X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Fmisc-progs%2Fwirelessctrl.c;h=7cffc89df9c224998f0de5247f51cce6ba136fc9;hb=8d76eb20852a695b15e6fd32076128a25fad01d1;hp=1f1b0f861e6a75913243938dd59482ee6328249e;hpb=ec36876e6ade2e04d29963d8dcfab5d5bf580a99;p=ipfire-2.x.git
diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index 1f1b0f861e..7cffc89df9 100644
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -16,9 +16,11 @@
 #include
 #include
 #include
-#include "setuid.h"
 #include
+#include "setuid.h"
+#include "netutil.h"
+
 FILE *fd = NULL;
 char blue_dev[STRING_SIZE] = "";
 char command[STRING_SIZE];
@@ -26,9 +28,9 @@ char command[STRING_SIZE];
 void exithandler(void) {
 /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
 if (strlen(blue_dev) > 0) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
 safe_system(command);
 }
@@ -37,17 +39,17 @@ void exithandler(void) {
 }
 int main(void) {
- char green_dev[STRING_SIZE] = "";
 char buffer[STRING_SIZE];
 char *index, *ipaddress, *macaddress, *enabled;
 struct keyvalue *kv = NULL;
+ struct keyvalue* captive_settings = NULL;
 if (!(initsetuid())) exit(1);
 /* flush wireless iptables */
- safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
- safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
+ safe_system("/sbin/iptables --wait -F WIRELESSINPUT > /dev/null 2> /dev/null");
+ safe_system("/sbin/iptables --wait -F WIRELESSFORWARD > /dev/null 2> /dev/null");
 memset(buffer, 0, STRING_SIZE);
@@ -66,12 +68,11 @@ int main(void) {
 exit(1);
 }
- /* Get the GREEN interface details */
- if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
- if (!VALID_DEVICE(green_dev)) {
- fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
- exit(1);
- }
+ // Read captive portal settings
+ captive_settings = initkeyvalues();
+ if (!readkeyvalues(captive_settings, CONFIG_ROOT "/captive/settings")) {
+ fprintf(stderr, "Could not read captive portal settings\n");
+ exit(1);
 }
 /* Get the BLUE interface details */
@@ -86,6 +87,15 @@ int main(void) {
 exit(0);
 }
+ // Check if the captive portal is enabled on blue. If so, we will
+ // just keep the chains flushed and do not add any rules.
+ char captive_enabled[STRING_SIZE];
+ if (findkey(captive_settings, "ENABLE_BLUE", captive_enabled) > 0) {
+ if (strcmp(captive_enabled, "on") == 0) {
+ return 0;
+ }
+ }
+
 if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r"))) return 0;
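Review bot: `struct keyvalue* captive_settings = NULL;` binds the `*` to the type, while the line directly above it, `struct keyvalue *kv = NULL;`, and the other declarations in this hunk bind it to the variable. Writing it as `struct keyvalue *captive_settings = NULL;` keeps the two declarations uniform.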
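Review bot: A missing or unreadable CONFIG_ROOT "/captive/settings" now ends the program with `exit(1)` in the @@ -66 hunk, and that point is reached after both WIRELESSINPUT and WIRELESSFORWARD were flushed in the @@ -37 hunk and before BLUE_DEV has been read, so on a system where that file does not exist yet the chains are left empty instead of being rebuilt with the per-client rules. Unless the settings file is guaranteed to exist (not visible here), a read failure is better treated as "captive portal disabled": keep the `fprintf(stderr, ...)` warning and drop the `exit(1);`, since a later `findkey()` on the untouched keyvalue set simply finds no ENABLE_BLUE key. `captive_settings` is also never released with `freekeyvalues()` on any path in this diff; harmless for a short-lived setuid helper, but worth a `freekeyvalues(captive_settings);` next to wherever `kv` is released, if it is.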
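Review bot: The nested `findkey(...) > 0` / `strcmp(...) == 0` pair in the @@ -86 hunk can be the single condition this file already uses for DROPSAMBA and DROPWIRELESSINPUT: `if (findkey(captive_settings, "ENABLE_BLUE", captive_enabled) > 0 && strcmp(captive_enabled, "on") == 0) { return 0; }`. The comment above it should also spell out the consequence of the early return, namely that the MAC/IP allow rules added further down are not installed and the captive portal becomes the only thing restricting BLUE clients; something like `// the captive portal is then responsible for restricting BLUE clients`. Whether `exithandler()`'s DROP rules still run on this `return 0` depends on where `atexit()` is called, which is outside this hunk.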
@@ -104,21 +114,21 @@ int main(void) {
 exit(1);
 }
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
 safe_system(command);
 }
 /* not allow blue to acces a samba server running on local fire*/
 if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "on") == 0) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
 safe_system(command);
 }
@@ -130,26 +140,26 @@ int main(void) {
 macaddress = strtok(NULL, ",");
 enabled = strtok(NULL, ",");
- if (strncmp(enabled, "on", 2) != 0) {
+ if (strcmp(enabled, "on") == 0) {
 /* both specified, added security */
 if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
 safe_system(command);
 } else {
 /* correctly formed mac address is 17 chars */
 if (strlen(macaddress) == 17) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
 safe_system(command);
 }
 if (VALID_IP_AND_MASK(ipaddress)) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j RETURN", ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
 safe_system(command);
 }
 }
@@ -158,13 +168,13 @@ int main(void) {
 /* with this rule you can disable the logging of the dropped wireless input packets*/
 if (findkey(kv, "DROPWIRELESSINPUT", buffer) && strcmp(buffer, "on") == 0) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
 safe_system(command);
 }
 /* with this rule you can disable the logging of the dropped wireless forward packets*/
 if (findkey(kv, "DROPWIRELESSFORWARD", buffer) && strcmp(buffer, "on") == 0) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
 safe_system(command);
 }
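Review bot: The new `strcmp(enabled, "on")` in the @@ -130 hunk dereferences whatever `strtok(NULL, ",")` returned, and that is NULL for a config line with fewer than four fields, as are the `macaddress` and `ipaddress` pointers used by `strlen()` and `VALID_IP_AND_MASK()` just below; a short or trailing-empty line would crash the helper instead of being skipped. Guarding the fields once, `if (ipaddress && macaddress && enabled && strcmp(enabled, "on") == 0) {`, covers all three uses. Whether the trailing newline from the read loop is stripped before tokenizing is outside this hunk; if it is not, the last field is `"on\n"` and the new exact `strcmp` never matches where the old `strncmp(..., 2)` did, so that is worth confirming against the loop head. The enclosing loop and the `ipaddress` tokenization start before this hunk.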