[people/pmueller/ipfire-2.x.git] / src / misc-progs / setportfw.c

/* SmoothWall helper program - setportfw\r
 *\r
 * This program is distributed under the terms of the GNU General Public\r
 * Licence.  See the file COPYING for details.\r
 *\r
 * (c) Daniel Goscomb, 2001\r
 * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases\r
 * \r
 * Modifications and improvements by Lawrence Manning.\r
 *\r
 * 10/04/01 Aslak added protocol support\r
 * This program reads the list of ports to forward and setups iptables\r
 * and rules in ipmasqadm to enable them.\r
 *\r
 * 02/11/03 Darren Critchley modifications to allow it to open multiple\r
 *							 source ip addresses\r
 * 02/25/03 Darren Critchley modifications to allow port ranges\r
 * 04/01/03 Darren Critchley modifications to allow gre protocol\r
 * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly,\r
 *                      tidied up the iptables logic, killed duplicated code,\r
 *                      removed srciptmp (unecessary)\r
 *\r
 * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $\r
 * \r
 */\r
\r
#include <stdio.h>\r
#include <string.h>\r
#include <stdlib.h>\r
#include "libsmooth.h"\r
#include "setuid.h"\r
\r
struct keyvalue *kv = NULL;\r
FILE *fwdfile = NULL;\r
\r
void exithandler(void)\r
{\r
	if(kv)\r
		freekeyvalues(kv);\r
	if (fwdfile)\r
		fclose(fwdfile);\r
}\r
\r
int main(void)\r
{\r
	FILE *ipfile = NULL, *ifacefile = NULL;\r
	int count;\r
	char iface[STRING_SIZE];\r
	char locip[STRING_SIZE];\r
	char greenip[STRING_SIZE], greenmask[STRING_SIZE];\r
	char bluedev[STRING_SIZE], blueip[STRING_SIZE], bluemask[STRING_SIZE];\r
	char orangedev[STRING_SIZE], orangeip[STRING_SIZE], orangemask[STRING_SIZE];\r
	char *protocol;\r
	char *srcip;\r
	char *locport;\r
	char *remip;\r
	char *remport;\r
	char *origip;\r
	char *enabled;\r
	char s[STRING_SIZE];\r
	char *result;\r
	char *key1;\r
	char *key2;\r
	char command[STRING_SIZE];\r
\r
	if (!(initsetuid()))\r
		exit(1);\r
\r
	atexit(exithandler);\r
\r
	/* Read in and verify config */\r
	kv=initkeyvalues();\r
\r
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
	{\r
		fprintf(stderr, "Cannot read ethernet settings\n");\r
		exit(1);\r
	}\r
\r
	if (!findkey(kv, "GREEN_ADDRESS", greenip))\r
	{\r
		fprintf(stderr, "Cannot read GREEN_ADDRESS\n");\r
		exit(1);\r
	}\r
\r
	if (!VALID_IP(greenip))\r
	{\r
		fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip);\r
		exit(1);\r
	}\r
\r
	if (!findkey(kv, "GREEN_NETMASK", greenmask))\r
	{\r
		fprintf(stderr, "Cannot read GREEN_NETMASK\n");\r
		exit(1);\r
	}\r
\r
	if (!VALID_IP(greenmask))\r
	{\r
		fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask);\r
		exit(1);\r
	}\r
\r
	/* Get the BLUE interface details */\r
	findkey(kv, "BLUE_DEV", bluedev);\r
\r
	if (strlen(bluedev))\r
	{\r
\r
		if (!VALID_DEVICE(bluedev))\r
		{\r
			fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev);\r
			exit(1);\r
		}\r
\r
		if (!findkey(kv, "BLUE_ADDRESS", blueip))\r
		{\r
			fprintf(stderr, "Cannot read BLUE_ADDRESS\n");\r
			exit(1);\r
		}\r
\r
		if (!VALID_IP(blueip))\r
		{\r
			fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip);\r
			exit(1);\r
		}\r
\r
		if (!findkey(kv, "BLUE_NETMASK", bluemask))\r
		{\r
			fprintf(stderr, "Cannot read BLUE_NETMASK\n");\r
			exit(1);\r
		}\r
\r
