#include "nufw_source.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <inttypes.h>
#include <sys/stat.h>
#include <unistd.h>
#include <assert.h>
#include <strings.h>
#include <gcrypt.h>
#include <errno.h>
#include <nussl.h>
#include "security.h"
#include "structure.h"
#include <sys/socket.h>
#include <netdb.h>
Data Structures | |
| struct | nuauth_conn |
| struct | queued_pckt |
Defines | |
| #define | USE_X509 1 |
| #define | KEYFILE "/nufw-key.pem" |
| #define | CERTFILE "/nufw-cert.pem" |
Functions | |
| int | init_x509_filenames () |
| void | tls_connect () |
| void * | packetsrv (void *data) |
| Packet server thread function. | |
| void * | authsrv (void *data) |
| int | auth_request_send (uint8_t type, struct queued_pckt *pckt) |
| void | close_tls_session () |
| void | shutdown_tls () |
| unsigned long | padd (packet_idl *packet) |
| int | psearch_and_destroy (uint32_t packet_id, uint32_t *mark) |
| void | clear_packet_list () |
| void | clean_old_packets () |
| void | process_usr1 (int signum) |
| void | process_usr2 (int signum) |
| void | process_poll (int signum) |
| void | process_hup (int signum) |
| int | send_icmp_unreach (char *payload) |
Variables | |
| nuauth_conn | tls |
| pthread_cond_t * | session_destroyed_cond |
| pthread_cond_t * | session_active_cond |
| pthread_mutex_t * | session_destroyed_mutex |
| pthread_mutex_t * | session_active_mutex |
| addrinfo * | adr_srv |
| int | raw_sock4 |
| int | raw_sock6 |
Some structures, functions, global variables and #define common to NuFW.
Definition in file nufw.h.
| #define CERTFILE "/nufw-cert.pem" |
Default value, prefixed with CONFIG_DIR, of cert_file
Definition at line 115 of file nufw.h.
Referenced by init_x509_filenames().
| #define KEYFILE "/nufw-key.pem" |
Default value, prefixed with CONFIG_DIR, of key_file
Definition at line 112 of file nufw.h.
Referenced by init_x509_filenames().
| #define USE_X509 1 |
| int auth_request_send | ( | uint8_t | type, | |
| struct queued_pckt * | pckt_datas | |||
| ) |
Send an authentication request to NuAuth. May restart TLS session and/or open TLS connection (if closed).
Create the thread authsrv() when opening a new session.
Packet maximum size is 512 bytes, and its structure is nufw_to_nuauth_auth_message_t.
| type | Type of request (AUTH_REQUEST, AUTH_CONTROL, ...) | |
| pckt_datas | A pointer to a queued_pckt:: holding packet information |
Definition at line 639 of file packetsrv.c.
References nuauth_conn::auth_server_running, authreq_addr, authreq_port, close_tls_session(), DEBUG_AREA_GW, DEBUG_AREA_MAIN, DEBUG_AREA_PACKET, DEBUG_LEVEL_DEBUG, DEBUG_LEVEL_INFO, DEBUG_LEVEL_WARNING, debug_log_printf, IFNAMSIZ, nuv4_nufw_to_nuauth_auth_message_t::indev, queued_pckt::indev, log_area_printf(), nuv4_nufw_to_nuauth_auth_message_t::mark, queued_pckt::mark, nuv4_nufw_to_nuauth_auth_message_t::msg_length, nuv4_nufw_to_nuauth_auth_message_t::msg_type, nuauth_conn::mutex, nussl_write(), nuv4_nufw_to_nuauth_auth_message_t::outdev, queued_pckt::outdev, nuv4_nufw_to_nuauth_auth_message_t::packet_id, queued_pckt::packet_id, queued_pckt::payload, queued_pckt::payload_len, nuv4_nufw_to_nuauth_auth_message_t::physindev, queued_pckt::physindev, nuv4_nufw_to_nuauth_auth_message_t::physoutdev, queued_pckt::physoutdev, PROTO_NUFW_VERSION, nuv4_nufw_to_nuauth_auth_message_t::protocol_version, nuauth_conn::session, shutdown_tls(), nuv4_nufw_to_nuauth_auth_message_t::timestamp, queued_pckt::timestamp, tls, and tls_connect().
