[server] don't run firewall handling code for command-only modes

Michael Rash 2015-11-17 20:48:37 -08:00
parent 882624a2a0
commit cfa02859eb
6 changed files with 36 additions and 22 deletions


@ -1331,6 +1331,12 @@ acc_data_is_valid(fko_srv_options_t *opts,
}
}
/* For any non-command access stanza, we enable global firewall handling
*/
if(!acc->enable_cmd_exec && !acc->enable_cmd_sudo_exec &&
acc->cmd_cycle_open == NULL)
opts->enable_fw = 1;
return(1);
}
@ -1781,7 +1787,7 @@ parse_access_file(fko_srv_options_t *opts)
* a valid KEY defined (valid meaning it has a value that is not
* "__CHANGEME__".
*/
if (got_source == 0)
if(got_source == 0)
{
log_msg(LOG_ERR,
"[*] Could not find valid SOURCE stanza in access file: '%s'",
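Review bot: `opts->enable_fw = 1` in the acc_data_is_valid hunk is only ever raised, never cleared, and it is set from inside a predicate whose name promises no side effects; if the access file is re-parsed while the daemon runs (the reload path is not visible here), a configuration that drops its last non-command stanza keeps enable_fw at 1. Clearing the flag at the start of parse_access_file, `opts->enable_fw = 0;` before the stanza loop, or moving the assignment into the caller next to the validation call, makes the flag reflect the file actually in force. The start of acc_data_is_valid is outside the hunk; the second hunk in this section is a whitespace-only change.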


@ -203,7 +203,7 @@ main(int argc, char **argv)
/* Prepare the firewall - i.e. flush any old rules and (for iptables)
* create fwknop chains.
*/
if(!opts.test && (fw_initialize(&opts) != 1))
if(!opts.test && opts.enable_fw && (fw_initialize(&opts) != 1))
clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
/* If we are to acquire SPA data via a UDP socket, start it up here.
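Review bot: Gating fw_initialize on opts.enable_fw also skips the flush of old rules that the comment directly above describes, so a host whose previous fwknopd instance left rules or chains behind (a crash, or a switch from an access-mode stanza to a command-only one) now keeps them until removed by hand; if that is the intended trade-off the comment should say so, e.g. `/* Prepare the firewall (flush old rules, create chains). Skipped entirely when no access stanza needs firewall rules (opts.enable_fw == 0). */`. The same `!opts.test && opts.enable_fw` pair is repeated in clean_exit, pcap_capture and run_udp_server in this commit; a one-line `static inline int fw_active(const fko_srv_options_t *opts)` returning `!opts->test && opts->enable_fw` would keep the four guards from drifting. The body of main continues on both sides of the hunk.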


@ -625,9 +625,11 @@ typedef struct fko_srv_options
unsigned char afl_fuzzing; /* SPA pkts from stdin for AFL fuzzing */
unsigned char verbose; /* Verbose mode flag */
unsigned char enable_udp_server; /* Enable UDP server mode */
unsigned char enable_fw; /* Command modes by themselves don't
need firewall support. */
unsigned char firewd_disable_check_support; /* Don't use firewall-cmd ... -C */
unsigned char ipt_disable_check_support; /* Don't use iptables -C */
unsigned char ipt_disable_check_support; /* Don't use iptables -C */
/* Flag for permitting SPA packets regardless of directionality test
* w.r.t. the sniffing interface. This can sometimes be useful for SPA
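Review bot: The comment on the new `enable_fw` member says why command modes do not need it but not what sets it or what it gates, which is what a reader of the struct needs; something like `unsigned char enable_fw; /* Set during access-file parsing when at least one stanza is not command-only; gates fw_initialize, check_firewall_rules and fw_cleanup */` would do. The guards added elsewhere in this commit rely on the member starting at 0, which holds only if the whole fko_srv_options_t is zero-initialized where it is set up — worth confirming, since a stale non-zero value would silently re-enable firewall handling for a command-only configuration.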


@ -334,19 +334,22 @@ pcap_capture(fko_srv_options_t *opts)
if(!opts->test)
{
/* Check for any expired firewall rules and deal with them.
*/
if(rules_chk_threshold > 0)
if(opts->enable_fw)
{
opts->check_rules_ctr++;
if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
/* Check for any expired firewall rules and deal with them.
*/
if(rules_chk_threshold > 0)
{
chk_rm_all = 1;
opts->check_rules_ctr = 0;
opts->check_rules_ctr++;
if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
{
chk_rm_all = 1;
opts->check_rules_ctr = 0;
}
}
check_firewall_rules(opts, chk_rm_all);
chk_rm_all = 0;
}
check_firewall_rules(opts, chk_rm_all);
chk_rm_all = 0;
/* See if any CMD_CYCLE_CLOSE commands need to be executed.
*/
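Review bot: The expired-rule block wrapped in the new `if(opts->enable_fw)` here is duplicated line for line in run_udp_server (the matching hunk in this commit), from the `rules_chk_threshold > 0` check through `chk_rm_all = 0;`, so the two gates now have to be kept in step by hand. Extracting it into one helper in the firewall utility code, taking `opts`, the threshold and a pointer to `chk_rm_all`, would leave both loops with a single guarded call and give the enable_fw gate one home. The nesting also reaches four levels here; the helper removes two of them. pcap_capture continues on both sides of the hunk.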


@ -154,21 +154,24 @@ run_udp_server(fko_srv_options_t *opts)
break;
}
/* Check for any expired firewall rules and deal with them.
*/
if(!opts->test)
{
if(rules_chk_threshold > 0)
/* Check for any expired firewall rules and deal with them.
*/
if(opts->enable_fw)
{
opts->check_rules_ctr++;
if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
if(rules_chk_threshold > 0)
{
chk_rm_all = 1;
opts->check_rules_ctr = 0;
opts->check_rules_ctr++;
if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
{
chk_rm_all = 1;
opts->check_rules_ctr = 0;
}
}
check_firewall_rules(opts, chk_rm_all);
chk_rm_all = 0;
}
check_firewall_rules(opts, chk_rm_all);
chk_rm_all = 0;
/* See if any CMD_CYCLE_CLOSE commands need to be executed.
*/


@ -370,7 +370,7 @@ clean_exit(fko_srv_options_t *opts, unsigned int fw_cleanup_flag, unsigned int e
}
#endif
if(!opts->test && (fw_cleanup_flag == FW_CLEANUP))
if(!opts->test && opts->enable_fw && (fw_cleanup_flag == FW_CLEANUP))
fw_cleanup(opts);
#if USE_FILE_CACHE