More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@232 510a4753-2344-4c79-9c09-4d669213fbeb

doc/fwknopd.man.asciidoc

@@ -65,6 +65,9 @@ COMMAND-LINE OPTIONS
     Kill the current *fwknopd* process.  This provides a quick and easy
     way to stop *fwknopd* without having to look in the process table.
 
+*-l, --locale*='<locale>':: 
+   Set/override the system default locale setting.
+
 *-R, --Restart*::
     Restart the currently running *fwknopd* processes.  This option
     will preserve the command line options that were supplied to the
@@ -110,24 +113,12 @@ This section list the more prominent configuration variables used by
 *fwknopd*.  It is not a complete list.  See the 'fwknopd.conf' file for
 the full list and corresponding details.
 
-*HOSTNAME* '<hostname>'::
-    Force hostname to this value. If not set here, *fwknopd* will attempt
-    to use 'gethostname()' to determine the local hostname and use that.
-
 *FIREWALL_TYPE*  '<iptables|ipfw>'::
     Define the firewall type.  The default is 'iptables' for Linux systems,
     but this can be set to 'ipfw' for BSD systems.  Also supported is
     'external_cmd' to allow *fwknopd* to invoke an external command instead
     of interfacing with the firewall at all.
 
-*AUTH_MODE* '<PCAP|FILE_PCAP|ULOG_PCAP>'::
-    This defines the general strategy *fwknopd* uses to authenticate remote
-    clients.  Possible values are 'PCAP' (authenticate via regular pcap;
-    this is the default and puts the interface in promiscuous mode unless
-    ``ENABLE_PCAP_PROMISC'' is turned off), 'FILE_PCAP' (authenticate via
-    a pcap file that is built by a sniffer), 'ULOG_PCAP' (authenticate via
-    the ulogd pcap writer). *Note:* Currently, only 'PCAP' is implemented.
-
 *PCAP_INTF* '<interface>'::
     Define the ethernet interface on which *fwknopd* will sniff packets.
     Note that this is only used if the ``AUTH_MODE'' keyword above is set
@@ -228,9 +219,6 @@ the full list and corresponding details.
     that have no remaining dynamic rules associated with them will be
     removed.
 
-*PCAP_CMD_TIMEOUT* '<seconds>'::
-    Define the timeout for running a command.
-
 *GPG_HOME_DIR* '<path>'::
     If GPG keys are used instead of a Rijndael symmetric key, this is
     the default GPG keys directory.  Note that each access block in
@@ -239,16 +227,9 @@ the full list and corresponding details.
     the '$HOME/.gnupg' directory of the user running *fwknopd* (most
     likely root).
 
-*PCAP_PKT_FILE* '</path/to/sniff.pcap>'::
-    This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
-    be created by a sniffer process (or something like the ulogd pcap
-    writer).
-
-*BLACKLIST* '<ipaddr/mask,...ipaddr,etc>'::
-    Define a comma-separated set of IP addresses and/or networks that should
-    be globally blacklisted.  That is, any SPA packet that is from a source
-    IP (or has an internal --allow-ip) within a blacklisted network will be
-    ignored.
+*LOCALE* '<locale>':: 
+    Set the locale (via the LC_ALL variable).  This can be set to override
+    the default system locale. 
 
 *ENABLE_SPA_OVER_HTTP* '<Y/N>'::
     Allow *fwknopd* to acquire SPA data from HTTP requests (generated with
@@ -323,7 +304,7 @@ directive starts a new stanza.
 *FW_ACCESS_TIMEOUT*: '<seconds>'::
     Define the length of time access will be granted by *fwknopd* through the
     firewall after a valid knock sequence from a source IP address.  If
-    ``FW_ACCESS_TIMEOUT'' is not set then the default timeout of 60 seconds
+    ``FW_ACCESS_TIMEOUT'' is not set then the default timeout of 30 seconds
     will automatically be set.
 
 *ENABLE_CMD_EXEC*: '<Y/N>'::

server/access.conf

@@ -15,7 +15,7 @@
 #
 #          For example, a SOURCE that is a specific IP address should come
 #          before a SOURCE that specifies multiple IP's or a Subnet.  The
-#          SOURCE: "ANY" should be the last one.
+#          SOURCE: "ANY" (if used) should be the last one.
 #
 #          At least one stanza MUST be defined.
 #
@@ -65,7 +65,7 @@
 # firewall after a valid SPA packet is received from the source IP address
 # that matches this stanza's SOURCE.
 #
-# If  FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 60
+# If  FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
 # seconds will automatically be set.
 #
 
@@ -161,12 +161,14 @@
 
 SOURCE: ANY;
 KEY: __CHANGEME__;
-FW_ACCESS_TIMEOUT: 30;
 
-## If you want to use GnuPG keys (recommended) then define the following
-## variables
+# If you want to use GnuPG keys (recommended) then define the following
+# variables
 #
 #GPG_HOME_DIR:   /root/.gnupg;
 #GPG_DECRYPT_ID: ABCD1234;
 #GPG_DECRYPT_PW: __CHANGEME__;
+# If you want to require GPG signatures:
+#GPG_REQUIRE_SIG: N;
+#GPG_IGNORE_SIG_VERIFY_ERROR: N;
 #GPG_REMOTE_ID:  1234ABCD;

server/config_init.c

@@ -214,12 +214,6 @@ validate_options(fko_srv_options_t *opts)
 {
     char tmp_path[MAX_PATH_LEN];
 
-    /* If a HOSTNAME was specified in the config file, set the opts->hostname
-     * value to it.
-    */
-    if(opts->config[CONF_HOSTNAME] != NULL && opts->config[CONF_HOSTNAME][0] != '\0')
-        strlcpy(opts->hostname, opts->config[CONF_HOSTNAME], MAX_HOSTNAME_LEN);
-
     /* If no conf dir is set in the config file, use the default.
     */
     if(opts->config[CONF_FWKNOP_CONF_DIR] == NULL)
@@ -302,15 +296,6 @@ set_preconfig_entries(fko_srv_options_t *opts)
     /* First, set any default or otherwise static settings here.  Some may
      * end up being overwritten via config file or command-line.
     */
-    /* Default Hostname (or unknown if gethostname cannot tell us).
-    */
-    if(gethostname(opts->hostname, MAX_HOSTNAME_LEN-1) < 0)
-        strcpy(opts->hostname, "UNKNOWN");
-
-    /* Set the conf hostname entry here in case it is not set in the conf
-     * file.
-    */
-    set_config_entry(opts, CONF_HOSTNAME, opts->hostname);
 
     /* Setup the local executables based on build-time info.
     */

server/fw_util.c

@@ -291,7 +291,7 @@ set_fw_chain_conf(int type, char *conf_str)
     /* Pull and set Target */
     strlcpy(chain->target, chain_fields[0], MAX_TARGET_NAME_LEN);
 
-    /* Pull and set Direction */
+    /* Pull and set Direction
     if(strcmp(chain_fields[1], FW_CHAIN_DIR_SRC_STR) == 0)
         chain->direction = FW_CHAIN_DIR_SRC;
     else if(strcmp(chain_fields[1], FW_CHAIN_DIR_DST_STR) == 0)
@@ -300,21 +300,21 @@ set_fw_chain_conf(int type, char *conf_str)
         chain->direction = FW_CHAIN_DIR_BOTH;
     else
         chain->direction = FW_CHAIN_DIR_UNKNOWN;
-
+*/
     /* Pull and set Table */
-    strlcpy(chain->table, chain_fields[2], MAX_TABLE_NAME_LEN);
+    strlcpy(chain->table, chain_fields[1], MAX_TABLE_NAME_LEN);
 
     /* Pull and set From_chain */
-    strlcpy(chain->from_chain, chain_fields[3], MAX_CHAIN_NAME_LEN);
+    strlcpy(chain->from_chain, chain_fields[2], MAX_CHAIN_NAME_LEN);
 
     /* Pull and set Jump_rule_position */
-    chain->jump_rule_pos = atoi(chain_fields[4]);
+    chain->jump_rule_pos = atoi(chain_fields[3]);
 
     /* Pull and set To_chain */
-    strlcpy(chain->to_chain, chain_fields[5], MAX_CHAIN_NAME_LEN);
+    strlcpy(chain->to_chain, chain_fields[4], MAX_CHAIN_NAME_LEN);
 
     /* Pull and set Jump_rule_position */
-    chain->rule_pos = atoi(chain_fields[6]);
+    chain->rule_pos = atoi(chain_fields[5]);
 