		if (!VALID_IP(bluemask))\r
		{\r
			fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask);\r
			exit(1);\r
		}\r
\r
	}\r
\r
	/* Get the ORANGE interface details */\r
	findkey(kv, "ORANGE_DEV", orangedev);\r
\r
	if (strlen(orangedev))\r
	{\r
\r
		if (!VALID_DEVICE(orangedev))\r
		{\r
			fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev);\r
			exit(1);\r
		}\r
\r
		if (!findkey(kv, "ORANGE_ADDRESS", orangeip))\r
		{\r
			fprintf(stderr, "Cannot read ORANGE_ADDRESS\n");\r
			exit(1);\r
		}\r
\r
		if (!VALID_IP(orangeip))\r
		{\r
			fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip);\r
			exit(1);\r
		}\r
\r
		if (!findkey(kv, "ORANGE_NETMASK", orangemask))\r
		{\r
			fprintf(stderr, "Cannot read ORANGE_NETMASK\n");\r
			exit(1);\r
		}\r
\r
		if (!VALID_IP(orangemask))\r
		{\r
			fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask);\r
			exit(1);\r
		}\r
\r
	}\r
\r
\r
	if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
	{\r
		fprintf(stderr, "Couldn't open local ip file\n");\r
		exit(1);\r
	}\r
	fgets(locip, STRING_SIZE, ipfile);\r
	if (locip[strlen(locip) - 1] == '\n')\r
		locip[strlen(locip) - 1] = '\0';\r
	fclose (ipfile);\r
	if (!VALID_IP(locip))\r
	{\r
		fprintf(stderr, "Bad local IP: %s\n", locip);\r
		exit(1);\r
	}\r
 	\r
	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
	{\r
		fprintf(stderr, "Couldn't open iface file\n");\r
		exit(1);\r
	}\r
	fgets(iface, STRING_SIZE, ifacefile);\r
	if (iface[strlen(iface) - 1] == '\n')\r
		iface[strlen(iface) - 1] = '\0';\r
	fclose (ifacefile);\r
	if (!VALID_DEVICE(iface))\r
	{\r
		fprintf(stderr, "Bad iface: %s\n", iface);\r
		exit(1);\r
	}\r
 	\r
	if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r")))\r
	{\r
		fprintf(stderr, "Couldn't open portfw settings file\n");\r
		exit(1);\r
	}\r
\r
	safe_system("/sbin/iptables -t nat -F PORTFW");\r
	safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE");\r
	safe_system("/sbin/iptables -F PORTFWACCESS");\r
\r
	while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
	{\r
		if (s[strlen(s) - 1] == '\n')\r
			s[strlen(s) - 1] = '\0';\r
		result = strtok(s, ",");\r
\r
		count = 0;\r
		key1 = NULL;\r
		key2 = NULL;\r
		protocol = NULL;\r
		srcip = NULL;\r
		locport = NULL;\r
		remip = NULL;\r
		origip = NULL;\r
		remport = NULL;\r
		enabled = NULL;\r
		while (result)\r
		{\r
			if (count == 0)\r
				key1 = result;\r
			else if (count == 1)\r
				key2 = result;\r
			else if (count == 2)\r
				protocol = result;\r
			else if (count == 3)\r
				locport = result;\r
			else if (count == 4)\r
				remip = result;\r
			else if (count == 5)\r
				remport = result;\r
			else if (count == 6)\r
				enabled = result;\r
			else if (count == 7)\r
				srcip = result;\r
			else if (count == 8)\r
				origip = result;\r
			count++;\r
			result = strtok(NULL, ",");\r
		}\r
		\r
		if (!(key1 && key2 && protocol && locport && remip && remport && enabled\r
			&& srcip && origip))\r
			break;\r
		\r
		if (!VALID_PROTOCOL(protocol))\r
		{\r
			fprintf(stderr, "Bad protocol: %s\n", protocol);\r
			exit(1);\r
		}\r
		if (strcmp(protocol, "gre") == 0)\r
		{\r
			locport = "0";\r
			remport = "0";\r
		}\r
		if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip))\r
		{\r
			fprintf(stderr, "Bad IP: %s\n", origip);\r
			exit(1);\r
		}\r
