

use uniform exit code and exit when firewall rule parsing fails
mwarning committed Jun 19, 2019
1 parent 969a0c7 commit ae3b2f9
Showing 1 changed file with 41 additions and 43 deletions.
84 changes: 41 additions & 43 deletions src/conf.c
Expand Up @@ -194,7 +194,7 @@ static const struct {

static void config_notnull(const void *parm, const char *parmname);
static int parse_boolean(const char *);
static int _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover);
static void _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover);
static void parse_firewall_ruleset(const char *, FILE *, const char *, int *);

static OpCodes config_parse_opcode(const char *cp, const char *filename, int linenum);
Expand Down Expand Up @@ -382,7 +382,7 @@ parse_empty_ruleset_policy(char *ptr, const char *filename, int lineno)
if (ruleset == NULL) {
debug(LOG_ERR, "Unrecognized FirewallRuleSet name: %s at line %d in %s", rulesetname, lineno, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}

/* find next whitespace delimited word; this is policy name */
Expand All @@ -407,7 +407,7 @@ parse_empty_ruleset_policy(char *ptr, const char *filename, int lineno)
} else {
debug(LOG_ERR, "Unknown EmptyRuleSetPolicy directive: %s at line %d in %s", policy, lineno, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}

debug(LOG_DEBUG, "Set EmptyRuleSetPolicy for %s to %s", rulesetname, policy);
Expand Down Expand Up @@ -436,7 +436,7 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename,
if (ruleset == NULL) {
debug(LOG_ERR, "Unrecognized FirewallRuleSet name: %s", rulesetname);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}

/* Parsing the rules in the set */
Expand All @@ -459,7 +459,7 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename,
if (p2[0] == '\0') {
debug(LOG_ERR, "FirewallRule incomplete on line %d in %s", *linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
/* terminate first word, point past it */
*p2 = '\0';
Expand All @@ -482,7 +482,7 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename,
default:
debug(LOG_ERR, "Bad option %s parsing FirewallRuleSet on line %d in %s", p1, *linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
break;
}
}
Expand All @@ -492,7 +492,7 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename,
/** @internal
Helper for parse_firewall_ruleset. Parses a single rule in a ruleset
*/
static int
static void
_parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
{
int i;
Expand Down Expand Up @@ -530,7 +530,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
} else {
debug(LOG_ERR, "Invalid rule type %s, expecting "
"\"block\",\"drop\",\"allow\",\"log\" or \"ulog\"", token);
return -1;
exit(1);
}

/* Parse the remainder */
Expand All @@ -549,7 +549,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
if (protocol == NULL ||
!(strncmp(protocol, "tcp", 3) == 0 || strncmp(protocol, "udp", 3) == 0)) {
debug(LOG_ERR, "Port without tcp or udp protocol");
return -3; /*< Fail */
exit(1);
}
TO_NEXT_WORD(leftover, finished);
/* Get port now */
Expand All @@ -560,7 +560,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
all_nums = 0; /*< No longer only digits or : */
if (!all_nums) {
debug(LOG_ERR, "Invalid port %s", port);
return -3; /*< Fail */
exit(1);
}
}

Expand All @@ -581,7 +581,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
if (strcmp(other_kw, "to") || finished) {
debug(LOG_ERR, "Invalid or unexpected keyword %s, "
"expecting \"to\"", other_kw);
return -4; /*< Fail */
exit(1);
}

/* Get IP address/mask now */
Expand All @@ -594,7 +594,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
all_nums = 0; /*< No longer only digits or . or / */
if (!all_nums) {
debug(LOG_ERR, "Invalid mask %s", mask);
return -5; /*< Fail */
exit(1);
}
}

Expand Down Expand Up @@ -625,8 +625,6 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover)
tmp2 = tmp2->next;
tmp2->next = tmp;
}

return 1;
}

int
Expand Down Expand Up @@ -731,7 +729,7 @@ config_read(const char *filename)
if (p1[0] == '\0') {
debug(LOG_ERR, "Option %s requires argument on line %d in %s", s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}

/* terminate option, point past it */
Expand All @@ -749,7 +747,7 @@ config_read(const char *filename)
if (sscanf(p1, "%d", &config.session_timeout) < 1 || config.session_timeout < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oDaemon:
Expand All @@ -762,14 +760,14 @@ config_read(const char *filename)
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s. Valid debuglevel %d..%d",
p1, s, linenum, filename, LOG_EMERG, LOG_DEBUG);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oMaxClients:
if (sscanf(p1, "%d", &config.maxclients) < 1 || config.maxclients < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oGatewayName:
Expand All @@ -790,21 +788,21 @@ config_read(const char *filename)
if (sscanf(p1, "%u", &config.gw_port) < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFasPort:
if (sscanf(p1, "%u", &config.fas_port) < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFasSecureEnabled:
if (sscanf(p1, "%d", &config.fas_secure_enabled) < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFasPath:
Expand All @@ -821,15 +819,15 @@ config_read(const char *filename)
if (!((stat(p1, &sb) == 0) && S_ISREG(sb.st_mode) && (sb.st_mode & S_IXUSR))) {
debug(LOG_ERR, "binauth program does not exist or is not executeable: %s", p1);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oPreAuth:
config.preauth = safe_strdup(p1);
if (!((stat(p1, &sb) == 0) && S_ISREG(sb.st_mode) && (sb.st_mode & S_IXUSR))) {
debug(LOG_ERR, "preauth program does not exist or is not executeable: %s", p1);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFirewallRuleSet:
Expand All @@ -853,7 +851,7 @@ config_read(const char *filename)
else {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oWebRoot:
Expand All @@ -880,14 +878,14 @@ config_read(const char *filename)
if (sscanf(p1, "%d", &config.auth_idle_timeout) < 1 || config.auth_idle_timeout < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oPreauthIdleTimeout:
if (sscanf(p1, "%d", &config.preauth_idle_timeout) < 1 || config.preauth_idle_timeout < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oNdsctlSocket:
Expand All @@ -900,14 +898,14 @@ config_read(const char *filename)
} else {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oMSSValue:
if (sscanf(p1, "%d", &config.mss_value) < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oTrafficControl:
Expand All @@ -916,28 +914,28 @@ config_read(const char *filename)
} else {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oDownloadLimit:
if (sscanf(p1, "%d", &config.download_limit) < 1 || config.download_limit < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oUploadLimit:
if (sscanf(p1, "%d", &config.upload_limit) < 1 || config.upload_limit < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oUploadIFB:
if(sscanf(p1, "%d", &config.upload_ifb) < 1 || config.upload_ifb < 0) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFWMarkAuthenticated:
Expand All @@ -947,7 +945,7 @@ config_read(const char *filename)
config.fw_mark_authenticated == config.fw_mark_trusted) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFWMarkBlocked:
Expand All @@ -957,7 +955,7 @@ config_read(const char *filename)
config.fw_mark_blocked == config.fw_mark_trusted) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oFWMarkTrusted:
Expand All @@ -967,27 +965,27 @@ config_read(const char *filename)
config.fw_mark_trusted == config.fw_mark_blocked) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oCheckInterval:
if (sscanf(p1, "%i", &config.checkinterval) < 1 || config.checkinterval < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oSyslogFacility:
if (sscanf(p1, "%d", &config.syslog_facility) < 1) {
debug(LOG_ERR, "Bad arg %s to option %s on line %d in %s", p1, s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
break;
case oBadOption:
debug(LOG_ERR, "Bad option %s on line %d in %s", s, linenum, filename);
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
break;
}
}
Expand All @@ -1000,13 +998,13 @@ config_read(const char *filename)
// } else {
// debug(LOG_ERR, "fasremoteip - %s - is NOT a valid IPv4 address format...", config.fas_remoteip);
// debug(LOG_ERR, "Exiting...");
// exit(-1);
// exit(1);
// }
} else {
if (config.fas_port == 80) {
debug(LOG_ERR, "Invalid fasport - port 80 is reserved and cannot be used for local FAS...");
debug(LOG_ERR, "Exiting...");
exit(-1);
exit(1);
}
}

Expand Down Expand Up @@ -1430,19 +1428,19 @@ config_validate(void)

if (missing_parms) {
debug(LOG_ERR, "Configuration is not complete, exiting...");
exit(-1);
exit(1);
}

if (config.preauth_idle_timeout > 0 && config.checkinterval >= (60 * config.preauth_idle_timeout) / 2) {
debug(LOG_ERR, "Setting checkinterval (%ds) must be smaller than half of preauth_idle_timeout (%ds)",
config.checkinterval, 60 * config.preauth_idle_timeout);
exit(-1);
exit(1);
}

if (config.auth_idle_timeout > 0 && config.checkinterval >= (60 * config.auth_idle_timeout) / 2) {
debug(LOG_ERR, "Setting checkinterval (%ds) must be smaller than half of auth_idle_timeout (%ds)",
config.checkinterval, 60 * config.auth_idle_timeout);
exit(-1);
exit(1);
}
}

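Review bot: Now that _parse_firewall_rule terminates the process itself instead of returning a status, the five new `exit(1);` calls in the hunks at @@ -530, @@ -549, @@ -560, @@ -581 and @@ -594 are the only exit sites in this change whose preceding message carries neither the config line number nor the file name nor the `"Exiting..."` line that every other site prints, so a refused startup leaves the operator without the location of the offending rule. The helper's signature only takes the ruleset and the remaining text, so the minimal consistent fix is to add `debug(LOG_ERR, "Exiting...");` before each of those five calls; threading the caller's `*linenum` and `filename` through from parse_firewall_ruleset, which already has both, would restore the full position that the old return codes let the caller report. The `break;` statements that follow `exit(1);` in @@ -482 and @@ -957 are unreachable; they predate this change but could be dropped while these sites are being touched. `exit(EXIT_FAILURE)` from <stdlib.h> would express the same uniform status in the portable spelling, if the project prefers it over a bare 1. The body of _parse_firewall_rule begins in @@ -492 and ends in @@ -625, so parts of it lie between the shown hunks.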

0 comments on commit ae3b2f9
