Check for active_rules > 0 before decrementing

In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.
Michael Rash 2011-09-08 21:33:52 -04:00
parent 88b6d44f1f
commit c65e25c656
2 changed files with 30 additions and 18 deletions


@ -489,8 +489,6 @@ check_firewall_rules(fko_srv_options_t *opts)
time_t now, rule_exp, min_exp = 0;
unsigned short curr_rule;
time(&now);
/* Just in case we somehow lose track and fall out-of-whack.
*/
if(fwc.active_rules > fwc.max_rules)
@ -499,7 +497,12 @@ check_firewall_rules(fko_srv_options_t *opts)
/* If there are no active rules or we have not yet
* reached our expected next expire time, continue.
*/
if(fwc.active_rules == 0 || fwc.next_expire > now)
if(fwc.active_rules == 0)
return;
time(&now);
if (fwc.next_expire > now)
return;
zero_cmd_buffers();
@ -534,7 +537,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Did not find expire comment in rules list %i.\n", i);
fwc.active_rules--;
if (fwc.active_rules > 0)
fwc.active_rules--;
return;
}
@ -577,7 +582,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Rule parse error while finding rule line start.");
fwc.active_rules--;
if (fwc.active_rules > 0)
fwc.active_rules--;
break;
}
@ -591,7 +598,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Rule parse error while finding rule number.");
fwc.active_rules--;
if (fwc.active_rules > 0)
fwc.active_rules--;
break;
}
@ -617,7 +626,9 @@ check_firewall_rules(fko_srv_options_t *opts)
rule_num_str, rule_exp, fwc.expire_set_num
);
fwc.active_rules--;
if (fwc.active_rules > 0)
fwc.active_rules--;
fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
}
else
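Review bot: The new guard `if (fwc.active_rules > 0)` prevents the unsigned wrap, but it also hides the condition it protects against: reaching a decrement while the count is already 0 means the rule bookkeeping has drifted, and the existing drift check earlier in this function (`if(fwc.active_rules > fwc.max_rules)`) no longer notices, because the wrap that used to trip it never happens. Each of the five guarded sites in this file, and the four `ch[i].active_rules` sites in the second file, would be more useful with an else branch that records the drift, e.g. `else log_msg(LOG_ERR, "active_rules already 0 while processing rule %i; count is out of sync.", i);` (using `curr_rule` or the chain index where `i` is not the rule being processed — `i` appears in the adjacent log calls but its meaning differs per site). Since the same two lines are repeated at every site, a small static helper per file would keep the guard and the log in one place. check_firewall_rules starts and ends outside these hunks.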


@ -761,13 +761,6 @@ check_firewall_rules(fko_srv_options_t *opts)
*/
for(i = 0; i < NUM_FWKNOP_ACCESS_TYPES; i++)
{
/* Just in case we somehow lose track and fall out-of-whack,
* we be the hero and reset it to zero.
* (poet but don't know it :-o )
*/
if(ch[i].active_rules < 0)
ch[i].active_rules = 0;
/* If there are no active rules or we have not yet
* reached our expected next expire time, continue.
*/
@ -806,7 +799,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Did not find expire comment in rules list %i.\n", i);
ch[i].active_rules--;
if (ch[i].active_rules > 0)
ch[i].active_rules--;
continue;
}
@ -845,7 +840,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Rule parse error while finding rule line start in chain %i", i);
ch[i].active_rules--;
if (ch[i].active_rules > 0)
ch[i].active_rules--;
break;
}
rn_start++;
@ -859,7 +856,9 @@ check_firewall_rules(fko_srv_options_t *opts)
log_msg(LOG_ERR,
"Rule parse error while finding rule number in chain %i", i);
ch[i].active_rules--;
if (ch[i].active_rules > 0)
ch[i].active_rules--;
break;
}
@ -884,7 +883,9 @@ check_firewall_rules(fko_srv_options_t *opts)
);
rn_offset++;
ch[i].active_rules--;
if (ch[i].active_rules > 0)
ch[i].active_rules--;
}
else
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);