
[server] iptables 'comment' match check

Implemented a new check that verifies the iptables 'comment' match exists,
to ensure the proper environment for fwknopd operations.  This check is controlled
by the new ENABLE_IPT_COMMENT_CHECK variable, and was suggested by Hank
Leininger.
1 parent a087b11 commit 543de16613b89723ef1350df3e59df126586800e @mrash committed Aug 12, 2012
Showing with 119 additions and 14 deletions.
  1. +5 −0 CREDITS
  2. +4 −0 ChangeLog
  3. +1 −0 server/cmd_opts.h
  4. +6 −0 server/config_init.c
  5. +1 −0 server/fw_util.h
  6. +74 −1 server/fw_util_iptables.c
  7. +1 −0 server/fw_util_iptables.h
  8. +9 −0 server/fwknopd.conf
  9. +14 −12 server/fwknopd_common.h
  10. +4 −1 todo.org
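--- a/CREDITS
+++ b/CREDITS
@@ -48,3 +48,8 @@ Geoff Carstairs
 This allows for better access control for multple users requiring access
 to multiple internal systems, in a manner that is transparent to the
 user. The result was the FORCE_NAT mode.
+
+Hank Leininger
+ - For iptables firewalls, suggested a check for the 'comment' match to
+ ensure the local environment will properly support fwknopd operations.
+ The result is the new ENABLE_IPT_COMMENT_CHECK functionality.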
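--- a/ChangeLog
+++ b/ChangeLog
@@ -58,6 +58,10 @@ fwknop-2.0.2 (08//2012):
 - [test suite] Added GPG tests for keyrings that have no associated
 passphrases.
+ - [server] Implemented a new check to ensure that the iptables 'comment'
+ match exists to ensure the proper environment for fwknopd operations.
+ This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
+ and was suggested by Hank Leininger.
 fwknop-2.0.1 (07/23/2012):
 - [server] Bug fix where the same encryption key used for two stanzas in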
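--- a/server/cmd_opts.h
+++ b/server/cmd_opts.h
@@ -78,6 +78,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 "IPT_DNAT_ACCESS",
 "IPT_SNAT_ACCESS",
 "IPT_MASQUERADE_ACCESS",
+ "ENABLE_IPT_COMMENT_CHECK",
 #elif FIREWALL_IPFW
 "FLUSH_IPFW_AT_INIT",
 "FLUSH_IPFW_AT_EXIT",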
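--- a/server/config_init.c
+++ b/server/config_init.c
@@ -458,6 +458,12 @@ validate_options(fko_srv_options_t *opts)
 set_config_entry(opts, CONF_IPT_MASQUERADE_ACCESS,
 DEF_IPT_MASQUERADE_ACCESS);
+ /* Check for the iptables 'comment' match at init time
+ */
+ if(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK] == NULL)
+ set_config_entry(opts, CONF_ENABLE_IPT_COMMENT_CHECK,
+ DEF_ENABLE_IPT_COMMENT_CHECK);
+
 #elif FIREWALL_IPFW
 /* Flush ipfw rules at init.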
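--- a/server/fw_util.h
+++ b/server/fw_util.h
@@ -37,6 +37,7 @@
 #define STANDARD_CMD_OUT_BUFSIZE 4096
 #define EXPIRE_COMMENT_PREFIX "_exp_"
+#define TMP_COMMENT "__TMPCOMMENT__"
 #if FIREWALL_IPTABLES
 #include "fw_util_iptables.h"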
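--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@@ -53,6 +53,70 @@ zero_cmd_buffers(void)
 }
 static int
+comment_match_exists(const fko_srv_options_t *opts)
+{
+ int res = 1;
+ char *ndx = NULL;
+ struct fw_chain *in_chain = &(opts->fw_config->chain[IPT_INPUT_ACCESS]);
+
+ zero_cmd_buffers();
+
+ /* Add a harmless rule to the iptables OUTPUT chain that uses the comment
+ * match and make sure it exists. If not, return zero. Otherwise, delete
+ * the rule and return true.
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_COMMENT_ARGS,
+ opts->fw_config->fw_command,
+ in_chain->table,
+ in_chain->to_chain,
+ 1, /* first rule */
+ in_chain->target
+ );
+
+ res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "comment_match_exists() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
+ zero_cmd_buffers();
+
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
+ opts->fw_config->fw_command,
+ in_chain->table,
+ in_chain->to_chain
+ );
+
+ res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+
+ if(!EXTCMD_IS_SUCCESS(res))
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+
+ ndx = strstr(cmd_out, TMP_COMMENT);
+ if(ndx == NULL)
+ res = 0; /* did not find the tmp comment */
+ else
+ res = 1;
+
+ if(res == 1)
+ {
+ /* Delete the tmp comment rule
+ */
+ zero_cmd_buffers();
+
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
+ opts->fw_config->fw_command,
+ in_chain->table,
+ in_chain->to_chain,
+ 1
+ );
+ run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ }
+
+ return res;
+}
+
+static int
 add_jump_rule(const fko_srv_options_t *opts, const int chain_num)
 {
 int res = 0;
@@ -205,7 +269,7 @@ fw_dump_rules(const fko_srv_options_t *opts)
 /* Expect full success on this */
 if(! EXTCMD_IS_SUCCESS(res))
 {
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
 got_err++;
 }
 }
@@ -466,6 +530,15 @@ fw_initialize(const fko_srv_options_t *opts)
 fprintf(stderr, "Warning: Errors detected during fwknop custom chain creation.\n");
 exit(EXIT_FAILURE);
 }
+
+ /* Make sure that the 'comment' match is available
+ */
+ if((strncasecmp(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK], "Y", 1) == 0)
+ && (comment_match_exists(opts) != 1))
+ {
+ fprintf(stderr, "Warning: Could not use the 'comment' match.\n");
+ exit(EXIT_FAILURE);
+ }
 }
 int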
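Review bot: In comment_match_exists() the result of the first run_extcmd() (the `-I` insert of the probe rule) is overwritten by the listing command without ever being checked, so when the insert fails the only record of what iptables reported is the verbose-only log line, and a non-verbose run just exits with "Could not use the 'comment' match". Mirror the handling already used for the listing command by adding, right after the insert, `if(!EXTCMD_IS_SUCCESS(res)) log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);`. The block comment above the first snprintf says the rule goes into the OUTPUT chain, but the code probes `chain[IPT_INPUT_ACCESS]`; `/* Insert a harmless rule at position 1 of the INPUT access chain ... */` would match what the code does. Note also that the temporary rule is only deleted when TMP_COMMENT was found in the listing, so if the insert succeeded but the listing command failed (the LOG_ERR branch above strstr), the probe rule is left in place; deleting whenever the insert itself succeeded would avoid that.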
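--- a/server/fw_util_iptables.h
+++ b/server/fw_util_iptables.h
@@ -40,6 +40,7 @@
 #define IPT_ADD_FWD_RULE_ARGS "-t %s -A %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
 #define IPT_ADD_DNAT_RULE_ARGS "-t %s -A %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
 #define IPT_ADD_SNAT_RULE_ARGS "-t %s -A %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
+#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
 #define IPT_DEL_RULE_ARGS "-t %s -D %s %i 2>&1"
 #define IPT_NEW_CHAIN_ARGS "-t %s -N %s 2>&1"
 #define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s 2>&1"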
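Review bot: IPT_TMP_COMMENT_ARGS installs the probe rule with the access chain's own target (`-j %s`, which the caller in fw_util_iptables.c fills with `in_chain->target`, ACCEPT in the defaults) at position 1, so for the lifetime of the probe the chain briefly accepts traffic from 127.0.0.2 even though the check only needs the rule to appear in the listing. A neutral built-in target such as `-j RETURN` detects the comment match just as well without momentarily widening policy; the format string would then drop its trailing `%s` and the matching argument in comment_match_exists() would go with it. A short comment on the define, e.g. `/* probe rule used only to detect the 'comment' match; removed right after the check */`, would also explain why this rule carries no EXPIRE_COMMENT_PREFIX like the others.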
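--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
@@ -264,6 +264,15 @@
 #IPT_SNAT_ACCESS SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
 #IPT_MASQUERADE_ACCESS MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1;
+# The ENABLE_COMMENT_MATCH_CHECK variable instructs fwknopd to check for the
+# iptables 'comment' match at start up. If it's not found, then fwknopd will
+# exit and throw an error. This variable is enabled by default, but can be
+# disabled if you want fwknopd to run without being sure that the comment match
+# if available (not recommended, since the comment match enables new SPA rules
+# to be timed out).
+#
+#ENABLE_IPT_COMMENT_CHECK Y;
+
 ##############################################################################
 # Parameters specific to ipfw:
 #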
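Review bot: The new comment block names the variable `ENABLE_COMMENT_MATCH_CHECK`, but the key the server actually parses (and the commented example two lines below it) is `ENABLE_IPT_COMMENT_CHECK`, so an administrator searching the file for the documented name will not find the setting. The first line should read `# The ENABLE_IPT_COMMENT_CHECK variable instructs fwknopd to check for the`. On the fifth line, "if available" should be "is available".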
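--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -104,18 +104,19 @@
 */
 #if FIREWALL_IPTABLES
- #define DEF_FLUSH_IPT_AT_INIT "Y"
- #define DEF_FLUSH_IPT_AT_EXIT "Y"
- #define DEF_ENABLE_IPT_FORWARDING "N"
- #define DEF_ENABLE_IPT_LOCAL_NAT "Y"
- #define DEF_ENABLE_IPT_SNAT "N"
- #define DEF_ENABLE_IPT_OUTPUT "N"
- #define DEF_IPT_INPUT_ACCESS "ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1"
- #define DEF_IPT_OUTPUT_ACCESS "ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1"
- #define DEF_IPT_FORWARD_ACCESS "ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1"
- #define DEF_IPT_DNAT_ACCESS "DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1"
- #define DEF_IPT_SNAT_ACCESS "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
- #define DEF_IPT_MASQUERADE_ACCESS "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
+ #define DEF_FLUSH_IPT_AT_INIT "Y"
+ #define DEF_FLUSH_IPT_AT_EXIT "Y"
+ #define DEF_ENABLE_IPT_FORWARDING "N"
+ #define DEF_ENABLE_IPT_LOCAL_NAT "Y"
+ #define DEF_ENABLE_IPT_SNAT "N"
+ #define DEF_ENABLE_IPT_OUTPUT "N"
+ #define DEF_ENABLE_IPT_COMMENT_CHECK "Y"
+ #define DEF_IPT_INPUT_ACCESS "ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1"
+ #define DEF_IPT_OUTPUT_ACCESS "ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1"
+ #define DEF_IPT_FORWARD_ACCESS "ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1"
+ #define DEF_IPT_DNAT_ACCESS "DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1"
+ #define DEF_IPT_SNAT_ACCESS "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
+ #define DEF_IPT_MASQUERADE_ACCESS "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
 /* Ipfw-specific defines
 */
@@ -201,6 +202,7 @@ enum {
 CONF_IPT_DNAT_ACCESS,
 CONF_IPT_SNAT_ACCESS,
 CONF_IPT_MASQUERADE_ACCESS,
+ CONF_ENABLE_IPT_COMMENT_CHECK,
 #elif FIREWALL_IPFW
 CONF_FLUSH_IPFW_AT_INIT,
 CONF_FLUSH_IPFW_AT_EXIT,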
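--- a/todo.org
+++ b/todo.org
@@ -1,6 +1,9 @@
 * fwknop tasks
 This is the main todo org mode file for the fwknop project
-** fwknopd iptables comment match detection
+** COMPLETED
+ This bucket is for completed tasks.
+*** fwknopd iptables comment match detection
+ :CLOSED: <2012-08-12 Sun>
 Hank Leininger suggested that fwknopd do better detection for the iptables
 comment match since it is required for the expiration of SPA rules.
 ** Include files for access.conf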
