More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@232 510a4753-2344-4c79-9c09-4d669213fbeb
2010-07-04 21:12:51 +00:00 · 2010-07-04 21:12:51 +00:00 · 8129f86ddd
commit 8129f86ddd
parent 5f1f0650ea
7 changed files with 44 additions and 111 deletions
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@ -65,6 +65,9 @@ COMMAND-LINE OPTIONS
    Kill the current *fwknopd* process.  This provides a quick and easy
    way to stop *fwknopd* without having to look in the process table.
 *-l, --locale*='<locale>':: 
   Set/override the system default locale setting.
 *-R, --Restart*::
    Restart the currently running *fwknopd* processes.  This option
    will preserve the command line options that were supplied to the
@ -110,24 +113,12 @@ This section list the more prominent configuration variables used by
 *fwknopd*.  It is not a complete list.  See the 'fwknopd.conf' file for
 the full list and corresponding details.
 *HOSTNAME* '<hostname>'::
    Force hostname to this value. If not set here, *fwknopd* will attempt
    to use 'gethostname()' to determine the local hostname and use that.
 *FIREWALL_TYPE*  '<iptables|ipfw>'::
    Define the firewall type.  The default is 'iptables' for Linux systems,
    but this can be set to 'ipfw' for BSD systems.  Also supported is
    'external_cmd' to allow *fwknopd* to invoke an external command instead
    of interfacing with the firewall at all.
 *AUTH_MODE* '<PCAP|FILE_PCAP|ULOG_PCAP>'::
    This defines the general strategy *fwknopd* uses to authenticate remote
    clients.  Possible values are 'PCAP' (authenticate via regular pcap;
    this is the default and puts the interface in promiscuous mode unless
    ``ENABLE_PCAP_PROMISC'' is turned off), 'FILE_PCAP' (authenticate via
    a pcap file that is built by a sniffer), 'ULOG_PCAP' (authenticate via
    the ulogd pcap writer). *Note:* Currently, only 'PCAP' is implemented.
 *PCAP_INTF* '<interface>'::
    Define the ethernet interface on which *fwknopd* will sniff packets.
    Note that this is only used if the ``AUTH_MODE'' keyword above is set
@ -228,9 +219,6 @@ the full list and corresponding details.
    that have no remaining dynamic rules associated with them will be
    removed.
 *PCAP_CMD_TIMEOUT* '<seconds>'::
    Define the timeout for running a command.
 *GPG_HOME_DIR* '<path>'::
    If GPG keys are used instead of a Rijndael symmetric key, this is
    the default GPG keys directory.  Note that each access block in
@ -239,16 +227,9 @@ the full list and corresponding details.
    the '$HOME/.gnupg' directory of the user running *fwknopd* (most
    likely root).
-*PCAP_PKT_FILE* '</path/to/sniff.pcap>'::
+*LOCALE* '<locale>':: 
-    This gets used if AUTH_MODE is set to "FILE_PCAP".  This file must
+    Set the locale (via the LC_ALL variable).  This can be set to override
-    be created by a sniffer process (or something like the ulogd pcap
+    the default system locale. 
    writer).
 *BLACKLIST* '<ipaddr/mask,...ipaddr,etc>'::
    Define a comma-separated set of IP addresses and/or networks that should
    be globally blacklisted.  That is, any SPA packet that is from a source
    IP (or has an internal --allow-ip) within a blacklisted network will be
    ignored.
 *ENABLE_SPA_OVER_HTTP* '<Y/N>'::
    Allow *fwknopd* to acquire SPA data from HTTP requests (generated with
@ -323,7 +304,7 @@ directive starts a new stanza.
 *FW_ACCESS_TIMEOUT*: '<seconds>'::
    Define the length of time access will be granted by *fwknopd* through the
    firewall after a valid knock sequence from a source IP address.  If
-    ``FW_ACCESS_TIMEOUT'' is not set then the default timeout of 60 seconds
+    ``FW_ACCESS_TIMEOUT'' is not set then the default timeout of 30 seconds
    will automatically be set.
 *ENABLE_CMD_EXEC*: '<Y/N>'::
--- a/server/access.conf
+++ b/server/access.conf
@ -15,7 +15,7 @@
 #
 #          For example, a SOURCE that is a specific IP address should come
 #          before a SOURCE that specifies multiple IP's or a Subnet.  The
-#          SOURCE: "ANY" should be the last one.
+#          SOURCE: "ANY" (if used) should be the last one.
 #
 #          At least one stanza MUST be defined.
 #
@ -65,7 +65,7 @@
 # firewall after a valid SPA packet is received from the source IP address
 # that matches this stanza's SOURCE.
 #
-# If  FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 60
+# If  FW_ACCESS_TIMEOUT is not set then the fwknopd default timeout of 30
 # seconds will automatically be set.
 #
@ -161,12 +161,14 @@
 SOURCE: ANY;
 KEY: __CHANGEME__;
 FW_ACCESS_TIMEOUT: 30;
-## If you want to use GnuPG keys (recommended) then define the following
+# If you want to use GnuPG keys (recommended) then define the following
-## variables
+# variables
 #
 #GPG_HOME_DIR:   /root/.gnupg;
 #GPG_DECRYPT_ID: ABCD1234;
 #GPG_DECRYPT_PW: __CHANGEME__;
 # If you want to require GPG signatures:
 #GPG_REQUIRE_SIG: N;
 #GPG_IGNORE_SIG_VERIFY_ERROR: N;
 #GPG_REMOTE_ID:  1234ABCD;
--- a/server/config_init.c
+++ b/server/config_init.c
@ -214,12 +214,6 @@ validate_options(fko_srv_options_t *opts)
 {
    char tmp_path[MAX_PATH_LEN];
    /* If a HOSTNAME was specified in the config file, set the opts->hostname
     * value to it.
    */
    if(opts->config[CONF_HOSTNAME] != NULL && opts->config[CONF_HOSTNAME][0] != '\0')
        strlcpy(opts->hostname, opts->config[CONF_HOSTNAME], MAX_HOSTNAME_LEN);
    /* If no conf dir is set in the config file, use the default.
    */
    if(opts->config[CONF_FWKNOP_CONF_DIR] == NULL)
@ -302,15 +296,6 @@ set_preconfig_entries(fko_srv_options_t *opts)
    /* First, set any default or otherwise static settings here.  Some may
     * end up being overwritten via config file or command-line.
    */
    /* Default Hostname (or unknown if gethostname cannot tell us).
    */
    if(gethostname(opts->hostname, MAX_HOSTNAME_LEN-1) < 0)
        strcpy(opts->hostname, "UNKNOWN");
    /* Set the conf hostname entry here in case it is not set in the conf
     * file.
    */
    set_config_entry(opts, CONF_HOSTNAME, opts->hostname);
    /* Setup the local executables based on build-time info.
    */
--- a/server/fw_util.c
+++ b/server/fw_util.c
@ -291,7 +291,7 @@ set_fw_chain_conf(int type, char *conf_str)
    /* Pull and set Target */
    strlcpy(chain->target, chain_fields[0], MAX_TARGET_NAME_LEN);
-    /* Pull and set Direction */
+    /* Pull and set Direction
    if(strcmp(chain_fields[1], FW_CHAIN_DIR_SRC_STR) == 0)
        chain->direction = FW_CHAIN_DIR_SRC;
    else if(strcmp(chain_fields[1], FW_CHAIN_DIR_DST_STR) == 0)
@ -300,21 +300,21 @@ set_fw_chain_conf(int type, char *conf_str)
        chain->direction = FW_CHAIN_DIR_BOTH;
    else
        chain->direction = FW_CHAIN_DIR_UNKNOWN;
-
+*/
    /* Pull and set Table */
-    strlcpy(chain->table, chain_fields[2], MAX_TABLE_NAME_LEN);
+    strlcpy(chain->table, chain_fields[1], MAX_TABLE_NAME_LEN);
    /* Pull and set From_chain */
-    strlcpy(chain->from_chain, chain_fields[3], MAX_CHAIN_NAME_LEN);
+    strlcpy(chain->from_chain, chain_fields[2], MAX_CHAIN_NAME_LEN);
    /* Pull and set Jump_rule_position */
-    chain->jump_rule_pos = atoi(chain_fields[4]);
+    chain->jump_rule_pos = atoi(chain_fields[3]);
    /* Pull and set To_chain */
-    strlcpy(chain->to_chain, chain_fields[5], MAX_CHAIN_NAME_LEN);
+    strlcpy(chain->to_chain, chain_fields[4], MAX_CHAIN_NAME_LEN);
    /* Pull and set Jump_rule_position */
-    chain->rule_pos = atoi(chain_fields[6]);
+    chain->rule_pos = atoi(chain_fields[5]);
 }
--- a/server/fwknopd.8
+++ b/server/fwknopd.8
@ -147,15 +147,6 @@ The access control directives are contained in the \fIaccess\&.conf\fR file\&. A
 .sp
 This section list the more prominent configuration variables used by \fBfwknopd\fR\&. It is not a complete list\&. See the \fIfwknopd\&.conf\fR file for the full list and corresponding details\&.
