# vim: set et ts=4 sw=4:
#*****************************************************************************
#
#  Copyright (c) 2013-2016 Matteo Pasotti <matteo.pasotti@gmail.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License version 2, as
#  published by the Free Software Foundation.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
#*****************************************************************************

package ManaTools::Module::Firewall;

use Modern::Perl '2011';
use autodie;
use Moose;
use Moose::Autobox;
use utf8;
use File::ShareDir ':ALL';
use I18N::LangTags::Detect;

use yui;
use ManaTools::Shared qw(trim);
use ManaTools::Shared::GUI;
use ManaTools::Shared::Firewall;
use ManaTools::Shared::Shorewall;
use ManaTools::Shared::Services;

use MDK::Common::Func qw(if_ partition);
use MDK::Common::System qw(getVarsFromSh);
use MDK::Common::Various qw(text2bool to_bool);
use MDK::Common::DataStructure qw(intersection);
use MDK::Common::File qw(substInFile output_with_perm);

use List::Util qw(any);
use List::MoreUtils qw(uniq);

use XML::Simple;

extends qw( ManaTools::Module );

# configName, configDir as attributes, must be before "with 'ManaTools::ConfigDirRole'"
has 'configName' => (
    is => 'ro',
    isa => 'Str',
    init_arg => undef,
    lazy => 1,
    default => 'manawall',
);

has 'configDir' => (
    is => 'ro',
    isa => 'Str',
    lazy => 1,
    builder => '_configDirBuilder',
);

sub _configDirBuilder {
    my $self = shift();
    my $confDir = $self->commandline()->conf_dir() || $self->defaultConfigDir();

    return $confDir;
}

with 'ManaTools::ConfigDirRole';


has '+name' => (
    default => 'manawall',
    required => 0,
    init_arg => undef,
);

sub _titleInitializer {
    my $self = shift;

    return ($self->loc->N("%s - Firewall Manager", $self->name()));
}


has 'dialog' => (
    is => 'rw',
    init_arg => undef
);

has 'sh_gui' => (
    is => 'rw',
    init_arg => undef,
    builder => '_SharedUGUIInitialize'
);


has 'all_servers' => (
    is => 'rw',
    init_arg => undef,
    isa => 'ArrayRef',
);

has 'ifw_rules' => (
    is => 'rw',
    init_arg => undef,
    isa => 'ArrayRef',
);

has 'wdg_ifw' => (
    is => 'rw',
    init_arg => undef,
    isa => 'ArrayRef',
    default => sub { [] },
);

has 'wdg_servers' => (
    is => 'rw',
    init_arg => undef,
    isa => 'ArrayRef',
    default => sub { [] },
);

has 'net' => (
    is => 'rw',
    init_arg => undef,
    isa => 'HashRef',
    builder => '_initNet',
);

has 'unlisted' => (
    is => 'rw',
    init_arg => undef,
    isa => 'ArrayRef',
    builder => '_initUnlisted',
);

has 'log_net_drop' => (
    is => 'rw',
    isa => 'Bool',
    default => sub { return 1; }
);

has 'aboutDialog' => (
    is => 'ro',
    init_arg => undef,
    isa => 'HashRef',
    lazy => 1,
    builder => '_setupAboutDialog',
);


has 'conf' => (
    is => 'ro',
    isa => 'Str',
    lazy => 1,
    builder => '_confBuilder',
);

sub _confBuilder {
    my $self = shift();
    my $confDir = $self->configPathName();

    return $confDir . "/spec.conf";
}

sub _setupAboutDialog {
  my $self = shift();
  return {
    name => "",
    version => $self->Version(),
    credits => $self->loc->N("Copyright (C) %s by Matteo Pasotti", '2013-2016'),
    license => "GPLv2",
    description => "",
    authors => "Matteo Pasotti &lt;matteo.pasotti\@gmail.com&gt;"
    };
}

sub _SharedUGUIInitialize {
    my $self = shift();

