///////////////////////////////////////////////////////////////////////////////
// Main program
///////////////////////////////////////////////////////////////////////////////
int main(int argc, char **argv)
{
std::string rules;
int i = 0;
std::string str;
while (std::getline(std::cin, str))
{
if (str.empty() || str[0] == 'q' || str[0] == 'Q')
break;
str += '\n';
bool r = false;
boost::spirit::utree result;
BOOST_TEST(r = test_rhs(str, result));
if (r && result.which() != boost::spirit::utree_type::nil_type)
{
BOOST_TEST(r = test_rule(str));
if (r)
{
rules += "rule" + boost::lexical_cast<std::string>(++i)
+ " = " + str + "\n";
}
}
}
// now test grammar rule
BOOST_TEST(test_grammar(rules));
return boost::report_errors();
}
gboolean
test_ruleset(xmlNode *ruleset, GHashTable *node_hash, ha_time_t *now)
{
gboolean ruleset_default = TRUE;
xml_child_iter_filter(
ruleset, rule, XML_TAG_RULE,
ruleset_default = FALSE;
if(test_rule(rule, node_hash, RSC_ROLE_UNKNOWN, now)) {
return TRUE;
}
);
gboolean
test_ruleset(xmlNode * ruleset, GHashTable * node_hash, crm_time_t * now)
{
gboolean ruleset_default = TRUE;
xmlNode *rule = NULL;
for (rule = __xml_first_child(ruleset); rule != NULL; rule = __xml_next_element(rule)) {
if (crm_str_eq((const char *)rule->name, XML_TAG_RULE, TRUE)) {
ruleset_default = FALSE;
if (test_rule(rule, node_hash, RSC_ROLE_UNKNOWN, now)) {
return TRUE;
}
}
}
return ruleset_default;
}
gboolean
test_expression(xmlNode * expr, GHashTable * node_hash, enum rsc_role_e role, crm_time_t * now)
{
gboolean accept = FALSE;
const char *uname = NULL;
switch (find_expression_type(expr)) {
case nested_rule:
accept = test_rule(expr, node_hash, role, now);
break;
case attr_expr:
case loc_expr:
/* these expressions can never succeed if there is
* no node to compare with
*/
if (node_hash != NULL) {
accept = test_attr_expression(expr, node_hash, now);
}
break;
case time_expr:
accept = test_date_expression(expr, now);
break;
case role_expr:
accept = test_role_expression(expr, role, now);
break;
default:
CRM_CHECK(FALSE /* bad type */ , return FALSE);
accept = FALSE;
}
if (node_hash) {
uname = g_hash_table_lookup(node_hash, "#uname");
}
crm_trace("Expression %s %s on %s",
ID(expr), accept ? "passed" : "failed", uname ? uname : "all ndoes");
return accept;
}
int pf_block_probe(char *incoming_ip, int portnum, struct opt *opts)
{
struct pfioc_rule pr;
struct pfioc_pooladdr paddr;
struct sockaddr ifr;
char curr_ipv4[16];
char *ifname = opts->ifname;
short test_result = 0;
int pf_dev_fd, ret = 1, sockfd;
static int num_rules_added = 0; /* the rule number to add the next rule after */
memset(&pr, 0, sizeof(struct pfioc_rule));
memset(&pr.rule, 0, sizeof(struct pf_rule));
memset(&paddr, 0, sizeof(struct pfioc_pooladdr));
if((sockfd = get_dgram_socket()) < 0) {
(void)logmsg("get_dgram_socket() no socket for getipv4()");
(void)report_status_and_bail(BAIL_OUT, errno);
}
if(! (get_interface_ipv4(sockfd, ifname, &ifr, curr_ipv4))) {
(void)logmsg("Unable to obtain ipv4 for interface %s\n", ifname);
(void)close(sockfd);
(void)report_status_and_bail(BAIL_OUT, errno);
}
else
(void)close(sockfd);
/* init rule structure */
pr.rule.action = PF_DROP;
pr.rule.quick = 1;
pr.rule.log = 1;
pr.rule.af = AF_INET;
pr.rule.proto = IPPROTO_TCP;
pr.rule.src.addr.type = PF_ADDR_ADDRMASK;
memset(&pr.rule.src.addr.v.a.mask.v4, 255, 4); /* match only this host:port */
inet_pton(AF_INET, incoming_ip, &pr.rule.src.addr.v.a.addr.v4);
pr.rule.src.addr.type = PF_ADDR_ADDRMASK;
memset(&pr.rule.dst.addr.v.a.mask.v4, 255, 4);
inet_pton(AF_INET, curr_ipv4, &pr.rule.dst.addr.v.a.addr.v4);
pr.rule.dst.port_op = PF_OP_EQ;
pr.rule.keep_state = 0;
pr.rule.flags = TH_SYN;
pr.rule.flagset = (TH_SYN | TH_ACK | TH_FIN | TH_RST);
pr.rule.dst.port[0] = htons(portnum);
pf_dev_fd = open("/dev/pf", O_RDWR);
if(pf_dev_fd < 0) {
(void)logmsg("failed to open /dev/pf, *not* adding rule\n");
(void)logmsg("connection attempt from %s on port %d _NOT_ BLOCKED\n", incoming_ip, portnum);
(void)report_status_and_bail(DO_NOT_BAIL, errno);
(void)close(pf_dev_fd);
ret = 0;
}
/* check the rule doesn't already exist in rules added so far */
if(ret)
test_result = test_rule(incoming_ip, &pf_dev_fd, portnum, num_rules_added, opts->flags);
if(test_result && ret) {
if((ioctl(pf_dev_fd, DIOCBEGINADDRS, &paddr)) < 0)
logmsg("err: ioctl DIOCBEGINADDRS");
pr.action = PF_CHANGE_GET_TICKET;
pr.pool_ticket = paddr.ticket;
if((ioctl(pf_dev_fd, DIOCCHANGERULE, &pr)) < 0)
logmsg("err: ioctl DIOCCHANGERULE");
pr.action = PF_CHANGE_ADD_AFTER;
pr.nr = num_rules_added;
if((ioctl(pf_dev_fd, DIOCCHANGERULE, &pr)) < 0)
logmsg("err: ioctl DIOCCHANGERULE");
num_rules_added++; /* static */
(void)logmsg("added blocking filter rule for remote host %s on port %d", incoming_ip, portnum);
} else if(test_result == 0)
/* some moron may attempt to fill up the log file!
* this *may* become an issue during testing.
* Here, a zero tolerance response could be taken
* for repeat offenders; for now, just ignore and log */
(void)logmsg("rule already exists, ignoring");
else {
(void)logmsg("connection %s on port %d", incoming_ip, portnum);
(void)logmsg("ioctl: error searching current ruleset - *no* rule added");
}
(void)close(pf_dev_fd);
return ret;
}
