From 37db19faf96c8c2d4ce19eaf3254a177bfa1f863 Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Fri, 18 Dec 2009 23:44:58 +0000
Subject: [PATCH] fixes #939  Add backup ssh access rule to the "stop" section
 of generated iptables script. Now with dialog control to make this optional

---
 build_num                                 |   2 +-
 src/gui/iptAdvancedDialog.cpp             |   2 +
 src/gui/iptadvanceddialog_q.ui            | 134 +++++++++++-----------
 src/iptlib/CompilerDriver_ipt_run.cpp     |  17 +--
 test/ipt/objects-for-regression-tests.fwb |  14 ++-
 5 files changed, 93 insertions(+), 76 deletions(-)

diff --git a/build_num b/build_num
index 3f07def5d..5be78076f 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2197
+#define BUILD_NUM 2198
diff --git a/src/gui/iptAdvancedDialog.cpp b/src/gui/iptAdvancedDialog.cpp
index 3bb45a1cc..c8076eab0 100644
--- a/src/gui/iptAdvancedDialog.cpp
+++ b/src/gui/iptAdvancedDialog.cpp
@@ -146,6 +146,8 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
 
     data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
     data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
+    data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped,
+                        fwoptions, "add_mgmt_ssh_rule_when_stoped");
     data.registerOption(m_dialog->addVirtualsforNAT,
                         fwoptions, "manage_virtual_addr");
 
