Added --fw-list-all and --fw-flush

Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.

Also switched -D config dump output to stdout.

doc/fwknopd.man.asciidoc

@@ -63,9 +63,18 @@ COMMAND-LINE OPTIONS
     sent to stderr. This mode is usually used when testing and/or debugging.
 
 *--fw-list*::
-    List all firewall rules that any running *fwknopd* daemon has created
+    List only firewall rules that any running *fwknopd* daemon has created
     and then exit.
 
+*--fw-list-all*::
+    List all firewall rules including those that have nothing to do with
+    *fwknopd*.
+
+*--fw-flush*::
+    Flush any firewall rules created by a running *fwknopd* process.  This
+    option allows the used to easily delete *fwknopd* firewall rules without
+    having to wait for them to be timed out.
+
 *-K, --Kill*::
     Kill the current *fwknopd* process.  This provides a quick and easy
     way to stop *fwknopd* without having to look in the process table.

server/access.c

@@ -1023,7 +1023,7 @@ dump_access_list(fko_srv_options_t *opts)
 
     acc_stanza_t    *acc = opts->acc_stanzas;
 
-    fprintf(stderr, "Current fwknopd access settings:\n");
+    fprintf(stdout, "Current fwknopd access settings:\n");
 
     if(!acc)
     {
@@ -1033,7 +1033,7 @@ dump_access_list(fko_srv_options_t *opts)
 
     while(acc)
     {
-        fprintf(stderr,
+        fprintf(stdout,
             "SOURCE (%i):  %s\n"
             "==============================================================\n"
             "                 OPEN_PORTS:  %s\n"
@@ -1068,12 +1068,12 @@ dump_access_list(fko_srv_options_t *opts)
             (acc->gpg_remote_id == NULL) ? "<not set>" : acc->gpg_remote_id
         );
 
-        fprintf(stderr, "\n");
+        fprintf(stdout, "\n");
 
         acc = acc->next;
     }
 
-    fprintf(stderr, "\n");
+    fprintf(stdout, "\n");
 }
 
 /***EOF***/

server/cmd_opts.h

@@ -107,6 +107,8 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 */
 enum {
     FW_LIST         = 0x200,
+    FW_LIST_ALL,
+    FW_FLUSH,
     GPG_HOME_DIR,
     ROTATE_DIGEST_CACHE,
     NOOP /* Just to be a marker for the end */
@@ -129,6 +131,8 @@ static struct option cmd_opts[] =
     {"interface",           1, NULL, 'i'},
     {"kill",                0, NULL, 'K'},
     {"fw-list",             0, NULL, FW_LIST },
+    {"fw-list-all",         0, NULL, FW_LIST_ALL },
+    {"fw-flush",            0, NULL, FW_FLUSH },
     {"gpg-home-dir",        1, NULL, GPG_HOME_DIR },
     {"locale",              1, NULL, 'l' },
     {"rotate-digest-cache", 0, NULL, ROTATE_DIGEST_CACHE },

server/config_init.c

@@ -653,6 +653,13 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
             case FW_LIST:
                 opts->fw_list = 1;
                 break;
+            case FW_LIST_ALL:
+                opts->fw_list = 1;
+                opts->fw_list_all = 1;
+                break;
+            case FW_FLUSH:
+                opts->fw_flush = 1;
+                break;
             case GPG_HOME_DIR:
                 if (is_valid_dir(optarg))
                 {
@@ -718,16 +725,16 @@ dump_config(fko_srv_options_t *opts)
 {
     int i;
 
-    fprintf(stderr, "Current fwknopd config settings:\n");
+    fprintf(stdout, "Current fwknopd config settings:\n");
 
     for(i=0; i<NUMBER_OF_CONFIG_ENTRIES; i++)
-        fprintf(stderr, "%3i. %-28s =  '%s'\n",
+        fprintf(stdout, "%3i. %-28s =  '%s'\n",
             i,
             config_map[i],
             (opts->config[i] == NULL) ? "<not set>" : opts->config[i]
         );
 
-    fprintf(stderr, "\n");
+    fprintf(stdout, "\n");
 }
 
 /* Print usage message...

server/fw_util_ipf.c

@@ -52,6 +52,9 @@ fw_dump_rules(fko_srv_options_t *opts)
     int     i;
     int     res, got_err = 0;
 
+    fprintf(stdout, "Listing fwknopd ipf rules...\n");
+    fflush(stdout);
+
     zero_cmd_buffers();
 