    $self->sh_gui(ManaTools::Shared::GUI->new() );
}

sub _initAllServers {
    my $self = shift();
    my @all_servers = @{$self->get_servers()};
    return \@all_servers;
}

sub _initIFW {
    my $self = shift();
    my @ifw_rules = (
	{
        id => 'psd',
        name => $self->loc->N("Port scan detection"),
        ifw_rule => 'psd',
	},
    );
    return \@ifw_rules;
}

sub _initNet {
    my $self = shift();
    my $net = {};
    network::network::read_net_conf($net);
    return $net;
}

sub _initUnlisted {
    my $self = shift();
    my @unlisted = ();
    return \@unlisted;
}


# return the localized string from a hash and given the key
# by default en value
sub _localizedValue {
    my ($self, $hash, $key) = @_;

    return if !defined($hash->{$key});

    if (ref($hash->{$key}) ne "HASH") {
        # Force array is set for "title"
        return $hash->{$key}[0];
    }

    my @lang = I18N::LangTags::Detect::detect();
    # Adding default value as English (en)
    push @lang, 'en';
    foreach my $l ( @lang ) {
        return $hash->{$key}->{$l} if defined($hash->{$key}->{$l});
    }

    return;
}

#=============================================================

sub get_servers {
    my $self = shift();
    my $fh = undef;
    my @all_servers = ();
    my $xml = XML::Simple->new();
    my $data = $xml->XMLin($self->conf(),
        ContentKey => '-content',
        ForceArray => ['description'],
        KeyAttr=>{
            description => "xml:lang",
        }
    );

    foreach my $server (@{$data->{server}})
    {
        my $description = $self->_localizedValue(
            $server,
            'description'
        );
        push(@all_servers, {
               id => $server->{id},
               name => $description,
               pkg => $server->{packages},
               ports => $server->{ports},
               hide => (defined($server->{hide}) ? 1 : 0),
               default => (defined($server->{default}) ? 1 : 0),
               pos => (defined($server->{pos}) ? $server->{pos} : 0),
        });
    }
    my @sorted = sort { ${a}->{pos} <=> ${b}->{pos} } @all_servers;
    return \@sorted;
}

#=============================================================

sub check_ports_syntax {
    my ($ports) = @_;
    foreach (split ' ', $ports) {
        my ($nb, $range, $nb2) = m!^(\d+)(:(\d+))?/(tcp|udp|icmp)$! or return $_;
        foreach my $port ($nb, if_($range, $nb2)) {
            1 <= $port && $port <= 65535 or return $_;
        }
        $nb < $nb2 or return $_ if $range;
    }
    return '';
}

#=============================================================

=head2 port2server

=head3 INPUT

    $self: this object

    $ports: port object

=head3 DESCRIPTION

    This method retrieves the server from a given port

=cut

#=============================================================

sub port2server {
    my $self = shift();
    my ($port) = @_;
    for my $service(@{$self->all_servers()})
    {
        if(any { $port eq $_ } split(' ', $service->{ports}))
        {
            return $service;
        }
    }
    return 0;
}

#=============================================================

=head2 to_ports

=head3 INPUT

    $self: this object

=head3 DESCRIPTION

    This method converts from server definitions to port definitions

=cut

#=============================================================

sub to_ports {
    my ($self, $servers) = @_;
    my $ports = join(' ', (map { $_->{ports} } @$servers), @{$self->unlisted()});
    return $ports;
}

#=============================================================

=head2 from_ports

=head3 INPUT

    $self: this object

    $ports: ports object

=head3 DESCRIPTION

    This method does...

=cut

#=============================================================

sub from_ports {
    my $self = shift();
    my ($ports) = @_;

    my @l;
    foreach (split ' ', $ports) {
        if (my $s = $self->port2server($_)) {
            push @l, $s;
        } else {
            push (@{$self->unlisted()}, $_);
        }
    }
    my @result = [ uniq(@l) ], join(' ', @{$self->unlisted()});
    return \@result;
}

