Continue atoi() replacement with strtol() wrapper, closes issue #21
authorMichael Rash <mbr@cipherdyne.org>
Wed, 20 Feb 2013 04:11:01 +0000 (23:11 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Wed, 20 Feb 2013 04:11:01 +0000 (23:11 -0500)
This commit completes the conversion to the strtol() wrapper function in order
to remove all atoi() calls.  In addition, variable max values are enforced
using more broadly defined RCHK_* values.

15 files changed:
client/config_init.c
client/fwknop.c
client/http_resolve_host.c
client/spa_comm.c
lib/fko_decode.c
lib/fko_util.c
server/access.c
server/config_init.c
server/config_init.h
server/fw_util_ipfw.c
server/fw_util_iptables.c
server/fwknopd.c
server/fwknopd_common.h
server/incoming_spa.c
server/pcap_capture.c

index d7232d5..38ea0f2 100644 (file)
@@ -139,7 +139,8 @@ parse_time_offset(const char *offset_str)
         exit(EXIT_FAILURE);
     }
 
-    offset = strtol_wrapper(offset_digits, 0, (2 << 15), EXIT_UPON_ERR, &is_err);
+    offset = strtol_wrapper(offset_digits, 0, (2 << 15),
+            EXIT_UPON_ERR, &is_err);
 
     /* Apply the offset_type value
     */
@@ -831,10 +832,11 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 break;
             case 'f':
                 options->fw_timeout = strtol_wrapper(optarg, 0,
-                        (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+                        (2 << 16), NO_EXIT_UPON_ERR, &is_err);
                 if(is_err != FKO_SUCCESS)
                 {
-                    fprintf(stderr, "--fw-timeout must be >= 0\n");
+                    fprintf(stderr, "--fw-timeout must be within [%d-%d]\n",
+                            0, (2 << 16));
                     exit(EXIT_FAILURE);
                 }
                 break;
@@ -858,12 +860,14 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
             case 'K':
                 options->key_gen = 1;
                 strlcpy(options->key_gen_file, optarg, MAX_PATH_LEN);
+                break;
             case SPA_ICMP_TYPE:
                 options->spa_icmp_type = strtol_wrapper(optarg, 0,
                         MAX_ICMP_TYPE, NO_EXIT_UPON_ERR, &is_err);
                 if(is_err != FKO_SUCCESS)
                 {
-                    fprintf(stderr, "Unrecognized icmp type value: %s\n", optarg);
+                    fprintf(stderr, "Invalid icmp type '%s', must be in [%d-%d]\n",
+                            optarg, 0, MAX_ICMP_TYPE);
                     exit(EXIT_FAILURE);
                 }
                 break;
@@ -872,7 +876,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                         MAX_ICMP_CODE, NO_EXIT_UPON_ERR, &is_err);
                 if(is_err != FKO_SUCCESS)
                 {
-                    fprintf(stderr, "Unrecognized icmp code value: %s\n", optarg);
+                    fprintf(stderr, "Invalid icmp code '%s', must be in [%d-%d]\n",
+                            optarg, 0, MAX_ICMP_CODE);
                     exit(EXIT_FAILURE);
                 }
                 break;
@@ -911,12 +916,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 break;
             case 'p':
                 options->spa_dst_port = strtol_wrapper(optarg, 0,
-                        MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
-                if(is_err != FKO_SUCCESS)
-                {
-                    fprintf(stderr, "Unrecognized port: %s\n", optarg);
-                    exit(EXIT_FAILURE);
-                }
+                        MAX_PORT, EXIT_UPON_ERR, &is_err);
                 break;
             case 'P':
                 if((options->spa_proto = proto_strtoint(optarg)) < 0)
@@ -956,12 +956,7 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 break;
             case 'S':
                 options->spa_src_port = strtol_wrapper(optarg, 0,
-                        MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
-                if(is_err != FKO_SUCCESS)
-                {
-                    fprintf(stderr, "Unrecognized port: %s\n", optarg);
-                    exit(EXIT_FAILURE);
-                }
+                        MAX_PORT, EXIT_UPON_ERR, &is_err);
                 break;
             case 'T':
                 options->test = 1;
@@ -1002,12 +997,8 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 options->nat_rand_port = 1;
                 break;
             case NAT_PORT:
-                options->nat_port = strtol_wrapper(optarg, 0, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
-                if(is_err != FKO_SUCCESS)
-                {
-                    fprintf(stderr, "Unrecognized port: %s\n", optarg);
-                    exit(EXIT_FAILURE);
-                }
+                options->nat_port = strtol_wrapper(optarg, 0,
+                        MAX_PORT, EXIT_UPON_ERR, &is_err);
                 break;
             case TIME_OFFSET_PLUS:
                 options->time_offset_plus = parse_time_offset(optarg);
index 5601594..7fa047a 100644 (file)
@@ -523,7 +523,7 @@ get_rand_port(fko_ctx_t ctx)
 
