/*-
* Copyright (c) 2022 Michael Pounov <misho@elwix.org>
*
*
* Redistribution and use in source forms, with and without modification,
* are permitted provided that this entire comment appears intact.
*
* Redistribution in binary form may occur without any restrictions.
* Obviously, it would be nice if you gave credit where credit is due
* but requiring it would be too onerous.
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
* command line interface for sync state of IP firewall
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/param.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/if_dl.h>
#include <arpa/inet.h>
#include <netinet/ip_fw.h>
#include <err.h>
#include <sysexits.h>
#include "ipfw2.h"
typedef union {
struct sockaddr_storage ss;
struct sockaddr sa;
struct sockaddr_un sun;
struct sockaddr_in sin;
struct sockaddr_in6 sin6;
struct sockaddr_dl sdl;
} sockaddr_t;
#define E_SOCKADDR_INIT { .ss = { 0 } }
#define E_SOCKADDR_MAX MIN(sizeof(sockaddr_t), 0xff)
#define SYNC_SHIFT_ARG { ac--; av++; }
#define DEF_SYNC_PORT 20611
void
ipfw_config_sync(int ac, char **av)
{
u_short port;
sockaddr_t *sa = NULL;
int len, j, i = 0;
char *str, *buf, show[BUFSIZ], host[64];
void *ptr;
ipfw_obj_header *oh;
struct ipfw_sync_cfg *cfg;
SYNC_SHIFT_ARG;
len = sizeof(*oh) + sizeof(*cfg);
buf = malloc(len);
if (!buf)
errx(EX_OSERR, "malloc failed");
else
memset(buf, 0, len);
oh = (ipfw_obj_header*) buf;
cfg = (struct ipfw_sync_cfg*) (oh + 1);
oh->ntlv.head.length = sizeof(oh->ntlv);
if (ac && !strcmp(*av, "edge")) {
SYNC_SHIFT_ARG;
if (ac && !strcmp(*av, "port"))
SYNC_SHIFT_ARG;
if (!ac)
errx(EX_DATAERR, "missing edge port\n");
strlcpy(host, *av, sizeof host);
if ((str = strchr(host, ','))) {
*str++ = 0;
port = strtol(str, NULL, 10);
if (!port)
errx(EX_DATAERR, "incorrect port number\n");
} else {
port = strtol(host, NULL, 10);
if (!port)
errx(EX_DATAERR, "incorrect port number\n");
strlcpy(host, "0.0.0.0", sizeof host);
}
strlcpy(oh->ntlv.name, "edge", sizeof(oh->ntlv.name));
strlcpy(cfg->name, "edge", sizeof(cfg->name));
cfg->mode = CFG_SYNC_EDGE;
cfg->addrs = 1;
cfg->addr[0].addr.sa_family = strchr(host, ':') ? AF_INET6 : AF_INET;
if (cfg->addr[0].addr.sa_family == AF_INET) {
cfg->addr[0].ip4.sin_len = sizeof cfg->addr[0].ip4;
cfg->addr[0].ip4.sin_port = htons(port);
if (inet_pton(AF_INET, host, &cfg->addr[0].ip4.sin_addr) != 1)
errx(EX_DATAERR, "invalid edge IPv4 address\n");
} else {
cfg->addr[0].ip6.sin6_len = sizeof cfg->addr[0].ip6;
cfg->addr[0].ip6.sin6_port = htons(port);
if (inet_pton(AF_INET6, host, &cfg->addr[0].ip6.sin6_addr) != 1)
errx(EX_DATAERR, "invalid edge IPv6 address\n");
}
} else if (!strcmp(*av, "collector")) {
SYNC_SHIFT_ARG;
if (!ac)
errx(EX_DATAERR, "missing destination(s) address[,port]\n");
while (ac && *av) {
ptr = realloc(sa, E_SOCKADDR_MAX * (i + 1));
if (!ptr) {
free(sa);
errx(EX_DATAERR, "not enough memory for collectors\n");
