
[FW-1] CPMI questions



Evaluating OPSEC/CPMI + FW-1 NG, RedHat 6.2.
Getting started with composite objects by writing a simple app that creates a security_rule to log all traffic. Based on CPMI sample code, trying to create security_rule in table fw_policies. I have three questions below ("QUESTION").


Comments and questions so far:

1. general
- for apps that are not turnaround-performance-critical, a ready-made synchronization layer, i.e. synchronous alternatives for handling the object callbacks, would seem to give better structure to user code
- the CPMI OO schema would be well accompanied by an OO wrapping layer (C++ or Java)
- an all-Java client API (i.e. not JNI on top of the native libs) interfacing to the server at TCP level could give more freedom from the currently supported platforms. For instance, the best platform for me would be HP-UX 11i, which is not supported
==>> QUESTION: what would you recommend if I wanted to write synchronized CPMI user code instead of chaining asynch callbacks in a single thread (see sample code for the chained approach)? See my current solution under "specific" below:

2. specific:
- QUESTION: in what order should I update the created objects? Do I have to update each leaf object first, incl. owned objects, or is it enough to update the top-level created object?

- for synchronization, I'm now using
  o  two threads, pthread_cond* funcs and a mutex
  o  the "client" thread contains the "business logic", i.e. synchronous or synchronously wrapped CPMI calls
  o  the server receives callbacks and runs the OPSEC main loop
  o  a "receiver" synch layer encapsulates mutex-handling and copies the callback response params to a data structure which is returned to the client thread on wait completion.


2. platform question

- QUESTION: what glibc version is officially supported for Linux OPSEC SDK? (I'm getting a mysterious core dump from pthreads, and I'd like to eliminate some of the easiest causes.) For now, I have to run on RH7.1, and at least I'd like to be able to emulate the officially supported 6.2

3. Doc/ sample code inconsistencies, bug candidates etc.
- there was no makefile in the downloaded NG API sample code. That would be convenient in order to determine the linking order. It took me a short while to order the libs using .so symbol table info, but agreed, that doesn't look like the best way to go ;) .
QUESTION: Any "official" sample makefile out there?
- there were possibly some minor bugs (?) in the sample code, i.e.
  o unresolved symbols CPMIObjGetCreatorHost, CPMIObjGetCreateTime
  o premature session end posted by one of the callbacks (was it bind...), never getting to the actual app code
  o cpmi.conf didn't exactly work out of the box, but sorry, I didn't record the details.
  o the classes.C and the schema definition were inconsistent. I.e. simple_action class in the HTML doc. No valid defaults are really generated for the missing members, i.e. src, dst... although so implied in HTML

BR,

Markku Luotamo

PS. Unfortunately I don't personally yet have access to the partners support site, so forgive me, if I've posted stuff straight out of a FAQ
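
The two-thread "receiver" layer described in the message above, as an added C example that is not part of the original post and not OPSEC SDK code. All names (`reply_slot`, `on_reply`, `event_loop`, `sync_call`) and the reply string are hypothetical; `event_loop` stands in for the thread that runs the main loop and delivers the callback.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "receiver" slot: holds the copied callback parameters. */
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t  cv;
    int  done;            /* predicate, so spurious wakeups are harmless */
    int  status;
    char payload[64];
} reply_slot;

/* Callback side (event-loop thread): copy the params, then wake the client. */
static void on_reply(void *opaque, int status, const char *data) {
    reply_slot *s = opaque;
    pthread_mutex_lock(&s->mu);
    s->status = status;
    snprintf(s->payload, sizeof s->payload, "%s", data);  /* bounded copy */
    s->done = 1;
    pthread_cond_signal(&s->cv);
    pthread_mutex_unlock(&s->mu);
}

/* Stand-in for the thread that runs the main loop (constructed reply). */
static void *event_loop(void *opaque) {
    on_reply(opaque, 0, "rule-created");
    return NULL;
}

/* Client side: start the request, block until the callback has fired. */
int sync_call(char *out, size_t outlen) {
    reply_slot s = { .done = 0, .status = -1 };
    pthread_t loop;
    pthread_mutex_init(&s.mu, NULL);
    pthread_cond_init(&s.cv, NULL);
    if (pthread_create(&loop, NULL, event_loop, &s) == 0) {
        pthread_mutex_lock(&s.mu);
        while (!s.done)                    /* re-check after every wakeup */
            pthread_cond_wait(&s.cv, &s.mu);
        pthread_mutex_unlock(&s.mu);
        pthread_join(loop, NULL);          /* slot must outlive the callback */
    }
    snprintf(out, outlen, "%s", s.payload);
    pthread_mutex_destroy(&s.mu);
    pthread_cond_destroy(&s.cv);
    return s.status;
}

int main(void) { char b[64]; return sync_call(b, sizeof b) || strcmp(b, "rule-created"); }
```

The slot lives on the client's stack, so the client joins the callback thread before returning; a long-lived event loop would need a heap-allocated or reference-counted slot instead.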

   All contents © 2004 Network Presence, LLC. All rights reserved.