authorPablo Neira Ayuso <pablo@netfilter.org>2014-04-27 15:04:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-05-02 18:31:13 +0200
commitc179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch)
treeb6b149622e02c81265a673145d6b9a260776f799 /src/msg_buff.c
initial commit
This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch Which displays the nft rule-set in the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support, specifically the repository mode needs it to make sure nobody can steal your filtering policy from the network. * IPv6 support. * Allow serving different rule-sets in the repository mode. And many others that will be added progressively. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/msg_buff.c')
-rw-r--r--src/msg_buff.c96
1 files changed, 96 insertions, 0 deletions
diff --git a/src/msg_buff.c b/src/msg_buff.c
new file mode 100644
index 0000000..c148516
--- /dev/null
+++ b/src/msg_buff.c
@@ -0,0 +1,96 @@
+/*
+ * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "msg_buff.h"
+
+struct msg_buff {
+ uint16_t len;
+ unsigned char *head;
+ unsigned char *data;
+ unsigned char *tail;
+ unsigned char *end;
+
+ unsigned char _data[0];
+};
+
+struct msg_buff *msgb_alloc(uint32_t size)
+{
+ struct msg_buff *msgb;
+
+ msgb = malloc(sizeof(struct msg_buff) + size);
+ if (msgb == NULL)
+ return NULL;
+
+ msgb->len = 0;
+ msgb->head = msgb->_data;
+ msgb->data = msgb->tail = msgb->_data;
+ msgb->end = msgb->_data + size;
+
+ return msgb;
+}
+
+void msgb_free(struct msg_buff *msgb)
+{
+ free(msgb);
+}
+
+uint32_t msgb_size(struct msg_buff *msgb)
+{
+ return msgb->end - msgb->head;
+}
+
+uint32_t msgb_len(struct msg_buff *msgb)
+{
+ return msgb->len;
+}
+
+void *msgb_put(struct msg_buff *msgb, uint32_t len)
+{
+ void *data = msgb->tail;
+
+ msgb->len += len;
+ msgb->tail += len;
+
+ return data;
+}
+
+void *msgb_pull(struct msg_buff *msgb, uint32_t len)
+{
+ void *ptr = msgb->data;
+
+ if (len > msgb->len)
+ return NULL;
+
+ msgb->len -= len;
+ msgb->data += len;
+
+ return ptr;
+}
+
+unsigned char *msgb_data(struct msg_buff *msgb)
+{
+ return msgb->data;
+}
+
+unsigned char *msgb_tail(struct msg_buff *msgb)
+{
+ return msgb->tail;
+}
+
+void msgb_burp(struct msg_buff *msgb)
+{
+ void *data = msgb->data;
+ int len = msgb->len;
+
+ msgb->data = msgb->head;
+ memcpy(msgb->data, data, len);
+}
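Review bot: `msgb_put` advances `tail` and `len` by a caller-supplied length with no check against `end`, so reserving more than the size passed to `msgb_alloc` writes past the heap allocation; since this buffer is meant to carry rule-sets received over the network, the reservation should be bounded before the two increments, e.g. `if (len > (uint32_t)(msgb->end - msgb->tail)) return NULL;`, with callers treating NULL like an allocation failure. Related: `len` is a `uint16_t` while `msgb_alloc` and `msgb_put` take `uint32_t`, so `msgb->len += len` silently truncates past 65535 bytes and `msgb_len` then under-reports what was actually written — declaring the field as `uint32_t len;` avoids that. `msgb_burp` copies from `data` back to `head` with `memcpy`; once `data` has been advanced by less than `len` the two regions overlap and `memcpy` on overlapping memory is undefined, so `memmove(msgb->data, data, len);` is the correct call. `msgb_burp` also leaves `tail` at its old position after moving the payload to `head`, so a following `msgb_put` would write after a gap rather than right after the data; adding `msgb->tail = msgb->head + len;` keeps `tail - data == len`.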