From c179ee88d91a84fc75dc4602cca500e8fa72ed66 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 27 Apr 2014 15:04:07 +0200 Subject: initial commit This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch Which displays the nft rule-set in the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support, specifically the repository mode needs it to make sure nobody can steal your filtering policy from the network. * IPv6 support. * Allow serving different rule-sets in the repository mode. And many others that will be added progressively. 
Signed-off-by: Pablo Neira Ayuso --- .gitignore | 19 ++ COPYING.AGPLv3 | 661 +++++++++++++++++++++++++++++++++++++++++++ Make_global.am | 9 + Makefile.am | 10 + configure.in | 94 ++++++ contrib/nft-sync.conf.client | 11 + contrib/nft-sync.conf.server | 11 + include/Makefile.am | 9 + include/config.h | 40 +++ include/fd.h | 22 ++ include/init.h | 13 + include/logging.h | 30 ++ include/msg_buff.h | 21 ++ include/proto.h | 11 + include/tcp.h | 41 +++ include/timer.h | 19 ++ src/Makefile.am | 26 ++ src/client.c | 176 ++++++++++++ src/config-parser.y | 143 ++++++++++ src/config-scanner.l | 51 ++++ src/event.c | 79 ++++++ src/fd.c | 57 ++++ src/logging.c | 113 ++++++++ src/main.c | 134 +++++++++ src/msg_buff.c | 96 +++++++ src/server.c | 164 +++++++++++ src/tcp.c | 295 +++++++++++++++++++ src/timer.c | 50 ++++ tests/Makefile.am | 5 + tests/nft-sync-test.c | 61 ++++ 30 files changed, 2471 insertions(+) create mode 100644 .gitignore create mode 100644 COPYING.AGPLv3 create mode 100644 Make_global.am create mode 100644 Makefile.am create mode 100644 configure.in create mode 100644 contrib/nft-sync.conf.client create mode 100644 contrib/nft-sync.conf.server create mode 100644 include/Makefile.am create mode 100644 include/config.h create mode 100644 include/fd.h create mode 100644 include/init.h create mode 100644 include/logging.h create mode 100644 include/msg_buff.h create mode 100644 include/proto.h create mode 100644 include/tcp.h create mode 100644 include/timer.h create mode 100644 src/Makefile.am create mode 100644 src/client.c create mode 100644 src/config-parser.y create mode 100644 src/config-scanner.l create mode 100644 src/event.c create mode 100644 src/fd.c create mode 100644 src/logging.c create mode 100644 src/main.c create mode 100644 src/msg_buff.c create mode 100644 src/server.c create mode 100644 src/tcp.c create mode 100644 src/timer.c create mode 100644 tests/Makefile.am create mode 100644 tests/nft-sync-test.c 
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..88e0bb8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,19 @@
+.deps/
+.libs/
+.dirstamp
+Makefile
+Makefile.in
+*.o
+*.la
+*.lo
+
+/aclocal.m4
+/autom4te.cache/
+/build-aux/
+/config.*
+/configure
+/libtool
+src/nft-sync
+src/config-*.c
+src/config-*.h
+tests/nft-sync-test
diff --git a/COPYING.AGPLv3 b/COPYING.AGPLv3
new file mode 100644
index 0000000..dba13ed
--- /dev/null
+++ b/COPYING.AGPLv3
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. 
For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. 
Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. 
+ + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. 
+ + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. 
+ + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. 
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/Make_global.am b/Make_global.am new file mode 100644 index 0000000..6e7beb3 --- /dev/null +++ b/Make_global.am @@ -0,0 +1,9 @@ +AM_CPPFLAGS = -I$(top_srcdir)/include + +AM_CFLAGS = -std=gnu99 -W -Wall \ + -Wmissing-prototypes -Wwrite-strings -Wfloat-equal -Wshadow \ + -Wpointer-arith -Wbad-function-cast -Wsign-compare \ + -Waggregate-return -Wmissing-declarations -Wredundant-decls \ + -Wnested-externs -Winline -Wstrict-prototypes -Wundef \ + -Wno-unused-parameter \ + ${LIBMNL_CFLAGS} ${LIBNFTNL_CFLAGS} ${LIBEVENT_CFLAGS} diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..fdafa2c --- /dev/null +++ b/Makefile.am @@ -0,0 +1,10 @@ +include Make_global.am + +ACLOCAL_AMFLAGS = -I m4 + +man_MANS = +EXTRA_DIST = $(man_MANS) Make_global.am m4 contrib + +SUBDIRS = src +DIST_SUBDIRS = include src tests +LIBS = @LIBMNL_LIBS@ @LIBNFTNL_LIBS@ diff --git a/configure.in b/configure.in new file mode 100644 index 0000000..d8ffef5 --- /dev/null +++ b/configure.in 
@@ -0,0 +1,94 @@ +AC_INIT(nft-sync, 0.1-alpha, pablo@netfilter.org) +AC_CONFIG_AUX_DIR([build-aux]) + +AC_CANONICAL_HOST +AC_CONFIG_MACRO_DIR([m4]) +AM_INIT_AUTOMAKE([-Wall foreign subdir-objects + tar-pax no-dist-gzip dist-bzip2 1.6]) + +dnl kernel style compile messages +m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + +AC_PROG_CC +AC_DISABLE_STATIC +AM_PROG_LIBTOOL +AC_PROG_INSTALL +AC_PROG_LN_S +AM_PROG_LEX +AC_PROG_YACC + +case "$host" in +*-*-linux*) ;; +*) AC_MSG_ERROR([Linux only, dude!]);; +esac + +dnl Dependencies +if test -z "$ac_cv_prog_YACC" +then + echo "*** Error: No suitable bison/yacc found. ***" + echo " Please install the 'bison' package." + exit 1 +fi +if test -z "$ac_cv_prog_LEX" +then + echo "*** Error: No suitable flex/lex found. ***" + echo " Please install the 'flex' package." + exit 1 +fi + +AC_MSG_CHECKING(flex version) +flex_version=`$ac_cv_prog_LEX --version | sed 's/version//g' | awk '/flex/ {print $2}'` +flex_major=`echo $flex_version| cut -d . -f 1` +flex_minor=`echo $flex_version| cut -d . -f 2` +flex_rev=`echo $flex_version| cut -d . -f 3` + +if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"; then + AC_MSG_RESULT([$flex_version. OK]) +else + AC_MSG_WARN([flex version $flex_version found. + Version 2.5.33 or greater is required. You may experience problems + while compilating the conntrack-tools. 
Please, consider to upgrade + flex.]) +fi + +PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3]) +PKG_CHECK_MODULES([LIBNFTNL], [libnftnl >= 1.0.0]) +AC_CHECK_HEADER([ev.h], + AC_CHECK_LIB([ev], [ev_loop_new], [BUILD_LIBEV=$WITH_LIBEV], + [test x$WITH_LIBEV != xauto && AC_MSG_ERROR("libev not found")]), + [test x$WITH_LIBEV != xauto && AC_MSG_ERROR("ev.h not found")]) + +AC_CHECK_HEADERS(arpa/inet.h) +dnl check for inet_pton +AC_CHECK_FUNCS(inet_pton) +dnl Some systems have it, but not IPv6 +if test "$ac_cv_func_inet_pton" = "yes" ; then +AC_MSG_CHECKING(if inet_pton supports IPv6) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif +int main() + { + struct in6_addr addr6; + if (inet_pton(AF_INET6, "::1", &addr6) < 1) + exit(1); + else + exit(0); + } + ]])],[ AC_MSG_RESULT(yes) + AC_DEFINE_UNQUOTED(HAVE_INET_PTON_IPV6, 1, [Define to 1 if inet_pton supports IPv6.]) + ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)]) +fi + +AC_CONFIG_FILES([Makefile src/Makefile include/Makefile tests/Makefile]) +AC_OUTPUT diff --git a/contrib/nft-sync.conf.client b/contrib/nft-sync.conf.client new file mode 100644 index 0000000..6429a3f --- /dev/null +++ b/contrib/nft-sync.conf.client @@ -0,0 +1,11 @@ +# +# This the nft-sync configuration file. This software is still under +# development. Changes in the configuration file may still happen at this +# stage. +# + +# Connect to socket listener to this address +remote-address 127.0.0.1:1234 + +# Display logging to the standard output +logging stdout diff --git a/contrib/nft-sync.conf.server b/contrib/nft-sync.conf.server new file mode 100644 index 0000000..e60eab0 --- /dev/null +++ b/contrib/nft-sync.conf.server 
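Review bot: The flex version test `if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"` only accepts 2.5.x, so any 2.6 or later flex trips the warning even though it is newer than the stated 2.5.33 minimum; compare the components in order instead, e.g. `if test "$flex_major" -gt 2 || { test "$flex_major" -eq 2 && { test "$flex_minor" -gt 5 || { test "$flex_minor" -eq 5 && test "$flex_rev" -ge 33; }; }; }; then`. The warning text still says "while compilating the conntrack-tools", which looks copied from that project and should name nft-sync. `$WITH_LIBEV` is never assigned in this file, so `test x$WITH_LIBEV != xauto` is always true and the libev check errors out whenever ev.h or the library is missing, which is presumably the intent but reads clearer as a plain AC_MSG_ERROR; `BUILD_LIBEV` is set and never used.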
@@ -0,0 +1,11 @@ +# +# This the nft-sync configuration file. This software is still under +# development. Changes in the configuration file may still happen at this +# stage. +# + +# Bind listener socket to this address +local-address 127.0.0.1:1234 + +# Display logging to the standard output +logging stdout diff --git a/include/Makefile.am b/include/Makefile.am new file mode 100644 index 0000000..7cc5338 --- /dev/null +++ b/include/Makefile.am @@ -0,0 +1,9 @@ +noinst_HEADERS = config.h \ + fd.h \ + init.h \ + logging.h \ + msg_buff.h \ + proto.h \ + tcp.h \ + timer.h + diff --git a/include/config.h b/include/config.h new file mode 100644 index 0000000..66580a4 --- /dev/null +++ b/include/config.h @@ -0,0 +1,40 @@ +#ifndef _NFT_CONFIG_H_ +#define _NFT_CONFIG_H_ + +#include +#include +#include "tcp.h" +#include "fd.h" +#include "proto.h" + +enum nft_sync_mode { + NFTS_MODE_SERVER = (1 << 0), + NFTS_MODE_CLIENT = (1 << 1), +}; + +enum nft_sync_cmd { + NFTS_CMD_NONE = 0, + NFTS_CMD_FETCH, + NFTS_CMD_MAX +}; + +struct nft_sync_inst { + enum nft_sync_mode mode; + enum nft_sync_cmd cmd; + bool stop; + struct { + bool color; + int type; + char filename[PATH_MAX]; + FILE *fd; + } log; + struct tcp_conf tcp; + struct nft_fd tcp_client_nfd; + struct nft_fd tcp_server_fd; +}; + +extern struct nft_sync_inst nfts_inst; + +int nft_sync_config_parse(const char *filename); + +#endif /* _NFT_CONFIG_H_ */ diff --git a/include/fd.h b/include/fd.h new file mode 100644 index 0000000..b3f92cd --- /dev/null +++ b/include/fd.h 
@@ -0,0 +1,22 @@ +#ifndef _NFT_SYNC_FD_H_ +#define _NFT_SYNC_FD_H_ + +#include +#include + +struct nft_fd { + struct event event; + void (*cb)(struct nft_fd *, uint32_t); + int fd; + void *data; +}; + +void nft_fd_setup(struct nft_fd *ofd, int fd, + void (*cb)(struct nft_fd *fd, uint32_t mask), void *data); +void nft_fd_register(struct nft_fd *fd, uint32_t events); +void nft_fd_unregister(struct nft_fd *fd); + +struct nft_fd *nft_fd_alloc(void); +void nft_fd_free(struct nft_fd *nfd); + +#endif diff --git a/include/init.h b/include/init.h new file mode 100644 index 0000000..a0210d5 --- /dev/null +++ b/include/init.h @@ -0,0 +1,13 @@ +#ifndef _NFT_SYNC_EVENT_H_ +#define _NFT_SYNC_EVENT_H_ + +int nft_sync_event_init(void); +void nft_sync_event_loop(void); +void nft_sync_event_fini(void); + +struct nft_sync_inst; + +int tcp_server_start(struct nft_sync_inst *); +int tcp_client_start(struct nft_sync_inst *inst); + +#endif diff --git a/include/logging.h b/include/logging.h new file mode 100644 index 0000000..e15170c --- /dev/null +++ b/include/logging.h @@ -0,0 +1,30 @@ +#ifndef _NFT_SYNC_LOGGING_H_ +#define _NFT_SYNC_LOGGING_H_ + +enum nft_sync_logging_type { + NFTS_LOG_T_FILE = 0, + NFTS_LOG_T_SYSLOG, +}; + +enum nft_sync_logging_prio { + NFTS_LOG_DEBUG = 0, + NFTS_LOG_INFO, + NFTS_LOG_NOTICE, + NFTS_LOG_ERROR, + NFTS_LOG_FATAL, + NFTS_LOG_MAX +}; + +struct nft_sync_inst; + +int nft_sync_log_init(struct nft_sync_inst *inst); +void nft_sync_log(struct nft_sync_inst *inst, int priority, + const char *format, ...); +void nft_sync_log_fini(struct nft_sync_inst *inst); + +#include "config.h" + +#define nfts_log(prio, fmt, args...) \ + nft_sync_log(&nfts_inst, prio, fmt, ##args) + +#endif diff --git a/include/msg_buff.h b/include/msg_buff.h new file mode 100644 index 0000000..f4eea36 --- /dev/null +++ b/include/msg_buff.h 
@@ -0,0 +1,21 @@ +#ifndef _MSG_BUFF_H_ +#define _MSG_BUFF_H_ + +#include + +struct msg_buff; + +struct msg_buff *msgb_alloc(uint32_t size); +void msgb_free(struct msg_buff *msgb); + +uint32_t msgb_len(struct msg_buff *msgb); +uint32_t msgb_size(struct msg_buff *msgb); + +unsigned char *msgb_data(struct msg_buff *msgb); +unsigned char *msgb_tail(struct msg_buff *msgb); + +void *msgb_put(struct msg_buff *msgb, uint32_t len); +void *msgb_pull(struct msg_buff *msgb, uint32_t len); +void msgb_burp(struct msg_buff *msgb); + +#endif diff --git a/include/proto.h b/include/proto.h new file mode 100644 index 0000000..668f6a3 --- /dev/null +++ b/include/proto.h @@ -0,0 +1,11 @@ +#ifndef _NFT_SYNC_PROTO_H_ +#define _NFT_SYNC_PROTO_H_ + +struct nft_sync_hdr { + uint32_t len; + char data[0]; +}; + +#define NFTS_MAX_REQUEST 1024 + +#endif diff --git a/include/tcp.h b/include/tcp.h new file mode 100644 index 0000000..20c6092 --- /dev/null +++ b/include/tcp.h 
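Review bot: The msg_buff.h prototypes carry no contract, and client.c calls `msgb_put()` with sizes derived from a network-supplied length (the `msgb_alloc(len)` / `msgb_put(msgb, sizeof(buf))` sequence), so whether `msgb_put()`/`msgb_pull()` bounds-check `len` against the remaining space, and what they return when they cannot, decides whether that caller is safe; msg_buff.c is outside this view, so I cannot tell. A one-line comment per function would settle it for readers of the header, e.g. `/* msgb_put: reserve len bytes at the tail; returns NULL if len exceeds the free space */` (or `/* caller must ensure len <= msgb_size() - msgb_len() */` if it does not check). Ownership of the buffer returned by `msgb_alloc()` (freed only via `msgb_free()`) and what `msgb_burp()` does would complete the picture.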
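Review bot: `char data[0];` in `struct nft_sync_hdr` is a GNU zero-length array; it compiles under -std=gnu99, but the C99 flexible array member `char data[];` is the portable form and is what the length arithmetic in client.c already assumes (`sizeof(struct nft_sync_hdr)` used as the header size). The header should also document the wire format, since client.c builds `len` as `strlen("fetch") + sizeof(struct nft_sync_hdr)` and the receiver allocates `msgb_alloc(len)`, e.g. `/* len: total message length in network byte order, header included */`. As `len` is a length read from an untrusted peer, proto.h is also the natural place for an upper bound on responses; only `NFTS_MAX_REQUEST` exists today.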
@@ -0,0 +1,41 @@ +#ifndef _TCP_H_ +#define _TCP_H_ + +#include + +struct tcp_conf { + int ipproto; + unsigned short port; + union { + struct { + struct in_addr inet_addr; + } ipv4; + struct { + struct in6_addr inet_addr6; + int scope_id; + } ipv6; + } server; + union { + struct in_addr inet_addr; + struct in6_addr inet_addr6; + } client; +}; + +struct tcp_server; + +struct tcp_server *tcp_server_create(struct tcp_conf *conf); +void tcp_server_destroy(struct tcp_server *c); +int tcp_server_get_fd(struct tcp_server *c); +int tcp_server_accept(struct tcp_server *c, struct sockaddr_in *addr); + +struct tcp_client; + +struct tcp_client *tcp_client_create(struct tcp_conf *conf); +void tcp_client_destroy(struct tcp_client *c); +int tcp_client_get_fd(struct tcp_client *c); +ssize_t tcp_client_send(struct tcp_client *c, const void *data, int size); +ssize_t tcp_client_recv(struct tcp_client *c, void *data, int size); +void tcp_client_set_data(struct tcp_client *c, void *data); +void *tcp_client_get_data(struct tcp_client *c); + +#endif /*_TCP_H_ */ diff --git a/include/timer.h b/include/timer.h new file mode 100644 index 0000000..e3b7b74 --- /dev/null +++ b/include/timer.h @@ -0,0 +1,19 @@ +#ifndef _NFT_SYNC_TIMER_H +#define _NFT_SYNC_TIMER_H_ + +#include + +struct nft_timer { + struct event event; + void (*callback)(struct nft_timer *); + void *data; +}; + +void *nft_timer_data(struct nft_timer *timer); +void nft_timer_setup(struct nft_timer *timer, void (*cb)(struct nft_timer *), + void *data); +void nft_timer_add(struct nft_timer *timer, unsigned int sec, + unsigned int usec); +void nft_timer_del(struct nft_timer *timer); + +#endif diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..5c09b24 --- /dev/null +++ b/src/Makefile.am 
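Review bot: `tcp_client_send()` and `tcp_client_recv()` take the buffer size as `int`, while their caller in client.c passes `msgb_size(msgb) - msgb_len(msgb)`, a `uint32_t` difference, so the size is implicitly narrowed to a signed value on the way in; `size_t` matches send()/recv() and rules out a negative size being forwarded, `ssize_t tcp_client_send(struct tcp_client *c, const void *data, size_t size);` and likewise for recv. `tcp_server_accept()` takes a `struct sockaddr_in *`, so the `ipv6` half of `struct tcp_conf` cannot be reached through this API; the commit message lists IPv6 as future work, so a `/* TODO: IPv4 only; see tcp_conf.server.ipv6 */` on that prototype would keep the header honest.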
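Review bot: The include guard in timer.h is mismatched: `#ifndef _NFT_SYNC_TIMER_H` tests one macro and `#define _NFT_SYNC_TIMER_H_` defines another, so the guard never takes effect and a second inclusion redefines `struct nft_timer`, which is a compile error. Make both lines use the same name, `#ifndef _NFT_SYNC_TIMER_H_` / `#define _NFT_SYNC_TIMER_H_`. Identifiers starting with an underscore and an uppercase letter are reserved for the implementation, so `NFT_SYNC_TIMER_H` would be the cleaner choice, but that applies to every new header in this commit and is best changed together.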
@@ -0,0 +1,26 @@ +include $(top_srcdir)/Make_global.am + +sbin_PROGRAMS = nft-sync + +AM_YFLAGS = -d + +CLEANFILES = config-parser.c \ + config-scanner.c + +nft_sync_SOURCES = event.c \ + logging.c \ + msg_buff.c \ + server.c \ + client.c \ + tcp.c \ + timer.c \ + main.c \ + fd.c \ + config-parser.y \ + config-scanner.l +nft_sync_LDADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} -lev + +# yacc and lex generate dirty code +config-scanner.o config-parser.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls + +EXTRA_DIST = config-parser.h diff --git a/src/client.c b/src/client.c new file mode 100644 index 0000000..d509a52 --- /dev/null +++ b/src/client.c 
@@ -0,0 +1,176 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "init.h" +#include "logging.h" +#include "msg_buff.h" +#include "proto.h" +#include "config.h" + +static void print_payload(struct msg_buff *msgb) +{ + write(1, msgb_data(msgb) + sizeof(struct nft_sync_hdr), + msgb_len(msgb) - sizeof(struct nft_sync_hdr)); + write(1, "\n", 1); +} + +static int process_response(struct msg_buff *msgb, int len) +{ + switch (nfts_inst.cmd) { + case NFTS_CMD_NONE: + break; + case NFTS_CMD_FETCH: + print_payload(msgb); + /* We're done, stop running this process */ + nfts_inst.stop = true; + return 0; + /* TODO: We'll have a pull command at some point, the code to parse + * the xml/json ruleset should go here. + */ + default: + break; + } + return -1; +} + +static void tcp_client_established_cb(struct nft_fd *nfd, uint32_t mask) +{ + struct tcp_client *c = nfd->data; + struct nft_sync_hdr *hdr; + char buf[sizeof(struct nft_sync_hdr)]; + struct msg_buff *msgb = tcp_client_get_data(c); + int ret, len; + + if (msgb == NULL) { + /* Retrieve the header first to know the response length */ + ret = tcp_client_recv(c, buf, sizeof(buf)); + if (ret < 0) { + nfts_log(NFTS_LOG_ERROR, "cannot received from socket"); + goto err1; + } else if (ret == 0) { + nfts_log(NFTS_LOG_ERROR, + "connection from server has been closed\n"); + /* FIXME retry every N seconds using a timer, + * otherwise this sucks up the CPU by retrying to + * connect very hard. 
+ */ + goto err1; + } + + hdr = (struct nft_sync_hdr *)buf; + len = ntohl(hdr->len); + + /* Allocate a message for the entire response */ + msgb = msgb_alloc(len); + if (msgb == NULL) { + nfts_log(NFTS_LOG_ERROR, "OOM"); + goto err1; + } + memcpy(msgb_data(msgb), buf, sizeof(buf)); + msgb_put(msgb, sizeof(buf)); + + /* Attach this message to the client */ + tcp_client_set_data(c, msgb); + } + + /* Retrieve as much data as we can in this round */ + ret = tcp_client_recv(c, msgb_tail(msgb), + msgb_size(msgb) - msgb_len(msgb)); + if (ret < 0) { + nfts_log(NFTS_LOG_ERROR, "cannot received from socket"); + goto err1; + } else if (ret == 0) { + nfts_log(NFTS_LOG_ERROR, + "connection from server has been closed\n"); + goto err1; + } + msgb_put(msgb, ret); + + /* Not enough data to process the response yet */ + if (msgb_len(msgb) < msgb_size(msgb)) + return; + + if (process_response(msgb, len) < 0) { + nfts_log(NFTS_LOG_ERROR, "discarding malformed response"); + goto err1; + } + /* Detach this message from the client */ + tcp_client_set_data(c, NULL); +err1: + msgb_free(msgb); + close(tcp_client_get_fd(c)); + nft_fd_unregister(nfd); + tcp_client_destroy(c); +} + +static void tcp_client_connect_cb(struct nft_fd *nfd, uint32_t mask) +{ + struct nft_sync_hdr *hdr; + struct tcp_client *c = nfd->data; + struct msg_buff *msgb; + int len; + + msgb = msgb_alloc(NFTS_MAX_REQUEST); + if (msgb == NULL) { + nfts_log(NFTS_LOG_ERROR, "OOM"); + return; + } + + switch (nfts_inst.cmd) { + case NFTS_CMD_FETCH: + len = strlen("fetch") + sizeof(struct nft_sync_hdr); + hdr = msgb_put(msgb, sizeof(struct nft_sync_hdr)); + hdr->len = htonl(len); + memcpy(hdr->data, "fetch", strlen("fetch")); + msgb_put(msgb, strlen("fetch")); + break; + default: + nfts_log(NFTS_LOG_ERROR, "Unknown command"); + return; + } + + if (tcp_client_send(c, msgb_data(msgb), msgb_len(msgb)) < 0) { + nfts_log(NFTS_LOG_ERROR, "cannot send to socket: %s", + strerror(errno)); + exit(EXIT_FAILURE); + } + + /* Now that we got 
connected, register the descriptor again to + * permanently listen for incoming data. + */ + nft_fd_setup(&nfts_inst.tcp_client_nfd, tcp_client_get_fd(c), + tcp_client_established_cb, c); + nft_fd_register(nfd, EV_READ | EV_PERSIST); +} + +int tcp_client_start(struct nft_sync_inst *inst) +{ + struct tcp_client *c; + + c = tcp_client_create(&inst->tcp); + if (c == NULL) { + fprintf(stderr, "cannot initialize TCP client\n"); + return -1; + } + + nft_fd_setup(&inst->tcp_client_nfd, tcp_client_get_fd(c), + tcp_client_connect_cb, c); + nft_fd_register(&inst->tcp_client_nfd, EV_WRITE); + + return 0; +} diff --git a/src/config-parser.y b/src/config-parser.y new file mode 100644 index 0000000..41c37b9 --- /dev/null +++ b/src/config-parser.y 
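Review bot: In tcp_client_established_cb() the header length `len = ntohl(hdr->len)` comes straight from the peer and goes unchecked into `msgb_alloc(len)`, after which the 4-byte header is copied in with `memcpy(msgb_data(msgb), buf, sizeof(buf))` and `msgb_put(msgb, sizeof(buf))`; a server, or anyone on the path since the transport is plaintext, that sends `len < 4` makes that copy overrun the allocation unless msgb_put() itself rejects it (msg_buff.c is outside this view), and a huge `len` is a trivial memory-exhaustion vector. Reject out-of-range lengths before allocating, `if (len < sizeof(buf) || len > NFTS_MAX_REQUEST) { nfts_log(NFTS_LOG_ERROR, "bad response length %u", len); goto err1; }` (or a dedicated response bound in proto.h). The first `tcp_client_recv(c, buf, sizeof(buf))` is also assumed to return the whole header, since `ret` is only tested for `< 0` and `== 0`, so a short read parses a partial header; `if (ret != (int)sizeof(buf)) goto err1;` is the minimal fix until the header is accumulated the way the body is. In tcp_client_connect_cb() both the `default:` branch and the success path return without freeing `msgb`.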
@@ -0,0 +1,143 @@ +%{ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" +#include "logging.h" + +extern char *yytext; +extern int yylineno; + +static int parse_addr(const char *text, struct in_addr *addr, + uint16_t *port) +{ + char *colon = strchr(text, ':'); + + if (colon == NULL) { + fprintf(stderr, "missing `:' to indicate port\n"); + return -1; + } + *colon = '\0'; + + if (inet_pton(AF_INET, text, addr) < 0) { + fprintf(stderr, "%s not valid IPv4 address\n", text); + return -1; + } + *port = atoi(colon + 1); + + return 0; +} + +%} + +%union { + int val; + char *string; +} + +%token T_LOCAL_ADDR +%token T_REMOTE_ADDR +%token T_ADDR +%token T_NUMBER +%token T_LOG +%token T_MODE + +%token T_STRING +%token T_INTEGER + +%% + +configfile : + | sections + ; + +sections : section + | sections section + ; + +section : network + | log + ; + +network : local_addr + | remote_addr + ; + +local_addr : T_LOCAL_ADDR T_STRING + { + nfts_inst.tcp.ipproto = AF_INET; + if (parse_addr($2, + &nfts_inst.tcp.server.ipv4.inet_addr, + &nfts_inst.tcp.port) < 0) + break; + + nfts_inst.mode = NFTS_MODE_SERVER; + } + ; + +remote_addr : T_REMOTE_ADDR T_STRING + { + nfts_inst.tcp.ipproto = AF_INET; + if (parse_addr($2, &nfts_inst.tcp.client.inet_addr, + &nfts_inst.tcp.port) < 0) + break; + + nfts_inst.mode = NFTS_MODE_CLIENT; + } + ; + +log : T_LOG T_STRING + { + if (strcmp($2, "syslog") == 0) { + nfts_inst.log.type = NFTS_LOG_T_SYSLOG; + } else if (strcmp($2, "stdout") == 0) { + nfts_inst.log.type = NFTS_LOG_T_FILE; + nfts_inst.log.color = true; + } else { + nfts_inst.log.type = NFTS_LOG_T_FILE; + strncpy(nfts_inst.log.filename, $2, 
PATH_MAX); + nfts_inst.log.filename[PATH_MAX - 1] = '\0'; + } + } + ; + +%% + +int __attribute__((noreturn)) yyerror(char *msg) +{ + fprintf(stderr, "parsing config file in line (%d), symbol '%s': %s\n", + yylineno, yytext, msg); + exit(EXIT_FAILURE); +} + +int nft_sync_config_parse(const char *filename) +{ + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) { + fprintf(stderr, "Cannot open configuration file %s\n", + filename); + return -1; + } + + yyrestart(fp); + yyparse(); + fclose(fp); + + return 0; +} diff --git a/src/config-scanner.l b/src/config-scanner.l new file mode 100644 index 0000000..d3ad91e --- /dev/null +++ b/src/config-scanner.l @@ -0,0 +1,51 @@ +%{ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include "config-parser.h" +%} + +%option yylineno +%option noinput +%option nounput + +ws [ \t]+ +comment #.*$ +nl [\n\r] + +is_on [o|O][n|N] +is_off [o|O][f|F][f|F] +integer [\-\+]?[0-9]+ +string [a-zA-Z0-9][a-zA-Z0-9\.\-\_\/\:]* + +%% +"local-address" { return T_LOCAL_ADDR; } +"remote-address" { return T_REMOTE_ADDR; } +"logging" { return T_LOG; } +"mode" { return T_MODE; } + +{integer} { yylval.val = atoi(yytext); return T_INTEGER; } +{string} { yylval.string = strdup(yytext); return T_STRING; } + +{comment} ; +{ws} ; +{nl} ; + +<> { yyterminate(); } + +. { return yytext[0]; } + +%% + +int +yywrap() +{ + return 1; +} diff --git a/src/event.c b/src/event.c new file mode 100644 index 0000000..464b689 --- /dev/null +++ b/src/event.c 
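Review bot: parse_addr() tests `inet_pton(AF_INET, text, addr) < 0`, but inet_pton() returns 0, not -1, for a string that is not a valid address (-1 is only for an unsupported family), so a typo such as `local-address 127.0.0.999:1234` is accepted and `addr` is left unset; the check must be `if (inet_pton(AF_INET, text, addr) != 1)`. The port goes through `atoi(colon + 1)` with no range check and is stored in a `uint16_t`, so `:70000` silently wraps and `:abc` becomes port 0; parse it with strtoul and reject `end == colon + 1 || *end != '\0' || v > 65535`. The `$2` strings are strdup()'d by the scanner and never freed after the `local_addr`/`remote_addr`/`log` actions, and `yyerror()` is declared with `char *msg` where bison passes a `const char *`.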
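Review bot: The scanner returns `T_MODE` for the keyword `mode`, but config-parser.y only declares `%token T_MODE` and has no grammar rule that consumes it, so a `mode ...` line in the configuration is a syntax error that yyerror() turns into exit(EXIT_FAILURE); either add the rule or drop the keyword until it exists. `yylval.string = strdup(yytext)` is not checked for NULL, and `yylval.val = atoi(yytext)` for `{integer}` silently wraps on out-of-range input where strtol with an errno check would report it. The `is_on`/`is_off` definitions are declared and never used.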
@@ -0,0 +1,79 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ +#include +#include +#include + +#include "init.h" +#include "logging.h" + +static int sigtype; +static struct event_base *ev_base; +static struct event sigterm_event, sigusr1_event, sigint_event; + +static void sigterm_callback(int fd, short event, void *data) +{ + sigtype = SIGTERM; +} + +static void sigint_callback(int fd, short event, void *data) +{ + sigtype = SIGINT; +} + +static void sigusr1_callback(int fd, short event, void *data) +{ + sigtype = SIGUSR1; +} + +int nft_sync_event_init(void) +{ + ev_base = event_init(); + if (ev_base == NULL) + return -1; + + signal_set(&sigint_event, SIGINT, sigint_callback, NULL); + signal_add(&sigint_event, NULL); + signal_set(&sigterm_event, SIGTERM, sigterm_callback, NULL); + signal_add(&sigterm_event, NULL); + signal_set(&sigusr1_event, SIGUSR1, sigusr1_callback, NULL); + signal_add(&sigusr1_event, NULL); + + return 0; +} + +void nft_sync_event_loop(void) +{ + while (!sigtype && !nfts_inst.stop) + event_loop(EVLOOP_ONCE); + + switch (sigtype) { + case SIGINT: + nfts_log(NFTS_LOG_NOTICE, "Received SIGINT, closing."); + break; + case SIGTERM: + nfts_log(NFTS_LOG_NOTICE, "Received SIGTERM, closing."); + break; + case SIGUSR1: + nfts_log(NFTS_LOG_NOTICE, "Received SIGUSR1"); + /* TODO: reload configuration file */ + break; + default: + nfts_log(NFTS_LOG_INFO, "Closing process"); + break; + } +} + +void nft_sync_event_fini(void) +{ + signal_del(&sigterm_event); + signal_del(&sigusr1_event); + signal_del(&sigint_event); + event_base_free(ev_base); +} diff --git a/src/fd.c b/src/fd.c new file mode 100644 index 0000000..46b443a --- /dev/null +++ b/src/fd.c 
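Review bot: SIGUSR1 terminates the process rather than reloading anything: sigusr1_callback() stores SIGUSR1 in `sigtype`, the `while (!sigtype && !nfts_inst.stop)` loop in nft_sync_event_loop() then exits, and main() proceeds to nft_sync_event_fini() and returns, which the `/* TODO: reload configuration file */` comment suggests is not the intent. Until reload exists, either do not register the SIGUSR1 handler or reset `sigtype = 0;` after logging and re-enter the loop, so an operator's `kill -USR1` does not take the firewall sync daemon down. The return value of `event_loop(EVLOOP_ONCE)` is ignored; it returns 1 when no events are registered, in which case this loop would spin, though with the three signal events always added that presumably cannot happen here.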
@@ -0,0 +1,57 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include + +static void nft_fd_cb(int _fd, short mask, void *data) +{ + struct nft_fd *nfd = data; + + nfd->cb(nfd, mask); +} + +void nft_fd_setup(struct nft_fd *nfd, int fd, + void (*cb)(struct nft_fd *fd, uint32_t mask), void *data) +{ + /* add assertion */ + + nfd->fd = fd; + nfd->cb = cb; + nfd->data = data; +} + +void nft_fd_register(struct nft_fd *nfd, uint32_t events) +{ + unsigned short mask = events; + + /* add assertion */ + + event_set(&nfd->event, nfd->fd, mask, nft_fd_cb, nfd); + event_add(&nfd->event, NULL); +} + +void nft_fd_unregister(struct nft_fd *fd) +{ + /* add assertion */ + event_del(&fd->event); + fd->fd = -1; +} + +struct nft_fd *nft_fd_alloc(void) +{ + return calloc(1, sizeof(struct nft_fd)); +} + +void nft_fd_free(struct nft_fd *nfd) +{ + free(nfd); +} diff --git a/src/logging.c b/src/logging.c new file mode 100644 index 0000000..9907e5f --- /dev/null +++ b/src/logging.c 
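Review bot: The three `/* add assertion */` placeholders in nft_fd_setup(), nft_fd_register() and nft_fd_unregister() should either become real checks or go, since a comment promising a check that does not exist misleads the next reader; `assert(nfd != NULL && nfd->cb != NULL);` in register and `assert(fd->fd >= 0);` in unregister are the obvious candidates. nft_fd_register() narrows the `uint32_t events` mask to `unsigned short mask` for event_set() without checking that no bits were dropped. The return value of event_add() is discarded, so a failed registration is invisible to the caller; returning it from nft_fd_register() would let client.c and server.c react.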
@@ -0,0 +1,113 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include +#include + +#include "config.h" +#include "logging.h" + +static struct { + const char *text; + const char *color; +} logging[NFTS_LOG_MAX] = { + [NFTS_LOG_DEBUG] = { + .text = "DEBUG", + .color = "\033[1;33m", + }, + [NFTS_LOG_INFO] = { + .text = "INFO", + .color = "\033[1;32m", + }, + [NFTS_LOG_NOTICE] = { + .text = "NOTICE", + .color = "\033[1;36m", + }, + [NFTS_LOG_ERROR] = { + .text = "ERROR", + .color = "\033[1;33m", + }, + [NFTS_LOG_FATAL] = { + .text = "FATAL", + .color = "\033[1;31m", + }, +}; + +int nft_sync_log_init(struct nft_sync_inst *inst) +{ + int ret = 0; + + switch (inst->log.type) { + case NFTS_LOG_T_SYSLOG: + break; + case NFTS_LOG_T_FILE: + if (inst->log.fd == NULL) + inst->log.fd = stdout; + else { + inst->log.fd = fopen(inst->log.filename, "w+"); + if (inst->log.fd == NULL) + return -1; + } + break; + } + + return ret; +} + +void nft_sync_log_fini(struct nft_sync_inst *inst) +{ + switch (inst->log.type) { + case NFTS_LOG_T_SYSLOG: + break; + case NFTS_LOG_T_FILE: + if (inst->log.fd != NULL) + fclose(inst->log.fd); + break; + } +} + +void nft_sync_log(struct nft_sync_inst *inst, int prio, + const char *format, ...) +{ + time_t t; + char *timebuf = NULL; + va_list args; + + switch (inst->log.type) { + case NFTS_LOG_T_FILE: + t = time(NULL); + timebuf = ctime(&t); + timebuf[strlen(timebuf) - 1]='\0'; + break; + case NFTS_LOG_T_SYSLOG: + break; + } + + switch (inst->log.type) { + case NFTS_LOG_T_FILE: + va_start(args, format); + fprintf(inst->log.fd, "%s[%s] [%s] ", + inst->log.color ? 
logging[prio].color : "", timebuf, + logging[prio].text); + vfprintf(inst->log.fd, format, args); + va_end(args); + fprintf(inst->log.fd, "%s\n", + inst->log.color ? "\033[1;0m" : ""); + fflush(inst->log.fd); + break; + case NFTS_LOG_T_SYSLOG: + va_start(args, format); + vsyslog(prio, format, args); + va_end(args); + break; + } +} diff --git a/src/main.c b/src/main.c new file mode 100644 index 0000000..af0a7a5 --- /dev/null +++ b/src/main.c 
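Review bot: nft_sync_log() passes the nft-sync priority straight to `vsyslog(prio, format, args)`, but `prio` is an nft_sync_logging_prio value (NFTS_LOG_DEBUG = 0 ... NFTS_LOG_FATAL = 4), not a syslog LOG_* level, so a debug message is logged as LOG_EMERG and a fatal one as LOG_WARNING; map it first, e.g. `static const int syslog_prio[NFTS_LOG_MAX] = { [NFTS_LOG_DEBUG] = LOG_DEBUG, [NFTS_LOG_INFO] = LOG_INFO, [NFTS_LOG_NOTICE] = LOG_NOTICE, [NFTS_LOG_ERROR] = LOG_ERR, [NFTS_LOG_FATAL] = LOG_CRIT };` and call `vsyslog(syslog_prio[prio], format, args);`, with an openlog() in nft_sync_log_init(). The file branch of nft_sync_log_init() is inverted: `inst->log.fd` is never set before init (the config parser only fills `log.filename`), so the `== NULL` test always selects stdout and a configured log file is never opened; test `inst->log.filename[0] == '\0'` instead. `fopen(inst->log.filename, "w+")` also truncates the previous log on every start and creates the file with the process umask, which for a firewall daemon's log is worth tightening to append mode and an explicit mode via open()/fdopen().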
@@ -0,0 +1,134 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * Thanks to the NLnet Foundation for making the bootstrap + * of this project possible! + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "init.h" +#include "logging.h" +#include "msg_buff.h" +#include "proto.h" + +struct nft_sync_inst nfts_inst; + +static void print_usage(const char *prog_name) +{ + fprintf(stderr, + "%s (c) 2014 by Pablo Neira Ayuso \n" + "Usage: %s [-h] [-c]\n" + " [ --help ]\n" + " [ --config= ]\n" + " [ --fetch ]\n", prog_name, prog_name); +} + +static const struct option options[] = { + { .name = "help", .has_arg = false, .val = 'h' }, + { .name = "config", .has_arg = false, .val = 'c' }, + { .name = "fetch", .has_arg = false, .val = 'f' }, + { NULL }, +}; + +#define NFT_SYNC_CONF_DEFAULT "/etc/nft-sync.conf" + +static int set_cmd(int cmd) +{ + if (nfts_inst.cmd) { + fprintf(stderr, + "Cannot specify multiple commands at the same time\n"); + return -1; + } + nfts_inst.cmd = cmd; + return 0; +} + +int main(int argc, char *argv[]) +{ + int ret = EXIT_FAILURE, c; + const char *config = NFT_SYNC_CONF_DEFAULT; + + while ((c = getopt_long(argc, argv, "hc:f", options, NULL)) != -1) { + switch (c) { + case 'h': + print_usage(argv[0]); + return EXIT_SUCCESS; + case 'c': + config = optarg; + break; + case 'f': + set_cmd(NFTS_CMD_FETCH); + break; + default: + fprintf(stderr, "Unknown option -%c\n", c); + return EXIT_FAILURE; + } + } + + if (nft_sync_config_parse(config) < 0) + return EXIT_FAILURE; + + if (nft_sync_event_init() < 0) { + fprintf(stderr, "Cannot start libev: %s\n", strerror(errno)); + goto err; + } + + if (nft_sync_log_init(&nfts_inst) < 0) { + 
fprintf(stderr, "Cannot start logging: %s\n", strerror(errno)); + goto err; + } + + if (nfts_inst.mode & NFTS_MODE_SERVER) { + if (tcp_server_start(&nfts_inst) < 0) { + nfts_log(NFTS_LOG_FATAL, + "Cannot start TCP server: %s\n", + strerror(errno)); + goto err; + } + nfts_log(NFTS_LOG_INFO, "listening at %s", + inet_ntoa(nfts_inst.tcp.server.ipv4.inet_addr)); + } + + if (nfts_inst.mode & NFTS_MODE_CLIENT) { + if (!nfts_inst.cmd) { + nfts_log(NFTS_LOG_FATAL, + "Client needs some command, eg. --fetch", + strerror(errno)); + goto err; + } + if (tcp_client_start(&nfts_inst) < 0) { + nfts_log(NFTS_LOG_FATAL, + "Cannot start TCP client: %s", + strerror(errno)); + goto err; + } + nfts_log(NFTS_LOG_INFO, "connecting to %s", + inet_ntoa(nfts_inst.tcp.client.inet_addr)); + } + + /* TODO: add switch to allow to daemonize this process */ + + nft_sync_event_loop(); + + nft_sync_event_fini(); + + ret = EXIT_SUCCESS; +err: + nft_sync_log_fini(&nfts_inst); + + return ret; +} diff --git a/src/msg_buff.c b/src/msg_buff.c new file mode 100644 index 0000000..c148516 --- /dev/null +++ b/src/msg_buff.c 
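Review bot: The long option table declares `.has_arg = false` for "config" while the short-option string "hc:f" and the usage text (`--config=`) expect an argument, so `--config=FILE` is rejected by getopt_long and `--config FILE` leaves optarg NULL and hands a NULL path to nft_sync_config_parse(); the entry should read `{ .name = "config", .has_arg = required_argument, .val = 'c' },` (and `no_argument` for the others instead of bool literals). The return value of set_cmd() in the 'f' case is ignored, so the "multiple commands" error is printed but the run continues; `if (set_cmd(NFTS_CMD_FETCH) < 0) return EXIT_FAILURE;` keeps it fatal. The client-mode FATAL message "Client needs some command, eg. --fetch" passes strerror(errno) to a format with no conversion, and "Cannot start TCP server: %s\n" carries a trailing newline that nft_sync_log already appends; both are harmless but inconsistent with the neighbouring calls.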
@@ -0,0 +1,96 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include "msg_buff.h" + +struct msg_buff { + uint16_t len; + unsigned char *head; + unsigned char *data; + unsigned char *tail; + unsigned char *end; + + unsigned char _data[0]; +}; + +struct msg_buff *msgb_alloc(uint32_t size) +{ + struct msg_buff *msgb; + + msgb = malloc(sizeof(struct msg_buff) + size); + if (msgb == NULL) + return NULL; + + msgb->len = 0; + msgb->head = msgb->_data; + msgb->data = msgb->tail = msgb->_data; + msgb->end = msgb->_data + size; + + return msgb; +} + +void msgb_free(struct msg_buff *msgb) +{ + free(msgb); +} + +uint32_t msgb_size(struct msg_buff *msgb) +{ + return msgb->end - msgb->head; +} + +uint32_t msgb_len(struct msg_buff *msgb) +{ + return msgb->len; +} + +void *msgb_put(struct msg_buff *msgb, uint32_t len) +{ + void *data = msgb->tail; + + msgb->len += len; + msgb->tail += len; + + return data; +} + +void *msgb_pull(struct msg_buff *msgb, uint32_t len) +{ + void *ptr = msgb->data; + + if (len > msgb->len) + return NULL; + + msgb->len -= len; + msgb->data += len; + + return ptr; +} + +unsigned char *msgb_data(struct msg_buff *msgb) +{ + return msgb->data; +} + +unsigned char *msgb_tail(struct msg_buff *msgb) +{ + return msgb->tail; +} + +void msgb_burp(struct msg_buff *msgb) +{ + void *data = msgb->data; + int len = msgb->len; + + msgb->data = msgb->head; + memcpy(msgb->data, data, len); +} diff --git a/src/server.c b/src/server.c new file mode 100644 index 0000000..cd4ac0a --- /dev/null +++ b/src/server.c 
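Review bot: msgb_burp moves the pending bytes back to the head of the buffer with memcpy, but whenever `len` exceeds `data - head` the source and destination overlap, which is undefined behaviour for memcpy; use `memmove(msgb->data, data, len);`. msgb_put advances tail and len without checking that `len` fits in the remaining room, so a caller passing more than `msgb->end - msgb->tail` writes past the allocation; `if (len > (uint32_t)(msgb->end - msgb->tail)) return NULL;` keeps the buffer self-protecting even though the current callers size their writes from msgb_size()-msgb_len(). Note also that `len` is a uint16_t while msgb_alloc takes a uint32_t size and msgb_len returns uint32_t, so any buffer larger than 65535 bytes silently wraps the length; a uint32_t field avoids that. The trailing `unsigned char _data[0]` is a GNU extension; the C99 flexible array member `_data[]` expresses the same layout portably.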
@@ -0,0 +1,164 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "init.h" +#include "logging.h" +#include "msg_buff.h" +#include "proto.h" +#include "config.h" +#include "proto.h" + +static int send_ruleset(struct nft_fd *nfd) +{ + struct msg_buff *msgb; + struct nft_sync_hdr *hdr; + /* TODO: send real ruleset in json/xml format here, replace this + * code with the real libnftnl code. + */ + const char *ruleset = "this is the ruleset in XML/JSON format"; + int ret, ruleset_len = strlen(ruleset); + + msgb = msgb_alloc(sizeof(struct nft_sync_hdr) + ruleset_len); + if (msgb == NULL) + return -1; + + hdr = msgb_put(msgb, sizeof(struct nft_sync_hdr) + ruleset_len); + hdr->len = htonl(sizeof(struct nft_sync_hdr) + ruleset_len); + memcpy(hdr->data, ruleset, ruleset_len); + + ret = send(nfd->fd, msgb_data(msgb), msgb_len(msgb), 0); + msgb_free(msgb); + + return ret; +} + +static int nfts_parse_request(struct nft_fd *nfd, const char *req) +{ + int ret = -1; + + if (strncmp(req, "fetch", strlen("fetch")) == 0) + ret = send_ruleset(nfd); + + return ret; +} + +static void tcp_server_established_cb(struct nft_fd *nfd, uint32_t mask) +{ + struct msg_buff *msgb = nfd->data; + struct nft_sync_hdr *hdr; + uint32_t len; + int ret; + + ret = recv(nfd->fd, msgb_tail(msgb), + msgb_size(msgb) - msgb_len(msgb), 0); + if (ret == 0) + goto err1; + else if (ret < 0) { + nfts_log(NFTS_LOG_ERROR, "cannot receive from client"); + goto err1; + } + msgb_put(msgb, ret); + + /* Not enough room for header yet, grab more bytes later */ + if (msgb_len(msgb) < sizeof(struct nft_sync_hdr)) + return; + + hdr = (struct nft_sync_hdr *) msgb_data(msgb); + 
+ len = ntohl(hdr->len); + + if (len >= NFTS_MAX_REQUEST) { + nfts_log(NFTS_LOG_ERROR, "discarding message too large %d", + len, NFTS_MAX_REQUEST); + goto err1; + } + + /* Not enough data to process this request yet */ + if (len < (uint32_t)ret) + return; + + hdr = msgb_pull(msgb, len); + if (hdr == NULL) { + nfts_log(NFTS_LOG_FATAL, "cannot pull out header"); + goto err1; + } + + if (nfts_parse_request(nfd, hdr->data) < 0) { + nfts_log(NFTS_LOG_ERROR, "discarding malformed request"); + goto err1; + } + + /* There's still some pending bytes from the stream in the message, + * move them at the head of the message buffer. + */ + if (msgb_len(msgb) > 0) + msgb_burp(msgb); + + return; +err1: + nfts_log(NFTS_LOG_NOTICE, "closing connection"); + msgb_free(msgb); + close(nfd->fd); + nft_fd_unregister(nfd); + nft_fd_free(nfd); +} + +static void tcp_server_cb(struct nft_fd *nfd, uint32_t mask) +{ + struct nft_fd *accept_nfd; + struct msg_buff *msgb; + struct sockaddr_in addr; + int fd; + + msgb = msgb_alloc(NFTS_MAX_REQUEST); + if (msgb == NULL) { + nfts_log(NFTS_LOG_ERROR, "OOM"); + return; + } + + fd = tcp_server_accept(nfd->data, &addr); + if (fd < 0) { + msgb_free(msgb); + nfts_log(NFTS_LOG_ERROR, "failed to accept socket"); + return; + } + nfts_log(NFTS_LOG_NOTICE, "accepted new connection from %s", + inet_ntoa(addr.sin_addr)); + + accept_nfd = nft_fd_alloc(); + nft_fd_setup(accept_nfd, fd, tcp_server_established_cb, msgb); + nft_fd_register(accept_nfd, EV_READ | EV_PERSIST); +} + +int tcp_server_start(struct nft_sync_inst *inst) +{ + struct tcp_server *s; + + nfts_inst.tcp.ipproto = AF_INET; + nfts_inst.tcp.port = 1234; + + s = tcp_server_create(&inst->tcp); + if (s == NULL) + return -1; + + nft_fd_setup(&inst->tcp_server_fd, tcp_server_get_fd(s), + tcp_server_cb, s); + nft_fd_register(&inst->tcp_server_fd, EV_READ | EV_PERSIST); + + return 0; +} diff --git a/src/tcp.c b/src/tcp.c new file mode 100644 index 0000000..ced350a --- /dev/null +++ b/src/tcp.c 
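Review bot: In tcp_server_established_cb the "not enough data" test compares the announced length against the bytes returned by this recv() call, `if (len < (uint32_t)ret) return;`, which is inverted and ignores bytes buffered by earlier calls; the condition that matches the comment is `if (msgb_len(msgb) < len) return;`. Only an upper bound is applied to `len`, so a header announcing fewer than sizeof(struct nft_sync_hdr) bytes (including 0) still reaches msgb_pull and nfts_parse_request, which then reads five bytes at hdr->data regardless of how many the message carried; tighten the check to `if (len < sizeof(struct nft_sync_hdr) || len >= NFTS_MAX_REQUEST)` and pass the payload length down so parsing never reads beyond it. The "discarding message too large" log line supplies two arguments for a single %d conversion (and `len` is a uint32_t), so the format should be `"%u (max %u)"` or the second argument dropped. tcp_server_cb uses nft_fd_alloc() without a NULL check, and tcp_server_start hard-codes `nfts_inst.tcp.ipproto = AF_INET` and `port = 1234` on the global rather than using the `inst` parameter and the values the config parser is expected to supply — presumably a bootstrap placeholder, but worth a TODO.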
@@ -0,0 +1,295 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "logging.h" + +/* + * TCP server side + */ + +struct tcp_server { + int fd; + union { + struct sockaddr_in ipv4; + struct sockaddr_in6 ipv6; + } addr; +}; + +#define TCP_SERVER_LISTEN 20 + +struct tcp_server *tcp_server_create(struct tcp_conf *conf) +{ + int ret, on = 1; + struct tcp_server *c; + socklen_t socklen = sizeof(int); + + c = calloc(1, sizeof(struct tcp_server)); + if (c == NULL) + return NULL; + + switch (conf->ipproto) { + case AF_INET: + c->addr.ipv4.sin_family = AF_INET; + c->addr.ipv4.sin_port = htons(conf->port); + c->addr.ipv4.sin_addr = conf->server.ipv4.inet_addr; + socklen = sizeof(struct sockaddr_in); + break; + + case AF_INET6: + c->addr.ipv6.sin6_family = AF_INET6; + c->addr.ipv6.sin6_port = htons(conf->port); + c->addr.ipv6.sin6_addr = conf->server.ipv6.inet_addr6; + c->addr.ipv6.sin6_scope_id = conf->server.ipv6.scope_id; + socklen = sizeof(struct sockaddr_in6); + break; + } + + c->fd = socket(conf->ipproto, SOCK_STREAM, 0); + if (c->fd < 0) + goto err1; + + ret = setsockopt(c->fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(int)); + if (ret < 0) + goto err2; + + ret = setsockopt(c->fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(int)); + if (ret < 0) + goto err2; + + ret = bind(c->fd, (struct sockaddr *) &c->addr, socklen); + if (ret < 0) + goto err2; + + ret = listen(c->fd, TCP_SERVER_LISTEN); + if (ret < 0) + goto err2; + + ret = fcntl(c->fd, F_SETFL, O_NONBLOCK); + if (ret < 0) + goto err2; + + return c; +err2: + close(c->fd); +err1: + free(c); + return NULL; +} + +void 
tcp_server_destroy(struct tcp_server *c) +{ + close(c->fd); + free(c); +} + +int tcp_server_get_fd(struct tcp_server *c) +{ + return c->fd; +} + +int tcp_server_accept(struct tcp_server *c, struct sockaddr_in *addr) +{ + int err, fd; + socklen_t socklen = sizeof(struct sockaddr_in); + + err = accept(c->fd, (struct sockaddr *)addr, &socklen); + if (err < 0 && errno != EAGAIN) + return -1; + + fd = err; + + err = fcntl(fd, F_SETFL, O_NONBLOCK); + if (err < 0) { + close(fd); + return -1; + } + + return fd; +} + +/* + * TCP client side + */ + +enum tcp_client_state { + TCP_DISCONNECTED = 0, + TCP_CONNECTING, + TCP_CONNECTED +}; + +struct tcp_client { + int fd; + enum tcp_client_state state; + union { + struct sockaddr_in ipv4; + struct sockaddr_in6 ipv6; + } addr; + socklen_t socklen; + struct nft_timer timer; + void *data; +}; + +#define TCP_CONNECT_TIMEOUT 1 + +static int tcp_client_init(struct tcp_client *c, struct tcp_conf *conf) +{ + int ret = 0; + + c->fd = socket(conf->ipproto, SOCK_STREAM, 0); + if (c->fd < 0) + return -1; + + switch (conf->ipproto) { + case AF_INET: + c->addr.ipv4.sin_family = AF_INET; + c->addr.ipv4.sin_port = htons(conf->port); + c->addr.ipv4.sin_addr = conf->client.inet_addr; + c->socklen = sizeof(struct sockaddr_in); + break; + case AF_INET6: + c->addr.ipv6.sin6_family = AF_INET6; + c->addr.ipv6.sin6_port = htons(conf->port); + c->addr.ipv6.sin6_addr = conf->client.inet_addr6; + c->socklen = sizeof(struct sockaddr_in6); + break; + default: + ret = -1; + break; + } + + if (ret < 0) + goto err1; + + ret = fcntl(c->fd, F_SETFL, O_NONBLOCK); + if (ret < 0) + goto err1; + + ret = connect(c->fd, (struct sockaddr *)&c->addr, c->socklen); + if (ret < 0) { + switch (errno) { + case EINPROGRESS: + c->state = TCP_CONNECTING; + break; + default: /* ECONNREFUSED */ + c->state = TCP_DISCONNECTED; + goto err1; + } + } else { + /* very unlikely at this stage. 
*/ + c->state = TCP_CONNECTED; + } + return 0; +err1: + close(c->fd); + return ret; +} + +int tcp_client_get_fd(struct tcp_client *c) +{ + return c->fd; +} + +struct tcp_client *tcp_client_create(struct tcp_conf *conf) +{ + struct tcp_client *c; + + c = calloc(1, sizeof(struct tcp_client)); + if (c == NULL) + return NULL; + + if (tcp_client_init(c, conf) < 0) { + free(c); + return NULL; + } + + return c; +} + +void tcp_client_destroy(struct tcp_client *c) +{ + close(c->fd); + free(c); +} + +ssize_t tcp_client_send(struct tcp_client *c, const void *data, int size) +{ + ssize_t ret = 0; + + switch (c->state) { + case TCP_DISCONNECTED: + ret = -1; + break; + case TCP_CONNECTING: + ret = connect(c->fd, (struct sockaddr *)&c->addr, c->socklen); + if (ret < 0) + return ret; + + c->state = TCP_CONNECTED; + /* fall through ... */ + case TCP_CONNECTED: + ret = send(c->fd, data, size, 0); + if (ret <= 0) { + /* errno == EPIPE || errno == ECONNRESET */ + c->state = TCP_DISCONNECTED; + return ret; + } + break; + } + return ret; +} + +ssize_t tcp_client_recv(struct tcp_client *c, void *data, int size) +{ + ssize_t ret = 0; + + switch (c->state) { + case TCP_DISCONNECTED: + ret = -1; + break; + case TCP_CONNECTING: + ret = connect(c->fd, (struct sockaddr *)&c->addr, c->socklen); + if (ret < 0) + return ret; + + c->state = TCP_CONNECTED; + /* fall through ... */ + case TCP_CONNECTED: + ret = recv(c->fd, data, size, 0); + if (ret <= 0) { + /* errno == ENOTCONN */ + c->state = TCP_DISCONNECTED; + return ret; + } + } + return ret; +} + +void tcp_client_set_data(struct tcp_client *c, void *data) +{ + c->data = data; +} + +void *tcp_client_get_data(struct tcp_client *c) +{ + return c->data; +} diff --git a/src/timer.c b/src/timer.c new file mode 100644 index 0000000..7e39076 --- /dev/null +++ b/src/timer.c 
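Review bot: tcp_server_create's switch on `conf->ipproto` has no default case, unlike tcp_client_init, so an unexpected protocol leaves `c->addr` zeroed and `socklen` at sizeof(int) and the call proceeds to socket()/bind() with a bogus address instead of failing; add `default: goto err1;`. In tcp_server_accept an accept() failure with errno == EAGAIN falls through with `fd = -1`, and the subsequent fcntl(-1) and close(-1) fail with EBADF, clobbering the errno the caller may want; `if (err < 0) return -1;` is the simpler and correct guard. tcp_client_send and tcp_client_recv complete a pending non-blocking connect by calling connect() a second time, which I believe works on Linux but is not what POSIX specifies (other systems return EISCONN or EALREADY); the portable pattern is to check `getsockopt(fd, SOL_SOCKET, SO_ERROR, ...)` once the socket becomes writable. Both client I/O helpers take `int size` and pass it to send()/recv(), where a negative value converts to a huge size_t; `size_t` is the right type.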
@@ -0,0 +1,50 @@ +/* + * (C) 2014 by Pablo Neira Ayuso + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + */ + +#include +#include "timer.h" + +void *nft_timer_data(struct nft_timer *timer) +{ + return timer->data; +} + +static void nft_timer_callback(int fd, short mask, void *data) +{ + struct nft_timer *timer = data; + + timer->callback(timer); +} + +void nft_timer_setup(struct nft_timer *timer, void (*cb)(struct nft_timer *), + void *data) +{ + // assert: evtimer_pending(timer->event, NULL) == 0; + timer->callback = cb; +} + +void nft_timer_add(struct nft_timer *timer, unsigned int sec, + unsigned int usec) +{ + struct timeval tv = { + .tv_sec = sec, + .tv_usec = usec, + }; + + if (evtimer_pending(&timer->event, NULL)) + evtimer_del(&timer->event); + + evtimer_set(&timer->event, nft_timer_callback, timer); + evtimer_add(&timer->event, &tv); +} + +void nft_timer_del(struct nft_timer *timer) +{ + evtimer_del(&timer->event); +} diff --git a/tests/Makefile.am b/tests/Makefile.am new file mode 100644 index 0000000..df0680f --- /dev/null +++ b/tests/Makefile.am @@ -0,0 +1,5 @@ +include $(top_srcdir)/Make_global.am + +check_PROGRAMS = nft-sync-test + +nft_sync_test_SOURCES = nft-sync-test.c ../src/tcp.c ../src/msg_buff.c diff --git a/tests/nft-sync-test.c b/tests/nft-sync-test.c new file mode 100644 index 0000000..a247d64 --- /dev/null +++ b/tests/nft-sync-test.c 
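Review bot: nft_timer_setup takes a `data` argument but never stores it, so nft_timer_data() returns whatever the struct held beforehand; add `timer->data = data;` next to the callback assignment. The commented-out `evtimer_pending` assertion documents a precondition the code does not enforce; either make it a real check or drop the comment so it does not read as if it were active.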
@@ -0,0 +1,61 @@ +#include +#include +#include + +#include "../include/tcp.h" +#include "../include/proto.h" +#include "../include/msg_buff.h" + +int main(void) +{ + struct tcp_client *c; + struct tcp_conf conf = { + .ipproto = AF_INET, + .port = 1234, + .client = { + .inet_addr = { inet_addr("127.0.0.1") }, + }, + }; + struct nft_sync_hdr *hdr; + struct msg_buff *msgb; + char buf[1024]; + fd_set fds; + + msgb = msgb_alloc(NFTS_MAX_REQUEST); + if (msgb == NULL) { + perror("msgb_alloc"); + exit(EXIT_FAILURE); + } + + hdr = msgb_put(msgb, sizeof(struct nft_sync_hdr) + strlen("fetch")); + hdr->len = htonl(sizeof(struct nft_sync_hdr) + strlen("fetch")); + memcpy(hdr->data, "fetch", strlen("fetch")); + + c = tcp_client_create(&conf); + if (c == NULL) { + fprintf(stderr, "cannot initialize TCP client\n"); + exit(EXIT_FAILURE); + } + + FD_ZERO(&fds); + FD_SET(tcp_client_get_fd(c), &fds); + /* Wait for connection ... */ + select(tcp_client_get_fd(c) + 1, NULL, &fds, NULL, NULL); + + if (tcp_client_send(c, msgb_data(msgb), msgb_len(msgb)) < 0) { + perror("cannot send to socket"); + exit(EXIT_FAILURE); + } + + FD_ZERO(&fds); + FD_SET(tcp_client_get_fd(c), &fds); + /* Wait to receive data after sending request ... */ + select(tcp_client_get_fd(c) + 1, &fds, NULL, NULL, NULL); + + if (tcp_client_recv(c, buf, sizeof(buf)) < 0) { + perror("cannot send to socket"); + exit(EXIT_FAILURE); + } + printf("[TEST OK] Received: %s\n", buf + sizeof(struct nft_sync_hdr)); + tcp_client_destroy(c); +} -- cgit v1.2.3
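Review bot: The received buffer is printed with "%s" without being NUL-terminated: tcp_client_recv's byte count is discarded and buf is uninitialized beyond what recv() wrote, so printf reads until it happens to find a zero byte. Capture the count and terminate, e.g. `ssize_t n = tcp_client_recv(c, buf, sizeof(buf) - 1); if (n < (ssize_t)sizeof(struct nft_sync_hdr)) { perror("cannot receive from socket"); exit(EXIT_FAILURE); } buf[n] = '\0';`, which also fixes the copy-pasted "cannot send to socket" message on the receive path. The two select() calls are unchecked, so an interrupted or failed wait falls straight through to send/recv. msgb is never freed; `msgb_free(msgb);` before tcp_client_destroy covers the success path.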