fw-daemon/sgfw/ipc.go

package sgfw

import (
	"fmt"
	"net"
	"os"
	"bufio"
	"strings"
	"strconv"
	"encoding/binary"
)

const ReceiverSocketPath = "/tmp/fwoz.sock"


func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {
	policy := fw.PolicyForPath("*")
	rulestr := ""

	if whitelist {
		rulestr += "ALLOW"
	} else {
		rulestr += "DENY"
	}

	rulestr += "|" + dsthost + ":" + strconv.Itoa(int(dstport)) + "|SESSION|" + srchost
	_, err := policy.parseRule(rulestr, true)

	return err
}

func ReceiverLoop(fw *Firewall, c net.Conn) {
	defer c.Close()
	bio := bufio.NewReader(c)

	for {
		buf, err := bio.ReadBytes('\n')

		if err != nil {
			log.Notice("Error reading data from IPC client: ", err)
			return
		}

		data := string(buf)

		if data[len(data)-1] == '\n' {
			data = data[0:len(data)-1]
		}

		if data == "dump" {
			log.Notice("Dumping oz-firewall rule set to client...")
			rl := fw.PolicyForPath("*").rules

			totalIRules := 0

			for r := 0; r < len(rl); r++ {
				if rl[r].saddr != nil {
					totalIRules++
				}
			}

			banner := fmt.Sprintf("There are a total of %d rule(s).\n", totalIRules)

			c.Write([]byte(banner))

			for r := 0; r < len(rl); r++ {
				ip := make([]byte, 4)
		                binary.BigEndian.PutUint32(ip, rl[r].addr)
				hostname := ""

				if rl[r].hostname != "" {
					hostname = " (" + rl[r].hostname + ") "
				}

				ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, rl[r].port)
				c.Write([]byte(ruledesc))
			}

/*			for i := 0; i < len(sandboxRules); i++ {
				rulestr := ""

				if sandboxRules[i].Whitelist {
					rulestr += "whitelist"
				} else {
					rulestr += "blacklist"
				}

				rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
				c.Write([]byte(rulestr))
			} */

			return
		} else {
			tokens := strings.Split(data, " ")

			if len(tokens) != 5 {
				log.Notice("IPC received invalid command: " + data)
				c.Write([]byte("Received bad number of parameters.\n"))
				return
			} else if tokens[0] != "add" && tokens[0] != "remove" {
				log.Notice("IPC received invalid command: " + data)
				c.Write([]byte("Unrecognized command.\n"))
				return
			} else if tokens[1] != "whitelist" && tokens[1] != "blacklist" {
				log.Notice("IPC received invalid command: " + data)
				c.Write([]byte("Bad command: must specify either whitelist or blacklist.\n"))
				return
			}

			add := true

			if tokens[0] == "remove" {
				add = false
			}

			w := true

			if tokens[1] == "blacklist" {
				w = false
			}

			srchost := tokens[2]
			dsthost := tokens[3]
			srcip := net.ParseIP(srchost)

			if srcip == nil {
				log.Notice("IP conversion failed: ", srchost)
				srcip = net.IP{0,0,0,0}
			}

			dstport, err := strconv.Atoi(tokens[4])

			if err != nil || dstport <= 0  || dstport > 65535 {
				log.Notice("IPC received invalid destination port: ", tokens[4])
				c.Write([]byte("Bad command: dst port was invalid"))
				return
			}

			if add {
				log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
				err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))
				if err != nil {
					log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
				} else {
					log.Notice("XXX: rule also successfully added to fw-daemon")
				}
			} else {
				log.Notice("Removing new rule from oz sandbox/fw... ")
			}


			log.Notice("IPC received command: " + data)
			c.Write([]byte("OK.\n"))
			return
		}


	}

}

func OzReceiver(fw *Firewall) {
	log.Notice("XXX: dispatching oz receiver...")
	os.Remove(ReceiverSocketPath)
	lfd, err := net.Listen("unix", ReceiverSocketPath)
	if err != nil {
	        log.Fatal("Could not open oz receiver socket:", err)
	}

	for {
		fd, err := lfd.Accept()
		if err != nil {
			log.Fatal("Could not accept receiver client:", err)
		}

		go ReceiverLoop(fw, fd)
        }

}
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`package sgfw`

			`import (`
			`"fmt"`
			`"net"`
			`"os"`
			`"bufio"`
			`"strings"`
			`"strconv"`
Removed code for custom matching of firewall rules. 8 years ago			`"encoding/binary"`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`)`

			`const ReceiverSocketPath = "/tmp/fwoz.sock"`


Garbage dump commit of current progress. 8 years ago			`func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {`
			`policy := fw.PolicyForPath("*")`
			`rulestr := ""`

			`if whitelist {`
			`rulestr += "ALLOW"`
			`} else {`
			`rulestr += "DENY"`
			`}`

