From e1a994169f35322bc3b62f473004c62a5a1c9e1d Mon Sep 17 00:00:00 2001
From: shw
Date: Tue, 18 Apr 2017 21:58:10 +0000
Subject: [PATCH] Added removeall IPC command for stripping all rules matching a source interface.

---
 sgfw/ipc.go | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index 1feae6f..46ad3f9 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -29,6 +29,32 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost string, dstport ui
 return err
 }
 
+func removeAllByIP(fw *Firewall, srcip string) bool {
+log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
+ saddr := net.ParseIP(srcip)
+
+ if saddr == nil {
+ return false
+ }
+
+ policy := fw.PolicyForPath("*")
+ nrm := 0
+
+ for _, rr := range policy.rules {
+ if rr.saddr != nil && rr.saddr.Equal(saddr) {
+ log.Notice("XXX: removing ephemeral rules by Oz interface ", srcip, ": ", rr)
+ policy.removeRule(rr)
+ nrm++
+ }
+ }
+
+ if nrm == 0 {
+ log.Notice("XXX: did not remove any rules for interface")
+ }
+
+ return true
+}
+
 func ReceiverLoop(fw *Firewall, c net.Conn) {
 defer c.Close()
 bio := bufio.NewReader(c)
@@ -93,6 +119,12 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
 } else {
 tokens := strings.Split(data, " ")
 
+ if len(tokens) == 2 && tokens[0] == "removeall" {
+ log.Notice("Attempting to remove all: ", tokens[1])
+ removeAllByIP(fw, tokens[1])
+ return
+ }
+
 if len(tokens) != 5 {
 log.Notice("IPC received invalid command: " + data)
 c.Write([]byte("Received bad number of parameters.\n"))
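Review bot: The loop in removeAllByIP ranges over `policy.rules` while `policy.removeRule(rr)` presumably mutates that same slice; if removeRule shifts the remaining elements down in place, the rule following each match is skipped and the last slot is visited twice, so adjacent rules for the same interface can survive the sweep. Iterating over a snapshot avoids that in one line, `for _, rr := range append(policy.rules[:0:0], policy.rules...) {`, and if Policy guards its rules with a lock elsewhere, the read of `policy.rules` here should be taken under it as well. The match condition only compares source addresses, so despite the "ephemeral rules" wording every rule in the "*" policy whose saddr equals the interface address is removed, persistent ones included if that policy can hold them; a doc comment such as `// removeAllByIP drops every rule in the wildcard policy whose source address equals srcip; it does not distinguish ephemeral from persistent rules.` would make that scope explicit. The first `log.Notice` line is not indented, and `fw.PolicyForPath("*")` is dereferenced without a nil check, so confirm it cannot return nil.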
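Review bot: The `removeall` branch discards the bool returned by `removeAllByIP` and returns without writing anything to the client, unlike the neighbouring branch that replies `Received bad number of parameters.`, so an address that fails `net.ParseIP` silently ends the connection with no error surfaced to the caller. Report the failure before returning, `if !removeAllByIP(fw, tokens[1]) { c.Write([]byte("Invalid source address.\n")) }`. Also confirm that `return`, which ends ReceiverLoop and closes the connection through the deferred `c.Close()`, is intended here rather than continuing the read loop as the other command paths may do. ReceiverLoop begins before this hunk, and its remaining command handling lies outside it.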