that only change version number

2006-03-21  vadim  <vadim@vk.crocodile.org>

        * AddressTable.cpp (AddressTableRunTime): AddressTableRunTime should _not_ use the same ID as original AddressTable object. If ID is identical, FWObjectDatabase::findById gets confused and returns original AddressTable object, which causes problems because AddressTable is not inherited from Address, so Compiler::getFirstOSrc and other similar methods can not cast it to Address and return NULL.

2006-03-20  vadim  <vadim@vk.crocodile.org>

        * Compiler.cpp (cache_objects): switched from Compiler::objcache to object index in FWObjectDatabase. Replaced calls to Compiler::getCachedObject with calls to FWReference::getPointer() everywhere

        * ServiceGroup.cpp (validateChild): simplified check; need to permit all service objects as well as base class Group which is used in some compilers as a base class for a specialized group class, e.g. in compiler for pix.

        * Preprocessor.h: Class Preprocessor performs various operations on the original copy of the object database before other compilers are called to process rules. All other compilers create a local copy of the database and work with it, but Preprocessor works with the original database. Currently Preprocessor expands DNSName and AddressTable objects. Preprocessor can be overloaded as any other Compiler with customizations added either to its prolog() or compile() methods.
2006-03-18  vadim  <vadim@vk.crocodile.org>

        * IPAddress.h, dns.h, BackgroundOp.h: fixes to make code compile with g++ 4.1; patch by Martin Michlmayr <tbm@cyrius.com>

2006-03-15  ilya  <yalovoy@gmail.com>

        * FWOptions.cpp: added support for temporary object properties. The name of such property starts with a dot and corresponding XML attribute is not saved to the .fwb file.

2006-03-07  vadim  <vadim@vk.crocodile.org>

        * FWObject.cpp: added support for temporary object properties. The name of such property starts with a dot and corresponding XML attribute is not saved to the .fwb file.

2006-03-06  vadim  <vadim@vk.crocodile.org>

        * OSConfigurator.h: added simple mechanism to register virtual addresses added for NAT rules (just a counter for now)

2006-03-05  vadim  <vadim@vk.crocodile.org>

        * PolicyCompiler.cpp (findZeroAddress): treating bridge port interfaces the same as unnumbered interfaces wherever algorithm applies to an interface w/o IP address

        * Interface.h (class Interface): added method Interface::isRegular

        * Interface.cpp: Added methods for 'bridgeport' attribute

        * fwbuilder.dtd.in (Interface): Added attribute 'bridgeport' to Interface. Will use this for bridging firewalls.

2006-03-04  vadim  <vadim@vk.crocodile.org>

        * FWObjectDatabase.h (class FWObjectDatabase): completely eliminated singleton FWObjectDatabase::db

        * Group.cpp (Group): need to set dbroot in constructor of Group because it uses virtual inheritance and does not call FWObject constructor

        * FWObjectDatabase.cpp (recursivelyRemoveObjFromTree): there is no need to check for references pointing at certain types of objects, such as references and rulesets. This speeds up deleting objects by a large factor, especially when a firewall with lots of rules or a group with lots of objects is being deleted.
        * FWObject.cpp (getRoot): changed type of the object returned by method FWObject::getRoot to be FWObjectDatabase

        * FWObjectDatabase.cpp (addToIndex): methods to build and maintain object index (index is defined as map<string,FWObject*>)

        * FWObjectDatabase.h (class FWObjectDatabase): made generateUniqueId method static (it does not need an instance of FWObjectDatabase)

        * Interface.cpp (setPhysicalAddress): making sure we use method 'create' of the FWObjectDatabase instance the interface belongs to instead of a singleton FWObjectDatabase::db. This is important because method FWObjectDatabase::create updates internal index which is a part of FWObjectDatabase.

        * AddressTable.cpp (loadFile), FWObject.cpp (fromXML), FWObject.cpp (addCopyOf): same as above

2006-02-28  ilya  <yalovoy@gmail.com>

        * Compiler: Recursive group preprocessing (DNSName, AddressTable) is fixed.

2006-02-24  ilya  <yalovoy@gmail.com>

        * Firewall, fwbuilder.dtd: added new attributes:
          - lastModified
          - lastInstalled
          - lastCompiled
          and methods to deal with them

2006-02-15  ilya  <yalovoy@gmail.com>

        * version 2.1.5

        * Added Policy rule actions "Custom" and "Classify"

        * Added support for rule options for NAT rules

2006-02-09  vadim  <vadim@vk.crocodile.org>

        * TagService.h (class TagService): added missing virtual methods getProtocolName and getProtocolNumber

2006-01-20  vadim  <vadim@vk.crocodile.org>

        * dns.cpp (DNS_bulkBackResolve_query::run_impl): making sure running_mutex is unlocked before call to Cond::wait, also unlocking the mutex after Cond::wait returns. Here is why: method Cond::wait locks the mutex and calls pthread_cond_wait. This is because pthread_cond_wait atomically unlocks the mutex and puts the thread into sleep mode waiting for the condition variable to be signaled. Also once signal is caught, before returning to the calling thread, pthread_cond_wait locks the mutex again.
        Since we do nothing that would require this mutex here (we only use this mechanism to make sure we get control back when all worker threads terminate), we just unlock it and proceed with the loop.

        * snmp.cpp (many methods): using method Logger::operator<<(std::ostringstream &sstr) everywhere to avoid problems with formatting of the log entries in certain QT widgets. Sometimes QT automatically prints text strings passed to a widget in separate calls on separate lines; this breaks formatting if we use Logger in a chain-like call such as

              *logger << str1 << arg1 << str2 << arg2

          Now we use ostringstream object to assemble the log line and then pass it to the Logger using

              *logger << str

        * Logger.cpp (operator<<(std::ostringstream &sstr)): Added method for output of the log records from the ostringstream class. This method also purges ostringstream object so that subsequent uses of the same object do not cause duplication of log lines.

2006-01-03  vadim  <vadim@vk.crocodile.org>

        * Compiler.cpp (getCompiledScriptLength): added method that returns the length of generated script. Using method sstream::tellp()

2005-12-16  ilya  <yalovoy@gmail.com>

        * Compiler.cpp: AddressTables and DNSNames processed only if they are included in current firewall.

2005-12-01  ilya  <yalovoy@gmail.com>

        * version 2.1.4
          new object type TagService
          Actions 'Mark' and 'Queue' renamed 'Tag' and 'Pipe' respectively.
          New service 'TagService'.

        * addresstable_test.cpp: unit-test for AddressTable object

2005-11-24  vadim  <vadim@vk.crocodile.org>

        * Compiler.h: swapAddressTableObjectsInRE - rule processor that replaces AddressTable objects with their AddressTableRunTime equivalents.

        * AddressTable.h (class AddressTableRunTime): new class AddressTableRunTime - used in compilers as a substitution for AddressTable. Class AddressTableRunTime inherits Address and therefore is easy to use in rule elements that expect address, such as Src, Dst, with minimal or no changes in compilers.
        Rule processors derived from swapAddressTableObjectsInRE replace AddressTable objects that require run-time address expansion with their AddressTableRunTime equivalents.

        * Compiler.cpp (emptyGroupsInRE::processNext): making sure AddressTable object is not considered an empty group. Object of this type can be either processed by compiler in Compiler::prolog, in which case it is replaced with a collection of addresses, or left intact if configured in "run time" mode, in which case it looks like an empty group.

        * Compiler.cpp (Compiler::_expand_group_recursive): also need to exclude AddressTable objects from ExpandGroup processor

2005-11-23  Vadim  <vadim@tourist.local>

        * committing changes for AddressTable object: method AddressTable::loadFile()

        * new method Network& Network::operator=(const string &s) for reading IP address/mask pairs from a text file.

        * support for AddressTable objects in compilers (only compile-time at this time)

2005-11-14  Vadim  <vadim@tourist.local>

        * version 2.1.3
          new object type DNSName
          using this method in Compiler::prolog to resolve DNSName objects that are supposed to be resolved at compile-time
          Redesigned RuleOptionsDialog to make room for new options
          Added actions MARK and QUEUE with basic support in API and GUI
          Added new object type AddressTable

2005-10-24  vadim  <vadim@tower.local>

        * configure.in: fixed bug #1304764: "configure script: Sun make check fails". Need to use ${MAKE-make} instead of $ac_make when checking for GNU make.

        *** Ported from 2.0.10 ***

2005-10-22  vadim  <vadim@tower.local>

        * set version to 2.0.10 in branch fwb2-2.0-maint
          Need another bugfix release

2005-09-29  Vadim  <vadim@tourist.local>

        * PolicyCompiler_ipt.cpp (InterfacePolicyRules): new rule processor: checks if the rule is associated with an interface and uses setInterfaceId to record its id. If the rule is associated with multiple interfaces, splits the rule accordingly.
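Worked example added by the editor, not libfwbuilder code: the 2005-11-23 entries above introduce AddressTable::loadFile() and Network::operator=(const string &) for reading IP address/mask pairs from a text file. An address table is untrusted input to the compiler, so the parser below is strict: every line either yields one network or one error with its line number, and a malformed line is never widened into 0.0.0.0/0. The accepted syntax (one entry per line as "a.b.c.d", "a.b.c.d/prefix" or "a.b.c.d/m.m.m.m", '#' starting a comment, blank lines ignored), the addrtable namespace and the sample file content are assumptions of this example, not the project's own format.

```cpp
// Added example, not libfwbuilder code: a strict parser for the kind of
// address table text file the 2005-11-23 entries describe. The accepted
// syntax (one entry per line: "a.b.c.d", "a.b.c.d/prefix" or
// "a.b.c.d/m.m.m.m"; '#' starts a comment; blank lines ignored) is an
// assumption made for this example, not the project's own format.
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

namespace addrtable {

struct Network {
    std::uint32_t address = 0;   // host byte order
    std::uint32_t netmask = 0;   // host byte order
};

struct ParseResult {
    std::vector<Network> networks;
    std::vector<std::string> errors;   // "line N: reason"
};

// Strict dotted quad: exactly four decimal octets in 0..255, nothing else.
bool parseDottedQuad(const std::string& s, std::uint32_t& out) {
    std::uint32_t value = 0;
    int octets = 0;
    std::size_t i = 0;
    while (i < s.size()) {
        if (s[i] < '0' || s[i] > '9') return false;
        unsigned octet = 0, digits = 0;
        while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
            octet = octet * 10 + static_cast<unsigned>(s[i] - '0');
            if (octet > 255 || ++digits > 3) return false;
            ++i;
        }
        value = (value << 8) | octet;
        ++octets;
        if (i == s.size()) break;
        // Separator must be '.', at most four octets, and no trailing dot.
        if (s[i] != '.' || octets == 4 || i + 1 == s.size()) return false;
        ++i;
    }
    if (octets != 4) return false;
    out = value;
    return true;
}

// "/n" prefix length or a dotted mask; a dotted mask must be contiguous
// (255.255.0.255 is rejected).
bool parseNetmask(const std::string& s, std::uint32_t& mask) {
    if (s.find('.') == std::string::npos) {
        if (s.empty() || s.size() > 2) return false;
        for (char c : s) if (c < '0' || c > '9') return false;
        int bits = std::stoi(s);
        if (bits > 32) return false;
        mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
        return true;
    }
    if (!parseDottedQuad(s, mask)) return false;
    std::uint32_t hostBits = ~mask;             // must look like 0...01...1
    return (hostBits & (hostBits + 1)) == 0;
}

std::string err(int lineNo, const std::string& reason) {
    return "line " + std::to_string(lineNo) + ": " + reason;
}

// Each line yields one network or one error; nothing is guessed.
ParseResult parseAddressTable(const std::string& text) {
    ParseResult result;
    std::istringstream in(text);
    std::string line;
    int lineNo = 0;
    while (std::getline(in, line)) {
        ++lineNo;
        std::size_t hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);   // strip comment
        std::istringstream fields(line);
        std::string token, extra;
        if (!(fields >> token)) continue;                   // blank or comment-only
        if (fields >> extra) { result.errors.push_back(err(lineNo, "unexpected text after address")); continue; }
        Network net;
        std::size_t slash = token.find('/');
        if (!parseDottedQuad(token.substr(0, slash), net.address)) {
            result.errors.push_back(err(lineNo, "bad address '" + token + "'"));
            continue;
        }
        if (slash == std::string::npos) {
            net.netmask = 0xFFFFFFFFu;                      // bare address: a /32 host
        } else if (!parseNetmask(token.substr(slash + 1), net.netmask)) {
            result.errors.push_back(err(lineNo, "bad netmask in '" + token + "'"));
            continue;
        }
        result.networks.push_back(net);
    }
    return result;
}

// Constructed sample input (not a file from the project).
const char* const kSampleTable =
    "# blocked networks, one per line\n"
    "192.168.1.0/24\n"
    "10.0.0.0/255.255.0.0   # dotted mask form\n"
    "172.16.5.7             # bare address: treated as /32\n"
    "256.1.1.1              # octet out of range\n"
    "10.1.0.0/255.255.0.255 # non-contiguous mask\n"
    "192.168.2.0/24 extra\n";

ParseResult parseSample() { return parseAddressTable(kSampleTable); }

}  // namespace addrtable
```

On the sample the parser accepts the first three entries and reports the other three with their line numbers, so a compiler can refuse the whole table instead of silently generating a rule set that differs from what the file author intended.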
2005-09-28  Vadim  <vadim@tourist.local>

        * FWObjectDatabase_2.1.1.xslt: this autoupgrade XSLT transformation sets version to 2.1.2 and merges interface policies and global policy into one combined policy

        * PolicyCompiler.cpp (prolog): merged interface policies and global policy. Added XML element "Itf" (child of PolicyRule). Still keeping class InterfacePolicy just in case.

        * set version to 2.1.2

2005-09-26  Vadim  <vadim@tourist.local>

        * fwbuilder.dtd.in (TODO): Added Routing element and corresponding classes. Using "fwbuilder-routing" patch provided by Tidei Maurizio <fwbuilder-routing at compal.de>

        * set version to 2.1.1

        * FWObjectDatabase_2.0.9.xslt: transformation adds tree branch "DNS Names"

2005-09-20  <vadim@vk.crocodile.org>

        * fwbuilder.dtd.in: New element: DNSName (Illiya)

        * DNSName.cpp (DNSName): API support for DNSName object type

2005-08-17  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (generateUniqueId): Adding process ID to the object ID to ensure its uniqueness. Before we only used time in seconds to generate object IDs, which led to ID duplicates if fwbedit was called in quick succession to create objects.

2005-07-30  <vadim@vk.crocodile.org>

        * Started v2.1.0

2005-07-17  vadim  <vadim@tower.local>

        * configure.in (HAVE_GOODLIBRESOLV): need to check architecture and use /usr/lib64/libresolv.a on 64 bit machines

2005-05-20  <vadim@vk.crocodile.org>

        * set version to 2.0.8

2005-05-08  <vadim@vk.crocodile.org>

        * v2.0.7 released

2005-05-02  <vadim@vk.crocodile.org>

        * snmp.cpp: Compiled all OIDs.
          The program may run on a system where MIBs are not installed, so we can not always use symbolic OID names. Also using snmp_out_toggle_options to turn on numeric output in all responses (equivalent to -On in snmp tools)

2005-05-01  <vadim@vk.crocodile.org>

        * snmp.cpp (walk): verbose error message, printing response->errstat code as well as corresponding error string; this should help debug snmp-related problems better

        * snmp.cpp (walk): using snmp_error to print last snmp error string

2005-03-30  <vadim@vk.crocodile.org>

        * FWOptions.cpp (toXML): fixed bug #1173801: '"&" character in prolog/epilog'. Needed to call xmlEncodeSpecialChars to encode special characters in firewall options

2005-03-20  <vadim@vk.crocodile.org>

        * Tools.cpp (init): fixed bug #1158870: "mutexes are not properly created on FreeBSD". Mutexes gethostbyname_mutex and gethostbyaddr_mutex were never created but used on OS where thread-safe resolver is not available.

2005-02-17  <vadim@vk.crocodile.org>

        * v2.0.6 released

2005-02-01  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (recursivelyRemoveObjFromTree): checking if an object that needs to be recursively removed is in a read-only library. This way we get an error message about an attempt to modify the library the object is in, which makes sense. Without this check, API tried to remove references to this object before removing the object itself. This means 1) if a reference existed somewhere in another read-only library, the error message said it was an attempt to modify that other library, which was confusing, and 2) we could end up with some references removed but the object itself left in the tree if it was in a read-only library. It seems to be better if all references to the object are left intact when the object itself can not be removed at all.
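Worked example added by the editor, not libfwbuilder code: the 2005-03-30 entry above (and the 2004-11-30 CustomService entry) fix user-entered text containing '&' breaking the saved XML by calling libxml2's xmlEncodeSpecialChars before the text is stored in an attribute. The escape() function below is a stand-alone approximation of that call written for this example (it also handles the apostrophe), shown beside the unsafe string splice it replaces and a loose well-formedness check; the xmlesc namespace, the helper names and the sample prolog text are assumptions of this example.

```cpp
// Added example, not libfwbuilder code: escaping XML special characters in
// user-supplied text before it is stored as an attribute value, the fix the
// 2005-03-30 (firewall prolog/epilog) and 2004-11-30 (custom service code)
// entries apply with libxml2's xmlEncodeSpecialChars. escape() is a
// stand-alone approximation written for this example.
#include <cstddef>
#include <string>

namespace xmlesc {

// The five characters with markup meaning. '&' and '<' matter anywhere in
// character data; the quotes matter inside attribute values.
std::string escape(const std::string& text) {
    std::string out;
    out.reserve(text.size());
    for (char c : text) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

// The pattern behind bug #1173801: the raw value is spliced into the
// attribute, so a '&' or '"' in the user's text corrupts the document and
// a later load may fail or read back a different value than was saved.
std::string attributeUnsafe(const std::string& name, const std::string& value) {
    return name + "=\"" + value + "\"";
}

// Fixed form: escape first, then splice.
std::string attributeSafe(const std::string& name, const std::string& value) {
    return name + "=\"" + escape(value) + "\"";
}

// Loose well-formedness check for a single name="value" attribute: inside
// the quotes, '"' and '<' are forbidden outright and every '&' must start
// an entity reference (something up to the next ';').
bool attributeWellFormed(const std::string& attr) {
    std::size_t eq = attr.find("=\"");
    if (eq == std::string::npos || attr.size() < eq + 3 || attr.back() != '"') return false;
    std::string value = attr.substr(eq + 2, attr.size() - eq - 3);
    for (std::size_t i = 0; i < value.size(); ++i) {
        if (value[i] == '"' || value[i] == '<') return false;
        if (value[i] == '&') {
            std::size_t semi = value.find(';', i);
            if (semi == std::string::npos || semi == i + 1) return false;
            i = semi;
        }
    }
    return true;
}

// Constructed prolog text of the kind a user might enter in the GUI.
const char* const kSampleProlog = "echo \"start & log\" > /tmp/fw.log";

}  // namespace xmlesc
```

With the sample prolog, attributeUnsafe() produces an attribute whose value contains a bare '&' and unescaped quotes, which the check rejects; attributeSafe() produces one the check accepts and that decodes back to the original text on load.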
        * FWObject.cpp (removeAllInstances): checking if an object is in read-only library before trying to remove it

2005-01-29  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): fixed bug #1105167: "Crash when importing a library that has been deleted".

2005-01-24  <vadim@vk.crocodile.org>

        * Compiler_ops.cpp (operator==): fixed bug #1108861: "two rules using MAC address matching shadow each other". Need to check for MAC addresses while processing rules for shadowing.

2005-01-07  <vadim@vk.crocodile.org>

        * v2.0.5 released

2004-12-22  <vadim@vk.crocodile.org>

        * Compiler.cpp (createRuleLabel): fixed bug #1068119: "additional whitespace for Rule comments in .fw file". Added extra space between rule number and interface spec in rule comments.

2004-12-04  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): Corrected error caused by the change made on 12/04/04. We now delete "deleted objects" from libraries we are merging in before calling FWObjectDatabase::merge. Ignoring "Deleted objects" here caused problems; in particular, deleted objects disappeared from a data file whenever it was opened. This happened because we merged user's data file into standard objects tree, so user's file was _source_ here, and deleted objects in it were ignored.

2004-12-03  <vadim@vk.crocodile.org>

        * version 2.0.4 released

2004-11-30  <vadim@vk.crocodile.org>

        * CustomService.cpp (toXML): using xmlEncodeSpecialChars to encode special chars in custom service code (code may use '&' which is a special character and needs to be encoded before storing in XML)

2004-11-23  <vadim@vk.crocodile.org>

        * Compiler_ops.cpp (checkForShadowing): still working on the IPService object shadowing changes. ip fragments object was shadowing GRE object, which was incorrect. Hopefully this change finally fixes it.

2004-11-17  <vadim@vk.crocodile.org>

        * dns.cpp (init): fixed bug (no number): program crashed on FreeBSD 5.3 when using SNMP to obtain parameters for hosts and interfaces.
          Crash occurred because of use of uninitialized mutex variables in module dns.cpp

2004-11-15  <vadim@vk.crocodile.org>

        * Compiler_ops.cpp (checkForShadowing): fixed bug (no num): rule shadowing algorithm checks for IP flags in IP service object. IP service object with protocol 0 shades anything only if its flags are cleared. Two IP services shade each other only if they are completely equal (protocols and all flags settings are the same). However, IP service with protocol 0 shades other IP service with protocol !=0 if all flags settings are the same.

2004-11-12  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): changes in the object database merge algorithm: when an object database we are trying to merge has non-empty "Deleted objects" library, deleted objects from this library should be ignored (they used to be deleted from the current tree). Likewise, when current tree has non-empty "Deleted objects" library and objects in it match objects being merged in, objects should be removed from "Deleted objects" library to avoid creating duplicate IDs with objects being merged in.

2004-11-10  <vadim@vk.crocodile.org>

        * Compiler_ops.cpp (checkForShadowing): fixed bug (no number): rule shadowing algorithm now assumes that IPService object with protocol number '0' shadows any other service just like 'any' does.

2004-11-06  <vadim@vk.crocodile.org>

        * Compiler.cpp (complexMatch): fixed bug #1055937: "Any->all_multicasts not in INPUT Chain". Need to check if network objects are multicasts; assume that multicast always matches firewall object (e.g. fwb_ipt will put rule with such network object in destination in INPUT chain)

2004-10-23  <vadim@vk.crocodile.org>

        * Compiler.cpp (_complexMatchWithInterface): fixed bug #1040773: need to match network address as well as broadcast.
          Packets sent to the network address (192.168.1.0 for net 192.168.1.0/24) go in the broadcast frame and behave just like IP broadcast packets (sent to 192.168.1.255 for the same net)

2004-09-30  <vadim@vk.crocodile.org>

        * v2.0.3 released

2004-09-11  <vadim@vk.crocodile.org>

        * RuleElement.cpp (reset): added method RuleElement::reset(). This method clears all children of a rule element, sets it to 'any' and clears negation flag.

2004-09-08  <vadim@vk.crocodile.org>

        * Firewall.cpp (duplicate): fixed bug (no number): all references to the interfaces, as well as their IP and MAC addresses, in policy and NAT rules should be replaced when Firewall object is duplicated. Until now only references to the firewall object itself and to its interfaces were replaced with references to the newly created copies of object. References to IP and MAC addresses still pointed at the old objects.

        * FWObjectDatabase.cpp (IDcounter): fixed bug #1022788: "GUI corrupts XML file after creating a second firewall". Global object ID counter was getting reset every time new FWObjectDatabase object was created. This led to ID collisions if user quickly created and deleted complex objects (such as Firewall) and used database merge. This should also fix bug #1022785: "GUI corrupts XML file after creating a host entry"

        * VERSION: set version to 2.0.3

2004-09-07  <vadim@vk.crocodile.org>

        ***************************************************************
        *                    merged branch fwb2                       *
        ***************************************************************

2004-08-31  <vadim@vk.crocodile.org>

        * v2.0.2 released

2004-08-30  <vadim@vk.crocodile.org>

        * VERSION (RELEASE_NUM): version 2.0.2, revision 1

2004-08-21  <vadim@vk.crocodile.org>

        * qmake.inc.in: fixed bug #1012733: "configure --libdir=DIR will be ignored at installation". Needed to use macro _libdir to specify target directory for libraries.
          Used it in configure, qmake.in, libfwbuilder-config-2 and a .spec file

2004-08-20  <vadim@vk.crocodile.org>

        * fwbuilder.dtd.in (TODO): added element physAddress to list of child elements of Library (bug #1011617)

2004-08-12  <vadim@vk.crocodile.org>

        * v2.0.1 released

2004-08-04  <vadim@vk.crocodile.org>

        * XMLTools.cpp (loadFile): deleting .bak file prior to renaming the original one during autoupgrade procedure. Rename failed on windows if .bak file already existed.

2004-08-02  <vadim@vk.crocodile.org>

        * FWObject.cpp (deleteChildren): fixed bug #1001833: "memory leak" - children objects were not deleted when FWObjectDatabase object was destroyed.

2004-08-01  <vadim@vk.crocodile.org>

        * FWObject.cpp (getPath): fixed bug #1001725: "object with empty name can not be deleted". The problem was caused by the algorithm used in FWObject::getPath. If object had a blank name, the path returned by this method would end with the name of its parent without slash.

2004-07-29  <vadim@vk.crocodile.org>

        * 2.0 released, CVS tag set.

2004-07-13  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (scanAndAdd): pulling objects from other libs if they are used for interface network zone while saving to file w/o unnecessary object copying

        * fwbuilder.dtd.in (TODO): added PolicyRule and NATRule elements to the list of child elements of Library

        * RuleSet.cpp (deleteRule): do not put deleted rules into "Deleted objects"

2004-07-10  <vadim@vk.crocodile.org>

        * FWObject.cpp (_moveToDeletedObjects): now move deleted objects to the special library with id 'sysid99' rather than delete them completely. This serves two purposes:
          1. can easily provide for undelete function which is very useful
          2.
             can catch a situation when an object has been deleted from the external library but is still used in the data file

2004-06-30  <vadim@vk.crocodile.org>

        * configure.in: using autoconf macro AC_C_BIGENDIAN to determine endianness of the system

2004-06-28  <vadim@vk.crocodile.org>

        * Network.cpp (shallowDuplicate): fixed a bug where network objects would not get copied properly when data file was saved w/o copies of standard objects (through exportSubtree)

2004-06-16  <vadim@vk.crocodile.org>

        * Compiler_ops.cpp (checkForShadowing): fixed bug #906709: "A dynamic interface". Dynamic interface used to "shadow" old broadcast object (0.0.0.0)

        * IPAddress.cpp (to32BitInt()): fixed bug that occurred on big endian architecture (e.g. Macintosh) because of incorrect usage of preprocessor directives to check BYTE_ORDER. This bug caused incorrect address arithmetics.

        * (_convert_range_to_networks): fixed bug #950857: "Incorrect conversion of address range" - address range that consisted of two IP addresses was converted to a set of networks incorrectly.

2004-06-05  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): fixed a bug in merge where the method would not ask the user for conflict resolution if user-defined libraries were different

        * FWObject.cpp (setReadOnly): setReadOnly does not change lastModified timestamp

2004-06-04  <vadim@vk.crocodile.org>

        * FWObjectDatabase.h (class FWObjectDatabase): added method that allows to reset "lastModified" time. Every time we load a database and merge it with the standard tree, lastModified timestamp changes. As the result, even if the user made no changes to the objects, the resultant tree is always different and RCS checks it in and bumps revision number up. Since user did nothing, it is confusing and unnecessarily creates lots of revisions.

2004-06-02  <vadim@vk.crocodile.org>

        * fwbuilder.dtd.in: added attribute 'lastModified' to element FWBObjectDatabase.
          This attribute holds time of last modification done to any object in the database (GMT). Added support for this attribute in class FWObjectDatabase. This attribute is implied.

2004-05-05  <vadim@vk.crocodile.org>

        * Firewall.cpp (duplicate): Method Firewall::duplicate replaces references to the firewall, its interfaces as well as IPv4 and physical addresses of the interfaces in all rule sets with references to the copies of corresponding objects. Now firewall created from another one using 'duplicate' does not reference interfaces or addresses that belong to the original firewall object.

2004-04-24  <vadim@vk.crocodile.org>

        * libfwbuilder-config.h.win32: removed support and therefore a dependency on openssl in the code compiled on windows.

2004-04-12  <vadim@vk.crocodile.org>

        * FWObject.cpp (duplicate): fixed a bug that prevented copying of the database into another database object using method 'duplicate' if one or more subtrees were read-only. Need to add an object to the tree before calling duplicate (method isReadOnly checks flag 'init' in the tree root, so if an object has not been added to the tree, this check can not be done and read-only object causes 'duplicate' to throw an exception).

2004-04-10  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): implemented conflict resolution for the object tree merge operation. Uses external predicate class to hand control over to the user who should make a decision which copy of the object to use. Typically this predicate should show a dialog with information for user to choose from.

2004-04-06  <vadim@vk.crocodile.org>

        * FWObject.cpp (operator++): implemented a global tree iterator class 'tree_iterator'. This class can be used to walk the whole tree.

2004-04-04  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (merge): implemented tree merge function. It adds objects that are not present in the tree and skips those that are already there. Only object IDs are compared.
          It does not resolve conflicts in a situation when a new object has the same Id as one of the old ones but some of its attributes are different. In this case it will assume the old object is the same as the new one and will skip it. Practically this means that if someone modified standard object instead of making a copy of it in fwbuilder 1, then the changes will be lost when data file is merged with a standard object tree.

2004-04-03  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (exportSubtree): implemented subtree export. This method creates new FWObjectDatabase object and copies all objects from an object given as a parameter down the tree. It also scans for references to objects that do not belong to this subtree and creates relevant subtrees to ensure that the whole tree is consistent and references never point at non-existent objects.

2004-04-01  <vadim@vk.crocodile.org>

        * Resources.cpp (getInstaller): added method Resources::getInstaller()

2004-03-28  <vadim@vk.crocodile.org>

        * FWObjectDatabase_1.0.2.xslt: fixed bug that appeared only when used with libxml2 2.6.6 and libxslt 1.0.33 - '*Group' elements were not converted properly (losing all child elements). It worked on RH 9 with libxml2 2.5.4 and libxslt 1.0.27. Fix tested with libxml2 2.6.6 and libxslt 1.0.33 on Fedora C1

2004-03-26  <vadim@vk.crocodile.org>

        * changed file names and target directories as follows:
          - include files are installed in ${prefix}/include/fwb-2.0/fwbuilder and ${prefix}/include/fwb-2.0/fwcompiler
          - libraries are named libfwbuilder-2.0.so.6.0.0 and libfwcompiler-2.0.so.6.0.0
          - DTD and migration scripts are installed in ${prefix}/share/libfwbuilder-2.0/
          This should allow us to keep both old and new API on the same machine. These changes are done only for Unix installations.

2004-03-25  <vadim@vk.crocodile.org>

        * Tools.cpp (init): path for the directory where DTD is installed is now passed to API as a parameter to the method FWBObjectDatabase::load.
          There were too many problems with guessing where it is installed on different platforms. On Unix it is always installed in the absolute path which is encoded in LIBFWBUILDER_TEMPLATE_DIR macro defined in libfwbuilder-config.h. On Mac and windows it is installed in the subdirectory off the directory where GUI and compiler binaries are installed. There is no way we can know what this directory is inside API, so it should be passed from the GUI or compiler as a parameter. It was simpler to unify the approach and make it so it is always passed to the API from outside.

2004-03-23  <vadim@vk.crocodile.org>

        * FWObjectDatabase_1.0.2.xslt: migration makes 'Standard' tree read-only

2004-03-22  <vadim@vk.crocodile.org>

        * fwbuilder.dtd.in: read-only attribute is now part of DTD and is stored in the file. This allows us to lock down parts of the tree (e.g. 'Standard').

2004-03-13  <vadim@vk.crocodile.org>

        * qmake.inc.in: qmake-based build

2004-03-10  <vadim@vk.crocodile.org>

        * manifest.cpp (save): applied patch sent by Carlo Wood needed to compile with g++ 3.5

2004-02-08  Vadim Zaliva  <lord@crocodile.org>

        * libfwbuilder.info.in (Package): fink .info file tested to work with MacOS X 10.3, fink package manager version: 0.17.4 and fink distribution version: 0.6.2.cvs

2004-02-28  <vadim@vk.crocodile.org>

        * FWObject.cpp (setReadOnly): added a flag that marks an object and the whole subtree under it as read-only. All operations that modify objects check this flag and throw an exception if an attempt to modify read-only object is made.

2004-02-23  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp: moved RCS classes to the GUI. This allows me to use portable functions provided by QT to call external programs (co, ci, rlog etc).

2004-02-22  <vadim@vk.crocodile.org>

        * FWObjectDatabase.cpp (coFile): basic integration with RCS.
	  TODO: reimplement using exec(3) instead of system(3)

2004-02-08  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (<!ENTITY % STD_ATTRIBUTES '): removed attribute 'library'; libraries are now child elements of FWObjectDatabase.

	* FWObject.cpp (getLibrary): this method returns the name of the library 'this' belongs to. It scans objects in the tree starting from 'this', climbing up from 'this' to its parent and so on, looking for an object of the type 'Library', then returns its name.

2004-01-20  <vadim@vk.crocodile.org>

	* FWObject.cpp (findObjectByName): added (non-virtual public) method findObjectByName. This method finds a child object of a given type with a given name.

2004-01-18  <vadim@vk.crocodile.org>

	* Library.h (class Library): this class supports new element "Library"

	* FWObjectDatabase_1.0.2.xslt: this transformation converts data file v1.0.2 to the new format where libraries are elements rather than attributes (v2.0.0)

2004-01-17  <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in: DTD change: permitted element IPv4 to be a child of ObjectGroup. This does not require any changes in existing data files.

	* fwbuilder.dtd.in: DTD change: added element "Library"

2004-01-10  <vadim@vk.crocodile.org>

	* libfwbuilder-config.in (the_flags): added parameter "--includepath" to script libfwbuilder-config. This parameter is used to generate variables used in QT project files.

2003-12-30  <vadim@vk.crocodile.org>

	* XMLTools.cc (setDTD): Bug #868278: "fwbuilder GUI crashes while saving data to file on FreeBSD". The crash happens in the DTD validation routine xmlValidateDocument when fwbuilder is working with libxml2 v2.6.4. Tests seem to rule out a bug in libxml2 (I used their example program "tree2.c" and added a similar fragment for validation, it worked), so it must be something in our code. I can't seem to find the problem though. We recreate the tree from the objects in the memory, so doing validation here is mostly a double check.
	  It should be relatively safe to just skip validation until I figure out what's wrong with it.

2003-12-27  <vadim@vk.crocodile.org>

	* taking into account different directory separation characters on unix and win32

	* Resources can now be loaded from the directory defined by the relative path (assumed to be relative to the directory the binary was launched from)

2003-12-30  <vadim@vk.crocodile.org>

	* XMLTools.hh: properly using xmlFree to free blocks of memory allocated by libxml2

2003-12-26  <vadim@vk.crocodile.org>

	* Compiler.cc (normalizePortRange): fixed a bug ('==' used instead of '='). Among other things, the compiler failed to merge rules with tcp or udp services using "multiport" module in ipt because of this bug

2003-12-26  <vadim@vk.crocodile.org>

	* Makefile.in (FLIST): refactored xslt transformation scripts in migration. Now the version number is a part of the script name rather than a directory; it is more convenient to deal with scripts named this way in the VC++ projects.

	* updated VC++ project files: added autoupgrade XSLT scripts to the projects on windows, DTD is installed in the same dir where libraries are created

	* porting fwcompiler to win32.
2003-12-25  <vadim@vk.crocodile.org>

	* using xmlFree to free memory allocated inside libxml by xmlGetProp and friends, however since declaration of xmlFree is commented out in windows version of libxml (as of Dec 2003, v 2.6.3), we do not free this memory on windows :-( TODO: check why xmlFree is not available in windows version

2003-12-24  <vadim@vk.crocodile.org>

	* renamed all .cc files to .cpp and all .hh files to .h
	* added Visual C++ project files (.dsw and .dsp)
	* added directory src/test and a couple of tests
	* made changes in fwbuilder to port it to win32.
	* platform dependent functions moved to Tools.cpp (cxx_sleep, cxx_strtok_r etc)

2003-12-22  <vadim@vk.crocodile.org>

	* got rid of GLIB everywhere, now using POSIX threads functions directly.
	* configure.in: removed check for GLIB, added check for pthreads

	***************************************************************
	* VERSION (RELEASE_NUM): Created branch "fwb2", set package  *
	* version to 2.0.0 and library so version to 6.0.0           *
	***************************************************************

2003-12-18  <vadim@vk.crocodile.org>

	* libfwbuilder.info.in: fixed bug #862642: "fink packages do not work for 10.3". Changes have been made to the fink .info files to make libfwbuilder and fwbuilder build on Panther.

	* libfwbuilder.spec.in: fixed bug #855896: "do not quote RPM Group names". Group names in RPM .spec files should not be in quotes.

	* VERSION (RELEASE_NUM): set version to v1.0.2-2

2003-11-23  <vadim@vk.crocodile.org>

	* VERSION (LIBFWBUILDER_AGE): v1.0.2 released

2003-11-11  <vadim@vk.crocodile.org>

	* XMLTools.cc (loadAndParseFile): fixed bug #840427: Problems with libxml2. The GUI won't start if libxml2 v 2.6.2 was installed, the error looked like this:

	    I/O warning : failed to load external entity "/resources.xml"

	  Function xmlParseFile broke in libxml2 v2.6.2 so I had to switch to xmlParseMemory.
2003-11-09  <vadim@vk.crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): fixed several bugs

	* Compiler.cc (_expandAddressRanges): implemented algorithm that converts address range into a set of networks rather than N hosts. Using method libfwbuilder::convertAddressRange.

2003-09-20  Vadim Kurland <vadim@vk.crocodile.org>

	* set version to 1.0.2. There are no changes in the code (so far) but version change allows me to insert some standard objects into existing user's object files. In particular, I need to add standard objects "broadcast" and "old-broadcast" that are used by "help me build policy" druid for rules permitting DHCP.

2003-09-02  Vadim Kurland <vadim@vk.crocodile.org>

	* 1.0.1 released

2003-07-21  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (isRecursiveGroup): fixed bug #774834: compiler hangs on a group referencing itself. If a group references itself, policy compilers used to hang or dump core.

2003-07-19  Vadim Kurland <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces): fixed bug #774462: wrong interface made external if fw was discovered by the crawler.

	* snmp.cc (fetchRoutingTable): fixed bug #773271: program crashes while doing network object discovery.

2003-07-05  Vadim Kurland <vadim@vk.crocodile.org>

	* XMLTools.cc: added method transformFileToFile that applies XSLT transformation to a file and stores the result in another file. This method is currently used for printing. This is done in order to fix printing on RH90. Somehow method transformDocumentToFile, when used in combination with FWObjectDatabase::saveXML, did not work on RH90. Somehow it did not load DTD properly, because of that XSLT transformation did not work (many things broke, in particular XSLT function id() did not work). Saving to a temporary file with FWObjectDatabase::saveFile and then applying transformation to this file in the new method worked.
2003-06-29  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler_ops.cc (operator==): need to take interfaces into account when comparing Address objects. Dynamic and unnumbered interfaces need to be compared by names (since method getAddress of different dynamic interfaces will return the same IPAddress object)

2003-06-20  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (_expandAddressRanges): fixed bug #742136: "iptables compiler hangs". All compilers hang if address range object with range start and end equal to 255.255.255.255 was used in the policy rule.

	* dns.cc (getHostByName): fixed bug #753946: "DNS lookup crash". DNS lookup of non-existing name caused crash on SuSE 8.2

	* set version to 1.0.1

2003-05-21  Vadim Kurland <vadim@vk.crocodile.org>

	* v 1.0.0 released

2003-05-13  Vadim Kurland <vadim@vk.crocodile.org>

	* IPAddress.cc (IPRoute): fixed bug (no number): improper use of the constructor Interface(const Interface *iface) in place of the copying constructor Interface(const Interface &iface)

	* snmp.cc (fetchRoutingTable): fixed bug (no number): snmp crawler did not pick external interface properly (external interface is determined by looking for a default route).

2003-04-24  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: improvements in the build process. Script configure eliminates duplicate CFLAGS and LIBS options and libraries and makes compile lines shorter.

2003-04-13  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: Set version to 1.0.0, release "RC1"

2003-04-12  Vadim Kurland <vadim@vk.crocodile.org>

	* snmp.cc (fetchArpTable): fixed bug where this method failed to get MAC address for known IP address if net-snmp v5 was used to compile and link the program.

2003-04-05  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): made complexMatch properly match if the second argument is interface.
2003-04-04  Vadim Kurland <vadim@vk.crocodile.org>

	* new .spec file for unified RPM build

2003-04-02  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: fixed bug #713582: Cannot build libfwbuilder from rpm src file on RH 8.0. Needed better way to check for presence of net-snmp or ucd-snmp libraries. RH 8.0 comes with both in a package net-snmp; script should be able to differentiate them and pick net-snmp. Script net-snmp-config is now present, using it for --libs flags.

2003-03-28  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (catchUnnumberedIfaceInRE): this method is used in rule processor checkForUnnumbered for all policy and nat compilers. It checks if unnumbered interface is used in a given rule element. Returns true if such interface was found.

2003-03-26  Vadim Kurland <vadim@vk.crocodile.org>

	* Makefile.in (CXXLINK): linking libfwbuilder.so and libfwcompiler.so with supporting libraries (libsnmp, libxml2, libxslt). This should help automatically set dependencies on the package.

2003-03-19  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added new NAT rule type SDNAT for rules that translate both source and destination.

2003-03-16  Vadim Kurland <vadim@vk.crocodile.org>

	* XMLTools.cc (loadFile): better text for the xml file auto-upgrade warning dialog.

	* NATCompiler.cc (processNext): renamed processor addressRanges to ExpandAddressRanges

2003-03-13  Vadim Kurland <vadim@vk.crocodile.org>

	* rearranged top level Makefile so I can build tar file without having to run configure first

2003-03-09  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.hh: added bool fwcompiler::operator==(const Interval &o1,const Interval &o2);

2003-03-03  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: platform and os resource files moved back to fwbuilder

2003-03-02  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.hh: converted everywhere from RuleElement::getFirst to Compiler::getFirstSrc, Compiler::getFirstDst etc.
	  This helps improve compile speed for all platforms, sometimes significantly.

	* FWObject.cc (getById): API cleanup: got rid of the third parameter for getById (parameter was called 'dereference'). Had to make minor changes in the GUI to accommodate this.

2003-03-01  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: renamed var. HAVE_LIBBIND to HAVE_GOODLIBRESOLVE. The new name better reflects its meaning. Removed checks for libdns and libisc, we don't seem to use these libraries anymore. Improved detection whether libresolv has advanced functions for zone transfers and error parsing.

2003-02-27  Vadim Kurland <vadim@vk.crocodile.org>

	* fwbuilder.dtd, Rule.cc (setAction): added action 'Accounting'

2003-02-17  Vadim Kurland <vadim@vk.crocodile.org>

	* macosx.xml.in: Added resource files for Mac OS X and ipfw

2003-01-21  Vadim Kurland <vadim@vk.crocodile.org>

	* Makefile.in (OS_DATAFILES): moved files with platform and os descriptions from the GUI to the API

2003-01-19  Vadim Kurland <vadim@vk.crocodile.org>

	* BackgroundOp.cc (start_operation): flag stop_program is now created as a dynamic variable so that it can be checked even if BackgroundOp object has been destroyed while run_impls was stuck in a system call. See comment in the code. This fixes bug #637154: seg fault on snmp get / undo

2003-01-12  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (findAddressFor): using const arguments

2003-01-11  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (findAddressFor): added method Compiler::findAddressFor

2003-01-02  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (_expandInterface): virtual method that can be reimplemented in derived compiler class to properly deal with physAddress objects (see PolicyCompiler_ipt)

2002-12-28  Vadim Kurland <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces): fixed bug #617904: snmp does not get multiple addresses.
	  The crawler and the tool that discovers host's interfaces using SNMP find and create appropriate IPv4 objects for interfaces that have multiple addresses.

2002-12-25  Vadim Kurland <vadim@vk.crocodile.org>

	* physAddress.hh (class physAddress): added XML element and libfwbuilder class to represent hardware (physical) address. This class works similarly to IPv4; it can only be a child of Interface.

2002-12-24  Vadim Kurland <vadim@vk.crocodile.org>

	* Interface.cc: Added support for unnumbered interfaces (working on feature req. #546881 "Unnumbered Interfaces cause bad compile" and some bug reports.)

	* set version to 0.10.13

2002-12-23  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): fixed bug #657195: NAT port mapping bug.

	* configure.in: set version to 0.10.12-3 (to avoid having to create temporary xslt transformation for data file upgrade. This transformation will be added later when support for MAC address object is introduced; version will be bumped up to 0.10.13 then).

2002-12-17  Vadim Kurland <vadim@vk.crocodile.org>

	* 0.10.12 released

2002-12-16  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObjectDatabase.xslt: fixed bug #654505: 1.0.8 won't load file from 1.0.6

	* using attribute 'exclude-result-prefixes' in xsl:stylesheet to fix the problem with extra namespace declaration added to the FWObjectDatabase element if upgrade of the data file was done using latest versions of libxml2 and libxslt. Added this attribute to FWObjectDatabase.xslt transformation for upgrades _from_ versions 0.10.9, 0.10.10 and 0.10.11

2002-12-13  Vadim Kurland <vadim@vk.crocodile.org>

	* Rule.hh (class Rule): code cleanup - getting rid of getStr/setStr in compilers. Added a few variables used in compilers.
2002-12-02  Vadim Kurland <vadim@vk.crocodile.org>

	* Rule.cc (duplicate): code cleanup: keeping NAT rule type and interface_id in private class member variables

2002-12-01  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added basic support for Load Balancing rules and some new rule types in both NAT and Policy.

2002-11-28  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.hh: added new rule processor emptyGroupsInRE that finds and eliminates empty groups in rule elements. PolicyCompiler and NATCompiler both inherit from this processor and create their own sets of processors that check for empty groups in particular rule elements (like in Src, Dst, Srv, OSrc etc.)

	* Rule.hh (class Rule): added members and methods to class Rule to support operations specific to fwcompiler classes. Rules can have boolean flags "fallback", "hidden" and may have a label. These parameters are not being stored in XML file. Had to add virtual method duplicate to make sure these parameters get copied when rules are duplicated.

2002-11-24  Vadim Kurland <vadim@vk.crocodile.org>

	* fwbuilder.dtd.in (TCPService): added attributes for TCP flag masks in TCPService element.

	* TCPService.hh (class TCPService): added support for TCP flag masks. Rearranged methods dealing with flags and masks.

	* Compiler_ops.cc (operator<=): commented out operator<= for both Address and Service - to be removed after some additional testing.

	* Compiler.hh (checkForShading): renamed operator< to checkForShading, both for Address and Service. Operator== stays.

	* PolicyCompiler.cc (checkForShading): separated checkForShading and cmpRules methods in both PolicyCompiler and NATCompiler

2002-11-21  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): fix for bug #642161: problem with NAT rules that translate port numbers but do not change addresses.
2002-11-16  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): made changes to fix bug #637694: bridge enabled / management. Background: if firewall object is used in destination of the rule of the bridging firewall, chain needs to be still INPUT. Changes in complexMatch allow calling method to pass flags to control whether complexMatch would match on broadcasts and multicasts.

2002-11-15  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (cmpRules): fixed bug with rule shading detection: rules are considered not shading each other if any rule element has negation turned on. It is too difficult to correctly detect shading if there is negation somewhere.

2002-11-14  Vadim Kurland <vadim@vk.crocodile.org>

	* Management.cc (toXML): fixed bug #635849: old and annoying problem where GUI detected non-existent change in the data tree once the user opened firewall object or any of the policy objects (InterfacePolicy, Policy or NAT). It then asked if the user wants to save the data before exiting the GUI.

2002-10-29  Vadim Kurland <vadim@vk.crocodile.org>

	* 0.10.11 released

2002-10-24  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler_ops.cc (operator==): taking TCP flags into account while comparing policy rule objects

2002-10-21  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (findZeroAddress): fixed bug #626238: 0.0.0.0/8 not detected correctly

2002-10-20  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObjectDatabase.xslt: setting FirewallOptions/Option with name 'check_shading' and value 'true' for all firewalls: rule shading check is ON by default as of this version.

	* Compiler.cc (Begin::processNext): compilers now work on a copy of rule set. This allows for multiple passes to be created by simply creating another set of rule processors and calling runRuleProcessors again.
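The shading check described in the 2002-11-15 entry above (any negated rule element disables it) and in the 2002-08-13 entry (direction is part of the comparison), as an added, deliberately simplified model that is not libfwbuilder's code: the rule structure, the labels and the sample rule set are constructed here for illustration, and identical rules are treated as shading.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Simplified model of an atomic policy rule (hypothetical types, not
// libfwbuilder's): after the ConvertToAtomic processors have run, each rule
// element holds a single object, here one CIDR block or one port.
struct Cidr { uint32_t addr; int prefix; };
enum Direction { Inbound, Outbound, Both };

struct AtomicRule {
    std::string label;
    Cidr src, dst;
    int port;                      // destination port; 0 stands for 'any'
    Direction dir;
    bool srcNeg, dstNeg, srvNeg;   // per-element negation flags
};

// True if block a covers every address in block b.
bool contains(const Cidr& a, const Cidr& b) {
    if (a.prefix > b.prefix) return false;
    uint32_t mask = a.prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - a.prefix);
    return (a.addr & mask) == (b.addr & mask);
}

bool directionCovers(Direction a, Direction b) { return a == Both || a == b; }
bool portCovers(int a, int b) { return a == 0 || a == b; }

// 'general' shades 'specific' if every packet matched by 'specific' is already
// matched by 'general'. Direction is compared too (bug #594656), and any
// negated element disables the check: with negation, containment of the whole
// match set no longer follows from containment of the individual elements.
bool shades(const AtomicRule& general, const AtomicRule& specific) {
    if (general.srcNeg || general.dstNeg || general.srvNeg ||
        specific.srcNeg || specific.dstNeg || specific.srvNeg)
        return false;
    return contains(general.src, specific.src) &&
           contains(general.dst, specific.dst) &&
           portCovers(general.port, specific.port) &&
           directionCovers(general.dir, specific.dir);
}

// First-match semantics: an earlier rule that shades a later one makes the
// later rule dead. Returns (shadowing label, shadowed label) pairs in order.
std::vector<std::pair<std::string, std::string>>
detectShading(const std::vector<AtomicRule>& rules) {
    std::vector<std::pair<std::string, std::string>> found;
    for (size_t i = 1; i < rules.size(); ++i)
        for (size_t j = 0; j < i; ++j)
            if (shades(rules[j], rules[i]))
                found.emplace_back(rules[j].label, rules[i].label);
    return found;
}

// Constructed sample rule set (addresses in host byte order).
std::vector<AtomicRule> sampleRules() {
    const Cidr anyNet{0, 0};
    const Cidr lan{0x0A000000u, 24};      // 10.0.0.0/24
    const Cidr host{0x0A000005u, 32};     // 10.0.0.5
    const Cidr office{0xC0A80100u, 24};   // 192.168.1.0/24
    return {
        {"allow_web",      anyNet, lan,    80, Inbound,  false, false, false},
        {"allow_host_web", office, host,   80, Inbound,  false, false, false}, // dead: shaded by allow_web
        {"allow_out",      lan,    anyNet,  0, Outbound, false, false, false},
        {"allow_in",       lan,    anyNet,  0, Inbound,  false, false, false}, // other direction: not shaded
        {"not_lan",        lan,    anyNet,  0, Outbound, true,  false, false}, // negated Src: check skipped
    };
}
```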
2002-10-19  Vadim Kurland <vadim@vk.crocodile.org>

	* snmp.cc (fetchInterfaces): now works with net-snmp library

2002-10-18  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObject.cc (shallowDuplicate): new method: copies attributes of an object given as an argument, but does not change children.

2002-10-13  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.hh: output is now stringstream (so we can read and write to it)

2002-09-30  Vadim Kurland <vadim@vk.crocodile.org>

	* release 0.10.10

2002-09-24  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): this method now scans virtual addresses on interfaces; it also avoids false positives with objects with multiple interfaces, where one interface matches.

2002-09-23  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (processNext): added generic rule processor to eliminate duplicates in rule elements.

	* Compiler.cc (createRuleLabel): code cleanup in createRuleLabel

2002-09-21  Vadim Kurland <vadim@vk.crocodile.org>

	* IPAddress.cc (to32BitInt): applied patch #612667 that fixes bug #571882 - address arithmetics broken on SPARC

2002-09-20  Vadim Kurland <vadim@vk.crocodile.org>

	* XMLTools.cc (cleanForNVTASCII): this method makes sure all characters in str conform to NVT ASCII coding (codes are <127). This must be true for example for sysDesc MIB variables.

	* dns.cc (run_impl): fixed bug in DNS_bulkBackResolve_query which happened if there were more threads than IPs to be resolved.

	* PolicyCompiler.cc (checkForZeroAddr): better diagnostics message

2002-09-19  Vadim Kurland <vadim@vk.crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): fixed bug where this method cycled indefinitely if input data were start=N.N.N.0 and end=N.N.N.255

	* PolicyCompiler.cc (checkForZeroAddr): in addition to checking for objects with address 0.0.0.0, this rule processor also checks for hosts with no interfaces.
2002-09-15  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (checkForZeroAddr): this processor checks for host and network objects with address 0.0.0.0, which is equivalent to 'any'. This is an error, compilation is aborted. This fixes bug #607380: host with no IP creates any rule.

	* Compiler.cc (complexMatch): fixed bug #605944: multicast addresses in FORWARD chain

	* XMLTools.cc (saveFile): setting utf-8 encoding on saved xml files.

	* XMLTools.cc (cleanForUTF8): added method that cleans up character string, replacing characters that do not conform with UTF8 encoding with '?'

2002-09-10  Vadim Kurland <vadim@vk.crocodile.org>

	* version 0.10.9 released

2002-09-08  Vadim Kurland <vadim@vk.crocodile.org>

	* snmp.cc (walk): using function snprint_objid from libsnmp. Added corresponding check to configure.in. Thanks to mithrandir@alwaysonline.net.au for patch.

	* minor code cleanup. Changes to configure and Makefiles to support compile and linking with STLport

2002-09-07  Vadim Kurland <vadim@vk.crocodile.org>

	* Makefile.in (INSTALL_STRIP): controlling build options via env. var FWB_BUILD_OPTIONS. Currently provides control for "-g" compiler/linker option and "-s" installer option.

	* Compiler.cc (getCompiledScript): fixed bug #606047: resetting position in the ostringstream stream 'output' so it can be used again.

	* Compiler.cc (findInterfaceFor): deep check to make sure we compare against all addresses of each interface of the firewall

2002-09-02  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: set library so version number to 3.0.0

	* removed fwbd from src/Makefile.in

2002-08-31  Vadim Kurland <vadim@vk.crocodile.org>

	* Resources.hh (class Resources): class Resources moved from fwbuilder to libfwbuilder

2002-08-28  Vadim Kurland <vadim@vk.crocodile.org>

	* configure.in: detecting lwres.
	  configure parameter '--with-lwres'

	* Set Copyright to NetCitadel, LLC

	* configure.in: checking for /usr/include/lwres/netdb.h which comes with bind9

2002-08-26  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObjectDatabase.hh (class FWObjectDatabase): moved method findFirewallByName from class Compiler to class FWObjectDatabase

	* libfwbuilder-config.in (the_flags): script libfwbuilder-config returns different combinations of libraries if called with parameter "fwbuilder" or "fwcompiler"

2002-08-24  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (ExpandMultipleAddresses): added case for NONAT

	* merged branch virt_iface: support for virtual interfaces

2002-08-23  Vadim Kurland <vadim@vk.crocodile.org>

	* Host.cc (getAddress): Host::getAddress returns address of management interface if there is one, or address of the last interface, or 0.0.0.0 if there are no interfaces

2002-08-22  Vadim Kurland <vadim@vk.crocodile.org>

	* Host.hh (getManagementAddress): this method finds management interface and copies its address into Management child object and returns it.

	* Interface.hh (isManagement): added methods to manipulate attribute "mgmt"

	* fwbuilder.dtd.in (TODO): added attribute "mgmt" to element Interface. This attribute marks interface as "management" interface, which is the one fwbd daemon is listening on and the one to which we can run snmp queries etc.

2002-08-21  Vadim Kurland <vadim@vk.crocodile.org>

	* Interface.cc: added method setDyn

	* XML elements Host and Firewall: attribute "address" is no longer REQUIRED. IP Address for these elements should be defined in a child element Interface

2002-08-19  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): fixed bug #597418 (compiler placed code into chain OUTPUT if MAC address match was requested for a Host with dynamic interface)

2002-08-17  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObjectDatabase.hh (class FWObjectDatabase): moved most of the standard IDs to FWObjectDatabaseGUI class in fwbuilder.
2002-08-16  Vadim Kurland <vadim@vk.crocodile.org>

	* IPAddress.cc (isMulticast): fixed bug #554286: crawler discovered multicast addresses and created objects

2002-08-13  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler_ops.cc (cmpRules): fixed bug #594656: Outbound rule shades an inbound rule. Now taking direction into account when comparing policy rules.

2002-08-12  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (_expand_addr_recursive): expanding objects with multiple addresses recursively, so that we can get all IPv4 objects and all interfaces

2002-08-09  Vadim Kurland <vadim@vk.crocodile.org>

	* working in a branch virt_iface

	* configure.in: set version to 0.10.9

	* IPv4.hh (class IPv4): created class IPv4

	* FWObjectDatabase.xslt: created auto-upgrade transformation that adds child element IPv4 to Interface and reassigns attributes "address" and "netmask" from Interface to IPv4

2002-08-01  Vadim Kurland <vadim@vk.crocodile.org>

	* v0.10.8 released

2002-07-29  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObject.cc (fromXML): fixed memory leak that occurred because we weren't freeing memory buffers returned by xmlGetProp and xmlGetNodeContent

2002-07-27  Vadim Kurland <vadim@vk.crocodile.org>

	* XMLTools.hh (class XMLTools): made XMLTools::version_compare a public method

2002-07-26  Vadim Kurland <vadim@vk.crocodile.org>

	* libfwbuilder-config.in (LIBFWBUILDER_LIBDIR): do not report CFLAGS and LIBS for libsigc++

	* BackgroundOp.hh (class BackgroundOp): class BackgroundOp is not derived from SigC::Object anymore

2002-07-20  Vadim Kurland <vadim@vk.crocodile.org>

	* Rule.cc (PolicyRule): PolicyRule constructor _does not_ turn logging on anymore.
	  This should be done in the GUI

2002-07-18  Vadim Kurland <vadim@vk.crocodile.org>

	* Firewall.cc (replaceRefToFirewall): fixed bug #580027: Firewall::duplicate replaces references to the old firewall with references to the new one in policy and NAT rules

2002-07-14  Vadim Kurland <vadim@vk.crocodile.org>

	* dns.cc:
	* BackgroundOp.cc: initializing tattr from constructor and destroying it from destructor of both classes

	* configure.in: a workaround for an algorithm for detection of pthread library flags on OpenBSD (glib-config returns flags for /usr/local/lib/pth/libpthread which is broken, we should be really using libc_r instead)

	* BackgroundOp.cc (start_operation): processing return codes from pthread_create

	* dns.hh (class DNS_bulkBackResolve_query):
	* BackgroundOp.cc (start_operation): tattr is now member of the class

2002-07-13  Vadim Zaliva <lord@crocodile.org>

	* dns.cc (run_impl):
	* BackgroundOp.cc (start_operation): setting detachable attribute in pthread_create to avoid execution problem on OpenBSD.

2002-07-04  Vadim Kurland <vadim@vk.crocodile.org>

	* autogen.sh: added script autogen.sh - this script regenerates all critical scripts and config files (aclocal.m4, ltmain.sh and ltconfig, configure etc) using aclocal, automake and libtool. This needs to be done to properly build on different platforms.

2002-06-27  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (abort): method Compiler::abort modified. Now it has dual function: if compiler is in testing mode (test_mode==true) it prints error message and returns, otherwise it throws exception with error message.
	  Test mode can be activated using method Compiler::setTestMode()

2002-06-25  Vadim Kurland <vadim@vk.crocodile.org>

	* NATCompiler.cc (processNext): added processor classifyNATRule that decides on NAT rule type (code is based on variant developed for iptables as the most comprehensive one)

	* Compiler.cc (processNext): added rule processor "createNewCompilerPass"

	* set version to 0.10.8

2002-06-24  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (processNext): added universal rule processor splitIfRuleElementMatchesFW that splits rule if one of the objects in given rule element is firewall. Classes PolicyCompiler and NATCompiler derive from this base class to create rule processors that do this for specific rule elements.

2002-06-22  Vadim Kurland <vadim@vk.crocodile.org>

	* Firewall.cc, Host.cc: removed methods Firewall::setDefaults and Host::setDefaults. Now setting default properties and default options in the GUI using resources

2002-06-21  Vadim Kurland <vadim@vk.crocodile.org>

	* Firewall.cc (setDefaults): added code setting default values for firewall options for PIX

2002-06-20  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (_expandAddressRanges): fixed bugs #571990 and #573038 - AddressRange overrun for ranges that end with IP address ending with 255

2002-06-16  Vadim Kurland <vadim@vk.crocodile.org>

	* version 0.10.7 released

2002-06-14  Vadim Zaliva <lord@crocodile.org>

	* Tools.cc (init): initializing threads and XML tools.

2002-06-03  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (complexMatch): fixed bug #564037: compiler should place rules with destination address 255.255.255.255 into INPUT chain

2002-06-02  Vadim Kurland <vadim@vk.crocodile.org>

	* Set version to 0.10.7

	* PolicyCompiler.cc (processNext): added rule processor that converts policy rule to atomic rules by splitting it on time interval rule element.
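The range-to-networks conversion that the 2003-11-09 entry introduces and that the 2003-06-20, 2002-09-19 and 2002-06-20 entries fix (a range ending at 255.255.255.255 hanging the compiler, N.N.N.0 to N.N.N.255 looping forever, overrun on ranges ending in .255), as an added example that is not libfwbuilder's code: it expands an inclusive range into the minimal list of CIDR blocks with 64-bit arithmetic so the end of the address space cannot wrap, and rejects an inverted range instead of skipping it. Type and function names are assumptions.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// One CIDR block in host byte order (hypothetical type, not libfwbuilder's).
struct Network {
    uint32_t address;
    int prefix;   // 0..32
};

// Parse a dotted quad; throws on malformed input instead of yielding 0.0.0.0,
// since 0.0.0.0 means 'any' to the compiler and must not appear by accident.
uint32_t parseIPv4(const std::string& s) {
    unsigned a, b, c, d;
    char d1, d2, d3, extra;
    std::istringstream in(s);
    if (!(in >> a >> d1 >> b >> d2 >> c >> d3 >> d) ||
        d1 != '.' || d2 != '.' || d3 != '.' || (in >> extra) ||
        a > 255 || b > 255 || c > 255 || d > 255)
        throw std::invalid_argument("bad IPv4 address: " + s);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

std::string formatIPv4(uint32_t a) {
    std::ostringstream out;
    out << (a >> 24) << '.' << ((a >> 16) & 255) << '.'
        << ((a >> 8) & 255) << '.' << (a & 255);
    return out.str();
}

// An inverted range (start > end) is a configuration error to report,
// not something to silently skip.
bool isValidRange(uint32_t start, uint32_t end) { return start <= end; }

// Convert the inclusive range [start, end] into the minimal list of CIDR
// networks instead of one object per host. All arithmetic is done in 64 bits
// so that a range ending at 255.255.255.255 cannot wrap to 0 and loop forever.
std::vector<Network> rangeToNetworks(uint32_t start, uint32_t end) {
    if (!isValidRange(start, end))
        throw std::invalid_argument("address range start is greater than end");
    std::vector<Network> result;
    const uint64_t last = end;
    uint64_t cur = start;
    while (cur <= last) {
        // Start with a /32 and widen it while the block stays aligned at
        // 'cur' and its last address does not run past 'end'.
        int prefix = 32;
        while (prefix > 0) {
            uint64_t size = uint64_t(1) << (32 - (prefix - 1));
            if ((cur & (size - 1)) != 0 || cur + size - 1 > last) break;
            --prefix;
        }
        result.push_back({static_cast<uint32_t>(cur), prefix});
        cur += uint64_t(1) << (32 - prefix);   // advance past the block
    }
    return result;
}

// Convenience wrapper returning "a.b.c.d/p" strings for the expanded range.
std::vector<std::string> expandRange(const std::string& start, const std::string& end) {
    std::vector<std::string> out;
    for (const Network& n : rangeToNetworks(parseIPv4(start), parseIPv4(end)))
        out.push_back(formatIPv4(n.address) + "/" + std::to_string(n.prefix));
    return out;
}

int main() {
    // The cases from the changelog entries: a full /24 given as a range, a
    // range ending at 255.255.255.255, and an ordinary unaligned range.
    const char* cases[][2] = {
        {"10.0.0.0", "10.0.0.255"},
        {"255.255.255.255", "255.255.255.255"},
        {"192.168.1.5", "192.168.1.10"},
    };
    for (const auto& c : cases) {
        std::cout << c[0] << "-" << c[1] << ":";
        for (const std::string& s : expandRange(c[0], c[1])) std::cout << " " << s;
        std::cout << "\n";
    }
    return 0;
}
```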
2002-05-25  Vadim Kurland <vadim@vk.crocodile.org>

	* FWObject.cc (add): modified FWObject::add, added the second parameter that controls whether method will validate object to be added. Validation is on by default but can be turned off if needed.

2002-05-23  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.hh: added a few standard rule processors for PolicyRule:
	    o ExpandGroups
	    o ExpandMultipleAddresses
	    o addressRanges
	    o splitServices
	    o separateTCPWithFlags
	    o verifyCustomServices
	    o ConvertToAtomicForAddresses
	    o ConvertToAtomic
	    o findMoreGeneralRule
	    o DetectShading

	* NATCompiler.hh: added several rule processors for NATRule:
	    o ExpandGroups
	    o ExpandMultipleAddresses
	    o addressRanges
	    o ConvertToAtomicForAddresses
	    o ConvertToAtomic

	* Compiler.hh: added several type-independent rule processors:
	    o Begin
	    o printTotalNumberOfRules
	    o simplePrintProgress
	    o Debug

	* RuleProcessor.hh (fwcompiler): class BasicRuleProcessor is base class for the family of rule processors

	* PolicyRuleProcessor, NATRuleProcessor: these classes inherit all methods from BasicRuleProcessor and add proper type conversion

2002-05-20  Vadim Zaliva <lord@crocodile.org>

	* RuleProcessor.hh (fwcompiler): new processing framework based on chained processor. Base class.

2002-05-18  Vadim Kurland <vadim@vk.crocodile.org>

	* Makefile.in (INSTALL_SCRIPT): fixed bug #556840 (shell script libfwbuilder-config should be installed without "-s" command line option to install)

	* Compiler.cc (findFirewallByName): added function that finds firewall by name

2002-05-17  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (find_more_general_rule): better algorithm to find more general rule. Reimplemented DetectShading

	* Compiler_ops.cc (cmpRules): new method to compare rules.
	* Compiler_ops.cc (operator<): improvements in comparison of service objects

	* FWObject.hh (class FWObject):
	* TCPService.hh (class TCPService): made some methods "const"

	* Compiler.cc (debugRule): moved method debugRule to the base class Compiler

2002-05-16  Vadim Kurland <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (for_each_const_rule): new implementations of for_each_rule and for_each_const_rule

	* Compiler.hh (x_any_fun2): using x_any_fun1 and x_any_fun2 to call member functions that process rules in derived classes for policy and NAT compilers

2002-05-15  Vadim Kurland <vadim@vk.crocodile.org>

	* v0.10.6 released

2002-05-09  Vadim Kurland <vadim@vk.crocodile.org>

	* Compiler.cc (findInterfaceFor): method to find interface of one object (usually firewall) that is connected to the same subnet as the second object

	* PolicyCompiler.cc (find_more_general_rule): using strict comparison ('<' instead of '<=') to find more general rule

2002-05-08  <vadim@vk.crocodile.org>

	* FWObject.cc (destroyChildren): this new method destroys all children of this recursively; it ignores reference counter and simply deletes everything.
	* FWObject.cc (clearChildren): this method deletes all children of
	this object, recursively or not (depending on the parameter), but
	checks the reference counter and deletes only objects with ref==0

2002-05-03  Vadim Kurland  <vadim@vk.crocodile.org>

	* NATCompiler.hh:
	* PolicyCompiler.hh: added methods and classes for debugging

	* Compiler.cc (_isMatchingFW): added matching for broadcast
	addresses

	* IPAddress.cc (getBroadcastAddress): fixed bug (removed extra
	htonl() conversion)

2002-04-27  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (error): now have three methods for warning and error
	messages: warning, error, abort

2002-04-26  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (_isMatchingFW): method returns true if obj is a
	firewall, or any child of a firewall, or its address matches that
	of any of the firewall's interfaces or the address of the firewall
	object

	* BackgroundOp.cc (BackgroundOp): BackgroundOp creates an object of
	class QueueLogger in the constructor and deletes it in
	background_thread, after run_impl returns. Also using SyncFlag flag
	"iamdead", which is protected by a mutex, to make sure the
	background thread won't use the object if it was destroyed. With
	this flag we can now delete an object of class BackgroundOp any
	time without having to worry about the background operation using
	it after it has been deleted. Classes derived from BackgroundOp
	should check flag stop_program_flag using method check_stop after
	each system call in run_impl and should immediately interrupt the
	operation and return from run_impl if check_stop throws an
	exception.

2002-04-20  <vadim@vk.crocodile.org>

	* Logger.hh (class Logger): logger can be switched to blackhole
	mode. In this mode the logger does not store text sent to it and
	its method Logger::ready always returns false

	* BackgroundOp.cc (start_operation): start_operation creates an
	object of class QueueLogger and returns a pointer to it. This
	object is destroyed at the end of the background thread function,
	after it makes sure all the text has been pulled out of the logger
	by the foreground thread, or the logger has been disconnected.

	* Logger.hh (class QueueLogger): moved class Logger and other
	classes derived from it to a separate module. Added class
	QueueLogger - logger working via an internal queue<string>

	* dns.cc (DNS_bulkBackResolve_Thread): assemble the whole string
	before sending it to the logger (instead of using locking
	manipulators start and end)

2002-04-19  Vadim Kurland  <vadim@vk.crocodile.org>

	* Compiler.cc (createRuleLabel): nicer rule labels

	* Compiler.cc (normalizePortRange): this method fixes port ranges

	* PolicyCompiler.cc (_expandAddr): routine that replaces references
	to host and firewall objects with references to their interfaces
	again uses all interfaces for a firewall.

2002-04-18  Vadim Kurland  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (operator): rule inspectors splitServices and
	verifyCustomServices moved to the base class PolicyCompiler

	* CustomService.cc: custom service has pseudo-protocol number 65000

2002-04-17  Vadim Kurland  <vadim@vk.crocodile.org>

	* Rule.hh (class NATRule): some new NATRule types, additional
	methods to set and get rule type

2002-04-17  <vadim@vk.crocodile.org>

	* PolicyCompiler.cc (convertToAtomicForAddresses): this processor
	splits a composite rule into a bunch of atomic rules by its Src and
	Dst. It ignores Srv. This processor is used in the ipt compiler
	(iptables supports multiple ports in a service, so we don't convert
	to atomic rules for service)

	* NATCompiler.cc (convertToAtomicForAddresses): this processor
	splits a composite rule into a bunch of atomic rules by its OSrc,
	ODst, TSrc, TDst. It ignores OSrv and TSrv. This processor is used
	in the ipt compiler (iptables supports multiple ports in a service,
	so we don't convert to atomic rules for services)

	* NATCompiler.cc (expandMultipleAddresses):
	* PolicyCompiler.cc (expandMultipleAddresses): these methods moved
	to the base classes PolicyCompiler and NATCompiler

	* Compiler.hh: _expandAddressRange: method expands AddressRange
	objects in rule elements. This method is used in both
	PolicyCompiler and NATCompiler

2002-04-15  <vadim@vk.crocodile.org>

	* Compiler.hh: added caching for frequently used objects for all
	compilers

2002-04-11  Vadim Kurland  <vadim@vk.crocodile.org>

	* IPAddress.hh (class IPAddress): added IPAddress::operator
	guint32()

	* IPAddress.cc (to32BitInt): converted from IPAddress::operator
	ulong() to guint32 IPAddress::to32BitInt() for portability to
	64-bit architectures (e.g. Alpha). Used type guint32 instead of
	ulong everywhere

2002-04-09  <vadim@vk.crocodile.org>

	* configure.in: checking for ccache and using it if present

2002-04-08  <vadim@vk.crocodile.org>

	* configure.in: automatic determination whether we have bind
	library (sets HAVE_LIBBIND)

2002-04-07  Vadim Kurland  <vadim@vk.crocodile.org>

	* configure.in: Set package version to 0.10.6, library libtool
	version to 2.0.0

2002-04-06  <vadim@vk.crocodile.org>

	* Compiler.cc (_do_expandGroups): fixed bug #538774: expand groups
	recursively (permits groups within groups)

2002-04-03  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (findByType>): findByType iterator-based method.

2002-03-31  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (init): initialize openssl library and load error
	strings. (Bug #537633).

	* crypto.cc (Key): Key generation progress indicator callback.

2002-03-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (FWObject*>): const attribute iterators.
	(FWObject*>): replaced std::vector with std::list.
2002-03-29  Vadim Kurland  <vadim@vk.crocodile.org>

	* Version 0.10.5 released

2002-03-21  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: fixed bug #532457 - port range end for
	traceroute increased

2002-03-19  Vadim Zaliva  <lord@crocodile.org>

	* fwbd.c:
	* fwbd.h:
	* crypto.hh:
	* crypto.cc:
	* Tools.cc: Compilation w/o openssl

2002-03-19  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: added support for the following options:
	"--with-openssl=no" or "--without-openssl"
	"--with-ucd-snmp=no" or "--without-ucd-snmp"
	"--with-ucdsnmp=no" or "--without-ucdsnmp"

2002-03-18  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: Workaround for difference in linefeeds handling in
	libxml-2.4.10 and 2.4.16.

2002-03-16  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: compilation problem for BSD systems.

2002-03-15  Vadim Kurland  <vadim@crocodile.org>

	* NATCompiler.hh: renamed macros
	DECLARE_RULE_PROCESSOR -> DECLARE_NAT_RULE_PROCESSOR
	DECLARE_RULE_INSPECTOR -> DECLARE_NAT_RULE_INSPECTOR

	* PolicyCompiler.hh: renamed macros
	DECLARE_RULE_PROCESSOR -> DECLARE_POLICY_RULE_PROCESSOR
	DECLARE_RULE_INSPECTOR -> DECLARE_POLICY_RULE_INSPECTOR

2002-03-14  Vadim Kurland  <vadim@crocodile.org>

	* aclocal.m4 (AM_PATH_OPENSSL): added macro to determine presence
	and location of openssl library

2002-03-12  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (init): library initialization method.

	* dns.cc: using gethostbyname and gethostbyaddr on systems where no
	re-entrant versions of these functions are present.

	* configure.in (strtok_r): checking for strtok_r presence and using
	generic replacement only if no standard one is present.

	* Tools.cc (strtok_r): portable strtok_r implementation for
	platforms missing it.
	* manifest.hh:
	* manifest.cc:
	* win32modules.def.in (XML_PATH):
	* configure_win32.in:
	* dns.cc:
	* dns.hh: New win32 patch from Igor Morozov <igor@grad.kiev.ua>

2002-03-06  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: using HAVE_GETHOSTBYADDR_R_* macros

	* libfwbuilder-config.h.in:
	* configure.in: added check for number of arguments in
	gethostbyaddr_r

2002-03-05  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (X509_entry): bugfix for wrong certificate entries.
	Found and fixed by Jeremy T. Bouse.

2002-03-04  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: patch from Jeremy T. Bouse <Jeremy.Bouse@undergrid.net>
	correcting problems with wrong certificate expiration date and
	certificate format version.

2002-03-01  Vadim Kurland  <vadim@crocodile.org>

	* OSNetworkConfigurator.hh: added virtual method
	addVirtualAddressForNAT. This way we can concentrate all knowledge
	of a particular OS in the class OSNetworkConfigurator and its
	descendants

	* OSNetworkConfigurator.cc: added OSNetworkConfigurator - simple
	base interface class for OS network configurator classes

	* 0.10.4/FWObjectDatabase.xslt: transformation also changes
	platform name 'ipfilter' -> 'ipf'

	* 0.10.3/FWObjectDatabase.xslt: transformation 0.10.3->0.10.4 adds
	namespace using xmlns in the root element. Transformation does not
	set namespace prefix. Since we use only one namespace, we can use
	it as a default namespace and do not need a prefix.

	* 0.10.4/FWObjectDatabase.xslt: this transformation assumes there
	is always a namespace declaration in the root element. This
	transformation uses its own locally defined prefix 'fwb' to match
	elements with namespace. This prefix is used only within this
	transformation and is not added to the output. The output tree has
	a namespace declaration in its root element, just like the input
	does.

2002-02-28  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: Workaround for bug #73088 in Gnome bugzilla. To be
	removed when it is fixed.
2002-02-28  Vadim Kurland  <vadim@crocodile.org>

	* 0.10.3/FWObjectDatabase.xslt: transformation adds namespace to
	all elements

2002-02-27  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveXML):
	(saveFile): Removed explicit namespace specification in saved file.
	It is defined via DTD.

2002-02-27  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: patched fragment checking for resolv.h header file
	so it won't add -I/usr/include. This fixes bug #504485

2002-02-22  Vadim Kurland  <vadim@crocodile.org>

	* Rule.hh (class NATRule): added methods dealing with NAT rule type
	(SNAT/DNAT/REDIR/BINAT etc). NAT rule type is needed for compiler
	classes and is not stored in XML file.

	* Compiler.hh: made methods Compiler::warning and Compiler::abort
	public

2002-02-21  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: fixed bug #520845 (configure fails on solaris)

2002-02-20  Vadim Kurland  <vadim@crocodile.org>

	* Firewall.cc (Firewall): assigning default values to host_OS and
	platform in constructor

2002-02-20  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: replaced AM_ macros with AC_ macros

2002-02-19  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (substituteMacros): macro substitutor.

2002-02-19  Vadim Kurland  <vadim@crocodile.org>

	* PolicyCompiler.cc (find_more_general_rule): checking interfaces
	in find_more_general_rule

2002-02-18  <vadim@crocodile.org>

	* Compiler.hh: Compiler::prolog now returns number of rules to be
	processed

2002-02-15  Vadim Zaliva  <lord@crocodile.org>

	* configure_win32.in:
	* win32modules.def.in: files to compile under win32

2002-02-14  Vadim Kurland  <vadim@crocodile.org>

	* UDPService.cc (UDPService):
	* TCPService.cc (TCPService):
	* ICMPService.cc (ICMPService): assigning values to those
	attributes that are defined as REQUIRED in DTD. This fixed bug
	#517198

2002-02-11  Vadim Kurland  <vadim@crocodile.org>

	* fixed bug #516033 (tcp-flags... - added missing flags PSH and URG)

	* FWObjectDatabase.xslt: autoupgrade transformation adds new TCP
	flags

	* TCPService.cc: added support for flags PSH and URG. Added methods
	dealing with TCP flags

	* fwbuilder.dtd.in (TODO): added missing TCP flags to DTD

2002-02-10  Vadim Kurland  <vadim@crocodile.org>

	* Compiler.hh: removed optimize() as a separate method. Will
	implement optimizations (if any) in the compile() method

	* IPAddress.cc (operator+): bugfix: to do arithmetic on addresses I
	need to convert to host byte order

2002-02-07  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc:
	* Management.hh (class PolicyInstallScript): Added
	PolicyInstallScript under Management.

2002-02-06  Vadim Kurland  <vadim@crocodile.org>

	* Service.hh (class Service): added virtual method
	getProtocolNumber()

	* fwbuilder.dtd.in:
	* Rule.cc (setAction): added standard actions "Scrub", "Return",
	"Skip", "Continue"

	* PolicyCompiler.hh: minor parameter type changes

	* IPAddress.cc (getLength): added method Netmask::getLength
	(returns length of the netmask counting bits set to '1' from left
	to right)

	* FWOptions.hh (class FirewallOptions): removed method isDefault
	(to move knowledge of particular firewall platform parameters from
	API to the GUI)

2002-02-05  Vadim Zaliva  <lord@crocodile.org>

	* ManifestFile.txt: Manifest file format draft.

	* manifest.cc:
	* manifest.cc: Simple class to work with Manifest files.

2002-02-05  Vadim Kurland  <vadim@crocodile.org>

	* Interval.hh (class Interval):
	* Service.hh (class Service):
	* Address.hh (class Address): added method bool isAny() to classes
	Address, Service, Interval

2002-02-04  Vadim Kurland  <vadim@crocodile.org>

	* AddressRange.hh (class AddressRange): derived AddressRange from
	Address

	* Address.hh (class Address): added class Address - a base class
	for all other classes that can have an address and netmask and can
	be children objects of RuleElementSrc, RuleElementDst and other
	rule elements holding addresses.
	* RuleElement.hh (libfwbuilder): added method getFirst to all
	classes derived from RuleElement. This method returns a pointer to
	the first child object; the pointer has an appropriate type.

2002-02-03  Vadim Kurland  <vadim@crocodile.org>

	* Policy.hh (class Policy):
	* NAT.hh (class NAT): added wrapper methods that return PolicyRule*
	and NATRule* respectively for proper typization

	* Rule.hh (class PolicyRule): added methods getAction, setAction,
	getDirection, setDirection and enum types for action and direction

	* FWObjectDatabase.cc (FWObjectDatabase): added copy constructor

	* Rule.cc (PolicyRule): PolicyRule and NATRule now create their
	children objects in the constructor. I also got rid of getElements
	and other methods which worked with the set of rule elements and
	their names. This is now done in the GUI. Also added methods with
	proper typization to classes PolicyRule and NATRule to provide a
	way to access individual rule elements (methods getSrc(), getDst()
	etc)

2002-02-03  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc:
	* Management.hh: Enabled attribute management.

	* fwbuilder.dtd.in: added 'enabled' attribute to SNMP and FWBD
	management elements.
	(PolicyInstallElement): added

2002-02-02  Vadim Kurland  <vadim@crocodile.org>

	* Firewall.cc (Firewall): adding FirewallOptions, Policy, NAT in
	constructor

	* Host.cc (Host): adding HostOptions in constructor

	* FWIntervalReference.hh (class FWIntervalReference): removed
	constructor FWIntervalReference(FWObject *)

	* FWServiceReference.hh (class FWServiceReference): removed
	constructor FWServiceReference(Service *)

	* FWObjectReference.hh (class FWObjectReference): removed
	constructor FWObjectReference(FWObject *)

	* FWReference.hh (class FWReference): removed constructor
	FWReference(FWObject *)

	* FWObject.cc (FWObject): added constructor FWObject(const FWObject
	*root) to class FWObject and all derived classes. Parameter 'root'
	is a pointer at the root object of the tree we are going to add the
	newly created object to.
2002-01-30  Vadim Kurland  <vadim@crocodile.org>

	* Compiler.hh: reorganization of classes in order to accommodate
	both PolicyCompiler and NATCompiler and provide better typization

2002-01-29  Vadim Kurland  <vadim@crocodile.org>

	* PolicyCompiler.hh: moved some methods from class Compiler to
	class PolicyCompiler

	* ObjectGroup.cc (validateChild): ObjectGroup::validate now permits
	adding reference to Interface

	* ObjectGroup.cc (validateChild) and ServiceGroup.cc
	(validateChild): using class::cast for type instead of hardcoded
	type names

2002-01-26  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (getFingerprint): introduced method to get public key
	fingerprint.

	* Management.cc (fromXML, toXML, removePublicKey):
	* fwbuilder.dtd.in: PublicKey element is now optional.

	* XMLTools.cc (setDTD): reporting validation errors to user.

	* FWObject.cc (fromXML): setting 'failed_element' exception
	property.

2002-01-25  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc (isEmpty): bugfix.

	* FWObject.cc (getFirstByType): getFirstByType and getByType
	methods are now constant.

2002-01-24  Vadim Zaliva  <lord@crocodile.org>

	* Management.cc (duplicate): duplicate methods added to all
	management classes.

	* FWObject.cc (duplicate):
	* Network.cc (duplicate):
	* AddressRange.cc (duplicate): New duplicate/operator= coupling.
	Now operator= uses duplicate and only duplicate needs to be
	overloaded. Also, duplicate takes second parameter: 'preserve_id'.

2002-01-23  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: updated autoupgrade transformation, now it
	adds subelement Management to Host and Firewall elements and moves
	snmp community attributes to Management/SNMPManagement

2002-01-23  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (FWObject*>): now FWObject and all its subclasses'
	toXML/fromXML methods can throw FWException.

	* fwbuilder.dtd.in: added Management element under Host, Firewall,
	Gateway.
2002-01-22  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: changes to work with Solaris gethostbyaddr_r

2002-01-21  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (getHostByName): when gethostbyname_r is not present,
	simple gethostbyname is used. This is a fix for FreeBSD where they
	do not currently have a thread safe gethostbyname. In this case all
	host resolution will be serialized and while it works it could be
	quite slow. This will especially affect SNMP crawler.

2002-01-19  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc (asString): increased number of pkcs#12 iterations.

	* XMLTools.cc (convert): reporting what transformation failed.

2002-01-18  Vadim Zaliva  <lord@crocodile.org>

	* Tools.cc (unbase64): convenience function doing base64 decoding.

	* crypto.cc (asString): use base64 encoding for PKCS#12 data.
	(KeyAndCert): base64 decoding of PKCS#12 data.

	* XMLTools.cc (quote_linefeeds): add linefeed for readability

2002-01-17  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: set version to 0.10.5

	* fwbuilder.dtd.in: added element AddressRange

	* AddressRange.hh (class AddressRange): added class AddressRange

2002-01-16  Vadim Zaliva  <lord@crocodile.org>

	* libfwbuilder-config.in (ord_libs): added libfwbd

2002-01-16  Vadim Kurland  <vadim@crocodile.org>

	* configure.in: added filters to remove '-I/usr/include' from
	various variables from which CFLAGS is composed in the end. Still
	have one more instance left (comes from checks for resolv.h)

2002-01-16  Vadim Zaliva  <lord@crocodile.org>

	* crypto.hh (class KeyAndCert): PKCS12 support. Minor error
	handling cleanup.

2002-01-15  Vadim Zaliva  <lord@crocodile.org>

	* FWException.hh (class FWException): toString() is a const method.
2002-01-14  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: Certificate generation code (ctor)

2002-01-13  Vadim Kurland  <vadim@crocodile.org>

	* FWObject.hh (createRef): streamlined code in createRef virtual
	method

2002-01-12  Vadim Zaliva  <lord@crocodile.org>

	* crypto.cc: certificates management code

	* RuleElement.cc: Service-related methods' return values and
	parameter types are now more specialized.

	* FWServiceReference.cc (setPointer): more specialized parameter.

	* ServiceGroup.cc (createRef): return value and parameter types are
	now more specialized (this turned out to be a wrong change --vk).

	* Service.hh: added base class for TCP, UDP, ICMP, IP and Custom
	services.

	* FWObject.hh (libfwbuilder): added FWObject::constcast()

2002-01-11  Vadim Kurland  <vadim@crocodile.org>

	* Interface.hh (class Interface): added methods getAddress and
	getNetmask

	* Host.hh (class Host): added methods getAddress and getNetmask

	* Makefile.in: added directories and basic classes for compiler
	framework

2002-01-11  Vadim Zaliva  <lord@crocodile.org>

	* crypto.hh: misc classes for keys/certificates management.

2002-01-09  Vadim Zaliva  <lord@crocodile.org>

	* fwbd.c (load_certificates):
	* fwbdclient.c (main): manual certificate loading.

2002-01-08  Vadim Kurland  <vadim@crocodile.org>

	* IPAddress.cc (_convert_range_to_networks): added a number of
	methods for address arithmetic and other manipulations with
	addresses, netmasks and ip networks

2002-01-07  Vadim Zaliva  <lord@crocodile.org>

	* fwbdclient.c (main): quote command implemented

	* fwbd.c (send_protocol_line): sending protocol lines

2002-01-06  Vadim Zaliva  <lord@crocodile.org>

	* fwbdclient.c: connection establishment, command parsing.

	* configure.in: libreadline detection for fwbdclient.

2001-12-29  Vadim Zaliva  <lord@crocodile.org>

	* version 0.10.4 released

2001-12-28  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (findAllReferences): optimized findAllReferences
	method.
2001-12-27  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (setDTD): fixed bug #497234 - crashing on upgrade
	conversion.

	* ThreadTools.hh:
	* ThreadTools.cc: ability to restart TimeoutCounter.

2001-12-20  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (findAllReferences): method to find all references to
	given object.

	* XMLTools.cc (setDTD): validating document after DTD is set. (bug
	#495276)

2001-12-19  Vadim Zaliva  <lord@crocodile.org>

	* src/fwbuilder: sources moved to src/fwbuilder directory.
	Including all our files with "fwbuilder/" prefix.

	* Rule.cc (toXML):
	* Host.cc (toXML):
	* Firewall.cc (toXML): Forming common object XML part in one place.

	* FWObject.cc (fromXML): preserving linefeeds in comments

2001-12-17  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc (dump):
	* XMLTools.cc (loadFile):
	* FWException.hh:
	* FWObject.hh:
	* configure.in:
	* Constants.hh: g++3 compilation.

	* snmp.cc (run_impl): ignoring networks with netmask
	255.255.255.255 and ones belonging to p2p interface found in crawl.
2001-12-16  Vadim Zaliva  <lord@crocodile.org>

	* Integration of first part of win32 port by Igor Morozov
	<igor@grad.kiev.ua>

2001-12-10  Vadim Kurland  <vadim@crocodile.org>

	* Host.cc (toXML): added virtual method toXML to the class Host to
	fix bug #491279

	* set version to 0.10.3

2001-12-05  Vadim Kurland  <vadim@crocodile.org>

	* Host.cc (setDefaults): added support for HostOptions and defaults

	* FWOptions.hh (class HostOptions): added class HostOptions

	* configure.in: set version number to 0.10.2

2001-11-28  Vadim Kurland  <vadim@crocodile.org>

	* version 0.10.1 released

2001-11-25  Vadim Zaliva  <lord@crocodile.org>

	* configure.in:
	* libfwbuilder-config.h.in:
	* XMLTools.cc: check for libxslt/xsltconfig.h

2001-11-23  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: transformation adds FirewallOption/Option
	named "accept_established"

2001-11-18  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in (TODO): changed attribute name "alias" ->
	"label"; made it specific to Interface only

2001-11-16  Vadim Kurland  <vadim@crocodile.org>

	* FWObjectDatabase.xslt: autoupgrade transformation changes
	attribute "ext" to "security_level" and adds element Interface to
	Host

	* Interface.cc (setSecurityZone): added attribute "security_level"
	to element Interface and support for it in the class Interface

	* FWObject.cc (setAlias): added attribute "alias" and support for
	it in the class FWObject

2001-11-15  Vadim Kurland  <vadim@crocodile.org>

	* InterfacePolicy.cc: added comment to InterfacePolicy

2001-11-12  Vadim Kurland  <vadim@crocodile.org>

	* Interface.cc (Interface): added processing for physAddress

	* fwbuilder.dtd.in (TODO): added attribute "physAddress" to element
	Interface

	* set package version to 0.10.1 and SO_VERSION to 1.0.0

2001-11-11  Vadim Kurland  <vadim@crocodile.org>

	* Network.cc (duplicate): added virtual method duplicate. This is
	needed because class Network stores address and netmask not in the
	dictionary "data" and FWObject::duplicate does not copy them

	* libfwbuilder.spec.in (Obsoletes): added call to libtoolize per
	bug #480081

	* migration/Makefile.in: per bug #480656 added missing
	transformations

2001-10-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.cc: removed recursive iterators - unused code.

2001-10-19  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchRoutingTable): crawler detects "external" interface
	by "default" route.

2001-10-04  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in: added attribute ID to FWObjectDatabase

2001-09-21  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: checking for ucd-snmp patched by mandrake (in
	Mandrake Linux 8.1)

	* snmp.cc: buffer override safe ucd-snmp interface

2001-09-28  Vadim Kurland  <vadim@crocodile.org>

	* RuleElement.cc (addRef): added virtual removeRef and addRef which
	add and remove appropriate "any" if rule element is empty

2001-09-24  Vadim Kurland  <vadim@crocodile.org>

	* FWObject.cc (getFirstByType): bugfix
	(removeAllInstances): applied changes by vz

2001-09-22  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in: added "install_lib" Makefile target

	* libfwbuilder-config.in (prefix): added option "staticlibs"

	* FWObject.cc: removeAllInstances and removeAllReferences
	reimplemented using for_each and find_if

	* FWObject.hh (FWObject*>): added removeAllReferences method

2001-09-21  Vadim Zaliva  <lord@crocodile.org>

	* using namespace 'libfwbuilder'.

2001-09-20  Vadim Kurland  <vadim@crocodile.org>

	* Rule.cc (fromXML): fixed bug #451490: added xslt code to upgrade
	transformations, removed old code from Rule.cc

2001-09-20  Vadim Zaliva  <lord@crocodile.org>

	* Constants.cc:
	* Constants.hh: Class holding library constants

	* XMLTools.hh (class XMLTools): possibility to pass version number
	while loading file.
2001-09-19  Vadim Zaliva  <lord@crocodile.org>

	* libfwbuilder-config.h.in: prefix macros with LIBFWBUILDER_

2001-09-19  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in (all): added script libfwbuilder-config; moved data
	migration script from fwbuilder

2001-09-18  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (SOURCES): dns, snmp and HostsFile moved here from
	fwbuilder.

	* BackgroundOp.hh (Object): moved here from 'fwbuilder' module.
	monitor_operation() is now public.

	* configure.in: Added check for libsigc++, removed PIXMAPS
	variables.

2001-09-17  Vadim Zaliva  <lord@crocodile.org>

	* Pool.hh: moved from GUI.

	* SyncQueue.hh (class SyncQueue): SyncQueue moved to separate
	header file.
	(class SyncQueue): added shutdown mechanism to queue.

	* libfwbuilder.spec.in (Group): changed group to 'System
	Environment/Libraries'

2001-09-17  Vadim Kurland  <vadim@crocodile.org>

	* Makefile.in (LTCXXLINK): using libtool for API library

2001-09-17  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh:
	* FWObject.cc: Internal code brush-up. Removed NULL pointer checks
	in children list. Use stl algorithms wherever it is possible.

2001-09-16  Vadim Kurland  <vadim@crocodile.org>

	* OptionsDlg.cc and many other dialogs: corrected buttons size and
	layout

	* InterfaceDialog.cc (InterfaceDialog): added support for "delete"
	event

	* OptionsDlg.cc (OptionsDlg): redesigned Options dialog using
	two-pane window with options represented in a tree-like view

	* BuiltinDialog.hh (setLibrary): BuiltinDialog now remembers the
	name of the tree the object it shows belongs to.
	* OptionsDlg.cc (OptionsDlg): added GUI elements to support
	ObjectTree view modes "Split" and "Combined"

	* FWObjectBook.cc (build): implemented ObjectTree view modes:
	"Split" mode shows libraries in separate trees, "Combined" mode
	shows all libraries in one combined tree

	* ObjectTree.cc (ObjectTree): ObjectTree can now filter objects by
	their attribute "library"

	* main_window.cc (main_window()): now using FWObjectBook instead of
	the tree

	* FWObjectBook.cc (FWObjectBook): added class FWObjectBook - a
	collection of many object tree widgets. This widget is used to show
	objects from different libraries in different pages

2001-09-14  Vadim Zaliva  <lord@crocodile.org>

	* api/: moved doc++ comments from .cc to .hh files

	* dns.cc (DNS_bulkBackResolve_Thread): using our Cond and Mutex
	classes instead of GCond and GMutex.

	* ThreadTools.hh (class Cond): Conditional Variable implemented.
	(_Tp>): Synchronized Queue implemented.

2001-09-13  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (special): ignore 0.0.0.0/* networks.
	(run_impl): timestamps for start/end of scan.

	* FWObject.cc (fromXML): library attribute and access methods
	added.

	* fwbuilder.dtd.in (TODO): added 'library' attribute to list of
	standard object's attributes.

2001-09-12  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchInterfaces): reading operational and admin status
	of interface.
	(run_impl): ignoring routes which use interface which is currently
	down.
	(guessInterface): guessing interface for routes where it is not
	specified.

	* Interface.hh (class Interface): added operational status
	attribute.
2001-09-12  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP51Dialog.cc (DiscoveryDruidP51Dialog): changed
	checkboxes to make their meaning consistent

	* main_window.hh (Window): moved bunch of methods from ObjectTree
	to main_window

2001-09-11  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchInterfaces): rewrote interface fetch code to work
	around bug observed in the following SNMP implementation: IOS (tm)
	C2600 Software (C2600-IS-M), Version 12.0(7), RELEASE SOFTWARE
	(fc1) with uptime of 338 days.

2001-09-10  Vadim Kurland  <vadim@crocodile.org>

	* main_window_menu.cc (build_menu): renamed menu item for the
	network discovery Druid

	* DiscoveryDruidP70Dialog.cc (fillListOfNetworks): all the networks
	and hosts in the list of nodes discovered by druid or DNS import
	are now checked by default

	* DiscoveryDruidP65Dialog.cc (execute): added checkbox to the
	object discovery druid page: "Avoid point-to-point links"

	* All dialogs: removed large icon in all dialogs. All dialogs have
	been adjusted to look nice in different screen resolutions

	* main_window2.cc: setting main window size depending on the screen
	dimensions

2001-09-10  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): task #36517: added option controlling whether
	to try to crawl to the other side of point-to-point routes.
	(point2point): detecting point-to-point routes using interface
	information.

	* IPAddress.hh (class IPNetwork): method for getting broadcast
	address of network.

	* snmp.cc (fetchRoutingTable): fetching interface and gateway
	information.
	(run_impl): task #37813 - adding route gateway as crawler input.
	(run_impl): task #36520 - skipping interface broadcasts found in
	routing table from crawler output.

2001-09-09  Vadim Zaliva  <lord@crocodile.org>

	* IPAddress.hh (class IPRoute): interface and gateway fields added.

2001-09-08  Vadim Kurland  <vadim@crocodile.org>

	* fwbuilder.dtd.in (TODO): Added object Gateway to DTD. Added
	HostOptions to Host.
	* FirewallDialog.cc (FirewallDialog): new iptables option: "Accept
	established TCP sessions after firewall restart". This option is
	ON by default. Autoupgrade transformation adds this option to
	existing firewalls.

2001-09-06  Vadim Kurland  <vadim@crocodile.org>

	* PolicyListElement.cc (PolicyListRuleOpt): Rule element "Options"
	now shows logging icon and options icon. "Log" rule element can
	now be retired. Without "Log" column the policy list is cleaner
	and more compact, especially for Interface policies

	* FindDialog.cc (on_find_clicked): using OptionMenuWidget;
	implemented partial match search

	* OptionMenuWidget.cc (on_menu_selection_changed): OptionMenuWidget
	keeps track of the menu state and generates signal "changed" only
	when menu choice actually changed

2001-09-05  Vadim Kurland  <vadim@crocodile.org>

	* ObjectTree.cc: newly created object can now be deleted without
	saving

	* DialogPlugin.hh: added methods which load and save data from
	groups of dialog widgets

	* ObjectTree.cc (on_delobj): added "Delete" menu item

2001-09-04  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc: FirewallDialog now calls setDefaults method of
	the firewall object to set default values for all
	platform-specific firewall parameters and OS-specific network
	parameters

	* Firewall.hh (class Firewall): added doc++ comments to some
	methods

2001-09-03  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: dynamic link with libxml2 and libxslt.

	* snmp.cc (run_impl): task #36519 - ignoring IPs on loopback.

	* IPAddress.hh (class IPNetwork): added isBroadcast() and
	isMulticast() methods.
2001-09-02  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): further fixes for bug
	#455794

	* iptables.c (prologue): Implemented support for various kernel
	parameters

	* FirewallDialog.cc (on_host_os_changed): Implemented host OS
	support for Firewall Object

2001-08-28  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (printARPEntryCommands): improved code which generates
	commands to add ARP entries for static NAT. Now it adds ARP
	entries for SNAT translations using "other" IP addresses

2001-08-27  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): fixed bug #455794 (wrong
	code generated for the loopback interface policy rule with src and
	dst being firewall object)

2001-08-26  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc (wrk2dlg): added "Load modules" checkbox back
	to the Firewall Dialog "iptables" tab. Also added an option for
	setting up PATH environment variable in iptables script

2001-08-25  Vadim Kurland  <vadim@crocodile.org>

	* nat.c (printNatRule): fixed bug 449638 (port mapping in DNAT
	rules)

	* iptables.c (parseOptions): fixed bugs 448693 and 453966 (setting
	rule options did not generate any code in iptables script)

	* FindDialog.cc: Implemented "Find" feature

2001-08-24  Vadim Kurland  <vadim@crocodile.org>

	* PolicyListItem.cc (paint): fixed bug 449133 (GUI was hanging if
	very long word was entered in the comment field in the policy)

	* PolicyListElement.cc (add_item_to_policy): fixed bug 454812 (GUI
	used to allow duplicates in policy rule elements)

2001-08-19  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: Checking for /usr/include/bind and libbind_r.a.

2001-08-18  Vadim Zaliva  <lord@crocodile.org>

	* Makefile (install): if doc++ is present, generates API class
	reference and installs it under DOCDIR/classref.

	* configure.in: checking for doc++ presence.

2001-08-14  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): renamed variable 'nsaddr' to avoid name clash
	with macro in older versions of 'bind'.

2001-08-05  Vadim Zaliva  <lord@crocodile.org>

	* Merged 0.9.4 branch into main trunk.

2001-08-05  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc: fixed bug #448130 where project did not link because of the missing method in class DiscoveryDruidP65Dialog if compiled without support for SNMP
	* NetworkDialog.cc (dlg2wrk): fixed bug #448213 where netmask could not be set in NetworkDialog

2001-08-04  Vadim Zaliva  <lord@crocodile.org>

	* CodingConventions.txt: Proposed project coding conventions document.
	* FWObject.hh:
	* DialogFactory.hh:
	* BuiltinDialog.cc (BuiltinDialog):
	* DialogFactory.cc (class DefaultDialogFactory): removing GUI dependencies from data layer. Switching from Factory Method to AbstractFactory pattern for dialog creation.

2001-08-04  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc (on_save_to_file_clicked): added ability to save network scan log to a file

2001-08-03  Vadim Zaliva  <lord@crocodile.org>

	* api/: starting work on API.

2001-08-02  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (processTime): time matching support implemented in iptables policy compiler (requires patch from patch-o-matic)

2001-07-30  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c: added support for drop-table (requires patch-o-matic)
	* iptables.c (processSrv): added support for ipv4options patch (requires patch-o-matic)
	* nat.c (processNATRule): added support for NETMAP target (requires patch from patch-o-matic)
	* iptables.c (prologue): corrected script to take into account different path to arp and route in different distributions

2001-07-29  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processElementaryPolicyRule): added recognition of broadcast addresses.
	  If destination object in the rule is broadcast, compiler should generate code into INPUT chain
	* CustomService.hh (class CustomService): added class CustomService
	* iptables.c (processSrv): added support for CustomService in iptables compiler
	* set version to 0.9.4
	* added autoupgrade xslt transformations for upgrade 0.9.3->0.9.4

2001-07-24  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (printARPEntryCommands): now we can manage static ARP entries and associated routes needed for DNAT translations via Firewall Builder

2001-07-22  Vadim Kurland  <vadim@crocodile.org>

	* NetworkDialog.cc (NetworkDialog): switched to IPAddressWidget for address and netmask
	* HostDialog.cc, FirewallDialog.cc: switched to IPAddressWidget for address

2001-07-21  Vadim Kurland  <vadim@crocodile.org>

	* PolicyList.cc (on_button_release_event): free space in the policy or NAT view is now clickable: right mouse button click brings pop-up menu with options for adding new rules at the top or bottom of the policy
	* OptionsDlg.cc (run): added UI parameter "Autosave" - if true, data in all dialogs is automatically saved when user switches between objects

2001-07-20  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processPolicyERule): compiler now correctly processes case where firewall object is used in both src and dst in the policy rule
	  (rulePrologue): now using separate temporary chains for INPUT, OUTPUT and FORWARD in rules with negation.
	  (optimisePolicyRules): improved rule optimiser

2001-07-19  Vadim Zaliva  <lord@crocodile.org>

	* BackgroundOp.hh (class Logger): added 'start' and 'end' manipulators to lock synchronized output.
	* dns.cc (DNS_bulkBackResolve_Thread): synchronized output from several resolver threads.

2001-07-19  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (parseOptions): added rule option "stateless" - now user can mark certain rules as not requiring stateful inspection.
	  This feature, if used properly, can improve performance without compromising security
	* RuleOptionsDialog.cc (RuleOptionsDialog): added checkbox for rule option "stateless"

2001-07-18  Vadim Zaliva  <lord@crocodile.org>

	* HostsFile.cc (parse): skipping IPv6 addresses
	* IPAddress.cc (operator=): detecting IPv6 addresses.

2001-07-17  Vadim Kurland  <vadim@crocodile.org>

	* policy.c (processPolicyERule): fixed bug #441979 in iptables compiler (Iface rules wrong when direction both)

2001-07-17  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): Distinguishing point-to-point routes and adding them as hosts, rather than as networks.
	* dns.hh (class DNS_findA_query): Handling multiple PTR records.

2001-07-16  Vadim Zaliva  <lord@crocodile.org>

	* HostsFile.cc (parse): More decent parser, handling empty lines, end of line comments and multiple host aliases.

2001-07-15  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP05Dialog.cc (DiscoveryDruidP05Dialog): Now option "Perform network scan using SNMP queries" will be disabled, and explanatory text added, if program is compiled with no SNMP support

2001-07-14  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: implemented getHostByAddress with DNS timeout.

2001-07-14  Vadim Kurland  <vadim@crocodile.org>

	* nat.c (processNATRule): support for REDIRECT in iptables

2001-07-13  Vadim Kurland  <vadim@crocodile.org>

	* snmp.cc (init): added parameters for dns timeout
	  (isvirtual): bugfix in virtual address detection method
	* TableOfObjects.cc (addObject): If object has multiple names in DNS, this widget will show all of them in combo box
	* FilterDialog.cc (FilterDialog): Now can filter by address and name

2001-07-13  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): optionally resolve found hosts.
	  (isvirtual): detection and removal of virtual IPs.
	* snmp.hh (class CrawlerFind): return DNS info if available.
	* dns.cc (run_impl): Multi-threaded back-resolving implemented.
	* Pool.hh (Pool): tiny memory leak corrected.

2001-07-12  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP70Dialog.cc (on_filter_clicked): now user can apply filter to objects found by crawler

2001-07-11  Vadim Kurland  <vadim@crocodile.org>

	* fwcompiler.c (cmpTriplet): fixed bug #440557
	* iptables.c (prologue): now setting default policy before flushing all chains
	* iptables.c (processSrv): fixed bug #440390

2001-07-10  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP70Dialog.hh (class DiscoveryDruidP70Dialog): one more page to DiscoveryDruid (picking objects discovered by SNMP crawler)

2001-07-10  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (fetchRoutingTable): discovering networks from network host routing table.

2001-07-09  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP65Dialog.cc: using pool for SNMPCrawler operations. Now it is safe to interrupt crawler in the middle of the process

2001-07-08  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruidP50Dialog.cc (DiscoveryDruidP50Dialog):
	* DiscoveryDruidP53Dialog.cc (DiscoveryDruidP53Dialog):
	* DiscoveryDruidP65Dialog.cc (DiscoveryDruidP65Dialog): GUI for SNMP crawler

2001-07-08  Vadim Zaliva  <lord@crocodile.org>

	* dns.hh (class DNS_bulkBackResolve_query): operation for groups of IPs.
	* dns.cc (getHostByAddr): method added
	* snmp.cc:
	* snmp.hh (class SNMPCrawler): retries, timeout, community parameters added.

2001-07-07  Vadim Kurland  <vadim@crocodile.org>

	* ListOfIcons.cc (addObject): fixed bug: pop-up menu in group view now correctly activates "Open", "Copy" and "Cut" items
	* ObjectTree.cc (on_button_release_event): fixed bug: gui crashed after "Help me build policy" Druid if Policy or NAT were showing in the right pane of the main window (Support request #437759)

2001-07-06  Vadim Kurland  <vadim@crocodile.org>

	* InterfaceDialog.cc (on_addr_focus_out_event): fixed bug: gui crashed if user hit TAB on empty "Address" field

2001-07-06  Vadim Zaliva  <lord@crocodile.org>

	* FirewallDialog.cc:
	* snmp.cc:
	* snmp.hh:
	* config.h.in:
	* configure.in: better check for libsnmp

2001-06-28  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh:
	* snmp.cc (run_impl): implemented simple single threaded SNMP crawler.

2001-06-26  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_feedback_activate): menu item "Feedback" added
	* GenericBackgroundOpDialog.hh (Window): class SNMPOpDialog renamed to GenericBackgroundOpDialog

2001-06-20  Vadim Kurland  <vadim@crocodile.org>

	* FirewallDialog.cc (addOptionsMenu): Now using OptionsMenu widget where appropriate

2001-06-18  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_release_notes_activate): open Release Notes in the default browser configured for "file://" URLs. Now we have a choice: we can use our own mini browser MiniBrowserDialog or the standard URL display program configured in system Gnome preferences
	* MiniBrowserDialog.hh (class MiniBrowserDialog): mini-browser dialog using HTMLViewer widget
	* htmlviewer.cc (HTMLViewer): primitive gtk-- wrapper widget for gtk-xmhtml widget. This widget will be used to show ReleaseNotes etc.

2001-06-17  Vadim Kurland  <vadim@crocodile.org>

	* BuiltinDialog.cc (BuiltinDialog): GUI now does not permit creation of objects with empty names. Some logic cleanup in "Apply"/"Undo" functions

2001-06-17  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): timeout check in findA() methods.
	* XMLTools.cc (saveFile): indent XML files on save.

2001-06-14  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: Checking for actual presence of static version of libresolv.a; if not found, try dynamic.

2001-06-13  Vadim Kurland  <vadim@crocodile.org>

	* main_window.cc (on_install): support for optional policy install script added

2001-06-11  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: unconditionally link with libresolv.a

2001-06-11  Vadim Kurland  <vadim@crocodile.org>

	* DiscoveryDruid.cc (on_prepare): implemented GUI for importing hosts from DNS zone
	* iptables/iptables.c (parseOptions): bug 429427 fixed (garbage after the end of rule action)
	* iptables/nat.c: bug 426874 fixed (implemented NAT on firewalls with dynamic address on external interface)
	* iptables/iptables.c: bug 424440 fixed (added correct clean-up code on top of iptables script to remove all "old" rules in all chains)
	* iptables/nat.c: bug 422345 fixed (implemented support for negations in NAT, in particular negated original dest.)
	* iptables/nat.c: bug 424435 fixed (implemented negation in NAT)

2001-06-09  Vadim Kurland  <vadim@crocodile.org>

	* iptables.c (parseOptions): fixed bug 431705 - log options and logging limits processing in iptables compiler
	* DiscoveryDruid.cc (on_next): Objects Discovery Druid class
	* DiscoveryDruidP40Dialog.cc (newObject): reads hosts(5) file and creates objects

2001-06-08  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in: bulk compilation of all GLADE-generated sources to decrease build time.
	* HostsFile.hh:
	* HostsFile.cc: hosts(5) file parser

2001-06-07  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc: Made getNS() and findA() background operations.
	* config.h.in:
	* configure.in: checking for functions from bind8 api.
	* dns.cc: code cleanup. works with bind8 on Linux.
	  (HAVE_BIND8): conditional compilation to compile on systems without proper bind libraries.

2001-06-06  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (findA): first working version
	* configure.in: checking for libbind_r.a

2001-06-04  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh:
	* snmp.cc:
	* FirewallDialog.cc (on_snmp_get_released): Using SNMP timeout and retries from preferences.

2001-05-30  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: libresolv detection

2001-05-29  Vadim Zaliva  <lord@crocodile.org>

	* dns.cc (getHostByName): using gethostbyname_r with 5 (solaris) or 6 (linux) parameters.
	* configure.in: detecting arity of gethostbyname_r
	* dns.hh: DNS lookup wrapper interface.
	* dns.cc: DNS lookup wrapper implementation for Linux.

2001-05-23  Vadim Zaliva  <lord@crocodile.org>

	* main_window_menu.cc (build_menu):
	* main_window.cc (on_tools_scan): Added Tools menu with Scan submenu.

2001-05-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* BackgroundOp.cc: background op. classes redesign

2001-05-18  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc (run_impl): handling problem with present, but not configured interfaces.
	* snmp.hh (run_impl):
	* FirewallDialog.cc (on_snmp_get_released):
	  (on_snmp_get_descr_released): Running SNMP queries in background, without GUI freeze.

2001-05-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ListOfIcons.cc (addObject): fixed bug #425023

2001-05-17  Vadim Kurland  <vadim@voyager.crocodile.org>

	* OptionsDlg.cc (OptionsDlg): removed snmpget and snmpwalk paths parameters

2001-05-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem.cc (PolicyListObjectItem): translated source/dest/service now shows as "Original" if no translation is needed.

2001-05-15  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc:
	* snmp.hh:
	* FirewallDialog.cc (wrk2dlg):
	* config.h.in:
	* configure.in: detecting presence of ucd-snmp library
	* merged snmp-lib-integration branch.

2001-05-12  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (parseFile): detecting DTD validation errors during file load.

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.xslt: making sure attribute action is never empty in PolicyRule

2001-05-11  Vadim Zaliva  <lord@crocodile.org>

	* fwcompiler.c (main): using DTD when loading data file.

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.xslt (xmlns): transformation from 0.8.7 to 0.9.0: fixed bug where InterfacePolicy objects created by this script were duplicated
	* FirewallDialog.cc (on_snmp_get_released): now user doesn't have to press "Apply" before pulling information from the firewall via SNMP

2001-05-14  Vadim Zaliva  <lord@crocodile.org>

	* snmp.cc: getting interfaces information using snmp library.

2001-05-11  Vadim Zaliva  <lord@crocodile.org>

	* snmp.hh (class SNMPConnection):
	* snmp.cc (class SNMPConnection): implemented simple C++ wrapper to ucd-snmp library.
	  (run): getting system info using library.
	* configure.in: check for ucd-snmp library

2001-05-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c (cmpObjects): now we recognize the case when "Host" object has the same address as "Firewall" object and can generate appropriate rules

2001-05-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* policy-text.xsl: implemented negation in policy printing
	* helpers.cc (checkObjectName): allowed ':' in object names
	* iptables.c: two bugfixes: added "iptables -N temp_rule_name"; corrected processing of SNAT rules where translated source is not firewall.

2001-05-06  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid2.cc (generateRulesForHostProtection): fixed bug: policy rules should not have direction, but druid used to insert direction in "allow all outgoing connections" rule for host protection firewall

2001-05-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (parseOptions): bugfix: "--reject-with tcp-reset" requires "-p tcp"

2001-04-30  Vadim Zaliva  <lord@crocodile.org>

	* FWObject.hh (class FWObject): using 'vector' instead of 'list'.
	* FWObject.cc (sortChildren): sorting children by name.

2001-04-28  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in:
	* fwbuilder-packages:
	* fwbuilder.bts:
	* fwbuilder.appmap: Bug-Buddy 1.2 support

2001-04-27  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (uninstall): installing bug buddy data files
	* XMLTools.cc: '-' as output file name prints to stdout.
	* PrintDialog.cc (run): fixed bug with passing currently selected node to XSLT transformation.

2001-04-26  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (setDTD):
	* FWObjectDatabase.cc (saveXML):
	* PrintDialog.cc (run): do not use temporary files for printing.

2001-04-25  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (run):
	* FWObjectDatabase.cc (saveFile): Print w/o saving file. (Task #30300)

2001-04-25  Vadim Kurland  <vadim@voyager.crocodile.org>

	* InterfacePolicy.cc: Added "Srv" to InterfacePolicy
	* Rule.cc (fromXML): now show warning dialog if general policy rule has interface or direction specified. Rule will be loaded with interface and direction attributes erased.
	* fwcompiler.c (scan_Policy): now print error message and bail out if general policy rule has interface or direction specified.

2001-04-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in: correct checking for paths for libxml2 and libxslt. Now configure will use dynamic libraries if static ones could not be found

2001-04-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* policy-ascii.xsl (ref): plain ascii printing transformation

2001-04-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (processTCPorUDP): --tcp-flags and --syn are now supported
	* FWObjectDatabase.xslt: fixed typo (line 130, was: UPD, should be: UDP)
	* FirewallDialog.cc (on_find_compiler_clicked): implemented "browse" button callback for custom compiler lookup
	* resources.xml.in: ipchains is gone.
	  Now it even won't show up in platforms drop-down menu in FirewallDialog

2001-04-22  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc: protected access to XML/XSLT library params with locks.

2001-04-21  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (run): XSLT specific code moved to XMLTools.cc. As a result, XSLT error messages during print are caught and shown to user.
	* XMLTools.hh:
	* XMLTools.cc (transformDocument): complete XSLT/XML error interception.

2001-04-19  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (convert): intercepting conversion error messages and reporting them to the user.

2001-04-18  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (convert): comparing version numbers
	  (loadFile): making backup copy of converted files. restoring from backup if conversion failed.
	  (loadFile): showing confirmation dialog.
	* XMLTools.hh: migrating data files on load using XSLT transformations.
	* fwbuilder.spec.in (Group): filters and migration dirs added.
	* Makefile.in (install): makefile added

2001-04-16  Vadim Zaliva  <lord@crocodile.org>

	* XMLTools.cc (saveFile):
	* Preferences.cc (savePrefs):
	* FWObjectDatabase.cc (saveFile): Consolidated XML files saving, with DTD/doctype handling, into one place.
	* Makefile.in: installing/uninstalling preferences DTD.
	* XMLTools.cc (loadFile):
	* Preferences.cc (loadPrefs):
	* FWObjectDatabase.cc (load): Consolidated XML files loading with version checking and validation into one place
	* fwbuilder_preferences.dtd.in: minor syntax tweaking
	* fwbuilder_prefs.xml.in: added DOCTYPE
	* fwbuilder_preferences.dtd.in:
	* configure.in: setting preferences file version using autoconf.
	* FWObjectDatabase.cc (saveFile): do not specify full path to DTD when saving.
	* fwbuilder.cc (main):
	* XMLTools.cc (fwbExternalEntityLoader): loading DTD files from template directory.
	* translate087preferences.xsl: initial version from Friedhelm Duesterhoeft.
	* translate087objects.xsl: new version from Friedhelm Duesterhoeft.
	  added NATRuleOptions
	  added FirewallOptions
	  added PolicyRuleOptions
	  added fixed version 1.0 to FWObjectDatabase
	* fwbuilder_preferences.dtd: DTD for preferences file from Friedhelm Duesterhoeft.
	* main_window.cc (on_print_activate): passing id of currently selected node to print dialogue
	* PrintDialog.cc (PrintDialog): added controls allowing to choose between printing all tree and current object only. Passing ID of currently selected node to XSLT processor.

2001-04-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ICMPServiceDialog.cc (dlg2wrk): ICMP dialog now supports "Any icmp type" and provides verbose ICMP types and codes names. Support for "any icmp" tested with iptables compiler
	* fixes and improvements in fwbuilder.spec - incorporated patches from Carlo Wood

2001-04-13  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Resources.cc (getResourceInt): added a couple of convenient methods
	* moved SmallIconsSize and LargeIconsSize from preferences to resources

2001-04-11  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (load): checking for version attribute.
	* XMLTools.cc (getXmlNodeByPath): moved all xml helpers to this class.

2001-04-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ObjectTree.cc (TreePopupMenu): added function "Duplicate" to menu "Edit" and popup menu in the tree

2001-04-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in: now statically linking with gtk--, libxml2 and libxslt

2001-04-10  Vadim Zaliva  <lord@crocodile.org>

	* PrintDialog.cc (savePrefs): Printing preferences load/save.
	* fwbuilder_prefs.xml.in: added Printing preferences

2001-04-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObjectDatabase.cc (saveFile): fixed file saving for libxml2

2001-04-09  Vadim Zaliva  <lord@crocodile.org>

	* Requirements:
	* configure.in:
	* Makefile.in (XSLT_CFLAGS): Added libxslt detection and usage.
	* configure.in: libxml2 detection
	* translate087objects.xsl: new delivery from Friedhelm Duesterhoeft. It conforms to DTD v1.40.

2001-04-08  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (depend): passing file names to 'makedepend'.
	* PrintDialog.cc (PrintDialog): added

2001-04-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid.cc (StandardRulesDruid): Druid redesigned. Now druid offers different questions for three network configurations:
	  1. firewall protects local host
	  2. firewall protects only internal network
	  3. firewall protects internal network and DMZ
	* post-glade.pl: modifications to this script allow for incremental compile after GUI changes made by glade

2001-04-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* StandardRulesDruid.cc: druid corrected for new policy formats
	* New firewall option added: no_iochains_for_any.

2001-04-06  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (parseOptions): implemented full support for firewall options and policy rule options

2001-04-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c: now compiler generates separate chain for each policy rule and implements logging and action in this chain. Support for rule options has been implemented too.
	* fwbuilder.dtd: added comment to PolicyRule
	* iptables.c (processInterfacePolicyRule): now correctly processing negation in source and destination in iptables compiler

2001-04-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.cc (main): fixed bug when exception thrown while loading preferences caused core dump

2001-04-01  Vadim Zaliva  <lord@crocodile.org>

	* Preferences.cc (loadPrefs): versioning of preferences file.

2001-04-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c: iptables compiler now takes into account cases when firewall has multiple interfaces and cases when firewall's interfaces have dynamic address

2001-03-29  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c: Policy attached to firewall interface is now processed before "main" firewall policy
	* iptables.c: compiler generates code for chains INPUT and OUTPUT if policy rule applies to the firewall object; otherwise it generates code for the FORWARD chain

2001-03-25  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Implemented Scratch pad which works as a mirror of the main objects tree. All dialogs edit object's copies in scratch pad, which then get copied back to the main object tree when user clicks "Apply" button. This provides for "Undo" function in all dialogs, including complex ones such as policy editing

2001-03-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* ExecBgr.cc: background operations use exceptions to handle errors now. Many improvements have been made to error handling and more controls added.

2001-03-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* InterfacePolicy.cc (InterfacePolicy): class for policy attached to firewall interface
	* FirewallDialog.cc (showInterfacePolicy): FirewallDialog now shows and allows to edit policy attached to firewall interfaces

2001-03-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem.cc (PolicyListObjectItem): first attempt at showing objects properties in a pop-up window (using tooltips for now) when mouse is over the object's icon in policy
	* Now using glade-- v0.5.11f (current cvs checkout).
	  This fixed a problem with radio buttons in OptionsDialog

2001-03-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd (NATRule): added attribute "disabled"

2001-03-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd (Host, Firewall): netmask is gone

2001-03-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWIntervalReference.hh (class FWIntervalReference): yet another type of reference

2001-03-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwbuilder.dtd: added %STD_ATTRIBUTES to NAT and Policy
	  created element Option
	  added attribute "dyn" to Interface
	* FirewallOptions.cc (fromXML): now we store firewall platform-specific options in class FirewallOptions instead of Firewall

2001-03-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWData.hh: this class is used to store "options" data for policy and NAT rules and firewall objects
	* RuleElement.cc (RuleElement): all specific rule elements are now inherited from RuleElement and corresponding Group (ObjectGroup, ServiceGroup, IntervalGroup) using virtual inheritance

2001-03-14  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveFile): adding DOCTYPE to generated XML documents.

2001-03-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (dlg2wrk): "dynamic address" is now an option for interface, not firewall object
	* Interface.cc (Interface): added attribute "dynamic address"

2001-03-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* UDPService.hh (class UDPService): class and file renamed
	* TCPService.hh (class TCPService): class and file renamed
	* ICMPService.hh (class ICMPService): class and file renamed
	* IPService.hh (class IPService): class and file renamed
	* Host.hh (class Host): class and file renamed
	* Network.hh (class Network): class and file renamed
	* Firewall.hh (class Firewall): class and file renamed
	* Interval.hh (class Interval): class and file renamed
	* RuleElement.hh: new classes RuleElementSrc, RuleElementDst etc.
	* resources.xml.in: platforms and RuleElement descriptors added
	* Group.cc (setAnyElement): few methods added to Group. These methods support RuleElement and its descendants

2001-03-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* RuleSet.hh: new class. Policy and NAT are now derived from RuleSet

2001-03-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Resources.cc (getPlatforms): created few new specialized methods in Resources

2001-03-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject.cc (validateChild): this virtual method checks child's type and prevents loops.
	* ServiceGroup.hh (class ServiceGroup): classes ServiceGroup, ObjectGroup and IntervalGroup created.

2001-03-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject.hh (FWObject*>): method bool isSystem() replaced old Permissions. Permissions completely eliminated.
	* Makefile.in (install): installs/uninstalls resources file
	* fwbuilder.cc (main): loading resources just before preferences
	* resources.xml: resources data moved from the old preferences template file
	* Resources.hh (class Resources): class Resources created

2001-03-04  Vadim Zaliva  <lord@crocodile.org>

	* FWObjectDatabase.cc (saveFile): setting DTD when saving file.

2001-03-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences.cc (getResource): handful of methods for resources manipulation. These methods will eventually move to a dedicated class Resources.
	* FWObject.cc (checkPermission): now permissions are stored in Preferences instead of the object itself. setPermissions method will be phased out soon. In the future permissions will move from Preferences to Resources.
	* FWObjectDatabase.hh (class FWObjectDatabase): fixed typo in definition of struct StandardObjects

2001-02-25  Vadim Zaliva  <lord@crocodile.org>

	* FWReference.cc: 'id' based implementation.
	* FWObject.hh (FWObject*>): getById getByType methods replacing old one: get().

2001-02-08  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (Firewall): Firewall has Address optional - it may not be defined in certain situations. Added notion of interval groups. Reorganized 'Time' element content.

2001-02-07  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (PolicyRule): 'When' reference added to NAT, PolicyRule.
	* Makefile.in: AnyTime, AnyService classes removed.

2001-02-01  Vadim Zaliva  <lord@crocodile.org>

	* configure.in: version 0.8.7
	* fwbuilder.dtd: this could be called first prototype of DTD which we will use in future.

2001-02-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* fwcompiler.c (main): static arrays eliminated in favor of GSList (from glib)

2001-01-31  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (GLIB_CFLAGS): need GLIB CFLAGS to compile fwbuilder.c

2001-01-29  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd (TODO): typing of attributes.
	  (TODO): compiler-specific options added.

2001-01-28  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (distclean): fwbuilder.spec removed.
	* fwbuilder.spec.in (Group): Credits and FAQ files added to RPM.
	* Incorporated patch from Jeremy T. Bouse <undrgrid@toons.UnderGrid.net> to support libxml2.

2001-01-27  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.dtd: major rework of DTD.

2001-01-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c (processSNAT): implemented MASQUERADE versus SNAT support for dynamic addresses
	* README.examples: minor corrections to the example description

2001-01-23  Vadim Zaliva  <lord@crocodile.org>

	* Preferences.cc (Preferences): corrected problem with not detecting the case when preferences file could not be written.

2001-01-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (on_snmp_get_descr_released): getting firewall description, location and contact via SNMP
	  (wrk2dlg): storing parameters for ipfilter platform
	* snmp.cc (run): SNMP_sysdesc_query implemented
	* iptables.c (prologue): logging parameters implemented

2001-01-22  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallObject.cc (fromXML): loading platform-specific parameters
	* FirewallDialog.cc (FirewallDialog): fixed checkboxes alignment

2001-01-21  Vadim Zaliva  <lord@crocodile.org>

	* all xml files moved to etc.

2001-01-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FirewallDialog.cc (wrk2dlg): new options for ipchains and iptables platforms
	* StandardRulesDruid.cc (on_finish): automatic generation of "net_junk" rule disabled
	* FirewallDialog.cc (dlg2wrk): check address validity before we save the data
	* iptables.c (prologue): code produced by this compiler works!
	* FirewallDialog.cc (wrk2dlg): additional parameters for iptables firewalls

2001-01-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* iptables.c: compiler produces code with no syntax errors

2001-01-20  Vadim Zaliva  <lord@crocodile.org>

	* listicons.sh: rewritten in shell/sed to avoid gawk (for solaris).

2001-01-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in (TEMPLATE_DIR): fixed bug where bogus directory path was stored in config.h during RPM build
	* fwbuilder.cc (main): fixed bug where we needed to report an error which happened while loading Preferences, but MessageDialog in turn needed Preferences to be already loaded.

2001-01-17  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (uninstall): uninstall target created
	* src/gui/main_window.cc (on_saveas1_activate): saveas does not erase currently loaded object file name anymore, so we can figure out current working directory and open file selector dialog in that directory
	* src/gui/Preferences.cc (getWdir): this is how we choose working directory to load/store files and to pass as a parameter to compiler: we use directory set in preferences if there was no object file loaded yet, and directory where it was loaded from otherwise
	* src/gui/NATDialog.cc (NATDialog): fixed bug #128967

2001-01-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* examples/README: added example description file
	* examples/objects.xml: example objects file

2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/PolicyListItem.cc (paint): long comment text line folding implemented

2001-01-15  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/GroupDialog.cc (GroupDialog): compiler warning avoided.
	* src/gui/BackgroundOp.hh (Data): run_impl is pure virtual now.
	* src/gui/Rule.cc: removed some debug output to stderr.

2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/PolicyListItem.cc (PolicyListCommentItem): class for Policy rule comment

2001-01-15  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/FWObjectDatabase.cc (load): better detection of invalid input file structure.

2001-01-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* changed #include <gnome-xml/parser.h> to #include <parser.h> everywhere to resolve build problem with libxml in unusual place
	* src/gui/HostObject.cc (HostObject): set default snmp read community to "public" as a widespread default value. If object has different community string, its value will be read from XML file and will override default.
* src/gui/NetworkDialog.cc (on_obj_addr_focus_out_event): automatically sets suggested netmask based on network's IP address * src/gui/HostDialog.cc (dlg2wrk): now checks address syntax * src/gui/NetworkDialog.cc (dlg2wrk): now checks address and netmask syntax * src/gui/helpers.cc (checkIPaddress): checks IP address validity (getNaturalNetmask): returns "natural" classfull netmask for given IP address 2001-01-14 Vadim Kurland <vadim@voyager.crocodile.org> * configure.in (FWB_MICRO_VERSION): set version to 0.8.6 * configure.in : Now we define version in configure.in 2001-01-09 Vadim Kurland <vadim@voyager.crocodile.org> * src/gui/MessageDialog.hh (class MessageDialog): added new dialog type (error with message text and error code); also changed all static dialog creation methods so they accept const string& as parameters * added error dialogs everywhere 2001-01-09 Vadim Zaliva <lord@crocodile.org> * src/gui/main_window.cc: catch loading/saving errors. * src/gui/fwbuilder.cc (main): handling initial file loading errors. * src/gui/FWObjectDatabase.hh (class FWObjectDatabase): * src/gui/FWObjectDatabase.cc: load/save methods now throw exceptions. * src/gui/fwbuilder.cc (main): handling load preferences error. * src/gui/OptionsDlg.cc (run): catching save error. * src/gui/Preferences.cc: throwing exceptions on save/load errors. * src/gui/FWException.cc: * src/gui/FWException.hh: Base exception class. 2001-01-08 Vadim Kurland <vadim@voyager.crocodile.org> * src/gui/FWObject.cc (setDirty): method sets "dirty" flag for the object and possibly its children. * src/gui/FWObject.cc (isDirty): method checks dirty flag for this object and possibly its children * src/gui/FWObject.hh (FWObject*>): boolean flag "dirty" - indicates data has been modified. 
	* src/gui/FWObjectDatabase.cc (saveIfModified): this method checks
	for unsaved data in the database and asks user whether they want to
	save it
	* src/gui/FWObjectDatabase.cc (load): now checking for unsaved data
	before loading
	* src/gui/MessageDialog.cc (MessageDialog): new dialog type: question
	dialog with three buttons - "Yes", "No", "Cancel"
	* src/gui/main_window.cc (destroy_handler): now checking for unsaved
	data if main window gets destroyed
	* src/gui/FileSel.cc (FileSel): file selector dialog now opens in the
	working directory
	* src/gui/CompileDialog.cc (CompileDialog): passing working dir
	parameter to compiler via command line ("-d")
	* src/gui/OptionsDlg.cc (OptionsDlg): "Working directory" option
	added to Options dialog

2001-01-08  Vadim Zaliva  <lord@crocodile.org>

	* src/compiler-framework/fwcompiler.c (main): -d option added.
	* src/gui/main_window.cc (on_compile):
	* src/gui/CompileDialog.hh (class CompileDialog):
	* src/gui/CompileDialog.cc (run):
	* src/gui/FWObjectDatabase.cc (getFileName):
	* src/gui/FWObjectDatabase.hh (class FWObjectDatabase): Passing file
	name parameter to compiler
	* src/gui/main_window.cc (on_new1_activate):
	* src/gui/FWObjectDatabase.cc:
	* src/gui/FWObjectDatabase.hh (class FWObjectDatabase):
	* src/gui/fwbuilder.cc (main): loading file from command line (-f,
	--file). Loading default database on startup.

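The address checks recorded in the 2001-01-15 entry above (helpers.cc checkIPaddress and getNaturalNetmask, and the netmask syntax check NetworkDialog::dlg2wrk gained) are written out below as an added example. This is not fwbuilder's code: the function names come from the ChangeLog, while the strict dotted-quad parsing, the classful table and the treatment of class D/E addresses are this example's own assumptions.

```cpp
// Added example, not fwbuilder code: checkIPaddress() and getNaturalNetmask()
// from the 2001-01-15 entry, plus the netmask syntax check that entry mentions
// for NetworkDialog::dlg2wrk. The names are the ChangeLog's; the bodies are
// this example's assumptions about what such helpers should do.
#include <cstdint>
#include <cstdio>
#include <string>

// Strict dotted-quad parser: exactly four decimal octets in 0..255, digits and
// dots only. Anything else is rejected so that a value typed into a dialog
// cannot reach the compiler-generated firewall script unchecked.
static bool parseIPv4(const std::string &s, uint32_t &out)
{
    uint32_t acc = 0;
    int octets = 0;
    size_t i = 0;
    while (i < s.size()) {
        if (s[i] < '0' || s[i] > '9') return false;       // octet must start with a digit
        unsigned v = 0;
        size_t start = i;
        while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
            v = v * 10 + (s[i] - '0');
            if (v > 255) return false;
            ++i;
        }
        if (i - start > 3) return false;                   // e.g. "0001"
        acc = (acc << 8) | v;
        if (++octets == 4) break;
        if (i == s.size() || s[i] != '.') return false;   // a dot must follow octets 1-3
        ++i;
    }
    if (octets != 4 || i != s.size()) return false;        // too few octets, or trailing junk
    out = acc;
    return true;
}

bool checkIPaddress(const std::string &addr)
{
    uint32_t ignored;
    return parseIPv4(addr, ignored);
}

// Classful rule (RFC 791): first octet 0-127 -> /8, 128-191 -> /16,
// 192-223 -> /24. Class D/E addresses have no network mask; the host mask
// returned for them is this example's choice, not documented fwbuilder
// behaviour. An empty string means the address itself was invalid.
std::string getNaturalNetmask(const std::string &addr)
{
    uint32_t a;
    if (!parseIPv4(addr, a)) return "";
    unsigned first = a >> 24;
    if (first < 128) return "255.0.0.0";
    if (first < 192) return "255.255.0.0";
    if (first < 224) return "255.255.255.0";
    return "255.255.255.255";
}

// A netmask must parse as a dotted quad and be a contiguous run of one bits
// followed by zeros; "255.0.255.0" is a valid quad but not a valid mask.
bool checkNetmask(const std::string &mask)
{
    uint32_t m;
    if (!parseIPv4(mask, m)) return false;
    uint32_t inv = ~m;                 // zeros of the mask become ones
    return (inv & (inv + 1)) == 0;     // true iff inv is 2^k - 1 (or 0)
}

int main()
{
    // Constructed inputs, not data from the project.
    const char *samples[] = {"10.1.2.3", "172.16.5.4", "192.168.1.77", "224.0.0.1",
                             "256.1.1.1", "1.2.3", "1.2.3.4.5", "a.b.c.d"};
    for (const char *s : samples)
        std::printf("%-13s valid=%d natural=%s\n", s, checkIPaddress(s),
                    getNaturalNetmask(s).c_str());
    std::printf("255.255.255.0 mask=%d  255.0.255.0 mask=%d\n",
                checkNetmask("255.255.255.0"), checkNetmask("255.0.255.0"));
    return 0;
}
```

The classful mask is only a suggestion for the dialog to pre-fill; a real network object will often carry a CIDR mask that differs from it, so the user must be able to override it, and the netmask the user enters still has to pass checkNetmask before it is saved.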
2001-01-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in (DOCDIR): checking for docs directory (/usr/doc versus
	/usr/share/doc)
	* src/gui/DialogPlugin.cc: dialog text typo corrected
	* src/gui/FWObjectDatabase.cc (FWObjectDatabase): now setting
	permissions for objects created as a part of empty database
	* src/gui/FWObject.cc (setPermission): setPermission method added

2001-01-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/iptables/iptables.c: first version of iptables compiler, based
	on ipchains compiler
	* src/gui/fwbuilder_prefs.xml: added definition for iptables Policy
	and NAT
	* configure.in (PACKAGE_PIXMAPS_DIR): added iptables support
	* src/iptables/Makefile.in: added directory and Makefile.in for
	iptables. Started development for iptables

2001-01-07  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/main_window_menu.cc (build_menu): Objects renamed to Insert.
	* src/compiler-framework/fwcompiler.c (main): restoring changes lost
	in CVS reorg.
	* src/gui/FWObjectDatabase.cc (setFileName):
	* src/gui/main_window.hh (class Main_window):
	* src/gui/main_window.cc (on_saveas1_activate):
	(on_new1_activate):
	* src/gui/main_window2.cc (OpenObject): Save, SaveAs, New implemented.

2001-01-06  Vadim Zaliva  <lord@crocodile.org>

	* src/gui/main_window_menu.cc (build_menu): "Objects" menu created.
	* src/gui/fwbuilder.cc (main): do now load default files on startup.
	* src/gui/Preferences.hh: misc cleanup
	* src/gui/Preferences.cc (Preferences): copying default preferences
	file to ~/.fwuilded. We no longer create ~/fwbuilder directory.

2001-01-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/gui/ObjectTree.cc (on_pasteobj): checks permissions
	(on_cutobj): checks permissions
	(on_copyobj): checks permissions
	* src/gui/FWObject.hh (FWObject*>): added set of permissions for
	FWObject
	* src/gui/ObjectTree.cc (TreePopupMenu): pop-up menu has its items
	deactivated if object can not be removed or copied
	* src/gui/ListOfIcons.cc (on_button_release_event): pop-up menu has
	its items deactivated just like that in ObjectTree.cc
	* src/gui/GroupDialog.cc (dlg2wrk): fixed bug in object removal

2001-01-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (distclean): now even cleaner
	* src/gui/main_window.cc (Main_window): fixed bug where program used
	to give Gtk-CRITICAL warning on exit (Bug ID 127496)

2001-01-04  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.spec: version 0.8.3 released

2001-01-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Makefile.in (rpm): added makefile target "rpm". This will build
	snapshot using cvs export and then run script build_rpm.sh
	* build_rpm.sh: this script will build rpms
	* Version number for snapshot is taken from fwbuilder.spec file. To
	generate snapshot and tar.gz for RPM one needs to edit fwbuilder.spec
	file and then do "make tar"

2001-01-03  Vadim Zaliva  <lord@crocodile.org>

	* fwbuilder.spec: created SPEC file for building RPM package
	* doc/Makefile (install): install-doc is separate target
	* src/gui/Tools.cc:
	* src/gui/Tools.hh: Added new files for misc tools
	* src/gui/Preferences.cc (getNodeByPath):
	* src/gui/PolicyListElement.cc (popup_menu):
	* src/gui/GroupDialog.cc (GroupDialog):
	* src/gui/ListOfIcons.cc (on_button_release_event): replaced
	g_new/g_free/g_strdup with new, delete, cxx_strdup.
	* src/gui/HostObject.cc (get_if_names):
	* src/gui/FWObject.cc (getPath):
	(FWObject):
	* src/compiler-framework/fwcompiler.h: Copyright added.
	* src/compiler-framework/Makefile.in: install goal added.
	* src/ipfilter/Makefile.in:
	* src/ipchains/Makefile.in: 'install' goal corrected.

2001-01-02  Vadim Kurland  <vadim@voyager.crocodile.org>

	* merging fwbuilder and fwcompiler in one CVS tree
	* added Makefile.in in doc subdir. Documents will be installed in
	$(prefix)/doc

2001-01-02  Vadim Zaliva  <lord@crocodile.org>

	* src/MessageDialog_glade.cc: removed icon init to avoid runtime
	warnings.

2000-12-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/*.cc: converted to isA and cast methods everywhere

2000-12-27  Vadim Zaliva  <lord@crocodile.org>

	* src/*.hh: isA() and cast() methods added to all subclasses of
	FWObject.
	* src/ListOfIcons.cc (addObject): fixed crash when showing group with
	references.

2000-12-26  Vadim Zaliva  <lord@crocodile.org>

	* src/Makefile.in (install): install also installs icons

2000-12-25  Vadim Zaliva  <lord@crocodile.org>

	* Makefile.in (distclean): 'distclean' goal added.

2000-12-23  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/Preferences.cc (Preferences): now program looks for
	fwbuilder_prefs.xml and objects_init.xml in the directory defined by
	INIT_DIR
	* config.h.in: added #define for INIT_DIR
	* src/Makefile.in (PACKAGE_PIXMAPS_DIR): PACKAGE_PIXMAPS_DIR is now
	defined relative to $prefix

2000-12-21  Vadim Kurland  <vadim@voyager.crocodile.org>

	* added copyright notice to all .cc and .hh files, except those
	generated by glade
	* src/Rule.cc (Rule): read "hidden" status from preferences in
	constructor
	* src/RuleElement.cc (RuleElement): read "hidden" status from
	preferences in constructor

2000-12-20  Vadim Kurland  <vadim@voyager.crocodile.org>

	* acsite.m4: redefined macro AC_TRY_RUN_NATIVE to fix an error with
	gcc 2.96 (originally macro defined exit(int) which conflicted with
	previous definition in /usr/include/stdlib.h). gcc 2.91 just issued
	warning on this, while gcc 2.96 considered this to be an error
	* configure.in: rule checking for /usr/include/g++-3 has been refined.
	If system has been upgraded from RH 6.2 to RH 7.0 then both
	/usr/include/g++-2 and /usr/include/g++-3 exist. We should pick only
	/usr/include/g++-3 in this case

2000-12-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder_prefs.xml.in: fwbuilder_prefs.xml is now generated by
	configure
	* src/Makefile.in (snapshot): added target "snapshot"
	* src/PolicyListItem.cc (paint): switched to queue_draw everywhere
	and updated drawing method to use Gdk_GC consistently
	* src/NAT.cc (updateMainMenu): enable/disable main menu items
	* src/Policy.cc (updateMainMenu): enable/disable main menu items
	* src/FirewallObject.cc (updateMainMenu): enable/disable main menu
	items in "Policy"

2000-12-18  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/FWObject.cc (updateMainMenu): this virtual method enables or
	disables appropriate main menu items.
	* aclocal.m4: added functions which test for particular headers:
	AC_TEST_FILES and AC_SEARCH_HEADERS
	* Makefile.in: subdirectories processing is done through .PHONY
	target
	* doc/Requirements: updated requirements
	* bugfixes

2000-12-16  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/StandardRulesDruid.cc (on_finish): bugfixes
	* doc/README: descriptions of all object types added
	* AUTHORS (Credits): updated AUTHORS file
	* src/objects_init.xml: added group "Time" and object "AnyTime"
	* src/fwbuilder_prefs.xml: definition for TIME object; added time to
	policy definition for all supported platforms
	* src/AnyTime.cc: initial implementation
	* src/TimeObject.cc: Initial implementation of TimeObject
	* src/main_window.cc (Main_window): left and right panels in the main
	window simplified and are not built by glade anymore

2000-12-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/main_window_menu.cc (build_menu): another way to build menus.
	* src/main_window.cc (extractPolicyList): trying to avoid excessive
	use of dynamic_cast. I now tell PolicyDialog from NATDialog using
	widget name
	* dynamic_cast replaced everywhere, now using getTypeName()

2000-12-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder.cc (main): no need to initialize imlib if compiled
	with gnome support - gnome_init does it

2000-12-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Global key accelerator group implemented

2000-12-14  Vadim Zaliva  <lord@crocodile.org>

	* src/GroupDialog_glade.cc (N_): get rid of one more nasty
	compilation warning.

2000-12-13  Vadim Kurland  <vadim@voyager.crocodile.org>

	* gnome-wrappers/iconlist.{cc,hh}: wrapper for gnome widget icon_list
	* GroupDialog now uses our wrapper class IconList
	* Doubleclick on the object in a group view opens object

2000-12-13  Vadim Zaliva  <lord@crocodile.org>

	* src/main_window_menu.cc (GNOMEUIINFO_MENU_NEW_SUBTREE): workaround
	to solve compilation problem under gcc 2.96
	* src/Makefile.in ($(GNOME_WRAPPERS_LIB)): add dependency to
	gnome-wrappers/*.o which does not work.
	* src/Iconlist.cc (IconList):
	* src/TextDlg.cc (TextDlg):
	* src/BackgroundOpDisplay.cc (ConnectSignals):
	* src/NATDialog.cc (NATDialog):
	* src/PolicyDialog.cc (PolicyDialog):
	* src/PolicyList.cc (PolicyList):
	* src/PolicyListItem.cc (PolicyListItem):
	* src/PolicyListElement.cc (PolicyListRuleNum):
	(constructor):
	* src/GroupDialog.cc (GroupDialog):
	* src/About.cc (About): gcc 2.96 compilation problem. Corrected
	syntax of taking address of method.
	* src/PolicyListElement.cc (request_focus): focus() renamed to
	request_focus()
	* src/PolicyListElement.hh: get_row(), get_col() return type added.
	focus() renamed to request_focus()
	* src/PolicyListElement.cc (popup_menu): unused variable pl commented
	* src/Preferences.cc (getNodeByRelPath): commented out unused method.
	* configure: removed exit() method prototype which conflicts with one
	from stdlib.
	* src/PolicyList.hh:
	* src/PolicyList.cc (request_focus): focus() renamed to request_focus()
	* src/gnome-wrappers/wrappers.hh: undef syntax corrected to avoid
	compiler warnings.
	* src/Makefile.in (clean): clean target added

2000-12-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* configure.in, Makefile.in reimplemented. Now we do not use those
	built by glade for us.

2000-12-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject::map is now map<const gchar*,const gchar*,ltstr>
	* FWObject can now store data of three types: String, Int, Bool

2000-12-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PolicyListItem drawing method reimplemented using plain gdk
	routines. Everything works just fine.
	* bugfixes
	* ICMP code -1 now means any code. Compiler generates code which
	takes only icmp type into consideration

2000-12-02  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Class PolicyListItem completely reimplemented as custom widget
	derived from Gtk::Widget. It turned out to be surprisingly simpler
	to do it this way.
	* Class LabelWithEffects is not needed anymore; files have been
	removed from CVS
	* Still working on a bug where object tree lines lose color once
	policy has been displayed. Something is wrong with style or Gdk_GC
	processing in PolicyListItem

2000-12-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Implemented "disable rule" function in GUI
	* LabelWithEffects can now display text string with pixmap background
	(used in PolicyListRuleNum class to display rule number which can be
	double-crossed if rule is disabled)

2000-11-29  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Policy rule drag&drop methods now use actual rule screen snapshot
	as a drag icon
	* Added some imlib image manipulation to this snapshot to make it
	easily distinguishable from the rest of the picture on the screen.

2000-11-28  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Got rid of "path" and all supporting methods. Now we keep pointer
	to parent in each FWObject, which allows us to easily reconstruct
	path string on demand
	* pop-down menu appears on mouse button release (instead of button
	press) in ObjectTree, PolicyList and IconsList
	* added attribute "hidden". Now each object can be made hidden, so
	it won't show up in ObjectTree and groups. There is no GUI mechanism
	to set this attribute as of yet

2000-11-26  Vadim Kurland  <vadim@voyager.crocodile.org>

	* algorithm refinements for "any" objects and services. Now GUI
	inserts reference to the object "Any" instead of keeping rule element
	empty. This simplified somewhat algorithms for objects removals and
	additions in rule elements as we now guarantee that rule elements are
	never empty
	* doc/README updated with compilation and installation instructions
	* Makefile.am updated for proper binary and *.xml files install, as
	well as icons install. See README for details.

2000-11-25  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid now helps to build more or less complete basic policy. If
	you don't know where to start with new firewall - start with menu
	item "Help build firewall policy"
	* Object can now be dragged between policy elements
	* Menu item "compile" now actually calls compiler in the background
	and shows its progress or errors in the dialog window.
	* policy rules can now be dragged to swap places and move rules up or
	down.

2000-11-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* FWObject is now derived from list, not map. This made manipulation
	of the order in which children are presented much easier.
	This change was needed for proper implementation of Policy rules
	addition and insertion
	* some changes to fwbuilder_prefs.xml
	* bugfixes

2000-11-13  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid is now called "Standard Protection Rules Druid" and
	generates three types of rules:
	  - anti-spoofing rule
	  - rule dropping "short" fragments
	  - rule dropping "network junk", that is packets coming from
	    outside but not headed for our network
	* Druid consists of three pages, plus "final" page
	* program now automatically creates working directory in user's home
	and copies default preferences file and initial objects database
	there. See doc/README
	* Again new icons

2000-11-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Now all object dialogs check object's name for syntax before
	saving. Name must consist of alphanumeric characters and should not
	start with number

2000-11-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* New policy element added: "Direction". This, together with
	"Target", helps build anti-spoofing and other direction-dependent
	rules.
	* Anti-spoofing druid now actually builds rule on top of the policy
	* Preferences dialog now allows turning on and off visibility of
	individual policy elements
	* Original icons with transparent background restored
	* ICMP code and type terminology fixed

2000-11-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences and database are stored in user's home directory now

2000-11-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Converting icons to .png using imlib

2000-11-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Druid for generating anti-spoofing rules implemented

2000-11-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* gnome-wrappers added. Dependency on gnome-- eliminated
	* preparations for "anti-spoofing rules" druid
	* main menu generating code streamlined using GnomeUIInfo for all
	menu items and submenus
	* bugfixes

2000-11-03  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Some new icons

2000-11-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Icons can be of two different sizes now: large ones for object
	dialogs and small ones for policy
	* Preferences code streamlined

2000-10-31  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Main menu code rewritten. I use gnome-- libraries and code for
	menus and some other things. Getting ready to use "Druid" widget for
	firewall policy Wizard
	* Got rid of dynamic menu item. It was ugly from UI standpoint
	* "About" dialog added

2000-10-29  Vadim Kurland  <vadim@voyager.crocodile.org>

	* PortRange object is gone, use TCP and UDP instead
	* IP Object and dialog created

2000-10-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Additional icons

2000-10-24  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Preferences dialogs for different firewall platforms have been
	implemented
	* Preferences for ipchains firewall implemented in both builder and
	compiler

2000-10-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Interfaces can now be marked as "external" and "internal" via GUI.
	This feature will help implement NAT on various platforms (such as
	ipchains, cisco)
	* NAT rules are now properly displayed and can be edited and stored.

2000-10-19  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes in PolicyList

2000-10-15  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes

2000-10-14  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Bugfixes
	* Now BuiltinDialog may appear with or without buttons "Save" and
	"Undo" depending on the object definition in fwbuilder_pref.xml
	* "Move rule up" and "Move rule down" implemented

2000-10-12  Vadim Kurland  <vadim@voyager.crocodile.org>

	* completely got rid of direct references to rule descriptors in
	fwbuilder.xml.
	Now we recalculate descriptors for policies, rules and rule elements
	when we need them

2000-10-11  Vadim Kurland  <vadim@voyager.crocodile.org>

	* unnecessary references to rule and rule element descriptors
	removed from XML representation. Now these descriptors are being
	calculated when respective objects are built. This makes XML file
	much cleaner

2000-10-10  Vadim Kurland  <vadim@voyager.crocodile.org>

	* XML paths for all objects and preferences now include root element
	(FWObjectDatabase or FWBuilderPreferences). This makes design more
	systematic and allows for code reuse between builder and compiler.

2000-10-09  Vadim Kurland  <vadim@voyager.crocodile.org>

	* minor changes to rule element descriptors. Adjustments for compiler

2000-10-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Descriptors now are part of preferences.

2000-10-08  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Changes in XML storage: now XML nodes are named after respective
	objects, with object type stored as attribute "_type". This is
	needed to eliminate confusion between two different ways to handle
	object's path in the tree: one way is to compose path from XML nodes
	names, another way is to use object's names. We will assume path
	consists of XML nodes names, which are now the same as corresponding
	objects names. Next big step will be moving subtree "/Descriptors/"
	from the main tree to Preferences. We are already working with
	descriptors using their path, so it won't be difficult to rewrite
	relevant pieces of code to use preferences instead.

2000-10-07  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Accommodations for the policy compiler. Paths to compilers for all
	supported platforms are now stored in Preferences
	* Class Preferences now keeps data in XML tree instead of
	map<string,string>. Preferences should be accessed via
	Preferences::getOpt method by their XML tree path

2000-10-01  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Further code refinement in rule element negation

2000-09-30  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Rule element negation implemented in GUI

2000-09-26  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Code cleanup. XPM icon file names for all object types are now
	stored in XML file

2000-09-05  Vadim Kurland  <vadim@voyager.crocodile.org>

	* New class: TypeDescriptor. Objects of this class contain
	descriptive information for various object types used in the system.
	Objects get stored in the static part of XML database under
	"Descriptors". Verbose description for a given type can be retrieved
	using the following code fragment; here s contains type name ("FW")
	and ss will get description ("Firewall") from the type descriptor:

	    FWObject *typedsc=FWObjectsDatabase::db->get("/Descriptors/Types/"+s);
	    ss=typedsc->getStr("description");

	GroupDialog shows allowed group members types using verbose
	descriptions taken from TypeDescriptor for each type

2000-09-04  Vadim Kurland  <vadim@voyager.crocodile.org>

	* Classes ICMPObject, UDPObject and TCPObject have been adapted for
	storing data in XML
	* Class Group has got a list of types allowed for its children. It
	is comma separated list of type names stored as string attribute
	"allowed_types" and provides for easy search and checks by name.
	GroupDialog now shows all allowed types in the dialog. Upon creation
	each group inherits allowed types from its ancestor, although group
	may have this set trimmed for stricter control
	* New method: FWObject::getParent(): looks for a parent of given
	object using its path

2000-09-02  Vadim Kurland  <vadim@voyager.crocodile.org>

	* All type comparisons converted to getTypeName(). FWObject::GetType()
	is obsolete now and is scheduled for removal.
	enum FWObjectType is also going to be phased out
	* RuleElementDescriptor now holds list of allowed object type names
	instead of integer with a bitmask of values from enum FWObjectType
	* class FWObjectDialog has been created. This is generic dialog for
	all classes which are not supposed to be visible for regular user.
	ObjectTree shows these objects after pressing magic key "F6", so
	this dialog can then be used to open and potentially edit objects'
	XML attributes.
	* bug fixes in the area of interfaces processing for both hosts and
	firewalls

2000-08-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/FWObjectClipboard.cc: FWObjectClipboard is now derived from
	FWObjectReference

2000-08-27  Vadim Kurland  <vadim@voyager.crocodile.org>

	* src/fwbuilder.xml: Each Policy, Rule and RuleElement now have an
	attribute pointing to the corresponding descriptor as follows:
	    Policy      -> RuleDescriptor        (record RD in xml file)
	    Rule        -> RuleDescriptor        (record RD in xml file)
	    RuleElement -> RuleElementDescriptor (record RED in xml file)
	This simplified descriptors manipulation significantly and allowed
	us to get rid of bunch of calls to FWObject::get
	* src/FWObject.cc (xfind): Method deprecated in favor of
	FWObject::get. Code has been cleaned so FWObject::xfind is not used
	anymore.

2000-08-21  Vadim Kurland  <vadim@tahoe.crocodile.org>

	* src/Policy.cc (AppendRuleAfter): Now adding rules above and below
	the given rule works properly

2000-08-20  Vadim Kurland  <vadim@tahoe.crocodile.org>

	* src/PolicyList.hh: Individual classes for standard policy elements
	have been added. These are:
	    PolicyListRuleAction
	    PolicyListRuleLog
	    PolicyListRuleTarget
	    PolicyListRuleComment
	* src/fwbuilder.xml: Following classes were converted to the new
	system of tree-like data storage:
	    RuleDescriptor        (Policy rule descriptor)
	    RuleElementDescriptor (rule element descriptor)
	    Rule                  (policy rule)
	    RuleElement
	    Policy
	Data storage and loading for these classes have been implemented and
	tested. This is the first time we can store firewall policy and then
	load it back!
	* src/ObjectTree.cc (on_key_press_event): Secret keys for the left
	panel:
	    press F5 to rebuild the tree
	    press F6 to toggle boolean flag show_all and rebuild the tree.
	The "show_all" flag, if true, forces tree to show all the elements
	ignoring their showInTree method
	* src/PolicyListElement.cc: PolicyListElement methods are now in a
	separate file

2000-08-17  Vadim Kurland  <vadim@tahoe.crocodile.org>

	* src/FWObject.cc (fromXML): added protected method fromXML. I need
	to be able to initialize some fields in FWObjectsDatabase before we
	load data from XML file. Since XML parsing used to happen in the
	FWObject constructor, I could not initialize "path" field for the
	database object before actual XML parsing would happen. Hence method
	fromXML
	(addChild): This is where we keep track of the full path to the
	object. Every time we add object to another object, we take path of
	the parent, add slash "/" and name of the child at the end. The
	result gets stored in the child using setPath method. This way we
	keep track of the full path to every object in the database. For
	this algorithm to work, the "root" object - database itself - has to
	be "seeded" with its path name "/Database". That is why we needed
	fromXML method (see above)

2000-08-17  Vadim Zaliva  <lord@crocodile.org>

	* src/FWObject.hh (FWObject*>): find renamed to xfind to avoid name
	conflict with STL method.
	(FWObject*>): set/get Str/Int using const and reference to pass
	names.
	* src/gui/FWObjectDatabase.cc (load):
	* src/gui/FWObject.cc (resolveReferences): resolving references on
	load
	* src/gui/FWObject.hh:
	* src/gui/FWObjectReference.hh:
	* src/gui/FWObjectReference.cc: New tree object - reference to
	another one

2000-08-16  Vadim Zaliva  <lord@crocodile.org>

	* src/fwbuilder.xml: sample data file
	* src/Group.hh:
	* src/Group.cc:
	* src/FWObjectDatabase.cc:
	* src/FWObjectDatabase.hh:
	* src/FWObject.cc:
	* src/FWObject.hh:
	* src/HostObject.cc:
	* src/HostObject.hh: Loading xml files skeleton.

2000-08-15  Vadim Zaliva  <lord@crocodile.org>

	* src/FWObjectDatabase.hh (class FWObjectsDatabase): removed methods
	which are already present in FWObjects. object_db variable removed
	and replaced with singleton.

2000-08-14  Vadim Zaliva  <lord@crocodile.org>

	* src/FileSel.cc (FileSel): default extension changed to .xml
	* src/FWObjectDatabase.cc (saveAs): database is now saved as root of
	xml tree.
	* src/FWObject.hh: FWObjectType converted to enum. Added value
	DATABASE.
	* src/FWObject.cc (toXML): saving to XML uses different schema - now
	nodes are object types.
	* src/FWObject.hh (FWObject*>): Find renamed to find() to match
	coding style.
	* src/FWObject.cc (toXML): saving method added.
	* src/FWObjectDatabase.cc (saveAs): remembering filename we were
	loading from, to use it for saving. Saving XML implemented.

2000-07-27  Vadim Zaliva  <lord@crocodile.org>

	* src/Preferences.cc (LoadPrefsFile): loading preferences from XML
	file.
	(SavePrefsFile): saving preferences in XML.
	* src/Preferences.hh: loadPrefsFile protected method added
	* src/Makefile.in (LIBS): added list of libraries detected by
	autoconf to link flags.
	* src/fwbuilder_prefs.xml: created this file for storing user
	preferences.
	* configure.in: added check for libxml

2000/4/29 23:51:53 PDT
	policy sheet implemented as CList with multiple lines per one rule

2000/4/30 12:58:07 PDT
	gen_popup_menu (generic popup menu class) implemented