[ipfire-2.x.git] / src / misc-progs / captivectrl.c

/* This file is part of the IPFire Firewall.
*
* This program is distributed under the terms of the GNU General Public
* Licence.  See the file COPYING for details. */

#define _BSD_SOURCE
#define _XOPEN_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include "libsmooth.h"
#include "setuid.h"

#define CAPTIVE_PORTAL_SETTINGS		CONFIG_ROOT "/captive/settings"
#define ETHERNET_SETTINGS		CONFIG_ROOT "/ethernet/settings"

#define CLIENTS				CONFIG_ROOT "/captive/clients"
#define IPTABLES			"/sbin/iptables --wait"
#define HTTP_PORT			80
#define REDIRECT_PORT			1013

typedef struct client {
	char etheraddr[STRING_SIZE];
	char ipaddr[STRING_SIZE];
	time_t time_start;
	int expires;

	struct client* next;
} client_t;

static time_t parse_time(const char* s) {
	int t = 0;

	if (sscanf(s, "%d", &t) == 1) {
		return (time_t)t;
	}

	return -1;
}

static char* format_time(const time_t* t) {
	char buffer[STRING_SIZE];

	struct tm* tm = gmtime(t);
	if (tm == NULL)
		return NULL;

	strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M", tm);

	return strdup(buffer);
}

static client_t* read_clients(char* filename) {
	FILE* f = NULL;

	if (!(f = fopen(filename, "r"))) {
		fprintf(stderr, "Could not open configuration file: %s\n", filename);
		return NULL;;
	}

	char line[STRING_SIZE];

	client_t* client_first = NULL;
	client_t* client_last = NULL;
	client_t* client_curr;

	while ((fgets(line, STRING_SIZE, f) != NULL)) {
		if (line[strlen(line) - 1] == '\n')
			line[strlen(line) - 1] = '\0';

		client_curr = (client_t*)malloc(sizeof(client_t));
		memset(client_curr, 0, sizeof(client_t));

		if (client_first == NULL)
			client_first = client_curr;
		else
			client_last->next = client_curr;
		client_last = client_curr;

		unsigned int count = 0;
		char* lineptr = line;
		while (1) {
			if (!*lineptr)
				break;

			char* word = lineptr;
			while (*lineptr != '\0') {
				if (*lineptr == ',') {
					*lineptr = '\0';
					lineptr++;
					break;
				}
				lineptr++;
			}

			switch (count++) {
				// Ethernet address
				case 1:
					strcpy(client_curr->etheraddr, word);
					break;

				// IP address
				case 2:
					strcpy(client_curr->ipaddr, word);
					break;

				// Start time
				case 3:
					client_curr->time_start = parse_time(word);
					break;

				// Expire duration
				case 4:
					client_curr->expires = atoi(word);
					break;

				default:
					break;
			}
		}
	}

	if (f)
		fclose(f);

	return client_first;
}

static void flush_chains() {
	// filter
	safe_system(IPTABLES " -F CAPTIVE_PORTAL");
	safe_system(IPTABLES " -F CAPTIVE_PORTAL_CLIENTS");

	// nat
	safe_system(IPTABLES " -t nat -F CAPTIVE_PORTAL");
}

static int add_client_rules(const client_t* clients) {
	char command[STRING_SIZE];
	char match[STRING_SIZE];

	while (clients) {
		size_t len = 0;

		if (*clients->ipaddr && clients->expires > 0) {
			len += snprintf(match + len, sizeof(match) - len,
				"-s %s", clients->ipaddr);
		}

		len += snprintf(match + len, sizeof(match) - len,
			" -m mac --mac-source %s", clients->etheraddr);

		if (clients->expires > 0) {
			time_t expires = clients->time_start + clients->expires;

			char* time_start = format_time(&clients->time_start);
			char* time_end = format_time(&expires);

			len += snprintf(match + len, sizeof(match) - len,
				"-m time --datestart %s --datestop %s",
				time_start, time_end);

			free(time_start);
			free(time_end);
		}

		// filter
		snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
			" %s -j RETURN", match);
		safe_system(command);

		// nat
		snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL"
			" %s -j RETURN", match);
		safe_system(command);

		// Move on to the next client
		clients = clients->next;
	}

	return 0;
}

static char* get_key(struct keyvalue* settings, char* key) {
	char value[STRING_SIZE];

	if (!findkey(settings, key, value))
		return NULL;

	return strdup(value);
}

static int add_interface_rule(const char* intf, int allow_webif_access) {
	int r;
	char command[STRING_SIZE];

	if ((intf == NULL) || (strlen(intf) == 0)) {
		fprintf(stderr, "Empty interface given\n");
		return -1;
	}