     strlcpy(port_str, rand_val, 6);
 
-    tmpint = strtol_wrapper(port_str, 0, 0, NO_EXIT_UPON_ERR, &is_err);
+    tmpint = strtol_wrapper(port_str, 0, -1, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         fprintf(stderr,
index 8abcb37..5903a63 100644 (file)
@@ -225,7 +225,7 @@ parse_url(char *res_url, struct url* url)
     */
     if(strncasecmp(res_url, "https", 5) == 0)
     {
-        fprintf(stderr, "https is not yet supported for http-resolve-ip.\n");
+        fprintf(stderr, "[*] https is not yet supported for http-resolve-ip.\n");
         return(-1);
     }
 
@@ -244,7 +244,9 @@ parse_url(char *res_url, struct url* url)
         port = strtol_wrapper(e_ndx+1, 1, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
         if(is_err != FKO_SUCCESS)
         {
-            fprintf(stderr, "resolve-url port value is invalid.\n");
+            fprintf(stderr,
+                "[*] resolve-url port value is invalid, must be in [%d-%d]\n",
+                1, MAX_PORT);
             return(-1);
         }
 
index 2c703a4..1f88b48 100644 (file)
@@ -558,10 +558,12 @@ send_spa_packet_http(const char *spa_data, const int sd_len,
         if(ndx)
         {
             *ndx = '\0';
-            proxy_port = strtol_wrapper(ndx+1, 0, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
+            proxy_port = strtol_wrapper(ndx+1, 1, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
             if(is_err != FKO_SUCCESS)
             {
-                fprintf(stderr, "proxy port value is invalid.\n");
+                fprintf(stderr,
+                    "[-] proxy port value is invalid, must be in [%d-%d]\n",
+                    1, MAX_PORT);
                 return 0;
             }
         }
index d645741..fc5a5ec 100644 (file)
@@ -228,7 +228,7 @@ fko_decode_spa_data(fko_ctx_t ctx)
     strlcpy(tbuf, ndx, t_size+1);
 
     ctx->timestamp = (unsigned int) strtol_wrapper(tbuf,
-            0, 0, NO_EXIT_UPON_ERR, &is_err);
+            0, -1, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         free(tbuf);
index c4fccda..e1ad989 100644 (file)
@@ -95,6 +95,8 @@ strtol_wrapper(const char * const str, const int min,
         if(exit_upon_err == EXIT_UPON_ERR)
         {
             perror("strtol");
+            fprintf(stderr, "[*] Value %d out of range %d - %d\n",
+                val, min, max);
             exit(EXIT_FAILURE);
         }
     }
@@ -110,10 +112,10 @@ strtol_wrapper(const char * const str, const int min,
         }
     }
 
-    /* allow max==0 to be an exception where we don't care about the
+    /* allow max == -1 to be an exception where we don't care about the
      * maximum - note that the ERANGE check is still in place above
     */
-    if((max > 0) && (val > max))
+    if((max >= 0) && (val > max))
     {
         *err = FKO_ERROR_INVALID_DATA;
         if(exit_upon_err == EXIT_UPON_ERR)
index 0abe4e8..bf2726f 100644 (file)
@@ -249,7 +249,7 @@ add_source_mask(fko_srv_options_t *opts, acc_stanza_t *acc, const char *ip)
                 return 0;
             }
 