 .PP
 \fBHOSTNAME\fR \fI<hostname>\fR
 .RS 4
 Force hostname to this value\&. If not set here,
 \fBfwknopd\fR
 will attempt to use
 \fIgethostname()\fR
 to determine the local hostname and use that\&.
 .RE
 .PP
 \fBFIREWALL_TYPE\fR \fI<iptables|ipfw>\fR
 .RS 4
 Define the firewall type\&. The default is
@ -328,11 +319,6 @@ directory of the user running
 Set the locale (via the LC_ALL variable)\&. This can be set to override the default system locale\&.
 .RE
 .PP
 \fBBLACKLIST\fR \fI<ipaddr/mask,\&...ipaddr,etc>\fR
 .RS 4
 Define a comma\-separated set of IP addresses and/or networks that should be globally blacklisted\&. That is, any SPA packet that is from a source IP (or has an internal \-\-allow\-ip) within a blacklisted network will be ignored\&.
 .RE
 .PP
 \fBENABLE_SPA_OVER_HTTP\fR \fI<Y/N>\fR
 .RS 4
 Allow
@ -398,7 +384,7 @@ Define the key used for decrypting an incoming SPA packet that is using its buil
 .RS 4
 Define the length of time access will be granted by
 \fBfwknopd\fR
-through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 60 seconds will automatically be set\&.
+through the firewall after a valid knock sequence from a source IP address\&. If \(lqFW_ACCESS_TIMEOUT\(rq is not set then the default timeout of 30 seconds will automatically be set\&.
 .RE
 .PP
 \fBENABLE_CMD_EXEC\fR: \fI<Y/N>\fR
--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
@ -8,19 +8,21 @@
 # by fwknop is known as Single Packet Authorization (SPA).  More information
 # about SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html
 #
-# Note there are no access control directives in this file.  All access
+# There are no access control directives in this file.  All access
 # control directives are located in the file "/etc/fwknop/access.conf".
 # You will need to edit the access.conf file in order for fwknop to function
 # correctly.
 #
 # It is also important to note that there are some subtle (and some not
 # so subtle) differences between this configuration file, its parameters
 # and valid values and the configuration file used by the legacy Perl
 # version  of fwknopd.  Please pay careful attention to the format and
 # values used in this file if you are migrating from the legacy Perl 
 # version.
 #
 ##############################################################################
 #
 # Machine hostname. If not set, fwknopd will attempt to use gethostname()
 # to determine the local hostname and use that.
 #
 #HOSTNAME                    __CHANGEME__;
 # Define the firewall type.  The default is "iptables" for Linux systems,
 # but this can be set to "ipfw" for *BSD systems.  Also supported is
 # "external_cmd" to allow fwknop to invoke an external command instead of
@ -144,15 +146,6 @@ FLUSH_IPT_AT_EXIT           Y;
 #
 #GPG_HOME_DIR        /root/.gnupg;
 # Define a comma-separated set of IP addresses and/or networks that should
 # be globally blacklisted.  That is, any SPA packet that is from a source
 # IP (or has an internal --allow-ip) within a blacklisted network will be
 # ignored.
 #
 # NOTE: Not Implemented yet.
 #
 #BLACKLIST                   NONE;
 # Allow fwknopd to acquire SPA data from HTTP requests (generated with the
 # fwknop client in --HTTP mode).  Note that the PCAP_FILTER variable would
 # need to be updated when this is enabled to sniff traffic over TCP/80
@ -245,10 +238,6 @@ TCPSERV_PORT                62201;
 # "Target":
 #   Can be any legitimate iptables target, but should usually just be "DROP".
 #
 # "Direction":
 #   Can be "src", "dst", or "both", which correspond to the INPUT, OUTPUT,
 #   and FORWARD chains.
 #
 # "Table":
 #   Can be any iptables table, but the default is "filter".
 #
@ -265,25 +254,25 @@ TCPSERV_PORT                62201;
 # "Rule_position":
 #   Defines the position where rule are added within the To_chain.
 #
-IPT_INPUT_ACCESS        ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1;
+IPT_INPUT_ACCESS        ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1;
 # The IPT_OUTPUT_ACCESS variable is only used if ENABLE_IPT_OUTPUT is enabled
 #
-IPT_OUTPUT_ACCESS       ACCEPT, dst, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
+IPT_OUTPUT_ACCESS       ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1;
 # The IPT_FORWARD_ACCESS variable is only used if ENABLE_IPT_FORWARDING is
 # enabled.
 #
-IPT_FORWARD_ACCESS      ACCEPT, src, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
+IPT_FORWARD_ACCESS      ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1;
-IPT_DNAT_ACCESS         DNAT, src, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
+IPT_DNAT_ACCESS         DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1;
