[server] send IPT_*_ACCESS vars through basic validation at fwknopd.conf parse time
authorMichael Rash <mbr@cipherdyne.org>
Mon, 5 Aug 2013 04:00:45 +0000 (00:00 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Mon, 5 Aug 2013 04:00:45 +0000 (00:00 -0400)
server/config_init.c
server/fw_util_iptables.c
server/fw_util_iptables.h
server/fwknopd.conf
test/test-fwknop.pl
test/tests/basic_operations.pl

index 505ffae..b663314 100644 (file)
@@ -462,36 +462,84 @@ validate_options(fko_srv_options_t *opts)
         set_config_entry(opts, CONF_IPT_INPUT_ACCESS,
             DEF_IPT_INPUT_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_INPUT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* IPT output access.
     */
     if(opts->config[CONF_IPT_OUTPUT_ACCESS] == NULL)
         set_config_entry(opts, CONF_IPT_OUTPUT_ACCESS,
             DEF_IPT_OUTPUT_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_OUTPUT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* IPT forward access.
     */
     if(opts->config[CONF_IPT_FORWARD_ACCESS] == NULL)
         set_config_entry(opts, CONF_IPT_FORWARD_ACCESS,
             DEF_IPT_FORWARD_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_FORWARD_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* IPT dnat access.
     */
     if(opts->config[CONF_IPT_DNAT_ACCESS] == NULL)
         set_config_entry(opts, CONF_IPT_DNAT_ACCESS,
             DEF_IPT_DNAT_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_DNAT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* IPT snat access.
     */
     if(opts->config[CONF_IPT_SNAT_ACCESS] == NULL)
         set_config_entry(opts, CONF_IPT_SNAT_ACCESS,
             DEF_IPT_SNAT_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_SNAT_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* IPT masquerade access.
     */
     if(opts->config[CONF_IPT_MASQUERADE_ACCESS] == NULL)
         set_config_entry(opts, CONF_IPT_MASQUERADE_ACCESS,
             DEF_IPT_MASQUERADE_ACCESS);
 
+    if(validate_ipt_chain_conf(opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
+    {
+        log_msg(LOG_ERR,
+            "Invalid IPT_MASQUERADE_ACCESS specification, see fwknopd.conf comments"
+        );
+        clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
+    }
+
     /* Check for the iptables 'comment' match at init time
     */
     if(opts->config[CONF_ENABLE_IPT_COMMENT_CHECK] == NULL)
index 2b05415..142dd28 100644 (file)
@@ -728,18 +728,18 @@ set_fw_chain_conf(const int type, const char * const conf_str)
             else
                 tbuf[i++] = *ndx;
         }
-        ndx++;
         if(*ndx != '\0'
                 && *ndx != ' '
                 && *ndx != ','
                 && *ndx != '_'
                 && isalnum(*ndx) == 0)
         {
-            log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+            log_msg(LOG_ERR, "[*] Custom chain config parse error: "
                 "invalid character '%c' for chain type %i, "
                 "line: %s", *ndx, type, conf_str);
             return 0;
         }
+        ndx++;
     }
 
     /* Sanity check - j should be the number of chain fields
@@ -747,7 +747,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     */
     if(j != FW_NUM_CHAIN_FIELDS)
     {
-        log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+        log_msg(LOG_ERR, "[*] Custom chain config parse error: "
             "wrong number of fields for chain type %i, "
             "line: %s", type, conf_str);
         return 0;
@@ -1499,6 +1499,39 @@ check_firewall_rules(const fko_srv_options_t * const opts)
     }
 }
 
+int
+validate_ipt_chain_conf(const char * const chain_str)
+{
+    int         j, rv  = 1;
+    const char   *ndx  = chain_str;
+
+    j = 1;
+    while(*ndx != '\0')
+    {
+        if(*ndx == ',')
+            j++;
+
+        if(*ndx != '\0'
+                && *ndx != ' '
+                && *ndx != ','
+                && *ndx != '_'
+                && isalnum(*ndx) == 0)
+        {
+            rv = 0;
+            break;
+        }
+        ndx++;
+    }
+
+    /* Sanity check - j should be the number of chain fields
+     * (excluding the type).
+    */
+    if(j != FW_NUM_CHAIN_FIELDS)
+        rv = 0;
+
+    return rv;
+}
+
 #endif /* FIREWALL_IPTABLES */
 
 /***EOF***/
index 1ec1293..127cd65 100644 (file)
@@ -55,6 +55,8 @@
 #define IPT_LIST_RULES_ARGS     "-t %s -L %s --line-numbers -n 2>&1"
 #define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers 2>&1"
 
+int validate_ipt_chain_conf(const char * const chain_str);
+
 #endif /* FW_UTIL_IPTABLES_H */
 
 /***EOF***/
index 7438483..acf7a77 100644 (file)
 # added with the IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS keyword.
 # The format for these variables is:
 #
-#   <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>,\
+#   <Target>,<Table>,<From_chain>,<Jump_rule_position>,\
 #       <To_chain>,<Rule_position>.
 #
 # "Target":
index 65dc374..f410c68 100755 (executable)
@@ -552,7 +552,7 @@ my @tests = (
 
     {
         'category' => 'Look for crashes',
-        'detail'   => 'checking for segfault/core dump messages (1)',
+        'detail'   => 'checking for segfault/core dump messages (2)',
         'function' => \&look_for_crashes,
         'fatal'    => $NO
     }
index 9717b4a..38186ec 100644 (file)
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/wrong\snumber\sof\sfields/i],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain2'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/load\starget.*AACCEPT/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain3'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/Table\sdoes\snot\sexist/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain5'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain6'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },