Re: [FW-1] CPMI questions
My questions condensed from a previous long mail of mine:

- sample CPMI makefile for Linux/Unixes ?
- glibc version supported for Linux OPSEC SDK for NG ?
- is there some "usual" way to program CPMI callbacks and thus to structure CPMI user code ? (ie. more usual than my two-thread synchronization mechanism)
- in what order should I create and/or update a compound object such as security_rule vs. its owned objects

BR & thanks in advance,
Markku Luotamo

> -----Original Message-----
> From: Luotamo Markku (EXT-Netrical/Helsinki)
> Sent: 04. March 2002 13:45
> To: [email protected]
> Subject: [FW-1] CPMI questions
>
>
> Evaluating OPSEC/CPMI + FW-1 NG, RedHat 6.2.
> Getting started with composite objects by writing a simple
> app that creates a security_rule to log all traffic. Based on
> CPMI sample code, trying to create security_rule in table
> fw_policies. I have three questions below ("QUESTION")
>
>
> Comments and questions so far:
>
> 1. general
> - for apps that are not turnaround-performance-critical, a
>   ready-made synchronization layer ie. synchronous alternatives
>   for handling the object callbacks would seem to give better
>   structure to user code
> - the CPMI OO schema would be well accompanied by an OO
>   wrapping layer (C++ or java)
> - an all-java client API (ie. not JNI on top of the native
>   libs) interfacing to the server at TCP level could give more
>   freedom from the currently supported platforms. For instance,
>   the best platform for me would be HP-UX 11i which is not supported
> ==>> QUESTION: what would you recommend if I wanted to write
> synchronized CPMI user code instead of chaining asynch
> callbacks in a single thread (see sample code for the chained
> approach) ? See my current solution under "specific" below:
>
> 2. specific:
> - QUESTION: in what order should I update the created objects
>   ? Do I have to update each leaf object first, incl. owned
>   objects, or is it enough to update the top-level created object ?
>
> - for synchronization, I'm now using
>   o two threads, pthread_cond* funcs and a mutex
>   o the "client" thread contains the "business logic" ie.
>     synchronous or synchronously wrapped CPMI calls
>   o the server receives callbacks and runs the OPSEC main loop
>   o a "receiver" synch layer encapsulates mutex-handling and
>     copies the callback response
>     params to a data structure which is returned to the client
>     thread on wait completion.
>
>
> 2. platform question
>
> - QUESTION: what glibc version is officially supported for
>   Linux OPSEC SDK ? (I'm getting a mysterious core dump from
>   pthreads, and I'd like to eliminate some of the easiest
>   causes) For now, I have to run on RH7.1, and at least I'd
>   like to be able to emulate the officially supported 6.2
>
> 3. Doc/ sample code inconsistencies, bug candidates etc.
> - there was no makefile in the downloaded NG API sample code.
>   That would be convenient in order to determine the linking
>   order. It took me a short while to order the libs using .so
>   symbol table info, but agreed, that doesn't look like the
>   best way to go ;) .
>   QUESTION: Any "official" sample makefile out there ?
> - there were possibly some minor bugs (?) in the sample code ie.
>   o unresolved symbols CPMIObjGetCreatorHost, CPMIObjGetCreateTime
>   o premature session end posted by one of the callbacks (was
>     it bind...), never getting to the actual app code
>   o cpmi.conf didn't exactly work out of the box, but sorry,
>     I didn't record the details.
>   o the classes.C and the schema definition were
>     inconsistent. Ie. simple_action class in the html doc. No
>     valid defaults are really generated for the missing members
>     ie. src, dst... although so implied in html
>
> BR,
>
> Markku Luotamo
>
> PS.
> Unfortunately I don't personally yet have access to the
> partners support site, so forgive me, if I've posted stuff
> straight out of a FAQ
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
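
The two-thread "receiver" layer described in the quoted message, sketched as an added example; it is not part of the original mail and is not OPSEC SDK code. The names receiver_t, receiver_post, receiver_wait and sync_call and the int status payload are hypothetical, and a plain thread stands in for the thread that runs the main loop and delivers one callback.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <time.h>

/* Hypothetical "receiver" sync layer: holds one pending callback reply. */
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t  cv;
    int             ready;   /* predicate, only touched with mu held */
    int             status;  /* copy of the callback's response parameter */
} receiver_t;
void receiver_init(receiver_t *r) {
    pthread_mutex_init(&r->mu, NULL);
    pthread_cond_init(&r->cv, NULL);
    r->ready = r->status = 0;
}

/* Callback side (main-loop thread): copy the params, then wake the client. */
void receiver_post(receiver_t *r, int status) {
    pthread_mutex_lock(&r->mu);
    r->status = status; r->ready = 1;
    pthread_cond_signal(&r->cv);
    pthread_mutex_unlock(&r->mu);
}

/* Client side: returns 0 and fills *status, or ETIMEDOUT if no reply came. */
int receiver_wait(receiver_t *r, int timeout_sec, int *status) {
    struct timespec deadline; int rc = 0;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_sec;
    pthread_mutex_lock(&r->mu);
    while (!r->ready && rc == 0)   /* re-check predicate: wakeups may be spurious */
        rc = pthread_cond_timedwait(&r->cv, &r->mu, &deadline);
    if (r->ready) { *status = r->status; r->ready = 0; rc = 0; }
    pthread_mutex_unlock(&r->mu);
    return rc;
}

/* Stand-in for the callback thread; 42 is a constructed sample reply. */
static void *fake_callback_thread(void *arg) { receiver_post(arg, 42); return NULL; }

/* A "synchronous call": start the asynchronous work, block for its reply. */
int sync_call(receiver_t *r, int *status) {
    pthread_t t;
    if (pthread_create(&t, NULL, fake_callback_thread, r) != 0) return -1;
    int rc = receiver_wait(r, 5, status);
    pthread_join(t, NULL);
    return rc;
}
```

The timeout keeps the client thread from blocking forever if the callback side ends the session before posting a reply.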