DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

[server] bug fix to honor client timeout SPA messages in --nat-local mode, fixes #173

Browse Source
This commit is contained in:
Michael Rash 2015-12-04 19:36:51 -08:00
parent d4ca18dae6
commit 988075b52b
7 changed files with 109 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/fko_nat_access.c
View File

@ -93,7 +93,8 @@ fko_set_spa_nat_access(fko_ctx_t ctx, const char * const msg)
ctx->message_type = FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG;
}
else
if(ctx->message_type != FKO_LOCAL_NAT_ACCESS_MSG)
if(ctx->message_type != FKO_LOCAL_NAT_ACCESS_MSG
&& ctx->message_type != FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
ctx->message_type = FKO_NAT_ACCESS_MSG;
return(FKO_SUCCESS);

18
server/fw_util_firewalld.c
View File

@ -872,6 +872,8 @@ set_fw_chain_conf(const int type, const char * const conf_str)
int
fw_config_init(fko_srv_options_t * const opts)
{
int enabled_local_nat = 0;
memset(&fwc, 0x0, sizeof(struct fw_config));
/* Set our firewall exe command path (firewall-cmd or iptables in most cases).
@ -902,6 +904,14 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(FIREWD_OUTPUT_ACCESS, opts->config[CONF_FIREWD_OUTPUT_ACCESS]) != 1)
return 0;
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]))
enabled_local_nat = 1;
else
return 0;
}
/* The remaining access chains require ENABLE_FIREWD_FORWARDING = Y
*/
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)==0)
@ -909,8 +919,9 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(FIREWD_FORWARD_ACCESS, opts->config[CONF_FIREWD_FORWARD_ACCESS]) != 1)
return 0;
if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]) != 1)
return 0;
if (! enabled_local_nat)
if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]) != 1)
return 0;
/* Requires ENABLE_FIREWD_SNAT = Y
*/
@ -1399,7 +1410,8 @@ process_spa_request(const fko_srv_options_t * const opts,
}
}
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
{
firewd_rule(opts, NULL, FIREWD_RULE_ARGS, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : FIREWD_ANY_IP),

18
server/fw_util_iptables.c
View File

@ -864,6 +864,8 @@ set_fw_chain_conf(const int type, const char * const conf_str)
int
fw_config_init(fko_srv_options_t * const opts)
{
int enabled_local_nat = 0;
memset(&fwc, 0x0, sizeof(struct fw_config));
/* Set our firewall exe command path (iptables in most cases).
@ -887,6 +889,14 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
return 0;
if(strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)==0)
{
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]))
enabled_local_nat = 1;
else
return 0;
}
/* The remaining access chains require ENABLE_IPT_FORWARDING = Y
*/
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
@ -894,8 +904,9 @@ fw_config_init(fko_srv_options_t * const opts)
if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
return 0;
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
return 0;
if(! enabled_local_nat)
if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
return 0;
/* Requires ENABLE_IPT_SNAT = Y
*/
@ -1385,7 +1396,8 @@ process_spa_request(const fko_srv_options_t * const opts,
}
}
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
{
ipt_rule(opts, NULL, IPT_RULE_ARGS, spadat->use_src_ip,
(fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP),

51
server/incoming_spa.c
View File

@ -794,37 +794,52 @@ static int
check_nat_access_types(fko_srv_options_t *opts, acc_stanza_t *acc,
spa_data_t *spadat, const int stanza_num)
{
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_NAT_ACCESS_MSG
int unsupported=0, not_enabled=0;
if(spadat->message_type == FKO_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG)
{
#if FIREWALL_FIREWALLD
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)!=0)
{
log_msg(LOG_WARNING,
"(stanza #%d) SPA packet from %s requested NAT access, but is not enabled",
stanza_num, spadat->pkt_source_ip
);
return 0;
}
not_enabled = 1;
#elif FIREWALL_IPTABLES
if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)!=0)
{
log_msg(LOG_WARNING,
"(stanza #%d) SPA packet from %s requested NAT access, but is not enabled",
stanza_num, spadat->pkt_source_ip
);
return 0;
}
not_enabled = 1;
#else
unsupported = 1;
#endif
}
else if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
{
#if FIREWALL_FIREWALLD
if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)!=0)
not_enabled = 1;
#elif FIREWALL_IPTABLES
if(strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)!=0)
not_enabled = 1;
#else
unsupported = 1;
#endif
}
if(not_enabled)
{
log_msg(LOG_WARNING,
"(stanza #%d) SPA packet from %s requested NAT access, but is not enabled",
stanza_num, spadat->pkt_source_ip
);
return 0;
}
else if(unsupported)
{
log_msg(LOG_WARNING,
"(stanza #%d) SPA packet from %s requested unsupported NAT access",
stanza_num, spadat->pkt_source_ip
);
return 0;
#endif
}
return 1;
}

