iptables config gui

["Timothy A. Chagnon" <tchagnon nc rr com>]

To Tyler Larson and anyone else interested in the firewall configuration
program:

I've just subscribed to this list today in hopes of getting something
going with Tyler's proposed Firewall Configuration GUI.  I've read all
the archives and the spec here: http://www.tlarson.com/fireconf/spec

I agree on the tack that Tyler is taking with this and I would very much
like to get on board this project (and light a fire under it).  I've
been toying with this idea myself for a couple months now and I've
gotten very familiar with iptables.  I'm normally a C/C++/php
programmer, but I'm sure I can pick up python on the way.  I'm not so up
on the GTK/Glade/GUI thing, but I can be very helpful for data
structures and parsing.

To get this thing started up again, I've written a pseudo code layout of
all the data structures we'll need to interface with iptables, which I'm
attaching.

Also, I took a look at the preliminary GUI from that fireconf tar ball
and it looks good so far.  My suggestion for making a Basic/Advanced
division is to use the notebook widget.  We can put all the stuff
currently below the bonobono dock bar into the Advanced tab, then some
more basic stuff in the basic tab.  The basic will come up when the app
is started, but Advanced is just a click away.  I played with glade a
bit to try it out.  I can email the tarball to anyone who's interested.

-Tim
-- 
Timothy A. Chagnon <tchagnon nc rr com>

Data Structures for IPTables Firewall Configuration
Copyright 2004 Timothy A. Chagnon

// !! this is pseudo code !!
// based on observations of iptables workings
// lists are some sort of oo linked listy thing
//
// this is all just data structures, no functions yet.

class firewall
	list	tables	// of class table

class table
	string	name
	list	chains	// of class chain

class chain
	string	name
	boolean	is_built_in
	
	target	def_policy	// the default target for this chain
						// this is only set if this chain is built in
	
	long	packet_count
	long	byte_count
	
	int 	references  // how many other chains ref it in a rule

	list	rules	// of class rule

class rule
	long	packet_count
	long	byte_count

	target	target
	proto	protocol

	enum	fragment  // options for --, -f, or !f

	iface	if_in	// this should be a class, for eth0, eth1, any, lo, etc...
	iface	if_out

	address	source	// this should be a class for an IP and netmask/metric
	address destination

	list	match_extensions	// this is another "extensible stuff" area
								// we need to have a match_extn class

class target
	boolean	is_predef	// is this target one of the predefined targets?
	enum	predef_targ // this contains the ACCEPT, REJECT, QUEUE, and DROP
						// targets, plus a null if it's a user chain
						
	string	chain_name	// this is where we put the chain name if it's not one
						// of the predefined ones

	// we should certainly put a get_target() function in this class to return
	// the target name regardless of whether it's a pre defined one or a chain

class iface
	string	name    	// this would be eth0, eth1, tr0, lo, or any

	// we may need other vars here later for mac-address, ipaddress, netmask, etc.
	// also we'll want some functions to interface with the system

class address
	32-bit	ip		// the ipaddress
	int		metric	// the netmask in metric format i.e. 24 for 255.255.255.0

class proto
	string	name
	int 	iana-number	// we should be getting these from /etc/protocols

	//  probably should move prot_opts from rule to here
	// functions for checking with /etc/protocols and other stuff

	// this is where inheritancy really kicks in.  this will really just be a
	// base class to all the different protocol classes. 
	// The children classes will have all the particular options for each proto.
	// This is where much of the "extra stuff" we don't want to implement right
	// away will be.
	// Obviously we'll want to make children of this for
	// tcp and udp to start, but eventually we'll need ones for others like icmp

class match_extn
	string name		// for use after the --match option of iptables to turn on
					// this extension

	//  again this will be a base class for each of the different extensions
	
	//  if we don't want to implement all these matches we should make a default
	//  class with just a string for the options, then put a text box in the gui

// That's it for now.  I think that just about covers everything we'll encounter
// for iptables data.