DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Start of addition of access requests via ipfw.

Browse Source 
git-svn-id: file:///home/mbr/svn/fwknop/trunk@282 510a4753-2344-4c79-9c09-4d669213fbeb
This commit is contained in:
Damien Stuart 2010-08-23 02:43:43 +00:00
parent b0de05c70a
commit 51c21b318f
10 changed files with 558 additions and 228 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
server/config_init.c
View File

@ -292,6 +292,12 @@ validate_options(fko_srv_options_t *opts)
set_config_entry(opts, CONF_ENABLE_DIGEST_PERSISTENCE,
DEF_ENABLE_DIGEST_PERSISTENCE);
/* Max sniff bytes.
*/
if(opts->config[CONF_MAX_SNIFF_BYTES] == NULL)
set_config_entry(opts, CONF_MAX_SNIFF_BYTES, DEF_MAX_SNIFF_BYTES);
#if FIREWALL_IPTABLES
/* Enable IPT forwarding.
*/
if(opts->config[CONF_ENABLE_IPT_FORWARDING] == NULL)
@ -316,11 +322,6 @@ validate_options(fko_srv_options_t *opts)
set_config_entry(opts, CONF_ENABLE_IPT_OUTPUT,
DEF_ENABLE_IPT_OUTPUT);
/* Max sniff bytes.
*/
if(opts->config[CONF_MAX_SNIFF_BYTES] == NULL)
set_config_entry(opts, CONF_MAX_SNIFF_BYTES, DEF_MAX_SNIFF_BYTES);
/* Flush IPT at init.
*/
if(opts->config[CONF_FLUSH_IPT_AT_INIT] == NULL)
@ -331,37 +332,6 @@ validate_options(fko_srv_options_t *opts)
if(opts->config[CONF_FLUSH_IPT_AT_EXIT] == NULL)
set_config_entry(opts, CONF_FLUSH_IPT_AT_EXIT, DEF_FLUSH_IPT_AT_EXIT);
/* GPG Home dir.
*/
if(opts->config[CONF_GPG_HOME_DIR] == NULL)
set_config_entry(opts, CONF_GPG_HOME_DIR, DEF_GPG_HOME_DIR);
/* Enable SPA over HTTP.
*/
if(opts->config[CONF_ENABLE_SPA_OVER_HTTP] == NULL)
set_config_entry(opts, CONF_ENABLE_SPA_OVER_HTTP,
DEF_ENABLE_SPA_OVER_HTTP);
/* Enable TCP server.
*/
if(opts->config[CONF_ENABLE_TCP_SERVER] == NULL)
set_config_entry(opts, CONF_ENABLE_TCP_SERVER, DEF_ENABLE_TCP_SERVER);
/* TCP Server port.
*/
if(opts->config[CONF_TCPSERV_PORT] == NULL)
set_config_entry(opts, CONF_TCPSERV_PORT, DEF_TCPSERV_PORT);
/* Syslog identity.
*/
if(opts->config[CONF_SYSLOG_IDENTITY] == NULL)
set_config_entry(opts, CONF_SYSLOG_IDENTITY, DEF_SYSLOG_IDENTITY);
/* Syslog facility.
*/
if(opts->config[CONF_SYSLOG_FACILITY] == NULL)
set_config_entry(opts, CONF_SYSLOG_FACILITY, DEF_SYSLOG_FACILITY);
/* IPT input access.
*/
if(opts->config[CONF_IPT_INPUT_ACCESS] == NULL)
@ -398,6 +368,84 @@ validate_options(fko_srv_options_t *opts)
set_config_entry(opts, CONF_IPT_MASQUERADE_ACCESS,
DEF_IPT_MASQUERADE_ACCESS);
#elif FIREWALL_IPFW
/* Set IPFW start rule number.
*/
if(opts->config[CONF_IPFW_START_RULE_NUM] == NULL)
set_config_entry(opts, CONF_IPFW_START_RULE_NUM,
DEF_IPFW_START_RULE_NUM);
/* Set IPFW max rules.
*/
if(opts->config[CONF_IPFW_MAX_RULES] == NULL)
set_config_entry(opts, CONF_IPFW_MAX_RULES,
DEF_IPFW_MAX_RULES);
/* Set IPFW active set number.
*/
if(opts->config[CONF_IPFW_ACTIVE_SET_NUM] == NULL)
set_config_entry(opts, CONF_IPFW_ACTIVE_SET_NUM,
DEF_IPFW_ACTIVE_SET_NUM);
/* Set IPFW expire set number.
*/
if(opts->config[CONF_IPFW_EXPIRE_SET_NUM] == NULL)
set_config_entry(opts, CONF_IPFW_EXPIRE_SET_NUM,
DEF_IPFW_EXPIRE_SET_NUM);
/* Set IPFW Dynamic rule expiry interval.
*/
if(opts->config[CONF_IPFW_DYNAMIC_INTERVAL] == NULL)
set_config_entry(opts, CONF_IPFW_DYNAMIC_INTERVAL,
DEF_IPFW_DYNAMIC_INTERVAL);
/* Set IPFW Dynamic rule expiry interval.
*/
if(opts->config[CONF_IPFW_ADD_CHECK_STATE] == NULL)
set_config_entry(opts, CONF_IPFW_ADD_CHECK_STATE,
DEF_IPFW_ADD_CHECK_STATE);
#elif FIREWALL_IPF
/* --DSS Place-holder */
#elif FIREWALL_PF
/* --DSS Place-holder */
#endif /* FIREWALL type */
/* GPG Home dir.
*/
if(opts->config[CONF_GPG_HOME_DIR] == NULL)
set_config_entry(opts, CONF_GPG_HOME_DIR, DEF_GPG_HOME_DIR);
/* Enable SPA over HTTP.
*/
if(opts->config[CONF_ENABLE_SPA_OVER_HTTP] == NULL)
set_config_entry(opts, CONF_ENABLE_SPA_OVER_HTTP,
DEF_ENABLE_SPA_OVER_HTTP);
/* Enable TCP server.
*/
if(opts->config[CONF_ENABLE_TCP_SERVER] == NULL)
set_config_entry(opts, CONF_ENABLE_TCP_SERVER, DEF_ENABLE_TCP_SERVER);
/* TCP Server port.
*/
if(opts->config[CONF_TCPSERV_PORT] == NULL)
set_config_entry(opts, CONF_TCPSERV_PORT, DEF_TCPSERV_PORT);
/* Syslog identity.
*/
if(opts->config[CONF_SYSLOG_IDENTITY] == NULL)
set_config_entry(opts, CONF_SYSLOG_IDENTITY, DEF_SYSLOG_IDENTITY);
/* Syslog facility.
*/
if(opts->config[CONF_SYSLOG_FACILITY] == NULL)
set_config_entry(opts, CONF_SYSLOG_FACILITY, DEF_SYSLOG_FACILITY);
/* Some options just trigger some output of information, or trigger an
* external function, but do not actually start fwknopd. If any of those
* are set, we can return here an skip the validation routines as all

