]> git.ipfire.org Git - ipfire-2.x.git/blob - src/misc-progs/captivectrl.c
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
captivectrl: Change format of clients configuration
[ipfire-2.x.git] / src / misc-progs / captivectrl.c
1 /* This file is part of the IPFire Firewall.
2 *
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details. */
5
6 #define _BSD_SOURCE
7 #define _XOPEN_SOURCE
8
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <time.h>
13
14 #include "libsmooth.h"
15 #include "setuid.h"
16
17 #define CAPTIVE_PORTAL_SETTINGS CONFIG_ROOT "/captive/settings"
18 #define ETHERNET_SETTINGS CONFIG_ROOT "/ethernet/settings"
19
20 #define CLIENTS CONFIG_ROOT "/captive/clients"
21 #define IPTABLES "/sbin/iptables --wait"
22 #define HTTP_PORT 80
23 #define REDIRECT_PORT 1013
24
25 typedef struct client {
26 char etheraddr[STRING_SIZE];
27 char ipaddr[STRING_SIZE];
28 time_t time_start;
29 int expires;
30
31 struct client* next;
32 } client_t;
33
34 static time_t parse_time(const char* s) {
35 int t = 0;
36
37 if (sscanf(s, "%d", &t) == 1) {
38 return (time_t)t;
39 }
40
41 return -1;
42 }
43
44 static char* format_time(const time_t* t) {
45 char buffer[STRING_SIZE];
46
47 struct tm* tm = gmtime(t);
48 if (tm == NULL)
49 return NULL;
50
51 strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M", tm);
52
53 return strdup(buffer);
54 }
55
56 static client_t* read_clients(char* filename) {
57 FILE* f = NULL;
58
59 if (!(f = fopen(filename, "r"))) {
60 fprintf(stderr, "Could not open configuration file: %s\n", filename);
61 return NULL;;
62 }
63
64 char line[STRING_SIZE];
65
66 client_t* client_first = NULL;
67 client_t* client_last = NULL;
68 client_t* client_curr;
69
70 while ((fgets(line, STRING_SIZE, f) != NULL)) {
71 if (line[strlen(line) - 1] == '\n')
72 line[strlen(line) - 1] = '\0';
73
74 client_curr = (client_t*)malloc(sizeof(client_t));
75 memset(client_curr, 0, sizeof(client_t));
76
77 if (client_first == NULL)
78 client_first = client_curr;
79 else
80 client_last->next = client_curr;
81 client_last = client_curr;
82
83 unsigned int count = 0;
84 char* lineptr = line;
85 while (1) {
86 if (!*lineptr)
87 break;
88
89 char* word = lineptr;
90 while (*lineptr != '\0') {
91 if (*lineptr == ',') {
92 *lineptr = '\0';
93 lineptr++;
94 break;
95 }
96 lineptr++;
97 }
98
99 switch (count++) {
100 // Ethernet address
101 case 1:
102 strcpy(client_curr->etheraddr, word);
103 break;
104
105 // IP address
106 case 2:
107 strcpy(client_curr->ipaddr, word);
108 break;
109
110 // Start time
111 case 3:
112 client_curr->time_start = parse_time(word);
113 break;
114
115 // Expire duration
116 case 4:
117 client_curr->expires = atoi(word);
118 break;
119
120 default:
121 break;
122 }
123 }
124 }
125
126 if (f)
127 fclose(f);
128
129 return client_first;
130 }
131
132 static void flush_chains() {
133 // filter
134 safe_system(IPTABLES " -F CAPTIVE_PORTAL");
135 safe_system(IPTABLES " -F CAPTIVE_PORTAL_CLIENTS");
136
137 // nat
138 safe_system(IPTABLES " -t nat -F CAPTIVE_PORTAL");
139 }
140
141 static int add_client_rules(const client_t* clients) {
142 char command[STRING_SIZE];
143 char match[STRING_SIZE];
144
145 while (clients) {
146 time_t expires = clients->time_start + clients->expires;
147
148 char* time_start = format_time(&clients->time_start);
149 char* time_end = format_time(&expires);
150
151 snprintf(match, sizeof(match), "-s %s -m mac --mac-source %s"
152 " -m time --datestart %s --datestop %s", clients->ipaddr,
153 clients->etheraddr, time_start, time_end);
154
155 free(time_start);
156 free(time_end);
157
158 // filter
159 snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
160 " %s -j RETURN", match);
161 safe_system(command);
162
163 // nat
164 snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL"
165 " %s -j RETURN", match);
166 safe_system(command);
167
168 // Move on to the next client
169 clients = clients->next;
170 }
171
172 return 0;
173 }
174