diff --git a/src/gui/iptadvanceddialog_q.ui b/src/gui/iptadvanceddialog_q.ui
index 3877c00ef..f9a450bee 100644
--- a/src/gui/iptadvanceddialog_q.ui
+++ b/src/gui/iptadvanceddialog_q.ui
@@ -9,7 +9,7 @@
     <x>0</x>
     <y>0</y>
     <width>671</width>
-    <height>772</height>
+    <height>812</height>
    </rect>
   </property>
   <property name="sizePolicy" >
@@ -24,7 +24,7 @@
   <property name="sizeGripEnabled" >
    <bool>false</bool>
   </property>
-  <layout class="QGridLayout" >
+  <layout class="QGridLayout" name="gridLayout_6" >
    <item row="0" column="0" >
     <widget class="QTabWidget" name="tabWidget" >
      <property name="sizePolicy" >
@@ -34,16 +34,13 @@
       </sizepolicy>
      </property>
      <property name="currentIndex" >
-      <number>4</number>
+      <number>0</number>
      </property>
      <widget class="QWidget" name="tab0" >
       <attribute name="title" >
        <string>Compiler</string>
       </attribute>
       <layout class="QGridLayout" name="gridLayout_5" >
-       <property name="verticalSpacing" >
-        <number>-1</number>
-       </property>
        <item row="0" column="0" colspan="3" >
         <widget class="QLabel" name="compilerLabel" >
          <property name="text" >
@@ -57,7 +54,7 @@
          </property>
         </widget>
        </item>
-       <item row="0" column="4" colspan="2" >
+       <item row="0" column="3" colspan="2" >
         <widget class="QLineEdit" name="compiler" >
          <property name="maximumSize" >
           <size>
@@ -86,7 +83,7 @@
          </property>
         </widget>
        </item>
-       <item row="1" column="4" colspan="2" >
+       <item row="1" column="3" colspan="2" >
         <widget class="QLineEdit" name="compilerArgs" >
          <property name="maximumSize" >
           <size>
@@ -96,7 +93,7 @@
          </property>
         </widget>
        </item>
-       <item row="2" column="0" colspan="6" >
+       <item row="2" column="0" colspan="5" >
         <widget class="QLabel" name="textLabel1_5" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
@@ -115,7 +112,7 @@
          </property>
         </widget>
        </item>
-       <item row="3" column="4" colspan="2" >
+       <item row="3" column="3" colspan="2" >
         <widget class="QLineEdit" name="outputFileName" >
          <property name="maximumSize" >
           <size>
@@ -125,7 +122,7 @@
          </property>
         </widget>
        </item>
-       <item row="4" column="0" colspan="6" >
+       <item row="4" column="0" colspan="5" >
         <widget class="QLabel" name="label_4" >
          <property name="text" >
           <string>Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change.</string>
@@ -145,7 +142,7 @@
          </property>
         </widget>
        </item>
-       <item row="5" column="4" colspan="2" >
+       <item row="5" column="3" colspan="2" >
         <widget class="QLineEdit" name="fileNameOnFw" >
          <property name="maximumSize" >
           <size>
@@ -155,7 +152,7 @@
          </property>
         </widget>
        </item>
-       <item rowspan="2" row="6" column="0" colspan="6" >
+       <item row="6" column="0" colspan="5" >
         <widget class="Line" name="line4_2" >
          <property name="frameShape" >
           <enum>QFrame::HLine</enum>
@@ -168,7 +165,36 @@
          </property>
         </widget>
        </item>
-       <item rowspan="6" row="10" column="0" >
+       <item rowspan="2" row="7" column="0" >
+        <spacer name="verticalSpacer" >
+         <property name="orientation" >
+          <enum>Qt::Vertical</enum>
+         </property>
+         <property name="sizeType" >
+          <enum>QSizePolicy::Maximum</enum>
+         </property>
+         <property name="sizeHint" stdset="0" >
+          <size>
+           <width>0</width>
+           <height>0</height>
+          </size>
+         </property>
+        </spacer>
+       </item>
+       <item row="8" column="1" colspan="2" >
+        <widget class="QCheckBox" name="assumeFwIsPartOfAny" >
+         <property name="sizePolicy" >
+          <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
+           <horstretch>0</horstretch>
+           <verstretch>0</verstretch>
+          </sizepolicy>
+         </property>
+         <property name="text" >
+          <string>Assume firewall is part of 'any'</string>
+         </property>
+        </widget>
+       </item>
+       <item rowspan="6" row="9" column="0" >
         <spacer>
          <property name="orientation" >
           <enum>Qt::Horizontal</enum>
@@ -184,7 +210,7 @@
          </property>
         </spacer>
        </item>
-       <item row="10" column="1" colspan="5" >
+       <item row="9" column="1" colspan="4" >
         <widget class="QCheckBox" name="acceptSessions" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -197,7 +223,7 @@
          </property>
         </widget>
        </item>
-       <item row="11" column="1" colspan="5" >
+       <item row="10" column="1" colspan="4" >
         <widget class="QCheckBox" name="acceptESTBeforeFirst" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -210,7 +236,7 @@
          </property>
         </widget>
        </item>
-       <item row="12" column="1" colspan="2" >
+       <item row="11" column="1" colspan="2" >
         <widget class="QCheckBox" name="dropInvalid" >
          <property name="text" >
           <string>Drop packets that are associated with
@@ -218,14 +244,14 @@ no known connection</string>
          </property>
         </widget>
        </item>
-       <item row="12" column="3" colspan="2" >
+       <item row="11" column="3" >
         <widget class="QCheckBox" name="logInvalid" >
          <property name="text" >
           <string>and log them</string>
          </property>
         </widget>
        </item>
-       <item row="12" column="5" >
+       <item row="11" column="4" >
         <spacer>
          <property name="orientation" >
           <enum>Qt::Horizontal</enum>
@@ -241,7 +267,7 @@ no known connection</string>
          </property>
         </spacer>
        </item>
-       <item row="13" column="1" colspan="5" >
+       <item row="12" column="1" colspan="4" >
         <widget class="QCheckBox" name="bridge" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -254,7 +280,7 @@ no known connection</string>
          </property>
         </widget>
        </item>
-       <item row="14" column="1" colspan="5" >
