ipcopAdvancedDialog::ipcopAdvancedDialog(QWidget *parent,FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::ipcopAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;
    QStringList slm;

    /*
     * Set dialog title dynamically to reflect description set in the
     * platform resource file. This is useful because the same dialog
     * is used for ipcop, endian and oneshield platforms.
     */
    string platform = obj->getStr("platform");
    string description = Resources::platform_res[platform]->
        getResourceStr("/FWBuilderResources/Target/description");
    setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));

    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);

    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=NULL);

/*
    fwoptions->setStr("firewall_dir", "/etc/rc.d/");
    fwoptions->setStr("admUser", "admin");
    fwoptions->setStr("activationCmd", "/etc/rc.d/rc.firewall");
    fwoptions->setStr("output_file", "rc.firewall.local");
*/

    //QString s = fwoptions->getStr("ipv4_6_order")
    data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order",
                        QStringList() << tr("IPv4 before IPv6") << "ipv4_first"
                                      << tr("IPv6 before IPv4") << "ipv6_first");

    data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq");
    data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt");
    data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt");
    data.registerOption(m_dialog->logNumsyslog, fwoptions, "use_numeric_log_levels");

    slm = getLogLevels(platform.c_str());
    m_dialog->logLevel->clear();
    m_dialog->logLevel->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLevel, fwoptions, "log_level", slm);

    data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG");
    data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange");
    data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold");
    data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup");
    data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix");

    slm=getLimitSuffixes(platform.c_str());
    m_dialog->logLimitSuffix->clear();
    m_dialog->logLimitSuffix->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLimitSuffix, fwoptions, "limit_suffix", slm);

    data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value");
    data.registerOption(m_dialog->logAll, fwoptions, "log_all");
    data.registerOption(m_dialog->compiler, fwoptions, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline");
    data.registerOption(m_dialog->outputFileName, fwoptions, "output_file");
    data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions,
                        "firewall_is_part_of_any_and_networks");
    data.registerOption(m_dialog->acceptSessions, fwoptions,
                        "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw");
    data.registerOption(m_dialog->shadowing, fwoptions, "check_shading");
    data.registerOption(m_dialog->emptyGroups, fwoptions, "ignore_empty_groups");
    data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");

    slm=getActionsOnReject(platform.c_str());
    m_dialog->actionOnReject->clear();
    m_dialog->actionOnReject->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->actionOnReject, fwoptions, "action_on_reject", slm);

    data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
    data.registerOption(m_dialog->iptDebug, fwoptions, "debug");
    data.registerOption(m_dialog->verifyInterfaces, fwoptions, "verify_interfaces");
    data.registerOption(m_dialog->ipt_fw_dir, fwoptions, "firewall_dir");
    data.registerOption(m_dialog->ipt_user, fwoptions, "admUser");
    data.registerOption(m_dialog->altAddress, fwoptions, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwoptions, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd");

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script");
    data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script");

    data.loadAll();
    switchLOG_ULOG();

    m_dialog->tabWidget->setCurrentIndex(0);
}

bool FirewallInstallerUnx::packInstallJobsList(Firewall* fw)
{
    if (fwbdebug)
    {
        qDebug() << "FirewallInstallerUnx::packInstallJobList";
        qDebug() << "cnf->user="******"Installation plan:\n"));

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    // If an external install script is configured in the firewall object,
    // it replaces the whole built-in plan: the command and its arguments
    // are queued exactly as stored and no copy jobs are added.
    if (pis->getCommand()!="")
    {
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(
            instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    /* read manifest from the conf file */
    if (fwbdebug)
        qDebug("FirewallInstaller::packInstallJobsList read manifest from %s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
               cnf->script.toAscii().constData());
#else
               cnf->script.toLatin1().constData());
#endif

    /*
     * Note that if output file is specified in firewall settings dialog,
     * it can be an absolute path. In this case compiler puts additional
     * generated files (if any) in the same directory. The manifest in the
     * .fw file does not specify directory path so that the .fw file and
     * all additional files can be moved together someplace else. We take
     * dir path from the .fw file and if it is not empty, assume that all
     * other files are located there as well.
     */

    // compilers always write file names into manifest in Utf8
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
#endif
    QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));

    //key: local_file_name val: remote_file_name
    QMap<QString,QString> all_files;

    // readManifest() modifies cnf !
    if (readManifest(cnf->script, &all_files))
    {
        // Queue one COPY_FILE job per manifest entry and record it in the
        // installer log so the plan is visible before anything runs.
        QMap<QString, QString>::iterator it;
        for (it=all_files.begin(); it!=all_files.end(); ++it)
        {
            QString local_name = it.key();
            QString remote_name = it.value();
            job_list.push_back(instJob(COPY_FILE, local_name, remote_name));
            inst_dlg->addToLog(QString("Copy file: %1 --> %2\n")
                               .arg(local_name)
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
                               .arg(remote_name).toAscii().constData());
#else
                               .arg(remote_name).toLatin1().constData());
#endif
        }

iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::iptAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;
    QStringList slm;

    string platform = obj->getStr("platform");
    string description = Resources::platform_res[platform]->
        getResourceStr("/FWBuilderResources/Target/description");
    setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));

    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);

    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=NULL);

    if (fwbdebug)
        qDebug("%s",Resources::getTargetOptionStr(
                   obj->getStr("host_OS"),"user_can_change_install_dir").c_str());

    //QString s = fwoptions->getStr("ipv4_6_order")
    data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order",
                        QStringList() << tr("IPv4 before IPv6") << "ipv4_first"
                                      << tr("IPv6 before IPv4") << "ipv6_first");

    data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq");
    data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt");
    data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt");
    data.registerOption(m_dialog->logNumsyslog, fwoptions, "use_numeric_log_levels");

    slm = getLogLevels(obj->getStr("platform").c_str());
    m_dialog->logLevel->clear();
    m_dialog->logLevel->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLevel, fwoptions, "log_level", slm);

    data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG");
    data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange");
    data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold");
    data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup");
    data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix");

    slm=getLimitSuffixes(obj->getStr("platform").c_str());
    m_dialog->logLimitSuffix->clear();
    m_dialog->logLimitSuffix->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLimitSuffix, fwoptions, "limit_suffix", slm);

    data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value");
    data.registerOption(m_dialog->logAll, fwoptions, "log_all");
    data.registerOption(m_dialog->compiler, fwoptions, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline");
    data.registerOption(m_dialog->outputFileName, fwoptions, "output_file");
    data.registerOption(m_dialog->fileNameOnFw, fwoptions, "script_name_on_firewall");
    data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions,
                        "firewall_is_part_of_any_and_networks");
    data.registerOption(m_dialog->acceptSessions, fwoptions,
                        "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->dropInvalid, fwoptions, "drop_invalid");
    data.registerOption(m_dialog->logInvalid, fwoptions, "log_invalid");
    data.registerOption(m_dialog->acceptESTBeforeFirst, fwoptions, "accept_established");
    data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw");
    data.registerOption(m_dialog->shadowing, fwoptions, "check_shading");
    data.registerOption(m_dialog->emptyGroups, fwoptions, "ignore_empty_groups");
    data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
    data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu");
    data.registerOption(m_dialog->ipv6NeighborDiscovery, fwoptions,
                        "add_rules_for_ipv6_neighbor_discovery");

    slm = getActionsOnReject(obj->getStr("platform").c_str());
    m_dialog->actionOnReject->clear();
    m_dialog->actionOnReject->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->actionOnReject, fwoptions, "action_on_reject", slm);

    data.registerOption(m_dialog->useModuleSet, fwoptions, "use_m_set");
    data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
    data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, fwoptions,
                        "add_mgmt_ssh_rule_when_stoped");
    data.registerOption(m_dialog->addVirtualsforNAT, fwoptions, "manage_virtual_addr");
    data.registerOption(m_dialog->configureInterfaces, fwoptions,
                        "configure_interfaces");
    data.registerOption(m_dialog->clearUnknownInterfaces, fwoptions,
                        "clear_unknown_interfaces");
    data.registerOption(m_dialog->configure_vlan_interfaces, fwoptions,
                        "configure_vlan_interfaces");
    data.registerOption(m_dialog->configure_bridge_interfaces, fwoptions,
                        "configure_bridge_interfaces");
    data.registerOption(m_dialog->configure_bonding_interfaces, fwoptions,
                        "configure_bonding_interfaces");
    data.registerOption(m_dialog->iptDebug, fwoptions, "debug");
    data.registerOption(m_dialog->verifyInterfaces, fwoptions, "verify_interfaces");
    data.registerOption(m_dialog->loadModules, fwoptions, "load_modules");
    data.registerOption(m_dialog->iptablesRestoreActivation, fwoptions,
                        "use_iptables_restore");
    data.registerOption(m_dialog->ipt_fw_dir, fwoptions, "firewall_dir");
    data.registerOption(m_dialog->ipt_user, fwoptions, "admUser");
    data.registerOption(m_dialog->altAddress, fwoptions, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwoptions, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd");

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script");

    QStringList prologPlaces_ipt;
    prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
    prologPlaces_ipt.push_back("top");
    prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
    prologPlaces_ipt.push_back("after_interfaces");

    // bug #2820840: can't put prolog "after policy reset" if iptables-restore
    if (!fwoptions->getBool("use_iptables_restore"))
    {
        prologPlaces_ipt.push_back(QObject::tr("after policy reset"));
        prologPlaces_ipt.push_back("after_flush");
    }

    m_dialog->prologPlace->clear();
    m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_ipt));
    data.registerOption(m_dialog->prologPlace, fwoptions, "prolog_place",
                        prologPlaces_ipt);

    data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script");

    data.loadAll();
    switchLOG_ULOG();

    if (!Resources::getTargetOptionBool(
            obj->getStr("host_OS"), "user_can_change_install_dir"))
    {
        m_dialog->ipt_fw_dir->setEnabled(false);
        //fwoptions->setStr("firewall_dir", "");
    }

    string version = obj->getStr("version");
    bool can_use_module_set =
        (XMLTools::version_compare(version, "1.4.1.1") >= 0);
    if (!can_use_module_set)
        m_dialog->useModuleSet->setChecked(false);
    m_dialog->useModuleSet->setEnabled(can_use_module_set);

    m_dialog->tabWidget->setCurrentIndex(0);
}

bool FirewallInstallerProcurve::packInstallJobsList(Firewall*)
{
    if (fwbdebug)
        qDebug("FirewallInstallerProcurve::packInstallJobList script=%s",
               cnf->script.toLatin1().constData());

    job_list.clear();

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=nullptr);

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    // If an external install script is configured in the firewall object,
    // it is the only job queued: the command and its arguments are taken
    // exactly as stored and the built-in plan below is skipped.
    if (pis->getCommand()!="")
    {
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(
            instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    // Load configuration file early so we can abort installation if
    // it is not accessible
    QString ff;
    QFileInfo script_info(cnf->script);
    if (script_info.isAbsolute())
        ff = cnf->script;
    else
        ff = cnf->wdir + "/" + cnf->script;

    QFile data(ff);
    if (data.open(QFile::ReadOnly))
    {
        QTextStream strm(&data);
        QString line;
        do
        {
            line = strm.readLine();
            config_lines.push_back(line.trimmed());
        } while (!strm.atEnd());
    } else
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Can not read generated script %1").arg(ff),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }

#ifdef SCP_SUPPORT_FOR_PROCURVE
    if (cnf->useSCPForRouter)
    {
        QMap<QString,QString> all_files;

        // readManifest() modifies cnf (assigns cnf->remote_script) !
        if (readManifest(cnf->script, &all_files))
        {
            QMap<QString, QString>::iterator it;
            for (it=all_files.begin(); it!=all_files.end(); ++it)
            {
                QString local_name = it.key();
                QString remote_name = it.value();
                job_list.push_back(instJob(COPY_FILE, local_name, remote_name));
            }
        }

        QString cmd = getActivationCmd();
        job_list.push_back(instJob(ACTIVATE_POLICY, cmd, ""));
    } else
    {
        job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
    }
#endif

    // Queued unconditionally: when SCP_SUPPORT_FOR_PROCURVE is defined this
    // is a second ACTIVATE_POLICY job after the one added in the block above.
    job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));

    return true;
}

pfAdvancedDialog::pfAdvancedDialog(QWidget *parent,FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::pfAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;
    QStringList slm;

    string version = obj->getStr("version");

    FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject();
    assert(fwopt!=nullptr);

    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=nullptr);

    if (fwbdebug)
        qDebug("%s", Resources::getTargetOptionStr(
                   obj->getStr("host_OS"),"user_can_change_install_dir").c_str());

    if (!Resources::getTargetOptionBool(
            obj->getStr("host_OS"),"user_can_change_install_dir"))
    {
        m_dialog->pf_fw_dir->setEnabled(false);
        fwopt->setStr("firewall_dir","");
    }

    // see #1888: we now support rc.conf format for the output
    // Set variables for backwards compatibility for users who configured
    // custom name for the output .fw script before.
    if (!fwopt->getBool("generate_shell_script") &&
        !fwopt->getBool("generate_rc_conf_file"))
    {
        fwopt->setBool("generate_shell_script", true);
    }

    if (!Resources::getTargetOptionBool(obj->getStr("host_OS"),
                                        "rc_conf_format_supported"))
    {
        fwopt->setBool("generate_shell_script", true);
        fwopt->setBool("generate_rc_conf_file", false);
    }

    m_dialog->generateShellScript->setEnabled(
        Resources::getTargetOptionBool(obj->getStr("host_OS"),
                                       "rc_conf_format_supported"));
    m_dialog->generateRcConfFile->setEnabled(
        Resources::getTargetOptionBool(obj->getStr("host_OS"),
                                       "rc_conf_format_supported"));

    QString init_script_name = QString::fromUtf8(
        fwopt->getStr("output_file").c_str()).trimmed();
    QString conf_file_name = QString::fromUtf8(
        fwopt->getStr("conf1_file").c_str()).trimmed();

    if (!init_script_name.isEmpty() && conf_file_name.isEmpty())
    {
        conf_file_name =
            fwcompiler::CompilerDriver::getConfFileNameFromFwFileName(
                init_script_name, ".conf");
        fwopt->setStr("conf1_file", conf_file_name.toUtf8().constData());
    }

    data.registerOption(m_dialog->ipv4before, fwopt, "ipv4_6_order",
                        QStringList() << tr("IPv4 before IPv6") << "ipv4_first"
                                      << tr("IPv6 before IPv4") << "ipv6_first");

    data.registerOption(m_dialog->pf_log_prefix, fwopt, "log_prefix");
    data.registerOption(m_dialog->pf_fallback_log, fwopt, "fallback_log");
    data.registerOption(m_dialog->pf_do_timeout_interval, fwopt, "pf_do_timeout_interval");
    data.registerOption(m_dialog->pf_timeout_interval, fwopt, "pf_timeout_interval");
    data.registerOption(m_dialog->pf_do_timeout_frag, fwopt, "pf_do_timeout_frag");
    data.registerOption(m_dialog->pf_timeout_frag, fwopt, "pf_timeout_frag");
    data.registerOption(m_dialog->pf_do_limit_frags, fwopt, "pf_do_limit_frags");
    data.registerOption(m_dialog->pf_limit_frags, fwopt, "pf_limit_frags");
    data.registerOption(m_dialog->pf_do_limit_states, fwopt, "pf_do_limit_states");
    data.registerOption(m_dialog->pf_limit_states, fwopt, "pf_limit_states");
    data.registerOption(m_dialog->pf_do_limit_src_nodes, fwopt, "pf_do_limit_src_nodes");
    data.registerOption(m_dialog->pf_limit_src_nodes, fwopt, "pf_limit_src_nodes");
    data.registerOption(m_dialog->pf_do_limit_tables, fwopt, "pf_do_limit_tables");
    data.registerOption(m_dialog->pf_limit_tables, fwopt, "pf_limit_tables");
    data.registerOption(m_dialog->pf_do_limit_table_entries, fwopt,
                        "pf_do_limit_table_entries");
    data.registerOption(m_dialog->pf_limit_table_entries, fwopt,
                        "pf_limit_table_entries");

    // Prepare mapping for pf_optimization:
    slm.clear();
    slm.push_back("");
    slm.push_back("");
    slm.push_back(QObject::tr("Aggressive"));
    slm.push_back("aggressive");
    slm.push_back(QObject::tr("Conservative"));
    slm.push_back("conservative");
    slm.push_back(QObject::tr("For high latency"));
    slm.push_back("high-latency");
    slm.push_back(QObject::tr("Normal"));
    slm.push_back("normal");
    m_dialog->pf_optimization->clear();
    m_dialog->pf_optimization->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->pf_optimization, fwopt, "pf_optimization", slm);

    // Prepare state_policy combo box
    slm.clear();
    slm.push_back("");
    slm.push_back("");
    slm.push_back(QObject::tr("Bound to interfaces"));
    slm.push_back("if-bound");
    slm.push_back(QObject::tr("Floating"));
    slm.push_back("floating");
    m_dialog->pf_state_policy->clear();
    m_dialog->pf_state_policy->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->pf_state_policy, fwopt, "pf_state_policy", slm);
    m_dialog->pf_state_policy->setEnabled(
        XMLTools::version_compare(version, "3.5") >= 0);

    // Prepare block_policy combo box
    slm.clear();
    slm.push_back("");
    slm.push_back("");
    slm.push_back(QObject::tr("Drop"));
    slm.push_back("drop");
    slm.push_back(QObject::tr("Return"));
    slm.push_back("return");
    m_dialog->pf_block_policy->clear();
    m_dialog->pf_block_policy->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->pf_block_policy, fwopt, "pf_block_policy", slm);
    m_dialog->pf_block_policy->setEnabled(
        XMLTools::version_compare(version, "3.5") >= 0);

    // set debug combo box
    slm.clear();
    slm.push_back("");
    slm.push_back("");
    slm.push_back("emerg");
    slm.push_back("emerg");
    slm.push_back("alert");
    slm.push_back("alert");
    slm.push_back("crit");
    slm.push_back("crit");
    slm.push_back("err");
    slm.push_back("err");
    slm.push_back("warning");
    slm.push_back("warning");
    slm.push_back("notice");
    slm.push_back("notice");
    slm.push_back("info");
    slm.push_back("info");
    slm.push_back("debug");
    slm.push_back("debug");
    m_dialog->pf_set_debug->clear();
    m_dialog->pf_set_debug->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->pf_set_debug, fwopt, "pf_set_debug", slm);
    m_dialog->pf_set_debug->setEnabled(
        XMLTools::version_compare(version, "3.5") >= 0);

    data.registerOption(m_dialog->pf_check_shadowing, fwopt, "check_shading");
    data.registerOption(m_dialog->pf_preserve_group_names, fwopt, "preserve_group_names");
    data.registerOption(m_dialog->pf_ignore_empty_groups, fwopt, "ignore_empty_groups");
    // data.registerOption( pf_use_tables, fwopt, "use_tables");
    data.registerOption(m_dialog->pf_accept_new_tcp_with_no_syn, fwopt,
                        "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->pf_modulate_state, fwopt, "pf_modulate_state");
    data.registerOption(m_dialog->pf_scrub_random_id, fwopt, "pf_scrub_random_id");
    data.registerOption(m_dialog->pf_do_scrub, fwopt, "pf_do_scrub");

    // radio buttons

    // the following pf_scrub options are available in PF <= 4.5
    data.registerOption(m_dialog->pf_scrub_reassemble, fwopt, "pf_scrub_reassemble");
    data.registerOption(m_dialog->pf_scrub_fragm_crop, fwopt, "pf_scrub_fragm_crop");
    data.registerOption(m_dialog->pf_scrub_fragm_drop_ovl, fwopt, "pf_scrub_fragm_drop_ovl");

    // pf_scrub_reassemble_tcp is available in all versions
    data.registerOption(m_dialog->pf_scrub_reassemble_tcp, fwopt, "pf_scrub_reassemble_tcp");

    data.registerOption(m_dialog->pf_scrub_use_minttl, fwopt, "pf_scrub_use_minttl");
    data.registerOption(m_dialog->pf_scrub_use_maxmss, fwopt, "pf_scrub_use_maxmss");
    data.registerOption(m_dialog->pf_scrub_maxmss, fwopt, "pf_scrub_maxmss");
    data.registerOption(m_dialog->pf_scrub_minttl, fwopt, "pf_scrub_minttl");
    data.registerOption(m_dialog->pf_scrub_no_df, fwopt, "pf_scrub_no_df");
    data.registerOption(m_dialog->pf_fw_dir, fwopt, "firewall_dir");
    data.registerOption(m_dialog->pf_user, fwopt, "admUser");
    data.registerOption(m_dialog->altAddress, fwopt, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwopt, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwopt, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwopt, "activationCmd");

    data.registerOption(m_dialog->pf_manage_virtual_addr, fwopt, "manage_virtual_addr");
    data.registerOption(m_dialog->pf_configure_interfaces, fwopt, "configure_interfaces");
    data.registerOption(m_dialog->pf_configure_carp_interfaces, fwopt,
                        "configure_carp_interfaces");
    data.registerOption(m_dialog->pf_configure_pfsync_interfaces, fwopt,
                        "configure_pfsync_interfaces");
    data.registerOption(m_dialog->pf_configure_vlan_interfaces, fwopt,
                        "configure_vlan_interfaces");
    data.registerOption(m_dialog->pf_configure_bridge_interfaces, fwopt,
                        "configure_bridge_interfaces");

    data.registerOption(m_dialog->pf_debug, fwopt, "debug");
    data.registerOption(m_dialog->pf_flush_states, fwopt, "pf_flush_states");

    data.registerOption(m_dialog->compiler, fwopt, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwopt, "cmdline");
    data.registerOption(m_dialog->generateShellScript, fwopt, "generate_shell_script");
    data.registerOption(m_dialog->generateRcConfFile, fwopt, "generate_rc_conf_file");
    data.registerOption(m_dialog->outputFileName, fwopt, "output_file");
    data.registerOption(m_dialog->confFileName, fwopt, "conf1_file");
    data.registerOption(m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall");
    data.registerOption(m_dialog->confFileNameOnFw, fwopt, "conf_file_name_on_firewall");

    data.registerOption(m_dialog->mgmt_ssh, fwopt, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwopt, "mgmt_addr");

    data.registerOption(m_dialog->pf_set_tcp_first, fwopt, "pf_set_tcp_first");
    data.registerOption(m_dialog->pf_tcp_first, fwopt, "pf_tcp_first");
    data.registerOption(m_dialog->pf_set_tcp_opening, fwopt, "pf_set_tcp_opening");
    data.registerOption(m_dialog->pf_tcp_opening, fwopt, "pf_tcp_opening");
    data.registerOption(m_dialog->pf_set_tcp_established, fwopt, "pf_set_tcp_established");
    data.registerOption(m_dialog->pf_tcp_established, fwopt, "pf_tcp_established");
    data.registerOption(m_dialog->pf_set_tcp_closing, fwopt, "pf_set_tcp_closing");
    data.registerOption(m_dialog->pf_tcp_closing, fwopt, "pf_tcp_closing");
    data.registerOption(m_dialog->pf_set_tcp_finwait, fwopt, "pf_set_tcp_finwait");
    data.registerOption(m_dialog->pf_tcp_finwait, fwopt, "pf_tcp_finwait");
    data.registerOption(m_dialog->pf_set_tcp_closed, fwopt, "pf_set_tcp_closed");
    data.registerOption(m_dialog->pf_tcp_closed, fwopt, "pf_tcp_closed");
    data.registerOption(m_dialog->pf_set_udp_first, fwopt, "pf_set_udp_first");
    data.registerOption(m_dialog->pf_udp_first, fwopt, "pf_udp_first");
    data.registerOption(m_dialog->pf_set_udp_single, fwopt, "pf_set_udp_single");
    data.registerOption(m_dialog->pf_udp_single, fwopt, "pf_udp_single");
    data.registerOption(m_dialog->pf_set_udp_multiple, fwopt, "pf_set_udp_multiple");
    data.registerOption(m_dialog->pf_udp_multiple, fwopt, "pf_udp_multiple");
    data.registerOption(m_dialog->pf_set_icmp_first, fwopt, "pf_set_icmp_first");
    data.registerOption(m_dialog->pf_icmp_first, fwopt, "pf_icmp_first");
    data.registerOption(m_dialog->pf_set_icmp_error, fwopt, "pf_set_icmp_error");
    data.registerOption(m_dialog->pf_icmp_error, fwopt, "pf_icmp_error");
    data.registerOption(m_dialog->pf_set_other_first, fwopt, "pf_set_other_first");
    data.registerOption(m_dialog->pf_other_first, fwopt, "pf_other_first");
    data.registerOption(m_dialog->pf_set_other_single, fwopt, "pf_set_other_single");
    data.registerOption(m_dialog->pf_other_single, fwopt, "pf_other_single");
    data.registerOption(m_dialog->pf_set_other_multiple, fwopt, "pf_set_other_multiple");
    data.registerOption(m_dialog->pf_other_multiple, fwopt, "pf_other_multiple");

    data.registerOption(m_dialog->pf_set_adaptive, fwopt, "pf_set_adaptive");
    data.registerOption(m_dialog->pf_adaptive_start, fwopt, "pf_adaptive_start");
    data.registerOption(m_dialog->pf_adaptive_end, fwopt, "pf_adaptive_end");

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    QStringList prologPlaces_pf;
    prologPlaces_pf.push_back(QObject::tr("in the activation shell script"));
    prologPlaces_pf.push_back("fw_file");
    prologPlaces_pf.push_back(QObject::tr("in the pf rule file, at the very top"));
    prologPlaces_pf.push_back("pf_file_top");
    prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after set comamnds"));
    prologPlaces_pf.push_back("pf_file_after_set");
    prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after scrub comamnds"));
    prologPlaces_pf.push_back("pf_file_after_scrub");
    prologPlaces_pf.push_back(QObject::tr("in the pf rule file, after table definitions"));
    prologPlaces_pf.push_back("pf_file_after_tables");

    m_dialog->prologPlace->clear();
    m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_pf));
    data.registerOption(m_dialog->prologPlace, fwopt, "prolog_place", prologPlaces_pf);

    data.registerOption(m_dialog->prolog_script, fwopt, "prolog_script");
    data.registerOption(m_dialog->epilog_script, fwopt, "epilog_script");

    data.loadAll();

    doScrubToggled();
    ltToggled();

    m_dialog->tabWidget->setCurrentIndex(0);
}

ipfAdvancedDialog::ipfAdvancedDialog(QWidget *parent,FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::ipfAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;
    QStringList slm;

    FWOptions *fwopt=(Firewall::cast(obj))->getOptionsObject();
    assert(fwopt!=NULL);

    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=NULL);

    if (fwbdebug)
        qDebug("%s",Resources::getTargetOptionStr(
                   obj->getStr("host_OS"),"user_can_change_install_dir").c_str());

    if (!Resources::getTargetOptionBool(
            obj->getStr("host_OS"),"user_can_change_install_dir"))
    {
        m_dialog->ipf_fw_dir->setEnabled(false);
        fwopt->setStr("firewall_dir","");
    }

    m_dialog->tabWidget->setTabEnabled(6,false); //Disable tab

    data.registerOption(m_dialog->ipv4before_2, fwopt, "ipv4_6_order",
                        QStringList() << tr("IPv4 before IPv6") << "ipv4_first"
                                      << tr("IPv6 before IPv4") << "ipv6_first");

    data.registerOption(m_dialog->ipf_log_or_block, fwopt, "ipf_log_or_block");
    data.registerOption(m_dialog->ipf_log_body, fwopt, "ipf_log_body");
    data.registerOption(m_dialog->ipf_check_shadowing, fwopt, "check_shading");
    data.registerOption(m_dialog->ipf_eliminate_duplicates, fwopt, "eliminate_duplicates");
    data.registerOption(m_dialog->ipf_accept_new_tcp_with_no_syn, fwopt,
                        "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->ipf_ignore_empty_groups, fwopt, "ignore_empty_groups");
    data.registerOption(m_dialog->ipf_return_icmp_as_dest, fwopt, "ipf_return_icmp_as_dest");
    data.registerOption(m_dialog->ipf_nat_raudio_proxy, fwopt, "ipf_nat_raudio_proxy");
    data.registerOption(m_dialog->ipf_nat_h323_proxy, fwopt, "ipf_nat_h323_proxy");
    data.registerOption(m_dialog->ipf_nat_ipsec_proxy, fwopt, "ipf_nat_ipsec_proxy");
    data.registerOption(m_dialog->ipf_nat_pptp_proxy, fwopt, "ipf_nat_pptp_proxy");
    data.registerOption(m_dialog->ipf_nat_irc_proxy, fwopt, "ipf_nat_irc_proxy");
    data.registerOption(m_dialog->ipf_nat_ftp_proxy, fwopt, "ipf_nat_ftp_proxy");
    data.registerOption(m_dialog->ipf_nat_rcmd_proxy, fwopt, "ipf_nat_rcmd_proxy");
    data.registerOption(m_dialog->ipf_nat_krcmd_proxy, fwopt, "ipf_nat_krcmd_proxy");
    data.registerOption(m_dialog->ipf_nat_ekshell_proxy, fwopt, "ipf_nat_ekshell_proxy");
    data.registerOption(m_dialog->ipf_fw_dir, fwopt, "firewall_dir");
    data.registerOption(m_dialog->ipf_user, fwopt, "admUser");
    data.registerOption(m_dialog->altAddress, fwopt, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwopt, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwopt, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwopt, "activationCmd");
    data.registerOption(m_dialog->ipf_manage_virtual_addr, fwopt, "manage_virtual_addr");
    data.registerOption(m_dialog->ipf_configure_interfaces, fwopt, "configure_interfaces");
    data.registerOption(m_dialog->ipf_debug, fwopt, "debug");
    data.registerOption(m_dialog->ipf_optimize, fwopt, "optimize");
    data.registerOption(m_dialog->ipf_dynAddr, fwopt, "dynAddr");

    slm = getLogLevels(obj->getStr("platform").c_str());
    m_dialog->logLevel->clear();
    m_dialog->logLevel->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLevel, fwopt, "ipf_log_level", slm);

    slm = getLogFacilities(obj->getStr("platform").c_str());
    m_dialog->logFacility->clear();
    m_dialog->logFacility->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logFacility, fwopt, "ipf_log_facility", slm);

    data.registerOption(m_dialog->compiler, fwopt, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwopt, "cmdline");
    data.registerOption(m_dialog->outputFileName, fwopt, "output_file");
    data.registerOption(m_dialog->fileNameOnFw, fwopt, "script_name_on_firewall");
    data.registerOption(m_dialog->ipfConfFileNameOnFw, fwopt,
                        "ipf_conf_file_name_on_firewall");
    data.registerOption(m_dialog->natConfFileNameOnFw, fwopt,
                        "nat_conf_file_name_on_firewall");

    slm=getActionsOnReject(obj->getStr("platform").c_str());
    m_dialog->actionOnReject->clear();
    m_dialog->actionOnReject->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->actionOnReject, fwopt, "action_on_reject", slm);

    data.registerOption(m_dialog->mgmt_ssh, fwopt, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwopt, "mgmt_addr");

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    data.registerOption(m_dialog->prolog_script, fwopt, "prolog_script");
    data.registerOption(m_dialog->epilog_script, fwopt, "epilog_script");

    data.loadAll();

    m_dialog->tabWidget->setCurrentIndex(0);
}


secuwallAdvancedDialog::secuwallAdvancedDialog(QWidget *parent, FWObject *o)
    : QDialog(parent)
{
    m_dialog = new Ui::secuwallAdvancedDialog_q;
    m_dialog->setupUi(this);
    obj=o;
    QStringList slm;

    string platform = obj->getStr("platform");
    string description = Resources::platform_res[platform]->
        getResourceStr("/FWBuilderResources/Target/description");
    setWindowTitle(QObject::tr("%1 advanced settings").arg(description.c_str()));

    FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
    assert(fwoptions!=NULL);

    Management *mgmt=(Firewall::cast(obj))->getManagementObject();
    assert(mgmt!=NULL);

    data.registerOption(m_dialog->logTCPseq, fwoptions, "log_tcp_seq");
    data.registerOption(m_dialog->logTCPopt, fwoptions, "log_tcp_opt");
    data.registerOption(m_dialog->logIPopt, fwoptions, "log_ip_opt");
    data.registerOption(m_dialog->logNumsyslog, fwoptions,
                        "use_numeric_log_levels");

    slm = getLogLevels(obj->getStr("platform").c_str());
    m_dialog->logLevel->clear();
    m_dialog->logLevel->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLevel, fwoptions, "log_level", slm);

    data.registerOption(m_dialog->useULOG, fwoptions, "use_ULOG");
    data.registerOption(m_dialog->cprange, fwoptions, "ulog_cprange");
    data.registerOption(m_dialog->qthreshold, fwoptions, "ulog_qthreshold");
    data.registerOption(m_dialog->nlgroup, fwoptions, "ulog_nlgroup");
    data.registerOption(m_dialog->logprefix, fwoptions, "log_prefix");

    slm=getLimitSuffixes(obj->getStr("platform").c_str());
    m_dialog->logLimitSuffix->clear();
    m_dialog->logLimitSuffix->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->logLimitSuffix, fwoptions,
                        "limit_suffix", slm);

    data.registerOption(m_dialog->logLimitVal, fwoptions, "limit_value");
    data.registerOption(m_dialog->logAll, fwoptions, "log_all");
    data.registerOption(m_dialog->compiler, fwoptions, "compiler");
    data.registerOption(m_dialog->compilerArgs, fwoptions, "cmdline");
    data.registerOption(m_dialog->assumeFwIsPartOfAny, fwoptions,
                        "firewall_is_part_of_any_and_networks");
    data.registerOption(m_dialog->acceptSessions, fwoptions,
                        "accept_new_tcp_with_no_syn");
    data.registerOption(m_dialog->dropInvalid, fwoptions, "drop_invalid");
    data.registerOption(m_dialog->logInvalid, fwoptions, "log_invalid");
    data.registerOption(m_dialog->acceptESTBeforeFirst, fwoptions,
                        "accept_established");
    data.registerOption(m_dialog->bridge, fwoptions, "bridging_fw");
    data.registerOption(m_dialog->shadowing, fwoptions, "check_shading");
    data.registerOption(m_dialog->emptyGroups, fwoptions,
                        "ignore_empty_groups");
    data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
    data.registerOption(m_dialog->clampMSStoMTU, fwoptions,
                        "clamp_mss_to_mtu");

    slm = getActionsOnReject(obj->getStr("platform").c_str());
    m_dialog->actionOnReject->clear();
    m_dialog->actionOnReject->addItems(getScreenNames(slm));
    data.registerOption(m_dialog->actionOnReject, fwoptions,
                        "action_on_reject", slm);

    data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh");
    data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr");
    data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, fwoptions,
                        "add_mgmt_ssh_rule_when_stoped");
    data.registerOption(m_dialog->addVirtualsforNAT, fwoptions,
                        "manage_virtual_addr");
    data.registerOption(m_dialog->configureInterfaces, fwoptions,
                        "configure_interfaces");
    data.registerOption(m_dialog->iptDebug, fwoptions, "debug");
    data.registerOption(m_dialog->verifyInterfaces, fwoptions,
                        "verify_interfaces");
    data.registerOption(m_dialog->allowReboot, fwoptions, "allow_reboot");
    data.registerOption(m_dialog->iptablesRestoreActivation, fwoptions,
                        "use_iptables_restore");
    data.registerOption(m_dialog->altAddress, fwoptions, "altAddress");
    data.registerOption(m_dialog->sshArgs, fwoptions, "sshArgs");
    data.registerOption(m_dialog->scpArgs, fwoptions, "scpArgs");
    data.registerOption(m_dialog->activationCmd, fwoptions, "activationCmd");

    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
    m_dialog->installScript->setText(pis->getCommand().c_str());
    m_dialog->installScriptArgs->setText(pis->getArguments().c_str());

    /* page "Prolog/Epilog" */
    data.registerOption(m_dialog->prolog_script, fwoptions, "prolog_script");

    QStringList prologPlaces_ipt;
    prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
    prologPlaces_ipt.push_back("top");
    prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
    prologPlaces_ipt.push_back("after_interfaces");

    // bug #2820840: can't put prolog "after policy reset" if iptables-restore
    if (!fwoptions->getBool("use_iptables_restore"))
    {
        prologPlaces_ipt.push_back(QObject::tr("after policy reset"));
        prologPlaces_ipt.push_back("after_flush");
    }

    m_dialog->prologPlace->clear();
    m_dialog->prologPlace->addItems(getScreenNames(prologPlaces_ipt));
    data.registerOption(m_dialog->prologPlace, fwoptions,
                        "prolog_place", prologPlaces_ipt);

    data.registerOption(m_dialog->epilog_script, fwoptions, "epilog_script");

    data.loadAll();

    /* Now set sane values after loading data */
    /* secuwall supports currently only LOG, not ULOG */
    m_dialog->useLOG->setChecked(true);
    switchLOG_ULOG();
    m_dialog->useULOG->setEnabled(false);

    m_dialog->tabWidget->setCurrentIndex(0);
}

bool FirewallInstallerUnx::packInstallJobsList(Firewall* fw)
{
    if (fwbdebug)
    {
        qDebug() << "FirewallInstallerUnx::packInstallJobList";
        qDebug() << "cnf->user="******"Installation plan:\n"));

    Management *mgmt = cnf->fwobj->getManagementObject();
    assert(mgmt!=NULL);
    PolicyInstallScript *pis = mgmt->getPolicyInstallScript();

    // A custom install script configured for this firewall replaces the
    // built-in plan: it becomes the only job and the function returns here.
    if (pis->getCommand()!="")
    {
        QString cmd = pis->getCommand().c_str();
        QString args = pis->getArguments().c_str();
        job_list.push_back(
            instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
        inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
        return true;
    }

    /* read manifest from the conf file */
    if (fwbdebug)
        qDebug("FirewallInstaller::packInstallJobsList read manifest from %s",
               cnf->script.toAscii().constData());

    /*
     * Note that if output file is specified in firewall settings dialog,
     * it can be an absolute path. In this case compiler puts additional
     * generated files (if any) in the same directory. The manifest in the
     * .fw file does not specify directory path so that the .fw file and
     * all additional files can be moved together someplace else. We take
     * dir path from the .fw file and if it is not empty, assume that all
     * other files are located there as well.
     */

    // compilers always write file names into manifest in Utf8
    QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
    QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));

    //key: local_file_name val: remote_file_name
    QMap<QString,QString> all_files;

    // readManifest() modifies cnf !
    if (readManifest(cnf->script, &all_files))
    {
        // One COPY_FILE job per manifest entry.
        QMap<QString, QString>::iterator it;
        for (it=all_files.begin(); it!=all_files.end(); ++it)
        {
            QString local_name = it.key();
            QString remote_name = it.value();
            job_list.push_back(instJob(COPY_FILE, local_name, remote_name));
            inst_dlg->addToLog(QString("Copy file: %1 --> %2\n")
                               .arg(local_name)
                               .arg(remote_name).toAscii().constData());
        }
    } else
    {
        inst_dlg->opError(fw);
        return false;
    }

    if (job_list.size()==0)
    {
        QMessageBox::critical(
            inst_dlg, "Firewall Builder",
            tr("Incorrect manifest format in generated script. "
               "Line with \"*\" is missing, can not find any files "
               "to copy to the firewall.\n%1").arg(cnf->script),
            tr("&Continue"), QString::null,QString::null,
            0, 1 );
        return false;
    }

    // Optionally copy the data file itself to the firewall.
    if (cnf->copyFWB)
    {
        QString dest_dir = getDestinationDir(cnf->fwdir);
        QFileInfo fwbfile_base(cnf->fwbfile);
        job_list.push_back(instJob(
                               COPY_FILE, fwbfile_base.fileName(), dest_dir));
        inst_dlg->addToLog(QString("Copy data file: %1 --> %2\n")
                           .arg(fwbfile_base.fileName())
                           .arg(dest_dir).toAscii().constData());
    }

    // Last job: run the activation command.
    QString cmd = getActivationCmd();
    job_list.push_back(instJob(ACTIVATE_POLICY, cmd, ""));

    inst_dlg->addToLog(QString("Run script %1\n").arg(cmd));
    inst_dlg->addToLog(QString("\n"));

    return true;
}
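
Added example, not Firewall Builder code: the comment in packInstallJobsList() says the manifest lists file names without a directory and that the directory is taken from the .fw file. The code below applies that rule with the standard library instead of Qt and, as an assumption of this example, rejects manifest entries that carry a path of their own; CopyJob, scriptDir, isBareFileName and planCopyJobs are hypothetical names and the sample paths are constructed.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// One planned copy: local path on the management host -> name on the firewall.
struct CopyJob {
    std::string local_path;
    std::string remote_name;
};

// Directory part of the script path, trailing separator included (may be empty).
std::string scriptDir(const std::string &script_path)
{
    std::string::size_type pos = script_path.find_last_of("/\\");
    return pos == std::string::npos ? std::string() : script_path.substr(0, pos + 1);
}

// Assumption of this example: a manifest entry is valid only as a bare file
// name (no separator, not "." or ".."), since the manifest carries no paths.
bool isBareFileName(const std::string &name)
{
    return !name.empty() && name != "." && name != ".." &&
           name.find_first_of("/\\") == std::string::npos;
}

// Resolve each parsed manifest entry (local -> remote name) against the script's directory.
std::vector<CopyJob> planCopyJobs(const std::string &script_path,
                                  const std::map<std::string, std::string> &manifest)
{
    const std::string dir = scriptDir(script_path);
    std::vector<CopyJob> jobs;
    for (const auto &entry : manifest) {
        if (!isBareFileName(entry.first))
            throw std::invalid_argument("manifest entry has a path: " + entry.first);
        CopyJob job;
        job.local_path = dir + entry.first;   // same directory as the script
        job.remote_name = entry.second;       // remote name is passed through
        jobs.push_back(job);
    }
    return jobs;
}

int main()
{
    std::map<std::string, std::string> manifest;   // constructed sample entry
    manifest["fw1.fw"] = "/etc/fw/fw1.fw";
    return planCopyJobs("/home/admin/out/fw1.fw", manifest).size() == 1 ? 0 : 1;
}
```

Rejecting an entry before any job is queued keeps a tampered or hand-edited manifest from pulling files outside the output directory into the copy plan.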