Added --fw-list-all and --fw-flush

Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.

Also switched -D config dump output to stdout.
Michael Rash 2011-10-17 23:03:28 -04:00
parent e479e776db
commit 0e7a0e9a37
12 changed files with 179 additions and 78 deletions


@ -63,9 +63,18 @@ COMMAND-LINE OPTIONS
sent to stderr. This mode is usually used when testing and/or debugging.
*--fw-list*::
List all firewall rules that any running *fwknopd* daemon has created
List only firewall rules that any running *fwknopd* daemon has created
and then exit.
*--fw-list-all*::
List all firewall rules including those that have nothing to do with
*fwknopd*.
*--fw-flush*::
Flush any firewall rules created by a running *fwknopd* process. This
option allows the used to easily delete *fwknopd* firewall rules without
having to wait for them to be timed out.
*-K, --Kill*::
Kill the current *fwknopd* process. This provides a quick and easy
way to stop *fwknopd* without having to look in the process table.


@ -1023,7 +1023,7 @@ dump_access_list(fko_srv_options_t *opts)
acc_stanza_t *acc = opts->acc_stanzas;
fprintf(stderr, "Current fwknopd access settings:\n");
fprintf(stdout, "Current fwknopd access settings:\n");
if(!acc)
{
@ -1033,7 +1033,7 @@ dump_access_list(fko_srv_options_t *opts)
while(acc)
{
fprintf(stderr,
fprintf(stdout,
"SOURCE (%i): %s\n"
"==============================================================\n"
" OPEN_PORTS: %s\n"
@ -1068,12 +1068,12 @@ dump_access_list(fko_srv_options_t *opts)
(acc->gpg_remote_id == NULL) ? "<not set>" : acc->gpg_remote_id
);
fprintf(stderr, "\n");
fprintf(stdout, "\n");
acc = acc->next;
}
fprintf(stderr, "\n");
fprintf(stdout, "\n");
}
/***EOF***/


@ -107,6 +107,8 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
*/
enum {
FW_LIST = 0x200,
FW_LIST_ALL,
FW_FLUSH,
GPG_HOME_DIR,
ROTATE_DIGEST_CACHE,
NOOP /* Just to be a marker for the end */
@ -129,6 +131,8 @@ static struct option cmd_opts[] =
{"interface", 1, NULL, 'i'},
{"kill", 0, NULL, 'K'},
{"fw-list", 0, NULL, FW_LIST },
{"fw-list-all", 0, NULL, FW_LIST_ALL },
{"fw-flush", 0, NULL, FW_FLUSH },
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"locale", 1, NULL, 'l' },
{"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },


@ -653,6 +653,13 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case FW_LIST:
opts->fw_list = 1;
break;
case FW_LIST_ALL:
opts->fw_list = 1;
opts->fw_list_all = 1;
break;
case FW_FLUSH:
opts->fw_flush = 1;
break;
case GPG_HOME_DIR:
if (is_valid_dir(optarg))
{
@ -718,16 +725,16 @@ dump_config(fko_srv_options_t *opts)
{
int i;
fprintf(stderr, "Current fwknopd config settings:\n");
fprintf(stdout, "Current fwknopd config settings:\n");
for(i=0; i<NUMBER_OF_CONFIG_ENTRIES; i++)
fprintf(stderr, "%3i. %-28s = '%s'\n",
fprintf(stdout, "%3i. %-28s = '%s'\n",
i,
config_map[i],
(opts->config[i] == NULL) ? "<not set>" : opts->config[i]
);
fprintf(stderr, "\n");
fprintf(stdout, "\n");
}
/* Print usage message...
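Review bot: The `opts->fw_list = 1;` line in the new `case FW_LIST_ALL:` duplicates the `fw_list == 1 || fw_list_all == 1` test that main() performs in fwknopd.c, so one of the two is redundant; keeping only `opts->fw_list_all = 1;` here (or only the `fw_list` test in main) leaves the flag's meaning in a single place. Nothing in these cases documents how `--fw-list`, `--fw-list-all` and `--fw-flush` combine; as main() is written the listing path exits before the flush is reached, so a comment such as `/* --fw-flush is ignored when a listing option is also given */` next to `case FW_FLUSH:` would save a user from expecting both. config_init's body starts and ends outside the hunk.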


@ -52,6 +52,9 @@ fw_dump_rules(fko_srv_options_t *opts)
int i;
int res, got_err = 0;
fprintf(stdout, "Listing fwknopd ipf rules...\n");
fflush(stdout);
zero_cmd_buffers();
/* TODO: Implement or get rid of me */
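Review bot: The ipf variant prints `Listing fwknopd ipf rules...` without consulting `opts->fw_list_all`, so on this backend `--fw-list-all` silently behaves like `--fw-list`, unlike the ipfw and iptables variants in the same commit. Until the TODO below is implemented, a guard such as `if(opts->fw_list_all) fprintf(stderr, "--fw-list-all is not implemented for ipf\n");` would at least tell the user what they did not get. fw_dump_rules continues outside the hunk.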


@ -96,42 +96,70 @@ fw_dump_rules(fko_srv_options_t *opts)
{
int res, got_err = 0;
zero_cmd_buffers();
/* Create the list command for active rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->active_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nActive Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
if (opts->fw_list_all)
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
fprintf(stdout, "Listing all ipfw rules...\n");
fflush(stdout);
zero_cmd_buffers();
/* Create the list command for all rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_ALL_RULES_ARGS,
opts->fw_config->fw_command
);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
/* Create the list command for expired rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->expire_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nExpired Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
else
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
fprintf(stdout, "Listing fwknopd ipfw rules...\n");
fflush(stdout);
zero_cmd_buffers();
/* Create the list command for active rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->active_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nActive Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
/* Create the list command for expired rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->expire_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nExpired Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
return(got_err);
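Review bot: The all-rules branch runs `IPFW_LIST_ALL_RULES_ARGS`, which is the bare `list` verb, while the fwknopd-only branch passes `-d -S -T` so that dynamic rules and set membership are shown; if `--fw-list-all` is meant to be a superset of `--fw-list`, the new macro in fw_util_ipfw.h probably wants the same flags, e.g. `#define IPFW_LIST_ALL_RULES_ARGS "-d -S -T list"` (I have not checked ipfw's output for that combination, so treat this as a question). Independently, the new error path at the `log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);` line logs `err_buf` right after a `system()` call, and `system()` cannot write into that buffer; unless something outside the hunk fills it, the message ends with whatever `zero_cmd_buffers()` left there, and the `%s` argument should either be dropped or the command run through a helper that captures its output. fw_dump_rules ends outside the hunk.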


@ -48,6 +48,7 @@ enum {
#define IPFW_DEL_RULE_ARGS "set %u delete %u"
#define IPFW_DEL_RULE_SET_ARGS "delete set %u"
#define IPFW_LIST_RULES_ARGS "-d -S -T set %u list"
#define IPFW_LIST_ALL_RULES_ARGS "list"
#define IPFW_LIST_SET_RULES_ARGS "set %u list"
#define IPFW_LIST_EXP_SET_RULES_ARGS "-S set %u list"
#define IPFW_LIST_SET_DYN_RULES_ARGS "-d set %u list"


@ -138,31 +138,67 @@ fw_dump_rules(fko_srv_options_t *opts)
struct fw_chain *ch = opts->fw_config->chain;
printf("Listing rules in fwknop chains...\n");
for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
if (opts->fw_list_all == 1)
{
fprintf(stdout, "Listing all iptables rules in applicable tables...\n");
fflush(stdout);
if(fwc.chain[i].target[0] == '\0')
continue;
zero_cmd_buffers();
/* Create the list command
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
opts->fw_config->fw_command,
ch[i].table,
ch[i].to_chain
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
if(fwc.chain[i].target[0] == '\0')
continue;
zero_cmd_buffers();
/* Create the list command
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_ALL_RULES_ARGS,
opts->fw_config->fw_command,
ch[i].table
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
}
else
{
fprintf(stdout, "Listing rules in fwknopd iptables chains...\n");
fflush(stdout);
for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
{
if(fwc.chain[i].target[0] == '\0')
continue;
zero_cmd_buffers();
/* Create the list command
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
opts->fw_config->fw_command,
ch[i].table,
ch[i].to_chain
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
}
@ -784,7 +820,7 @@ check_firewall_rules(fko_srv_options_t *opts)
if(!EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
continue;
}
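Review bot: In the `fw_list_all == 1` branch the loop still runs once per fwknopd access type and hands `ch[i].table` to `IPT_LIST_ALL_RULES_ARGS`, so when several configured chains live in the same table (the filter table is the obvious case) that whole table is dumped once per chain, and when no chain has a `target` nothing is listed at all even though the user asked for every rule. Collecting the distinct table names first, or iterating over a fixed list of tables, would make the output match the message `Listing all iptables rules in applicable tables...`; the `continue` on an empty `target` looks carried over from the per-chain path rather than chosen for this one. The second hunk in this file appears to be a whitespace-only change to the `log_msg` line in check_firewall_rules. fw_dump_rules ends outside the first hunk.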


@ -33,19 +33,20 @@
#define SNAT_TARGET_BUFSIZE 64
/* iptables command args
/* iptables command args
*/
#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
#define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
#define IPT_DEL_CHAIN_ARGS "-t %s -X %s 2>&1"
#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s 2>&1"
#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n 2>&1"
#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
#define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
#define IPT_DEL_CHAIN_ARGS "-t %s -X %s 2>&1"
#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s 2>&1"
#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n 2>&1"
#define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers 2>&1"
#endif /* FW_UTIL_IPTABLES_H */


@ -60,6 +60,8 @@ fw_dump_rules(fko_srv_options_t *opts)
{
int res, got_err = 0;
printf("Listing fwknopd pf rules...\n");
zero_cmd_buffers();
/* Create the list command for active rules
@ -133,7 +135,7 @@ anchor_active(fko_srv_options_t *opts)
}
static void
delete_all_anchor_rules(fko_srv_options_t *opts)
delete_all_anchor_rules(void)
{
int res = 0;
@ -193,6 +195,7 @@ fw_initialize(fko_srv_options_t *opts)
int
fw_cleanup(void)
{
delete_all_anchor_rules();
return(0);
}
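Review bot: `fw_cleanup()` now calls `delete_all_anchor_rules()` unconditionally, so if this function is also the pf backend's normal shutdown hook and not only the `--fw-flush` path, anchor rules are removed on every daemon exit, which is a behaviour change the commit message does not mention. Either way `fw_cleanup()` keeps returning `0` whatever happened inside `delete_all_anchor_rules()`, which is `static void`; a comment such as `/* Always reports success: anchor deletion errors are only logged */` above `return(0);` would make that visible to the caller in fwknopd.c. The pf `fw_dump_rules` in the first hunk also prints `Listing fwknopd pf rules...` without consulting `opts->fw_list_all`, so `--fw-list-all` is a silent no-op on this backend. The body of delete_all_anchor_rules and the rest of fw_dump_rules are outside the hunks.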


@ -181,12 +181,19 @@ main(int argc, char **argv)
*/
fw_config_init(&opts);
if(opts.fw_list == 1)
if(opts.fw_list == 1 || opts.fw_list_all == 1)
{
fw_dump_rules(&opts);
exit(EXIT_SUCCESS);
}
if(opts.fw_flush == 1)
{
fprintf(stdout, "Deleting any existing firewall rules...\n");
fw_cleanup();
exit(EXIT_SUCCESS);
}
/* Process the access.conf file.
*/
parse_access_file(&opts);
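Review bot: The new `--fw-flush` block discards the `int` returned by `fw_cleanup()` and exits with `EXIT_SUCCESS` no matter what, so a user or script cannot tell whether the rules were actually removed; `if(fw_cleanup() != 0) exit(EXIT_FAILURE);` would surface a failure (the `fw_dump_rules(&opts);` result above is likewise ignored, but that predates this commit). The flush may also run while another fwknopd is active, and nothing here informs that daemon that its rules or chains are gone; how each backend's `fw_cleanup()` copes with that is outside this hunk, so a short comment above the block stating whether `--fw-flush` is intended for use against a running daemon would help operators. Because the listing test comes first, `--fw-list --fw-flush` lists and exits without flushing, which deserves a comment or a line in the man page. main continues outside the hunk.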


@ -404,6 +404,8 @@ typedef struct fko_srv_options
unsigned char restart; /* Restart fwknopd flag */
unsigned char status; /* Get fwknopd status flag */
unsigned char fw_list; /* List current firewall rules */
unsigned char fw_list_all; /* List all current firewall rules */
unsigned char fw_flush; /* Flush current firewall rules */
unsigned char test; /* Test mode flag */
unsigned char verbose; /* Verbose mode flag */