4
server/fw_util.h
View File

@ -46,8 +46,8 @@
/* Function prototypes
*/
void fw_config_init(fko_srv_options_t *opts);
void fw_initialize(void);
void fw_cleanup(void);
void fw_initialize(fko_srv_options_t *opts);
int fw_cleanup(void);
void check_firewall_rules(fko_srv_options_t *opts);
int fw_dump_rules(fko_srv_options_t *opts);
int process_spa_request(fko_srv_options_t *opts, spa_data_t *spdat);

19
server/fw_util_ipf.c
View File

@ -35,6 +35,9 @@
#include "access.h"
static struct fw_config fwc;
static char cmd_buf[CMD_BUFSIZE];
static char err_buf[CMD_BUFSIZE];
static char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
/* Print all firewall rules currently instantiated by the running fwknopd
* daemon to stdout.
@ -44,8 +47,8 @@ fw_dump_rules(fko_srv_options_t *opts)
{
int i;
int res, got_err = 0;
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
zero_cmd_buffers();
/* TODO: Implement or get rid of me */
@ -72,7 +75,7 @@ fw_config_init(fko_srv_options_t *opts)
}
void
fw_initialize(void)
fw_initialize(fko_srv_options_t *opts)
{
int res = 0;
@ -85,12 +88,13 @@ fw_initialize(void)
}
}
void
int
fw_cleanup(void)
{
/* TODO: Implement or get rid of me */
return(0);
}
/****************************************************************************/
@ -102,10 +106,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
{
/* TODO: Implement me */
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char nat_ip[16] = {0};
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
char *ndx;
unsigned int nat_port = 0;;
@ -153,9 +154,6 @@ check_firewall_rules(fko_srv_options_t *opts)
/* TODO: Implement me */
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
char exp_str[12];
char rule_num_str[6];
char *ndx, *rn_start, *rn_end, *tmp_mark;
@ -165,6 +163,7 @@ check_firewall_rules(fko_srv_options_t *opts)
time(&now);
zero_cmd_buffers();
}
#endif /* FIREWALL_IPF */

2
server/fw_util_ipf.h
View File

@ -26,8 +26,6 @@
#ifndef FW_UTIL_IPF_H
#define FW_UTIL_IPF_H
#define SNAT_TARGET_BUFSIZE 64
/* ipfw command args (gotta flesh these out)
*/
#define IPF_ADD_RULE_ARGS ""

