diff --git a/src/compiler_lib/CompilerDriver.cpp b/src/compiler_lib/CompilerDriver.cpp index 96b1688d2..3e224bfd3 100644 --- a/src/compiler_lib/CompilerDriver.cpp +++ b/src/compiler_lib/CompilerDriver.cpp @@ -634,7 +634,8 @@ QString CompilerDriver::determineOutputFileName(Cluster *cluster, bool cluster_member, const QString &ext) { - QString current_firewall_name = current_fw->getName().c_str(); + QString current_firewall_name = QString::fromUtf8( + current_fw->getName().c_str()); if (!cluster_member) { // standalone firewall diff --git a/src/libgui/pfAdvancedDialog.cpp b/src/libgui/pfAdvancedDialog.cpp index 1153059d2..6fd1ab48f 100644 --- a/src/libgui/pfAdvancedDialog.cpp +++ b/src/libgui/pfAdvancedDialog.cpp @@ -49,6 +49,7 @@ #include #include #include +#include using namespace std; 
@@ -80,12 +81,46 @@ pfAdvancedDialog::pfAdvancedDialog(QWidget *parent,FWObject *o) m_dialog->pf_fw_dir->setEnabled(false); fwopt->setStr("firewall_dir",""); } - data.registerOption(m_dialog->ipv4before, fwopt, "ipv4_6_order", QStringList() << "IPv4 before IPv6" <<"ipv4_first" << "IPv6 before IPv4" << "ipv6_first"); + + // see #1888: we now support rc.conf format for the output + // Set variables for backwards compatibility for users who configured + // custom name for the output .fw script before. + + if (!fwopt->getBool("generate_shell_script") && + !fwopt->getBool("generate_rc_conf_file")) + { + fwopt->setBool("generate_shell_script", true); + } + + QString init_script_name = fwopt->getStr("output_file").c_str(); + QString conf_file_name = fwopt->getStr("conf_file").c_str(); + if (!init_script_name.isEmpty() && conf_file_name.isEmpty()) + { + QFileInfo fi(init_script_name); + if (fi.isRelative()) + { + conf_file_name = QString(fi.completeBaseName() + ".conf"); + } else + { + conf_file_name = QString(fi.path() + "/" + + fi.completeBaseName() + ".conf"); + } + fwopt->setStr("conf_file", conf_file_name.toStdString()); + } + + data.registerOption(m_dialog->ipv4before, fwopt, + "ipv4_6_order", + QStringList() << "IPv4 before IPv6" + <<"ipv4_first" + << "IPv6 before IPv4" + << "ipv6_first"); data.registerOption( m_dialog->pf_log_prefix,fwopt, "log_prefix"); data.registerOption( m_dialog->pf_fallback_log,fwopt, "fallback_log"); - data.registerOption( m_dialog->pf_do_timeout_interval,fwopt,"pf_do_timeout_interval"); - data.registerOption( m_dialog->pf_timeout_interval,fwopt, "pf_timeout_interval"); + data.registerOption( m_dialog->pf_do_timeout_interval, fwopt, + "pf_do_timeout_interval"); + data.registerOption( m_dialog->pf_timeout_interval, fwopt, + "pf_timeout_interval"); data.registerOption( m_dialog->pf_do_timeout_frag,fwopt, "pf_do_timeout_frag"); data.registerOption( m_dialog->pf_timeout_frag,fwopt, "pf_timeout_frag"); data.registerOption( 
m_dialog->pf_do_limit_frags,fwopt, "pf_do_limit_frags"); 
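Review bot: The two new reads in the @@ -80 hunk, `QString init_script_name = fwopt->getStr("output_file").c_str();` and `QString conf_file_name = fwopt->getStr("conf_file").c_str();`, rely on the implicit const char* conversion, while the same commit switches the equivalent reads in CompilerDriver.cpp and CompilerDriver_pf_run.cpp to `QString::fromUtf8(...)`, so a non-ASCII file name would be decoded differently in the dialog than in the compiler. Use `QString::fromUtf8(fwopt->getStr("output_file").c_str())` and `QString::fromUtf8(fwopt->getStr("conf_file").c_str())` here, and note that `conf_file_name.toStdString()` on the write-back may also be lossy for non-Latin-1 names depending on the Qt version. The derivation of the .conf name from the script name (completeBaseName + ".conf", directory kept only for absolute paths) is written out here, again in CompilerDriver_pf::run and in a third form in getConfFileName; one shared helper would keep the GUI preview and the compiler from drifting apart. Since these `setBool`/`setStr` calls run in the constructor, they presumably modify the options object even if the dialog is later cancelled — worth confirming that is intended.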
@@ -184,45 +219,76 @@ pfAdvancedDialog::pfAdvancedDialog(QWidget *parent,FWObject *o) data.registerOption( m_dialog->compiler,fwopt, "compiler"); data.registerOption( m_dialog->compilerArgs,fwopt, "cmdline"); + + data.registerOption( m_dialog->generateShellScript, fwopt, + "generate_shell_script"); + data.registerOption( m_dialog->generateRcConfFile, fwopt, + "generate_rc_conf_file"); + data.registerOption( m_dialog->outputFileName, fwopt, "output_file"); - data.registerOption( m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall"); - data.registerOption( m_dialog->confFileNameOnFw, fwopt, "conf_file_name_on_firewall"); + data.registerOption( m_dialog->confFileName, fwopt, "conf_file"); + + data.registerOption( m_dialog->fileNameOnFw, fwopt, + "script_name_on_firewall"); + data.registerOption( m_dialog->confFileNameOnFw, fwopt, + "conf_file_name_on_firewall"); data.registerOption( m_dialog->mgmt_ssh,fwopt, "mgmt_ssh"); data.registerOption( m_dialog->mgmt_addr,fwopt, "mgmt_addr"); data.registerOption( m_dialog->pf_set_tcp_first, fwopt, "pf_set_tcp_first"); data.registerOption( m_dialog->pf_tcp_first, fwopt, "pf_tcp_first"); - data.registerOption( m_dialog->pf_set_tcp_opening, fwopt, "pf_set_tcp_opening"); + data.registerOption( m_dialog->pf_set_tcp_opening, fwopt, + "pf_set_tcp_opening"); data.registerOption( m_dialog->pf_tcp_opening, fwopt, "pf_tcp_opening"); - data.registerOption( m_dialog->pf_set_tcp_established, fwopt, "pf_set_tcp_established"); - data.registerOption( m_dialog->pf_tcp_established, fwopt, "pf_tcp_established"); - data.registerOption( m_dialog->pf_set_tcp_closing, fwopt, "pf_set_tcp_closing"); + data.registerOption( m_dialog->pf_set_tcp_established, fwopt, + "pf_set_tcp_established"); + data.registerOption( m_dialog->pf_tcp_established, fwopt, + "pf_tcp_established"); + data.registerOption( m_dialog->pf_set_tcp_closing, fwopt, + "pf_set_tcp_closing"); data.registerOption( m_dialog->pf_tcp_closing, fwopt, "pf_tcp_closing"); - 
data.registerOption( m_dialog->pf_set_tcp_finwait, fwopt, "pf_set_tcp_finwait"); - data.registerOption( m_dialog->pf_tcp_finwait, fwopt, "pf_tcp_finwait"); - data.registerOption( m_dialog->pf_set_tcp_closed, fwopt, "pf_set_tcp_closed"); - data.registerOption( m_dialog->pf_tcp_closed, fwopt, "pf_tcp_closed"); - data.registerOption( m_dialog->pf_set_udp_first, fwopt, "pf_set_udp_first"); - data.registerOption( m_dialog->pf_udp_first, fwopt, "pf_udp_first"); - data.registerOption( m_dialog->pf_set_udp_single, fwopt, "pf_set_udp_single"); + data.registerOption( m_dialog->pf_set_tcp_finwait, fwopt, + "pf_set_tcp_finwait"); + data.registerOption( m_dialog->pf_tcp_finwait, fwopt, + "pf_tcp_finwait"); + data.registerOption( m_dialog->pf_set_tcp_closed, fwopt, + "pf_set_tcp_closed"); + data.registerOption( m_dialog->pf_tcp_closed, fwopt, + "pf_tcp_closed"); + data.registerOption( m_dialog->pf_set_udp_first, fwopt, + "pf_set_udp_first"); + data.registerOption( m_dialog->pf_udp_first, fwopt, + "pf_udp_first"); + data.registerOption( m_dialog->pf_set_udp_single, fwopt, + "pf_set_udp_single"); data.registerOption( m_dialog->pf_udp_single, fwopt, "pf_udp_single"); - data.registerOption( m_dialog->pf_set_udp_multiple, fwopt, "pf_set_udp_multiple"); + data.registerOption( m_dialog->pf_set_udp_multiple, fwopt, + "pf_set_udp_multiple"); data.registerOption( m_dialog->pf_udp_multiple, fwopt, "pf_udp_multiple"); - data.registerOption( m_dialog->pf_set_icmp_first, fwopt, "pf_set_icmp_first"); + data.registerOption( m_dialog->pf_set_icmp_first, fwopt, + "pf_set_icmp_first"); data.registerOption( m_dialog->pf_icmp_first, fwopt, "pf_icmp_first"); - data.registerOption( m_dialog->pf_set_icmp_error, fwopt, "pf_set_icmp_error"); + data.registerOption( m_dialog->pf_set_icmp_error, fwopt, + "pf_set_icmp_error"); data.registerOption( m_dialog->pf_icmp_error, fwopt, "pf_icmp_error"); - data.registerOption( m_dialog->pf_set_other_first, fwopt, "pf_set_other_first"); + data.registerOption( 
m_dialog->pf_set_other_first, fwopt, + "pf_set_other_first"); data.registerOption( m_dialog->pf_other_first, fwopt, "pf_other_first"); - data.registerOption( m_dialog->pf_set_other_single, fwopt, "pf_set_other_single"); + data.registerOption( m_dialog->pf_set_other_single, fwopt, + "pf_set_other_single"); data.registerOption( m_dialog->pf_other_single, fwopt, "pf_other_single"); - data.registerOption( m_dialog->pf_set_other_multiple, fwopt, "pf_set_other_multiple"); - data.registerOption( m_dialog->pf_other_multiple, fwopt, "pf_other_multiple"); + data.registerOption( m_dialog->pf_set_other_multiple, fwopt, + "pf_set_other_multiple"); + data.registerOption( m_dialog->pf_other_multiple, fwopt, + "pf_other_multiple"); - data.registerOption( m_dialog->pf_set_adaptive, fwopt, "pf_set_adaptive"); - data.registerOption( m_dialog->pf_adaptive_start, fwopt, "pf_adaptive_start"); - data.registerOption( m_dialog->pf_adaptive_end, fwopt, "pf_adaptive_end"); + data.registerOption( m_dialog->pf_set_adaptive, fwopt, + "pf_set_adaptive"); + data.registerOption( m_dialog->pf_adaptive_start, fwopt, + "pf_adaptive_start"); + data.registerOption( m_dialog->pf_adaptive_end, fwopt, + "pf_adaptive_end"); PolicyInstallScript *pis = mgmt->getPolicyInstallScript(); diff --git a/src/libgui/pfadvanceddialog_q.ui b/src/libgui/pfadvanceddialog_q.ui index 0e7e58f0f..3f9e67894 100644 --- a/src/libgui/pfadvanceddialog_q.ui +++ b/src/libgui/pfadvanceddialog_q.ui @@ -10,7 +10,7 @@ 0 0 700 - 550 + 743 @@ -100,7 +100,7 @@ Compiler - + @@ -114,7 +114,7 @@ - + 
@@ -124,230 +124,7 @@ - - - - Generated script (.fw file) and configuration (.conf) file can be copied to the firewall machine under different names. If these fields are left blank, the file name does not change. - - - true - - - - - - - Script (.fw) file name on the firewall - - - - - - - - 32767 - 22 - - - - - - - - .conf file name on the firewall - - - - - - - - 32767 - 22 - - - - - - - - - - - true - - - - 0 - - - - - Accept TCP sessions opened prior to firewall restart - - - - - - - - 0 - 0 - - - - Modulate state for all stateful rules (applies only to TCP services) - - - - - - - Optimization: - - - Qt::AlignCenter - - - false - - - - - - - - - - State policy: - - - - - - - States can be bound to interfaces or match packets on any interface. The latter can be useful in case of an assymmetric routing. - - - - - - - Qt::Horizontal - - - - 40 - 20 - - - - - - - - - 0 - 0 - - - - Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule. - - - Detect rule shadowing in policy - - - - - - - - 0 - 0 - - - - If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works! - - - Ignore empty groups in rules - - - - - - - - - - - - - true - - - - 0 - - - - - - 0 - 0 - - - - Always permit ssh access from -the management workstation -with this address: - - - - - - - - 0 - 0 - - - - - 32767 - 22 - - - - - - - - - - - Qt::Vertical - - - - 20 - 11 - - - - - - - - - 32767 - 22 - - - - - + @@ -366,8 +143,8 @@ with this address: - - + + 32767 
@@ -376,35 +153,345 @@ with this address: - - - - - 0 - 0 - + + + + System configuration and firewall initialization script format - - (if left blank, the file name is constructed of the firewall object name and extension ".fw") - - - Qt::AlignVCenter - - - true + + false + + + + + + + shell script with extension .fw + + + + + + + file in rc.conf format + + + + + + + Qt::Horizontal + + + + 208 + 20 + + + + + + + - - - - Output file name: - - - Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter + + + + Names of generated files + + + + + Initialization script name (can be full path): + + + Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter + + + + + + + + 32767 + 22 + + + + + + + + PF configuration file name (can be full path): + + + Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter + + + + + + + + 32767 + 22 + + + + + + + + + 0 + 0 + + + + (if left blank, the file name is constructed of the firewall object name and extension ".fw" or ".conf" depending on the format) + + + Qt::AlignVCenter + + + true + + + + + + + + Names of the files on the firewall + + + false + + + + + + Initialization script (.fw file) and PF configuration file can be copied to the firewall machine under different names. If these fields are left blank, the file name does not change. + + + true + + + + + + + Initialization script name on the firewall + + + + + + + + 32767 + 22 + + + + + + + + PF configuration file name on the firewall + + + + + + + + 32767 + 22 + + + + + + + + + + + + + + false + + + + 9 + + + + + Accept TCP sessions opened prior to firewall restart + + + + + + + + 0 + 0 + + + + Modulate state for all stateful rules (applies only to TCP services) + + + + + + + + 0 + 0 + + + + Shadowing happens because a rule is a superset of +a subsequent rule and any packets potentially matched +by the subsequent rule have already been matched by +the prior rule. 
+ + + Detect rule shadowing + + + + + + + + 0 + 0 + + + + If the option is deactivated, compiler treats empty groups as +an error and aborts processing the policy. If this option is +activated, compiler removes all empty groups from all rule +elements. If rule element becomes 'any' after the last empty +group has been removed, the whole rule will be ignored. Use +this option only if you fully understand how it works! + + + Ignore empty groups + + + + + + + + + + + + Optimization: + + + Qt::AlignCenter + + + false + + + + + + + + + + State policy: + + + + + + + States can be bound to interfaces or match packets +on any interface. The latter can be useful in case of +an assymmetric routing. + + + + + + + Qt::Horizontal + + + + 40 + 20 + + + + + + + + + + + + + 0 + 0 + + + + Always permit ssh access from +the management workstation +with this address: + + + + + + + + 0 + 0 + + + + + 32767 + 22 + + + + + + + + + + Qt::Vertical + + + + 20 + 11 + + + + @@ -583,7 +670,7 @@ with this address: - -1 + 6 @@ -2380,29 +2467,24 @@ with this address: + pf_do_scrub tabWidget compiler compilerArgs + generateShellScript + generateRcConfFile + outputFileName + confFileName fileNameOnFw confFileNameOnFw pf_accept_new_tcp_with_no_syn pf_modulate_state + pf_check_shadowing + pf_ignore_empty_groups pf_optimization + pf_state_policy mgmt_ssh mgmt_addr - pf_scrub_no_df - pf_scrub_random_id - pf_scrub_use_minttl - pf_scrub_minttl - pf_scrub_use_maxmss - pf_scrub_maxmss - pf_do_scrub - pf_scrub_reassemble - pf_scrub_fragm_crop - pf_scrub_fragm_drop_ovl - pf_do_limit_frags - pf_limit_frags - pf_do_limit_states pf_limit_states pf_do_limit_src_nodes pf_limit_src_nodes 
@@ -2471,6 +2553,19 @@ with this address: buttonOk buttonCancel buttonHelp + pf_scrub_fragm_drop_ovl + pf_do_limit_frags + pf_scrub_reassemble + pf_scrub_fragm_crop + pf_limit_frags + pf_do_limit_states + pf_scrub_reassemble_tcp + pf_scrub_use_maxmss + pf_scrub_minttl + pf_scrub_maxmss + pf_scrub_no_df + pf_scrub_random_id + pf_scrub_use_minttl diff --git a/src/pflib/CompilerDriver_pf.cpp b/src/pflib/CompilerDriver_pf.cpp index ad738c668..c42f033f6 100644 --- a/src/pflib/CompilerDriver_pf.cpp +++ b/src/pflib/CompilerDriver_pf.cpp 
@@ -68,60 +68,59 @@ CompilerDriver* CompilerDriver_pf::clone() return new_cd; } -string CompilerDriver_pf::getConfFileName(const string &ruleset_name, - const string &fwobjectname, - const string &fw_file_name) +QString CompilerDriver_pf::getConfFileName(const QString &ruleset_name, + const QString &fwobjectname, + const QString &conf_file_name) { - QString conf_file_name; - string suffix = string("-") + ruleset_name; + QString suffix = QString("-") + ruleset_name; if (ruleset_name == "__main__") suffix = ""; - if (fw_file_name.empty()) + if (conf_file_name.isEmpty()) { return fwobjectname + suffix + ".conf"; } QString new_name; - QFileInfo fi(fw_file_name.c_str()); + QFileInfo fi(conf_file_name); if (fi.isRelative()) { - new_name = QString(fi.completeBaseName() + suffix.c_str() + ".conf"); + new_name = QString(fi.completeBaseName() + suffix + ".conf"); } else { - new_name = QString(fi.path() + "/" + fi.completeBaseName() + suffix.c_str() + ".conf"); + new_name = QString(fi.path() + "/" + fi.completeBaseName() + suffix + ".conf"); } - return new_name.toUtf8().constData(); + return new_name; } -string CompilerDriver_pf::getRemoteConfFileName(const string &ruleset_name, - const string &local_conf_name, - const string &remote_fw_name, - const string &remote_conf_name) +QString CompilerDriver_pf::getRemoteConfFileName(const QString &ruleset_name, + const QString &local_conf_name, + const QString &remote_fw_name, + const QString &remote_conf_name) { QString conf_file_name; - string suffix = string("-") + ruleset_name; + QString suffix = QString("-") + ruleset_name; if (ruleset_name == "__main__") suffix = ""; - if (remote_conf_name.empty() && remote_fw_name.empty()) + if (remote_conf_name.isEmpty() && remote_fw_name.isEmpty()) { // local_conf_name may be a relative or absolute path. 
Return // just the file name - QFileInfo fi(local_conf_name.c_str()); - return fi.fileName().toStdString(); + QFileInfo fi(local_conf_name); + return fi.fileName(); } QFileInfo fi; - if (!remote_conf_name.empty()) fi = QFileInfo(remote_conf_name.c_str()); + if (!remote_conf_name.isEmpty()) fi = QFileInfo(remote_conf_name); else - if (!remote_fw_name.empty()) fi = QFileInfo(remote_fw_name.c_str()); + if (!remote_fw_name.isEmpty()) fi = QFileInfo(remote_fw_name); - string new_name = fi.completeBaseName().toStdString() + suffix + ".conf"; + QString new_name = fi.completeBaseName() + suffix + ".conf"; QString path = fi.path(); if (path == ".") return new_name; - else return path.toStdString() + "/" + new_name; + else return path + "/" + new_name; } string CompilerDriver_pf::printTimeout(FWOptions* options, diff --git a/src/pflib/CompilerDriver_pf.h b/src/pflib/CompilerDriver_pf.h index fb55f913e..95d4c7a63 100644 --- a/src/pflib/CompilerDriver_pf.h +++ b/src/pflib/CompilerDriver_pf.h @@ -50,14 +50,16 @@ namespace libfwbuilder { }; -class MapOstringStream : public std::map { +class MapOstringStream : public std::map +{ public: MapOstringStream() {} ~MapOstringStream(); void clear(); }; -class MapTableFactory : public std::map { +class MapTableFactory : public std::map +{ public: MapTableFactory() {} ~MapTableFactory(); @@ -71,14 +73,16 @@ namespace fwcompiler { class CompilerDriver_pf : public CompilerDriver { + QString conf_file_name; + // Note that in the following maps ruleset name will be // "__main__" for both main Policy and NAT rulesets. // map ruleset_name -> conf file name - std::map conf_files; + std::map conf_files; // map ruleset_name -> remote conf file name - std::map remote_conf_files; + std::map remote_conf_files; // map ruleset_name -> generated script // std::map generated_scripts; 
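Review bot: In getConfFileName, `fi.completeBaseName() + suffix + ".conf"` silently replaces whatever extension the user typed into the new "PF configuration file name (can be full path)" field (pf.cfg becomes pf.conf), and the `fi.isRelative()` branch keeps only the base name, so a relative path with a directory component such as sub/pf.conf loses its directory. The sibling getRemoteConfFileName in the same hunk already handles this with a path check; the same shape here would be `QString dir = fi.path();` / `QString base = fi.completeBaseName() + suffix + ".conf";` / `return dir == "." ? base : dir + "/" + base;`. If dropping relative directories is deliberate, a comment on the function saying so, and that the extension is always normalised to .conf, would save the next reader the same question.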
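Review bot: The new member `QString conf_file_name;` in the @@ -71 hunk of CompilerDriver_pf.h has the same name as the third parameter of getConfFileName (`const QString &conf_file_name`, declared in the @@ -104 hunk and defined in CompilerDriver_pf.cpp), so inside that function the parameter shadows the member while run() assigns the member directly; this compiles but is easy to misread and will trip -Wshadow. Renaming the parameter, e.g. `const QString &conf_file_name_arg`, in both the declaration and the definition removes the ambiguity. The member also has no initializer or comment; a one-line comment such as `// value of the "conf_file" option, or derived from fw_file_name in run()` would document where it comes from.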
@@ -104,13 +108,15 @@ protected: std::string routing_script; - std::string getConfFileName(const std::string &ruleset_name, - const std::string &fwobjectname, - const std::string &fw_file_name); - std::string getRemoteConfFileName(const std::string &ruleset_name, - const std::string &local_file_name, - const std::string &remote_fw_file_name, - const std::string &remote_conf_file_name); + QString getConfFileName(const QString &ruleset_name, + const QString &fwobjectname, + const QString &conf_file_name); + + QString getRemoteConfFileName(const QString &ruleset_name, + const QString &local_file_name, + const QString &remote_fw_file_name, + const QString &remote_conf_file_name); + std::string printTimeout(libfwbuilder::FWOptions* options, const std::string &OnOffOption, const std::string &ValOption, diff --git a/src/pflib/CompilerDriver_pf_run.cpp b/src/pflib/CompilerDriver_pf_run.cpp index 986f40ef3..d2f78c438 100644 --- a/src/pflib/CompilerDriver_pf_run.cpp +++ b/src/pflib/CompilerDriver_pf_run.cpp @@ -114,8 +114,8 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw) string pfctl_dbg = (debug)?"-v ":""; QStringList activation_commands; - QString remote_file = remote_conf_files["__main__"].c_str(); - if (remote_file.isEmpty()) remote_file = conf_files["__main__"].c_str(); + QString remote_file = remote_conf_files["__main__"]; + if (remote_file.isEmpty()) remote_file = conf_files["__main__"]; if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file; remote_file = this->escapeFileName(remote_file); 
@@ -123,18 +123,19 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw) composeActivationCommand( fw, pfctl_dbg, "", fw->getStr("version"), remote_file.toStdString())); - for (map::iterator i=conf_files.begin(); + for (map::iterator i=conf_files.begin(); i!=conf_files.end(); ++i) { - QString remote_file = remote_conf_files[i->first].c_str(); - if (remote_file.isEmpty()) remote_file = i->second.c_str(); + QString remote_file = remote_conf_files[i->first]; + if (remote_file.isEmpty()) remote_file = i->second; if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file; remote_file = this->escapeFileName(remote_file); if (i->first != "__main__") activation_commands.push_back( composeActivationCommand( - fw, pfctl_dbg, i->first, fw->getStr("version"), remote_file.toStdString())); + fw, pfctl_dbg, i->first.toStdString(), + fw->getStr("version"), remote_file.toStdString())); } return activation_commands.join("\n"); 
@@ -148,15 +149,16 @@ QString CompilerDriver_pf::assembleManifest(Cluster*, Firewall* fw, bool ) script << MANIFEST_MARKER << "* " << this->escapeFileName(fw_file_info.fileName()); string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall"); - if (!remote_name.empty()) script << " " << this->escapeFileName(remote_name.c_str()); + if (!remote_name.empty()) + script << " " << this->escapeFileName(remote_name.c_str()); script << "\n"; - for (map::iterator i=conf_files.begin(); + for (map::iterator i=conf_files.begin(); i!=conf_files.end(); ++i) { - string ruleset_name = i->first; - QString file_name = QFileInfo(i->second.c_str()).fileName(); - QString remote_file_name = remote_conf_files[ruleset_name].c_str(); + QString ruleset_name = i->first; + QString file_name = QFileInfo(i->second).fileName(); + QString remote_file_name = remote_conf_files[ruleset_name]; script << MANIFEST_MARKER << " " << this->escapeFileName(file_name); if (!remote_file_name.isEmpty() && remote_file_name != file_name) script << " " << this->escapeFileName(remote_file_name); 
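Review bot: The reformatted line `script << " " << this->escapeFileName(remote_name.c_str());` in assembleManifest still converts the script_name_on_firewall option through the implicit const char* conversion, whereas the @@ -269 hunk of run() in this same commit reads the same option with `QString::fromUtf8(...)`. A non-ASCII remote script name would therefore appear in the manifest with a different encoding than in the rest of the generated script; `this->escapeFileName(QString::fromUtf8(remote_name.c_str()))` keeps the two consistent.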
@@ -223,9 +225,25 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster - current_firewall_name = fw->getName().c_str(); + current_firewall_name = QString::fromUtf8(fw->getName().c_str()); - fw_file_name = determineOutputFileName(cluster, fw, !cluster_id.empty(), ".fw"); + fw_file_name = determineOutputFileName( + cluster, fw, !cluster_id.empty(), ".fw"); + + conf_file_name = QString::fromUtf8(options->getStr("conf_file").c_str()); + + if (!fw_file_name.isEmpty() && conf_file_name.isEmpty()) + { + QFileInfo fi(fw_file_name); + if (fi.isRelative()) + { + conf_file_name = QString(fi.completeBaseName() + ".conf"); + } else + { + conf_file_name = QString(fi.path() + "/" + + fi.completeBaseName() + ".conf"); + } + } string firewall_dir = options->getStr("firewall_dir"); if (firewall_dir=="") firewall_dir="/etc/fw"; @@ -269,8 +287,10 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, oscnf->prolog(); - string remote_fw_name = options->getStr("script_name_on_firewall"); - string remote_conf_name = options->getStr("conf_file_name_on_firewall"); + QString remote_fw_name = QString::fromUtf8( + options->getStr("script_name_on_firewall").c_str()); + QString remote_conf_name = QString::fromUtf8( + options->getStr("conf_file_name_on_firewall").c_str()); list all_policies = fw->getByType(Policy::TYPENAME); list all_nat = fw->getByType(NAT::TYPENAME); 
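Review bot: The block in run() that derives `conf_file_name` from `fw_file_name` (QFileInfo, isRelative, completeBaseName + ".conf") is a copy of the block added to the pfAdvancedDialog constructor in this commit, and getConfFileName applies a third variant of the same rule; when one of them changes, the name shown in the dialog and the name the compiler writes will disagree. Extracting a single helper, for example a static `QString defaultConfFileName(const QString &script_file_name)` in CompilerDriver_pf, and calling it from both places would remove the duplication. The enclosing run() function starts and ends outside this hunk, so I cannot see whether `conf_file_name` is reset between compilations; if the driver object is reused via clone(), a stale value from a previous run would be inherited here.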
@@ -345,15 +365,15 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, if (!nat->matchingAddressFamily(policy_af)) continue; - string ruleset_name = nat->getName(); + QString ruleset_name = QString::fromUtf8(nat->getName().c_str()); - if (ruleset_name.find("/*")!=string::npos) + if (ruleset_name.endsWith("/*")) { QString err("The name of the policy ruleset %1" " ends with '/*', assuming it is externally" " controlled and skipping it."); warning(fw, nat, NULL, - err.arg(ruleset_name.c_str()).toStdString()); + err.arg(ruleset_name).toStdString()); continue; } @@ -415,9 +435,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, all_errors.push_back(n.getErrors("").c_str()); conf_files[ruleset_name] = getConfFileName( - ruleset_name, - current_firewall_name.toUtf8().constData(), - fw_file_name.toUtf8().constData()); + ruleset_name, current_firewall_name, conf_file_name); remote_conf_files[ruleset_name] = getRemoteConfFileName( @@ -436,15 +454,15 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, p!=all_policies.end(); ++p ) { Policy *policy = Policy::cast(*p); - string ruleset_name = policy->getName(); + QString ruleset_name = QString::fromUtf8(policy->getName().c_str()); - if (ruleset_name.find("/*")!=string::npos) + if (ruleset_name.endsWith("/*")) { QString err("The name of the policy ruleset %1" " ends with '/*', assuming it is externally" " controlled and skipping it."); warning(fw, policy, NULL, - err.arg(ruleset_name.c_str()).toStdString()); + err.arg(ruleset_name).toStdString()); continue; } @@ -507,9 +525,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, all_errors.push_back(c.getErrors("").c_str()); conf_files[ruleset_name] = getConfFileName( - ruleset_name, - current_firewall_name.toUtf8().constData(), - fw_file_name.toUtf8().constData()); + ruleset_name, current_firewall_name, conf_file_name); remote_conf_files[ruleset_name] = getRemoteConfFileName( ruleset_name, 
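Review bot: The skip test changed from `find("/*") != npos` to `ruleset_name.endsWith("/*")` in the @@ -345 and @@ -436 hunks, but the file-writing loop in the @@ -580 hunk uses `ruleset_name.contains("/*")`, so a ruleset whose name contains "/*" somewhere other than the end is now compiled, gets an entry in conf_files (and therefore a manifest line and an activation command), yet its .conf file is never written. The warning text says "ends with '/*'", so the third site should match: `if (ruleset_name.endsWith("/*")) continue;`. Worth a short comment at one of the three sites stating the convention, since the check is repeated verbatim in the NAT and Policy loops.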
@@ -560,10 +576,10 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, QString buffer; QTextStream pf_str(&buffer); - for (map::iterator fi=generated_scripts.begin(); + for (map::iterator fi=generated_scripts.begin(); fi!=generated_scripts.end(); fi++) { - string ruleset_name = fi->first; + QString ruleset_name = fi->first; ostringstream *strm = fi->second; pf_str << table_factories[ruleset_name]->PrintTables(); pf_str << QString::fromUtf8(strm->str().c_str()); @@ -580,14 +596,14 @@ QString CompilerDriver_pf::run(const std::string &cluster_id, /* * now write generated scripts to files */ - for (map::iterator fi=generated_scripts.begin(); + for (map::iterator fi=generated_scripts.begin(); fi!=generated_scripts.end(); fi++) { - string ruleset_name = fi->first; - QString file_name = conf_files[ruleset_name].c_str(); + QString ruleset_name = fi->first; + QString file_name = conf_files[ruleset_name]; ostringstream *strm = fi->second; - if (ruleset_name.find("/*")!=string::npos) continue; + if (ruleset_name.contains("/*")) continue; file_name = getAbsOutputFileName(file_name); @@ -669,10 +685,10 @@ MapOstringStream::~MapOstringStream() void MapOstringStream::clear() { - std::map::iterator it; + std::map::iterator it; for (it=begin(); it!=end(); ++it) delete it->second; - std::map::clear(); + std::map::clear(); } MapTableFactory::~MapTableFactory() @@ -682,9 +698,9 @@ MapTableFactory::~MapTableFactory() void MapTableFactory::clear() { - std::map::iterator it; + std::map::iterator it; for (it=begin(); it!=end(); ++it) delete it->second; - std::map::clear(); + std::map::clear(); } diff --git a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp index 0ff726e7f..4cd8b96f8 100644 --- a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp +++ b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp 
@@ -134,7 +134,7 @@ void GeneratedScriptTest::ManifestTest_2() QString res = Configlet::findConfigletInFile("top_comment", "pf2.fw"); // find manifest and compare CPPUNIT_ASSERT(res.indexOf("# files: * pf2.fw") != -1); - CPPUNIT_ASSERT(res.indexOf("# files: pf2.conf") != -1); + CPPUNIT_ASSERT(res.indexOf("# files: ipf2-1.conf") != -1); delete objdb; } @@ -210,6 +210,34 @@ void GeneratedScriptTest::ManifestTest_7() delete objdb; } +void GeneratedScriptTest::ManifestTest_8() +{ + /* + * generated .fw and .conf files have different base names + */ + objdb = new FWObjectDatabase(); + runCompiler("test1.fwb", "pf5", "pf5.fw"); + QString res = Configlet::findConfigletInFile("top_comment", "pf5.fw"); + // find manifest and compare + CPPUNIT_ASSERT(res.indexOf("# files: * pf5.fw") != -1); + CPPUNIT_ASSERT(res.indexOf("# files: pf.conf") != -1); + delete objdb; +} + +void GeneratedScriptTest::ManifestTest_9() +{ + /* + * generated .fw and .conf files have different base names + */ + objdb = new FWObjectDatabase(); + runCompiler("test1.fwb", "pf6", "/tmp/pf6.fw"); + QString res = Configlet::findConfigletInFile("top_comment", "/tmp/pf6.fw"); + // find manifest and compare + CPPUNIT_ASSERT(res.indexOf("# files: * /tmp/pf6.fw /etc/fw/pf6.fw") != -1); + CPPUNIT_ASSERT(res.indexOf("# files: /tmp/pf.conf /etc/pf.conf") != -1); + delete objdb; +} + // ************************************************************************ void GeneratedScriptTest::FwCommentTest() @@ -242,7 +270,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2() objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf2.fw") .split(QRegExp("\\s+")).join(" "); - CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf2.conf") != -1); + CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1); delete objdb; } 
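Review bot: ManifestTest_9 writes the generated script to the fixed path "/tmp/pf6.fw", and ActivationCommandsTest_9 in the next hunk reads it back from the same path; a predictable name in a shared, world-writable directory can collide with another user's file or a pre-existing symlink, and two concurrent test runs would clobber each other. A per-run directory from `QDir::tempPath()` or `QTemporaryDir`, or a path under the test's working directory, would isolate the test. The comment on ManifestTest_9 is a copy of the one on ManifestTest_8 ("different base names"), while the case it actually exercises is an absolute output path with a remote conf name; `* .fw file given as an absolute path, .conf keeps its own base name` would describe it.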
@@ -283,4 +311,22 @@ void GeneratedScriptTest::ActivationCommandsTest_7() delete objdb; } +void GeneratedScriptTest::ActivationCommandsTest_8() +{ + objdb = new FWObjectDatabase(); + QString res = Configlet::findConfigletInFile("activation", "pf5.fw") + .split(QRegExp("\\s+")).join(" "); + CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/fw/pf5.conf") != -1); + delete objdb; +} + +void GeneratedScriptTest::ActivationCommandsTest_9() +{ + objdb = new FWObjectDatabase(); + QString res = Configlet::findConfigletInFile("activation", "/tmp/pf6.fw") + .split(QRegExp("\\s+")).join(" "); + CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/fw/pf6.conf") != -1); + delete objdb; +} + diff --git a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.h b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.h index af3464441..c3bace5e0 100644 --- a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.h +++ b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.h @@ -57,6 +57,8 @@ public: void ManifestTest_5(); void ManifestTest_6(); void ManifestTest_7(); + void ManifestTest_8(); + void ManifestTest_9(); void FwCommentTest(); void ActivationCommandsTest_1(); void ActivationCommandsTest_2(); @@ -65,6 +67,8 @@ public: // void ActivationCommandsTest_5(); void ActivationCommandsTest_6(); void ActivationCommandsTest_7(); + void ActivationCommandsTest_8(); + void ActivationCommandsTest_9(); CPPUNIT_TEST_SUITE(GeneratedScriptTest); @@ -91,6 +95,12 @@ public: CPPUNIT_TEST(ManifestTest_7); CPPUNIT_TEST(ActivationCommandsTest_7); + CPPUNIT_TEST(ManifestTest_8); + CPPUNIT_TEST(ActivationCommandsTest_8); + + CPPUNIT_TEST(ManifestTest_9); + CPPUNIT_TEST(ActivationCommandsTest_9); + CPPUNIT_TEST(FwCommentTest); CPPUNIT_TEST_SUITE_END(); diff --git a/src/unit_tests/generatedScriptTestsPF/test1.fwb b/src/unit_tests/generatedScriptTestsPF/test1.fwb index eee0404d1..fb4be7e1e 100644 --- a/src/unit_tests/generatedScriptTestsPF/test1.fwb 
+++ b/src/unit_tests/generatedScriptTestsPF/test1.fwb @@ -1,6 +1,6 @@ - + @@ -143,6 +143,12 @@ + + + + + + @@ -205,6 +211,7 @@ + @@ -442,7 +449,7 @@ - + @@ -466,7 +473,7 @@ - + @@ -507,6 +514,7 @@ + @@ -523,7 +531,7 @@ - + @@ -547,7 +555,7 @@ - + @@ -590,12 +598,14 @@ + + @@ -638,7 +648,7 @@ - + @@ -662,7 +672,7 @@ - + @@ -716,6 +726,7 @@ + @@ -814,7 +825,7 @@ - + @@ -838,7 +849,7 @@ - + @@ -892,6 +903,7 @@ + @@ -990,7 +1002,7 @@ - + @@ -1014,7 +1026,7 @@ - + @@ -1057,12 +1069,14 @@ + + @@ -1103,6 +1117,364 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +