
Feature/connlog/v3.8 #23

Merged
merged 8 commits into from Nov 18, 2017

rules: new broadcast handling

Allow use of 'network(broadcast)' in the rules to manually create
broadcast rules.
inliniac committed Dec 24, 2016
commit d9715646503fdf8c47ea4b6db7ebe51ae77d1c4b
@@ -86,6 +86,7 @@
#define VRMR_MAX_HOST 32
#define VRMR_MAX_NETWORK 32
#define VRMR_MAX_BROADCAST (VRMR_MAX_NETWORK + 11) /* network(broadcast) */
#define VRMR_MAX_ZONE 32
#define VRMR_MAX_NET_ZONE VRMR_MAX_NETWORK+VRMR_MAX_ZONE
@@ -747,6 +748,7 @@ struct vrmr_zone {
/* for names */
char host_name[VRMR_MAX_HOST];
char network_name[VRMR_MAX_NETWORK];
char broadcast_name[VRMR_MAX_BROADCAST]; /* network(broadcast) */
char zone_name[VRMR_MAX_ZONE];
/* pointers to parent zone and network (NULL if zone/network) */
@@ -819,6 +821,7 @@ struct vrmr_rule_cache {
char from_any; /* from is 'any' */
char to_any; /* to is 'any' */
char to_broadcast;
char service_any; /* service is 'any' */
struct vrmr_zone *from; /* from data */
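Review bot: `char to_broadcast;` in struct vrmr_rule_cache is the only new field in the hunk without the trailing comment its neighbours carry; suggest `char to_broadcast; /* to is 'network(broadcast)' */`. The `+ 11` in VRMR_MAX_BROADCAST is the length of the literal "(broadcast)", and the same bare 11 is repeated wherever the suffix is cut off in rules.c and zones.c, so the three sites can drift apart. Defining the suffix once, e.g. `#define VRMR_BROADCAST_SUFFIX "(broadcast)"` and `#define VRMR_MAX_BROADCAST (VRMR_MAX_NETWORK + sizeof(VRMR_BROADCAST_SUFFIX) - 1)`, lets the stripping code use the same constant. Both structs start and end outside the hunks.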
@@ -37,7 +37,9 @@
* -1: invalid query
*/
static int
determine_action(const int debuglvl, struct vrmr_config *cfg, char *query, char *action, size_t size, struct vrmr_rule_options *option)
determine_action(const int debuglvl, struct vrmr_config *cfg, char *query,
char *action, size_t size,
struct vrmr_rule_options *option, int broadcast)
{
int action_type = 0;
@@ -60,6 +62,8 @@ determine_action(const int debuglvl, struct vrmr_config *cfg, char *query, char
if(action_type == VRMR_AT_ACCEPT)
{
(void)strlcpy(action, "NEWACCEPT", size);
if (broadcast)
(void)strlcpy(action, "ACCEPT", size);
}
else if(action_type == VRMR_AT_DROP)
{
@@ -140,6 +144,8 @@ determine_action(const int debuglvl, struct vrmr_config *cfg, char *query, char
else if(action_type == VRMR_AT_NFQUEUE)
{
(void)strlcpy(action, "NEWNFQUEUE", size);
if (broadcast)
(void)strlcpy(action, "NFQUEUE", size);
}
else if(action_type == VRMR_AT_NFLOG)
{
@@ -362,13 +368,23 @@ vrmr_rules_analyze_rule( const int debuglvl,
if(strcasecmp(rule_ptr->to, "firewall(any)") == 0)
create->to_firewall_any = TRUE;
}
else if(strcasecmp(rule_ptr->to, "any") == 0)
{
else if(strcasecmp(rule_ptr->to, "any") == 0) {
/* we get the data later */
create->to_any = TRUE;
}
else
{
} else if (strstr(rule_ptr->to, "(broadcast)") != NULL) {
char network_name[VRMR_VRMR_MAX_HOST_NET_ZONE];
strlcpy(network_name, rule_ptr->to, sizeof(network_name));
network_name[strlen(network_name) - 11] = '\0';
/* get the pointer to the zonedata in the ZonedataList */
if(!(create->to = vrmr_search_zonedata(debuglvl, zones, network_name)))
{
vrmr_error(-1, "Error", "'to' zone '%s' not found (in: %s).", rule_ptr->to, __FUNC__);
return(-1);
}
create->to_broadcast = TRUE;
} else {
/* get the pointer to the zonedata in the ZonedataList */
if(!(create->to = vrmr_search_zonedata(debuglvl, zones, rule_ptr->to)))
{
@@ -420,7 +436,9 @@ vrmr_rules_analyze_rule( const int debuglvl,
create->option = *rule_ptr->opt;
/* determine which action to take (ACCEPT, DROP, REJECT etc.). */
if(determine_action(debuglvl, cnf, vrmr_rules_itoaction(rule_ptr->action), create->action, sizeof(create->action), &create->option) == 0)
if(determine_action(debuglvl, cnf, vrmr_rules_itoaction(rule_ptr->action),
create->action, sizeof(create->action), &create->option,
create->to_broadcast) == 0)
{
if(debuglvl >= HIGH)
vrmr_debug(__FUNC__, "determine_action succes, create->action = %s",
@@ -3712,13 +3730,14 @@ vrmr_rules_determine_ruletype(const int debuglvl, struct vrmr_rule *rule_ptr)
return(VRMR_RT_ERROR);
}
/* output */
/* output: when source is firewall */
if(strncasecmp(rule_ptr->from, "firewall", 8) == 0)
{
ruletype = VRMR_RT_OUTPUT;
}
/* input */
else if(strncasecmp(rule_ptr->to, "firewall", 8) == 0)
/* input: when dest is firewall, or when dest is broadcast
* When src is firewall and dest broadcast it's output. */
else if (strncasecmp(rule_ptr->to, "firewall", 8) == 0)
{
ruletype = VRMR_RT_INPUT;
}
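Review bot: In vrmr_rules_analyze_rule the broadcast branch tests `strstr(rule_ptr->to, "(broadcast)") != NULL` but then cuts the last 11 characters of the copy, so a name with "(broadcast)" anywhere other than the end, or a `to` long enough for strlcpy to truncate into network_name, is cut at the wrong offset and looked up as a different zone. Test the suffix position instead, with the length computed before the chain: `size_t len = strlen(rule_ptr->to);` and `} else if (len > 11 && strcmp(rule_ptr->to + len - 11, "(broadcast)") == 0) {`, and compare the strlcpy return value against sizeof(network_name) before using the copy. The same strstr-then-cut pattern appears in vrmr_validate_zonename (zones.c hunk at -1166). vrmr_search_zonedata is called with the stripped name and to_broadcast is set without checking that the result is a network rather than a host or zone; if struct vrmr_zone records its type, a check here would be cheap. The enclosing function starts and ends outside the hunk.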
@@ -1166,16 +1166,23 @@ vrmr_add_broadcasts_zonelist(const int debuglvl, struct vrmr_zones *zones)
int
vrmr_validate_zonename(const int debuglvl, const char *zonename, int onlyvalidate, char *zone, char *network, char *host, regex_t *reg_ex, char quiet)
{
char name[VRMR_VRMR_MAX_HOST_NET_ZONE];
int retval=0;
/* this initalization pleases splint */
regmatch_t reg_match[8] = {{0,0}, {0,0}, {0,0}, {0,0}, {0,0}, {0,0}, {0,0}, {0,0}};
if(debuglvl >= MEDIUM)
vrmr_debug(__FUNC__, "checking: %s, onlyvalidate: %s.", zonename, onlyvalidate ? "Yes" : "No");
strlcpy(name, zonename, sizeof(name));
if (strstr(zonename, "(broadcast)") != NULL) {
name[strlen(name) - 11] = '\0';
}
if(onlyvalidate == 1)
{
if(regexec(reg_ex, zonename, 0, NULL, 0) != 0)
if(regexec(reg_ex, name, 0, NULL, 0) != 0)
{
if(quiet == VRMR_VERBOSE)
vrmr_error(-1, "Error", "zonename '%s' is invalid. A zonename can contain normal letters and numbers and the underscore (_) and minus (-) characters.", zonename);
@@ -1189,7 +1196,7 @@ vrmr_validate_zonename(const int debuglvl, const char *zonename, int onlyvalidat
if(onlyvalidate == 0)
{
if(regexec(reg_ex, zonename, 8, reg_match, 0) != 0)
if(regexec(reg_ex, name, 8, reg_match, 0) != 0)
{
if(quiet == VRMR_VERBOSE)
vrmr_error(-1, "Error", "zonename '%s' is invalid. A zonename can contain normal letters and numbers and the underscore (_) and minus (-) characters.", zonename);
@@ -1215,24 +1222,24 @@ vrmr_validate_zonename(const int debuglvl, const char *zonename, int onlyvalidat
}
else
{
(void)range_strcpy(zone, zonename, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_ZONE);
(void)range_strcpy(zone, name, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_ZONE);
if(debuglvl >= HIGH)
vrmr_debug(__FUNC__, "zone: %s.", zone);
}
}
else
{
(void)range_strcpy(network, zonename, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_NETWORK);
(void)range_strcpy(zone, zonename, (size_t)reg_match[4].rm_so, (size_t)reg_match[4].rm_eo, VRMR_MAX_ZONE);
(void)range_strcpy(network, name, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_NETWORK);
(void)range_strcpy(zone, name, (size_t)reg_match[4].rm_so, (size_t)reg_match[4].rm_eo, VRMR_MAX_ZONE);
if(debuglvl >= HIGH)
vrmr_debug(__FUNC__, "zone: %s, network: %s.", zone, network);
}
}
else
{
(void)range_strcpy(host, zonename, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_HOST);
(void)range_strcpy(network, zonename, (size_t)reg_match[4].rm_so, (size_t)reg_match[4].rm_eo, VRMR_MAX_NETWORK);
(void)range_strcpy(zone, zonename, (size_t)reg_match[7].rm_so, (size_t)reg_match[7].rm_eo, VRMR_MAX_ZONE);
(void)range_strcpy(host, name, (size_t)reg_match[1].rm_so, (size_t)reg_match[1].rm_eo, VRMR_MAX_HOST);
(void)range_strcpy(network, name, (size_t)reg_match[4].rm_so, (size_t)reg_match[4].rm_eo, VRMR_MAX_NETWORK);
(void)range_strcpy(zone, name, (size_t)reg_match[7].rm_so, (size_t)reg_match[7].rm_eo, VRMR_MAX_ZONE);
if(debuglvl >= HIGH)
vrmr_debug(__FUNC__, "zone: %s, network: %s, host: %s.", zone, network, host);
}
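Review bot: The "(broadcast)" suffix is stripped from `name` before the regex runs in every mode, so vrmr_validate_zonename also accepts it on host- and zone-shaped names (the host branch at the end of the hunk fills host, network and zone from `name` with no further check), and the caller is not told that the suffix was present. If the suffix is only meaningful on network names, as the commit message suggests, reject it unless the match is the network form, or state the accepted shapes in the function's documentation. A comment at the stripping site such as `/* a trailing "(broadcast)" is stripped before validation; the caller sees only the bare name */` would make the new behaviour visible to the next reader. The function's header comment and its tail are outside the hunks.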