static int read_configs(void)
{
int i;
char buf[2000], *sep;
FILE *f;
LOCK
f = fopen(_config_file_name , "r");
free_configs();
if (!f)
{
UNLOCK
return 0;
}
void
clean_exit(fko_srv_options_t *opts, unsigned int fw_cleanup_flag, unsigned int exit_status)
{
if(fw_cleanup_flag == FW_CLEANUP)
fw_cleanup(opts);
#if USE_FILE_CACHE
free_replay_list(opts);
#endif
free_logging();
free_configs(opts);
exit(exit_status);
}
static int handle_signals(fko_srv_options_t *opts)
{
int last_sig = 0, rv = 1;
if(got_signal) {
last_sig = got_signal;
got_signal = 0;
if(got_sighup)
{
log_msg(LOG_WARNING, "Got SIGHUP. Re-reading configs.");
free_configs(opts);
if(opts->tcp_server_pid > 0)
kill(opts->tcp_server_pid, SIGTERM);
usleep(1000000);
got_sighup = 0;
rv = 0; /* this means fwknopd will not exit */
}
else if(got_sigint)
{
log_msg(LOG_WARNING, "Got SIGINT. Exiting...");
got_sigint = 0;
}
else if(got_sigterm)
{
log_msg(LOG_WARNING, "Got SIGTERM. Exiting...");
got_sigterm = 0;
}
else
{
log_msg(LOG_WARNING,
"Got signal %i. No defined action but to exit.", last_sig);
}
}
else if (opts->packet_ctr_limit > 0
&& opts->packet_ctr >= opts->packet_ctr_limit)
{
log_msg(LOG_INFO,
"Packet count limit (%d) reached. Exiting...",
opts->packet_ctr_limit);
}
else /* got_signal was not set (should be if we are here) */
{
log_msg(LOG_WARNING,
"Capture ended without signal. Exiting...");
}
return rv;
}
/* free up memory and exit
*/
static void
clean_exit(fko_ctx_t ctx, fko_cli_options_t *opts,
char *key, int *key_len, char *hmac_key, int *hmac_key_len,
unsigned int exit_status)
{
if(fko_destroy(ctx) == FKO_ERROR_ZERO_OUT_DATA)
log_msg(LOG_VERBOSITY_ERROR,
"[*] Could not zero out sensitive data buffer.");
ctx = NULL;
free_configs(opts);
zero_buf_wrapper(key, *key_len);
zero_buf_wrapper(hmac_key, *hmac_key_len);
*key_len = 0;
*hmac_key_len = 0;
exit(exit_status);
}
/* free up memory and exit
*/
static void
clean_exit(fko_ctx_t ctx, fko_cli_options_t *opts,
char *key, int *key_len, char *hmac_key, int *hmac_key_len,
unsigned int exit_status)
{
#if HAVE_LIBFIU
if(opts->fault_injection_tag[0] != 0x0)
fiu_disable(opts->fault_injection_tag);
#endif
if(fko_destroy(ctx) == FKO_ERROR_ZERO_OUT_DATA)
log_msg(LOG_VERBOSITY_ERROR,
"[*] Could not zero out sensitive data buffer.");
ctx = NULL;
free_configs(opts);
zero_buf_wrapper(key, *key_len);
zero_buf_wrapper(hmac_key, *hmac_key_len);
*key_len = 0;
*hmac_key_len = 0;
exit(exit_status);
}
void
clean_exit(fko_srv_options_t *opts, unsigned int fw_cleanup_flag, unsigned int exit_status)
{
#if HAVE_LIBFIU
if(opts->config[CONF_FAULT_INJECTION_TAG] != NULL)
{
fiu_disable(opts->config[CONF_FAULT_INJECTION_TAG]);
}
#endif
if(!opts->test && (fw_cleanup_flag == FW_CLEANUP))
fw_cleanup(opts);
#if USE_FILE_CACHE
free_replay_list(opts);
#endif
free_logging();
free_configs(opts);
exit(exit_status);
}
int
main(int argc, char **argv)
{
int res, last_sig, rp_cache_count;
char *locale;
pid_t old_pid;
fko_srv_options_t opts;
while(1)
{
/* Handle command line
*/
config_init(&opts, argc, argv);
/* Process any options that do their thing and exit. */
/* Kill the currently running fwknopd?
