[server] Added RULES_CHECK_THRESHOLD to define 'deep' rule expiration check frequency

The RULES_CHECK_THRESHOLD variable defines the number of times firewall rule
expiration times must be checked before a "deep" check is run. This allows
fwknopd to remove rules that contain a proper '_exp_<time>' even if a third party
program added them instead of fwknopd. The default value for this variable is 20,
and this typically results in this check being run every two seconds or so. To
disable this type of checking altogether, set this variable to zero.

doc/fwknopd.man.asciidoc

@@ -277,6 +277,14 @@ corresponding details.
     previously save digests. It is a good idea to leave this feature on
     to reduce the possibility of being vulnerable to a replay attack.
 
+*RULES_CHECK_THRESHOLD* '<count>'::
+    Defines the number of times firewall rule expiration times must be checked
+    before a "deep" check is run. This allows *fwknopd* to remove rules that
+    contain a proper '_exp_<time>' even if a third party program added them
+    instead of *fwknopd*. The default value for this variable is 20, and this
+    typically results in this check being run every two seconds or so. To
+    disable this type of checking altogether, set this variable to zero.
+
 *ENABLE_IPT_FORWARDING* '<Y/N>'::
     Allow SPA clients to request access to services through an iptables
     firewall instead of just to it (i.e. access through the FWKNOP_FORWARD

server/cmd_opts.h

@@ -52,6 +52,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "ENABLE_SPA_PACKET_AGING",
     "MAX_SPA_PACKET_AGE",
     "ENABLE_DIGEST_PERSISTENCE",
+    "RULES_CHECK_THRESHOLD",
     "CMD_EXEC_TIMEOUT",
     //"BLACKLIST",
     "ENABLE_SPA_OVER_HTTP",

server/config_init.c

@@ -149,6 +149,8 @@ validate_int_var_ranges(fko_srv_options_t *opts)
         1, RCHK_MAX_SPA_PACKET_AGE);
     range_check(opts, "MAX_SNIFF_BYTES", opts->config[CONF_MAX_SNIFF_BYTES],
         1, RCHK_MAX_SNIFF_BYTES);
+    range_check(opts, "RULES_CHECK_THRESHOLD", opts->config[CONF_RULES_CHECK_THRESHOLD],
+        0, RCHK_MAX_RULES_CHECK_THRESHOLD);
     range_check(opts, "TCPSERV_PORT", opts->config[CONF_TCPSERV_PORT],
         1, RCHK_MAX_TCPSERV_PORT);
     range_check(opts, "UDPSERV_PORT", opts->config[CONF_UDPSERV_PORT],
@@ -484,13 +486,20 @@ validate_options(fko_srv_options_t *opts)
         set_config_entry(opts, CONF_MAX_SPA_PACKET_AGE,
             DEF_MAX_SPA_PACKET_AGE);
 
-
     /* Enable digest persistence.
     */
     if(opts->config[CONF_ENABLE_DIGEST_PERSISTENCE] == NULL)
         set_config_entry(opts, CONF_ENABLE_DIGEST_PERSISTENCE,
             DEF_ENABLE_DIGEST_PERSISTENCE);
 
+    /* Set firewall rule "deep" collection interval - this allows
+     * fwknopd to remove rules with proper _exp_<time> expiration
+     * times even when added by a different program.
+    */
+    if(opts->config[CONF_RULES_CHECK_THRESHOLD] == NULL)
+        set_config_entry(opts, CONF_RULES_CHECK_THRESHOLD,
+            DEF_RULES_CHECK_THRESHOLD);
+
     /* Enable destination rule.
     */
     if(opts->config[CONF_ENABLE_DESTINATION_RULE] == NULL)

server/fwknopd_common.h

@@ -91,7 +91,7 @@
 #define DEF_ENABLE_SPA_PACKET_AGING     "Y"
 #define DEF_MAX_SPA_PACKET_AGE          "120"
 #define DEF_ENABLE_DIGEST_PERSISTENCE   "Y"
-#define DEF_RULES_CHECK_CTR             10
+#define DEF_RULES_CHECK_THRESHOLD       "20"
 #define DEF_MAX_SNIFF_BYTES             "1500"
 #define DEF_GPG_HOME_DIR                "/root/.gnupg"
 #ifdef  GPG_EXE
@@ -130,6 +130,7 @@
 #define RCHK_MAX_UDPSERV_SELECT_TIMEOUT (2 << 22)
 #define RCHK_MAX_PCAP_DISPATCH_COUNT    (2 << 22)
 #define RCHK_MAX_FW_TIMEOUT             (2 << 22)
+#define RCHK_MAX_RULES_CHECK_THRESHOLD  ((2 << 16) - 1)
 
