Rc add zfw calls #1000
Conversation
…opt/openziti/bin directly vs pointing at symbolic link in /usr/sbn
…ent service so zfw can then remove the link route
…d rules and dns range rules if running in -f, --diverterFw mode
…er or firewall mode/interfaces via environmental variables
… to diverterIf now that it is a list of interfaces
…pt/openziti/bin via ZFW_OBJECT_PATH env var
… driver call backs rather than direct ip route system call
… conflict no longer exists
unsigned char count = 0; | ||
int rndm; | ||
uv_random(NULL, NULL, &rndm, sizeof(rndm), 0, NULL); | ||
random_port = htons(1024 + rndm % (65535 - 1023)); |
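Review bot: `rndm` is a signed `int`, and C's `%` keeps the sign of the dividend, so whenever `uv_random` fills it with a value whose top bit is set, `1024 + rndm % (65535 - 1023)` is negative (as low as -63487) and the resulting port lands outside 1024..65535 after truncation. Declare it `unsigned int` (or `uint32_t`) so the modulo result is non-negative, and check the return value of `uv_random`: with a NULL callback it runs synchronously and returns a negative error code on failure, in which case `rndm` is left uninitialised. As already raised, the `htons` is unnecessary for a value that only becomes a local command-line option; `unsigned char count = 0;` is also not used in the lines shown.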
Is htons (network byte order) really needed here? I could see it if the port value was going into a packet that gets put on the wire and received by hosts of any architecture, but I think we're just passing a command line option to a local process?
No it's not. I had copied this function over from where I needed to pass it directly to an eBPF map key which stores the port in network order, but here it can be in host order, so the htons can be omitted.
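The point in this thread (host order for a local argument, network order for an eBPF map key) together with the signed-modulo pitfall in the snippet above, as an added example that is not zfw's code. It uses getrandom(2) instead of libuv's uv_random() so it stands alone; the function names and the 1024..65535 range are this example's own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>
#include <sys/types.h>

/* Map a raw 32-bit random value onto 1024..65535 with unsigned
 * arithmetic, so the result can never drop below 1024. */
uint16_t ephemeral_port_from(uint32_t raw)
{
    return (uint16_t)(1024u + raw % (65535u - 1023u));
}

/* The same expression with a signed dividend, as in the snippet above:
 * C's % keeps the sign of the dividend, so a negative rndm gives a value
 * below 1024 (e.g. -1 -> 1023). Shown only to make the defect visible. */
int legacy_port_from(int rndm)
{
    return 1024 + rndm % (65535 - 1023);
}

/* Pick a random ephemeral port. getrandom(2) replaces uv_random() here
 * (example choice). Returns 0 on success, -1 on failure; the caller must
 * check, because on failure *out is not written. */
int random_ephemeral_port(uint16_t *out)
{
    uint32_t raw;
    if (getrandom(&raw, sizeof raw, 0) != (ssize_t)sizeof raw)
        return -1;
    *out = ephemeral_port_from(raw);
    return 0;
}

/* Host order rendered as decimal text: the form a command-line option
 * to a local process wants. Returns the snprintf() result. */
int port_as_argv(uint16_t port, char *buf, size_t len)
{
    return snprintf(buf, len, "%u", (unsigned)port);
}

/* Network order: the form an eBPF map key that stores the port expects. */
uint16_t port_as_map_key(uint16_t port)
{
    return htons(port);
}

/* Check that the decimal text parses back to the same host-order port. */
int argv_roundtrip(uint16_t port)
{
    char buf[8];
    if (port_as_argv(port, buf, sizeof buf) <= 0)
        return 0;
    return strtoul(buf, NULL, 10) == port;
}
```

The split into `port_as_argv` and `port_as_map_key` keeps the byte-order decision at the point of use; the random value itself stays in host order, as the reply above says it can.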
} | ||
else if (pid == 0) | ||
{ | ||
execv("/opt/openziti/bin/user/user_rules.sh", parmList); |
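Review bot: the child execs the hard-coded `/opt/openziti/bin/user/user_rules.sh` instead of `zfw_path`, so the configurable object path is bypassed on this branch; `execv(zfw_path, parmList)` is the intended call. Separately, if `execv` fails it returns -1 and the child continues past this line into the parent's code path; unless the lines that follow (not shown) handle that, add `perror("execv"); _exit(127);` directly after the call so a missing or non-executable binary cannot leave a second copy of the process running.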
Are the parameters being used by user_rules.sh? Specifically, should zfw_path be passed?
execv statement should have been execv(zfw_path, parmList), so yes this should be changed.
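The fork/execv pattern under discussion, with the binary path taken from ZFW_OBJECT_PATH and defaulting to /opt/openziti/bin as the PR description states, as an added example that is not zfw's own code. The file name `zfw`, the function names and the use of `/bin/sh -c` to show status propagation are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define ZFW_DEFAULT_DIR "/opt/openziti/bin"

/* Build the absolute path of the binary to execute. env_value is the
 * content of ZFW_OBJECT_PATH (NULL or empty when unset); the file name
 * "zfw" is an assumption of this example. Returns buf, or NULL if the
 * path does not fit. */
char *resolve_zfw_path(const char *env_value, char *buf, size_t len)
{
    const char *dir = (env_value && *env_value) ? env_value : ZFW_DEFAULT_DIR;
    int n = snprintf(buf, len, "%s/zfw", dir);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}

/* fork/execv argv[0] by absolute path and return its exit status.
 * execv (not execvp) does no PATH search, so the binary that runs is
 * exactly the configured one. If execv returns it has failed, and the
 * child must _exit at once instead of falling through into the parent's
 * code. Returns the child's exit status, 127 on exec failure, -1 on
 * fork/wait failure or abnormal termination. */
int run_helper(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        perror("execv");
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Exit status of running path with no extra arguments. */
int run_path(const char *path)
{
    char *argv[] = { (char *)path, NULL };
    return run_helper(argv);
}

/* Exit status of `/bin/sh -c cmd`, used to show that the child's status
 * reaches the parent unchanged. */
int run_sh(const char *cmd)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_helper(argv);
}

int main(void)
{
    char path[256];
    if (!resolve_zfw_path(getenv("ZFW_OBJECT_PATH"), path, sizeof path))
        return 1;
    /* On a host without the binary this reports 127 from the child. */
    printf("exec %s -> status %d\n", path, run_path(path));
    return 0;
}
```

Because the child path is taken from a single resolver, every exec site in the program honours the same override, which is the property the hard-coded path in the hunk above loses.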
close(fd); | ||
char *protocols[2] = {"tcp", "udp"}; | ||
for(int x = 0; x < 2; x++){ | ||
char *const parmList[] = {zfw_path, "-I", "-c", prefix, "-m", prefix_len, "-l", "1" , "-h", "65535", "-t", "65535", "-p", protocols[x], NULL}; |
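Review bot: each iteration of this loop inserts a rule for `-l 1 -h 65535` over the whole `prefix`/`prefix_len` for both tcp and udp, i.e. every port on the prefix; confirm that scope is intended for the `-f, --diverter-fw` mode this code serves, since a narrower low/high range is what keeps firewall mode restrictive, and add a comment stating what the literal `-t 65535` selects. `prefix` and `prefix_len` must both be NUL-terminated strings at this point (the reply below confirms `prefix` is `char prefix[INET_ADDRSTRLEN]`, so it needs to have been filled by `inet_ntop` before the loop); `prefix_len` should likewise be formatted text, not an int.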
prefix is an int value here. Should this be a string IP?
prefix is a char array, line 2621: char prefix[INET_ADDRSTRLEN];
This pull request adds system calls to zfw for the purpose of allowing bi-directional transparency. It allows the user to specify the diverter function either via command line argument or environmental variable, with the command line taking precedence: -D, diverter or ZITI_DIVERTER=. I also added a more restrictive option which, in addition to transparency support, also provides full firewall filtering: -f, --diverter-fw or DIVERTER_FIREWALL=. It assumes zfw binaries/ebpf objects are in /opt/openziti/bin by default, but this can be modified via the environmental variable ZFW_OBJECT_PATH=.