Merge pull request #77 from danielinux/wolfip-support

Add support for wolfIP

Author: douzzer

.gitignore

@@ -25,6 +25,7 @@ wolfsentry/wolfsentry_options.h
 
 /examples/notification-demo/log_server/log_server
 /examples/notification-demo/udp_to_dbus/udp_to_dbus
+/examples/Linux-wolfIP/wolfip-wolfsentry-demo
 
 /scripts/analyzer-config.sh
 

Makefile

@@ -129,6 +129,23 @@ ifdef LWIP
         SRCS += lwip/packet_filter_glue.c
 endif
 
+ifdef WOLFIP
+        ifndef WOLFIP_TOP
+            WOLFIP_TOP := $(SRC_TOP)/../wolfip
+        endif
+        ifndef WOLFIP_CONFIG_DIR
+            WOLFIP_CONFIG_DIR := $(WOLFIP_TOP)
+        endif
+        ifndef WOLFIP_ENABLE_IPFILTER
+            WOLFIP_ENABLE_IPFILTER := 1
+        endif
+        WOLFIP_CFLAGS += -DWOLFSENTRY_WOLFIP -I$(WOLFIP_CONFIG_DIR) -I$(WOLFIP_TOP)
+        ifeq ($(WOLFIP_ENABLE_IPFILTER),1)
+            WOLFIP_CFLAGS += -DCONFIG_IPFILTER=1
+        endif
+        SRCS += wolfip/packet_filter_glue.c
+endif
+
 ifdef NETXDUO
         ifndef NETXDUO_TOP
             NETXDUO_TOP=$(THREADX_TOP)
@@ -166,7 +183,7 @@ ifndef C_WARNFLAGS
     endif
 endif
 
-CFLAGS := -I$(BUILD_TOP) -I$(SRC_TOP) $(OPTIM) $(DEBUG) $(C_WARNFLAGS) $(LWIP_CFLAGS) $(RUNTIME_CFLAGS) $(EXTRA_CFLAGS)
+CFLAGS := -I$(BUILD_TOP) -I$(SRC_TOP) $(OPTIM) $(DEBUG) $(C_WARNFLAGS) $(LWIP_CFLAGS) $(WOLFIP_CFLAGS) $(RUNTIME_CFLAGS) $(EXTRA_CFLAGS)
 LDFLAGS := $(EXTRA_LDFLAGS)
 
 VISIBILITY_CFLAGS := -fvisibility=hidden -DHAVE_VISIBILITY=1

examples/Linux-wolfIP/Makefile

@@ -0,0 +1,62 @@
+CC ?= gcc
+AR ?= ar
+
+WOLFSENTRY_PATH ?= ../../../wolfsentry
+WOLFSENTRY_LIB ?= $(WOLFSENTRY_PATH)/libwolfsentry.a
+WOLFIP_PATH ?= ../../../wolfip
+
+CFLAGS ?= -O2 -g
+CFLAGS += -D_GNU_SOURCE
+CFLAGS += -DCONFIG_IPFILTER=1
+CFLAGS += -Wall -Wextra -Wpedantic -std=c99
+CFLAGS += -std=c99
+CFLAGS += -I.
+CFLAGS += -I./wolfip
+CFLAGS += -I../../../wolfsentry/wolfsentry
+CFLAGS += -I../../../wolfsentry
+CFLAGS += -I$(WOLFIP_PATH)
+CFLAGS += -I$(WOLFIP_PATH)/src
+CFLAGS += -I$(WOLFIP_PATH)/src/port/posix
+CFLAGS += -pthread
+
+LDFLAGS ?= -pthread
+
+TARGET := wolfip-wolfsentry-demo
+
+APP_SRCS := main.c
+APP_OBJS := $(APP_SRCS:.c=.o)
+
+TAP_SRC := $(WOLFIP_PATH)/src/port/posix/tap_linux.c
+TAP_OBJ := tap_linux.o
+
+WOLFIP_SRC := $(WOLFIP_PATH)/src/wolfip.c
+WOLFIP_LIB := libwolfip.a
+WOLFIP_OBJ := wolfip.o
+
+.PHONY: all clean
+
+all: $(TARGET)
+
+$(TARGET): $(APP_OBJS) $(TAP_OBJ) $(WOLFIP_LIB) $(WOLFSENTRY_LIB)
+	$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+$(APP_OBJS): %.o : %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(TAP_OBJ): $(TAP_SRC) wolfip/config.h
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(WOLFIP_OBJ): $(WOLFIP_SRC) wolfip/config.h
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(WOLFIP_LIB): $(WOLFIP_OBJ)
+	$(AR) rcs $@ $<
+
+$(WOLFSENTRY_LIB):
+	$(MAKE) -C $(WOLFSENTRY_PATH) libwolfsentry.a \
+		WOLFIP=1 \
+		WOLFIP_TOP=$(abspath $(WOLFIP_PATH)) \
+		WOLFIP_CONFIG_DIR=$(abspath $(CURDIR)/wolfip)
+
+clean:
+	$(RM) $(APP_OBJS) $(TAP_OBJ) $(WOLFIP_OBJ) $(WOLFIP_LIB) $(TARGET)

