diff --git a/build_num b/build_num index 9abd0a890..1387c1ff7 100644 --- a/build_num +++ b/build_num @@ -1 +1 @@ -#define BUILD_NUM 2884 +#define BUILD_NUM 2890 diff --git a/doc/ChangeLog b/doc/ChangeLog index 92ff90577..58821a356 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,18 @@ +2010-05-11 vadim + + * PolicyCompiler_procurve_acl_writers.cpp (PolicyCompiler_procurve_acl::printAccessGroupCmd): + ProCurve uses different syntax for vlan ACLs and ACLs bound to + switch ports. Enabled "advanced interface settings" dialog for + ProCurve interfaces. + + * InterfaceDialog.cpp (InterfaceDialog::loadFWObject): button + "Advanced interface settings" is controlled by element + in the host OS xml resource + file. Before, it was controlled by the element + . I need this button and associated dialog + for vlan interfaces on ProCurves, where vlan interfaces are not + subinterfaces. + 2010-05-10 vadim * CompilerDriver_procurve_acl_run.cpp (CompilerDriver_procurve_acl::run): diff --git a/src/cisco_lib/PolicyCompiler_iosacl.h b/src/cisco_lib/PolicyCompiler_iosacl.h index 40f4100af..fea18b0f5 100644 --- a/src/cisco_lib/PolicyCompiler_iosacl.h +++ b/src/cisco_lib/PolicyCompiler_iosacl.h @@ -281,7 +281,7 @@ namespace fwcompiler { protected: virtual std::string myPlatformName(); - std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); + virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); public: diff --git a/src/cisco_lib/PolicyCompiler_procurve_acl.h b/src/cisco_lib/PolicyCompiler_procurve_acl.h index b710cbe60..cb2aa00fc 100644 --- a/src/cisco_lib/PolicyCompiler_procurve_acl.h +++ b/src/cisco_lib/PolicyCompiler_procurve_acl.h @@ -47,8 +47,8 @@ namespace fwcompiler { protected: virtual std::string myPlatformName(); - virtual void _printClearCommands(); + virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false); public: 
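Review bot: `printAccessGroupCmd` becomes virtual in PolicyCompiler_iosacl.h while keeping the default `neg=false`, and the PolicyCompiler_procurve_acl.h hunk repeats that default on what looks like the override. Default arguments on a virtual function are taken from the static type at the call site, not from the override that actually runs, so the two declarations now silently depend on staying identical. I would add a comment to both declarations, e.g. `// default for neg must stay identical in every override: it is resolved from the static type`. Both class bodies continue outside the hunks.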
diff --git a/src/cisco_lib/PolicyCompiler_procurve_acl_writers.cpp b/src/cisco_lib/PolicyCompiler_procurve_acl_writers.cpp index 91b492204..df473dcea 100644 --- a/src/cisco_lib/PolicyCompiler_procurve_acl_writers.cpp +++ b/src/cisco_lib/PolicyCompiler_procurve_acl_writers.cpp @@ -27,11 +27,15 @@ #include "fwbuilder/Firewall.h" #include "fwbuilder/Resources.h" +#include "fwbuilder/RuleSet.h" #include #include +#include +#include + using namespace libfwbuilder; using namespace fwcompiler; 
@@ -71,4 +75,53 @@ void PolicyCompiler_procurve_acl::_printClearCommands() output << endl; } +string PolicyCompiler_procurve_acl::printAccessGroupCmd(ciscoACL *acl, bool neg) +{ + if (getSourceRuleSet()->isTop()) + { + QString dir; + if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in"; + if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out"; + + QString addr_family_prefix = "ip"; + if (ipv6) addr_family_prefix = "ipv6"; + + // ProCurve uses different syntax for vlan ACLs + Interface *intf = acl->getInterface(); + FWOptions *ifopt = intf->getOptionsObject(); + string itype = ifopt->getStr("type"); + + if (itype == "8021q") + { + int vlan_id = ifopt->getInt("vlan_id"); + QStringList outp; + if (neg) outp.push_back("no"); + outp.push_back("vlan"); + outp.push_back(QString("%1").arg(vlan_id)); + outp.push_back(addr_family_prefix); + outp.push_back(getAccessGroupCommandForAddressFamily(ipv6).c_str()); + outp.push_back(acl->workName().c_str()); + outp.push_back(dir); + return outp.join(" ").toStdString() + "\n"; + } else + { + QStringList outp; + QStringList outp_combined; + outp_combined.push_back( + QString("interface %1").arg(intf->getName().c_str())); + + if (neg) outp.push_back("no"); + outp.push_back(addr_family_prefix); + outp.push_back(getAccessGroupCommandForAddressFamily(ipv6).c_str()); + outp.push_back(acl->workName().c_str()); + outp.push_back(dir); + + outp_combined.push_back(" " + outp.join(" ")); + outp_combined.push_back("exit"); + return outp_combined.join("\n").toStdString(); + } + } + return ""; +} + diff --git a/src/gui/DialogFactory.cpp b/src/gui/DialogFactory.cpp index 96dcc23e7..a09b287be 100644 --- a/src/gui/DialogFactory.cpp +++ b/src/gui/DialogFactory.cpp 
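Review bot: In the new `printAccessGroupCmd`, `dir` stays empty when `acl->direction()` matches none of the four strings, and `vlan_id` is used as whatever `getInt("vlan_id")` returns, so both branches can emit an incomplete access-group line without any compiler error. For a generated switch configuration that most likely means the ACL is never bound while the compile appears to succeed. `acl->getInterface()` is also dereferenced without a null check. I would fail the compile on these cases instead; the fence uses `abort()` to stand for the compiler's usual error path. Separately, the vlan branch returns text ending in `"\n"` while the interface branch ends at `exit` with no newline, which is worth making consistent.

```cpp
        Interface *intf = acl->getInterface();
        if (intf == NULL || dir.isEmpty())
            abort("ACL " + acl->workName() +
                  ": no interface or unsupported direction");
        FWOptions *ifopt = intf->getOptionsObject();
        string itype = ifopt->getStr("type");

        if (itype == "8021q")
        {
            int vlan_id = ifopt->getInt("vlan_id");
            if (vlan_id <= 0)
                abort("Interface " + intf->getName() +
                      ": vlan_id is not set");
            // … unchanged: build and return the "vlan N ip access-group" line …
```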
@@ -295,7 +295,8 @@ QWidget *DialogFactory::createIfaceDialog(QWidget *parent,FWObject *o) QObject::tr("Support module for %1 is not available"). arg(host_OS.c_str()).toLocal8Bit().constData())); - string dlgname = os->Resources::getResourceStr("/FWBuilderResources/Target/interface_dialog"); + string dlgname = os->Resources::getResourceStr( + "/FWBuilderResources/Target/interface_dialog"); // add further dlgname support here ... diff --git a/src/gui/InterfaceDialog.cpp b/src/gui/InterfaceDialog.cpp index 72445f16b..b886ada5b 100644 --- a/src/gui/InterfaceDialog.cpp +++ b/src/gui/InterfaceDialog.cpp @@ -193,6 +193,8 @@ void InterfaceDialog::loadFWObject(FWObject *o) FWObject *f = s->getParentHost(); + m_dialog->advancedconfig->setEnabled(true); + /* if parent is a host, hide firewall related settings */ if (Host::isA(f)) { 
@@ -218,21 +220,32 @@ void InterfaceDialog::loadFWObject(FWObject *o) { // platform specific supports_security_levels = - Resources::getTargetCapabilityBool(f->getStr("platform"), "security_levels"); + Resources::getTargetCapabilityBool( + f->getStr("platform"), "security_levels"); supports_network_zones = - Resources::getTargetCapabilityBool(f->getStr("platform"), "network_zones"); + Resources::getTargetCapabilityBool( + f->getStr("platform"), "network_zones"); supports_unprotected = - Resources::getTargetCapabilityBool(f->getStr("platform"), "unprotected_interfaces"); + Resources::getTargetCapabilityBool( + f->getStr("platform"), "unprotected_interfaces"); // OS specific supports_advanced_ifaces = - Resources::getTargetCapabilityBool(f->getStr("host_OS"), - "supports_subinterfaces"); + Resources::getTargetCapabilityBool( + f->getStr("host_OS"), "supports_advanced_interface_options"); + // disable advanced options dialog if this is main interface of a cluster - if (Cluster::isA(s->getParent())) - supports_advanced_ifaces = false; + if (Cluster::isA(s->getParent())) supports_advanced_ifaces = false; + } catch (FWException &ex) { } + if (fwbdebug) + qDebug() << "parent=" << f->getName().c_str() + << "Firewall::isA(f)=" << Firewall::isA(f) + << "host_OS=" << f->getStr("host_OS").c_str() + << "supports_advanced_ifaces=" << supports_advanced_ifaces; + + /* if parent is a firewall or a fw cluster, it is more complex ... */ if (Firewall::isA(f) || Cluster::isA(f)) { @@ -270,8 +283,7 @@ void InterfaceDialog::loadFWObject(FWObject *o) // well. Current implementation can not generate configuration // code for interfaces and subinterfaces of member firewalls // from cluster interface or subinterface objects - m_dialog->interfaceOptionsGroup->setEnabled( - !Cluster::isA(s->getParentHost())); + m_dialog->interfaceOptionsGroup->setEnabled(!Cluster::isA(f)); if (supports_network_zones) { 
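Review bot: The key read into `supports_advanced_ifaces` changes to `supports_advanced_interface_options`, but the `catch (FWException &ex) { }` that closes this try block stays empty. If the lookup throws for a resource file that lacks the new element (the try block suggests it can), the flag keeps its earlier value with no trace, and any lookups placed after the failing one in the same try are skipped. I would log in the handler under the debug switch this hunk already uses, e.g. `if (fwbdebug) qDebug() << "capability lookup failed:" << ex.toString().c_str();`. `loadFWObject` starts and ends outside the hunk.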
diff --git a/src/res/os/dd-wrt-jffs.xml b/src/res/os/dd-wrt-jffs.xml index 16348c96d..89e9e0471 100644 --- a/src/res/os/dd-wrt-jffs.xml +++ b/src/res/os/dd-wrt-jffs.xml @@ -35,6 +35,7 @@ True True + True True diff --git a/src/res/os/dd-wrt-nvram.xml b/src/res/os/dd-wrt-nvram.xml index d150749aa..bca77b1b7 100644 --- a/src/res/os/dd-wrt-nvram.xml +++ b/src/res/os/dd-wrt-nvram.xml @@ -35,6 +35,7 @@ True True + True True diff --git a/src/res/os/endian.xml b/src/res/os/endian.xml index bb8bcddca..ef0bb48e3 100644 --- a/src/res/os/endian.xml +++ b/src/res/os/endian.xml @@ -34,6 +34,7 @@ True + False diff --git a/src/res/os/freebsd.xml b/src/res/os/freebsd.xml index ca7fe18e8..ef8ccd6b8 100644 --- a/src/res/os/freebsd.xml +++ b/src/res/os/freebsd.xml @@ -25,6 +25,7 @@ False True + True True diff --git a/src/res/os/fwsm_os.xml b/src/res/os/fwsm_os.xml index ccf646442..dfd4930e6 100644 --- a/src/res/os/fwsm_os.xml +++ b/src/res/os/fwsm_os.xml @@ -15,6 +15,7 @@ False + False diff --git a/src/res/os/ios.xml b/src/res/os/ios.xml index d5d1584d4..9729f3206 100644 --- a/src/res/os/ios.xml +++ b/src/res/os/ios.xml @@ -18,6 +18,10 @@ + + False + + diff --git a/src/res/os/ipcop.xml b/src/res/os/ipcop.xml index f17283ece..35e5c5e3f 100644 --- a/src/res/os/ipcop.xml +++ b/src/res/os/ipcop.xml @@ -34,6 +34,7 @@ True + False diff --git a/src/res/os/linux24.xml b/src/res/os/linux24.xml index 089c8c100..2db0c90aa 100644 --- a/src/res/os/linux24.xml +++ b/src/res/os/linux24.xml @@ -32,6 +32,7 @@ True True + True True diff --git a/src/res/os/macosx.xml b/src/res/os/macosx.xml index abc04a4ab..1694b705f 100644 --- a/src/res/os/macosx.xml +++ b/src/res/os/macosx.xml @@ -22,6 +22,7 @@ False + False diff --git a/src/res/os/oneshield.xml b/src/res/os/oneshield.xml index 2bca016d0..a788e04ee 100644 --- a/src/res/os/oneshield.xml +++ b/src/res/os/oneshield.xml @@ -34,6 +34,7 @@ True + False diff --git a/src/res/os/openbsd.xml b/src/res/os/openbsd.xml index ff3659d75..3fcccb223 100644 
--- a/src/res/os/openbsd.xml +++ b/src/res/os/openbsd.xml @@ -24,6 +24,7 @@ False True + True True diff --git a/src/res/os/openwrt.xml b/src/res/os/openwrt.xml index 49bcd5bf8..6af892497 100644 --- a/src/res/os/openwrt.xml +++ b/src/res/os/openwrt.xml @@ -35,6 +35,7 @@ True True + True True diff --git a/src/res/os/pix_os.xml b/src/res/os/pix_os.xml index 3897a711b..d2fd19e1a 100644 --- a/src/res/os/pix_os.xml +++ b/src/res/os/pix_os.xml @@ -24,6 +24,7 @@ False True + True True diff --git a/src/res/os/procurve.xml b/src/res/os/procurve.xml index 70ddcd989..08e1b6801 100644 --- a/src/res/os/procurve.xml +++ b/src/res/os/procurve.xml @@ -6,6 +6,7 @@ fwb_procurve procurve procurve + vlan_only false @@ -21,6 +22,7 @@ True False + True False @@ -29,14 +31,12 @@ ethernet,Ethernet + 8021q,VLAN + unknown,Unknown - - 8021q,VLAN - unknown,Unknown - diff --git a/src/res/os/secuwall.xml b/src/res/os/secuwall.xml index e1404b6fc..2d8317f4a 100644 --- a/src/res/os/secuwall.xml +++ b/src/res/os/secuwall.xml @@ -42,6 +42,7 @@ True True + True True diff --git a/src/res/os/solaris.xml b/src/res/os/solaris.xml index 3f9e65f7c..224cf0cac 100644 --- a/src/res/os/solaris.xml +++ b/src/res/os/solaris.xml @@ -22,6 +22,7 @@ False + False diff --git a/src/res/os/sveasoft.xml b/src/res/os/sveasoft.xml index 9a8d39750..acf5cc952 100644 --- a/src/res/os/sveasoft.xml +++ b/src/res/os/sveasoft.xml @@ -32,6 +32,7 @@ True + False diff --git a/src/res/os/unknown_os.xml b/src/res/os/unknown_os.xml index 805e98af7..2a8741331 100644 --- a/src/res/os/unknown_os.xml +++ b/src/res/os/unknown_os.xml @@ -20,6 +20,7 @@ False + False diff --git a/test/procurve_acl/objects-for-regression-tests.fwb b/test/procurve_acl/objects-for-regression-tests.fwb index 6ccd980f0..ff0eeda03 100644 --- a/test/procurve_acl/objects-for-regression-tests.fwb +++ b/test/procurve_acl/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -598,7 +598,7 @@ - + 
@@ -1044,7 +1044,48 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1102,6 +1143,26 @@ + + + + + + + + + + + + + + + + + + + +