#=============================================================

=head2 get_conf

=head3 INPUT

    $self: this object

    $disabled: boolean

    $o_ports: object representing ports

=head3 DESCRIPTION

    This method retrieves the configuration

=cut

#=============================================================

sub get_conf {
    my $self = shift();
    my ($disabled, $o_ports) = @_;
    my $possible_servers = undef;
    my $conf = ManaTools::Shared::Shorewall::read_();
    my $shorewall = (ManaTools::Shared::Shorewall::get_config_file('zones', '') && $conf);

    if ($o_ports) {
        return ($disabled, $self->from_ports($o_ports));
    } elsif ($shorewall) {
        # WARNING: this condition fails (the method fails)
        #          if manawall runs as unprivileged user
        #          cause it can't read the interfaces file
        return ($shorewall->{disabled}, $self->from_ports($shorewall->{ports}), $shorewall->{log_net_drop});
    } else {
        $self->sh_gui->ask_OkCancel({
        title => $self->loc->N("Firewall configuration"),
        text => $self->loc->N("drakfirewall configurator
                    This configures a personal firewall for this Mageia machine."),
        richtext => 1
        }) or return;

        $self->sh_gui->ask_OkCancel({
        title => $self->loc->N("Firewall configuration"),
        text => $self->loc->N("drakfirewall configurator
Make sure you have configured your Network/Internet access with
drakconnect before going any further."),
        richtext => 1
        }) or return;

        return($disabled, $possible_servers, '');
    }
}

sub set_ifw {
    # my ($do_pkgs, $enabled, $rules, $ports) = @_;
    my $self = shift();
    my ($enabled, $rules, $ports) = @_;
    if ($enabled)
    {
        my $ports_by_proto = ManaTools::Shared::Shorewall::ports_by_proto($ports);
        output_with_perm("$::prefix/etc/ifw/rules", 0644,
            (map { ". /etc/ifw/rules.d/$_\n" } @$rules),
             map {
                my $proto = $_;
                map {
                    my $multiport = /:/ && " -m multiport";
                    "iptables -A Ifw -m conntrack --ctstate NEW -p $proto$multiport --dport $_ -j IFWLOG --log-prefix NEW\n";
                } @{$ports_by_proto->{$proto}};
            } intersection([ qw(tcp udp) ], [ keys %$ports_by_proto ]),
        );
    }

    substInFile {
            undef $_ if m!^INCLUDE /etc/ifw/rules|^iptables -I INPUT 2 -j Ifw!;
    } "$::prefix/etc/shorewall/start";
    ManaTools::Shared::Shorewall::set_in_file('start', $enabled, "INCLUDE /etc/ifw/start", "INCLUDE /etc/ifw/rules", "iptables -I INPUT 1 -j Ifw");
    ManaTools::Shared::Shorewall::set_in_file('stop', $enabled, "iptables -D INPUT -j Ifw", "INCLUDE /etc/ifw/stop");
}

#=============================================================

=head2 choose_watched_services

=head3 INPUT

    $self: this object

    $servers: array of hashes representing servers

=head3 DESCRIPTION

    This method shows the main dialog to let users choose the allowed services

=cut

#=============================================================

sub choose_watched_services {
    my ($self, $servers) = @_;

    my @l = (@{$self->ifw_rules()}, @$servers, map { { ports => $_ } } @{$self->unlisted()});

    my $enabled = 1;
    $_->{ifw} = 1 foreach @l;

    my $retval = $self->ask_WatchedServices({
        title => $self->loc->N("Interactive Firewall"),
        icon => $self->icon(),
        # if_(!$::isEmbedded, banner_title => N("Interactive Firewall")),
        messages =>
            $self->loc->N("You can be warned when someone accesses to a service or tries to intrude into your computer.
Please select which network activities should be watched."),
	},
        [
        {
            id=>'useifw',
            text => $self->loc->N("Use Interactive Firewall"),
            val => $enabled,
            type => 'bool'
        },
        map {
                {
                text => (exists $_->{name} ? $_->{name} : $_->{ports}),
                val => $_->{ifw},
                type => 'bool',
                id => $_->{id},
                },
        } @l,
        ]);

    return if($retval == 0);

    for my $server(@{$self->wdg_ifw()})
    {
        for my $k(keys @l)
        {
            if(defined($l[$k]->{id}) && defined($server->{id}))
            {
                if($server->{id} eq 'useifw')
                {
                    $enabled = $server->{value};
                }
                else
                {
                    if($l[$k]->{id} eq $server->{id})
                    {
                        $l[$k]->{ifw} = $server->{value};
                        last;
                    }
                }
            }
        }
    }

    my ($rules, $ports) = partition { exists $_->{ifw_rule} } grep { $_->{ifw} } @l;
    $self->set_ifw($enabled, [ map { $_->{ifw_rule} } @$rules ], $self->to_ports($ports));

