}
fprintf(stdout, "\n");
+ fflush(stdout);
}
/***EOF***/
);
fprintf(stdout, "\n");
+ fflush(stdout);
}
/* Print usage message...
" --fw-list - List all firewall rules that fwknop has created\n"
" and then exit.\n"
" --fw-list-all - List all firewall rules in the complete policy,\n"
- " including those that have nothing to with fwknop.\n"
+ " including those that have nothing to do with\n"
+ " fwknop.\n"
" --fw-flush - Flush all firewall rules created by fwknop.\n"
"\n"
);
*/
void fw_config_init(fko_srv_options_t *opts);
void fw_initialize(const fko_srv_options_t *opts);
-int fw_cleanup(void);
+int fw_cleanup(const fko_srv_options_t *opts);
void check_firewall_rules(const fko_srv_options_t *opts);
int fw_dump_rules(const fko_srv_options_t *opts);
int process_spa_request(const fko_srv_options_t *opts, spa_data_t *spdat);
}
static int
-ipfw_set_exists(const char *fw_command, const unsigned short set_num)
+ipfw_set_exists(const fko_srv_options_t *opts,
+ const char *fw_command, const unsigned short set_num)
{
int res = 0;
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "ipfw_set_exists() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
if(!EXTCMD_IS_SUCCESS(res))
return(0);
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
opts->fw_config->active_set_num
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nActive Rules:\n");
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
opts->fw_config->expire_set_num
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
printf("\nExpired Rules:\n");
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
/* For now, we just call fw_cleanup to start with clean slate.
*/
- res = fw_cleanup();
+ res = fw_cleanup(opts);
if(res != 0)
{
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added check-state rule %u to set %u",
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
log_msg(LOG_INFO, "Set ipfw set %u to disabled.",
fwc.expire_set_num);
else
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
/* Now read the expire set in case there are existing
* rules to track.
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_initialize() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
if(!EXTCMD_IS_SUCCESS(res))
{
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
return;
}
- if(opts->verbose > 2)
- log_msg(LOG_INFO, "RES=%i, CMD_BUF: %s\nRULES LIST: %s", res, cmd_buf, cmd_out);
+ if(opts->verbose > 1)
+ log_msg(LOG_INFO, "RULES LIST: %s", cmd_out);
/* Find the first "# DISABLED" string (if any).
*/
int
-fw_cleanup(void)
+fw_cleanup(const fko_srv_options_t *opts)
{
int res, got_err = 0;
zero_cmd_buffers();
if(fwc.active_set_num > 0
- && ipfw_set_exists(fwc.fw_command, fwc.active_set_num))
+ && ipfw_set_exists(opts, fwc.fw_command, fwc.active_set_num))
{
/* Create the set delete command for active rules
*/
fwc.active_set_num
);
- //printf("CMD: '%s'\n", cmd_buf);
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_cleanup() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
exp_ts
);
-//--DSS tmp
-//fprintf(stderr, "ADD CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Rule %u for %s, %s expires at %u",
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
if(!EXTCMD_IS_SUCCESS(res))
{
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
return;
}
- if(opts->verbose > 2)
- log_msg(LOG_INFO, "RES=%i, CMD_BUF: %s\nRULES LIST: %s", res, cmd_buf, cmd_out);
+ if(opts->verbose > 1)
+ log_msg(LOG_INFO, "RULES LIST: %s", cmd_out);
/* Find the first _exp_ string (if any).
*/
strlcpy(exp_str, ndx, 11);
rule_exp = (time_t)atoll(exp_str);
-//fprintf(stderr, "RULE_EXP=%u, NOW=%u\n", rule_exp, now);
if(rule_exp <= now)
{
/* Backtrack and get the rule number and delete it.
fwc.expire_set_num
);
-//fprintf(stderr, "MOVE RULE CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Moved rule %s with expire time of %u to set %u.",
fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
}
else
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
else
{
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
if(!EXTCMD_IS_SUCCESS(res))
{
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
return;
}
{
co_end = cmd_out + strlen(cmd_out);
- if(opts->verbose > 2)
- log_msg(LOG_INFO, "RES=%i, CMD_BUF: %s\nEXP RULES LIST: %s", res, cmd_buf, cmd_out);
+ if(opts->verbose > 1)
+ log_msg(LOG_INFO, "EXP RULES LIST: %s", cmd_out);
/* Find the "## Dynamic rules" string.
*/
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "ipfw_purge_expired_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
if(!EXTCMD_IS_SUCCESS(res))
{
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
continue;
}
- log_msg(LOG_INFO, "Purged rule %u from set %u", curr_rule, fwc.expire_set_num);
+ log_msg(LOG_INFO, "Purged rule %u from set %u", curr_rule, fwc.expire_set_num);
fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_FREE;
}
static int
-add_jump_rule(const int chain_num)
+add_jump_rule(const fko_srv_options_t *opts, const int chain_num)
{
int res = 0;
fwc.chain[chain_num].to_chain
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "add_jump_rule() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
log_msg(LOG_INFO, "Added jump rule from chain: %s to chain: %s",
fwc.chain[chain_num].from_chain,
ch[i].table
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
ch[i].to_chain
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = system(cmd_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "fw_dump_rules() CMD: '%s' (res: %d)",
+ cmd_buf, res);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
/* Quietly flush and delete all fwknop custom chains.
*/
static void
-delete_all_chains(void)
+delete_all_chains(const fko_srv_options_t *opts)
{
int i, res;
int jump_rule_num;
jump_rule_num
);
- //printf("CMD: '%s'\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
zero_cmd_buffers();
fwc.chain[i].to_chain
);
- //printf("CMD: '%s'\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "delete_all_chains() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
}
/* Create the fwknop custom chains (at least those that are configured).
*/
static int
-create_fw_chains(void)
+create_fw_chains(const fko_srv_options_t *opts)
{
int i;
int res, got_err = 0;
fwc.chain[i].to_chain
);
- //printf("(%i) CMD: '%s'\n", i, cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "create_fw_chains() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
{
- log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
got_err++;
}
/* Then create the jump rule to that chain.
*/
- res = add_jump_rule(i);
+ res = add_jump_rule(opts, i);
/* Expect full success on this */
if(! EXTCMD_IS_SUCCESS(res))
/* Flush the chains (just in case) so we can start fresh.
*/
- delete_all_chains();
+ delete_all_chains(opts);
/* Now create any configured chains.
*/
- res = create_fw_chains();
+ res = create_fw_chains(opts);
if(res != 0)
{
}
int
-fw_cleanup(void)
+fw_cleanup(const fko_srv_options_t *opts)
{
- delete_all_chains();
+ delete_all_chains(opts);
return(0);
}
* required chain
*/
if(jump_rule_exists(IPT_INPUT_ACCESS) == 0)
- add_jump_rule(IPT_INPUT_ACCESS);
+ add_jump_rule(opts, IPT_INPUT_ACCESS);
if(out_chain->to_chain != NULL && strlen(out_chain->to_chain))
if(jump_rule_exists(IPT_OUTPUT_ACCESS) == 0)
- add_jump_rule(IPT_OUTPUT_ACCESS);
+ add_jump_rule(opts, IPT_OUTPUT_ACCESS);
/* Create an access command for each proto/port for the source ip.
*/
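Review bot: The return value of `add_jump_rule(opts, IPT_INPUT_ACCESS)` and `add_jump_rule(opts, IPT_OUTPUT_ACCESS)` is discarded here, and the same happens at the FORWARD and DNAT call sites later in this file, whereas create_fw_chains checks the result with `EXTCMD_IS_SUCCESS`. If inserting the jump rule fails, the access rule that follows is still added to a chain that presumably nothing jumps to, so the request would appear accepted in the log yet not take effect, and without verbose logging the only trace is whatever add_jump_rule itself logs on the error path, which is not visible in this hunk. Checking it the way create_fw_chains does, e.g. `if(! EXTCMD_IS_SUCCESS(add_jump_rule(opts, IPT_INPUT_ACCESS))) log_msg(LOG_ERR, "Could not add jump rule for chain %i", IPT_INPUT_ACCESS);`, would make that failure diagnosable. process_spa_request starts and ends outside the hunk.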
in_chain->target
);
-//--DSS tmp
-//fprintf(stderr, "ADD CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Rule to %s for %s, %s expires at %u",
out_chain->target
);
-//--DSS tmp
-//fprintf(stderr, "ADD OUTPUT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added OUTPUT Rule to %s for %s, %s expires at %u",
/* Make sure the required jump rule exists
*/
if (jump_rule_exists(IPT_FORWARD_ACCESS) == 0)
- add_jump_rule(IPT_FORWARD_ACCESS);
+ add_jump_rule(opts, IPT_FORWARD_ACCESS);
zero_cmd_buffers();
fwd_chain->target
);
-//--DSS tmp
-//fprintf(stderr, "ADD OUTPUT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added FORWARD Rule to %s for %s, %s expires at %u",
/* Make sure the required jump rule exists
*/
if (jump_rule_exists(IPT_DNAT_ACCESS) == 0)
- add_jump_rule(IPT_DNAT_ACCESS);
+ add_jump_rule(opts, IPT_DNAT_ACCESS);
zero_cmd_buffers();
nat_port
);
-//--DSS tmp
-//fprintf(stderr, "ADD DNAT CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added DNAT Rule to %s for %s, %s expires at %u",
);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "process_spa_request() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Added Source NAT Rule to %s for %s, %s expires at %u",
res = run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(!EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, cmd_out);
continue;
}
- if(opts->verbose > 2)
+ if(opts->verbose > 1)
log_msg(LOG_INFO, "RES=%i, CMD_BUF: %s\nRULES LIST: %s", res, cmd_buf, cmd_out);
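Review bot: The verbose log added after `run_extcmd(cmd_buf, cmd_out, STANDARD_CMD_OUT_BUFSIZE, 0)` prints `err_buf`, but this call writes its output to `cmd_out`, so the `err:` field shows whatever a previous command left in `err_buf` (or an empty string if the buffers were zeroed beforehand), not this command's output. The ipfw variant earlier in this commit uses the right shape: `log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d)", cmd_buf, res);`. The `opts->verbose > 1` message on the last line of the hunk also still repeats `res` and `cmd_buf`, which are now logged at verbose level 1 a few lines above; reducing it to `log_msg(LOG_INFO, "RULES LIST: %s", cmd_out);` matches the ipfw change in the same commit. check_firewall_rules begins and ends outside the hunk.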
ndx = strstr(cmd_out, EXPIRE_COMMENT_PREFIX);
strlcpy(exp_str, ndx, 11);
rule_exp = (time_t)atoll(exp_str);
-//fprintf(stderr, "RULE_EXP=%u, NOW=%u\n", rule_exp, now);
if(rule_exp <= now)
{
/* Backtrack and get the rule number and delete it.
);
-//fprintf(stderr, "DELETE RULE CMD: %s\n", cmd_buf);
res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+
+ if (opts->verbose)
+ log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
+
if(EXTCMD_IS_SUCCESS(res))
{
log_msg(LOG_INFO, "Removed rule %s from %s with expire time of %u.",
}
static void
-delete_all_anchor_rules(void)
+delete_all_anchor_rules(const fko_srv_options_t *opts)
{
int res = 0;
}
int
-fw_cleanup(void)
+fw_cleanup(const fko_srv_options_t *opts)
{
- delete_all_anchor_rules();
+ delete_all_anchor_rules(opts);
return(0);
}
if(opts.fw_flush == 1)
{
fprintf(stdout, "Deleting any existing firewall rules...\n");
- fw_cleanup();
+ fw_cleanup(&opts);
exit(EXIT_SUCCESS);
}
/* Other cleanup.
*/
- fw_cleanup();
+ fw_cleanup(&opts);
free_logging();
#if USE_FILE_CACHE
/* At this point, we assume the SPA data is valid. Now we need to see
* if it meets our access criteria.
*/
- if(opts->verbose > 2)
+ if(opts->verbose > 1)
log_msg(LOG_INFO, "SPA Decode (res=%i):\n%s", res, dump_ctx(ctx));
/* First, if this is a GPG message, and GPG_REMOTE_ID list is not empty,
*/
status = WEXITSTATUS(res);
- if(opts->verbose > 2)
+ if(opts->verbose > 1)
log_msg(LOG_WARNING,
"CMD_EXEC: command returned %i", status);
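Review bot: The `CMD_EXEC` exit status is only reported when `opts->verbose > 1`, so a non-zero exit from the executed command leaves no trace in the server log at the default level unless `status` is acted on further down, which this hunk does not show. Logging failures regardless of verbosity, e.g. `if(status != 0 || opts->verbose > 1)`, keeps a command that did not run as expected visible to the operator. The enclosing function starts and ends outside the hunk.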
/* In case this is a re-init.
*/
free_logging();
-
+
/* Allocate memory for the log_name and set the my_name to point to the
* appropriate name. The name should already be set in the config struct
* but if it is not, fallback to the default as defined by 'MY_NAME'.
&identify_loopback_intf();
my $default_client_args = "LD_LIBRARY_PATH=$lib_dir $fwknopCmd -A tcp/22 -a $fake_ip " .
- "-D $loopback_ip --get-key $local_key_file --verbose";
+ "-D $loopback_ip --get-key $local_key_file --verbose --verbose";
my $default_client_gpg_args = "LD_LIBRARY_PATH=$lib_dir $default_client_args " .
"--gpg-recipient-key $gpg_server_key " .
"-d $default_digest_file -p $default_pid_file";
my $default_server_gpg_args = "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd -c $default_conf " .
- "-a $gpg_access_conf -i $loopback_intf --foreground --verbose " .
+ "-a $gpg_access_conf -i $loopback_intf --foreground --verbose --verbose " .
"-d $default_digest_file -p $default_pid_file";
### point the compiled binaries at the local libary path
'err_msg' => 'start error',
'function' => \&server_start,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'err_msg' => 'stop error',
'function' => \&server_stop,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'err_msg' => 'did not write PID',
'function' => \&write_pid,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
'err_msg' => 'did not exit after one packet',
'function' => \&server_packet_limit,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --packet-limit 1 --foreground --verbose",
+ "-i $loopback_intf --packet-limit 1 --foreground --verbose --verbose",
'fatal' => $NO
},
{
'err_msg' => 'did not ignore small packets',
'function' => \&server_ignore_small_packets,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --packet-limit 1 --foreground --verbose",
+ "-i $loopback_intf --packet-limit 1 --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&server_bpf_ignore_packet,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --packet-limit 1 --foreground --verbose " .
+ "-i $loopback_intf --packet-limit 1 --foreground --verbose --verbose " .
qq|-P "udp port $non_std_spa_port"|,
'fatal' => $NO
},
'function' => \&spa_cycle,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&spa_over_non_std_port,
'cmdline' => "$default_client_args --server-port $non_std_spa_port",
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose " .
+ "-i $loopback_intf --foreground --verbose --verbose " .
qq|-P "udp port $non_std_spa_port"|,
'fatal' => $NO
},
'function' => \&replay_detection,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&altered_non_base64_spa_data,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&altered_base64_spa_data,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&appended_spa_data,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
{
'function' => \&prepended_spa_data,
'cmdline' => $default_client_args,
'fwknopd_cmdline' => "LD_LIBRARY_PATH=$lib_dir $fwknopdCmd $default_server_conf_args " .
- "-i $loopback_intf --foreground --verbose",
+ "-i $loopback_intf --foreground --verbose --verbose",
'fatal' => $NO
},
my $rv = &client_server_interaction($test_hr, [],
$USE_CLIENT, $REQUIRE_FW_RULE, $NO_FORCE_STOP);
- sleep 2;
+ sleep 3;
### the firewall rule should be timed out (3 second timeout
### as defined in the access.conf file
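Review bot: `sleep 3` now equals the 3-second rule timeout the comment refers to, so whether the rule has already been removed when `is_fw_rule_active` runs depends on how often the server's expiry check fires and on scheduling, neither of which is visible here. A margin (for example `sleep 4`), or polling `is_fw_rule_active` with an upper bound until the rule disappears, would make the test less timing-sensitive. The enclosing test function starts and ends outside the hunk.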
sub spa_over_non_std_port() {
my $test_hr = shift;
- my $rv = &client_server_interaction($test_hr, [],
- $USE_CLIENT, $REQUIRE_FW_RULE, $NO_FORCE_STOP);
-
- sleep 2;
-
- ### the firewall rule should be timed out (3 second timeout
- ### as defined in the access.conf file
- if (&is_fw_rule_active()) {
- &write_test_file("[-] new fw rule not timed out.\n");
- $rv = 0;
- } else {
- &write_test_file("[+] new fw rule timed out.\n");
- }
-
- if (&is_fwknopd_running()) {
- &stop_fwknopd();
- unless (&file_find_regex([qr/Got\sSIGTERM/],
- $server_test_file)) {
- $rv = 0;
- }
- } else {
- &write_test_file("[-] server is not running.\n");
- $rv = 0;
- }
+ my $rv = &spa_cycle($test_hr);
unless (&file_find_regex([qr/PCAP\sfilter.*\s$non_std_spa_port/],
$server_test_file)) {
sub is_fw_rule_active() {
return 1 if &run_cmd("LD_LIBRARY_PATH=$lib_dir $fwknopdCmd " .
"$default_server_conf_args " .
- "--fw-list | grep $fake_ip |grep _exp_",
+ qq{--fw-list | grep -v "# DISABLED" |grep $fake_ip |grep _exp_},
$cmd_out_tmp, $current_test_file);
return 0;
}
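Review bot: In the rewritten pipeline `grep $fake_ip` treats the address as a basic regular expression, so each `.` matches any character and the match is unanchored, meaning a rule for a different address that happens to fit the pattern would count as active. `grep -F -- "$fake_ip"` (fixed string) avoids that, and `grep -v -F "# DISABLED"` would be consistent for the new filter. Minor for a test helper, but it makes the rule-active check stricter.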