	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -i %s"
		" -j CAPTIVE_PORTAL_CLIENTS", intf);
	r = safe_system(command);
	if (r)
		return r;

#if 0
	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -o %s"
		" -j CAPTIVE_PORTAL_CLIENTS", intf);
	r = safe_system(command);
	if (r)
		return r;
#endif

	if (allow_webif_access) {
		snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
			" -i %s -p tcp --dport 444 -j RETURN", intf);
		r = safe_system(command);
		if (r)
			return r;
	}

	// Redirect all unauthenticated clients
	snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL -i %s"
		" -p tcp --dport %d -j REDIRECT --to-ports %d", intf, HTTP_PORT, REDIRECT_PORT);
	r = safe_system(command);
	if (r)
		return r;

	return 0;
}

static int add_interface_rules(struct keyvalue* captive_portal_settings, struct keyvalue* ethernet_settings) {
	const char* intf;
	char* setting;
	int r = 0;

	setting = get_key(captive_portal_settings, "ENABLE_GREEN");
	if (setting && (strcmp(setting, "on") == 0)) {
		free(setting);

		intf = get_key(ethernet_settings, "GREEN_DEV");
		r = add_interface_rule(intf, /* allow webif access from green */ 1);
		if (r)
			return r;
	}

	setting = get_key(captive_portal_settings, "ENABLE_BLUE");
	if (setting && (strcmp(setting, "on") == 0)) {
		free(setting);

		intf = get_key(ethernet_settings, "BLUE_DEV");
		r = add_interface_rule(intf, /* do not allow webif access */ 0);
		if (r)
			return r;
	}

	// Always pass DNS packets through all firewall rules
	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p udp --dport 53 -j RETURN");
	if (r)
		return r;

	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p tcp --dport 53 -j RETURN");
	if (r)
		return r;

	char command[STRING_SIZE];
	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
		" -p tcp --dport %d -j RETURN", REDIRECT_PORT);
	r = safe_system(command);
	if (r)
		return r;

	// Add the last rule
	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -j DROP");
	if (r)
		return r;

	return r;
}

int main(int argc, char** argv) {
	int r = 0;
	char* intf = NULL;
	client_t* clients = NULL;

	if (!(initsetuid()))
		exit(2);

	struct keyvalue* ethernet_settings = initkeyvalues();
	if (!readkeyvalues(ethernet_settings, ETHERNET_SETTINGS)) {
		fprintf(stderr, "Could not read %s\n", ETHERNET_SETTINGS);
		r = 1;
		goto END;
	}

	struct keyvalue* captive_portal_settings = initkeyvalues();
	if (!readkeyvalues(captive_portal_settings, CAPTIVE_PORTAL_SETTINGS)) {
		fprintf(stderr, "Could not read %s\n", CAPTIVE_PORTAL_SETTINGS);
		r = 1;
		goto END;
	}

	clients = read_clients(CLIENTS);

	// Clean up all old rules
	flush_chains();

	// Add all client rules
	r = add_client_rules(clients);
	if (r)
		goto END;

	// Add all interface rules
	r = add_interface_rules(captive_portal_settings, ethernet_settings);
	if (r)
		goto END;

END:
	while (clients) {
		client_t* head = clients;
		clients = clients->next;

		free(head);
	}

	if (ethernet_settings)
		freekeyvalues(ethernet_settings);

	if (captive_portal_settings)
		freekeyvalues(captive_portal_settings);

	if (intf)
		free(intf);

