From: RomanKubiak Date: Tue, 4 Aug 2015 12:39:48 +0000 (+0200) Subject: Packet copying is now optional. X-Git-Tag: submit/tizen/20151110.144250~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=77d284df0a8ddad7f45ae032a60f6bac137bff1f;p=platform%2Fcore%2Fsecurity%2Fnether.git Packet copying is now optional. We need to copy packets to userspace to get TCP/IP information (address, port, protocol) This has been made optional now. Change-Id: Ic753a8ecacdf460b2587f65457a80e1da9bb21a6
---
diff --git a/include/nether_Types.h b/include/nether_Types.h
index 146b62b..519f21c 100644
--- a/include/nether_Types.h
+++ b/include/nether_Types.h
@@ -65,33 +65,41 @@
 #endif // HAVE_SYSTEMD_JOURNAL
 #if defined(HAVE_CYNARA)
-#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::cynaraBackend
-#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::fileBackend
+#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::cynaraBackend
+#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::fileBackend
 #else
-#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::fileBackend
-#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::dummyBackend
+#define NETHER_PRIMARY_BACKEND NetherPolicyBackendType::fileBackend
+#define NETHER_BACKUP_BACKEND NetherPolicyBackendType::dummyBackend
 #endif // HAVE_CYNARA
-#define NETHER_DEFAULT_VERDICT NetherVerdict::allowAndLog
-#define NETHER_PACKET_BUFFER_SIZE 4096
-#define NETHER_INVALID_UID (uid_t) -1
-#define NETHER_INVALID_GID (gid_t) -1
-#define NETHER_NETWORK_ADDR_LEN 16 /* enough to hold ipv4 and ipv6 */
-#define NETHER_NETWORK_IPV4_ADDR_LEN 4
-#define NETHER_NETWORK_IPV6_ADDR_LEN 16
-#define NETHER_MAX_USER_LEN 32
-#define NETLINK_DROP_MARK 3
-#define NETLINK_ALLOWLOG_MARK 4
-#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
-#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
+#if defined(COPY_PACKETS)
+#define NETLINK_COPY_PACKETS 1
+#else
+#define NETLINK_COPY_PACKETS 0
+#endif // COPY_PACKETS
+
 #ifndef NETHER_RULES_PATH
-#define NETHER_RULES_PATH "/etc/nether/nether.rules"
+#define NETHER_RULES_PATH "/etc/nether/nether.rules"
 #endif // NETHER_RULES_PATH
 #ifndef NETHER_POLICY_FILE
-#define NETHER_POLICY_FILE "/etc/nether/nether.policy"
+#define NETHER_POLICY_FILE "/etc/nether/nether.policy"
 #endif // NETHER_POLICY_FILE
+
+#define NETHER_DEFAULT_VERDICT NetherVerdict::allowAndLog
+#define NETHER_PACKET_BUFFER_SIZE 4096
+#define NETHER_INVALID_UID (uid_t) -1
+#define NETHER_INVALID_GID (gid_t) -1
+#define NETHER_NETWORK_ADDR_LEN 16 /* enough to hold ipv4 and ipv6 */
+#define NETHER_NETWORK_IPV4_ADDR_LEN 4
+#define NETHER_NETWORK_IPV6_ADDR_LEN 16
+#define NETHER_MAX_USER_LEN 32
+#define NETLINK_DROP_MARK 3
+#define NETLINK_ALLOWLOG_MARK 4
+#define NETHER_LOG_BACKEND NetherLogBackendType::stderrBackend
+#define NETHER_IPTABLES_RESTORE_PATH "/usr/sbin/iptables-restore"
+
 enum class NetherPolicyBackendType : std::uint8_t
 {
 cynaraBackend,
@@ -158,24 +166,25 @@ struct NetherPacket
 struct NetherConfig
 {
- NetherVerdict defaultVerdict = NETHER_DEFAULT_VERDICT;
- NetherPolicyBackendType primaryBackendType = NETHER_PRIMARY_BACKEND;
- NetherPolicyBackendType backupBackendType = NETHER_BACKUP_BACKEND;
- NetherLogBackendType logBackend = NETHER_LOG_BACKEND;
- uint8_t markDeny = NETLINK_DROP_MARK;
- uint8_t markAllowAndLog = NETLINK_ALLOWLOG_MARK;
- int primaryBackendRetries = 3;
- int backupBackendRetries = 3;
- int debugMode = 0;
- int daemonMode = 0;
- int queueNumber = 0;
- int enableAudit = 0;
- int noRules = 0;
- std::string backupBackendArgs = NETHER_POLICY_FILE;
+ NetherVerdict defaultVerdict = NETHER_DEFAULT_VERDICT;
+ NetherPolicyBackendType primaryBackendType = NETHER_PRIMARY_BACKEND;
+ NetherPolicyBackendType backupBackendType = NETHER_BACKUP_BACKEND;
+ NetherLogBackendType logBackend = NETHER_LOG_BACKEND;
+ uint8_t markDeny = NETLINK_DROP_MARK;
+ uint8_t markAllowAndLog = NETLINK_ALLOWLOG_MARK;
+ int primaryBackendRetries = 3;
+ int backupBackendRetries = 3;
+ int debugMode = 0;
+ int daemonMode = 0;
+ int queueNumber = 0;
+ int enableAudit = 0;
+ int noRules = 0;
+ int copyPackets = NETLINK_COPY_PACKETS;
+ std::string backupBackendArgs = NETHER_POLICY_FILE;
 std::string primaryBackendArgs;
 std::string logBackendArgs;
- std::string rulesPath = NETHER_RULES_PATH;
- std::string iptablesRestorePath = NETHER_IPTABLES_RESTORE_PATH;
+ std::string rulesPath = NETHER_RULES_PATH;
+ std::string iptablesRestorePath = NETHER_IPTABLES_RESTORE_PATH;
 };
 class NetherVerdictListener
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 54cc564..634c635 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
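Review bot: The new default is gated on `#if defined(COPY_PACKETS)`, but the src/CMakeLists.txt hunk in this same commit passes `-DNETLINK_COPY_PACKETS=1`, never `COPY_PACKETS`, so the build option can never reach this branch; worse, with that flag on the command line the `#else` path re-defines `NETLINK_COPY_PACKETS` as 0, which is a macro redefinition (GCC/Clang warn and the header's 0 takes effect), leaving full-packet copy silently off unless `-c` is given at runtime. Either have CMake pass `-DCOPY_PACKETS=1`, or let the build flag win by replacing the five-line block with `#ifndef NETLINK_COPY_PACKETS` / `#define NETLINK_COPY_PACKETS 0` / `#endif // NETLINK_COPY_PACKETS`. The CMakeLists.txt hunk is the other half of this mismatch and needs the matching change.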
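Review bot: The only substantive line in the NetherConfig hunk, `int copyPackets = NETLINK_COPY_PACKETS;`, carries no comment, and the rest of the hunk is whitespace realignment, so a reader has to find src/nether_Netlink.cpp to learn what the value selects. Suggest `int copyPackets = NETLINK_COPY_PACKETS; // non-zero: queue in NFQNL_COPY_PACKET mode (payload to userspace); zero: NFQNL_COPY_META` so the flag documents its effect at the point it is configured.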
@@ -61,6 +61,10 @@ IF (Boost_FOUND)
 ADD_DEFINITIONS (-DHAVE_BOOST=1)
 ENDIF ()
+IF (COPY_PACKETS)
+ ADD_DEFINITIONS (-DNETLINK_COPY_PACKETS=1)
+ENDIF ()
+
 INCLUDE_DIRECTORIES(../include
 ${CYNARA_INCLUDE_DIRS}
 ${NETFILTER_INCLUDE_DIRS}
diff --git a/src/nether_Main.cpp b/src/nether_Main.cpp
index d5883e9..13d29b1 100644
--- a/src/nether_Main.cpp
+++ b/src/nether_Main.cpp
@@ -42,6 +42,7 @@ int main(int argc, char *argv[])
 #endif
 {"daemon", no_argument, &netherConfig.daemonMode, 0},
 {"no-rules", no_argument, &netherConfig.noRules, 0},
+ {"copy-packets", no_argument, &netherConfig.copyPackets, 0},
 {"log", required_argument, 0, 'l'},
 {"log-args", required_argument, 0, 'L'},
 {"default-verdict", required_argument, 0, 'V'},
@@ -60,7 +61,7 @@ int main(int argc, char *argv[])
 while(1)
 {
- c = getopt_long(argc, argv, ":daxl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
+ c = getopt_long(argc, argv, ":daxcl:L:V:p:P:b:B:q:m:M:a:r:i:h", longOptions, &optionIndex);
 if(c == -1)
 break;
@@ -73,10 +74,15 @@ int main(int argc, char *argv[])
 case 'd':
 netherConfig.daemonMode = 1;
 break;
+
 case 'x':
 netherConfig.noRules = 1;
 break;
+ case 'c':
+ netherConfig.copyPackets = 1;
+ break;
+
 #if defined(HAVE_AUDIT)
 case 'a':
 netherConfig.enableAudit = 1;
@@ -218,6 +224,7 @@ void showHelp(char *arg)
 cout<< "Usage:\t"<< arg << " [OPTIONS]\n\n";
 cout<< " -d,--daemon\t\t\t\tRun as daemon in the background (default:no)\n";
 cout<< " -x,--no-rules\t\t\t\tDon't load iptables rules on start (default:no)\n";
+ cout<< " -c,--copy-packets\t\t\tCopy entire packets, needed to read TCP/IP information (default:no)\n";
 cout<< " -l,--log=\t\t\tSet logging backend STDERR,SYSLOG";
 #if defined(HAVE_SYSTEMD_JOURNAL)
 cout << ",JOURNAL\n";
diff --git a/src/nether_Netlink.cpp b/src/nether_Netlink.cpp
index c0a9994..1f5084c 100644
--- a/src/nether_Netlink.cpp
+++ b/src/nether_Netlink.cpp
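Review bot: The new longOptions entry `{"copy-packets", no_argument, &netherConfig.copyPackets, 0}` gives getopt_long a non-null `flag` with `val` 0, so `--copy-packets` stores 0 into copyPackets and returns 0 instead of 'c'; unless a `case 0:` branch outside these hunks re-maps the option via `optionIndex`, the long spelling clears the flag (and, when the build defaulted it to 1, turns copying off) while `-c` sets it to 1. Route it like the value-carrying options so both spellings hit the new `case 'c':`, i.e. `{"copy-packets", no_argument, 0, 'c'},`. The pre-existing `daemon` and `no-rules` entries have the same shape; whether they work depends on code not visible here, so it is worth checking all three together. main() begins and ends outside these hunks.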
@@ -68,7 +68,7 @@ bool NetherNetlink::initialize()
 if(nfq_set_queue_flags(queueHandle, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX))
 LOGI("This kernel version does not allow to retrieve security context");
- if(nfq_set_mode(queueHandle, NFQNL_COPY_META, 0xffff) < 0)
+ if(nfq_set_mode(queueHandle, netherConfig.copyPackets ? NFQNL_COPY_PACKET : NFQNL_COPY_META, 0xffff) < 0)
 {
 LOGE("Can't set packet_copy mode");
 nfq_destroy_queue(queueHandle);
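Review bot: With copyPackets set the queue now asks the kernel for up to `0xffff` bytes of every packet, while NETHER_PACKET_BUFFER_SIZE in include/nether_Types.h is 4096; if that constant sizes the buffer the netlink messages are received into (the receive path is not in this hunk), packets larger than it will be truncated or fail on receive instead of being verdicted, which is a new failure mode that NFQNL_COPY_META never had because the range is ignored in meta-only mode. Tie the two together, e.g. `if(nfq_set_mode(queueHandle, netherConfig.copyPackets ? NFQNL_COPY_PACKET : NFQNL_COPY_META, NETHER_PACKET_BUFFER_SIZE) < 0)`, or size the receive buffer to the requested range. The body of NetherNetlink::initialize() continues outside the hunk.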