[server] update fw_config_init() to allow access stanza key information to be zeroed...
authorMichael Rash <mbr@cipherdyne.org>
Sat, 6 Jul 2013 19:05:09 +0000 (15:05 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Sat, 6 Jul 2013 19:05:09 +0000 (15:05 -0400)
server/fw_util.h
server/fw_util_ipf.c
server/fw_util_ipfw.c
server/fw_util_iptables.c
server/fw_util_pf.c
server/fwknopd.c

index fcfe9b2..05068a5 100644 (file)
@@ -60,7 +60,7 @@
  *       They should be implemented in each of the corresponding
  *       fw_util_<fw-type>.c files.
 */
-void fw_config_init(fko_srv_options_t * const opts);
+int fw_config_init(fko_srv_options_t * const opts);
 int fw_initialize(const fko_srv_options_t * const opts);
 int fw_cleanup(const fko_srv_options_t * const opts);
 void check_firewall_rules(const fko_srv_options_t * const opts);
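Review bot: The prototype now returns int, but the comment block ending just above it says nothing about the return convention, so a reader of the header cannot tell whether 0 or non-zero means success. From the definitions in the other sections the contract appears to be 1 on success and 0 when a firewall configuration value is rejected, with the caller expected to terminate; that is worth stating next to the declaration, e.g. `/* Returns 1 on success, 0 if a firewall config value is invalid (caller is expected to exit). */`. Whether any other return values are possible is not visible from this diff, so confirm against the definitions before documenting.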
index 8a7e4c0..94736ff 100644 (file)
@@ -78,7 +78,7 @@ fw_config_init(fko_srv_options_t *opts)
     */
     opts->fw_config = &fwc;
 
-    return;
+    return 1;
 }
 
 void
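Review bot: This hunk changes `return;` to `return 1;` but no hunk in this file changes the return type of the definition, whose first line sits above the hunk (the `@@` context shows only `fw_config_init(fko_srv_options_t *opts)`); if that line still reads `void`, as the separate-line `void` style visible elsewhere in this diff suggests, a return with a value in a void function is a constraint violation and this file will not build. The same pattern appears in the fw_util_ipfw.c and fw_util_pf.c sections, where the `exit(EXIT_FAILURE)` and `return` lines are updated without any visible `-void`/`+int` change, while the fw_util_iptables.c section does include that change. If the definitions are indeed still `void`, each needs the one-line change `int` in place of `void` above `fw_config_init`. The body of fw_config_init begins outside this hunk.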
index bfd8a82..14c1c8c 100644 (file)
@@ -193,7 +193,7 @@ fw_config_init(fko_srv_options_t * const opts)
     {
         log_msg(LOG_ERR, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].",
                 opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES],
@@ -202,7 +202,7 @@ fw_config_init(fko_srv_options_t * const opts)
     {
         log_msg(LOG_ERR, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].",
                 opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM],
@@ -211,7 +211,7 @@ fw_config_init(fko_srv_options_t * const opts)
     {
         log_msg(LOG_ERR, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].",
                 opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM],
@@ -220,7 +220,7 @@ fw_config_init(fko_srv_options_t * const opts)
     {
         log_msg(LOG_ERR, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].",
                 opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
@@ -230,14 +230,14 @@ fw_config_init(fko_srv_options_t * const opts)
         log_msg(LOG_ERR, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].",
                 opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0,
                 RCHK_MAX_IPFW_PURGE_INTERVAL);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     /* Let us find it via our opts struct as well.
     */
     opts->fw_config = &fwc;
 
-    return;
+    return 1;
 }
 
 void
index 8da0fc9..aca7422 100644 (file)
@@ -421,7 +421,7 @@ create_fw_chains(const fko_srv_options_t * const opts)
     return(got_err);
 }
 
-static void
+static int
 set_fw_chain_conf(const int type, const char * const conf_str)
 {
     int i, j, is_err;
@@ -435,7 +435,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     if(conf_str == NULL)
     {
         log_msg(LOG_ERR, "[*] NULL conf_str.");
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     chain->type = type;
@@ -468,7 +468,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
         log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n"
             "Wrong number of fields for chain type %i\n"
             "Line: %s", type, conf_str);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     /* Pull and set Target */
@@ -487,7 +487,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     {
         log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s",
             conf_str);
-        exit(EXIT_FAILURE);
+        return 0;
     }
 
     /* Pull and set To_chain */
@@ -500,11 +500,12 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     {
         log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s",
             conf_str);
-        exit(EXIT_FAILURE);
+        return 0;
     }
+    return 1;
 }
 
-void
+int
 fw_config_init(fko_srv_options_t * const opts)
 {
 
@@ -518,20 +519,25 @@ fw_config_init(fko_srv_options_t * const opts)
      * config struct.  The IPT_INPUT is the only one that is
      * required. The rest are optional.
     */
-    set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]);
+    if(set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
+        return 0;
 
     /* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y
     */
     if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1)==0)
-        set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]);
+        if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
+            return 0;
 
     /* The remaining access chains require ENABLE_IPT_FORWARDING = Y
     */
     if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
     {
 
-        set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]);
-        set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]);
+        if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
+            return 0;
+
+        if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
+            return 0;
 
         /* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y
         */
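Review bot: The new early return under the `strncasecmp(... "Y", 1)` check is an unbraced `if` whose body is itself an `if`, which invites a dangling-else mistake the next time an `else` is added here; the commit braces the equivalent SNAT/MASQUERADE branches a few lines later, so this one should match. Proposed form: `if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1)==0)` / `{ if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1) return 0; }` with the return on its own line. The set_fw_chain_conf failures already log the offending line before returning 0, so the early return itself needs no extra message. fw_config_init continues past the end of this hunk.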
@@ -545,11 +551,17 @@ fw_config_init(fko_srv_options_t * const opts)
              *             this.
              *
             */
-            if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL
-              && strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)!=0)
-                set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]);
+            if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
+              && (strncasecmp(opts->config[CONF_SNAT_TRANSLATE_IP], "__CHANGEME__", 10)) != 0)
+            {
+                if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
+                    return 0;
+            }
             else
-                set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]);
+            {
+                if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
+                    return 0;
+            }
         }
     }
 
@@ -557,7 +569,7 @@ fw_config_init(fko_srv_options_t * const opts)
     */
     opts->fw_config = &fwc;
 
-    return;
+    return 1;
 }
 
 int
index 2d0b01f..273ba7d 100644 (file)
@@ -159,7 +159,7 @@ fw_config_init(fko_srv_options_t * const opts)
     */
     opts->fw_config = &fwc;
 
-    return;
+    return 1;
 }
 
 void
index b3890fe..c600b39 100644 (file)
@@ -181,7 +181,8 @@ main(int argc, char **argv)
          * via fw_rules_dump() in --fw-list mode before changing around any rules
          * of an existing fwknopd process.
         */
-        fw_config_init(&opts);
+        if(fw_config_init(&opts) != 1)
+            clean_exit(&opts, FW_CLEANUP, EXIT_FAILURE);
 
         if(opts.fw_list == 1 || opts.fw_list_all == 1)
         {
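Review bot: On a failed fw_config_init() the new call passes FW_CLEANUP to clean_exit(), yet at that point no firewall rules have been created and, from the other sections, `opts->fw_config = &fwc;` is only assigned on the success path, so the cleanup code may run against an unset or partially filled firewall config. If clean_exit()'s cleanup path reads opts->fw_config or tries to flush chains that were never set up, that is a NULL dereference or a spurious firewall change; consider whether the flag that skips firewall cleanup (`NO_FW_CLEANUP`, if that is its counterpart in this codebase) is the right choice here, or confirm that the cleanup path tolerates a missing config. main() extends beyond this hunk, so the surrounding init order cannot be checked from the diff.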