From 30482bf15bf220fe7f610230c2cc86911f90b369 Mon Sep 17 00:00:00 2001
From: shw <shw@subgraph.com>
Date: Tue, 18 Apr 2017 22:41:46 +0000
Subject: [PATCH] Support for wildcard ports in dynamic OZ/fw rules. Modified
 behavior for source interface-based rules to allow for fallthrough policies.

---
 sgfw/ipc.go   | 19 +++++++++++++------
 sgfw/rules.go |  5 +++++
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index 46ad3f9..5d88d9a 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -13,7 +13,7 @@ import (
 const ReceiverSocketPath = "/tmp/fwoz.sock"
 
 
-func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {
+func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) error {
 	policy := fw.PolicyForPath("*")
 	rulestr := ""
 
@@ -23,7 +23,7 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport ui
 		rulestr += "DENY"
 	}
 
-	rulestr += "|" + dsthost + ":" + strconv.Itoa(int(dstport)) + "|SESSION|" + srchost
+	rulestr += "|" + dsthost + ":" + dstport + "|SESSION|" + srchost
 	_, err := policy.parseRule(rulestr, true)
 
 	return err
@@ -98,7 +98,13 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
 					hostname = " (" + rl[r].hostname + ") "
 				}
 
-				ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, rl[r].port)
+				portstr := strconv.Itoa(int(rl[r].port))
+
+				if rl[r].port == 0 {
+					portstr = "*"
+				}
+
+				ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, portstr)
 				c.Write([]byte(ruledesc))
 			}
 
@@ -160,9 +166,10 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
 				srcip = net.IP{0,0,0,0}
 			}
 
-			dstport, err := strconv.Atoi(tokens[4])
+			dstport := tokens[4]
+			dstp, err := strconv.Atoi(dstport)
 
-			if err != nil || dstport <= 0  || dstport > 65535 {
+			if dstport != "*" && (err != nil || dstp < 0  || dstp > 65535) {
 				log.Notice("IPC received invalid destination port: ", tokens[4])
 				c.Write([]byte("Bad command: dst port was invalid"))
 				return
@@ -170,7 +177,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
 
 			if add {
 				log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
-				err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))
+				err := addFWRule(fw, w, srchost, dsthost, dstport)
 				if err != nil {
 					log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
 				} else {
diff --git a/sgfw/rules.go b/sgfw/rules.go
index a9c2f71..2375e69 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -108,6 +108,7 @@ log.Notice("! Skipping comparison against incompatible rule types: rule src = ",
 			continue
 		} else if r.saddr != nil && !r.saddr.Equal(src) {
 log.Notice("! Skipping comparison of mismatching source ips")
+			continue
 		}
 		if r.match(src, dst, dstPort, hostname) {
 log.Notice("+ MATCH SUCCEEDED")
@@ -130,6 +131,10 @@ log.Notice("+ MATCH SUCCEEDED")
 				return FILTER_DENY
 			} else if r.rtype == RULE_ACTION_ALLOW {
 				result = FILTER_ALLOW
+
+				if r.saddr != nil {
+					return result
+				}
 			}
 		} else { log.Notice("+ MATCH FAILED") }
 	}