	return r;
}
Commit	Line	Data
ee40139d MT	1	/* This file is part of the IPFire Firewall.
	2	*
	3	* This program is distributed under the terms of the GNU General Public
	4	* Licence. See the file COPYING for details. */
	5
7ef66b61 MT	6	#define _BSD_SOURCE
	7	#define _XOPEN_SOURCE
	8
ee40139d MT	9	#include <stdio.h>
	10	#include <stdlib.h>
	11	#include <string.h>
7ef66b61	12	#include <time.h>
ee40139d MT	13
	14	#include "libsmooth.h"
	15	#include "setuid.h"
	16
	17	#define CAPTIVE_PORTAL_SETTINGS CONFIG_ROOT "/captive/settings"
	18	#define ETHERNET_SETTINGS CONFIG_ROOT "/ethernet/settings"
	19
	20	#define CLIENTS CONFIG_ROOT "/captive/clients"
	21	#define IPTABLES "/sbin/iptables --wait"
	22	#define HTTP_PORT 80
	23	#define REDIRECT_PORT 1013
	24
	25	typedef struct client {
	26	char etheraddr[STRING_SIZE];
	27	char ipaddr[STRING_SIZE];
7ef66b61 MT	28	time_t time_start;
7ef66b61 MT	29	int expires;
ee40139d MT	30
	31	struct client* next;
	32	} client_t;
	33
7ef66b61 MT	34	static time_t parse_time(const char* s) {
7ef66b61 MT	35	int t = 0;
ee40139d	36
7ef66b61 MT	37	if (sscanf(s, "%d", &t) == 1) {
7ef66b61 MT	38	return (time_t)t;
ee40139d MT	39	}
	40
	41	return -1;
	42	}
	43
7ef66b61	44	static char* format_time(const time_t* t) {
ee40139d	45	char buffer[STRING_SIZE];
7ef66b61 MT	46
	47	struct tm* tm = gmtime(t);
	48	if (tm == NULL)
	49	return NULL;
	50
	51	strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M", tm);
ee40139d MT	52
	53	return strdup(buffer);
	54	}
	55
	56	static client_t* read_clients(char* filename) {
	57	FILE* f = NULL;
	58
	59	if (!(f = fopen(filename, "r"))) {
	60	fprintf(stderr, "Could not open configuration file: %s\n", filename);
	61	return NULL;;
	62	}
	63
	64	char line[STRING_SIZE];
	65
	66	client_t* client_first = NULL;
	67	client_t* client_last = NULL;
	68	client_t* client_curr;
	69
	70	while ((fgets(line, STRING_SIZE, f) != NULL)) {
	71	if (line[strlen(line) - 1] == '\n')
	72	line[strlen(line) - 1] = '\0';
	73
	74	client_curr = (client_t*)malloc(sizeof(client_t));
	75	memset(client_curr, 0, sizeof(client_t));
	76
	77	if (client_first == NULL)
	78	client_first = client_curr;
	79	else
	80	client_last->next = client_curr;
	81	client_last = client_curr;
	82
	83	unsigned int count = 0;
	84	char* lineptr = line;
	85	while (1) {
	86	if (!*lineptr)
	87	break;
	88
	89	char* word = lineptr;
	90	while (*lineptr != '\0') {
	91	if (*lineptr == ',') {
	92	*lineptr = '\0';
	93	lineptr++;
	94	break;
	95	}
	96	lineptr++;
	97	}
	98
	99	switch (count++) {
	100	// Ethernet address
	101	case 1:
	102	strcpy(client_curr->etheraddr, word);
	103	break;
	104
	105	// IP address
	106	case 2:
	107	strcpy(client_curr->ipaddr, word);
	108	break;
	109
	110	// Start time
	111	case 3:
	112	client_curr->time_start = parse_time(word);
	113	break;
	114
7ef66b61	115	// Expire duration
ee40139d	116	case 4:
7ef66b61	117	client_curr->expires = atoi(word);
ee40139d MT	118	break;
	119
	120	default:
	121	break;
	122	}
	123	}
	124	}
	125
	126	if (f)
	127	fclose(f);
	128
	129	return client_first;
	130	}
	131
	132	static void flush_chains() {
	133	// filter
	134	safe_system(IPTABLES " -F CAPTIVE_PORTAL");
	135	safe_system(IPTABLES " -F CAPTIVE_PORTAL_CLIENTS");
	136
	137	// nat
	138	safe_system(IPTABLES " -t nat -F CAPTIVE_PORTAL");
	139	}
	140
	141	static int add_client_rules(const client_t* clients) {
	142	char command[STRING_SIZE];
	143	char match[STRING_SIZE];
	144
	145	while (clients) {
5fbeaf13 MT	146	size_t len = 0;
5fbeaf13 MT	147
0c24f0a9	148	if (*clients->ipaddr && clients->expires > 0) {
5fbeaf13 MT	149	len += snprintf(match + len, sizeof(match) - len,
	150	"-s %s", clients->ipaddr);
	151	}
	152
	153	len += snprintf(match + len, sizeof(match) - len,
0c24f0a9 MT	154	" -m mac --mac-source %s", clients->etheraddr);
	155
	156	if (clients->expires > 0) {
	157	time_t expires = clients->time_start + clients->expires;
	158
	159	char* time_start = format_time(&clients->time_start);
	160	char* time_end = format_time(&expires);
ee40139d	161
0c24f0a9 MT	162	len += snprintf(match + len, sizeof(match) - len,
	163	"-m time --datestart %s --datestop %s",
	164	time_start, time_end);
	165
	166	free(time_start);
	167	free(time_end);
	168	}
ee40139d MT	169
	170	// filter
	171	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
