From c179ee88d91a84fc75dc4602cca500e8fa72ed66 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 27 Apr 2014 15:04:07 +0200 Subject: initial commit This patch bootstraps the new nft-sync software. Basically, this software aims to support two different setups: 1) Rule-set repository server. The software serves the nft rule-set to clients that request the ruleset. Basically from the system that acts as repository, you have to run: # nft-sync -c ../contrib/nft-sync.conf.server Then, from the client: # nft-sync -c ../contrib/nft-sync.conf.client --fetch Which displays the nft rule-set on the standard output, so you can inspect the nft rule-set. Alternatively, the client can also retrieve and apply the nft rule-set using the pull command instead: # nft-sync -c ../contrib/nft-sync.conf.client --pull [ Note that this command above does not work in this bootstrap yet ] 2) Rule-set synchronization: In case of primary-backup and multiprimary firewall configurations, the software makes sure that the firewall cluster is deploying the same filtering policy. In this case, you have to launch the process: # nft-sync -c ../contrib/nft-sync.conf --sync [ Note that this command above does not work in this bootstrap yet ] This bootstrap provides the basic infrastructure as a proof-of-concept. Many of the necessary features are still lacking: * Implement --sync and --pull commands. * Interaction with nft through libnftnl, which allows the software to retrieve the local nft rule-set, as well as to parse it and apply it. * SSL support; the repository mode in particular needs it so that nobody can read your filtering policy off the network. * IPv6 support. * Allow serving different rule-sets in the repository mode. And many others that will be added progressively. 
Signed-off-by: Pablo Neira Ayuso
---
tests/Makefile.am | 5 +++++
tests/nft-sync-test.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 tests/Makefile.am
create mode 100644 tests/nft-sync-test.c
(limited to 'tests')
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..df0680f
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,5 @@
+include $(top_srcdir)/Make_global.am
+
+check_PROGRAMS = nft-sync-test
+
+nft_sync_test_SOURCES = nft-sync-test.c ../src/tcp.c ../src/msg_buff.c
diff --git a/tests/nft-sync-test.c b/tests/nft-sync-test.c
new file mode 100644
index 0000000..a247d64
--- /dev/null
+++ b/tests/nft-sync-test.c
@@ -0,0 +1,61 @@
+#include
+#include
+#include
+
+#include "../include/tcp.h"
+#include "../include/proto.h"
+#include "../include/msg_buff.h"
+
+int main(void)
+{
+ struct tcp_client *c;
+ struct tcp_conf conf = {
+ .ipproto = AF_INET,
+ .port = 1234,
+ .client = {
+ .inet_addr = { inet_addr("127.0.0.1") },
+ },
+ };
+ struct nft_sync_hdr *hdr;
+ struct msg_buff *msgb;
+ char buf[1024];
+ fd_set fds;
+
+ msgb = msgb_alloc(NFTS_MAX_REQUEST);
+ if (msgb == NULL) {
+ perror("msgb_alloc");
+ exit(EXIT_FAILURE);
+ }
+
+ hdr = msgb_put(msgb, sizeof(struct nft_sync_hdr) + strlen("fetch"));
+ hdr->len = htonl(sizeof(struct nft_sync_hdr) + strlen("fetch"));
+ memcpy(hdr->data, "fetch", strlen("fetch"));
+
+ c = tcp_client_create(&conf);
+ if (c == NULL) {
+ fprintf(stderr, "cannot initialize TCP client\n");
+ exit(EXIT_FAILURE);
+ }
+
+ FD_ZERO(&fds);
+ FD_SET(tcp_client_get_fd(c), &fds);
+ /* Wait for connection ... */
+ select(tcp_client_get_fd(c) + 1, NULL, &fds, NULL, NULL);
+
+ if (tcp_client_send(c, msgb_data(msgb), msgb_len(msgb)) < 0) {
+ perror("cannot send to socket");
+ exit(EXIT_FAILURE);
+ }
+
+ FD_ZERO(&fds);
+ FD_SET(tcp_client_get_fd(c), &fds);
+ /* Wait to receive data after sending request ... */
+ select(tcp_client_get_fd(c) + 1, &fds, NULL, NULL, NULL);
+
+ if (tcp_client_recv(c, buf, sizeof(buf)) < 0) {
+ perror("cannot send to socket");
+ exit(EXIT_FAILURE);
+ }
+ printf("[TEST OK] Received: %s\n", buf + sizeof(struct nft_sync_hdr));
+ tcp_client_destroy(c);
+}
-- cgit v1.2.3
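Review bot: The reply is printed with `%s` at the end of main() (`printf("[TEST OK] Received: %s\n", buf + sizeof(struct nft_sync_hdr))`) although the byte count from `tcp_client_recv()` is discarded and nothing NUL-terminates `buf`, so a reply without a trailing NUL — which the peer, not this client, controls — makes printf read past the received bytes into uninitialised stack and potentially past the 1024-byte buffer, and a reply shorter than the header points the `%s` argument beyond what was received at all. Keep the count and bound the print with `%.*s`, which also lets you fix the copy-pasted `perror("cannot send to socket")` on the receive error path (this assumes `tcp_client_recv()` returns the byte count like `recv()` and leaves errno set; confirm against src/tcp.c, which is outside the hunk). Both `select()` calls are unchecked as well, and if `tcp_client_create()` performs a non-blocking connect, as the "Wait for connection" comment suggests, writability alone does not mean the connect succeeded — `getsockopt(SO_ERROR)` should be consulted before sending. `hdr->len` on the reply is likewise never compared against the bytes actually received, which matters once this client reads rule-sets from a repository it does not control.
```c
	/* … unchanged: request build, connect, send, second select() … */
	int n = tcp_client_recv(c, buf, sizeof(buf));
	if (n < 0) {
		perror("cannot receive from socket");
		exit(EXIT_FAILURE);
	}
	/* Never trust the peer to send a full header or a NUL terminator. */
	if ((size_t)n < sizeof(struct nft_sync_hdr)) {
		fprintf(stderr, "short reply: %d bytes\n", n);
		exit(EXIT_FAILURE);
	}
	printf("[TEST OK] Received: %.*s\n",
	       (int)(n - sizeof(struct nft_sync_hdr)),
	       buf + sizeof(struct nft_sync_hdr));
	tcp_client_destroy(c);
```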