Merge pull request #16 from douzzer/20220513-default_event-fallthrough_route

20220513-default_event-fallthrough_route

Author: LinuxJedi

ChangeLog.md

@@ -1,3 +1,34 @@
+# wolfSentry Release 0.4.0 (May 27, 2022)
+
+Preview Release 0.4.0 of the wolfSentry embedded firewall/IDPS has bug fixes and new features including:
+
+## New Features
+
+* User-defined key-value pairs in JSON configuration: allows user plugins to access custom config parameters in the wolfSentry config using the new wolfsentry_user_value_*() family of API functions.  Binary configuration data can be supplied in the configuration using base64 encoding, and are decoded at parse time and directly available to user plugins in the original raw binary form.  The key-value facility also supports a custom validator callback to enforce constraints on user-defined config params in the JSON.
+
+* User-defined address families: allows user plugins for custom address families and formats, using new wolfsentry_addr_family_*() API routines.  This allows idiomatic formats for non-Internet addresses in the JSON config, useful for various buses and device namespaces.
+
+* Formalization of the concepts of default events and fallthrough rules in the route tables.
+
+* A new subevent action list facility to support logging and notifications around the final decisions of the rule engine, alongside the existing subevents for rule insertions, matches, and deletions.
+
+* The main plugin interface (wolfsentry_action_callback_t) now passes two separate routes, a "trigger_route" with full attributes of the instant traffic, and a "rule_route" that matches that traffic.  In dynamic rule scenarios, plugins can manipulate the passed rule_route and set the WOLFSENTRY_ACTION_RES_INSERT bit in the to define a new rule that will match the traffic thereafter.  All actions in the chain retain readonly access to the unmodified trigger route for informational purposes.
+
+* The JSON DOM facility from CentiJSON is now included in the library by default (disabled by make NO_JSON_DOM=1), layered on the SAX facility used directly by the wolfSentry core to process the JSON config package.  The DOM facility can be used as a helper in user plugins and applications, for convenient JSON parsing, random access, and production.
+
+
+## Noteworthy Changes
+
+* In the JSON config, non-event-specific members of top level node "config-update" node have been moved to the new top level node "default-policies", which must appear after "event-insert".  "default-policies" members are "default-policy-static", "default-policy-dynamic", "default-event-static", and "default-event-dynamic".
+
+
+## Bug Fixes
+
+* In wolfsentry_config_json_init(), properly copy the load_flags from the caller into the _json_process_state.
+
+* The JSON SAX API routines (wolfsentry/centijson_sax.h) are now properly exported.
+
+
 # wolfSentry Release 0.3.0 (Dec 30, 2021)
 
 Preview Release 0.3.0 of the wolfSentry embedded firewall/IDPS has bug fixes and new features including:

Makefile

@@ -84,8 +84,8 @@ VISIBILITY_CFLAGS := -fvisibility=hidden -DHAVE_VISIBILITY=1
 DYNAMIC_CFLAGS := -fpic
 DYNAMIC_LDFLAGS := -shared
 
-$(BUILD_TOP)/src/json/centijson_sax.o: CFLAGS+=-DWOLFSENTRY -Wno-conversion -Wno-sign-conversion -Wno-sign-compare
-$(BUILD_TOP)/src/json/centijson_sax.So: CFLAGS+=-DWOLFSENTRY -Wno-conversion -Wno-sign-conversion -Wno-sign-compare
+$(BUILD_TOP)/src/json/centijson_%.o: CFLAGS+=-DWOLFSENTRY -Wno-conversion -Wno-sign-conversion -Wno-sign-compare
+$(BUILD_TOP)/src/json/centijson_%.So: CFLAGS+=-DWOLFSENTRY -Wno-conversion -Wno-sign-conversion -Wno-sign-compare
 
