Put locale code back in. More cleanup of config directives and options.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@231 510a4753-2344-4c79-9c09-4d669213fbeb
Damien Stuart 2010-07-04 13:34:31 +00:00
parent b6c57aa6a0
commit 5f1f0650ea
8 changed files with 61 additions and 118 deletions


@ -471,6 +471,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
case 'K':
opts->kill = 1;
break;
case 'l':
set_config_entry(opts, CONF_LOCALE, optarg);
break;
case 'O':
/* This was handled earlier */
break;
@ -545,6 +548,8 @@ usage(void)
" -K, --kill - Kill the currently running fwknopd.\n"
" --gpg-home-dir - Specify the GPG home directory.\n"
" --gpg-key - Specify the GPG key ID used for decryption.\n"
" -l, --locale - Provide a locale setting other than the system\n"
" default.\n"
" -O, --override-config - Specify a file with configuration entries that will\n"
" overide those in fwknopd.conf\n"
" -R, --restart - Force the currently running fwknopd to restart.\n"
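Review bot: The new usage text for `-l, --locale` gives no hint that the value `NONE` is treated as "leave the system locale alone" by main(), so that sentinel is only discoverable by reading the source; extend the continuation line, e.g. `"                       default (use NONE to leave the locale unset).\n"`. While this block is being touched, the adjacent context line `overide those in fwknopd.conf` has a typo (`override`). config_init's option switch continues outside the hunk.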


@ -61,7 +61,7 @@ enum {
/* Our getopt_long options string.
*/
#define GETOPTS_OPTION_STRING "a:c:C:Dfhi:KO:RSvV"
#define GETOPTS_OPTION_STRING "a:c:C:Dfhi:Kl:O:RSvV"
/* Our program command-line options...
*/
@ -77,6 +77,7 @@ static struct option cmd_opts[] =
{"kill", 0, NULL, 'K'},
{"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
{"gpg-key", 1, NULL, GPG_KEY },
{"locale", 1, NULL, 'l' },
{"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
{"override-config", 1, NULL, 'O' },
{"restart", 0, NULL, 'R'},


@ -133,9 +133,9 @@ _run_extcmd(uid_t user_uid, char *cmd, char *so_buf, size_t so_buf_sz, int timeo
return(retval);
}
/*** END TEST Section ***/
#if 0
#if 0 /* --DSS the original method that did not work on some systems */
/* Create the pipes we will use for getting stdout and stderr
* from the child process.
*/
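Review bot: Annotating the `#if 0` block instead of deleting it leaves a second, unmaintained copy of the pipe-setup logic in `_run_extcmd`; since the working replacement is already in place and the old method stays in version history, removing the block (and the `/*** END TEST Section ***/` marker above it) would be cleaner than `#if 0 /* --DSS the original method that did not work on some systems */`. The disabled block continues past the end of the hunk.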


@ -684,9 +684,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
snat_chain->table,
snat_chain->to_chain,
fst_proto,
//spadat->use_src_ip,
nat_ip,
//fst_port,
nat_port,
exp_ts,
snat_chain->target,


@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\" Date: 06/28/2010
.\" Date: 07/04/2010
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "06/28/2010" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "07/04/2010" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@ -89,6 +89,11 @@ process\&. This provides a quick and easy way to stop
without having to look in the process table\&.
.RE
.PP
\fB\-l, \-\-locale\fR=\fI<locale>\fR
.RS 4
Set/override the system default locale setting\&.
.RE
.PP
\fB\-R, \-\-Restart\fR
.RS 4
Restart the currently running
@ -164,23 +169,6 @@ to allow
to invoke an external command instead of interfacing with the firewall at all\&.
.RE
.PP
\fBAUTH_MODE\fR \fI<PCAP|FILE_PCAP|ULOG_PCAP>\fR
.RS 4
This defines the general strategy
\fBfwknopd\fR
uses to authenticate remote clients\&. Possible values are
\fIPCAP\fR
(authenticate via regular pcap; this is the default and puts the interface in promiscuous mode unless \(lqENABLE_PCAP_PROMISC\(rq is turned off),
\fIFILE_PCAP\fR
(authenticate via a pcap file that is built by a sniffer),
\fIULOG_PCAP\fR
(authenticate via the ulogd pcap writer)\&.
\fBNote:\fR
Currently, only
\fIPCAP\fR
is implemented\&.
.RE
.PP
\fBPCAP_INTF\fR \fI<interface>\fR
.RS 4
Define the ethernet interface on which
@ -322,11 +310,6 @@ For
firewalls set the interval (in seconds) over those rules that have no remaining dynamic rules associated with them will be removed\&.
.RE
.PP
\fBPCAP_CMD_TIMEOUT\fR \fI<seconds>\fR
.RS 4
Define the timeout for running a command\&.
.RE
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR
.RS 4
If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access block in
@ -340,9 +323,9 @@ directory of the user running
(most likely root)\&.
.RE
.PP
\fBPCAP_PKT_FILE\fR \fI</path/to/sniff\&.pcap>\fR
\fBLOCALE\fR \fI<locale>\fR
.RS 4
This gets used if AUTH_MODE is set to "FILE_PCAP"\&. This file must be created by a sniffer process (or something like the ulogd pcap writer)\&.
Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
.RE
.PP
\fBBLACKLIST\fR \fI<ipaddr/mask,\&...ipaddr,etc>\fR


@ -48,6 +48,7 @@ main(int argc, char **argv)
int res, last_sig, rpdb_count;
char *spa_data, *version;
char access_buf[MAX_LINE_LEN];
char *locale;
pid_t old_pid;
fko_srv_options_t opts;
@ -133,6 +134,31 @@ main(int argc, char **argv)
*/
init_logging(&opts);
#if HAVE_LOCALE_H
/* Set the locale if specified.
*/
if(opts.config[CONF_LOCALE] != NULL
&& strncasecmp(opts.config[CONF_LOCALE], "NONE", 4) != 0)
{
locale = setlocale(LC_ALL, opts.config[CONF_LOCALE]);
if(locale == NULL)
{
log_msg(LOG_ERR,
"WARNING: Unable to set locale to '%s'.",
opts.config[CONF_LOCALE]
);
}
else
{
if(opts.verbose)
log_msg(LOG_INFO,
"Locale set to '%s'.", opts.config[CONF_LOCALE]
);
}
}
#endif
/* Make sure we have a valid run dir and path leading to digest file
* in case it configured to be somewhere other than the run dir.
*/
@ -190,16 +216,6 @@ main(int argc, char **argv)
log_msg(LOG_INFO, "Re-starting %s", MY_NAME);
}
/* We only support pcap capture at this point.
*/
if((strncasecmp(opts.config[CONF_AUTH_MODE], "pcap", 4)) != 0)
{
log_msg(LOG_ERR,
"Capture/auth mode other than 'PCAP' is not supported."
);
exit(EXIT_FAILURE);
}
if(opts.verbose > 1 && opts.foreground)
{
dump_config(&opts);
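Review bot: `char *locale;` is declared unconditionally at the top of main(), but its only use sits inside the `#if HAVE_LOCALE_H` block, so builds without locale support get an unused-variable warning; declare it inside the block at the point of use, `char *locale = setlocale(LC_ALL, opts.config[CONF_LOCALE]);`. The `strncasecmp(opts.config[CONF_LOCALE], "NONE", 4)` test is a prefix match, so any value beginning with "none" (in any case) also skips the setlocale() call; `strcasecmp(opts.config[CONF_LOCALE], "NONE") != 0` compares the whole value. The message logged at LOG_ERR is prefixed "WARNING:", which disagrees with its priority — pick one of the two. main() continues outside the hunk.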


@ -30,20 +30,7 @@
#
FIREWALL_TYPE iptables;
# This defines the general strategy fwknop uses to authenticate remote
# clients. Possible values are "PCAP" (authenticate via regular pcap; this
# is the default and puts the interface in promiscuous mode unless
# ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
# that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
# writer).
#
# NOTE: At present, only "PCAP" supported.
#
AUTH_MODE PCAP;
# Define the ethernet interface on which we will sniff packets. Note
# that this is only used if the AUTH_MODE keyword above is set to
# "PCAP".
# Define the ethernet interface on which we will sniff packets.
#
PCAP_INTF eth0;
@ -150,10 +137,6 @@ FLUSH_IPT_AT_EXIT Y;
#
#IPFW_DYNAMIC_INTERVAL 60; ### seconds
# Define the timeout for running a command
#
PCAP_CMD_TIMEOUT 10;
# If GPG keys are used instead of a Rijndael symmetric key, this is
# the default GPG keys directory. Note that each access block in
# fwknop access.conf can specify its own GPG directory to override
@ -161,17 +144,13 @@ PCAP_CMD_TIMEOUT 10;
#
#GPG_HOME_DIR /root/.gnupg;
# This gets used if AUTH_MODE is set to "FILE_PCAP". This file must
# be created by a sniffer process (or something like the ulogd pcap
# writer).
#
#PCAP_PKT_FILE /var/log/sniff.pcap;
# Define a comma-separated set of IP addresses and/or networks that should
# be globally blacklisted. That is, any SPA packet that is from a source
# IP (or has an internal --allow-ip) within a blacklisted network will be
# ignored.
#
# NOTE: Not Implemented yet.
#
#BLACKLIST NONE;
# Allow fwknopd to acquire SPA data from HTTP requests (generated with the
@ -194,6 +173,11 @@ ENABLE_SPA_OVER_HTTP N;
ENABLE_TCP_SERVER N;
TCPSERV_PORT 62201;
# Set/override the locale (via the LC_ALL locale category). Leave this
# entry commented out to have fwknopd honor the default system locale.
#
#LOCALE C;
# Override syslog identity and facility (the defaults are usually ok).
# The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}
# or LOG_DAEMON (the default).
@ -201,6 +185,9 @@ TCPSERV_PORT 62201;
#SYSLOG_IDENTITY fwknopd;
#SYSLOG_FACILITY LOG_DAEMON;
# NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
# This is a possible future feature of fwknopd.
#
# The following four variables control whether a global set of "open" and
# "close" commands are executed after receving a valid SPA packet. These
# variables are used only if FIREWALL_TYPE is set to "external_cmd", but
@ -300,20 +287,14 @@ IPT_MASQUERADE_ACCESS MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING
# Directories - These will override compile-time defaults.
#
#FWKNOP_DIR /var/log/fwknop;
#FWKNOP_RUN_DIR /var/run/fwknop;
#FWKNOP_MOD_DIR /usr/lib/fwknop;
#FWKNOP_CONF_DIR /etc/fwknop;
#FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
# Files
#
#ACCESS_FILE access.conf;
#FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
#DIGEST_FILE $FWKNOP_RUN_DIR/digest.cache;
#FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd;
#TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid;
#PROC_IP_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
# System binaries
#
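Review bot: The new LOCALE comment does not mention that the server treats the value `NONE` specially (main() skips the setlocale() call for it), so an administrator reading the sample file cannot discover that option; extend the comment with a line such as `# Set to NONE to skip the setlocale() call entirely.`. The man page's LOCALE entry added in this commit has the same gap.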


@ -80,14 +80,6 @@
*/
#define MIN_SPA_DATA_SIZE 140
/* Data collection modes
*/
enum {
SPA_CAP_MODE_PCAP,
SPA_CAP_MODE_UDP,
SPA_CAP_MODE_TCP
};
/* SPA message handling status code
*/
enum {
@ -123,38 +115,33 @@ enum {
enum {
CONF_CONFIG_FILE = 0,
CONF_OVERRIDE_CONFIG,
//CONF_EMAIL_ADDRESSES,
CONF_HOSTNAME,
CONF_FIREWALL_TYPE,
CONF_AUTH_MODE,
//CONF_AUTH_MODE,
CONF_PCAP_INTF,
CONF_ENABLE_PCAP_PROMISC,
CONF_PCAP_FILTER,
CONF_ENABLE_SPA_PACKET_AGING,
CONF_MAX_SPA_PACKET_AGE,
CONF_ENABLE_DIGEST_PERSISTENCE,
//CONF_ENABLE_DIGEST_INCLUDE_SRC,
CONF_ENABLE_IPT_FORWARDING,
CONF_ENABLE_IPT_LOCAL_NAT,
CONF_ENABLE_IPT_SNAT,
CONF_SNAT_TRANSLATE_IP,
//CONF_ENABLE_PROC_IP_FORWARD,
CONF_ENABLE_IPT_OUTPUT,
//CONF_ENABLE_COOKED_INTF,
//CONF_EXIT_INTERVAL,
CONF_MAX_SNIFF_BYTES,
CONF_FLUSH_IPT_AT_INIT,
CONF_FLUSH_IPT_AT_EXIT,
//CONF_IPFW_RULE_NUM,
//CONF_IPFW_SET_NUM,
//CONF_IPFW_DYNAMIC_INTERVAL,
CONF_PCAP_CMD_TIMEOUT,
//CONF_CMD_EXEC_TIMEOUT,
//CONF_PCAP_PKT_FILE,
//CONF_BLACKLIST,
CONF_ENABLE_SPA_OVER_HTTP,
CONF_ENABLE_TCP_SERVER,
CONF_TCPSERV_PORT,
//CONF_LOCALE,
CONF_LOCALE,
CONF_SYSLOG_IDENTITY,
CONF_SYSLOG_FACILITY,
//CONF_IPT_EXEC_TRIES,
@ -170,22 +157,11 @@ enum {
CONF_IPT_DNAT_ACCESS,
CONF_IPT_SNAT_ACCESS,
CONF_IPT_MASQUERADE_ACCESS,
//CONF_FWKNOP_DIR,
CONF_FWKNOP_RUN_DIR,
//CONF_FWKNOP_MOD_DIR,
CONF_FWKNOP_CONF_DIR,
//CONF_FWKNOP_ERR_DIR,
CONF_ACCESS_FILE,
CONF_FWKNOP_PID_FILE,
CONF_DIGEST_FILE,
//CONF_FWKNOP_CMDLINE_FILE,
//CONF_TCPSERV_PID_FILE,
//CONF_PROC_IP_FORWARD_FILE,
//CONF_EXE_GPG,
//CONF_EXE_MAIL,
//CONF_EXE_SENDMAIL,
//CONF_EXE_SH,
//CONF_EXE_MKNOD,
CONF_EXE_IPTABLES,
CONF_EXE_IPFW,
@ -204,41 +180,35 @@ enum {
static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
"CONFIG_FILE",
"OVERRIDE_CONFIG",
//"EMAIL_ADDRESSES",
"HOSTNAME",
"FIREWALL_TYPE",
"AUTH_MODE",
//"AUTH_MODE",
"PCAP_INTF",
"ENABLE_PCAP_PROMISC",
"PCAP_FILTER",
"ENABLE_SPA_PACKET_AGING",
"MAX_SPA_PACKET_AGE",
"ENABLE_DIGEST_PERSISTENCE",
//"ENABLE_DIGEST_INCLUDE_SRC",
"ENABLE_IPT_FORWARDING",
"ENABLE_IPT_LOCAL_NAT",
"ENABLE_IPT_SNAT",
"SNAT_TRANSLATE_IP",
//"ENABLE_PROC_IP_FORWARD",
"ENABLE_IPT_OUTPUT",
//"ENABLE_COOKED_INTF",
//"EXIT_INTERVAL",
"MAX_SNIFF_BYTES",
"FLUSH_IPT_AT_INIT",
"FLUSH_IPT_AT_EXIT",
//"IPFW_RULE_NUM",
//"IPFW_SET_NUM",
//"IPFW_DYNAMIC_INTERVAL",
"PCAP_CMD_TIMEOUT",
//"CMD_EXEC_TIMEOUT",
//"PCAP_PKT_FILE",
//"BLACKLIST",
"ENABLE_SPA_OVER_HTTP",
"ENABLE_TCP_SERVER",
"TCPSERV_PORT",
//"LOCALE",
"LOCALE",
"SYSLOG_IDENTITY",
"SYSLOG_FACILITY",
//"IPT_EXEC_TRIES",
//"ENABLE_EXTERNAL_CMDS",
//"EXTERNAL_CMD_OPEN",
//"EXTERNAL_CMD_CLOSE",
@ -251,22 +221,11 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
"IPT_DNAT_ACCESS",
"IPT_SNAT_ACCESS",
"IPT_MASQUERADE_ACCESS",
//"FWKNOP_DIR",
"FWKNOP_RUN_DIR",
//"FWKNOP_MOD_DIR",
"FWKNOP_CONF_DIR",
//"FWKNOP_ERR_DIR",
"ACCESS_FILE",
"FWKNOP_PID_FILE",
"DIGEST_FILE",
//"FWKNOP_CMDLINE_FILE",
//"TCPSERV_PID_FILE",
//"PROC_IP_FORWARD_FILE",
//"EXE_GPG",
//"EXE_MAIL",
//"EXE_SENDMAIL",
//"EXE_SH",
//"EXE_MKNOD",
"EXE_IPTABLES",
"EXE_IPFW",
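Review bot: `CONF_PCAP_CMD_TIMEOUT` and its `"PCAP_CMD_TIMEOUT"` map entry are kept (they are the context lines next to the removed `//CONF_CMD_EXEC_TIMEOUT` and `//"CMD_EXEC_TIMEOUT"`), while this commit drops the directive from the sample fwknopd.conf and from the man page; whether the entry is still read anywhere is not visible here, but if it is, it now has no documented default, and if it is not, it should be removed like the other entries. The `CONF_*` enum and `config_map[]` are hand-maintained parallel lists whose positions must match — this hunk removes the same entries from both, but nothing enforces that, so a comment above the enum such as `/* Keep in sync with config_map[] below: entry order must match. */` would protect the next edit. Both lists continue outside the hunk.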