 }
 

server/fwknopd.8

@@ -147,15 +147,6 @@ The access control directives are contained in the \fIaccess\&.conf\fR file\&. A
 .sp
 This section list the more prominent configuration variables used by \fBfwknopd\fR\&. It is not a complete list\&. See the \fIfwknopd\&.conf\fR file for the full list and corresponding details\&.
 .PP
-\fBHOSTNAME\fR \fI<hostname>\fR
-.RS 4
-Force hostname to this value\&. If not set here,
-\fBfwknopd\fR
-will attempt to use
-\fIgethostname()\fR
-to determine the local hostname and use that\&.
-.RE
-.PP
 \fBFIREWALL_TYPE\fR \fI<iptables|ipfw>\fR
 .RS 4
 Define the firewall type\&. The default is
@@ -328,11 +319,6 @@ directory of the user running
 Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
 .RE
 .PP
-\fBBLACKLIST\fR \fI<ipaddr/mask,\&...ipaddr,etc>\fR
-.RS 4
-Define a comma\-separated set of IP addresses and/or networks that should be globally blacklisted\&. That is, any SPA packet that is from a source IP (or has an internal \-\-allow\-ip) within a blacklisted network will be ignored\&.
-.RE
-.PP
 \fBENABLE_SPA_OVER_HTTP\fR \fI<Y/N>\fR
 .RS 4
 Allow
@@ -398,7 +384,7 @@ Define the key used for decrypting an incoming SPA packet that is using its buil
 .RS 4
 Define the length of time access will be granted by
 \fBfwknopd\fR
-through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 60 seconds will automatically be set\&.
+through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 30 seconds will automatically be set\&.
 .RE
 .PP
 \fBENABLE_CMD_EXEC\fR: \fI<Y/N>\fR

server/fwknopd.conf

@@ -8,19 +8,21 @@
 # by fwknop is known as Single Packet Authorization (SPA).  More information
 # about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
 #
-# Note there are no access control directives in this file.  All access
+# There are no access control directives in this file.  All access
 # control directives are located in the file "/etc/fwknop/access.conf".
 # You will need to edit the access.conf file in order for fwknop to function
 # correctly.
 #
+# It is also important to note that there are some subtle (and some not
+# so subtle) differences between this configuration file, its parameters
+# and valid values and the configuration file used by the legacy Perl
+# version  of fwknopd.  Please pay careful attention to the format and
+# values used in this file if you are migrating from the legacy Perl 
+# version.
+#
 ##############################################################################
 #
 
-# Machine hostname. If not set, fwknopd will attempt to use gethostname()
-# to determine the local hostname and use that.
-#
-#HOSTNAME                    __CHANGEME__;
-
 # Define the firewall type.  The default is "iptables" for Linux systems,
 # but this can be set to "ipfw" for *BSD systems.  Also supported is
 # "external_cmd" to allow fwknop to invoke an external command instead of
@@ -144,15 +146,6 @@ FLUSH_IPT_AT_EXIT           Y;
 #
 #GPG_HOME_DIR        /root/.gnupg;
 
-# Define a comma-separated set of IP addresses and/or networks that should
-# be globally blacklisted.  That is, any SPA packet that is from a source
-# IP (or has an internal --allow-ip) within a blacklisted network will be
-# ignored.
-#
-# NOTE: Not Implemented yet.
-#
-#BLACKLIST                   NONE;
-
 # Allow fwknopd to acquire SPA data from HTTP requests (generated with the
 # fwknop client in --HTTP mode).  Note that the PCAP_FILTER variable would
 # need to be updated when this is enabled to sniff traffic over TCP/80
@@ -245,10 +238,6 @@ TCPSERV_PORT                62201;
 # "Target":
 #   Can be any legitimate iptables target, but should usually just be "DROP".
 #
-# "Direction":
-#   Can be "src", "dst", or "both", which correspond to the INPUT, OUTPUT,
-#   and FORWARD chains.
-#
 # "Table":
 #   Can be any iptables table, but the default is "filter".
 #
@@ -265,25 +254,25 @@ TCPSERV_PORT                62201;
 # "Rule_position":
 #   Defines the position where rule are added within the To_chain.
 #
-IPT_INPUT_ACCESS        ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;
 
 # The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
 #
-IPT_OUTPUT_ACCESS       ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
+IPT_OUTPUT_ACCESS       ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
 
 # The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
 # enabled.
 #
-IPT_FORWARD_ACCESS      ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
-IPT_DNAT_ACCESS         DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
+IPT_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
+IPT_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
 
 # The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
 # ENABLE_IPT_FORWARDING are enabled.  Also, the external static IP must be
 # set with the SNAT_TRANSLATE_IP variable.  The default is to use the
 # IPT_MASQUERADE_ACCESS variable.
 #
-IPT_SNAT_ACCESS         SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
-IPT_MASQUERADE_ACCESS   MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
+IPT_SNAT_ACCESS         SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
+IPT_MASQUERADE_ACCESS   MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
 
