DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

updated PF anchor check to not rely on listing the PF policy

Browse Source
This commit is contained in:
Michael Rash 2012-05-28 14:19:52 -04:00
parent 5c26c0abaa
commit 8a73e6dee8
2 changed files with 7 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
server/fw_util_pf.c
View File

@ -91,17 +91,16 @@ static int
anchor_active(const fko_srv_options_t *opts) anchor_active(const fko_srv_options_t *opts)
{ {
int res = 0; int res = 0;
char *ndx = NULL;
char anchor_search_str[MAX_PF_ANCHOR_SEARCH_LEN] = {0}; char anchor_search_str[MAX_PF_ANCHOR_SEARCH_LEN] = {0};
/* Build our anchor search string /* Build our anchor search string
*/ */
snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s%s\" ", snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s\n",
"anchor \"", opts->fw_config->anchor); opts->fw_config->anchor);
zero_cmd_buffers(); zero_cmd_buffers();
snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_LIST_ALL_RULES_ARGS, snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_ANCHOR_CHECK_ARGS,
opts->fw_config->fw_command opts->fw_config->fw_command
); );
@ -113,23 +112,11 @@ anchor_active(const fko_srv_options_t *opts)
return 0; return 0;
} }
/* first check for the anchor at the very first rule position /* Check to see if the anchor exists and is linked into the main policy
*/ */
if (strncmp(cmd_out, anchor_search_str, strlen(anchor_search_str)) != 0)
{
anchor_search_str[0] = '\0';
/* look for the anchor in the middle of the rule set, but make sure if(strstr(cmd_out, anchor_search_str) == NULL)
* it appears only after a newline return 0;
*/
snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s%s\" ",
"\nanchor \"", opts->fw_config->anchor);
ndx = strstr(cmd_out, anchor_search_str);
if(ndx == NULL)
return 0;
}
return 1; return 1;
} }

2
server/fw_util_pf.h
View File

@ -40,7 +40,7 @@
#define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to any port %u keep state label " EXPIRE_COMMENT_PREFIX "%u" #define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to any port %u keep state label " EXPIRE_COMMENT_PREFIX "%u"
#define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -" #define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -"
#define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2>&1" #define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2>&1"
#define PF_LIST_ALL_RULES_ARGS "-s rules 2>&1" /* to check for fwknop anchor */ #define PF_ANCHOR_CHECK_ARGS "-s Anchor 2>&1" /* to check for fwknop anchor */
#define PF_DEL_ALL_ANCHOR_RULES "-a %s -F all 2>&1" #define PF_DEL_ALL_ANCHOR_RULES "-a %s -F all 2>&1"
#endif /* FW_UTIL_PF_H */ #endif /* FW_UTIL_PF_H */