Referenced by packetsrv_ipq_process().
| void* authsrv | ( | void * | data | ) |
Thread waiting for the authentication server's (NuAuth) answer. Calls auth_packet_to_decision() on each new packet.
Definition at line 321 of file authsrv.c.
References auth_packet_to_decision(), nuauth_conn::auth_server_mutex, nuauth_conn::auth_server_running, DEBUG_AREA_GW, DEBUG_LEVEL_VERBOSE_DEBUG, log_area_printf(), nuauth_conn::mutex, nussl_get_error(), nussl_read(), NUSSL_SOCK_TIMEOUT, nuauth_conn::session, and tls.
Referenced by create_authserver().
| void clean_old_packets | ( | ) |
Walk the packet list (packets_list) and remove old packets (using the packet_timeout limit).
Definition at line 218 of file common.c.
References DEBUG_AREA_PACKET, DEBUG_LEVEL_DEBUG, debug_log_printf, Packet_Ids::id, IPQ_SET_VERDICT, packet_timeout, packets_list, psuppress(), packets_list_t::start, and Packet_Ids::timestamp.
Referenced by main().
| void clear_packet_list | ( | ) |
Clear packet list: delete all elements
Definition at line 202 of file common.c.
References packets_list_t::end, packets_list_t::length, Packet_Ids::next, packets_list, and packets_list_t::start.
Referenced by nufw_prepare_quit().
| void close_tls_session | ( | ) |
Close the TLS session
Definition at line 79 of file common.c.
References nuauth_conn::auth_server_mutex, nussl_session_destroy(), nuauth_conn::session, and tls.
Referenced by auth_request_send(), nufw_prepare_quit(), and shutdown_tls().
| int init_x509_filenames | ( | ) |
Initialize the key_file and cert_file variables
Definition at line 119 of file tls.c.
References cert_file, CERTFILE, DEBUG_AREA_MAIN, DEBUG_LEVEL_WARNING, key_file, KEYFILE, and log_area_printf().
Referenced by init_checks(), and tls_connect().
| void* packetsrv | ( | void * | void_arg | ) |
Packet server thread function.
Connect to netfilter to ask for a netlink. Read packets on this link. Check whether each packet is useful for NuFW. If yes, add it to the packet list and/or send it to NuAuth.
When using NetFilter queue, it uses treat_packet() as callback. In ipq mode it uses an internal packet parser and process mechanism.
Definition at line 376 of file packetsrv.c.
References DEBUG_AREA_MAIN, DEBUG_AREA_PACKET, DEBUG_LEVEL_CRITICAL, DEBUG_LEVEL_DEBUG, DEBUG_LEVEL_FATAL, DEBUG_LEVEL_MESSAGE, DEBUG_LEVEL_SERIOUS_MESSAGE, DEBUG_LEVEL_SERIOUS_WARNING, DEBUG_LEVEL_WARNING, err, hndl, log_area_printf(), packetsrv_ipq_process(), nufw_threadargument::parent_pid, pckt_rx, and nufw_threadargument::thread.
Referenced by create_thread().
| unsigned long padd | ( | packet_idl * | current | ) |
Try to add a packet to the end of packets_list. If the maximum length (track_size) is exceeded, the packet is dropped.
Definition at line 114 of file common.c.
References DEBUG_AREA_PACKET, DEBUG_LEVEL_WARNING, packets_list_t::end, Packet_Ids::id, IPQ_SET_VERDICT, packets_list_t::length, log_area_printf(), Packet_Ids::next, packets_list, packets_list_t::start, Packet_Ids::timestamp, and track_size.
Referenced by packetsrv_ipq_process().
| void process_hup | ( | int | signum | ) |
Restart current TLS connection.