-            mask = strtol_wrapper(ndx+1, 0, 0, NO_EXIT_UPON_ERR, &is_err);
+            mask = strtol_wrapper(ndx+1, 0, -1, NO_EXIT_UPON_ERR, &is_err);
             if(is_err != FKO_SUCCESS)
             {
                 fprintf(stderr,
@@ -395,7 +395,8 @@ parse_proto_and_port(char *pstr, int *proto, int *port)
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR,
-            "Invalid port in access request: %s", pstr);
+            "Invalid port '%s' in access request, must be in [%d,%d]",
+            pstr, 0, MAX_PORT);
         return(-1);
     }
 
@@ -1074,7 +1075,7 @@ parse_access_file(fko_srv_options_t *opts)
         else if(CONF_VAR_IS(var, "FW_ACCESS_TIMEOUT"))
         {
             curr_acc->fw_access_timeout = strtol_wrapper(val, 0,
-                    (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+                    RCHK_MAX_FW_TIMEOUT, NO_EXIT_UPON_ERR, &is_err);
             if(is_err != FKO_SUCCESS)
             {
                 fprintf(stderr,
index 6cb27f2..dff1e7a 100644 (file)
@@ -770,7 +770,7 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
                 break;
             case 'C':
                 opts->packet_ctr_limit = strtol_wrapper(optarg,
-                        0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+                        0, (2 << 30), NO_EXIT_UPON_ERR, &is_err);
                 if(is_err != FKO_SUCCESS)
                 {
                     fprintf(stderr,
index c3eb94e..7cf979e 100644 (file)
 #include <getopt.h>
 #include <sys/stat.h>
 
-/* For integer variable range checking
-*/
-#define RCHK_MAX_PCAP_LOOP_SLEEP            10000000  /* microseconds, 10 seconds */
-#define RCHK_MAX_SPA_PACKET_AGE             100000  /* seconds, can disable */
-#define RCHK_MAX_SNIFF_BYTES                1514
-#define RCHK_MAX_TCPSERV_PORT               65535
-
-#if FIREWALL_IPFW
-  #define RCHK_MAX_IPFW_START_RULE_NUM      65535
-  #define RCHK_MAX_IPFW_MAX_RULES           10000
-  #define RCHK_MAX_IPFW_SET_NUM             31
-  #define RCHK_MAX_IPFW_PURGE_INTERVAL      65535
-#elif FIREWALL_PF
-  #define RCHK_MAX_PF_EXPIRE_INTERVAL       65535
-#endif
-
 /* Function Prototypes
 */
 void config_init(fko_srv_options_t *opts, int argc, char **argv);
index 6a8b05b..a9c84c1 100644 (file)
@@ -183,6 +183,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
 void
 fw_config_init(fko_srv_options_t * const opts)
 {
+    int         is_err;
 
     memset(&fwc, 0x0, sizeof(struct fw_config));
 
@@ -190,11 +191,51 @@ fw_config_init(fko_srv_options_t * const opts)
     */
     strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE], MAX_PATH_LEN);
 