 ifeq "$(NO_STDIO)" "1"
     CFLAGS += -DWOLFSENTRY_NO_STDIO
@@ -96,6 +96,10 @@ ifeq "$(NO_JSON)" "1"
     CFLAGS += -DWOLFSENTRY_NO_JSON
 else
     SRCS += json/centijson_sax.c json/load_config.c
+    ifneq "$(NO_JSON_DOM)" "1"
+        CFLAGS += -DWOLFSENTRY_HAVE_JSON_DOM
+        SRCS += json/centijson_dom.c json/centijson_value.c
+    endif
 endif
 
 ifdef USER_SETTINGS_FILE
@@ -124,7 +128,7 @@ LIB_NAME := libwolfsentry.a
 
 INSTALL_LIBS := $(BUILD_TOP)/$(LIB_NAME)
 
-INSTALL_HEADERS := wolfsentry/wolfsentry.h wolfsentry/wolfsentry_errcodes.h wolfsentry/wolfsentry_af.h wolfsentry/wolfsentry_util.h wolfsentry/wolfsentry_json.h wolfsentry/centijson_sax.h $(BUILD_TOP)/wolfsentry_options.h
+INSTALL_HEADERS := wolfsentry/wolfsentry.h wolfsentry/wolfsentry_errcodes.h wolfsentry/wolfsentry_af.h wolfsentry/wolfsentry_util.h wolfsentry/wolfsentry_json.h wolfsentry/centijson_sax.h wolfsentry/centijson_dom.h wolfsentry/centijson_value.h $(BUILD_TOP)/wolfsentry_options.h
 
 all: $(BUILD_TOP)/$(LIB_NAME)
 

Makefile.analyzers

@@ -194,6 +194,13 @@ no-json-test:
 	@$(MAKE) $(EXTRA_MAKE_FLAGS) $(QUIET_FLAG) -f $(THIS_MAKEFILE) VERY_QUIET=1 BUILD_TOP=NO_JSON-builds clean
 	@echo "NO_JSON test passed."
 
+.PHONY: no-json-dom-test
+no-json-dom-test:
+	@$(MAKE) $(EXTRA_MAKE_FLAGS) $(QUIET_FLAG) -f $(THIS_MAKEFILE) VERY_QUIET=1 BUILD_TOP=NO_JSON_DOM-builds clean
+	@$(MAKE) $(EXTRA_MAKE_FLAGS) $(QUIET_FLAG) -f $(THIS_MAKEFILE) VERY_QUIET=1 BUILD_TOP=NO_JSON_DOM-builds NO_JSON_DOM=1 test
+	@$(MAKE) $(EXTRA_MAKE_FLAGS) $(QUIET_FLAG) -f $(THIS_MAKEFILE) VERY_QUIET=1 BUILD_TOP=NO_JSON_DOM-builds clean
+	@echo "NO_JSON_DOM test passed."
+
 .PHONY: no-error-strings-test
 no-error-strings-test:
 	@$(MAKE) $(EXTRA_MAKE_FLAGS) $(QUIET_FLAG) -f $(THIS_MAKEFILE) VERY_QUIET=1 BUILD_TOP=no-error-strings-builds clean
@@ -238,7 +245,7 @@ dist-check:
 	@echo $@ 'passed.'
 
 .PHONY: check
-check: analyze-all dynamic-build-test c99-test m32-test singlethreaded-test no-json-test no-error-strings-test no-protocol-names-test no-stdio-test minimal-build-test dist-check
+check: analyze-all dynamic-build-test c99-test m32-test singlethreaded-test no-json-test no-json-dom-test no-error-strings-test no-protocol-names-test no-stdio-test minimal-build-test dist-check
 	@echo "all checks passed."
 
 # recipe to run the pre-push hook on the commit head, without actually pushing:

README.md

@@ -2,8 +2,7 @@
 
 ## Description
 
-wolfSentry is the wolfSSL IDPS (Intrusion Detection and Prevention System).  It
-is mainly used as a library, but can also be used as part of a kernel module.
+wolfSentry is the wolfSSL IDPS (Intrusion Detection and Prevention System).  It is mainly used as a library, but can also be used as part of a kernel module.
 
