9b7c1a8ce6
This commit adds a new configuration variable "FORCE_NAT" to the access.conf
file:
For any valid SPA packet, force the requested connection to be NAT'd
through to the specified (usually internal) IP and port value. This is
useful if there are multiple internal systems running a service such as
SSHD, and you want to give transparent access to only one internal system
for each stanza in the access.conf file. This way, multiple external
users can each directly access only one internal system per SPA key.
This commit also implements a few minor code cleanups.
179 lines
4.0 KiB
C
179 lines
4.0 KiB
C
/*
|
|
*****************************************************************************
|
|
*
|
|
* File: fw_util_ipf.c
|
|
*
|
|
* Author: Damien S. Stuart
|
|
*
|
|
* Purpose: Fwknop routines for managing ipf firewall rules.
|
|
*
|
|
* Copyright 2010 Damien Stuart (dstuart@dstuart.org)
|
|
*
|
|
* License (GNU Public License):
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version 2
|
|
* of the License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
|
|
* USA
|
|
*
|
|
*****************************************************************************
|
|
*/
|
|
#include "fwknopd_common.h"
|
|
|
|
#if FIREWALL_IPF
|
|
|
|
#include "fw_util.h"
|
|
#include "utils.h"
|
|
#include "log_msg.h"
|
|
#include "extcmd.h"
|
|
#include "access.h"
|
|
|
|
static struct fw_config fwc;
|
|
static char cmd_buf[CMD_BUFSIZE];
|
|
static char err_buf[CMD_BUFSIZE];
|
|
static char cmd_out[STANDARD_CMD_OUT_BUFSIZE];
|
|
|
|
/* Print all firewall rules currently instantiated by the running fwknopd
|
|
* daemon to stdout.
|
|
*/
|
|
int
|
|
fw_dump_rules(const fko_srv_options_t *opts)
|
|
{
|
|
int i;
|
|
int res, got_err = 0;
|
|
|
|
fprintf(stdout, "Listing fwknopd ipf rules...\n");
|
|
fflush(stdout);
|
|
|
|
zero_cmd_buffers();
|
|
|
|
/* TODO: Implement or get rid of me */
|
|
|
|
return(got_err);
|
|
}
|
|
|
|
void
|
|
fw_config_init(fko_srv_options_t *opts)
|
|
{
|
|
/* TODO: Implement me */
|
|
|
|
memset(&fwc, 0x0, sizeof(struct fw_config));
|
|
|
|
/* Set our firewall exe command path (iptables in most cases).
|
|
*/
|
|
strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE], MAX_PATH_LEN);
|
|
|
|
|
|
/* Let us find it via our opts struct as well.
|
|
*/
|
|
opts->fw_config = &fwc;
|
|
|
|
return;
|
|
}
|
|
|
|
void
|
|
fw_initialize(const fko_srv_options_t *opts)
|
|
{
|
|
int res = 0;
|
|
|
|
/* TODO: Implement me */
|
|
|
|
if(res != 0)
|
|
{
|
|
fprintf(stderr, "Warning: Errors detected during fwknop custom chain creation.\n");
|
|
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
|
|
}
|
|
}
|
|
|
|
int
|
|
fw_cleanup(void)
|
|
{
|
|
|
|
/* TODO: Implement or get rid of me */
|
|
|
|
return(0);
|
|
}
|
|
|
|
/****************************************************************************/
|
|
|
|
/* Rule Processing - Create an access request...
|
|
*/
|
|
int
|
|
process_spa_request(const fko_srv_options_t *opts, const acc_stanza_t *acc, spa_data_t *spadat)
|
|
{
|
|
/* TODO: Implement me */
|
|
|
|
char nat_ip[MAX_IPV4_STR_LEN] = {0};
|
|
char *ndx;
|
|
|
|
unsigned int nat_port = 0;;
|
|
|
|
acc_port_list_t *port_list = NULL;
|
|
acc_port_list_t *ple;
|
|
|
|
unsigned int fst_proto;
|
|
unsigned int fst_port;
|
|
|
|
int res = 0;
|
|
time_t now;
|
|
unsigned int exp_ts;
|
|
|
|
/* Parse and expand our access message.
|
|
*/
|
|
expand_acc_port_list(&port_list, spadat->spa_message_remain);
|
|
|
|
/* Start at the top of the proto-port list...
|
|
*/
|
|
ple = port_list;
|
|
|
|
/* Remember the first proto/port combo in case we need them
|
|
* for NAT access requests.
|
|
*/
|
|
fst_proto = ple->proto;
|
|
fst_port = ple->port;
|
|
|
|
/* Set our expire time value.
|
|
*/
|
|
time(&now);
|
|
exp_ts = now + spadat->fw_access_timeout;
|
|
|
|
/* TODO: Implement me */
|
|
|
|
return(res);
|
|
}
|
|
|
|
/* Iterate over the configure firewall access chains and purge expired
|
|
* firewall rules.
|
|
*/
|
|
void
|
|
check_firewall_rules(const fko_srv_options_t *opts)
|
|
{
|
|
|
|
/* TODO: Implement me */
|
|
|
|
char exp_str[12];
|
|
char rule_num_str[6];
|
|
char *ndx, *rn_start, *rn_end, *tmp_mark;
|
|
|
|
int i, res, rn_offset;
|
|
time_t now, rule_exp, min_exp = 0;
|
|
|
|
time(&now);
|
|
|
|
zero_cmd_buffers();
|
|
}
|
|
|
|
#endif /* FIREWALL_IPF */
|
|
|
|
/***EOF***/
|