|
|
@ -7,37 +7,12 @@ import (
|
|
|
|
"bufio"
|
|
|
|
"bufio"
|
|
|
|
"strings"
|
|
|
|
"strings"
|
|
|
|
"strconv"
|
|
|
|
"strconv"
|
|
|
|
|
|
|
|
"encoding/binary"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const ReceiverSocketPath = "/tmp/fwoz.sock"
|
|
|
|
const ReceiverSocketPath = "/tmp/fwoz.sock"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func canAddRule(rule sandboxRule) bool {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for i := 0; i < len(sandboxRules); i++ {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if rule.SrcIf.Equal(sandboxRules[i].SrcIf) && rule.Whitelist != sandboxRules[i].Whitelist {
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func ruleExists(rule sandboxRule) int {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for i := 0; i < len(sandboxRules); i++ {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if rule.Whitelist == sandboxRules[i].Whitelist && rule.SrcIf.Equal(sandboxRules[i].SrcIf) && rule.DstIP.Equal(sandboxRules[i].DstIP) && rule.DstPort == sandboxRules[i].DstPort {
|
|
|
|
|
|
|
|
return i
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return -1
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {
|
|
|
|
func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport uint16) error {
|
|
|
|
policy := fw.PolicyForPath("*")
|
|
|
|
policy := fw.PolicyForPath("*")
|
|
|
|
rulestr := ""
|
|
|
|
rulestr := ""
|
|
|
@ -74,10 +49,34 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
|
|
|
|
|
|
|
|
|
|
|
|
if data == "dump" {
|
|
|
|
if data == "dump" {
|
|
|
|
log.Notice("Dumping oz-firewall rule set to client...")
|
|
|
|
log.Notice("Dumping oz-firewall rule set to client...")
|
|
|
|
banner := fmt.Sprintf("There are a total of %d rule(s).\n", len(sandboxRules))
|
|
|
|
rl := fw.PolicyForPath("*").rules
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
totalIRules := 0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for r := 0; r < len(rl); r++ {
|
|
|
|
|
|
|
|
if rl[r].saddr != nil {
|
|
|
|
|
|
|
|
totalIRules++
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
banner := fmt.Sprintf("There are a total of %d rule(s).\n", totalIRules)
|
|
|
|
|
|
|
|
|
|
|
|
c.Write([]byte(banner))
|
|
|
|
c.Write([]byte(banner))
|
|
|
|
|
|
|
|
|
|
|
|
for i := 0; i < len(sandboxRules); i++ {
|
|
|
|
for r := 0; r < len(rl); r++ {
|
|
|
|
|
|
|
|
ip := make([]byte, 4)
|
|
|
|
|
|
|
|
binary.BigEndian.PutUint32(ip, rl[r].addr)
|
|
|
|
|
|
|
|
hostname := ""
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if rl[r].hostname != "" {
|
|
|
|
|
|
|
|
hostname = " (" + rl[r].hostname + ") "
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, rl[r].port)
|
|
|
|
|
|
|
|
c.Write([]byte(ruledesc))
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* for i := 0; i < len(sandboxRules); i++ {
|
|
|
|
rulestr := ""
|
|
|
|
rulestr := ""
|
|
|
|
|
|
|
|
|
|
|
|
if sandboxRules[i].Whitelist {
|
|
|
|
if sandboxRules[i].Whitelist {
|
|
|
@ -88,7 +87,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
|
|
|
|
|
|
|
|
|
|
|
|
rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
|
|
|
|
rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
|
|
|
|
c.Write([]byte(rulestr))
|
|
|
|
c.Write([]byte(rulestr))
|
|
|
|
}
|
|
|
|
} */
|
|
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
return
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
@ -129,8 +128,6 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
|
|
|
|
srcip = net.IP{0,0,0,0}
|
|
|
|
srcip = net.IP{0,0,0,0}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
dstip := net.IP{0,0,0,0}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
dstport, err := strconv.Atoi(tokens[4])
|
|
|
|
dstport, err := strconv.Atoi(tokens[4])
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil || dstport <= 0 || dstport > 65535 {
|
|
|
|
if err != nil || dstport <= 0 || dstport > 65535 {
|
|
|
@ -139,29 +136,8 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
rule := sandboxRule { srcip, dstip, uint16(dstport), w }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if add && !canAddRule(rule) {
|
|
|
|
|
|
|
|
log.Notice("Could not add rule of mismatching type: ", rule)
|
|
|
|
|
|
|
|
c.Write([]byte("Error: cannot add rule that would result in mixed whitelist and blacklist"))
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
exists := ruleExists(rule)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if add && exists != -1 {
|
|
|
|
|
|
|
|
log.Notice("IP received request to add existing rule: ", rule)
|
|
|
|
|
|
|
|
c.Write([]byte("Error: cannot add already existing rule"))
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
} else if !add && exists == -1 {
|
|
|
|
|
|
|
|
log.Notice("IP received request to remove non-existent rule: ", rule)
|
|
|
|
|
|
|
|
c.Write([]byte("Error: could not remove non-existent rule"))
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if add {
|
|
|
|
if add {
|
|
|
|
log.Notice("Adding new rule to oz sandbox/fw: ", rule)
|
|
|
|
log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
|
|
|
|
sandboxRules = append(sandboxRules, rule)
|
|
|
|
|
|
|
|
err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))
|
|
|
|
err := addFWRule(fw, w, srchost, dsthost, uint16(dstport))
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
|
|
|
|
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
|
|
|
@ -169,8 +145,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
|
|
|
|
log.Notice("XXX: rule also successfully added to fw-daemon")
|
|
|
|
log.Notice("XXX: rule also successfully added to fw-daemon")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
log.Notice("Removing new rule from oz sandbox/fw: ", rule)
|
|
|
|
log.Notice("Removing new rule from oz sandbox/fw... ")
|
|
|
|
sandboxRules = append(sandboxRules[:exists], sandboxRules[exists+1:]...)
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|