occtl: print the restricted ports for the client

src/ctl.proto

@@ -1,3 +1,5 @@
+import "ipc.proto";
+
 /* STATUS */
 message status_rep
 {
@@ -50,6 +52,7 @@ message user_info_rep
 	required uint32 dpd = 28;
 	required uint32 keepalive = 29;
 	required bool restrict_to_routes = 30;
+	repeated fw_port_st fw_ports = 31;
 }
 
 message user_list_rep

src/main-ctl-unix.c

@@ -398,6 +398,9 @@ static int append_user_info(method_ctx *ctx,
 	rep->iroutes = ctmp->config->iroutes;
 	rep->n_iroutes = ctmp->config->n_iroutes;
 
+	rep->n_fw_ports = ctmp->config->n_fw_ports;
+	rep->fw_ports = ctmp->config->fw_ports;
+
 	return 0;
 }
 

src/occtl/occtl.h

@@ -28,6 +28,7 @@ void pager_stop(FILE* fp);
 void print_time_ival7(char output[MAX_TMPSTR_SIZE], time_t t1, time_t t2);
 void print_iface_stats(const char *iface, time_t since, FILE * out, cmd_params_st *params, unsigned have_more);
 int print_list_entries(FILE* out, cmd_params_st *params, const char* name, char **val, unsigned vsize, unsigned have_more);
+int print_fwport_entries(FILE* out, cmd_params_st *params, const char* name, FwPortSt **val, unsigned vsize, unsigned have_more);
 void print_start_block(FILE *out, cmd_params_st *params);
 void print_end_block(FILE *out, cmd_params_st *params, unsigned have_more);
 void print_array_block(FILE *out, cmd_params_st *params);

src/occtl/print.c

@@ -30,6 +30,7 @@
 #include <occtl/occtl.h>
 #include <common.h>
 #include <json.h>
+#include <vpn.h>
 #include <c-strcase.h>
 
 #define MAX_STR_SIZE 512
@@ -68,6 +69,42 @@ int print_list_entries(FILE* out, cmd_params_st *params, const char* name, char
 	return i;
 }
 
+int print_fwport_entries(FILE* out, cmd_params_st *params, const char* name, FwPortSt **val, unsigned vsize, unsigned have_more)
+{
+	unsigned int i = 0;
+	char tmp[64];
+
+	if (HAVE_JSON(params)) {
+		fprintf(out, "    \"%s\":\t[", name);
+		for (i=0;i<vsize;i++) {
+			if (val[i]->port)
+				snprintf(tmp, sizeof(tmp), "%s%s(%d)", val[i]->negate?"!":"", proto_to_str(val[i]->proto), val[i]->port);
+			else
+				snprintf(tmp, sizeof(tmp), "%s%s()", val[i]->negate?"!":"", proto_to_str(val[i]->proto));
+
+			if (i==0)
+				fprintf(out, "\"%s\"", tmp);
+			else
+				fprintf(out, ", \"%s\"", tmp);
+		}
+		fprintf(out, "]%s\n", have_more?",":"");
+	} else {
+		for (i=0;i<vsize;i++) {
+			if (val[i]->port)
+				snprintf(tmp, sizeof(tmp), "%s%s(%d)", val[i]->negate?"!":"", proto_to_str(val[i]->proto), val[i]->port);
+			else
+				snprintf(tmp, sizeof(tmp), "%s%s()", val[i]->negate?"!":"", proto_to_str(val[i]->proto));
+			if (i==0)
+				fprintf(out, "\t%s: %s", name, tmp);
+			else
+				fprintf(out, ", %s", tmp);
+		}
+		fprintf(out, "\n");
+	}
+
+	return i;
+}
+
 void print_start_block(FILE *out, cmd_params_st *params)
 {
 	if (HAVE_JSON(params))

src/occtl/unix.c

@@ -972,7 +972,10 @@ int common_info_cmd(UserListRep * args, FILE *out, cmd_params_st *params)
 		if (print_list_entries(out, params, "iRoutes", args->user[i]->iroutes, args->user[i]->n_iroutes, 1) < 0)
 			goto error_parse;
 
-		print_single_value(out, params, "Restricted to routes", args->user[i]->restrict_to_routes?"True":"False", 0);
+		print_single_value(out, params, "Restricted to routes", args->user[i]->restrict_to_routes?"True":"False", 1);
+
+		if (print_fwport_entries(out, params, "Restricted to ports", args->user[i]->fw_ports, args->user[i]->n_fw_ports, 0) < 0)
+			goto error_parse;
 
 		print_end_block(out, params, i<(args->n_user-1)?1:0);
 

src/vpn.h

@@ -68,9 +68,29 @@ typedef enum fw_proto_t {
 	PROTO_SCTP,
 	PROTO_ESP,
 	PROTO_ICMP,
-	PROTO_ICMPv6
+	PROTO_ICMPv6,
+
+	/* fix proto2str below if anything is added */
+	PROTO_MAX
 } fw_proto_t;
 
+
+inline static const char *proto_to_str(fw_proto_t proto)
+{
+	const char *proto2str[] = {
+		"udp",
+		"tcp",
+		"sctp",
+		"esp",
+		"icmp",
+		"icmpv6"
+	};
+
+	if (proto < 0 || proto >= PROTO_MAX)
+		return "unknown";
+	return proto2str[proto];
+}
+
 /* Banning works with a point system. A wrong password
  * attempt gives you PASSWORD_POINTS, and you are banned
  * when the maximum ban score is reached.