
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):

fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. A configuration may end
up with this combination of options if the user set the prolog place to
"after reset" first and switched the activation method to
iptables-restore later.
Vadim Kurland 2009-07-13 23:14:55 +00:00
parent a08e47cc69
commit 8ae2ef2d9c
8 changed files with 56 additions and 45 deletions


@ -1 +1 @@
#define BUILD_NUM 1151
#define BUILD_NUM 1152


@ -1,5 +1,17 @@
2009-07-13 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
* ACL.cpp (ciscoACL::addRemark): fixed bug #1778536 "IOSACL -
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate


@ -160,11 +160,23 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption(m_dialog->prolog_script, fwoptions,
"prolog_script");
slm = getPrologPlaces( obj->getStr("platform").c_str());
QStringList prologPlaces_ipt;
prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
prologPlaces_ipt.push_back("top");
prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
prologPlaces_ipt.push_back("after_interfaces");
// bug #2820840: can't put prolog "after policy reset" if iptables-restore
if (!fwoptions->getBool("use_iptables_restore"))
{
prologPlaces_ipt.push_back(QObject::tr("after policy reset"));
prologPlaces_ipt.push_back("after_flush");
}
m_dialog->prologPlace->clear();
m_dialog->prologPlace->addItems(getScreenNames(slm));
m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_ipt));
data.registerOption(m_dialog-> prologPlace, fwoptions,
"prolog_place", slm);
"prolog_place", prologPlaces_ipt);
data.registerOption(m_dialog->epilog_script, fwoptions,
"epilog_script");
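Review bot: Dropping "after_flush" from prologPlaces_ipt when use_iptables_restore is set hides the item, but a .fwb file that already stores prolog_place == "after_flush" is not migrated here; what registerOption does with a stored value absent from the mapping list is not visible in this hunk, and if it leaves the value in fwoptions untouched the GUI will still produce exactly the configuration the compiler now aborts on. I would normalise the stored value before registering, e.g. `if (fwoptions->getBool("use_iptables_restore") && fwoptions->getStr("prolog_place") == "after_flush") fwoptions->setStr("prolog_place", "top");` (using whatever the options setter is on this FWObject), so the combo reflects what will actually be compiled. The list is also computed once at construction, so toggling the iptables-restore checkbox in the same dialog session will not refresh it; either wire that checkbox's toggled signal to rebuild the combo or add `// NOTE: computed once at construction; toggling use_iptables_restore in this dialog does not refresh the list` so the limitation is explicit. The constructor starts before this hunk.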


@ -190,10 +190,26 @@ pfAdvancedDialog::pfAdvancedDialog(QWidget *parent,FWObject *o)
/* page "Prolog/Epilog" */
slm = getPrologPlaces( obj->getStr("platform").c_str());
QStringList prologPlaces_pf;
prologPlaces_pf.push_back(QObject::tr("in the activation shell script"));
prologPlaces_pf.push_back("fw_file");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, at the very top"));
prologPlaces_pf.push_back("pf_file_top");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after set comamnds"));
prologPlaces_pf.push_back("pf_file_after_set");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after scrub comamnds"));
prologPlaces_pf.push_back("pf_file_after_scrub");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after table definitions"));
prologPlaces_pf.push_back("pf_file_after_tables");
m_dialog->prologPlace->clear();
m_dialog->prologPlace->addItems(getScreenNames(slm));
data.registerOption( m_dialog->prologPlace, fwopt, "prolog_place", slm);
m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_pf));
data.registerOption( m_dialog->prologPlace, fwopt, "prolog_place",
prologPlaces_pf);
data.registerOption( m_dialog->prolog_script, fwopt, "prolog_script");
data.registerOption( m_dialog->epilog_script, fwopt, "epilog_script");
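Review bot: The user-visible strings on the "after set" and "after scrub" entries carry the typo "comamnds" over from the deleted global (`QObject::tr("in the pf rule file, after set comamnds")` and the scrub counterpart); since this move already touches every line of the list, it is the right moment to spell them `"in the pf rule file, after set commands"` and `"in the pf rule file, after scrub commands"`. Note these are tr() msgids, so existing translations keyed on the misspelled text would need updating. The internal identifiers ("pf_file_after_set" etc.) are what is persisted and should stay as they are. The constructor starts before this hunk.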


@ -50,8 +50,6 @@ QStringList logFacilities;
QStringList actionsOnReject;
QStringList routeOptions_pf_ipf;
QStringList routeLoadOptions_pf;
QStringList prologPlaces_ipt;
QStringList prologPlaces_pf;
QStringList limitSuffixes;
void init_platforms()
@ -156,28 +154,6 @@ void init_platforms()
routeLoadOptions_pf.push_back(QObject::tr("Round Robin"));
routeLoadOptions_pf.push_back("round_robin");
prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
prologPlaces_ipt.push_back("top");
prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
prologPlaces_ipt.push_back("after_interfaces");
prologPlaces_ipt.push_back(QObject::tr("after policy reset"));
prologPlaces_ipt.push_back("after_flush");
prologPlaces_pf.push_back(QObject::tr("in the activation shell script"));
prologPlaces_pf.push_back("fw_file");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, at the very top"));
prologPlaces_pf.push_back("pf_file_top");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after set comamnds"));
prologPlaces_pf.push_back("pf_file_after_set");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after scrub comamnds"));
prologPlaces_pf.push_back("pf_file_after_scrub");
prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after table definitions"));
prologPlaces_pf.push_back("pf_file_after_tables");
limitSuffixes.push_back("");
limitSuffixes.push_back("");
limitSuffixes.push_back(QObject::tr("/day"));
@ -483,14 +459,6 @@ const QStringList& getRouteLoadOptions_pf(const QString&)
return routeLoadOptions_pf;
}
const QStringList& getPrologPlaces(const QString &platform)
{
if (platform=="pf")
return prologPlaces_pf;
else
return prologPlaces_ipt;
}
const QStringList& getLimitSuffixes(const QString&)
{
return limitSuffixes;


@ -86,11 +86,6 @@ const QStringList& getRouteOptions_pf_ipf(const QString &platform);
const QStringList& getRouteLoadOptions_pf(const QString &platform);
/**
* returns a list of Prolog places (mapping list)
*/
const QStringList& getPrologPlaces(const QString &platform);
/**
* returns a list of Limit Suffixes (mapping list)
*/


@ -773,6 +773,13 @@ int main(int argc, char **argv)
}
}
if (fw->getOptionsObject()->getStr("prolog_place") == "after_flush" &&
fw->getOptionsObject()->getBool("use_iptables_restore"))
{
throw FWException("Prolog place \"after policy reset\" can not be used"
" when policy is activated with iptables-restore");
}
string firewall_dir = options->getStr("firewall_dir");
if (firewall_dir=="") firewall_dir="/etc";
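Review bot: The new check throws FWException from inside main, and whether a try/catch encloses this point is outside the hunk (main starts before it), so confirm the exception is caught and printed rather than terminating the compiler via std::terminate with no message. The text should also tell the user how to resolve the conflict, e.g. `" when policy is activated with iptables-restore; choose \"on top of the script\" or \"after interface configuration\", or disable iptables-restore"`. This compiler-side check is the one that actually fails closed — the GUI change only hides the item and existing .fwb files may still carry the value — so a comment above it is worth adding: `// Older files may still store prolog_place=after_flush together with iptables-restore; abort rather than emit a script whose prolog appears to be silently bypassed by iptables-restore (bug #2820840).`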


@ -19599,7 +19599,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1247364062" lastInstalled="1142003872" lastModified="1215124221" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
<Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1247364062" lastInstalled="1142003872" lastModified="1247524742" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
<NAT id="id4392558E25682" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4392558F25682" disabled="False" position="0" comment="">
<OSrc neg="True">
@ -19968,6 +19968,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="proxy_arp">False</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>