Release Notes for policy compiler for iptables firewalls, v0.9.2

fwb_iptables generates a shell script which needs to be executed on the target firewall. The script file name is that of the firewall object plus the ".fw" extension.

The compiler honors all rule elements and all the options available in the GUI: source, destination, service, target, direction, action, logging.

The compiler creates a separate chain for each rule in order to generate one rule for logging and another one to implement the requested action (Drop, Reject, Accept). This separate chain can be used for accounting in the future.

Negation in Source, Destination or Service is implemented by means of yet another auxiliary chain, which includes rules with the objects specified in the GUI and action set to "RETURN". The very last rule in this auxiliary chain has source and destination set to "0/0" and actually implements the action specified in the GUI. This algorithm correctly processes negation in rules where multiple objects are specified as source, destination or service.

Custom logging prefix: each rule defined in the GUI can now have a custom logging prefix. The compiler recognizes the following pseudo-format sequences:

  '%N' will be replaced with the rule number
  '%A' will be replaced with the rule action

The custom logging prefix can be specified in the GUI via the rule options dialog.

Processing of object "Any": object "Any" should include the firewall itself. In iptables, packets originating on the firewall are processed by the OUTPUT chain, and packets headed for the firewall are processed by the INPUT chain. To take this into account, the compiler generates rules for these two chains in addition to the FORWARD chain if one or more objects in the rule are "Any". This behaviour can be changed by an option in the Firewall object's platform-specific options tab. The option is called "Assume firewall object is part of 'Any' or network objects". If this option is deactivated, code will not be generated in the INPUT and OUTPUT chains, and special dedicated rules are needed to provide access to and from the firewall itself.

Rules with service set to "Any" generate iptables code which does not specify a protocol at all. We rely on the iptables implementation for statefulness here.
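The following script is an added illustration of the chain layout described above (per-rule chain with a LOG rule and an action rule, an auxiliary chain with RETURN rules for negation, %N/%A prefix expansion, and extra INPUT/OUTPUT jumps when "Any" is involved). It is not fwb_iptables output or project code: it only prints the iptables commands it would generate and executes nothing. The chain names RULE_N and RULE_N_NEG, the use of "0/0" to stand for "Any", and the sample addresses are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed example: print the iptables commands for the chain layout
# described in the release notes. Nothing here touches a live firewall.

# Replace the pseudo-format sequences in a custom logging prefix:
# %N -> rule number, %A -> rule action.
expand_prefix() {
    prefix=$1; num=$2; action=$3
    printf '%s' "$prefix" | sed -e "s/%N/$num/g" -e "s/%A/$action/g"
}

# Emit one rule as its own chain (assumed name RULE_<num>): the chain holds a
# LOG rule followed by the requested action, and FORWARD jumps into it.
# If source or destination is "Any" (written as 0/0 here), the chain is also
# reached from INPUT and OUTPUT, because "Any" includes the firewall itself.
# $1 rule number, $2 action (ACCEPT|DROP|REJECT), $3 source, $4 destination,
# $5 custom logging prefix (may contain %N and %A).
emit_rule() {
    num=$1; action=$2; src=$3; dst=$4; prefix=$5
    chain="RULE_$num"
    logpfx=$(expand_prefix "$prefix" "$num" "$action")
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A FORWARD -s %s -d %s -j %s\n' "$src" "$dst" "$chain"
    if [ "$src" = "0/0" ] || [ "$dst" = "0/0" ]; then
        printf 'iptables -A INPUT -s %s -d %s -j %s\n' "$src" "$dst" "$chain"
        printf 'iptables -A OUTPUT -s %s -d %s -j %s\n' "$src" "$dst" "$chain"
    fi
    printf 'iptables -A %s -j LOG --log-prefix "%s "\n' "$chain" "$logpfx"
    printf 'iptables -A %s -j %s\n' "$chain" "$action"
}

# Emit a rule whose source is negated: each listed source object gets a RETURN
# rule in an auxiliary chain (assumed name RULE_<num>_NEG), and the very last
# rule, with source and destination 0/0, applies the requested action.
# $1 rule number, $2 action, $3 space-separated negated sources, $4 destination.
emit_negated_source_rule() {
    num=$1; action=$2; sources=$3; dst=$4
    chain="RULE_${num}_NEG"
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A FORWARD -d %s -j %s\n' "$dst" "$chain"
    for s in $sources; do
        printf 'iptables -A %s -s %s -j RETURN\n' "$chain" "$s"
    done
    printf 'iptables -A %s -s 0/0 -d 0/0 -j %s\n' "$chain" "$action"
}

# Number of RETURN rules produced for a negated rule; one per negated object.
count_returns() {
    emit_negated_source_rule "$@" | grep -c -- '-j RETURN'
}

# Sample rules (constructed addresses):
emit_rule 1 DROP 10.0.0.0/8 192.168.1.10 'RULE %N -- %A'
emit_rule 2 ACCEPT 0/0 192.168.1.10 'RULE %N -- %A'
emit_negated_source_rule 3 ACCEPT "10.1.1.0/24 10.1.2.0/24" 192.168.1.20
```

Reading the output side by side with the notes shows why the per-rule chain exists: the LOG rule and the action rule share one match in the parent chain, and the negated rule only reaches its final 0/0 rule for packets that none of the RETURN rules matched.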