From e6010add123c04e5a28355d2a311e51bc28b2f76 Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Fri, 2 Jan 2009 00:53:35 +0000
Subject: [PATCH]  only sending keepalive chars to unix firewalls; prperly
 setting installation status to "failure" if user refuses to accept firewall
 host ssh key

---
 build_num                                 |  2 +-
 src/gui/SSHPIX.cpp                        |  6 +++---
 src/gui/SSHSession.cpp                    |  4 +++-
 src/gui/SSHSession.h                      |  1 +
 src/gui/SSHUnx.cpp                        | 21 ++++++++++++---------
 src/gui/instDialog_installer.cpp          |  1 +
 test/pix/objects-for-regression-tests.fwb |  2 +-
 7 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/build_num b/build_num
index fa714f393..aba5b3030 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 728
+#define BUILD_NUM 729
diff --git a/src/gui/SSHPIX.cpp b/src/gui/SSHPIX.cpp
index 99b9f183e..cc4aa7ee1 100644
--- a/src/gui/SSHPIX.cpp
+++ b/src/gui/SSHPIX.cpp
@@ -206,9 +206,9 @@ void SSHPIX::stateMachine()
 
             stopHeartBeat();
 
-            int res =QMessageBox::warning( parent, tr("New RSA key"), msg,
-                                           tr("Yes"), tr("No"), 0,
-                                           0, -1 );
+            int res = QMessageBox::warning( parent, tr("New RSA key"), msg,
+                                            tr("Yes"), tr("No"), 0,
+                                            0, -1 );
 
             if (fwbdebug)
                 qDebug("User said: res=%d", res);
diff --git a/src/gui/SSHSession.cpp b/src/gui/SSHSession.cpp
index d5fd7e783..4a2708c69 100644
--- a/src/gui/SSHSession.cpp
+++ b/src/gui/SSHSession.cpp
@@ -81,6 +81,7 @@ SSHSession::SSHSession(QWidget *_par,
     closeStdin = false;
     error = false;
     endOfCopy = false;
+    send_keepalive = false;
 
     proc = NULL;
     retcode = 0;
@@ -382,12 +383,13 @@ void SSHSession::stopHeartBeat()
 {
     if (fwbdebug) qDebug("SSHSession::stopHeartBeat");
     heartBeatTimer->stop();
+    send_keepalive = false;
 }
 
 void SSHSession::heartBeat()
 {
     if (fwbdebug) qDebug("SSHSession::heartBeat");
-    proc->write("\n");
+    if (send_keepalive) proc->write("\n");
     readFromStderr();
     readFromStdout();
     if (endOfCopy && closeStdin)
diff --git a/src/gui/SSHSession.h b/src/gui/SSHSession.h
index 469824ce5..04cebac82 100644
--- a/src/gui/SSHSession.h
+++ b/src/gui/SSHSession.h
@@ -67,6 +67,7 @@ class SSHSession : public QObject {
     bool       enable;
     bool       configure;
     bool       endOfCopy;
+    bool       send_keepalive;
     
     enum State { NONE,
                  LOGGEDIN,
diff --git a/src/gui/SSHUnx.cpp b/src/gui/SSHUnx.cpp
index 0cb2f6c59..568171ff4 100644
--- a/src/gui/SSHUnx.cpp
+++ b/src/gui/SSHUnx.cpp
@@ -151,18 +151,20 @@ void SSHUnx::stateMachine()
             proc->write( "\n" );
             break;
         }
-/* we may get to LOGGEDIN state directly from NONE, for example when
- * password is supplied on command line to plink.exe
- */
+        // we may get to LOGGEDIN state directly from NONE, for
+        // example when password is supplied on command line to
+        // plink.exe
         if (cmpPrompt(stdoutBuffer,normal_prompt) ||
             cmpPrompt(stdoutBuffer,fwb_prompt))
         {
-            state=PUSHING_CONFIG;
+            state = PUSHING_CONFIG;
+            // start sending keepalive chars (just "\n", done in
+            // SSHSession::heartBeat()) to keep session alive and to
+            // force firewall to restore session state after policy
+            // has been reloaded  and state possibly purged.
+            send_keepalive = true;
             if (!quiet) emit printStdout_sign( tr("Logged in") + "\n" );
-            if (fwbdebug)
-                qDebug("SSHUnx::stateMachine logged in");
-//            proc->write( "\n" );
-//            stdoutBuffer="";
+            if (fwbdebug) qDebug("SSHUnx::stateMachine logged in");
             goto push_files;
         }
 
@@ -242,7 +244,8 @@ void SSHUnx::stateMachine()
 
 /* we get to this state when previous ssh or scp command terminates */
     case FINISH:
-        if ( (proc->state()==QProcess::NotRunning) && (proc->exitStatus()==QProcess::NormalExit))
+        if ( (proc->state()==QProcess::NotRunning) &&
+             (proc->exitStatus()==QProcess::NormalExit))
         {
             emit printStdout_sign( "\n");
             emit printStdout_sign( tr("Done") );
diff --git a/src/gui/instDialog_installer.cpp b/src/gui/instDialog_installer.cpp
index 3514214fe..b325177c8 100644
--- a/src/gui/instDialog_installer.cpp
+++ b/src/gui/instDialog_installer.cpp
@@ -189,5 +189,6 @@ void instDialog::installerError()
     opError(cnf.fwobj);
     currentProgressBar->setValue(currentProgressBar->maximum());
     QTimer::singleShot( 0, this, SLOT(mainLoopInstall()));
+    opListMapping[cnf.fwobj->getId()]->setText(1, tr("Failure"));
 }
 
diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb
index b554584fa..a2ac1caf7 100644
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@@ -13899,7 +13899,7 @@ no sysopt nodnsalias outbound
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id47B7A69C21818" host_OS="pix_os" inactive="False" lastCompiled="1230855485" lastInstalled="1230855510" lastModified="1230855132" platform="pix" version="7.0" name="pix515" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." ro="False">
+      <Firewall id="id47B7A69C21818" host_OS="pix_os" inactive="False" lastCompiled="1230857551" lastInstalled="1230857537" lastModified="1230855132" platform="pix" version="7.0" name="pix515" comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." ro="False">
         <NAT id="id47B7A71321818" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id47B7A71421818" disabled="False" position="0" comment="">
             <OSrc neg="False">