examples/Linux-wolfIP/README.md

@@ -0,0 +1,77 @@
+# Linux wolfIP + wolfSentry Demo
+
+This example runs a single wolfIP instance on a TAP interface and forwards
+wolfIP packet-filter events into wolfSentry via the wolfIP glue layer.  The
+installed wolfSentry actions log every inbound Ethernet frame and drop every
+seventh inbound ICMP echo request while logging the drop decision.
+
+## Prerequisites
+
+* Linux host with `/dev/net/tun` access (run the demo with `sudo`).
+* `libpcap` is **not** required.
+* Build `wolfsentry` with wolfIP support enabled so the packet-filter glue is
+  present:
+
+  ```sh
+  cd ../../wolfsentry
+  make WOLFIP=1 WOLFIP_CONFIG_DIR=examples/Linux-wolfIP/wolfip
+  ```
+
+  The example will then compile its own copy of wolfIP from `$(WOLFIP_PATH)`
+  using the local configuration in `wolfip/config.h`, so you do not need to
+  build wolfIP separately.  Edit that file if you need different Ethernet/TAP
+  settings, such as the wolfIP and host IP addresses or the TAP interface name.
+
+## Build the demo
+
+```sh
+cd wolfsentry/examples/Linux-wolfIP
+make            # override WOLFIP_PATH=/path/to/wolfip if needed
+```
+
+The Makefile first builds a local `libwolfip.a` from
+`$(WOLFIP_PATH)/src/wolfip.c`, picking up the Ethernet/TAP configuration in
+`wolfip/config.h`, and then links the demo against that static library plus
+`../../../wolfsentry/libwolfsentry.a`.  Override `WOLFIP_PATH` if your source
+tree lives elsewhere.  If `libwolfsentry.a` is missing or older than the
+example sources, the Makefile automatically runs
+`make WOLFIP=1 WOLFIP_CONFIG_DIR=examples/Linux-wolfIP/wolfip` inside
+`../../wolfsentry` so the packet-filter glue is rebuilt with the local config.
+
+## Run the demo
+
+```sh
+sudo ./wolfip-wolfsentry-demo
+```
+
+The program:
+
+1. Initializes wolfSentry, registers two actions (`log-event` and
+   `icmp-mod7`), and loads `wolfip-config.json`.
+2. Installs wolfSentry as the wolfIP packet filter for Ethernet, IPv4 and
+   ICMP events.
+3. Brings up wolfIP on a TAP interface (default host IP `10.10.10.1`,
+   wolfIP address `10.10.10.2`) and enters the polling loop.
+
+While it runs you can exercise it from the host by pinging
+`10.10.10.2`.  The demo now starts a background
+`ping -I wolfip0 -c 100 10.10.10.2` process automatically so you immediately
+get traffic; it stops after 100 packets, and you can launch your own ping if
+you prefer.  ICMP echo requests are accepted except when the running counter is
+a multiple of 7 – only those discarded packets are logged.
+
+The demo links in wolfIP's POSIX TAP driver (`tap_linux.c`), so the call to
+`tap_init()` inside the sample automatically creates, configures, and brings up
+the TAP interface on the host (default name `wolfip0`).  No manual `ip`
+commands are required beyond running the binary with sufficient privileges.
+
+Stop the demo with `Ctrl+C`.
+
+## Cleaning up
+
+```sh
+make clean
+```
+
+This removes the local binary and object files; it does not touch the
+wolfIP/wolfSentry build outputs.