Merge branch 'master' into ppp-update

This commit is contained in:
Michael Tremer
2010-06-30 11:36:50 +02:00
16 changed files with 273 additions and 174 deletions


@@ -0,0 +1,2 @@
# user connections that should not overwritten by the webif
#


@@ -0,0 +1,2 @@
# user secrets that should not overwritten by the webif
#


@@ -15,6 +15,8 @@ etc/hddtemp.db
etc/host.conf
etc/inittab
etc/inputrc
#etc/ipsec.user.conf
#etc/ipsec.user.secrets
etc/issue
etc/ld.so.conf
etc/logrotate.conf


@@ -1,4 +1,5 @@
etc/ipsec.conf
etc/ipsec.user.conf
#etc/ipsec.d
etc/ipsec.d/aacerts
etc/ipsec.d/acerts
@@ -9,6 +10,7 @@ etc/ipsec.d/ocspcerts
etc/ipsec.d/private
etc/ipsec.d/reqs
etc/ipsec.secrets
etc/ipsec.user.secrets
etc/strongswan.conf
#usr/lib/libcharon.a
#usr/lib/libcharon.la


@@ -55,6 +55,7 @@ etc/rc.d/init.d/network
etc/rc.d/init.d/ntp
etc/rc.d/init.d/modules
usr/local/bin/ipsecctrl
usr/local/bin/rebuildhosts
usr/local/bin/syslogdctrl
usr/local/bin/wirelessctrl
usr/local/sbin/setup


@@ -61,6 +61,9 @@ echo boot >> /opt/pakfire/tmp/ROOTFILES
echo etc/sysconfig/lm_sensors >> /opt/pakfire/tmp/ROOTFILES
echo usr/lib/ipsec >> /opt/pakfire/tmp/ROOTFILES
echo usr/libexec/ipsec >> /opt/pakfire/tmp/ROOTFILES
# exclude squid cache from backup
sed -i -e "s|^var/log/cache|#var/log/cache|g" /opt/pakfire/tmp/ROOTFILES
# Backup the files
tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
-C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' > /dev/null 2>&1



@@ -0,0 +1 @@
etc/system-release


@@ -0,0 +1 @@
DEPS=""


@@ -0,0 +1,42 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2010 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
#
#Stop services
#
#Extract files
extract_files
#
#Start services
#
#Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
#
#Finish
#Don't report the exitcode last command
exit 0
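Review bot: The status of `extract_files` under `#Extract files` is never examined and the script ends with an unconditional `exit 0`, so a partially extracted or unreadable core-39 archive is reported back to pakfire as a successful update. Use `extract_files || exit 1` so a failed extraction is surfaced; the `#Don't report the exitcode last command` comment seems to intend only the trailing language-cache rebuild, not the extraction itself. Whether `extract_files` (defined in `/opt/pakfire/lib/functions.sh`, outside this view) actually returns non-zero on failure cannot be confirmed here. The `#Stop services` and `#Start services` sections are empty placeholders, so files are swapped while services keep running; if that is intended for this core, a one-line comment saying no service restart is required would spare the next reader the question.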


@@ -143,7 +143,7 @@ if (-e "/etc/snort/snort.conf") {
# If see more than one dashed line, (start to) create rule file description
if ($dashlinecnt > 1) {
# Check for a line starting with a #
if ($ruleline =~ /^\#/) {
if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) {
# Create tempruleline
my $tempruleline = $ruleline;
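Review bot: The new exclusion on the `if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/)` line only recognises a disabled rule spelled exactly `#alert`; a rule commented out as `# alert`, or a disabled `drop`/`log`/`pass`/`reject` rule, still satisfies the first test and is copied into `$tempruleline` as if it were a description line. A slightly wider guard such as `$ruleline !~ /^\#\s*(?:alert|drop|log|pass|reject|sdrop)\b/` covers those spellings while still accepting ordinary comment lines. This sits inside a loop whose enclosing subroutine starts and ends outside the hunk, so how `$tempruleline` is consumed afterwards cannot be checked from here.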


@@ -289,6 +289,12 @@ sub writeipsecfiles {
#print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n";
# Add user includes to config file
print CONF "include /etc/ipsec.user.conf\n";
print CONF "\n";
print SECRETS "include /etc/ipsec.user/secrets\n";
if (-f "${General::swroot}/certs/hostkey.pem") {
print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
}
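Review bot: The secrets include on the `print SECRETS "include /etc/ipsec.user/secrets\n";` line names a path that nothing in this commit creates; the file shipped and listed elsewhere in the same commit is `/etc/ipsec.user.secrets` (dot, not slash), matching the `include /etc/ipsec.user.conf` line just above. It should read `print SECRETS "include /etc/ipsec.user.secrets\n";`, otherwise strongSwan is handed an include of a nonexistent path and user-maintained secrets are presumably never loaded. Because this include pulls private key material into ipsec.secrets, a comment stating that `/etc/ipsec.user.secrets` must be root-owned and mode 0600 (like the generated secrets file) would be worth adding here; whether the packaging actually sets that mode is not visible in this commit. writeipsecfiles starts and ends outside the hunk.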


@@ -25,7 +25,7 @@
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.7" # Version number
CORE="38" # Core Level (Filename)
CORE="39" # Core Level (Filename)
PAKFIRE_CORE="38" # Core Level (PAKFIRE)
GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan


@@ -141,16 +141,11 @@ int decode_line (char *s,
issue ipsec commmands to turn on connection 'name'
*/
void turn_connection_on (char *name, char *type) {
char command[STRING_SIZE];
FILE *file = NULL;
if (file = fopen("/var/run/vpn-watch.pid", "r")) {
safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
safe_system("unlink /var/run/vpn-watch.pid");
close(file);
}
/*
if you find a way to start a single connection without changing all add it
here. Change also vpn-watch.
*/
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
safe_system("/usr/local/bin/vpn-watch &");
}
/*
issue ipsec commmands to turn off connection 'name'
@@ -193,6 +188,12 @@ int main(int argc, char *argv[]) {
/* Get vpnwatch pid */
if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
safe_system("unlink /var/run/vpn-watch.pid");
close(file);
}
/* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */
@@ -338,6 +339,8 @@ int main(int argc, char *argv[]) {
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
safe_system("/usr/local/bin/vpn-watch &");
exit(0);
}
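Review bot: In the new pid-handling block under `/* Get vpnwatch pid */`, `close(file)` is applied to a `FILE *`: `close()` takes an int descriptor, so this is a pointer-to-int mismatch that at best closes an unrelated descriptor and leaks the stream, and it must be `fclose(file)`. The stream is also opened but never read; the pid file's content is instead passed through a shell via `kill -9 $(cat /var/run/vpn-watch.pid)`, so it is neither parsed nor range-checked, unlike the `pid <= 1` guard that rebuildhosts.c in this same commit applies before calling `kill()`. Given that this helper appears to run privileged (safe_system, setuid.h conventions elsewhere in the tree), it should read the pid itself and call kill() directly; `<signal.h>` is needed if the file does not already include it. main() starts and ends outside the hunk, and removing the same block from turn_connection_on means an "S <name>" invocation no longer stops a running vpn-watch before spawning another — presumably vpn-watch.pl's own pid-file check covers that, but it is worth a comment.
```c
/* Get vpnwatch pid */
if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
	int wpid = 0;
	/* parse the pid ourselves rather than handing file content to a shell */
	if (fscanf(file, "%d", &wpid) == 1 && wpid > 1)
		kill(wpid, SIGKILL);
	fclose(file);
	unlink("/var/run/vpn-watch.pid");
}
```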


@@ -1,154 +1,176 @@
/* IPCop helper program - rebuildhosts
*
* This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details.
*
* (c) Alan Hourihane, 2003
*
*
* $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $
*
*/
#include "libsmooth.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
#include "setuid.h"
FILE *fd = NULL;
FILE *hosts = NULL;
struct keyvalue *kv = NULL;
void exithandler(void)
{
if (kv)
freekeyvalues(kv);
if (fd)
fclose(fd);
if (hosts)
fclose(hosts);
}
int main(int argc, char *argv[])
{
int fdpid;
char hostname[STRING_SIZE];
char domainname[STRING_SIZE] = "";
char buffer[STRING_SIZE];
char address[STRING_SIZE];
char *active, *ip, *host, *domain;
int pid;
if (!(initsetuid()))
exit(1);
atexit(exithandler);
memset(buffer, 0, STRING_SIZE);
kv = initkeyvalues();
if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))
{
fprintf(stderr, "Couldn't read ethernet settings\n");
exit(1);
}
findkey(kv, "GREEN_ADDRESS", address);
freekeyvalues(kv);
kv = initkeyvalues();
if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))
{
fprintf(stderr, "Couldn't read main settings\n");
exit(1);
}
strcpy(hostname, SNAME );
findkey(kv, "HOSTNAME", hostname);
findkey(kv, "DOMAINNAME", domainname);
freekeyvalues(kv);
kv = NULL;
if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
{
fprintf(stderr, "Couldn't open main hosts file\n");
exit(1);
}
if (!(hosts = fopen("/etc/hosts", "w")))
{
fprintf(stderr, "Couldn't open /etc/hosts file\n");
fclose(fd);
fd = NULL;
exit(1);
}
fprintf(hosts, "127.0.0.1\tlocalhost\n");
if (strlen(domainname))
fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
else
fprintf(hosts, "%s\t%s\n",address,hostname);
while (fgets(buffer, STRING_SIZE, fd))
{
buffer[strlen(buffer) - 1] = 0;
if (buffer[0]==',') continue; /* disabled if empty field */
active = strtok(buffer, ",");
if (strcmp(active, "off")==0) continue; /* or 'off' */
ip = strtok(NULL, ",");
host = strtok(NULL, ",");
domain = strtok(NULL, ",");
if (!(ip && host))
continue; // bad line ? skip
if (!VALID_IP(ip))
{
fprintf(stderr, "Bad IP: %s\n", ip);
continue; /* bad ip, skip */
}
if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))
{
fprintf(stderr, "Bad Host: %s\n", host);
continue; /* bad name, skip */
}
if (domain)
fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);
else
fprintf(hosts, "%s\t%s\n",ip,host);
}
fclose(fd);
fd = NULL;
fclose(hosts);
hosts = NULL;
if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)
{
fprintf(stderr, "Couldn't open pid file\n");
exit(1);
}
if (read(fdpid, buffer, STRING_SIZE - 1) == -1)
{
fprintf(stderr, "Couldn't read from pid file\n");
close(fdpid);
exit(1);
}
close(fdpid);
pid = atoi(buffer);
if (pid <= 1)
{
fprintf(stderr, "Bad pid value\n");
exit(1);
}
if (kill(pid, SIGHUP) == -1)
{
fprintf(stderr, "Unable to send SIGHUP\n");
exit(1);
}
return 0;
}
/* IPCop helper program - rebuildhosts
*
* This program is distributed under the terms of the GNU General Public
* Licence. See the file COPYING for details.
*
* (c) Alan Hourihane, 2003
*
*
* $Id: rebuildhosts.c,v 1.3.2.6 2005/07/11 10:56:47 franck78 Exp $
*
*/
#include "libsmooth.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
#include "setuid.h"
FILE *fd = NULL;
FILE *hosts = NULL;
FILE *gw = NULL;
struct keyvalue *kv = NULL;
void exithandler(void)
{
if (kv)
freekeyvalues(kv);
if (fd)
fclose(fd);
if (hosts)
fclose(hosts);
if (gw)
fclose(gw);
}
int main(int argc, char *argv[])
{
int fdpid;
char hostname[STRING_SIZE];
char domainname[STRING_SIZE] = "";
char gateway[STRING_SIZE] = "";
char buffer[STRING_SIZE];
char address[STRING_SIZE];
char *active, *ip, *host, *domain;
int pid;
if (!(initsetuid()))
exit(1);
atexit(exithandler);
memset(buffer, 0, STRING_SIZE);
kv = initkeyvalues();
if (!(readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")))
{
fprintf(stderr, "Couldn't read ethernet settings\n");
exit(1);
}
findkey(kv, "GREEN_ADDRESS", address);
freekeyvalues(kv);
kv = initkeyvalues();
if (!(readkeyvalues(kv, CONFIG_ROOT "/main/settings")))
{
fprintf(stderr, "Couldn't read main settings\n");
exit(1);
}
strcpy(hostname, SNAME );
findkey(kv, "HOSTNAME", hostname);
findkey(kv, "DOMAINNAME", domainname);
freekeyvalues(kv);
kv = NULL;
if (!(gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
{
fprintf(stderr, "Couldn't open remote-ipaddress file\n");
fclose(gw);
gw = NULL;
exit(1);
}
if (fgets(gateway, STRING_SIZE, gw) == NULL)
{
fprintf(stderr, "Couldn't read remote-ipaddress\n");
exit(1);
}
if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
{
fprintf(stderr, "Couldn't open main hosts file\n");
exit(1);
}
if (!(hosts = fopen("/etc/hosts", "w")))
{
fprintf(stderr, "Couldn't open /etc/hosts file\n");
fclose(fd);
fd = NULL;
exit(1);
}
fprintf(hosts, "127.0.0.1\tlocalhost\n");
if (strlen(domainname))
fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
else
fprintf(hosts, "%s\t%s\n",address,hostname);
fprintf(hosts, "%s\tgateway\n",gateway);
while (fgets(buffer, STRING_SIZE, fd))
{
buffer[strlen(buffer) - 1] = 0;
if (buffer[0]==',') continue; /* disabled if empty field */
active = strtok(buffer, ",");
if (strcmp(active, "off")==0) continue; /* or 'off' */
ip = strtok(NULL, ",");
host = strtok(NULL, ",");
domain = strtok(NULL, ",");
if (!(ip && host))
continue; // bad line ? skip
if (!VALID_IP(ip))
{
fprintf(stderr, "Bad IP: %s\n", ip);
continue; /* bad ip, skip */
}
if (strspn(host, LETTERS_NUMBERS "-") != strlen(host))
{
fprintf(stderr, "Bad Host: %s\n", host);
continue; /* bad name, skip */
}
if (domain)
fprintf(hosts, "%s\t%s.%s\t%s\n",ip,host,domain,host);
else
fprintf(hosts, "%s\t%s\n",ip,host);
}
fclose(fd);
fd = NULL;
fclose(hosts);
hosts = NULL;
if ((fdpid = open("/var/run/dnsmasq.pid", O_RDONLY)) == -1)
{
fprintf(stderr, "Couldn't open pid file\n");
exit(1);
}
if (read(fdpid, buffer, STRING_SIZE - 1) == -1)
{
fprintf(stderr, "Couldn't read from pid file\n");
close(fdpid);
exit(1);
}
close(fdpid);
pid = atoi(buffer);
if (pid <= 1)
{
fprintf(stderr, "Bad pid value\n");
exit(1);
}
if (kill(pid, SIGHUP) == -1)
{
fprintf(stderr, "Unable to send SIGHUP\n");
exit(1);
}
return 0;
}
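Review bot: In the new `remote-ipaddress` block the failure branch calls `fclose(gw)` while `gw` is NULL (the `fopen` immediately before just failed), which is undefined behaviour and should simply be dropped. More importantly, the gateway value is written into `/etc/hosts` verbatim: `fgets` leaves the trailing newline in `gateway`, and the value is never checked with `VALID_IP` the way every entry from `main/hosts` is a few lines later, so whatever that file contains (presumably the RED side's negotiated address, i.e. data originating from the upstream provider) is copied into a root-owned name-resolution file by a setuid helper. The hard `exit(1)` when the file cannot be opened also means `/etc/hosts` is no longer regenerated at all while RED is down or unconfigured, which the previous version did not require, so the gateway entry should be optional rather than fatal. Suggested rewrite of that block and of the `fprintf(hosts, "%s\tgateway\n",gateway);` line:
```c
	/* gateway entry is optional: RED may be down or not yet configured */
	if ((gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
	{
		if (fgets(gateway, STRING_SIZE, gw))
			gateway[strcspn(gateway, "\r\n")] = '\0';
		fclose(gw);
		gw = NULL;
	}
	/* … unchanged: open main/hosts, open /etc/hosts, localhost and own-hostname lines … */
	if (strlen(gateway) && VALID_IP(gateway))
		fprintf(hosts, "%s\tgateway\n", gateway);
	else if (strlen(gateway))
		fprintf(stderr, "Bad gateway IP: %s\n", gateway);
```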


@@ -1,6 +1,6 @@
#!/usr/bin/perl
##################################################
##### VPN-Watch.pl Version 0.4c #####
##### VPN-Watch.pl Version 0.5 #####
##################################################
# #
# VPN-Watch is part of the IPFire Firewall #
@@ -24,13 +24,17 @@ if ( -e $file ){
}
system("echo $$ > $file");
my $round=0;
while ( $i == 0){
if ($debug){logger("We will wait 60 seconds before next action.");}
sleep(60);
if (open(FILE, "<${General::swroot}/vpn/config")) {
@vpnsettings = <FILE>;
$round++;
# Reset roundcounter after 10 min. To do established check.
if ($round > 9) { $round=0 }
if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
close(FILE);
unless(@vpnsettings) {exit 1;}
}
@@ -50,12 +54,21 @@ foreach (@vpnsettings){
my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
my $ipmatch= `echo "$status" | grep $remoteip | grep $settings[2]`;
my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
if ( $ipmatch eq '' ){
logger("Remote IP for host $remotehostname-$remoteip has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S");
logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
}
if ( ($round = 0) && ($established eq '')) {
logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
}
}
if ($debug){logger("All connections may be fine nothing was done.");}
@@ -65,4 +78,3 @@ sub logger {
my $log = shift;
system("logger -t vpnwatch \"$log\"");
}
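Review bot: The new established check `if ( ($round = 0) && ($established eq '')) {` uses assignment instead of comparison: `$round = 0` evaluates to 0, so the branch can never run, and as a side effect `$round` is reset to 0 on every pass, which also defeats the ten-round counter set up earlier in the loop. It should read `if ( ($round == 0) && ($established eq '') ) {`. The single quotes added around `$remoteip` and `$settings[2]` in the grep pipelines help, but those values, `$remotehostname` and `$settings[0]` are still interpolated into shell commands and into grep patterns straight from the VPN config file; the safer form is the list variant, e.g. `system('/usr/local/bin/ipsecctrl', 'S', $settings[0]);`, with `\Q...\E`/`quotemeta` where a value must land in a pattern. The loop body and the `foreach` it belongs to continue outside the hunk, so what `$i` and `$status` are bound to cannot be confirmed here.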