authorPablo Neira Ayuso <pablo@netfilter.org>2014-04-27 15:04:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-05-02 18:31:13 +0200
commitc179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch)
treeb6b149622e02c81265a673145d6b9a260776f799 /include
initial commit
This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically, from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch which displays the nft rule-set on the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement the --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support; specifically, the repository mode needs it to make sure nobody can steal your filtering policy from the network. * IPv6 support. * Allow serving different rule-sets in the repository mode. And many others that will be added progressively. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/Makefile.am9
-rw-r--r--include/config.h40
-rw-r--r--include/fd.h22
-rw-r--r--include/init.h13
-rw-r--r--include/logging.h30
-rw-r--r--include/msg_buff.h21
-rw-r--r--include/proto.h11
-rw-r--r--include/tcp.h41
-rw-r--r--include/timer.h19
9 files changed, 206 insertions, 0 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
new file mode 100644
index 0000000..7cc5338
--- /dev/null
+++ b/include/Makefile.am
@@ -0,0 +1,9 @@
+noinst_HEADERS = config.h \
+ fd.h \
+ init.h \
+ logging.h \
+ msg_buff.h \
+ proto.h \
+ tcp.h \
+ timer.h
+
diff --git a/include/config.h b/include/config.h
new file mode 100644
index 0000000..66580a4
--- /dev/null
+++ b/include/config.h
@@ -0,0 +1,40 @@
+#ifndef _NFT_CONFIG_H_
+#define _NFT_CONFIG_H_
+
+#include <limits.h>
+#include <stdbool.h>
+#include "tcp.h"
+#include "fd.h"
+#include "proto.h"
+
+enum nft_sync_mode {
+ NFTS_MODE_SERVER = (1 << 0),
+ NFTS_MODE_CLIENT = (1 << 1),
+};
+
+enum nft_sync_cmd {
+ NFTS_CMD_NONE = 0,
+ NFTS_CMD_FETCH,
+ NFTS_CMD_MAX
+};
+
+struct nft_sync_inst {
+ enum nft_sync_mode mode;
+ enum nft_sync_cmd cmd;
+ bool stop;
+ struct {
+ bool color;
+ int type;
+ char filename[PATH_MAX];
+ FILE *fd;
+ } log;
+ struct tcp_conf tcp;
+ struct nft_fd tcp_client_nfd;
+ struct nft_fd tcp_server_fd;
+};
+
+extern struct nft_sync_inst nfts_inst;
+
+int nft_sync_config_parse(const char *filename);
+
+#endif /* _NFT_CONFIG_H_ */
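Review bot: The `log` sub-struct of `struct nft_sync_inst` declares `FILE *fd`, but config.h includes only <limits.h> and <stdbool.h>, so the header compiles only when the includer has already pulled in <stdio.h>; add `#include <stdio.h>` next to the other system headers. Naming a `FILE *` `fd` invites confusion with the integer descriptors held in the `struct nft_fd` members right below it; `FILE *fp` would be clearer. The two descriptor members are named inconsistently for the same type, `tcp_client_nfd` versus `tcp_server_fd`. The include guards in every header of this commit (`_NFT_CONFIG_H_`, `_NFT_SYNC_FD_H_`, and so on) begin with an underscore followed by an uppercase letter, a namespace C reserves for the implementation; the `NFT_SYNC_CONFIG_H` form avoids that.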
diff --git a/include/fd.h b/include/fd.h
new file mode 100644
index 0000000..b3f92cd
--- /dev/null
+++ b/include/fd.h
@@ -0,0 +1,22 @@
+#ifndef _NFT_SYNC_FD_H_
+#define _NFT_SYNC_FD_H_
+
+#include <event.h>
+#include <stdint.h>
+
+struct nft_fd {
+ struct event event;
+ void (*cb)(struct nft_fd *, uint32_t);
+ int fd;
+ void *data;
+};
+
+void nft_fd_setup(struct nft_fd *ofd, int fd,
+ void (*cb)(struct nft_fd *fd, uint32_t mask), void *data);
+void nft_fd_register(struct nft_fd *fd, uint32_t events);
+void nft_fd_unregister(struct nft_fd *fd);
+
+struct nft_fd *nft_fd_alloc(void);
+void nft_fd_free(struct nft_fd *nfd);
+
+#endif
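Review bot: fd.h is the public API of the descriptor layer but carries no comments, so a reader cannot tell who owns `data`, whether `nft_fd_free` also unregisters the event, or which values `events` accepts in `nft_fd_register`. Add a one-line comment per prototype, for instance `/* data is owned by the caller; nft_fd_free() does not release it */` on nft_fd_setup and `/* events: libevent EV_* mask; unregister before nft_fd_free() */` on nft_fd_register, provided that matches what fd.c does. The callback type is spelled twice, unnamed in the struct field and with `fd, mask` in the prototype; a `typedef void (*nft_fd_cb_t)(struct nft_fd *nfd, uint32_t mask);` would keep the two in sync.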
diff --git a/include/init.h b/include/init.h
new file mode 100644
index 0000000..a0210d5
--- /dev/null
+++ b/include/init.h
@@ -0,0 +1,13 @@
+#ifndef _NFT_SYNC_EVENT_H_
+#define _NFT_SYNC_EVENT_H_
+
+int nft_sync_event_init(void);
+void nft_sync_event_loop(void);
+void nft_sync_event_fini(void);
+
+struct nft_sync_inst;
+
+int tcp_server_start(struct nft_sync_inst *);
+int tcp_client_start(struct nft_sync_inst *inst);
+
+#endif
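Review bot: The include guard in init.h is `_NFT_SYNC_EVENT_H_`, which does not match the file name; if an event.h is later added with the natural guard of that name, one of the two headers will be silently skipped by the preprocessor. Rename it after the file, e.g. `NFT_SYNC_INIT_H`, in both the `#ifndef` and the `#define`. `tcp_server_start(struct nft_sync_inst *)` drops the parameter name while its sibling `tcp_client_start(struct nft_sync_inst *inst)` keeps it, and the other headers in this commit keep names in prototypes, so `int tcp_server_start(struct nft_sync_inst *inst);` would be consistent.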
diff --git a/include/logging.h b/include/logging.h
new file mode 100644
index 0000000..e15170c
--- /dev/null
+++ b/include/logging.h
@@ -0,0 +1,30 @@
+#ifndef _NFT_SYNC_LOGGING_H_
+#define _NFT_SYNC_LOGGING_H_
+
+enum nft_sync_logging_type {
+ NFTS_LOG_T_FILE = 0,
+ NFTS_LOG_T_SYSLOG,
+};
+
+enum nft_sync_logging_prio {
+ NFTS_LOG_DEBUG = 0,
+ NFTS_LOG_INFO,
+ NFTS_LOG_NOTICE,
+ NFTS_LOG_ERROR,
+ NFTS_LOG_FATAL,
+ NFTS_LOG_MAX
+};
+
+struct nft_sync_inst;
+
+int nft_sync_log_init(struct nft_sync_inst *inst);
+void nft_sync_log(struct nft_sync_inst *inst, int priority,
+ const char *format, ...);
+void nft_sync_log_fini(struct nft_sync_inst *inst);
+
+#include "config.h"
+
+#define nfts_log(prio, fmt, args...) \
+ nft_sync_log(&nfts_inst, prio, fmt, ##args)
+
+#endif
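Review bot: `nft_sync_log` takes a printf-style `format, ...` but carries no format attribute, so a mismatched or non-literal format string at a call site is not caught by -Wformat / -Wformat-security; declare it as `void nft_sync_log(struct nft_sync_inst *inst, int priority, const char *format, ...) __attribute__((format(printf, 3, 4)));`. The `nfts_log` macro uses the GNU named-variadic spelling `args...` / `##args`; `...` with `__VA_ARGS__` is the C99 form (the `##` paste for an empty argument list remains a GNU extension either way). Placing `#include "config.h"` after the prototypes, apparently so that `nfts_inst` is visible to the macro while config.h can still forward-declare around logging, is unusual enough to deserve a one-line comment saying why it sits there. `priority` could also be typed as `enum nft_sync_logging_prio` instead of `int`, since the header defines that enum right above.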
diff --git a/include/msg_buff.h b/include/msg_buff.h
new file mode 100644
index 0000000..f4eea36
--- /dev/null
+++ b/include/msg_buff.h
@@ -0,0 +1,21 @@
+#ifndef _MSG_BUFF_H_
+#define _MSG_BUFF_H_
+
+#include <stdint.h>
+
+struct msg_buff;
+
+struct msg_buff *msgb_alloc(uint32_t size);
+void msgb_free(struct msg_buff *msgb);
+
+uint32_t msgb_len(struct msg_buff *msgb);
+uint32_t msgb_size(struct msg_buff *msgb);
+
+unsigned char *msgb_data(struct msg_buff *msgb);
+unsigned char *msgb_tail(struct msg_buff *msgb);
+
+void *msgb_put(struct msg_buff *msgb, uint32_t len);
+void *msgb_pull(struct msg_buff *msgb, uint32_t len);
+void msgb_burp(struct msg_buff *msgb);
+
+#endif
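Review bot: The accessors `msgb_len`, `msgb_size`, `msgb_data` and `msgb_tail` take a non-const `struct msg_buff *` although, by name, they only read the buffer; declaring the parameter `const struct msg_buff *msgb` lets callers holding a const pointer use them, assuming msg_buff.c does not mutate inside them. The header also states none of the contracts a caller of `msgb_put` / `msgb_pull` needs: what they return when `len` exceeds the remaining room or the current length, and whether `msgb_alloc` can return NULL. A one-line comment per prototype would do, e.g. `/* Reserve len bytes at the tail; returns the start of the reserved area, or NULL if fewer than len bytes remain. */` on msgb_put, if that is what msg_buff.c implements.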
diff --git a/include/proto.h b/include/proto.h
new file mode 100644
index 0000000..668f6a3
--- /dev/null
+++ b/include/proto.h
@@ -0,0 +1,11 @@
+#ifndef _NFT_SYNC_PROTO_H_
+#define _NFT_SYNC_PROTO_H_
+
+struct nft_sync_hdr {
+ uint32_t len;
+ char data[0];
+};
+
+#define NFTS_MAX_REQUEST 1024
+
+#endif
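Review bot: `struct nft_sync_hdr` uses `uint32_t` but proto.h includes nothing, so it compiles only after the includer has pulled in <stdint.h>; add `#include <stdint.h>`. `char data[0]` is a GNU zero-length array; the C99 flexible array member `char data[];` is the portable form and makes `sizeof(struct nft_sync_hdr)` unambiguous. Since `len` is read from a peer, this header is the place to state the contract receivers must enforce: whether it is in network byte order, whether it counts the header itself, and that it is validated against NFTS_MAX_REQUEST before any allocation or copy is sized by it; for example `/* len: total message length, network byte order, header included; receivers reject len < sizeof(struct nft_sync_hdr) or len > NFTS_MAX_REQUEST before using it */`, if that is the intended encoding.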
diff --git a/include/tcp.h b/include/tcp.h
new file mode 100644
index 0000000..20c6092
--- /dev/null
+++ b/include/tcp.h
@@ -0,0 +1,41 @@
+#ifndef _TCP_H_
+#define _TCP_H_
+
+#include <arpa/inet.h>
+
+struct tcp_conf {
+ int ipproto;
+ unsigned short port;
+ union {
+ struct {
+ struct in_addr inet_addr;
+ } ipv4;
+ struct {
+ struct in6_addr inet_addr6;
+ int scope_id;
+ } ipv6;
+ } server;
+ union {
+ struct in_addr inet_addr;
+ struct in6_addr inet_addr6;
+ } client;
+};
+
+struct tcp_server;
+
+struct tcp_server *tcp_server_create(struct tcp_conf *conf);
+void tcp_server_destroy(struct tcp_server *c);
+int tcp_server_get_fd(struct tcp_server *c);
+int tcp_server_accept(struct tcp_server *c, struct sockaddr_in *addr);
+
+struct tcp_client;
+
+struct tcp_client *tcp_client_create(struct tcp_conf *conf);
+void tcp_client_destroy(struct tcp_client *c);
+int tcp_client_get_fd(struct tcp_client *c);
+ssize_t tcp_client_send(struct tcp_client *c, const void *data, int size);
+ssize_t tcp_client_recv(struct tcp_client *c, void *data, int size);
+void tcp_client_set_data(struct tcp_client *c, void *data);
+void *tcp_client_get_data(struct tcp_client *c);
+
+#endif /*_TCP_H_ */
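Review bot: `tcp_client_send` and `tcp_client_recv` take the buffer length as `int`; if it is handed straight to send(2)/recv(2), a negative value converts to a huge `size_t` and the caller's mistake is lost, so declare them with `size_t`: `ssize_t tcp_client_send(struct tcp_client *c, const void *data, size_t size);` and `ssize_t tcp_client_recv(struct tcp_client *c, void *data, size_t size);`. `ssize_t` is used without `#include <sys/types.h>`; it happens to arrive through <arpa/inet.h> on glibc, but the header should include it directly. `tcp_server_accept` takes a `struct sockaddr_in *`, which pins the API to IPv4 even though `struct tcp_conf` already carries an ipv6 arm; since the commit message lists IPv6 as pending, a `struct sockaddr_storage *` plus a length would avoid an interface change later. `tcp_server_create` and `tcp_client_create` can take `const struct tcp_conf *conf` if they only read the configuration.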
diff --git a/include/timer.h b/include/timer.h
new file mode 100644
index 0000000..e3b7b74
--- /dev/null
+++ b/include/timer.h
@@ -0,0 +1,19 @@
+#ifndef _NFT_SYNC_TIMER_H
+#define _NFT_SYNC_TIMER_H_
+
+#include <event.h>
+
+struct nft_timer {
+ struct event event;
+ void (*callback)(struct nft_timer *);
+ void *data;
+};
+
+void *nft_timer_data(struct nft_timer *timer);
+void nft_timer_setup(struct nft_timer *timer, void (*cb)(struct nft_timer *),
+ void *data);
+void nft_timer_add(struct nft_timer *timer, unsigned int sec,
+ unsigned int usec);
+void nft_timer_del(struct nft_timer *timer);
+
+#endif
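Review bot: The include guard in timer.h is broken: the `#ifndef` tests `_NFT_SYNC_TIMER_H` while the `#define` on the next line sets `_NFT_SYNC_TIMER_H_`, so the test is never satisfied and any translation unit that includes timer.h twice, directly or through another header, redefines `struct nft_timer` and fails to compile. Make both spellings identical, e.g. `#define _NFT_SYNC_TIMER_H`, or better use `NFT_SYNC_TIMER_H` on both lines since the leading-underscore-plus-uppercase form is reserved for the implementation. The `sec`/`usec` parameters of `nft_timer_add` would benefit from a one-line comment stating whether `usec` may exceed one second or must be normalised, if timer.c makes that choice.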