     /* TODO: Implement or get rid of me */

server/fw_util_ipfw.c

@@ -96,42 +96,70 @@ fw_dump_rules(fko_srv_options_t *opts)
 {
     int     res, got_err = 0;
 
-    zero_cmd_buffers();
+    if (opts->fw_list_all)
+    {
+        fprintf(stdout, "Listing all ipfw rules...\n");
+        fflush(stdout);
 
-    /* Create the list command for active rules
-    */
-    snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
-        opts->fw_config->fw_command,
-        opts->fw_config->active_set_num
-    );
+        zero_cmd_buffers();
 
-    //printf("(%i) CMD: '%s'\n", i, cmd_buf);
-    printf("\nActive Rules:\n");
-    res = system(cmd_buf);
+        /* Create the list command for all rules
+        */
+        snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_ALL_RULES_ARGS,
+            opts->fw_config->fw_command
+        );
 
-    /* Expect full success on this */
-    if(! EXTCMD_IS_SUCCESS(res))
-    {
-        log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
-        got_err++;
+        res = system(cmd_buf);
+
+        /* Expect full success on this */
+        if(! EXTCMD_IS_SUCCESS(res))
+        {
+            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+            got_err++;
+        }
     }
+    else
+    {
+        fprintf(stdout, "Listing fwknopd ipfw rules...\n");
+        fflush(stdout);
 
-    /* Create the list command for expired rules
-    */
-    snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
-        opts->fw_config->fw_command,
-        opts->fw_config->expire_set_num
-    );
+        zero_cmd_buffers();
+
+        /* Create the list command for active rules
+        */
+        snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
+            opts->fw_config->fw_command,
+            opts->fw_config->active_set_num
+        );
 
-    //printf("(%i) CMD: '%s'\n", i, cmd_buf);
-    printf("\nExpired Rules:\n");
-    res = system(cmd_buf);
+        //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+        printf("\nActive Rules:\n");
+        res = system(cmd_buf);
 
-    /* Expect full success on this */
-    if(! EXTCMD_IS_SUCCESS(res))
-    {
-        log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
-        got_err++;
+        /* Expect full success on this */
+        if(! EXTCMD_IS_SUCCESS(res))
+        {
+            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+            got_err++;
+        }
+
+        /* Create the list command for expired rules
+        */
+        snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS,
+            opts->fw_config->fw_command,
+            opts->fw_config->expire_set_num
+        );
+
+        //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+        printf("\nExpired Rules:\n");
+        res = system(cmd_buf);
+
+        /* Expect full success on this */
+        if(! EXTCMD_IS_SUCCESS(res))
+        {
+            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
+            got_err++;
+        }
     }
 
     return(got_err);

server/fw_util_ipfw.h

@@ -48,6 +48,7 @@ enum {
 #define IPFW_DEL_RULE_ARGS           "set %u delete %u"
 #define IPFW_DEL_RULE_SET_ARGS       "delete set %u"
 #define IPFW_LIST_RULES_ARGS         "-d -S -T set %u list"
+#define IPFW_LIST_ALL_RULES_ARGS     "list"
 #define IPFW_LIST_SET_RULES_ARGS     "set %u list"
 #define IPFW_LIST_EXP_SET_RULES_ARGS "-S set %u list"
 #define IPFW_LIST_SET_DYN_RULES_ARGS "-d set %u list"

server/fw_util_iptables.c

@@ -138,31 +138,67 @@ fw_dump_rules(fko_srv_options_t *opts)
 
     struct fw_chain *ch = opts->fw_config->chain;
 
-    printf("Listing rules in fwknop chains...\n");
-    for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
+    if (opts->fw_list_all == 1)
     {
+        fprintf(stdout, "Listing all iptables rules in applicable tables...\n");
+        fflush(stdout);
 
-        if(fwc.chain[i].target[0] == '\0')
-            continue;
+        for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
+        {
 
-        zero_cmd_buffers();
+            if(fwc.chain[i].target[0] == '\0')
+                continue;
 
-        /* Create the list command
-        */
-        snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
-            opts->fw_config->fw_command,
-            ch[i].table,
-            ch[i].to_chain
-        );
+            zero_cmd_buffers();
 