-    fwc.start_rule_num = atoi(opts->config[CONF_IPFW_START_RULE_NUM]);
-    fwc.max_rules      = atoi(opts->config[CONF_IPFW_MAX_RULES]);
-    fwc.active_set_num = atoi(opts->config[CONF_IPFW_ACTIVE_SET_NUM]);
-    fwc.expire_set_num = atoi(opts->config[CONF_IPFW_EXPIRE_SET_NUM]);
-    fwc.purge_interval = atoi(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL]);
+    fwc.start_rule_num = strtol_wrapper(opts->config[CONF_IPFW_START_RULE_NUM],
+            0, RCHK_MAX_IPFW_MAX_RULES, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        fprintf(stderr, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].\n",
+                opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES);
+        exit(EXIT_FAILURE);
+    }
+
+    fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES],
+            0, RCHK_MAX_IPFW_MAX_RULES, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        fprintf(stderr, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].\n",
+                opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES);
+        exit(EXIT_FAILURE);
+    }
+
+    fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM],
+            0, RCHK_MAX_IPFW_SET_NUM, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        fprintf(stderr, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].\n",
+                opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
+        exit(EXIT_FAILURE);
+    }
+
+    fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM],
+            0, RCHK_MAX_IPFW_SET_NUM, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        fprintf(stderr, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].\n",
+                opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
+        exit(EXIT_FAILURE);
+    }
+
+    fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
+            0, RCHK_MAX_IPFW_PURGE_INTERVAL, NO_EXIT_UPON_ERR, &is_err);
+    if(is_err != FKO_SUCCESS)
+    {
+        fprintf(stderr, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].\n",
+                opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0,
+                RCHK_MAX_IPFW_PURGE_INTERVAL);
+        exit(EXIT_FAILURE);
+    }
 
     /* Let us find it via our opts struct as well.
     */
@@ -206,7 +247,7 @@ fw_config_init(fko_srv_options_t * const opts)
 void
 fw_initialize(const fko_srv_options_t * const opts)
 {
-    int             res = 0;
+    int             res = 0, is_err;
     unsigned short  curr_rule;
     char           *ndx;
 
@@ -332,13 +373,16 @@ fw_initialize(const fko_srv_options_t * const opts)
 
         if(isdigit(*ndx))
         {
-            curr_rule = atoi(ndx);
+            curr_rule = strtol_wrapper(ndx, 0, -1, NO_EXIT_UPON_ERR, &is_err);
 
-            if(curr_rule >= fwc.start_rule_num
-              && curr_rule < fwc.start_rule_num + fwc.max_rules)
+            if(is_err == FKO_SUCCESS)
             {
-                fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
-                fwc.total_rules++;
+                if(curr_rule >= fwc.start_rule_num
+                  && curr_rule < fwc.start_rule_num + fwc.max_rules)
+                {
+                    fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+                    fwc.total_rules++;
+                }
             }
         }
         else
@@ -350,7 +394,6 @@ fw_initialize(const fko_srv_options_t * const opts)
     }
 }
 
-
 int
 fw_cleanup(const fko_srv_options_t * const opts)
 {
@@ -559,7 +602,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
     char            rule_num_str[6];
     char           *ndx, *rn_start, *rn_end, *tmp_mark;
 
-    int             i=0, res=0;
+    int             i=0, res=0, is_err;
     time_t          now, rule_exp, min_exp = 0;
     unsigned short  curr_rule;
 
@@ -683,37 +726,44 @@ check_firewall_rules(const fko_srv_options_t * const opts)
 
             strlcpy(rule_num_str, rn_start, (rn_end - rn_start)+1);
 
-            curr_rule = atoi(rule_num_str);
+            curr_rule = strtol_wrapper(rule_num_str, 0, -1, NO_EXIT_UPON_ERR, &is_err);
 
-            zero_cmd_buffers();
+            if(is_err == FKO_SUCCESS)
+            {
+                zero_cmd_buffers();
 
-            /* Move the rule to the expired rules set.
-            */
-            snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_MOVE_RULE_ARGS,
-                opts->fw_config->fw_command,
-                curr_rule,
-                fwc.expire_set_num
-            );
+                /* Move the rule to the expired rules set.
+                */
+                snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_MOVE_RULE_ARGS,
+                    opts->fw_config->fw_command,
+                    curr_rule,
+                    fwc.expire_set_num
+                );
 
-            res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+                res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
 
-            if (opts->verbose)
-                log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
-                    cmd_buf, res, err_buf);
+                if (opts->verbose)
+                    log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
+                        cmd_buf, res, err_buf);
 
