You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fw-daemon/sgfw/rules.go

333 lines
7.2 KiB

package sgfw
import (
"encoding/binary"
"fmt"
"io/ioutil"
"net"
"os"
"path"
"strconv"
"strings"
"unicode"
nfqueue "github.com/subgraph/go-nfnetlink/nfqueue"
// "github.com/subgraph/go-nfnetlink"
"github.com/subgraph/go-procsnitch"
)
const matchAny = 0
const noAddress = uint32(0xffffffff)
type Rule struct {
id uint
policy *Policy
mode RuleMode
rtype RuleAction
hostname string
addr uint32
saddr net.IP
port uint16
}
func (r *Rule) String() string {
return r.getString(false)
}
func (r *Rule) getString(redact bool) string {
rtype := RuleActionString[RULE_ACTION_DENY]
if r.rtype == RULE_ACTION_ALLOW {
rtype = RuleActionString[RULE_ACTION_ALLOW]
}
rmode := ""
if r.mode == RULE_MODE_SYSTEM {
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
}
return fmt.Sprintf("%s|%s%s", rtype, r.AddrString(redact), rmode)
}
func (r *Rule) AddrString(redact bool) string {
addr := "*"
port := "*"
if r.hostname != "" {
addr = r.hostname
} else if r.addr != matchAny && r.addr != noAddress {
bs := make([]byte, 4)
binary.BigEndian.PutUint32(bs, r.addr)
addr = fmt.Sprintf("%d.%d.%d.%d", bs[0], bs[1], bs[2], bs[3])
}
if r.port != matchAny {
port = fmt.Sprintf("%d", r.port)
}
if redact && addr != "*" {
addr = STR_REDACTED
}
return fmt.Sprintf("%s:%s", addr, port)
}
type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string) bool {
xip := make(net.IP, 4)
binary.BigEndian.PutUint32(xip, r.addr)
log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, " : ", r.port)
if r.port != matchAny && r.port != dstPort {
return false
}
if r.addr == matchAny {
return true
}
if r.hostname != "" {
return r.hostname == hostname
}
return r.addr == binary.BigEndian.Uint32(dst.To4())
}
func (rl *RuleList) filterPacket(p *nfqueue.NFQPacket, pinfo *procsnitch.Info, srcip net.IP, hostname string) FilterResult {
_, dstip := getPacketIP4Addrs(p)
_, dstp := getPacketPorts(p)
return rl.filter(p, srcip, dstip, dstp, hostname, pinfo)
}
func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint16, hostname string, pinfo *procsnitch.Info) FilterResult {
if rl == nil {
return FILTER_PROMPT
}
result := FILTER_PROMPT
// saddr_ip := make(net.IP, 4)
// binary.BigEndian.PutUint32(saddr_ip, r.saddr)
for _, r := range *rl {
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr)
if r.saddr == nil && src != nil {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
continue
} else if r.saddr != nil && !r.saddr.Equal(src) {
log.Notice("! Skipping comparison of mismatching source ips")
}
if r.match(src, dst, dstPort, hostname) {
log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
dstStr = STR_REDACTED
}
srcStr := STR_UNKNOWN
if pkt != nil {
srcip, _ := getPacketIP4Addrs(pkt)
srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
}
log.Noticef("%s > %s %s %s -> %s:%d",
r.getString(FirewallConfig.LogRedact),
pinfo.ExePath, "TCP",
srcStr,
dstStr, dstPort)
if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW {
result = FILTER_ALLOW
}
} else { log.Notice("+ MATCH FAILED") }
}
log.Notice("--- RESULT = ", result)
return result
}
func parseError(s string) error {
return fmt.Errorf("unable to parse rule string: %s", s)
}
func (r *Rule) parse(s string) bool {
r.addr = noAddress
r.saddr = nil
parts := strings.Split(s, "|")
if len(parts) < 2 {
return false
}
if len(parts) >= 3 && parts[2] == "SYSTEM" {
r.mode = RULE_MODE_SYSTEM
