From cfa02859ebb9ded3ad60cae952469653256729c2 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Tue, 17 Nov 2015 20:48:37 -0800
Subject: [PATCH] [server] don't run firewall handling code for command-only modes
---
 server/access.c | 8 +++++++-
 server/fwknopd.c | 2 +-
 server/fwknopd_common.h | 4 +++-
 server/pcap_capture.c | 21 ++++++++++++---------
 server/udp_server.c | 21 ++++++++++++---------
 server/utils.c | 2 +-
 6 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/server/access.c b/server/access.c
index e8f37cb2..075ee069 100644
--- a/server/access.c
+++ b/server/access.c
@@ -1331,6 +1331,12 @@ acc_data_is_valid(fko_srv_options_t *opts,
 }
 }
+ /* For any non-command access stanza, we enable global firewall handling
+ */
+ if(!acc->enable_cmd_exec && !acc->enable_cmd_sudo_exec && acc->cmd_cycle_open == NULL)
+ opts->enable_fw = 1;
+
 return(1);
 }
@@ -1781,7 +1787,7 @@ parse_access_file(fko_srv_options_t *opts)
 * a valid KEY defined (valid meaning it has a value that is not
 * "__CHANGEME__".
 */
- if (got_source == 0)
+ if(got_source == 0)
 {
 log_msg(LOG_ERR,
 "[*] Could not find valid SOURCE stanza in access file: '%s'",
diff --git a/server/fwknopd.c b/server/fwknopd.c
index e2db810c..b5bc2115 100644
--- a/server/fwknopd.c
+++ b/server/fwknopd.c
@@ -203,7 +203,7 @@ main(int argc, char **argv)
 /* Prepare the firewall - i.e. flush any old rules and (for iptables)
 * create fwknop chains.
 */
- if(!opts.test && (fw_initialize(&opts) != 1))
+ if(!opts.test && opts.enable_fw && (fw_initialize(&opts) != 1))
 clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
 /* If we are to acquire SPA data via a UDP socket, start it up here.
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index d5929bdf..1e4e2052 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
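Review bot: The new stanza test treats `enable_cmd_exec`/`enable_cmd_sudo_exec` as making a stanza command-only, so a configuration whose stanzas all set one of those flags never sets `opts->enable_fw` and fw_initialize() is skipped at fwknopd.c:203; if the SPA processing path still honours port-access requests for such a stanza (the flag permitting commands without excluding access), those requests would be handled against chains that were never created. If that is possible, the condition should key on whether the stanza can grant port access rather than on whether it permits commands; if command stanzas are exclusive, a comment next to the test such as `/* cmd-exec stanzas never grant port access, so only the remaining kinds need the firewall */` would make that invariant explicit. The flag is also only ever set, never cleared, so if the access file is re-parsed at runtime after chains were created and the new file is command-only, the rule-expiry loop and fw_cleanup() stay disabled while rules may still exist; worth confirming that the reload path cleans up before re-parsing. acc_data_is_valid() starts outside the hunk.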
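Review bot: The predicate `!opts.test && opts.enable_fw` now gates fw_initialize() here and, in the same form, fw_cleanup() in the utils.c hunk and the rule-expiry blocks in the pcap_capture.c and udp_server.c hunks, so the "is firewall handling active" policy lives in four places that must be kept in step by hand. One helper declared once, e.g. `static inline int fw_is_active(const fko_srv_options_t *opts) { return !opts->test && opts->enable_fw; }`, used at all four sites would keep that decision in a single place. main() starts outside the hunk.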
@@ -625,9 +625,11 @@ typedef struct fko_srv_options
 unsigned char afl_fuzzing; /* SPA pkts from stdin for AFL fuzzing */
 unsigned char verbose; /* Verbose mode flag */
 unsigned char enable_udp_server; /* Enable UDP server mode */
+ unsigned char enable_fw; /* Command modes by themselves don't
+ need firewall support. */
 unsigned char firewd_disable_check_support; /* Don't use firewall-cmd ... -C */
- unsigned char ipt_disable_check_support; /* Don't use iptables -C */
+ unsigned char ipt_disable_check_support; /* Don't use iptables -C */
 /* Flag for permitting SPA packets regardless of directionality test
 * w.r.t. the sniffing interface. This can sometimes be useful for SPA
diff --git a/server/pcap_capture.c b/server/pcap_capture.c
index 49b4db8e..6911ba26 100644
--- a/server/pcap_capture.c
+++ b/server/pcap_capture.c
@@ -334,19 +334,22 @@ pcap_capture(fko_srv_options_t *opts)
 if(!opts->test)
 {
- /* Check for any expired firewall rules and deal with them.
- */
- if(rules_chk_threshold > 0)
+ if(opts->enable_fw)
 {
- opts->check_rules_ctr++;
- if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+ /* Check for any expired firewall rules and deal with them.
+ */
+ if(rules_chk_threshold > 0)
 {
- chk_rm_all = 1;
- opts->check_rules_ctr = 0;
+ opts->check_rules_ctr++;
+ if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+ {
+ chk_rm_all = 1;
+ opts->check_rules_ctr = 0;
+ }
 }
+ check_firewall_rules(opts, chk_rm_all);
+ chk_rm_all = 0;
 }
- check_firewall_rules(opts, chk_rm_all);
- chk_rm_all = 0;
 /* See if any CMD_CYCLE_CLOSE commands need to be executed.
 */
diff --git a/server/udp_server.c b/server/udp_server.c
index 933b250a..c5535a20 100644
--- a/server/udp_server.c
+++ b/server/udp_server.c
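Review bot: The comment on the new `enable_fw` field explains why command modes skip the firewall but not where the flag is set or what it switches off, so a reader of the struct cannot tell that it is derived from the access file rather than from a configuration directive. Suggest `/* Set while validating access stanzas (acc_data_is_valid()) when a stanza is not command-only; when 0, fw_initialize(), the periodic rule-expiry checks and fw_cleanup() are all skipped. Assumes the struct is zeroed before the access file is parsed. */` — the last clause is an assumption to confirm against the options initialization code. The enclosing struct definition starts and ends outside the hunk.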
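Review bot: The re-nested rule-expiry block is now duplicated line for line in the udp_server.c hunk that follows, so the counter/threshold arithmetic, the `check_firewall_rules()` call and the `chk_rm_all` reset have to be kept in sync across two files by hand. Moving the block into one shared helper (declared in a common header, since a file-local `static` cannot serve both loops) would remove the duplication; the re-added `if ((opts->check_rules_ctr % rules_chk_threshold) == 0)` also keeps the `if (` spacing that the access.c hunk in this same commit normalises to `if(`. The capture loop and the `chk_rm_all`/`rules_chk_threshold` declarations are outside the hunk, so their types and any other writers of `chk_rm_all` are inferred here and should be checked before making it local to the helper.
```c
/* Run the periodic expired-rule check when firewall handling is active.
 * Both the pcap and UDP server loops call this once per iteration.
 * NOTE(review): assumes chk_rm_all is only ever set by the threshold
 * branch below — confirm against the full loop bodies.
 */
void
fw_expire_check(fko_srv_options_t *opts, int rules_chk_threshold)
{
    int chk_rm_all = 0;

    if(opts->test || !opts->enable_fw)
        return;

    if(rules_chk_threshold > 0)
    {
        opts->check_rules_ctr++;
        if((opts->check_rules_ctr % rules_chk_threshold) == 0)
        {
            chk_rm_all = 1;
            opts->check_rules_ctr = 0;
        }
    }
    check_firewall_rules(opts, chk_rm_all);
}

/* … call site in pcap_capture(), replacing the enable_fw block … */
    if(!opts->test)
    {
        fw_expire_check(opts, rules_chk_threshold);

        /* … unchanged: CMD_CYCLE_CLOSE handling … */
```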
@@ -154,21 +154,24 @@ run_udp_server(fko_srv_options_t *opts)
 break;
 }
- /* Check for any expired firewall rules and deal with them.
- */
 if(!opts->test)
 {
- if(rules_chk_threshold > 0)
+ /* Check for any expired firewall rules and deal with them.
+ */
+ if(opts->enable_fw)
 {
- opts->check_rules_ctr++;
- if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+ if(rules_chk_threshold > 0)
 {
- chk_rm_all = 1;
- opts->check_rules_ctr = 0;
+ opts->check_rules_ctr++;
+ if ((opts->check_rules_ctr % rules_chk_threshold) == 0)
+ {
+ chk_rm_all = 1;
+ opts->check_rules_ctr = 0;
+ }
 }
+ check_firewall_rules(opts, chk_rm_all);
+ chk_rm_all = 0;
 }
- check_firewall_rules(opts, chk_rm_all);
- chk_rm_all = 0;
 /* See if any CMD_CYCLE_CLOSE commands need to be executed.
 */
diff --git a/server/utils.c b/server/utils.c
index b71f794d..38a8a800 100644
--- a/server/utils.c
+++ b/server/utils.c
@@ -370,7 +370,7 @@ clean_exit(fko_srv_options_t *opts, unsigned int fw_cleanup_flag, unsigned int e
 }
 #endif
- if(!opts->test && (fw_cleanup_flag == FW_CLEANUP))
+ if(!opts->test && opts->enable_fw && (fw_cleanup_flag == FW_CLEANUP))
 fw_cleanup(opts);
 #if USE_FILE_CACHE
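Review bot: With `opts->enable_fw` added to the condition, any clean_exit(..., FW_CLEANUP, ...) reached before the access file has been validated (option or config errors, a failed parse) now skips fw_cleanup() where it previously ran; that is consistent with fw_initialize() being skipped, but it also means a daemon that fails early no longer flushes chains left behind by an earlier instance, if anything relied on that. A sentence in the commit message or a comment at this line such as `/* enable_fw stays 0 until the access file is parsed, so early exits do no firewall cleanup */` would record the intent. clean_exit() starts outside the hunk.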