mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 11:17:31 +01:00

* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixes

#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code

fixes #1123, #1124
Vadim Kurland 2010-01-21 03:50:38 +00:00
parent 628b675846
commit df34d27ca0
7 changed files with 210 additions and 68 deletions


@ -1 +1 @@
#define BUILD_NUM 2402
#define BUILD_NUM 2403


@ -1,5 +1,12 @@
2010-01-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printModules): fixes
#1123, #1124: Text label next to the option that translates into
--connlimit-above clause for the iptables "connlimit" module
now matches description in the iptables manual. Added checkbox
that allows the user to add negation to the generated code
(make it ! --connlimit-above NN)
* IOSObjectGroup.cpp (IOSObjectGroup::toString): Refs #1107: first
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;


@ -142,6 +142,8 @@ void RuleOptionsDialog::loadFWObject(FWObject *o)
data.registerOption(m_dialog->ipt_burst, ropt, "limit_burst");
data.registerOption(m_dialog->ipt_connlimit, ropt, "connlimit_value");
data.registerOption(m_dialog->ipt_connlimit_above_not, ropt,
"connlimit_above_not");
data.registerOption(m_dialog->ipt_connlimit_masklen, ropt,
"connlimit_masklen");
@ -347,3 +349,16 @@ void RuleOptionsDialog::cancelChanges()
close();
}
void RuleOptionsDialog::connlimitAboveLabelChange()
{
if (m_dialog->ipt_connlimit_above_not->isChecked())
m_dialog->ipt_connlimit_above_label->setText(
"Match if the number of existing connections is below this "
"(translates into option ! --connlimit-above)");
else
m_dialog->ipt_connlimit_above_label->setText(
"Match if the number of existing connections is above this "
"(translates into option --connlimit-above)");
}
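Review bot: connlimitAboveLabelChange() is wired only to the checkbox's `clicked()` signal, so when loadFWObject restores a rule whose `connlimit_above_not` is already true, the label presumably still reads "above" next to a checked Negate box. Unless the part of loadFWObject outside this hunk already does so, call `connlimitAboveLabelChange();` once the options have been loaded, since a label that contradicts the stored option invites the operator to install the opposite limit. The negated text says "below this", but `! --connlimit-above N` also matches when the count equals N, so "is not above this" would describe the generated rule accurately. Both strings are also passed to setText() without `tr()`, so they cannot be translated.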


@ -61,7 +61,7 @@ public slots:
virtual void loadFWObject(libfwbuilder::FWObject *obj);
virtual void validate(bool*);
virtual void getHelpName(QString*);
virtual void connlimitAboveLabelChange();
};
#endif // __RULEOPTIONSDIALOG_H


@ -40,7 +40,7 @@
<number>0</number>
</property>
<property name="currentIndex" >
<number>2</number>
<number>0</number>
</property>
<widget class="QWidget" name="ipt" >
<layout class="QGridLayout" >
@ -62,7 +62,7 @@
<enum>QTabWidget::Triangular</enum>
</property>
<property name="currentIndex" >
<number>0</number>
<number>3</number>
</property>
<widget class="QWidget" name="tab1" >
<attribute name="title" >
@ -457,75 +457,28 @@
<attribute name="title" >
<string>connlimit</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>12</number>
</property>
<property name="spacing" >
<number>12</number>
</property>
<item row="2" column="2" colspan="2" >
<widget class="QLabel" name="textLabel5_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<layout class="QGridLayout" name="gridLayout_9" >
<item row="0" column="0" >
<widget class="QLabel" name="textLabel3_4" >
<property name="text" >
<string>bit</string>
<string>Module connlimit</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="4" colspan="2" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" >
<widget class="QSpinBox" name="ipt_connlimit_masklen" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximum" >
<number>10000</number>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="textLabel3_3" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<item row="1" column="0" colspan="4" >
<widget class="QLabel" name="ipt_connlimit_above_label" >
<property name="text" >
<string>per network with netmask of </string>
<string>Match if the number of existing connections is above this (translates into option --connlimit-above)</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="3" colspan="2" >
<item row="1" column="4" >
<widget class="QSpinBox" name="ipt_connlimit" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
@ -554,26 +507,87 @@
</property>
</spacer>
</item>
<item row="1" column="0" colspan="3" >
<widget class="QLabel" name="textLabel2_6" >
<item row="1" column="6" >
<widget class="QCheckBox" name="ipt_connlimit_above_not" >
<property name="text" >
<string>Number of allowed connections per client host</string>
<string>Negate</string>
</property>
</widget>
</item>
<item row="1" column="7" >
<spacer name="horizontalSpacer_3" >
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>168</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0" >
<widget class="QLabel" name="textLabel3_3" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>per network with netmask of </string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="0" column="0" >
<widget class="QLabel" name="textLabel3_4" >
<item row="2" column="1" >
<widget class="QSpinBox" name="ipt_connlimit_masklen" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximum" >
<number>10000</number>
</property>
</widget>
</item>
<item row="2" column="2" >
<widget class="QLabel" name="textLabel5_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Minimum" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Module connlimit</string>
<string>bit</string>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="3" colspan="6" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="2" >
<spacer>
<property name="orientation" >
@ -2827,8 +2841,25 @@
</hint>
</hints>
</connection>
<connection>
<sender>ipt_connlimit_above_not</sender>
<signal>clicked()</signal>
<receiver>RuleOptionsDialog_q</receiver>
<slot>connlimitAboveLabelChange()</slot>
<hints>
<hint type="sourcelabel" >
<x>868</x>
<y>105</y>
</hint>
<hint type="destinationlabel" >
<x>566</x>
<y>162</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>changed()</slot>
<slot>connlimitAboveLabelChange()</slot>
</slots>
</ui>
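Review bot: The `ipt_connlimit_masklen` spin box is re-added with `<number>10000</number>` as its maximum, and the compiler writes any value greater than zero straight after `--connlimit-mask`. iptables accepts a prefix length of 0–32 for IPv4 (0–128 for IPv6), so a larger value yields a rule that iptables rejects when the generated script is loaded. Since the widget is being moved anyway, cap it here, e.g. `<number>128</number>`, or range-check the option in the compiler. Separately, the two `currentIndex` edits near the top of the file (apparently 2→0 and 0→3) look like Designer's last-selected tab leaking into the commit; revert them if the dialog is not meant to open on a different tab.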


@ -273,7 +273,10 @@ string PolicyCompiler_ipt::PrintRule::_printModules(PolicyRule *rule)
if (ruleopt!=NULL && (lim=ruleopt->getInt("connlimit_value"))>0)
{
ostr << " -m connlimit --connlimit-above " << lim;
if (ruleopt->getBool("connlimit_above_not"))
ostr << " -m connlimit \\! --connlimit-above " << lim;
else
ostr << " -m connlimit --connlimit-above " << lim;
int ml=ruleopt->getInt("connlimit_masklen");
if (ml>0) ostr << " --connlimit-mask " << ml;
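Review bot: The two new branches differ only in the `\\! ` token, so the `-m connlimit … --connlimit-above` text is now written twice and can drift. A single statement keeps one copy: `ostr << " -m connlimit " << (ruleopt->getBool("connlimit_above_not") ? "\\! " : "") << "--connlimit-above " << lim;`. The emitted `\!` relies on a shell stripping the backslash; if this string can also reach output that no shell processes, the backslash would be passed to iptables literally. Check that against how the rest of _printModules writes negation, which lies outside this hunk.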


@ -19484,7 +19484,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id41D2945B" host_OS="linux24" lastCompiled="1247364023" lastInstalled="1142003872" lastModified="0" platform="iptables" version="" name="firewall29" comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names&#10;" ro="False">
<Firewall id="id41D2945B" host_OS="linux24" lastCompiled="1247364023" lastInstalled="1142003872" lastModified="1264045729" platform="iptables" version="" name="firewall29" comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names&#10;" ro="False">
<NAT id="id41D29482" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id41D29483" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -19568,7 +19568,93 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id41D29478" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
<PolicyRule id="id50714X84264" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="should be --connlimit-above 10&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id41D2945B"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">10</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id380567X84915" disabled="False" group="" log="False" position="4" action="Accept" direction="Inbound" comment="should be ! --connlimit-above 10&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id41D2945B"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">True</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">10</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id41D29478" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>