[server] update fw_config_init() to allow access stanza key information to be zeroed out upon error (#93)
This commit is contained in:
Michael Rash
parent
cb61fd886d
commit
6f6f7b8de2
@ -60,7 +60,7 @@
|
||||
* They should be implemented in each of the corresponding
|
||||
* fw_util_<fw-type>.c files.
|
||||
*/
|
||||
void fw_config_init(fko_srv_options_t * const opts);
|
||||
int fw_config_init(fko_srv_options_t * const opts);
|
||||
int fw_initialize(const fko_srv_options_t * const opts);
|
||||
int fw_cleanup(const fko_srv_options_t * const opts);
|
||||
void check_firewall_rules(const fko_srv_options_t * const opts);
|
||||
|
||||
@ -78,7 +78,7 @@ fw_config_init(fko_srv_options_t *opts)
|
||||
*/
|
||||
opts->fw_config = &fwc;
|
||||
|
||||
return;
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
@ -193,7 +193,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].",
|
||||
opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES],
|
||||
@ -202,7 +202,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].",
|
||||
opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM],
|
||||
@ -211,7 +211,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].",
|
||||
opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM],
|
||||
@ -220,7 +220,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].",
|
||||
opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
|
||||
@ -230,14 +230,14 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
log_msg(LOG_ERR, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].",
|
||||
opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0,
|
||||
RCHK_MAX_IPFW_PURGE_INTERVAL);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Let us find it via our opts struct as well.
|
||||
*/
|
||||
opts->fw_config = &fwc;
|
||||
|
||||
return;
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
@ -421,7 +421,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
|
||||
return(got_err);
|
||||
}
|
||||
|
||||
static void
|
||||
static int
|
||||
set_fw_chain_conf(const int type, const char * const conf_str)
|
||||
{
|
||||
int i, j, is_err;
|
||||
@ -435,7 +435,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
|
||||
if(conf_str == NULL)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] NULL conf_str.");
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
chain->type = type;
|
||||
@ -468,7 +468,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
|
||||
log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n"
|
||||
"Wrong number of fields for chain type %i\n"
|
||||
"Line: %s", type, conf_str);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Pull and set Target */
|
||||
@ -487,7 +487,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s",
|
||||
conf_str);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Pull and set To_chain */
|
||||
@ -500,11 +500,12 @@ set_fw_chain_conf(const int type, const char * const conf_str)
|
||||
{
|
||||
log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s",
|
||||
conf_str);
|
||||
exit(EXIT_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
int
|
||||
fw_config_init(fko_srv_options_t * const opts)
|
||||
{
|
||||
|
||||
@ -518,20 +519,25 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
* config struct. The IPT_INPUT is the only one that is
|
||||
* required. The rest are optional.
|
||||
*/
|
||||
set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]);
|
||||
if(set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
|
||||
return 0;
|
||||
|
||||
/* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y
|
||||
*/
|
||||
if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1)==0)
|
||||
set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]);
|
||||
if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
|
||||
return 0;
|
||||
|
||||
/* The remaining access chains require ENABLE_IPT_FORWARDING = Y
|
||||
*/
|
||||
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
|
||||
{
|
||||
|
||||
set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]);
|
||||
set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]);
|
||||
if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
|
||||
return 0;
|
||||
|
||||
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
|
||||
return 0;
|
||||
|
||||
/* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y
|
||||
*/
|
||||
@ -545,11 +551,17 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
* this.
|
||||
*
|
||||
*/
|
||||
if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL
|
||||
&& strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)!=0)
|
||||
set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]);
|
||||
if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
|
||||
&& (strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)) != 0)
|
||||
{
|
||||
if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]);
|
||||
{
|
||||
if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -557,7 +569,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
*/
|
||||
opts->fw_config = &fwc;
|
||||
|
||||
return;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
|
||||
@ -159,7 +159,7 @@ fw_config_init(fko_srv_options_t * const opts)
|
||||
*/
|
||||
opts->fw_config = &fwc;
|
||||
|
||||
return;
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
@ -181,7 +181,8 @@ main(int argc, char **argv)
|
||||
* via fw_rules_dump() in --fw-list mode before changing around any rules
|
||||
* of an existing fwknopd process.
|
||||
*/
|
||||
fw_config_init(&opts);
|
||||
if(fw_config_init(&opts) != 1)
|
||||
clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
|
||||
|
||||
if(opts.fw_list == 1 || opts.fw_list_all == 1)
|
||||
{
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user