-        //printf("(%i) CMD: '%s'\n", i, cmd_buf);
-        res = system(cmd_buf);
+            /* Create the list command
+            */
+            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_ALL_RULES_ARGS,
+                opts->fw_config->fw_command,
+                ch[i].table
+            );
 
-        /* Expect full success on this */
-        if(! EXTCMD_IS_SUCCESS(res))
+            //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+            res = system(cmd_buf);
+
+            /* Expect full success on this */
+            if(! EXTCMD_IS_SUCCESS(res))
+            {
+                log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
+                got_err++;
+            }
+        }
+    }
+    else
+    {
+        fprintf(stdout, "Listing rules in fwknopd iptables chains...\n");
+        fflush(stdout);
+
+        for(i=0; i<(NUM_FWKNOP_ACCESS_TYPES); i++)
         {
-            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
-            got_err++;
+
+            if(fwc.chain[i].target[0] == '\0')
+                continue;
+
+            zero_cmd_buffers();
+
+            /* Create the list command
+            */
+            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
+                opts->fw_config->fw_command,
+                ch[i].table,
+                ch[i].to_chain
+            );
+
+            //printf("(%i) CMD: '%s'\n", i, cmd_buf);
+            res = system(cmd_buf);
+
+            /* Expect full success on this */
+            if(! EXTCMD_IS_SUCCESS(res))
+            {
+                log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf); 
+                got_err++;
+            }
         }
     }
 
@@ -784,7 +820,7 @@ check_firewall_rules(fko_srv_options_t *opts)
 
         if(!EXTCMD_IS_SUCCESS(res))
         {
-            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out); 
+            log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
             continue;
         }
 

server/fw_util_iptables.h

@@ -33,19 +33,20 @@
 
 #define SNAT_TARGET_BUFSIZE         64
 
-/* iptables command args            
+/* iptables command args
 */
-#define IPT_ADD_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_OUT_RULE_ARGS "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
-#define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
-#define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
-#define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
-#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"
-#define IPT_DEL_CHAIN_ARGS "-t %s -X %s 2>&1"
-#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s 2>&1"
-#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n 2>&1"
+#define IPT_ADD_RULE_ARGS       "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_OUT_RULE_ARGS   "-t %s -A %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_FWD_RULE_ARGS   "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define IPT_ADD_DNAT_RULE_ARGS  "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define IPT_ADD_SNAT_RULE_ARGS  "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
+#define IPT_DEL_RULE_ARGS       "-t %s -D %s %i 2>&1"
+#define IPT_NEW_CHAIN_ARGS      "-t %s -N %s 2>&1"
+#define IPT_FLUSH_CHAIN_ARGS    "-t %s -F %s 2>&1"
+#define IPT_DEL_CHAIN_ARGS      "-t %s -X %s 2>&1"
+#define IPT_ADD_JUMP_RULE_ARGS  "-t %s -I %s %i -j %s 2>&1"
+#define IPT_LIST_RULES_ARGS     "-t %s -L %s --line-numbers -n 2>&1"
+#define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers 2>&1"
 
 #endif /* FW_UTIL_IPTABLES_H */
 

server/fw_util_pf.c

@@ -60,6 +60,8 @@ fw_dump_rules(fko_srv_options_t *opts)
 {
     int     res, got_err = 0;
 
+    printf("Listing fwknopd pf rules...\n");
+
     zero_cmd_buffers();
 
     /* Create the list command for active rules
@@ -133,7 +135,7 @@ anchor_active(fko_srv_options_t *opts)
 }
 
 static void
-delete_all_anchor_rules(fko_srv_options_t *opts)
+delete_all_anchor_rules(void)
 {
     int res = 0;
 
@@ -193,6 +195,7 @@ fw_initialize(fko_srv_options_t *opts)
 int
 fw_cleanup(void)
 {
+    delete_all_anchor_rules();
     return(0);
 }
 

server/fwknopd.c

@@ -181,12 +181,19 @@ main(int argc, char **argv)
         */
         fw_config_init(&opts);
 
-        if(opts.fw_list == 1)
+        if(opts.fw_list == 1 || opts.fw_list_all == 1)
         {
             fw_dump_rules(&opts);
             exit(EXIT_SUCCESS);
         }
 
+        if(opts.fw_flush == 1)
+        {
+            fprintf(stdout, "Deleting any existing firewall rules...\n");
+            fw_cleanup();
+            exit(EXIT_SUCCESS);
+        }
+
         /* Process the access.conf file.
         */
         parse_access_file(&opts);