*/
if(opts.kill == 1)
{
old_pid = get_running_pid(&opts);
if(old_pid > 0)
{
res = kill(old_pid, SIGTERM);
if(res == 0)
{
fprintf(stderr, "Killed fwknopd (pid=%i)\n", old_pid);
exit(EXIT_SUCCESS);
}
else
{
perror("Unable to kill fwknop: ");
exit(EXIT_FAILURE);
}
}
else
{
fprintf(stderr, "No running fwknopd detected.\n");
exit(EXIT_FAILURE);
}
}
/* Status of the currently running fwknopd?
*/
if(opts.status == 1)
{
old_pid = write_pid_file(&opts);
if(old_pid > 0)
fprintf(stderr, "Detected fwknopd is running (pid=%i).\n", old_pid);
else
fprintf(stderr, "No running fwknopd detected.\n");
exit(EXIT_SUCCESS);
}
/* Restart the currently running fwknopd?
*/
if(opts.restart == 1 || opts.status == 1)
{
old_pid = get_running_pid(&opts);
if(old_pid > 0)
{
res = kill(old_pid, SIGHUP);
if(res == 0)
{
fprintf(stderr, "Sent restart signal to fwknopd (pid=%i)\n", old_pid);
exit(EXIT_SUCCESS);
}
else
{
perror("Unable to send signal to fwknop: ");
exit(EXIT_FAILURE);
}
}
else
{
fprintf(stderr, "No running fwknopd detected.\n");
exit(EXIT_FAILURE);
}
}
/* Initialize logging.
*/
init_logging(&opts);
#if HAVE_LOCALE_H
/* Set the locale if specified.
*/
if(opts.config[CONF_LOCALE] != NULL
&& strncasecmp(opts.config[CONF_LOCALE], "NONE", 4) != 0)
{
locale = setlocale(LC_ALL, opts.config[CONF_LOCALE]);
if(locale == NULL)
{
log_msg(LOG_ERR,
"WARNING: Unable to set locale to '%s'.",
opts.config[CONF_LOCALE]
);
}
else
{
if(opts.verbose)
log_msg(LOG_INFO,
"Locale set to '%s'.", opts.config[CONF_LOCALE]
);
}
}
#endif
/* Make sure we have a valid run dir and path leading to digest file
* in case it configured to be somewhere other than the run dir.
*/
check_dir_path((const char *)opts.config[CONF_FWKNOP_RUN_DIR], "Run", 0);
#if USE_FILE_CACHE
check_dir_path((const char *)opts.config[CONF_DIGEST_FILE], "Run", 1);
#else
check_dir_path((const char *)opts.config[CONF_DIGEST_DB_FILE], "Run", 1);
#endif
/* Process the access.conf file.
*/
parse_access_file(&opts);
/* Show config (including access.conf vars) and exit dump config was
* wanted.
*/
if(opts.dump_config == 1)
{
dump_config(&opts);
dump_access_list(&opts);
exit(EXIT_SUCCESS);
}
/* Initialize the firewall rules handler based on the fwknopd.conf
* file, but (for iptables firewalls) don't flush any rules or create
* any chains yet. This allows us to dump the current firewall rules
* via fw_rules_dump() in --fw-list mode before changing around any rules
* of an existing fwknopd process.
*/
fw_config_init(&opts);
if(opts.fw_list == 1)
{
fw_dump_rules(&opts);
exit(EXIT_SUCCESS);
}
/* If we are a new process (just being started), proceed with normal
* start-up. Otherwise, we are here as a result of a signal sent to an
* existing process and we want to restart.
*/
if(get_running_pid(&opts) != getpid())
{
/* If foreground mode is not set, the fork off and become a daemon.
* Otherwise, attempt to get the pid file lock and go on.
