fixed bugs 2689958 2689987 2689978

build_num

@@ -1 +1 @@
-#define BUILD_NUM 782
+#define BUILD_NUM 783

doc/ChangeLog

@@ -1,3 +1,18 @@
+2009-03-17  vadim  <vadim@vk.crocodile.org>
+
+	* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
+	bug #2689978: "IOS ACL 'safety net' doesn't support
+	IPv6?". Compiler did not process properly ipv6 address entered in
+	the "safety net" install script option parameter.
+
+	* iosaclAdvancedDialog.cpp, pixAdvancedDialog.cpp: fixed bug
+	#2689987: "Typo in "script options" tab in 'Firewall settings'".
+
+	* IPv6Dialog.cpp (IPv6Dialog::changed): fixed bug #2689958 "Error
+	changing properties of a IPv6 address". Button "Apply" would stay
+	greyed out when user changed network prefix length in IPv6 address
+	dialog.
+
 2009-03-12  vadim  <vadim@vk.crocodile.org>
 
 	* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed

src/gui/iosacladvanceddialog_q.ui

@@ -295,7 +295,7 @@ workstation with this address:</string>
              <enum>Qt::ClickFocus</enum>
             </property>
             <property name="text" >
-             <string>Do not clear access lists and object group, just generate IOSACL commands for the new ones. Use this optin if you have your own policy installation scripts.</string>
+             <string>Do not clear access lists and object group, just generate IOSACL commands for the new ones. Use this option if you have your own policy installation scripts.</string>
             </property>
             <property name="alignment" >
              <set>Qt::AlignVCenter</set>

src/gui/ipv6dialog_q.ui

@@ -27,9 +27,6 @@
      <property name="spacing" >
       <number>2</number>
      </property>
-     <property name="margin" >
-      <number>0</number>
-     </property>
      <item>
       <widget class="QFrame" name="frame3" >
        <property name="sizePolicy" >
@@ -409,5 +406,24 @@
     </hint>
    </hints>
   </connection>
+  <connection>
+   <sender>netmask</sender>
+   <signal>textChanged(QString)</signal>
+   <receiver>IPv6Dialog_q</receiver>
+   <slot>changed()</slot>
+   <hints>
+    <hint type="sourcelabel" >
+     <x>228</x>
+     <y>141</y>
+    </hint>
+    <hint type="destinationlabel" >
+     <x>310</x>
+     <y>129</y>
+    </hint>
+   </hints>
+  </connection>
  </connections>
+ <slots>
+  <slot>changed()</slot>
+ </slots>
 </ui>

src/gui/pixadvanceddialog_q.ui

@@ -3790,7 +3790,7 @@ workstation with this address:</string>
              <enum>Qt::ClickFocus</enum>
             </property>
             <property name="text" >
-             <string>Do not clear access lists and object group, just generate PIX commands for the new ones. Use this optin if you have your own policy installation scripts.</string>
+             <string>Do not clear access lists and object group, just generate PIX commands for the new ones. Use this option if you have your own policy installation scripts.</string>
             </property>
             <property name="alignment" >
              <set>Qt::AlignVCenter</set>

src/iosacl/PolicyCompiler_iosacl.cpp

@@ -119,38 +119,49 @@ int PolicyCompiler_iosacl::prolog()
             string::size_type slash_idx = temp_acl_addr.find('/');
             string addr = temp_acl_addr;
             string netmask = "255.255.255.255";
+            bool tmp_acl_v6 = false;
 
-            if (slash_idx!=string::npos)
-            {
-                addr = temp_acl_addr.substr(0,slash_idx);
-                netmask = temp_acl_addr.substr(slash_idx+1);
-                try
-                {
-                    if (netmask.find(".")!=string::npos)
-                    {
-                        InetAddr nm(netmask);
-                        nm.getLength(); // to avoid warning abt unused var
-                    } else
-                    {
-                        int nm_length;
-                        istringstream  str(netmask);
-                        str >> nm_length;
-                        InetAddr nm(nm_length);
-                        netmask = nm.toString();
-                    }
-                } catch(FWException &ex)
-                {
-                    abort("Invalid netmask for management subnet: '"+netmask+"'");
-                }
-            }
+            // check if addr is v6
 
             try
             {
-                InetAddr a(addr);
-                a.isAny();
+                InetAddr addrv6(AF_INET6, temp_acl_addr);
+                tmp_acl_v6 = true;
             } catch(FWException &ex)
             {
-                abort("Invalid address for management subnet: '"+addr+"'");
+                // Assume cnf->maddr is ipv4 
+                if (slash_idx!=string::npos)
+                {
+                    addr = temp_acl_addr.substr(0,slash_idx);
+                    netmask = temp_acl_addr.substr(slash_idx+1);
+                    try
+                    {
+                        if (netmask.find(".")!=string::npos)
+                        {
+                            InetAddr nm(netmask);
+                            nm.getLength(); // to avoid warning abt unused var
+                        } else
+                        {
+                            int nm_length;
+                            istringstream  str(netmask);
+                            str >> nm_length;
+                            InetAddr nm(nm_length);
+                            netmask = nm.toString();
+                        }
+                    } catch(FWException &ex)
+                    {
+                        abort("Invalid netmask for management subnet: '"+netmask+"'");
+                    }
+                }
+
+                try
+                {
+                    InetAddr a(addr);
+                    a.isAny();
+                } catch(FWException &ex)
+                {
+                    abort("Invalid address for management subnet: '"+addr+"'");
+                }
             }
 
             string xml_element = "clear_ip_acl";
@@ -162,26 +173,37 @@ int PolicyCompiler_iosacl::prolog()
 
             output << endl;
 
-
-            // cisco uses "wildcards" instead of netmasks
-
-            //long nm = InetAddr(netmask).to32BitInt();
-            //struct in_addr na;
-            //na.s_addr = ~nm;
-            InetAddr nnm( ~(InetAddr(netmask)) );
-
             string addr_family_prefix = "ip";
-            if (ipv6) addr_family_prefix = "ipv6";
 
-            output << clearACLcmd << " " << temp_acl << endl;
-            output << addr_family_prefix
-                   << " access-list extended " << temp_acl << endl;
-            output << "  permit ip "
-                   << addr << " " << nnm.toString() << " any " << endl;
-            output << "  deny " << addr_family_prefix
-                   << " any any " << endl;
-            output << "exit" << endl;
-            output << endl;
+            if (ipv6 && tmp_acl_v6)
+            {
+                addr_family_prefix = "ipv6";
+                output << clearACLcmd << " " << temp_acl << endl;
+                output << "ipv6 access-list " << temp_acl << endl;
+                output << "  permit ipv6 " << addr << " any " << endl;
+                output << "  deny ipv6 any any " << endl;
+                output << "exit" << endl;
+                output << endl;
+            }
+
+            if (!ipv6 && !tmp_acl_v6)
+            {
+                // cisco uses "wildcards" instead of netmasks
+
+                //long nm = InetAddr(netmask).to32BitInt();
+                //struct in_addr na;
+                //na.s_addr = ~nm;
+                InetAddr nnm( ~(InetAddr(netmask)) );
+                addr_family_prefix = "ip";
+                output << clearACLcmd << " " << temp_acl << endl;
+                output << "ip access-list extended " << temp_acl << endl;
+                output << "  permit ip "
+                       << addr << " " << nnm.toString() << " any " << endl;
+                output << "  deny ip any any " << endl;
+                output << "exit" << endl;
+                output << endl;
+            }
+
 
             // find management interface
             int nmi = 0;