Commit Graph

446 Commits

Author SHA1 Message Date
Michael Rash
7b70ed08d2 [server] ensure to break out of while loop and close() UDP socket before returning 2014-10-23 23:05:21 -04:00
Michael Rash
0af8faa0b3 Merge branch 'udp_listener' into execvpe 2014-10-13 20:25:14 -04:00
Michael Rash
c70e1c72a0 [server] update firewalld code to use run_extcmd() instead of popen() and system() - allows execvpe() to be used 2014-10-12 21:57:04 -04:00
Michael Rash
62ee780d65 [server] make pid_status a static var at the top of each fw_util_*.c file 2014-10-10 14:20:18 -04:00
Michael Rash
6dd599f3de [server] update ipfw and pf firewall interface code to latest run_extcmd() API 2014-10-07 23:23:05 -04:00
Michael Rash
06f3db1de8 [server] restore shell stderr redirect when execvpe() is not available 2014-10-07 21:42:36 -04:00
Michael Rash
1905baa0e8 [server] minor macro usage update 2014-10-07 21:37:29 -04:00
Michael Rash
b7785a9304 [server] extend run_extcmd() to allow the caller to specify whether to collect stderr 2014-10-07 21:01:17 -04:00
Michael Rash
ed9e1ac236 added setgid() call for command execution along with CMD_EXEC_GROUP access.conf var 2014-10-07 16:18:14 -04:00
Michael Rash
248c4b301e added configure detection of execvpe() - doesn't exist on Mac OS X yet 2014-10-06 20:04:00 -04:00
Michael Rash
652b8cb80e [server] have run_extcmd() collect process exit status for calling function (in addition to return value) 2014-10-05 20:21:05 -04:00
Michael Rash
a47ddfcb1e [server] added WIFEXITED(status) check for external commands run via execvpe() 2014-10-04 21:14:49 -04:00
Michael Rash
841d732c07 [server] removed remaining popen() call for iptables firewalls 2014-10-04 19:56:26 -04:00
Michael Rash
87f3bbdd23 [server] hex_dump() '%' bug fix, minor verbose criteria update 2014-10-04 16:40:44 -04:00
Michael Rash
d71f386971 [server] add search_extcmd() to replace all popen() calls with the execvpe() no env strategy 2014-10-04 10:31:15 -04:00
Michael Rash
e271442aa9 [server] first cut at converting iptables commands to use execvpe() 2014-10-03 21:58:51 -04:00
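The run of commits above (run_extcmd() replacing popen() and system(), the no-environment execvpe() strategy, search_extcmd(), the WIFEXITED() check, optional stderr collection and the CMD_EXEC_GROUP setgid() call) describes one command-execution pattern. The code below is an added illustration of that pattern and is not fwknop's own run_extcmd() or search_extcmd(); it uses fork() plus execve() with an empty environment so that it needs no GNU extension. The fixed search path, the function names and the signature are assumptions of this example, not taken from the page.

```c
/* Added example (not fwknop's run_extcmd()/search_extcmd()): run an external
 * command with fork()+execve() and an empty environment instead of
 * popen()/system(), returning both the captured output and the child's exit
 * status, with an optional setgid() before the exec.  The search path and
 * the function names/signatures are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SEARCH_PATH "/usr/sbin:/usr/bin:/sbin:/bin"  /* assumed; $PATH is never consulted */

/* Resolve cmd to an executable: an absolute path is checked as given, a bare
 * name is looked up in SEARCH_PATH, relative paths are refused.
 * Returns 0 with the path in out[], or -1. */
static int search_extcmd(const char *cmd, char *out, size_t outlen)
{
    if (cmd[0] == '/') {
        if (strlen(cmd) < outlen && access(cmd, X_OK) == 0) {
            strcpy(out, cmd);
            return 0;
        }
        return -1;
    }
    if (strchr(cmd, '/') != NULL)
        return -1;
    for (const char *p = SEARCH_PATH; ; ) {
        const char *colon = strchr(p, ':');
        size_t dlen = colon ? (size_t)(colon - p) : strlen(p);
        int n = snprintf(out, outlen, "%.*s/%s", (int)dlen, p, cmd);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0)
            return 0;
        if (colon == NULL)
            return -1;
        p = colon + 1;
    }
}

/* Run argv[] (argv[0] is resolved with search_extcmd) with an empty
 * environment.  stdout, plus stderr when want_stderr != 0, is collected into
 * buf (NUL-terminated, truncated to buflen-1; the pipe is drained fully so
 * the child never blocks).  If run_gid != 0 the child calls setgid(run_gid)
 * before exec (a real implementation would also clear supplementary groups).
 * Returns 0 and sets *exit_status to the child's exit code (127 if exec
 * itself failed); returns -1 with *exit_status == -1 if the command was not
 * found, could not be spawned, or did not terminate normally (WIFEXITED
 * false, e.g. killed by a signal). */
static int run_extcmd(char *const argv[], char *buf, size_t buflen,
                      int want_stderr, gid_t run_gid, int *exit_status)
{
    char path[256], sink[256];
    char *const empty_env[] = { NULL };   /* the "no env" strategy */
    int pfd[2], status;
    size_t total = 0;
    ssize_t n;
    pid_t pid;

    *exit_status = -1;
    if (buflen > 0)
        buf[0] = '\0';
    if (search_extcmd(argv[0], path, sizeof path) != 0 || pipe(pfd) != 0)
        return -1;

    pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {                        /* child */
        close(pfd[0]);
        if (dup2(pfd[1], STDOUT_FILENO) < 0)
            _exit(127);
        if (want_stderr && dup2(pfd[1], STDERR_FILENO) < 0)
            _exit(127);
        close(pfd[1]);
        if (run_gid != 0 && setgid(run_gid) != 0)
            _exit(127);
        execve(path, argv, empty_env);
        _exit(127);                        /* only reached if exec failed */
    }

    close(pfd[1]);                         /* parent: read until EOF */
    while ((n = read(pfd[0], sink, sizeof sink)) > 0) {
        size_t room = buflen > total + 1 ? buflen - total - 1 : 0;
        size_t take = (size_t)n < room ? (size_t)n : room;
        if (take > 0) {                    /* keep draining once buf is full */
            memcpy(buf + total, sink, take);
            total += take;
            buf[total] = '\0';
        }
    }
    close(pfd[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;                         /* the WIFEXITED() check */
    *exit_status = WEXITSTATUS(status);
    return 0;
}

int main(void)
{
    char out[4096];
    int st;
    char *const cmd[] = { "sh", "-c", "echo hello; echo oops 1>&2; exit 3", NULL };

    if (run_extcmd(cmd, out, sizeof out, 1, 0, &st) != 0) {
        fputs("run_extcmd failed\n", stderr);
        return 1;
    }
    printf("exit status %d, captured:\n%s", st, out);
    return 0;
}
```

Because the child starts with an empty environment, variables such as HOME or PATH from the daemon's environment never reach the firewall command, and because no shell is involved unless the caller explicitly runs one, the arguments are passed verbatim rather than being re-parsed.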
Michael Rash
0d6917fa4e minor hex_dump() update to use a consistent macro definition for ascii str length 2014-10-03 14:40:48 -04:00
Michael Rash
ddbba5bc90 autoconf update to ensure libpcap is not linked against in --enable-udp-server mode 2014-09-29 11:42:11 -04:00
Michael Rash
52d34a70a2 fwknopd man page updates, added UDPSERV_SELECT_TIMEOUT config option 2014-09-28 22:32:20 -04:00
Michael Rash
52c9d51d7d consolidate signal handling a bit, UDP server msg size updates 2014-09-28 22:06:34 -04:00
Michael Rash
360905ec56 implement --packet-limit for UDP server mode 2014-09-28 21:19:19 -04:00
Michael Rash
5db3a12763 add signal handling code to UDP server mode 2014-09-28 20:30:09 -04:00
Michael Rash
0af7f72500 enforce MAX_SPA_PACKET_LEN restriction for incoming datagrams for UDP listener mode 2014-09-28 16:49:12 -04:00
Michael Rash
f2a3562f71 removed 2014-09-28 11:49:24 -04:00
Michael Rash
1fd0e7e960 first cut at UDP server mode 2014-09-28 11:49:04 -04:00
Michael Rash
c07afac883 calculate sizeof caddr for each client connection 2014-09-28 09:29:30 -04:00
Michael Rash
f7f97d3f30 [server] firewalld reports 'success' as a string upon command success in contrast to iptables 2014-09-03 23:15:34 -04:00
Gerry Reno
2da57da0cb more changes for firewalld 2014-08-31 16:13:46 -04:00
Gerry Reno
ac82b1ced2 more changes for firewalld 2014-08-31 13:51:08 -04:00
Gerry Reno
d47ebb602a more changes for firewalld 2014-08-31 02:23:39 -04:00
Gerry Reno
25d252c11a more changes for firewalld 2014-08-31 00:29:17 -04:00
Gerry Reno
e54383b518 first cut at firewalld 2014-08-31 00:06:37 -04:00
Michael Rash
eb0e8eb6a1 fwknopd man page updates for access.conf vars 2014-08-26 23:21:14 -04:00
Michael Rash
dfcfb2e47b minor code restructure for Ethernet FCS header processing 2014-08-21 21:08:27 -04:00
stubbsw
19f31c3e23 update to indicate Ethernet FCS support vs. bug 2014-08-19 06:54:18 -04:00
stubbsw
b98579ab8f workaround libpcap 4 extra bytes
Workaround for libpcap returning a length that is 4 bytes longer than
the packet on the wire. Observed on:

Linux beaglebone 3.8.13-bone50 #1 SMP Tue May 13 13:24:52 UTC 2014 armv7l GNU/Linux
ldd fwknopd
libfko.so.2 => /usr/local/lib/libfko.so.2 (0xb6f62000)
libpcap.so.0.8 => /usr/lib/arm-linux-gnueabihf/libpcap.so.0.8 (0xb6f20000)
libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6e3b000)
/lib/ld-linux-armhf.so.3 (0xb6f94000)
libgcc_s.so.1 => /lib/arm-linux-gnueabihf/libgcc_s.so.1 (0xb6e17000)

Calculate the new pkt_end from the length in the ip header.
2014-08-17 11:50:56 -04:00
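The commit above fixes the SPA payload boundary by deriving pkt_end from the IP header's total length rather than from the length libpcap reports. The code below is an added illustration of that approach and is not fwknopd's process_packet() code; it also enforces a caller-supplied maximum payload length, in the spirit of the MAX_SPA_PACKET_LEN check the UDP listener commit further up applies to incoming datagrams. The function name, the parameters and the sample frame (including its 4 trailing bytes standing in for the FCS) are constructed for this example.

```c
/* Added example, not fwknopd's packet-processing code.  The end of the IP
 * datagram is taken from the IP header's total length field instead of
 * from the length libpcap hands back, so an appended Ethernet FCS (4 bytes)
 * is never treated as part of the SPA payload.  A caller-supplied maximum
 * payload length is enforced as well.  Sample frame below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_UDP_NUM 17
#define UDP_HDR_LEN     8

/* Locate the UDP payload of an Ethernet/IPv4/UDP frame.
 * pkt/caplen: the bytes libpcap delivered.  max_payload: largest payload
 * accepted.  On success returns the payload length and sets *payload;
 * *trailer receives the number of bytes beyond the IP datagram that libpcap
 * reported (4 when an FCS was included).  Returns 0 with *payload == NULL
 * for anything that does not parse as a complete, sane UDP datagram. */
static size_t udp_payload_from_frame(const uint8_t *pkt, size_t caplen,
                                     size_t max_payload,
                                     const uint8_t **payload, size_t *trailer)
{
    *payload = NULL;
    *trailer = 0;
    if (caplen < ETH_HDR_LEN + 20 + UDP_HDR_LEN)
        return 0;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IPV4)
        return 0;

    const uint8_t *ip = pkt + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return 0;
    size_t ihl     = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot_len = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || tot_len < ihl + UDP_HDR_LEN || ip[9] != IPPROTO_UDP_NUM)
        return 0;

    /* pkt_end comes from the IP header, not from caplen */
    size_t pkt_end = ETH_HDR_LEN + tot_len;
    if (pkt_end > caplen)               /* truncated capture: never read past it */
        return 0;
    *trailer = caplen - pkt_end;

    const uint8_t *udp = ip + ihl;
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    /* the UDP length must cover its header and fit inside the IP datagram */
    if (udp_len < UDP_HDR_LEN || udp_len > tot_len - ihl)
        return 0;
    size_t plen = udp_len - UDP_HDR_LEN;
    if (plen == 0 || plen > max_payload)
        return 0;
    *payload = udp + UDP_HDR_LEN;
    return plen;
}

/* Constructed sample: Ethernet + IPv4 (no options) + UDP carrying the 8-byte
 * payload "SPA-DATA", followed by 4 bytes standing in for the FCS that the
 * commit reports libpcap including in the returned length. */
static const uint8_t sample_frame[] = {
    /* Ethernet: dst, src, type 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total length 36, id, flags/frag, ttl, proto 17,
     * checksum (left zero), src 192.168.1.10, dst 192.168.1.1 */
    0x45,0x00, 0x00,0x24, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    /* UDP: src port 40000, dst port 62201 (assumed SPA port), length 16, checksum 0 */
    0x9c,0x40, 0xf2,0xf9, 0x00,0x10, 0x00,0x00,
    /* payload */
    'S','P','A','-','D','A','T','A',
    /* 4 trailing bytes that caplen includes but the IP header does not */
    0xde,0xad,0xbe,0xef,
};
#define SAMPLE_FRAME_LEN (sizeof sample_frame)   /* 54 = 50-byte datagram + 4 */

int main(void)
{
    const uint8_t *payload;
    size_t trailer;
    size_t n = udp_payload_from_frame(sample_frame, SAMPLE_FRAME_LEN, 1500,
                                      &payload, &trailer);
    if (n == 0) {
        puts("not a usable UDP datagram");
        return 1;
    }
    printf("payload %zu bytes, %zu trailing bytes ignored: %.*s\n",
           n, trailer, (int)n, payload);
    return 0;
}
```

Handing the same frame in with caplen reduced by 4 (a capture without the FCS) yields the same payload with a zero trailer, which is the property the fix relies on: the payload boundary no longer depends on what the link layer or libpcap appends.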
Michael Rash
4fcd5b317a [server] fix shift operation bug in SOURCE subnet processing spotted by Coverity 2014-07-26 23:43:48 -04:00
Michael Rash
7df1186c66 fixed several socket handle leaks under error conditions spotted by Coverity 2014-07-22 11:30:33 -04:00
Michael Rash
641866deff [server] minor update print -> fprintf for PF firewall interface 2014-07-19 16:40:59 -04:00
Michael Rash
764d9ca26d fix gcc -Wstrlcpy-strlcat-size warnings 2014-07-19 16:30:53 -04:00
Michael Rash
74428adae6 [server] Bug fix for PF firewalls without ALTQ support on FreeBSD.
With this commit PF rules are added correctly regardless of whether ALTQ support
is available or not. Thanks to Barry Allard for discovering and reporting this
issue. Closes issue #121 on github.
2014-07-18 20:54:11 -04:00
Michael Rash
1dccab0fc8 [server] handle signal vars in dedicated function 2014-07-08 16:26:51 -05:00
Michael Rash
3c06948414 [server] alert the user when config file variable expansion references invalid var 2014-07-08 16:25:53 -05:00
Michael Rash
1b47173906 [test suite] add SYSLOG_FACILITY tests 2014-07-07 21:35:27 -05:00
Michael Rash
5c54ef00ad [server] refactor main() into a more natural breakdown of functions 2014-07-07 21:34:45 -05:00
Michael Rash
9f2e01eb01 [server] Fix uninitialized value usage after proper SPA authentication/decryption
Bug fix discovered with the libfiu fault injection tag
"fko_get_username_init" combined with valgrind analysis. This bug
is only triggered after a valid authenticated and decrypted SPA
packet is sniffed by fwknopd:

==11181== Conditional jump or move depends on uninitialised value(s)
==11181==    at 0x113B6D: incoming_spa (incoming_spa.c:707)
==11181==    by 0x11559F: process_packet (process_packet.c:211)
==11181==    by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
==11181==    by 0x114BCC: pcap_capture (pcap_capture.c:270)
==11181==    by 0x10F32C: main (fwknopd.c:195)
==11181==  Uninitialised value was created by a stack allocation
==11181==    at 0x113476: incoming_spa (incoming_spa.c:294)
2014-07-07 21:27:53 -05:00
Michael Rash
a2ff2a396c [server] call clean_exit() upon check_dir_path() error 2014-07-03 10:31:30 -04:00
Michael Rash
43b770320a [server] Require sig ID's or fingerprints when sigs are validated
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
2014-06-30 11:52:42 -04:00
Michael Rash
77384a904e [server] add access.conf variable GPG_FINGERPRINT_ID
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the abbreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is

GPG_FINGERPRINT_ID            00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
2014-06-30 11:11:09 -04:00
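The two commits above define a validation rule for access.conf stanzas: with signature verification on (the default), at least one of GPG_REMOTE_ID or GPG_FINGERPRINT_ID must be present, and GPG_DISABLE_SIG is the only way to lift that requirement. The code below is an added illustration of that rule applied to stanza text and is not fwknopd's access.conf parser. Assumptions not taken from the page: the "KEY  VALUE" line syntax with '#' comment lines, that GPG_DISABLE_SIG takes the value Y, that a fingerprint is 40 hexadecimal digits compared case-insensitively, and the function and enum names; the sample stanzas and the GPG_REMOTE_ID value in them are constructed.

```c
/* Added example, not fwknopd's access.conf parser: apply the rule from the
 * GPG_FINGERPRINT_ID / GPG_REMOTE_ID commits to a stanza.  Assumed here:
 * "KEY  VALUE" lines with '#' comments, GPG_DISABLE_SIG set to Y, and a
 * 40-hex-digit fingerprint.  Stanzas at the bottom are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum gpg_stanza_result {
    GPG_OK = 0,            /* verification on, key ID and/or fingerprint present */
    GPG_SIG_DISABLED,      /* accepted only because GPG_DISABLE_SIG is set */
    GPG_NO_ID,             /* verification on but no GPG_REMOTE_ID/GPG_FINGERPRINT_ID */
    GPG_BAD_FINGERPRINT    /* GPG_FINGERPRINT_ID is not 40 hex digits */
};

/* Copy the value of `key` from a "KEY  VALUE" stanza into out (uppercased,
 * surrounding whitespace removed); returns 1 if found, 0 otherwise.  A key
 * only matches when followed by whitespace, so GPG_DISABLE_SIG does not match
 * a longer variable name that merely starts with it. */
static int stanza_get(const char *stanza, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *line = stanza;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (line[0] != '#' && llen > klen && strncmp(line, key, klen) == 0 &&
            isspace((unsigned char)line[klen])) {
            const char *v = line + klen;
            while (v < line + llen && isspace((unsigned char)*v))
                v++;
            size_t vlen = (size_t)(line + llen - v);
            while (vlen > 0 && isspace((unsigned char)v[vlen - 1]))
                vlen--;
            if (vlen >= outlen)
                vlen = outlen - 1;
            for (size_t i = 0; i < vlen; i++)
                out[i] = (char)toupper((unsigned char)v[i]);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* A full GnuPG fingerprint: exactly 40 hexadecimal digits (assumption). */
static int is_gpg_fingerprint(const char *s)
{
    if (strlen(s) != 40)
        return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s))
            return 0;
    return 1;
}

static enum gpg_stanza_result check_gpg_stanza(const char *stanza)
{
    char remote[128], fpr[128], disable[16];
    int have_remote = stanza_get(stanza, "GPG_REMOTE_ID", remote, sizeof remote);
    int have_fpr    = stanza_get(stanza, "GPG_FINGERPRINT_ID", fpr, sizeof fpr);
    int sig_off     = stanza_get(stanza, "GPG_DISABLE_SIG", disable, sizeof disable)
                      && strcmp(disable, "Y") == 0;

    if (have_fpr && !is_gpg_fingerprint(fpr))
        return GPG_BAD_FINGERPRINT;     /* a malformed fingerprint is never accepted */
    if (sig_off)
        return GPG_SIG_DISABLED;        /* allowed, but the caller should warn */
    if (!have_remote && !have_fpr)
        return GPG_NO_ID;
    return GPG_OK;
}

/* Constructed stanzas (the GPG_REMOTE_ID value is made up for the example). */
static const char stanza_ok[] =
    "SOURCE              ANY\n"
    "GPG_REMOTE_ID       7234ABCD\n"
    "GPG_FINGERPRINT_ID  00CC95F05BC146B6AC4038C9E36F443C6A3FAD56\n";
static const char stanza_no_id[] =
    "SOURCE              ANY\n"
    "# neither GPG_REMOTE_ID nor GPG_FINGERPRINT_ID: rejected by the rule\n";
static const char stanza_disabled[] =
    "SOURCE              ANY\n"
    "GPG_DISABLE_SIG     Y\n";
static const char stanza_bad_fpr[] =
    "SOURCE              ANY\n"
    "GPG_FINGERPRINT_ID  00cc95f0\n";

int main(void)
{
    static const char *names[] = { "ok", "sig disabled", "no signer id", "bad fingerprint" };
    printf("stanza_ok:       %s\n", names[check_gpg_stanza(stanza_ok)]);
    printf("stanza_no_id:    %s\n", names[check_gpg_stanza(stanza_no_id)]);
    printf("stanza_disabled: %s\n", names[check_gpg_stanza(stanza_disabled)]);
    printf("stanza_bad_fpr:  %s\n", names[check_gpg_stanza(stanza_bad_fpr)]);
    return 0;
}
```

The ordering of the checks matters: a malformed fingerprint is rejected even when GPG_DISABLE_SIG is set, so a typo in GPG_FINGERPRINT_ID cannot be masked by also turning signature verification off.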
Michael Rash
11b9732c16 [server] Call clean_exit() from daemon parent process
When becoming a daemon, make sure the fwknopd parent process calls
clean_exit() to release memory before calling exit().
2014-06-30 10:09:39 -04:00