*/
if(opts.foreground == 0)
{
daemonize_process(&opts);
}
else
{
old_pid = write_pid_file(&opts);
if(old_pid > 0)
{
fprintf(stderr,
"* An instance of fwknopd is already running: (PID=%i).\n", old_pid
);
exit(EXIT_FAILURE);
}
else if(old_pid < 0)
{
fprintf(stderr, "* PID file error. The lock may not be effective.\n");
}
}
log_msg(LOG_INFO, "Starting %s", MY_NAME);
}
else
{
log_msg(LOG_INFO, "Re-starting %s", MY_NAME);
}
if(opts.verbose > 1 && opts.foreground)
{
dump_config(&opts);
dump_access_list(&opts);
}
/* Initialize the digest cache for replay attack detection (either
* with dbm support or with the default simple cache file strategy)
* if so configured.
*/
if(strncasecmp(opts.config[CONF_ENABLE_DIGEST_PERSISTENCE], "Y", 1) == 0)
{
rp_cache_count = replay_cache_init(&opts);
if(rp_cache_count < 0)
{
log_msg(LOG_WARNING,
"Error opening digest cache file. Incoming digests will not be remembered."
);
strlcpy(opts.config[CONF_ENABLE_DIGEST_PERSISTENCE], "N", 2);
}
if(opts.verbose)
log_msg(LOG_ERR,
"Using Digest Cache: '%s' (entry count = %i)",
#if USE_FILE_CACHE
opts.config[CONF_DIGEST_FILE], rp_cache_count
#else
opts.config[CONF_DIGEST_DB_FILE], rp_cache_count
#endif
);
}
/* Prepare the firewall - i.e. flush any old rules and (for iptables)
* create fwknop chains.
*/
fw_initialize(&opts);
/* If the TCP server option was set, fire it up here.
*/
if(strncasecmp(opts.config[CONF_ENABLE_TCP_SERVER], "Y", 1) == 0)
{
if(atoi(opts.config[CONF_TCPSERV_PORT]) <= 0
|| atoi(opts.config[CONF_TCPSERV_PORT]) > 65535)
{
log_msg(LOG_WARNING,
"WARNING: ENABLE_TCP_SERVER is set, but TCPSERV_PORT is not valid. TCP server not started!"
);
}
else
{
run_tcp_server(&opts);
}
}
/* Intiate pcap capture mode...
*/
pcap_capture(&opts);
if(got_signal) {
last_sig = got_signal;
got_signal = 0;
if(got_sighup)
{
log_msg(LOG_WARNING, "Got SIGHUP. Re-reading configs.");
free_configs(&opts);
kill(opts.tcp_server_pid, SIGTERM);
usleep(1000000);
got_sighup = 0;
}
else if(got_sigint)
{
log_msg(LOG_WARNING, "Got SIGINT. Exiting...");
got_sigint = 0;
break;
}
else if(got_sigterm)
{
log_msg(LOG_WARNING, "Got SIGTERM. Exiting...");
got_sigterm = 0;
break;
}
else
{
log_msg(LOG_WARNING,
"Got signal %i. No defined action but to exit.", last_sig);
break;
}
}
else if (opts.packet_ctr_limit > 0
&& opts.packet_ctr >= opts.packet_ctr_limit)
{
log_msg(LOG_INFO,
"Packet count limit (%d) reached. Exiting...",
opts.packet_ctr_limit);
break;
}
else /* got_signal was not set (should be if we are here) */
{
log_msg(LOG_WARNING,
"Capture ended without signal. Exiting...");
break;
}
}
log_msg(LOG_INFO, "Shutting Down fwknopd.");
/* Kill the TCP server (if we have one running).
*/
if(opts.tcp_server_pid > 0)
{
log_msg(LOG_INFO, "Killing the TCP server (pid=%i)",
opts.tcp_server_pid);
kill(opts.tcp_server_pid, SIGTERM);
/* --DSS XXX: This seems to be necessary if the tcp server
* was restarted by this program. We need to
* investigate and fix this. For now, this works
* (it is kludgy, but does no harm afaik).
*/
kill(opts.tcp_server_pid, SIGKILL);
}
/* Other cleanup.
*/
fw_cleanup();
free_logging();
#if USE_FILE_CACHE
free_replay_list(&opts);
#endif
free_configs(&opts);
return(0);
}