239
server/fw_util_ipfw.c
View File

@ -35,6 +35,31 @@
#include "access.h"
static struct fw_config fwc;
static char cmd_buf[CMD_BUFSIZE];
static char err_buf[CMD_BUFSIZE];
static char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
unsigned short
get_next_rule_num(void)
{
unsigned short i, next_rule;
for(i=0; i < fwc.max_rules; i++)
{
if(fwc.rule_map[i] == 0)
return(fwc.start_rule_num + i);
}
return(0);
}
void
zero_cmd_buffers(void)
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
memset(err_buf, 0x0, CMD_BUFSIZE);
memset(cmd_out, 0x0, STANDARD_CMD_OUT_BUFSIZE);
}
/* Print all firewall rules currently instantiated by the running fwknopd
* daemon to stdout.
@ -42,12 +67,45 @@ static struct fw_config fwc;
int
fw_dump_rules(fko_srv_options_t *opts)
{
int i;
int res, got_err = 0;
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
/* TODO: Implement me */
zero_cmd_buffers();
/* Create the list command for active rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->active_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nActive Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
/* Create the list command for expired rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
opts->fw_config->fw_command,
opts->fw_config->expire_set_num
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nExpired Rules:\n");
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
return(got_err);
}
@ -56,15 +114,16 @@ void
fw_config_init(fko_srv_options_t *opts)
{
/* TODO: Implement me */
memset(&fwc, 0x0, sizeof(struct fw_config));
/* Set our firewall exe command path (iptables in most cases).
*/
strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE], MAX_PATH_LEN);
fwc.start_rule_num = atoi(opts->config[CONF_IPFW_START_RULE_NUM]);
fwc.max_rules = atoi(opts->config[CONF_IPFW_MAX_RULES]);
fwc.active_set_num = atoi(opts->config[CONF_IPFW_ACTIVE_SET_NUM]);
fwc.expire_set_num = atoi(opts->config[CONF_IPFW_EXPIRE_SET_NUM]);
/* Let us find it via our opts struct as well.
*/
@ -74,25 +133,110 @@ fw_config_init(fko_srv_options_t *opts)
}
void
fw_initialize(void)
fw_initialize(fko_srv_options_t *opts)
{
int res = 0;
/* TODO: Implement me */
/* For now, we just call fw_cleanup to start with clean slate.
*/
res = fw_cleanup();
if(res != 0)
{
fprintf(stderr, "Warning: Errors detected during fwknop custom chain creation.\n");
fprintf(stderr, "Fatal: Errors detected during ipfw rules initialization.\n");
exit(EXIT_FAILURE);
}
/* Allocate our rule_map array for tracking active (and expired) rules.
*/
fwc.rule_map = calloc(fwc.max_rules, sizeof(char));
if(fwc.rule_map == NULL)
{
fprintf(stderr, "Fatal: Memory allocation error in fw_initialize.\n");
exit(EXIT_FAILURE);
}
/* Create a check-state rule if necessary.
*/
if(strncasecmp(opts->config[CONF_IPFW_ADD_CHECK_STATE], "Y", 1) == 0)
{
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_ADD_CHECK_STATE_ARGS,
fwc.fw_command,
fwc.start_rule_num,
fwc.active_set_num
);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added check-state rule %u to set %u",
fwc.start_rule_num,
fwc.active_set_num
);
(fwc.rule_map)[0] = 1;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
}
void
int
fw_cleanup(void)
{
int res, got_err = 0;
/* TODO: Implement me */
zero_cmd_buffers();
if(fwc.active_set_num > 0)
{
/* Create the set delete command for active rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DEL_RULE_SET_ARGS,
fwc.fw_command,
fwc.active_set_num
);
//printf("CMD: '%s'\n", cmd_buf);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
if(fwc.expire_set_num > 0)
{
/* Create the set delete command for active rules
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DEL_RULE_SET_ARGS,
fwc.fw_command,
fwc.expire_set_num
);
//printf("CMD: '%s'\n", cmd_buf);
res = system(cmd_buf);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
/* Free the rule map.
*/
free(fwc.rule_map);
return(got_err);
}
/****************************************************************************/
@ -104,13 +248,10 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
{
/* TODO: Implement me */
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char nat_ip[16] = {0};
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
char *ndx;
unsigned int nat_port = 0;;
unsigned short rule_num;
acc_port_list_t *port_list = NULL;
acc_port_list_t *ple;
@ -141,22 +282,72 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
time(&now);
exp_ts = now + spadat->fw_access_timeout;
/* TODO: Implement me */
/* For straight access requests, we currently support multiple proto/port
* request.
*/
if(spadat->message_type == FKO_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_ACCESS_MSG)
{
rule_num = get_next_rule_num();
/* Create an access command for each proto/port for the source ip.
*/
while(ple != NULL)
{
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_ADD_RULE_ARGS,
fwc.fw_command,
rule_num,
fwc.active_set_num,
ple->proto,
spadat->use_src_ip,
ple->port,
exp_ts
);
//--DSS tmp
//fprintf(stderr, "ADD CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Rule %u for %s, %s expires at %u",
rule_num,
spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
(fwc.rule_map)[fwc.start_rule_num + rule_num] = 1;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(fwc.next_expire < now || exp_ts < fwc.next_expire)
fwc.next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
ple = ple->next;
}
}
else
{
/* No other modes supported yet.
*/
return(-1);
}
return(res);
}
/* Iterate over the configure firewall access chains and purge expired
/* Iterate over the current rule set and purge expired
* firewall rules.
*/
void
check_firewall_rules(fko_srv_options_t *opts)
{
/* TODO: Implement me */
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
char exp_str[12];
char rule_num_str[6];
char *ndx, *rn_start, *rn_end, *tmp_mark;
@ -166,6 +357,8 @@ check_firewall_rules(fko_srv_options_t *opts)
time(&now);
zero_cmd_buffers();
}
#endif /* FIREWALL_IPFW */

