authorPablo Neira Ayuso <pablo@netfilter.org>2014-04-27 15:04:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-05-02 18:31:13 +0200
commitc179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch)
treeb6b149622e02c81265a673145d6b9a260776f799 /src/logging.c
initial commit
This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch Which displays the nft rule-set in the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support, specifically the repository mode needs it to make sure nobody can steal your filtering policy from the network. * IPv6 support. * Allow to serve different rule-sets in the repository mode. And many others that will be added progressively. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/logging.c')
-rw-r--r--src/logging.c113
1 files changed, 113 insertions, 0 deletions
diff --git a/src/logging.c b/src/logging.c
new file mode 100644
index 0000000..9907e5f
--- /dev/null
+++ b/src/logging.c
@@ -0,0 +1,113 @@
+/*
+ * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#include <syslog.h>
+
+#include "config.h"
+#include "logging.h"
+
+static struct {
+ const char *text;
+ const char *color;
+} logging[NFTS_LOG_MAX] = {
+ [NFTS_LOG_DEBUG] = {
+ .text = "DEBUG",
+ .color = "\033[1;33m",
+ },
+ [NFTS_LOG_INFO] = {
+ .text = "INFO",
+ .color = "\033[1;32m",
+ },
+ [NFTS_LOG_NOTICE] = {
+ .text = "NOTICE",
+ .color = "\033[1;36m",
+ },
+ [NFTS_LOG_ERROR] = {
+ .text = "ERROR",
+ .color = "\033[1;33m",
+ },
+ [NFTS_LOG_FATAL] = {
+ .text = "FATAL",
+ .color = "\033[1;31m",
+ },
+};
+
+int nft_sync_log_init(struct nft_sync_inst *inst)
+{
+ int ret = 0;
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ case NFTS_LOG_T_FILE:
+ if (inst->log.fd == NULL)
+ inst->log.fd = stdout;
+ else {
+ inst->log.fd = fopen(inst->log.filename, "w+");
+ if (inst->log.fd == NULL)
+ return -1;
+ }
+ break;
+ }
+
+ return ret;
+}
+
+void nft_sync_log_fini(struct nft_sync_inst *inst)
+{
+ switch (inst->log.type) {
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ case NFTS_LOG_T_FILE:
+ if (inst->log.fd != NULL)
+ fclose(inst->log.fd);
+ break;
+ }
+}
+
+void nft_sync_log(struct nft_sync_inst *inst, int prio,
+ const char *format, ...)
+{
+ time_t t;
+ char *timebuf = NULL;
+ va_list args;
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_FILE:
+ t = time(NULL);
+ timebuf = ctime(&t);
+ timebuf[strlen(timebuf) - 1]='\0';
+ break;
+ case NFTS_LOG_T_SYSLOG:
+ break;
+ }
+
+ switch (inst->log.type) {
+ case NFTS_LOG_T_FILE:
+ va_start(args, format);
+ fprintf(inst->log.fd, "%s[%s] [%s] ",
+ inst->log.color ? logging[prio].color : "", timebuf,
+ logging[prio].text);
+ vfprintf(inst->log.fd, format, args);
+ va_end(args);
+ fprintf(inst->log.fd, "%s\n",
+ inst->log.color ? "\033[1;0m" : "");
+ fflush(inst->log.fd);
+ break;
+ case NFTS_LOG_T_SYSLOG:
+ va_start(args, format);
+ vsyslog(prio, format, args);
+ va_end(args);
+ break;
+ }
+}
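Review bot: The NFTS_LOG_T_FILE branch of nft_sync_log_init looks inverted: a NULL `inst->log.fd` falls back to stdout, while a non-NULL fd is overwritten by `fopen(inst->log.filename, "w+")` (dropping whatever it pointed to), so on a fresh instance the configured file is never opened unless the config parser pre-sets fd, which is not visible here; presumably the intended test is on the filename, `if (inst->log.filename == NULL)` / `inst->log.fd = stdout;` / `else { ... fopen ... }`. Once stdout can be stored in `inst->log.fd`, nft_sync_log_fini should not `fclose` it, e.g. `if (inst->log.fd != NULL && inst->log.fd != stdout)`. In nft_sync_log, `logging[prio]` is indexed without checking `prio < NFTS_LOG_MAX`, and `ctime()` hands back a static buffer that is written through (`timebuf[strlen(timebuf) - 1]`) without a NULL check; a range check on prio plus `ctime_r` into a local `char timebuf[26]` would close both. The same `prio` is also passed straight to `vsyslog` as a syslog priority, which only works if the NFTS_LOG_* values are deliberately chosen to match LOG_* — worth a comment on the enum if so, or an explicit mapping if not.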