175 static char* get_key(struct keyvalue* settings, char* key) {
176 char value[STRING_SIZE];
177
178 if (!findkey(settings, key, value))
179 return NULL;
180
181 return strdup(value);
182 }
183
184 static int add_interface_rule(const char* intf, int allow_webif_access) {
185 int r;
186 char command[STRING_SIZE];
187
188 if ((intf == NULL) || (strlen(intf) == 0)) {
189 fprintf(stderr, "Empty interface given\n");
190 return -1;
191 }
192
193 snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -i %s"
194 " -j CAPTIVE_PORTAL_CLIENTS", intf);
195 r = safe_system(command);
196 if (r)
197 return r;
198
199 #if 0
200 snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL -o %s"
201 " -j CAPTIVE_PORTAL_CLIENTS", intf);
202 r = safe_system(command);
203 if (r)
204 return r;
205 #endif
206
207 if (allow_webif_access) {
208 snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
209 " -i %s -p tcp --dport 444 -j RETURN", intf);
210 r = safe_system(command);
211 if (r)
212 return r;
213 }
214
215 // Redirect all unauthenticated clients
216 snprintf(command, sizeof(command), IPTABLES " -t nat -A CAPTIVE_PORTAL -i %s"
217 " -p tcp --dport %d -j REDIRECT --to-ports %d", intf, HTTP_PORT, REDIRECT_PORT);
218 r = safe_system(command);
219 if (r)
220 return r;
221
222 return 0;
223 }
224
225 static int add_interface_rules(struct keyvalue* captive_portal_settings, struct keyvalue* ethernet_settings) {
226 const char* intf;
227 char* setting;
228 int r = 0;
229
230 setting = get_key(captive_portal_settings, "ENABLE_GREEN");
231 if (setting && (strcmp(setting, "on") == 0)) {
232 free(setting);
233
234 intf = get_key(ethernet_settings, "GREEN_DEV");
235 r = add_interface_rule(intf, /* allow webif access from green */ 1);
236 if (r)
237 return r;
238 }
239
240 setting = get_key(captive_portal_settings, "ENABLE_BLUE");
241 if (setting && (strcmp(setting, "on") == 0)) {
242 free(setting);
243
244 intf = get_key(ethernet_settings, "BLUE_DEV");
245 r = add_interface_rule(intf, /* do not allow webif access */ 0);
246 if (r)
247 return r;
248 }
249
250 // Always pass DNS packets through all firewall rules
251 r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p udp --dport 53 -j RETURN");
252 if (r)
253 return r;
254
255 r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -p tcp --dport 53 -j RETURN");
256 if (r)
257 return r;
258
259 char command[STRING_SIZE];
260 snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
261 " -p tcp --dport %d -j RETURN", REDIRECT_PORT);
262 r = safe_system(command);
263 if (r)
264 return r;
265
266 // Add the last rule
267 r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -j DROP");
268 if (r)
269 return r;
270
271 return r;
272 }
273
274 int main(int argc, char** argv) {
275 int r = 0;
276 char* intf = NULL;
277 client_t* clients = NULL;
278
279 if (!(initsetuid()))
280 exit(2);
281
282 struct keyvalue* ethernet_settings = initkeyvalues();
283 if (!readkeyvalues(ethernet_settings, ETHERNET_SETTINGS)) {
284 fprintf(stderr, "Could not read %s\n", ETHERNET_SETTINGS);
285 r = 1;
286 goto END;
287 }
288
289 struct keyvalue* captive_portal_settings = initkeyvalues();
290 if (!readkeyvalues(captive_portal_settings, CAPTIVE_PORTAL_SETTINGS)) {
291 fprintf(stderr, "Could not read %s\n", CAPTIVE_PORTAL_SETTINGS);
292 r = 1;
293 goto END;
294 }
295
296 clients = read_clients(CLIENTS);
297
298 // Clean up all old rules
299 flush_chains();
300
301 // Add all client rules
302 r = add_client_rules(clients);
303 if (r)
304 goto END;
305
306 // Add all interface rules
307 r = add_interface_rules(captive_portal_settings, ethernet_settings);
308 if (r)
309 goto END;
310
311 END:
312 while (clients) {
313 client_t* head = clients;
314 clients = clients->next;
315
316 free(head);
317 }
318
319 if (ethernet_settings)
320 freekeyvalues(ethernet_settings);
321
322 if (captive_portal_settings)
323 freekeyvalues(captive_portal_settings);
324
325 if (intf)
326 free(intf);
327
328 return r;
329 }
IPFire 2.x development tree