To Tyler Larson and anyone else interested in the firewall configuration program: I've just subscribed to this list today in hopes of getting something going with Tyler's proposed Firewall Configuration GUI. I've read all the archives and the spec here: http://www.tlarson.com/fireconf/spec I agree on the tack that Tyler is taking with this and I would very much like to get on board this project (and light a fire under it). I've been toying with this idea myself for a couple months now and I've gotten very familiar with iptables. I'm normally a C/C++/php programmer, but I'm sure I can pick up python on the way. I'm not so up on the GTK/Glade/GUI thing, but I can be very helpful for data structures and parsing. To get this thing started up again, I've written a pseudo code layout of all the data structures we'll need to interface with iptables, which I'm attaching. Also, I took a look at the preliminary GUI from that fireconf tar ball and it looks good so far. My suggestion for making a Basic/Advanced division is to use the notebook widget. We can put all the stuff currently below the bonobono dock bar into the Advanced tab, then some more basic stuff in the basic tab. The basic will come up when the app is started, but Advanced is just a click away. I played with glade a bit to try it out. I can email the tarball to anyone who's interested. -Tim -- Timothy A. Chagnon <tchagnon@xxxxxxxxx>
Data Structures for IPTables Firewall Configuration Copyright 2004 Timothy A. Chagnon // !! this is pseudo code !! // based on observations of iptables workings // lists are some sort of oo linked listy thing // // this is all just data structures, no functions yet. class firewall list tables // of class table class table string name list chains // of class chain class chain string name boolean is_built_in target def_policy // the default target for this chain // this is only set if this chain is built in long packet_count long byte_count int references // how many other chains ref it in a rule list rules // of class rule class rule long packet_count long byte_count target target proto protocol enum fragment // options for --, -f, or !f iface if_in // this should be a class, for eth0, eth1, any, lo, etc... iface if_out address source // this should be a class for an IP and netmask/metric address destination list match_extensions // this is another "extensible stuff" area // we need to have a match_extn class class target boolean is_predef // is this target one of the predefined targets? enum predef_targ // this contains the ACCEPT, REJECT, QUEUE, and DROP // targets, plus a null if it's a user chain string chain_name // this is where we put the chain name if it's not one // of the predefined ones // we should certainly put a get_target() function in this class to return // the target name regardless of whether it's a pre defined one or a chain class iface string name // this would be eth0, eth1, tr0, lo, or any // we may need other vars here later for mac-address, ipaddress, netmask, etc. // also we'll want some functions to interface with the system class address 32-bit ip // the ipaddress int metric // the netmask in metric format i.e. 24 for 255.255.255.0 class proto string name int iana-number // we should be getting these from /etc/protocols // probably should move prot_opts from rule to here // functions for checking with /etc/protocols and other stuff // this is where inheritancy really kicks in. this will really just be a // base class to all the different protocol classes. // The children classes will have all the particular options for each proto. // This is where much of the "extra stuff" we don't want to implement right // away will be. // Obviously we'll want to make children of this for // tcp and udp to start, but eventually we'll need ones for others like icmp class match_extn string name // for use after the --match option of iptables to turn on // this extension // again this will be a base class for each of the different extensions // if we don't want to implement all these matches we should make a default // class with just a string for the options, then put a text box in the gui // That's it for now. I think that just about covers everything we'll encounter // for iptables data.