 # Directories - These will override compile-time defaults.
 #

server/fwknopd_common.h

@@ -65,7 +65,7 @@
 #define DEF_PID_FILENAME            MY_NAME".pid"
 #define DEF_DIGEST_CACHE_FILENAME   "digest.cache"
 
-#define DEF_FW_ACCESS_TIMEOUT   60
+#define DEF_FW_ACCESS_TIMEOUT   30
 
 #define DEF_INTERFACE           "eth0"
 
@@ -115,9 +115,7 @@ enum {
 enum {
     CONF_CONFIG_FILE = 0,
     CONF_OVERRIDE_CONFIG,
-    CONF_HOSTNAME,
     CONF_FIREWALL_TYPE,
-    //CONF_AUTH_MODE,
     CONF_PCAP_INTF,
     CONF_ENABLE_PCAP_PROMISC,
     CONF_PCAP_FILTER,
@@ -136,7 +134,6 @@ enum {
     //CONF_IPFW_SET_NUM,
     //CONF_IPFW_DYNAMIC_INTERVAL,
     //CONF_CMD_EXEC_TIMEOUT,
-    //CONF_PCAP_PKT_FILE,
     //CONF_BLACKLIST,
     CONF_ENABLE_SPA_OVER_HTTP,
     CONF_ENABLE_TCP_SERVER,
@@ -180,9 +177,7 @@ enum {
 static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "CONFIG_FILE",
     "OVERRIDE_CONFIG",
-    "HOSTNAME",
     "FIREWALL_TYPE",
-    //"AUTH_MODE",
     "PCAP_INTF",
     "ENABLE_PCAP_PROMISC",
     "PCAP_FILTER",
@@ -201,7 +196,6 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     //"IPFW_SET_NUM",
     //"IPFW_DYNAMIC_INTERVAL",
     //"CMD_EXEC_TIMEOUT",
-    //"PCAP_PKT_FILE",
     //"BLACKLIST",
     "ENABLE_SPA_OVER_HTTP",
     "ENABLE_TCP_SERVER",
@@ -293,9 +287,9 @@ typedef struct acc_stanza
 /* Firewall-related data and types. */
 /* --DSS XXX: These are arbitrary. We should determine appropriate values.
 */
-#define MAX_TABLE_NAME_LEN      16
-#define MAX_CHAIN_NAME_LEN      32
-#define MAX_TARGET_NAME_LEN     32
+#define MAX_TABLE_NAME_LEN      64
+#define MAX_CHAIN_NAME_LEN      64
+#define MAX_TARGET_NAME_LEN     64
 
 /* Fwknop custom chain types
 */
@@ -309,25 +303,25 @@ enum {
     NUM_FWKNOP_ACCESS_TYPES  /* Leave this entry last */
 };
 
+/* Fwknop chain directions
 #define FW_CHAIN_DIR_SRC_STR    "src"
 #define FW_CHAIN_DIR_DST_STR    "dst"
 #define FW_CHAIN_DIR_BOTH_STR   "both"
 
-/* Fwknop chain directions
-*/
 enum {
     FW_CHAIN_DIR_UNKNOWN,
     FW_CHAIN_DIR_SRC,
     FW_CHAIN_DIR_DST,
     FW_CHAIN_DIR_BOTH
 };
+*/
 
 /* Structure to define an fwknop firewall chain configuration.
 */
 struct fw_chain {
     int     type;
     char    target[MAX_TARGET_NAME_LEN];
-    int     direction;
+    //int     direction;
     char    table[MAX_TABLE_NAME_LEN];
     char    from_chain[MAX_CHAIN_NAME_LEN];
     int     jump_rule_pos;
@@ -339,7 +333,7 @@ struct fw_chain {
 
 /* Based on the fw_chain fields (not counting type)
 */
-#define FW_NUM_CHAIN_FIELDS 7
+#define FW_NUM_CHAIN_FIELDS 6
 
 struct fw_config {
     struct fw_chain chain[NUM_FWKNOP_ACCESS_TYPES];
@@ -415,10 +409,6 @@ typedef struct fko_srv_options
     */
     struct fw_config *fw_config;
 
-    /* Misc
-    */
-    char            hostname[MAX_HOSTNAME_LEN];
-
 } fko_srv_options_t;
 
 extern fko_srv_options_t options;