From 669e448db5dfceaf7ec161d4236212b5e8dc22dd Mon Sep 17 00:00:00 2001 From: Jonathan Bennett Date: Thu, 31 Dec 2015 18:05:55 +0000 Subject: [PATCH] Add ENABLE_NAT_DNS config option --- server/cmd_opts.h | 1 + server/config_init.c | 4 ++++ server/fw_util_firewalld.c | 27 +++++++++++++++++++++++---- server/fw_util_iptables.c | 27 +++++++++++++++++++++++---- server/fwknopd.conf | 3 +++ server/fwknopd_common.h | 2 ++ 6 files changed, 56 insertions(+), 8 deletions(-) diff --git a/server/cmd_opts.h b/server/cmd_opts.h index 8e30bc24..a04c479d 100644 --- a/server/cmd_opts.h +++ b/server/cmd_opts.h @@ -72,6 +72,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = { //"ENABLE_EXT_CMD_PREFIX", //"EXT_CMD_PREFIX", "ENABLE_DESTINATION_RULE", + "ENABLE_NAT_DNS", #if FIREWALL_FIREWALLD "ENABLE_FIREWD_FORWARDING", "ENABLE_FIREWD_LOCAL_NAT", diff --git a/server/config_init.c b/server/config_init.c index bafc4a3d..bf90cd8e 100644 --- a/server/config_init.c +++ b/server/config_init.c @@ -880,6 +880,10 @@ validate_options(fko_srv_options_t *opts) #endif /* FIREWALL type */ + /* NAT DNS enabled*/ + if(opts->config[CONF_ENABLE_NAT_DNS] == NULL) + set_config_entry(opts, CONF_ENABLE_NAT_DNS, DEF_ENABLE_NAT_DNS); + /* GPG Home dir. */ if(opts->config[CONF_GPG_HOME_DIR] == NULL) diff --git a/server/fw_util_firewalld.c b/server/fw_util_firewalld.c index 3afd8ecb..998d607c 100644 --- a/server/fw_util_firewalld.c +++ b/server/fw_util_firewalld.c 
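Review bot: The comment `/* NAT DNS enabled*/` on the new validate_options default does not say what the entry governs or where its default comes from; the neighbouring `/* GPG Home dir. */` is equally terse, but this entry decides whether attacker-supplied text in a NAT access message is handed to a resolver, so it deserves `/* Whether hostnames in NAT access messages may be resolved at request time; defaults to DEF_ENABLE_NAT_DNS. */`. Nothing in the hunk constrains the value to Y/N, which matches how the surrounding entries are handled, so the strncasecmp(…, "Y", 1) consumers decide the semantics. validate_options starts and ends outside this hunk.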
@@ -1385,17 +1385,29 @@ process_spa_request(const fko_srv_options_t * const opts, if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN)) { strlcpy(nat_dst, spadat->nat_access, str_len+1); - if (! is_valid_ipv4_addr(nat_dst)) + if((! is_valid_ipv4_addr(nat_dst))) { - if (ipv4_resolve(nat_dst, nat_ip) == 0) + if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0) { - log_msg(LOG_INFO, "Resolved NAT IP in SPA message"); + if (ipv4_resolve(nat_dst, nat_ip) == 0) + { + log_msg(LOG_INFO, "Resolved NAT IP in SPA message"); + } + else + { + log_msg(LOG_INFO, "Unable to resolve Hostname in NAT SPA message"); + free_acc_port_list(port_list); + res = is_err; + return res; + } } else { - log_msg(LOG_INFO, "Invalid NAT IP in SPA message"); + log_msg(LOG_INFO, "Received Hostname in NAT SPA message, but hostname is disabled."); free_acc_port_list(port_list); + res = is_err; return res; + } } else @@ -1413,6 +1425,13 @@ process_spa_request(const fko_srv_options_t * const opts, return res; } } + else + { + log_msg(LOG_INFO, "Invalid NAT IP in SPA message"); + free_acc_port_list(port_list); + res = is_err; + return res; + } } if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index 6ce25572..a280d9c1 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c 
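Review bot: Each new early return does `res = is_err; return res;` although nothing in this hunk assigns `is_err` first, so unless it is initialized at its declaration (outside the hunk) the caller receives an indeterminate value instead of a defined failure code; the same pattern is added in the second fw_util_firewalld.c hunk and in both fw_util_iptables.c hunks. The old code returned whatever `res` held at that point on an invalid NAT target, which presumably let a rejected request look like success, so the intent to propagate an error is right, but it should be an explicit non-success assignment at these returns or an initialization of `is_err` to a failure code where it is declared. process_spa_request begins and ends outside this hunk, so the declaration cannot be checked here.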
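Review bot: The `else` added in the second hunk logs "Invalid NAT IP in SPA message", but it appears to pair with `if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))` from the first hunk, so it fires when the nat_access string has no ',' separator or its host part exceeds MAX_HOSTNAME_LEN, not when an address fails validation; `log_msg(LOG_INFO, "Malformed NAT access string in SPA message");` would keep the two failure classes distinguishable in the log. Before this change that case seems to have fallen through without an error, so rejecting it is the right call. The `}` lines between the two hunks are not visible, so the brace pairing is inferred from the hunk context.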
@@ -1372,17 +1372,29 @@ process_spa_request(const fko_srv_options_t * const opts, if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN)) { strlcpy(nat_dst, spadat->nat_access, str_len+1); - if (! is_valid_ipv4_addr(nat_dst)) + if((! is_valid_ipv4_addr(nat_dst))) { - if (ipv4_resolve(nat_dst, nat_ip) == 0) + if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0) { - log_msg(LOG_INFO, "Resolved NAT IP in SPA message"); + if (ipv4_resolve(nat_dst, nat_ip) == 0) + { + log_msg(LOG_INFO, "Resolved NAT IP in SPA message"); + } + else + { + log_msg(LOG_INFO, "Unable to resolve Hostname in NAT SPA message"); + free_acc_port_list(port_list); + res = is_err; + return res; + } } else { - log_msg(LOG_INFO, "Invalid NAT IP in SPA message"); + log_msg(LOG_INFO, "Received Hostname in NAT SPA message, but hostname is disabled."); free_acc_port_list(port_list); + res = is_err; return res; + } } else @@ -1400,6 +1412,13 @@ process_spa_request(const fko_srv_options_t * const opts, return res; } } + else + { + log_msg(LOG_INFO, "Invalid NAT IP in SPA message"); + free_acc_port_list(port_list); + res = is_err; + return res; + } } if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG diff --git a/server/fwknopd.conf b/server/fwknopd.conf index ed2afeb1..d6b31374 100644 --- a/server/fwknopd.conf +++ b/server/fwknopd.conf @@ -109,6 +109,9 @@ # #ENABLE_SPA_OVER_HTTP N; +# Allow fwknopd to resolve hostnames in NAT access messages +#ENABLE_NAT_DNS Y; + # Enable the fwknopd TCP server. This is a "dummy" TCP server that will # accept TCP connection requests on the specified TCPSERV_PORT. # If set to "Y", fwknopd will fork off a child process to listen for and diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h index b60a154d..3fcc175f 100644 --- a/server/fwknopd_common.h +++ b/server/fwknopd_common.h 
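Review bot: The hostname-policy block added here is a line-for-line copy of the one added to fw_util_firewalld.c in the same commit, so the two backends now carry identical twenty-odd lines of config lookup, resolution and error handling that must be kept in step by hand. A single shared static helper that takes `opts`, `nat_dst` and `nat_ip` and returns success or a failure code, leaving only the free/return to each backend, would remove that drift risk. While there, the message `"Received Hostname in NAT SPA message, but hostname is disabled."` says the hostname is disabled when it is the resolution that is off; `log_msg(LOG_INFO, "Hostname in NAT SPA message rejected: ENABLE_NAT_DNS is not set");` names the actual condition. process_spa_request starts and ends outside this hunk.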
@@ -95,6 +95,7 @@
 #define DEF_RULES_CHECK_THRESHOLD "20"
 #define DEF_MAX_SNIFF_BYTES "1500"
 #define DEF_GPG_HOME_DIR "/root/.gnupg"
+#define DEF_ENABLE_NAT_DNS "Y"
 #ifdef GPG_EXE
 #define DEF_GPG_EXE GPG_EXE
 #else
@@ -260,6 +261,7 @@ enum {
 //CONF_ENABLE_EXT_CMD_PREFIX,
 //CONF_EXT_CMD_PREFIX,
 CONF_ENABLE_DESTINATION_RULE,
+ CONF_ENABLE_NAT_DNS,
 #if FIREWALL_FIREWALLD
 CONF_ENABLE_FIREWD_FORWARDING,
 CONF_ENABLE_FIREWD_LOCAL_NAT,
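Review bot: `#define DEF_ENABLE_NAT_DNS "Y"` keeps the previously unconditional hostname resolution switched on for every installation, and the fw_util hunks show that resolution happening at request time via ipv4_resolve, presumably over ordinary DNS, so the address that ends up in the NAT rule depends on an answer the SPA signature does not cover. A default of `"N"`, enabled explicitly by deployments that need hostnames, would make that exposure opt-in at the cost of a behaviour change on upgrade; if "Y" is kept for compatibility, the fwknopd.conf entry should say that the resolved address, not the hostname, is what the rule is built from. The enum member `CONF_ENABLE_NAT_DNS` must sit at the same offset as `"ENABLE_NAT_DNS"` in config_map[] (cmd_opts.h hunk); a comment such as `/* Keep in the same order as config_map[] in cmd_opts.h */` on the enum would make that coupling visible.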