From 5f1f0650ead7e1b8a70e5bbbef6aa6befb18a247 Mon Sep 17 00:00:00 2001
From: Damien Stuart
Date: Sun, 4 Jul 2010 13:34:31 +0000
Subject: [PATCH] Put locale code back in. More cleanup of config directives and options.
git-svn-id: file:///home/mbr/svn/fwknop/trunk@231 510a4753-2344-4c79-9c09-4d669213fbeb
---
 server/config_init.c | 5 ++++
 server/config_init.h | 3 ++-
 server/extcmd.c | 4 ++--
 server/fw_util.c | 2 --
 server/fwknopd.8 | 35 +++++++--------------------
 server/fwknopd.c | 36 ++++++++++++++++++++--------
 server/fwknopd.conf | 41 +++++++++----------------------
 server/fwknopd_common.h | 53 +++++------------------------------------
 8 files changed, 61 insertions(+), 118 deletions(-)
diff --git a/server/config_init.c b/server/config_init.c
index a65ae83d..9594e93e 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -471,6 +471,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 case 'K':
 opts->kill = 1;
 break;
+ case 'l':
+ set_config_entry(opts, CONF_LOCALE, optarg);
+ break;
 case 'O':
 /* This was handled earlier */
 break;
@@ -545,6 +548,8 @@ usage(void)
 " -K, --kill - Kill the currently running fwknopd.\n"
 " --gpg-home-dir - Specify the GPG home directory.\n"
 " --gpg-key - Specify the GPG key ID used for decryption.\n"
+ " -l, --locale - Provide a locale setting other than the system\n"
+ " default.\n"
 " -O, --override-config - Specify a file with configuration entries that will\n"
 " overide those in fwknopd.conf\n"
 " -R, --restart - Force the currently running fwknopd to restart.\n"
diff --git a/server/config_init.h b/server/config_init.h
index 2c7d454a..ed5c6b9e 100644
--- a/server/config_init.h
+++ b/server/config_init.h
@@ -61,7 +61,7 @@ enum {
 /* Our getopt_long options string. */
-#define GETOPTS_OPTION_STRING "a:c:C:Dfhi:KO:RSvV"
+#define GETOPTS_OPTION_STRING "a:c:C:Dfhi:Kl:O:RSvV"
 /* Our program command-line options... */
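Review bot: The new `-l, --locale` usage text does not tell the operator that the value `NONE` is special: the fwknopd.c hunk in this same commit skips setlocale() entirely when CONF_LOCALE compares equal to "NONE", so the only way to discover that switch is to read the source. A third usage line such as `"                           Use 'NONE' to leave the system locale untouched.\n"` would close the gap; the `#LOCALE C;` comment block added to fwknopd.conf has the same omission and should name the sentinel too. The `case 'l'` hunk lies inside config_init(), whose body begins and ends outside the hunk.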
@@ -77,6 +77,7 @@ static struct option cmd_opts[] = {
 {"kill", 0, NULL, 'K'},
 {"gpg-home-dir", 1, NULL, GPG_HOME_DIR },
 {"gpg-key", 1, NULL, GPG_KEY },
+ {"locale", 1, NULL, 'l' },
 {"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },
 {"override-config", 1, NULL, 'O' },
 {"restart", 0, NULL, 'R'},
diff --git a/server/extcmd.c b/server/extcmd.c
index 1e20a5e1..c612b3c9 100644
--- a/server/extcmd.c
+++ b/server/extcmd.c
@@ -133,9 +133,9 @@ _run_extcmd(uid_t user_uid, char *cmd, char *so_buf, size_t so_buf_sz, int timeo
 return(retval);
 }
-/*** END TEST Section ***/
-#if 0
+#if 0 /* --DSS the original method that did not work on some systems */
+
 /* Create the pipes we will use for getting stdout and stderr
 * from the child process.
 */
diff --git a/server/fw_util.c b/server/fw_util.c
index b9ced848..2d08e405 100644
--- a/server/fw_util.c
+++ b/server/fw_util.c
@@ -684,9 +684,7 @@ process_spa_request(fko_srv_options_t *opts, spa_data_t *spadat)
 snat_chain->table,
 snat_chain->to_chain,
 fst_proto,
-//spadat->use_src_ip,
 nat_ip,
-//fst_port,
 nat_port,
 exp_ts,
 snat_chain->target,
diff --git a/server/fwknopd.8 b/server/fwknopd.8
index 68180c2d..876c0c7c 100644
--- a/server/fwknopd.8
+++ b/server/fwknopd.8
@@ -2,12 +2,12 @@
 .\" Title: fwknopd
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.75.2
-.\" Date: 06/28/2010
+.\" Date: 07/04/2010
 .\" Manual: Fwknop Server
 .\" Source: Fwknop Server
 .\" Language: English
 .\"
-.TH "FWKNOPD" "8" "06/28/2010" "Fwknop Server" "Fwknop Server"
+.TH "FWKNOPD" "8" "07/04/2010" "Fwknop Server" "Fwknop Server"
 .\" -----------------------------------------------------------------
 .\" * set default formatting
 .\" -----------------------------------------------------------------
@@ -89,6 +89,11 @@ process\&. This provides a quick and easy way to stop
 without having to look in the process table\&.
 .RE
 .PP
+\fB\-l, \-\-locale\fR=\fI\fR
+.RS 4
+Set/override the system default locale setting\&.
+.RE
+.PP
 \fB\-R, \-\-Restart\fR
 .RS 4
 Restart the currently running
@@ -164,23 +169,6 @@ to allow
 to invoke an external command instead of interfacing with the firewall at all\&.
 .RE
 .PP
-\fBAUTH_MODE\fR \fI\fR
-.RS 4
-This defines the general strategy
-\fBfwknopd\fR
-uses to authenticate remote clients\&. Possible values are
-\fIPCAP\fR
-(authenticate via regular pcap; this is the default and puts the interface in promiscuous mode unless \(lqENABLE_PCAP_PROMISC\(rq is turned off),
-\fIFILE_PCAP\fR
-(authenticate via a pcap file that is built by a sniffer),
-\fIULOG_PCAP\fR
-(authenticate via the ulogd pcap writer)\&.
-\fBNote:\fR
-Currently, only
-\fIPCAP\fR
-is implemented\&.
-.RE
-.PP
 \fBPCAP_INTF\fR \fI\fR
 .RS 4
 Define the ethernet interface on which
@@ -322,11 +310,6 @@ For firewalls set the interval (in seconds) over those rules that have no remaining dynamic rules associated with them will be removed\&.
 .RE
 .PP
-\fBPCAP_CMD_TIMEOUT\fR \fI\fR
-.RS 4
-Define the timeout for running a command\&.
-.RE
-.PP
 \fBGPG_HOME_DIR\fR \fI\fR
 .RS 4
 If GPG keys are used instead of a Rijndael symmetric key, this is the default GPG keys directory\&. Note that each access block in
@@ -340,9 +323,9 @@ directory of the user running
 (most likely root)\&.
 .RE
 .PP
-\fBPCAP_PKT_FILE\fR \fI\fR
+\fBLOCALE\fR \fI\fR
 .RS 4
-This gets used if AUTH_MODE is set to "FILE_PCAP"\&. This file must be created by a sniffer process (or something like the ulogd pcap writer)\&.
+Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
 .RE
 .PP
 \fBBLACKLIST\fR \fI\fR
diff --git a/server/fwknopd.c b/server/fwknopd.c
index b919dbf8..21688fed 100644
--- a/server/fwknopd.c
+++ b/server/fwknopd.c
@@ -48,6 +48,7 @@ main(int argc, char **argv)
 int res, last_sig, rpdb_count;
 char *spa_data, *version;
 char access_buf[MAX_LINE_LEN];
+ char *locale;
 pid_t old_pid;
 fko_srv_options_t opts;
@@ -133,6 +134,31 @@ main(int argc, char **argv)
 */
 init_logging(&opts);
+#if HAVE_LOCALE_H
+ /* Set the locale if specified.
+ */
+ if(opts.config[CONF_LOCALE] != NULL
+ && strncasecmp(opts.config[CONF_LOCALE], "NONE", 4) != 0)
+ {
+ locale = setlocale(LC_ALL, opts.config[CONF_LOCALE]);
+
+ if(locale == NULL)
+ {
+ log_msg(LOG_ERR,
+ "WARNING: Unable to set locale to '%s'.",
+ opts.config[CONF_LOCALE]
+ );
+ }
+ else
+ {
+ if(opts.verbose)
+ log_msg(LOG_INFO,
+ "Locale set to '%s'.", opts.config[CONF_LOCALE]
+ );
+ }
+ }
+#endif
+
 /* Make sure we have a valid run dir and path leading to digest file
 * in case it configured to be somewhere other than the run dir.
 */
@@ -190,16 +216,6 @@ main(int argc, char **argv)
 log_msg(LOG_INFO, "Re-starting %s", MY_NAME);
 }
- /* We only support pcap capture at this point.
- */
- if((strncasecmp(opts.config[CONF_AUTH_MODE], "pcap", 4)) != 0)
- {
- log_msg(LOG_ERR,
- "Capture/auth mode other than 'PCAP' is not supported."
- );
- exit(EXIT_FAILURE);
- }
-
 if(opts.verbose > 1 && opts.foreground)
 {
 dump_config(&opts);
diff --git a/server/fwknopd.conf b/server/fwknopd.conf
index bbbcfe9d..4ab7d5c0 100644
--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
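Review bot: `strncasecmp(opts.config[CONF_LOCALE], "NONE", 4) != 0` in the locale block is a prefix test, so any configured value that merely begins with "none" (in any case) is silently taken as the sentinel and setlocale() is never called; a whole-string compare, `&& strcasecmp(opts.config[CONF_LOCALE], "NONE") != 0)`, matches what the surrounding comment and fwknopd.conf text describe. The `char *locale;` added at the top of main() in the first hunk is referenced only inside the `#if HAVE_LOCALE_H` region, so a build without locale.h will warn about an unused variable — declaring it inside the guarded block keeps the two together. The failure path logs at LOG_ERR while its message text says "WARNING" and execution carries on; pick one severity so log-based alerting is not misled by the mismatch. main() begins before the first hunk and continues past the last one.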
@@ -30,20 +30,7 @@
 #
 FIREWALL_TYPE iptables;
-# This defines the general strategy fwknop uses to authenticate remote
-# clients. Possible values are "PCAP" (authenticate via regular pcap; this
-# is the default and puts the interface in promiscuous mode unless
-# ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file
-# that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap
-# writer).
-#
-# NOTE: At present, only "PCAP" supported.
-#
-AUTH_MODE PCAP;
-
-# Define the ethernet interface on which we will sniff packets. Note
-# that this is only used if the AUTH_MODE keyword above is set to
-# "PCAP".
+# Define the ethernet interface on which we will sniff packets.
 #
 PCAP_INTF eth0;
@@ -150,10 +137,6 @@ FLUSH_IPT_AT_EXIT Y;
 #
 #IPFW_DYNAMIC_INTERVAL 60; ### seconds
-# Define the timeout for running a command
-#
-PCAP_CMD_TIMEOUT 10;
-
 # If GPG keys are used instead of a Rijndael symmetric key, this is
 # the default GPG keys directory. Note that each access block in
 # fwknop access.conf can specify its own GPG directory to override
@@ -161,17 +144,13 @@ PCAP_CMD_TIMEOUT 10;
 #
 #GPG_HOME_DIR /root/.gnupg;
-# This gets used if AUTH_MODE is set to "FILE_PCAP". This file must
-# be created by a sniffer process (or something like the ulogd pcap
-# writer).
-#
-#PCAP_PKT_FILE /var/log/sniff.pcap;
-
 # Define a comma-separated set of IP addresses and/or networks that should
 # be globally blacklisted. That is, any SPA packet that is from a source
 # IP (or has an internal --allow-ip) within a blacklisted network will be
 # ignored.
 #
+# NOTE: Not Implemented yet.
+#
 #BLACKLIST NONE;
 # Allow fwknopd to acquire SPA data from HTTP requests (generated with the
@@ -194,6 +173,11 @@ ENABLE_SPA_OVER_HTTP N;
 ENABLE_TCP_SERVER N;
 TCPSERV_PORT 62201;
+# Set/override the locale (via the LC_ALL locale category). Leave this
+# entry commented out to have fwknopd honor the default system locale.
+#
+#LOCALE C;
+
 # Override syslog identity and facility (the defaults are usually ok).
 # The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}
 # or LOG_DAEMON (the default).
@@ -201,6 +185,9 @@ TCPSERV_PORT 62201;
 #SYSLOG_IDENTITY fwknopd;
 #SYSLOG_FACILITY LOG_DAEMON;
+# NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
+# This is a possible future feature of fwknopd.
+#
 # The following four variables control whether a global set of "open" and
 # "close" commands are executed after receving a valid SPA packet. These
 # variables are used only if FIREWALL_TYPE is set to "external_cmd", but
@@ -300,20 +287,14 @@ IPT_MASQUERADE_ACCESS MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING
 # Directories - These will override compile-time defaults.
 #
-#FWKNOP_DIR /var/log/fwknop;
 #FWKNOP_RUN_DIR /var/run/fwknop;
-#FWKNOP_MOD_DIR /usr/lib/fwknop;
 #FWKNOP_CONF_DIR /etc/fwknop;
-#FWKNOP_ERR_DIR $FWKNOP_DIR/errs;
 # Files
 #
 #ACCESS_FILE access.conf;
 #FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid;
 #DIGEST_FILE $FWKNOP_RUN_DIR/digest.cache;
-#FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd;
-#TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid;
-#PROC_IP_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
 # System binaries
 #
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index f54470cf..e952c167 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -80,14 +80,6 @@
 */
 #define MIN_SPA_DATA_SIZE 140
-/* Data collection modes
-*/
-enum {
- SPA_CAP_MODE_PCAP,
- SPA_CAP_MODE_UDP,
- SPA_CAP_MODE_TCP
-};
-
 /* SPA message handling status code
 */
 enum {
@@ -123,38 +115,33 @@ enum {
 enum {
 CONF_CONFIG_FILE = 0,
 CONF_OVERRIDE_CONFIG,
- //CONF_EMAIL_ADDRESSES,
 CONF_HOSTNAME,
 CONF_FIREWALL_TYPE,
- CONF_AUTH_MODE,
+ //CONF_AUTH_MODE,
 CONF_PCAP_INTF,
 CONF_ENABLE_PCAP_PROMISC,
 CONF_PCAP_FILTER,
 CONF_ENABLE_SPA_PACKET_AGING,
 CONF_MAX_SPA_PACKET_AGE,
 CONF_ENABLE_DIGEST_PERSISTENCE,
- //CONF_ENABLE_DIGEST_INCLUDE_SRC,
 CONF_ENABLE_IPT_FORWARDING,
 CONF_ENABLE_IPT_LOCAL_NAT,
 CONF_ENABLE_IPT_SNAT,
 CONF_SNAT_TRANSLATE_IP,
- //CONF_ENABLE_PROC_IP_FORWARD,
 CONF_ENABLE_IPT_OUTPUT,
- //CONF_ENABLE_COOKED_INTF,
- //CONF_EXIT_INTERVAL,
 CONF_MAX_SNIFF_BYTES,
 CONF_FLUSH_IPT_AT_INIT,
 CONF_FLUSH_IPT_AT_EXIT,
 //CONF_IPFW_RULE_NUM,
 //CONF_IPFW_SET_NUM,
 //CONF_IPFW_DYNAMIC_INTERVAL,
- CONF_PCAP_CMD_TIMEOUT,
+ //CONF_CMD_EXEC_TIMEOUT,
 //CONF_PCAP_PKT_FILE,
 //CONF_BLACKLIST,
 CONF_ENABLE_SPA_OVER_HTTP,
 CONF_ENABLE_TCP_SERVER,
 CONF_TCPSERV_PORT,
- //CONF_LOCALE,
+ CONF_LOCALE,
 CONF_SYSLOG_IDENTITY,
 CONF_SYSLOG_FACILITY,
 //CONF_IPT_EXEC_TRIES,
@@ -170,22 +157,11 @@ enum {
 CONF_IPT_DNAT_ACCESS,
 CONF_IPT_SNAT_ACCESS,
 CONF_IPT_MASQUERADE_ACCESS,
- //CONF_FWKNOP_DIR,
 CONF_FWKNOP_RUN_DIR,
- //CONF_FWKNOP_MOD_DIR,
 CONF_FWKNOP_CONF_DIR,
- //CONF_FWKNOP_ERR_DIR,
 CONF_ACCESS_FILE,
 CONF_FWKNOP_PID_FILE,
 CONF_DIGEST_FILE,
- //CONF_FWKNOP_CMDLINE_FILE,
- //CONF_TCPSERV_PID_FILE,
- //CONF_PROC_IP_FORWARD_FILE,
- //CONF_EXE_GPG,
- //CONF_EXE_MAIL,
- //CONF_EXE_SENDMAIL,
- //CONF_EXE_SH,
- //CONF_EXE_MKNOD,
 CONF_EXE_IPTABLES,
 CONF_EXE_IPFW,
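Review bot: The CONF_* enum edited here and the `config_map` string table edited in the -204/-251 hunks of the same file are two hand-maintained parallel lists, and this commit toggles `CONF_AUTH_MODE`, `CONF_PCAP_CMD_TIMEOUT`/`CMD_EXEC_TIMEOUT` and `CONF_LOCALE` in both by commenting entries in and out; nothing visible ties them together, and if they ever drift by one entry the brace-initialized `config_map[NUMBER_OF_CONFIG_ENTRIES]` is silently zero-filled rather than rejected by the compiler, so the trailing directives would map to NULL names — presumably a crash or mis-mapping in whatever code walks config_map by CONF_ index, which is not in this diff. A comment at the top of the enum such as `/* Order must match config_map[] below entry for entry. */` would at least flag the coupling; generating both lists from a single X-macro would remove it. Separately, existing fwknopd.conf files that still carry `AUTH_MODE` or `PCAP_CMD_TIMEOUT` now contain directives with no CONF_ entry; it is worth confirming that the parser reports them rather than ignoring them silently. The enum continues past the end of the -170 hunk.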
@@ -204,41 +180,35 @@ enum {
 static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 "CONFIG_FILE",
 "OVERRIDE_CONFIG",
- //"EMAIL_ADDRESSES",
 "HOSTNAME",
 "FIREWALL_TYPE",
- "AUTH_MODE",
+ //"AUTH_MODE",
 "PCAP_INTF",
 "ENABLE_PCAP_PROMISC",
 "PCAP_FILTER",
 "ENABLE_SPA_PACKET_AGING",
 "MAX_SPA_PACKET_AGE",
 "ENABLE_DIGEST_PERSISTENCE",
- //"ENABLE_DIGEST_INCLUDE_SRC",
 "ENABLE_IPT_FORWARDING",
 "ENABLE_IPT_LOCAL_NAT",
 "ENABLE_IPT_SNAT",
 "SNAT_TRANSLATE_IP",
- //"ENABLE_PROC_IP_FORWARD",
 "ENABLE_IPT_OUTPUT",
- //"ENABLE_COOKED_INTF",
- //"EXIT_INTERVAL",
 "MAX_SNIFF_BYTES",
 "FLUSH_IPT_AT_INIT",
 "FLUSH_IPT_AT_EXIT",
 //"IPFW_RULE_NUM",
 //"IPFW_SET_NUM",
 //"IPFW_DYNAMIC_INTERVAL",
- "PCAP_CMD_TIMEOUT",
+ //"CMD_EXEC_TIMEOUT",
 //"PCAP_PKT_FILE",
 //"BLACKLIST",
 "ENABLE_SPA_OVER_HTTP",
 "ENABLE_TCP_SERVER",
 "TCPSERV_PORT",
- //"LOCALE",
+ "LOCALE",
 "SYSLOG_IDENTITY",
 "SYSLOG_FACILITY",
- //"IPT_EXEC_TRIES",
 //"ENABLE_EXTERNAL_CMDS",
 //"EXTERNAL_CMD_OPEN",
 //"EXTERNAL_CMD_CLOSE",
@@ -251,22 +221,11 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 "IPT_DNAT_ACCESS",
 "IPT_SNAT_ACCESS",
 "IPT_MASQUERADE_ACCESS",
- //"FWKNOP_DIR",
 "FWKNOP_RUN_DIR",
- //"FWKNOP_MOD_DIR",
 "FWKNOP_CONF_DIR",
- //"FWKNOP_ERR_DIR",
 "ACCESS_FILE",
 "FWKNOP_PID_FILE",
 "DIGEST_FILE",
- //"FWKNOP_CMDLINE_FILE",
- //"TCPSERV_PID_FILE",
- //"PROC_IP_FORWARD_FILE",
- //"EXE_GPG",
- //"EXE_MAIL",
- //"EXE_SENDMAIL",
- //"EXE_SH",
- //"EXE_MKNOD",
 "EXE_IPTABLES",
 "EXE_IPFW",