From e66f654a8a36619ea27f8fbe6a80779794edef9e Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@slot.vk.crocodile.org>
Date: Fri, 28 Jan 2011 12:13:01 -0800
Subject: [PATCH] see #1983 "ASA multiple interfaces have the same security
 level". Algorithm that guesses security level recognizes interface labels
 that contain word "dmz". Interfaces that could not be recognized by their
 label and that have ip addresses not in RFC1918 ranges still get security
 level 0

---
 .../src/fwbuilder/InterfaceData.cpp           | 19 +++++++++----------
 src/libgui/newFirewallDialog.cpp              | 16 +++++++++++-----
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp b/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
index d34756546..302a1c045 100644
--- a/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
+++ b/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
@@ -158,22 +158,21 @@ void InterfaceData::guessSecurityLevel(const string&)
     for (string::size_type i=0; i<llbl.length(); i++)
         llbl[i] = tolower( llbl[i] );
 
-    if ( llbl=="outside" ||
-         llbl=="out" ||
-         llbl=="external" ||
-         llbl=="external net" ||
+    if ( llbl=="out" ||
          llbl=="ext" ||
          llbl=="internet" ||
          llbl=="wan" ||
          llbl=="dsl" ||
-         llbl=="cable") securityLevel = 0;
+         llbl=="cable" ||
+         llbl.find("outside")!=string::npos ||
+         llbl.find("external")!=string::npos) securityLevel = 0;
 
-    if ( llbl=="inside" ||
-         llbl=="lan" ||
+    if ( llbl=="lan" ||
          llbl=="in" ||
-         llbl=="internal" ||
-         llbl=="internal_net" ||
-         llbl=="internal net" ) securityLevel = 100;
+         llbl.find("inside")!=string::npos ||
+         llbl.find("internal")!=string::npos ) securityLevel = 100;
+
+    if ( llbl.find("dmz")!=string::npos ) securityLevel = 50;
 
     if ( (*(addr_mask.front()->getAddressPtr()))==InetAddr::getLoopbackAddr())
         securityLevel = 100; 
diff --git a/src/libgui/newFirewallDialog.cpp b/src/libgui/newFirewallDialog.cpp
index a2555f386..706729532 100644
--- a/src/libgui/newFirewallDialog.cpp
+++ b/src/libgui/newFirewallDialog.cpp
@@ -702,10 +702,14 @@ void newFirewallDialog::fillInterfaceSLList()
         {
             if (!gotIPv4) address = iface.addresses.values().first();
             if ( address.ipv4 )
-                iam = new InetAddrMask(InetAddr(address.address.toStdString()), InetAddr(address.netmask.toStdString()));
+                iam = new InetAddrMask(
+                    InetAddr(address.address.toStdString()),
+                    InetAddr(address.netmask.toStdString()));
             else
             {
-                iam = new InetAddrMask(InetAddr(AF_INET6, address.address.toStdString()), InetAddr(AF_INET6, address.netmask.toStdString()));
+                iam = new InetAddrMask(
+                    InetAddr(AF_INET6, address.address.toStdString()),
+                    InetAddr(AF_INET6, address.netmask.toStdString()));
             }
             idata.addr_mask.push_back(iam);
         }
@@ -714,12 +718,14 @@ void newFirewallDialog::fillInterfaceSLList()
         {
             try
             {
-                idata.guessSecurityLevel( readPlatform(m_dialog->platform).toStdString() );
+                idata.guessSecurityLevel(
+                    readPlatform(m_dialog->platform).toStdString() );
             }
             catch (FWException &ex)
             {
-                QMessageBox::warning( this,"Firewall Builder", ex.toString().c_str(),
-                                      "&Continue", QString::null, QString::null, 0, 1 );
+                QMessageBox::warning(
+                    this,"Firewall Builder", ex.toString().c_str(),
+                    "&Continue", QString::null, QString::null, 0, 1 );
                 showPage( 2 );
                 return;
             }