This changes the behaviour of the wirelessctrl binary so that it no longer creates useless rules in the WIRELESSINPUT and WIRELESSFORWARD chains that have no use at all. These chains are kept empty if /var/ipfire/wireless/nodrop exists.
/* IPCop helper program - wirelessctrl
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence. See the file COPYING for details.
 *
 * (c) Alan Hourihane, 2003
 *
 * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
 *
 */
#include "libsmooth.h"
#include "setuid.h"

#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/* Handle on the wireless client list (wireless/config), closed by exithandler().
 * Named like a file descriptor for historical reasons, but it is a stdio FILE. */
FILE *fd = NULL;
/* Name of the BLUE (wireless) interface, read from ethernet/settings by main().
 * exithandler() only appends its DROP rules while this is non-empty. */
char blue_dev[STRING_SIZE] = "";
/* Scratch buffer every iptables command line is formatted into before safe_system(). */
char command[STRING_SIZE];
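/*
 * atexit() handler: append the final DROP rules to both wireless chains and
 * close the client list, if one was opened.
 *
 * main() registers this only after BLUE_DEV has been validated and the
 * "nodrop" opt-out has been checked, so every later exit path -- normal
 * return, missing config file or a fatal error -- still ends with the BLUE
 * interface blocked.  The comment match on the rules is what lets collectd
 * collect the byte counters of the dropped traffic.
 */
void exithandler(void)
{
	if (strlen(blue_dev) > 0) {
		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);
		snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);
	}

	if (fd) {
		fclose(fd);
		fd = NULL; /* no double close should the handler ever run twice */
	}
}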
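/*
 * Format one iptables rule into the shared "command" buffer and run it.
 *
 * @param fmt  printf-style iptables command line.  Its arguments are the
 *             interface names, addresses and settings that main() has already
 *             validated -- nothing reaches the shell unchecked.
 *
 * A rule that does not fit into the buffer is reported and skipped rather
 * than executed truncated, since a cut-off command line could mean something
 * other than the intended rule.
 */
static void __attribute__((format(printf, 1, 2))) add_rule(const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(command, STRING_SIZE-1, fmt, ap);
	va_end(ap);

	if (n < 0 || n >= STRING_SIZE-1) {
		fprintf(stderr, "iptables rule too long, skipped: %.40s...\n", fmt);
		return;
	}
	safe_system(command);
}

/*
 * Check that a MAC address has the canonical form "xx:xx:xx:xx:xx:xx".
 *
 * @param mac  NUL-terminated string, may be NULL.
 * @return     1 if well-formed, 0 otherwise.
 *
 * The address is interpolated into an iptables command line, so the length
 * check the code used to rely on is not enough on its own: every byte must
 * be a hex digit or a colon.
 */
static int valid_mac(const char *mac)
{
	if (mac == NULL || strlen(mac) != 17)
		return 0;

	for (int i = 0; i < 17; i++) {
		if (i % 3 == 2) {
			if (mac[i] != ':')
				return 0;
		} else if (!isxdigit((unsigned char)mac[i])) {
			return 0;
		}
	}
	return 1;
}

/*
 * Check that a port setting is a plain decimal number in 1..65535.
 *
 * @param s  NUL-terminated string, may be NULL.
 * @return   1 if acceptable as an iptables --dport value, 0 otherwise.
 */
static int valid_port(const char *s)
{
	char *end;
	long port;

	/* rejects the empty string and the leading blanks/signs strtol would accept */
	if (s == NULL || !isdigit((unsigned char)s[0]))
		return 0;

	errno = 0;
	port = strtol(s, &end, 10);
	return *end == '\0' && errno == 0 && port >= 1 && port <= 65535;
}

/*
 * Allow one wireless client through both chains: into the firewall itself
 * (WIRELESSINPUT), onward to anything but GREEN (WIRELESSFORWARD) and on to
 * the DMZHOLES chain.
 *
 * @param match  iptables source match identifying the client, e.g.
 *               "-s 1.2.3.4" or "-m mac --mac-source xx:xx:xx:xx:xx:xx".
 * @param blue   BLUE (wireless) interface name.
 * @param green  GREEN interface name.
 */
static void add_client_rules(const char *match, const char *blue, const char *green)
{
	add_rule("/sbin/iptables -A WIRELESSINPUT %s -i %s -j ACCEPT", match, blue);
	add_rule("/sbin/iptables -A WIRELESSFORWARD %s -i %s ! -o %s -j ACCEPT", match, blue, green);
	add_rule("/sbin/iptables -A WIRELESSFORWARD %s -i %s -j DMZHOLES", match, blue);
}

/*
 * Rebuild the WIRELESSINPUT and WIRELESSFORWARD chains from the wireless
 * client list.
 *
 * Both chains are flushed first.  Unless CONFIG_ROOT/wireless/nodrop exists
 * (then they are left empty), an ACCEPT rule set is added for every enabled
 * client in wireless/config, optional DROP rules for the proxy port and the
 * Samba ports, optional LOG rules, and -- from exithandler(), on every exit
 * path after it is registered -- a final DROP for the whole BLUE interface.
 *
 * @return 0 on success; exit(1) on any unreadable or invalid setting.
 */
int main(void)
{
	char green_dev[STRING_SIZE] = "";
	char buffer[STRING_SIZE] = "";
	char match[STRING_SIZE];
	char *ipaddress, *macaddress, *enabled;
	struct keyvalue *kv = NULL;
	static const char samba_ports[] = "135,137,138,139,445,1025";

	if (!initsetuid())
		exit(1);

	/* flush wireless iptables */
	safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	/* Init the keyvalue structure */
	kv = initkeyvalues();
	if (!kv) {
		fprintf(stderr, "Cannot initialise settings\n");
		exit(1);
	}

	/* Read in the current values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	/* Read in the firewall values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	/* Get the GREEN interface details; both interface names end up on
	 * iptables command lines, so they are checked before anything runs */
	if (!findkey(kv, "GREEN_DEV", green_dev)) {
		fprintf(stderr, "Cannot read GREEN_DEV\n");
		exit(1);
	}
	if (!VALID_DEVICE(green_dev)) {
		fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
		exit(1);
	}

	/* Get the BLUE interface details */
	if (!findkey(kv, "BLUE_DEV", blue_dev)) {
		fprintf(stderr, "Cannot read BLUE_DEV\n");
		exit(1);
	}
	if (strlen(blue_dev) > 0 && !VALID_DEVICE(blue_dev)) {
		fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
		exit(1);
	}
	/* was "if(! strlen(blue_dev) > 0)", which only worked because !x is
	 * 0 or 1 -- spelled out as what was meant */
	if (strlen(blue_dev) == 0) {
		fprintf(stderr, "No BLUE interface\n");
		exit(0);
	}

	/* Administrator opt-out: leave both chains empty.  The exit handler is
	 * deliberately not registered yet, so no DROP rule is appended either. */
	if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r"))) {
		fclose(fd);
		fd = NULL;
		return 0;
	}

	/* register exit handler to ensure the block rule is always present */
	if (atexit(exithandler) != 0) {
		/* fail closed: without the handler nothing would ever add the
		 * DROP rules, so add them by hand before giving up */
		fprintf(stderr, "Cannot register exit handler\n");
		exithandler();
		exit(1);
	}

	/* no client list: nothing to allow, the exit handler still blocks BLUE */
	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
		exit(0);

	/* restrict blue access to the proxy port */
	if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "off") != 0) {
		/* Read the proxy values */
		if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !findkey(kv, "PROXY_PORT", buffer)) {
			fprintf(stderr, "Cannot read proxy settings\n");
			exit(1);
		}
		/* the port goes onto a command line: accept only a plain number */
		if (!valid_port(buffer)) {
			fprintf(stderr, "Bad PROXY_PORT: %s\n", buffer);
			exit(1);
		}
		add_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
		add_rule("/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
	}

	/* do not allow blue to access a samba server running on the firewall */
	if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "off") != 0) {
		add_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, samba_ports);
		add_rule("/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, samba_ports);
		add_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, samba_ports);
		add_rule("/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, samba_ports);
	}

	/* one client per line: index,ipaddress,macaddress,enabled[,...] */
	while (fgets(buffer, STRING_SIZE, fd)) {
		/* strip the line ending; unlike "strlen - 1" this is also safe on
		 * a last line without a newline */
		buffer[strcspn(buffer, "\r\n")] = '\0';

		/* NOTE(review): strtok collapses empty fields, so a line with an
		 * empty column shifts the following ones -- kept as the file has
		 * always been parsed; verify against the writer of wireless/config */
		(void)strtok(buffer, ",");
		ipaddress = strtok(NULL, ",");
		macaddress = strtok(NULL, ",");
		enabled = strtok(NULL, ",");

		/* a short line used to dereference NULL here; a crash skips the
		 * atexit handler, leaving the chains without their DROP rules */
		if (!ipaddress || !macaddress || !enabled) {
			fprintf(stderr, "Ignoring malformed line in wireless config\n");
			continue;
		}
		if (strncmp(enabled, "on", 2) != 0)
			continue;

		int have_mac = valid_mac(macaddress);
		int have_ip = VALID_IP(ipaddress);

		if (have_mac && have_ip) {
			/* both specified, added security */
			snprintf(match, sizeof match, "-m mac --mac-source %s -s %s", macaddress, ipaddress);
			add_client_rules(match, blue_dev, green_dev);
		} else if (have_mac) {
			snprintf(match, sizeof match, "-m mac --mac-source %s", macaddress);
			add_client_rules(match, blue_dev, green_dev);
		} else if (have_ip) {
			snprintf(match, sizeof match, "-s %s", ipaddress);
			add_client_rules(match, blue_dev, green_dev);
		} else {
			fprintf(stderr, "Ignoring wireless client with neither a valid MAC nor a valid IP address\n");
		}
	}

	/* with this rule you can disable the logging of the dropped wireless input packets */
	if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer, "off") != 0)
		add_rule("/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);

	/* with this rule you can disable the logging of the dropped wireless forward packets */
	if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer, "off") != 0)
		add_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);

	return 0;
}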