if len(parts) > 4 {
r.saddr = net.ParseIP(parts[3])
}
} else if len(parts) > 3 {
r.saddr = net.ParseIP(parts[3])
} else if len(parts) > 2 {
r.saddr = net.ParseIP(parts[2])
}
fmt.Println("----- rule parser: srcip = ", r.saddr)
return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
}
func (r *Rule) parseVerb(v string) bool {
switch v {
case RuleActionString[RULE_ACTION_ALLOW]:
r.rtype = RULE_ACTION_ALLOW
return true
case RuleActionString[RULE_ACTION_DENY]:
r.rtype = RULE_ACTION_DENY
return true
}
return false
}
func (r *Rule) parseTarget(t string) bool {
addrPort := strings.Split(t, ":")
if len(addrPort) != 2 {
return false
}
return r.parseAddr(addrPort[0]) && r.parsePort(addrPort[1])
}
func (r *Rule) parseAddr(a string) bool {
if a == "*" {
r.hostname = ""
r.addr = matchAny
return true
}
if strings.IndexFunc(a, unicode.IsLetter) != -1 {
r.hostname = a
return true
}
ip := net.ParseIP(a)
if ip == nil {
return false
}
r.addr = binary.BigEndian.Uint32(ip.To4())
return true
}
func (r *Rule) parsePort(p string) bool {
if p == "*" {
r.port = matchAny
return true
}
var err error
port, err := strconv.ParseUint(p, 10, 16)
if err != nil || port == 0 || port > 0xFFFF {
return false
}
r.port = uint16(port)
return true
}
const ruleFile = "/var/lib/sgfw/sgfw_rules"
func maybeCreateDir(dir string) error {
_, err := os.Stat(dir)
if os.IsNotExist(err) {
return os.MkdirAll(dir, 0755)
}
return err
}
func rulesPath() (string, error) {
if err := maybeCreateDir(path.Dir(ruleFile)); err != nil {
return ruleFile, err
}
return ruleFile, nil
}
func (fw *Firewall) saveRules() {
fw.lock.Lock()
defer fw.lock.Unlock()
p, err := rulesPath()
if err != nil {
log.Warningf("Failed to open %s for writing: %v", p, err)
return
}
f, err := os.Create(p)
if err != nil {
log.Warningf("Failed to open %s for writing: %v", p, err)
return
}
defer f.Close()
for _, p := range fw.policies {
savePolicy(f, p)
}
}
func savePolicy(f *os.File, p *Policy) {
p.lock.Lock()
defer p.lock.Unlock()
if !p.hasPersistentRules() {
return
}
if !writeLine(f, "["+p.path+"]") {
return
}
for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION {
if !writeLine(f, r.String()) {
return
}
}
}
}
func writeLine(f *os.File, line string) bool {
_, err := f.WriteString(line + "\n")
if err != nil {
log.Warningf("Error writing to rule file: %v", err)
return false
}
return true
}
func (fw *Firewall) loadRules() {
fw.lock.Lock()
defer fw.lock.Unlock()
fw.clearRules()
p, err := rulesPath()
if err != nil {
log.Warningf("Failed to open %s for reading: %v", p, err)
return
}
bs, err := ioutil.ReadFile(p)
if err != nil {
if !os.IsNotExist(err) {
log.Warningf("Failed to open %s for reading: %v", p, err)
}
return
}
var policy *Policy
for _, line := range strings.Split(string(bs), "\n") {
if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
policy = fw.processPathLine(line)
} else if len(strings.TrimSpace(line)) > 0 {
processRuleLine(policy, line)
}
}
}
func (fw *Firewall) processPathLine(line string) *Policy {
path := line[1 : len(line)-1]
policy := fw.policyForPath(path)
policy.lock.Lock()
defer policy.lock.Unlock()
policy.rules = nil
return policy
}
func processRuleLine(policy *Policy, line string) {
if policy == nil {
log.Warningf("Cannot process rule line without first seeing path line: %s", line)
return
}
_, err := policy.parseRule(line, true)
if err != nil {
log.Warningf("Error parsing rule (%s): %v", line, err)
return
}
}