[people/pmueller/ipfire-2.x.git] / src / misc-progs / setfilters.c

/* Derivated from SmoothWall helper programs\r
 *\r
 * This program is distributed under the terms of the GNU General Public\r
 * Licence.  See the file COPYING for details.\r
 *\r
 * (c) Daniel Goscomb, 2001\r
 *\r
 * Modifications and improvements by Lawrence Manning.\r
 *\r
 * 19/04/03 Robert Kerr Fixed root exploit\r
 *\r
 * 20/08/05 Achim Weber 20 Modified to have a binary for the new firewall options page in IPCop 1.4.8\r
 *\r
 * 02/10/05 Gilles Espinasse treat only ping actually\r
 *\r
 * $Id: setfilters.c,v 1.1.2.2 2006/02/07 20:54:16 gespinasse Exp $\r
 *\r
 */\r
\r
#include <stdio.h>\r
#include <stdlib.h>\r
#include <string.h>\r
#include "libsmooth.h"\r
#include "setuid.h"\r
\r
struct keyvalue *kv = NULL;\r
FILE *ifacefile = NULL;\r
\r
void exithandler(void)\r
{\r
	if(kv)\r
		freekeyvalues(kv);\r
}\r
\r
int main(void)\r
{\r
	char iface[STRING_SIZE] = "";\r
	char command[STRING_SIZE];\r
	char disableping[STRING_SIZE];\r
	int redAvailable = 1;\r
\r
	if (!(initsetuid()))\r
		exit(1);\r
\r
	atexit(exithandler);\r
\r
	/* Read in and verify config */\r
	kv=initkeyvalues();\r
\r
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {\r
		fprintf(stderr, "Cannot read firewall option settings\n");\r
		exit(1);\r
	}\r
\r
	if (!findkey(kv, "DISABLEPING", disableping)) {\r
		fprintf(stderr, "Cannot read DISABLEPING\n");\r
		exit(1);\r
	}\r
\r
	if (strcmp(disableping, "NO") != 0 && strcmp(disableping, "ONLYRED") != 0 && strcmp(disableping, "ALL") != 0) {\r
		fprintf(stderr, "Bad DISABLEPING: %s\n", disableping);\r
		exit(1);\r
	}\r
\r
	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {\r
		redAvailable = 0;\r
	} else {\r
		if (fgets(iface, STRING_SIZE, ifacefile)) {\r
			if (iface[strlen(iface) - 1] == '\n')\r
				iface[strlen(iface) - 1] = '\0';\r
		}\r
		fclose (ifacefile);\r
		if (!VALID_DEVICE(iface)) {\r
			fprintf(stderr, "Bad iface: %s\n", iface);\r
			exit(1);\r
		}\r
		redAvailable = 1;\r
	}\r
\r
	safe_system("/sbin/iptables -F GUIINPUT");\r
\r
	/* don't need to do anything if ping is disabled, so treat only other cases */\r
	if (strcmp(disableping, "NO") == 0\r
		|| (strcmp(disableping, "ONLYRED") == 0 && redAvailable == 0)) {\r
		// We allow ping (icmp type 8) on every interfaces\r
		// or RED is not available, so we can enable it on all (available) Interfaces\r
		memset(command, 0, STRING_SIZE);\r
		snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT");\r
		safe_system(command);\r
	} else {\r
		// Allow ping only on internal interfaces\r
		if(strcmp(disableping, "ONLYRED") == 0) {\r
			memset(command, 0, STRING_SIZE);\r
			snprintf(command, STRING_SIZE - 1,\r
				"/sbin/iptables -A GUIINPUT -i ! %s  -p icmp --icmp-type 8 -j ACCEPT", iface);\r
			safe_system(command);\r
		}\r
	}\r
	return 0;\r
}\r
Commit	Line	Data
cd1a2927 MT	1	/* Derivated from SmoothWall helper programs\r
	2	*\r