-            if(EXTCMD_IS_SUCCESS(res))
-            {
-                log_msg(LOG_INFO, "Moved rule %s with expire time of %u to set %u.",
-                    rule_num_str, rule_exp, fwc.expire_set_num
-                );
+                if(EXTCMD_IS_SUCCESS(res))
+                {
+                    log_msg(LOG_INFO, "Moved rule %s with expire time of %u to set %u.",
+                        rule_num_str, rule_exp, fwc.expire_set_num
+                    );
 
-                if (fwc.active_rules > 0)
-                    fwc.active_rules--;
+                    if (fwc.active_rules > 0)
+                        fwc.active_rules--;
 
-                fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+                    fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+                }
+                else
+                    log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
             }
             else
+            {
                 log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+            }
         }
         else
         {
@@ -745,9 +795,7 @@ void
 ipfw_purge_expired_rules(const fko_srv_options_t *opts)
 {
     char           *ndx, *co_end;
-
-    int             i, res;
-
+    int             i, res, is_err;
     unsigned short  curr_rule;
 
     /* First, we get the current active dynamic rules for the expired rule
@@ -825,11 +873,14 @@ ipfw_purge_expired_rules(const fko_srv_options_t *opts)
             */
             if(isdigit(*ndx))
             {
-                curr_rule = atoi(ndx);
-
-                if(curr_rule >= fwc.start_rule_num
-                  && curr_rule < fwc.start_rule_num + fwc.max_rules)
-                    fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_TMP_MARKED;
+                curr_rule = strtol_wrapper(ndx, 0, -1, NO_EXIT_UPON_ERR, &is_err);
+
+                if(is_err == FKO_SUCCESS)
+                {
+                    if(curr_rule >= fwc.start_rule_num
+                      && curr_rule < fwc.start_rule_num + fwc.max_rules)
+                        fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_TMP_MARKED;
+                }
             }
 
             ndx = strchr(ndx, '\n');
index 5569c7a..f7091b3 100644 (file)
@@ -492,7 +492,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
 
     /* Pull and set Jump_rule_position */
     chain->jump_rule_pos = strtol_wrapper(chain_fields[3],
-            0, (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+            0, RCHK_MAX_IPT_RULE_NUM, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s\n",
@@ -505,7 +505,7 @@ set_fw_chain_conf(const int type, const char * const conf_str)
 
     /* Pull and set to_chain rule position */
     chain->rule_pos = strtol_wrapper(chain_fields[5],
-            0, (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+            0, RCHK_MAX_IPT_RULE_NUM, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s\n",
@@ -1159,7 +1159,7 @@ check_firewall_rules(const fko_srv_options_t * const opts)
 
                 strlcpy(rule_num_str, rn_start, (rn_end - rn_start)+1);
 
-                rule_num = strtol_wrapper(rule_num_str, rn_offset, (2 << 15),
+                rule_num = strtol_wrapper(rule_num_str, rn_offset, RCHK_MAX_IPT_RULE_NUM,
                         NO_EXIT_UPON_ERR, &is_err);
                 if(is_err != FKO_SUCCESS)
                 {
index 1b3d6dd..bf4e1bd 100644 (file)
@@ -691,7 +691,7 @@ get_running_pid(const fko_srv_options_t *opts)
             buf[PID_BUFLEN-1] = '\0';
             /* max pid value is configurable on Linux
             */
-            rpid = (pid_t) strtol_wrapper(buf, 0, (2 << 31),
+            rpid = (pid_t) strtol_wrapper(buf, 0, (2 << 30),
                     NO_EXIT_UPON_ERR, &is_err);
             if(is_err != FKO_SUCCESS)
                 rpid = 0;
index 7a5b8ec..7ad8274 100644 (file)
 
 #define DEF_FW_ACCESS_TIMEOUT           30
 
+/* For integer variable range checking
+*/
+#define RCHK_MAX_PCAP_LOOP_SLEEP        (2 << 22)
+#define RCHK_MAX_SPA_PACKET_AGE         100000  /* seconds, can disable */
+#define RCHK_MAX_SNIFF_BYTES            (2 << 14)
+#define RCHK_MAX_TCPSERV_PORT           ((2 << 16) - 1)
+#define RCHK_MAX_PCAP_DISPATCH_COUNT    (2 << 22)
+#define RCHK_MAX_FW_TIMEOUT             (2 << 22)
+
 /* Iptables-specific defines
 */
 #if FIREWALL_IPTABLES
   #define DEF_IPT_SNAT_ACCESS           "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
   #define DEF_IPT_MASQUERADE_ACCESS     "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
 
