Add ENABLE_NAT_DNS config option

server/cmd_opts.h

@@ -72,6 +72,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     //"ENABLE_EXT_CMD_PREFIX",
     //"EXT_CMD_PREFIX",
     "ENABLE_DESTINATION_RULE",
+    "ENABLE_NAT_DNS",
 #if FIREWALL_FIREWALLD
     "ENABLE_FIREWD_FORWARDING",
     "ENABLE_FIREWD_LOCAL_NAT",

server/config_init.c

@@ -880,6 +880,10 @@ validate_options(fko_srv_options_t *opts)
 
 #endif /* FIREWALL type */
 
+    /* NAT DNS enabled*/
+    if(opts->config[CONF_ENABLE_NAT_DNS] == NULL)
+        set_config_entry(opts, CONF_ENABLE_NAT_DNS, DEF_ENABLE_NAT_DNS);
+
     /* GPG Home dir.
     */
     if(opts->config[CONF_GPG_HOME_DIR] == NULL)

server/fw_util_firewalld.c

@@ -1385,7 +1385,9 @@ process_spa_request(const fko_srv_options_t * const opts,
             if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))
             {
                 strlcpy(nat_dst, spadat->nat_access, str_len+1);
-                if (! is_valid_ipv4_addr(nat_dst))
+                if((! is_valid_ipv4_addr(nat_dst)))
+                {
+                    if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0)
                     {
                         if (ipv4_resolve(nat_dst, nat_ip) == 0)
                         {
@@ -1393,12 +1395,22 @@ process_spa_request(const fko_srv_options_t * const opts,
                         }
                         else
                         {
-                        log_msg(LOG_INFO, "Invalid NAT IP in SPA message");
+                            log_msg(LOG_INFO, "Unable to resolve Hostname in NAT SPA message");
                             free_acc_port_list(port_list);
+                            res = is_err;
                             return res;
                         }
                     }
                     else
+                    {
+                        log_msg(LOG_INFO, "Received Hostname in NAT SPA message, but hostname is disabled.");
+                        free_acc_port_list(port_list);
+                        res = is_err;
+                        return res;
+
+                    }
+                }
+                else
                 {
                     strlcpy(nat_ip, nat_dst, MAX_IPV4_STR_LEN);
                 }
@@ -1413,6 +1425,13 @@ process_spa_request(const fko_srv_options_t * const opts,
                     return res;
                 }
             }
+            else
+            {
+                log_msg(LOG_INFO, "Invalid NAT IP in SPA message");
+                free_acc_port_list(port_list);
+                res = is_err;
+                return res;
+            }
         }
 
         if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG

server/fw_util_iptables.c

@@ -1372,7 +1372,9 @@ process_spa_request(const fko_srv_options_t * const opts,
             if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))
             {
                 strlcpy(nat_dst, spadat->nat_access, str_len+1);
-                if (! is_valid_ipv4_addr(nat_dst))
+                if((! is_valid_ipv4_addr(nat_dst)))
+                {
+                    if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0)
                     {
                         if (ipv4_resolve(nat_dst, nat_ip) == 0)
                         {
@@ -1380,12 +1382,22 @@ process_spa_request(const fko_srv_options_t * const opts,
                         }
                         else
                         {
-                        log_msg(LOG_INFO, "Invalid NAT IP in SPA message");
+                            log_msg(LOG_INFO, "Unable to resolve Hostname in NAT SPA message");
                             free_acc_port_list(port_list);
+                            res = is_err;
                             return res;
                         }
                     }
                     else
+                    {
+                        log_msg(LOG_INFO, "Received Hostname in NAT SPA message, but hostname is disabled.");
+                        free_acc_port_list(port_list);
+                        res = is_err;
+                        return res;
+
+                    }
+                }
+                else
                 {
                     strlcpy(nat_ip, nat_dst, MAX_IPV4_STR_LEN);
                 }
@@ -1400,6 +1412,13 @@ process_spa_request(const fko_srv_options_t * const opts,
                     return res;
                 }
             }
+            else
+            {
+                log_msg(LOG_INFO, "Invalid NAT IP in SPA message");
+                free_acc_port_list(port_list);
+                res = is_err;
+                return res;
+            }
         }
 
         if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG

server/fwknopd.conf

@@ -109,6 +109,9 @@
 #
 #ENABLE_SPA_OVER_HTTP        N;
 
+# Allow fwknopd to resolve hostnames in NAT access messages
+#ENABLE_NAT_DNS              Y;
+
 # Enable the fwknopd TCP server.  This is a "dummy" TCP server that will
 # accept TCP connection requests on the specified TCPSERV_PORT.
 # If set to "Y", fwknopd will fork off a child process to listen for and

server/fwknopd_common.h

@@ -95,6 +95,7 @@
 #define DEF_RULES_CHECK_THRESHOLD       "20"
 #define DEF_MAX_SNIFF_BYTES             "1500"
 #define DEF_GPG_HOME_DIR                "/root/.gnupg"
+#define DEF_ENABLE_NAT_DNS              "Y"
 #ifdef  GPG_EXE
   #define DEF_GPG_EXE                   GPG_EXE
 #else
@@ -260,6 +261,7 @@ enum {
     //CONF_ENABLE_EXT_CMD_PREFIX,
     //CONF_EXT_CMD_PREFIX,
     CONF_ENABLE_DESTINATION_RULE,
+    CONF_ENABLE_NAT_DNS,
 #if FIREWALL_FIREWALLD
     CONF_ENABLE_FIREWD_FORWARDING,
     CONF_ENABLE_FIREWD_LOCAL_NAT,