[server / test suite] cleaner SNAT MASQUERADE support
parent
6bdfa95067
commit
17d1071aa8
@ -218,6 +218,7 @@ EXTRA_DIST = \
|
||||
test/conf/hmac_force_nat_forward_all_access.conf \
|
||||
test/conf/hmac_no_b64_cygwin_access.conf \
|
||||
test/conf/hmac_forward_all_access.conf \
|
||||
test/conf/hmac_forward_all_masq_access.conf \
|
||||
test/conf/hmac_forward_all_and_dnat_access.conf \
|
||||
test/conf/hmac_force_masq_no_dnat_access.conf \
|
||||
test/conf/multi_pkts.pcap \
|
||||
|
||||
@ -95,8 +95,8 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts,
|
||||
* maximize code coverage in conjunction with the test suite, and is never
|
||||
* compiled in for a production release of fwknop.
|
||||
*/
|
||||
if(run_extcmd_write("/bin/grep -v test", "/bin/echo test", &pid_status, opts) != 0)
|
||||
log_msg(LOG_WARNING, "Code coverage: Could not execute command");
|
||||
if(run_extcmd_write("/bin/grep -v test", "/bin/echo test", &pid_status, opts) == 0)
|
||||
log_msg(LOG_WARNING, "[ignore] Code coverage: Executed command");
|
||||
#endif
|
||||
|
||||
if(proto == IPPROTO_TCP)
|
||||
@ -1136,11 +1136,18 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
|
||||
struct fw_chain *snat_chain = NULL;
|
||||
|
||||
log_msg(LOG_DEBUG, "snat_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
||||
acc->forward_all, nat_ip, nat_port);
|
||||
log_msg(LOG_DEBUG,
|
||||
"snat_rule() forward_all: %d, nat_ip: %s, nat_port: %d, force_snat: %d, force_snat_ip: %s, force_masq: %d",
|
||||
acc->forward_all, nat_ip, nat_port, acc->force_snat,
|
||||
(acc->force_snat_ip == NULL) ? "(NONE)" : acc->force_snat_ip,
|
||||
acc->force_masquerade);
|
||||
|
||||
if(acc->forward_all)
|
||||
{
|
||||
/* Default to MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
|
||||
/* Add SNAT or MASQUERADE rules.
|
||||
*/
|
||||
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
|
||||
@ -1150,12 +1157,6 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||
"--to-source %s", acc->force_snat_ip);
|
||||
}
|
||||
else if(acc->force_snat && acc->force_masquerade)
|
||||
{
|
||||
/* Using MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
}
|
||||
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
|
||||
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
|
||||
{
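Review bot: Removing the `else if(acc->force_snat && acc->force_masquerade)` branch here, with MASQUERADE now only preset as the default at the top of the chain, changes precedence: an access stanza with FORCE_MASQUERADE now falls through to the unchanged `else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL) ...)` branch whenever the global SNAT_TRANSLATE_IP is configured, so the global translate IP silently overrides the per-stanza masquerade request, where the old ordering gave the stanza precedence. If that is not intended, guard the remaining branch, e.g. `else if(!acc->force_masquerade && (opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)` followed by the existing `&& is_valid_ipv4_addr(...)` line. The two lines between this hunk and the next are not visible, so if a check already lives there this is moot. The same point applies to the parallel hunks further down that use IPT_MASQUERADE_ACCESS. snat_rule() starts and ends outside the hunk.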
|
||||
@ -1164,12 +1165,6 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Using MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
}
|
||||
|
||||
memset(rule_buf, 0, CMD_BUFSIZE);
|
||||
|
||||
|
||||
@ -89,8 +89,8 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts,
|
||||
* maximize code coverage in conjunction with the test suite, and is never
|
||||
* compiled in for a production release of fwknop.
|
||||
*/
|
||||
if(run_extcmd_write("/bin/grep -v test", "/bin/echo test", &pid_status, opts) != 0)
|
||||
log_msg(LOG_WARNING, "Code coverage: Could not execute command");
|
||||
if(run_extcmd_write("/bin/grep -v test", "/bin/echo test", &pid_status, opts) == 0)
|
||||
log_msg(LOG_WARNING, "[ignore] Code coverage: Executed command");
|
||||
#endif
|
||||
|
||||
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
|
||||
@ -1130,11 +1130,18 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
|
||||
struct fw_chain *snat_chain = NULL;
|
||||
|
||||
log_msg(LOG_DEBUG, "snat_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
||||
acc->forward_all, nat_ip, nat_port);
|
||||
log_msg(LOG_DEBUG,
|
||||
"snat_rule() forward_all: %d, nat_ip: %s, nat_port: %d, force_snat: %d, force_snat_ip: %s, force_masq: %d",
|
||||
acc->forward_all, nat_ip, nat_port, acc->force_snat,
|
||||
(acc->force_snat_ip == NULL) ? "(NONE)" : acc->force_snat_ip,
|
||||
acc->force_masquerade);
|
||||
|
||||
if(acc->forward_all)
|
||||
{
|
||||
/* Default to MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
|
||||
/* Add SNAT or MASQUERADE rules.
|
||||
*/
|
||||
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
|
||||
@ -1144,12 +1151,6 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||
"--to-source %s", acc->force_snat_ip);
|
||||
}
|
||||
else if(acc->force_snat && acc->force_masquerade)
|
||||
{
|
||||
/* Using MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
}
|
||||
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
|
||||
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
|
||||
{
|
||||
@ -1158,12 +1159,6 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Using MASQUERADE */
|
||||
snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
|
||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
|
||||
}
|
||||
|
||||
memset(rule_buf, 0, CMD_BUFSIZE);
|
||||
|
||||
|
||||
@ -437,6 +437,7 @@ our %cf = (
|
||||
'hmac_force_masq_access' => "$conf_dir/hmac_force_masq_access.conf",
|
||||
'hmac_force_masq_no_dnat_access' => "$conf_dir/hmac_force_masq_no_dnat_access.conf",
|
||||
'hmac_forward_all_access' => "$conf_dir/hmac_forward_all_access.conf",
|
||||
'hmac_forward_all_masq_access' => "$conf_dir/hmac_forward_all_masq_access.conf",
|
||||
'hmac_forward_all_and_dna_access' => "$conf_dir/hmac_forward_all_and_dnat_access.conf",
|
||||
'cmd_access' => "$conf_dir/cmd_access.conf",
|
||||
'cmd_setuid_access' => "$conf_dir/cmd_setuid_access.conf",
|
||||
@ -6879,6 +6880,8 @@ sub os_fw_detect() {
|
||||
$FW_TYPE = 'firewalld';
|
||||
$FW_PREFIX = 'FIREWD';
|
||||
$fw_conf_prefix = 'firewd';
|
||||
} else {
|
||||
$fw_bin = &find_command('iptables');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
||||
@ -1453,7 +1453,7 @@
|
||||
{
|
||||
'category' => 'Rijndael+HMAC',
|
||||
'subcategory' => 'client+server',
|
||||
'detail' => "FORWARD_ALL snat translate IP",
|
||||
'detail' => "FORWARD_ALL SNAT translate IP",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$default_client_args_no_get_key --rc-file " .
|
||||
$cf{'rc_hmac_b64_key'},
|
||||
@ -1469,6 +1469,25 @@
|
||||
'server_conf' => $cf{"${fw_conf_prefix}_snat_translate_ip"},
|
||||
'key_file' => $cf{'rc_hmac_b64_key'},
|
||||
},
|
||||
{
|
||||
'category' => 'Rijndael+HMAC',
|
||||
'subcategory' => 'client+server',
|
||||
'detail' => "FORWARD_ALL MASQUERADE",
|
||||
'function' => \&spa_cycle,
|
||||
'cmdline' => "$default_client_args_no_get_key --rc-file " .
|
||||
$cf{'rc_hmac_b64_key'},
|
||||
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_snat_no_translate_ip"} -a $cf{'hmac_forward_all_masq_access'} / .
|
||||
"-d $default_digest_file -p $default_pid_file $intf_str",
|
||||
'server_positive_output_matches' => [
|
||||
qr/\sMASQUERADE\s.*all/],
|
||||
'server_negative_output_matches' => [
|
||||
qr/\*\/\sto\:$internal_nat_host\:22/i,
|
||||
qr/\*\/\sto\:$force_nat_host\:22/i],
|
||||
'fw_rule_created' => $NEW_RULE_REQUIRED,
|
||||
'fw_rule_removed' => $NEW_RULE_REMOVED,
|
||||
'server_conf' => $cf{"${fw_conf_prefix}_snat_no_translate_ip"},
|
||||
'key_file' => $cf{'rc_hmac_b64_key'},
|
||||
},
|
||||
|
||||
{
|
||||
'category' => 'Rijndael+HMAC',
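Review bot: The new "FORWARD_ALL MASQUERADE" test asserts only that a MASQUERADE rule appears (`qr/\sMASQUERADE\s.*all/`) and that no DNAT to port 22 is present; it does not assert that no SNAT rule was created alongside it, which is exactly the selection logic this commit reworks in snat_rule(). Adding `qr/\sSNAT\s/` to `server_negative_output_matches` would pin that MASQUERADE was chosen instead of SNAT rather than in addition to it, assuming the rule listing format matches what the other SNAT tests in this file match on. The test hash is complete within the hunk.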
|
||||
|
||||