DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

[Server] slightly broadens FORWARD rule matching, disables rewriting sport for snat

Browse Source
This commit is contained in:
Jonathan Bennett 2016-05-29 14:13:53 -05:00
parent 246d8a1db7
commit d448004f38
4 changed files with 28 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
server/fw_util_firewalld.c
View File

@ -1279,9 +1279,9 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
acc->forward_all, nat_ip, nat_port);
memset(rule_buf, 0, CMD_BUFSIZE);
if(acc->forward_all)
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_ALL_RULE_ARGS,
fwd_chain->table,
@ -1300,8 +1300,16 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
{
/* Make the FORWARD access rule
*/
firewd_rule(opts, NULL, FIREWD_FWD_RULE_ARGS, spadat->use_src_ip,
nat_ip, fst_proto, nat_port, NULL, NAT_ANY_PORT,
snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_RULE_ARGS,
fwd_chain->table,
fst_proto,
spadat->use_src_ip,
nat_port,
exp_ts,
fwd_chain->target
);
firewd_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT,
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
}
return;
@ -1433,7 +1441,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", acc->force_snat_ip, fst_port);
"--to-source %s", acc->force_snat_ip);
}
else if(acc->force_snat && acc->force_masquerade)
{
@ -1448,8 +1456,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", opts->config[CONF_SNAT_TRANSLATE_IP],
fst_port);
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
}
else
{

2
server/fw_util_firewalld.h
View File

@ -46,7 +46,7 @@
#define FIREWD_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
#define FIREWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define FIREWD_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define FIREWD_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define FIREWD_FWD_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define FIREWD_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define FIREWD_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
#define FIREWD_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR

19
server/fw_util_iptables.c
View File

@ -1262,9 +1262,9 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
acc->forward_all, nat_ip, nat_port);
memset(rule_buf, 0, CMD_BUFSIZE);
if(acc->forward_all)
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_ALL_RULE_ARGS,
fwd_chain->table,
@ -1281,10 +1281,18 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
}
else
{
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_RULE_ARGS,
fwd_chain->table,
fst_proto,
spadat->use_src_ip,
nat_port,
exp_ts,
fwd_chain->target
);
/* Make the FORWARD access rule
*/
ipt_rule(opts, NULL, IPT_FWD_RULE_ARGS, spadat->use_src_ip,
nat_ip, fst_proto, nat_port, NULL, NAT_ANY_PORT,
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT,
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
}
return;
@ -1416,7 +1424,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", acc->force_snat_ip, fst_port);
"--to-source %s", acc->force_snat_ip);
}
else if(acc->force_snat && acc->force_masquerade)
{
@ -1431,8 +1439,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", opts->config[CONF_SNAT_TRANSLATE_IP],
fst_port);
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
}
else
{

2
server/fw_util_iptables.h
View File

@ -43,7 +43,7 @@
#define IPT_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
#define IPT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define IPT_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define IPT_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
#define IPT_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
#define IPT_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR