virtual const bool reload() { return (true); };
virtual const bool isValid() = 0;
virtual const int getDescriptor() { return (-1); }
- virtual const NetherDescriptorStatus getDescriptorStatus() { return (unknownStatus); }
+ virtual const NetherDescriptorStatus getDescriptorStatus() { return (NetherDescriptorStatus::unknownStatus); }
virtual const bool processEvents() = 0;
protected:
#include <errno.h>
#include <iostream>
#include <sstream>
-#include <unistd.h>
#include <memory>
+#include <cstdint>
#include <sys/types.h>
+#include <unistd.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#endif // HAVE_SYSTEMD_JOURNAL
#if defined(HAVE_CYNARA)
- #define NETHER_PRIMARY_BACKEND cynaraBackend
- #define NETHER_BACKUP_BACKEND fileBackend
+ #define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::cynaraBackend
+ #define NETHER_BACKUP_BACKEND NetherPolicyBackendType::fileBackend
#else
#define NETHER_PRIMARY_BACKEND fileBackend
#define NETHER_BACKUP_BACKEND dummyBackend
#endif // HAVE_CYNARA
-#define NETHER_DEFAULT_VERDICT allowAndLog
+#define NETHER_DEFAULT_VERDICT NetherVerdict::allowAndLog
#define NETHER_PACKET_BUFFER_SIZE 4096
#define NETHER_INVALID_UID (uid_t) -1
#define NETHER_INVALID_GID (gid_t) -1
#define NETHER_MAX_USER_LEN 32
#define NETLINK_DROP_MARK 3
#define NETLINK_ALLOWLOG_MARK 4
-#define NETHER_LOG_BACKEND stderrBackend
+#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
#ifndef NETHER_RULES_PATH
#define NETHER_RULES_PATH "/etc/nether/nether.rules"
#define NETHER_POLICY_FILE "/etc/nether/nether.policy"
#endif // NETHER_POLICY_FILE
-enum NetherPolicyBackendType
+enum class NetherPolicyBackendType : std::uint8_t
{
cynaraBackend,
fileBackend,
dummyBackend
};
-enum NetherLogBackendType
+enum class NetherLogBackendType : std::uint8_t
{
stderrBackend,
syslogBackend,
nullBackend
};
-enum NetherVerdict
+enum class NetherVerdict : std::uint8_t
{
allow,
allowAndLog,
noVerdictYet
};
-enum NetherDescriptorStatus
+enum class NetherDescriptorStatus : std::uint8_t
{
readOnly,
writeOnly,
unknownStatus
};
-enum NetherTransportType
+enum class NetherTransportType : std::uint8_t
{
TCP,
UDP,
unknownTransportType
};
-enum NetherProtocolType
+enum class NetherProtocolType : std::uint8_t
{
IPv4,
IPv6,
if (verdictAsString)
{
if (strncasecmp (verdictAsString, "allow_log", 9) == 0)
- return (allowAndLog);
+ return (NetherVerdict::allowAndLog);
if (strncasecmp (verdictAsString, "allow", 6) == 0)
- return (allow);
+ return (NetherVerdict::allow);
if (strncasecmp (verdictAsString, "deny", 4) == 0)
- return (deny);
+ return (NetherVerdict::deny);
}
- return (allowAndLog);
+ return (NetherVerdict::allowAndLog);
}
static const NetherPolicyBackendType stringToBackendType (char *backendAsString)
{
if (strcasecmp (backendAsString, "cynara") == 0)
- return (cynaraBackend);
+ return (NetherPolicyBackendType::cynaraBackend);
if (strcasecmp (backendAsString, "file") == 0)
- return (fileBackend);
+ return (NetherPolicyBackendType::fileBackend);
if (strcasecmp (backendAsString, "dummy") == 0)
- return (dummyBackend);
+ return (NetherPolicyBackendType::dummyBackend);
- return (dummyBackend);
+ return (NetherPolicyBackendType::dummyBackend);
}
static const NetherLogBackendType stringToLogBackendType(char *backendAsString)
{
if (strcasecmp (backendAsString, "stderr") == 0)
- return (stderrBackend);
+ return (NetherLogBackendType::stderrBackend);
if (strcasecmp (backendAsString, "syslog") == 0)
- return (syslogBackend);
+ return (NetherLogBackendType::syslogBackend);
if (strcasecmp (backendAsString, "journal") == 0)
- return (journalBackend);
+ return (NetherLogBackendType::journalBackend);
if (strcasecmp (backendAsString, "file") == 0)
- return (logfileBackend);
+ return (NetherLogBackendType::logfileBackend);
if (strcasecmp (backendAsString, "null") == 0)
