author | Andrew Cady <d@jerkface.net> | 2020-08-21 08:10:26 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2020-08-21 08:15:23 -0400 |
commit | 22fd38896ae61ba66a41d5f4d27f9e1096a7ca1e (patch) | |
tree | fd3fa09175124f0f18bdda5d11bb62c281c82565 | |
parent | 472f2f06be419bdf6bfbe794db9db0a53955fd85 (diff) |
Change enum rules_policy to bool enforce_whitelist
This reflects the fact that the rules constitute a whitelist.
-rw-r--r-- | main.c | 44 |
1 files changed, 19 insertions, 25 deletions
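--- a/main.c
+++ b/main.c
@@ -44,7 +44,7 @@ char config_path[500] = "/etc/tuntox/";
 /* Limit hostname and port in server */
 int nrules = 0;
 char rules_file[500] = "/etc/tuntox/rules";
-enum rules_policy_enum rules_policy = NONE;
+bool enforce_whitelist = false;
 rule *rules = NULL;
 
 /* Ports and hostname for port forwarding */
@@ -424,30 +424,24 @@ int handle_ping_frame(protocol_frame *rcvd_frame)
 
 bool check_requested_tunnel_against_rules(char *hostname, in_port_t port)
 {
-switch(rules_policy)
-{
-case NONE:
-return true;
-case VALIDATE:
-if(nrules > 0)
-{
-rule candidate, *found = NULL;
-candidate.host = hostname;
-candidate.port = port;
+if (!enforce_whitelist) return true;
 
-LL_SEARCH(rules, found, &candidate, rule_match);
-if(!found)
-{
-log_printf(L_WARNING, "Rejected, request not in rules\n");
-}
-return found;
-}
-log_printf(L_WARNING, "Filter option active but no allowed host/port. All requests will be dropped.\n");
-return false;
-default:
-log_printf(L_WARNING, "BUG: invalid rules_policy (impossible!)\n");
+if (nrules <= 0)
+{
+log_printf(l_warning, "filter option active but no allowed host/port. all requests will be dropped.\n");
 return false;
 }
+
+rule candidate, *found = NULL;
+candidate.host = hostname;
+candidate.port = port;
+
+LL_SEARCH(rules, found, &candidate, rule_match);
+if(!found)
+{
+log_printf(L_WARNING, "Rejected, request not in rules\n");
+}
+return found;
 }
 
 int handle_request_tunnel_frame(protocol_frame *rcvd_frame)
@@ -847,7 +841,7 @@ void load_rules()
 nrules = valid_rules;
 
 log_printf(L_INFO, "Loaded %d rules\n", nrules);
-if (nrules==0 && rules_policy != NONE){
+if (nrules==0 && enforce_whitelist){
 log_printf(L_WARNING, "No rules loaded! NO CONNECTIONS WILL BE ALLOWED!\n");
 }
 }
@@ -1376,7 +1370,7 @@ int main(int argc, char *argv[])
 break;
 case 'f':
 strncpy(rules_file, optarg, sizeof(rules_file) - 1);
-rules_policy = VALIDATE;
+enforce_whitelist = true;
 log_printf(L_INFO, "Filter policy set to VALIDATE\n");
 break;
 case 's':
@@ -1477,7 +1471,7 @@ int main(int argc, char *argv[])
 log_printf(L_INFO, "Server in ToxID whitelisting mode - only clients listed with -i can connect");
 }
 
-if((!client_mode) && (rules_policy != NONE))
+if((!client_mode) && enforce_whitelist)
 {
 load_rules();
 }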
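Review bot: On the new side of line 431 in check_requested_tunnel_against_rules the warning is written `log_printf(l_warning, "filter option active ...")` with a lowercase `l_warning`, while the other calls in this file (lines 442 and 845 on the new side) use `L_WARNING`; if that is not an artifact of how the page was rendered it will not compile, and the line should read `log_printf(L_WARNING, "Filter option active but no allowed host/port. All requests will be dropped.\n");` as it did before the rewrite. Separately, the `-f` handler at line 1374 still logs `"Filter policy set to VALIDATE\n"` even though the VALIDATE enum value is removed by this commit, so something like `log_printf(L_INFO, "Rules file set, whitelist enforcement enabled\n");` would keep the log message in step with the new flag. Since the new early return makes it explicit that every tunnel request is accepted without consulting the rules whenever enforce_whitelist is false (pre-existing behaviour, now easier to see), a one-line comment above it such as `/* Rules are a whitelist; they are only consulted when -f was given */` would document the fail-open default for the next reader.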