From 25d252c11aea89a5ba5f46868847c72851a62a95 Mon Sep 17 00:00:00 2001 From: Gerry Reno Date: Sun, 31 Aug 2014 00:29:17 -0400 Subject: [PATCH] more changes for firewalld --- README.md | 9 ++++++--- configure.ac | 37 +++++++++++++++++++++++++++++++++---- fwknop.spec | 10 +++++----- server/fw_util_firewalld.h | 38 +++++++++++++++++++------------------- 4 files changed, 63 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 32256f03..f095480b 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,9 @@ default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally -cannot be scanned for with Nmap. The fwknop project supports three different -firewalls: iptables on Linux systems, pf on OpenBSD, and ipfw on FreeBSD and -Mac OS X. +cannot be scanned for with Nmap. The fwknop project supports four different +firewalls: firewalld and iptables on Linux systems, pf on OpenBSD, and ipfw on +FreeBSD and Mac OS X. SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits. PK limitations @@ -103,6 +103,9 @@ the `INSTALL` file for the general basics on using autoconf. --with-gpgme-prefix=PFX prefix where GPGME is installed (optional) --with-gpg=/path/to/gpg Specify path to the gpg executable that gpgme will use [default=check path] + --with-firewalld=/path/to/firewalld + Specify path to the firewalld executable + [default=check path] --with-iptables=/path/to/iptables Specify path to the iptables executable [default=check path] diff --git a/configure.ac b/configure.ac index e87eeab2..5084e23f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -476,6 +476,24 @@ AS_IF([test "$want_server" = yes], [ AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes]) AM_CONDITIONAL([CONFIG_FILE_CACHE], [test x$want_file_cache = xyes]) +dnl Check for firewalld +dnl + AC_ARG_WITH([firewall-cmd], + [AS_HELP_STRING([--with-firewall-cmd=/path/to/firewall-cmd], + [Specify path to the firewall-cmd executable @<:@default=check path@:>@])], + [ + AS_IF([ test "x$withval" = xno ], [], + AS_IF([ test "x$withval" = x -o "x$withval" = xyes ], + [AC_MSG_ERROR([--with-firewall-cmd requires an argument specifying a path to firewall-cmd])], + [ FORCE_FIREWALLD_EXE=$withval ] + ) + ) + ], + [ + AC_PATH_PROG(FIREWALLD_EXE, [firewall-cmd], [], [$APP_PATH]) + ] + ) + dnl Check for iptables dnl AC_ARG_WITH([iptables], @@ -550,6 +568,9 @@ dnl dnl If a firewall was forced. set the appropriate _EXE var and clear the others. dnl + AS_IF([test "x$FORCE_FIREWALLD_EXE" != x], [ + FIREWALLD_EXE="$FORCE_FIREWALLD_EXE" + ],[ AS_IF([test "x$FORCE_IPTABLES_EXE" != x], [ IPTABLES_EXE="$FORCE_IPTABLES_EXE" ],[ @@ -571,12 +592,19 @@ dnl ] ] ] - )))) + ] + ))))) dnl Determine which firewall exe we use (if we have one). -dnl If iptables was found or specified, it wins, then we fallback to ipfw, -dnl then pf, and otherwise we try ipf. +dnl If firewalld was found or specified, it wins, then we fallback to iptables, +dnl then ipfw, pf, and otherwise we try ipf. dnl + AS_IF([test "x$FIREWALLD_EXE" != x], [ + FW_DEF="FW_FIREWALLD" + FIREWALL_TYPE="firewalld" + FIREWALL_EXE=$FIREWALLD_EXE + AC_DEFINE_UNQUOTED([FIREWALL_FIREWALLD], [1], [The firewall type: firewalld.]) + ],[ AS_IF([test "x$IPTABLES_EXE" != x], [ FW_DEF="FW_IPTABLES" FIREWALL_TYPE="iptables" @@ -604,7 +632,8 @@ dnl ] ] ] - )))) + ] + ))))) AC_DEFINE_UNQUOTED([FIREWALL_EXE], ["$FIREWALL_EXE"], [Path to firewall command executable (it should match the firewall type).]) diff --git a/fwknop.spec b/fwknop.spec index aa6084a7..8080759a 100644 --- a/fwknop.spec +++ b/fwknop.spec 
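Review bot: The `AS_IF([test "x$FIREWALLD_EXE" != x]` branch picks firewalld purely because a `firewall-cmd` binary exists in `$APP_PATH`, so on a host that ships both firewall-cmd and iptables (the usual Fedora/RHEL layout) a previously working iptables build silently becomes `FW_FIREWALLD`, and because firewall-cmd needs the firewalld daemon reachable over D-Bus, a host where the daemon is disabled ends up with an fwknopd that cannot install any access rule. Consider emitting the decision, e.g. `AC_MSG_NOTICE([Using firewall type $FIREWALL_TYPE via $FIREWALL_EXE])` next to the `AC_DEFINE_UNQUOTED([FIREWALL_EXE]` at the end of the hunk (if the file does not already do so further down), or only letting firewalld override a detected iptables when `--with-firewall-cmd` was given explicitly. Also, the README hunk of this same commit documents the flag as `--with-firewalld=/path/to/firewalld`, while the `AC_ARG_WITH` here registers `--with-firewall-cmd`; autoconf will only warn "unrecognized options" for the documented spelling and then auto-detect anyway, so one of the two should be renamed.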
@@ -50,11 +50,11 @@ Requires: libfko => 2.0.3, libpcap, iptables %description Fwknop implements an authorization scheme known as Single Packet Authorization -(SPA) for Linux systems running iptables. This mechanism requires only a -single encrypted and non-replayed packet to communicate various pieces of -information including desired access through an iptables policy. The main -application of this program is to use iptables in a default-drop stance to -protect services such as SSH with an additional layer of security in order +(SPA) for Linux systems running firewalld or iptables. This mechanism requires +only a single encrypted and non-replayed packet to communicate various pieces of +information including desired access through a firewalld or iptables policy. The +main application of this program is to use firewalld or iptables in a default-drop +stance to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. diff --git a/server/fw_util_firewalld.h b/server/fw_util_firewalld.h index 89faab6d..2fe789d2 100644 --- a/server/fw_util_firewalld.h +++ b/server/fw_util_firewalld.h 
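Review bot: The `Requires: libfko => 2.0.3, libpcap, iptables` context line at the top of this hunk is left untouched while the rewritten %description now promises firewalld or iptables support; with the configure change in this commit the firewall executable is baked in as `FIREWALL_EXE` at build time, so a package built where `firewall-cmd` was auto-detected will exec firewall-cmd at runtime without any RPM dependency guaranteeing firewalld is installed. Unless `%configure` (outside this hunk) pins `--with-iptables`, the dependency should follow the configured backend, e.g. `Requires: libfko => 2.0.3, libpcap, firewalld` for a firewalld build or a conditional such as `%{?with_firewalld:Requires: firewalld}`.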
@@ -35,25 +35,25 @@ /* firewalld command args */
-#define FIREWD_CHK_RULE_ARGS "--direct --passthrough -C %s %s" /* 2>&1 is always added in the second %s */
-#define FIREWD_RULE_ARGS "--direct --passthrough -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_OUT_RULE_ARGS "--direct --passthrough -t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_FWD_RULE_ARGS "--direct --passthrough -t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_DNAT_RULE_ARGS "--direct --passthrough -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
-#define FIREWD_SNAT_RULE_ARGS "--direct --passthrough -t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
-#define FIREWD_TMP_COMMENT_ARGS "--direct --passthrough -t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
-#define FIREWD_TMP_CHK_RULE_ARGS "--direct --passthrough -t %s -I %s %i -s 127.0.0.2 -p udp -j %s 2>&1"
-#define FIREWD_TMP_VERIFY_CHK_ARGS "--direct --passthrough -t %s -C %s -s 127.0.0.2 -p udp -j %s 2>&1"
-#define FIREWD_DEL_RULE_ARGS "--direct --passthrough -t %s -D %s %i 2>&1"
-#define FIREWD_NEW_CHAIN_ARGS "--direct --passthrough -t %s -N %s 2>&1"
-#define FIREWD_FLUSH_CHAIN_ARGS "--direct --passthrough -t %s -F %s 2>&1"
-#define FIREWD_CHAIN_EXISTS_ARGS "--direct --passthrough -t %s -L %s -n 2>&1"
-#define FIREWD_DEL_CHAIN_ARGS "--direct --passthrough -t %s -X %s 2>&1"
-#define FIREWD_CHK_JUMP_RULE_ARGS "--direct --passthrough -t %s -j %s 2>&1"
-#define FIREWD_ADD_JUMP_RULE_ARGS "--direct --passthrough -t %s -I %s %i -j %s 2>&1"
-#define FIREWD_DEL_JUMP_RULE_ARGS "--direct --passthrough -t %s -D %s -j %s 2>&1" /* let firewalld work out the rule number */
-#define FIREWD_LIST_RULES_ARGS "--direct --passthrough -t %s -L %s --line-numbers 
-n 2>&1"
-#define FIREWD_LIST_ALL_RULES_ARGS "--direct --passthrough -t %s -v -n -L --line-numbers 2>&1"
+#define FIREWD_CHK_RULE_ARGS "--direct --passthrough ipv4 -C %s %s" /* 2>&1 is always added in the second %s */
+#define FIREWD_RULE_ARGS "--direct --passthrough ipv4 -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_OUT_RULE_ARGS "--direct --passthrough ipv4 -t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_FWD_RULE_ARGS "--direct --passthrough ipv4 -t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_DNAT_RULE_ARGS "--direct --passthrough ipv4 -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define FIREWD_SNAT_RULE_ARGS "--direct --passthrough ipv4 -t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
+#define FIREWD_TMP_COMMENT_ARGS "--direct --passthrough ipv4 -t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
+#define FIREWD_TMP_CHK_RULE_ARGS "--direct --passthrough ipv4 -t %s -I %s %i -s 127.0.0.2 -p udp -j %s 2>&1"
+#define FIREWD_TMP_VERIFY_CHK_ARGS "--direct --passthrough ipv4 -t %s -C %s -s 127.0.0.2 -p udp -j %s 2>&1"
+#define FIREWD_DEL_RULE_ARGS "--direct --passthrough ipv4 -t %s -D %s %i 2>&1"
+#define FIREWD_NEW_CHAIN_ARGS "--direct --passthrough ipv4 -t %s -N %s 2>&1"
+#define FIREWD_FLUSH_CHAIN_ARGS "--direct --passthrough ipv4 -t %s -F %s 2>&1"
+#define FIREWD_CHAIN_EXISTS_ARGS "--direct --passthrough ipv4 -t %s -L %s -n 2>&1"
+#define FIREWD_DEL_CHAIN_ARGS "--direct --passthrough ipv4 -t %s -X %s 2>&1"
+#define FIREWD_CHK_JUMP_RULE_ARGS "--direct --passthrough ipv4 -t %s -j %s 2>&1"
+#define FIREWD_ADD_JUMP_RULE_ARGS "--direct --passthrough ipv4 -t %s -I %s %i -j %s 2>&1"
+#define FIREWD_DEL_JUMP_RULE_ARGS "--direct --passthrough ipv4 -t %s -D %s 
-j %s 2>&1" /* let firewalld work out the rule number */
+#define FIREWD_LIST_RULES_ARGS "--direct --passthrough ipv4 -t %s -L %s --line-numbers -n 2>&1"
+#define FIREWD_LIST_ALL_RULES_ARGS "--direct --passthrough ipv4 -t %s -v -n -L --line-numbers 2>&1"
 int validate_firewd_chain_conf(const char * const chain_str);
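Review bot: These macros interpolate `%s` fields (source/destination address, table and chain names) into a string that ends in `2>&1`, which only does anything if the formatted text is run through a shell (the invocation is outside this hunk), so every substituted value becomes part of a shell command line and nothing in this header pins them to a bare dotted quad or chain identifier; the `validate_firewd_chain_conf()` prototype at the end of the hunk and whatever validates the SPA source address upstream are the only barrier between decrypted SPA fields and shell metacharacters. That contract deserves a comment above the block, e.g. `/* NOTE: the formatted args are executed via a shell (hence 2>&1); callers must pass only validated IPv4 addresses and [A-Za-z0-9_-] table/chain names in the %s fields. */`. The new `ipv4` token also pins every passthrough to the IPv4 table, which matches firewall-cmd's `--passthrough { ipv4 | ipv6 | eb }` syntax but means an IPv6 source address would make firewall-cmd fail instead of installing a rule; if fwknopd is IPv4-only on this backend, a one-line comment saying so keeps someone from later "fixing" it by deleting the token.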