-/* SmoothWall helper program - restartsquid\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence. See the file COPYING for details.\r
- *\r
- * (c) Lawrence Manning, 2001\r
- * Restarting squid with transparent proxying.\r
- *\r
- * 05/02/2004 - Roy Walker <rwalker@miracomnetwork.com>\r
- * Exclude red network from transparent proxy to allow browsing to alias IPs\r
- * Read in VPN settings and exclude each VPN network from transparent proxy\r
- * \r
- * $Id: restartsquid.c,v 1.7.2.8 2005/04/22 18:44:37 rkerr Exp $\r
- * \r
- */\r
- \r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <unistd.h>\r
-#include <stdlib.h>\r
-#include <pwd.h>\r
-#include <sys/types.h>\r
-#include <sys/stat.h>\r
-#include <fcntl.h>\r
-#include "libsmooth.h"\r
-#include "setuid.h"\r
-\r
-int main(int argc, char *argv[])\r
-{\r
- int fd = -1;\r
- int enable = 0;\r
- int enablevpn = 0;\r
- int transparent = 0;\r
- int enable_blue = 0;\r
- int transparent_blue = 0;\r
- int running = 0;\r
- struct stat st;\r
- FILE *ipfile;\r
- char localip[STRING_SIZE] = "";\r
- struct keyvalue *net = NULL;\r
- struct keyvalue *squid = NULL;\r
- char buffer[STRING_SIZE];\r
- char proxy_port[STRING_SIZE];\r
- char s[STRING_SIZE];\r
- char green_dev[STRING_SIZE] = "";\r
- char blue_dev[STRING_SIZE] = "";\r
- char red_netaddress[STRING_SIZE] = "";\r
- char red_netmask[STRING_SIZE] = "";\r
- char configtype[STRING_SIZE] = "";\r
- char redtype[STRING_SIZE] = "";\r
- char enableredvpn[STRING_SIZE] = "";\r
- char enablebluevpn[STRING_SIZE] = "";\r
-\r
- if (!(initsetuid()))\r
- exit(1);\r
-\r
- /* Kill running squid */\r
- safe_system("/sbin/iptables -t nat -F SQUID");\r
- safe_system("/usr/sbin/squid -k shutdown >/dev/null 2>/dev/null");\r
- sleep(5);\r
- safe_system("/bin/killall -9 squid >/dev/null 2>/dev/null");\r
- \r
- /* See if proxy is enabled and / or transparent */\r
- if ((fd = open(CONFIG_ROOT "/proxy/enable", O_RDONLY)) != -1)\r
- {\r
- close(fd);\r
- enable = 1;\r
- }\r
- if ((fd = open(CONFIG_ROOT "/proxy/transparent", O_RDONLY)) != -1)\r
- {\r
- close(fd);\r
- transparent = 1;\r
- }\r
- if ((fd = open(CONFIG_ROOT "/proxy/enable_blue", O_RDONLY)) != -1)\r
- {\r
- close(fd);\r
- enable_blue = 1;\r
- }\r
- if ((fd = open(CONFIG_ROOT "/proxy/transparent_blue", O_RDONLY)) != -1)\r
- {\r
- close(fd);\r
- transparent_blue = 1;\r
- }\r
-\r
- /* Read the network configuration */\r
- net=initkeyvalues();\r
- if (!readkeyvalues(net, CONFIG_ROOT "/ethernet/settings"))\r
- {\r
- fprintf(stderr, "Cannot read ethernet settings\n");\r
- exit(1);\r
- }\r
- if (!findkey(net, "GREEN_DEV", green_dev))\r
- {\r
- fprintf(stderr, "Cannot read GREEN_DEV\n");\r
- exit(1);\r
- }\r
- if (!VALID_DEVICE(green_dev))\r
- {\r
- fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);\r
- exit(1);\r
- }\r
- if (!findkey(net, "CONFIG_TYPE", configtype))\r
- {\r
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");\r
- exit(1);\r
- }\r
-\r
- findkey(net, "RED_TYPE", redtype);\r
- findkey(net, "RED_NETADDRESS", red_netaddress);\r
- findkey(net, "RED_NETMASK", red_netmask);\r
- findkey(net, "BLUE_DEV", blue_dev);\r
- freekeyvalues(net);\r
-\r
- /* See if VPN software is enabled */\r
- net=initkeyvalues();\r
- if (!readkeyvalues(net, CONFIG_ROOT "/vpn/settings"))\r
- {\r
- fprintf(stderr, "Cannot read vpn settings\n");\r
- exit(1);\r
- }\r
- findkey(net, "ENABLED", enableredvpn);\r
- findkey(net, "ENABLED_BLUE", enablebluevpn);\r
- freekeyvalues(net);\r
- if ( (!strcmp(enableredvpn, "on") && VALID_IP(localip)) || \r
- (!strcmp(enablebluevpn, "on") && VALID_DEVICE(blue_dev)) ) {\r
- enablevpn = 1;\r
- }\r
-\r
- /* Retrieve the Squid pid file */\r
- if ((fd = open("/var/run/squid.pid", O_RDONLY)) != -1)\r
- {\r
- close(fd);\r
- running = 1;\r
- }\r
-\r
- /* Retrieve the RED ip address */\r
- stat(CONFIG_ROOT "/red/local-ipaddress", &st);\r
- if (S_ISREG(st.st_mode)) {\r
- if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
- {\r
- fprintf(stderr, "Couldn't open ip file\n");\r
- exit(0); \r
- }\r
- if (fgets(localip, STRING_SIZE, ipfile))\r
- {\r
- if (localip[strlen(localip) - 1] == '\n')\r
- localip[strlen(localip) - 1] = '\0';\r
- }\r
- fclose(ipfile);\r
- if (!VALID_IP(localip))\r
- {\r
- fprintf(stderr, "Bad ip: %s\n", localip);\r
- exit(0);\r
- }\r
- }\r
-\r
- /* See if we need to flush the cache */\r
- if (argc >=2) {\r
- if (strcmp(argv[1], "-f") == 0) {\r
- if (stat("/var/log/cache/swap.state", &st) == 0) {\r
- struct passwd *pw;\r
- if((pw = getpwnam("squid"))) {\r
- endpwent(); /* probably paranoia, but just in case.. */\r
- unpriv_system("/bin/echo > /var/log/cache/swap.state", pw->pw_uid, pw->pw_gid);\r
- } else { endpwent(); }\r
- }\r
- }\r
- }\r
-\r
- if (enable || enable_blue)\r
- {\r
- safe_system("/usr/sbin/squid -D -z"); \r
- safe_system("/usr/sbin/squid -D");\r
- }\r
-\r
- /* Retrieve the proxy port */\r
- if (transparent || transparent_blue) {\r
- squid=initkeyvalues();\r
-\r
- if (!readkeyvalues(squid, CONFIG_ROOT "/proxy/settings"))\r
- {\r
- fprintf(stderr, "Cannot read proxy settings\n");\r
- exit(1);\r
- }\r
-\r
- if (!(findkey(squid, "PROXY_PORT", proxy_port)))\r
- {\r
- strcpy (proxy_port, "800");\r
- } else {\r
- if(strspn(proxy_port, NUMBERS) != strlen(proxy_port))\r
- {\r
- fprintf(stderr, "Invalid proxy port: %s, defaulting to 800\n", proxy_port);\r
- strcpy(proxy_port, "800");\r
- }\r
- }\r
- freekeyvalues(squid);\r
- }\r
-\r
- if (transparent && enable) {\r
- int count;\r
- char *result;\r
- char *name;\r
- char *type;\r
- char *running;\r
- char *vpn_network_mask;\r
- char *vpn_netaddress;\r
- char *vpn_netmask;\r
- FILE *file = NULL;\r
- char *conn_enabled;\r
- \r
- /* Darren Critchley - check to see if RED VPN is enabled before mucking with rules */\r
- if (!strcmp(enableredvpn, "on")) {\r
- /* Read the /vpn/config file - no check to see if VPN is enabled */\r
- if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r
- fprintf(stderr, "Couldn't open vpn config file");\r
- exit(1);\r
- }\r
-\r
- while (fgets(s, STRING_SIZE, file) != NULL) {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- running = strdup (s);\r
- result = strsep(&running, ",");\r
- count = 0;\r
- name = NULL;\r
- type = NULL;\r
- vpn_network_mask = NULL;\r
- conn_enabled = NULL;\r
- while (result) {\r
- if (count == 1)\r
- conn_enabled = result;\r
- if (count == 2)\r
- name = result;\r
- if (count == 4)\r
- type = result;\r
- if (count == 12 )\r
- vpn_network_mask = result;\r
- count++;\r
- result = strsep(&running, ",");\r
- }\r
- \r
- if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r
- fprintf(stderr, "Bad connection name: %s\n", name);\r
- exit(1);\r
- }\r
- \r
- if (! (strcmp(type, "net") == 0)) {\r
- continue;\r
- }\r
- \r
- /* Darren Critchley - new check to see if connection is enabled */\r
- if (! (strcmp(conn_enabled, "on") == 0)) {\r
- continue;\r
- }\r
- \r
- result = strsep(&vpn_network_mask, "/");\r
- count = 0;\r
- vpn_netaddress = NULL;\r
- vpn_netmask = NULL;\r
- while (result) {\r
- if (count == 0)\r
- vpn_netaddress = result;\r
- if (count == 1)\r
- vpn_netmask = result;\r
- count++;\r
- result = strsep(&vpn_network_mask, "/");\r
- }\r
- \r
- if (!VALID_IP(vpn_netaddress)) {\r
- fprintf(stderr, "Bad network for vpn connection %s: %s\n", name, vpn_netaddress);\r
- continue;\r
- }\r
- \r
- if ((!VALID_IP(vpn_netmask)) && (!VALID_SHORT_MASK(vpn_netmask))) {\r
- fprintf(stderr, "Bad mask for vpn connection %s: %s\n", name, vpn_netmask);\r
- continue;\r
- }\r
- \r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", green_dev, vpn_netaddress, vpn_netmask) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
- } \r
- \r
- memset(buffer, 0, STRING_SIZE);\r
- if ( ( (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || \r
- (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0) ) &&\r
- (VALID_IP(red_netaddress)) && (VALID_IP(red_netmask)) && \r
- (strcmp(redtype, "STATIC")==0) ) \r
- {\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", green_dev, red_netaddress, red_netmask) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- } else if (VALID_IP(localip)) {\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN", green_dev, localip) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
-\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s", green_dev, proxy_port) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
-\r
- if (transparent_blue && enable_blue) {\r
- int count;\r
- char *result;\r
- char *name;\r
- char *type;\r
- char *running;\r
- char *vpn_network_mask;\r
- char *vpn_netaddress;\r
- char *vpn_netmask;\r
- char *conn_enabled;\r
- FILE *file = NULL;\r
-\r
- if (! VALID_DEVICE(blue_dev))\r
- {\r
- fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);\r
- exit(1);\r
- }\r
-\r
- /* Darren Critchley - check to see if BLUE VPN is enabled before mucking with rules */\r
- if (!strcmp(enablebluevpn, "on")) {\r
- /* Read the /vpn/config file - no check to see if VPN is enabled */\r
- if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {\r
- fprintf(stderr, "Couldn't open vpn config file");\r
- exit(1);\r
- }\r
- while (fgets(s, STRING_SIZE, file) != NULL) {\r
- if (s[strlen(s) - 1] == '\n')\r
- s[strlen(s) - 1] = '\0';\r
- running = strdup (s);\r
- result = strsep(&running, ",");\r
- count = 0;\r
- name = NULL;\r
- type = NULL;\r
- vpn_network_mask = NULL;\r
- conn_enabled = NULL;\r
- while (result) {\r
- if (count == 1)\r
- conn_enabled = result;\r
- if (count == 2)\r
- name = result;\r
- if (count == 4)\r
- type = result;\r
- if (count == 12 )\r
- vpn_network_mask = result;\r
- count++;\r
- result = strsep(&running, ",");\r
- }\r
- \r
- if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {\r
- fprintf(stderr, "Bad connection name: %s\n", name);\r
- exit(1);\r
- }\r
- \r
- if (! (strcmp(type, "net") == 0)) {\r
- continue;\r
- }\r
- \r
- /* Darren Critchley - new check to see if connection is enabled */\r
- if (! (strcmp(conn_enabled, "on") == 0)) {\r
- continue;\r
- }\r
- \r
- result = strsep(&vpn_network_mask, "/");\r
- count = 0;\r
- vpn_netaddress = NULL;\r
- vpn_netmask = NULL;\r
- while (result) {\r
- if (count == 0)\r
- vpn_netaddress = result;\r
- if (count == 1)\r
- vpn_netmask = result;\r
- count++;\r
- result = strsep(&vpn_network_mask, "/");\r
- }\r
- \r
- if (!VALID_IP(vpn_netaddress)) {\r
- fprintf(stderr, "Bad network for vpn connection %s: %s\n", name, vpn_netaddress);\r
- continue;\r
- }\r
- \r
- if ((!VALID_IP(vpn_netmask)) && (!VALID_SHORT_MASK(vpn_netmask))) {\r
- fprintf(stderr, "Bad mask for vpn connection %s: %s\n", name, vpn_netmask);\r
- continue;\r
- }\r
- \r
- memset(buffer, 0, STRING_SIZE);\r
- if (snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", blue_dev, vpn_netaddress, vpn_netmask) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
- }\r
- \r
- memset(buffer, 0, STRING_SIZE);\r
- if ( ( (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) ||\r
- (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0) ) &&\r
- (VALID_IP(red_netaddress)) && (VALID_IP(red_netmask)) &&\r
- (strcmp(redtype, "STATIC")==0) )\r
- {\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", blue_dev, red_netaddress, red_netmask) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- } else if (VALID_IP(localip)) {\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN", blue_dev, localip) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
-\r
- memset(buffer, 0, STRING_SIZE);\r
- if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s", blue_dev, proxy_port) >= STRING_SIZE )\r
- {\r
- fprintf(stderr, "Command too long\n");\r
- exit(1);\r
- }\r
- safe_system(buffer);\r
- }\r
- \r
- return 0;\r
-}\r
+/* SmoothWall helper program - restartsquid
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ * (c) Lawrence Manning, 2001
+ * Restarting squid with transparent proxying.
+ *
+ * 05/02/2004 - Roy Walker <rwalker@miracomnetwork.com>
+ * Exclude red network from transparent proxy to allow browsing to alias IPs
+ * Read in VPN settings and exclude each VPN network from transparent proxy
+ *
+ * $Id: restartsquid.c,v 1.7.2.8 2005/04/22 18:44:37 rkerr Exp $
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "libsmooth.h"
+#include "setuid.h"
+
+int main(int argc, char *argv[])
+{
+ int fd = -1;
+ int enable = 0;
+ int enablevpn = 0;
+ int transparent = 0;
+ int enable_blue = 0;
+ int transparent_blue = 0;
+ int running = 0;
+ struct stat st;
+ FILE *ipfile;
+ char localip[STRING_SIZE] = "";
+ struct keyvalue *net = NULL;
+ struct keyvalue *squid = NULL;
+ char buffer[STRING_SIZE];
+ char proxy_port[STRING_SIZE];
+ char s[STRING_SIZE];
+ char green_dev[STRING_SIZE] = "";
+ char blue_dev[STRING_SIZE] = "";
+ char red_netaddress[STRING_SIZE] = "";
+ char red_netmask[STRING_SIZE] = "";
+ char configtype[STRING_SIZE] = "";
+ char redtype[STRING_SIZE] = "";
+ char enableredvpn[STRING_SIZE] = "";
+ char enablebluevpn[STRING_SIZE] = "";
+
+ if (!(initsetuid()))
+ exit(1);
+
+ /* Kill running squid */
+ safe_system("/sbin/iptables -t nat -F SQUID");
+ safe_system("/usr/sbin/squid -k shutdown >/dev/null 2>/dev/null");
+ sleep(5);
+ safe_system("/bin/killall -9 squid squidGuard >/dev/null 2>/dev/null");
+
+ /* See if proxy is enabled and / or transparent */
+ if ((fd = open(CONFIG_ROOT "/proxy/enable", O_RDONLY)) != -1)
+ {
+ close(fd);
+ enable = 1;
+ }
+ if ((fd = open(CONFIG_ROOT "/proxy/transparent", O_RDONLY)) != -1)
+ {
+ close(fd);
+ transparent = 1;
+ }
+ if ((fd = open(CONFIG_ROOT "/proxy/enable_blue", O_RDONLY)) != -1)
+ {
+ close(fd);
+ enable_blue = 1;
+ }
+ if ((fd = open(CONFIG_ROOT "/proxy/transparent_blue", O_RDONLY)) != -1)
+ {
+ close(fd);
+ transparent_blue = 1;
+ }
+
+ /* Read the network configuration */
+ net=initkeyvalues();
+ if (!readkeyvalues(net, CONFIG_ROOT "/ethernet/settings"))
+ {
+ fprintf(stderr, "Cannot read ethernet settings\n");
+ exit(1);
+ }
+ if (!findkey(net, "GREEN_DEV", green_dev))
+ {
+ fprintf(stderr, "Cannot read GREEN_DEV\n");
+ exit(1);
+ }
+ if (!VALID_DEVICE(green_dev))
+ {
+ fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
+ exit(1);
+ }
+ if (!findkey(net, "CONFIG_TYPE", configtype))
+ {
+ fprintf(stderr, "Cannot read CONFIG_TYPE\n");
+ exit(1);
+ }
+
+ findkey(net, "RED_TYPE", redtype);
+ findkey(net, "RED_NETADDRESS", red_netaddress);
+ findkey(net, "RED_NETMASK", red_netmask);
+ findkey(net, "BLUE_DEV", blue_dev);
+ freekeyvalues(net);
+
+ /* See if VPN software is enabled */
+ net=initkeyvalues();
+ if (!readkeyvalues(net, CONFIG_ROOT "/vpn/settings"))
+ {
+ fprintf(stderr, "Cannot read vpn settings\n");
+ exit(1);
+ }
+ findkey(net, "ENABLED", enableredvpn);
+ findkey(net, "ENABLED_BLUE", enablebluevpn);
+ freekeyvalues(net);
+ if ( (!strcmp(enableredvpn, "on") && VALID_IP(localip)) ||
+ (!strcmp(enablebluevpn, "on") && VALID_DEVICE(blue_dev)) ) {
+ enablevpn = 1;
+ }
+
+ /* Retrieve the Squid pid file */
+ if ((fd = open("/var/run/squid.pid", O_RDONLY)) != -1)
+ {
+ close(fd);
+ running = 1;
+ }
+
+ /* Retrieve the RED ip address */
+ stat(CONFIG_ROOT "/red/local-ipaddress", &st);
+ if (S_ISREG(st.st_mode)) {
+ if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))
+ {
+ fprintf(stderr, "Couldn't open ip file\n");
+ exit(0);
+ }
+ if (fgets(localip, STRING_SIZE, ipfile))
+ {
+ if (localip[strlen(localip) - 1] == '\n')
+ localip[strlen(localip) - 1] = '\0';
+ }
+ fclose(ipfile);
+ if (!VALID_IP(localip))
+ {
+ fprintf(stderr, "Bad ip: %s\n", localip);
+ exit(0);
+ }
+ }
+
+ /* See if we need to flush the cache */
+ if (argc >=2) {
+ if (strcmp(argv[1], "-f") == 0) {
+ if (stat("/var/log/cache/swap.state", &st) == 0) {
+ struct passwd *pw;
+ if((pw = getpwnam("squid"))) {
+ endpwent(); /* probably paranoia, but just in case.. */
+ unpriv_system("/bin/echo > /var/log/cache/swap.state", pw->pw_uid, pw->pw_gid);
+ } else { endpwent(); }
+ }
+ }
+ }
+
+ if (enable || enable_blue)
+ {
+ safe_system("/usr/sbin/squid -D -z");
+ safe_system("/usr/sbin/squid -D");
+ }
+
+ /* Retrieve the proxy port */
+ if (transparent || transparent_blue) {
+ squid=initkeyvalues();
+
+ if (!readkeyvalues(squid, CONFIG_ROOT "/proxy/settings"))
+ {
+ fprintf(stderr, "Cannot read proxy settings\n");
+ exit(1);
+ }
+
+ if (!(findkey(squid, "PROXY_PORT", proxy_port)))
+ {
+ strcpy (proxy_port, "800");
+ } else {
+ if(strspn(proxy_port, NUMBERS) != strlen(proxy_port))
+ {
+ fprintf(stderr, "Invalid proxy port: %s, defaulting to 800\n", proxy_port);
+ strcpy(proxy_port, "800");
+ }
+ }
+ freekeyvalues(squid);
+ }
+
+ if (transparent && enable) {
+ int count;
+ char *result;
+ char *name;
+ char *type;
+ char *running;
+ char *vpn_network_mask;
+ char *vpn_netaddress;
+ char *vpn_netmask;
+ FILE *file = NULL;
+ char *conn_enabled;
+
+ /* Darren Critchley - check to see if RED VPN is enabled before mucking with rules */
+ if (!strcmp(enableredvpn, "on")) {
+ /* Read the /vpn/config file - no check to see if VPN is enabled */
+ if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
+ fprintf(stderr, "Couldn't open vpn config file");
+ exit(1);
+ }
+
+ while (fgets(s, STRING_SIZE, file) != NULL) {
+ if (s[strlen(s) - 1] == '\n')
+ s[strlen(s) - 1] = '\0';
+ running = strdup (s);
+ result = strsep(&running, ",");
+ count = 0;
+ name = NULL;
+ type = NULL;
+ vpn_network_mask = NULL;
+ conn_enabled = NULL;
+ while (result) {
+ if (count == 1)
+ conn_enabled = result;
+ if (count == 2)
+ name = result;
+ if (count == 4)
+ type = result;
+ if (count == 12 )
+ vpn_network_mask = result;
+ count++;
+ result = strsep(&running, ",");
+ }
+
+ if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {
+ fprintf(stderr, "Bad connection name: %s\n", name);
+ exit(1);
+ }
+
+ if (! (strcmp(type, "net") == 0)) {
+ continue;
+ }
+
+ /* Darren Critchley - new check to see if connection is enabled */
+ if (! (strcmp(conn_enabled, "on") == 0)) {
+ continue;
+ }
+
+ result = strsep(&vpn_network_mask, "/");
+ count = 0;
+ vpn_netaddress = NULL;
+ vpn_netmask = NULL;
+ while (result) {
+ if (count == 0)
+ vpn_netaddress = result;
+ if (count == 1)
+ vpn_netmask = result;
+ count++;
+ result = strsep(&vpn_network_mask, "/");
+ }
+
+ if (!VALID_IP(vpn_netaddress)) {
+ fprintf(stderr, "Bad network for vpn connection %s: %s\n", name, vpn_netaddress);
+ continue;
+ }
+
+ if ((!VALID_IP(vpn_netmask)) && (!VALID_SHORT_MASK(vpn_netmask))) {
+ fprintf(stderr, "Bad mask for vpn connection %s: %s\n", name, vpn_netmask);
+ continue;
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", green_dev, vpn_netaddress, vpn_netmask) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if ( ( (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) ||
+ (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0) ) &&
+ (VALID_IP(red_netaddress)) && (VALID_IP(red_netmask)) &&
+ (strcmp(redtype, "STATIC")==0) )
+ {
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", green_dev, red_netaddress, red_netmask) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ } else if (VALID_IP(localip)) {
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN", green_dev, localip) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s", green_dev, proxy_port) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+
+ if (transparent_blue && enable_blue) {
+ int count;
+ char *result;
+ char *name;
+ char *type;
+ char *running;
+ char *vpn_network_mask;
+ char *vpn_netaddress;
+ char *vpn_netmask;
+ char *conn_enabled;
+ FILE *file = NULL;
+
+ if (! VALID_DEVICE(blue_dev))
+ {
+ fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
+ exit(1);
+ }
+
+ /* Darren Critchley - check to see if BLUE VPN is enabled before mucking with rules */
+ if (!strcmp(enablebluevpn, "on")) {
+ /* Read the /vpn/config file - no check to see if VPN is enabled */
+ if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
+ fprintf(stderr, "Couldn't open vpn config file");
+ exit(1);
+ }
+ while (fgets(s, STRING_SIZE, file) != NULL) {
+ if (s[strlen(s) - 1] == '\n')
+ s[strlen(s) - 1] = '\0';
+ running = strdup (s);
+ result = strsep(&running, ",");
+ count = 0;
+ name = NULL;
+ type = NULL;
+ vpn_network_mask = NULL;
+ conn_enabled = NULL;
+ while (result) {
+ if (count == 1)
+ conn_enabled = result;
+ if (count == 2)
+ name = result;
+ if (count == 4)
+ type = result;
+ if (count == 12 )
+ vpn_network_mask = result;
+ count++;
+ result = strsep(&running, ",");
+ }
+
+ if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {
+ fprintf(stderr, "Bad connection name: %s\n", name);
+ exit(1);
+ }
+
+ if (! (strcmp(type, "net") == 0)) {
+ continue;
+ }
+
+ /* Darren Critchley - new check to see if connection is enabled */
+ if (! (strcmp(conn_enabled, "on") == 0)) {
+ continue;
+ }
+
+ result = strsep(&vpn_network_mask, "/");
+ count = 0;
+ vpn_netaddress = NULL;
+ vpn_netmask = NULL;
+ while (result) {
+ if (count == 0)
+ vpn_netaddress = result;
+ if (count == 1)
+ vpn_netmask = result;
+ count++;
+ result = strsep(&vpn_network_mask, "/");
+ }
+
+ if (!VALID_IP(vpn_netaddress)) {
+ fprintf(stderr, "Bad network for vpn connection %s: %s\n", name, vpn_netaddress);
+ continue;
+ }
+
+ if ((!VALID_IP(vpn_netmask)) && (!VALID_SHORT_MASK(vpn_netmask))) {
+ fprintf(stderr, "Bad mask for vpn connection %s: %s\n", name, vpn_netmask);
+ continue;
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if (snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", blue_dev, vpn_netaddress, vpn_netmask) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if ( ( (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) ||
+ (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0) ) &&
+ (VALID_IP(red_netaddress)) && (VALID_IP(red_netmask)) &&
+ (strcmp(redtype, "STATIC")==0) )
+ {
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN", blue_dev, red_netaddress, red_netmask) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ } else if (VALID_IP(localip)) {
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN", blue_dev, localip) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+
+ memset(buffer, 0, STRING_SIZE);
+ if( snprintf(buffer, STRING_SIZE - 1, "/sbin/iptables -t nat -A SQUID -i %s -p tcp --dport 80 -j REDIRECT --to-port %s", blue_dev, proxy_port) >= STRING_SIZE )
+ {
+ fprintf(stderr, "Command too long\n");
+ exit(1);
+ }
+ safe_system(buffer);
+ }
+
+ return 0;
+}
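Review bot: On the new side `name`, `type` and `conn_enabled` stay NULL when a `/vpn/config` line has fewer than 13 comma-separated fields, so `strspn(name, LETTERS_NUMBERS)` at line 691 and the `strcmp` calls at 696/701 (repeated at 818/823/828 in the blue branch) dereference NULL; a guard after the field loop such as `if (!name || !type || !conn_enabled) { free(line_copy); continue; }` is needed, which also means keeping the `strdup(s)` result (671/798) in a pointer that `strsep` does not advance so it can be freed, and `file` (663/791) should be closed once the loop ends. That matters beyond a plain crash because the SQUID nat chain is flushed at line 507 and the REDIRECT rules are only re-added at 762/889, so any `exit(1)` or crash in between presumably leaves the chain empty and the proxy (and the squidGuard helper this commit now kills as well) out of the traffic path until the helper is rerun. Line 586 also ignores the `stat()` return, so `S_ISREG(st.st_mode)` reads an indeterminate struct when the file is absent; `if (stat(CONFIG_ROOT "/red/local-ipaddress", &st) == 0 && S_ISREG(st.st_mode)) {` fixes that, and the `VALID_IP(localip)` test at 573 runs before `localip` is read at 593, so `enablevpn` is computed from an empty string (it is never used afterwards). Apart from `squidGuard` on line 510 the hunk is a CRLF-to-LF rewrite; `main()` spans the whole hunk.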