Support for wildcard ports in dynamic OZ/fw rules.

Modified behavior for source interface-based rules to allow for fallthrough policies.
shw_dev
shw 8 years ago
parent e1a994169f
commit 30482bf15b

@ -13,7 +13,7 @@ import (
const ReceiverSocketPath = "/tmp/fwoz.sock" const ReceiverSocketPath = "/tmp/fwoz.sock"
func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error { func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) error {
policy := fw.PolicyForPath("*") policy := fw.PolicyForPath("*")
rulestr := "" rulestr := ""
@ -23,7 +23,7 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport ui
rulestr += "DENY" rulestr += "DENY"
} }
rulestr += "|" + dsthost + ":" + strconv.Itoa(int(dstport)) + "|SESSION|" + srchost rulestr += "|" + dsthost + ":" + dstport + "|SESSION|" + srchost
_, err := policy.parseRule(rulestr, true) _, err := policy.parseRule(rulestr, true)
return err return err
@ -98,7 +98,13 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
hostname = " (" + rl[r].hostname + ") " hostname = " (" + rl[r].hostname + ") "
} }
ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, rl[r].port) portstr := strconv.Itoa(int(rl[r].port))
if rl[r].port == 0 {
portstr = "*"
}
ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, portstr)
c.Write([]byte(ruledesc)) c.Write([]byte(ruledesc))
} }
@ -160,9 +166,10 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
srcip = net.IP{0,0,0,0} srcip = net.IP{0,0,0,0}
} }
dstport, err := strconv.Atoi(tokens[4]) dstport := tokens[4]
dstp, err := strconv.Atoi(dstport)
if err != nil || dstport <= 0 || dstport > 65535 { if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) {
log.Notice("IPC received invalid destination port: ", tokens[4]) log.Notice("IPC received invalid destination port: ", tokens[4])
c.Write([]byte("Bad command: dst port was invalid")) c.Write([]byte("Bad command: dst port was invalid"))
return return
@ -170,7 +177,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
if add { if add {
log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport) log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
err := addFWRule(fw, w, srchost, dsthost, uint16(dstport)) err := addFWRule(fw, w, srchost, dsthost, dstport)
if err != nil { if err != nil {
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err) log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
} else { } else {

@ -108,6 +108,7 @@ log.Notice("! Skipping comparison against incompatible rule types: rule src = ",
continue continue
} else if r.saddr != nil && !r.saddr.Equal(src) { } else if r.saddr != nil && !r.saddr.Equal(src) {
log.Notice("! Skipping comparison of mismatching source ips") log.Notice("! Skipping comparison of mismatching source ips")
continue
} }
if r.match(src, dst, dstPort, hostname) { if r.match(src, dst, dstPort, hostname) {
log.Notice("+ MATCH SUCCEEDED") log.Notice("+ MATCH SUCCEEDED")
@ -130,6 +131,10 @@ log.Notice("+ MATCH SUCCEEDED")
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW { } else if r.rtype == RULE_ACTION_ALLOW {
result = FILTER_ALLOW result = FILTER_ALLOW
if r.saddr != nil {
return result
}
} }
} else { log.Notice("+ MATCH FAILED") } } else { log.Notice("+ MATCH FAILED") }
} }

Loading…
Cancel
Save