1: /*-
2: * Copyright (c) 2022 Michael Pounov <misho@elwix.org>
3: *
4: *
5: * Redistribution and use in source forms, with and without modification,
6: * are permitted provided that this entire comment appears intact.
7: *
8: * Redistribution in binary form may occur without any restrictions.
9: * Obviously, it would be nice if you gave credit where credit is due
10: * but requiring it would be too onerous.
11: *
12: * This software is provided ``AS IS'' without any warranties of any kind.
13: *
14: * command line interface for sync state of IP firewall
15: */
16: #include <stdio.h>
17: #include <stdlib.h>
18: #include <string.h>
19: #include <unistd.h>
20: #include <errno.h>
21: #include <sys/socket.h>
22: #include <sys/un.h>
23: #include <sys/param.h>
24: #include <netinet/in.h>
25: #include <net/if.h>
26: #include <net/if_dl.h>
27: #include <arpa/inet.h>
28: #include <netinet/ip_fw.h>
29: #include <err.h>
30: #include <sysexits.h>
31:
32: #include "ipfw2.h"
33:
/*
 * Scratch view of a socket address: the two families this file can parse
 * (AF_INET, AF_INET6) plus the other sockaddr flavours, overlaid on
 * sockaddr_storage so the union is large enough for any of them.
 * ipfw_config_sync() uses arrays of these as temporary storage while
 * parsing collector addresses before copying them into the kernel request.
 */
typedef union {
	struct sockaddr_storage ss;	/* largest member; sizes the union */
	struct sockaddr sa;		/* generic header: sa_len / sa_family */
	struct sockaddr_un sun;
	struct sockaddr_in sin;		/* IPv4 */
	struct sockaddr_in6 sin6;	/* IPv6 */
	struct sockaddr_dl sdl;		/* link-layer; not used by this file */
} sockaddr_t;
/* Zero-initialiser; clearing .ss clears the whole union.  Unused in this file. */
#define E_SOCKADDR_INIT { .ss = { 0 } }
/*
 * Per-element size used when (re)allocating sockaddr_t arrays.  NOTE(review):
 * the caller then indexes those arrays as sa[i], i.e. in units of
 * sizeof(sockaddr_t), so this only stays in bounds while sizeof(sockaddr_t)
 * is <= 0xff (sockaddr_storage is conventionally 128 bytes).  If the union
 * ever grew past the cap, sa[i] would run off the end of the allocation.
 */
#define E_SOCKADDR_MAX MIN(sizeof(sockaddr_t), 0xff)
44:
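/*
 * Consume one command-line word.  Every entry point below receives the
 * argument vector still positioned on its own subcommand ("config", "show",
 * "start", ...) and shifts it off first.  Wrapped in do { } while (0) so the
 * macro is a single statement: the original bare braces left a stray ';'
 * behind, which made "if (x) SYNC_SHIFT_ARG; else ..." a syntax error.
 */
#define SYNC_SHIFT_ARG do { ac--; av++; } while (0)
/* Port assumed for a collector when the command line gives none. */
#define DEF_SYNC_PORT 20611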
47:
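/* Collector slots available after the edge address in cfg->addr[0]. */
enum { SYNC_MAX_COLLECTORS = 2 };

/*
 * Parse a decimal port number.
 *
 * Only a fully consumed decimal in 1..65535 is accepted; an empty string,
 * trailing characters, 0 or an out-of-range value is a fatal EX_DATAERR.
 * Previously strtol() was truncated to 16 bits before the check, so
 * "65536" became port 0 (rejected) but "70000" became port 4464 (accepted).
 * errx() appends its own newline, so the message carries none.
 */
static in_port_t
sync_parse_port(const char *text)
{
	char *end;
	long value;

	errno = 0;
	value = strtol(text, &end, 10);
	if (end == text || *end != '\0' || errno == ERANGE ||
	    value < 1 || value > 65535)
		errx(EX_DATAERR, "incorrect port number");
	return ((in_port_t)value);
}

/*
 * Copy 'arg' into host[hostsz] and split it at the first ','.
 *
 * Returns a pointer to the text after the comma (the port part), or NULL
 * when there is none.  An argument that does not fit is rejected outright
 * rather than silently truncated, which would otherwise resurface later as
 * a confusing "invalid address" error.  Working on a copy also leaves argv
 * untouched.  'what' ("edge"/"collector") only labels the error.
 */
static char *
sync_split_hostport(char *host, size_t hostsz, const char *arg,
    const char *what)
{
	char *comma;

	if (strlcpy(host, arg, hostsz) >= hostsz)
		errx(EX_DATAERR, "%s address too long", what);
	comma = strchr(host, ',');
	if (comma != NULL)
		*comma++ = '\0';
	return (comma);
}

/*
 * Fill cfg->addr[idx] from a textual address and a host-order port.
 *
 * A ':' anywhere in 'host' selects AF_INET6, otherwise AF_INET; the text is
 * then validated by inet_pton(), so a hostname or malformed literal is a
 * fatal EX_DATAERR.  Assumes cfg->addr has at least idx + 1 slots (the
 * callers never exceed 1 + SYNC_MAX_COLLECTORS).
 */
static void
sync_fill_addr(struct ipfw_sync_cfg *cfg, int idx, const char *host,
    in_port_t port, const char *what)
{
	if (strchr(host, ':') != NULL) {
		cfg->addr[idx].ip6.sin6_len = sizeof cfg->addr[idx].ip6;
		cfg->addr[idx].ip6.sin6_family = AF_INET6;
		cfg->addr[idx].ip6.sin6_port = htons(port);
		if (inet_pton(AF_INET6, host, &cfg->addr[idx].ip6.sin6_addr) != 1)
			errx(EX_DATAERR, "invalid %s IPv6 address", what);
	} else {
		cfg->addr[idx].ip4.sin_len = sizeof cfg->addr[idx].ip4;
		cfg->addr[idx].ip4.sin_family = AF_INET;
		cfg->addr[idx].ip4.sin_port = htons(port);
		if (inet_pton(AF_INET, host, &cfg->addr[idx].ip4.sin_addr) != 1)
			errx(EX_DATAERR, "invalid %s IPv4 address", what);
	}
}

/* Network-order port of cfg->addr[idx], chosen by the family it holds. */
static in_port_t
sync_addr_port(const struct ipfw_sync_cfg *cfg, int idx)
{
	if (cfg->addr[idx].addr.sa_family == AF_INET)
		return (cfg->addr[idx].ip4.sin_port);
	return (cfg->addr[idx].ip6.sin6_port);
}

/* Print " address,port" for cfg->addr[idx]; never hands printf a NULL. */
static void
sync_print_addr(const struct ipfw_sync_cfg *cfg, int idx)
{
	char text[INET6_ADDRSTRLEN];
	const char *shown;

	if (cfg->addr[idx].addr.sa_family == AF_INET)
		shown = inet_ntop(AF_INET, &cfg->addr[idx].ip4.sin_addr,
		    text, sizeof text);
	else
		shown = inet_ntop(AF_INET6, &cfg->addr[idx].ip6.sin6_addr,
		    text, sizeof text);
	printf(" %s,%hu", shown != NULL ? shown : "?",
	    ntohs(sync_addr_port(cfg, idx)));
}

/*
 * ipfw sync config edge [port] [ADDR,]PORT
 * ipfw sync config collector ADDR[,PORT] [ADDR[,PORT]]
 *
 * Build an IP_FW_SYNC_XCONFIG request from the command line and push it to
 * the kernel.  'av' still starts at the "config" word; the first shift drops
 * it.  Argument errors are fatal with EX_DATAERR, allocation failure with
 * EX_OSERR and a rejected sockopt with err(1).  Unless -q was given the
 * configuration just sent is echoed back.
 *
 * Edge: a bare PORT sends the IPv4 wildcard 0.0.0.0, i.e. (presumably) the
 * kernel will accept sync traffic on every IPv4 interface — give ADDR,PORT
 * explicitly where that is not wanted.  Collectors default to DEF_SYNC_PORT;
 * at most SYNC_MAX_COLLECTORS are sent, surplus ones are reported on stderr
 * and dropped.  Addresses are parsed straight into cfg->addr[], so no
 * scratch sockaddr array is needed any more.
 */
void
ipfw_config_sync(int ac, char **av)
{
	struct ipfw_sync_cfg *cfg;
	ipfw_obj_header *oh;
	in_port_t port;
	size_t len;
	char *buf, *portstr, host[64];
	int i;

	SYNC_SHIFT_ARG;

	len = sizeof(*oh) + sizeof(*cfg);
	buf = calloc(1, len);
	if (buf == NULL)
		errx(EX_OSERR, "malloc failed");
	oh = (ipfw_obj_header *)buf;
	cfg = (struct ipfw_sync_cfg *)(oh + 1);
	oh->ntlv.head.length = sizeof(oh->ntlv);

	/*
	 * Every dereference of *av is guarded by ac: with no further argument
	 * the old code fell through to strcmp(NULL, "collector").
	 */
	if (ac > 0 && strcmp(*av, "edge") == 0) {
		SYNC_SHIFT_ARG;
		if (ac > 0 && strcmp(*av, "port") == 0)
			SYNC_SHIFT_ARG;	/* optional keyword */
		if (ac <= 0)
			errx(EX_DATAERR, "missing edge port");

		portstr = sync_split_hostport(host, sizeof host, *av, "edge");
		if (portstr != NULL) {
			port = sync_parse_port(portstr);
		} else {
			/* Bare PORT: no address given, use the IPv4 wildcard. */
			port = sync_parse_port(host);
			strlcpy(host, "0.0.0.0", sizeof host);
		}

		strlcpy(oh->ntlv.name, "edge", sizeof(oh->ntlv.name));
		strlcpy(cfg->name, "edge", sizeof(cfg->name));
		cfg->mode = CFG_SYNC_EDGE;
		cfg->addrs = 1;
		sync_fill_addr(cfg, 0, host, port, "edge");
	} else if (ac > 0 && strcmp(*av, "collector") == 0) {
		SYNC_SHIFT_ARG;
		if (ac <= 0)
			errx(EX_DATAERR, "missing destination(s) address[,port]");

		/* Slot 0 is reserved for the edge; collectors start at 1. */
		for (i = 0; ac > 0 && *av != NULL; i++) {
			if (i == SYNC_MAX_COLLECTORS) {
				warnx("too many collectors, only the first %d are used",
				    SYNC_MAX_COLLECTORS);
				break;
			}
			portstr = sync_split_hostport(host, sizeof host, *av,
			    "collector");
			port = portstr != NULL ? sync_parse_port(portstr)
			    : DEF_SYNC_PORT;
			sync_fill_addr(cfg, 1 + i, host, port, "collector");
			SYNC_SHIFT_ARG;
		}

		strlcpy(oh->ntlv.name, "collector", sizeof(oh->ntlv.name));
		strlcpy(cfg->name, "collector", sizeof(cfg->name));
		cfg->mode = CFG_SYNC_COLLECTOR;
		cfg->addrs = i;	/* i <= SYNC_MAX_COLLECTORS by construction */
	} else
		errx(EX_DATAERR, "missing type of service edge or collector");

	if (do_set3(IP_FW_SYNC_XCONFIG, &oh->opheader, len) != 0)
		err(1, "setsockopt(%s)", "IP_FW_SYNC_XCONFIG");

	if (!g_co.do_quiet) {
		/* Echo the configuration that was just sent. */
		if (cfg->mode == CFG_SYNC_EDGE) {
			printf("edge port %hu\n", ntohs(sync_addr_port(cfg, 0)));
		} else {
			printf("collector");
			for (i = 1; i < cfg->addrs + 1; i++)
				sync_print_addr(cfg, i);
			printf("\n");
		}
	}

	free(buf);
}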
200:
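/*
 * ipfw sync show [edge|collector]
 *
 * Fetch the current sync configuration with IP_FW_SYNC_XGETCONFIG and print
 * it as the commands that would recreate it.  'av' still starts at the
 * "show" word.  With no argument both services are shown; with one, only
 * the lines matching it ("edge" or "collector"; any other word prints
 * nothing).  A request the kernel rejects prints nothing and returns —
 * presumably the "nothing configured" case — while allocation failure is
 * fatal like in the other commands.
 */
void
ipfw_show_sync(int ac, char **av)
{
	struct ipfw_sync_cfg *cfg;
	ipfw_obj_header *oh;
	const char *name, *end, *first, *shown;
	char text[INET6_ADDRSTRLEN];
	in_port_t nport;
	size_t sz, prev;
	int state, navail, i, saved, want_edge, want_coll;

	SYNC_SHIFT_ARG;

	name = (ac > 0 && *av != NULL) ? *av : "";
	want_edge = ac <= 0 || strcmp(name, "edge") == 0;
	want_coll = ac <= 0 || strcmp(name, "collector") == 0;

	/*
	 * The kernel answers ENOMEM when the buffer is too small and, it
	 * appears, reports the size it wants back through sz; retry until it
	 * fits.  Insisting that sz grows each round turns a kernel that keeps
	 * saying ENOMEM without a size into a clean return instead of an
	 * endless malloc/getsockopt loop.
	 */
	sz = sizeof *oh + sizeof *cfg;
	for (;;) {
		oh = calloc(1, sz);
		if (oh == NULL)
			errx(EX_OSERR, "malloc failed");
		cfg = (struct ipfw_sync_cfg *)(oh + 1);
		oh->ntlv.head.length = sizeof(oh->ntlv);
		strlcpy(oh->ntlv.name, name, sizeof(oh->ntlv.name));
		strlcpy(cfg->name, name, sizeof(cfg->name));

		prev = sz;
		if (do_get3(IP_FW_SYNC_XGETCONFIG, &oh->opheader, &sz) == 0)
			break;
		saved = errno;	/* free() is allowed to disturb errno */
		free(oh);
		if (saved != ENOMEM || sz <= prev)
			return;
	}

	/*
	 * Trust boundary: the reply is only as long as sz says.  Never walk
	 * more cfg->addr[] slots than fit in the returned bytes, whatever
	 * cfg->addrs claims, and make sure cfg->name is terminated before
	 * strtol() reads it.
	 */
	cfg->name[sizeof(cfg->name) - 1] = '\0';
	end = (const char *)oh + sz;
	first = (const char *)cfg->addr;
	navail = end > first ?
	    (int)((size_t)(end - first) / sizeof cfg->addr[0]) : 0;

	/*
	 * The kernel appears to hand the running-state bitmask back as
	 * decimal text in cfg->name (the request named the service there).
	 */
	state = (int)strtol(cfg->name, NULL, 10);

	if (want_edge)
		printf("ipfw sync %s edge\n",
		    (state & CFG_SYNC_EDGE) ? "start" : "stop");
	if (want_coll)
		printf("ipfw sync %s collector\n",
		    (state & CFG_SYNC_COLLECTOR) ? "start" : "stop");
	if (want_edge && (cfg->mode & CFG_SYNC_EDGE) && navail > 0) {
		/* sin_port and sin6_port share an offset; pick by family anyway. */
		nport = cfg->addr[0].addr.sa_family == AF_INET6 ?
		    cfg->addr[0].ip6.sin6_port : cfg->addr[0].ip4.sin_port;
		printf("ipfw sync config edge port %hu\n", ntohs(nport));
	}
	if (want_coll && (cfg->mode & CFG_SYNC_COLLECTOR)) {
		printf("ipfw sync config collector");
		for (i = 1; i < cfg->addrs + 1 && i < navail; i++) {
			if (cfg->addr[i].addr.sa_family == AF_INET) {
				shown = inet_ntop(AF_INET, &cfg->addr[i].ip4.sin_addr,
				    text, sizeof text);
				nport = cfg->addr[i].ip4.sin_port;
			} else {
				shown = inet_ntop(AF_INET6, &cfg->addr[i].ip6.sin6_addr,
				    text, sizeof text);
				nport = cfg->addr[i].ip6.sin6_port;
			}
			/* inet_ntop() may fail; never pass printf a NULL. */
			printf(" %s,%hu", shown != NULL ? shown : "?", ntohs(nport));
		}
		printf("\n");
	}

	free(oh);	/* the original never released the reply buffer */
}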
257:
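/*
 * Common body of "ipfw sync start|stop|flush [edge|collector]".
 *
 * 'ac'/'av' have already been shifted past the subcommand word.  With no
 * further word both services are addressed; otherwise the word must be
 * exactly "edge" or "collector".  Anything else used to be sent to the
 * kernel as an all-zero mask and silently did nothing; it is now rejected
 * with EX_DATAERR.  'opcode' is the IP_FW_SYNC_* sockopt to issue, 'opname'
 * its name for the err() message and 'verb' the word echoed back unless -q
 * was given.  The request payload is one int holding the CFG_SYNC_* mask.
 */
static void
sync_control(int ac, char **av, int opcode, const char *opname,
    const char *verb)
{
	ipfw_obj_header *oh;
	int *mask, want_edge, want_coll;
	size_t sz;

	want_edge = ac <= 0 || *av == NULL || strcmp(*av, "edge") == 0;
	want_coll = ac <= 0 || *av == NULL || strcmp(*av, "collector") == 0;
	if (!want_edge && !want_coll)
		errx(EX_DATAERR,
		    "unknown sync service '%s', expected edge or collector", *av);

	sz = sizeof *oh + sizeof *mask;
	oh = calloc(1, sz);
	if (oh == NULL)
		errx(EX_OSERR, "malloc failed");
	mask = (int *)(oh + 1);
	oh->ntlv.head.length = sizeof(oh->ntlv);
	*mask = (want_edge ? CFG_SYNC_EDGE : 0) |
	    (want_coll ? CFG_SYNC_COLLECTOR : 0);

	if (do_set3(opcode, &oh->opheader, sz) != 0)
		err(1, "setsockopt(%s)", opname);

	if (!g_co.do_quiet) {
		if (want_edge)
			printf("ipfw sync %s edge\n", verb);
		if (want_coll)
			printf("ipfw sync %s collector\n", verb);
	}
	free(oh);	/* the three originals leaked this on every call */
}

/* ipfw sync start [edge|collector]: issue IP_FW_SYNC_START. */
void
ipfw_start_sync(int ac, char **av)
{
	SYNC_SHIFT_ARG;
	sync_control(ac, av, IP_FW_SYNC_START, "IP_FW_SYNC_START", "start");
}

/* ipfw sync stop [edge|collector]: issue IP_FW_SYNC_STOP. */
void
ipfw_stop_sync(int ac, char **av)
{
	SYNC_SHIFT_ARG;
	sync_control(ac, av, IP_FW_SYNC_STOP, "IP_FW_SYNC_STOP", "stop");
}

/* ipfw sync flush [edge|collector]: issue IP_FW_SYNC_DESTROY. */
void
ipfw_flush_sync(int ac, char **av)
{
	SYNC_SHIFT_ARG;
	sync_control(ac, av, IP_FW_SYNC_DESTROY, "IP_FW_SYNC_DESTROY", "flush");
}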