 At a high level, wolfSentry is a dynamically configurable logic hub, arbitrarily associating user-defined events with user-defined actions, contextualized by connection attributes, tracking the evolution of the client-server relationship. At a low level, wolfSentry is an embedded firewall engine (both static and fully dynamic), with O(log n) lookup of known hosts/netblocks.
 
@@ -57,8 +56,9 @@ Build and test libwolfsentry.a without support for multithreading:
 
 `make -j SINGLETHREADED=1 test`
 
-Other available make flags are `STATIC=1` and `STRIPPED=1`, and the defaults values
-for `DEBUG`, `OPTIM`, and `C_WARNFLAGS` can also be usefully overridden.
+Other available make flags are `STATIC=1`, `STRIPPED=1`, `NO_JSON=1`, and
+`NO_JSON_DOM=1`, and the defaults values for `DEBUG`, `OPTIM`, and `C_WARNFLAGS`
+can also be usefully overridden.
 
 Build with a user-supplied makefile preamble to override defaults:
 

examples/Linux-LWIP/echo-config.json

@@ -2,8 +2,7 @@
     "wolfsentry-config-version" : 1,
     "config-update" : {
 	"max-connection-count" : 5,
-	"penalty-box-duration" : "1h",
-	"default-policy-static" : "reject"
+	"penalty-box-duration" : "1h"
     },
     "events-insert" : [
         {
@@ -34,6 +33,10 @@
 	    "label" : "call-in-from-echo"
 	}
     ],
+    "default-policies" : {
+	"default-policy-static" : "reject",
+	"default-event-static" : "static-route-parent"
+    },
     "static-routes-insert" : [
 	{
 	    "parent-event" : "static-route-parent",

examples/Linux-LWIP/sentry.c

@@ -20,11 +20,12 @@ static wolfsentry_errcode_t test_action(
     void *caller_arg,
     const struct wolfsentry_event *trigger_event,
     wolfsentry_action_type_t action_type,
+    const struct wolfsentry_route *target_route,
     struct wolfsentry_route_table *route_table,
-    const struct wolfsentry_route *route,
+    const struct wolfsentry_route *rule_route,
     wolfsentry_action_res_t *action_results)
 {
-    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(route);
+    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(rule_route);
     (void)wolfsentry;
     (void)handler_arg;
     (void)route_table;

examples/STM32-LWIP-WOLFSSL/Src/sentry.c

@@ -14,8 +14,7 @@ static const char *wolfsentry_config_data = "{\n"
 "    \"wolfsentry-config-version\" : 1,\n"
 "    \"config-update\" : {\n"
 " 	 \"max-connection-count\" : 0,\n"
-"    \"penalty-box-duration\" : \"1h\",\n"
-"    \"default-policy-static\" : \"reject\"\n"
+"    \"penalty-box-duration\" : \"1h\"\n"
 "    },\n"
 "    \"events-insert\" : [\n"
 "        {\n"
@@ -46,6 +45,10 @@ static const char *wolfsentry_config_data = "{\n"
 "       \"label\" : \"call-in-from-echo\"\n"
 "   }\n"
 "   ],\n"
+"   \"default-policies\" : {\n"
+"	\"default-policy-static\" : \"reject\",\n"
+"	\"default-event-static\" : \"static-route-parent\"\n"
+"   },\n"
 "    \"static-routes-insert\" : [\n"
 "{\n"
 "       \"parent-event\" : \"static-route-parent\",\n"
@@ -107,11 +110,12 @@ static wolfsentry_errcode_t test_action(
     void *caller_arg,
     const struct wolfsentry_event *trigger_event,
     wolfsentry_action_type_t action_type,
+    const struct wolfsentry_route *target_route,
     struct wolfsentry_route_table *route_table,
-    const struct wolfsentry_route *route,
+    const struct wolfsentry_route *rule_route,
     wolfsentry_action_res_t *action_results)
 {
-    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(route);
+    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(rule_route);
     (void)wolfsentry;
     (void)handler_arg;
     (void)route_table;