Definition at line 410 of file nutcpc.c.
References connected, DEBUG_LEVEL_FATAL, forced_reconnect, log_printf(), nuauth_conn::mutex, nu_client_reset(), session, shutdown_tls(), and tls.
| void process_poll | ( | int | signum | ) |
| void process_usr1 | ( | int | signum | ) |
Increase debug verbosity.
Definition at line 59 of file audit.c.
References debug_level, DEBUG_LEVEL_FATAL, and log_printf().
| void process_usr2 | ( | int | signum | ) |
Decrease debug verbosity.
Definition at line 72 of file audit.c.
References debug_level, DEBUG_LEVEL_FATAL, and log_printf().
| int psearch_and_destroy | ( | uint32_t | packet_id, | |
| uint32_t * | nfmark | |||
| ) |
Search for an entry in the packet list (packets_list), dropping and suppressing old packets along the way (using packet_timeout). If the packet is found, delete it and copy its mark into nfmark.
Definition at line 148 of file common.c.
References DEBUG_AREA_PACKET, DEBUG_LEVEL_INFO, debug_log_printf, Packet_Ids::id, IPQ_SET_VERDICT, log_area_printf(), Packet_Ids::next, packet_timeout, packets_list, psuppress(), packets_list_t::start, and Packet_Ids::timestamp.
Referenced by auth_process_answer(), and packetsrv_ipq_process().
| int send_icmp_unreach | ( | char * | payload | ) |
Definition at line 333 of file common.c.
References send_icmp_ipv4_unreach(), and send_icmp_ipv6_unreach().
Referenced by auth_process_answer().
| void shutdown_tls | ( | ) |
Halt the TLS threads and close the socket
Definition at line 609 of file packetsrv.c.
References nuauth_conn::auth_server, nuauth_conn::auth_server_running, close_tls_session(), DEBUG_AREA_GW, DEBUG_LEVEL_CRITICAL, log_area_printf(), and tls.
Referenced by auth_request_send(), and process_hup().
| void tls_connect | ( | ) |
Create a TLS connection to NuAuth: create a TCP socket and connect to NuAuth using adr_srv.
If X.509 is enabled (USE_X509 equals 1), create our credentials and verify NuAuth's certificate. This function modifies the tls variable and in particular sets tls.session.
Definition at line 183 of file tls.c.
References authreq_addr, authreq_port, ca_file, cert_file, create_authserver(), crl_file, DEBUG_AREA_GW, DEBUG_AREA_MAIN, DEBUG_LEVEL_DEBUG, DEBUG_LEVEL_FATAL, DEBUG_LEVEL_WARNING, init_x509_filenames(), key_file, log_area_printf(), nuauth_cert_dn, nufw_strict_tls, nussl_get_error(), NUSSL_OK, nussl_open_connection(), nussl_session_create(), nussl_session_destroy(), nussl_set_hostinfo(), nussl_set_read_timeout(), nussl_ssl_disable_certificate_check(), nussl_ssl_set_crl_file(), nussl_ssl_set_keypair(), nussl_ssl_trust_cert_file(), nuauth_conn::session, and tls.
Referenced by auth_request_send(), and main().
| struct addrinfo* adr_srv |
Address information of the NuAuth server: hostname authreq_addr, port authreq_port. Used in tls_connect().
Definition at line 156 of file nufw.h.
Referenced by nufw_prepare_quit().
| int raw_sock4 |
| int raw_sock6 |
| pthread_cond_t* session_active_cond |
| pthread_mutex_t* session_active_mutex |
| pthread_cond_t* session_destroyed_cond |
| pthread_mutex_t* session_destroyed_mutex |
| struct nuauth_conn tls |
Definition at line 143 of file nufw.h.
Referenced by auth_request_send(), authsrv(), close_tls_session(), create_authserver(), create_thread(), main(), nufw_prepare_quit(), nufw_stop_thread(), process_hup(), shutdown_tls(), and tls_connect().