18
server/fw_util_ipfw.h
View File

@ -26,17 +26,15 @@
#ifndef FW_UTIL_IPFW_H
#define FW_UTIL_IPFW_H
#define SNAT_TARGET_BUFSIZE 64
/* ipfw command args (gotta flesh these out)
/* ipfw command args
*/
#define IPFW_ADD_RULE_ARGS ""
#define IPFW_ADD_OUT_RULE_ARGS ""
#define IPFW_ADD_FWD_RULE_ARGS ""
#define IPFW_ADD_DNAT_RULE_ARGS ""
#define IPFW_ADD_SNAT_RULE_ARGS ""
#define IPFW_DEL_RULE_ARGS ""
#define IPFW_LIST_RULES_ARGS ""
#define IPFW_ADD_RULE_ARGS "add %u set %u pass %u from %s to me dst-port %u setup keep-state // _exp_%u"
#define IPFW_ADD_CHECK_STATE_ARGS "add %u set %u check-state"
#define IPFW_MOVE_RULE_ARGS "set move rule %u to %u"
#define IPFW_MOVE_SET_ARGS "set move %u to %u"
#define IPFW_DEL_RULE_ARGS "set %u delete %u"
#define IPFW_DEL_RULE_SET_ARGS "delete set %u"
#define IPFW_LIST_RULES_ARGS "-d -S -T set %u list"
#endif /* FW_UTIL_IPFW_H */

