mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 01:37:17 +01:00

see #1442 experimental support for HP ProCurve, using configlet to generate "safety net" config for IOS and ProCurve

Vadim Kurland 2010-05-11 02:59:53 +00:00
parent ed96af1ed8
commit b002797fce
53 changed files with 7548 additions and 125 deletions


@ -1 +1 @@
#define BUILD_NUM 2880
#define BUILD_NUM 2883


@ -1,3 +1,17 @@
2010-05-10 vadim <vadim@vk.crocodile.org>
* CompilerDriver_procurve_acl_run.cpp (CompilerDriver_procurve_acl::run):
See #1442 Support for HP ProCurve. Added experimental support for
HP ProCurve "intelligent" switches (L3). Code is based on the policy
compiler for Cisco IOS extended access lists. Differences include
';' character for comments, different naming convention for Vlan
interfaces ("VLAN 2", with a space), requirement to unbind an ACL
from interface before it can be cleared.
* CompilerDriver_iosacl.cpp (CompilerDriver_iosacl::safetyNetInstall):
using configlet "safety_net" to add temporary ACL for the "safety
net" install method.
2010-05-05 Vadim Kurland <vadim@vk.crocodile.org>
* ProjectPanel_events.cpp (ProjectPanel::event): fixed #1443
@ -16,7 +30,7 @@
2010-05-04 Vadim Kurland <vadim@vk.crocodile.org>
* v 4.0.0 released
2010-05-02 Vadim Kurland <vadim@vk.crocodile.org>
* Helper.cpp (Helper::findInterfaceByNetzone): fixed #1439 "ssh


@ -41,9 +41,11 @@
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "Configlet.h"
#include "CompilerDriver_iosacl.h"
#include "PolicyCompiler_iosacl.h"
#include <QString>
#include <QFileInfo>
#include <QDir>
@ -62,6 +64,8 @@ string fs_separator = "/";
CompilerDriver_iosacl::CompilerDriver_iosacl(FWObjectDatabase *db) :
CompilerDriver(db)
{
safety_net_install_option_name = "iosacl_acl_substitution";
safety_net_install_acl_addr_option_name = "iosacl_acl_temp_addr";
}
// create a copy of itself, including objdb
@ -87,25 +91,22 @@ void CompilerDriver_iosacl::printProlog(QTextStream &file, const string &prolog_
string CompilerDriver_iosacl::safetyNetInstall(Firewall *fw)
{
ostringstream output;
if ( fw->getOptionsObject()->getBool("iosacl_acl_substitution") )
if ( fw->getOptionsObject()->getBool(safety_net_install_option_name) )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string platform = fw->getStr("platform");
string version = fw->getStr("version");
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr(
"iosacl_acl_temp_addr");
safety_net_install_acl_addr_option_name);
if (temp_acl_addr.empty())
{
cerr << "Missing address for management host or subnet for temporary ACL.\nPlease enter it in the tab 'Script options' in 'Firewall Settings' dialog"
<< endl;
exit(-1);
QString err = QObject::tr("Missing address for management host or subnet "
"for the temporary ACL.\nPlease enter it in the "
"tab 'Script options' in 'Firewall Settings' dialog");
abort(fw, NULL, NULL, err.toStdString());
}
// if templ_acl_addr is ipv4 address, then we can not create this
@ -161,9 +162,9 @@ string CompilerDriver_iosacl::safetyNetInstall(Firewall *fw)
}
} catch(FWException &ex)
{
cerr << "Invalid netmask for management subnet: '"+netmask+"'"
<< endl;
exit(-1);
QString err = QObject::tr("Invalid netmask for management subnet: "
"'%1'").arg(netmask.c_str());
abort(fw, NULL, NULL, err.toStdString());
}
}
@ -173,92 +174,45 @@ string CompilerDriver_iosacl::safetyNetInstall(Firewall *fw)
a.isAny();
} catch(FWException &ex)
{
cerr << "Invalid address for management subnet: '"+addr+"'"
<< endl;
exit(-1);
QString err = QObject::tr("Invalid address for management subnet: "
"'%1'").arg(addr.c_str());
abort(fw, NULL, NULL, err.toStdString());
}
}
string xml_element = "clear_ip_acl";
if (tmp_acl_ipv6) xml_element = "clear_ipv6_acl";
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/iosacl_commands/" + xml_element);
output << endl;
string addr_family_prefix = "ip";
string access_group_cmd =
PolicyCompiler_iosacl::getAccessGroupCommandForAddressFamily(tmp_acl_v6);
output << "! temporary access list for \"safety net install\""
<< endl;
output << endl;
Configlet configlet(fw, "cisco", "safety_net_acl");
configlet.collapseEmptyStrings(true);
if (tmp_acl_v6)
{
addr_family_prefix = "ipv6";
output << clearACLcmd << " " << temp_acl << endl;
output << "ipv6 access-list " << temp_acl << endl;
if (slash_idx!=string::npos)
output << " permit ipv6 " << addr << " any " << endl;
else
output << " permit ipv6 host " << addr << " any " << endl;
output << " permit icmp any any " << endl;
output << " deny ipv6 any any " << endl;
output << "exit" << endl;
output << endl;
} else
configlet.setVariable("ipv4", false);
configlet.setVariable("ipv6", true);
configlet.setVariable("slash_notation", slash_idx!=string::npos);
configlet.setVariable("host_addr", slash_idx==string::npos);
configlet.setVariable("management_addr", addr.c_str());
configlet.setVariable("management_netm", "");
} else
{
// cisco uses "wildcards" instead of netmasks
//long nm = InetAddr(netmask).to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~(InetAddr(netmask)) );
addr_family_prefix = "ip";
output << clearACLcmd << " " << temp_acl << endl;
output << "ip access-list extended " << temp_acl << endl;
output << " permit ip "
<< addr << " " << nnm.toString() << " any " << endl;
output << " deny ip any any " << endl;
output << "exit" << endl;
output << endl;
configlet.setVariable("ipv4", true);
configlet.setVariable("ipv6", false);
configlet.setVariable("management_addr", addr.c_str());
configlet.setVariable("management_netm", nnm.toString().c_str());
}
// find management interface
int nmi = 0;
list<FWObject*> ll = fw->getByType(Interface::TYPENAME);
for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
{
Interface *intf = Interface::cast( *i );
if (intf->isManagement())
{
nmi++;
output << "interface " << intf->getName() << endl;
output << " no " << addr_family_prefix << " ";
output << access_group_cmd;
output << " in" << endl;
output << " no " << addr_family_prefix << " ";
output << access_group_cmd;
output << " out" << endl;
output << " " << addr_family_prefix << " ";
output << access_group_cmd;
output << " " << temp_acl << " in" << endl;
output << "exit" << endl;
configlet.setVariable("management_interface",
intf->getName().c_str());
break;
}
}
if (nmi==0)
{
cerr << "One of the interfaces of the firewall must be marked as management interface."
<< endl;
exit(-1);
}
output << configlet.expand().toStdString();
output << endl;
}
}
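Review bot: The rewritten management-interface loop in `safetyNetInstall` appears to drop the failure path for a firewall that has no interface marked as management: the `nmi` counter and the `One of the interfaces of the firewall must be marked as management interface.` error read as removed lines, and nothing replaces them before `configlet.expand()`. If so, the configlet is expanded without `management_interface`, the temporary ACL is never bound to an interface, and the install goes ahead without the protection the "safety net" method depends on. Keeping the check in the new style would be `if (!found) abort(fw, NULL, NULL, err.toStdString());` after the loop, with `found` set where `management_interface` is assigned. The page has lost its +/- markers, so confirm this against the real new side; the function also continues past the last hunk.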


@ -53,6 +53,8 @@ protected:
std::string nat_script;
std::string policy_script;
std::string routing_script;
std::string safety_net_install_option_name;
std::string safety_net_install_acl_addr_option_name;
std::string safetyNetInstall(libfwbuilder::Firewall *fw);
void printProlog(QTextStream &file, const std::string &prolog_code);


@ -0,0 +1,67 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <assert.h>
#include <string>
#include "CompilerDriver_procurve_acl.h"
#include "PolicyCompiler_procurve_acl.h"
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
CompilerDriver_procurve_acl::CompilerDriver_procurve_acl(FWObjectDatabase *db) :
CompilerDriver_iosacl(db)
{
safety_net_install_option_name = "procurve_acl_acl_substitution";
safety_net_install_acl_addr_option_name = "procurve_acl_acl_temp_addr";
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_procurve_acl::clone()
{
CompilerDriver_procurve_acl* new_cd = new CompilerDriver_procurve_acl(objdb);
if (inEmbeddedMode()) new_cd->setEmbeddedMode();
return new_cd;
}
void CompilerDriver_procurve_acl::printProlog(QTextStream &file,
const string &prolog_code)
{
file << endl;
file << ";" << endl;
file << "; Prolog script" << endl;
file << ";" << endl;
file << prolog_code << endl;
file << ";" << endl;
file << "; End of prolog script" << endl;
file << ";" << endl;
}


@ -0,0 +1,75 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __COMPILER_DRIVER_PROCURVE_ACL_HH__
#define __COMPILER_DRIVER_PROCURVE_ACL_HH__
#include "CompilerDriver_iosacl.h"
#include <string>
#include <sstream>
#include <QTextStream>
namespace libfwbuilder {
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
};
namespace fwcompiler {
class CompilerDriver_procurve_acl : public CompilerDriver_iosacl {
protected:
void printProlog(QTextStream &file, const std::string &prolog_code);
virtual QString assembleManifest(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall* fw,
bool cluster_member);
virtual QString assembleFwScript(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall* fw,
bool cluster_member,
OSConfigurator *ocsnf);
public:
CompilerDriver_procurve_acl(libfwbuilder::FWObjectDatabase *db);
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
virtual QString run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id);
};
};
#endif


@ -0,0 +1,353 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <memory>
#include <assert.h>
#include <cstring>
#include <iomanip>
#include "CompilerDriver_procurve_acl.h"
#include "PolicyCompiler_procurve_acl.h"
#include "RoutingCompiler_procurve_acl.h"
#include "OSConfigurator_procurve.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_procurve_acl::assembleManifest(Cluster *cluster, Firewall* fw, bool cluster_member)
{
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
QString ofname = determineOutputFileName(cluster, fw, cluster_member, ".fw");
script << ";" << MANIFEST_MARKER << "* " << ofname << endl;
return script_buffer;
}
QString CompilerDriver_procurve_acl::assembleFwScript(Cluster *cluster,
Firewall *fw,
bool cluster_member,
OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "procurve", "script_skeleton");
Configlet top_comment(fw, "procurve", "top_comment");
script_skeleton.setVariable("system_configuration_script",
QString::fromUtf8(system_configuration_script.c_str()));
script_skeleton.setVariable("policy_script",
QString::fromUtf8(policy_script.c_str()));
script_skeleton.setVariable("nat_script",
QString::fromUtf8(nat_script.c_str()));
script_skeleton.setVariable("routing_script",
QString::fromUtf8(routing_script.c_str()));
FWOptions* options = fw->getOptionsObject();
options->setStr("prolog_script", options->getStr("procurve_acl_prolog_script"));
options->setStr("epilog_script", options->getStr("procurve_acl_epilog_script"));
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, ";");
return script_skeleton.expand();
}
QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
try
{
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
QString ofname = determineOutputFileName(cluster, fw, !cluster_id.empty(), ".fw");
FWOptions* options = fw->getOptionsObject();
string fwvers = fw->getStr("version");
if (fwvers == "") fw->setStr("version", "K.13");
string platform = fw->getStr("platform");
bool procurve_acl_acl_basic = options->getBool("procurve_acl_acl_basic");
bool procurve_acl_acl_no_clear = options->getBool("procurve_acl_acl_no_clear");
bool procurve_acl_acl_substitution = options->getBool("procurve_acl_acl_substitution");
bool procurve_acl_add_clear_statements = options->getBool("procurve_acl_add_clear_statements");
if ( !procurve_acl_acl_basic &&
!procurve_acl_acl_no_clear &&
!procurve_acl_acl_substitution )
{
if ( procurve_acl_add_clear_statements )
options->setBool("procurve_acl_acl_basic",true);
else
options->setBool("procurve_acl_acl_no_clear",true);
}
std::auto_ptr<OSConfigurator_procurve> oscnf(new OSConfigurator_procurve(objdb, fw, false));
oscnf->prolog();
oscnf->processFirewallOptions();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
vector<int> ipv4_6_runs;
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
// If neither is used, both parts will be done.
if (options->getStr("ipv4_6_order").empty() ||
options->getStr("ipv4_6_order") == "ipv4_first")
{
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
}
if (options->getStr("ipv4_6_order") == "ipv6_first")
{
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
int policy_af = *i;
bool ipv6_policy = (policy_af == AF_INET6);
// Count rules for each address family
int policy_count = 0;
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p)
{
Policy *policy = Policy::cast(*p);
if (policy->matchingAddressFamily(policy_af)) policy_count++;
}
if (policy_count)
{
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
}
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p )
{
Policy *policy = Policy::cast(*p);
if (!policy->matchingAddressFamily(policy_af)) continue;
PolicyCompiler_procurve_acl c(objdb, fw, ipv6_policy, oscnf.get());
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
if ( c.prolog() > 0 )
{
c.compile();
c.epilog();
if (!single_rule_compile_on)
{
if (ipv6_policy)
{
policy_script += "\n\n";
policy_script += "; ================ IPv6\n";
policy_script += "\n\n";
} else
{
policy_script += "\n\n";
policy_script += "; ================ IPv4\n";
policy_script += "\n\n";
}
}
if (c.haveErrorsAndWarnings())
{
all_errors.push_back(c.getErrors("").c_str());
}
policy_script += c.getCompiledScript();
} else
info(" Nothing to compile in Policy");
}
if (!ipv6_policy)
{
list<FWObject*> all_routing = fw->getByType(Routing::TYPENAME);
RuleSet *routing = RuleSet::cast(all_routing.front());
// currently routing is supported only for ipv4
RoutingCompiler_procurve_acl r(objdb, fw, false, oscnf.get());
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());
r.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) r.setTestMode();
if (inEmbeddedMode()) r.setEmbeddedMode();
r.setDebugLevel( dl );
if (rule_debug_on) r.setDebugRule( drp );
r.setVerbose( verbose );
if ( r.prolog() > 0 )
{
r.compile();
r.epilog();
if (r.haveErrorsAndWarnings())
{
all_errors.push_back(r.getErrors("").c_str());
}
routing_script += r.getCompiledScript();
} else
info(" Nothing to compile in Routing");
}
}
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8((policy_script + routing_script).c_str()));
}
QString script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
QFileInfo finfo(ofname);
if (finfo.isRelative())
{
// if fw_file_name is relative, it is relative to the
// directory the program started in, which can be
// different from wdir and different from the current dir
// at this point because we do chdir to the directory
// defined by the -d command line option
QFileInfo new_finfo(start_current_dir, ofname);
ofname = new_finfo.absoluteFilePath();
}
info("Output file name: " + ofname.toStdString());
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else
{
QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
abort(err.arg(fw_file.fileName()).arg(fw_file.error()).arg(QDir::current().path()).toStdString());
}
}
catch (FatalErrorInSingleRuleCompileMode &ex)
{
return QString::fromUtf8(getErrors("").c_str());
}
return "";
}
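Review bot: The `setPermissions` call at the end of `run()` leaves the generated ProCurve configuration readable by every local user and executable for owner, group and other. The file carries the compiled ACL policy and the management address used by the safety-net ACL, and it is configuration text rather than a script, so `QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup` looks sufficient unless the installer is known to depend on the exec bits. The return value of `setPermissions` is also ignored, so a failure to set the mode goes unnoticed; it should be reported the way the failed `open` is.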


@ -46,8 +46,7 @@ namespace fwcompiler {
virtual ~OSConfigurator_ios() {};
OSConfigurator_ios(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fw, ipv6_policy) {}
bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();


@ -0,0 +1,68 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "OSConfigurator_procurve.h"
#include "Helper.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <list>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <iostream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string OSConfigurator_procurve::myPlatformName() { return "procurve"; }
int OSConfigurator_procurve::prolog()
{
string host_os = fw->getStr("host_OS");
if (host_os!="procurve")
abort("Unsupported OS " + host_os );
return Compiler::prolog();
}
void OSConfigurator_procurve::processFirewallOptions()
{
if ( fw->getOptionsObject()->getBool("procurve_set_host_name") )
{
output << "hostname " << fw->getName() << endl;
output << endl;
}
}
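Review bot: `processFirewallOptions()` writes `fw->getName()` straight into the `hostname` command without validating it. The object name is presumably free-form text from the data file, so a name containing whitespace or a line break would yield a malformed command or extra lines in the generated configuration. Check the name against the characters the platform accepts for a hostname and call `abort(...)` with a clear message otherwise, before the `output << "hostname "` line.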


@ -0,0 +1,55 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _OSNETWORKCONFIGURATOR_PROCURVE_HH
#define _OSNETWORKCONFIGURATOR_PROCURVE_HH
#include "config.h"
#include "OSConfigurator_ios.h"
#include <map>
namespace fwcompiler {
class OSConfigurator_procurve : public OSConfigurator_ios {
public:
virtual ~OSConfigurator_procurve() {};
OSConfigurator_procurve(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator_ios(_db, fw, ipv6_policy) {}
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
};
};
#endif


@ -261,6 +261,15 @@ bool PolicyCompiler_cisco::pickACL::processNext()
* and can be used for both.
*/
/*
* TODO: Here we hardcode this option to True for IOS. Instead of
* doing it here, just set option "generate_out_acl" to true in
* PolicyCompiler_iosacl::prolog(). It is done that way in
* PolicyCompiler_procurveacl already. This way, base class
* PolicyCompiler_cisco does not need to be aware of the actual
* platform.
*/
bool generate_out_acl = false;
if (compiler->myPlatformName()=="pix")
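Review bot: The new TODO refers to `PolicyCompiler_procurveacl`, but the class this commit adds is `PolicyCompiler_procurve_acl`, so a search for the name in the comment finds nothing. Spell it `PolicyCompiler_procurve_acl::prolog()` so the cross-reference can be followed. The surrounding `processNext()` body lies outside the hunk.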

View File

@ -67,8 +67,9 @@ PolicyCompiler_iosacl::PolicyCompiler_iosacl(FWObjectDatabase *_db,
OSConfigurator *_oscnf) :
PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
resetinbound=false;
fragguard=false;
resetinbound = false;
fragguard = false;
comment_symbol = "!";
}
int PolicyCompiler_iosacl::prolog()
@ -83,8 +84,6 @@ int PolicyCompiler_iosacl::prolog()
object_groups = new Group();
dbcopy->add( object_groups );
// output << "!################" << endl;
return PolicyCompiler::prolog();
}
@ -483,7 +482,7 @@ void PolicyCompiler_iosacl::compile()
}
}
string PolicyCompiler_iosacl::printAccessGroupCmd(ciscoACL *acl)
string PolicyCompiler_iosacl::printAccessGroupCmd(ciscoACL *acl, bool neg)
{
ostringstream str;
@ -497,6 +496,7 @@ string PolicyCompiler_iosacl::printAccessGroupCmd(ciscoACL *acl)
if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out";
str << "interface " << acl->getInterface()->getName() << endl;
if (neg) str << " no";
str << " " << addr_family_prefix << " ";
str << getAccessGroupCommandForAddressFamily(ipv6);
str << " " << acl->workName() << " " << dir << endl;
@ -512,7 +512,7 @@ void PolicyCompiler_iosacl::epilog()
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
if (acl->size()!=0) output << printAccessGroupCmd(acl);
if (acl->size()!=0) output << printAccessGroupCmd(acl, false);
}
output << endl;


@ -55,8 +55,12 @@ namespace fwcompiler {
protected:
std::string comment_symbol;
virtual void addDefaultPolicyRule();
virtual void _printClearCommands();
/**
* dynamic interfaces can not be used in policy rules in IOS ACLs
*/
@ -277,7 +281,7 @@ namespace fwcompiler {
protected:
virtual std::string myPlatformName();
std::string printAccessGroupCmd(ciscoACL *acl);
std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false);
public:
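Review bot: The three additions to this header (`comment_symbol`, the virtual `_printClearCommands()` and the `neg` parameter of `printAccessGroupCmd`) are extension points for derived compilers but carry no comment. Suggested: `// character that starts a comment line in the generated config` on `comment_symbol`, `// prints commands that clear existing ACLs; platform compilers override this` on `_printClearCommands()`, and `// neg=true prefixes the command with "no" to unbind the ACL` on `printAccessGroupCmd`. Both class bodies continue outside the hunks.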


@ -115,11 +115,21 @@ bool PolicyCompiler_iosacl::printClearCommands::processNext()
{
PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
slurp();
if (tmp_queue.size()==0) return false;
iosacl_comp->_printClearCommands();
return true;
}
void PolicyCompiler_iosacl::_printClearCommands()
{
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (iosacl_comp->ipv6) xml_element = "clear_ipv6_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
@ -127,37 +137,30 @@ bool PolicyCompiler_iosacl::printClearCommands::processNext()
assert( !clearACLCmd.empty());
slurp();
if (tmp_queue.size()==0) return false;
if (!compiler->inSingleRuleCompileMode())
if (!inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=iosacl_comp->acls.begin();
i!=iosacl_comp->acls.end(); ++i)
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLCmd << " " << acl->workName() << endl;
ciscoACL *acl = (*i).second;
output << clearACLCmd << " " << acl->workName() << endl;
}
compiler->output << endl;
output << endl;
for (FWObject::iterator i=iosacl_comp->object_groups->begin();
i!=iosacl_comp->object_groups->end(); ++i)
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
compiler->output << "no " << og->getObjectGroupHeader();
output << "no " << og->getObjectGroupHeader();
}
}
}
compiler->output << endl;
return true;
output << endl;
}
void PolicyCompiler_iosacl::PrintCompleteACLs::printRulesForACL::operator()(
Rule* rule)
@ -218,7 +221,8 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
ostringstream ruleout;
ostringstream aclstr;
compiler->output << compiler->printComment(rule, current_rule_label1, "!");
compiler->output << compiler->printComment(
rule, current_rule_label1, iosacl_comp->comment_symbol);
// string err = rule->getStr(".error_msg");
// if (!err.empty()) ruleout << "! " << err << endl;
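Review bot: In `printClearCommands::processNext()` the result of `dynamic_cast<PolicyCompiler_iosacl*>(compiler)` is dereferenced by the new `iosacl_comp->_printClearCommands();` call with no null check. The same file guards its other downcast with `assert(og!=NULL);`, so add `assert(iosacl_comp!=NULL);` right after the cast for consistency. Separately, `_printClearCommands()` still hard-codes `"iosacl_acl_basic"` and `"iosacl_acl_substitution"`, which is why the ProCurve compiler has to copy the whole function; taking the option names from members, as the driver now does with `safety_net_install_option_name`, would avoid the duplicate.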


@ -0,0 +1,75 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "PolicyCompiler_procurve_acl.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/RuleSet.h"
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string PolicyCompiler_procurve_acl::myPlatformName() { return "procurve_acl"; }
PolicyCompiler_procurve_acl::PolicyCompiler_procurve_acl(FWObjectDatabase *_db,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
PolicyCompiler_iosacl(_db, fw, ipv6_policy, _oscnf)
{
comment_symbol = ";";
}
int PolicyCompiler_procurve_acl::prolog()
{
string platform = fw->getStr("platform");
if (platform!="procurve_acl")
abort("Unsupported platform " + platform );
/* This is optional for PIX (controller by a checkbox in
* "asvanced" settings dialog) and is hardcoded as "true" for
* iosacl in PolicyCompiler_cisco::pickACL::processNext(). I do
* not want a function in the base class PolicyCompiler_cisco be
* aware of yet another platform, especially one that is not
* strictly speaking Cisco. Just set this option here which is
* equivalent to hardcoding it to true.
*
* TODO: use the same method in PolicyCompiler_iosacl
*/
fw->getOptionsObject()->setBool("generate_out_acl", true);
return PolicyCompiler::prolog();
}
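Review bot: `PolicyCompiler_procurve_acl::prolog()` returns `PolicyCompiler::prolog()` directly and so skips `PolicyCompiler_iosacl::prolog()`, which this same commit shows creating `object_groups = new Group();` and adding it to `dbcopy`. Unless the constructor initialises that member (not visible here), inherited IOS code that walks `object_groups` would work on an unset pointer for ProCurve firewalls. Either repeat `object_groups = new Group(); dbcopy->add( object_groups );` before the return, or move that setup into a helper that both prologs call. The comment above `setBool` also has two typos (`controller by`, `asvanced`).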


@ -0,0 +1,66 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __POLICYCOMPILER_PROCURVE_ACL_HH
#define __POLICYCOMPILER_PROCURVE_ACL_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "PolicyCompiler_iosacl.h"
namespace libfwbuilder {
class FWObjectDatabase;
class Firewall;
};
namespace fwcompiler {
class OSConfigurator;
};
namespace fwcompiler {
class PolicyCompiler_procurve_acl : public PolicyCompiler_iosacl {
protected:
virtual std::string myPlatformName();
virtual void _printClearCommands();
public:
PolicyCompiler_procurve_acl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_procurve_acl() {}
virtual int prolog();
};
}
#endif


@ -0,0 +1,74 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "PolicyCompiler_procurve_acl.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Resources.h"
#include <iostream>
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
void PolicyCompiler_procurve_acl::_printClearCommands()
{
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/procurve_acl_commands/" + xml_element);
assert( !clearACLCmd.empty());
if (!inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("procurve_acl_acl_basic") ||
fw->getOptionsObject()->getBool("procurve_acl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << printAccessGroupCmd(acl, true);
output << clearACLCmd << " " << acl->workName() << endl;
output << endl;
}
output << endl;
}
}
output << endl;
}
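Review bot: In `_printClearCommands()` the only guard on the clear command read from the platform resources is `assert( !clearACLCmd.empty());`, which is compiled out when NDEBUG is defined. A missing or misspelled `clear_ip_acl` / `clear_ipv6_acl` resource entry would then make the loop emit a line holding only the ACL name, right after the ACL has been unbound from its interface. I would fail the compile explicitly, in the style `prolog()` uses for the platform check: `if (clearACLCmd.empty()) abort("Clear ACL command is not defined for version " + vers);`. The lookup `Resources::platform_res[platform]` is also dereferenced unchecked; if that container is a std::map (not visible here), an unknown platform string yields a null pointer. A comment above the loop such as `// unbind first: ProCurve refuses to clear an ACL that is still applied; the interface is unfiltered until the new ACL is bound` would document the ordering and the exposure window.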


@ -76,8 +76,7 @@ namespace fwcompiler
RoutingCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
virtual int prolog();
virtual void compile();


@ -0,0 +1,50 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: RoutingCompiler_procurve.cpp -1 $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "RoutingCompiler_procurve_acl.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
string RoutingCompiler_procurve_acl::myPlatformName() { return "procurve_acl"; }
int RoutingCompiler_procurve_acl::prolog()
{
int n = RoutingCompiler_cisco::prolog();
if (fw->getStr("platform")!="procurve_acl")
abort("Unsupported platform " + fw->getStr("platform") );
return n;
}
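Review bot: `RoutingCompiler_procurve_acl::prolog()` checks the platform only after `RoutingCompiler_cisco::prolog()` has already run, so a firewall object of the wrong platform goes through the base prolog before it is rejected. The policy compiler's prolog in this commit tests the platform first, and I would do the same here by moving the `if (fw->getStr("platform")!="procurve_acl") abort(...)` lines above the base call. The class derives from `RoutingCompiler_iosacl` yet calls the grandparent's prolog; if that bypass is deliberate, a one-line comment saying why `RoutingCompiler_iosacl::prolog()` is skipped would keep a later maintainer from "fixing" it. `string` is used unqualified on the `myPlatformName()` line although this file has no `using namespace std;`, so it compiles only if a header supplies one.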


@ -0,0 +1,64 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: RoutingCompiler_procurve.h -1 $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __ROUTINGCOMPILER_PROCURVE_ACL_HH__
#define __ROUTINGCOMPILER_PROCURVE_ACL_HH__
#include <fwbuilder/libfwbuilder-config.h>
#include "config.h"
#include "RoutingCompiler_iosacl.h"
namespace libfwbuilder {
class RuleElementRDst;
class RuleElementRItf;
class RuleElementRGtw;
};
namespace fwcompiler
{
class RoutingCompiler_procurve_acl : public RoutingCompiler_iosacl
{
protected:
virtual std::string myPlatformName();
public:
RoutingCompiler_procurve_acl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler_iosacl(_db, fw, ipv6_policy, _oscnf) {}
virtual int prolog();
};
}
#endif


@ -24,6 +24,12 @@ SOURCES = PolicyCompiler_cisco.cpp \
NATCompiler_pix_writers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
CompilerDriver_procurve_acl.cpp \
CompilerDriver_procurve_acl_run.cpp \
OSConfigurator_procurve.cpp \
PolicyCompiler_procurve_acl.cpp \
PolicyCompiler_procurve_acl_writers.cpp \
RoutingCompiler_procurve_acl.cpp \
BaseObjectGroup.cpp \
PIXObjectGroup.cpp \
IOSObjectGroup.cpp \
@ -45,6 +51,10 @@ HEADERS = ../../config.h \
CompilerDriver_pix.h \
NATCompiler_pix.h \
OSConfigurator_pix_os.h \
CompilerDriver_procurve_acl.h \
OSConfigurator_procurve.h \
PolicyCompiler_procurve_acl.h \
RoutingCompiler_procurve_acl.h \
BaseObjectGroup.h \
PIXObjectGroup.h \
IOSObjectGroup.h \


@ -15,6 +15,7 @@ SOURCES = CompilerDriver.cpp \
linux24Interfaces.cpp \
bsdInterfaces.cpp \
iosInterfaces.cpp \
procurveInterfaces.cpp \
pixInterfaces.cpp \
interfacePropertiesObjectFactory.cpp
@ -25,6 +26,7 @@ HEADERS = ../../config.h \
linux24Interfaces.h \
bsdInterfaces.h \
iosInterfaces.h \
procurveInterfaces.h \
pixInterfaces.h \
interfacePropertiesObjectFactory.h


@ -63,6 +63,20 @@ bool interfaceProperties::looksLikeVlanInterface(const QString &int_name)
return parseVlan(int_name, NULL, NULL);
}
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
bool interfaceProperties::basicValidateInterfaceName(const QString &obj_name,
QString &err)
{
if (obj_name.indexOf(' ') != -1 || obj_name.indexOf('-') != -1)
{
err = QObject::tr("Interface name can not contain white space and \"-\"");
return false;
}
return true;
}
/*
* While looksLikeVlanInterface only checks interface name format,
* this method does more detailed check to determine if the interface
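Review bot: `basicValidateInterfaceName()` tells the user the name "can not contain white space" but tests only for the space character, `obj_name.indexOf(' ')`, so a tab or a line break inside the name passes the check. Interface names presumably end up in the generated device commands (not visible in this hunk), so I would reject any whitespace: `if (obj_name.contains(QRegExp("\\s")) || obj_name.contains('-'))`. The comment above the function could also say that this is the default rule and that platform subclasses override it to relax it.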


@ -55,6 +55,10 @@ public:
interfaceProperties() {}
virtual ~interfaceProperties() {}
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
virtual bool basicValidateInterfaceName(const QString &name, QString &err);
virtual void rearrangeInterfaces(
std::map<int,libfwbuilder::InterfaceData> &interfaces,
std::list<libfwbuilder::InterfaceData*> &interface_tree)


@ -29,6 +29,7 @@
#include "iosInterfaces.h"
#include "bsdInterfaces.h"
#include "pixInterfaces.h"
#include "procurveInterfaces.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/Resources.h"
@ -62,6 +63,8 @@ interfaceProperties* interfacePropertiesObjectFactory::getInterfacePropertiesObj
if (os_family == "openbsd" || os_family == "freebsd") return new bsdInterfaces();
if (os_family == "procurve") return new procurveInterfaces();
// by default return object of the base class. It performs some
// reasonable default actions.
return new interfaceProperties();


@ -0,0 +1,116 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "procurveInterfaces.h"
#include "fwbuilder/Interface.h"
#include <QRegExp>
#include <QObject>
using namespace std;
using namespace libfwbuilder;
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
bool procurveInterfaces::basicValidateInterfaceName(const QString &name, QString &err)
{
err = "";
return true;
}
/*
* The difference is that in ProCurve, vlan interfaces have names like
* "VLAN 2". We should permit white space between "vlan" and the
* number. It is unclear whether "vlan" and "Vlan" are allowed besides
* "VLAN".
*/
bool procurveInterfaces::parseVlan(
const QString &name, QString *base_name, int *vlan_id)
{
QRegExp vlan_name_pattern("(vlan|Vlan|VLAN) (\\d{1,})");
if (vlan_name_pattern.indexIn(name) != -1)
{
if (base_name!=NULL) *base_name = vlan_name_pattern.cap(1);
if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(2).toInt();
return true;
}
return false;
}
/*
* In ProCurve, parent interface and vlan interface names have nothing
* in common and can not be verified.
*/
bool procurveInterfaces::isValidVlanInterfaceName(const QString &subint_name,
const QString &parent_name,
QString &err)
{
if (!looksLikeVlanInterface(subint_name))
{
err = QObject::tr("'%1' is not a valid vlan interface name").arg(subint_name);
return false;
}
QString parent_name_from_regex;
int vlan_id;
if (parseVlan(subint_name, &parent_name_from_regex, &vlan_id))
{
if (vlan_id > 4095)
{
err = QObject::tr("'%1' looks like a name of a vlan interface "
"but vlan ID it defines is outside of the valid range."
"").arg(subint_name);
return false;
}
}
return true;
}
/*
* many switch ports can be part of the same vlan. It would be ideal
* if I could make interface objects that represent siwtch ports a
* subinterfaces of a vlan interface. Unfortunately this is reverse of
* our normal model, where vlans are subinterfaces of ethernet
* interface objects. Until I figure this out, there will be no
* restrictions on ProCurve interface objects.
*/
bool procurveInterfaces::validateInterface(FWObject *target,
FWObject *intf,
bool check_types,
QString &err)
{
return true;
}
bool procurveInterfaces::validateInterface(FWObject *target,
const QString &interface_name,
QString &err)
{
return true;
}
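Review bot: `parseVlan()` matches with an unanchored pattern through `indexIn()`, so any name that merely contains "vlan <digits>" is accepted as a vlan interface, with arbitrary text before and after the match. `\\d{1,}` also admits a digit run too long for `toInt()`, which then returns 0, so the `vlan_id > 4095` test in `isValidVlanInterfaceName()` does not fire. Anchoring and bounding the pattern closes both gaps: `QRegExp vlan_name_pattern("^(vlan|Vlan|VLAN) (\\d{1,4})$");`. In the same file `basicValidateInterfaceName()` and both `validateInterface()` overloads return true unconditionally, so for this platform no character of an interface name is rejected before it reaches the generated configuration; control characters and line breaks at least should be refused there.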


@ -0,0 +1,55 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef PROCURVE_INTERFACE_PROPERTIES_HH
#define PROCURVE_INTERFACE_PROPERTIES_HH
#include "interfaceProperties.h"
class procurveInterfaces : public interfaceProperties
{
public:
procurveInterfaces() : interfaceProperties() {}
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
virtual bool basicValidateInterfaceName(const QString &name, QString &err);
virtual bool parseVlan(const QString&, QString*, int*);
virtual bool isValidVlanInterfaceName(const QString &,
const QString &,
QString&);
virtual bool validateInterface(libfwbuilder::FWObject *parent,
const QString &inetrface_name,
QString &err);
virtual bool validateInterface(libfwbuilder::FWObject *parent,
libfwbuilder::FWObject *intf,
bool check_types,
QString &err);
};
#endif

View File

@ -330,3 +330,70 @@ void interfacePropertiesTest::isValidVlanInterfaceNamePIX()
parent = "Ethernet0/0";
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.99999", parent, err) == false);
}
void interfacePropertiesTest::isValidVlanInterfaceNameProCurve()
{
QString err, parent;
/*
* As of 05/10/2010 we do not restrict interfaces for ProCurve
*
Vlan interface name parent ok/not ok
vlan 2 anything true
vlan2 anything false
Ethernet0/0.101 FastEthernet0/1 false
Ethernet0/0.99999 Ethernet0/0 false
*/
interfaceProperties *int_prop = getIntProps("procurve");
parent = "FastEthernet0/1";
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan 2", parent, err) == true);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("VLAN 2", parent, err) == true);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Vlan 2", parent, err) == true);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan2", parent, err) == false);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan 101", parent, err) == true);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("vlan101", parent, err) == false);
CPPUNIT_ASSERT (int_prop->isValidVlanInterfaceName("Ethernet0/0.101", parent, err) == false);
}
void interfacePropertiesTest::validateInterfaceProCurve()
{
string host_OS = "procurve";
Resources* os_res = Resources::os_res[host_OS];
string os_family = host_OS;
if (os_res!=NULL)
os_family = os_res->getResourceStr("/FWBuilderResources/Target/family");
interfaceProperties * int_prop = interfacePropertiesObjectFactory::getInterfacePropertiesObject(os_family);
CPPUNIT_ASSERT(int_prop != NULL);
QString err;
Firewall fw;
fw.setStr("host_OS", host_OS);
db->add(&fw);
Interface* parent = Interface::cast(db->create(Interface::TYPENAME));
Interface* iface = Interface::cast(db->create(Interface::TYPENAME));
Interface* subiface = Interface::cast(db->create(Interface::TYPENAME));
fw.add(parent);
init();
Resources("../../res/resources.xml");
iface->setName("vlan 2");
CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast<FWObject*>(fw),
dynamic_cast<FWObject*>(iface), false, err)
== true);
iface->setName("vlan 34324");
CPPUNIT_ASSERT(int_prop->validateInterface(dynamic_cast<FWObject*>(fw),
dynamic_cast<FWObject*>(iface), false, err)
== false);
}
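Review bot: The last assertion in `validateInterfaceProCurve()` expects `validateInterface()` to return false for "vlan 34324", but `procurveInterfaces::validateInterface()` as added in this commit returns true unconditionally, so either the test fails as written or the implementation is missing the range check the test describes. `fw` is declared as a `Firewall` object, not a pointer, so `dynamic_cast<FWObject*>(fw)` should be `&fw`. The same stack object is passed to `db->add(&fw)`, which leaves the database holding a pointer that dies with the test function unless it is removed again. `int_prop` comes from a factory that returns `new` and is not deleted in this test, and `Resources("../../res/resources.xml");` only constructs a temporary after `Resources::os_res` has already been consulted.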


@ -63,6 +63,8 @@ public:
void isValidVlanInterfaceNameBSD();
void isValidVlanInterfaceNameIOS();
void isValidVlanInterfaceNamePIX();
void isValidVlanInterfaceNameProCurve();
void validateInterfaceProCurve();
void setUp();


@ -35,6 +35,7 @@
#include "CompilerDriver_ipfw.h"
#include "CompilerDriver_iosacl.h"
#include "CompilerDriver_pix.h"
#include "CompilerDriver_procurve_acl.h"
#include <string>
@ -53,6 +54,8 @@ CompilerDriver* CompilerDriverFactory::createCompilerDriver(Firewall *fw)
if (platform == "iosacl") return new CompilerDriver_iosacl(fw->getRoot());
if (platform == "pix" || platform == "fwsm")
return new CompilerDriver_pix(fw->getRoot());
if (platform == "procurve_acl")
return new CompilerDriver_procurve_acl(fw->getRoot());
return NULL;
}


@ -110,9 +110,6 @@ void CompilerOutputPanel::loadFWObject(FWObject *obj)
Rule *rule = Rule::cast(obj);
CompilerDriver *dr = CompilerDriverFactory::createCompilerDriver(fw);
// run in test mode to prevent fatal errors from causing exit
dr->setTestMode();
dr->setEmbeddedMode();
QTextCharFormat format;
QTextCharFormat normal_format;
@ -141,6 +138,22 @@ void CompilerOutputPanel::loadFWObject(FWObject *obj)
//m_widget->compiler_output_panel->clear();
if (dr == NULL)
{
// we have no compiler for this platform or unknown platform
format = error_format;
cursor.insertText(
QObject::tr("Compiler for firewall platform %1 not found")
.arg(fw->getStr("platform").c_str()), format);
cursor.insertText("\n");
cursor.insertBlock();
return;
}
// run in test mode to prevent fatal errors from causing exit
dr->setTestMode();
dr->setEmbeddedMode();
try
{
QMapIterator<QString,QString> it(


@ -65,6 +65,7 @@
#include "iosaclAdvancedDialog.h"
#include "ipcopAdvancedDialog.h"
#include "secuwallAdvancedDialog.h"
#include "procurveaclAdvancedDialog.h"
#include "linux24IfaceOptsDialog.h"
#include "secuwallIfaceOptsDialog.h"
@ -242,6 +243,7 @@ QWidget *DialogFactory::createFWDialog(QWidget *parent, FWObject *o)
if (dlgname=="pf") return new pfAdvancedDialog(parent,o);
if (dlgname=="pix") return new pixAdvancedDialog(parent,o);
if (dlgname=="secuwall") return new secuwallAdvancedDialog(parent,o);
if (dlgname=="procurveacl") return new procurveaclAdvancedDialog(parent,o);
cerr << "Firewall settings dialog for " << dlgname
<< " is not implemented" << endl;


@ -374,7 +374,17 @@ void InterfaceDialog::validate(bool *res)
return;
}
if (obj_name.indexOf(' ') != -1 || obj_name.indexOf('-') != -1)
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
Interface::cast(obj)->getParentHost());
QString err;
/*
* TODO:
* See if basicValidateInterfaceName() can be rolled into
* validateInterface()
*/
if ( ! int_prop->basicValidateInterfaceName(obj_name, err))
{
*res = false;
if (QApplication::focusWidget() != NULL)
@ -382,7 +392,7 @@ void InterfaceDialog::validate(bool *res)
blockSignals(true);
QMessageBox::critical(
this,"Firewall Builder",
tr("Interface name can not contain white space and '-'"),
err,
tr("&Continue"), QString::null,QString::null,
0, 1 );
blockSignals(false);
@ -390,11 +400,6 @@ void InterfaceDialog::validate(bool *res)
return;
}
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
Interface::cast(obj)->getParentHost());
QString err;
if ( ! int_prop->validateInterface(obj->getParent(), obj_name, err))
{
/*
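Review bot: Moving the `getInterfacePropertiesObject()` call above the name check means `int_prop` is now allocated before the early `return` in the `basicValidateInterfaceName()` failure branch, and no `delete` is visible on that path. The factory changed in this commit hands out objects created with `new`, so unless ownership is handled in the part of `validate()` outside these hunks, every rejected name leaks one object. Holding it in a scoped owner, as the codebase does elsewhere, would cover all exits: `std::auto_ptr<interfaceProperties> int_prop(interfacePropertiesObjectFactory::getInterfacePropertiesObject(...));`. `Interface::cast(obj)` is also dereferenced without a null check before `getParentHost()`.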


@ -104,6 +104,7 @@ HEADERS += ../../config.h \
linksysAdvancedDialog.h \
freebsdAdvancedDialog.h \
openbsdAdvancedDialog.h \
procurveaclAdvancedDialog.h \
solarisAdvancedDialog.h \
macosxAdvancedDialog.h \
secuwallAdvancedDialog.h \
@ -274,6 +275,7 @@ SOURCES += ProjectPanel.cpp \
linksysAdvancedDialog.cpp \
freebsdAdvancedDialog.cpp \
openbsdAdvancedDialog.cpp \
procurveaclAdvancedDialog.cpp \
solarisAdvancedDialog.cpp \
macosxAdvancedDialog.cpp \
secuwallAdvancedDialog.cpp \
@ -389,6 +391,7 @@ FORMS = FWBMainWindow_q.ui \
pixosadvanceddialog_q.ui \
iosacladvanceddialog_q.ui \
iosadvanceddialog_q.ui \
procurveacladvanceddialog_q.ui \
simpletexteditor_q.ui \
simpleinteditor_q.ui \
aboutdialog_q.ui \


@ -319,6 +319,13 @@ bool isDefaultPolicyRuleOptions(FWOptions *opt)
{
res = !opt->getBool("iosacl_add_mirror_rule");
}
// all rules are stateless for HP Procurve ACL
if (platform=="procurve_acl")
{
res = !opt->getBool("procurve_acl_add_mirror_rule");
}
}
return res;
}
@ -406,7 +413,12 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
res.push_back(QStringPair("1.4.3", QObject::tr("1.4.3 or later")));
} else
{
if (platform=="pix" || platform=="fwsm" || platform=="iosacl")
// we list supported versions for the following platforms in
// corresponding resource .xml file
if (platform=="pix" ||
platform=="fwsm" ||
platform=="iosacl" ||
platform=="procurve_acl")
{
QString lst = Resources::platform_res[
platform.toAscii().constData()]->getResourceStr(


@ -0,0 +1,382 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "procurveaclAdvancedDialog.h"
#include "SimpleTextEditor.h"
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/XMLTools.h"
#include <memory>
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
#include <qtextedit.h>
#include <qtabwidget.h>
#include <qlistwidget.h>
#include <qlabel.h>
#include <qprocess.h>
#include <qfile.h>
#include <iostream>
#include <sstream>
#include <libxml/xmlmemory.h>
using namespace std;
using namespace libfwbuilder;
procurveaclAdvancedDialog::~procurveaclAdvancedDialog()
{
delete m_dialog;
}
procurveaclAdvancedDialog::procurveaclAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::procurveaclAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
Firewall *fw=Firewall::cast(obj);
FWOptions *fwopt=fw->getOptionsObject();
string vers="version_"+obj->getStr("version");
string platform = obj->getStr("platform"); // should be 'procurve_acl'
QString s;
QStringList logLevels;
QStringList logLevelMapping;
logLevelMapping.push_back("");
logLevelMapping.push_back("");
/* filling pop-down menu and pushing the same strings to the mapping
* list at the same time so we could use translation
*/
s=QObject::tr("0 - System Unusable");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("0");
s=QObject::tr("1 - Take Immediate Action");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("1");
s=QObject::tr("2 - Critical Condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("2");
s=QObject::tr("3 - Error Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("3");
s=QObject::tr("4 - Warning Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("4");
s=QObject::tr("5 - Normal but significant condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("5");
s=QObject::tr("6 - Informational");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("6");
s=QObject::tr("7 - Debug Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("7");
/* do not need to translate syslog facilities, but will use the same
* method just in case */
QStringList syslogFacilities;
QStringList syslogFacilityMapping;
syslogFacilities.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilities.push_back("LOCAL0");
syslogFacilityMapping.push_back("LOCAL0");
syslogFacilityMapping.push_back("16");
syslogFacilities.push_back("LOCAL1");
syslogFacilityMapping.push_back("LOCAL1");
syslogFacilityMapping.push_back("17");
syslogFacilities.push_back("LOCAL2");
syslogFacilityMapping.push_back("LOCAL2");
syslogFacilityMapping.push_back("18");
syslogFacilities.push_back("LOCAL3");
syslogFacilityMapping.push_back("LOCAL3");
syslogFacilityMapping.push_back("19");
syslogFacilities.push_back("LOCAL4");
syslogFacilityMapping.push_back("LOCAL4");
syslogFacilityMapping.push_back("20");
syslogFacilities.push_back("LOCAL5");
syslogFacilityMapping.push_back("LOCAL5");
syslogFacilityMapping.push_back("21");
syslogFacilities.push_back("LOCAL6");
syslogFacilityMapping.push_back("LOCAL6");
syslogFacilityMapping.push_back("22");
syslogFacilities.push_back("LOCAL7");
syslogFacilityMapping.push_back("LOCAL7");
syslogFacilityMapping.push_back("23");
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
bool f1=fwoptions->getBool("procurve_acl_acl_basic");
bool f2=fwoptions->getBool("procurve_acl_acl_no_clear");
bool f3=fwoptions->getBool("procurve_acl_acl_substitution");
bool f4=fwoptions->getBool("procurve_acl_add_clear_statements");
/*
* If none of the new procurve_acl_acl_* options is set and old procurve_acl_add_clear_statements
* option is true, set procurve_acl_acl_basic to true.
*
* If old option procurve_acl_add_clear_statements iss false, set
* procurve_acl_acl_no_clear to true
*/
if (!f1 && !f2 && !f3)
{
if ( f4 ) fwoptions->setBool("procurve_acl_acl_basic",true);
else fwoptions->setBool("procurve_acl_acl_no_clear",true);
}
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.registerOption(m_dialog->ipv4before_2, fwoptions,
"ipv4_6_order",
QStringList() << "IPv4 before IPv6"
<< "ipv4_first"
<< "IPv6 before IPv4"
<< "ipv6_first"
);
/* Page "Compiler Options" */
data.registerOption( m_dialog->outputFileName, fwoptions,
"output_file" );
data.registerOption( m_dialog->procurve_acl_check_shadowing, fwoptions,
"check_shading" );
data.registerOption( m_dialog->procurve_acl_ignore_empty_groups, fwoptions,
"ignore_empty_groups" );
data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh" );
data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr" );
/*
data.registerOption( m_dialog->procurve_acl_acl_alwaysNew, fwoptions,
"procurve_acl_acl_always_new" );
*/
/* Page Script options */
data.registerOption( m_dialog->procurve_acl_acl_basic, fwoptions,
"procurve_acl_acl_basic" );
data.registerOption( m_dialog->procurve_acl_acl_no_clear, fwoptions,
"procurve_acl_acl_no_clear" );
data.registerOption( m_dialog->procurve_acl_acl_substitution, fwoptions,
"procurve_acl_acl_substitution" );
data.registerOption( m_dialog->procurve_acl_acl_temp_addr, fwoptions,
"procurve_acl_acl_temp_addr" );
/* Page Installer */
data.registerOption( m_dialog->user, fwoptions, "admUser");
data.registerOption( m_dialog->altAddress, fwoptions, "altAddress");
data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs");
data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs");
data.registerOption( m_dialog->use_scp, fwoptions, "use_scp");
data.registerOption( m_dialog->filesystem, fwoptions, "filesystem");
data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir");
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
m_dialog->installScript->setText(pis->getCommand().c_str() );
m_dialog->installScriptArgs->setText( pis->getArguments().c_str() );
/* page "Prolog/Epilog" */
data.registerOption( m_dialog->procurve_acl_prolog_script, fwoptions,
"procurve_acl_prolog_script" );
data.registerOption( m_dialog->procurve_acl_epilog_script, fwoptions,
"procurve_acl_epilog_script" );
/* page Logging */
data.registerOption(m_dialog->generate_logging_commands, fwoptions,
"procurve_acl_generate_logging_commands");
data.registerOption(m_dialog->syslog_host, fwoptions, "procurve_acl_syslog_host");
m_dialog->syslog_facility->clear();
m_dialog->syslog_facility->addItems( syslogFacilities );
data.registerOption( m_dialog->syslog_facility, fwoptions,
"procurve_acl_syslog_facility", syslogFacilityMapping);
m_dialog->logging_trap_level->clear();
m_dialog->logging_trap_level->addItems(logLevels);
data.registerOption( m_dialog->logging_trap_level, fwoptions,
"procurve_acl_logging_trap_level", logLevelMapping);
data.registerOption(m_dialog->logging_timestamp, fwoptions,
"procurve_acl_logging_timestamp");
data.registerOption(m_dialog->logging_buffered, fwoptions,
"procurve_acl_logging_buffered");
m_dialog->logging_buffered_level->clear();
m_dialog->logging_buffered_level->addItems(logLevels);
data.registerOption( m_dialog->logging_buffered_level, fwoptions,
"procurve_acl_logging_buffered_level", logLevelMapping);
data.registerOption(m_dialog->logging_console, fwoptions,
"procurve_acl_logging_console");
m_dialog->logging_console_level->clear();
m_dialog->logging_console_level->addItems(logLevels);
data.registerOption( m_dialog->logging_console_level,fwoptions,
"procurve_acl_logging_console_level", logLevelMapping);
data.loadAll();
scriptACLModeChanged();
toggleGenerateLogging();
m_dialog->tabWidget->setCurrentIndex(0);
}
/*
* store all data in the object
*/
void procurveaclAdvancedDialog::accept()
{
ProjectPanel *project = mw->activeProject();
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the fw object
FWObject* new_state = cmd->getNewState();
FWOptions* options = Firewall::cast(new_state)->getOptionsObject();
assert(options!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.saveAll(options);
const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress();
if (mgmt_addr)
mgmt->setAddress(*mgmt_addr);
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
pis->setCommand( m_dialog->installScript->text().toLatin1().constData() );
pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() );
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void procurveaclAdvancedDialog::reject()
{
QDialog::reject();
}
void procurveaclAdvancedDialog::editProlog()
{
SimpleTextEditor edt(this,
m_dialog->procurve_acl_prolog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->procurve_acl_prolog_script->setText( edt.text() );
}
void procurveaclAdvancedDialog::editEpilog()
{
SimpleTextEditor edt(this,
m_dialog->procurve_acl_epilog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->procurve_acl_epilog_script->setText( edt.text() );
}
void procurveaclAdvancedDialog::scriptACLModeChanged()
{
m_dialog->procurve_acl_acl_temp_lbl->setEnabled(
m_dialog->procurve_acl_acl_substitution->isChecked());
m_dialog->procurve_acl_acl_temp_addr->setEnabled(
m_dialog->procurve_acl_acl_substitution->isChecked());
}
void procurveaclAdvancedDialog::toggleGenerateLogging()
{
m_dialog->syslog_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
m_dialog->other_logging_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
}
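Review bot: `accept()` builds the undoable change on `new_state` but takes `mgmt` from `obj`, so `pis->setCommand(...)` and `pis->setArguments(...)` write the install script command and its arguments straight into the live firewall object, outside the FWCmdChange. Those edits are therefore not covered by undo, and when nothing else differs the `cmp()` test appears to skip the push even though the object has been modified. I would read both from the copy: `Management *mgmt = Firewall::cast(new_state)->getManagementObject();` and `Firewall::cast(new_state)->getManagementAddress()`. In the constructor the `filesystem` widget is registered twice, for "filesystem" and for "firewall_dir", which looks like a copy-paste slip. The constructor also calls `fwoptions->setBool(...)` on the live object, so merely opening the dialog can change stored options.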


@ -0,0 +1,72 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __PROCURVEACLADVANCEDDIALOG_H_
#define __PROCURVEACLADVANCEDDIALOG_H_
#include <ui_procurveacladvanceddialog_q.h>
#include "DialogData.h"
#include <QDialog>
#include <string>
class QWidget;
class QSpinBox;
class QComboBox;
class QCheckBox;
class QProcess;
namespace libfwbuilder {
class FWObject;
};
class procurveaclAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::procurveaclAdvancedDialog_q *m_dialog;
public:
procurveaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~procurveaclAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
virtual void editProlog();
virtual void editEpilog();
virtual void scriptACLModeChanged();
virtual void toggleGenerateLogging();
};
#endif // __PROCURVEACLADVANCEDDIALOG_H
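Review bot: `toggleGenerateLogging()` is declared under `protected slots` here, but the dialog's .ui file added in this same commit lists only `editProlog()`, `editEpilog()` and `scriptACLModeChanged()` in `<slots>` and has no `<connection>` whose sender is `generate_logging_commands`. Unless the constructor (not visible in this view) connects it by hand, the `syslog_controls` and `other_logging_controls` groups will not follow the checkbox. I'd either add the connection to the .ui or put `connect(m_dialog->generate_logging_commands, SIGNAL(toggled(bool)), this, SLOT(toggleGenerateLogging()));` in the constructor. Separately, the guard `__PROCURVEACLADVANCEDDIALOG_H_` uses a reserved double-underscore name, and the `#endif` comment drops the trailing underscore.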


@ -0,0 +1,1292 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>procurveaclAdvancedDialog_q</class>
<widget class="QDialog" name="procurveaclAdvancedDialog_q">
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>743</width>
<height>733</height>
</rect>
</property>
<property name="windowTitle">
<string>HP ProCurve ACL Firewall Settings</string>
</property>
<property name="sizeGripEnabled">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_5">
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<property name="currentIndex">
<number>1</number>
</property>
<widget class="QWidget" name="compiler_tab">
<attribute name="title">
<string>Compiler Options</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_9">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_5">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension &quot;.fw&quot;)</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="outputFileName">
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QGroupBox" name="groupBox">
<property name="enabled">
<bool>false</bool>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_4">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QRadioButton" name="separate_acls_for_interfaces">
<property name="toolTip">
<string>Compiler creates multiple access lists from the same policy,
two for each interface: one for inbound and another for
outbound. If the policy is written in a such way that no rule
can possibly be associated with an interface, this interface
gets no access list at all. Also, interfaces marked as
&quot;unprotected&quot; never get access list regardless of how the policy
rules are designed.
</string>
</property>
<property name="text">
<string>Generate separate access list for each interface</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="one_acl_for_all_interfaces">
<property name="toolTip">
<string>Compiler creates one access list and assigns it to all
interfaces.
</string>
</property>
<property name="text">
<string>Create one access list and attach it to all interfaces</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QGroupBox" name="frame114">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string>Policy Compiler Options</string>
</property>
<property name="flat">
<bool>false</bool>
</property>
<property name="checkable">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="procurve_acl_ignore_empty_groups">
<property name="toolTip">
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text">
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="procurve_acl_check_shadowing">
<property name="toolTip">
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text">
<string>Detect rule shadowing in the policy</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QCheckBox" name="mgmt_ssh">
<property name="text">
<string>Always permit ssh access from the management workstation with this address:</string>
</property>
<property name="checkable">
<bool>true</bool>
</property>
<property name="checked">
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0">
<widget class="QLineEdit" name="mgmt_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="4" column="1">
<spacer name="horizontalSpacer_2">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>328</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="5" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>170</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="script_options_tab">
<attribute name="title">
<string>Script Options</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="buttonGroup10">
<property name="sizePolicy">
<sizepolicy hsizetype="Preferred" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_7">
<item row="0" column="0">
<widget class="QRadioButton" name="procurve_acl_acl_basic">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLabel" name="textLabel2_3">
<property name="text">
<string>Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via tunnel.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>procurve_acl_acl_basic</cstring>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="procurve_acl_acl_no_clear">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLabel" name="textLabel3">
<property name="focusPolicy">
<enum>Qt::ClickFocus</enum>
</property>
<property name="text">
<string>Do not clear access lists, just generate commands for the new ones. Use this option if you have your own policy installation scripts.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>procurve_acl_acl_no_clear</cstring>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QRadioButton" name="procurve_acl_acl_substitution">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QLabel" name="textLabel4">
<property name="text">
<string>&quot;Safety net&quot; method:
First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>procurve_acl_acl_substitution</cstring>
</property>
</widget>
</item>
<item row="3" column="1">
<widget class="QFrame" name="frame5">
<property name="frameShape">
<enum>QFrame::NoFrame</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>0</number>
</property>
<property name="topMargin">
<number>11</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>11</number>
</property>
<item row="0" column="0" colspan="3">
<widget class="QLabel" name="procurve_acl_acl_temp_lbl">
<property name="text">
<string>Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24):</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="2">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>120</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="procurve_acl_acl_temp_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>199</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>500</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="1" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>110</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="4" column="1">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>600</width>
<height>239</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="installer_tab">
<attribute name="title">
<string>Installer</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_8">
<item row="0" column="0">
<widget class="QGroupBox" name="groupBox2">
<property name="title">
<string>Built-in installer</string>
</property>
<layout class="QGridLayout" name="gridLayout">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_2">
<property name="text">
<string>User name used to authenticate to the firewall (leave this empty if you use putty session):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="user">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_3">
<property name="text">
<string>Alternative name or address used to communicate with the firewall (also putty session name on Windows)</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="altAddress">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<layout class="QHBoxLayout">
<item>
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<string>Additional command line parameters for ssh</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="sshArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="3" column="0" colspan="2">
<layout class="QHBoxLayout" name="_2">
<item>
<widget class="QLabel" name="textLabel1_8">
<property name="text">
<string>Additional command line parameters for scp</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="scpArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="SCPgroupBox">
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_3">
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="label">
<property name="text">
<string>Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then &quot;copy file running-config&quot; command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method works for IOS v12.4 or later and is much faster than running configuration line by line.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QCheckBox" name="use_scp">
<property name="text">
<string>Copy generated configuration file to the router using scp</string>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_3">
<property name="text">
<string>File system on the router where configuration file should be saved if it is copied with scp. Examples: &quot;flash:&quot;, &quot;disk0:&quot;. Should end with a colon &quot;:&quot;. If this input field is left blank, installer uses &quot;nvram:&quot;:</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLineEdit" name="filesystem"/>
</item>
<item row="3" column="1">
<spacer name="horizontalSpacer">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>398</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="groupBox1">
<property name="title">
<string>External install script</string>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<property name="verticalSpacing">
<number>-1</number>
</property>
<item row="0" column="0">
<layout class="QHBoxLayout" name="horizontalLayout">
<item>
<widget class="QLabel" name="textLabel5_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Policy install script (using built-in installer if this field is blank):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScript">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout" name="horizontalLayout_2">
<item>
<widget class="QLabel" name="textLabel6_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Command line options for the script:</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScriptArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="prolog_epilog_tab">
<attribute name="title">
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="frame146">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="margin">
<number>6</number>
</property>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QPushButton" name="edit_prolog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="textLabel2">
<property name="text">
<string>The following commands will be added verbatim on top of generated configuration</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="procurve_acl_prolog_script"/>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="frame147">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="margin">
<number>6</number>
</property>
<item row="2" column="1">
<widget class="QPushButton" name="edit_epilog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="procurve_acl_epilog_script"/>
</item>
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="textLabel2_2">
<property name="text">
<string>The following commands will be added verbatim after generated configuration</string>
</property>
<property name="textFormat">
<enum>Qt::RichText</enum>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="margin">
<number>0</number>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="logging_tab">
<attribute name="title">
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<item row="0" column="0">
<widget class="QCheckBox" name="generate_logging_commands">
<property name="text">
<string>Generate logging commands</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="syslog_controls">
<property name="title">
<string>Syslog</string>
</property>
<layout class="QGridLayout">
<property name="margin">
<number>12</number>
</property>
<item row="0" column="1" colspan="2">
<widget class="QLineEdit" name="syslog_host"/>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label599">
<property name="text">
<string>Syslog host (name or IP address):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QLabel" name="label598">
<property name="text">
<string>syslog facility:</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="label640">
<property name="text">
<string>syslog level ('logging trap'):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2">
<widget class="QComboBox" name="syslog_facility"/>
</item>
<item row="3" column="1" colspan="2">
<widget class="QComboBox" name="logging_trap_level"/>
</item>
<item row="5" column="0" colspan="3">
<widget class="Line" name="hseparator39">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="7" column="0" colspan="3">
<widget class="Line" name="hseparator40">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="8" column="0" colspan="3">
<widget class="QLabel" name="label641">
<property name="text">
<string>The logging timestamp command requires that the clock command be set.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="9" column="0" colspan="3">
<widget class="QCheckBox" name="logging_timestamp">
<property name="text">
<string>Enable logging timestamps on syslog file</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="other_logging_controls">
<property name="title">
<string>Other logging destinations and levels:</string>
</property>
<layout class="QGridLayout">
<property name="margin">
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="logging_buffered">
<property name="text">
<string>Internal buffer</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="logging_console">
<property name="text">
<string>Console</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="logging_buffered_level"/>
</item>
<item row="1" column="1">
<widget class="QComboBox" name="logging_console_level"/>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>675</width>
<height>121</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="ipv6_tab">
<attribute name="title">
<string>IPv6</string>
</attribute>
<layout class="QGridLayout">
<item row="1" column="0">
<widget class="QLabel" name="label_2">
<property name="text">
<string>The order in which ipv4 and ipv6 rules should be generated:</string>
</property>
</widget>
</item>
<item row="1" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0">
<widget class="QComboBox" name="ipv4before_2">
<item>
<property name="text">
<string>IPv4 before IPv6</string>
</property>
</item>
<item>
<property name="text">
<string>IPv6 before IPv4</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item>
<layout class="QHBoxLayout">
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QLabel" name="label583">
<property name="alignment">
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<string>Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</item>
</layout>
</widget>
<tabstops>
<tabstop>outputFileName</tabstop>
<tabstop>separate_acls_for_interfaces</tabstop>
<tabstop>one_acl_for_all_interfaces</tabstop>
<tabstop>procurve_acl_ignore_empty_groups</tabstop>
<tabstop>procurve_acl_check_shadowing</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>
<tabstop>procurve_acl_acl_basic</tabstop>
<tabstop>procurve_acl_acl_no_clear</tabstop>
<tabstop>procurve_acl_acl_substitution</tabstop>
<tabstop>procurve_acl_acl_temp_addr</tabstop>
<tabstop>user</tabstop>
<tabstop>altAddress</tabstop>
<tabstop>sshArgs</tabstop>
<tabstop>scpArgs</tabstop>
<tabstop>use_scp</tabstop>
<tabstop>filesystem</tabstop>
<tabstop>installScript</tabstop>
<tabstop>installScriptArgs</tabstop>
<tabstop>procurve_acl_prolog_script</tabstop>
<tabstop>edit_prolog_button</tabstop>
<tabstop>procurve_acl_epilog_script</tabstop>
<tabstop>edit_epilog_button</tabstop>
<tabstop>generate_logging_commands</tabstop>
<tabstop>syslog_host</tabstop>
<tabstop>syslog_facility</tabstop>
<tabstop>logging_trap_level</tabstop>
<tabstop>logging_timestamp</tabstop>
<tabstop>logging_buffered</tabstop>
<tabstop>logging_console</tabstop>
<tabstop>logging_buffered_level</tabstop>
<tabstop>logging_console_level</tabstop>
<tabstop>ipv4before_2</tabstop>
<tabstop>ok_button</tabstop>
<tabstop>cancel_button</tabstop>
<tabstop>textLabel3</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>ok_button</sender>
<signal>clicked()</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<x>584</x>
<y>703</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>cancel_button</sender>
<signal>clicked()</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>689</x>
<y>703</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_prolog_button</sender>
<signal>clicked()</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>editProlog()</slot>
<hints>
<hint type="sourcelabel">
<x>671</x>
<y>318</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_epilog_button</sender>
<signal>clicked()</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>editEpilog()</slot>
<hints>
<hint type="sourcelabel">
<x>671</x>
<y>628</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>procurve_acl_acl_basic</sender>
<signal>toggled(bool)</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<x>60</x>
<y>75</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>procurve_acl_acl_no_clear</sender>
<signal>toggled(bool)</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<x>60</x>
<y>117</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
<connection>
<sender>procurve_acl_acl_substitution</sender>
<signal>toggled(bool)</signal>
<receiver>procurveaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<x>60</x>
<y>207</y>
</hint>
<hint type="destinationlabel">
<x>371</x>
<y>366</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>editProlog()</slot>
<slot>editEpilog()</slot>
<slot>scriptACLModeChanged()</slot>
</slots>
</ui>
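Review bot: `mgmt_addr` and `procurve_acl_acl_temp_addr` are unconstrained `QLineEdit`s, yet per their labels the text becomes the source of an always-permit ssh rule and of the temporary "safety net" access list. Whether `accept()` validates them is not visible in this view; if it does not, a typo or an over-broad prefix would presumably go straight into a permit entry on the switch. I'd refuse to close the dialog when either value does not parse as an address or prefix, and attach a validator to both fields in the constructor. A tooltip stating the accepted format would also help, e.g. `<property name="toolTip"><string>IPv4 address or prefix, e.g. 192.0.2.10 or 192.0.2.0/24</string></property>` on both widgets.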


@ -0,0 +1,191 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <sstream>
#include <map>
#include <algorithm>
#include <functional>
#ifdef _WIN32
# include <direct.h>
#else
# include <unistd.h>
#endif
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <assert.h>
#include <cstring>
#include "CompilerDriver_procurve_acl.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Tools.h"
#include <QApplication>
#include <QStringList>
#include <QTextCodec>
#include "../common/init.cpp"
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
FWObjectDatabase *objdb = NULL;
class UpgradePredicate: public XMLTools::UpgradePredicate
{
public:
virtual bool operator()(const string &msg) const
{
msg.size(); // to make compiler happy about unused parameter
cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." << endl;
return false;
}
};
void usage(const char *name)
{
cout << "Firewall Builder: policy compiler for HP ProCurve ACL" << endl;
cout << "Copyright 2010 NetCitadel, LLC" << endl;
cout << "Version " << VERSION << "-" << build_num.toStdString() << endl;
cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl;
}
int main(int argc, char **argv)
{
QApplication app(argc, argv, false);
// compilers always write file names into manifest in Utf8
QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));
QStringList args = app.arguments();
if (args.size()<=1)
{
usage(argv[0]);
exit(1);
}
QString last_arg;
string filename;
for (int idx=0; idx < args.size(); idx++)
{
QString arg = args.at(idx);
last_arg = arg;
if (arg == "-r")
{
idx++;
respath = string(args.at(idx).toLatin1().constData());
continue;
}
if (arg == "-V")
{
usage(argv[0]);
exit(0);
}
if (arg == "-f")
{
idx++;
filename = string(args.at(idx).toLatin1().constData());
continue;
}
}
if (filename.empty())
{
usage(argv[0]);
exit(1);
}
init(argv);
try
{
new Resources(respath+FS_SEPARATOR+"resources.xml");
/* create database */
objdb = new FWObjectDatabase();
/* load the data file */
UpgradePredicate upgrade_predicate;
cout << " *** Loading data ...";
objdb->setReadOnly( false );
objdb->load( filename, &upgrade_predicate, librespath);
objdb->setFileName(filename);
objdb->reIndex();
cout << " done\n";
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_procurve_acl driver(objdb);
if (!driver.prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
delete objdb;
return 0;
} catch(libfwbuilder::FWException &ex)
{
cerr << ex.toString() << endl;
return 1;
} catch (std::string s)
{
cerr << s << endl;
return 1;
} catch (std::exception ex)
{
cerr << "exception: " << ex.what() << endl;
return 1;
} catch (...)
{
cerr << "Unsupported exception";
return 1;
}
return 0;
}
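Review bot: The option loop in main() reads `args.at(idx)` immediately after `idx++` for both `-r` and `-f` without checking that another argument exists, so a command line that ends in either flag indexes past the end of the QStringList (an assertion in debug builds of Qt, undefined behaviour otherwise). A guard such as `if (++idx >= args.size()) { usage(argv[0]); exit(1); }` before each read keeps that case on the usage path. Separately, `catch (std::exception ex)` catches by value and slices derived exceptions, so `ex.what()` may lose the derived message; `catch (const std::exception &ex)` avoids that, and `catch (std::string s)` can take a const reference as well. The file name is converted with `toLatin1()` although the codecs are set to UTF-8 two lines earlier, so a path with characters outside Latin-1 would presumably not open; `toLocal8Bit()` looks like the intended call, but confirm against how `objdb->load()` interprets the string.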


@ -0,0 +1,33 @@
#-*- mode: makefile; tab-width: 4; -*-
#
include(../../qmake.inc)
#
#
# PACKAGE = fwbuilder-procurve_acl-$$FWB_VERSION
#
# QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\""
# QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\""
SOURCES = procurve_acl.cpp
HEADERS = ../../config.h
!win32 {
QMAKE_COPY = ../../install.sh -m 0755 -s
}
win32:CONFIG += console
INCLUDEPATH += ../common ../cisco_lib/ ../compiler_lib
win32:LIBS += ../common/release/common.lib ../cisco_lib/release/fwbcisco.lib ../compiler_lib/release/compilerdriver.lib
!win32:LIBS += ../common/libcommon.a ../cisco_lib/libfwbcisco.a ../compiler_lib/libcompilerdriver.a
win32:PRE_TARGETDEPS = ../common/release/common.lib ../cisco_lib/release/fwbcisco.lib ../compiler_lib/release/compilerdriver.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a ../cisco_lib/libfwbcisco.a ../compiler_lib/libcompilerdriver.a
LIBS += $$LIBS_FWCOMPILER
TARGET = fwb_procurve_acl


@ -0,0 +1,50 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/ios/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
! temporary access list for "safety net install"
{{if ipv4}}
no ip access-list extended tmp_acl
ip access-list extended tmp_acl
permit ip {{$management_addr}} {{$management_netm}} any
deny ip any any
exit
interface {{$management_interface}}
no ip access-group in
no ip access-group out
ip access-group tmp_acl in
exit
{{endif}}
{{if ipv6}}
no ipv6 access-list tmp_acl
ipv6 access-list tmp_acl
{{if slash_notation}}
permit ipv6 {{$management_addr}} any
{{endif}}
{{if host_addr}}
permit ipv6 host {{$management_addr}} any
{{endif}}
permit icmp any any
deny ipv6 any any
exit
interface {{$management_interface}}
no ipv6 traffic-filter in
no ipv6 traffic-filter out
ipv6 traffic-filter tmp_acl in
exit
{{endif}}
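Review bot: In the ipv4 branch the management interface has no inbound ACL between `no ip access-group in` and `ip access-group tmp_acl in`, and no outbound ACL for the rest of the safety-net phase, so an install session that drops at that point leaves the interface unfiltered; the ipv6 branch has the same ordering with `no ipv6 traffic-filter in`. If the targeted IOS versions replace the bound list when a new `ip access-group` is applied (to be confirmed), the `no ip access-group in` line can be dropped; otherwise a `##` comment should record why the gap is accepted. The list name `tmp_acl` is fixed, so `no ip access-list extended tmp_acl` also deletes an operator-defined list of the same name; a configlet variable or a prefixed name such as `fwb_tmp_acl` (constructed example) would avoid the collision. `{{$management_netm}}` sits where an extended ACL expects a wildcard mask, and the code that fills it is not in this section, so the header comment should say which form the variable carries.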


@ -0,0 +1,54 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/procurve/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
; temporary access list for "safety net install"
{{if ipv4}}
interface {{$management_interface}}
no ip access-group in
no ip access-group out
no ip access-group tmp_acl in
exit
no ip access-list extended tmp_acl
ip access-list extended tmp_acl
permit ip {{$management_addr}} {{$management_netm}} any
deny ip any any
exit
interface {{$management_interface}}
ip access-group tmp_acl in
exit
{{endif}}
{{if ipv6}}
no ipv6 access-list tmp_acl
ipv6 access-list tmp_acl
{{if slash_notation}}
permit ipv6 {{$management_addr}} any
{{endif}}
{{if host_addr}}
permit ipv6 host {{$management_addr}} any
{{endif}}
permit icmp any any
deny ipv6 any any
exit
interface {{$management_interface}}
no ipv6 traffic-filter in
no ipv6 traffic-filter out
ipv6 traffic-filter tmp_acl in
exit
{{endif}}
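Review bot: The ipv6 branch runs `no ipv6 access-list tmp_acl` while the list may still be bound to `{{$management_interface}}`, whereas the ipv4 branch above unbinds first, which the commit's ChangeLog entry gives as a ProCurve requirement. The branch looks carried over unchanged from the IOS configlet; either move the `interface` / `no ipv6 traffic-filter in` / `no ipv6 traffic-filter out` / `exit` block above the `no ipv6 access-list` line, or mark the branch with `## IPv6 safety net not verified on ProCurve`. Whether the K.13 firmware accepts `ipv6 traffic-filter` cannot be confirmed from this page. In the ipv4 branch the interface is unfiltered from `no ip access-group in` until `ip access-group tmp_acl in`, which spans the whole ACL rebuild; if unbinding first is unavoidable here, a `##` comment should say so, so that operators who copy the configlet keep that window short.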


@ -0,0 +1,42 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/procurve/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
{{$top_comment}}
{{$errors_and_warnings}}
;
; Prolog script:
;
{{$prolog_script}}
;
; End of prolog script:
;
{{$other_os_configuration_commands}}
{{$system_configuration_script}}
{{$policy_script}}
{{$nat_script}}
{{$routing_script}}
;
; Epilog script:
;
{{$epilog_script}}
; End of epilog script:
;


@ -0,0 +1,12 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v{{$version}}-{{$build}}
;
; Generated {{$timestamp}} {{$tz}} by {{$user}}
;
; Compiled for {{$platform}} {{$fw_version}}
;
{{$manifest}}
;
{{$comment}}

45
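--- a/src/res/os/procurve.xml
+++ b/src/res/os/procurve.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
+<FWBuilderResources>
+<Target name="procurve">
+<description>HP ProCurve</description>
+<status>active</status>
+<compiler>fwb_procurve</compiler>
+<family>procurve</family>
+<dialog>procurve</dialog>
+<options>
+<user_can_change_install_dir>false</user_can_change_install_dir>
+<default>
+</default>
+<activation>
+<fwdir>nvram:</fwdir>
+<fwdir_test>nvram:</fwdir_test>
+</activation>
+</options>
+<capabilities>
+<supports_routing>True</supports_routing>
+<supports_subinterfaces>False</supports_subinterfaces>
+<supports_cluster>False</supports_cluster>
+</capabilities>
+<interfaces>
+<cluster>
+</cluster>
+<firewall>
+<string>ethernet,Ethernet</string>
+</firewall>
+</interfaces>
+<subinterfaces>
+<ethernet>
+<string>8021q,VLAN</string>
+<string>unknown,Unknown</string>
+</ethernet>
+</subinterfaces>
+</Target>
+</FWBuilderResources>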


@ -0,0 +1,125 @@
<?xml version="1.0"?>
<FWBuilderResources>
<Target name="procurve_acl">
<description>HP ProCurve ACL</description>
<status>active</status>
<group>procurve_acl</group>
<compiler>fwb_procurve_acl</compiler>
<dialog>procurveacl</dialog>
<supported_os>procurve</supported_os>
<versions>K.13</versions>
<options>
<default>
<procurve_acl_include_comments>true</procurve_acl_include_comments>
<procurve_acl_add_clear_statements>true</procurve_acl_add_clear_statements>
<procurve_acl_assume_fw_part_of_any>true</procurve_acl_assume_fw_part_of_any>
</default>
<version_K.13>
<procurve_acl_include_comments>true</procurve_acl_include_comments>
<procurve_acl_add_clear_statements>true</procurve_acl_add_clear_statements>
<procurve_acl_assume_fw_part_of_any>true</procurve_acl_assume_fw_part_of_any>
<procurve_acl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</procurve_acl_commands>
</version_K.13>
</options>
<capabilities>
<negation_in_interface_policy>False</negation_in_interface_policy>
<negation_in_policy>False</negation_in_policy>
<negation_in_nat>False</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>False</supports_nat>
<actions_in_nat>False</actions_in_nat>
<supports_time>False</supports_time>
<supports_accounting>False</supports_accounting>
<supports_routing_itf>True</supports_routing_itf>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>
<description>Accept</description>
<dialog_page>None</dialog_page>
</Accept>
<Deny>
<supported>True</supported>
<description>Deny</description>
<dialog_page>None</dialog_page>
</Deny>
<Reject>
<supported>False</supported>
<description>Reject</description>
<dialog_page>Reject</dialog_page>
</Reject>
<Accounting>
<supported>False</supported>
<description>Accounting</description>
<dialog_page>None</dialog_page>
</Accounting>
<Tag>
<supported>False</supported>
<description>Tag</description>
<dialog_page>None</dialog_page>
</Tag>
<Pipe>
<supported>False</supported>
<description>Pipe</description>
<dialog_page>None</dialog_page>
</Pipe>
<Classify>
<supported>False</supported>
<description>Classify</description>
<dialog_page>None</dialog_page>
</Classify>
<Custom>
<supported>False</supported>
<description>Custom</description>
<dialog_page>None</dialog_page>
</Custom>
<Branch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</Branch>
<Route>
<supported>False</supported>
<description>Route</description>
<dialog_page>None</dialog_page>
</Route>
<Translate>
<supported>False</supported>
<description>Translate</description>
<dialog_page>None</dialog_page>
</Translate>
<NATBranch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</NATBranch>
</actions>
</capabilities>
</Target>
</FWBuilderResources>


@ -32,5 +32,6 @@ SUBDIRS += common \
ipfw \
iosacl \
pix \
procurve_acl \
transfer_agents


@ -0,0 +1,14 @@
# this is a comment
#
; this should be a comment too
;
192.168.1.1
192.168.1.2/32
192.168.1.3/30
192.168.2.128/25
192.168.1.200/32 # comment again
192.168.1.201/32 # this should work, too


@ -0,0 +1,57 @@
#
# use this table to test run-time AddressTable object
# (this is just a small collection of addresses that sent spam to me
# on Nov 20 2005)
#
151.8.224.178 # this is also a comment
168.156.76.20
193.207.126.36
195.136.186.35
196.15.136.15
201.10.180.138
201.17.93.16
201.36.156.121
202.103.25.253
202.96.112.93
203.162.3.209
203.209.124.144
210.106.193.237
210.222.114.102
211.144.143.143
211.172.218.237
211.250.16.132
212.100.212.100
212.21.241.31
218.104.138.146
218.18.72.252
218.39.114.122
218.55.115.43
219.132.104.160
220.71.17.86
220.81.50.105
220.91.99.46
221.14.249.242
221.166.177.135
221.198.33.38
221.202.160.233
221.205.54.125
221.217.44.248
222.100.212.223
222.121.118.144
222.174.113.2
58.231.13.78
58.33.181.83
58.53.82.190
61.150.47.112
61.184.14.102
64.106.85.186
70.228.60.100
80.243.72.149
80.249.77.34
80.51.236.6
81.196.74.125
81.2.36.254
82.117.221.205
82.143.196.17
82.77.37.174
84.90.8.198


28
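--- a/test/procurve_acl/quick-cmp.sh
+++ b/test/procurve_acl/quick-cmp.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+DIFFCMD="diff -C 5 -c -b -B -w -I \"Generated\" -I 'Activating ' -I 'Firewall Builder fwb_procurve_acl v' -I 'Can not find file' -I '====' -I 'log '"
+for f in $(ls *.fw.orig)
+do
+V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+echo "echo \"$V\" | cut -c1-72"
+new_f=$(echo $f | sed 's/.orig//')
+echo "$DIFFCMD $f $new_f"
+done
+exit 0
+run_diffs_for_file() {
+xmlfile=$1
+folder=$2
+fwbedit list -f $xmlfile -o $folder -c -F%name% | sort | while read fwobj; do
+V="$fwobj <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
+echo "echo \"$V\" | cut -c1-72"
+echo "$DIFFCMD ${fwobj}.fw.orig ${fwobj}.fw"
+done
+}
+run_diffs_for_file objects-for-regression-tests.fwb /User/Firewalls
+# run_diffs_for_file cluster-tests.fwb /User/Clusters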
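Review bot: The `sed 's/.orig//'` substitution has an unescaped dot and no anchor, so it removes the first occurrence of any character followed by `orig` anywhere in the name rather than the `.orig` suffix; `new_f=${f%.orig}` does what is meant without a subprocess. The loop header `for f in $(ls *.fw.orig)` splits names on whitespace, and `for f in *.fw.orig` is the safer form. Everything after `exit 0`, including `run_diffs_for_file` and its call, is unreachable; if it is kept as a disabled alternative, a comment such as `# disabled: fwbedit-driven variant, not run` above the `exit 0` would say so. run.all in the same directory has the same unreachable tail after its `exit 0`.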

8
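--- a/test/procurve_acl/recycle
+++ b/test/procurve_acl/recycle
@@ -0,0 +1,8 @@
+#!/bin/sh
+for f in *.fw; do
+j=${f}.orig
+mv $f $j
+done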

22
test/procurve_acl/run.all Executable file

@ -0,0 +1,22 @@
#!/bin/sh
XMLFILE="objects-for-regression-tests.fwb"
fwbedit list -f $XMLFILE -o /User/Firewalls -c -F%name% | \
sort | while read fwobj
do
echo "echo"
echo "echo \"============================ $fwobj\""
echo "fwb_procurve_acl -v -f $XMLFILE -xt $fwobj"
done
exit 0
XMLFILE="cluster-tests.fwb"
fwbedit list -f $XMLFILE -o /User/Clusters -c -F%name% | \
sort | while read fwobj
do
echo "echo"
echo "echo \"============================ $fwobj\""
echo "fwb_procurve_acl -v -f $XMLFILE -xt -xc $fwobj"
done