- return (nullBackend);
+ return (NetherLogBackendType::nullBackend);
- return (nullBackend);
+ return (NetherLogBackendType::nullBackend);
}
static const std::string logBackendTypeToString(const NetherLogBackendType backendType)
{
switch (backendType)
{
- case stderrBackend:
+ case NetherLogBackendType::stderrBackend:
return ("stderr");
- case syslogBackend:
+ case NetherLogBackendType::syslogBackend:
return ("syslog");
- case journalBackend:
+ case NetherLogBackendType::journalBackend:
return ("journal");
- case logfileBackend:
+ case NetherLogBackendType::logfileBackend:
return ("file");
- case nullBackend:
+ case NetherLogBackendType::nullBackend:
return ("null");
}
return ("null");
{
switch (backendType)
{
- case cynaraBackend:
+ case NetherPolicyBackendType::cynaraBackend:
return ("cynara");
- case fileBackend:
+ case NetherPolicyBackendType::fileBackend:
return ("file");
- case dummyBackend:
+ case NetherPolicyBackendType::dummyBackend:
default:
return ("dummy");
}
{
switch (verdict)
{
- case allow:
+ case NetherVerdict::allow:
return ("ALLOW");
- case allowAndLog:
+ case NetherVerdict::allowAndLog:
return ("ALLOW_LOG");
- case deny:
+ case NetherVerdict::deny:
return ("DENY");
}
}
{
switch (transportType)
{
- case TCP:
+ case NetherTransportType::TCP:
return ("TCP");
- case UDP:
+ case NetherTransportType::UDP:
return ("UDP");
- case ICMP:
+ case NetherTransportType::ICMP:
return ("ICMP");
- case IGMP:
+ case NetherTransportType::IGMP:
return ("IGMP");
- case unknownTransportType:
+ case NetherTransportType::unknownTransportType:
default:
return ("UNKNOWN");
}
{
switch (protocolType)
{
- case IPv4:
+ case NetherProtocolType::IPv4:
return ("IPv4");
- case IPv6:
+ case NetherProtocolType::IPv6:
return ("IPv6");
default:
return ("UNKNOWN");
NetherCynaraBackend *backend = static_cast<NetherCynaraBackend *>(data);
if (status == CYNARA_STATUS_FOR_READ)
- backend->setCynaraDescriptor(newFd, readOnly);
+ backend->setCynaraDescriptor(newFd, NetherDescriptorStatus::readOnly);
if (status == CYNARA_STATUS_FOR_RW)
- backend->setCynaraDescriptor(newFd, readWrite);
+ backend->setCynaraDescriptor(newFd, NetherDescriptorStatus::readWrite);
}
void NetherCynaraBackend::checkCallback(cynara_check_id check_id,
{
case CYNARA_API_ACCESS_ALLOWED:
LOGD(cynaraErrorCodeToString(cynaraLastResult).c_str());
- return (castVerdict(packet, allow));
+ return (castVerdict(packet, NetherVerdict::allow));
case CYNARA_API_ACCESS_DENIED:
LOGD(cynaraErrorCodeToString(cynaraLastResult).c_str());
- return (castVerdict(packet, deny));
+ return (castVerdict(packet, NetherVerdict::deny));
case CYNARA_API_CACHE_MISS:
cynaraLastResult = cynara_async_create_request(cynaraContext,
responseQueue[checkId] = -1;
if (cynaraResult == CYNARA_API_ACCESS_ALLOWED)
- castVerdict (packetId, allow);
+ castVerdict (packetId, NetherVerdict::allow);
else
- castVerdict (packetId, deny);
+ castVerdict (packetId, NetherVerdict::deny);
return;
}
}
switch (netherConfig.logBackend)
{
- case stderrBackend:
+ case NetherLogBackendType::stderrBackend:
logger::Logger::setLogBackend (new logger::StderrBackend(false));
break;
- case syslogBackend:
+ case NetherLogBackendType::syslogBackend:
logger::Logger::setLogBackend (new logger::SyslogBackend());
break;
- case logfileBackend:
+ case NetherLogBackendType::logfileBackend:
logger::Logger::setLogBackend (new logger::FileBackend(netherConfig.logBackendArgs));
break;
#if defined(HAVE_SYSTEMD_JOURNAL)
- case journalBackend:
+ case NetherLogBackendType::journalBackend:
logger::Logger::setLogBackend (new logger::SystemdJournalBackend());
break;
#endif
if ((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) >= 0)
{
- if (netherPrimaryPolicyBackend->getDescriptorStatus() == readOnly)
+ if (netherPrimaryPolicyBackend->getDescriptorStatus() == NetherDescriptorStatus::readOnly)