    # return something to say that we are done ok
    return ($rules, $ports);
}

#=============================================================

sub ask_WatchedServices {
    my $self = shift;

    my ($dlg_data,
        $items) = @_;

    my $old_title = yui::YUI::app()->applicationTitle();

    ## set new title to get it in dialog
    yui::YUI::app()->setApplicationTitle($dlg_data->{title});

    ## TODO remove title and icon when using Shared::Module::GUI::Dialog
    ## set new title to get it in dialog
    yui::YUI::app()->setApplicationTitle($dlg_data->{title});
    ## set icon if not already set by external launcher
    yui::YUI::app()->setApplicationIcon($dlg_data->{icon});

    my $factory  = yui::YUI::widgetFactory;
    my $optional = yui::YUI::optionalWidgetFactory;

    $self->dialog($factory->createMainDialog());
    my $layout    = $factory->createVBox($self->dialog);

    my $hbox_header = $factory->createHBox($layout);
    my $headLeft = $factory->createHBox($factory->createLeft($hbox_header));
    my $headRight = $factory->createHBox($factory->createRight($hbox_header));

    my $logoImage = $factory->createImage($headLeft, $dlg_data->{icon});
    my $labelAppDescription = $factory->createLabel($headRight,$dlg_data->{messages});
    $logoImage->setWeight($yui::YD_HORIZ,0);
    $labelAppDescription->setWeight($yui::YD_HORIZ,3);

    my $hbox_content = $factory->createHBox($layout);

    my $widgetContainer = $factory->createVBox($hbox_content);


    foreach my $item(@{$items})
    {
        if(defined($item->{label}))
        {
            $factory->createLabel($factory->createLeft($factory->createHBox($widgetContainer)), $item->{label});
        }
        elsif(defined($item->{text}))
        {
            my $ckbox = $factory->createCheckBox(
                $factory->createLeft($factory->createHBox($widgetContainer)),
                $item->{text},
                $item->{val}
            );
            $ckbox->setNotify(1);
            push @{$self->wdg_ifw()}, {
                id => $item->{id},
                widget => \$ckbox,
                value => $item->{val},
                };
            $ckbox->DISOWN();
        }
    }

    my $hbox_foot = $factory->createHBox($layout);
    my $vbox_foot_left = $factory->createVBox($factory->createLeft($hbox_foot));
    my $vbox_foot_right = $factory->createVBox($factory->createRight($hbox_foot));
    my $aboutButton = $factory->createPushButton($vbox_foot_left,$self->loc->N("&About"));
    my $cancelButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&Cancel"));
    my $okButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&OK"));

    my $retval = 0;

    # main loop
    while(1) {
        my $event     = $self->dialog->waitForEvent();
        my $eventType = $event->eventType();

        #event type checking
        if ($eventType == $yui::YEvent::CancelEvent) {
            last;
        }
        elsif ($eventType == $yui::YEvent::WidgetEvent) {
            ### Buttons and widgets ###
            my $widget = $event->widget();

            # loop on every checkbox representing servers
            foreach my $server(@{$self->wdg_ifw()})
            {
                if($widget == ${$server->{widget}})
                {
                    if($server->{id} eq 'useifw')
                    {
                        if(!${$server->{widget}}->value())
                        {
                            yui::YUI::ui()->blockEvents();
                            foreach my $server(@{$self->wdg_ifw()})
                            {
                                if($server->{id} ne 'useifw')
                                {
                                    ${$server->{widget}}->setValue(0);
                                    $server->{value} = ${$server->{widget}}->value();
                                }
                            }
                            yui::YUI::ui()->unblockEvents();
                            last;
                        }
                    }
                    else
                    {
                        $server->{value} = ${$server->{widget}}->value();
                    }
                }
            }
            if ($widget == $cancelButton) {
                last;
            }elsif ($widget == $aboutButton) {
                my $abtdlg = $self->aboutDialog();
                $abtdlg->{name} = $dlg_data->{title};
                $abtdlg->{description} = $self->loc->N("Graphical manager for interactive firewall rules");
                $self->sh_gui->AboutDialog($abtdlg
                );
            }elsif ($widget == $okButton) {
                $retval = 1;
                last;
            }
        }
    }