105
server/fw_util_iptables.c
View File

@ -36,6 +36,17 @@
#include "access.h"
static struct fw_config fwc;
static char cmd_buf[CMD_BUFSIZE];
static char err_buf[CMD_BUFSIZE];
static char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
void
zero_cmd_buffers(void)
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
memset(err_buf, 0x0, CMD_BUFSIZE);
memset(cmd_out, 0x0, STANDARD_CMD_OUT_BUFSIZE);
}
static int
jump_rule_exists(int chain_num)
@ -92,8 +103,6 @@ fw_dump_rules(fko_srv_options_t *opts)
{
int i;
int res, got_err = 0;
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
struct fw_chain *ch = opts->fw_config->chain;
@ -104,6 +113,8 @@ fw_dump_rules(fko_srv_options_t *opts)
if(fwc.chain[i].target[0] == '\0')
continue;
zero_cmd_buffers();
/* Create the list command
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
@ -118,7 +129,7 @@ fw_dump_rules(fko_srv_options_t *opts)
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
@ -133,8 +144,6 @@ delete_all_chains(void)
{
int i, res;
int jump_rule_num;
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
{
@ -146,6 +155,8 @@ delete_all_chains(void)
*/
if((jump_rule_num = jump_rule_exists(i)) > 0)
{
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
fwc.fw_command,
fwc.chain[i].table,
@ -154,13 +165,13 @@ delete_all_chains(void)
);
//printf("CMD: '%s'\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
/* Now flush and remove the chain.
*/
@ -175,10 +186,10 @@ delete_all_chains(void)
);
//printf("CMD: '%s'\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
}
@ -189,14 +200,14 @@ create_fw_chains(void)
{
int i;
int res, got_err = 0;
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
{
if(fwc.chain[i].target[0] == '\0')
continue;
zero_cmd_buffers();
/* Create the custom chain.
*/
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS,
@ -206,16 +217,16 @@ create_fw_chains(void)
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
/* Then create the jump rule to that chain.
*/
@ -228,12 +239,12 @@ create_fw_chains(void)
);
//printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
}
@ -289,16 +300,6 @@ set_fw_chain_conf(int type, char *conf_str)
/* Pull and set Target */
strlcpy(chain->target, chain_fields[0], MAX_TARGET_NAME_LEN);
/* Pull and set Direction
if(strcmp(chain_fields[1], FW_CHAIN_DIR_SRC_STR) == 0)
chain->direction = FW_CHAIN_DIR_SRC;
else if(strcmp(chain_fields[1], FW_CHAIN_DIR_DST_STR) == 0)
chain->direction = FW_CHAIN_DIR_DST;
else if(strcmp(chain_fields[1], FW_CHAIN_DIR_BOTH_STR) == 0)
chain->direction = FW_CHAIN_DIR_BOTH;
else
chain->direction = FW_CHAIN_DIR_UNKNOWN;
*/
/* Pull and set Table */
strlcpy(chain->table, chain_fields[1], MAX_TABLE_NAME_LEN);
@ -373,7 +374,7 @@ fw_config_init(fko_srv_options_t *opts)
}
void
fw_initialize(void)
fw_initialize(fko_srv_options_t *opts)
{
int res;
@ -392,10 +393,11 @@ fw_initialize(void)
}
}
void
int
fw_cleanup(void)
{
delete_all_chains();
return(0);
}
/****************************************************************************/
@ -405,8 +407,6 @@ fw_cleanup(void)
int
process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
{
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char nat_ip[16] = {0};
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
char *ndx;
@ -458,7 +458,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
*/
while(ple != NULL)
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_RULE_ARGS,
opts->fw_config->fw_command,
@ -473,7 +473,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
//--DSS tmp
//fprintf(stderr, "ADD CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Rule to %s for %s, %s expires at %u",
@ -490,14 +490,14 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
in_chain->next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
/* If we have to make an corresponding OUTPUT rule if out_chain target
* is not NULL.
*/
if(out_chain->to_chain != NULL && strlen(out_chain->to_chain))
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_OUT_RULE_ARGS,
opts->fw_config->fw_command,
@ -512,7 +512,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
//--DSS tmp
//fprintf(stderr, "ADD OUTPUT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added OUTPUT Rule to %s for %s, %s expires at %u",
@ -529,7 +529,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
out_chain->next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
@ -563,7 +563,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
*/
if(fwd_chain->to_chain != NULL && strlen(fwd_chain->to_chain))
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_FWD_RULE_ARGS,
opts->fw_config->fw_command,
@ -579,7 +579,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
//--DSS tmp
//fprintf(stderr, "ADD OUTPUT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added FORWARD Rule to %s for %s, %s expires at %u",
@ -596,12 +596,12 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
fwd_chain->next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
if(dnat_chain->to_chain != NULL && strlen(dnat_chain->to_chain))
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_DNAT_RULE_ARGS,
opts->fw_config->fw_command,
@ -618,7 +618,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
//--DSS tmp
//fprintf(stderr, "ADD DNAT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added DNAT Rule to %s for %s, %s expires at %u",
@ -635,14 +635,14 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
dnat_chain->next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
/* If SNAT (or MASQUERADE) is wanted, then we add those rules here as well.
*/
if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
{
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
/* Setup some parameter depending on whether we are using SNAT
* or MASQUERADE.
@ -675,7 +675,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
snat_target
);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Source NAT Rule to %s for %s, %s expires at %u",
@ -692,7 +692,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
snat_chain->next_expire = exp_ts;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
}
@ -705,9 +705,6 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
void
check_firewall_rules(fko_srv_options_t *opts)
{
char cmd_buf[CMD_BUFSIZE] = {0};
char err[CMD_BUFSIZE] = {0};
char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
char exp_str[12];
char rule_num_str[6];
char *ndx, *rn_start, *rn_end, *tmp_mark;
@ -736,6 +733,8 @@ check_firewall_rules(fko_srv_options_t *opts)
if(ch[i].active_rules == 0 || ch[i].next_expire > now)
continue;
zero_cmd_buffers();
rn_offset = 0;
/* There should be a rule to delete. Get the current list of
@ -747,8 +746,6 @@ check_firewall_rules(fko_srv_options_t *opts)
ch[i].to_chain
);
memset(cmd_out, 0x0, STANDARD_CMD_OUT_BUFSIZE);
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
if(!EXTCMD_IS_SUCCESS(res))
@ -827,7 +824,7 @@ check_firewall_rules(fko_srv_options_t *opts)
strlcpy(rule_num_str, rn_start, (rn_end - rn_start)+1);
memset(cmd_buf, 0x0, CMD_BUFSIZE);
zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
opts->fw_config->fw_command,
@ -838,7 +835,7 @@ check_firewall_rules(fko_srv_options_t *opts)
//fprintf(stderr, "DELETE RULE CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err, CMD_BUFSIZE, 0);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Removed rule %s from %s with expire time of %u.",
@ -849,7 +846,7 @@ check_firewall_rules(fko_srv_options_t *opts)
ch[i].active_rules--;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err);
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
else

2
server/fwknopd.c
View File

@ -259,7 +259,7 @@ main(int argc, char **argv)
/* Prepare the firewall - i.e. flush any old rules and (for iptables)
* create fwknop chains.
*/
fw_initialize();
fw_initialize(&opts);
/* If the TCP server option was set, fire it up here.
*/

