[server] Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT

Added FLUSH_IPFW_AT_INIT and FLUSH_IPFW_AT_EXIT for ipfw firewalls to emulate the corresponding functionality that is implemented for iptables firewalls. Bug fix for ipfw firewalls to ensure that if the ipfw expire set is zero, then do not disable this set whenever the FLUSH_IPFW* variables are enabled. These changes were suggested by Jonathan Schulz.
2012-08-10 21:48:02 -04:00
parent c6f3fde537
commit 0af3bd0ee1
5 changed files with 121 additions and 65 deletions
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -43,7 +43,7 @@ range_check(fko_srv_options_t *opts, char *var, char *val, int low, int high)
 {
    if (low > atoi(val) || high < atoi(val))
    {
-        fprintf(stderr, "[*] var %s value '%s' not in the range %d-%d",
+        fprintf(stderr, "[*] var %s value '%s' not in the range %d-%d\n",
            var, val, low, high);
        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
    }
@@ -150,6 +150,19 @@ validate_int_var_ranges(fko_srv_options_t *opts)
        opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
        1, RCHK_MAX_IPFW_PURGE_INTERVAL);

+    /* Make sure the active and expire sets are not identical whenever
+     * they are non-zero
+    */
+    if((opts->config[CONF_IPFW_ACTIVE_SET_NUM] > 0
+            && opts->config[CONF_IPFW_EXPIRE_SET_NUM] > 0)
+            && (opts->config[CONF_IPFW_ACTIVE_SET_NUM]
+                == opts->config[CONF_IPFW_EXPIRE_SET_NUM]))
+    {
+        fprintf(stderr,
+                "[*] Cannot set identical ipfw active and expire sets.\n");
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
 #elif FIREWALL_PF
    range_check(opts, "PF_EXPIRE_INTERVAL", opts->config[CONF_PF_EXPIRE_INTERVAL],
        1, RCHK_MAX_PF_EXPIRE_INTERVAL);
@@ -446,6 +459,17 @@ validate_options(fko_srv_options_t *opts)
            DEF_IPT_MASQUERADE_ACCESS);

 #elif FIREWALL_IPFW
+
+    /* Flush ipfw rules at init.
+    */
+    if(opts->config[CONF_FLUSH_IPFW_AT_INIT] == NULL)
+        set_config_entry(opts, CONF_FLUSH_IPFW_AT_INIT, DEF_FLUSH_IPFW_AT_INIT);
+
+    /* Flush ipfw rules at exit.
+    */
+    if(opts->config[CONF_FLUSH_IPFW_AT_EXIT] == NULL)
+        set_config_entry(opts, CONF_FLUSH_IPFW_AT_EXIT, DEF_FLUSH_IPFW_AT_EXIT);
+
    /* Set IPFW start rule number.
    */
    if(opts->config[CONF_IPFW_START_RULE_NUM] == NULL)