[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, develo
From: <gi...@ir...> - 2011-11-28 21:45:25
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code". The branch, development has been updated via 8e2fabca2cdda50bfa862f41d511a79a3e697fab (commit) from b7eb40b78ea8a25ddd3f76e2dd5dcc62c0ffd529 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 8e2fabca2cdda50bfa862f41d511a79a3e697fab Author: Vadim Kurland <va...@ne...> Date: Mon Nov 28 13:43:17 2011 -0800 fixed SF bug #3443609 Return of ID: 3059893": iptables "--set" option deprecated". Need to use --match-set instead of --set if iptables version is >= 1.4.4. The fix done for #3059893 was only in the policy compiler but needs to be done in both policy and nat compilers. diff --git a/doc/ChangeLog b/doc/ChangeLog index b73b426..88399e5 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,12 @@ 2011-11-28 Vadim Kurland <va...@ne...> + * NATCompiler_PrintRule.cpp (_printIpSetMatch): fixed SF bug + #3443609 Return of ID: 3059893": iptables "--set" option + deprecated". Need to use --match-set instead of --set if iptables + version is >= 1.4.4. The fix done for #3059893 was only in the + policy compiler but needs to be done in both policy and nat + compilers. + * PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): more fixes for SF bug #3439613. Adding "-i" / "-o" clause to match parent bridge interface. This allows us to correctly match which diff --git a/src/iptlib/NATCompiler_PrintRule.cpp b/src/iptlib/NATCompiler_PrintRule.cpp index 6bac2a3..ea19d17 100644 --- a/src/iptlib/NATCompiler_PrintRule.cpp +++ b/src/iptlib/NATCompiler_PrintRule.cpp 
@@ -506,7 +506,14 @@ string NATCompiler_ipt::PrintRule::_printIpSetMatch(Address *o, RuleElement *re string suffix = "dst"; if (RuleElementOSrc::isA(rel)) suffix = "src"; if (RuleElementODst::isA(rel)) suffix = "dst"; - string set_match = "--set " + set_name + " " + suffix; + + string set_match_option; + if (XMLTools::version_compare(version, "1.4.4")>=0) + set_match_option = "--match-set"; + else + set_match_option = "--set"; + + string set_match = set_match_option + " " + set_name + " " + suffix; ostringstream ostr; ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); return ostr.str(); diff --git a/src/res/help/en_US/release_notes_5.0.1.html b/src/res/help/en_US/release_notes_5.0.1.html index ecba1b7..91ae0f1 100644 --- a/src/res/help/en_US/release_notes_5.0.1.html +++ b/src/res/help/en_US/release_notes_5.0.1.html @@ -346,8 +346,8 @@ </p> </li> - <ul> <li> + <p> SF bug #3439613. physdev module does not allow --physdev-out for non-bridged traffic anymore. We should add --physdev-is-bridged to make sure this matches only bridged @@ -362,8 +362,19 @@ with virtual machines. Note that the "-i br0" / "-o br0" clause is only added when there is more than one bridge interface and bridge port name ends with a wild card symbol "+" + </p> </li> - </ul> + + <li> + <p> + fixed SF bug #3443609 Return of ID: 3059893": iptables "--set" + option deprecated". Need to use --match-set instead of --set if + iptables version is >= 1.4.4. The fix done for #3059893 was only + in the policy compiler but needs to be done in both policy and + nat compilers. + </p> + </li> + </ul> diff --git a/test/ipt/rc.firewall.local b/test/ipt/rc.firewall.local index dec9492..e669008 100755 --- a/test/ipt/rc.firewall.local +++ b/test/ipt/rc.firewall.local 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v5.0.1.3590 # -# Generated Mon Nov 28 12:23:41 2011 PST by vadim +# Generated Mon Nov 28 13:42:52 2011 PST by vadim # # files: * rc.firewall.local /etc/rc.d//rc.firewall.local # ----------------------------------------------------------------------- Summary of changes: doc/ChangeLog | 7 +++++++ src/iptlib/NATCompiler_PrintRule.cpp | 9 ++++++++- src/res/help/en_US/release_notes_5.0.1.html | 19 +++++++++++++++---- test/ipt/rc.firewall.local | 2 +- 4 files changed, 31 insertions(+), 6 deletions(-) hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |
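Review bot: In src/iptlib/NATCompiler_PrintRule.cpp, `_printIpSetMatch` now holds its own copy of the `XMLTools::version_compare(version, "1.4.4")>=0` choice between `--match-set` and `--set`, a choice the commit message says already exists in the policy compiler. Two independent copies of the same decision are how #3059893 resurfaced as #3443609. Suggest moving the option selection into one helper that both the policy and NAT PrintRule classes call, and giving the "1.4.4" threshold a named constant, so a later change to the cutoff or the option name lands in both compilers at once.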
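Review bot: In src/res/help/en_US/release_notes_5.0.1.html, the first hunk removes the `<ul>` that preceded the `<li>` for SF bug #3439613, while the second hunk removes one `</ul>` and adds one back after the new item, so the patch drops one opening tag and no closing tag overall. Please confirm the list is balanced after the change, since the matching opening tag is not visible in either hunk. As a smaller point, the new entry copies the tracker title verbatim, including the unbalanced quotation marks in `Return of ID: 3059893":` and `deprecated".`, and starts with "fixed SF bug" where the neighbouring entry starts with "SF bug #3439613."; rewording it to match the other entries would read better in user-facing release notes.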
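Review bot: In test/ipt/rc.firewall.local, the only change is the `# Generated Mon Nov 28 ... 2011 PST by vadim` timestamp, so nothing in this commit's test data exercises the new branch in the NAT compiler. Suggest adding a NAT rule that uses an ipset match to the iptables test set, compiled once for a version below 1.4.4 and once for 1.4.4 or later, so the expected output pins `--set` and `--match-set` respectively. Regenerating a reference file only to bump its timestamp also adds noise to the history and could be left out of the commit.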