		if (!VALID_PORT_RANGE(locport))\r
		{\r
			fprintf(stderr, "Bad local port: %s\n", locport);\r
			exit(1);\r
		}\r
		if (!VALID_IP(remip))\r
		{\r
			fprintf(stderr, "Bad remote IP: %s\n", remip);\r
			exit(1);\r
		}\r
		if (!VALID_PORT_RANGE(remport))\r
		{\r
			fprintf(stderr, "Bad remote port: %s\n", remport);\r
			exit(1);\r
		}\r
\r
                /* check for source ip in config file. If it's there\r
                 * and it's not 0.0.0.0, use it; else use the\r
                 * local ip address. (This makes sure we can use old-style\r
                 * config files without the source ip) */\r
		if (!srcip || !strcmp(srcip, "0.0.0.0"))\r
			srcip = locip;\r
		if (strcmp(srcip,"0") && !VALID_IP(srcip))\r
		{\r
			fprintf(stderr, "Bad source IP: %s\n", srcip);\r
			exit(1);\r
		}\r
\r
		/* This may seem complicated... refer to portfw.pl for an explanation of\r
		 * the keys and their meaning in certain circumstances */\r
                        \r
		if (strcmp(enabled, "on") == 0)\r
		{\r
\r
			/* If key2 is a zero, then it is a portfw command, otherwise it is an\r
			 * external access command */\r
			if (strcmp(key2, "0") == 0) \r
			{\r
				memset(command, 0, STRING_SIZE);\r
				if (strcmp(protocol, "gre") == 0)\r
					snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip);\r
				else \r
				{\r
					char *ctr;\r
					/* If locport contains a - we need to change it to a : */\r
					if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';}\r
					/* If remport contains a : we need to change it to a - */\r
					if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';}\r
					snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport);\r
					safe_system(command);\r
					/* Now if remport contains a - we need to change it to a : */\r
					if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
					snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport);\r
					if (strlen(bluedev))\r
					{\r
						safe_system(command);\r
						snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport);\r
					}\r
					if (strlen(orangedev))\r
					{\r
						safe_system(command);\r
						snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport);\r
					}\r
				}\r
				safe_system(command);\r
			}\r
\r
			/* if key2 is not "0" then it's an external access rule, if key2 is "0"\r
			 * then the portfw rule may contain external access information if origip\r
			 * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open\r
			 * to all; again, check portfw.pl for more details) */\r
			if(strcmp(key2, "0") || strcmp(origip,"0") )\r
			{\r
				memset(command, 0, STRING_SIZE);\r
				if (strcmp(protocol, "gre") == 0)\r
					snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip);\r
				else\r
				{\r
					char *ctr;\r
					/* If remport contains a - we need to change it to a : */\r
					if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
					snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport);\r
				}\r
				safe_system(command);\r
			}\r
		}\r
	}\r
\r
	return 0;\r
}\r
Commit	Line	Data
cd1a2927 MT	1	/* SmoothWall helper program - setportfw\r
	2	*\r
	3	* This program is distributed under the terms of the GNU General Public\r
	4	* Licence. See the file COPYING for details.\r
	5	*\r
	6	* (c) Daniel Goscomb, 2001\r
