2 * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Roman Kubiak (r.kubiak@samsung.com)
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
21 * @author Roman Kubiak (r.kubiak@samsung.com)
22 * @brief nether main program
25 #include "nether_Types.h"
26 #include "nether_Utils.h"
27 #include "nether_Manager.h"
28 #include "nether_Daemon.h"
31 void showHelp(char *arg);
// Entry point: parses the command line into a NetherConfig, installs a log
// backend, logs the effective configuration, builds and initializes the
// NetherManager and (optionally) daemonizes.
// NOTE(review): this listing omits the case labels, braces and the loop/return
// statements between the lines shown below; comments describe only what is visible.
33 int main(int argc, char *argv[])
36 struct NetherConfig netherConfig;
// NOTE(review): a function-local static initialized with the address of the
// automatic `netherConfig` above. Harmless only because main() runs exactly once.
// BUG(review): for "enable-audit", "daemon" and "no-rules" the entry uses the
// `flag` pointer form with `val == 0`. getopt_long() then writes `val` (0) into
// *flag and returns 0, so the long spellings --daemon / --no-rules /
// --enable-audit never set the flag to 1 the way the short -d / -x / -a cases
// below do (they at best leave the default). Either use `val = 1`, or use a
// null flag with `val = 'd'` / `'x'` / `'a'` so the short-option cases handle them.
38 static struct option longOptions[] =
40 #if defined(HAVE_AUDIT)
41 {"enable-audit", no_argument, &netherConfig.enableAudit, 0},
43 {"daemon", no_argument, &netherConfig.daemonMode, 0},
44 {"no-rules", no_argument, &netherConfig.noRules, 0},
45 {"log", required_argument, 0, 'l'},
46 {"log-args", required_argument, 0, 'L'},
47 {"default-verdict", required_argument, 0, 'V'},
48 {"primary-backend", required_argument, 0, 'p'},
49 {"primary-backend-args", required_argument, 0, 'P'},
50 {"backup-backend", required_argument, 0, 'b'},
51 {"backup-backend-args", required_argument, 0, 'B'},
52 {"queue-num", required_argument, 0, 'q'},
53 {"mark-deny", required_argument, 0, 'm'},
54 {"mark-allow-log", required_argument, 0, 'M'},
55 {"rules-path", required_argument, 0, 'r'},
56 {"iptables-restore-path", required_argument, 0, 'i'},
57 {"help", no_argument, 0, 'h'},
// Leading ':' makes getopt_long() report a missing required argument as ':'
// rather than '?'. NOTE(review): 'a' appears twice in the optstring, once
// without and once with a ':' ("...daxl..." and "...M:a:r..."); the duplicate
// is ambiguous and should be removed (-a takes no argument per the -a case).
63 c = getopt_long (argc, argv, ":daxl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
// -d
74 netherConfig.daemonMode = 1;
// -x
77 netherConfig.noRules = 1;
// -a (only compiled in with audit support)
80 #if defined(HAVE_AUDIT)
82 netherConfig.enableAudit = 1;
// -l / -L: logging backend and its arguments. What stringToLogBackendType()
// returns for an unknown name is not visible here; the switch further down
// falls back to StderrBackend for anything it does not match.
86 netherConfig.logBackend = stringToLogBackendType(optarg);
90 netherConfig.logBackendArgs = optarg;
// -V: verdict applied when the policy backend is unavailable (per showHelp()).
// NOTE(review): the parsed value is not validated here — confirm that
// stringToVerdict() rejects or safely defaults unknown strings, since this is
// the fail-open/fail-closed setting.
94 netherConfig.defaultVerdict = stringToVerdict (optarg);
// -p / -P / -b / -B: primary and backup policy backends and their arguments.
98 netherConfig.primaryBackendType = stringToBackendType (optarg);
102 netherConfig.primaryBackendArgs = optarg;
106 netherConfig.backupBackendType = stringToBackendType (optarg);
110 netherConfig.backupBackendArgs = optarg;
// -q: NFQUEUE number. NOTE(review): atoi() yields 0 for non-numeric input and
// has undefined behaviour on overflow, so e.g. "--queue-num=abc" silently
// passes this check as queue 0. strtol()/std::from_chars with a
// full-consumption check would reject it. The same applies to -m and -M below.
114 if (atoi(optarg) < 0 || atoi(optarg) >= 65535)
116 cerr << "Queue number is invalid (must be >= 0 and < 65535): " << atoi(optarg);
119 netherConfig.queueNumber = atoi(optarg);
// -m: packet mark for DENY verdicts; must fit the 1..254 range checked here
// (the (int) casts in the LOGD below suggest a narrow integer field — confirm).
123 if (atoi(optarg) <= 0 || atoi(optarg) >= 255)
125 cerr << "Packet mark for DENY is invalid (must be > 0 and < 255): " << atoi(optarg);
128 netherConfig.markDeny = atoi(optarg);
// -M: packet mark for ALLOW_LOG verdicts, same range as -m.
132 if (atoi(optarg) <= 0 || atoi(optarg) >= 255)
134 cerr << "Packet mark for ALLOW_LOG is invalid (must be > 0 and < 255): " << atoi(optarg);
137 netherConfig.markAllowAndLog = atoi(optarg);
// -r / -i: iptables rules file and iptables-restore binary. Both are taken
// verbatim from the command line; whatever later runs iptables-restore is
// trusting these paths.
