authorPablo Neira Ayuso <pablo@netfilter.org>2014-04-27 15:04:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-05-02 18:31:13 +0200
commitc179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch)
treeb6b149622e02c81265a673145d6b9a260776f799 /tests
initial commit
This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically, from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch Which displays the nft rule-set on the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support, specifically the repository mode needs it to make sure nobody can steal your filtering policy from the network. * IPv6 support. * Allow serving different rule-sets in the repository mode. And many others that will be added progressively. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile.am5
-rw-r--r--tests/nft-sync-test.c61
2 files changed, 66 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..df0680f
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,5 @@
+include $(top_srcdir)/Make_global.am
+
+check_PROGRAMS = nft-sync-test
+
+nft_sync_test_SOURCES = nft-sync-test.c ../src/tcp.c ../src/msg_buff.c
diff --git a/tests/nft-sync-test.c b/tests/nft-sync-test.c
new file mode 100644
index 0000000..a247d64
--- /dev/null
+++ b/tests/nft-sync-test.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../include/tcp.h"
+#include "../include/proto.h"
+#include "../include/msg_buff.h"
+
+int main(void)
+{
+ struct tcp_client *c;
+ struct tcp_conf conf = {
+ .ipproto = AF_INET,
+ .port = 1234,
+ .client = {
+ .inet_addr = { inet_addr("127.0.0.1") },
+ },
+ };
+ struct nft_sync_hdr *hdr;
+ struct msg_buff *msgb;
+ char buf[1024];
+ fd_set fds;
+
+ msgb = msgb_alloc(NFTS_MAX_REQUEST);
+ if (msgb == NULL) {
+ perror("msgb_alloc");
+ exit(EXIT_FAILURE);
+ }
+
+ hdr = msgb_put(msgb, sizeof(struct nft_sync_hdr) + strlen("fetch"));
+ hdr->len = htonl(sizeof(struct nft_sync_hdr) + strlen("fetch"));
+ memcpy(hdr->data, "fetch", strlen("fetch"));
+
+ c = tcp_client_create(&conf);
+ if (c == NULL) {
+ fprintf(stderr, "cannot initialize TCP client\n");
+ exit(EXIT_FAILURE);
+ }
+
+ FD_ZERO(&fds);
+ FD_SET(tcp_client_get_fd(c), &fds);
+ /* Wait for connection ... */
+ select(tcp_client_get_fd(c) + 1, NULL, &fds, NULL, NULL);
+
+ if (tcp_client_send(c, msgb_data(msgb), msgb_len(msgb)) < 0) {
+ perror("cannot send to socket");
+ exit(EXIT_FAILURE);
+ }
+
+ FD_ZERO(&fds);
+ FD_SET(tcp_client_get_fd(c), &fds);
+ /* Wait to receive data after sending request ... */
+ select(tcp_client_get_fd(c) + 1, &fds, NULL, NULL, NULL);
+
+ if (tcp_client_recv(c, buf, sizeof(buf)) < 0) {
+ perror("cannot send to socket");
+ exit(EXIT_FAILURE);
+ }
+ printf("[TEST OK] Received: %s\n", buf + sizeof(struct nft_sync_hdr));
+ tcp_client_destroy(c);
+}
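Review bot: The reply is printed with an unbounded `%s` at line 92 although `tcp_client_recv()` at line 88 is only checked for failure, so the number of bytes actually received is discarded: a short reply (fewer than `sizeof(struct nft_sync_hdr)` bytes, or zero on EOF) makes `buf + sizeof(struct nft_sync_hdr)` point at uninitialized stack, and a full 1024-byte reply has no NUL terminator, so `printf` runs off the end of `buf`. Since this client exists to pull a firewall rule-set from a remote repository, the receive path should keep the byte count, require at least a full header, and print the payload with a length-bounded `%.*s`; once `--pull` parses the header, its `len` field should also be checked against the bytes read. The copy-pasted `perror("cannot send to socket")` on line 89 should say receive, and the two unchecked `select()` calls on lines 76 and 86 are worth testing for `-1` as well, since a writable socket after a presumably non-blocking connect does not by itself prove the connect succeeded (inferred; `tcp_client_create()` is outside this hunk). The fence assumes `tcp_client_recv()` returns a byte count like `recv(2)`; adjust the type if it does not.
```c
	/* … unchanged: request build, connect, send, second select … */
	ssize_t len = tcp_client_recv(c, buf, sizeof(buf));
	if (len < 0) {
		perror("cannot receive from socket");
		exit(EXIT_FAILURE);
	}
	if ((size_t)len < sizeof(struct nft_sync_hdr)) {
		fprintf(stderr, "short reply: %zd bytes\n", len);
		exit(EXIT_FAILURE);
	}
	printf("[TEST OK] Received: %.*s\n",
	       (int)(len - sizeof(struct nft_sync_hdr)),
	       buf + sizeof(struct nft_sync_hdr));
	tcp_client_destroy(c);
```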