From: Michael Rash
Date: Mon, 28 May 2012 18:19:52 +0000 (-0400)
Subject: updated PF anchor check to not rely on listing the PF policy
X-Git-Tag: fwknop-2.0.1-pre1~9
X-Git-Url: http://www.cipherdyne.com/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff_plain;h=8a73e6dee88f9d416fc028fe2e26bfa37b984cb5
updated PF anchor check to not rely on listing the PF policy
---
diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c
index 217387e..d883f9d 100644
--- a/server/fw_util_pf.c
+++ b/server/fw_util_pf.c
@@ -91,17 +91,16 @@ static int
 anchor_active(const fko_srv_options_t *opts)
 {
 int res = 0;
- char *ndx = NULL;
 char anchor_search_str[MAX_PF_ANCHOR_SEARCH_LEN] = {0};
 /* Build our anchor search string */
- snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s%s\" ",
- "anchor \"", opts->fw_config->anchor);
+ snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s\n",
+ opts->fw_config->anchor);
 zero_cmd_buffers();
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_LIST_ALL_RULES_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_ANCHOR_CHECK_ARGS,
 opts->fw_config->fw_command
 );
@@ -113,23 +112,11 @@ anchor_active(const fko_srv_options_t *opts)
 return 0;
 }
- /* first check for the anchor at the very first rule position
+ /* Check to see if the anchor exists and is linked into the main policy
 */
- if (strncmp(cmd_out, anchor_search_str, strlen(anchor_search_str)) != 0)
- {
- anchor_search_str[0] = '\0';
-
- /* look for the anchor in the middle of the rule set, but make sure
- * it appears only after a newline
- */
- snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s%s\" ",
- "\nanchor \"", opts->fw_config->anchor);
- ndx = strstr(cmd_out, anchor_search_str);
-
- if(ndx == NULL)
- return 0;
- }
+ if(strstr(cmd_out, anchor_search_str) == NULL)
+ return 0;
 return 1;
 }
diff --git a/server/fw_util_pf.h b/server/fw_util_pf.h
index e63ce91..764b66e 100644
--- a/server/fw_util_pf.h
+++ b/server/fw_util_pf.h
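Review bot: The new search string `"%s\n"` built in the first hunk, paired with the bare `strstr(cmd_out, anchor_search_str)` in the second, accepts any listed anchor whose name merely ends with the configured one — with anchor `fwknop`, an anchor named `myfwknop` passes the check — because the removed `"\nanchor \""` prefix was what pinned the match to the start of a line and nothing replaces it. If anchor_active() gates whether fwknop proceeds with its PF anchor (the caller is outside these hunks, as are the run_extcmd call and its error check between them), a false positive here means the daemon believes its rules are linked into the main ruleset when they are not. The fix is to keep `char *ndx = NULL;` from the first hunk and accept a hit only when it starts the output or follows a newline or whitespace (whether pfctl indents the names is not visible here, so the tolerance for leading blanks is deliberate), skipping past any other hit. Separately, if the anchor name is long enough for snprintf to truncate, the trailing `'\n'` is dropped and the search silently degrades to a prefix match; comparing the snprintf return value against `MAX_PF_ANCHOR_SEARCH_LEN-1` and returning 0 on truncation would close that.
```c
    ndx = strstr(cmd_out, anchor_search_str);

    /* Accept only a whole-name match: at the start of the output or right
     * after a newline/blank, so "myfwknop" cannot satisfy a search for
     * "fwknop".
     */
    while(ndx != NULL && ndx != cmd_out
            && *(ndx - 1) != '\n' && *(ndx - 1) != ' ' && *(ndx - 1) != '\t')
        ndx = strstr(ndx + 1, anchor_search_str);

    if(ndx == NULL)
        return 0;
```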
@@ -40,7 +40,7 @@
 #define PF_ADD_RULE_ARGS "pass in quick proto %u from %s to any port %u keep state label " EXPIRE_COMMENT_PREFIX "%u"
 #define PF_WRITE_ANCHOR_RULES_ARGS "-a %s -f -"
 #define PF_LIST_ANCHOR_RULES_ARGS "-a %s -s rules 2>&1"
-#define PF_LIST_ALL_RULES_ARGS "-s rules 2>&1" /* to check for fwknop anchor */
+#define PF_ANCHOR_CHECK_ARGS "-s Anchor 2>&1" /* to check for fwknop anchor */
 #define PF_DEL_ALL_ANCHOR_RULES "-a %s -F all 2>&1"
 #endif /* FW_UTIL_PF_H */
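Review bot: The comment carried over onto the new `PF_ANCHOR_CHECK_ARGS` line, `/* to check for fwknop anchor */`, no longer says why the listing changed, which is the whole point of the commit. Per pfctl(8), `-s Anchors` prints only the anchors attached directly to the main ruleset, which is what makes this a "linked into the main policy" test and also means an anchor nested under another anchor will not be found; the comment should record that so nobody reverts to `-s rules` for "completeness". Suggest `/* anchors attached to the main ruleset only (pfctl -s Anchors); nested anchors are not listed */`. The `2>&1` also folds pfctl's stderr into the text that anchor_active() then string-searches, so the command's exit status must be checked before the output is trusted; that check sits between the two hunks of fw_util_pf.c and is outside this view.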