diff --git a/server/fw_util.h b/server/fw_util.h
index 2695d161..bc360fe7 100644
--- a/server/fw_util.h
+++ b/server/fw_util.h
@@ -36,6 +36,8 @@
 #define STANDARD_CMD_OUT_BUFSIZE 4096
+#define EXPIRE_COMMENT_PREFIX "_exp_"
+
 #if FIREWALL_IPTABLES
 #include "fw_util_iptables.h"
 #elif FIREWALL_IPFW
diff --git a/server/fw_util_ipfw.c b/server/fw_util_ipfw.c
index 7bab6d9c..5434a9ed 100644
--- a/server/fw_util_ipfw.c
+++ b/server/fw_util_ipfw.c
@@ -525,7 +525,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 /* Find the first _exp_ string (if any). */
- ndx = strstr(cmd_out, "_exp_");
+ ndx = strstr(cmd_out, EXPIRE_COMMENT_PREFIX);
 if(ndx == NULL)
 {
@@ -543,7 +543,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 while (ndx != NULL)
 {
 /* Jump forward and extract the timestamp */
- ndx +=5;
+ ndx += strlen(EXPIRE_COMMENT_PREFIX);
 /* remember this spot for when we look for the next
 * rule.
@@ -634,7 +634,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 /* Push our tracking index forward beyond (just processed) _exp_
 * string so we can continue to the next rule in the list. */
- ndx = strstr(tmp_mark, "_exp_");
+ ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
 }
 /* Set the next pending expire time accordingly. 0 if there are no
diff --git a/server/fw_util_ipfw.h b/server/fw_util_ipfw.h
index c6ec0b42..247317bc 100644
--- a/server/fw_util_ipfw.h
+++ b/server/fw_util_ipfw.h
@@ -40,7 +40,7 @@ enum {
 /* ipfw command args */
-#define IPFW_ADD_RULE_ARGS "add %u set %u pass %u from %s to me dst-port %u setup keep-state // _exp_%u"
+#define IPFW_ADD_RULE_ARGS "add %u set %u pass %u from %s to me dst-port %u setup keep-state // " EXPIRE_COMMENT_PREFIX "%u"
 #define IPFW_ADD_CHECK_STATE_ARGS "add %u set %u check-state"
 #define IPFW_MOVE_RULE_ARGS "set move rule %u to %u"
 #define IPFW_MOVE_SET_ARGS "set move %u to %u"
diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c
index 79bd174c..91a791c0 100644
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
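Review bot: EXPIRE_COMMENT_PREFIX is added above the `#if FIREWALL_IPTABLES` include block because fw_util_iptables.h, fw_util_ipfw.h and fw_util_pf.h splice it into their rule-argument format strings by literal concatenation, but nothing in fw_util.h says so, and moving the define below the includes would break those headers. A comment on the new line would pin that down, e.g. `/* Marker placed before the expiry timestamp in rule comments/labels. Must be defined before the per-firewall headers below, which splice it into their printf-style argument strings (so it must never contain '%'), and it is the exact string check_firewall_rules() searches for when reading rules back. */`. The same value is now the parsing contract between rule creation and rule expiry across the three .h hunks and the three check_firewall_rules() hunks, which is the benefit of the commit; the comment makes that contract visible to whoever next edits it.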
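Review bot: The comments beside the changed `strstr` calls in fw_util_ipfw.c still name the literal `_exp_` (`/* Find the first _exp_ string (if any). */` in the -525 hunk and `/* Push our tracking index forward beyond (just processed) _exp_ ...` in the -634 hunk), so they will drift as soon as EXPIRE_COMMENT_PREFIX changes; reword them to the macro, e.g. `/* Find the first EXPIRE_COMMENT_PREFIX marker (if any). */`. The same stale comments remain in the corresponding hunks of fw_util_iptables.c and fw_util_pf.c. In the -543 hunk, `ndx += strlen(EXPIRE_COMMENT_PREFIX);` is evaluated on every loop iteration; `sizeof(EXPIRE_COMMENT_PREFIX) - 1` yields the same constant at compile time, though any current compiler folds strlen of a literal, so this is a style preference rather than a defect. check_firewall_rules() begins and ends outside these hunks, so how the timestamp following the marker is parsed is not visible here.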
@@ -798,7 +798,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 if(opts->verbose > 2) log_msg(LOG_INFO, "RES=%i, CMD_BUF: %s\nRULES LIST: %s", res, cmd_buf, cmd_out);
- ndx = strstr(cmd_out, "_exp_");
+ ndx = strstr(cmd_out, EXPIRE_COMMENT_PREFIX);
 if(ndx == NULL)
 {
 /* we did not find an expected rule.
@@ -815,7 +815,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 while (ndx != NULL)
 {
 /* Jump forward and extract the timestamp */
- ndx +=5;
+ ndx += strlen(EXPIRE_COMMENT_PREFIX);
 /* remember this spot for when we look for the next
 * rule.
@@ -901,7 +901,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 /* Push our tracking index forward beyond (just processed) _exp_
 * string so we can continue to the next rule in the list. */
- ndx = strstr(tmp_mark, "_exp_");
+ ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
 }
 /* Set the next pending expire time accordingly. 0 if there are no
diff --git a/server/fw_util_iptables.h b/server/fw_util_iptables.h
index fe2dfada..e4ab0a8e 100644
--- a/server/fw_util_iptables.h
+++ b/server/fw_util_iptables.h
@@ -35,11 +35,11 @@
 /* iptables command args */
-#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment _exp_%u -j %s 2>&1"
-#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment _exp_%u -j %s 2>&1"
-#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment _exp_%u -j %s 2>&1"
-#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment _exp_%u -j %s --to-destination %s:%i 2>&1"
-#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment _exp_%u -j %s %s 2>&1"
+#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
 #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
 #define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
 #define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c
index a04d2dec..c29f78f4 100644
--- a/server/fw_util_pf.c
+++ b/server/fw_util_pf.c
@@ -394,7 +394,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 /* Find the first _exp_ string (if any). */
- ndx = strstr(cmd_out, "_exp_");
+ ndx = strstr(cmd_out, EXPIRE_COMMENT_PREFIX);
 if(ndx == NULL)
 {
@@ -414,7 +414,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 {
 /* Jump forward and extract the timestamp */
- ndx +=5;
+ ndx += strlen(EXPIRE_COMMENT_PREFIX);
 /* remember this spot for when we look for the next
 * rule.
@@ -499,7 +499,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 /* Push our tracking index forward beyond (just processed) _exp_
 * string so we can continue to the next rule in the list. */
- ndx = strstr(tmp_mark, "_exp_");
+ ndx = strstr(tmp_mark, EXPIRE_COMMENT_PREFIX);
 }
diff --git a/server/fw_util_pf.h b/server/fw_util_pf.h
index 5e333f06..e63ce916 100644
--- a/server/fw_util_pf.h
+++ b/server/fw_util_pf.h
@@ -37,7 +37,7 @@
 /* pf command args */
-#define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to any port %u keep state label _exp_%u"
+#define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to any port %u keep state label " EXPIRE_COMMENT_PREFIX "%u"
 #define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -"
 #define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2>&1"
 #define PF_LIST_ALL_RULES_ARGS "-s rules 2>&1" /* to check for fwknop anchor */