44
server/fwknopd.conf
View File

@ -150,6 +150,7 @@
#SYSLOG_IDENTITY fwknopd;
#SYSLOG_FACILITY LOG_DAEMON;
##############################################################################
# NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
# This is a possible future feature of fwknopd.
#
@ -193,6 +194,9 @@
#ENABLE_EXT_CMD_PREFIX N;
#EXT_CMD_PREFIX FWKNOP_;
##############################################################################
# Parameters specific to iptables:
#
# fwknopd adds allow rules to a custom iptables chain "FWKNOP_INPUT".
# This chain is called from the INPUT chain, and by default no other
# iptables chains are used. However, additional chains can be added
@ -246,6 +250,46 @@
#IPT_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
#IPT_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
##############################################################################
# Parameters specific to ipfw:
#
#
# This variable defines the rule number that fwknopd uses to insert an ipfw
# pass rule. You would most likely want to change this parameter to a
# number that makes sense in your current ipfw firewall configuration.
#
#IPFW_START_RULE_NUM 10000;
# This variable defines the maximum number of rules fwknopd will create at
# a time. This also tells fwknopd where to stop when flushing all rules.
#
#IPFW_MAX_RULES 1000;
# This variable defines the rule set fwknopd uses for active rules. By
# default, it is set 0, but can be set to any number between 0 and 31 in
# case you want to keep fwknopd generated rules segregated from the default
# ruleset.
#
#IPFW_ACTIVE_SET_NUM 1;
# This variable defines the rule set that will be used to store expired rules
# that still have a dynamic rule associated to them. That set will be disabled
# by fwknop and should not be enabled while fwknop is running. Not used when
# ipfw isn't using dynamic rules.
#
#IPFW_EXPIRE_SET_NUM 2;
# Set the interval (in seconds) over which rules that
# have no remaining dynamic rules associated with them will be removed.
#
#IPFW_DYNAMIC_INTERVAL 60;
# Set this variable to "Y" if you want fwknopd to create its own "check-state"
# rule as the first rule in the set. This would only be needed if there
# was not already a check-state rule in the current firewall configuration.
#
# IPFW_ADD_CHECK_STATE N;
# Directories - These can override compile-time defaults.
#
#FWKNOP_RUN_DIR /var/run/fwknop;

