Ensure that INPUT rules are added in --nat-local mode

This change ensures that INPUT rules are added when the fwknop client is used to request access to a local service with --nat-local mode.
2012-07-17 21:50:29 -04:00 · 2012-07-17 21:50:29 -04:00 · 6c73e160d9
commit 6c73e160d9
parent 981059452b
3 changed files with 25 additions and 6 deletions
--- a/1
+++ b/1
@ -16,6 +16,7 @@ fwknop-2.0.1 (07//2012):
      process to ensure that fwknop is not leaking memory.
    - [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path
      instead of libfko.so.  This fixes the existence check for libfko.
+    - [test suite] Added tests for --nat-local mode.
    - Minor gcc warning fix: fko_decode.c:43:17: warning: variable ‘edata_size’
      set but not used [-Wunused-but-set-variable].

--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@ -693,13 +693,10 @@ process_spa_request(const fko_srv_options_t *opts, const acc_stanza_t *acc, spa_
                log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);

        }
-
-        /* Make our FORWARD and NAT rules
-        */
-        if(fwd_chain->to_chain != NULL && strlen(fwd_chain->to_chain))
+        else if(fwd_chain->to_chain != NULL && strlen(fwd_chain->to_chain))
        {
-
-            /* Make sure the required jump rule exists
+            /* Make our FORWARD and NAT rules, and make sure the
+             * required jump rule exists
            */
            if (jump_rule_exists(IPT_FORWARD_ACCESS) == 0)
                add_jump_rule(opts, IPT_FORWARD_ACCESS);
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@ -967,6 +967,27 @@ my @tests = (
        'server_conf' => $nat_conf,
        'fatal'    => $NO
    },
+    {
+        'category' => 'Rijndael SPA',
+        'subcategory' => 'client+server',
+        'detail'   => "local NAT non-FORCE_NAT (tcp/22 ssh)",
+        'err_msg'  => "could not complete NAT SPA cycle",
+        'function' => \&spa_cycle,
+        'cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --get-key " .
+            "$local_key_file --verbose --verbose --nat-local --nat-port 22",
+        'fwknopd_cmdline'  => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
+            "$fwknopdCmd -c $local_nat_fwknopd_conf -a $default_access_conf " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'server_positive_output_matches' => [qr/to\:$fake_ip\:22/i,
+            qr/FWKNOP_INPUT.*dport\s22.*\sACCEPT/],
+        'server_negative_output_matches' => [qr/to\:$internal_nat_host\:22/i],
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'server_conf' => $nat_conf,
+        'fatal'    => $NO
+    },
+
    {
        'category' => 'Rijndael SPA',
        'subcategory' => 'client+server',