	7	* Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases\r
	8	* \r
	9	* Modifications and improvements by Lawrence Manning.\r
	10	*\r
	11	* 10/04/01 Aslak added protocol support\r
	12	* This program reads the list of ports to forward and setups iptables\r
	13	* and rules in ipmasqadm to enable them.\r
	14	*\r
	15	* 02/11/03 Darren Critchley modifications to allow it to open multiple\r
	16	* source ip addresses\r
	17	* 02/25/03 Darren Critchley modifications to allow port ranges\r
	18	* 04/01/03 Darren Critchley modifications to allow gre protocol\r
	19	* 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly,\r
	20	* tidied up the iptables logic, killed duplicated code,\r
	21	* removed srciptmp (unecessary)\r
	22	*\r
	23	* $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $\r
	24	* \r
	25	*/\r
	26	\r
	27	#include <stdio.h>\r
	28	#include <string.h>\r
	29	#include <stdlib.h>\r
	30	#include "libsmooth.h"\r
	31	#include "setuid.h"\r
	32	\r
	33	struct keyvalue *kv = NULL;\r
	34	FILE *fwdfile = NULL;\r
	35	\r
	36	void exithandler(void)\r
	37	{\r
	38	if(kv)\r
	39	freekeyvalues(kv);\r
	40	if (fwdfile)\r
	41	fclose(fwdfile);\r
	42	}\r
	43	\r
	44	int main(void)\r
	45	{\r
	46	FILE ipfile = NULL, ifacefile = NULL;\r
	47	int count;\r
	48	char iface[STRING_SIZE];\r
	49	char locip[STRING_SIZE];\r
	50	char greenip[STRING_SIZE], greenmask[STRING_SIZE];\r
	51	char bluedev[STRING_SIZE], blueip[STRING_SIZE], bluemask[STRING_SIZE];\r
	52	char orangedev[STRING_SIZE], orangeip[STRING_SIZE], orangemask[STRING_SIZE];\r
	53	char *protocol;\r
	54	char *srcip;\r
	55	char *locport;\r
	56	char *remip;\r
	57	char *remport;\r
	58	char *origip;\r
	59	char *enabled;\r
	60	char s[STRING_SIZE];\r
	61	char *result;\r
	62	char *key1;\r
	63	char *key2;\r
	64	char command[STRING_SIZE];\r
65	\r
66	if (!(initsetuid()))\r
67	exit(1);\r
68	\r
69	atexit(exithandler);\r
70	\r
71	/* Read in and verify config */\r
72	kv=initkeyvalues();\r
73	\r
74	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
75	{\r
76	fprintf(stderr, "Cannot read ethernet settings\n");\r
77	exit(1);\r
78	}\r
79	\r
80	if (!findkey(kv, "GREEN_ADDRESS", greenip))\r
81	{\r
82	fprintf(stderr, "Cannot read GREEN_ADDRESS\n");\r
83	exit(1);\r
84	}\r
85	\r
86	if (!VALID_IP(greenip))\r
87	{\r
88	fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip);\r
89	exit(1);\r
90	}\r
91	\r
92	if (!findkey(kv, "GREEN_NETMASK", greenmask))\r
93	{\r
94	fprintf(stderr, "Cannot read GREEN_NETMASK\n");\r
95	exit(1);\r
96	}\r
97	\r
98	if (!VALID_IP(greenmask))\r
99	{\r
100	fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask);\r
101	exit(1);\r
102	}\r
103	\r
104	/* Get the BLUE interface details */\r
105	findkey(kv, "BLUE_DEV", bluedev);\r
106	\r
107	if (strlen(bluedev))\r
108	{\r
109	\r
110	if (!VALID_DEVICE(bluedev))\r
111	{\r
112	fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev);\r
113	exit(1);\r
114	}\r
115	\r
116	if (!findkey(kv, "BLUE_ADDRESS", blueip))\r
117	{\r
118	fprintf(stderr, "Cannot read BLUE_ADDRESS\n");\r
119	exit(1);\r
120	}\r
121	\r
122	if (!VALID_IP(blueip))\r
123	{\r
124	fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip);\r
125	exit(1);\r
126	}\r
127	\r
128	if (!findkey(kv, "BLUE_NETMASK", bluemask))\r
129	{\r
130	fprintf(stderr, "Cannot read BLUE_NETMASK\n");\r
131	exit(1);\r
132	}\r
133	\r
