mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-24 04:07:55 +01:00

2009-12-28 vadim <vadim@vk.crocodile.org>

* instDialog_ui_ops.cpp (instDialog::setFlags): For the PIX
cluster, built-in installer installs generated configuration only
on the master member firewall. It determines which one is the
master by looking in the StateSyncGroup object (state
synchronization cluster group). Fixes #998
Vadim Kurland 2009-12-29 02:08:19 +00:00
parent 6268344fd7
commit 1de87eae40
13 changed files with 155 additions and 43 deletions


@ -1 +1 @@
#define BUILD_NUM 2284
#define BUILD_NUM 2285


@ -1,3 +1,11 @@
2009-12-28 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::setFlags): For the PIX
cluster, built-in installer installs generated configuration only
on the master member firewall. It determines which one is the
master by looking in the StateSyncGroup object (state
synchronization cluster group). Fixes #998
2009-12-27 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):


@ -168,6 +168,7 @@ class instDialog : public QDialog, public FakeWizard
bool checkIfNeedToInstall(libfwbuilder::Firewall *fw);
QTreeWidgetItem *createTreeItem(QTreeWidgetItem* parent,
libfwbuilder::Firewall *fw);
void setFlags(QTreeWidgetItem* item);
virtual void closeEvent(QCloseEvent *event);
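Review bot: The new `setFlags(QTreeWidgetItem* item)` declaration carries no comment, and its name reads like `QTreeWidgetItem::setFlags`, which the implementation itself calls on the item. A one-line comment on the declaration would state the contract, for example `// sets install/compile checkboxes and the master/standby marking for one row of the select table`. The class body starts and ends outside this hunk.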


@ -76,6 +76,7 @@
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#ifndef _WIN32
# include <unistd.h> // for access(2) and getdomainname
@ -114,11 +115,6 @@ bool instDialog::checkIfNeedToInstall(Firewall *fw)
QTreeWidgetItem* instDialog::createTreeItem(QTreeWidgetItem* parent,
Firewall *fw)
{
time_t lm = fw->getInt("lastModified");
time_t lc = fw->getInt("lastCompiled");
time_t li = fw->getInt("lastInstalled");
QDateTime dt;
QTreeWidgetItem* item;
QStringList sl;
sl.push_back(fw->getName().c_str());
@ -128,14 +124,78 @@ QTreeWidgetItem* instDialog::createTreeItem(QTreeWidgetItem* parent,
else
item = new QTreeWidgetItem(sl);
QString icn_filename = (":/Icons/"+fw->getTypeName()+"/icon").c_str();
QString icn_filename = (":/Icons/" + fw->getTypeName() + "/icon").c_str();
QPixmap pm;
if ( ! QPixmapCache::find( icn_filename, pm) )
if ( ! QPixmapCache::find(icn_filename, pm))
{
pm.load( icn_filename );
QPixmapCache::insert( icn_filename, pm);
pm.load(icn_filename);
QPixmapCache::insert(icn_filename, pm);
}
item->setIcon(0, QIcon(pm));
item->setData(0, Qt::UserRole, QVariant(fw->getId()));
// Mark cluster members
// If parent!=NULL, new tree item corresponds to the cluster member
item->setData(1, Qt::UserRole, QVariant(parent!=NULL));
// it is useful to know how many members does this cluster have. If this is
// not a cluster, store 0
list<Firewall*> members;
if (Cluster::isA(fw))
Cluster::cast(fw)->getMembersList(members);
int num_members = members.size();
item->setData(2, Qt::UserRole, QVariant(num_members));
return item;
}
void instDialog::setFlags(QTreeWidgetItem* item)
{
int obj_id = item->data(0, Qt::UserRole).toInt();
Firewall *fw = Firewall::cast(project->db()->findInIndex(obj_id));
QTreeWidgetItem* parent = item->parent();
time_t lm = fw->getInt("lastModified");
time_t lc = fw->getInt("lastCompiled");
time_t li = fw->getInt("lastInstalled");
QDateTime dt;
// need to skip the secondary cluster members if platform only
// allows installations on the primary (e.g. PIX). Note that
// platform attribute must be the same in the cluster and member
// firewalls objects. See #998
string platform = fw->getStr("platform");
bool install_only_on_primary_member = Resources::getTargetCapabilityBool(
platform, "install_only_on_primary");
Cluster *cluster = NULL;
FWObject *master_interface = NULL;
if (parent)
{
int obj_id = parent->data(0, Qt::UserRole).toInt();
cluster = Cluster::cast(project->db()->findInIndex(obj_id));
if (cluster)
{
FWObject *state_sync_group =
cluster->getFirstByType(StateSyncClusterGroup::TYPENAME);
string master_id = state_sync_group->getStr("master_iface");
for (FWObjectTypedChildIterator grp_it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
grp_it != grp_it.end(); ++grp_it)
{
FWObject *iface = FWObjectReference::getObject(*grp_it);
if (FWObjectDatabase::getStringId(iface->getId()) == master_id)
{
master_interface = iface;
break;
}
}
}
}
item->setIcon( 0, QIcon(pm) );
// Real firewalls get checkbox for install
if (Firewall::isA(fw))
@ -144,23 +204,41 @@ QTreeWidgetItem* instDialog::createTreeItem(QTreeWidgetItem* parent,
if (operation==BATCH_INSTALL)
{
checked = checkIfNeedToInstall(fw);
if (parent)
if (cluster)
{
// override if checkIfNeedToCompile() is true for the
// parent cluster
int obj_id = parent->data(0, Qt::UserRole).toInt();
Cluster *cluster = Cluster::cast(project->db()->findInIndex(obj_id));
if (cluster && checkIfNeedToCompile(cluster))
// parent cluster.
if (checkIfNeedToCompile(cluster))
{
checked = true;
}
}
item->setCheckState(INSTALL_CHECKBOX_COLUMN,
checked?Qt::Checked:Qt::Unchecked);
}
if (parent==NULL)
// If this platform requires installation only on
// the master, disable and uncheck checkbox for the standby.
if (install_only_on_primary_member && master_interface != NULL)
{
// If parent==NULL, we are adding firewall that is not
// cluster member, it needs "compile" checkbox
QString txt = item->text(0);
if (master_interface->isChildOf(fw))
{
// Master
item->setText(0, QString("%1 (master)").arg(txt));
} else
{
// Standby
item->setText(0, QString("%1 (standby)").arg(txt));
item->setCheckState(INSTALL_CHECKBOX_COLUMN, Qt::Unchecked);
item->setFlags(Qt::NoItemFlags);
}
}
if (cluster==NULL)
{
// we are adding firewall that is not cluster member, it
// needs "compile" checkbox
checked = checkIfNeedToCompile(fw);
item->setCheckState(COMPILE_CHECKBOX_COLUMN,
checked?Qt::Checked:Qt::Unchecked);
@ -199,18 +277,6 @@ QTreeWidgetItem* instDialog::createTreeItem(QTreeWidgetItem* parent,
dt.setTime_t(li);
item->setText(LAST_INSTALLED_COLUMN, (li)?dt.toString():QString("Never"));
item->setData(0, Qt::UserRole, QVariant(fw->getId()));
// Mark cluster members
// If parent!=NULL, new tree item corresponds to the cluster member
item->setData(1, Qt::UserRole, QVariant(parent!=NULL));
// it is useful to know how many members does this cluster have. If this is
// not a cluster, store 0
item->setData(2, Qt::UserRole, QVariant(num_members));
return item;
}
/*
@ -378,6 +444,7 @@ void instDialog::fillCompileSelectList()
for (list<Cluster *>::iterator i=clusters.begin(); i!=clusters.end(); ++i)
{
cl = *i;
QTreeWidgetItem* cluster_item = createTreeItem(NULL, cl);
m_dialog->selectTable->addTopLevelItem(cluster_item);
@ -387,7 +454,7 @@ void instDialog::fillCompileSelectList()
for (list<Firewall*>::iterator member=members.begin();
member!=members.end(); ++member)
{
createTreeItem(cluster_item, *member);
QTreeWidgetItem *itm = createTreeItem(cluster_item, *member);
working_list_of_firewalls.remove(*member);
}
cluster_item->setExpanded(true);
@ -401,6 +468,13 @@ void instDialog::fillCompileSelectList()
m_dialog->selectTable->addTopLevelItem(fw_item);
}
QTreeWidgetItemIterator it(m_dialog->selectTable);
while (*it)
{
setFlags(*it);
++it;
}
creatingTable = false;
for (int i=0; i<m_dialog->selectTable->columnCount(); i++)
@ -692,16 +766,20 @@ void instDialog::setSelectStateAll(int column, Qt::CheckState select)
bool cluster_member = (*it)->data(1, Qt::UserRole).toBool();
int num_members = (*it)->data(2, Qt::UserRole).toInt();
// firewalls only get checkboxes for install,
if (column == INSTALL_CHECKBOX_COLUMN && Firewall::isA(o))
(*it)->setCheckState(column, select);
Qt::ItemFlags flags = (*it)->flags();
if (flags & Qt::ItemIsUserCheckable != 0)
{
// firewalls only get checkboxes for install,
if (column == INSTALL_CHECKBOX_COLUMN && Firewall::isA(o))
(*it)->setCheckState(column, select);
// Cluster gets checkbox for compile.
// Cluster should never get a checkbox if it has no members.
// Firewall that is not a cluster member gets compile checkbox
if ((column == COMPILE_CHECKBOX_COLUMN && Cluster::isA(o) && num_members) ||
(Firewall::isA(o) && !cluster_member))
(*it)->setCheckState(column, select);
// Cluster gets checkbox for compile.
// Cluster should never get a checkbox if it has no members.
// Firewall that is not a cluster member gets compile checkbox
if ((column == COMPILE_CHECKBOX_COLUMN && Cluster::isA(o) && num_members) ||
(Firewall::isA(o) && !cluster_member))
(*it)->setCheckState(column, select);
}
++it;
}
}
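Review bot: In setSelectStateAll the new guard `if (flags & Qt::ItemIsUserCheckable != 0)` does not test the checkable bit, because `!=` binds tighter than `&` and the expression becomes `flags & 1`, which is the Qt::ItemIsSelectable bit. Standby rows stay unchecked on "select all" only because setFlags clears every flag with `Qt::NoItemFlags`, so the guard should be written as `if (flags & Qt::ItemIsUserCheckable)`. In setFlags, `state_sync_group` returned by `cluster->getFirstByType(StateSyncClusterGroup::TYPENAME)` is dereferenced on the next line without a null check, as is `iface` inside the loop; if a cluster can exist without a state synchronization group this would crash the dialog, so a guard such as `if (state_sync_group != NULL)` around the lookup seems needed. Both function bodies extend outside the visible hunks.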


@ -495,11 +495,28 @@ rule sets of this object rather than in the actual firewalls.
have IP addresses and these addresses must be different but
belong to the same subnet.
</li>
</ul>
</p>
<p>
Built-in policy installer treats PIX clusters in a special way:
<ul>
<li> For the PIX cluster, built-in installer installs generated
configuration only on the master PIX unit. It determines which
one is the master by looking in the StateSyncGroup object (state
synchronization cluster group).
</li>
<li>
Dialog where user enters authentication credentials and other
parameters for the installer has a checkbox that makes installer
initiate copy of the configuration to the standby PIX if
installation was successfull.
</li>
</ul>
</p>
<a name="bridge"></a>
<h2>Changes in the support for bridging firewalls</h2>


@ -134,6 +134,7 @@ nameif %in %il security%sl
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>True</supports_cluster>
<install_only_on_primary>True</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -113,6 +113,7 @@ interface %in
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -38,6 +38,7 @@
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -36,6 +36,7 @@
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -47,6 +47,7 @@
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>True</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -41,6 +41,7 @@
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>True</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -358,6 +358,7 @@
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>True</supports_cluster>
<install_only_on_primary>True</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>


@ -28,6 +28,7 @@
<unprotected_interfaces>False</unprotected_interfaces>
<supports_prolog_epilog>False</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>