Damien Stuart
e4fae829bc
Refactor of Makefile.am files to fix issues caused by referencing source files in other directories - which broke make dist and make distclean targets.
2015-02-17 14:37:20 -05:00
Damien Stuart
987455b902
Remove commented out entries from the client and server Makefile.am.
2015-02-14 12:40:58 -05:00
Damien Stuart
b152d15970
Refactored how the cunit tests are processed so "make dist" does not fail and builds with c-unit-tests enabled work on systems with firewalld (added fw_util_firewalld.c for server tests).
2015-02-14 12:29:30 -05:00
Michael Rash
e8cfeaf772
Merge pull request #142 from fjoncourt/c_unit_testing
...
C unit testing - excellent, thank you Franck. I'll work on the relative path issue you mentioned as well.
2015-01-17 09:11:29 -05:00
Michael Rash
6b7a3bbdae
[server] Add FORWARD_ALL access.conf wildcard
...
This is a significant commit that allows iptables firewalls to be used
as an "SPA gateway" for all ports/protocols upon providing a valid SPA
packet. Additional commits will be made to extend this capability, but
this commit adds two new access.conf keywords: FORWARD_ALL and
DISABLE_DNAT. These are used in conjunction to add ACCEPT rules for all
ports/protocols in the FORWARD chain, and also disable DNAT rules at the
same time. Then, by building the SNAT chain to provide translation for
an internal network (where an SPA client is located), but DROP all
forwarded traffic by default at the same time, SPA can be used to gain
access to the internet. So, this would allow, say, an RFC 1918 internal
network to have IPs assigned via DHCP but they wouldn't be able to
access the internet before sending a SPA packet to the gateway. This
scenario was suggested by spartan1833 to the fwknop list and tracked via
github issue 131.
Additional commits will be made to fully support this feature.
2015-01-17 08:38:32 -05:00
Michael Rash
08bc935796
[server] remove redundant mk_chain() calls
2015-01-06 16:39:45 -05:00
Michael Rash
1f9e939c95
[server] consolidate iptables rule additions into a single ipt_rule() function
2015-01-06 15:30:12 -05:00
Franck Joncourt
1c81aef39d
Fixed file permissions
2014-12-31 09:51:08 +01:00
Michael Rash
1ece9d022b
[server] consolidate create_chain() and add_jump_rule() into a single function
2014-12-30 10:42:31 -05:00
Franck Joncourt
b7ecb3334a
Merge upstream changes to our changes
2014-12-28 15:00:24 +01:00
Michael Rash
9dc56d6bb7
[test suite / server] rule deletion/addition tests mid-cycle
2014-12-15 17:06:07 -08:00
Michael Rash
fd582487db
[server] minor typo fix
2014-12-15 17:03:08 -08:00
Michael Rash
67f969f2c7
[server] compilation bug fix for firewalld platforms in DESTINATION processing code
2014-12-10 17:06:45 -08:00
Michael Rash
74f114603b
check fiu_init() and fiu_enable() return values
2014-12-07 16:29:30 -05:00
Michael Rash
76b1c6dd50
Merge branch 'spa_destination_ip'
2014-12-04 20:07:05 -05:00
Michael Rash
d6dee352af
minor update to get DESTINATION filtering tests passing
2014-12-03 20:57:06 -05:00
Michael Rash
285ec0ddcb
[server] add AFL support for fuzzing SPA Rijndael decryption routine directly with --afl-pkt-file
2014-12-03 20:25:05 -05:00
Grant Pannell
af6087c48d
Keep the documentation consistent
2014-11-29 15:14:31 +10:30
Grant Pannell
624872ef48
Add DESTINATION access.conf directive and ENABLE_DESTINATION_RULE fwknopd.conf directive
2014-11-29 15:05:06 +10:30
Michael Rash
7a2763a133
[server] minor fix to add AFL_FUZZING macro
2014-11-28 19:18:38 -05:00
Michael Rash
01e294aed3
[test suite] use -A mode for AFL fuzzing, make sure fwknopd does not init digest cache in -A mode
2014-11-28 19:13:35 -05:00
Michael Rash
7938e6fbbf
[server] manpage update
2014-11-26 08:46:24 -05:00
Michael Rash
a64542c7a4
[server] add --run-dir command line arg
2014-11-25 22:06:56 -05:00
Michael Rash
82cf8b1c9c
[server] Enforce proper bounds checking on digest cache file import
...
Bug fix to ensure that proper bounds are enforced when importing digest
cache files from previous fwknopd executions. This bug
was discovered through fuzzing with American Fuzzy Lop (AFL) as driven
by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper.
Previous to this fix, fwknopd could be made to crash through a malicious
digest cache file (normally in /var/run/fwknop/digest.cache) upon
initial import.
2014-11-25 22:05:15 -05:00
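The bug class in the commit above (an over-long or malformed field in an on-disk digest cache crashing the importer) is illustrated by the added example below. It is not fwknop's code: the six-field line layout (digest, source IP, source port, destination IP, destination port, creation time), the 64-character digest cap, the 256-byte line cap and the SAMPLE_CACHE input are all assumptions constructed for the example. The point it demonstrates is that every field is length-checked before it is copied and a bad line is rejected whole rather than truncated or partially imported.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIGEST_LEN 64   /* assumed cap for the digest field */
#define MAX_IP_LEN     15   /* strlen("255.255.255.255") */
#define MAX_LINE_LEN   256  /* assumed cap for one cache line */

struct digest_entry {
    char digest[MAX_DIGEST_LEN + 1];
    char src_ip[MAX_IP_LEN + 1];
    unsigned short src_port;
    char dst_ip[MAX_IP_LEN + 1];
    unsigned short dst_port;
    long created;
};

/* Copy one whitespace-delimited token into dst (dst_sz includes the NUL).
 * Returns a pointer past the token, or NULL if it is empty or would overflow. */
static const char *take_token(const char *p, char *dst, size_t dst_sz)
{
    size_t n = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    while (p[n] != '\0' && !isspace((unsigned char)p[n])) {
        if (n + 1 >= dst_sz)
            return NULL;            /* reject instead of truncating */
        dst[n] = p[n];
        n++;
    }
    if (n == 0)
        return NULL;
    dst[n] = '\0';
    return p + n;
}

/* Parse a decimal token into *out, rejecting junk and out-of-range values. */
static const char *take_number(const char *p, long min, long max, long *out)
{
    char buf[32], *end;
    long v;
    if ((p = take_token(p, buf, sizeof buf)) == NULL)
        return NULL;
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || *end != '\0' || v < min || v > max)
        return NULL;
    *out = v;
    return p;
}

/* Parse "digest src_ip src_port dst_ip dst_port created" (assumed layout).
 * Returns 0 on success, -1 if any field is missing, malformed or over-long. */
int parse_digest_line(const char *line, struct digest_entry *e)
{
    const char *p = line;
    long v;
    if (strlen(line) >= MAX_LINE_LEN)
        return -1;
    memset(e, 0, sizeof *e);
    if ((p = take_token(p, e->digest, sizeof e->digest)) == NULL) return -1;
    if ((p = take_token(p, e->src_ip, sizeof e->src_ip)) == NULL) return -1;
    if ((p = take_number(p, 1, 65535, &v)) == NULL) return -1;
    e->src_port = (unsigned short)v;
    if ((p = take_token(p, e->dst_ip, sizeof e->dst_ip)) == NULL) return -1;
    if ((p = take_number(p, 1, 65535, &v)) == NULL) return -1;
    e->dst_port = (unsigned short)v;
    if ((p = take_number(p, 0, LONG_MAX, &v)) == NULL) return -1;
    e->created = v;
    while (isspace((unsigned char)*p))
        p++;
    return *p == '\0' ? 0 : -1;     /* trailing garbage is rejected too */
}

/* Import a whole cache buffer; bad lines are skipped, never partially kept.
 * Returns the number of entries accepted into out[]. */
size_t import_digest_cache(const char *text, struct digest_entry *out, size_t max)
{
    size_t count = 0;
    while (*text != '\0' && count < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[MAX_LINE_LEN];
        if (len < sizeof line) {        /* over-long lines are dropped outright */
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_digest_line(line, &out[count]) == 0)
                count++;
        }
        text = nl ? nl + 1 : text + len;
    }
    return count;
}

/* Constructed sample: one valid line, one with a 70-character digest
 * (over the assumed cap), one with an out-of-range destination port. */
static const char SAMPLE_CACHE[] =
    "BQ7mIVZ3cFd/9sgm4J9Zhg 192.168.10.2 51234 10.0.0.1 62201 1417000000\n"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" " 192.168.10.2 51234 10.0.0.1 62201 1417000001\n"
    "c3BhcGt0 192.168.10.3 40000 10.0.0.1 70000 1417000002\n";

int main(void)
{
    struct digest_entry ents[8];
    size_t n = import_digest_cache(SAMPLE_CACHE, ents, 8);
    printf("%zu of 3 constructed lines accepted\n", n);
    return 0;
}
```

Running it on the constructed buffer accepts only the first line; the other two are dropped before anything is written past a field's bound, which is exactly the property a fuzzer-driven crash like the one described in the commit is looking for.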
Michael Rash
8872e50818
[test suite] use digest tracking override for AFL fwknopd fuzzing
2014-11-25 15:04:30 -05:00
Michael Rash
a72b69eee7
manpage updates
2014-11-15 10:51:48 -05:00
Michael Rash
d2880021ca
[server] document --udp-server option
2014-11-15 10:45:59 -05:00
Michael Rash
2e1d076160
[server] minor status wording update
2014-11-15 00:16:17 -05:00
Michael Rash
aaa44656bc
[server] add support for American Fuzzy Lop (AFL) fuzzing
2014-11-13 20:55:04 -05:00
Michael Rash
7022d79ca7
[server] minor code cleanup
2014-11-06 20:24:50 -05:00
Michael Rash
a8879231c3
[server] add run_extcmd_write() call in code coverage mode
2014-11-06 20:24:33 -05:00
Michael Rash
0c59f6e500
add CODE_COVERAGE macro for ./configure --enable-profile-coverage
2014-11-06 20:23:40 -05:00
Michael Rash
04f8b9669a
[server] check number of cmd args even when execvpe() is not available
2014-11-05 23:19:51 -05:00
Michael Rash
e7942f48e0
[server] allow loop restart after select() sets EINTR (since we handle signals) - fixes cmd execution through UDP on FreeBSD
2014-11-04 22:44:59 -05:00
Michael Rash
c5f0389281
[server] minor code restructure, use FD_ISSET() test on file descriptors
2014-11-04 22:43:04 -05:00
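The two commits above (restarting the loop after select() fails with EINTR because the daemon handles signals, and testing descriptors with FD_ISSET() instead of assuming which one woke the call) are illustrated by the added example below. It is not fwknop's code: select_restart(), the pipe-based demos, and the 1 s alarm against a 2 s timeout are assumptions constructed for the example. The retry recomputes the remaining time from an absolute deadline rather than reusing the timeval, since only some platforms update it in place.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t alarms_seen = 0;

static void on_alarm(int sig) { (void)sig; alarms_seen++; }

/* Wait for readability on the descriptors in *rfds for up to timeout_sec.
 * If a signal interrupts select() (EINTR), recompute the remaining time from
 * an absolute deadline and call select() again instead of failing; the copy
 * of the fd_set is refreshed each round because select() overwrites it.
 * Returns what select() returns: >0 ready, 0 timeout, -1 real error. */
int select_restart(int nfds, fd_set *rfds, double timeout_sec)
{
    struct timespec now, deadline;
    clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec  += (time_t)timeout_sec;
    deadline.tv_nsec += (long)((timeout_sec - (double)(time_t)timeout_sec) * 1e9);
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }
    for (;;) {
        fd_set ready = *rfds;
        struct timeval tv;
        long remaining_us;
        int rv;
        clock_gettime(CLOCK_MONOTONIC, &now);
        remaining_us = (deadline.tv_sec - now.tv_sec) * 1000000L
                     + (deadline.tv_nsec - now.tv_nsec) / 1000L;
        if (remaining_us < 0)
            remaining_us = 0;
        tv.tv_sec  = remaining_us / 1000000L;
        tv.tv_usec = remaining_us % 1000000L;
        rv = select(nfds, &ready, NULL, NULL, &tv);
        if (rv == -1 && errno == EINTR)
            continue;               /* the signal was handled; keep waiting */
        if (rv > 0)
            *rfds = ready;          /* hand back the set for FD_ISSET() checks */
        return rv;
    }
}

/* Install a SIGALRM handler without SA_RESTART so select() really does
 * return EINTR when the alarm fires. */
static void install_alarm_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

/* Idle pipe, 1 s alarm, 2 s timeout: the alarm interrupts the first select(),
 * the loop resumes and the call ends with a clean timeout (0) at about 2 s. */
int demo_interrupted_wait(void)
{
    int fds[2], rv;
    fd_set rfds;
    if (pipe(fds) == -1)
        return -1;
    install_alarm_handler();
    FD_ZERO(&rfds);
    FD_SET(fds[0], &rfds);
    alarms_seen = 0;
    alarm(1);
    rv = select_restart(fds[0] + 1, &rfds, 2.0);
    alarm(0);
    close(fds[0]);
    close(fds[1]);
    return rv;
}

/* Pipe with one byte queued: select_restart() reports it ready at once and
 * FD_ISSET() confirms which descriptor fired. Returns 1 on success. */
int demo_ready_fd(void)
{
    int fds[2], rv, ok;
    fd_set rfds;
    if (pipe(fds) == -1)
        return 0;
    FD_ZERO(&rfds);
    FD_SET(fds[0], &rfds);
    if (write(fds[1], "x", 1) != 1)
        return 0;
    rv = select_restart(fds[0] + 1, &rfds, 1.0);
    ok = (rv == 1 && FD_ISSET(fds[0], &rfds));
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    printf("ready case: %s\n", demo_ready_fd() ? "ok" : "FAILED");
    printf("interrupted case: select returned %d after %d alarm(s)\n",
           demo_interrupted_wait(), (int)alarms_seen);
    return 0;
}
```

Without the EINTR branch the interrupted case would return -1 and a naive server loop would either exit or skip the pending command, which is the symptom the commit describes for UDP command execution on FreeBSD.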
Michael Rash
50009115b3
[server] bug fix to close write filehandle in _run_extcmd_write()
2014-11-01 12:03:49 -04:00
Michael Rash
34e38fe39e
[server] first pass at eliminating popen() write calls with run_extcmd_write() (used for PF firewalls)
2014-10-28 21:28:21 -04:00
Michael Rash
d2abbd8720
[test suite] more code coverage tests
2014-10-25 22:29:49 -04:00
Michael Rash
17608dd01d
[test suite] additional code coverage
2014-10-25 08:42:30 -04:00
Michael Rash
58d47cb385
[test suite] additional code coverage for a few areas
2014-10-24 20:39:40 -04:00
Michael Rash
7b70ed08d2
[server] ensure to break out of while loop and close() UDP socket before returning
2014-10-23 23:05:21 -04:00
Michael Rash
0af8faa0b3
Merge branch 'udp_listener' into execvpe
2014-10-13 20:25:14 -04:00
Michael Rash
c70e1c72a0
[server] update firewalld code to use run_extcmd() instead of popen() and system() - allows execvpe() to be used
2014-10-12 21:57:04 -04:00
Michael Rash
62ee780d65
[server] make pid_status a static var at the top of each fw_util_*.c file
2014-10-10 14:20:18 -04:00
Michael Rash
6dd599f3de
[server] update ipfw and pf firewall interface code to latest run_extcmd() API
2014-10-07 23:23:05 -04:00
Michael Rash
06f3db1de8
[server] restore shell stderr redirect when execvpe() is not available
2014-10-07 21:42:36 -04:00
Michael Rash
1905baa0e8
[server] minor macro usage update
2014-10-07 21:37:29 -04:00
Michael Rash
b7785a9304
[server] extend run_extcmd() to allow the caller to specify whether to collect stderr
2014-10-07 21:01:17 -04:00
Michael Rash
ed9e1ac236
added setgid() call for command execution along with CMD_EXEC_GROUP access.conf var
2014-10-07 16:18:14 -04:00
Michael Rash
248c4b301e
added configure detection of execvpe() - doesn't exist on Mac OS X yet
2014-10-06 20:04:00 -04:00