1
test/conf/firewd_local_nat_fwknopd.conf
View File

@ -1,2 +1 @@
ENABLE_FIREWD_FORWARDING Y;
ENABLE_FIREWD_LOCAL_NAT Y;

1
test/conf/ipt_local_nat_fwknopd.conf
View File

@ -1,2 +1 @@
ENABLE_IPT_FORWARDING Y;
ENABLE_IPT_LOCAL_NAT Y;

47
test/tests/rijndael_hmac.pl
View File

@ -1926,13 +1926,52 @@
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_local_nat"} -a $cf{'hmac_access'} / .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr|\s\*\/\sto\:$loopback_ip\:22|i,
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/],
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/,
qr/local NAT rule to FWKNOP_INPUT/],
'server_negative_output_matches' => [qr/\*\/\sto\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'server_conf' => $cf{"${fw_conf_prefix}_local_nat"},
'key_file' => $cf{'rc_hmac_b64_key'},
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'client+server',
'detail' => "local (non-force) NAT -f 2 timeout",
'function' => \&spa_cycle,
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-local --nat-port 80 -f 2",
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_local_nat"} -a $cf{'hmac_access'} / .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr|\s\*\/\sto\:$loopback_ip\:22|i,
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/,
qr/local NAT rule to FWKNOP_INPUT/],
'server_negative_output_matches' => [qr/\*\/\sto\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'server_conf' => $cf{"${fw_conf_prefix}_local_nat"},
'key_file' => $cf{'rc_hmac_b64_key'},
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'client+server',
'detail' => "local (non-force) NAT -f 0 timeout",
'function' => \&spa_cycle,
'cmdline' => "$fwknopCmd -A tcp/22 -a $fake_ip -D $loopback_ip --rc-file " .
"$cf{'rc_hmac_b64_key'} $verbose_str --nat-local --nat-port 80 -f 0",
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_local_nat"} -a $cf{'hmac_access'} / .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr|\s\*\/\sto\:$loopback_ip\:22|i,
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/,
qr/local NAT rule to FWKNOP_INPUT/],
'server_negative_output_matches' => [qr/\*\/\sto\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
'server_conf' => $cf{"${fw_conf_prefix}_local_nat"},
'key_file' => $cf{'rc_hmac_b64_key'},
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'client+server',
@ -1943,7 +1982,8 @@
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_local_nat"} -a $cf{'hmac_access'} / .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr|\s\*\/\sto\:$loopback_ip\:22|i,
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/],
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/,
qr/local NAT rule to FWKNOP_INPUT/],
'server_negative_output_matches' => [qr/\*\/\sto\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,
@ -1962,7 +2002,8 @@
'fwknopd_cmdline' => qq/$fwknopdCmd -c $cf{"${fw_conf_prefix}_local_nat"} -a $cf{'hmac_access'} / .
"-d $default_digest_file -p $default_pid_file $intf_str",
'server_positive_output_matches' => [qr|\s\*\/\sto\:$loopback_ip\:22|i,
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/],
qr/ACCEPT\s{2}.*\s0\.0\.0\.0\/0\s+tcp\sdpt\:22\s/,
qr/local NAT rule to FWKNOP_INPUT/],
'server_negative_output_matches' => [qr/\*\/\sto\:$internal_nat_host\:22/i],
'fw_rule_created' => $NEW_RULE_REQUIRED,
'fw_rule_removed' => $NEW_RULE_REMOVED,