I've fixed a few bugs discovered recently in discussions on this list
and made a nightly build 191. This is the first nightly build of v2.1.9
so it will want to upgrade your data file. Files are on the server in
the usual place at http://www.fwbuilder.org/nightly_builds/
Here is a snippet from the ChangeLog:
* Compiler.cpp (Compiler::expandGroupsInRuleElement): fixed bug
#1620925: "compile-time AddressTable object with empty file".
Compile-time AddressTable object that uses file with no addresses
should be treated as an empty group according to the "Ignore empty
groups" option. Changes are made as follows:
- Compiler::expandGroupsInRuleElement does not call
s->setAnyElement(); to set rule element to 'any' before adding
addresses from the group. This means that if group is empty, rule
element remains empty (not even 'any', just with no children,
i.e. with size()==0). Note that AddressTable::loadFromSource()
leaves AddressTable object empty if the file does not have any
- Compiler::emptyGroupsInRE specifically checks for run-time
MultiAddress objects and skips them so they won't be treated as
empty groups (since they are indeed empty). Compile-time
MultiAddress objects are treated as groups and algorithm that
depends on option 'ignore empty groups' is executed for both empty
regular groups and empty compile-time MultiAddress objects.
* PolicyCompiler_ipt_optimizer.cpp (optimize1::optimizeForRuleElement):
fixed bug #1623113: 'connlimit fails in compiled "address table" rules'
Module connlimit can only be used in iptables rules matching TCP
Such iptables commands have "-p tcp" and/or "-m tcp" options. If
a rule in fwbuilder uses TCP Service and connlimit option and has
multiple objects in src and dst, the optimizer used to split it to minimize
matches. It however preserved the connlimit option in all subrules,
even though some of them did not have the TCP service after the split. This
led to the generation of incorrect iptables commands.
* PolicyCompiler_ipt.cpp (Branching::expandBranch): fixed bug
#1623338: "Can not disable rules in a branch". Compiler for
iptables ignored flag 'disabled' on rules in a branch.
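The connlimit fix described above, as an added illustration that is not fwbuilder code: a constructed model of the src/dst split into a user chain, with the old behaviour (connlimit copied onto every subrule) beside the corrected one, and a check that flags any generated command carrying connlimit without a TCP match. All names (Rule, optimize, invalid_connlimit, the chain name) are hypothetical.

```python
# Constructed illustration of the optimizer/connlimit fix; not fwbuilder code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    srcs: list
    dsts: list
    service: Optional[Tuple[str, int]]   # ("tcp", 22), ("udp", 53) or None = any
    connlimit_above: Optional[int] = None


def service_match(service):
    """iptables match fragment for a single service object."""
    if service is None:
        return ""
    proto, port = service
    return f" -p {proto} -m {proto} --dport {port}"


def optimize(rule, chain="FWD_opt1", fixed=True):
    """Split a rule with many src/dst objects into a jump to a user chain
    plus one subrule per object, avoiding a full src x dst cross product.
    fixed=False reproduces the old behaviour (connlimit on every subrule);
    fixed=True keeps connlimit only on subrules that still match TCP."""
    limit = ""
    if rule.connlimit_above is not None:
        limit = f" -m connlimit --connlimit-above {rule.connlimit_above}"
    cmds = [f"iptables -N {chain}"]
    for s in rule.srcs:
        # src-only subrules carry no service match, so connlimit is invalid here
        cmds.append(f"iptables -A FORWARD -s {s}{'' if fixed else limit} -j {chain}")
    svc = service_match(rule.service)
    has_tcp = rule.service is not None and rule.service[0] == "tcp"
    for d in rule.dsts:
        keep = limit if (not fixed or has_tcp) else ""
        cmds.append(f"iptables -A {chain} -d {d}{svc}{keep} -j ACCEPT")
    return cmds


def invalid_connlimit(cmds):
    """Return generated commands that use connlimit without a '-p tcp' match,
    i.e. the incorrect iptables commands the bug produced."""
    return [c for c in cmds if "-m connlimit" in c and "-p tcp" not in c]


if __name__ == "__main__":
    r = Rule(["10.0.0.1", "10.0.0.2"], ["192.168.1.10", "192.168.1.11"], ("tcp", 22), 5)
    print(invalid_connlimit(optimize(r, fixed=False)))   # two bad src subrules
    print(invalid_connlimit(optimize(r, fixed=True)))    # []
```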