[server] update fw_config_init() to allow access stanza key information to be zeroed out upon error (#93)

This commit is contained in:
Michael Rash 2013-07-06 15:05:09 -04:00
parent cb61fd886d
commit 6f6f7b8de2
6 changed files with 38 additions and 25 deletions


@ -60,7 +60,7 @@
* They should be implemented in each of the corresponding * They should be implemented in each of the corresponding
* fw_util_<fw-type>.c files. * fw_util_<fw-type>.c files.
*/ */
void fw_config_init(fko_srv_options_t * const opts); int fw_config_init(fko_srv_options_t * const opts);
int fw_initialize(const fko_srv_options_t * const opts); int fw_initialize(const fko_srv_options_t * const opts);
int fw_cleanup(const fko_srv_options_t * const opts); int fw_cleanup(const fko_srv_options_t * const opts);
void check_firewall_rules(const fko_srv_options_t * const opts); void check_firewall_rules(const fko_srv_options_t * const opts);
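Review bot: The header's new `int` return for fw_config_init() carries no statement of what the value means, and the caller added in main() in this commit tests for `!= 1`, so the 1/0 convention is only discoverable by reading the fw_util_*.c bodies. Add above the prototype: `/* Returns 1 on success; 0 after a configuration error has been logged, in which case opts->fw_config is left unset. */`. The "left unset" part matches the ipfw and iptables sections, where `opts->fw_config = &fwc` is assigned only on the success path; confirm it holds for the other backends before relying on it.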


@ -78,7 +78,7 @@ fw_config_init(fko_srv_options_t *opts)
*/ */
opts->fw_config = &fwc; opts->fw_config = &fwc;
return; return 1;
} }
void void
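Review bot: Only the `return 1;` of fw_config_init() is shown for this file; the definition's signature line does not appear in any hunk on the page, and the visible hunks already account for the diffstat. If the definition here still reads `void fw_config_init(...)`, returning a value is a constraint violation (a default warning in GCC, an error under `-pedantic-errors`) and conflicts with the header's new `int` prototype. The same applies to the ipfw section and the later one-line `return 1;` section; please confirm each backend's definition is `int fw_config_init(fko_srv_options_t * const opts)` or that the signature hunks were simply not rendered.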


@ -193,7 +193,7 @@ fw_config_init(fko_srv_options_t * const opts)
{ {
log_msg(LOG_ERR, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].", log_msg(LOG_ERR, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].",
opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES); opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES);
exit(EXIT_FAILURE); return 0;
} }
fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES], fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES],
@ -202,7 +202,7 @@ fw_config_init(fko_srv_options_t * const opts)
{ {
log_msg(LOG_ERR, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].", log_msg(LOG_ERR, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].",
opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES); opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES);
exit(EXIT_FAILURE); return 0;
} }
fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM], fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM],
@ -211,7 +211,7 @@ fw_config_init(fko_srv_options_t * const opts)
{ {
log_msg(LOG_ERR, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].", log_msg(LOG_ERR, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].",
opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM); opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
exit(EXIT_FAILURE); return 0;
} }
fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM], fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM],
@ -220,7 +220,7 @@ fw_config_init(fko_srv_options_t * const opts)
{ {
log_msg(LOG_ERR, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].", log_msg(LOG_ERR, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].",
opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM); opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
exit(EXIT_FAILURE); return 0;
} }
fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
@ -230,14 +230,14 @@ fw_config_init(fko_srv_options_t * const opts)
log_msg(LOG_ERR, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].", log_msg(LOG_ERR, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].",
opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0, opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0,
RCHK_MAX_IPFW_PURGE_INTERVAL); RCHK_MAX_IPFW_PURGE_INTERVAL);
exit(EXIT_FAILURE); return 0;
} }
/* Let us find it via our opts struct as well. /* Let us find it via our opts struct as well.
*/ */
opts->fw_config = &fwc; opts->fw_config = &fwc;
return; return 1;
} }
void void


@ -421,7 +421,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
return(got_err); return(got_err);
} }
static void static int
set_fw_chain_conf(const int type, const char * const conf_str) set_fw_chain_conf(const int type, const char * const conf_str)
{ {
int i, j, is_err; int i, j, is_err;
@ -435,7 +435,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
if(conf_str == NULL) if(conf_str == NULL)
{ {
log_msg(LOG_ERR, "[*] NULL conf_str."); log_msg(LOG_ERR, "[*] NULL conf_str.");
exit(EXIT_FAILURE); return 0;
} }
chain->type = type; chain->type = type;
@ -468,7 +468,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n" log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n"
"Wrong number of fields for chain type %i\n" "Wrong number of fields for chain type %i\n"
"Line: %s", type, conf_str); "Line: %s", type, conf_str);
exit(EXIT_FAILURE); return 0;
} }
/* Pull and set Target */ /* Pull and set Target */
@ -487,7 +487,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
{ {
log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s", log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s",
conf_str); conf_str);
exit(EXIT_FAILURE); return 0;
} }
/* Pull and set To_chain */ /* Pull and set To_chain */
@ -500,11 +500,12 @@ set_fw_chain_conf(const int type, const char * const conf_str)
{ {
log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s", log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s",
conf_str); conf_str);
exit(EXIT_FAILURE); return 0;
} }
return 1;
} }
void int
fw_config_init(fko_srv_options_t * const opts) fw_config_init(fko_srv_options_t * const opts)
{ {
@ -518,20 +519,25 @@ fw_config_init(fko_srv_options_t * const opts)
* config struct. The IPT_INPUT is the only one that is * config struct. The IPT_INPUT is the only one that is
* required. The rest are optional. * required. The rest are optional.
*/ */
set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]); if(set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
return 0;
/* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y /* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y
*/ */
if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1)==0) if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1)==0)
set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]); if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
return 0;
/* The remaining access chains require ENABLE_IPT_FORWARDING = Y /* The remaining access chains require ENABLE_IPT_FORWARDING = Y
*/ */
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0) if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
{ {
set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]); if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]); return 0;
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
return 0;
/* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y /* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y
*/ */
@ -545,11 +551,17 @@ fw_config_init(fko_srv_options_t * const opts)
* this. * this.
* *
*/ */
if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)!=0) && (strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)) != 0)
set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]); {
if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
return 0;
}
else else
set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]); {
if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
return 0;
}
} }
} }
@ -557,7 +569,7 @@ fw_config_init(fko_srv_options_t * const opts)
*/ */
opts->fw_config = &fwc; opts->fw_config = &fwc;
return; return 1;
} }
int int
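Review bot: set_fw_chain_conf() now returns an int but nothing states the contract, and it writes `chain->type = type` before the later parse-error returns, so a 0 result can leave a partially written chain entry. Add above the definition: `/* Returns 1 on success, 0 after logging a parse error; chain->type may already have been written when 0 is returned. */`. In fw_config_init(), the IPT_OUTPUT_ACCESS check is an unbraced `if` nested directly under the unbraced `if(strncasecmp(... "Y", 1)==0)`, which is the shape that silently misbinds any `else` added later; brace the outer `if` as the ENABLE_IPT_FORWARDING block already is. The `!= 1` tests also read as if other non-zero values were possible; `== 0` (or a named failure value) would state the intent more plainly.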


@ -159,7 +159,7 @@ fw_config_init(fko_srv_options_t * const opts)
*/ */
opts->fw_config = &fwc; opts->fw_config = &fwc;
return; return 1;
} }
void void


@ -181,7 +181,8 @@ main(int argc, char **argv)
* via fw_rules_dump() in --fw-list mode before changing around any rules * via fw_rules_dump() in --fw-list mode before changing around any rules
* of an existing fwknopd process. * of an existing fwknopd process.
*/ */
fw_config_init(&opts); if(fw_config_init(&opts) != 1)
clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
if(opts.fw_list == 1 || opts.fw_list_all == 1) if(opts.fw_list == 1 || opts.fw_list_all == 1)
{ {
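Review bot: When fw_config_init() returns 0, clean_exit() is invoked with FW_CLEANUP even though every backend shown in this commit assigns `opts->fw_config = &fwc` only on its success path, so fw_cleanup() would run with opts.fw_config still unset (presumably NULL) or, for the iptables backend, with a possibly partially populated chain table; confirm fw_cleanup() tolerates that, or pass the flag value that skips firewall cleanup here, since no rules have been created at this point. Also brace the single-statement body, `if(fw_config_init(&opts) != 1) { clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE); }`, to match the braced `if` that follows it. main() continues outside the hunk.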