+       <item row="13" column="1" colspan="4" >
         <widget class="QCheckBox" name="shadowing" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -267,7 +293,7 @@ no known connection</string>
          </property>
         </widget>
        </item>
-       <item row="15" column="1" colspan="5" >
+       <item row="14" column="1" colspan="4" >
         <widget class="QCheckBox" name="emptyGroups" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -280,7 +306,7 @@ no known connection</string>
          </property>
         </widget>
        </item>
-       <item row="16" column="1" colspan="5" >
+       <item row="15" column="1" colspan="4" >
         <widget class="QCheckBox" name="localNAT" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -293,7 +319,7 @@ no known connection</string>
          </property>
         </widget>
        </item>
-       <item row="17" column="1" colspan="5" >
+       <item row="16" column="1" colspan="4" >
         <widget class="QCheckBox" name="clampMSStoMTU" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
@@ -313,14 +339,14 @@ in host settings dialog.
          </property>
         </widget>
        </item>
-       <item row="18" column="1" colspan="5" >
+       <item row="17" column="1" colspan="4" >
         <widget class="QCheckBox" name="makeTagClassifyTerminating" >
          <property name="text" >
           <string>Make Tag and Classify actions terminating</string>
          </property>
         </widget>
        </item>
-       <item row="19" column="1" colspan="5" >
+       <item row="18" column="1" colspan="4" >
         <widget class="QCheckBox" name="ipv6NeighborDiscovery" >
          <property name="toolTip" >
           <string>Compiler will automatically generate rules to permit ICMP6 packets used in IPv6
@@ -332,7 +358,7 @@ the rule that drops packets in state INVALID.</string>
          </property>
         </widget>
        </item>
-       <item row="20" column="1" >
+       <item row="19" column="1" >
         <widget class="QLabel" name="textLabel9" >
          <property name="text" >
           <string>Default action on 'Reject':</string>
@@ -342,10 +368,10 @@ the rule that drops packets in state INVALID.</string>
          </property>
         </widget>
        </item>
-       <item row="20" column="2" colspan="3" >
+       <item row="19" column="2" colspan="2" >
         <widget class="QComboBox" name="actionOnReject" />
        </item>
-       <item row="20" column="5" >
+       <item row="19" column="4" >
         <spacer>
          <property name="orientation" >
           <enum>Qt::Horizontal</enum>
@@ -361,7 +387,7 @@ the rule that drops packets in state INVALID.</string>
          </property>
         </spacer>
        </item>
-       <item rowspan="2" row="21" column="0" colspan="6" >
+       <item row="20" column="0" colspan="5" >
         <widget class="Line" name="line4" >
          <property name="frameShape" >
           <enum>QFrame::HLine</enum>
@@ -374,7 +400,7 @@ the rule that drops packets in state INVALID.</string>
          </property>
         </widget>
        </item>
-       <item row="23" column="0" >
+       <item rowspan="2" row="21" column="0" >
         <spacer>
          <property name="orientation" >
           <enum>Qt::Horizontal</enum>
@@ -390,16 +416,14 @@ the rule that drops packets in state INVALID.</string>
          </property>
         </spacer>
        </item>
-       <item rowspan="2" row="22" column="1" colspan="2" >
+       <item row="21" column="1" colspan="4" >
         <widget class="QCheckBox" name="mgmt_ssh" >
          <property name="text" >
-          <string>Always permit ssh access from
-the management workstation
-with this address:</string>
+          <string>Always permit ssh access from the management workstation with this address:</string>
          </property>
         </widget>
        </item>
-       <item row="23" column="4" colspan="2" >
+       <item row="22" column="1" colspan="4" >
         <widget class="QLineEdit" name="mgmt_addr" >
          <property name="sizePolicy" >
           <sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
@@ -415,6 +439,14 @@ with this address:</string>
          </property>
         </widget>
        </item>
+       <item row="23" column="1" colspan="4" >
+        <widget class="QCheckBox" name="add_mgmt_ssh_rule_when_stoped" >
+         <property name="text" >
+          <string>Install the rule for ssh access from the management workstation when the firewall 
+is stopped</string>
+         </property>
+        </widget>
+       </item>
        <item row="24" column="1" >
         <spacer>
          <property name="orientation" >
@@ -431,35 +463,6 @@ with this address:</string>
          </property>
         </spacer>
        </item>
-       <item row="8" column="0" >
-        <spacer name="verticalSpacer" >
-         <property name="orientation" >
-          <enum>Qt::Vertical</enum>
-         </property>
-         <property name="sizeType" >
-          <enum>QSizePolicy::Maximum</enum>
-         </property>
-         <property name="sizeHint" stdset="0" >
-          <size>
-           <width>0</width>
-           <height>0</height>
-          </size>
-         </property>
-        </spacer>
-       </item>
-       <item row="9" column="1" >
-        <widget class="QCheckBox" name="assumeFwIsPartOfAny" >
-         <property name="sizePolicy" >
-          <sizepolicy vsizetype="Fixed" hsizetype="Minimum" >
-           <horstretch>0</horstretch>
-           <verstretch>0</verstretch>
-          </sizepolicy>
-         </property>
-         <property name="text" >
-          <string>Assume firewall is part of 'any'</string>
-         </property>
-        </widget>
-       </item>
       </layout>
      </widget>
      <widget class="QWidget" name="tab1" >
@@ -1609,7 +1612,6 @@ with this address:</string>
   <tabstop>ipv4before</tabstop>
   <tabstop>buttonHelp</tabstop>
  </tabstops>
- <includes/>
  <resources/>
  <connections>
   <connection>
diff --git a/src/iptlib/CompilerDriver_ipt_run.cpp b/src/iptlib/CompilerDriver_ipt_run.cpp
index dad15da6e..c289f276c 100644
--- a/src/iptlib/CompilerDriver_ipt_run.cpp
+++ b/src/iptlib/CompilerDriver_ipt_run.cpp
@@ -605,13 +605,16 @@ string CompilerDriver_ipt::run(const std::string &cluster_id,
         Configlet stop_action(fw, "linux24", "stop_action");
         stop_action.collapseEmptyStrings(true);
 