examples/STM32-LWIP/Src/sentry.c

@@ -14,8 +14,7 @@ static const char *wolfsentry_config_data = "{\n"
 "    \"wolfsentry-config-version\" : 1,\n"
 "    \"config-update\" : {\n"
 " 	 \"max-connection-count\" : 5,\n"
-"    \"penalty-box-duration\" : \"1h\",\n"
-"    \"default-policy-static\" : \"reject\"\n"
+"    \"penalty-box-duration\" : \"1h\"\n"
 "    },\n"
 "    \"events-insert\" : [\n"
 "        {\n"
@@ -46,6 +45,10 @@ static const char *wolfsentry_config_data = "{\n"
 "       \"label\" : \"call-in-from-echo\"\n"
 "   }\n"
 "   ],\n"
+"   \"default-policies\" : {\n"
+"	\"default-policy-static\" : \"reject\",\n"
+"	\"default-event-static\" : \"static-route-parent\"\n"
+"   },\n"
 "    \"static-routes-insert\" : [\n"
 "{\n"
 "       \"parent-event\" : \"static-route-parent\",\n"
@@ -107,11 +110,12 @@ static wolfsentry_errcode_t test_action(
     void *caller_arg,
     const struct wolfsentry_event *trigger_event,
     wolfsentry_action_type_t action_type,
+    const struct wolfsentry_route *target_route,
     struct wolfsentry_route_table *route_table,
-    const struct wolfsentry_route *route,
+    const struct wolfsentry_route *rule_route,
     wolfsentry_action_res_t *action_results)
 {
-    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(route);
+    const struct wolfsentry_event *parent_event = wolfsentry_route_parent_event(rule_route);
     (void)wolfsentry;
     (void)handler_arg;
     (void)route_table;

src/actions.c

@@ -121,13 +121,14 @@ wolfsentry_errcode_t wolfsentry_action_insert(struct wolfsentry_context *wolfsen
 
     if ((ret = wolfsentry_action_new_1(wolfsentry, label, label_len, flags, handler, handler_arg, &new)) < 0)
         return ret;
-    if ((ret = wolfsentry_id_generate(wolfsentry, WOLFSENTRY_OBJECT_TYPE_ACTION, &new->header.id)) < 0) {
+    if ((ret = wolfsentry_id_allocate(wolfsentry, &new->header)) < 0) {
         WOLFSENTRY_FREE(new); // GCOV_EXCL_LINE
         return ret; // GCOV_EXCL_LINE
     }
     if (id)
         *id = new->header.id;
     if ((ret = wolfsentry_table_ent_insert(wolfsentry, &new->header, &wolfsentry->actions->header, 1 /* unique_p */)) < 0) {
+        wolfsentry_table_ent_delete_by_id_1(wolfsentry, &new->header);
         WOLFSENTRY_FREE(new);
         WOLFSENTRY_ERROR_RERETURN(ret);
     }
@@ -449,37 +450,41 @@ wolfsentry_errcode_t wolfsentry_action_list_dispatch(
     struct wolfsentry_event *action_event,
     struct wolfsentry_event *trigger_event,
     wolfsentry_action_type_t action_type,
+    const struct wolfsentry_route *target_route,
     struct wolfsentry_route_table *route_table,
-    struct wolfsentry_route *route,
+    struct wolfsentry_route *rule_route,
     wolfsentry_action_res_t *action_results)
 {
     wolfsentry_errcode_t ret;
     struct wolfsentry_action_list_ent *i;
 