233
server/fwknopd_common.h
View File

@ -75,13 +75,7 @@
#define DEF_ENABLE_SPA_PACKET_AGING "Y"
#define DEF_MAX_SPA_PACKET_AGE "120"
#define DEF_ENABLE_DIGEST_PERSISTENCE "Y"
#define DEF_ENABLE_IPT_FORWARDING "N"
#define DEF_ENABLE_IPT_LOCAL_NAT "Y"
#define DEF_ENABLE_IPT_SNAT "N"
#define DEF_ENABLE_IPT_OUTPUT "N"
#define DEF_MAX_SNIFF_BYTES "1500"
#define DEF_FLUSH_IPT_AT_INIT "Y"
#define DEF_FLUSH_IPT_AT_EXIT "Y"
#define DEF_GPG_HOME_DIR "/root/.gnupg"
#define DEF_ENABLE_SPA_OVER_HTTP "N"
#define DEF_ENABLE_TCP_SERVER "N"
@ -89,14 +83,45 @@
#define DEF_SYSLOG_IDENTITY MY_NAME
#define DEF_SYSLOG_FACILITY "LOG_DAEMON"
#define DEF_IPT_INPUT_ACCESS "ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1"
#define DEF_IPT_OUTPUT_ACCESS "ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1"
#define DEF_IPT_FORWARD_ACCESS "ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1"
#define DEF_IPT_DNAT_ACCESS "DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1"
#define DEF_IPT_SNAT_ACCESS "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
#define DEF_IPT_MASQUERADE_ACCESS "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
#define DEF_FW_ACCESS_TIMEOUT 30
#define DEF_FW_ACCESS_TIMEOUT 30
/* Iptables-specific defines
*/
#if FIREWALL_IPTABLES
#define DEF_FLUSH_IPT_AT_INIT "Y"
#define DEF_FLUSH_IPT_AT_EXIT "Y"
#define DEF_ENABLE_IPT_FORWARDING "N"
#define DEF_ENABLE_IPT_LOCAL_NAT "Y"
#define DEF_ENABLE_IPT_SNAT "N"
#define DEF_ENABLE_IPT_OUTPUT "N"
#define DEF_IPT_INPUT_ACCESS "ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1"
#define DEF_IPT_OUTPUT_ACCESS "ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1"
#define DEF_IPT_FORWARD_ACCESS "ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1"
#define DEF_IPT_DNAT_ACCESS "DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1"
#define DEF_IPT_SNAT_ACCESS "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
#define DEF_IPT_MASQUERADE_ACCESS "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
/* Ipfw-specific defines
*/
#elif FIREWALL_IPFW
#define DEF_IPFW_START_RULE_NUM "10000"
#define DEF_IPFW_MAX_RULES "1000"
#define DEF_IPFW_ACTIVE_SET_NUM "1"
#define DEF_IPFW_EXPIRE_SET_NUM "2"
#define DEF_IPFW_DYNAMIC_INTERVAL "60"
#define DEF_IPFW_ADD_CHECK_STATE "N"
#elif FIREWALL_IPF
/* --DSS Place-holder */
#elif FIREWALL_PF
/* --DSS Place-holder */
#endif /* FIREWALL Type */
/* fwknopd-specific limits
*/
@ -120,21 +145,11 @@ enum {
CONF_PCAP_INTF,
CONF_ENABLE_PCAP_PROMISC,
CONF_PCAP_FILTER,
CONF_MAX_SNIFF_BYTES,
CONF_ENABLE_SPA_PACKET_AGING,
CONF_MAX_SPA_PACKET_AGE,
CONF_ENABLE_DIGEST_PERSISTENCE,
CONF_ENABLE_IPT_FORWARDING,
CONF_ENABLE_IPT_LOCAL_NAT,
CONF_ENABLE_IPT_SNAT,
CONF_SNAT_TRANSLATE_IP,
CONF_ENABLE_IPT_OUTPUT,
CONF_MAX_SNIFF_BYTES,
CONF_FLUSH_IPT_AT_INIT,
CONF_FLUSH_IPT_AT_EXIT,
//CONF_IPFW_RULE_NUM,
//CONF_IPFW_SET_NUM,
//CONF_IPFW_DYNAMIC_INTERVAL,
//CONF_CMD_EXEC_TIMEOUT,
CONF_CMD_EXEC_TIMEOUT,
//CONF_BLACKLIST,
CONF_ENABLE_SPA_OVER_HTTP,
CONF_ENABLE_TCP_SERVER,
@ -149,20 +164,39 @@ enum {
//CONF_EXTERNAL_CMD_ALARM,
//CONF_ENABLE_EXT_CMD_PREFIX,
//CONF_EXT_CMD_PREFIX,
#if FIREWALL_IPTABLES
CONF_ENABLE_IPT_FORWARDING,
CONF_ENABLE_IPT_LOCAL_NAT,
CONF_ENABLE_IPT_SNAT,
CONF_SNAT_TRANSLATE_IP,
CONF_ENABLE_IPT_OUTPUT,
CONF_FLUSH_IPT_AT_INIT,
CONF_FLUSH_IPT_AT_EXIT,
CONF_IPT_INPUT_ACCESS,
CONF_IPT_OUTPUT_ACCESS,
CONF_IPT_FORWARD_ACCESS,
CONF_IPT_DNAT_ACCESS,
CONF_IPT_SNAT_ACCESS,
CONF_IPT_MASQUERADE_ACCESS,
#elif FIREWALL_IPFW
CONF_IPFW_START_RULE_NUM,
CONF_IPFW_MAX_RULES,
CONF_IPFW_ACTIVE_SET_NUM,
CONF_IPFW_EXPIRE_SET_NUM,
CONF_IPFW_DYNAMIC_INTERVAL,
CONF_IPFW_ADD_CHECK_STATE,
#elif FIREWALL_IPF
/* --DSS Place-holder */
#elif FIREWALL_PF
/* --DSS Place-holder */
#endif /* FIREWALL type */
CONF_FWKNOP_RUN_DIR,
CONF_FWKNOP_CONF_DIR,
CONF_ACCESS_FILE,
CONF_FWKNOP_PID_FILE,
CONF_DIGEST_FILE,
CONF_FIREWALL_EXE,
CONF_GPG_HOME_DIR,
CONF_FIREWALL_EXE,
NUMBER_OF_CONFIG_ENTRIES /* Marks the end and number of entries */
};
@ -180,21 +214,11 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
"PCAP_INTF",
"ENABLE_PCAP_PROMISC",
"PCAP_FILTER",
"MAX_SNIFF_BYTES",
"ENABLE_SPA_PACKET_AGING",
"MAX_SPA_PACKET_AGE",
"ENABLE_DIGEST_PERSISTENCE",
"ENABLE_IPT_FORWARDING",
