DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Ensure that INPUT rules are added in --nat-local mode

Browse Source 
This change ensures that INPUT rules are added when the fwknop client is used to
request access to a local service with --nat-local mode.
This commit is contained in:
Michael Rash 2012-07-17 21:50:29 -04:00
parent 981059452b
commit 6c73e160d9
3 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -16,6 +16,7 @@ fwknop-2.0.1 (07//2012):
process to ensure that fwknop is not leaking memory. process to ensure that fwknop is not leaking memory.
- [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path - [test suite] Bug fix on Mac OS X systems to account for libfko.dylib path
instead of libfko.so. This fixes the existence check for libfko. instead of libfko.so. This fixes the existence check for libfko.
- [test suite] Added tests for --nat-local mode.
- Minor gcc warning fix: fko_decode.c:43:17: warning: variable edata_size - Minor gcc warning fix: fko_decode.c:43:17: warning: variable edata_size
set but not used [-Wunused-but-set-variable]. set but not used [-Wunused-but-set-variable].

9
server/fw_util_iptables.c
View File

@ -693,13 +693,10 @@ process_spa_request(const fko_srv_options_t *opts, const acc_stanza_t *acc, spa_
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
} }
else if(fwd_chain->to_chain != NULL && strlen(fwd_chain->to_chain))
/* Make our FORWARD and NAT rules
*/
if(fwd_chain->to_chain != NULL && strlen(fwd_chain->to_chain))
{ {
/* Make our FORWARD and NAT rules, and make sure the
/* Make sure the required jump rule exists * required jump rule exists
*/ */
if (jump_rule_exists(IPT_FORWARD_ACCESS) == 0) if (jump_rule_exists(IPT_FORWARD_ACCESS) == 0)
add_jump_rule(opts, IPT_FORWARD_ACCESS); add_jump_rule(opts, IPT_FORWARD_ACCESS);

21
test/test-fwknop.pl
View File

@ -967,6 +967,27 @@ my @tests = (
'server_conf' => $nat_conf, 'server_conf' => $nat_conf,
'fatal' => $NO 'fatal' => $NO
}, },
{
'category' => 'Rijndael SPA',
'subcategory' => 'client+server',
'detail' => "local NAT non-FORCE_NAT (tcp/22 ssh)",
'err_msg' => "could not complete NAT SPA cycle",
'function' => \&spa_cycle,
'cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopCmd -A tcp/80 -a $fake_ip -D $loopback_ip --get-key " .
"$local_key_file --verbose --verbose --nat-local --nat-port 22",
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $valgrind_str " .
"$fwknopdCmd -c $local_nat_fwknopd_conf -a $default_access_conf " .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr/to\:$fake_ip\:22/i,
qr/FWKNOP_INPUT.*dport\s22.*\sACCEPT/],
'server_negative_output_matches' => [qr/to\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'server_conf' => $nat_conf,
'fatal' => $NO
},
{ {
'category' => 'Rijndael SPA', 'category' => 'Rijndael SPA',
'subcategory' => 'client+server', 'subcategory' => 'client+server',