Switchboard Security & Privacy Plug

Merge lp://staging/~davidmhewitt/switchboard-plug-security-privacy/fix-1312461-control-rule into lp://staging/~elementary-apps/switchboard-plug-security-privacy/trunk

  1. fix-1312461-control-rule
  2. Merge into trunk
Proposed by David Hewitt
Status: Merged
Approved by: Danielle Foré
Approved revision: 330
Merged at revision: 324
Proposed branch: lp://staging/~davidmhewitt/switchboard-plug-security-privacy/fix-1312461-control-rule
Merge into: lp://staging/~elementary-apps/switchboard-plug-security-privacy/trunk
Diff against target: 617 lines (+382/-70)
5 files modified
CMakeLists.txt (+1/-3)
data/CMakeLists.txt (+6/-0)
data/org.pantheon.security-privacy.gschema.xml (+12/-0)
src/UFWHelpers.vala (+153/-48)
src/Views/FirewallPanel.vala (+210/-19)
To merge this branch: bzr merge lp://staging/~davidmhewitt/switchboard-plug-security-privacy/fix-1312461-control-rule
Reviewer Review Type Date Requested Status
Adam Bieńkowski (community) code Approve
elementary Apps team Pending
Review via email: mp+319121@code.staging.launchpad.net

This proposal supersedes a proposal from 2017-03-05.

Commit message

Firewall:
* UFW rule creation now respects the IPv4/IPv6 flag set in the Rule structure.
* New dropdown in rule creation popover to specify IPv4/IPv6/Both rule.
* New rules are created as IPv4 by default.
* Use regular expressions to parse UFW command output
* Add a checkbox to enable/disable rules

Description of the change

The IPv6 checkbox was slightly confusing in that it looked like a control that you could modify. This branch turns the IPv6 status into a text field and adds a checkbox in the same place that allows you to enable/disable a rule.

To allow this functionality, the parsing and displaying of UFW rules has been improved as rules that had been set using the UFW command line were often incorrectly displayed and interpreted by the plug. This made the enable/disable functionality on those rules really buggy.

Disabled rules are stored in GSettings as UFW has no concept of a disabled rule. When a rule is disabled by the plug, it is deleted from UFW and stored in GSettings.

To post a comment you must log in.
Revision history for this message
Adam Bieńkowski (donadigo) wrote : Posted in a previous version of this proposal

I really don't like the validation of IP addresses with the regex. It makes the code look like clutter.
Instead you can use much simpler solution with GLib.InetAddress: by using "InetAddress.from_string" to parse the IP address you can check if it's null to make sure it's valid and you can also call "get_family" on it to retrive if it's IPv4 or IPv6 address.

Also, about this line:
while (iter.next ("(ssssiiii)", &to, &to_ports, &from, &from_ports, &action, &protocol, &direction, &version)) {

do you really need to use those C like arguments in order to retrieve needed variables? Does "out" not compile?

review: Needs Fixing (code)
Revision history for this message
David Hewitt (davidmhewitt) wrote : Posted in a previous version of this proposal

> I really don't like the validation of IP addresses with the regex. It makes
> the code look like clutter.
> Instead you can use much simpler solution with GLib.InetAddress: by using
> "InetAddress.from_string" to parse the IP address you can check if it's null
> to make sure it's valid and you can also call "get_family" on it to retrive if
> it's IPv4 or IPv6 address.
>
> Also, about this line:
> while (iter.next ("(ssssiiii)", &to, &to_ports, &from, &from_ports, &action,
> &protocol, &direction, &version)) {
>
> do you really need to use those C like arguments in order to retrieve needed
> variables? Does "out" not compile?

Thanks for the review, Adam. I'll try and fix the C like arguments, you're probably right that the out keyword will work.

As for using the InetAddress stuff, I tried that first and it wasn't suitable. Unfortunately, when you pass InetAddress.from_string an invalid IP Address, it throws an assertion instead of an exception meaning it terminates the program. Considering I'd be trying to use it to validate if something is an IP address or not, it's no help.

However, if you have any better solutions to check if a string is an IPv4 address, IPv6 address or something else, I'd be open to suggestions.

Revision history for this message
David Hewitt (davidmhewitt) wrote : Posted in a previous version of this proposal

> I really don't like the validation of IP addresses with the regex. It makes
> the code look like clutter.
> Instead you can use much simpler solution with GLib.InetAddress: by using
> "InetAddress.from_string" to parse the IP address you can check if it's null
> to make sure it's valid and you can also call "get_family" on it to retrive if
> it's IPv4 or IPv6 address.
>
> Also, about this line:
> while (iter.next ("(ssssiiii)", &to, &to_ports, &from, &from_ports, &action,
> &protocol, &direction, &version)) {
>
> do you really need to use those C like arguments in order to retrieve needed
> variables? Does "out" not compile?

My mistake, you can totally use InetAddress instead of the regular expressions, don't know what made me think it didn't work the first time. Thanks for the suggestion, that's saved a bunch of horrible code :)

I've implemented both suggestions!

Revision history for this message
Adam Bieńkowski (donadigo) wrote :

Besides 2 places where the code is a little bit inconsistent in code style, it looks good (code).

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches

to all changes: