1 | /* Derived from SmoothWall helper programs\r |
2 | *\r | |
3 | * This program is distributed under the terms of the GNU General Public\r | |
4 | * Licence. See the file COPYING for details.\r | |
5 | *\r | |
6 | * (c) Daniel Goscomb, 2001\r | |
7 | *\r | |
8 | * Modifications and improvements by Lawrence Manning.\r | |
9 | *\r | |
10 | * 19/04/03 Robert Kerr Fixed root exploit\r | |
11 | *\r | |
12 | * 20/08/05 Achim Weber 20 Modified to have a binary for the new firewall options page in IPCop 1.4.8\r | |
13 | *\r | |
14 | * 02/10/05 Gilles Espinasse treat only ping actually\r | |
15 | *\r | |
16 | * $Id: setfilters.c,v 1.1.2.2 2006/02/07 20:54:16 gespinasse Exp $\r | |
17 | *\r | |
18 | */\r | |
19 | \r | |
20 | #include <stdio.h>\r | |
21 | #include <stdlib.h>\r | |
22 | #include <string.h>\r | |
23 | #include "libsmooth.h"\r | |
24 | #include "setuid.h"\r | |
25 | \r | |
26 | struct keyvalue *kv = NULL;\r | |
27 | FILE *ifacefile = NULL;\r | |
28 | \r | |
/* atexit() hook (registered in main): frees the settings list held in the
 * global kv, if one exists. */
void exithandler(void)
{
	if (!kv)
		return;

	freekeyvalues(kv);
}
34 | \r | |
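/*
 * Rebuild the GUIINPUT iptables chain from the DISABLEPING firewall option.
 *
 * DISABLEPING is read from CONFIG_ROOT "/optionsfw/settings" and must be one
 * of "NO", "ONLYRED" or "ALL". The RED interface name is read from
 * CONFIG_ROOT "/red/iface"; if that file cannot be opened, RED is treated as
 * unavailable.
 *
 * Security notes:
 *  - The program only continues when initsetuid() succeeds.
 *    NOTE(review): presumably this is a privileged helper; confirm what
 *    initsetuid() guarantees.
 *  - iface is the only non-constant text placed into a command string, and
 *    VALID_DEVICE() is the only gate in front of it. Any change that adds
 *    another interpolated value needs its own validation.
 *  - GUIINPUT is flushed before the new rule is built, so every later error
 *    path leaves the chain empty (no ICMP echo ACCEPT rule), i.e. fails
 *    closed.
 *
 * Returns 0 on success; exits with status 1 on a configuration error.
 */
int main(void)
{
	char iface[STRING_SIZE] = "";
	char command[STRING_SIZE];
	/* NOTE(review): findkey() is assumed to write at most STRING_SIZE bytes
	 * into its output buffer - confirm against libsmooth. */
	char disableping[STRING_SIZE];
	int redAvailable = 1;
	int len;

	if (!(initsetuid()))
		exit(1);

	atexit(exithandler);

	/* Read in and verify config */
	kv = initkeyvalues();

	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read firewall option settings\n");
		exit(1);
	}

	if (!findkey(kv, "DISABLEPING", disableping)) {
		fprintf(stderr, "Cannot read DISABLEPING\n");
		exit(1);
	}

	/* Allow-list the option: anything but the three known keywords is fatal. */
	if (strcmp(disableping, "NO") != 0
	    && strcmp(disableping, "ONLYRED") != 0
	    && strcmp(disableping, "ALL") != 0) {
		fprintf(stderr, "Bad DISABLEPING: %s\n", disableping);
		exit(1);
	}

	ifacefile = fopen(CONFIG_ROOT "/red/iface", "r");
	if (!ifacefile) {
		redAvailable = 0;
	} else {
		if (fgets(iface, STRING_SIZE, ifacefile)) {
			/* Cut at the newline. Unlike indexing with strlen() - 1,
			 * this cannot touch iface[-1] when the line read starts
			 * with a NUL byte. */
			iface[strcspn(iface, "\n")] = '\0';
		}
		fclose(ifacefile);
		ifacefile = NULL;

		/* iface is interpolated into a command line below, so it must
		 * be validated before any use. */
		if (!VALID_DEVICE(iface)) {
			fprintf(stderr, "Bad iface: %s\n", iface);
			exit(1);
		}
		redAvailable = 1;
	}

	/* NOTE(review): the results of the safe_system() calls are ignored, so
	 * a failed iptables invocation still ends in exit status 0. */
	safe_system("/sbin/iptables -F GUIINPUT");

	/* don't need to do anything if ping is disabled, so treat only other cases */
	if (strcmp(disableping, "NO") == 0
	    || (strcmp(disableping, "ONLYRED") == 0 && redAvailable == 0)) {
		/* Ping (icmp type 8) is allowed on every interface, or RED is
		 * not available, so it can be enabled on all interfaces. */
		len = snprintf(command, sizeof command,
			"/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT");
	} else if (strcmp(disableping, "ONLYRED") == 0) {
		/* Allow ping only on internal interfaces */
		len = snprintf(command, sizeof command,
			"/sbin/iptables -A GUIINPUT -i ! %s -p icmp --icmp-type 8 -j ACCEPT", iface);
	} else {
		/* "ALL": no ACCEPT rule is added, the flushed chain stays empty. */
		return 0;
	}

	/* Never hand a truncated rule to iptables: a cut-off command line is a
	 * different rule from the one intended. */
	if (len < 0 || (size_t)len >= sizeof command) {
		fprintf(stderr, "iptables command too long\n");
		exit(1);
	}

	safe_system(command);
	return 0;
}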