git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/misc-progs/setfilters.c
1 /* Derived from SmoothWall helper programs
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details.
6 * (c) Daniel Goscomb, 2001
8 * Modifications and improvements by Lawrence Manning.
10 * 19/04/03 Robert Kerr Fixed root exploit
12 * 20/08/05 Achim Weber 20 Modified to have a binary for the new firewall options page in IPCop 1.4.8
14 * 02/10/05 Gilles Espinasse treat only ping actually
16 * $Id: setfilters.c,v 1.1.2.2 2006/02/07 20:54:16 gespinasse Exp $
23 #include "libsmooth.h"
/*
 * File-scope state shared between the main flow and exithandler().
 * Both start as NULL so that "not yet acquired" can be told apart from
 * "acquired" (presumably what exithandler() relies on; its body is not
 * visible here, so confirm against the full file).
 */

/* Settings handle passed to readkeyvalues() and findkey(). */
struct keyvalue *kv = NULL;

/* Stream opened on CONFIG_ROOT "/red/iface" to read the RED device name. */
FILE *ifacefile = NULL;
29 void exithandler(void)
37 char iface
[STRING_SIZE
] = "";
38 char command
[STRING_SIZE
];
39 char disableping
[STRING_SIZE
];
47 /* Read in and verify config */
50 if (!readkeyvalues(kv
, CONFIG_ROOT
"/optionsfw/settings")) {
51 fprintf(stderr
, "Cannot read firewall option settings\n");
55 if (!findkey(kv
, "DISABLEPING", disableping
)) {
56 fprintf(stderr
, "Cannot read DISABLEPING\n");
60 if (strcmp(disableping
, "NO") != 0 && strcmp(disableping
, "ONLYRED") != 0 && strcmp(disableping
, "ALL") != 0) {
61 fprintf(stderr
, "Bad DISABLEPING: %s\n", disableping
);
65 if (!(ifacefile
= fopen(CONFIG_ROOT
"/red/iface", "r"))) {
68 if (fgets(iface
, STRING_SIZE
, ifacefile
)) {
69 if (iface
[strlen(iface
) - 1] == '\n')
70 iface
[strlen(iface
) - 1] = '\0';
73 if (!VALID_DEVICE(iface
)) {
74 fprintf(stderr
, "Bad iface: %s\n", iface
);
80 safe_system("/sbin/iptables -F GUIINPUT");
82 /* don't need to do anything if ping is disabled, so treat only other cases */
83 if (strcmp(disableping
, "NO") == 0
84 || (strcmp(disableping
, "ONLYRED") == 0 && redAvailable
== 0)) {
85 // We allow ping (icmp type 8) on every interface,
86 // or RED is not available, so we can enable it on all (available) interfaces
87 memset(command
, 0, STRING_SIZE
);
88 snprintf(command
, STRING_SIZE
- 1, "/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT");
91 // Allow ping only on internal interfaces
92 if(strcmp(disableping
, "ONLYRED") == 0) {
93 memset(command
, 0, STRING_SIZE
);
94 snprintf(command
, STRING_SIZE
- 1,
95 "/sbin/iptables -A GUIINPUT -i ! %s -p icmp --icmp-type 8 -j ACCEPT", iface
);