"ENABLE_IPT_LOCAL_NAT",
"ENABLE_IPT_SNAT",
"SNAT_TRANSLATE_IP",
"ENABLE_IPT_OUTPUT",
"MAX_SNIFF_BYTES",
"FLUSH_IPT_AT_INIT",
"FLUSH_IPT_AT_EXIT",
//"IPFW_RULE_NUM",
//"IPFW_SET_NUM",
//"IPFW_DYNAMIC_INTERVAL",
//"CMD_EXEC_TIMEOUT",
"CMD_EXEC_TIMEOUT",
//"BLACKLIST",
"ENABLE_SPA_OVER_HTTP",
"ENABLE_TCP_SERVER",
@ -208,20 +232,39 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
//"EXTERNAL_CMD_ALARM",
//"ENABLE_EXT_CMD_PREFIX",
//"EXT_CMD_PREFIX",
#if FIREWALL_IPTABLES
"ENABLE_IPT_FORWARDING",
"ENABLE_IPT_LOCAL_NAT",
"ENABLE_IPT_SNAT",
"SNAT_TRANSLATE_IP",
"ENABLE_IPT_OUTPUT",
"FLUSH_IPT_AT_INIT",
"FLUSH_IPT_AT_EXIT",
"IPT_INPUT_ACCESS",
"IPT_OUTPUT_ACCESS",
"IPT_FORWARD_ACCESS",
"IPT_DNAT_ACCESS",
"IPT_SNAT_ACCESS",
"IPT_MASQUERADE_ACCESS",
#elif FIREWALL_IPFW
"IPFW_START_RULE_NUM",
"IPFW_MAX_RULES",
"IPFW_ACTIVE_SET_NUM",
"IPFW_EXPIRE_SET_NUM",
"IPFW_DYNAMIC_INTERVAL",
"IPFW_ADD_CHECK_STATE",
#elif FIREWALL_IPF
/* --DSS Place-holder */
#elif FIREWALL_PF
/* --DSS Place-holder */
#endif /* FIREWALL type */
"FWKNOP_RUN_DIR",
"FWKNOP_CONF_DIR",
"ACCESS_FILE",
"FWKNOP_PID_FILE",
"DIGEST_FILE",
"FIREWALL_EXE",
"GPG_HOME_DIR",
"FIREWALL_EXE",
};
/* A simple linked list of uints for the access stanza items that allow
@ -282,60 +325,71 @@ typedef struct acc_stanza
/* Firewall-related data and types. */
/* --DSS XXX: These are arbitrary. We should determine appropriate values.
*/
#define MAX_TABLE_NAME_LEN 64
#define MAX_CHAIN_NAME_LEN 64
#define MAX_TARGET_NAME_LEN 64
/* Fwknop custom chain types
*/
enum {
IPT_INPUT_ACCESS,
IPT_OUTPUT_ACCESS,
IPT_FORWARD_ACCESS,
IPT_DNAT_ACCESS,
IPT_SNAT_ACCESS,
IPT_MASQUERADE_ACCESS,
NUM_FWKNOP_ACCESS_TYPES /* Leave this entry last */
};
#if FIREWALL_IPTABLES
/* --DSS XXX: These are arbitrary. We should determine appropriate values.
*/
#define MAX_TABLE_NAME_LEN 64
#define MAX_CHAIN_NAME_LEN 64
#define MAX_TARGET_NAME_LEN 64
/* Fwknop chain directions
#define FW_CHAIN_DIR_SRC_STR "src"
#define FW_CHAIN_DIR_DST_STR "dst"
#define FW_CHAIN_DIR_BOTH_STR "both"
/* Fwknop custom chain types
*/
enum {
IPT_INPUT_ACCESS,
IPT_OUTPUT_ACCESS,
IPT_FORWARD_ACCESS,
IPT_DNAT_ACCESS,
IPT_SNAT_ACCESS,
IPT_MASQUERADE_ACCESS,
NUM_FWKNOP_ACCESS_TYPES /* Leave this entry last */
};
enum {
FW_CHAIN_DIR_UNKNOWN,
FW_CHAIN_DIR_SRC,
FW_CHAIN_DIR_DST,
FW_CHAIN_DIR_BOTH
};
*/
/* Structure to define an fwknop firewall chain configuration.
*/
struct fw_chain {
int type;
char target[MAX_TARGET_NAME_LEN];
//int direction;
char table[MAX_TABLE_NAME_LEN];
char from_chain[MAX_CHAIN_NAME_LEN];
int jump_rule_pos;
char to_chain[MAX_CHAIN_NAME_LEN];
int rule_pos;
int active_rules;
time_t next_expire;
};
/* Structure to define an fwknop firewall chain configuration.
*/
struct fw_chain {
int type;
char target[MAX_TARGET_NAME_LEN];
//int direction;
char table[MAX_TABLE_NAME_LEN];
char from_chain[MAX_CHAIN_NAME_LEN];
int jump_rule_pos;
char to_chain[MAX_CHAIN_NAME_LEN];
int rule_pos;
int active_rules;
time_t next_expire;
};
/* Based on the fw_chain fields (not counting type)
*/
#define FW_NUM_CHAIN_FIELDS 6
/* Based on the fw_chain fields (not counting type)
*/
#define FW_NUM_CHAIN_FIELDS 6
struct fw_config {
struct fw_chain chain[NUM_FWKNOP_ACCESS_TYPES];
char fw_command[MAX_PATH_LEN];
};
struct fw_config {
struct fw_chain chain[NUM_FWKNOP_ACCESS_TYPES];
char fw_command[MAX_PATH_LEN];
};
#elif FIREWALL_IPFW
struct fw_config {
unsigned short start_rule_num;
unsigned short max_rules;
unsigned short active_set_num;
unsigned short expire_set_num;
unsigned char *rule_map;
time_t next_expire;
char fw_command[MAX_PATH_LEN];
};
#elif FIREWALL_IPF
/* --DSS Place-holder */
#elif FIREWALL_PF
/* --DSS Place-holder */
#endif /* FIREWALL type */
/* SPA Packet info struct.
*/
@ -377,7 +431,6 @@ typedef struct fko_srv_options
unsigned char foreground; /* Run in foreground flag */
unsigned char kill; /* flag to initiate kill of fwknopd */
unsigned char rotate_digest_cache;/* flag to force rotation of digest */
//unsigned char no_locale; /* Flag to not allow setting locale */
unsigned char restart; /* Restart fwknopd flag */
unsigned char status; /* Get fwknopd status flag */
unsigned char fw_list; /* List current firewall rules */