[server] send IPT_*_ACCESS vars through basic validation at fwknopd.conf parse time

2013-08-05 00:00:45 -04:00 · 2013-08-05 00:00:45 -04:00 · 8c73c7801b
commit 8c73c7801b
parent 5fa93c621a
6 changed files with 88 additions and 10 deletions
--- a/server/config_init.c
+++ b/server/config_init.c
@ -462,36 +462,84 @@ validate_options(fko_srv_options_t *opts)
        set_config_entry(opts, CONF_IPT_INPUT_ACCESS,
            DEF_IPT_INPUT_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_INPUT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* IPT output access.
    */
    if(opts->config[CONF_IPT_OUTPUT_ACCESS] == NULL)
        set_config_entry(opts, CONF_IPT_OUTPUT_ACCESS,
            DEF_IPT_OUTPUT_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_OUTPUT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* IPT forward access.
    */
    if(opts->config[CONF_IPT_FORWARD_ACCESS] == NULL)
        set_config_entry(opts, CONF_IPT_FORWARD_ACCESS,
            DEF_IPT_FORWARD_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_FORWARD_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* IPT dnat access.
    */
    if(opts->config[CONF_IPT_DNAT_ACCESS] == NULL)
        set_config_entry(opts, CONF_IPT_DNAT_ACCESS,
            DEF_IPT_DNAT_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_DNAT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* IPT snat access.
    */
    if(opts->config[CONF_IPT_SNAT_ACCESS] == NULL)
        set_config_entry(opts, CONF_IPT_SNAT_ACCESS,
            DEF_IPT_SNAT_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_SNAT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* IPT masquerade access.
    */
    if(opts->config[CONF_IPT_MASQUERADE_ACCESS] == NULL)
        set_config_entry(opts, CONF_IPT_MASQUERADE_ACCESS,
            DEF_IPT_MASQUERADE_ACCESS);

+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_MASQUERADE_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
    /* Check for the iptables 'comment' match at init time
    */
    if(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK] == NULL)
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@ -728,18 +728,18 @@ set_fw_chain_conf(const int type, const char * const conf_str)
            else
                tbuf[i++] = *ndx;
        }
-        ndx++;
        if(*ndx != '\0'
                && *ndx != ' '
                && *ndx != ','
                && *ndx != '_'
                && isalnum(*ndx) == 0)
        {
-            log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+            log_msg(LOG_ERR, "[*] Custom chain config parse error: "
                "invalid character '%c' for chain type %i, "
                "line: %s", *ndx, type, conf_str);
            return 0;
        }
+        ndx++;
    }

    /* Sanity check - j should be the number of chain fields
@ -747,7 +747,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
    */
    if(j != FW_NUM_CHAIN_FIELDS)
    {
-        log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+        log_msg(LOG_ERR, "[*] Custom chain config parse error: "
            "wrong number of fields for chain type %i, "
            "line: %s", type, conf_str);
        return 0;
@ -1499,6 +1499,39 @@ check_firewall_rules(const fko_srv_options_t * const opts)
    }
 }

+int
+validate_ipt_chain_conf(const char * const chain_str)
+{
+    int         j, rv  = 1;
+    const char   *ndx  = chain_str;
+
+    j = 1;
+    while(*ndx != '\0')
+    {
+        if(*ndx == ',')
+            j++;
+
+        if(*ndx != '\0'
+                && *ndx != ' '
+                && *ndx != ','
+                && *ndx != '_'
+                && isalnum(*ndx) == 0)
+        {
+            rv = 0;
+            break;
+        }
+        ndx++;
+    }
+
+    /* Sanity check - j should be the number of chain fields
+     * (excluding the type).
+    */
+    if(j != FW_NUM_CHAIN_FIELDS)
+        rv = 0;
+
+    return rv;
+}
+
 #endif /* FIREWALL_IPTABLES */

 /***EOF***/
--- a/server/fw_util_iptables.h
+++ b/server/fw_util_iptables.h
@ -55,6 +55,8 @@
 #define IPT_LIST_RULES_ARGS     "-t %s -L %s --line-numbers -n 2>&1"
 #define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers 2>&1"

+int validate_ipt_chain_conf(const char * const chain_str);
+
 #endif /* FW_UTIL_IPTABLES_H */

 /***EOF***/
--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
@ -248,7 +248,7 @@
 # added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
 # The format for these variables is:
 #
-#   <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>,\
+#   <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
 #       <To_chain>,<Rule_position>.
 #
 # "Target":
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@ -552,7 +552,7 @@ my @tests = (

    {
        'category' => 'Look for crashes',
-        'detail'   => 'checking for segfault/core dump messages (1)',
+        'detail'   => 'checking for segfault/core dump messages (2)',
        'function' => \&look_for_crashes,
        'fatal'    => $NO
    }
--- a/test/tests/basic_operations.pl
+++ b/test/tests/basic_operations.pl
@ -706,7 +706,6 @@
            "$fwknopdCmd -c $cf{'invalid_ipt_input_chain'} -a $cf{'def_access'} " .
            "-d $default_digest_file -p $default_pid_file $intf_str",
        'function' => \&generic_exec,
-        'positive_output_matches' => [qr/wrong\snumber\sof\sfields/i],
        'exec_err' => $YES,
        'fatal'    => $NO
    },
@ -719,7 +718,6 @@
            "$fwknopdCmd -c $cf{'invalid_ipt_input_chain2'} -a $cf{'def_access'} " .
            "-d $default_digest_file -p $default_pid_file $intf_str",
        'function' => \&generic_exec,
-        'positive_output_matches' => [qr/load\starget.*AACCEPT/],
        'exec_err' => $YES,
        'fatal'    => $NO
    },
@ -732,7 +730,6 @@
            "$fwknopdCmd -c $cf{'invalid_ipt_input_chain3'} -a $cf{'def_access'} " .
            "-d $default_digest_file -p $default_pid_file $intf_str",
        'function' => \&generic_exec,
-        'positive_output_matches' => [qr/Table\sdoes\snot\sexist/],
        'exec_err' => $YES,
        'fatal'    => $NO
    },
@ -757,7 +754,6 @@
            "$fwknopdCmd -c $cf{'invalid_ipt_input_chain5'} -a $cf{'def_access'} " .
            "-d $default_digest_file -p $default_pid_file $intf_str",
        'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid\scharacter/],
        'exec_err' => $YES,
        'fatal'    => $NO
    },
@ -770,7 +766,6 @@
            "$fwknopdCmd -c $cf{'invalid_ipt_input_chain6'} -a $cf{'def_access'} " .
            "-d $default_digest_file -p $default_pid_file $intf_str",
        'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid\scharacter/],
        'exec_err' => $YES,
        'fatal'    => $NO
    },