 # The IPT_SNAT_ACCESS variable is not used unless both ENABLE_IPT_SNAT and
 # ENABLE_IPT_FORWARDING are enabled.  Also, the external static IP must be
 # set with the SNAT_TRANSLATE_IP variable.  The default is to use the
 # IPT_MASQUERADE_ACCESS variable.
 #
-IPT_SNAT_ACCESS         SNAT, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
+IPT_SNAT_ACCESS         SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
-IPT_MASQUERADE_ACCESS   MASQUERADE, src, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
+IPT_MASQUERADE_ACCESS   MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
 # Directories - These will override compile-time defaults.
 #
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@ -65,7 +65,7 @@
 #define DEF_PID_FILENAME            MY_NAME".pid"
 #define DEF_DIGEST_CACHE_FILENAME   "digest.cache"
-#define DEF_FW_ACCESS_TIMEOUT   60
+#define DEF_FW_ACCESS_TIMEOUT   30
 #define DEF_INTERFACE           "eth0"
@ -115,9 +115,7 @@ enum {
 enum {
    CONF_CONFIG_FILE = 0,
    CONF_OVERRIDE_CONFIG,
    CONF_HOSTNAME,
    CONF_FIREWALL_TYPE,
    //CONF_AUTH_MODE,
    CONF_PCAP_INTF,
    CONF_ENABLE_PCAP_PROMISC,
    CONF_PCAP_FILTER,
@ -136,7 +134,6 @@ enum {
    //CONF_IPFW_SET_NUM,
    //CONF_IPFW_DYNAMIC_INTERVAL,
    //CONF_CMD_EXEC_TIMEOUT,
    //CONF_PCAP_PKT_FILE,
    //CONF_BLACKLIST,
    CONF_ENABLE_SPA_OVER_HTTP,
    CONF_ENABLE_TCP_SERVER,
@ -180,9 +177,7 @@ enum {
 static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
    "CONFIG_FILE",
    "OVERRIDE_CONFIG",
    "HOSTNAME",
    "FIREWALL_TYPE",
    //"AUTH_MODE",
    "PCAP_INTF",
    "ENABLE_PCAP_PROMISC",
    "PCAP_FILTER",
@ -201,7 +196,6 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
    //"IPFW_SET_NUM",
    //"IPFW_DYNAMIC_INTERVAL",
    //"CMD_EXEC_TIMEOUT",
    //"PCAP_PKT_FILE",
    //"BLACKLIST",
    "ENABLE_SPA_OVER_HTTP",
    "ENABLE_TCP_SERVER",
@ -293,9 +287,9 @@ typedef struct acc_stanza
 /* Firewall-related data and types. */
 /* --DSS XXX: These are arbitrary. We should determine appropriate values.
 */
-#define MAX_TABLE_NAME_LEN      16
+#define MAX_TABLE_NAME_LEN      64
-#define MAX_CHAIN_NAME_LEN      32
+#define MAX_CHAIN_NAME_LEN      64
-#define MAX_TARGET_NAME_LEN     32
+#define MAX_TARGET_NAME_LEN     64
 /* Fwknop custom chain types
 */
@ -309,25 +303,25 @@ enum {
    NUM_FWKNOP_ACCESS_TYPES  /* Leave this entry last */
 };
 /* Fwknop chain directions
 #define FW_CHAIN_DIR_SRC_STR    "src"
 #define FW_CHAIN_DIR_DST_STR    "dst"
 #define FW_CHAIN_DIR_BOTH_STR   "both"
 /* Fwknop chain directions
 */
 enum {
    FW_CHAIN_DIR_UNKNOWN,
    FW_CHAIN_DIR_SRC,
    FW_CHAIN_DIR_DST,
    FW_CHAIN_DIR_BOTH
 };
 */
 /* Structure to define an fwknop firewall chain configuration.
 */
 struct fw_chain {
    int     type;
    char    target[MAX_TARGET_NAME_LEN];
-    int     direction;
+    //int     direction;
    char    table[MAX_TABLE_NAME_LEN];
    char    from_chain[MAX_CHAIN_NAME_LEN];
    int     jump_rule_pos;
@ -339,7 +333,7 @@ struct fw_chain {
 /* Based on the fw_chain fields (not counting type)
 */
-#define FW_NUM_CHAIN_FIELDS 7
+#define FW_NUM_CHAIN_FIELDS 6
 struct fw_config {
    struct fw_chain chain[NUM_FWKNOP_ACCESS_TYPES];
@ -415,10 +409,6 @@ typedef struct fko_srv_options
    */
    struct fw_config *fw_config;
    /* Misc
    */
    char            hostname[MAX_HOSTNAME_LEN];
 } fko_srv_options_t;
 extern fko_srv_options_t options;