    $self->dialog->destroy();

    #restore old application title
    yui::YUI::app()->setApplicationTitle($old_title);

    return $retval;
}


#=============================================================

=head2 choose_allowed_services

=head3 INPUT

    $self: this object

    $disabled: boolean

    $servers: array of hashes representing servers

=head3 DESCRIPTION

    This method shows the main dialog to let users choose the allowed services

=cut

#=============================================================

sub choose_allowed_services {
    my ($self, $disabled, $servers) = @_;

    $_->{on} = 0 foreach @{$self->all_servers()};
    $_->{on} = 1 foreach @$servers;
    my @l = grep { $_->{on} || !$_->{hide} } @{$self->all_servers()};

    my $dialog_data = {
        title => $self->loc->N("Firewall"),
        icon => $self->icon(),
        # if_(!$::isEmbedded, banner_title => $self->loc->N("Firewall")),
        banner_title => $self->loc->N("Firewall"),
    };

    my $items = [
        { label => $self->loc->N("Which services would you like to allow the Internet to connect to?"), title => 1 },
        if_($self->net()->{PROFILE} && network::network::netprofile_count() > 0, { label => $self->loc->N("Those settings will be saved for the network profile <b>%s</b>", $self->net()->{PROFILE}) }),
        { text => $self->loc->N("Everything (no firewall)"), val => \$disabled, type => 'bool' },
        (map { { text => $_->{name}, val => \$_->{on}, type => 'bool', disabled => sub { $disabled }, id => $_->{id} } } @l),
    ];

    return if(!$self->ask_AllowedServices($dialog_data, $items));

    for my $server(@{$self->wdg_servers()})
    {
        for my $k(keys @l)
        {
            if(defined($l[$k]->{id}) && defined($server->{id}))
            {
                if($l[$k]->{id} eq $server->{id})
                {
                    $l[$k]->{on} = ${$server->{value}};
                    last;
                }
            }
            else
            {
                # fake server, the checkbox allowing the user to disable the firewall
                # if Everything checkbox is selected, value = 1 then firewall disabled = 1
                $disabled = ${$server->{value}};
                last;
            }
        }
    }

    return ($disabled, [ grep { $_->{on} } @l ]);
}

#=============================================================

sub ask_AllowedServices {
    my $self = shift;

    my ($dlg_data,
        $items) = @_;

    my $old_title = yui::YUI::app()->applicationTitle();

    ## set new title to get it in dialog
    yui::YUI::app()->setApplicationTitle($dlg_data->{title});

    my $factory  = yui::YUI::widgetFactory;
    my $optional = yui::YUI::optionalWidgetFactory;

    $self->dialog($factory->createMainDialog());
    my $layout    = $factory->createVBox($self->dialog);

    ## TODO remove title and icon when using Shared::Module::GUI::Dialog
    ## set new title to get it in dialog
    yui::YUI::app()->setApplicationTitle($dlg_data->{title});
    ## set icon if not already set by external launcher
    yui::YUI::app()->setApplicationIcon($dlg_data->{icon});


    my $hbox_header = $factory->createHBox($layout);
    my $headLeft = $factory->createHBox($factory->createLeft($hbox_header));
    my $headRight = $factory->createHBox($factory->createRight($hbox_header));

    my $logoImage = $factory->createImage($headLeft, $dlg_data->{icon});
    my $labelAppDescription = $factory->createLabel($headRight,$dlg_data->{title});
    $logoImage->setWeight($yui::YD_HORIZ,0);
    $labelAppDescription->setWeight($yui::YD_HORIZ,3);

    my $hbox_content = $factory->createHBox($layout);

    my $widgetContainer = $factory->createVBox($hbox_content);

    my $evry = undef;