} else
sa = ptr;
memset(sa + i, 0, E_SOCKADDR_MAX);
if ((str = strchr(*av, ','))) {
*str++ = 0;
port = strtol(str, NULL, 10);
if (!port) {
free(sa);
errx(EX_DATAERR, "incorrect port number\n");
}
} else
port = DEF_SYNC_PORT;
sa[i].sa.sa_family = strchr(*av, ':') ? AF_INET6 : AF_INET;
if (sa[i].sa.sa_family == AF_INET) {
sa[i].sa.sa_len = sizeof sa[i].sin;
sa[i].sin.sin_port = htons(port);
if (inet_pton(AF_INET, *av, &sa[i].sin.sin_addr) != 1) {
free(sa);
errx(EX_DATAERR, "invalid collector address\n");
}
cfg->addr[1 + i].ip4.sin_len = sizeof cfg->addr[1 + i].ip4;
cfg->addr[1 + i].ip4.sin_family = AF_INET;
cfg->addr[1 + i].ip4.sin_port = htons(port);
memcpy(&cfg->addr[1 + i].ip4.sin_addr, &sa[i].sin.sin_addr,
sizeof cfg->addr[1 + i].ip4.sin_addr);
} else {
sa[i].sa.sa_len = sizeof sa[i].sin6;
sa[i].sin6.sin6_port = htons(port);
if (inet_pton(AF_INET6, *av, &sa[i].sin6.sin6_addr) != 1) {
free(sa);
errx(EX_DATAERR, "invalid collector address\n");
}
cfg->addr[1 + i].ip6.sin6_len = sizeof cfg->addr[1 + i].ip6;
cfg->addr[1 + i].ip6.sin6_family = AF_INET6;
cfg->addr[1 + i].ip6.sin6_port = htons(port);
memcpy(&cfg->addr[1 + i].ip6.sin6_addr, &sa[i].sin6.sin6_addr,
sizeof cfg->addr[1 + i].ip6.sin6_addr);
}
i++;
SYNC_SHIFT_ARG;
if (i == 2) /* maximum 2 collectors at same time */
break;
}
free(sa);
strlcpy(oh->ntlv.name, "collector", sizeof(oh->ntlv.name));
strlcpy(cfg->name, "collector", sizeof(cfg->name));
cfg->mode = CFG_SYNC_COLLECTOR;
cfg->addrs = MIN(i, 2);
} else
errx(EX_DATAERR, "missing type of service edge or collector\n");
i = do_set3(IP_FW_SYNC_XCONFIG, &oh->opheader, len);
if (i)
err(1, "setsockopt(%s)", "IP_FW_SYNC_XCONFIG");
if (!g_co.do_quiet) {
/* After every modification, we show the resultant rule. */
if (cfg->mode == CFG_SYNC_EDGE) {
printf("edge port %hu\n", ntohs(cfg->addr[0].ip4.sin_port));
} else {
printf("collector");
for (j = 1; j < cfg->addrs + 1; j++) {
if (cfg->addr[j].addr.sa_family == AF_INET)
printf(" %s,%hu",
inet_ntop(AF_INET, &cfg->addr[j].ip4.sin_addr,
show, sizeof show),
ntohs(cfg->addr[j].ip4.sin_port));
else
printf(" %s,%hu",
inet_ntop(AF_INET6, &cfg->addr[j].ip6.sin6_addr,
show, sizeof show),
ntohs(cfg->addr[j].ip6.sin6_port));
}
printf("\n");
}
}
free(buf);
}
void
ipfw_show_sync(int ac, char **av)
{
ipfw_obj_header *oh;
struct ipfw_sync_cfg *cfg;
size_t sz;
char show[BUFSIZ];
int i;
SYNC_SHIFT_ARG;
sz = sizeof *oh + sizeof *cfg;
while (42) {
if (!(oh = malloc(sz)))
return;
else
memset(oh, 0, sz);
cfg = (struct ipfw_sync_cfg*) (oh + 1);
oh->ntlv.head.length = sizeof(oh->ntlv);
strlcpy(oh->ntlv.name, ac ? *av : "", sizeof(oh->ntlv.name));
strlcpy(cfg->name, ac ? *av : "", sizeof(cfg->name));
if (do_get3(IP_FW_SYNC_XGETCONFIG, &oh->opheader, &sz)) {
free(oh);
if (errno == ENOMEM)
continue;
return;
}
break;
}
i = strtol(cfg->name, NULL, 10);
if (!ac || !strcmp(*av, "edge"))
printf("ipfw sync %s edge\n", (i & CFG_SYNC_EDGE) ? "start" : "stop");