{
FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
}
- else if (netherPrimaryPolicyBackend->getDescriptorStatus() == readWrite)
+ else if (netherPrimaryPolicyBackend->getDescriptorStatus() == NetherDescriptorStatus::readWrite)
{
FD_SET(backendDescriptor, &watchedReadDescriptorsSet);
FD_SET(backendDescriptor, &watchedWriteDescriptorsSet);
{
switch (primary ? netherConfig.primaryBackendType : netherConfig.backupBackendType)
{
- case cynaraBackend:
+ case NetherPolicyBackendType::cynaraBackend:
#ifdef HAVE_CYNARA
return new NetherCynaraBackend(netherConfig);
#else
return new NetherDummyBackend(netherConfig);
#endif
- case fileBackend:
+ case NetherPolicyBackendType::fileBackend:
return new NetherFileBackend(netherConfig);
- case dummyBackend:
+ case NetherPolicyBackendType::dummyBackend:
default:
return new NetherDummyBackend(netherConfig);
}
int ret = 0;
LOGD("id=" << packetId << " verdict=" << verdictToString(verdict));
- if (verdict == allow)
+ if (verdict == NetherVerdict::allow)
ret = nfq_set_verdict (queueHandle, packetId, NF_ACCEPT, 0, NULL);
- if (verdict == deny)
+ if (verdict == NetherVerdict::deny)
ret = nfq_set_verdict2 (queueHandle, packetId, NF_ACCEPT, netherConfig.markDeny, 0, NULL);
- if (verdict == allowAndLog)
+ if (verdict == NetherVerdict::allowAndLog)
ret = nfq_set_verdict2 (queueHandle, packetId, NF_ACCEPT, netherConfig.markAllowAndLog, 0, NULL);
if (ret == -1)
switch(ipVersion)
{
case 4:
- packet.protocolType = IPv4;
+ packet.protocolType = NetherProtocolType::IPv4;
decodeIPv4Packet(packet, payload);
break;
case 6:
- packet.protocolType = IPv6;
+ packet.protocolType = NetherProtocolType::IPv6;
decodeIPv6Packet(packet, payload);
break;
default:
- packet.transportType = unknownTransportType;
- packet.protocolType = unknownProtocolType;
+ packet.transportType = NetherTransportType::unknownTransportType;
+ packet.protocolType = NetherProtocolType::unknownProtocolType;
break;
}
}
switch(nextProto)
{
case IP_PROTOCOL_UDP:
- packet.transportType = UDP;
+ packet.transportType = NetherTransportType::UDP;
decodeUdp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_TCP:
- packet.transportType = TCP;
+ packet.transportType = NetherTransportType::TCP;
decodeTcp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_ICMP:
- packet.transportType = ICMP;
+ packet.transportType = NetherTransportType::ICMP;
break;
case IP_PROTOCOL_IGMP:
- packet.transportType = IGMP;
+ packet.transportType = NetherTransportType::IGMP;
break;
default:
- packet.transportType = unknownTransportType;
+ packet.transportType = NetherTransportType::unknownTransportType;
break;
}
}
switch(nextProto)
{
case IP_PROTOCOL_UDP:
- packet.transportType = UDP;
+ packet.transportType = NetherTransportType::UDP;
decodeUdp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_TCP:
- packet.transportType = TCP;
+ packet.transportType = NetherTransportType::TCP;
decodeTcp(packet, &payload[startOfIpPayload]);
break;
case IP_PROTOCOL_ICMP:
- packet.transportType = ICMP;
+ packet.transportType = NetherTransportType::ICMP;
break;
case IP_PROTOCOL_IGMP:
- packet.transportType = IGMP;
+ packet.transportType = NetherTransportType::IGMP;
default:
- packet.transportType = unknownTransportType;
+ packet.transportType = NetherTransportType::unknownTransportType;
break;
}
}
{
switch(type)
{
- case IPv4:
+ case NetherProtocolType::IPv4:
return (stringFormat("%u.%u.%u.%u", src[0]&0xff,src[1]&0xff,src[2]&0xff,src[3]&0xff));
- case IPv6:
+ case NetherProtocolType::IPv6:
return (stringFormat("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x",
ntohs(*(uint16_t*) &src[0]), ntohs(*(uint16_t*) &src[2]),
ntohs(*(uint16_t*) &src[4]), ntohs(*(uint16_t*) &src[6]),
projects / platform / core / security / nether.git / commitdiff