DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

[server] local NAT should not be enabled by default

Browse Source
This commit is contained in:
Michael Rash 2015-12-07 16:51:19 -08:00
parent 35558097cc
commit 4f81dd7747
3 changed files with 13 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
server/fw_util_firewalld.c
View File

@ -872,8 +872,6 @@ set_fw_chain_conf(const int type, const char * const conf_str)
int
fw_config_init(fko_srv_options_t * const opts)
{
int enabled_local_nat = 0;
memset(&fwc, 0x0, sizeof(struct fw_config));
/* Set our firewall exe command path (firewall-cmd or iptables in most cases).
@ -904,22 +902,15 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(FIREWD_OUTPUT_ACCESS, opts->config[CONF_FIREWD_OUTPUT_ACCESS]) != 1)
return 0;
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]))
enabled_local_nat = 1;
else
return 0;
}
/* The remaining access chains require ENABLE_FIREWD_FORWARDING = Y
/* The remaining access chains require ENABLE_FIREWD_FORWARDING
* or ENABLE_FIREWD_LOCAL_NAT
*/
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)==0)
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)==0
|| strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(FIREWD_FORWARD_ACCESS, opts->config[CONF_FIREWD_FORWARD_ACCESS]) != 1)
return 0;
if (! enabled_local_nat)
if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]) != 1)
return 0;

15
server/fw_util_iptables.c
View File

@ -864,8 +864,6 @@ set_fw_chain_conf(const int type, const char * const conf_str)
int
fw_config_init(fko_srv_options_t * const opts)
{
int enabled_local_nat = 0;
memset(&fwc, 0x0, sizeof(struct fw_config));
/* Set our firewall exe command path (iptables in most cases).
@ -889,22 +887,15 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
return 0;
if(strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]))
enabled_local_nat = 1;
else
return 0;
}
/* The remaining access chains require ENABLE_IPT_FORWARDING = Y
*/
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0
|| strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
return 0;
if(! enabled_local_nat)
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
return 0;

4
server/fwknopd_common.h
View File

@ -142,7 +142,7 @@
#define DEF_FLUSH_FIREWD_AT_INIT "Y"
#define DEF_FLUSH_FIREWD_AT_EXIT "Y"
#define DEF_ENABLE_FIREWD_FORWARDING "N"
#define DEF_ENABLE_FIREWD_LOCAL_NAT "Y"
#define DEF_ENABLE_FIREWD_LOCAL_NAT "N"
#define DEF_ENABLE_FIREWD_SNAT "N"
#define DEF_ENABLE_FIREWD_OUTPUT "N"
#define DEF_ENABLE_FIREWD_COMMENT_CHECK "Y"
@ -162,7 +162,7 @@
#define DEF_FLUSH_IPT_AT_INIT "Y"
#define DEF_FLUSH_IPT_AT_EXIT "Y"
#define DEF_ENABLE_IPT_FORWARDING "N"
#define DEF_ENABLE_IPT_LOCAL_NAT "Y"
#define DEF_ENABLE_IPT_LOCAL_NAT "N"
#define DEF_ENABLE_IPT_SNAT "N"
#define DEF_ENABLE_IPT_OUTPUT "N"
#define DEF_ENABLE_IPT_COMMENT_CHECK "Y"