#define NETHER_MAX_USER_LEN 32
#define NETLINK_DROP_MARK 3
#define NETLINK_ALLOWLOG_MARK 4
+#define NETLINK_QUEUE_NUM 0
#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
int backupBackendRetries = 3;
int debugMode = 0;
int daemonMode = 0;
- int queueNumber = 0;
+ int queueNumber = NETLINK_QUEUE_NUM;
int enableAudit = 0;
int noRules = 0;
int copyPackets = NETLINK_COPY_PACKETS;
+ int relaxed = 0;
int interfaceInfo = NETLINK_INTERFACE_INFO;
std::string backupBackendArgs = NETHER_POLICY_FILE;
std::string rulesPath = NETHER_RULES_PATH;
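Review bot: The new `relaxed` field is added without a comment, although it is the one knob that turns DENY verdicts into accepted-and-logged packets elsewhere in this commit; a reader of the config struct cannot tell that from `int relaxed = 0;`. Suggest `int relaxed = 0; /* 1: DENY verdicts are downgraded to ACCEPT with the allow-log mark; policy is logged, not enforced */`. The enclosing struct definition starts before this hunk.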
{"no-rules", no_argument, &netherConfig.noRules, 0},
{"copy-packets", no_argument, &netherConfig.copyPackets, 0},
{"interface-info", no_argument, &netherConfig.interfaceInfo, 0},
+ {"relaxed", no_argument, &netherConfig.relaxed, 0},
{"log", required_argument, 0, 'l'},
{"log-args", required_argument, 0, 'L'},
{"default-verdict", required_argument, 0, 'V'},
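Review bot: With a non-null `flag` pointer, getopt_long stores `val` into `*flag` and returns 0, and the new entry passes `val = 0`, so `--relaxed` on its own would leave `netherConfig.relaxed` at 0 unless the option loop handles the 0 return by `optionIndex` (that code is not in this hunk). The existing no-argument entries follow the same pattern, so it may be handled, but it is worth confirming; the simplest form that shares the `-R` handling added in this commit is `{"relaxed", no_argument, 0, 'R'},`. The option table starts before this hunk.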
while(1)
{
- c = getopt_long(argc, argv, ":daxcIl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
+ c = getopt_long(argc, argv, ":daxcIRl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
if(c == -1)
break;
netherConfig.enableAudit = 1;
break;
#endif
+ case 'R':
+ netherConfig.relaxed = 1;
+ break;
+
case 'l':
netherConfig.logBackend = stringToLogBackendType(optarg);
break;
<< " iptables-restore-path=" << netherConfig.iptablesRestorePath);
LOGD("interface-info=" << (netherConfig.interfaceInfo ? "yes" : "no")
<< " copy-packets=" << (netherConfig.copyPackets ? "yes" : "no"));
+ LOGD("relaxed=" << (netherConfig.relaxed ? "yes" : "no"));
NetherManager manager(netherConfig);
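Review bot: The only record that relaxed mode is active is this `LOGD`, which in a non-debug run leaves no trace that DENY verdicts are not being enforced. If the logging macros provide a level that is emitted without `debugMode`, log the relaxed state there as well, and make the message say what it means, e.g. `LOGD("relaxed=" << (netherConfig.relaxed ? "yes (DENY verdicts are accepted and logged only)" : "no"));`. The enclosing function starts before this hunk.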
cout<< " -x,--no-rules\t\t\t\tDon't load iptables rules on start (default:no)\n";
cout<< " -c,--copy-packets\t\t\tCopy entire packets, needed to read TCP/IP information (default:no)\n";
cout<< " -I,--interface-info\t\t\tGet interface info for every packet (default:no)\n";
+ cout<< " -R,--relaxed\t\t\t\tRun in relaxed mode, instrad of deny do ACCEPT_LOG(default:no)\n";
cout<< " -l,--log=<backend>\t\t\tSet logging backend STDERR,SYSLOG";
#if defined(HAVE_SYSTEMD_JOURNAL)
cout << ",JOURNAL\n";
#endif
cout<< ",FILE,NONE (defualt:"<< backendTypeToString(NETHER_BACKUP_BACKEND)<< ")\n";
cout<< " -B,--backup-backend-args=<arguments>\tBackup policy backend arguments (default:" << NETHER_POLICY_FILE << ")\n";
- cout<< " -q,--queue-num=<queue number>\t\tNFQUEUE queue number to use for receiving packets\n";
+ cout<< " -q,--queue-num=<queue number>\t\tNFQUEUE queue number to use for receiving packets (default:" << NETLINK_QUEUE_NUM << ")\n";
cout<< " -m,--mark-deny=<mark>\t\t\tPacket mark to use for DENY verdicts (default:"<< NETLINK_DROP_MARK << ")\n";
cout<< " -M,--mark-allow-log=<mark>\t\tPacket mark to use for ALLOW_LOG verdicts (default:" << NETLINK_ALLOWLOG_MARK << ")\n";
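Review bot: The new usage line has a typo ("instrad") and names the verdict `ACCEPT_LOG`, while the `-M` line directly below calls the same verdict `ALLOW_LOG` and the code uses `markAllowAndLog`; the help text should use one name. Suggest `cout<< " -R,--relaxed\t\t\t\tRun in relaxed mode: apply ALLOW_LOG instead of DENY (default:no)\n";`. The usage function starts before and ends after this hunk.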
#if defined(HAVE_AUDIT)
if(verdict == NetherVerdict::allow)
ret = nfq_set_verdict(queueHandle, packetId, NF_ACCEPT, 0, NULL);
+
if(verdict == NetherVerdict::deny)
- ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, netherConfig.markDeny, 0, NULL);
+ ret = nfq_set_verdict2(queueHandle,
+ packetId,
+ NF_ACCEPT,
+ /* if we're relaxed, let's not stress out */
+ netherConfig.relaxed ? netherConfig.markAllowAndLog : netherConfig.markDeny,
+ 0,
+ NULL);
+
if(verdict == NetherVerdict::allowAndLog)
ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, netherConfig.markAllowAndLog, 0, NULL);
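Review bot: The comment on the new mark argument (`/* if we're relaxed, let's not stress out */`) does not state the effect of the change, which is that in relaxed mode a DENY verdict is still accepted (`NF_ACCEPT`) and only marked with `markAllowAndLog`, i.e. the policy decision is logged but not enforced. Replace it with a comment that says so, e.g. `/* relaxed mode: DENY is downgraded to ACCEPT with the allow-log mark; the verdict is logged, not enforced */`, so that anyone reading the verdict path sees the enforcement gap. Whether the HAVE_AUDIT path still records the original DENY in relaxed mode is not visible here and is worth checking. The enclosing function starts before and ends after this hunk.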