From 6e54e9452ac74dd20755bebb939a31df2507fe05 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Thu, 26 May 2016 19:21:07 -0700
Subject: [PATCH] [test suite] add ENABLE_RULE_PREPEND test

---
 Makefile.am | 1 +
 server/config_init.c | 4 ++--
 server/fw_util_firewalld.c | 2 +-
 server/fw_util_iptables.c | 2 +-
 server/fwknopd_common.h | 4 ++--
 test/conf/prepend_fwknopd.conf | 3 +++
 test/test-fwknop.pl | 1 +
 test/tests/rijndael_hmac.pl | 16 ++++++++++++++++
 8 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 test/conf/prepend_fwknopd.conf

diff --git a/Makefile.am b/Makefile.am
index 0c6f79d0..b0f55f86 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -137,6 +137,7 @@ EXTRA_DIST = \
 test/conf/default_access.conf \
 test/conf/default_fwknopd.conf \
 test/conf/portrange_fwknopd.conf \
+ test/conf/prepend_fwknopd.conf \
 test/conf/ipt_custom_input_chain_fwknopd.conf \
 test/conf/firewd_custom_input_chain_fwknopd.conf \
 test/conf/ipt_custom_nat_chain_fwknopd.conf \
diff --git a/server/config_init.c b/server/config_init.c
index ba45d1df..e0cf3de3 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -884,8 +884,8 @@ validate_options(fko_srv_options_t *opts)
 set_config_entry(opts, CONF_ENABLE_X_FORWARDED_FOR, DEF_ENABLE_X_FORWARDED_FOR);
 /* Prepend firewall rules*/
- if(opts->config[CONF_ENABLE_PREPEND] == NULL)
- set_config_entry(opts, CONF_ENABLE_PREPEND, DEF_ENABLE_PREPEND);
+ if(opts->config[CONF_ENABLE_RULE_PREPEND] == NULL)
+ set_config_entry(opts, CONF_ENABLE_RULE_PREPEND, DEF_ENABLE_RULE_PREPEND);
 /* NAT DNS enabled*/
 if(opts->config[CONF_ENABLE_NAT_DNS] == NULL)
diff --git a/server/fw_util_firewalld.c b/server/fw_util_firewalld.c
index 2800edef..aea4fee8 100644
--- a/server/fw_util_firewalld.c
+++ b/server/fw_util_firewalld.c
@@ -1171,7 +1171,7 @@ create_rule(const fko_srv_options_t * const opts,
 zero_cmd_buffers();
- if (strncasecmp(opts->config[CONF_ENABLE_PREPEND], "Y", 1) == 0) {
+ if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) {
 snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s", opts->fw_config->fw_command, fw_chain, fw_rule);
 } else {
diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c
index cf84a5d4..39c89e53 100644
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@@ -1154,7 +1154,7 @@ create_rule(const fko_srv_options_t * const opts,
 zero_cmd_buffers();
- if (strncasecmp(opts->config[CONF_ENABLE_PREPEND], "Y", 1) == 0) {
+ if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) {
 snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s", opts->fw_config->fw_command, fw_chain, fw_rule);
 } else {
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index 97790866..e47e2e10 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -95,7 +95,7 @@
 #define DEF_MAX_SNIFF_BYTES "1500"
 #define DEF_GPG_HOME_DIR "/root/.gnupg"
 #define DEF_ENABLE_X_FORWARDED_FOR "N"
-#define DEF_ENABLE_PREPEND "N"
+#define DEF_ENABLE_RULE_PREPEND "N"
 #define DEF_ENABLE_NAT_DNS "Y"
 #ifdef GPG_EXE
 #define DEF_GPG_EXE GPG_EXE
@@ -282,7 +282,7 @@ enum {
 //CONF_EXT_CMD_PREFIX,
 CONF_ENABLE_X_FORWARDED_FOR,
 CONF_ENABLE_DESTINATION_RULE,
-CONF_ENABLE_PREPEND,
+CONF_ENABLE_RULE_PREPEND,
 CONF_ENABLE_NAT_DNS,
 #if FIREWALL_FIREWALLD
 CONF_ENABLE_FIREWD_FORWARDING,
diff --git a/test/conf/prepend_fwknopd.conf b/test/conf/prepend_fwknopd.conf
new file mode 100644
index 00000000..ad64ad6e
--- /dev/null
+++ b/test/conf/prepend_fwknopd.conf
@@ -0,0 +1,3 @@
+# default config - no variables set to allow defaults to be preserved
+
+ENABLE_RULE_PREPEND Y;
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index 1cb12112..816defcb 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
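Review bot: The header comment in the new test/conf/prepend_fwknopd.conf says no variables are set so that defaults are preserved, yet the file's only directive `ENABLE_RULE_PREPEND Y;` overrides a default, so the comment looks copied from a default config and misdescribes the file. Replace it with something like `# enable rule prepending (-I rather than -A); all other variables stay at their defaults`. The keyword table that maps the `ENABLE_RULE_PREPEND` string onto the renamed `CONF_ENABLE_RULE_PREPEND` enum is not part of this diff, so it presumably already used that spelling; worth confirming the parser accepts the key, since the new test depends on it taking effect.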
@@ -434,6 +434,7 @@ our %cf = (
 'include_m1_hmac_access' => "$conf_dir/include_m1_hmac_access.conf",
 'include_def_hmac_access' => "$conf_dir/include_def_hmac_access.conf",
 'include_keys1_hmac_access' => "$conf_dir/include_keys1_hmac_access.conf",
+ 'prepend_fwknopd' => "$conf_dir/prepend_fwknopd.conf",
 'hmac_cmd_access' => "$conf_dir/hmac_cmd_access.conf",
 'hmac_cmd_setuid_access' => "$conf_dir/hmac_cmd_setuid_access.conf",
 'hmac_cmd_giduid_access' => "$conf_dir/hmac_cmd_giduid_access.conf",
diff --git a/test/tests/rijndael_hmac.pl b/test/tests/rijndael_hmac.pl
index 87a730d7..9860088a 100644
--- a/test/tests/rijndael_hmac.pl
+++ b/test/tests/rijndael_hmac.pl
@@ -202,6 +202,22 @@
 qr/SOURCE\s.*123\.3\.3\.3/
 ],
 },
+ {
+ 'category' => 'Rijndael+HMAC',
+ 'subcategory' => 'client+server',
+ 'detail' => 'complete cycle prepend',
+ 'function' => \&spa_cycle,
+ 'cmdline' => $default_client_hmac_args,
+ 'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'prepend_fwknopd'} -a $cf{'hmac_access'} " .
+ "-d $default_digest_file -p $default_pid_file $intf_str",
+ 'fw_rule_created' => $NEW_RULE_REQUIRED,
+ 'fw_rule_removed' => $NEW_RULE_REMOVED,
+ 'key_file' => $cf{'rc_hmac_b64_key'},
+ 'server_positive_output_matches' => [
+ qr/\s\-I\sFWKNOP_INPUT.*\s\-s\s127.0.0.2/
+ ],
+ },
+
 {
 'category' => 'Rijndael+HMAC',
 'subcategory' => 'client+server',
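Review bot: In the new test's `server_positive_output_matches` pattern `qr/\s\-I\sFWKNOP_INPUT.*\s\-s\s127.0.0.2/` the dots of the address are unescaped, so each matches any character and the check is looser than the `123\.3\.3\.3` escaping on the context line at the top of the hunk; write `127\.0\.0\.2`. The match also only proves that some `-I` rule was printed; if the suite supports a negative-match key alongside the positive one, asserting that no `-A FWKNOP_INPUT` line appears for the same cycle would catch a regression where prepend silently falls back to append. `FWKNOP_INPUT` is the chain token the iptables backend prints in the hunks above; if this test list is also run against the firewalld backend, confirm its rule output carries the same token so the pattern does not fail there for the wrong reason.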