+    if (action_results == NULL)
+        WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
+
     if (*action_results & WOLFSENTRY_ACTION_RES_STOP)
         WOLFSENTRY_ERROR_RETURN(ALREADY_STOPPED);
 
     if (action_type == WOLFSENTRY_ACTION_TYPE_INSERT) {
-        if (WOLFSENTRY_CHECK_BITS(route->flags, WOLFSENTRY_ROUTE_FLAG_INSERT_ACTIONS_CALLED))
+        if (WOLFSENTRY_CHECK_BITS(rule_route->flags, WOLFSENTRY_ROUTE_FLAG_INSERT_ACTIONS_CALLED))
             WOLFSENTRY_ERROR_RETURN(ALREADY);
         else {
             wolfsentry_route_flags_t flags_before;
             wolfsentry_route_flags_t flags_after;
             WOLFSENTRY_ATOMIC_UPDATE(
-                route->flags,
+                rule_route->flags,
                 (wolfsentry_route_flags_t)WOLFSENTRY_ROUTE_FLAG_INSERT_ACTIONS_CALLED,
                 (wolfsentry_route_flags_t)WOLFSENTRY_ROUTE_FLAG_NONE,
                 &flags_before,
                 &flags_after);
         }
     } else if (action_type == WOLFSENTRY_ACTION_TYPE_DELETE) {
-        if (WOLFSENTRY_CHECK_BITS(route->flags, WOLFSENTRY_ROUTE_FLAG_DELETE_ACTIONS_CALLED))
+        if (WOLFSENTRY_CHECK_BITS(rule_route->flags, WOLFSENTRY_ROUTE_FLAG_DELETE_ACTIONS_CALLED))
             WOLFSENTRY_ERROR_RETURN(ALREADY);
         else {
             wolfsentry_route_flags_t flags_before;
             wolfsentry_route_flags_t flags_after;
             WOLFSENTRY_ATOMIC_UPDATE(
-                route->flags,
+                rule_route->flags,
                 (wolfsentry_route_flags_t)WOLFSENTRY_ROUTE_FLAG_DELETE_ACTIONS_CALLED,
                 (wolfsentry_route_flags_t)WOLFSENTRY_ROUTE_FLAG_NONE,
                 &flags_before,
@@ -494,11 +499,11 @@ wolfsentry_errcode_t wolfsentry_action_list_dispatch(
     for (i = (struct wolfsentry_action_list_ent *)action_event->action_list.header.head;
          i;
          i = (struct wolfsentry_action_list_ent *)i->header.next) {
-        if (! (route->flags & WOLFSENTRY_ROUTE_FLAG_DONT_COUNT_HITS))
+        if (! (rule_route->flags & WOLFSENTRY_ROUTE_FLAG_DONT_COUNT_HITS))
             WOLFSENTRY_ATOMIC_INCREMENT(i->action->header.hitcount, 1);
         if (WOLFSENTRY_CHECK_BITS(i->action->flags, WOLFSENTRY_ACTION_FLAG_DISABLED))
             continue;
-        if ((ret = i->action->handler(wolfsentry, i->action, i->action->handler_arg, caller_arg, trigger_event, action_type, route_table, route, action_results)) < 0)
+        if ((ret = i->action->handler(wolfsentry, i->action, i->action->handler_arg, caller_arg, trigger_event, action_type, target_route, route_table, rule_route, action_results)) < 0)
             return ret;
         if (WOLFSENTRY_CHECK_BITS(*action_results, WOLFSENTRY_ACTION_RES_STOP))
             WOLFSENTRY_RETURN_OK;
@@ -515,3 +520,18 @@ wolfsentry_errcode_t wolfsentry_action_table_init(
     action_table->header.ent_type = WOLFSENTRY_OBJECT_TYPE_ACTION;
     WOLFSENTRY_RETURN_OK;
 }
+
+wolfsentry_errcode_t wolfsentry_action_table_clone_header(
+    struct wolfsentry_context *wolfsentry,
+    struct wolfsentry_table_header *src_table,
+    struct wolfsentry_context *dest_context,
+    struct wolfsentry_table_header *dest_table,
+    wolfsentry_clone_flags_t flags)
+{
+    (void)wolfsentry;
+    (void)src_table;
+    (void)dest_context;
+    (void)dest_table;
+    (void)flags;
+    WOLFSENTRY_RETURN_OK;
+}