			`rulestr += "\|" + dsthost + ":" + strconv.Itoa(int(dstport)) + "\|SESSION\|" + srchost`
			`_, err := policy.parseRule(rulestr, true)`

			`return err`
			`}`

			`func ReceiverLoop(fw *Firewall, c net.Conn) {`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`defer c.Close()`
			`bio := bufio.NewReader(c)`

			`for {`
			`buf, err := bio.ReadBytes('\n')`

			`if err != nil {`
			`log.Notice("Error reading data from IPC client: ", err)`
			`return`
			`}`

			`data := string(buf)`

			`if data[len(data)-1] == '\n' {`
			`data = data[0:len(data)-1]`
			`}`

			`if data == "dump" {`
			`log.Notice("Dumping oz-firewall rule set to client...")`
Removed code for custom matching of firewall rules. 8 years ago			`rl := fw.PolicyForPath("*").rules`

			`totalIRules := 0`

			`for r := 0; r < len(rl); r++ {`
			`if rl[r].saddr != nil {`
			`totalIRules++`
			`}`
			`}`

			`banner := fmt.Sprintf("There are a total of %d rule(s).\n", totalIRules)`

Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`c.Write([]byte(banner))`

Removed code for custom matching of firewall rules. 8 years ago			`for r := 0; r < len(rl); r++ {`
			`ip := make([]byte, 4)`
			`binary.BigEndian.PutUint32(ip, rl[r].addr)`
			`hostname := ""`

			`if rl[r].hostname != "" {`
			`hostname = " (" + rl[r].hostname + ") "`
			`}`

			`ruledesc := fmt.Sprintf("id %v, %v \| %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, rl[r].port)`
			`c.Write([]byte(ruledesc))`
			`}`

			`/* for i := 0; i < len(sandboxRules); i++ {`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`rulestr := ""`

			`if sandboxRules[i].Whitelist {`
			`rulestr += "whitelist"`
			`} else {`
			`rulestr += "blacklist"`
			`}`

			`rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"`
			`c.Write([]byte(rulestr))`
Removed code for custom matching of firewall rules. 8 years ago			`} */`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago
			`return`
			`} else {`
			`tokens := strings.Split(data, " ")`

			`if len(tokens) != 5 {`
			`log.Notice("IPC received invalid command: " + data)`
			`c.Write([]byte("Received bad number of parameters.\n"))`
			`return`
			`} else if tokens[0] != "add" && tokens[0] != "remove" {`
			`log.Notice("IPC received invalid command: " + data)`
			`c.Write([]byte("Unrecognized command.\n"))`
			`return`
			`} else if tokens[1] != "whitelist" && tokens[1] != "blacklist" {`
			`log.Notice("IPC received invalid command: " + data)`
			`c.Write([]byte("Bad command: must specify either whitelist or blacklist.\n"))`
			`return`
			`}`

			`add := true`

			`if tokens[0] == "remove" {`
			`add = false`
			`}`

			`w := true`

			`if tokens[1] == "blacklist" {`
			`w = false`
			`}`

Garbage dump commit of current progress. 8 years ago			`srchost := tokens[2]`
			`dsthost := tokens[3]`
			`srcip := net.ParseIP(srchost)`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago
			`if srcip == nil {`
Garbage dump commit of current progress. 8 years ago			`log.Notice("IP conversion failed: ", srchost)`
			`srcip = net.IP{0,0,0,0}`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`}`

			`dstport, err := strconv.Atoi(tokens[4])`

			`if err != nil \|\| dstport <= 0 \|\| dstport > 65535 {`
			`log.Notice("IPC received invalid destination port: ", tokens[4])`
			`c.Write([]byte("Bad command: dst port was invalid"))`
			`return`
			`}`

			`if add {`
Removed code for custom matching of firewall rules. 8 years ago			`log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)`
Garbage dump commit of current progress. 8 years ago			`err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))`
			`if err != nil {`
			`log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)`
			`} else {`
			`log.Notice("XXX: rule also successfully added to fw-daemon")`
			`}`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`} else {`
Removed code for custom matching of firewall rules. 8 years ago			`log.Notice("Removing new rule from oz sandbox/fw... ")`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`}`


			`log.Notice("IPC received command: " + data)`
			`c.Write([]byte("OK.\n"))`
			`return`
			`}`


			`}`

			`}`

Garbage dump commit of current progress. 8 years ago			`func OzReceiver(fw *Firewall) {`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`log.Notice("XXX: dispatching oz receiver...")`
			`os.Remove(ReceiverSocketPath)`
			`lfd, err := net.Listen("unix", ReceiverSocketPath)`
			`if err != nil {`
			`log.Fatal("Could not open oz receiver socket:", err)`
			`}`

			`for {`
			`fd, err := lfd.Accept()`
			`if err != nil {`
			`log.Fatal("Could not accept receiver client:", err)`
			`}`

Garbage dump commit of current progress. 8 years ago			`go ReceiverLoop(fw, fd)`
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()). 8 years ago			`}`

			`}`