From 0e7a0e9a378c5b9605228075718f53012e87cadd Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Mon, 17 Oct 2011 23:03:28 -0400 Subject: [PATCH] Added --fw-list-all and --fw-flush Added new command line options --fw-list-all and --fw-flush to allow all firewall rules to be displayed including those not created by fwknopd, and allow all firewall rules created by fwknopd to be deleted. Also switched -D config dump output to stdout.
--- doc/fwknopd.man.asciidoc | 11 ++++- server/access.c | 8 ++-- server/cmd_opts.h | 4 ++ server/config_init.c | 13 ++++-- server/fw_util_ipf.c | 3 ++ server/fw_util_ipfw.c | 94 +++++++++++++++++++++++++-------------- server/fw_util_ipfw.h | 1 + server/fw_util_iptables.c | 82 ++++++++++++++++++++++++---------- server/fw_util_iptables.h | 25 ++++++----- server/fw_util_pf.c | 5 ++- server/fwknopd.c | 9 +++- server/fwknopd_common.h | 2 + 12 files changed, 179 insertions(+), 78 deletions(-)
diff --git a/doc/fwknopd.man.asciidoc b/doc/fwknopd.man.asciidoc
index 20af2124..161875d6 100644
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@@ -63,9 +63,18 @@ COMMAND-LINE OPTIONS
 sent to stderr. This mode is usually used when testing and/or debugging.
 *--fw-list*::
- List all firewall rules that any running *fwknopd* daemon has created
+ List only firewall rules that any running *fwknopd* daemon has created
 and then exit.
+*--fw-list-all*::
+ List all firewall rules including those that have nothing to do with
+ *fwknopd*.
+
+*--fw-flush*::
+ Flush any firewall rules created by a running *fwknopd* process. This
+ option allows the used to easily delete *fwknopd* firewall rules without
+ having to wait for them to be timed out.
+
 *-K, --Kill*::
 Kill the current *fwknopd* process. This provides a quick and easy way to stop *fwknopd* without having to look in the process table.
diff --git a/server/access.c b/server/access.c
index 995bdca9..cfbfe034 100644
--- a/server/access.c
+++ b/server/access.c
@@ -1023,7 +1023,7 @@ dump_access_list(fko_srv_options_t *opts)
 acc_stanza_t *acc = opts->acc_stanzas;
- fprintf(stderr, "Current fwknopd access settings:\n");
+ fprintf(stdout, "Current fwknopd access settings:\n");
 if(!acc)
 {
@@ -1033,7 +1033,7 @@ dump_access_list(fko_srv_options_t *opts)
 while(acc)
 {
- fprintf(stderr,
+ fprintf(stdout,
 "SOURCE (%i): %s\n"
 "==============================================================\n"
 " OPEN_PORTS: %s\n"
@@ -1068,12 +1068,12 @@ dump_access_list(fko_srv_options_t *opts)
 (acc->gpg_remote_id == NULL) ? "" : acc->gpg_remote_id
 );
- fprintf(stderr, "\n");
+ fprintf(stdout, "\n");
 acc = acc->next;
 }
- fprintf(stderr, "\n");
+ fprintf(stdout, "\n");
 }
 /***EOF***/
diff --git a/server/cmd_opts.h b/server/cmd_opts.h
index 5bcedd8e..3fe62a0a 100644
--- a/server/cmd_opts.h
+++ b/server/cmd_opts.h
@@ -107,6 +107,8 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 */
 enum {
 FW_LIST = 0x200,
+ FW_LIST_ALL,
+ FW_FLUSH,
 GPG_HOME_DIR,
 ROTATE_DIGEST_CACHE,
 NOOP /* Just to be a marker for the end */
@@ -129,6 +131,8 @@ static struct option cmd_opts[] =
 {"interface", 1, NULL, 'i'},
 {"kill", 0, NULL, 'K'},
 {"fw-list", 0, NULL, FW_LIST },
+ {"fw-list-all", 0, NULL, FW_LIST_ALL },
+ {"fw-flush", 0, NULL, FW_FLUSH },
 {"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
 {"locale", 1, NULL, 'l' },
 {"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
diff --git a/server/config_init.c b/server/config_init.c
index f4503228..d3bc305b 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -653,6 +653,13 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 case FW_LIST:
 opts->fw_list = 1;
 break;
+ case FW_LIST_ALL:
+ opts->fw_list = 1;
+ opts->fw_list_all = 1;
+ break;
+ case FW_FLUSH:
+ opts->fw_flush = 1;
+ break;
 case GPG_HOME_DIR:
 if (is_valid_dir(optarg))
 {
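Review bot: With the access-stanza dump now written to stdout in all three access.c hunks, it is worth confirming what the per-stanza `fprintf(stdout, "SOURCE (%i): %s\n" ...` block prints beyond the OPEN_PORTS and gpg_remote_id fields visible here; if KEY or GPG passphrase values are part of it (the middle of that call is outside the hunk), a `-D` run redirected into a file or pipeline now carries them in the clear. A comment on dump_access_list such as `/* -D dump: may include per-stanza key material; print to stdout only, never to the log */` would make that explicit, or the key fields could be shown as `<set>` instead of in full. dump_access_list begins before these hunks and its body continues between them.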
@@ -718,16 +725,16 @@ dump_config(fko_srv_options_t *opts)
 {
 int i;
- fprintf(stderr, "Current fwknopd config settings:\n");
+ fprintf(stdout, "Current fwknopd config settings:\n");
 for(i=0; iconfig[i] == NULL) ? "" : opts->config[i] );
- fprintf(stderr, "\n");
+ fprintf(stdout, "\n");
 }
 /* Print usage message...
diff --git a/server/fw_util_ipf.c b/server/fw_util_ipf.c
index 15800d97..51a53a5b 100644
--- a/server/fw_util_ipf.c
+++ b/server/fw_util_ipf.c
@@ -52,6 +52,9 @@ fw_dump_rules(fko_srv_options_t *opts)
 int i;
 int res, got_err = 0;
+ fprintf(stdout, "Listing fwknopd ipf rules...\n");
+ fflush(stdout);
+
 zero_cmd_buffers(); /* TODO: Implement or get rid of me */
diff --git a/server/fw_util_ipfw.c b/server/fw_util_ipfw.c
index 3a3d9d56..ee39f7eb 100644
--- a/server/fw_util_ipfw.c
+++ b/server/fw_util_ipfw.c
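Review bot: fw_dump_rules in fw_util_ipf.c now prints `Listing fwknopd ipf rules...` but, unlike the ipfw and iptables versions in this commit, has no `opts->fw_list_all` branch, so `--fw-list-all` on an ipf system prints the fwknopd-only banner and then whatever the `/* TODO: Implement or get rid of me */` stub does. Until listing is implemented, a guard before the banner such as `if(opts->fw_list_all) log_msg(LOG_ERR, "--fw-list-all is not implemented for ipf");` keeps the output honest for the caller. The function body continues outside the hunk.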
@@ -96,42 +96,70 @@ fw_dump_rules(fko_srv_options_t *opts)
 {
 int res, got_err = 0;
- zero_cmd_buffers();
-
- /* Create the list command for active rules
- */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
- opts->fw_config->fw_command,
- opts->fw_config->active_set_num
- );
-
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
- printf("\nActive Rules:\n");
- res = system(cmd_buf);
-
- /* Expect full success on this */
- if(! EXTCMD_IS_SUCCESS(res))
+ if (opts->fw_list_all)
 {
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
- got_err++;
+ fprintf(stdout, "Listing all ipfw rules...\n");
+ fflush(stdout);
+
+ zero_cmd_buffers();
+
+ /* Create the list command for all rules
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_ALL_RULES_ARGS,
+ opts->fw_config->fw_command
+ );
+
+ res = system(cmd_buf);
+
+ /* Expect full success on this */
+ if(! EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ got_err++;
+ }
 }
-
- /* Create the list command for expired rules
- */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
- opts->fw_config->fw_command,
- opts->fw_config->expire_set_num
- );
-
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
- printf("\nExpired Rules:\n");
- res = system(cmd_buf);
-
- /* Expect full success on this */
- if(! EXTCMD_IS_SUCCESS(res))
+ else
 {
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
- got_err++;
+ fprintf(stdout, "Listing fwknopd ipfw rules...\n");
+ fflush(stdout);
+
+ zero_cmd_buffers();
+
+ /* Create the list command for active rules
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
+ opts->fw_config->fw_command,
+ opts->fw_config->active_set_num
+ );
+
+ //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+ printf("\nActive Rules:\n");
+ res = system(cmd_buf);
+
+ /* Expect full success on this */
+ if(!
EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ got_err++;
+ }
+
+ /* Create the list command for expired rules
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
+ opts->fw_config->fw_command,
+ opts->fw_config->expire_set_num
+ );
+
+ //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+ printf("\nExpired Rules:\n");
+ res = system(cmd_buf);
+
+ /* Expect full success on this */
+ if(! EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ got_err++;
+ }
 }
 return(got_err);
diff --git a/server/fw_util_ipfw.h b/server/fw_util_ipfw.h
index 247317bc..b3029e85 100644
--- a/server/fw_util_ipfw.h
+++ b/server/fw_util_ipfw.h
@@ -48,6 +48,7 @@ enum {
 #define IPFW_DEL_RULE_ARGS "set %u delete %u"
 #define IPFW_DEL_RULE_SET_ARGS "delete set %u"
 #define IPFW_LIST_RULES_ARGS "-d -S -T set %u list"
+#define IPFW_LIST_ALL_RULES_ARGS "list"
 #define IPFW_LIST_SET_RULES_ARGS "set %u list"
 #define IPFW_LIST_EXP_SET_RULES_ARGS "-S set %u list"
 #define IPFW_LIST_SET_DYN_RULES_ARGS "-d set %u list"
diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c
index 6d62a7e5..8d746fe2 100644
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
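Review bot: The rewritten fw_dump_rules body repeats the zero_cmd_buffers/snprintf/system/EXTCMD_IS_SUCCESS/log_msg sequence three times, and the two copied `//printf("(%i) CMD: '%s'\n", i, cmd_buf);` lines refer to an `i` that this function never declares (only `res` and `got_err` are), so that commented-out code is stale as well as dead and should be dropped. A file-static helper that flushes stdout, runs the already-formatted cmd_buf and returns 1 on failure would collapse the three copies and give `--fw-list` and `--fw-list-all` a single error path, as sketched below. Either way the function only ever returns got_err, so main() still exits with EXIT_SUCCESS when ipfw fails; see the fwknopd.c hunk.
```c
/* Run the command already formatted into cmd_buf; prints the optional
 * banner first and returns 1 on failure so callers can add it to got_err.
 */
static int
run_list_cmd(const char *banner)
{
    int res;

    if(banner != NULL)
        printf("%s", banner);
    fflush(stdout);

    res = system(cmd_buf);
    if(! EXTCMD_IS_SUCCESS(res))
    {
        log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
        return 1;
    }
    return 0;
}

/* … in fw_dump_rules(), each snprintf() is followed by one call … */
        got_err += run_list_cmd(NULL);                    /* --fw-list-all */
/* … unchanged: snprintf for the active set … */
        got_err += run_list_cmd("\nActive Rules:\n");
/* … unchanged: snprintf for the expired set … */
        got_err += run_list_cmd("\nExpired Rules:\n");
```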
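Review bot: `IPFW_LIST_ALL_RULES_ARGS` is a bare `list`, while the fwknopd-only listing one line above uses `-d -S -T set %u list`, so the "all rules" view omits the dynamic rules (`-d`) and set numbers (`-S`) that the narrower view shows. If `--fw-list-all` is meant to be a superset of `--fw-list`, `#define IPFW_LIST_ALL_RULES_ARGS "-d -S -T list"` is closer to that intent; the exact flag behaviour should be confirmed against the ipfw version being targeted.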
@@ -138,31 +138,67 @@ fw_dump_rules(fko_srv_options_t *opts)
 struct fw_chain *ch = opts->fw_config->chain;
- printf("Listing rules in fwknop chains...\n");
- for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
+ if (opts->fw_list_all == 1)
 {
+ fprintf(stdout, "Listing all iptables rules in applicable tables...\n");
+ fflush(stdout);
- if(fwc.chain[i].target[0] == '\0')
- continue;
-
- zero_cmd_buffers();
-
- /* Create the list command
- */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
- opts->fw_config->fw_command,
- ch[i].table,
- ch[i].to_chain
- );
-
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
- res = system(cmd_buf);
-
- /* Expect full success on this */
- if(! EXTCMD_IS_SUCCESS(res))
+ for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
 {
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
- got_err++;
+
+ if(fwc.chain[i].target[0] == '\0')
+ continue;
+
+ zero_cmd_buffers();
+
+ /* Create the list command
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_ALL_RULES_ARGS,
+ opts->fw_config->fw_command,
+ ch[i].table
+ );
+
+ //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+ res = system(cmd_buf);
+
+ /* Expect full success on this */
+ if(! EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ got_err++;
+ }
+ }
+ }
+ else
+ {
+ fprintf(stdout, "Listing rules in fwknopd iptables chains...\n");
+ fflush(stdout);
+
+ for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
+ {
+
+ if(fwc.chain[i].target[0] == '\0')
+ continue;
+
+ zero_cmd_buffers();
+
+ /* Create the list command
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
+ opts->fw_config->fw_command,
+ ch[i].table,
+ ch[i].to_chain
+ );
+
+ //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+ res = system(cmd_buf);
+
+ /* Expect full success on this */
+ if(! EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ got_err++;
+ }
 }
 }
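Review bot: In the `fw_list_all` branch the loop still runs once per fwknopd chain, but the command it builds (`IPT_LIST_ALL_RULES_ARGS` with only `ch[i].table`) lists a whole table, so any table shared by several chains is dumped once per chain and the output repeats itself. Skipping an `i` whose table matches an earlier listed chain's table avoids that, as sketched below; it needs an `int j;` and `strcmp` (string.h) in scope, which I assume the file already has. A smaller point of style: this branch tests `opts->fw_list_all == 1` while the ipfw version tests `opts->fw_list_all` — one form across the backends would be better. fw_dump_rules begins before this hunk.
```c
        for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
        {

            if(fwc.chain[i].target[0] == '\0')
                continue;

            /* A table shared by several fwknopd chains is listed only once */
            for(j = 0; j < i; j++)
                if(fwc.chain[j].target[0] != '\0'
                        && strcmp(ch[j].table, ch[i].table) == 0)
                    break;
            if(j < i)
                continue;

            zero_cmd_buffers();
            /* … unchanged: snprintf with IPT_LIST_ALL_RULES_ARGS, system(), error check … */
        }
```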
@@ -784,7 +820,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 if(!EXTCMD_IS_SUCCESS(res))
 {
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
 continue;
 }
diff --git a/server/fw_util_iptables.h b/server/fw_util_iptables.h
index e4ab0a8e..d8ef36b8 100644
--- a/server/fw_util_iptables.h
+++ b/server/fw_util_iptables.h
@@ -33,19 +33,20 @@
 #define SNAT_TARGET_BUFSIZE 64
-/* iptables command args
+/* iptables command args
 */
-#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
-#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
-#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
-#define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
-#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
-#define IPT_DEL_CHAIN_ARGS "-t %s -X %s 2>&1"
-#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s 2>&1"
-#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n 2>&1"
+#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
+#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
+#define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
+#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
+#define IPT_DEL_CHAIN_ARGS "-t %s -X %s 2>&1"
+#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I 
%s %i -j %s 2>&1"
+#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n 2>&1"
+#define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers 2>&1"
 #endif /* FW_UTIL_IPTABLES_H */
diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c
index c29f78f4..9f0c3727 100644
--- a/server/fw_util_pf.c
+++ b/server/fw_util_pf.c
@@ -60,6 +60,8 @@ fw_dump_rules(fko_srv_options_t *opts)
 {
 int res, got_err = 0;
+ printf("Listing fwknopd pf rules...\n");
+
 zero_cmd_buffers();
 /* Create the list command for active rules
@@ -133,7 +135,7 @@ anchor_active(fko_srv_options_t *opts)
 }
 static void
-delete_all_anchor_rules(fko_srv_options_t *opts)
+delete_all_anchor_rules(void)
 {
 int res = 0;
@@ -193,6 +195,7 @@ fw_initialize(fko_srv_options_t *opts)
 int
 fw_cleanup(void)
 {
+ delete_all_anchor_rules();
 return(0);
 }
diff --git a/server/fwknopd.c b/server/fwknopd.c
index 4005a408..5783d760 100644
--- a/server/fwknopd.c
+++ b/server/fwknopd.c
@@ -181,12 +181,19 @@ main(int argc, char **argv)
 */
 fw_config_init(&opts);
- if(opts.fw_list == 1)
+ if(opts.fw_list == 1 || opts.fw_list_all == 1)
 {
 fw_dump_rules(&opts);
 exit(EXI-SUCCESS);
 }
+ if(opts.fw_flush == 1)
+ {
+ fprintf(stdout, "Deleting any existing firewall rules...\n");
+ fw_cleanup();
+ exit(EXIT_SUCCESS);
+ }
+
 /* Process the access.conf file. */ parse_access_file(&opts);
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index fc19ad60..1af650c5 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -404,6 +404,8 @@ typedef struct fko_srv_options
 unsigned char restart; /* Restart fwknopd flag */
 unsigned char status; /* Get fwknopd status flag */
 unsigned char fw_list; /* List current firewall rules */
+ unsigned char fw_list_all; /* List all current firewall rules */
+ unsigned char fw_flush; /* Flush current firewall rules */
 unsigned char test; /* Test mode flag */
 unsigned char verbose; /* Verbose mode flag */
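Review bot: The pf banner is written with `printf("Listing fwknopd pf rules...\n");` and no `fflush(stdout)`, unlike the ipf, ipfw and iptables versions in this commit, which all flush before handing control to `system()`; when stdout is a pipe or a file the buffered banner can appear after the child's output rather than before it. Matching the other backends with `fprintf(stdout, "Listing fwknopd pf rules...\n");` followed by `fflush(stdout);` fixes the ordering. fw_dump_rules continues outside the hunk.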
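Review bot: `fw_cleanup()` now calls `delete_all_anchor_rules()` but still ends with an unconditional `return(0);`, and the helper is `static void`, so the `int res = 0;` it initialises (presumably the command result; its body is outside the hunk) can never reach the caller — `--fw-flush` on pf therefore always reports success. Declaring the helper as `static int delete_all_anchor_rules(void)` in the @@ -133 hunk and ending fw_cleanup with `return(delete_all_anchor_rules());` would let the new flush path in fwknopd.c report a failed deletion. Both hunks show only the tops of their functions.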
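Review bot: The new `--fw-flush` block discards the return value of `fw_cleanup()` and exits with EXIT_SUCCESS whatever happened, so a script that flushes rules before reconfiguring cannot tell a failed firewall command from a clean run; `int rc = fw_cleanup();` followed by `exit(rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE);` fixes that, assuming the non-pf backends also return 0 on success as the pf one in this commit does. The banner `Deleting any existing firewall rules...` also overstates what happens: the man page text in this patch says only rules created by fwknopd are flushed, so `Deleting fwknopd-created firewall rules...` is the accurate wording for an operation that modifies the host firewall. Separately, config_init sets `fw_list` for `--fw-list-all` as well, so the `|| opts.fw_list_all == 1` is redundant, and `--fw-flush` given together with `--fw-list` is silently ignored because the list branch exits first. main's body continues outside the hunk.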