134	if (!VALID_IP(bluemask))\r
135	{\r
136	fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask);\r
137	exit(1);\r
138	}\r
139	\r
140	}\r
141	\r
142	/* Get the ORANGE interface details */\r
143	findkey(kv, "ORANGE_DEV", orangedev);\r
144	\r
145	if (strlen(orangedev))\r
146	{\r
147	\r
148	if (!VALID_DEVICE(orangedev))\r
149	{\r
150	fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev);\r
151	exit(1);\r
152	}\r
153	\r
154	if (!findkey(kv, "ORANGE_ADDRESS", orangeip))\r
155	{\r
156	fprintf(stderr, "Cannot read ORANGE_ADDRESS\n");\r
157	exit(1);\r
158	}\r
159	\r
160	if (!VALID_IP(orangeip))\r
161	{\r
162	fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip);\r
163	exit(1);\r
164	}\r
165	\r
166	if (!findkey(kv, "ORANGE_NETMASK", orangemask))\r
167	{\r
168	fprintf(stderr, "Cannot read ORANGE_NETMASK\n");\r
169	exit(1);\r
170	}\r
171	\r
172	if (!VALID_IP(orangemask))\r
173	{\r
174	fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask);\r
175	exit(1);\r
176	}\r
177	\r
178	}\r
179	\r
180	\r
181	if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
182	{\r
183	fprintf(stderr, "Couldn't open local ip file\n");\r
184	exit(1);\r
185	}\r
186	fgets(locip, STRING_SIZE, ipfile);\r
187	if (locip[strlen(locip) - 1] == '\n')\r
188	locip[strlen(locip) - 1] = '\0';\r
189	fclose (ipfile);\r
190	if (!VALID_IP(locip))\r
191	{\r
192	fprintf(stderr, "Bad local IP: %s\n", locip);\r
193	exit(1);\r
194	}\r
195	\r
196	if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
197	{\r
198	fprintf(stderr, "Couldn't open iface file\n");\r
199	exit(1);\r
200	}\r
201	fgets(iface, STRING_SIZE, ifacefile);\r
202	if (iface[strlen(iface) - 1] == '\n')\r
203	iface[strlen(iface) - 1] = '\0';\r
204	fclose (ifacefile);\r
205	if (!VALID_DEVICE(iface))\r
206	{\r
207	fprintf(stderr, "Bad iface: %s\n", iface);\r
208	exit(1);\r
209	}\r
210	\r
211	if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r")))\r
212	{\r
213	fprintf(stderr, "Couldn't open portfw settings file\n");\r
214	exit(1);\r
215	}\r
216	\r
217	safe_system("/sbin/iptables -t nat -F PORTFW");\r
218	safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE");\r
219	safe_system("/sbin/iptables -F PORTFWACCESS");\r
220	\r
221	while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
222	{\r
223	if (s[strlen(s) - 1] == '\n')\r
224	s[strlen(s) - 1] = '\0';\r
225	result = strtok(s, ",");\r
226	\r
227	count = 0;\r
228	key1 = NULL;\r
229	key2 = NULL;\r
230	protocol = NULL;\r
231	srcip = NULL;\r
232	locport = NULL;\r
233	remip = NULL;\r
234	origip = NULL;\r
235	remport = NULL;\r
236	enabled = NULL;\r
237	while (result)\r
238	{\r
239	if (count == 0)\r
240	key1 = result;\r
241	else if (count == 1)\r
242	key2 = result;\r
243	else if (count == 2)\r
244	protocol = result;\r
245	else if (count == 3)\r
246	locport = result;\r
247	else if (count == 4)\r
248	remip = result;\r
249	else if (count == 5)\r
250	remport = result;\r
251	else if (count == 6)\r
252	enabled = result;\r
253	else if (count == 7)\r
254	srcip = result;\r
255	else if (count == 8)\r
256	origip = result;\r
257	count++;\r
258	result = strtok(NULL, ",");\r
259	}\r
260	\r
261	if (!(key1 && key2 && protocol && locport && remip && remport && enabled\r
262	&& srcip && origip))\r
263	break;\r
264	\r
265	if (!VALID_PROTOCOL(protocol))\r
266	{\r
267	fprintf(stderr, "Bad protocol: %s\n", protocol);\r
