39877197 1#include <signal.h>
2#include <stdio.h>
3#include <string.h>
4#include <unistd.h>
5#include <stdlib.h>
6#include <sys/types.h>
7#include <arpa/inet.h>
8#include <netinet/in.h>
9#include <fcntl.h>
10#include "setuid.h"
52e54c1c 11#include "netutil.h"
12#include "libsmooth.h"
/* The debug branches in this file are guarded by "#ifdef ovpndebug"; while
 * the macro is spelled with the "no" prefix those branches stay compiled out. */
#define noovpndebug

// global vars
/* Key/value store handle: assigned from initkeyvalues() before a settings
 * file is read and released with freekeyvalues(). */
struct keyvalue *kv = NULL;
/* Stream used by ovpnInit() while reading the red interface file. */
FILE *ifacefile = NULL;

/* Interface names and per-zone switches filled in by ovpnInit(); the
 * switches are compared against the literal "on" elsewhere in this file. */
char redif[STRING_SIZE];
char blueif[STRING_SIZE];
char orangeif[STRING_SIZE];
char enablered[STRING_SIZE] = "off";
char enableblue[STRING_SIZE] = "off";
char enableorange[STRING_SIZE] = "off";

// consts
/* Names of the iptables chains that this wrapper flushes and refills. */
char OVPNINPUT[STRING_SIZE] = "OVPNINPUT";
char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
char OVPNNAT[STRING_SIZE] = "OVPNNAT";
/* Version string printed by usage(). */
char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.4";
/* One line of the ovpnconfig file, kept as a node of a singly linked list.
 * The column numbers below are the zero-based comma-separated fields that
 * getConnections() copies into each member. The values are taken from the
 * file verbatim and several of them are later placed into command lines, so
 * they must be treated as untrusted text by the code that uses them. */
struct connection_struct {
	char name[STRING_SIZE];            /* column 2; also used to build file paths */
	char type[STRING_SIZE];            /* column 4; "net" marks a net-to-net connection */
	char proto[STRING_SIZE];           /* column 29 */
	char status[STRING_SIZE];          /* column 1; compared against "on" */
	char local_subnet[STRING_SIZE];    /* column 9; split at '/' into address and mask */
	char transfer_subnet[STRING_SIZE]; /* column 28; split at '/' into address and mask */
	char role[STRING_SIZE];            /* column 7; "server" or "client" */
	char port[STRING_SIZE];            /* column 30 */
	struct connection_struct *next;    /* next node, NULL at the end of the list */
};

typedef struct connection_struct connection;
/* Releases the global key/value store and the interface file stream when
 * either of them is still held. */
void exithandler(void)
{
	if (kv != NULL) {
		freekeyvalues(kv);
	}

	if (ifacefile != NULL) {
		fclose(ifacefile);
	}
}
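/* Prints the command line help to stdout and terminates the program with
 * exit status 1. This function never returns to its caller. */
void usage(void)
{
#ifdef ovpndebug
	printf("Wrapper for OpenVPN %s-debug\n", WRAPPERVERSION);
#else
	printf("Wrapper for OpenVPN %s\n", WRAPPERVERSION);
#endif
	printf("openvpnctrl <option>\n");
	printf(" Valid options are:\n");
	printf(" -s --start\n");
	printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n");
	printf(" -k --kill\n");
	printf(" kills/stops OpenVPN\n");
	printf(" -r --restart\n");
	printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n");
	printf(" -sn2n --start-net-2-net\n");
	printf(" starts all net2net connections\n");
	printf(" you may pass a connection name to the switch to only start a specific one\n");
	printf(" -kn2n --kill-net-2-net\n");
	printf(" kills all net2net connections\n");
	/* The help for the kill switch used to say "start" (copy-and-paste slip). */
	printf(" you may pass a connection name to the switch to only kill a specific one\n");
	printf(" -d --display\n");
	printf(" displays OpenVPN status to syslog\n");
	printf(" -fwr --firewall-rules\n");
	printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
	printf(" -sdo --start-daemon-only\n");
	printf(" starts OpenVPN daemon only\n");
	exit(1);
}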
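/*
 * Reads CONFIG_ROOT "/ovpn/ovpnconfig" and returns a singly linked list with
 * one node for every line read (NULL when the file has no lines). Each line
 * is split at commas and selected columns are copied into the node; all
 * other columns are ignored and stay empty.
 *
 * The program exits with status 1 when the file cannot be opened or when
 * memory runs out. The caller owns the returned list.
 *
 * The copied values are not checked here in any way; callers that place them
 * into file paths or command lines have to validate them first.
 *
 * NOTE(review): a line longer than STRING_SIZE - 1 bytes is returned by
 * fgets() in several pieces, and every piece after the first is parsed as a
 * record of its own. Confirm that the writer of this file cannot produce
 * such lines.
 */
connection *getConnections() {
	FILE *fp = fopen(CONFIG_ROOT "/ovpn/ovpnconfig", "r");
	if (fp == NULL) {
		fprintf(stderr, "Could not open openvpn n2n configuration file.\n");
		exit(1);
	}

	char line[STRING_SIZE] = "";
	char result[STRING_SIZE] = "";
	connection *conn_first = NULL;
	connection *conn_last = NULL;

	while (fgets(line, STRING_SIZE, fp) != NULL) {
		/* Strip the trailing newline. The length is checked first so that
		 * a line starting with a NUL byte cannot index line[-1]. */
		size_t length = strlen(line);
		if (length > 0 && line[length - 1] == '\n')
			line[length - 1] = '\0';

		/* calloc() zeroes the node, so unset fields are empty strings
		 * and next is NULL. */
		connection *conn_curr = calloc(1, sizeof(*conn_curr));
		if (conn_curr == NULL) {
			fprintf(stderr, "Out of memory while reading openvpn n2n configuration.\n");
			fclose(fp);
			exit(1);
		}

		if (conn_first == NULL) {
			conn_first = conn_curr;
		} else {
			conn_last->next = conn_curr;
		}
		conn_last = conn_curr;

		int count = 0;
		const char *lineptr = line;
		while (*lineptr != '\0') {
			/* Copy one comma-separated field into result. It always
			 * fits because result is as large as line. */
			char *resultptr = result;
			while (*lineptr != '\0') {
				if (*lineptr == ',') {
					lineptr++;
					break;
				}
				*resultptr++ = *lineptr++;
			}
			*resultptr = '\0';

			/* Pick the destination member for this column, if any. */
			char *field = NULL;
			switch (count) {
			case 1:  field = conn_curr->status;          break;
			case 2:  field = conn_curr->name;            break;
			case 4:  field = conn_curr->type;            break;
			case 7:  field = conn_curr->role;            break;
			case 9:  field = conn_curr->local_subnet;    break;
			case 28: field = conn_curr->transfer_subnet; break;
			case 29: field = conn_curr->proto;           break;
			case 30: field = conn_curr->port;            break;
			default: break;
			}

			if (field != NULL)
				snprintf(field, STRING_SIZE, "%s", result);

			count++;
		}
	}

	fclose(fp);

	return conn_first;
}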
/*
 * Returns the first decimal integer stored in the file `pidfile`.
 * The program exits with status 1 when the file cannot be opened. When the
 * file does not start with a number the result is 0. Negative numbers are
 * returned unchanged, so callers must reject values <= 0 before using the
 * result as a process id.
 */
int readPidFile(const char *pidfile) {
	int parsed_pid = 0;
	FILE *stream = fopen(pidfile, "r");

	if (!stream) {
		exit(1);
	}

	/* On a failed conversion parsed_pid keeps its initial value of 0. */
	fscanf(stream, "%d", &parsed_pid);
	fclose(stream);

	return parsed_pid;
}
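/*
 * Reads the first whitespace-delimited token of
 * /var/ipfire/red/local-ipaddress into `address`.
 *
 * `address` must point to a buffer of at least STRING_SIZE bytes.
 * Returns 0 when a token was read and VALID_IP() accepts it. Otherwise
 * returns 1 and leaves `address` as an empty string.
 */
int readExternalAddress(char* address) {
	char line[STRING_SIZE] = "";
	int r = 0;

	FILE *fp = fopen("/var/ipfire/red/local-ipaddress", "r");
	if (!fp)
		goto ERROR;

	/* Bound the read: a bare "%s" applied to the stream would copy a token
	 * of any length into the caller's buffer. After fgets() the token can
	 * be at most STRING_SIZE - 1 characters long. */
	if (fgets(line, sizeof(line), fp))
		r = sscanf(line, "%s", address);
	fclose(fp);

	if (r != 1)
		goto ERROR;

	/* In case the read IP address is not valid, we empty
	 * the content of address and return non-zero. */
	if (!VALID_IP(address))
		goto ERROR;

	return 0;

ERROR:
	/* Assigning NULL to the parameter would only change the local copy of
	 * the pointer; clear the caller's buffer instead. */
	address[0] = '\0';
	return 1;
}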
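/*
 * Loads the settings the other functions rely on:
 *  - ENABLED, ENABLED_BLUE and ENABLED_ORANGE from the ovpn settings file
 *    into enablered, enableblue and enableorange,
 *  - the red interface name from the red/iface file into redif,
 *  - BLUE_DEV and ORANGE_DEV from the ethernet settings file into blueif
 *    and orangeif, each only when the matching zone is switched "on".
 *
 * The program exits with status 1 when a settings file or a required key
 * cannot be read. Interface names that fail VALID_DEVICE() are cleared,
 * because they are later placed into iptables command lines.
 */
void ovpnInit(void) {
	// Read OpenVPN configuration
	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) {
		fprintf(stderr, "Cannot read ovpn settings\n");
		exit(1);
	}

	if (!findkey(kv, "ENABLED", enablered)) {
		exit(1);
	}

	if (!findkey(kv, "ENABLED_BLUE", enableblue)) {
		exit(1);
	}

	if (!findkey(kv, "ENABLED_ORANGE", enableorange)) {
		exit(1);
	}
	freekeyvalues(kv);
	/* exithandler() frees kv whenever it is non-NULL, so do not leave a
	 * pointer to released memory behind. */
	kv = NULL;

	// read interface settings

	// details for the red int
	memset(redif, 0, STRING_SIZE);
	if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
		if (fgets(redif, STRING_SIZE, ifacefile)) {
			/* Check the length first so that an empty string cannot
			 * index redif[-1]. */
			size_t length = strlen(redif);
			if (length > 0 && redif[length - 1] == '\n')
				redif[length - 1] = '\0';
		}
		fclose(ifacefile);
		ifacefile = NULL;

		if (!VALID_DEVICE(redif)) {
			memset(redif, 0, STRING_SIZE);
		}
	}

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	if (strcmp(enableblue, "on") == 0) {
		if (!findkey(kv, "BLUE_DEV", blueif)) {
			exit(1);
		}

		/* Apply the same check the red interface gets. An empty name
		 * makes setFirewallRules() skip the zone. */
		if (!VALID_DEVICE(blueif)) {
			fprintf(stderr, "Ignoring invalid BLUE_DEV\n");
			memset(blueif, 0, STRING_SIZE);
		}
	}

	if (strcmp(enableorange, "on") == 0) {
		if (!findkey(kv, "ORANGE_DEV", orangeif)) {
			exit(1);
		}

		if (!VALID_DEVICE(orangeif)) {
			fprintf(stderr, "Ignoring invalid ORANGE_DEV\n");
			memset(orangeif, 0, STRING_SIZE);
		}
	}
	freekeyvalues(kv);
	kv = NULL;
}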
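/*
 * Runs `command` through safe_system() with stdout and stderr redirected to
 * /dev/null. The caller's buffer is not modified.
 *
 * The redirection suffix is added in a local buffer. Appending it to the
 * caller's buffer with strncat() could write past the end of that buffer
 * whenever the command already filled most of it. A command that does not
 * fit together with the suffix is not executed at all, so that a truncated
 * command line is never run.
 *
 * NOTE(review): the redirection suggests that safe_system() passes the text
 * to a shell. Callers must therefore only build commands from validated
 * values.
 */
void executeCommand(char *command) {
	char shell_command[STRING_SIZE];
	int length;

	if (command == NULL)
		return;

#ifdef ovpndebug
	/* Print the command as data, never as a format string. */
	printf("%s\n", command);
#endif

	length = snprintf(shell_command, sizeof(shell_command), "%s >/dev/null 2>&1", command);
	if (length < 0 || (size_t)length >= sizeof(shell_command)) {
		fprintf(stderr, "Command is too long and was not executed\n");
		return;
	}

	safe_system(shell_command);
}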
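/*
 * Appends an ACCEPT rule to `chain` for packets arriving on `interface`
 * with the given `protocol` and destination `port`.
 *
 * All four values end up in a command line, and some of them are read from
 * configuration files. The rule is therefore only added when every value is
 * non-empty, does not start with '-', and consists solely of letters,
 * digits and the characters . _ : + -. Anything else is refused with a
 * message on stderr.
 */
void addRule(const char *chain, const char *interface, const char *protocol, const char *port) {
	static const char allowed[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"abcdefghijklmnopqrstuvwxyz"
		"0123456789._:+-";
	const char *arguments[] = { chain, interface, protocol, port };
	char command[STRING_SIZE];

	for (size_t i = 0; i < sizeof(arguments) / sizeof(arguments[0]); i++) {
		const char *argument = arguments[i];

		if (argument == NULL || argument[0] == '\0' || argument[0] == '-'
				|| argument[strspn(argument, allowed)] != '\0') {
			fprintf(stderr, "Refusing to add a firewall rule with an invalid argument\n");
			return;
		}
	}

	int length = snprintf(command, sizeof(command),
		"/sbin/iptables -A %s -i %s -p %s --dport %s -j ACCEPT",
		chain, interface, protocol, port);

	/* The command is run with a redirection suffix added to it, so keep
	 * some slack below the buffer size and never run a truncated rule. */
	if (length < 0 || (size_t)length >= sizeof(command) - 32) {
		fprintf(stderr, "Firewall rule is too long and was not added\n");
		return;
	}

	executeCommand(command);
}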
/* Removes every rule from `chain` by running "iptables -F" on it.
 * The chain name is placed into the command line unchanged; the callers in
 * this file only pass the built-in chain name constants. */
void flushChain(char *chain) {
	char flush_command[STRING_SIZE];

	snprintf(flush_command, STRING_SIZE - 1, "/sbin/iptables -F %s", chain);

	executeCommand(flush_command);
}
/* Removes every rule from `chain` in the nat table ("iptables -t nat -F").
 * The chain name is placed into the command line unchanged; the caller in
 * this file only passes the built-in chain name constant. */
void flushChainNAT(char *chain) {
	char flush_command[STRING_SIZE];

	snprintf(flush_command, STRING_SIZE - 1, "/sbin/iptables -t nat -F %s", chain);

	executeCommand(flush_command);
}
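/*
 * Derives this side's address inside the transfer network of `conn`.
 *
 * conn->transfer_subnet is expected in the form "address/netmask" with both
 * parts in dotted-quad notation. The network address is computed from the
 * two parts; role "server" gets network + 1 and role "client" gets
 * network + 2.
 *
 * Returns a pointer to the static buffer of inet_ntoa(): the caller must
 * not free it, and the next inet_ntoa() call overwrites it. Returns NULL,
 * after a message on stderr, when the subnet cannot be parsed or the role
 * is neither "server" nor "client".
 */
char* calcTransferNetAddress(const connection* conn) {
	/* strsep() modifies the string and advances subnetmask, so keep the
	 * original pointer around to be able to free the copy on every path. */
	char *buffer = strdup(conn->transfer_subnet);
	char *subnetmask = buffer;
	char *address = strsep(&subnetmask, "/");
	struct in_addr network;
	struct in_addr mask;
	in_addr_t host_order;

	if ((address == NULL) || (subnetmask == NULL)) {
		goto ERROR;
	}

	/* inet_pton() only accepts a complete dotted quad and reports bad
	 * input, whereas the result of inet_addr() was used unchecked. */
	if (inet_pton(AF_INET, address, &network) != 1
			|| inet_pton(AF_INET, subnetmask, &mask) != 1) {
		goto ERROR;
	}

	/* Do the arithmetic in host byte order. Adding 1 << 24 to the
	 * network-order value only increments the last octet on little-endian
	 * machines. */
	host_order = ntohl(network.s_addr & mask.s_addr);

	if (strcmp(conn->role, "server") == 0) {
		host_order += 1;
	} else if (strcmp(conn->role, "client") == 0) {
		host_order += 2;
	} else {
		goto ERROR;
	}

	network.s_addr = htonl(host_order);

	free(buffer);
	return inet_ntoa(network);

ERROR:
	fprintf(stderr, "Could not determine transfer net address: %s\n", conn->name);

	free(buffer);
	return NULL;
}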
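/*
 * Finds the address of the first local zone (GREEN, BLUE, ORANGE, in that
 * order) that lies strictly between the network address and the broadcast
 * address of conn->local_subnet ("address/netmask", both dotted quad).
 *
 * Zone addresses are read from the <ZONE>_ADDRESS keys of the ethernet
 * settings file. The program exits with status 1 when that file cannot be
 * read.
 *
 * Returns a newly allocated string that the caller has to free(), or NULL
 * after a message on stderr when no zone matches or the subnet cannot be
 * parsed. The string is rebuilt from the parsed address, so it contains a
 * plain dotted quad even if the settings value carried extra characters.
 */
char* getLocalSubnetAddress(const connection* conn) {
	const char *zones[] = {"GREEN", "BLUE", "ORANGE", NULL};
	char zone_address_key[STRING_SIZE];
	char zone_address[STRING_SIZE];
	struct in_addr network;
	struct in_addr mask;
	struct in_addr zone_in;
	char *found = NULL;

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	// Get net address of the local openvpn subnet.
	/* strsep() advances subnetmask; buffer keeps the pointer to free. */
	char *buffer = strdup(conn->local_subnet);
	char *subnetmask = buffer;
	char *address = strsep(&subnetmask, "/");

	if ((address != NULL) && (subnetmask != NULL)
			&& inet_pton(AF_INET, address, &network) == 1
			&& inet_pton(AF_INET, subnetmask, &mask) == 1) {
		/* Range comparisons are only meaningful in host byte order.
		 * Comparing the network-order values lets unrelated addresses
		 * match on little-endian machines. */
		in_addr_t netaddr = ntohl(network.s_addr & mask.s_addr);
		in_addr_t broadcast = ntohl(network.s_addr | ~mask.s_addr);

		for (int i = 0; zones[i] != NULL && found == NULL; i++) {
			snprintf(zone_address_key, STRING_SIZE, "%s_ADDRESS", zones[i]);

			if (!findkey(kv, zone_address_key, zone_address))
				continue;

			if (inet_pton(AF_INET, zone_address, &zone_in) != 1)
				continue;

			in_addr_t zone_addr = ntohl(zone_in.s_addr);
			if ((zone_addr > netaddr) && (zone_addr < broadcast))
				found = strdup(inet_ntoa(zone_in));
		}
	}

	if (found == NULL)
		fprintf(stderr, "Could not determine local subnet address: %s\n", conn->name);

	free(buffer);
	freekeyvalues(kv);
	/* exithandler() frees kv whenever it is non-NULL. */
	kv = NULL;

	return found;
}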
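/*
 * Rebuilds the OpenVPN firewall chains from the configuration:
 *  1. reads DDEST_PORT and DPROTOCOL (exit status 1 when missing) and
 *     VPN_IP (only reported when missing) from the ovpn settings file,
 *  2. flushes the OVPNINPUT, OVPNBLOCK and OVPNNAT chains,
 *  3. accepts the server port on every enabled zone that has an interface,
 *  4. lets RELATED ICMP traffic return from the OVPNBLOCK chain,
 *  5. for every connection of type "net": accepts its port on the red
 *     interface, drops traffic coming from its transfer subnet, and adds a
 *     SNAT rule when both addresses can be determined.
 *
 * The transfer subnet comes from the connection file and is placed into a
 * command line, so it is only used when it consists of digits, dots and
 * slashes.
 */
void setFirewallRules(void) {
	static const char subnet_chars[] = "0123456789./";
	char command[STRING_SIZE];
	char protocol[STRING_SIZE] = "";
	char dport[STRING_SIZE] = "";
	char dovpnip[STRING_SIZE] = "";

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings"))
	{
		fprintf(stderr, "Cannot read ovpn settings\n");
		exit(1);
	}

	/* we got one device, so lets proceed further */
	if (!findkey(kv, "DDEST_PORT", dport)){
		fprintf(stderr, "Cannot read DDEST_PORT\n");
		exit(1);
	}

	if (!findkey(kv, "DPROTOCOL", protocol)){
		fprintf(stderr, "Cannot read DPROTOCOL\n");
		exit(1);
	}

	if (!findkey(kv, "VPN_IP", dovpnip)){
		fprintf(stderr, "Cannot read VPN_IP\n");
	}
	freekeyvalues(kv);
	/* exithandler() frees kv whenever it is non-NULL. */
	kv = NULL;

	// Flush all chains.
	flushChain(OVPNINPUT);
	flushChain(OVPNBLOCK);
	flushChainNAT(OVPNNAT);

	// set firewall rules
	if (!strcmp(enablered, "on") && strlen(redif))
		addRule(OVPNINPUT, redif, protocol, dport);
	if (!strcmp(enableblue, "on") && strlen(blueif))
		addRule(OVPNINPUT, blueif, protocol, dport);
	if (!strcmp(enableorange, "on") && strlen(orangeif))
		addRule(OVPNINPUT, orangeif, protocol, dport);

	/* Allow ICMP error messages to pass. */
	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp"
		" -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
	executeCommand(command);

	// read connection configuration
	connection *conn = getConnections();

	// set firewall rules for n2n connections
	for (; conn != NULL; conn = conn->next) {
		if (strcmp(conn->type, "net") != 0)
			continue;

		addRule(OVPNINPUT, redif, conn->proto, conn->port);

		/* Never place unchecked file content into a command line. */
		if (conn->transfer_subnet[0] == '\0'
				|| conn->transfer_subnet[strspn(conn->transfer_subnet, subnet_chars)] != '\0') {
			fprintf(stderr, "Ignoring invalid transfer subnet of connection: %s\n", conn->name);
			continue;
		}

		/* Block all communication from the transfer nets. */
		snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -s %s -j DROP",
			OVPNBLOCK, conn->transfer_subnet);
		executeCommand(command);

		char *local_subnet_address = getLocalSubnetAddress(conn);
		char *transfer_subnet_address = calcTransferNetAddress(conn);

		if ((local_subnet_address) && (transfer_subnet_address)) {
			snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
				OVPNNAT, transfer_subnet_address, local_subnet_address);
			executeCommand(command);
		}

		/* getLocalSubnetAddress() returns a strdup() copy owned by us.
		 * The transfer address points to the static inet_ntoa() buffer
		 * and must not be freed. */
		free(local_subnet_address);
	}
}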
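/*
 * Sends SIGTERM to the process recorded in /var/run/openvpn.pid and removes
 * the pid file. The program exits with status 1 when the pid file cannot be
 * read or does not contain a positive process id.
 */
void stopDaemon(void) {
	int pid = readPidFile("/var/run/openvpn.pid");

	/* "!pid > 0" parses as "(!pid) > 0" and only caught pid == 0. A
	 * negative value passed the test, and kill() with a negative pid
	 * signals a whole process group (or, for -1, every process the caller
	 * may signal). */
	if (pid <= 0) {
		exit(1);
	}

	fprintf(stderr, "Killing PID %d.\n", pid);
	kill(pid, SIGTERM);

	/* Remove the file directly instead of running "rm -f" via a command
	 * line. A missing file is not an error, as before. */
	unlink("/var/run/openvpn.pid");
}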
/*
 * Loads the tun kernel module and starts the OpenVPN server with
 * /var/ipfire/ovpn/server.conf. The program exits with status 1 when
 * OpenVPN is not switched "on" for any of the red, blue or orange zones.
 */
void startDaemon(void) {
	char command[STRING_SIZE];

	int red_on = (strcmp(enablered, "on") == 0);
	int blue_on = (strcmp(enableblue, "on") == 0);
	int orange_on = (strcmp(enableorange, "on") == 0);

	/* Nothing to start unless at least one zone is enabled. */
	if (!red_on && !blue_on && !orange_on) {
		fprintf(stderr, "OpenVPN is not enabled on any interface\n");
		exit(1);
	}

	snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun");
	executeCommand(command);

	snprintf(command, STRING_SIZE-1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf");
	executeCommand(command);
}
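/*
 * Starts the net-to-net connection called `name`.
 *
 * The connection must exist in the connection list with type "net" and
 * status "on", and its configuration file
 * CONFIG_ROOT "/ovpn/n2nconf/<name>/<name>.conf" must be readable. The
 * firewall rules are refreshed before OpenVPN is started with the external
 * address as --local.
 *
 * Returns 0 on success, 1 when the connection is unknown, disabled or has
 * an unusable name, and 2 when the configuration file is missing. The
 * program exits with status 1 when the external address cannot be read.
 *
 * The connection name is used both in a file path and in a command line,
 * so names with characters outside letters, digits, '.', '_' and '-', or
 * with a leading '.' or '-', are refused.
 * NOTE(review): confirm that this character set covers every name the
 * configuration front end can create.
 */
int startNet2Net(char *name) {
	static const char name_chars[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"abcdefghijklmnopqrstuvwxyz"
		"0123456789._-";
	connection *conn = NULL;

	for (connection *conn_iter = getConnections(); conn_iter; conn_iter = conn_iter->next) {
		if ((strcmp(conn_iter->type, "net") == 0) && (strcmp(conn_iter->name, name) == 0)) {
			conn = conn_iter;
			break;
		}
	}

	if (conn == NULL) {
		fprintf(stderr, "Connection not found.\n");
		return 1;
	}

	if (strcmp(conn->status, "on") != 0) {
		fprintf(stderr, "Connection '%s' is not enabled.\n", conn->name);
		return 1;
	}

	if (conn->name[0] == '\0' || conn->name[0] == '.' || conn->name[0] == '-'
			|| conn->name[strspn(conn->name, name_chars)] != '\0') {
		fprintf(stderr, "Connection name contains unsupported characters.\n");
		return 1;
	}

	fprintf(stderr, "Starting connection %s...\n", conn->name);

	char configfile[STRING_SIZE];
	int length = snprintf(configfile, sizeof(configfile), CONFIG_ROOT "/ovpn/n2nconf/%s/%s.conf",
		conn->name, conn->name);
	if (length < 0 || (size_t)length >= sizeof(configfile)) {
		fprintf(stderr, "Configuration file path of connection '%s' is too long.\n", conn->name);
		return 2;
	}

	FILE *fp = fopen(configfile, "r");
	if (fp == NULL) {
		fprintf(stderr, "Could not find configuration file for connection '%s' at '%s'.\n",
			conn->name, configfile);
		return 2;
	}
	fclose(fp);

	// Make sure all firewall rules are up to date.
	setFirewallRules();

	// Get the external IP address.
	char address[STRING_SIZE] = "";
	int r = readExternalAddress(address);
	if (r) {
		fprintf(stderr, "Could not read the external address\n");
		exit(1);
	}

	char command[STRING_SIZE];
	snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun");
	executeCommand(command);

	length = snprintf(command, sizeof(command), "/usr/sbin/openvpn --local %s --config %s", address, configfile);
	/* The command is run with a redirection suffix added to it, so keep
	 * some slack below the buffer size and never run a truncated command. */
	if (length < 0 || (size_t)length >= sizeof(command) - 32) {
		fprintf(stderr, "Command line for connection '%s' is too long.\n", conn->name);
		return 1;
	}
	executeCommand(command);

	return 0;
}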
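/*
 * Stops the connection called `name`: sends SIGTERM to the process recorded
 * in /var/run/<name>n2n.pid and removes that pid file.
 *
 * Returns 0 on success and 1 when the connection is unknown, has an
 * unusable name, or its pid file does not contain a positive process id.
 * readPidFile() exits the program with status 1 when the pid file cannot
 * be opened.
 *
 * The connection name becomes part of the path of a file that is deleted,
 * so names with characters outside letters, digits, '.', '_' and '-', or
 * with a leading '.' or '-', are refused.
 * NOTE(review): confirm that this character set covers every name the
 * configuration front end can create.
 */
int killNet2Net(char *name) {
	static const char name_chars[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"abcdefghijklmnopqrstuvwxyz"
		"0123456789._-";
	connection *conn = NULL;

	for (connection *conn_iter = getConnections(); conn_iter; conn_iter = conn_iter->next) {
		if (strcmp(conn_iter->name, name) == 0) {
			conn = conn_iter;
			break;
		}
	}

	if (conn == NULL) {
		fprintf(stderr, "Connection not found.\n");
		return 1;
	}

	if (conn->name[0] == '\0' || conn->name[0] == '.' || conn->name[0] == '-'
			|| conn->name[strspn(conn->name, name_chars)] != '\0') {
		fprintf(stderr, "Connection name contains unsupported characters.\n");
		return 1;
	}

	char pidfile[STRING_SIZE];
	int length = snprintf(pidfile, sizeof(pidfile), "/var/run/%sn2n.pid", conn->name);
	if (length < 0 || (size_t)length >= sizeof(pidfile)) {
		fprintf(stderr, "Pid file path of connection %s is too long.\n", conn->name);
		return 1;
	}

	int pid = readPidFile(pidfile);

	/* "!pid > 0" parses as "(!pid) > 0" and only caught pid == 0. A
	 * negative value passed the test, and kill() with a negative pid
	 * signals a whole process group (or, for -1, every process the caller
	 * may signal). */
	if (pid <= 0) {
		fprintf(stderr, "Could not read pid file of connection %s.\n", conn->name);
		return 1;
	}

	fprintf(stderr, "Killing connection %s (PID %d)...\n", conn->name, pid);
	kill(pid, SIGTERM);

	/* Remove the file directly instead of running "rm -f" via a command
	 * line. A missing file is not an error, as before. */
	unlink(pidfile);

	return 0;
}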
/*
 * Starts every connection that has type "net" and status "on", then exits
 * the program with the highest return code startNet2Net() reported (0 when
 * all of them started). This function does not return.
 */
void startAllNet2Net() {
	int worst_code = 0;

	for (connection *conn = getConnections(); conn; conn = conn->next) {
		/* Only enabled net-to-net connections are started. */
		int is_net = (strcmp(conn->type, "net") == 0);
		int is_enabled = (strcmp(conn->status, "on") == 0);

		if (is_net && is_enabled) {
			int code = startNet2Net(conn->name);

			if (code > worst_code) {
				worst_code = code;
			}
		}
	}

	exit(worst_code);
}
590
/*
 * Stops every connection that has type "net", then exits the program with
 * the highest return code killNet2Net() reported (0 when all of them were
 * stopped). This function does not return.
 */
void killAllNet2Net() {
	int worst_code = 0;

	for (connection *conn = getConnections(); conn; conn = conn->next) {
		/* Connections of any other type are left alone. */
		if (strcmp(conn->type, "net") == 0) {
			int code = killNet2Net(conn->name);

			if (code > worst_code) {
				worst_code = code;
			}
		}
	}

	exit(worst_code);
}
/* Sends SIGUSR2 to every process named "openvpn" by running killall. */
void displayopenvpn(void) {
	char signal_command[STRING_SIZE];

	snprintf(signal_command, STRING_SIZE - 1, "/bin/killall -sSIGUSR2 openvpn");

	executeCommand(signal_command);
}
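/*
 * Entry point of the wrapper. The program exits with status 1 when
 * initsetuid() fails. Without an option, with more than two arguments, or
 * with an unknown option, the help text is shown (usage() exits with
 * status 1).
 *
 * With an option and a connection name, only the net-to-net start and kill
 * switches are accepted. Their result is returned as the exit status so
 * that a failure is visible to the caller, in the same way the "all
 * connections" variants already report it.
 */
int main(int argc, char *argv[]) {
	if (!(initsetuid()))
		exit(1);
	if (argc < 2)
		usage();

	const char *option = argv[1];

	if (argc == 3) {
		ovpnInit();

		if ((strcmp(option, "-sn2n") == 0) || (strcmp(option, "--start-net-2-net") == 0)) {
			/* The return code used to be discarded here. */
			return startNet2Net(argv[2]);
		}
		if ((strcmp(option, "-kn2n") == 0) || (strcmp(option, "--kill-net-2-net") == 0)) {
			return killNet2Net(argv[2]);
		}

		usage();
		return 1;
	}

	if (argc != 2) {
		usage();
		return 0;
	}

	/* These two options do not need the configuration to be loaded. */
	if ((strcmp(option, "-k") == 0) || (strcmp(option, "--kill") == 0)) {
		stopDaemon();
		return 0;
	}
	if ((strcmp(option, "-d") == 0) || (strcmp(option, "--display") == 0)) {
		displayopenvpn();
		return 0;
	}

	ovpnInit();

	if ((strcmp(option, "-s") == 0) || (strcmp(option, "--start") == 0)) {
		setFirewallRules();
		startDaemon();
	}
	else if ((strcmp(option, "-sn2n") == 0) || (strcmp(option, "--start-net-2-net") == 0)) {
		startAllNet2Net();
	}
	else if ((strcmp(option, "-kn2n") == 0) || (strcmp(option, "--kill-net-2-net") == 0)) {
		killAllNet2Net();
	}
	else if ((strcmp(option, "-sdo") == 0) || (strcmp(option, "--start-daemon-only") == 0)) {
		startDaemon();
	}
	else if ((strcmp(option, "-r") == 0) || (strcmp(option, "--restart") == 0)) {
		stopDaemon();
		setFirewallRules();
		startDaemon();
	}
	else if ((strcmp(option, "-fwr") == 0) || (strcmp(option, "--firewall-rules") == 0)) {
		setFirewallRules();
	}
	else {
		usage();
	}

	return 0;
}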