    foreach my $item(@{$items})
    {
        if(defined($item->{label}))
        {
            $factory->createLabel($factory->createLeft($factory->createHBox($widgetContainer)), $item->{label});
        }
        elsif(defined($item->{text}))
        {
            my $ckbox = $factory->createCheckBox(
                    $factory->createLeft($factory->createHBox($widgetContainer)),
                    $item->{text},
                    ${$item->{val}}
            );
            $ckbox->setNotify(1);
            if(!defined($item->{id}))
            {
                $evry = $ckbox;
            }
            if(defined($item->{disabled}))
            {
                $ckbox->setEnabled(!$item->{disabled}->());
            }
            push @{$self->wdg_servers()}, {
                id => $item->{id},
                widget => \$ckbox,
                value => $item->{val},
                };
            $ckbox->DISOWN();
        }
    }

    my $hbox_foot = $factory->createHBox($layout);
    my $vbox_foot_left = $factory->createVBox($factory->createLeft($hbox_foot));
    my $vbox_foot_right = $factory->createVBox($factory->createRight($hbox_foot));
    my $advButton = $factory->createPushButton($vbox_foot_left,$self->loc->N("A&dvanced"));
    my $aboutButton = $factory->createPushButton($vbox_foot_left,$self->loc->N("&About"));
    my $cancelButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&Cancel"));
    my $okButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&OK"));

    my $retval = 0;

    # main loop
    while(1) {
        my $event     = $self->dialog->waitForEvent();
        my $eventType = $event->eventType();

        #event type checking
        if ($eventType == $yui::YEvent::CancelEvent) {
            last;
        }
        elsif ($eventType == $yui::YEvent::WidgetEvent) {
            ### Buttons and widgets ###
            my $widget = $event->widget();

            # loop on every checkbox representing servers
            foreach my $server(@{$self->wdg_servers()})
            {
                if($widget == ${$server->{widget}})
                {
                    ${$server->{value}} = !${$server->{value}};
                }
            }

            if ($widget == $cancelButton) {
                last;
            }elsif ($widget == $aboutButton) {
                my $abtdlg = $self->aboutDialog();
                $abtdlg->{name} = $dlg_data->{title};
                $abtdlg->{description} = $self->loc->N("Graphical manager for firewall rules");
                $self->sh_gui->AboutDialog($abtdlg);
            }elsif ($widget == $okButton) {
                $retval = 1;
                last;
            }
            elsif ($widget == $advButton) {
                $self->ask_CustomPorts();
            }
            elsif ($widget == $evry) {
                foreach my $wdg_ckbox(@{$self->wdg_servers()})
                {
                    if(defined($wdg_ckbox->{id}))
                    {
                        ${$wdg_ckbox->{widget}}->setEnabled(!${$wdg_ckbox->{widget}}->isEnabled());
                    }
                }
            }
        }
    }

    $self->dialog->destroy();

    #restore old application title
    yui::YUI::app()->setApplicationTitle($old_title);

    return $retval;
}

sub ask_CustomPorts {
    my $self = shift();

    my $adv_msg = $self->loc->N("You can enter miscellaneous ports.
Valid examples are: 139/tcp 139/udp 600:610/tcp 600:610/udp.
Have a look at /etc/services for information.");

    my $old_title = yui::YUI::app()->applicationTitle();
    my $win_title = $self->loc->N("Define miscellaneus ports");

    ## set new title to get it in dialog
    yui::YUI::app()->setApplicationTitle($win_title);

    my $factory  = yui::YUI::widgetFactory;
    my $optional = yui::YUI::optionalWidgetFactory;

    my $advdlg = $factory->createPopupDialog();
    my $layout    = $factory->createVBox($advdlg);

    my $hbox_header = $factory->createHBox($layout);
    my $headLeft = $factory->createHBox($factory->createLeft($hbox_header));
    my $headRight = $factory->createHBox($factory->createRight($hbox_header));

    my $labelAppDescription = $factory->createLabel($headRight,$self->loc->N("Other ports"));
    $labelAppDescription->setWeight($yui::YD_HORIZ,3);