268	exit(1);\r
269	}\r
270	if (strcmp(protocol, "gre") == 0)\r
271	{\r
272	locport = "0";\r
273	remport = "0";\r
274	}\r
275	if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip))\r
276	{\r
277	fprintf(stderr, "Bad IP: %s\n", origip);\r
278	exit(1);\r
279	}\r
280	if (!VALID_PORT_RANGE(locport))\r
281	{\r
282	fprintf(stderr, "Bad local port: %s\n", locport);\r
283	exit(1);\r
284	}\r
285	if (!VALID_IP(remip))\r
286	{\r
287	fprintf(stderr, "Bad remote IP: %s\n", remip);\r
288	exit(1);\r
289	}\r
290	if (!VALID_PORT_RANGE(remport))\r
291	{\r
292	fprintf(stderr, "Bad remote port: %s\n", remport);\r
293	exit(1);\r
294	}\r
295	\r
296	/* check for source ip in config file. If it's there\r
297	* and it's not 0.0.0.0, use it; else use the\r
298	* local ip address. (This makes sure we can use old-style\r
299	* config files without the source ip) */\r
300	if (!srcip \|\| !strcmp(srcip, "0.0.0.0"))\r
301	srcip = locip;\r
302	if (strcmp(srcip,"0") && !VALID_IP(srcip))\r
303	{\r
304	fprintf(stderr, "Bad source IP: %s\n", srcip);\r
305	exit(1);\r
306	}\r
307	\r
308	/* This may seem complicated... refer to portfw.pl for an explanation of\r
309	* the keys and their meaning in certain circumstances */\r
310	\r
311	if (strcmp(enabled, "on") == 0)\r
312	{\r
313	\r
314	/* If key2 is a zero, then it is a portfw command, otherwise it is an\r
315	* external access command */\r
316	if (strcmp(key2, "0") == 0) \r
317	{\r
318	memset(command, 0, STRING_SIZE);\r
319	if (strcmp(protocol, "gre") == 0)\r
320	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip);\r
321	else \r
322	{\r
323	char *ctr;\r
324	/* If locport contains a - we need to change it to a : */\r
325	if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';}\r
326	/* If remport contains a : we need to change it to a - */\r
327	if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';}\r
328	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport);\r
329	safe_system(command);\r
330	/* Now if remport contains a - we need to change it to a : */\r
331	if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
332	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport);\r
333	if (strlen(bluedev))\r
334	{\r
335	safe_system(command);\r
336	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport);\r
337	}\r
338	if (strlen(orangedev))\r
339	{\r
340	safe_system(command);\r
341	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport);\r
342	}\r
343	}\r
344	safe_system(command);\r
345	}\r
346	\r
347	/* if key2 is not "0" then it's an external access rule, if key2 is "0"\r
348	* then the portfw rule may contain external access information if origip\r
349	* is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open\r
350	* to all; again, check portfw.pl for more details) */\r
351	if(strcmp(key2, "0") \|\| strcmp(origip,"0") )\r
352	{\r
353	memset(command, 0, STRING_SIZE);\r
354	if (strcmp(protocol, "gre") == 0)\r
355	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip);\r
356	else\r
357	{\r
358	char *ctr;\r
359	/* If remport contains a - we need to change it to a : */\r
360	if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
361	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport);\r
362	}\r
363	safe_system(command);\r
364	}\r
365	}\r
366	}\r
367	\r
368	return 0;\r
369	}\r