#endif // HAVE_SYSTEMD_JOURNAL
#if defined(HAVE_CYNARA)
-#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::cynaraBackend
-#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::fileBackend
+#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::cynaraBackend
+#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::fileBackend
#else
-#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::fileBackend
-#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::dummyBackend
+#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::fileBackend
+#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::dummyBackend
#endif // HAVE_CYNARA
-#define NETHER_DEFAULT_VERDICT NetherVerdict::allowAndLog
-#define NETHER_PACKET_BUFFER_SIZE 4096
-#define NETHER_INVALID_UID (uid_t) -1
-#define NETHER_INVALID_GID (gid_t) -1
-#define NETHER_NETWORK_ADDR_LEN 16 /* enough to hold ipv4 and ipv6 */
-#define NETHER_NETWORK_IPV4_ADDR_LEN 4
-#define NETHER_NETWORK_IPV6_ADDR_LEN 16
-#define NETHER_MAX_USER_LEN 32
-#define NETLINK_DROP_MARK 3
-#define NETLINK_ALLOWLOG_MARK 4
-#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
-#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
+#if defined(COPY_PACKETS)
+#define NETLINK_COPY_PACKETS 1
+#else
+#define NETLINK_COPY_PACKETS 0
+#endif // COPY_PACKETS
+
#ifndef NETHER_RULES_PATH
-#define NETHER_RULES_PATH "/etc/nether/nether.rules"
+#define NETHER_RULES_PATH "/etc/nether/nether.rules"
#endif // NETHER_RULES_PATH
#ifndef NETHER_POLICY_FILE
-#define NETHER_POLICY_FILE "/etc/nether/nether.policy"
+#define NETHER_POLICY_FILE "/etc/nether/nether.policy"
#endif // NETHER_POLICY_FILE
+
+#define NETHER_DEFAULT_VERDICT NetherVerdict::allowAndLog
+#define NETHER_PACKET_BUFFER_SIZE 4096
+#define NETHER_INVALID_UID (uid_t) -1
+#define NETHER_INVALID_GID (gid_t) -1
+#define NETHER_NETWORK_ADDR_LEN 16 /* enough to hold ipv4 and ipv6 */
+#define NETHER_NETWORK_IPV4_ADDR_LEN 4
+#define NETHER_NETWORK_IPV6_ADDR_LEN 16
+#define NETHER_MAX_USER_LEN 32
+#define NETLINK_DROP_MARK 3
+#define NETLINK_ALLOWLOG_MARK 4
+#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
+#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
+
enum class NetherPolicyBackendType : std::uint8_t
{
cynaraBackend,
struct NetherConfig
{
- NetherVerdict defaultVerdict = NETHER_DEFAULT_VERDICT;
- NetherPolicyBackendType primaryBackendType = NETHER_PRIMARY_BACKEND;
- NetherPolicyBackendType backupBackendType = NETHER_BACKUP_BACKEND;
- NetherLogBackendType logBackend = NETHER_LOG_BACKEND;
- uint8_t markDeny = NETLINK_DROP_MARK;
- uint8_t markAllowAndLog = NETLINK_ALLOWLOG_MARK;
- int primaryBackendRetries = 3;
- int backupBackendRetries = 3;
- int debugMode = 0;
- int daemonMode = 0;
- int queueNumber = 0;
- int enableAudit = 0;
- int noRules = 0;
- std::string backupBackendArgs = NETHER_POLICY_FILE;
+ NetherVerdict defaultVerdict = NETHER_DEFAULT_VERDICT;
+ NetherPolicyBackendType primaryBackendType = NETHER_PRIMARY_BACKEND;
+ NetherPolicyBackendType backupBackendType = NETHER_BACKUP_BACKEND;
+ NetherLogBackendType logBackend = NETHER_LOG_BACKEND;
+ uint8_t markDeny = NETLINK_DROP_MARK;
+ uint8_t markAllowAndLog = NETLINK_ALLOWLOG_MARK;
+ int primaryBackendRetries = 3;
+ int backupBackendRetries = 3;
+ int debugMode = 0;
+ int daemonMode = 0;
+ int queueNumber = 0;
+ int enableAudit = 0;
+ int noRules = 0;
+ int copyPackets = NETLINK_COPY_PACKETS;
+ std::string backupBackendArgs = NETHER_POLICY_FILE;
std::string primaryBackendArgs;
std::string logBackendArgs;
- std::string rulesPath = NETHER_RULES_PATH;
- std::string iptablesRestorePath = NETHER_IPTABLES_RESTORE_PATH;
+ std::string rulesPath = NETHER_RULES_PATH;
+ std::string iptablesRestorePath = NETHER_IPTABLES_RESTORE_PATH;
};
class NetherVerdictListener
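Review bot: `int copyPackets = NETLINK_COPY_PACKETS;` is the one genuinely new line in this hunk (the rest is re-indentation) and it should say why it is an `int` rather than a `bool`: the commit hands `&netherConfig.copyPackets` to getopt_long as a long-option flag target, which requires an `int*`. Suggest `int copyPackets = NETLINK_COPY_PACKETS; // int, not bool: getopt_long writes through an int* flag pointer`. It would also help the reader to note in that comment that the default is fixed at build time by `COPY_PACKETS` and that `-c` overrides it at runtime, since `NETLINK_COPY_PACKETS` is defined in another part of this commit.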
#endif
{"daemon", no_argument, &netherConfig.daemonMode, 0},
{"no-rules", no_argument, &netherConfig.noRules, 0},
+ {"copy-packets", no_argument, &netherConfig.copyPackets, 0},
{"log", required_argument, 0, 'l'},
{"log-args", required_argument, 0, 'L'},
{"default-verdict", required_argument, 0, 'V'},
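Review bot: `{"copy-packets", no_argument, &netherConfig.copyPackets, 0}` stores the `val` field, 0, into `copyPackets` when `--copy-packets` is given, because getopt_long writes `val` through `flag` and returns 0 rather than `'c'`; that leaves the flag at its default, or actively clears it when `COPY_PACKETS` was defined at build time. Unless a `case 0:` branch outside this hunk re-reads the option via `optionIndex`, the long form is therefore not equivalent to `-c`. The entry copies the existing `daemon` and `no-rules` pattern, so either those share the same issue or such a handler exists; worth confirming. If no handler exists, `{"copy-packets", no_argument, 0, 'c'},` routes the long form through the same `case 'c'` as the short option.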
while(1)
{
- c = getopt_long(argc, argv, ":daxl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
+ c = getopt_long(argc, argv, ":daxcl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
if(c == -1)
break;
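Review bot: The rewritten optstring `":daxcl:L:V:p:P:b:B:q:m:M:a:r:i:h"` lists `a` twice, once without a colon inside `dax` and again as `a:` near the end; getopt uses the first occurrence, so `-a` takes no argument and the trailing `a:` is dead. This is pre-existing, but the line is being edited anyway and the `case 'a'` handler in this commit only sets `enableAudit = 1`, so dropping the stray `a:` here would remove a misleading declaration unless some other `a`-taking option exists outside the diff. The new `c` is correctly added without a colon, matching the `no_argument` long option. The enclosing `while(1)` loop continues outside the hunk.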
case 'd':
netherConfig.daemonMode = 1;
break;
+
case 'x':
netherConfig.noRules = 1;
break;
+ case 'c':
+ netherConfig.copyPackets = 1;
+ break;
+
#if defined(HAVE_AUDIT)
case 'a':
netherConfig.enableAudit = 1;
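Review bot: `case 'c'` only flips `copyPackets`; nothing in the commit shows how the receive path copes once whole packets are delivered, while `NETHER_PACKET_BUFFER_SIZE` stays at 4096 in the same change. If copy mode hands over full payloads, frames larger than that buffer will be truncated or rejected at the netlink read, and the TCP/IP header parsing this option exists to enable then runs over untrusted network bytes, so the reader should bound-check each header against the received length before use; that code is outside this diff and needs confirming. A pointer at the case, `// whole-packet copy mode; coupled to NETHER_PACKET_BUFFER_SIZE and the queue read path`, would make the dependency visible. The enclosing `switch` starts and ends outside the hunk.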
cout<< "Usage:\t"<< arg << " [OPTIONS]\n\n";
cout<< " -d,--daemon\t\t\t\tRun as daemon in the background (default:no)\n";
cout<< " -x,--no-rules\t\t\t\tDon't load iptables rules on start (default:no)\n";
+ cout<< " -c,--copy-packets\t\t\tCopy entire packets, needed to read TCP/IP information (default:no)\n";
cout<< " -l,--log=<backend>\t\t\tSet logging backend STDERR,SYSLOG";
#if defined(HAVE_SYSTEMD_JOURNAL)
cout << ",JOURNAL\n";