1 /* Derived from SmoothWall helper programs
2 *
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details.
5 *
6 * (c) Daniel Goscomb, 2001
7 *
8 * Modifications and improvements by Lawrence Manning.
9 *
10 * 19/04/03 Robert Kerr Fixed root exploit
11 *
12 * 20/08/05 Achim Weber 20 Modified to have a binary for the new firewall options page in IPCop 1.4.8
13 *
14 * 02/10/05 Gilles Espinasse treat only ping actually
15 *
16 * $Id: setfilters.c,v 1.1.2.2 2006/02/07 20:54:16 gespinasse Exp $
17 *
18 */
19
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include "libsmooth.h"
24 #include "setuid.h"
25
/* Settings list: assigned from initkeyvalues() in main(), released by exithandler(). */
struct keyvalue *kv = NULL;
/* Stream for CONFIG_ROOT "/red/iface"; opened and closed inside main(). */
FILE *ifacefile = NULL;
28
/*
 * Exit hook (registered with atexit() in main): release the key/value
 * list held in the global kv, if one was ever assigned.
 */
void exithandler(void)
{
	/* Nothing to release when main() exited before kv was set. */
	if (kv == NULL)
		return;

	freekeyvalues(kv);
}
34
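/*
 * Rebuild the GUIINPUT iptables chain from the DISABLEPING firewall option.
 *
 * Reads DISABLEPING from CONFIG_ROOT "/optionsfw/settings" and the RED
 * interface name from CONFIG_ROOT "/red/iface", flushes GUIINPUT, then:
 *   NO       - accept ICMP echo-request (type 8) on every interface
 *   ONLYRED  - accept it on every interface except RED; if the RED iface
 *              file cannot be opened, accept it everywhere
 *   ALL      - add no rule (the chain stays flushed)
 *
 * Returns 0 once the rules have been issued; exits with status 1 on any
 * configuration or validation error.
 *
 * Both input files are treated as untrusted: their contents end up in a
 * command line handed to safe_system(), so every value is checked against
 * an allow-list (DISABLEPING) or VALID_DEVICE() (iface) before use.
 *
 * NOTE(review): the return value of safe_system() is ignored throughout,
 * so a failing iptables call is not reported to the caller. Confirm
 * whether callers rely on the exit status before changing that.
 */
int main(void)
{
	char iface[STRING_SIZE] = "";
	char command[STRING_SIZE];
	char disableping[STRING_SIZE];
	int redAvailable = 1;
	int len;

	/* NOTE(review): initsetuid() comes from setuid.h and is not visible
	 * here; presumably it performs the privilege setup for this helper. */
	if (!(initsetuid()))
		exit(1);

	atexit(exithandler);

	/* Read in and verify config */
	kv = initkeyvalues();
	if (!kv) {
		/* exithandler() already treats a NULL kv as possible; do not
		 * pass one on to readkeyvalues()/findkey(). */
		fprintf(stderr, "Cannot initialise firewall option settings\n");
		exit(1);
	}

	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read firewall option settings\n");
		exit(1);
	}

	/* NOTE(review): findkey() writes into disableping without a size
	 * argument; presumably values are capped at STRING_SIZE by
	 * libsmooth - verify against its implementation. */
	if (!findkey(kv, "DISABLEPING", disableping)) {
		fprintf(stderr, "Cannot read DISABLEPING\n");
		exit(1);
	}

	/* Allow-list: only these three values are ever acted upon. */
	if (strcmp(disableping, "NO") != 0
	    && strcmp(disableping, "ONLYRED") != 0
	    && strcmp(disableping, "ALL") != 0) {
		fprintf(stderr, "Bad DISABLEPING: %s\n", disableping);
		exit(1);
	}

	ifacefile = fopen(CONFIG_ROOT "/red/iface", "r");
	if (!ifacefile) {
		redAvailable = 0;
	} else {
		if (fgets(iface, STRING_SIZE, ifacefile)) {
			/* strcspn() cannot index before the buffer, unlike
			 * iface[strlen(iface) - 1] when the line starts with
			 * a NUL byte and strlen() is therefore 0. */
			iface[strcspn(iface, "\n")] = '\0';
		} else {
			/* After a read error the buffer contents are
			 * indeterminate; make sure validation sees "". */
			iface[0] = '\0';
		}
		fclose(ifacefile);
		ifacefile = NULL;

		/* An empty name is rejected explicitly so the result does not
		 * depend on how VALID_DEVICE() treats "". */
		if (iface[0] == '\0' || !VALID_DEVICE(iface)) {
			fprintf(stderr, "Bad iface: %s\n", iface);
			exit(1);
		}
		redAvailable = 1;
	}

	safe_system("/sbin/iptables -F GUIINPUT");

	/* don't need to do anything if ping is disabled, so treat only other cases */
	if (strcmp(disableping, "NO") == 0
	    || (strcmp(disableping, "ONLYRED") == 0 && redAvailable == 0)) {
		/* Ping (icmp type 8) is allowed on every interface, or RED is
		 * not available, so it can be enabled on all interfaces. */
		safe_system("/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT");
	} else if (strcmp(disableping, "ONLYRED") == 0) {
		/* Allow ping only on internal interfaces */
		len = snprintf(command, sizeof command,
			"/sbin/iptables -A GUIINPUT -i ! %s -p icmp --icmp-type 8 -j ACCEPT", iface);
		/* Never execute a truncated rule. Exiting here leaves GUIINPUT
		 * flushed, i.e. without any ping ACCEPT rule. */
		if (len < 0 || (size_t)len >= sizeof command) {
			fprintf(stderr, "iptables command too long\n");
			exit(1);
		}
		safe_system(command);
	}
	return 0;
}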