
set version to 4.1.1; working implementation of policy installer for ProCurve

Vadim Kurland 2010-08-15 06:12:52 +00:00
parent 21582f8755
commit d672e836f7
26 changed files with 712 additions and 90 deletions


@ -2,17 +2,17 @@
FWB_MAJOR_VERSION=4
FWB_MINOR_VERSION=1
FWB_MICRO_VERSION=0
FWB_MICRO_VERSION=1
# VERSION must be a string rather than $var because of the build scripts
VERSION="4.1.0"
SHORTVERSION="410"
VERSION="4.1.1"
SHORTVERSION="411"
# RELEASE="1"
RELEASE="b@BUILD_NUM@"
BETA="no"
REQUIRED_LIBFWBUILDER_VERSION="4.1.0"
REQUIRED_LIBFWBUILDER_VERSION="4.1.1"


@ -1 +1 @@
#define VERSION "4.1.0"
#define VERSION "4.1.1"


@ -1 +1 @@
#define BUILD_NUM 3224
#define BUILD_NUM 3228


@ -1,3 +1,17 @@
2010-08-14 Vadim Kurland <vadim@vk.crocodile.org>
* FirewallInstallerProcurve.cpp (FirewallInstallerProcurve::packInstallJobsList):
Policy installer for HP Procurve. Currently only works in line-by-line
mode (no support for scp). Tested with Procurve firmware K14.31 on
ProCurve J9470A Switch 3500-24. Caveat: manager access should not be
configured with user name (that is, no "password manager user-name foo")
* set version to 4.1.1
2010-08-10 Vadim Kurland <vadim@vk.crocodile.org>
* v4.1.0 released
2010-08-08 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator_ops.cpp (ObjectManipulator::actuallyDeleteObject):


@ -131,7 +131,7 @@ bool FirewallInstallerCisco::packInstallJobsList(Firewall*)
string platform = cnf->fwobj->getStr("platform");
if (cnf->useSCPForCisco)
if (cnf->useSCPForRouter)
{
QMap<QString,QString> all_files;
@ -245,10 +245,10 @@ void FirewallInstallerCisco::activatePolicy(const QString&, const QString&)
replaceMacrosInCommand(&activation);
activation.setVariable("using_scp", cnf->useSCPForCisco);
activation.setVariable("not_using_scp", ! cnf->useSCPForCisco);
activation.setVariable("using_scp", cnf->useSCPForRouter);
activation.setVariable("not_using_scp", ! cnf->useSCPForRouter);
if ( ! cnf->useSCPForCisco)
if ( ! cnf->useSCPForRouter)
{
activation.setVariable("fwbuilder_generated_configuration_lines",
config_lines.join("\n"));


@ -47,6 +47,7 @@ class FirewallInstallerCisco : public FirewallInstaller
{
Q_OBJECT;
protected:
QStringList config_lines;
virtual QString getDestinationDir(const QString &dir);


@ -0,0 +1,230 @@
/*
Firewall Builder
Copyright (C) 2008 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "FirewallInstallerProcurve.h"
#include "instDialog.h"
#include "SSHPIX.h"
#include "SSHIOS.h"
#include "SSHProcurve.h"
#include "Configlet.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/XMLTools.h"
#include <QFileInfo>
#include <QTextStream>
#include <QMessageBox>
#include <QtDebug>
using namespace std;
using namespace libfwbuilder;
FirewallInstallerProcurve::FirewallInstallerProcurve(instDialog *_dlg,
instConf *_cnf, const QString &_p):
FirewallInstallerCisco(_dlg, _cnf, _p)
{
}
bool FirewallInstallerProcurve::packInstallJobsList(Firewall*)
{
if (fwbdebug)
qDebug("FirewallInstallerProcurve::packInstallJobList script=%s",
cnf->script.toAscii().constData());
job_list.clear();
Management *mgmt = cnf->fwobj->getManagementObject();
assert(mgmt!=NULL);
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
if (pis->getCommand()!="")
{
QString cmd = pis->getCommand().c_str();
QString args = pis->getArguments().c_str();
job_list.push_back(
instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
return true;
}
// Load configuration file early so we can abort installation if
// it is not accessible
QString ff;
QFileInfo script_info(cnf->script);
if (script_info.isAbsolute()) ff = cnf->script;
else ff = cnf->wdir + "/" + cnf->script;
QFile data(ff);
if (data.open(QFile::ReadOnly))
{
QTextStream strm(&data);
QString line;
do
{
line = strm.readLine();
config_lines.push_back(line.trimmed());
} while (!strm.atEnd());
} else
{
QMessageBox::critical(
inst_dlg, "Firewall Builder",
tr("Can not read generated script %1").arg(ff),
tr("&Continue"), QString::null,QString::null,
0, 1 );
return false;
}
#ifdef SCP_SUPPORT_FOR_PROCURVE
if (cnf->useSCPForRouter)
{
QMap<QString,QString> all_files;
// readManifest() modifies cnf (assigns cnf->remote_script) !
if (readManifest(cnf->script, &all_files))
{
QMap<QString, QString>::iterator it;
for (it=all_files.begin(); it!=all_files.end(); ++it)
{
QString local_name = it.key();
QString remote_name = it.value();
job_list.push_back(instJob(COPY_FILE, local_name, remote_name));
}
}
QString cmd = getActivationCmd();
job_list.push_back(instJob(ACTIVATE_POLICY, cmd, ""));
} else
{
job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
}
#endif
job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
return true;
}
void FirewallInstallerProcurve::activatePolicy(const QString&, const QString&)
{
QStringList args;
packSSHArgs(args);
if (cnf->verbose) inst_dlg->displayCommand(args);
SSHProcurve *ssh_object = NULL;
ssh_object = new SSHProcurve(inst_dlg,
cnf->fwobj->getName().c_str(),
args,
cnf->pwd,
cnf->epwd,
list<string>());
/*
* TODO:
* the structure of scriptlets (command templates) for PIX and
* IOS is nice and generic, it uses generalized "pre_config"
* and "post_config" hooks in SSHPIX / SSHIOS classes. Need to
* do the same for Unix firewalls.
*/
QString cmd = "";
QStringList pre_config_commands;
QStringList post_config_commands;
string version = cnf->fwobj->getStr("version");
string host_os = cnf->fwobj->getStr("host_OS");
string os_family = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/family");
// installer configlets should be different for each OS, but if
// some OS can use the same script, it will be placed in the file
// under os_family name. For example:
// for PIX configlet is in src/res/configlets/pix_os
// but since fwsm and pix can use the same script and fwsm_os.xml
// declares family as "pix_os", it uses the same configlet.
Configlet pre_config(host_os, os_family, "installer_commands_pre_config");
pre_config.removeComments();
pre_config.setVariable("test", cnf->testRun);
pre_config.setVariable("run", ! cnf->testRun);
pre_config.setVariable("schedule_rollback", cnf->rollback);
pre_config.setVariable("cancel_rollback", cnf->cancelRollbackIfSuccess);
pre_config.setVariable("save_standby", cnf->saveStandby);
replaceMacrosInCommand(&pre_config);
Configlet post_config(host_os, os_family, "installer_commands_post_config");
post_config.removeComments();
post_config.setVariable("test", cnf->testRun);
post_config.setVariable("run", ! cnf->testRun);
post_config.setVariable("schedule_rollback", cnf->rollback);
post_config.setVariable("cancel_rollback", cnf->cancelRollbackIfSuccess);
post_config.setVariable("save_standby", cnf->saveStandby);
replaceMacrosInCommand(&post_config);
ssh_object->loadPreConfigCommands(
pre_config.expand().split("\n", QString::SkipEmptyParts) );
ssh_object->loadPostConfigCommands(
post_config.expand().split("\n", QString::SkipEmptyParts) );
Configlet activation(host_os, os_family, "installer_commands_reg_user");
activation.removeComments();
replaceMacrosInCommand(&activation);
activation.setVariable("using_scp", false);
activation.setVariable("not_using_scp", true);
if ( ! cnf->useSCPForRouter)
{
activation.setVariable("fwbuilder_generated_configuration_lines",
config_lines.join("\n"));
}
ssh_object->loadActivationCommands(
activation.expand().split("\n", QString::SkipEmptyParts) );
runSSHSession(ssh_object);
return;
}
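Review bot: In activatePolicy the generated configuration lines are attached only when `cnf->useSCPForRouter` is false, yet two lines earlier `using_scp` is hard-wired to false, so a firewall object whose stored `use_scp` option is still true (the option is read into cnf.useSCPForRouter elsewhere in this commit and the dialog appears to only grey the SCP controls out) takes the inline-lines path of the template with an empty body. Since this installer never uses scp, drop the condition and set the variable unconditionally: `activation.setVariable("fwbuilder_generated_configuration_lines", config_lines.join("\n"));`. In packInstallJobsList the `#ifdef SCP_SUPPORT_FOR_PROCURVE` block already pushes ACTIVATE_POLICY in both of its branches, so the unconditional push after `#endif` would queue activation twice if that macro is ever defined; make it the `#else` branch instead. `config_lines` is also never cleared where `job_list.clear()` is, so a second call on the same installer would resend the whole script; add `config_lines.clear();` next to it.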


@ -0,0 +1,60 @@
/*
Firewall Builder
Copyright (C) 2008 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __FIREWALLINSTALLERPROCURVE_H_
#define __FIREWALLINSTALLERPROCURVE_H_
#include "../../config.h"
#include "FirewallInstallerCisco.h"
#include <qstring.h>
#include <qstringlist.h>
#include <qprocess.h>
#include <qobject.h>
#include <QStringList>
namespace libfwbuilder
{
class Firewall;
}
class FirewallInstallerProcurve : public FirewallInstallerCisco
{
Q_OBJECT;
public:
FirewallInstallerProcurve(instDialog *_dlg, instConf *_cnf, const QString &_p);
virtual bool packInstallJobsList(libfwbuilder::Firewall*);
virtual void activatePolicy(const QString &script, const QString &args);
};
#endif
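Review bot: The class declaration has no comment saying what it changes relative to FirewallInstallerCisco, which matters because the only visible differences are in the two overridden methods; add above the class `// Installer for HP ProCurve switches: sends the generated configuration line by line over ssh; the scp copy path is compiled out.` The header includes QStringList twice, once as the Qt3 compatibility header `qstringlist.h` and once as `<QStringList>`; one form suffices, and `qprocess.h` does not appear to be needed by anything declared here.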


@ -88,6 +88,8 @@ SSHCisco::SSHCisco(QWidget *_par,
errorsEnabledState.push_back("An object-group with the same id but different type");
local_event_loop = new QEventLoop();
comment_symbol = '!';
}
void SSHCisco::loadPreConfigCommands(const QStringList &cl)
@ -140,9 +142,18 @@ bool SSHCisco::checkForErrors()
switch (state)
{
case LOGGEDIN: errptr= &errorsLoggedin; break;
case ENABLE: errptr= &errorsEnabledState; break;
default: errptr= &errorsInit; break;
case LOGGEDIN:
case WAITING_FOR_ENABLE:
errptr = &errorsLoggedin;
break;
case ENABLE:
errptr = &errorsEnabledState;
break;
default:
errptr = &errorsInit;
break;
}
for (QStringList::const_iterator i=errptr->begin();
@ -185,6 +196,7 @@ void SSHCisco::stateMachine()
proc->write( (pwd + "\n").toAscii() );
break;
}
/* we may get to LOGGEDIN state directly from NONE, for example when
* password is supplied on command line to plink.exe
*/
@ -395,25 +407,27 @@ void SSHCisco::stateMachine()
do {
s = activation_commands.front();
activation_commands.pop_front();
} while (stripComments && s[0]=='!');
emit updateProgressBar_sign(activation_commands.size(),false);
emit updateProgressBar_sign(activation_commands.size(),false);
s.replace('\"','\'');
s.replace('\"','\'');
if (!verbose)
{
QString rl="";
if (s.indexOf("! Rule ")!=-1) rl=s.mid(7);
if ( !rl.isEmpty())
if (!quiet)
{
emit printStdout_sign( tr("Rule %1").arg(rl) + "\n" );
QString rl="";
if (s.indexOf(QString("%1 Rule ").arg(comment_symbol)) != -1)
rl = s.mid(7);
if ( !rl.isEmpty())
{
emit printStdout_sign( tr("Rule %1").arg(rl) + "\n" );
}
}
}
} while (stripComments && s[0] == comment_symbol);
sendCommand(s);
break;
} else
{
/* activation_commands.size()==0 */
@ -442,7 +456,7 @@ void SSHCisco::stateMachine()
}
stdoutBuffer="";
state=EXIT;
state = EXIT;
proc->write( "exit\n");
}
break;
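Review bot: The rewritten comment-skipping loop in stateMachine (the hunk at @ -395) pops from activation_commands until it finds a non-comment line but never re-checks that the list is still non-empty, so when every remaining line is a comment the next iteration calls `front()` on an empty QStringList; the old loop had the same shape, but this hunk reorganises it and is the place to fix it. The enclosing `if (activation_commands.size()>0) ... else` and the rest of the state machine lie outside the hunk, so the "only comments were left" case has to be routed to whatever the else branch does; the sketch below removes the empty-list access and leaves that routing as the one remaining decision. `s[0]` on an empty string is also worth guarding with `!s.isEmpty()`, since a blank line in the script would otherwise be compared through an out-of-range index.
```cpp
if (activation_commands.size() > 0)
{
    // drop leading comment lines without calling front() on an empty list
    while (stripComments && !activation_commands.isEmpty()
           && !activation_commands.front().isEmpty()
           && activation_commands.front()[0] == comment_symbol)
        activation_commands.pop_front();
    if (activation_commands.isEmpty())
    {
        // TODO: only comments were left; handle exactly like the
        // "activation_commands.size()==0" else branch below (outside this hunk)
    }
    s = activation_commands.front();
    activation_commands.pop_front();
    emit updateProgressBar_sign(activation_commands.size(), false);
    s.replace('\"','\'');
    // … unchanged: "Rule N" progress output under !quiet …
    sendCommand(s);
    break;
}
```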


@ -59,6 +59,8 @@ protected:
QStringList pre_config_commands;
QStringList post_config_commands;
QStringList activation_commands;
char comment_symbol;
public:
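Review bot: The new member is a bare `char` with no comment and no in-class initialiser, so its meaning depends on reading two constructors; document it at the declaration: `char comment_symbol; // leading character of a comment line in the generated config ('!' for IOS/PIX, ';' for ProCurve); lines starting with it are skipped when stripComments is set`. Giving it a default here (`char comment_symbol = '!';` if the compiler baseline allows it, otherwise a note that every constructor must set it) would also protect any future subclass that forgets to.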

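--- a/src/gui/SSHProcurve.cpp
+++ b/src/gui/SSHProcurve.cpp
@@ -0,0 +1,192 @@
+/*
+Firewall Builder
+Copyright (C) 2003 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+$Id$
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#include "../../config.h"
+#include "global.h"
+#include "SSHProcurve.h"
+#include <QtDebug>
+using namespace std;
+/*
+* HP "normal" prompt looks something like this:
+*
+* ProCurve Switch 3500-24> [
+*
+* Enable password prompt also uses ansi codes:
+* Password: [?25h[?25h[?25l
+*
+* once in enable mode, the prompt looks like this:
+*
+* ProCurve Switch 3500-24# ^[[24;1H^[[24;26H^[[24;1H^[[?25h^[[24;26H
+*
+* but we clear all ANSI sequences in SSHSession::readFromStdout()
+*/
+SSHProcurve::SSHProcurve(QWidget *_par,
+const QString &_h,
+const QStringList &args,
+const QString &_p,
+const QString &_ep,
+const std::list<std::string> &_in) :
+SSHCisco(_par,_h,args,_p,_ep,_in)
+{
+normal_prompt = "> *$";
+enable_prompt = "# *$"; // matches config prompt too
+epwd_prompt = "Password: *$";
+hp_greeting_prompt = "Press any key to continue *$";
+pwd_prompt_1 = "'s password: $";
+pwd_prompt_2 = "Password: ";
+comment_symbol = ';';
+errorsLoggedin.push_back("Unable to verify password");
+}
+SSHProcurve::~SSHProcurve()
+{
+}
+// Procurve state machine needs to be able to deal with
+// "reload after ... " command
+void SSHProcurve::stateMachine()
+{
+if (checkForErrors()) return;
+switch (state)
+{
+case NONE:
+/*
+* Procurve prints a full page greeting right after it accepts user password
+* and provides prompt "Press any key to continue". Press "any key" to
+* proceed.
+*/
+if (cmpPrompt(stdoutBuffer, QRegExp(hp_greeting_prompt)))
+{
+stdoutBuffer="";
+proc->write("\n");
+break;
+} else
+SSHCisco::stateMachine();
+break;
+case SCHEDULE_RELOAD_DIALOG:
+if ( cmpPrompt(stdoutBuffer,
+QRegExp("Do you want to save current configuration [y/n]?")) )
+{
+stdoutBuffer="";
+proc->write( "no\n" );
+break;
+}
+if ( cmpPrompt(
+stdoutBuffer,
+QRegExp("System will be rebooted at the scheduled time .*Do you want to continue [y/n]? ")) )
+{
+stdoutBuffer="";
+proc->write( "y\n" );
+state = ENABLE;
+break;
+}
+break;
+case PUSHING_CONFIG:
+if ( cmpPrompt(stdoutBuffer, QRegExp("Destination filename [.*]?")) )
+{
+stdoutBuffer="";
+proc->write("\n"); // accept default file name
+} else
+SSHCisco::stateMachine();
+break;
+case EXIT_FROM_CONFIG:
+if ( cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)) )
+{
+/*
+* Execute post_config_commands
+*/
+if (post_config_commands.size()>0)
+{
+stdoutBuffer = "";
+QString cmd = post_config_commands.front();
+post_config_commands.pop_front();
+sendCommand(cmd);
+break;
+}
+stdoutBuffer="";
+state = EXIT;
+// Use command "logout" to log out from enable mode
+// instead of exit, which exits to normal mode.
+proc->write( "logout\n");
+}
+break;
+case EXIT:
+if ( cmpPrompt(stdoutBuffer,QRegExp("Do you want to log out [y/n]?")) )
+{
+stdoutBuffer="";
+proc->write("y\n"); // accept default file name
+state = FINISH;
+}
+break;
+default:
+SSHCisco::stateMachine();
+break;
+}
+}
+/*
+* for some reason ssh session to a ProCurve always finishes with
+* return code 255
+*/
+void SSHProcurve::finished(int retcode)
+{
+if (fwbdebug) qDebug("SSHProcurve::processExited proc=%p retcode=%d",
+proc, retcode);
+// background process has exited now, we do not need proc object anymore
+cleanUp();
+QString exitStatus = (retcode)?QObject::tr("ERROR"):QObject::tr("OK");
+emit printStdout_sign(tr("SSH session terminated, exit status: %1").
+arg(retcode) + "\n");
+// ignoring return code, this is different from SSHSession
+sessionComplete(false);
+if (fwbdebug) qDebug("SSHProcurve::processExited done");
+}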
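Review bot: finished() reports every session as successful (`sessionComplete(false)`) because the switch always exits with 255, but that also hides the cases where ssh itself failed before a prompt was ever seen or the state machine never reached FINISH, unless one of the error patterns happens to catch them; the unused `exitStatus` string shows the code once intended to care. Since the EXIT case sets `state = FINISH` only after the logout confirmation, `sessionComplete(state != FINISH);` — or a success flag raised at that transition, if the device can also drop the session without asking — keeps the exit-code quirk from masking real failures. Separately, the QRegExp prompts in SCHEDULE_RELOAD_DIALOG, PUSHING_CONFIG and EXIT contain `[y/n]?` and `[.*]?` unescaped, which the regex engine reads as an optional character class rather than the literal text, so they only match the prompt's prefix by accident; write them as `\\[y/n\\]\\?` and `\\[.*\\]\\?`. The comment `// accept default file name` on the `y` sent in the EXIT case is copied from PUSHING_CONFIG and should read `// confirm logout`.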

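--- a/src/gui/SSHProcurve.h
+++ b/src/gui/SSHProcurve.h
@@ -0,0 +1,60 @@
+/*
+Firewall Builder
+Copyright (C) 2003 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+$Id$
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#ifndef __SSHPROCURVE_H_
+#define __SSHPROCURVE_H_
+#include "../../config.h"
+#include "global.h"
+#include "SSHCisco.h"
+#include <QString>
+class SSHProcurve : public SSHCisco {
+Q_OBJECT;
+QString hp_greeting_prompt;
+public:
+SSHProcurve(QWidget *parent,
+const QString &host,
+const QStringList &args,
+const QString &pwd,
+const QString &epwd,
+const std::list<std::string> &in);
+virtual ~SSHProcurve();
+virtual void stateMachine();
+public slots:
+virtual void finished( int code );
+};
+#endif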


@ -101,7 +101,7 @@ SSHSession::SSHSession(QWidget *_par,
incremental=false;
dry_run=false;
testRun=false;
stripComments=false;
stripComments = false;
wdir="";
script="";
backupFile="";
@ -245,6 +245,13 @@ void SSHSession::setOptions(instConf *cnf)
setSaveDiff(cnf->save_diff);
setDiffPgm(cnf->diff_pgm);
setDiffFile(cnf->diff_file);
// do not send comments to cisco and procurve devices
// We used to provide an option for this on instOptions dialog but
// it has been disabled. Possibly we'll re-enable it in the future, but
// it seems wasteful to send comments to devices. Besides, Procurve
// does not like it anyway.
stripComments = true;
}
void SSHSession::terminate()
@ -507,8 +514,8 @@ void SSHSession::stopHeartBeat()
void SSHSession::heartBeat()
{
if (fwbdebug)
qDebug() << "SSHSession::heartBeat begin" << QTime::currentTime().toString();
// if (fwbdebug)
// qDebug() << "SSHSession::heartBeat begin" << QTime::currentTime().toString();
if (send_keepalive) proc->write("\n");
readFromStderr();
readFromStdout();
@ -517,8 +524,8 @@ void SSHSession::heartBeat()
allDataSent();
endOfCopy = false;
}
if (fwbdebug)
qDebug() << "SSHSession::heartBeat end " << QTime::currentTime().toString();
// if (fwbdebug)
// qDebug() << "SSHSession::heartBeat end " << QTime::currentTime().toString();
}
void SSHSession::readFromStdout()
@ -530,15 +537,31 @@ void SSHSession::readFromStdout()
if (proc)
{
QByteArray ba = proc->readAllStandardOutput();
int basize = ba.size();
if (basize==0) return;
QString buf(ba);
/* regex to match minimal set of ANSI terminal codes used by HP Procurve
* and Linux if shell prompt is configured to show colors.
*
* Matches ESC [ n ; m H (move cursor to position), ESC ? 25 l and ESC ? 25 h
* (hide and show cursor) and a few others
*/
QRegExp suppress_ansi_codes(
"\x1B\\[((\\d*A)|(\\d*B)|(\\d*C)|(\\d*D)|(\\d*G)|(\\?\\d+l)|(\\d*J)|(2K)|(\\d*;\\d*[fHmr])|(\\?25h)|(\\?25l))");
QRegExp cursor_next_line("\x1B\\d*E");
while (buf.indexOf(suppress_ansi_codes) != -1)
buf.replace(suppress_ansi_codes, "");
buf.replace(cursor_next_line, "\n");
stdoutBuffer.append(buf);
if (fwbdebug) qDebug() << buf;
if (fwbdebug) qDebug() << buf.toAscii().constData() << "\n";
bool endsWithLF = buf.endsWith("\n");
QString lastLine = "";
@ -631,14 +654,8 @@ void SSHSession::sessionComplete(bool err)
if (fwbdebug) qDebug("SSHSession::sessionComplete done");
}
void SSHSession::finished(int retcode)
void SSHSession::cleanUp()
{
if (fwbdebug) qDebug("SSHSession::processExited");
if (fwbdebug) qDebug("SSHSession::processExited proc=%p retcode=%d",
proc, retcode);
// background process has exited now, we do not need proc object anymore
disconnect(proc, SIGNAL(readyReadStandardOutput()),
this, SLOT(readFromStdout() ) );
disconnect(proc, SIGNAL(readyReadStandardError()),
@ -648,16 +665,23 @@ void SSHSession::finished(int retcode)
delete proc;
proc = NULL;
}
QString exitStatus = (retcode)?QObject::tr("ERROR"):QObject::tr("OK");
void SSHSession::finished(int retcode)
{
if (fwbdebug) qDebug("SSHSession::processExited proc=%p retcode=%d",
proc, retcode);
// background process has exited now, we do not need proc object anymore
cleanUp();
//QString exitStatus = (retcode)?QObject::tr("ERROR"):QObject::tr("OK");
emit printStdout_sign(tr("SSH session terminated, exit status: %1")
.arg(retcode) + "\n");
emit printStdout_sign(tr("SSH session terminated, exit status: %1").arg(
retcode) + "\n");
sessionComplete( retcode!=0 );
if (fwbdebug) qDebug("SSHSession::processExited done");
// if (retcode) error=true;
// emit sessionFinished_sign();
}
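Review bot: In readFromStdout the two QRegExp objects are constructed on every call, i.e. for every chunk of device output, although both patterns are constants; hoist them to file scope (`static const QRegExp suppress_ansi_codes("...");`) or make them members initialised once. An escape sequence can also be split across two reads, in which case neither call sees the whole sequence and the fragment reaches stdoutBuffer unfiltered; I cannot tell from this hunk whether the buffer is re-scanned later, so if not, consider holding back an unterminated trailing `\x1B[` fragment until the next chunk. The new cleanUp() would benefit from a one-line comment stating that it disconnects the process signals and deletes `proc`, and whether calling it twice is safe, now that SSHProcurve::finished calls it directly.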
bool SSHSession::cmpPrompt(const QString &str, const QString &prompt)


@ -160,8 +160,9 @@ class SSHSession : public QObject {
protected:
void sendCommand(const QString &cmd);
virtual void sendCommand(const QString &cmd);
void cleanUp();
public:
SSHSession(QWidget *parent,
@ -204,13 +205,13 @@ public:
QString findKeyFingerprint(QString &buffer);
public slots:
void readFromStdout();
void readFromStderr();
void finished( int code );
void readyToSend();
void sendLine();
void allDataSent();
void heartBeat();
virtual void readFromStdout();
virtual void readFromStderr();
virtual void finished( int code );
void readyToSend();
void sendLine();
void allDataSent();
void heartBeat();
signals:


@ -32,6 +32,7 @@ HEADERS += ../../config.h \
SSHCisco.h \
SSHPIX.h \
SSHIOS.h \
SSHProcurve.h \
debugDialog.h \
findDialog.h \
longTextDialog.h \
@ -126,6 +127,7 @@ HEADERS += ../../config.h \
instDialog.h \
FirewallInstaller.h \
FirewallInstallerCisco.h \
FirewallInstallerProcurve.h \
FirewallInstallerUnx.h \
newFirewallDialog.h \
newClusterDialog.h \
@ -207,6 +209,7 @@ SOURCES += ProjectPanel.cpp \
SSHCisco.cpp \
SSHPIX.cpp \
SSHIOS.cpp \
SSHProcurve.cpp \
debugDialog.cpp \
findDialog.cpp \
longTextDialog.cpp \
@ -304,6 +307,7 @@ SOURCES += ProjectPanel.cpp \
instDialog_installer.cpp \
FirewallInstaller.cpp \
FirewallInstallerCisco.cpp \
FirewallInstallerProcurve.cpp \
FirewallInstallerUnx.cpp \
newFirewallDialog.cpp \
newFirewallDialog_from_template.cpp \


@ -53,7 +53,7 @@ class instConf {
bool cancelRollbackIfSuccess;
bool saveStandby;
bool batchInstall;
bool useSCPForCisco;
bool useSCPForRouter; // use scp for cisco ios, pix and hp procurve
QString pgm;
QString wdir;


@ -658,10 +658,13 @@ bool instDialog::checkSSHPathConfiguration(Firewall *fw)
bool instDialog::isCiscoFamily()
{
string platform = cnf.fwobj->getStr("platform");
return (platform=="pix" ||
platform=="fwsm" ||
platform=="iosacl" ||
platform=="procurve_acl");
return (platform=="pix" || platform=="fwsm" || platform=="iosacl");
}
bool instDialog::isProcurve()
{
string platform = cnf.fwobj->getStr("platform");
return (platform=="procurve_acl");
}
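Review bot: isCiscoFamily() now excludes procurve_acl, which is what installer selection needs, but any other caller of isCiscoFamily() outside this diff that relied on ProCurve being treated as Cisco-like changes behaviour silently; I cannot see those callers from here, so they are worth a grep. The same platform list is spelled out again as string comparisons in instOptionsDialog in this commit, so a single shared predicate (for example a free function taking the platform string) would keep the two in step when the next platform is added.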
/*


@ -225,6 +225,7 @@ protected:
void findFirewalls();
bool isCiscoFamily();
bool isProcurve();
void interpretLogLine(const QString &buf);


@ -31,6 +31,7 @@
#include "instDialog.h"
#include "FirewallInstallerCisco.h"
#include "FirewallInstallerUnx.h"
#include "FirewallInstallerProcurve.h"
#include "FWBSettings.h"
#include "FWWindow.h"
#include "instOptionsDialog.h"
@ -117,7 +118,12 @@ bool instDialog::runInstaller(Firewall *fw, bool cancelAllVisible)
if (isCiscoFamily())
installer = new FirewallInstallerCisco(this, &cnf, fwb_prompt);
else
installer = new FirewallInstallerUnx(this, &cnf, fwb_prompt);
{
if (isProcurve())
installer = new FirewallInstallerProcurve(this, &cnf, fwb_prompt);
else
installer = new FirewallInstallerUnx(this, &cnf, fwb_prompt);
}
if (!installer->packInstallJobsList(fw))
{
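Review bot: The `else { if (isProcurve()) ... else ... }` nesting adds a level where a plain chain reads better: `else if (isProcurve()) installer = new FirewallInstallerProcurve(this, &cnf, fwb_prompt);` followed by `else installer = new FirewallInstallerUnx(this, &cnf, fwb_prompt);`. The selection is also only correct because isCiscoFamily() no longer includes procurve_acl, which is decided in another file; a one-line comment here (`// procurve_acl is deliberately not part of isCiscoFamily()`) would stop someone from re-adding it and silently routing ProCurve through the Cisco installer.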


@ -735,10 +735,6 @@ void instDialog::saveLog()
*/
void instDialog::addToLog(const QString &buf)
{
// if (fwbdebug)
// qDebug() << "instDialog::addToLog" << QTime::currentTime().toString()
// << "buf.size()=" << buf.size();
if (buf.isEmpty()) return;
foreach(QString line, buf.trimmed().split("\n"))
@ -764,10 +760,6 @@ void instDialog::addToLog(const QString &buf)
}
}
// if (fwbdebug)
// qDebug() << "instDialog::addToLog" << QTime::currentTime().toString()
// << "errors and warnings scan done";
/* See sourceforge bug https://sourceforge.net/tracker/?func=detail&aid=2847263&group_id=5314&atid=1070394
*
* QTextEditor::insertHtml() becomes incrementally slow as the
@ -1196,7 +1188,7 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
#endif
cnf.sshArgs = fwopt->getStr("sshArgs").c_str();
cnf.scpArgs = fwopt->getStr("scpArgs").c_str();
cnf.useSCPForCisco = fwopt->getBool("use_scp");
cnf.useSCPForRouter = fwopt->getBool("use_scp");
cnf.activationCmd = fwopt->getStr("activationCmd").c_str();


@ -131,9 +131,12 @@ instOptionsDialog::instOptionsDialog(QWidget *parent, instConf *_cnf, bool cance
QString platform = cnf->fwobj->getStr("platform").c_str();
string version = cnf->fwobj->getStr("version");
if (platform=="pix" || platform=="fwsm" || platform=="iosacl")
if (platform=="pix" || platform=="fwsm" ||
platform=="iosacl" ||
platform=="procurve_acl" )
{
m_dialog->copyFWB->hide();
if (platform == "iosacl")
{
if (XMLTools::version_compare(version, "12.4") >= 0)
@ -148,7 +151,9 @@ instOptionsDialog::instOptionsDialog(QWidget *parent, instConf *_cnf, bool cance
"Cancel reboot if policy activation was successfull");
}
}
if (platform=="iosacl") m_dialog->PIXgroupBox->hide();
m_dialog->PIXgroupBox->hide();
} else
{
m_dialog->rollback->setText("Schedule reboot in ");
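Review bot: `m_dialog->PIXgroupBox->hide();` now runs for every platform in the list, whereas before it ran only for iosacl, so the PIX group box also disappears for pix and fwsm; if that is intended the commit message does not say so, and if not the old guard should be kept and widened: `if (platform == "iosacl" || platform == "procurve_acl") m_dialog->PIXgroupBox->hide();`. Either way a short comment on that line stating which platforms the group box applies to would make the intent checkable.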


@ -82,6 +82,14 @@ procurveaclAdvancedDialog::procurveaclAdvancedDialog(QWidget *parent,FWObject *o
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
// As of 4.1.0 we do not support scp install method for Procurve
// I could not figure out how to copy configuration to the switch
// even when "ip ssh filetransfer" command has been executed and scp
// seems to work - I ran into problems with file permissions that
// I could not resolve. This will remain a low priority TODO item.
// See also commented out code in FirewallInstallerProcurve.cpp
m_dialog->SCPgroupBox->setEnabled(false);
string vers="version_"+obj->getStr("version");
string platform = obj->getStr("platform"); // should be 'procurve_acl'
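Review bot: Disabling the SCP group box greys the control out but, as far as this hunk shows, does not reset the stored `use_scp` option, which the installer still reads into cnf.useSCPForRouter elsewhere in this commit; a firewall object saved with it set to true before this change keeps that value. Consider also writing the option to false here, or ignoring it in the ProCurve installer, so the disabled UI and the effective setting agree. The new comment could name the guard macro (`SCP_SUPPORT_FOR_PROCURVE`) rather than "commented out code", since that path is compiled out, not commented out.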


@ -13,7 +13,7 @@
{{if cancel_rollback}}
reload cancel
no reload
{{endif}}
{{if run}}


@ -13,10 +13,10 @@
##
terminal width 256
terminal length 0
no page
{{if schedule_rollback}}
reload in {{$rbtimeout}}
reload after {{$rbtimeout}}
{{endif}}


@ -101,29 +101,19 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -2201,7 +2191,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1244751217" lastInstalled="0" lastModified="1269896424" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
<Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1281749780" lastInstalled="0" lastModified="1281750719" platform="iosacl" version="12.1" name="c3620" comment="" ro="False">
<NAT id="id46435A0216989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -2535,6 +2525,7 @@
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -2550,16 +2541,17 @@
<Option name="iosacl_generate_logging_commands">True</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">True</Option>
<Option name="iosacl_logging_buffered_level">5</Option>
<Option name="iosacl_logging_buffered_level">6</Option>
<Option name="iosacl_logging_console">True</Option>
<Option name="iosacl_logging_console_level">5</Option>
<Option name="iosacl_logging_console_level">6</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">True</Option>
<Option name="iosacl_use_object_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
@ -2570,7 +2562,7 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_addr">10.3.14.41</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
@ -2598,6 +2590,7 @@
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>


@ -101,17 +101,29 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -1267,7 +1279,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1251228621" lastInstalled="0" lastModified="1237473586" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
<Firewall id="id19020X65694" host_OS="ios" inactive="True" lastCompiled="1251228621" lastInstalled="0" lastModified="1281852582" platform="iosacl" version="12.1" name="firewall-ipv6-1" comment="" ro="False">
<NAT id="id19428X65694" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -1782,7 +1794,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id10507X97727" host_OS="ios" inactive="False" lastCompiled="1251228623" lastInstalled="0" lastModified="1236920290" platform="iosacl" version="12.x" name="firewall-ipv6-2" comment="" ro="False">
<Firewall id="id10507X97727" host_OS="ios" inactive="True" lastCompiled="1251228623" lastInstalled="0" lastModified="1281852584" platform="iosacl" version="12.1" name="firewall-ipv6-2" comment="" ro="False">
<NAT id="id10713X97727" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -2297,7 +2309,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id12133X53662" host_OS="ios" inactive="False" lastCompiled="1251228625" lastInstalled="0" lastModified="1237437327" platform="iosacl" version="12.x" name="firewall-ipv6-3" comment="test &quot;safety net&quot; install in case when there are many rulesets" ro="False">
<Firewall id="id12133X53662" host_OS="ios" inactive="True" lastCompiled="1251228625" lastInstalled="0" lastModified="1281852587" platform="iosacl" version="12.1" name="firewall-ipv6-3" comment="test &quot;safety net&quot; install in case when there are many rulesets" ro="False">
<NAT id="id12339X53662" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>