 /* FirewallD-specific defines
 */
@@ -236,6 +237,7 @@ enum {
     CONF_ENABLE_SPA_PACKET_AGING,
     CONF_MAX_SPA_PACKET_AGE,
     CONF_ENABLE_DIGEST_PERSISTENCE,
+    CONF_RULES_CHECK_THRESHOLD,
     CONF_CMD_EXEC_TIMEOUT,
     //CONF_BLACKLIST,
     CONF_ENABLE_SPA_OVER_HTTP,

server/pcap_capture.c

@@ -65,6 +65,7 @@ pcap_capture(fko_srv_options_t *opts)
     int                 pcap_file_mode = 0;
     int                 status;
     int                 useconds;
+    int                 rules_chk_threshold;
     int                 pcap_dispatch_count;
     int                 max_sniff_bytes;
     int                 is_err;
@@ -79,7 +80,7 @@ pcap_capture(fko_srv_options_t *opts)
             0, RCHK_MAX_PCAP_LOOP_SLEEP, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
-        log_msg(LOG_ERR, "[*] invalid PCAP_LOOP_SLEEP_value");
+        log_msg(LOG_ERR, "[*] invalid PCAP_LOOP_SLEEP value");
         clean_exit(opts, FW_CLEANUP, EXIT_FAILURE);
     }
 
@@ -91,6 +92,14 @@ pcap_capture(fko_srv_options_t *opts)
         clean_exit(opts, FW_CLEANUP, EXIT_FAILURE);
     }
 
+    rules_chk_threshold = strtol_wrapper(opts->config[CONF_RULES_CHECK_THRESHOLD],
+            0, RCHK_MAX_RULES_CHECK_THRESHOLD, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        log_msg(LOG_ERR, "[*] invalid RULES_CHECK_THRESHOLD");
+        clean_exit(opts, FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* Set promiscuous mode if ENABLE_PCAP_PROMISC is set to 'Y'.
     */
     if(strncasecmp(opts->config[CONF_ENABLE_PCAP_PROMISC], "Y", 1) == 0)
@@ -325,11 +334,14 @@ pcap_capture(fko_srv_options_t *opts)
         */
         if(!opts->test)
         {
-            opts->check_rules_ctr++;
-            if(opts->check_rules_ctr % DEF_RULES_CHECK_CTR == 0)
+            if(rules_chk_threshold > 0)
             {
-                chk_rm_all = 1;
-                opts->check_rules_ctr = 0;
+                opts->check_rules_ctr++;
+                if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+                {
+                    chk_rm_all = 1;
+                    opts->check_rules_ctr = 0;
+                }
             }
             check_firewall_rules(opts, chk_rm_all);
             chk_rm_all = 0;

server/udp_server.c

@@ -54,6 +54,7 @@ run_udp_server(fko_srv_options_t *opts)
 {
     int                 s_sock, sfd_flags, selval, pkt_len;
     int                 is_err, s_timeout, rv=1, chk_rm_all=0;
+    int                 rules_chk_threshold;
     fd_set              sfd_set;
     struct sockaddr_in  saddr, caddr;
     struct timeval      tv;
@@ -76,6 +77,13 @@ run_udp_server(fko_srv_options_t *opts)
         log_msg(LOG_ERR, "[*] Invalid max UDPSERV_SELECT_TIMEOUT value.");
         return -1;
     }
+    rules_chk_threshold = strtol_wrapper(opts->config[CONF_RULES_CHECK_THRESHOLD],
+            0, RCHK_MAX_RULES_CHECK_THRESHOLD, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        log_msg(LOG_ERR, "[*] invalid RULES_CHECK_THRESHOLD");
+        clean_exit(opts, FW_CLEANUP, EXIT_FAILURE);
+    }
 
     log_msg(LOG_INFO, "Kicking off UDP server to listen on port %i.", port);
 
@@ -149,11 +157,14 @@ run_udp_server(fko_srv_options_t *opts)
         */
         if(!opts->test)
         {
-            opts->check_rules_ctr++;
-            if(opts->check_rules_ctr % DEF_RULES_CHECK_CTR == 0)
+            if(rules_chk_threshold > 0)
             {
-                chk_rm_all = 1;
-                opts->check_rules_ctr = 0;
+                opts->check_rules_ctr++;
+                if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+                {
+                    chk_rm_all = 1;
+                    opts->check_rules_ctr = 0;
+                }
             }
             check_firewall_rules(opts, chk_rm_all);
             chk_rm_all = 0;