    my $hbox_content = $factory->createHBox($layout);
    my $vbox_inputs = $factory->createVBox($hbox_content);
    my $labelAdvMessage = $factory->createLabel($factory->createHBox($vbox_inputs), $adv_msg);
    my $txtPortsList = $factory->createInputField($vbox_inputs,'');
    $txtPortsList->setValue(join(' ',@{$self->unlisted()}));
    my $ckbLogFWMessages = $factory->createCheckBox($factory->createHBox($vbox_inputs), $self->loc->N("Log firewall messages in system logs"), $self->log_net_drop());
    my $hbox_foot = $factory->createHBox($layout);
    my $vbox_foot_left = $factory->createVBox($factory->createLeft($hbox_foot));
    my $vbox_foot_right = $factory->createVBox($factory->createRight($hbox_foot));
    my $cancelButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&Cancel"));
    my $okButton = $factory->createPushButton($vbox_foot_right,$self->loc->N("&OK"));

    my $retval = 0;

    # main loop
    while(1) {
        my $event     = $advdlg->waitForEvent();
        my $eventType = $event->eventType();

        #event type checking
        if ($eventType == $yui::YEvent::CancelEvent) {
            last;
        }
        elsif ($eventType == $yui::YEvent::WidgetEvent) {
            ### Buttons and widgets ###
            my $widget = $event->widget();
            if( $widget == $cancelButton )
            {
                $retval = 0;
                last;
            }
            elsif( $widget == $okButton )
            {
                if(scalar(@{$self->unlisted()}) > 0)
                {
                    $self->unlisted([]);
                }
                my $invalid_ports = check_ports_syntax($txtPortsList->value());
                if(ManaTools::Shared::trim($invalid_ports) eq '')
                {
                    if($txtPortsList->value() =~m/\s+/g)
                    {
                        my @unlstd = split(' ', $txtPortsList->value());
                        foreach my $p(@unlstd)
                        {
                            push(@{$self->unlisted()},$p);
                        }
                    }
                    else
                    {
                        if(ManaTools::Shared::trim($txtPortsList->value()) ne '')
                        {
                            push(@{$self->unlisted()}, ManaTools::Shared::trim($txtPortsList->value()));
                        }
                    }
                    $retval = 1;
                }
 				else
                {
 				    $self->sh_gui->warningMsgBox({
                        title=>$self->loc->N("Invalid port given"),
 				        text=> $self->loc->N("Invalid port given: %s.
The proper format is \"port/tcp\" or \"port/udp\",
where port is between 1 and 65535.

You can also give a range of ports (eg: 24300:24350/udp)", $invalid_ports)
                    });
                    $retval = 0;
                }
                last;
            }
        }
    }

    $advdlg->destroy();

    #restore old application title
    yui::YUI::app()->setApplicationTitle($old_title);

    return $retval;
}

sub get_zones {
    my $self = shift();
    my $confref = shift();
    my $disabled = shift();
    my $conf = ${$confref};
    my $interfacesfile = ManaTools::Shared::Shorewall::get_config_file('interfaces', $conf->{version} || '');
    network::network::read_net_conf($self->net());
    #- find all interfaces but alias interfaces
    my @all_intf = grep { !/:/ } uniq(keys(%{$self->net()->{ifcfg}}), detect_devices::get_net_interfaces());
    my %net_zone = map { $_ => undef } @all_intf;
    $net_zone{$_} = 1 foreach ManaTools::Shared::Shorewall::get_net_zone_interfaces($interfacesfile, $self->net(), \@all_intf);

    # if firewall/shorewall is not disabled (i.e. everything has been allowed)
    # then ask for network interfaces to protect
    if(!$disabled)
    {
        my $retvals = $self->sh_gui->ask_multiple_fromList({
            title => $self->loc->N("Firewall configuration"),
            header => $self->loc->N("Please select the interfaces that will be protected by the firewall.

All interfaces directly connected to Internet should be selected,
while interfaces connected to a local network may be unselected.

If you intend to use Mageia Internet Connection sharing,
unselect interfaces which will be connected to local network.