+  #define RCHK_MAX_IPT_RULE_NUM         (2 << 15)
+
 /* Ipfw-specific defines
 */
 #elif FIREWALL_IPFW
   #define DEF_FLUSH_IPFW_AT_INIT         "Y"
   #define DEF_FLUSH_IPFW_AT_EXIT         "Y"
   #define DEF_IPFW_START_RULE_NUM        "10000"
-  #define DEF_IPFW_MAX_RULES             "1000"
+  #define DEF_IPFW_MAX_RULES             "65535"
   #define DEF_IPFW_ACTIVE_SET_NUM        "1"
   #define DEF_IPFW_EXPIRE_SET_NUM        "2"
   #define DEF_IPFW_EXPIRE_PURGE_INTERVAL "30"
   #define DEF_IPFW_ADD_CHECK_STATE       "N"
 
+  #define RCHK_MAX_IPFW_START_RULE_NUM   ((2 << 16) - 1)
+  #define RCHK_MAX_IPFW_MAX_RULES        ((2 << 16) - 1)
+  #define RCHK_MAX_IPFW_SET_NUM          ((2 << 5) - 1)
+  #define RCHK_MAX_IPFW_PURGE_INTERVAL   ((2 << 16) - 1)
+
 #elif FIREWALL_PF
 
-  #define DEF_PF_ANCHOR_NAME "fwknop"
-  #define DEF_PF_EXPIRE_INTERVAL "30"
+  #define DEF_PF_ANCHOR_NAME             "fwknop"
+  #define DEF_PF_EXPIRE_INTERVAL         "30"
+
+  #define RCHK_MAX_PF_EXPIRE_INTERVAL    ((2 << 16) - 1)
 
 #elif FIREWALL_IPF
 
index 561c237..fa8b304 100644 (file)
@@ -295,7 +295,7 @@ incoming_spa(fko_srv_options_t *opts)
     if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
     {
         conf_pkt_age = strtol_wrapper(opts->config[CONF_MAX_SPA_PACKET_AGE],
-                0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+                0, RCHK_MAX_SPA_PACKET_AGE, NO_EXIT_UPON_ERR, &is_err);
         if(is_err != FKO_SUCCESS)
         {
             log_msg(LOG_ERR, "[*] invalid MAX_SPA_PACKET_AGE\n");
index d78cf64..d5d1af7 100644 (file)
@@ -70,7 +70,7 @@ pcap_capture(fko_srv_options_t *opts)
 #endif
 
     useconds = strtol_wrapper(opts->config[CONF_PCAP_LOOP_SLEEP],
-            0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+            0, RCHK_MAX_PCAP_LOOP_SLEEP, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR, "[*] invalid PCAP_LOOP_SLEEP_value\n");
@@ -78,7 +78,7 @@ pcap_capture(fko_srv_options_t *opts)
     }
 
     max_sniff_bytes = strtol_wrapper(opts->config[CONF_MAX_SNIFF_BYTES],
-            0, (2 << 14), NO_EXIT_UPON_ERR, &is_err);
+            0, RCHK_MAX_SNIFF_BYTES, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR, "[*] invalid MAX_SNIFF_BYTES\n");
@@ -196,7 +196,7 @@ pcap_capture(fko_srv_options_t *opts)
     }
 
     pcap_dispatch_count = strtol_wrapper(opts->config[CONF_PCAP_DISPATCH_COUNT],
-            0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+            0, RCHK_MAX_PCAP_DISPATCH_COUNT, NO_EXIT_UPON_ERR, &is_err);
     if(is_err != FKO_SUCCESS)
     {
         log_msg(LOG_ERR, "[*] invalid PCAP_DISPATCH_COUNT\n");