exit(EXIT_FAILURE);
}
- offset = strtol_wrapper(offset_digits, 0, (2 << 15), EXIT_UPON_ERR, &is_err);
+ offset = strtol_wrapper(offset_digits, 0, (2 << 15),
+ EXIT_UPON_ERR, &is_err);
/* Apply the offset_type value
*/
break;
case 'f':
options->fw_timeout = strtol_wrapper(optarg, 0,
- (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+ (2 << 16), NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
- fprintf(stderr, "--fw-timeout must be >= 0\n");
+ fprintf(stderr, "--fw-timeout must be within [%d-%d]\n",
+ 0, (2 << 16));
exit(EXIT_FAILURE);
}
break;
case 'K':
options->key_gen = 1;
strlcpy(options->key_gen_file, optarg, MAX_PATH_LEN);
+ break;
case SPA_ICMP_TYPE:
options->spa_icmp_type = strtol_wrapper(optarg, 0,
MAX_ICMP_TYPE, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
- fprintf(stderr, "Unrecognized icmp type value: %s\n", optarg);
+ fprintf(stderr, "Invalid icmp type '%s', must be in [%d-%d]\n",
+ optarg, 0, MAX_ICMP_TYPE);
exit(EXIT_FAILURE);
}
break;
MAX_ICMP_CODE, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
- fprintf(stderr, "Unrecognized icmp code value: %s\n", optarg);
+ fprintf(stderr, "Invalid icmp code '%s', must be in [%d-%d]\n",
+ optarg, 0, MAX_ICMP_CODE);
exit(EXIT_FAILURE);
}
break;
break;
case 'p':
options->spa_dst_port = strtol_wrapper(optarg, 0,
- MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
- if(is_err != FKO_SUCCESS)
- {
- fprintf(stderr, "Unrecognized port: %s\n", optarg);
- exit(EXIT_FAILURE);
- }
+ MAX_PORT, EXIT_UPON_ERR, &is_err);
break;
case 'P':
if((options->spa_proto = proto_strtoint(optarg)) < 0)
break;
case 'S':
options->spa_src_port = strtol_wrapper(optarg, 0,
- MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
- if(is_err != FKO_SUCCESS)
- {
- fprintf(stderr, "Unrecognized port: %s\n", optarg);
- exit(EXIT_FAILURE);
- }
+ MAX_PORT, EXIT_UPON_ERR, &is_err);
break;
case 'T':
options->test = 1;
options->nat_rand_port = 1;
break;
case NAT_PORT:
- options->nat_port = strtol_wrapper(optarg, 0, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
- if(is_err != FKO_SUCCESS)
- {
- fprintf(stderr, "Unrecognized port: %s\n", optarg);
- exit(EXIT_FAILURE);
- }
+ options->nat_port = strtol_wrapper(optarg, 0,
+ MAX_PORT, EXIT_UPON_ERR, &is_err);
break;
case TIME_OFFSET_PLUS:
options->time_offset_plus = parse_time_offset(optarg);
strlcpy(port_str, rand_val, 6);
- tmpint = strtol_wrapper(port_str, 0, 0, NO_EXIT_UPON_ERR, &is_err);
+ tmpint = strtol_wrapper(port_str, 0, -1, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
fprintf(stderr,
*/
if(strncasecmp(res_url, "https", 5) == 0)
{
- fprintf(stderr, "https is not yet supported for http-resolve-ip.\n");
+ fprintf(stderr, "[*] https is not yet supported for http-resolve-ip.\n");
return(-1);
}
port = strtol_wrapper(e_ndx+1, 1, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
- fprintf(stderr, "resolve-url port value is invalid.\n");
+ fprintf(stderr,
+ "[*] resolve-url port value is invalid, must be in [%d-%d]\n",
+ 1, MAX_PORT);
return(-1);
}
if(ndx)
{
*ndx = '\0';
- proxy_port = strtol_wrapper(ndx+1, 0, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
+ proxy_port = strtol_wrapper(ndx+1, 1, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
- fprintf(stderr, "proxy port value is invalid.\n");
+ fprintf(stderr,
+ "[-] proxy port value is invalid, must be in [%d-%d]\n",
+ 1, MAX_PORT);
return 0;
}
}
strlcpy(tbuf, ndx, t_size+1);
ctx->timestamp = (unsigned int) strtol_wrapper(tbuf,
- 0, 0, NO_EXIT_UPON_ERR, &is_err);
+ 0, -1, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
free(tbuf);
if(exit_upon_err == EXIT_UPON_ERR)
{
perror("strtol");
+ fprintf(stderr, "[*] Value %d out of range %d - %d\n",
+ val, min, max);
exit(EXIT_FAILURE);
}
}
}
}
- /* allow max==0 to be an exception where we don't care about the
+ /* allow max == -1 to be an exception where we don't care about the
* maximum - note that the ERANGE check is still in place above
*/
- if((max > 0) && (val > max))
+ if((max >= 0) && (val > max))
{
*err = FKO_ERROR_INVALID_DATA;
if(exit_upon_err == EXIT_UPON_ERR)
return 0;
}
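Review bot: The new guard `if((max >= 0) && (val > max))` treats every negative max as "no maximum", while the comment above it documents only -1 as the sentinel; a caller that passes a negative max by accident (for instance a shift constant that overflowed int) silently loses its upper-bound check instead of failing. Testing the sentinel exactly keeps the documented contract and fails closed for any other negative value: `if((max != -1) && (val > max))`. Callers that still pass 0 for "no maximum" and are not updated in this change would now reject every positive value, so the remaining call sites should be audited. In the message added at L131, `%d` for `val` is only correct if val is an int rather than the long strtol returns; that declaration is outside the hunk and worth confirming. strtol_wrapper's body starts and ends outside this hunk.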
- mask = strtol_wrapper(ndx+1, 0, 0, NO_EXIT_UPON_ERR, &is_err);
+ mask = strtol_wrapper(ndx+1, 0, -1, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
fprintf(stderr,
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR,
- "Invalid port in access request: %s", pstr);
+ "Invalid port '%s' in access request, must be in [%d,%d]",
+ pstr, 0, MAX_PORT);
return(-1);
}
else if(CONF_VAR_IS(var, "FW_ACCESS_TIMEOUT"))
{
curr_acc->fw_access_timeout = strtol_wrapper(val, 0,
- (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+ RCHK_MAX_FW_TIMEOUT, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
fprintf(stderr,
break;
case 'C':
opts->packet_ctr_limit = strtol_wrapper(optarg,
- 0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+ 0, (2 << 30), NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
fprintf(stderr,
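Review bot: `(2 << 30)` on the new line here, and again at L403 for rpid, evaluates to 2^31, which is not representable in a 32-bit int, so the expression is undefined behaviour (C11 6.5.7) and in practice yields INT_MIN; the removed `(2 << 31)` had the same problem. Assuming strtol_wrapper's max parameter is an int (the `%d` in its new message suggests so), a negative max now disables the upper bound entirely under the `(max >= 0)` guard, so neither packet_ctr_limit nor the pid value is actually range-checked. Use a representable ceiling, e.g. `0, INT_MAX, NO_EXIT_UPON_ERR, &is_err);` with `<limits.h>` if it is not already included, or `(1 << 30)` if that limit is what was intended. The fprintf statement on the last line continues outside the hunk.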
#include <getopt.h>
#include <sys/stat.h>
-/* For integer variable range checking
-*/
-#define RCHK_MAX_PCAP_LOOP_SLEEP 10000000 /* microseconds, 10 seconds */
-#define RCHK_MAX_SPA_PACKET_AGE 100000 /* seconds, can disable */
-#define RCHK_MAX_SNIFF_BYTES 1514
-#define RCHK_MAX_TCPSERV_PORT 65535
-
-#if FIREWALL_IPFW
- #define RCHK_MAX_IPFW_START_RULE_NUM 65535
- #define RCHK_MAX_IPFW_MAX_RULES 10000
- #define RCHK_MAX_IPFW_SET_NUM 31
- #define RCHK_MAX_IPFW_PURGE_INTERVAL 65535
-#elif FIREWALL_PF
- #define RCHK_MAX_PF_EXPIRE_INTERVAL 65535
-#endif
-
/* Function Prototypes
*/
void config_init(fko_srv_options_t *opts, int argc, char **argv);
void
fw_config_init(fko_srv_options_t * const opts)
{
+ int is_err;
memset(&fwc, 0x0, sizeof(struct fw_config));
*/
strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE], MAX_PATH_LEN);
- fwc.start_rule_num = atoi(opts->config[CONF_IPFW_START_RULE_NUM]);
- fwc.max_rules = atoi(opts->config[CONF_IPFW_MAX_RULES]);
- fwc.active_set_num = atoi(opts->config[CONF_IPFW_ACTIVE_SET_NUM]);
- fwc.expire_set_num = atoi(opts->config[CONF_IPFW_EXPIRE_SET_NUM]);
- fwc.purge_interval = atoi(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL]);
+ fwc.start_rule_num = strtol_wrapper(opts->config[CONF_IPFW_START_RULE_NUM],
+ 0, RCHK_MAX_IPFW_MAX_RULES, NO_EXIT_UPON_ERR, &is_err);
+ if(is_err != FKO_SUCCESS)
+ {
+ fprintf(stderr, "[*] IPFW_START_RULE_NUM '%s' out of range [%d-%d].\n",
+ opts->config[CONF_IPFW_START_RULE_NUM], 0, RCHK_MAX_IPFW_MAX_RULES);
+ exit(EXIT_FAILURE);
+ }
+
+ fwc.max_rules = strtol_wrapper(opts->config[CONF_IPFW_MAX_RULES],
+ 0, RCHK_MAX_IPFW_MAX_RULES, NO_EXIT_UPON_ERR, &is_err);
+ if(is_err != FKO_SUCCESS)
+ {
+ fprintf(stderr, "[*] IPFW_MAX_RULES_INT '%s' out of range [%d-%d].\n",
+ opts->config[CONF_IPFW_MAX_RULES], 0, RCHK_MAX_IPFW_MAX_RULES);
+ exit(EXIT_FAILURE);
+ }
+
+ fwc.active_set_num = strtol_wrapper(opts->config[CONF_IPFW_ACTIVE_SET_NUM],
+ 0, RCHK_MAX_IPFW_SET_NUM, NO_EXIT_UPON_ERR, &is_err);
+ if(is_err != FKO_SUCCESS)
+ {
+ fprintf(stderr, "[*] IPFW_ACTIVE_SET_NUM '%s' out of range [%d-%d].\n",
+ opts->config[CONF_IPFW_ACTIVE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
+ exit(EXIT_FAILURE);
+ }
+
+ fwc.expire_set_num = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_SET_NUM],
+ 0, RCHK_MAX_IPFW_SET_NUM, NO_EXIT_UPON_ERR, &is_err);
+ if(is_err != FKO_SUCCESS)
+ {
+ fprintf(stderr, "[*] IPFW_MAX_EXPIRE_SET_NUM '%s' out of range [%d-%d].\n",
+ opts->config[CONF_IPFW_EXPIRE_SET_NUM], 0, RCHK_MAX_IPFW_SET_NUM);
+ exit(EXIT_FAILURE);
+ }
+
+ fwc.purge_interval = strtol_wrapper(opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL],
+ 0, RCHK_MAX_IPFW_PURGE_INTERVAL, NO_EXIT_UPON_ERR, &is_err);
+ if(is_err != FKO_SUCCESS)
+ {
+ fprintf(stderr, "[*] IPFW_EXPIRE_PURGE_INTERVAL '%s' out of range [%d-%d].\n",
+ opts->config[CONF_IPFW_EXPIRE_PURGE_INTERVAL], 0,
+ RCHK_MAX_IPFW_PURGE_INTERVAL);
+ exit(EXIT_FAILURE);
+ }
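Review bot: start_rule_num is bounded by `RCHK_MAX_IPFW_MAX_RULES` on the second added line although this same change introduces a dedicated `RCHK_MAX_IPFW_START_RULE_NUM` (L436); the two currently have the same value, so this is a readability and maintenance point, but the check should read `0, RCHK_MAX_IPFW_START_RULE_NUM, NO_EXIT_UPON_ERR, &is_err);` and the matching error message should name that macro too. The messages `"IPFW_MAX_RULES_INT"` (L224) and `"IPFW_MAX_EXPIRE_SET_NUM"` (L242) also do not match the config variables they report on, which will confuse anyone grepping a log line back to the config file. The five values are validated independently, so nothing here ensures `start_rule_num + max_rules` stays within the ipfw rule-number space; whether that matters depends on how rule_map is sized, which is not visible in this hunk. fw_config_init continues past the end of the hunk.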
/* Let us find it via our opts struct as well.
*/
void
fw_initialize(const fko_srv_options_t * const opts)
{
- int res = 0;
+ int res = 0, is_err;
unsigned short curr_rule;
char *ndx;
if(isdigit(*ndx))
{
- curr_rule = atoi(ndx);
+ curr_rule = strtol_wrapper(ndx, 0, -1, NO_EXIT_UPON_ERR, &is_err);
- if(curr_rule >= fwc.start_rule_num
- && curr_rule < fwc.start_rule_num + fwc.max_rules)
+ if(is_err == FKO_SUCCESS)
{
- fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
- fwc.total_rules++;
+ if(curr_rule >= fwc.start_rule_num
+ && curr_rule < fwc.start_rule_num + fwc.max_rules)
+ {
+ fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+ fwc.total_rules++;
+ }
}
}
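Review bot: curr_rule is an `unsigned short` (L263), but the new `strtol_wrapper(ndx, 0, -1, ...)` call returns anything up to the int range, so a rule number of 65536 or more in the ipfw listing is truncated on assignment before the `start_rule_num`/`max_rules` comparison and can pass that check under a wrong rule number. Passing the real ceiling of the type instead of the -1 sentinel makes the wrapper reject such values up front, e.g. `curr_rule = strtol_wrapper(ndx, 0, 65535, NO_EXIT_UPON_ERR, &is_err);` (or the project's rule-number limit macro once it equals 65535; see the RCHK_MAX_IPFW_* definitions in this same change). The same pattern appears at L298 in fw_cleanup and at L369 in ipfw_purge_expired_rules, where curr_rule is also unsigned short. The enclosing loop and function continue outside this hunk.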
else
}
}
-
int
fw_cleanup(const fko_srv_options_t * const opts)
{
char rule_num_str[6];
char *ndx, *rn_start, *rn_end, *tmp_mark;
- int i=0, res=0;
+ int i=0, res=0, is_err;
time_t now, rule_exp, min_exp = 0;
unsigned short curr_rule;
strlcpy(rule_num_str, rn_start, (rn_end - rn_start)+1);
- curr_rule = atoi(rule_num_str);
+ curr_rule = strtol_wrapper(rule_num_str, 0, -1, NO_EXIT_UPON_ERR, &is_err);
- zero_cmd_buffers();
+ if(is_err == FKO_SUCCESS)
+ {
+ zero_cmd_buffers();
- /* Move the rule to the expired rules set.
- */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_MOVE_RULE_ARGS,
- opts->fw_config->fw_command,
- curr_rule,
- fwc.expire_set_num
- );
+ /* Move the rule to the expired rules set.
+ */
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_MOVE_RULE_ARGS,
+ opts->fw_config->fw_command,
+ curr_rule,
+ fwc.expire_set_num
+ );
- res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
+ res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 0);
- if (opts->verbose)
- log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
- cmd_buf, res, err_buf);
+ if (opts->verbose)
+ log_msg(LOG_INFO, "check_firewall_rules() CMD: '%s' (res: %d, err: %s)",
+ cmd_buf, res, err_buf);
- if(EXTCMD_IS_SUCCESS(res))
- {
- log_msg(LOG_INFO, "Moved rule %s with expire time of %u to set %u.",
- rule_num_str, rule_exp, fwc.expire_set_num
- );
+ if(EXTCMD_IS_SUCCESS(res))
+ {
+ log_msg(LOG_INFO, "Moved rule %s with expire time of %u to set %u.",
+ rule_num_str, rule_exp, fwc.expire_set_num
+ );
- if (fwc.active_rules > 0)
- fwc.active_rules--;
+ if (fwc.active_rules > 0)
+ fwc.active_rules--;
- fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+ fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
+ }
+ else
+ log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
}
else
+ {
log_msg(LOG_ERR, "Error %i from cmd:'%s': %s", res, cmd_buf, err_buf);
+ }
}
else
{
ipfw_purge_expired_rules(const fko_srv_options_t *opts)
{
char *ndx, *co_end;
-
- int i, res;
-
+ int i, res, is_err;
unsigned short curr_rule;
/* First, we get the current active dynamic rules for the expired rule
*/
if(isdigit(*ndx))
{
- curr_rule = atoi(ndx);
-
- if(curr_rule >= fwc.start_rule_num
- && curr_rule < fwc.start_rule_num + fwc.max_rules)
- fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_TMP_MARKED;
+ curr_rule = strtol_wrapper(ndx, 0, -1, NO_EXIT_UPON_ERR, &is_err);
+
+ if(is_err == FKO_SUCCESS)
+ {
+ if(curr_rule >= fwc.start_rule_num
+ && curr_rule < fwc.start_rule_num + fwc.max_rules)
+ fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_TMP_MARKED;
+ }
}
ndx = strchr(ndx, '\n');
/* Pull and set Jump_rule_position */
chain->jump_rule_pos = strtol_wrapper(chain_fields[3],
- 0, (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_IPT_RULE_NUM, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid jump rule position in Line: %s\n",
/* Pull and set to_chain rule position */
chain->rule_pos = strtol_wrapper(chain_fields[5],
- 0, (2 << 15), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_IPT_RULE_NUM, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid to_chain rule position in Line: %s\n",
strlcpy(rule_num_str, rn_start, (rn_end - rn_start)+1);
- rule_num = strtol_wrapper(rule_num_str, rn_offset, (2 << 15),
+ rule_num = strtol_wrapper(rule_num_str, rn_offset, RCHK_MAX_IPT_RULE_NUM,
NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
buf[PID_BUFLEN-1] = '\0';
/* max pid value is configurable on Linux
*/
- rpid = (pid_t) strtol_wrapper(buf, 0, (2 << 31),
+ rpid = (pid_t) strtol_wrapper(buf, 0, (2 << 30),
NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
rpid = 0;
#define DEF_FW_ACCESS_TIMEOUT 30
+/* For integer variable range checking
+*/
+#define RCHK_MAX_PCAP_LOOP_SLEEP (2 << 22)
+#define RCHK_MAX_SPA_PACKET_AGE 100000 /* seconds, can disable */
+#define RCHK_MAX_SNIFF_BYTES (2 << 14)
+#define RCHK_MAX_TCPSERV_PORT ((2 << 16) - 1)
+#define RCHK_MAX_PCAP_DISPATCH_COUNT (2 << 22)
+#define RCHK_MAX_FW_TIMEOUT (2 << 22)
+
/* Iptables-specific defines
*/
#if FIREWALL_IPTABLES
#define DEF_IPT_SNAT_ACCESS "SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
#define DEF_IPT_MASQUERADE_ACCESS "MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1"
+ #define RCHK_MAX_IPT_RULE_NUM (2 << 15)
+
/* Ipfw-specific defines
*/
#elif FIREWALL_IPFW
#define DEF_FLUSH_IPFW_AT_INIT "Y"
#define DEF_FLUSH_IPFW_AT_EXIT "Y"
#define DEF_IPFW_START_RULE_NUM "10000"
- #define DEF_IPFW_MAX_RULES "1000"
+ #define DEF_IPFW_MAX_RULES "65535"
#define DEF_IPFW_ACTIVE_SET_NUM "1"
#define DEF_IPFW_EXPIRE_SET_NUM "2"
#define DEF_IPFW_EXPIRE_PURGE_INTERVAL "30"
#define DEF_IPFW_ADD_CHECK_STATE "N"
+ #define RCHK_MAX_IPFW_START_RULE_NUM ((2 << 16) - 1)
+ #define RCHK_MAX_IPFW_MAX_RULES ((2 << 16) - 1)
+ #define RCHK_MAX_IPFW_SET_NUM ((2 << 5) - 1)
+ #define RCHK_MAX_IPFW_PURGE_INTERVAL ((2 << 16) - 1)
+
#elif FIREWALL_PF
- #define DEF_PF_ANCHOR_NAME "fwknop"
- #define DEF_PF_EXPIRE_INTERVAL "30"
+ #define DEF_PF_ANCHOR_NAME "fwknop"
+ #define DEF_PF_EXPIRE_INTERVAL "30"
+
+ #define RCHK_MAX_PF_EXPIRE_INTERVAL ((2 << 16) - 1)
#elif FIREWALL_IPF
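Review bot: `((2 << 16) - 1)` is 131071, not 65535: `2 << n` equals 2^(n+1), so `RCHK_MAX_TCPSERV_PORT` (L413), `RCHK_MAX_IPFW_START_RULE_NUM`, `RCHK_MAX_IPFW_MAX_RULES`, `RCHK_MAX_IPFW_PURGE_INTERVAL` (L436, L437, L439) and `RCHK_MAX_PF_EXPIRE_INTERVAL` (L447) now accept values twice the range their removed definitions (L185, L188, L191, L193) allowed, and the TCP port limit exceeds the 16-bit port space. Likewise `RCHK_MAX_IPFW_SET_NUM ((2 << 5) - 1)` (L438) is 63 where the removed define (L190) was 31. Either write the intended literals back, or use `((1 << 16) - 1)` and `((1 << 5) - 1)` so the shift reads as the power of two it is meant to be. The `(2 << 16)` used as the fw_timeout ceiling at L12 is harmless as an arbitrary limit but suggests the same misreading of the operator.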
if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
{
conf_pkt_age = strtol_wrapper(opts->config[CONF_MAX_SPA_PACKET_AGE],
- 0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_SPA_PACKET_AGE, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid MAX_SPA_PACKET_AGE\n");
#endif
useconds = strtol_wrapper(opts->config[CONF_PCAP_LOOP_SLEEP],
- 0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_PCAP_LOOP_SLEEP, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid PCAP_LOOP_SLEEP_value\n");
}
max_sniff_bytes = strtol_wrapper(opts->config[CONF_MAX_SNIFF_BYTES],
- 0, (2 << 14), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_SNIFF_BYTES, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid MAX_SNIFF_BYTES\n");
}
pcap_dispatch_count = strtol_wrapper(opts->config[CONF_PCAP_DISPATCH_COUNT],
- 0, (2 << 31), NO_EXIT_UPON_ERR, &is_err);
+ 0, RCHK_MAX_PCAP_DISPATCH_COUNT, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_ERR, "[*] invalid PCAP_DISPATCH_COUNT\n");