-        std::auto_ptr<PolicyCompiler_ipt> policy_compiler = createPolicyCompiler(
-            fw, false, NULL,  NULL);
-        PolicyCompiler_ipt::PrintRule* print_rule =
-            policy_compiler->createPrintRuleProcessor();
-
-        print_rule->setContext(policy_compiler.get());
-        print_rule->_printBackupSSHAccessRules(&stop_action);
+        if (fw->getOptionsObject()->getBool("add_mgmt_ssh_rule_when_stoped"))
+        {
+            std::auto_ptr<PolicyCompiler_ipt> policy_compiler = createPolicyCompiler(
+                fw, false, NULL,  NULL);
+            PolicyCompiler_ipt::PrintRule* print_rule =
+                policy_compiler->createPrintRuleProcessor();
+            print_rule->setContext(policy_compiler.get());
+            print_rule->_printBackupSSHAccessRules(&stop_action);
+        } else
+            stop_action->setVariable("mgmt_access", 0);
 
         script_skeleton.setVariable("stop_action", stop_action.expand());
 
diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb
index 52e22fa0f..0b7b5b8bd 100644
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@@ -2942,7 +2942,7 @@
       </ServiceGroup>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1257712157" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1261179871" lastInstalled="1142003872" lastModified="1261179770" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
         <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -4799,14 +4799,21 @@
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="action_on_reject">ICMP net unreachable</Option>
           <Option name="activationCmd"></Option>
+          <Option name="add_mgmt_ssh_rule_when_stoped">True</Option>
+          <Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
           <Option name="admUser"></Option>
           <Option name="altAddress"></Option>
           <Option name="bridging_fw">False</Option>
           <Option name="check_shading">False</Option>
           <Option name="clamp_mss_to_mtu">False</Option>
+          <Option name="classify_mark_terminating">False</Option>
+          <Option name="clear_unknown_interfaces">False</Option>
           <Option name="cmdline">-v</Option>
           <Option name="compiler"></Option>
+          <Option name="configure_bonding_interfaces">False</Option>
+          <Option name="configure_bridge_interfaces">False</Option>
           <Option name="configure_interfaces">True</Option>
+          <Option name="configure_vlan_interfaces">False</Option>
           <Option name="debug">False</Option>
           <Option name="drop_invalid">True</Option>
           <Option name="dyn_addr">False</Option>
@@ -4818,6 +4825,7 @@
           <Option name="inst_cmdline"></Option>
           <Option name="inst_script"></Option>
           <Option name="install_script"></Option>
+          <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">5</Option>
           <Option name="linux24_accept_redirects"></Option>
@@ -4863,7 +4871,9 @@
           <Option name="platform">iptables</Option>
           <Option name="prolog_place">top</Option>
           <Option name="prolog_script"></Option>
+          <Option name="scpArgs"></Option>
           <Option name="script_env_path"></Option>
+          <Option name="script_name_on_firewall"></Option>
           <Option name="snmp_contact"></Option>
           <Option name="snmp_description"></Option>
           <Option name="snmp_location"></Option>
@@ -45401,7 +45411,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
           <Option name="verify_interfaces">False</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id304832X79913" host_OS="linux24" inactive="False" lastCompiled="1260914872" lastInstalled="0" lastModified="1260914853" platform="iptables" version="1.4.0" name="firewall-ipv6-7" comment="one interface has dynamic address, testing functions that get the address at run time" ro="False">
+      <Firewall id="id304832X79913" host_OS="linux24" inactive="False" lastCompiled="1261179782" lastInstalled="0" lastModified="1260914853" platform="iptables" version="1.4.0" name="firewall-ipv6-7" comment="one interface has dynamic address, testing functions that get the address at run time" ro="False">
         <NAT id="id304996X79913" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>