Which interfaces should be protected?
"),
        list => [
            map {
                {
                id => $_,
                text => network::tools::get_interface_description($self->net(), $_),
                val => \$net_zone{$_},
                type => 'bool'
                };
            } (sort keys %net_zone) ]
            });

        if(!defined($retvals))
        {
            return 0;
        }
        else
        {
            # it was: ($conf->{net_zone}, $conf->{loc_zone}) = partition { $net_zone{$_} } keys %net_zone;
            foreach my $net_int (@{$retvals})
            {
                push (@{$conf->{net_zone}}, $net_int);
            }
            return $retvals;
        }
    }

    foreach my $net_int(keys %net_zone)
    {
        push (@{$conf->{net_zone}}, $net_int);
    }
    return keys %net_zone;
}

#=============================================================

=head2 set_ports

=head3 INPUT

    $self: this object

=head3 DESCRIPTION

    This method extends Module::start and is invoked to
    start  host manager

=cut

#=============================================================

sub set_ports {
    my ($self, $disabled, $ports, $log_net_drop) = @_;

    if (!$disabled || -x "$::prefix/sbin/shorewall") {
        # $do_pkgs->ensure_files_are_installed([ [ qw(shorewall shorewall) ], [ qw(shorewall-ipv6 shorewall6) ] ], $::isInstall) or return;
        my $conf = ManaTools::Shared::Shorewall::read_();
        if(!$self->get_zones(\$conf,$disabled))
        {
            # Cancel button has been pressed, aborting
            return 0;
        }
        my $shorewall = (ManaTools::Shared::Shorewall::get_config_file('zones', '') && $conf);
        if (!$shorewall) {
            print ("unable to read shorewall configuration, skipping installation");
            return 0;
        }

        $shorewall->{disabled} = $disabled;
        $shorewall->{ports} = $ports;
        $shorewall->{log_net_drop} = $log_net_drop;

        print ($disabled ? "disabling shorewall" : "configuring shorewall to allow ports: $ports");

        # NOTE: the 2nd param is undef in this case!
        if(!ManaTools::Shared::Shorewall::write_($shorewall))
        {
            # user action request
            my $action = $self->sh_gui->ask_fromList({
            title => $self->loc->N("Firewall"),
            header => $self->loc->N("Your firewall configuration has been manually edited and contains
    rules that may conflict with the configuration that has just been set up.
    What do you want to do?"),
            list => [ "keep", "drop"],
            default => "keep",
            });
            ManaTools::Shared::Shorewall::write_($shorewall,$action);
            return 1;
        }
    }
    return 0;
}

#=============================================================

=head2 start

=head3 INPUT

    $self: this object

=head3 DESCRIPTION

    This method extends Module::start and is invoked to
    start  host manager

=cut

#=============================================================

sub start {
    my $self = shift;

    my @server = ();
    $self->wdg_servers(@server);

    eval {
        # init servers definitions
        $self->all_servers($self->_initAllServers());
    };
    if ($@) {
        warn $@;
        return;
    }
    # initialize ifw_rules here
    $self->ifw_rules($self->_initIFW());

    my ($disabled, $servers, $log_net_drop) = $self->get_conf(undef) or return;

    # $log_net_drop: network::shorewall log_net_drop attribute
    $self->log_net_drop($log_net_drop);
    undef($log_net_drop);
    ($disabled, $servers) = $self->choose_allowed_services($disabled, @$servers) or return;

    my $system_file = '/etc/sysconfig/drakx-net';
    my %global_settings = getVarsFromSh($system_file);

    if (!$disabled && (!defined($global_settings{IFW}) || text2bool($global_settings{IFW}))) {
        $self->choose_watched_services($servers) or return;
    }

    # preparing services when required ( look at $self->all_servers() )
    foreach (@$servers) {
        exists $_->{prepare} and $_->{prepare}();
    }

    my $ports = $self->to_ports($servers);

    $self->set_ports($disabled, $ports, $self->log_net_drop()) or return;

    # restart mandi
    my $services = ManaTools::Shared::Services->new();
    $services->is_service_running("mandi") and $services->restart("mandi");

    # restarting services if needed
    foreach my $service (@$servers) {
        if ($service->{restart}) {
            $services->is_service_running($_) and $services->restart($_) foreach split(' ', $service->{restart});
        }
    }

    # clearing pending ifw notifications in net_applet
    system('killall -s SIGUSR1 net_applet');

    return ($disabled, $ports);
};

1;