if (!ac || !strcmp(*av, "collector"))
printf("ipfw sync %s collector\n", (i & CFG_SYNC_COLLECTOR) ? "start" : "stop");
if ((!ac || !strcmp(*av, "edge")) && cfg->mode & CFG_SYNC_EDGE)
printf("ipfw sync config edge port %hu\n", ntohs(cfg->addr[0].ip4.sin_port));
if ((!ac || !strcmp(*av, "collector")) && cfg->mode & CFG_SYNC_COLLECTOR) {
printf("ipfw sync config collector");
for (i = 1; i < cfg->addrs + 1; i++) {
if (cfg->addr[i].addr.sa_family == AF_INET)
printf(" %s,%hu",
inet_ntop(AF_INET, &cfg->addr[i].ip4.sin_addr,
show, sizeof show),
ntohs(cfg->addr[i].ip4.sin_port));
else
printf(" %s,%hu",
inet_ntop(AF_INET6, &cfg->addr[i].ip6.sin6_addr,
show, sizeof show),
ntohs(cfg->addr[i].ip6.sin6_port));
}
printf("\n");
}
}
void
ipfw_start_sync(int ac, char **av)
{
int *n;
ipfw_obj_header *oh;
size_t sz;
char *buf;
SYNC_SHIFT_ARG;
sz = sizeof *oh + sizeof(int);
buf = malloc(sz);
if (!buf)
errx(EX_OSERR, "malloc failed");
else
memset(buf, 0, sz);
oh = (ipfw_obj_header*) buf;
n = (int*) (oh + 1);
oh->ntlv.head.length = sizeof(oh->ntlv);
if (!ac || !strcmp(*av, "edge")) {
*n = CFG_SYNC_EDGE;
}
if (!ac || !strcmp(*av, "collector")) {
*n |= CFG_SYNC_COLLECTOR;
}
if (do_set3(IP_FW_SYNC_START, &oh->opheader, sz))
err(1, "setsockopt(%s)", "IP_FW_SYNC_START");
if (!g_co.do_quiet) {
if (!ac || !strcmp(*av, "edge"))
printf("ipfw sync start edge\n");
if (!ac || !strcmp(*av, "collector"))
printf("ipfw sync start collector\n");
}
}
void
ipfw_stop_sync(int ac, char **av)
{
int *n;
ipfw_obj_header *oh;
size_t sz;
char *buf;
SYNC_SHIFT_ARG;
sz = sizeof *oh + sizeof(int);
buf = malloc(sz);
if (!buf)
errx(EX_OSERR, "malloc failed");
else
memset(buf, 0, sz);
oh = (ipfw_obj_header*) buf;
n = (int*) (oh + 1);
oh->ntlv.head.length = sizeof(oh->ntlv);
if (!ac || !strcmp(*av, "edge")) {
*n = CFG_SYNC_EDGE;
}
if (!ac || !strcmp(*av, "collector")) {
*n |= CFG_SYNC_COLLECTOR;
}
if (do_set3(IP_FW_SYNC_STOP, &oh->opheader, sz))
err(1, "setsockopt(%s)", "IP_FW_SYNC_STOP");
if (!g_co.do_quiet) {
if (!ac || !strcmp(*av, "edge"))
printf("ipfw sync stop edge\n");
if (!ac || !strcmp(*av, "collector"))
printf("ipfw sync stop collector\n");
}
}
void
ipfw_flush_sync(int ac, char **av)
{
int *n;
ipfw_obj_header *oh;
size_t sz;
char *buf;
SYNC_SHIFT_ARG;
sz = sizeof *oh + sizeof(int);
buf = malloc(sz);
if (!buf)
errx(EX_OSERR, "malloc failed");
else
memset(buf, 0, sz);
oh = (ipfw_obj_header*) buf;
n = (int*) (oh + 1);
oh->ntlv.head.length = sizeof(oh->ntlv);
if (!ac || !strcmp(*av, "edge")) {
*n = CFG_SYNC_EDGE;
}
if (!ac || !strcmp(*av, "collector")) {
*n |= CFG_SYNC_COLLECTOR;
}
if (do_set3(IP_FW_SYNC_DESTROY, &oh->opheader, sz))
err(1, "setsockopt(%s)", "IP_FW_SYNC_DESTROY");
if (!g_co.do_quiet) {
if (!ac || !strcmp(*av, "edge"))
printf("ipfw sync flush edge\n");
if (!ac || !strcmp(*av, "collector"))
printf("ipfw sync flush collector\n");
}
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>