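/**
 * Populate the file-scope firewall config (fwc) from the daemon options.
 *
 * Zeroes fwc, copies the firewall executable path into fwc.fw_command and
 * hands each enabled chain name to set_fw_chain_conf(): IPT_INPUT is always
 * configured, IPT_OUTPUT only when ENABLE_IPT_OUTPUT starts with "Y",
 * FORWARD/DNAT only when ENABLE_IPT_FORWARDING starts with "Y", and one of
 * SNAT or MASQUERADE only when ENABLE_IPT_SNAT is additionally "Y".
 * Finally opts->fw_config is pointed at fwc.
 *
 * @param opts  Server options holding the CONF_* strings (not NULL).
 *
 * NOTE(review): the CONF_ENABLE_* and CONF_FIREWALL_EXE entries are passed
 * straight to strncasecmp()/strlcpy(), so they are assumed to be non-NULL
 * here -- confirm the config loader always supplies a default for them.
 */
void fw_config_init(fko_srv_options_t *opts)
{
    memset(&fwc, 0x0, sizeof(struct fw_config));

    /* Set our firewall exe command path (iptables in most cases).
     * Bound the copy by the destination array itself rather than by
     * MAX_PATH_LEN, so the limit cannot drift from the struct definition.
     */
    strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE],
            sizeof(fwc.fw_command));

    /* Pull the fwknop chain config info and setup our internal
     * config struct. The IPT_INPUT is the only one that is
     * required. The rest are optional.
     */
    set_fw_chain_conf(IPT_INPUT_ACCESS, opts->config[CONF_IPT_INPUT_ACCESS]);

    /* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1) == 0)
    {
        set_fw_chain_conf(IPT_OUTPUT_ACCESS,
                opts->config[CONF_IPT_OUTPUT_ACCESS]);
    }

    /* The remaining access chains require ENABLE_IPT_FORWARDING = Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1) == 0)
    {
        set_fw_chain_conf(IPT_FORWARD_ACCESS,
                opts->config[CONF_IPT_FORWARD_ACCESS]);
        set_fw_chain_conf(IPT_DNAT_ACCESS,
                opts->config[CONF_IPT_DNAT_ACCESS]);

        /* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y */
        if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
        {
            /* If an SNAT_TRANSLATE_IP is specified use the SNAT_ACCESS mode.
             * Otherwise, use MASQUERADE_ACCESS.
             *
             * XXX: --DSS: Not sure if using the TRANSLATE_IP parameter as
             *             the determining factor is the best way to handle
             *             this.
             *
             * Only the first 10 characters are compared against the
             * "__CHANGEME__" placeholder; the value is otherwise not
             * validated here, so a malformed address is still treated as
             * "specified".
             */
            const char *xlate_ip = opts->config[CONF_SNAT_TRANSLATE_IP];

            if(xlate_ip != NULL
                    && strncasecmp(xlate_ip, "__CHANGEME__", 10) != 0)
            {
                set_fw_chain_conf(IPT_SNAT_ACCESS,
                        opts->config[CONF_IPT_SNAT_ACCESS]);
            }
            else
            {
                set_fw_chain_conf(IPT_MASQUERADE_ACCESS,
                        opts->config[CONF_IPT_MASQUERADE_ACCESS]);
            }
        }
    }

    /* Let us find it via our opts struct as well. */
    opts->fw_config = &fwc;
}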
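/**
 * Populate the file-scope firewall config (fwc) from the daemon options.
 *
 * Zeroes fwc, copies the firewall executable path into fwc.fw_command and
 * hands each enabled chain name to set_fw_chain_conf(): IPT_INPUT is always
 * configured, IPT_OUTPUT only when ENABLE_IPT_OUTPUT starts with "Y",
 * FORWARD/DNAT only when ENABLE_IPT_FORWARDING starts with "Y", and both
 * MASQUERADE and SNAT only when ENABLE_IPT_SNAT is additionally "Y".
 * ENABLE_DESTINATION_RULE = Y sets fwc.use_destination. Finally
 * opts->fw_config is pointed at fwc.
 *
 * @param opts  Server options holding the CONF_* strings (not NULL).
 * @return 1 on success; 0 if any set_fw_chain_conf() call does not return 1
 *         or if the firewall executable path does not fit in fwc.fw_command.
 *
 * NOTE(review): the CONF_ENABLE_* and CONF_FIREWALL_EXE entries are passed
 * straight to strncasecmp()/strlcpy(), so they are assumed to be non-NULL
 * here -- confirm the config loader always supplies a default for them.
 */
int fw_config_init(fko_srv_options_t * const opts)
{
    memset(&fwc, 0x0, sizeof(struct fw_config));

    /* Set our firewall exe command path (iptables in most cases).
     * strlcpy() returns the full source length; a value at or past the
     * buffer size means the path was truncated, and a truncated path would
     * later be executed as the firewall command, so treat it as a failure
     * instead of continuing silently.
     */
    if(strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE],
                sizeof(fwc.fw_command)) >= sizeof(fwc.fw_command))
        return 0;

#if HAVE_LIBFIU
    fiu_return_on("fw_config_init", 0);
#endif

    /* Pull the fwknop chain config info and setup our internal
     * config struct. The IPT_INPUT is the only one that is
     * required. The rest are optional.
     */
    if(set_fw_chain_conf(IPT_INPUT_ACCESS,
                opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
        return 0;

    /* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS == Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1) == 0)
    {
        if(set_fw_chain_conf(IPT_OUTPUT_ACCESS,
                    opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
            return 0;
    }

    /* The remaining access chains require ENABLE_IPT_FORWARDING = Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1) == 0)
    {
        if(set_fw_chain_conf(IPT_FORWARD_ACCESS,
                    opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
            return 0;

        if(set_fw_chain_conf(IPT_DNAT_ACCESS,
                    opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
            return 0;

        /* Requires ENABLE_IPT_SNAT = Y; both NAT chains are configured,
         * the choice between them is made elsewhere. */
        if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
        {
            if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS,
                        opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
                return 0;

            if(set_fw_chain_conf(IPT_SNAT_ACCESS,
                        opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
                return 0;
        }
    }

    if(strncasecmp(opts->config[CONF_ENABLE_DESTINATION_RULE], "Y", 1) == 0)
    {
        fwc.use_destination = 1;
    }

    /* Let us find it via our opts struct as well. */
    opts->fw_config = &fwc;

    return 1;
}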
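/**
 * Populate the file-scope firewall config (fwc) from the daemon options.
 *
 * Zeroes fwc, copies the firewall executable path into fwc.fw_command and
 * hands each enabled chain name to set_fw_chain_conf(): IPT_INPUT is always
 * configured, IPT_OUTPUT only when ENABLE_IPT_OUTPUT starts with "Y",
 * FORWARD/DNAT only when ENABLE_IPT_FORWARDING starts with "Y", and -- when
 * ENABLE_IPT_SNAT is additionally "Y" -- either MASQUERADE (no usable
 * SNAT_TRANSLATE_IP, fwc.use_masquerade set) or SNAT. Finally
 * opts->fw_config is pointed at fwc.
 *
 * @param opts  Server options holding the CONF_* strings (not NULL).
 * @return 1 on success; 0 if any set_fw_chain_conf() call does not return 1
 *         or if the firewall executable path does not fit in fwc.fw_command.
 *
 * NOTE(review): the CONF_ENABLE_* and CONF_FIREWALL_EXE entries are passed
 * straight to strncasecmp()/strlcpy(), so they are assumed to be non-NULL
 * here -- confirm the config loader always supplies a default for them.
 */
int fw_config_init(fko_srv_options_t * const opts)
{
    memset(&fwc, 0x0, sizeof(struct fw_config));

    /* Set our firewall exe command path (iptables in most cases).
     * strlcpy() returns the full source length; a value at or past the
     * buffer size means the path was truncated, and a truncated path would
     * later be executed as the firewall command, so treat it as a failure
     * instead of continuing silently.
     */
    if(strlcpy(fwc.fw_command, opts->config[CONF_FIREWALL_EXE],
                sizeof(fwc.fw_command)) >= sizeof(fwc.fw_command))
        return 0;

    /* Pull the fwknop chain config info and setup our internal
     * config struct. The IPT_INPUT is the only one that is
     * required. The rest are optional.
     */
    if(set_fw_chain_conf(IPT_INPUT_ACCESS,
                opts->config[CONF_IPT_INPUT_ACCESS]) != 1)
        return 0;

    /* The FWKNOP_OUTPUT_ACCESS requires ENABLE_IPT_OUTPUT_ACCESS be Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_OUTPUT], "Y", 1) == 0)
    {
        if(set_fw_chain_conf(IPT_OUTPUT_ACCESS,
                    opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
            return 0;
    }

    /* The remaining access chains require ENABLE_IPT_FORWARDING = Y */
    if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1) == 0)
    {
        if(set_fw_chain_conf(IPT_FORWARD_ACCESS,
                    opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
            return 0;

        if(set_fw_chain_conf(IPT_DNAT_ACCESS,
                    opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
            return 0;

        /* SNAT (whichever mode) requires ENABLE_IPT_SNAT = Y */
        if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
        {
            const char *xlate_ip = opts->config[CONF_SNAT_TRANSLATE_IP];

            /* No usable SNAT_TRANSLATE_IP -> MASQUERADE; otherwise SNAT.
             * The address is validated exactly once here, so the SNAT
             * branch needs no second check and no unreachable fallback.
             *
             * NOTE(review): a non-NULL but invalid SNAT_TRANSLATE_IP is
             * silently downgraded to MASQUERADE rather than rejected; a
             * misconfigured address therefore changes the NAT mode without
             * any error being reported -- consider failing instead.
             */
            if(xlate_ip == NULL || !is_valid_ipv4_addr(xlate_ip))
            {
                fwc.use_masquerade = 1;
                if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS,
                            opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
                    return 0;
            }
            else
            {
                if(set_fw_chain_conf(IPT_SNAT_ACCESS,
                            opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
                    return 0;
            }
        }
    }

    /* Let us find it via our opts struct as well. */
    opts->fw_config = &fwc;

    return 1;
}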