141 netherConfig.rulesPath = optarg;
145 netherConfig.iptablesRestorePath = optarg;
// Install the log backend. Each backend is allocated with `new` and handed to
// setLogBackend(); presumably Logger takes ownership — confirm, otherwise
// these leak. The last StderrBackend line is the fallback for unmatched values.
153 switch (netherConfig.logBackend)
156 logger::Logger::setLogBackend (new logger::StderrBackend(false));
159 logger::Logger::setLogBackend (new logger::SyslogBackend());
162 logger::Logger::setLogBackend (new logger::FileBackend(netherConfig.logBackendArgs));
164 #if defined(HAVE_SYSTEMD_JOURNAL)
166 logger::Logger::setLogBackend (new logger::SystemdJournalBackend());
170 logger::Logger::setLogBackend (new logger::StderrBackend(false));
// Debug dump of the effective configuration (includes backend arguments and
// paths, so it goes to whichever backend was just installed).
174 LOGD("NETHER OPTIONS:"
178 << " daemon=" << netherConfig.daemonMode
179 << " queue=" << netherConfig.queueNumber);
180 LOGD("primary-backend=" << backendTypeToString (netherConfig.primaryBackendType)
181 << " primary-backend-args=" << netherConfig.primaryBackendArgs);
182 LOGD("backup-backend=" << backendTypeToString (netherConfig.backupBackendType)
183 << " backup-backend-args=" << netherConfig.backupBackendArgs);
184 LOGD("default-verdict=" << verdictToString(netherConfig.defaultVerdict)
185 << " mark-deny=" << (int)netherConfig.markDeny
186 << " mark-allow-log=" << (int)netherConfig.markAllowAndLog);
187 LOGD("log-backend=" << logBackendTypeToString(netherConfig.logBackend)
188 << " log-backend-args=" << netherConfig.logBackendArgs);
189 LOGD("enable-audit=" << (netherConfig.enableAudit ? "yes" : "no")
190 << " rules-path=" << netherConfig.rulesPath);
191 LOGD("no-rules=" << (netherConfig.noRules ? "yes" : "no")
192 << " iptables-restore-path=" << netherConfig.iptablesRestorePath);
// Build the manager from the parsed config; a failed initialize() is logged
// (the exit path itself is not visible in this listing).
194 NetherManager manager (netherConfig);
196 if (!manager.initialize())
198 LOGE("NetherManager failed to initialize, exiting");
// Daemonize after initialization when -d was given; failure reports errno.
202 if (netherConfig.daemonMode)
206 LOGE("Failed to run as daemon: " << strerror(errno));
216 void showHelp(char *arg)
218 cout<< "Usage:\t"<< arg << " [OPTIONS]\n\n";
219 cout<< " -d,--daemon\t\t\t\tRun as daemon in the background (default:no)\n";
220 cout<< " -x,--no-rules\t\t\t\tDon't load iptables rules on start (default:no)\n";
221 cout<< " -l,--log=<backend>\t\t\tSet logging backend STDERR,SYSLOG";
222 #if defined(HAVE_SYSTEMD_JOURNAL)
223 cout << ",JOURNAL\n";
225 cout<< "(default:"<< logBackendTypeToString(NETHER_LOG_BACKEND) << ")\n";
226 cout<< " -L,--log-args=<arguments>\t\tSet logging backend arguments\n";
227 cout<< " -V,--verdict=<verdict>\t\tWhat verdict to cast when policy backend is not available\n\t\t\t\t\tACCEPT,ALLOW_LOG,DENY (default:"<<verdictToString(NETHER_DEFAULT_VERDICT)<<")\n";
228 cout<< " -p,--primary-backend=<module>\t\tPrimary policy backend\n\t\t\t\t\t";
229 #if defined(HAVE_CYNARA)
232 cout<< ",FILE,NONE (defualt:"<< backendTypeToString(NETHER_PRIMARY_BACKEND)<<")\n";
233 cout<< " -P,--primary-backend-args=<arguments>\tPrimary policy backend arguments\n";
234 cout<< " -b,--backup-backend=<module>\t\tBackup policy backend\n\t\t\t\t\t";
235 #if defined(HAVE_CYNARA)
238 cout<< ",FILE,NONE (defualt:"<< backendTypeToString(NETHER_BACKUP_BACKEND)<< ")\n";
239 cout<< " -B,--backup-backend-args=<arguments>\tBackup policy backend arguments (default:" << NETHER_POLICY_FILE << ")\n";
240 cout<< " -q,--queue-num=<queue number>\t\tNFQUEUE queue number to use for receiving packets\n";
241 cout<< " -m,--mark-deny=<mark>\t\t\tPacket mark to use for DENY verdicts (default:"<< NETLINK_DROP_MARK << ")\n";
242 cout<< " -M,--mark-allow-log=<mark>\t\tPacket mark to use for ALLOW_LOG verdicts (default:" << NETLINK_ALLOWLOG_MARK << ")\n";
243 #if defined(HAVE_AUDIT)
244 cout<< " -a,--enable-audit\t\t\tEnable the auditing subsystem (default: no)\n";
246 cout<< " -r,--rules-path=<path>\t\tPath to iptables rules file (default:" << NETHER_RULES_PATH << ")\n";
247 cout<< " -i,--iptables-restore-path=<path>\tPath to iptables-restore command (default:" << NETHER_IPTABLES_RESTORE_PATH << ")\n";
248 cout<< " -h,--help\t\t\t\tshow help information\n";