	3	* This program is distributed under the terms of the GNU General Public\r
	4	* Licence. See the file COPYING for details.\r
	5	*\r
	6	* (c) Daniel Goscomb, 2001\r
	7	*\r
	8	* Modifications and improvements by Lawrence Manning.\r
	9	*\r
	10	* 19/04/03 Robert Kerr Fixed root exploit\r
	11	*\r
	12	* 20/08/05 Achim Weber 20 Modified to have a binary for the new firewall options page in IPCop 1.4.8\r
	13	*\r
	14	* 02/10/05 Gilles Espinasse treat only ping actually\r
	15	*\r
	16	* $Id: setfilters.c,v 1.1.2.2 2006/02/07 20:54:16 gespinasse Exp $\r
	17	*\r
	18	*/\r
	19	\r
	20	#include <stdio.h>\r
	21	#include <stdlib.h>\r
	22	#include <string.h>\r
	23	#include "libsmooth.h"\r
	24	#include "setuid.h"\r
	25	\r
	26	struct keyvalue *kv = NULL;\r
	27	FILE *ifacefile = NULL;\r
	28	\r
	29	void exithandler(void)\r
	30	{\r
	31	if(kv)\r
	32	freekeyvalues(kv);\r
	33	}\r
	34	\r
	35	int main(void)\r
	36	{\r
	37	char iface[STRING_SIZE] = "";\r
	38	char command[STRING_SIZE];\r
	39	char disableping[STRING_SIZE];\r
	40	int redAvailable = 1;\r
	41	\r
	42	if (!(initsetuid()))\r
	43	exit(1);\r
	44	\r
	45	atexit(exithandler);\r
	46	\r
	47	/* Read in and verify config */\r
	48	kv=initkeyvalues();\r
	49	\r
	50	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {\r
	51	fprintf(stderr, "Cannot read firewall option settings\n");\r
	52	exit(1);\r
	53	}\r
	54	\r
	55	if (!findkey(kv, "DISABLEPING", disableping)) {\r
	56	fprintf(stderr, "Cannot read DISABLEPING\n");\r
	57	exit(1);\r
	58	}\r
	59	\r
	60	if (strcmp(disableping, "NO") != 0 && strcmp(disableping, "ONLYRED") != 0 && strcmp(disableping, "ALL") != 0) {\r
	61	fprintf(stderr, "Bad DISABLEPING: %s\n", disableping);\r
	62	exit(1);\r
	63	}\r
	64	\r
65	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {\r
66	redAvailable = 0;\r
67	} else {\r
68	if (fgets(iface, STRING_SIZE, ifacefile)) {\r
69	if (iface[strlen(iface) - 1] == '\n')\r
70	iface[strlen(iface) - 1] = '\0';\r
71	}\r
72	fclose (ifacefile);\r
73	if (!VALID_DEVICE(iface)) {\r
74	fprintf(stderr, "Bad iface: %s\n", iface);\r
75	exit(1);\r
76	}\r
77	redAvailable = 1;\r
78	}\r
79	\r
80	safe_system("/sbin/iptables -F GUIINPUT");\r
81	\r
82	/* don't need to do anything if ping is disabled, so treat only other cases */\r
83	if (strcmp(disableping, "NO") == 0\r
84	\|\| (strcmp(disableping, "ONLYRED") == 0 && redAvailable == 0)) {\r
85	// We allow ping (icmp type 8) on every interfaces\r
86	// or RED is not available, so we can enable it on all (available) Interfaces\r
87	memset(command, 0, STRING_SIZE);\r
88	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT");\r
89	safe_system(command);\r
90	} else {\r
91	// Allow ping only on internal interfaces\r
92	if(strcmp(disableping, "ONLYRED") == 0) {\r
93	memset(command, 0, STRING_SIZE);\r
94	snprintf(command, STRING_SIZE - 1,\r
95	"/sbin/iptables -A GUIINPUT -i ! %s -p icmp --icmp-type 8 -j ACCEPT", iface);\r
96	safe_system(command);\r
97	}\r
98	}\r
99	return 0;\r
100	}\r