	172	" %s -j RETURN", match);
	173	safe_system(command);
	174
	175	// nat
	176	snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL"
	177	" %s -j RETURN", match);
	178	safe_system(command);
	179
	180	// Move on to the next client
	181	clients = clients->next;
	182	}
	183
	184	return 0;
	185	}
	186
	187	static char* get_key(struct keyvalue* settings, char* key) {
	188	char value[STRING_SIZE];
	189
	190	if (!findkey(settings, key, value))
	191	return NULL;
	192
	193	return strdup(value);
	194	}
	195
	196	static int add_interface_rule(const char* intf, int allow_webif_access) {
	197	int r;
	198	char command[STRING_SIZE];
	199
	200	if ((intf == NULL) \|\| (strlen(intf) == 0)) {
	201	fprintf(stderr, "Empty interface given\n");
	202	return -1;
	203	}
	204
	205	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -i %s"
	206	" -j CAPTIVE_PORTAL_CLIENTS", intf);
	207	r = safe_system(command);
	208	if (r)
	209	return r;
	210
	211	#if 0
	212	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -o %s"
	213	" -j CAPTIVE_PORTAL_CLIENTS", intf);
	214	r = safe_system(command);
	215	if (r)
	216	return r;
	217	#endif
	218
	219	if (allow_webif_access) {
	220	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
	221	" -i %s -p tcp --dport 444 -j RETURN", intf);
	222	r = safe_system(command);
	223	if (r)
	224	return r;
	225	}
	226
	227	// Redirect all unauthenticated clients
	228	snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL -i %s"
	229	" -p tcp --dport %d -j REDIRECT --to-ports %d", intf, HTTP_PORT, REDIRECT_PORT);
	230	r = safe_system(command);
	231	if (r)
	232	return r;
233
234	return 0;
235	}
236
237	static int add_interface_rules(struct keyvalue* captive_portal_settings, struct keyvalue* ethernet_settings) {
238	const char* intf;
239	char* setting;
240	int r = 0;
241
242	setting = get_key(captive_portal_settings, "ENABLE_GREEN");
243	if (setting && (strcmp(setting, "on") == 0)) {
244	free(setting);
245
246	intf = get_key(ethernet_settings, "GREEN_DEV");
247	r = add_interface_rule(intf, /* allow webif access from green */ 1);
248	if (r)
249	return r;
250	}
251
252	setting = get_key(captive_portal_settings, "ENABLE_BLUE");
253	if (setting && (strcmp(setting, "on") == 0)) {
254	free(setting);
255
256	intf = get_key(ethernet_settings, "BLUE_DEV");
257	r = add_interface_rule(intf, /* do not allow webif access */ 0);
258	if (r)
259	return r;
260	}
261
262	// Always pass DNS packets through all firewall rules
263	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p udp --dport 53 -j RETURN");
264	if (r)
265	return r;
266
267	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p tcp --dport 53 -j RETURN");
268	if (r)
269	return r;
270
271	char command[STRING_SIZE];
272	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
273	" -p tcp --dport %d -j RETURN", REDIRECT_PORT);
274	r = safe_system(command);
275	if (r)
276	return r;
277
278	// Add the last rule
279	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -j DROP");
280	if (r)
281	return r;
282
283	return r;
284	}
285
286	int main(int argc, char** argv) {
287	int r = 0;
288	char* intf = NULL;
289	client_t* clients = NULL;
290
291	if (!(initsetuid()))
292	exit(2);
293
294	struct keyvalue* ethernet_settings = initkeyvalues();
295	if (!readkeyvalues(ethernet_settings, ETHERNET_SETTINGS)) {
296	fprintf(stderr, "Could not read %s\n", ETHERNET_SETTINGS);
297	r = 1;
298	goto END;
299	}
300
301	struct keyvalue* captive_portal_settings = initkeyvalues();
302	if (!readkeyvalues(captive_portal_settings, CAPTIVE_PORTAL_SETTINGS)) {
303	fprintf(stderr, "Could not read %s\n", CAPTIVE_PORTAL_SETTINGS);
304	r = 1;
305	goto END;
306	}
307
308	clients = read_clients(CLIENTS);
309
310	// Clean up all old rules
311	flush_chains();
312
313	// Add all client rules
314	r = add_client_rules(clients);
315	if (r)
316	goto END;
317
318	// Add all interface rules
319	r = add_interface_rules(captive_portal_settings, ethernet_settings);
320	if (r)
321	goto END;
322
323	END:
324	while (clients) {
325	client_t* head = clients;
326	clients = clients->next;
327
328	free(head);
329	}
330
331	if (ethernet_settings)
332	freekeyvalues(ethernet_settings);
333
334	if (captive_portal_settings)
335	freekeyvalues(captive_portal_settings);
336
337	if (intf)
338	free(intf);
339
340	return r;
341	}