From: ms Date: Sat, 24 Mar 2007 13:30:47 +0000 (+0000) Subject: upnp.cgi und status.cgi von Maniac eingebaut X-Git-Tag: v2.3-beta1~802 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=5fd302326dd90d17abb8496d575c795a61c033d8 upnp.cgi und status.cgi von Maniac eingebaut IPSec aktualisiert git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@453 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 --- diff --git a/config/kernel/kernel.config.i586 b/config/kernel/kernel.config.i586 index 2313c8af4c..b588bad390 100644 --- a/config/kernel/kernel.config.i586 +++ b/config/kernel/kernel.config.i586 @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Linux kernel version: 2.6.16.42-ipfire -# Mon Mar 19 13:34:52 2007 +# Sat Mar 24 12:58:07 2007 # CONFIG_X86_32=y CONFIG_SEMAPHORE_SLEEPERS=y @@ -66,7 +66,7 @@ CONFIG_MODULE_UNLOAD=y CONFIG_OBSOLETE_MODPARM=y CONFIG_MODVERSIONS=y # CONFIG_MODULE_SRCVERSION_ALL is not set -# CONFIG_KMOD is not set +CONFIG_KMOD=y # # Block layer @@ -217,7 +217,7 @@ CONFIG_ACPI_FAN=m CONFIG_ACPI_PROCESSOR=m CONFIG_ACPI_THERMAL=m # CONFIG_ACPI_ASUS is not set -CONFIG_ACPI_IBM=m +# CONFIG_ACPI_IBM is not set # CONFIG_ACPI_TOSHIBA is not set # CONFIG_ACPI_CUSTOM_DSDT is not set CONFIG_ACPI_BLACKLIST_YEAR=0 @@ -611,10 +611,11 @@ CONFIG_KLIPS=m # KLIPS options # CONFIG_KLIPS_ESP=y -# CONFIG_KLIPS_AH is not set +CONFIG_KLIPS_AH=y CONFIG_KLIPS_AUTH_HMAC_MD5=y CONFIG_KLIPS_AUTH_HMAC_SHA1=y -# CONFIG_KLIPS_ENC_CRYPTOAPI is not set +CONFIG_KLIPS_ENC_CRYPTOAPI=y +CONFIG_KLIPS_ENC_1DES=y CONFIG_KLIPS_ENC_3DES=y CONFIG_KLIPS_ENC_AES=y CONFIG_KLIPS_ENC_NULL=y 
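Review bot: `+CONFIG_KLIPS_ENC_1DES=y` in the @@ -611 hunk compiles single DES into the KLIPS IPsec stack next to 3DES and AES, which were already on; a 56-bit cipher only matters if a connection's esp= proposal lists it, but once compiled in it is something a proposal can accept. Unless a specific peer requires it, keep `# CONFIG_KLIPS_ENC_1DES is not set`, or state in the commit message why it is needed. The same flip is made in the @@ -617 hunk of kernel.config.i586.smp.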
@@ -1731,14 +1732,18 @@ CONFIG_REISERFS_PROC_INFO=y CONFIG_REISERFS_FS_XATTR=y CONFIG_REISERFS_FS_POSIX_ACL=y CONFIG_REISERFS_FS_SECURITY=y -# CONFIG_JFS_FS is not set +CONFIG_JFS_FS=m +CONFIG_JFS_POSIX_ACL=y +CONFIG_JFS_SECURITY=y +# CONFIG_JFS_DEBUG is not set +CONFIG_JFS_STATISTICS=y CONFIG_FS_POSIX_ACL=y CONFIG_XFS_FS=m CONFIG_XFS_EXPORT=y CONFIG_XFS_QUOTA=y CONFIG_XFS_SECURITY=y CONFIG_XFS_POSIX_ACL=y -CONFIG_XFS_RT=y +# CONFIG_XFS_RT is not set # CONFIG_OCFS2_FS is not set CONFIG_MINIX_FS=y # CONFIG_ROMFS_FS is not set @@ -1748,7 +1753,7 @@ CONFIG_QUOTACTL=y CONFIG_DNOTIFY=y # CONFIG_AUTOFS_FS is not set # CONFIG_AUTOFS4_FS is not set -CONFIG_FUSE_FS=m +# CONFIG_FUSE_FS is not set # # CD-ROM/DVD Filesystems @@ -1843,7 +1848,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_CODEPAGE_437 is not set # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set -# CONFIG_NLS_CODEPAGE_850 is not set +CONFIG_NLS_CODEPAGE_850=y # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set @@ -1864,7 +1869,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_CODEPAGE_1250 is not set # CONFIG_NLS_CODEPAGE_1251 is not set # CONFIG_NLS_ASCII is not set -# CONFIG_NLS_ISO8859_1 is not set +CONFIG_NLS_ISO8859_1=y # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set @@ -1877,7 +1882,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set # CONFIG_NLS_KOI8_U is not set -# CONFIG_NLS_UTF8 is not set +CONFIG_NLS_UTF8=y # # Instrumentation Support diff --git a/config/kernel/kernel.config.i586.smp b/config/kernel/kernel.config.i586.smp index f520f007a7..d6dbceb7b7 100644 --- a/config/kernel/kernel.config.i586.smp +++ b/config/kernel/kernel.config.i586.smp 
@@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Linux kernel version: 2.6.16.42-ipfire -# Fri Mar 16 12:03:27 2007 +# Sat Mar 24 12:58:22 2007 # CONFIG_X86_32=y CONFIG_SEMAPHORE_SLEEPERS=y @@ -67,7 +67,7 @@ CONFIG_MODULE_UNLOAD=y CONFIG_OBSOLETE_MODPARM=y CONFIG_MODVERSIONS=y # CONFIG_MODULE_SRCVERSION_ALL is not set -# CONFIG_KMOD is not set +CONFIG_KMOD=y CONFIG_STOP_MACHINE=y # @@ -222,7 +222,7 @@ CONFIG_ACPI_FAN=m CONFIG_ACPI_PROCESSOR=m CONFIG_ACPI_THERMAL=m # CONFIG_ACPI_ASUS is not set -CONFIG_ACPI_IBM=m +# CONFIG_ACPI_IBM is not set # CONFIG_ACPI_TOSHIBA is not set # CONFIG_ACPI_CUSTOM_DSDT is not set CONFIG_ACPI_BLACKLIST_YEAR=0 @@ -617,10 +617,11 @@ CONFIG_KLIPS=m # KLIPS options # CONFIG_KLIPS_ESP=y -# CONFIG_KLIPS_AH is not set +CONFIG_KLIPS_AH=y CONFIG_KLIPS_AUTH_HMAC_MD5=y CONFIG_KLIPS_AUTH_HMAC_SHA1=y -# CONFIG_KLIPS_ENC_CRYPTOAPI is not set +CONFIG_KLIPS_ENC_CRYPTOAPI=y +CONFIG_KLIPS_ENC_1DES=y CONFIG_KLIPS_ENC_3DES=y CONFIG_KLIPS_ENC_AES=y CONFIG_KLIPS_ENC_NULL=y @@ -1734,14 +1735,18 @@ CONFIG_REISERFS_PROC_INFO=y CONFIG_REISERFS_FS_XATTR=y CONFIG_REISERFS_FS_POSIX_ACL=y CONFIG_REISERFS_FS_SECURITY=y -# CONFIG_JFS_FS is not set +CONFIG_JFS_FS=m +CONFIG_JFS_POSIX_ACL=y +CONFIG_JFS_SECURITY=y +# CONFIG_JFS_DEBUG is not set +CONFIG_JFS_STATISTICS=y CONFIG_FS_POSIX_ACL=y CONFIG_XFS_FS=m CONFIG_XFS_EXPORT=y CONFIG_XFS_QUOTA=y CONFIG_XFS_SECURITY=y CONFIG_XFS_POSIX_ACL=y -CONFIG_XFS_RT=y +# CONFIG_XFS_RT is not set # CONFIG_OCFS2_FS is not set CONFIG_MINIX_FS=y # CONFIG_ROMFS_FS is not set @@ -1751,7 +1756,7 @@ CONFIG_QUOTACTL=y CONFIG_DNOTIFY=y # CONFIG_AUTOFS_FS is not set # CONFIG_AUTOFS4_FS is not set -CONFIG_FUSE_FS=m +# CONFIG_FUSE_FS is not set # # CD-ROM/DVD Filesystems 
@@ -1846,7 +1851,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_CODEPAGE_437 is not set # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set -# CONFIG_NLS_CODEPAGE_850 is not set +CONFIG_NLS_CODEPAGE_850=y # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set @@ -1867,7 +1872,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_CODEPAGE_1250 is not set # CONFIG_NLS_CODEPAGE_1251 is not set # CONFIG_NLS_ASCII is not set -# CONFIG_NLS_ISO8859_1 is not set +CONFIG_NLS_ISO8859_1=y # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set @@ -1880,7 +1885,7 @@ CONFIG_NLS_DEFAULT="cp437" # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set # CONFIG_NLS_KOI8_U is not set -# CONFIG_NLS_UTF8 is not set +CONFIG_NLS_UTF8=y # # Instrumentation Support diff --git a/doc/packages-list.txt b/doc/packages-list.txt index 11a128c9eb..4ef3fc036d 100644 --- a/doc/packages-list.txt +++ b/doc/packages-list.txt @@ -117,6 +117,7 @@ * ipp2p-0.8.2 * ipp2p-0.8.2-iptables * iproute2-2.6.16-060323 +* iptables-1.3.5 * iptables-1.3.7 * iptraf-3.0.0 * iptstate-2.1 diff --git a/html/cgi-bin/status.cgi b/html/cgi-bin/status.cgi index 51cdc5f9eb..a0acdda100 100644 --- a/html/cgi-bin/status.cgi +++ b/html/cgi-bin/status.cgi @@ -6,14 +6,13 @@ # # (c) The SmoothWall Team # -# $Id: status.cgi,v 1.6.2.7 2005/02/24 07:44:35 gespinasse Exp $ # use strict; # enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; +use warnings; +use CGI::Carp 'fatalsToBrowser'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; 
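Review bot: `use warnings;` and `use CGI::Carp 'fatalsToBrowser';` are now active in status.cgi while the unchanged comment directly above them still says `# enable only the following on debugging purpose`; with fatalsToBrowser every `die`, including `$!` text with local paths from the `open` calls in this script, is returned to the browser of whoever requested the page. Restore `#use warnings;` and `#use CGI::Carp 'fatalsToBrowser';` before release, or keep `use warnings;` and drop only the Carp line. If the intent is to keep warnings for the rewrite, the comment above should be updated to say so.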
@@ -31,35 +30,45 @@ my %cgiparams=(); # is also the name of the program my %servicenames = ( - $Lang::tr{'dhcp server'} => 'dhcpd', - $Lang::tr{'web server'} => 'httpd', - $Lang::tr{'cron server'} => 'fcron', - $Lang::tr{'dns proxy server'} => 'dnsmasq', - $Lang::tr{'logging server'} => 'syslogd', - $Lang::tr{'kernel logging server'} => 'klogd', - $Lang::tr{'ntp server'} => 'ntpd', - $Lang::tr{'secure shell server'} => 'sshd', - $Lang::tr{'vpn'} => 'pluto', - $Lang::tr{'web proxy'} => 'squid', - 'OpenVPN' => 'openvpn' + $Lang::tr{'dhcp server'} => 'dhcpd', + $Lang::tr{'web server'} => 'httpd', + $Lang::tr{'cron server'} => 'fcron', + $Lang::tr{'dns proxy server'} => 'dnsmasq', + $Lang::tr{'logging server'} => 'syslogd', + $Lang::tr{'kernel logging server'} => 'klogd', + $Lang::tr{'ntp server'} => 'ntpd', + $Lang::tr{'secure shell server'} => 'sshd', + $Lang::tr{'vpn'} => 'pluto', + $Lang::tr{'web proxy'} => 'squid', + 'OpenVPN' => 'openvpn' ); my $iface = ''; if (open(FILE, "${General::swroot}/red/iface")) { - $iface = ; - close FILE; - chomp $iface; + $iface = ; + close FILE; + chomp $iface; } $servicenames{"$Lang::tr{'intrusion detection system'} (RED)"} = "snort_${iface}"; $servicenames{"$Lang::tr{'intrusion detection system'} (GREEN)"} = "snort_$netsettings{'GREEN_DEV'}"; if ($netsettings{'ORANGE_DEV'} ne '') { - $servicenames{"$Lang::tr{'intrusion detection system'} (ORANGE)"} = "snort_$netsettings{'ORANGE_DEV'}"; + $servicenames{"$Lang::tr{'intrusion detection system'} (ORANGE)"} = "snort_$netsettings{'ORANGE_DEV'}"; } if ($netsettings{'BLUE_DEV'} ne '') { - $servicenames{"$Lang::tr{'intrusion detection system'} (BLUE)"} = "snort_$netsettings{'BLUE_DEV'}"; + $servicenames{"$Lang::tr{'intrusion detection system'} (BLUE)"} = "snort_$netsettings{'BLUE_DEV'}"; } +my %dhcpsettings=(); +my %netsettings=(); +my %dhcpinfo=(); +my %pppsettings=(); +my $output=''; + +&General::readhash("${General::swroot}/dhcp/settings", \%dhcpsettings); 
+&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); +&General::readhash("${General::swroot}/ppp/settings", \%pppsettings); + &Header::showhttpheaders(); &Header::getcgihash(\%cgiparams); @@ -80,16 +89,16 @@ my $lines = 0; my $key = ''; foreach $key (sort keys %servicenames) { - if ($lines % 2) { - print "\n"; } - else { - print "\n"; } - print "$key\n"; - my $shortname = $servicenames{$key}; - my $status = &isrunning($shortname); - print "$status\n"; - print "\n"; - $lines++; + if ($lines % 2) { + print "\n"; } + else { + print "\n"; } + print "$key\n"; + my $shortname = $servicenames{$key}; + my $status = &isrunning($shortname); + print "$status\n"; + print "\n"; + $lines++; } @@ -97,7 +106,7 @@ print "\n"; &Header::closebox(); -&Header::openbox('100%', 'left', $Lang::tr{'memory'}); +&Header::openbox('100%', 'center', $Lang::tr{'memory'}); print " + + + + +
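Review bot: `my %netsettings=();` is declared after the unchanged snort_ lines above it already read `$netsettings{'GREEN_DEV'}`, `ORANGE_DEV` and `BLUE_DEV`, so those lookups go through an earlier declaration outside this hunk rather than the hash filled by the new `&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);` call; with `use warnings` now on, Perl will also report that the `my` masks the earlier declaration if both are at file scope. Move the four `my %...` lines, `my $output='';` and the three readhash calls above the first `$netsettings{...}` use, or drop the `my` on `%netsettings` and keep only the readhash call. `%pppsettings` is declared and read here but not used anywhere in the visible hunks; confirm it is needed.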
"; my $ram=0; my $size=0; @@ -110,8 +119,8 @@ my $cached=0; open(FREE,'/usr/bin/free |'); while() { - if ($_ =~ m/^\s+total\s+used\s+free\s+shared\s+buffers\s+cached$/ ) - { + if ($_ =~ m/^\s+total\s+used\s+free\s+shared\s+buffers\s+cached$/ ) + { print < @@ -179,14 +188,14 @@ END ; &Header::closebox(); -&Header::openbox('100%', 'left', $Lang::tr{'disk usage'}); -print "
 
\n"; +&Header::openbox('100%', 'center', $Lang::tr{'disk usage'}); +print "
\n"; open(DF,'/bin/df -B M -x rootfs|'); while() { - if ($_ =~ m/^Filesystem/ ) - { - print < @@ -197,11 +206,11 @@ while() END ; - } - else - { - my ($device,$size,$used,$free,$percent,$mount) = split; - print < @@ -211,35 +220,217 @@ END END ; - } + } +} +close DF; +print " + + + + + + +END +; + } + else + { + my ($device,$size,$used,$free,$percent,$mount) = split; + print < + + + + + + + +END +; + } } close DF; print "
$Lang::tr{'device'} $Lang::tr{'mounted on'}
$device $mount END ; - &percentbar($percent); - print < $percent
 \n

Inodes

\n"; + +open(DF,'/bin/df -i -x rootfs|'); +while() +{ + if ($_ =~ m/^Filesystem/ ) + { + print < +
$Lang::tr{'device'}$Lang::tr{'mounted on'}$Lang::tr{'size'}$Lang::tr{'used'}$Lang::tr{'free'}$Lang::tr{'percentage'}
$device$mount$size$used$free +END +; + &percentbar($percent); + print < +$percent
\n"; &Header::closebox(); -&Header::openbox('100%', 'left', $Lang::tr{'uptime and users'}); -my $output = `/usr/bin/who`; +&Header::openbox('100%', 'left', $Lang::tr{'interfaces'}); +$output = `/sbin/ifconfig`; +$output = &Header::cleanhtml($output,"y"); + +my @itfs = ('ORANGE','BLUE','GREEN'); +foreach my $itf (@itfs) { + my $ColorName=''; + my $lc_itf=lc($itf); + my $dev = $netsettings{"${itf}_DEV"}; + if ($dev){ + $ColorName = "${lc_itf}"; #dereference variable name... + $output =~ s/$dev/$dev<\/font><\/b>/ ; + } +} + +if (open(REDIFACE, "${General::swroot}/red/iface")) { + my $lc_itf='red'; + my $reddev = ; + close(REDIFACE); + chomp $reddev; + $output =~ s/$reddev/${reddev}<\/font><\/b>/; +} +print "
$output
\n"; +&Header::closebox(); + + +if ( $netsettings{'CONFIG_TYPE'} =~ /^(2|3|6|7)$/ && $netsettings{'RED_TYPE'} eq "DHCP") { + + print "\n"; + &Header::openbox('100%', 'left', "RED $Lang::tr{'dhcp configuration'}"); + if (-s "${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info") { + + &General::readhash("${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info", \%dhcpinfo); + + my $DNS1=`echo $dhcpinfo{'DNS'} | cut -f 1 -d ,`; + my $DNS2=`echo $dhcpinfo{'DNS'} | cut -f 2 -d ,`; + + my $lsetme=0; + my $leasetime=""; + if ($dhcpinfo{'LEASETIME'} ne "") { + $lsetme=$dhcpinfo{'LEASETIME'}; + $lsetme=($lsetme/60); + if ($lsetme > 59) { + $lsetme=($lsetme/60); $leasetime=$lsetme." Hour"; + } else { + $leasetime=$lsetme." Minute"; + } + if ($lsetme > 1) { + $leasetime=$leasetime."s"; + } + } + my $rentme=0; + my $rnwltime=""; + if ($dhcpinfo{'RENEWALTIME'} ne "") { + $rentme=$dhcpinfo{'RENEWALTIME'}; + $rentme=($rentme/60); + if ($rentme > 59){ + $rentme=($rentme/60); $rnwltime=$rentme." Hour"; + } else { + $rnwltime=$rentme." Minute"; + } + if ($rentme > 1){ + $rnwltime=$rnwltime."s"; + } + } + my $maxtme=0; + my $maxtime=""; + if ($dhcpinfo{'REBINDTIME'} ne "") { + $maxtme=$dhcpinfo{'REBINDTIME'}; + $maxtme=($maxtme/60); + if ($maxtme > 59){ + $maxtme=($maxtme/60); $maxtime=$maxtme." Hour"; + } else { + $maxtime=$maxtme." Minute"; + } + if ($maxtme > 1) { + $maxtime=$maxtime."s"; + } + } + + print ""; + if ($dhcpinfo{'HOSTNAME'}) { + print "\n"; + } else { + print "\n"; + } + print < + + + + + + +
$Lang::tr{'hostname'}$dhcpinfo{'HOSTNAME'}.$dhcpinfo{'DOMAIN'}
$Lang::tr{'domain'}$dhcpinfo{'DOMAIN'}
$Lang::tr{'gateway'}$dhcpinfo{'GATEWAY'}
$Lang::tr{'primary dns'}$DNS1
$Lang::tr{'secondary dns'}$DNS2
$Lang::tr{'dhcp server'}$dhcpinfo{'DHCPSIADDR'}
$Lang::tr{'def lease time'}$leasetime
$Lang::tr{'default renewal time'}$rnwltime
$Lang::tr{'max renewal time'}$maxtime
+END + ; + } + else + { + print "$Lang::tr{'no dhcp lease'}"; + } + &Header::closebox(); +} + +if ($dhcpsettings{'ENABLE_GREEN'} eq 'on' || $dhcpsettings{'ENABLE_BLUE'} eq 'on') { + + print "
"; + &Header::CheckSortOrder; + &Header::PrintActualLeases; +} + +&Header::openbox('100%', 'left', $Lang::tr{'routing table entries'}); +$output = `/sbin/route -n`; $output = &Header::cleanhtml($output,"y"); print "
$output
\n"; &Header::closebox(); -&Header::openbox('100%', 'left', $Lang::tr{'loaded modules'}); -$output = qx+/bin/lsmod+; -($output = &Header::cleanhtml($output,"y")) =~ s/\[.*\]//g; -print "
\n$output\n
\n"; +&Header::openbox('100%', 'left', $Lang::tr{'arp table entries'}); +$output = `/sbin/arp -n`; +$output = &Header::cleanhtml($output,"y"); +print "
$output
\n"; &Header::closebox(); -&Header::openbox('100%', 'left', $Lang::tr{'kernel version'}); -print "
\n";
-print `/bin/uname -a`;
-print "
\n"; +&Header::openbox('100%', 'left', $Lang::tr{'loaded modules'}); +my $module = qx(/bin/lsmod | awk -F" " '{print \$1}'); +my $size = qx(/bin/lsmod | awk -F" " '{print \$2}'); +my $used = qx(/bin/lsmod | awk -F" " '{print \$3}'); +my @usedby = qx(/bin/lsmod | awk -F" " '{print \$4}'); +my @usedbyf; +my $usedbyline; + +foreach $usedbyline(@usedby) +{ +my $laenge = length($usedbyline); + +if ( $laenge > 30) + { + my $usedbylinef=substr($usedbyline,0,30); + $usedbyline="$usedbylinef ...\n"; + push(@usedbyf,$usedbyline); + } +else + {push(@usedbyf,$usedbyline);} +} +print <
$module
$size
$used
@usedbyf
+END +; + +print ""; &Header::closebox(); &Header::closebigbox(); @@ -248,35 +439,35 @@ print "\n"; sub isrunning { - my $cmd = $_[0]; - my $status = "$Lang::tr{'stopped'}"; - my $pid = ''; - my $testcmd = ''; - my $exename; + my $cmd = $_[0]; + my $status = "$Lang::tr{'stopped'}"; + my $pid = ''; + my $testcmd = ''; + my $exename; - $cmd =~ /(^[a-z]+)/; - $exename = $1; + $cmd =~ /(^[a-z]+)/; + $exename = $1; - if (open(FILE, "/var/run/${cmd}.pid")) - { - $pid = ; chomp $pid; - close FILE; - if (open(FILE, "/proc/${pid}/status")) - { - while () - { - if (/^Name:\W+(.*)/) { - $testcmd = $1; } - } - close FILE; - if ($testcmd =~ /$exename/) - { - $status = "$Lang::tr{'running'}"; - } - } - } + if (open(FILE, "/var/run/${cmd}.pid")) + { + $pid = ; chomp $pid; + close FILE; + if (open(FILE, "/proc/${pid}/status")) + { + while () + { + if (/^Name:\W+(.*)/) { + $testcmd = $1; } + } + close FILE; + if ($testcmd =~ /$exename/) + { + $status = "$Lang::tr{'running'}"; + } + } + } - return $status; + return $status; } sub percentbar diff --git a/html/cgi-bin/upnp.cgi b/html/cgi-bin/upnp.cgi index 3afaee2c47..2b7168c9cc 100644 --- a/html/cgi-bin/upnp.cgi +++ b/html/cgi-bin/upnp.cgi @@ -26,7 +26,7 @@ my %selected= () ; my %servicenames = ( - 'UPnP Daemon' => 'upnpd', + 'UPnP Daemon' => 'upnpd', ); &Header::showhttpheaders(); @@ -42,8 +42,14 @@ $upnpsettings{'UPSTREAM'} = '16000000'; $upnpsettings{'DESCRIPTION'} = 'gatedesc.xml'; $upnpsettings{'XML'} = '/etc/linuxigd'; $upnpsettings{'ENABLED'} = 'off'; -$upnpsettings{'GREEN'} = 'on'; -$upnpsettings{'BLUE'} = 'off'; +$upnpsettings{'GREENi'} = 'on'; +$upnpsettings{'BLUEi'} = 'off'; +$upnpsettings{'REDi'} = 'off'; +$upnpsettings{'ORANGEi'} = 'off'; +$upnpsettings{'GREENe'} = 'off'; +$upnpsettings{'BLUEe'} = 'off'; +$upnpsettings{'REDe'} = 'on'; +$upnpsettings{'ORANGEe'} = 'off'; ### Values that have to be initialized $upnpsettings{'ACTION'} = ''; 
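Review bot: `my $DNS1=\`echo $dhcpinfo{'DNS'} | cut -f 1 -d ,\`;` (and the `$DNS2` line) pass a value read from `dhcpcd-$netsettings{'RED_DEV'}.info` — text the upstream DHCP server supplied — through a shell; splitting in Perl, `my ($DNS1, $DNS2) = split(/,/, $dhcpinfo{'DNS'});`, avoids the shell altogether and also drops the trailing newline the backticks return. The same block prints `$DNS1`, `$DNS2` and the `$dhcpinfo{...}` fields straight into the table, whereas the ifconfig, route and arp output is passed through `&Header::cleanhtml` first; the lease fields should get the same treatment. In the interfaces box, `$output =~ s/$dev/…/` and the `$reddev` substitution interpolate device names as regex source; `\Q$dev\E` treats them literally. The four `qx(/bin/lsmod | awk …)` calls could be one `qx(/bin/lsmod)` split in Perl, which also keeps the columns of one module on one row.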
@@ -60,9 +66,9 @@ if ($upnpsettings{'ACTION'} eq $Lang::tr{'save'}) { &General::writehash("${General::swroot}/upnp/settings", \%upnpsettings); - open (FILE, ">${General::swroot}/upnp/upnpd.conf") or die "Can't save the upnp config: $!"; - flock (FILE, 2); - + open (FILE, ">${General::swroot}/upnp/upnpd.conf") or die "Can't save the upnp config: $!"; + flock (FILE, 2); + print FILE <$errormessage\n"; - print " \n"; - &Header::closebox(); + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); } -$checked{'GREEN'}{'on'} = ''; -$checked{'GREEN'}{'off'} = ''; -$checked{'GREEN'}{"$upnpsettings{'GREEN'}"} = 'checked'; -$checked{'BLUE'}{'on'} = ''; -$checked{'BLUE'}{'off'} = ''; -$checked{'BLUE'}{"$upnpsettings{'BLUE'}"} = 'checked'; +$checked{'GREENi'}{'on'} = ''; +$checked{'GREENi'}{'off'} = ''; +$checked{'GREENi'}{"$upnpsettings{'GREENi'}"} = 'checked'; +$checked{'BLUEi'}{'on'} = ''; +$checked{'BLUEi'}{'off'} = ''; +$checked{'BLUEi'}{"$upnpsettings{'BLUEi'}"} = 'checked'; +$checked{'REDi'}{'on'} = ''; +$checked{'REDi'}{'off'} = ''; +$checked{'REDi'}{"$upnpsettings{'REDi'}"} = 'checked'; +$checked{'ORANGEi'}{'on'} = ''; +$checked{'ORANGEi'}{'off'} = ''; +$checked{'ORANGEi'}{"$upnpsettings{'ORANGEi'}"} = 'checked'; +$checked{'GREENe'}{'on'} = ''; +$checked{'GREENe'}{'off'} = ''; +$checked{'GREENe'}{"$upnpsettings{'GREENe'}"} = 'checked'; +$checked{'BLUEe'}{'on'} = ''; +$checked{'BLUEe'}{'off'} = ''; +$checked{'BLUEe'}{"$upnpsettings{'BLUEe'}"} = 'checked'; +$checked{'REDe'}{'on'} = ''; +$checked{'REDe'}{'off'} = ''; +$checked{'REDe'}{"$upnpsettings{'REDe'}"} = 'checked'; +$checked{'ORANGEe'}{'on'} = ''; +$checked{'ORANGEe'}{'off'} = ''; +$checked{'ORANGEe'}{"$upnpsettings{'ORANGEe'}"} = 'checked'; ############################################################################################################################ 
############################################################################################################################ &Header::openbox('100%', 'center', 'UPnP'); print < - + +
END ; - if ( $message ne "" ) { - print "\n"; } - else { - print "\n"; } - print "
$message"; - } - - my $lines = 0; - my $key = ''; - foreach $key (sort keys %servicenames) - { - if ($lines % 2) { - print "
$key\n"; - my $shortname = $servicenames{$key}; - my $status = &isrunning($shortname); - print "$status\n"; - $lines++; - } - print <Alle Dienste: - - - -
- -
-
- - \n"; } + else { + print "\n"; } + print "
$Lang::tr{'options'} -
$Lang::tr{'interfaces'} -   $Lang::tr{'green'} - $netsettings{'GREEN_DEV'} -END -; - if (&Header::blue_used()){ + if ( $message ne "" ) { + print "
$message"; + } + + my $lines = 0; + my $key = ''; + foreach $key (sort keys %servicenames) + { + if ($lines % 2) { + print "
$key\n"; + my $shortname = $servicenames{$key}; + my $status = &isrunning($shortname); + print "$status\n"; + $lines++; + } print <  $Lang::tr{'wireless'} - $netsettings{'BLUE_DEV'} +
Alle Dienste: + + + +
END ; - } - print < - +#print <
+#
+#

+# +# +# +# +# +# +#
External Interface
 RED - $netsettings{'RED_DEV'}

+# $Lang::tr{'green'} - $netsettings{'GREEN_DEV'}

+#END +#; +# if (&Header::blue_used()){ +# print <$Lang::tr{'wireless'} - $netsettings{'BLUE_DEV'}

+#END +#; +# } +# if (&Header::orange_used()){ +# print <$Lang::tr{'dmz'} - $netsettings{'ORANGE_DEV'}

+#END +#; +# } +# print <


Internal Interface
 RED - $netsettings{'RED_DEV'}

+# $Lang::tr{'green'} - $netsettings{'GREEN_DEV'}

+#END +#; +# if (&Header::blue_used()){ +# print <$Lang::tr{'wireless'} - $netsettings{'BLUE_DEV'}

+#END +#; +# } +# if (&Header::orange_used()){ +# print <$Lang::tr{'dmz'} - $netsettings{'ORANGE_DEV'}

+#END +#; +# } +# print <
+print < +

+ + + @@ -174,6 +234,7 @@ END +
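Review bot: The long run of `+#print <<END … #END ; #}` lines (from the first `#print <` down to the last `# print <`) is commented-out HTML generation for the per-interface selection, not documentation; the old rendering is recoverable from history, so delete the block rather than ship it commented out. If it is meant to return once the GREENi/REDe-style settings introduced in this commit have a form, a single `# TODO: per-interface UPnP selection UI, see previous revision` keeps the pointer without thirty dead lines. The header of this hunk is not visible in the excerpt, so its start is not checked here.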
$Lang::tr{'options'}


Debug Mode:
Forward Rules:
Forward Chain:
Up Strean:
Description Document:
XML Document:




@@ -190,33 +251,33 @@ END sub isrunning { - my $cmd = $_[0]; - my $status = "$Lang::tr{'stopped'}"; - my $pid = ''; - my $testcmd = ''; - my $exename; - - $cmd =~ /(^[a-z]+)/; - $exename = $1; - - if (open(FILE, "/var/run/${cmd}.pid")) - { - $pid = ; chomp $pid; - close FILE; - if (open(FILE, "/proc/${pid}/status")) - { - while () - { - if (/^Name:\W+(.*)/) { - $testcmd = $1; } - } - close FILE; - if ($testcmd =~ /$exename/) - { - $status = "$Lang::tr{'running'}"; - } - } - } - - return $status; -} + my $cmd = $_[0]; + my $status = "$Lang::tr{'stopped'}"; + my $pid = ''; + my $testcmd = ''; + my $exename; + + $cmd =~ /(^[a-z]+)/; + $exename = $1; + + if (open(FILE, "/var/run/${cmd}.pid")) + { + $pid = ; chomp $pid; + close FILE; + if (open(FILE, "/proc/${pid}/status")) + { + while () + { + if (/^Name:\W+(.*)/) { + $testcmd = $1; } + } + close FILE; + if ($testcmd =~ /$exename/) + { + $status = "$Lang::tr{'running'}"; + } + } + } + + return $status; +} \ No newline at end of file diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 794bf7e1be..e76404138c 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -1,25 +1,4 @@ #!/usr/bin/perl -# -# This file is part of the IPCop Firewall. -# -# IPCop is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# IPCop is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with IPCop; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Copyright (C) 2003-05-25 Mark Wormgoor -# -# $Id: vpnmain.cgi,v 1.10.2.104 2006/11/30 12:43:10 franck78 Exp $ -# use Net::DNS; use File::Copy; @@ -56,9 +35,6 @@ my $errormessage = ''; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; -$cgiparams{'ENABLED_GREEN'} = 'off'; -$cgiparams{'ENABLED_ORANGE'} = 'off'; -$cgiparams{'ENABLED_BLUE'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; @@ -124,10 +100,7 @@ sub valid_dns_host { ### Just return true is one interface is vpn enabled ### sub vpnenabled { - return ($vpnsettings{'ENABLED'} eq 'on' || - $vpnsettings{'ENABLED_GREEN'} eq 'on' || - $vpnsettings{'ENABLED_ORANGE'} eq 'on' || - $vpnsettings{'ENABLED_BLUE'} eq 'on'); + return ($vpnsettings{'ENABLED'} eq 'on'); } ### ### old version: maintain serial number to one, without explication. 
@@ -232,9 +205,6 @@ sub makeconnname ($) { ### the side is always defined as 'left'. ### configihash[14]: 'VHOST' is allowed ### -###Type=Net : GUI can choose to be left or right. This serve nothing in the conf! -### interface is fixed to RED only. No special reason for this also. -### sub writeipsecfiles { my %lconfighash = (); @@ -249,11 +219,15 @@ sub writeipsecfiles { print CONF "version 2\n\n"; print CONF "config setup\n"; #create an ipsec Interface for each 'enabled' ones + #loop trought configuration and add physical interfaces to the list my $interfaces = "\tinterfaces=\""; - $interfaces .= "%defaultroute " if ($lvpnsettings{'ENABLED'} eq 'on'); - $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($lvpnsettings{'ENABLED_GREEN'} eq 'on'); - $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($lvpnsettings{'ENABLED_BLUE'} eq 'on'); - $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($lvpnsettings{'ENABLED_ORANGE'} eq 'on'); + foreach my $key (keys %lconfighash) { + next if ($lconfighash{$key}[0] ne 'on'); + $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED'); + $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN'); + $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE'); + $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE'); + } print CONF $interfaces . "\"\n"; my $plutodebug = ''; # build debug list @@ -266,8 +240,6 @@ sub writeipsecfiles { # deprecated in ipsec.conf version 2 #print CONF "\tplutoload=%search\n"; #print CONF "\tplutostart=%search\n"; - print CONF "\tplutoload=%search\n"; - print CONF "\tplutostart=%search\n"; print CONF "\tuniqueids=yes\n"; print CONF "\tnat_traversal=yes\n"; print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne ''); 
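Review bot: In the new interfaces loop of the @@ -249 hunk, a connection whose field [26] is none of RED, GREEN, BLUE or ORANGE (for example an entry written before that field existed and left empty) contributes nothing to `interfaces=`, while the conn block later in `writeipsecfiles` treats every value other than BLUE/GREEN/ORANGE as RED (`} else { # it is RED`); such a connection gets `left=$VPN_IP` but no `%defaultroute` interface. Mirror that fallback here: `$interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] !~ /^(GREEN|BLUE|ORANGE)$/);`. The comment `#loop trought configuration and add physical interfaces to the list` should read `through`. `writeipsecfiles` starts and ends outside this hunk.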
@@ -301,47 +273,39 @@ sub writeipsecfiles { #remote peer is not set? => use '%any' $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); - my ($L,$R); #Local & Remote sides - - print CONF "conn $lconfighash{$key}[1]\n"; - #always choose LEFT localside for roadwarrior - if ($lconfighash{$key}[3] eq 'host' || $lconfighash{$key}[6] eq 'left') { - $L = 'left'; - $R = 'right'; - } else { - $R = 'left'; - $L = 'right'; - } - print CONF "\t${L}="; + my $localside; if ($lconfighash{$key}[26] eq 'BLUE') { - print CONF "$netsettings{'BLUE_ADDRESS'}\n"; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - print CONF "$netsettings{'ORANGE_ADDRESS'}\n"; + $localside = $netsettings{'BLUE_ADDRESS'}; } elsif ($lconfighash{$key}[26] eq 'GREEN') { - print CONF "$netsettings{'GREEN_ADDRESS'}\n"; - } elsif ($lconfighash{$key}[26] eq 'RED') { - print CONF "$lvpnsettings{'VPN_IP'}\n"; - print CONF "\t${L}nexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute'); + $localside = $netsettings{'GREEN_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { + $localside = $netsettings{'ORANGE_ADDRESS'}; + } else { # it is RED + $localside = $lvpnsettings{'VPN_IP'}; } - print CONF "\t${L}subnet=$lconfighash{$key}[8]\n"; - print CONF "\t${R}=$lconfighash{$key}[10]\n"; + print CONF "conn $lconfighash{$key}[1] #$lconfighash{$key}[26]\n"; + print CONF "\tleft=$localside\n"; + print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute'); + print CONF "\tleftsubnet=$lconfighash{$key}[8]\n"; + + print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { - print CONF "\t${R}subnet=$lconfighash{$key}[11]\n"; - print CONF "\t${R}nexthop=%defaultroute\n"; - } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed? 
+ print CONF "\trightsubnet=$lconfighash{$key}[11]\n"; + print CONF "\trightnexthop=%defaultroute\n"; + } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? print CONF "\trightsubnet=vhost:%no,%priv\n"; } # Local Cert and Remote Cert (unless auth is DN dn-auth) if ($lconfighash{$key}[4] eq 'cert') { - print CONF "\t${L}cert=${General::swroot}/certs/hostcert.pem\n"; - print CONF "\t${R}cert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); + print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; + print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); } # Local and Remote IDs - print CONF "\t${L}id=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); - print CONF "\t${R}id=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); + print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { @@ -406,16 +370,6 @@ sub writeipsecfiles { # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { - my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; - } $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; 
@@ -472,7 +426,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } map ($vpnsettings{$_} = $cgiparams{$_}, - ('ENABLED','ENABLED_GREEN','ENABLED_ORANGE','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', + ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', 'DBG_KLIPS','DBG_DNS','DBG_NAT_T')); $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; @@ -881,7 +835,7 @@ END # Create empty CRL cannot be done because we don't have # the private key for this CAROOT - # Ipcop can only import certificates + # IPFire can only import certificates &General::log("ipsec", "p12 import completed!"); &cleanssldatabase(); @@ -1072,7 +1026,7 @@ END - + @@ -1186,10 +1140,10 @@ END &writeipsecfiles(); system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); } else { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); $confighash{$cgiparams{'KEY'}}[0] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } sleep $sleepDelay; } else { @@ -1278,7 +1232,7 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; 
@@ -1323,11 +1277,6 @@ END goto VPNCONF_ERROR; } - if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { - $errormessage = $Lang::tr{'ipcop side is invalid'}; - goto VPNCONF_ERROR; - } - # Check if there is no other entry with this name if (! $cgiparams{'KEY'}) { #only for add foreach my $key (keys %confighash) { @@ -1394,8 +1343,8 @@ END ) { $errormessage = $Lang::tr{'invalid local-remote id'} . '
' . 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*
' . - 'FQDN: @ipcop.org
' . - 'USER_FQDN: franck@ipcop.org
' . + 'FQDN: @ipfire.org
' . + 'USER_FQDN: info@ipfire.org
' . 'IPV4_ADDR: @123.123.123.123'; goto VPNCONF_ERROR; } @@ -1786,7 +1735,6 @@ END $confighash{$key}[4] = 'cert'; } if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[6] = $cgiparams{'SIDE'}; $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; } $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; @@ -1813,6 +1761,7 @@ END $confighash{$key}[14] = $cgiparams{'VHOST'}; #free unused fields! + $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); @@ -1828,7 +1777,6 @@ END goto VPNCONF_END; } else { # add new connection $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SIDE'} = 'left'; if ( ! -f "${General::swroot}/private/cakey.pem" ) { $cgiparams{'AUTH'} = 'psk'; } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { @@ -1878,24 +1826,11 @@ END $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - $checked{'ENABLED_GREEN'}{'off'} = ''; - $checked{'ENABLED_GREEN'}{'on'} = ''; - $checked{'ENABLED_GREEN'}{$cgiparams{'ENABLED_GREEN'}} = "checked='checked'"; - $checked{'ENABLED_ORANGE'}{'off'} = ''; - $checked{'ENABLED_ORANGE'}{'on'} = ''; - $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = "checked='checked'"; - $checked{'ENABLED_BLUE'}{'off'} = ''; - $checked{'ENABLED_BLUE'}{'on'} = ''; - $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = "checked='checked'"; $checked{'EDIT_ADVANCED'}{'off'} = ''; $checked{'EDIT_ADVANCED'}{'on'} = ''; $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; - $selected{'SIDE'}{'left'} = ''; - $selected{'SIDE'}{'right'} = ''; - $selected{'SIDE'}{$cgiparams{'SIDE'}} = "selected='selected'"; - $checked{'AUTH'}{'psk'} = ''; $checked{'AUTH'}{'certreq'} = ''; $checked{'AUTH'}{'certgen'} = ''; 
@@ -1964,69 +1899,53 @@ END print ""; } print ""; + print ''; + my $disabled; + my $blob; if ($cgiparams{'TYPE'} eq 'host') { - - print ""; - print ""; - print < - - - - + $disabled = "disabled='disabled'"; + $blob = "*"; + }; + + print ""; + print ""; + print <$Lang::tr{'remote host/ip'}: $blob - - -END - ; - } else { - print < - - - - - -END - ; - } - print < - - - + + + + + + + + + + + - - - - - - - - - - + + + END ; if (!$cgiparams{'KEY'}) { @@ -2502,7 +2421,7 @@ EOF $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ; map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '', - ('ENABLED','ENABLED_GREEN','ENABLED_ORANGE','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', + ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', 'DBG_KLIPS','DBG_DNS','DBG_NAT_T')); @@ -2518,47 +2437,27 @@ EOF } &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); - my $checkbox=""; print <
$Lang::tr{'organization name'}:
$Lang::tr{'ipcops hostname'}:
$Lang::tr{'IPFires hostname'}:
$Lang::tr{'your e-mail'}: *
$Lang::tr{'enabled'}

$Lang::tr{'interface'}
$Lang::tr{'local subnet'} 
$Lang::tr{'remote host/ip'}: *
$Lang::tr{'host ip'}: 
$Lang::tr{'ipcop side'} - $Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'} $Lang::tr{'remote subnet'}
$Lang::tr{'dpd action'}:  ? -
$Lang::tr{'vpn local id'}: * +
($Lang::tr{'eg'} @xy.example.com)
$Lang::tr{'vpn remote id'}: *

$Lang::tr{'dpd action'}:  ? +
$Lang::tr{'options'}
$Lang::tr{'vpn local id'}: * -
($Lang::tr{'eg'} @xy.example.com)
$Lang::tr{'vpn remote id'}: *
$Lang::tr{'remark title'} *
$Lang::tr{'remark title'} *
- + - - END ; - if ($netsettings{'ORANGE_DEV'} ne '') { - $checkbox=<$Lang::tr{'vpn on orange'}: - -END - ;} - print < - - $checkbox END ; - if ($netsettings{'BLUE_DEV'} ne '') { - $checkbox=<$Lang::tr{'vpn on blue'}: - -END - ;} print < - - $checkbox
$Lang::tr{'local vpn hostname/ip'}:$Lang::tr{'vpn red name'}: $Lang::tr{'enabled'}$Lang::tr{'vpn on green'}:$Lang::tr{'enabled'}
$Lang::tr{'enabled'}$Lang::tr{'override mtu'}: *
$Lang::tr{'enabled'}$Lang::tr{'vpn delayed start'}: **

$Lang::tr{'vpn watch'}:

@@ -2587,7 +2486,6 @@ END ; print ""; &Header::closebox(); - undef ($checkbox); &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); print < "; } print "$confighash{$key}[25]"; + # get real state my $active = "
$Lang::tr{'capsclosed'}
"; - if ($confighash{$key}[0] eq 'off') { - $active = "
$Lang::tr{'capsclosed'}
"; - } else { - foreach my $line (@status) { - if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) { - $active = "
$Lang::tr{'capsopen'}
"; - } + foreach my $line (@status) { + if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) { + $active = "
$Lang::tr{'capsopen'}
"; } } + # move to blueif really down + if ($confighash{$key}[0] eq 'off' && $active =~ /${Header::colourred}/ ) { + $active = "
$Lang::tr{'capsclosed'}
"; + } print <$active @@ -2825,14 +2724,15 @@ END END ; } - + + my $rowcolor = 0; if (keys %cahash > 0) { - foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } + foreach my $key (keys %cahash) { + if ($rowcolor++ % 2) { + print "\n"; + } else { + print "\n"; + } print "$cahash{$key}[0]\n"; print "$cahash{$key}[1]\n"; print <Seminole Canada Gas Company.\n"; - &Header::closebigbox(); &Header::closepage(); diff --git a/lfs/iptables b/lfs/iptables index 52e2c13f5c..1584575547 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -26,7 +26,7 @@ include Config -VER = 1.3.7 +VER = 1.3.5 THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -47,7 +47,7 @@ netfilter-layer7-v2.9.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.9.tar.gz libnfnetlink-0.0.25.tar.bz2 = $(URL_IPFIRE)/libnfnetlink-0.0.25.tar.bz2 libnetfilter_queue-0.0.13.tar.bz2 = $(URL_IPFIRE)/libnetfilter_queue-0.0.13.tar.bz2 -$(DL_FILE)_MD5 = dd965bdacbb86ce2a6498829fddda6b7 +$(DL_FILE)_MD5 = 00fb916fa8040ca992a5ace56d905ea5 netfilter-layer7-v2.9.tar.gz_MD5 = ebf9043a5352ebe6dbd721989ef83dee libnfnetlink-0.0.25.tar.bz2_MD5 = fc915a2e66d282e524af6ef939042d7d libnetfilter_queue-0.0.13.tar.bz2_MD5 = 660cbfd3dc8c10bf9b1803cd2b688256 diff --git a/lfs/linux b/lfs/linux index 31a43c693c..616241ca12 100644 --- a/lfs/linux +++ b/lfs/linux 
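Review bot: The connection name `$confighash{$key}[1]` is interpolated unescaped into the new match `/\"$confighash{$key}[1]\".*IPsec SA established/`, so any regex metacharacter in a name changes what is matched instead of being matched literally, and a name that is a prefix of another name's quoted form could still match it. Names are presumably limited to letters and digits on save (ipsecctrl.c in this same commit rejects anything else), but the status page should not rely on that; quote the interpolation with `/\"\Q$confighash{$key}[1]\E\".*IPsec SA established/`. The enclosing loop over %confighash starts outside this hunk.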
@@ -50,14 +50,14 @@ endif objects =$(DL_FILE) \ mISDN-CVS-2007-01-26.tar.bz2 \ squashfs3.2-r2.tar.gz \ - iptables-1.3.7.tar.bz2 \ + iptables-1.3.5.tar.bz2 \ patch-o-matic-ng-20061210.tar.bz2 \ netfilter-layer7-v2.9.tar.gz \ patch-2.6.16-nath323-1.3.bz2 $(DL_FILE) = $(DL_FROM)/$(DL_FILE) patch-o-matic-ng-20061210.tar.bz2 = $(URL_IPFIRE)/patch-o-matic-ng-20061210.tar.bz2 -iptables-1.3.7.tar.bz2 = $(URL_IPFIRE)/iptables-1.3.7.tar.bz2 +iptables-1.3.5.tar.bz2 = $(URL_IPFIRE)/iptables-1.3.5.tar.bz2 netfilter-layer7-v2.9.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.9.tar.gz patch-2.6.16-nath323-1.3.bz2 = $(URL_IPFIRE)/patch-2.6.16-nath323-1.3.bz2 squashfs3.2-r2.tar.gz = $(URL_IPFIRE)/squashfs3.2-r2.tar.gz @@ -65,7 +65,7 @@ mISDN-CVS-2007-01-26.tar.bz2 = $(URL_IPFIRE)/mISDN-CVS-2007-01-26.tar.bz2 $(DL_FILE)_MD5 = 87e998bb87839b962702815dd5aecc73 patch-o-matic-ng-20061210.tar.bz2_MD5 = 76edac76301b45f89e467b41c8cf4393 -iptables-1.3.7.tar.bz2_MD5 = dd965bdacbb86ce2a6498829fddda6b7 +iptables-1.3.5.tar.bz2_MD5 = 00fb916fa8040ca992a5ace56d905ea5 netfilter-layer7-v2.9.tar.gz_MD5 = ebf9043a5352ebe6dbd721989ef83dee patch-2.6.16-nath323-1.3.bz2_MD5 = f926409ff703a307baf54b57ab75d138 squashfs3.2-r2.tar.gz_MD5 = bf360b92eba9e6d5610196ce2e02fcd1 @@ -124,8 +124,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Patch-o-matic cd $(DIR_SRC) && rm -rf iptables-* patch-o-matic* - cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.3.7.tar.bz2 - cd $(DIR_SRC) && ln -sf iptables-1.3.7 iptables + cd $(DIR_SRC) && tar xfj $(DIR_DL)/iptables-1.3.5.tar.bz2 + cd $(DIR_SRC) && ln -sf iptables-1.3.5 iptables cd $(DIR_SRC) && tar xfj $(DIR_DL)/patch-o-matic-ng-20061210.tar.bz2 cd $(DIR_SRC)/patch-o-matic-ng* && \ ./runme --batch --kernel-path=$(ROOT)/usr/src/$(THISAPP)/ \ 
@@ -151,7 +151,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ifeq "$(SMP)" "" # Only do this once on the non-SMP pass - cd $(DIR_SRC) && tar czf $(DIR_DL)/iptables-fixed.tar.gz iptables-1.3.7 + cd $(DIR_SRC) && tar czf $(DIR_DL)/iptables-fixed.tar.gz iptables-1.3.5 endif # Bootsplash diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index e27ae6e7b9..aca8357362 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -151,6 +151,14 @@ case "$1" in # Accept everything connected /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything + /sbin/iptables -N IPSECVIRTUAL + /sbin/iptables -N OPENSSLVIRTUAL + /sbin/iptables -A INPUT -j IPSECVIRTUAL + /sbin/iptables -A INPUT -j OPENSSLVIRTUAL + /sbin/iptables -A FORWARD -j IPSECVIRTUAL + /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT @@ -167,19 +175,17 @@ case "$1" in # we end up with orange -> orange traffic passing through IPFire [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - # accept all traffic from ipsec interfaces - /sbin/iptables -A INPUT -i ipsec+ -j ACCEPT - /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT - # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT - # IPSec chains - /sbin/iptables -N IPSECRED - /sbin/iptables -A INPUT -j IPSECRED - /sbin/iptables -N IPSECBLUE - /sbin/iptables -A INPUT -j IPSECBLUE + # IPSec + /sbin/iptables -N IPSECPHYSICAL + /sbin/iptables -A INPUT -j IPSECPHYSICAL + + # OPenSSL + /sbin/iptables -N OPENSSLPHYSICAL + /sbin/iptables -A INPUT -j OPENSSLPHYSICAL # WIRELESS chains /sbin/iptables -N WIRELESSINPUT 
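Review bot: The jumps `-A INPUT -j IPSECVIRTUAL` and `-A FORWARD -j IPSECVIRTUAL` sit directly after the ESTABLISHED,RELATED accept and before every zone rule, and ipsecctrl.c's open_virtual() in this same commit fills that chain with `-i ipsec+ -j ACCEPT`, so anything arriving from any IPsec peer is accepted by the firewall itself and forwarded into every zone with no further filtering. The removed `-i ipsec+` rules did the same, so this is not a regression, but the trust decision is now split across two files and should be stated where the chains are created; I would replace the `# trafic from ipsecX/TUN/TAP interfaces...` comment with `# VPN virtual interfaces: the *VIRTUAL chains are populated by ipsecctrl/openvpnctrl and currently ACCEPT everything from a VPN peer into every zone - tunnels are treated as fully trusted`. OPENSSLPHYSICAL and OPENSSLVIRTUAL are created here but nothing in this diff adds a rule to them; if openvpnctrl does not, they are empty chains every packet traverses for nothing — worth confirming. Minor: "trafic" and "OPenSSL" in the new comments.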
diff --git a/src/install+setup/install/main.c b/src/install+setup/install/main.c index 3288a168e4..9bd629dc10 100644 --- a/src/install+setup/install/main.c +++ b/src/install+setup/install/main.c @@ -547,9 +547,9 @@ int main(int argc, char *argv[]) if (strlen(driver) > 1) { fprintf(flog, "Fixing up ipfirerd.img\n"); mkdir("/harddisk/initrd", S_IRWXU|S_IRWXG|S_IRWXO); - snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd -v --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd.img %s-ipfire", driver, KERNEL_VERSION); + snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd.img %s-ipfire", driver, KERNEL_VERSION); runcommandwithstatus(commandstring, ctr[TR_BUILDING_INITRD]); - snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd -v --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd-smp.img %s-ipfire-smp", driver, KERNEL_VERSION); + snprintf(commandstring, STRING_SIZE, "/sbin/chroot /harddisk /sbin/mkinitrd --with=scsi_mod %s --with=sd_mod --with=sr_mod /boot/ipfirerd-smp.img %s-ipfire-smp", driver, KERNEL_VERSION); runcommandwithstatus(commandstring, ctr[TR_BUILDING_INITRD]); mysystem("/sbin/chroot /harddisk /bin/mv /boot/grub/scsigrub.conf /boot/grub/grub.conf"); } diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 7abaa3e603..bd2c082de1 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -11,7 +11,7 @@ SUID_PROGS = setdmzholes setportfw setfilters setxtaccess restartdhcp restartsno restartapplejuice setdate rebuildhosts \ restartsyslogd logwatch openvpnctrl timecheckctrl \ restartwireless getipstat qosctrl launch-ether-wake \ - redctrl extrahdctrl sambactrl + redctrl extrahdctrl sambactrl upnpctrl install : all install -m 755 $(PROGS) /usr/local/bin 
@@ -48,6 +48,9 @@ redctrl: redctrl.c setuid.o ../install+setup/libsmooth/varval.o extrahdctrl: extrahdctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ extrahdctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ + +upnpctrl: upnpctrl.c setuid.o ../install+setup/libsmooth/varval.o + $(COMPILE) -I../install+setup/libsmooth/ upnpctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ sambactrl: sambactrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ sambactrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 408dfad907..63e042a911 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -3,8 +3,6 @@ * File originally from the Smoothwall project * (c) 2001 Smoothwall Team * - * $Id: ipsecctrl.c,v 1.5.2.14 2005/05/15 12:58:28 rkerr Exp $ - * */ #include "libsmooth.h" 
@@ -17,6 +15,40 @@ #include #include "setuid.h" +/* + This module is responsible for start stop of the vpn system. + + 1) it allows AH & ESP to get in from interface where a vpn is mounted + The NAT traversal is used on the udp 4500 port. + + 2) it starts the ipsec daemon + The RED interface is a problem because it can be up or down a startup. + Then, the state change and it must not affect other VPN mounted on + other interface. + Unfortunatly, openswan 1 cannot do that correctly. It cannot use an + interface without restarting everything. + + IPCop should control vpn this way: + + rc.netaddrsesup.up + call ipsecctrl once to start vpns on all interface + RED based vpn won't start because "auto=ignore" instead off "auto=start" + + rc.updatered + call ipsectrl to turn on or off vpn based on RED + + but now it is only: + + rc.updatered + call ipsectrl S at every event on RED. + Consequence: BLUE vpn is not started until RED goes up. + + +*/ + +#define phystable "IPSECPHYSICAL" +#define virtualtable "IPSECVIRTUAL" + void usage() { fprintf (stderr, "Usage:\n"); fprintf (stderr, "\tipsecctrl S [connectionkey]\n"); 
@@ -27,43 +59,66 @@ void usage() { fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n"); } -void loadalgmodules() { +void load_modules() { safe_system("/sbin/modprobe ipsec"); } -void ipsecrules(char *chain, char *interface) -{ +/* + ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface +*/ +void open_physical (char *interface, int nat_traversal_port) { char str[STRING_SIZE]; - sprintf(str, "/sbin/iptables -A %s -p 47 -i %s -j ACCEPT", chain, interface); + // GRE ??? + sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface); safe_system(str); - sprintf(str, "/sbin/iptables -A %s -p 50 -i %s -j ACCEPT", chain, interface); + // ESP + sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface); safe_system(str); - sprintf(str, "/sbin/iptables -A %s -p 51 -i %s -j ACCEPT", chain, interface); + // AH + sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface); safe_system(str); - sprintf(str, "/sbin/iptables -A %s -p udp -i %s --sport 500 --dport 500 -j ACCEPT", chain, interface); + // IKE + sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface); safe_system(str); - sprintf(str, "/sbin/iptables -A %s -p udp -i %s --dport 4500 -j ACCEPT", chain, interface); + + if (! nat_traversal_port) + return; + + sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port); safe_system(str); } -void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enablered, char*enableblue) +/* + Basic control for what can flow from/to ipsecX interfaces. + + rc.firewall call this chain just before ACCEPTing everything + from green (-i DEV_GREEN -j ACCEPT). 
+*/ +void open_virtual (void) { + // allow anything from any ipsec to go on all interface, including other ipsec + safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT"); + //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ? +} + +void ipsec_norules() { + /* clear input rules */ + safe_system("/sbin/iptables -F " phystable); + safe_system("/sbin/iptables -F " virtualtable); + + // unmap red alias ???? +} + + +void add_alias_interfaces(char *configtype, + char *redtype, + char *redif, + int offset) //reserve room for ipsec0=red, ipsec1=green, ipsec2=orange,ipsec3=blue { FILE *file = NULL; char s[STRING_SIZE]; - char *sptr; - char *aliasip=NULL; - char *enabled=NULL; - char *comment=NULL; - int count=0; int alias=0; - int add=0; - if ( strcmp(enablered, "on") == 0 ) - add += 1; - if ( strcmp(enableblue, "on") == 0 ) - add += 1; - /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not, * exit gracefully. This is not an error... */ if (!((strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "6")==0) || (strcmp(configtype, "7")==0))) @@ -79,16 +134,15 @@ void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enab fprintf(stderr, "Unable to open aliases configuration file\n"); return; } - - while (fgets(s, STRING_SIZE, file) != NULL && (add+alias) < 16) + while (fgets(s, STRING_SIZE, file) != NULL && (offset+alias) < 16 ) { if (s[strlen(s) - 1] == '\n') s[strlen(s) - 1] = '\0'; - sptr = strtok(s, ","); - count = 0; - aliasip = NULL; - enabled = NULL; - comment = NULL; + int count = 0; + char *aliasip=NULL; + char *enabled=NULL; + char *comment=NULL; + char *sptr = strtok(s, ","); while (sptr) { if (count == 0) 
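Review bot: open_physical() still accepts IP protocol 47 (GRE) on the physical interface, and the new `// GRE ???` comment shows the author does not know why: an IPsec peer needs only ESP (50), AH (51), UDP/500 and, for NAT-T, UDP/4500, so on RED this rule exposes GRE to the whole Internet for no stated reason. Either drop the `-p 47` rule or replace the comment with the real dependency, e.g. `// GRE (proto 47): required by <consumer>; not part of IPsec itself`. Separately, open_virtual()'s `-i ipsec+ -j ACCEPT` is reached from both INPUT and FORWARD in the new firewall script, so every VPN peer can reach every zone; the todo on the next line acknowledges this, but the function comment above should say it plainly so it is not read as an oversight.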
@@ -113,213 +167,333 @@ void addaliasinterfaces(char *configtype, char *redtype, char *redif, char *enab if (strcmp(enabled, "on") == 0) { memset(s, 0, STRING_SIZE); - snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", alias+add, redif, alias); + snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias); safe_system(s); alias++; } } } +/* + return values from the vpn config file or false if not 'on' +*/ +int decode_line (char *s, + char **key, + char **name, + char **type, + char **interface + ) { + int count = 0; + *key = NULL; + *name = NULL; + *type = NULL; + + if (s[strlen(s) - 1] == '\n') + s[strlen(s) - 1] = '\0'; + + char *result = strsep(&s, ","); + while (result) { + if (count == 0) + *key = result; + if ((count == 1) && strcmp(result, "on") != 0) + return 0; // a disabled line + if (count == 2) + *name = result; + if (count == 4) + *type = result; + if (count == 27) + *interface = result; + count++; + result = strsep(&s, ","); + } + + // check other syntax + if (! *name) + return 0; + + if (strspn(*name, LETTERS_NUMBERS) != strlen(*name)) { + fprintf(stderr, "Bad connection name: %s\n", *name); + return 0; + } + + if (! (strcmp(*type, "host") == 0 || strcmp(*type, "net") == 0)) { + fprintf(stderr, "Bad connection type: %s\n", *type); + return 0; + } + + if (! 
(strcmp(*interface, "RED") == 0 || strcmp(*interface, "GREEN") == 0 || + strcmp(*interface, "ORANGE") == 0 || strcmp(*interface, "BLUE") == 0)) { + fprintf(stderr, "Bad interface name: %s\n", *interface); + return 0; + } + //it's a valid & active line + return 1; +} + +/* + issue ipsec commmands to turn on connection 'name' +*/ +void turn_connection_on (char *name, char *type) { + char command[STRING_SIZE]; + + safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); + memset(command, 0, STRING_SIZE); + snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec auto --replace %s >/dev/null", name); + safe_system(command); + if (strcmp(type, "net") == 0) { + memset(command, 0, STRING_SIZE); + snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name); + safe_system(command); + } +} +/* + issue ipsec commmands to turn off connection 'name' +*/ +void turn_connection_off (char *name) { + char command[STRING_SIZE]; + + memset(command, 0, STRING_SIZE); + snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec auto --down %s >/dev/null", name); + safe_system(command); + memset(command, 0, STRING_SIZE); + snprintf(command, STRING_SIZE - 1, + "/usr/sbin/ipsec auto --delete %s >/dev/null", name); + safe_system(command); + safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); +} + + int main(int argc, char *argv[]) { - int count; - char s[STRING_SIZE]; + char configtype[STRING_SIZE]; char redtype[STRING_SIZE] = ""; - char command[STRING_SIZE]; - char *result; - char *key; - char *enabled; - char *name; - char *type; - char *running; - FILE *file = NULL; struct keyvalue *kv = NULL; - char enablered[STRING_SIZE] = "off"; - char enableblue[STRING_SIZE] = "off"; - char redif[STRING_SIZE] = "";; - char blueif[STRING_SIZE] = ""; - FILE *ifacefile = NULL; - if (!(initsetuid())) - exit(1); - if (argc < 2) { usage(); exit(1); } + if (!(initsetuid())) + exit(1); /* FIXME: workaround for pclose() issue - still no real idea why * this 
is happening */ signal(SIGCHLD, SIG_DFL); - /* Init the keyvalue structure */ - kv=initkeyvalues(); + /* handle operations that doesn't need start the ipsec system */ + if (argc == 2) { + if (strcmp(argv[1], "D") == 0) { + safe_system("/usr/local/bin/vpn-watch --stop"); + ipsec_norules(); + /* Only shutdown pluto if it really is running */ + int fd; + /* Get pluto pid */ + if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) { + safe_system("/etc/rc.d/ipsec stop 2> /dev/null >/dev/null"); + close(fd); + } + exit(0); + } - /* Read in the current values */ + if (strcmp(argv[1], "R") == 0) { + safe_system("/usr/sbin/ipsec auto --rereadall"); + exit(0); + } + } + + /* stop the watch script as soon as possible */ + safe_system("/usr/local/bin/vpn-watch --stop"); + + /* clear iptables vpn rules */ + ipsec_norules(); + + /* read vpn config */ + kv=initkeyvalues(); if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings")) { fprintf(stderr, "Cannot read vpn settings\n"); exit(1); } - findkey(kv, "ENABLED", enablered); - findkey(kv, "ENABLED_BLUE", enableblue); + /* check is the vpn system is enabled */ + { + char s[STRING_SIZE]; + findkey(kv, "ENABLED", s); + freekeyvalues(kv); + if (strcmp (s, "on") != 0) + exit(0); + } - freekeyvalues(kv); + /* read interface settings */ kv=initkeyvalues(); - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) { fprintf(stderr, "Cannot read ethernet settings\n"); exit(1); } - if (!findkey(kv, "CONFIG_TYPE", configtype)) { fprintf(stderr, "Cannot read CONFIG_TYPE\n"); exit(1); } - findkey(kv, "RED_TYPE", redtype); - findkey(kv, "BLUE_DEV", blueif); - freekeyvalues(kv); - memset(redif, 0, STRING_SIZE); - - if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - if (fgets(redif, STRING_SIZE, ifacefile)) - { - if (redif[strlen(redif) - 1] == '\n') - redif[strlen(redif) - 1] = '\0'; - } - fclose (ifacefile); - ifacefile = NULL; - if (!VALID_DEVICE(redif)) - { - memset(redif, 0, STRING_SIZE); - } - } - safe_system("/sbin/iptables -F 
IPSECRED"); - if (!strcmp(enablered, "on") && strlen(redif)) { - ipsecrules("IPSECRED", redif); - } + /* Loop through the config file to find physical interface that will accept IPSEC */ + int enable_red=0; // states 0: not used + int enable_green=0; // 1: error condition + int enable_orange=0; // 2: good + int enable_blue=0; + char if_red[STRING_SIZE] = ""; + char if_green[STRING_SIZE] = ""; + char if_orange[STRING_SIZE] = ""; + char if_blue[STRING_SIZE] = ""; + char s[STRING_SIZE]; + FILE *file = NULL; - safe_system("/sbin/iptables -F IPSECBLUE"); - if (!strcmp(enableblue, "on")) { - if (VALID_DEVICE(blueif)) - ipsecrules("IPSECBLUE", blueif); - else - { - fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n"); - exit(1); - } + if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) { + fprintf(stderr, "Couldn't open vpn settings file"); + exit(1); } + while (fgets(s, STRING_SIZE, file) != NULL) { + char *key; + char *name; + char *type; + char *interface; + if (!decode_line(s,&key,&name,&type,&interface)) + continue; + /* search interface */ + if (!enable_red && strcmp (interface, "RED") == 0) { + // when RED is up, find interface name in special file + FILE *ifacefile = NULL; + if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) { + if (fgets(if_red, STRING_SIZE, ifacefile)) { + if (if_red[strlen(if_red) - 1] == '\n') + if_red[strlen(if_red) - 1] = '\0'; + } + fclose (ifacefile); - /* Only shutdown pluto if it really is running */ - if (argc == 2) { - if (strcmp(argv[1], "D") == 0) { - int fd; - /* Get pluto pid */ - if ((fd = open("/var/run/pluto.pid", O_RDONLY)) != -1) { - safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null"); - close(fd); + if (VALID_DEVICE(if_red)) + enable_red+=2; // present and running } } - } - - if ((strcmp(enablered, "on") || !strlen(redif)) && strcmp(enableblue, "on")) - exit(0); - if (argc == 2) { - if (strcmp(argv[1], "S") == 0) { - loadalgmodules(); - safe_system("/usr/sbin/ipsec tncfg 
--clear >/dev/null"); - safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null"); - addaliasinterfaces(configtype, redtype, redif, enablered, enableblue); - } else if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec auto --rereadall"); - } else { - fprintf(stderr, "Bad arg\n"); - usage(); - exit(1); + if (!enable_green && strcmp (interface, "GREEN") == 0) { + enable_green = 1; + findkey(kv, "GREEN_DEV", if_green); + if (VALID_DEVICE(if_green)) + enable_green++; + else + fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n"); } - } else if (strspn(argv[2], NUMBERS) == strlen(argv[2])) { - if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) { - fprintf(stderr, "Couldn't open vpn settings file"); - exit(1); + + if (!enable_orange && strcmp (interface, "ORANGE") == 0) { + enable_orange = 1; + findkey(kv, "ORANGE_DEV", if_orange); + if (VALID_DEVICE(if_orange)) + enable_orange++; + else + fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n"); } - while (fgets(s, STRING_SIZE, file) != NULL) { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - running = strdup (s); - result = strsep(&running, ","); - count = 0; - key = NULL; - name = NULL; - enabled = NULL; - type = NULL; - while (result) { - if (count == 0) - key = result; - if (count == 1) - enabled = result; - if (count == 2) - name = result; - if (count == 4) - type = result; - count++; - result = strsep(&running, ","); - } - if (strcmp(key, argv[2]) != 0) - continue; - - if (!(name && enabled)) - continue; - - if (strspn(name, LETTERS_NUMBERS) != strlen(name)) { - fprintf(stderr, "Bad connection name: %s\n", name); - goto EXIT; - } - if (! 
(strcmp(type, "host") == 0 || strcmp(type, "net") == 0)) { - fprintf(stderr, "Bad connection type: %s\n", type); - goto EXIT; - } - - if (strcmp(argv[1], "S") == 0 && strcmp(enabled, "on") == 0) { - safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --replace %s >/dev/null", name); - safe_system(command); - if (strcmp(type, "net") == 0) { - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name); - safe_system(command); - } - } else if (strcmp(argv[1], "D") == 0) { - safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --down %s >/dev/null", name); - safe_system(command); - memset(command, 0, STRING_SIZE); - snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --delete %s >/dev/null", name); - safe_system(command); - } + if (!enable_blue && strcmp (interface, "BLUE") == 0) { + enable_blue++; + findkey(kv, "BLUE_DEV", if_blue); + if (VALID_DEVICE(if_blue)) + enable_blue++; + else + fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n"); + } - } else { + } + fclose(file); + freekeyvalues(kv); + + // do nothing if something is in error condition + if ((enable_red==1) || (enable_green==1) || (enable_orange==1) || (enable_blue==1) ) + exit(1); + + // exit if nothing to do + if ( (enable_red+enable_green+enable_orange+enable_blue) == 0 ) + exit(0); + + // open needed ports + // todo: read a nat_t indicator to allow or not openning UDP/4500 + if (enable_red==2) + open_physical(if_red, 4500); + + if (enable_green==2) + open_physical(if_green, 4500); + + if (enable_orange==2) + open_physical(if_orange, 4500); + + if (enable_blue==2) + open_physical(if_blue, 4500); + + // then open the ipsecX + open_virtual(); + + // start the system + if ((argc == 
2) && strcmp(argv[1], "S") == 0) { + load_modules(); + safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null"); + safe_system("/etc/rc.d/ipsec restart >/dev/null"); + add_alias_interfaces(configtype, redtype, if_red, (enable_red+enable_green+enable_orange+enable_blue) >>1 ); + safe_system("/usr/local/bin/vpn-watch --start"); + exit(0); + } + + // it is a selective start or stop + // second param is only a number 'key' + if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) { + ipsec_norules(); fprintf(stderr, "Bad arg\n"); usage(); exit(1); } -EXIT: - if (file) - fclose(file); + // search the vpn pointed by 'key' + if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) { + ipsec_norules(); + fprintf(stderr, "Couldn't open vpn settings file"); + exit(1); + } + while (fgets(s, STRING_SIZE, file) != NULL) { + char *key; + char *name; + char *type; + char *interface; + if (!decode_line(s,&key,&name,&type,&interface)) + continue; + + // start/stop a vpn if belonging to specified interface + if (strcmp(argv[1], interface) == 0 ) { + if (strcmp(argv[2], "0")==0) + turn_connection_off (name); + else + turn_connection_on (name, type); + continue; + } + // is it the 'key' requested ? + if (strcmp(argv[2], key) != 0) + continue; + // Start or Delete this Connection + if (strcmp(argv[1], "S") == 0) + turn_connection_on (name, type); + else + if (strcmp(argv[1], "D") == 0) + turn_connection_off (name); + else { + ipsec_norules(); + fprintf(stderr, "Bad command\n"); + exit(1); + } + } + fclose(file); + safe_system("/usr/local/bin/vpn-watch --start"); return 0; } diff --git a/src/misc-progs/sambactrl.c b/src/misc-progs/sambactrl.c index 568af05e36..463f915ca6 100644 --- a/src/misc-progs/sambactrl.c +++ b/src/misc-progs/sambactrl.c @@ -27,7 +27,6 @@ int main(int argc, char *argv[]) { snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -d %s", argv[2]); safe_system(command); - printf(command); return 0; } 
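Review bot: decode_line() never initialises `*interface`, and `*type` stays NULL when a config line has fewer than five fields, yet both are handed to strcmp() after the parsing loop; main() declares `char *interface;` without an initialiser, so a short or malformed line in /var/ipfire/vpn/config dereferences an indeterminate pointer. Add `*interface = NULL;` beside the other three resets at the top of decode_line() and widen the syntax check to `if (!*name || !*type || !*interface) return 0;`. The config file is written by the web UI, so this is robustness rather than a privilege boundary, but this program calls initsetuid() and should not trust the file's field count. It is also worth a one-line comment on turn_connection_on() that `name` may only reach the shell because decode_line() rejects anything outside LETTERS_NUMBERS, since nothing else protects that snprintf.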
@@ -35,7 +34,6 @@ int main(int argc, char *argv[]) { snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -e %s", argv[2]); safe_system(command); - printf(command); return 0; } @@ -43,10 +41,8 @@ int main(int argc, char *argv[]) { snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -x %s", argv[2]); safe_system(command); - printf(command); snprintf(command, BUFFER_SIZE-1, "/usr/sbin/userdel %s", argv[2]); safe_system(command); - printf(command); return 0; } @@ -56,10 +52,17 @@ int main(int argc, char *argv[]) return 0; } + if (strcmp(argv[1], "smbsafeconfpdc")==0) + { + safe_system("/bin/cat /var/ipfire/samba/global /var/ipfire/samba/pdc /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf"); + return 0; + } + if (strcmp(argv[1], "smbglobalreset")==0) { safe_system("/bin/cat /var/ipfire/samba/default.global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf"); safe_system("/bin/cat /var/ipfire/samba/default.settings > /var/ipfire/samba/settings"); + safe_system("/bin/cat /var/ipfire/samba/default.global > /var/ipfire/samba/global"); return 0; } @@ -85,9 +88,19 @@ int main(int argc, char *argv[]) return 0; } + if (strcmp(argv[1], "smbstatus")==0) + { + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/smbstatus"); + safe_system(command); + printf(command); + return 0; + } + if (strcmp(argv[1], "smbuseradd")==0) { - snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -d /opt/samba -g 2110 -p %s -s /bin/false %s", argv[3], argv[2]); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambauser"); + safe_system(command); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba User' -m -g %s -p %s -s %s %s", argv[4], argv[3], argv[5], argv[2]); safe_system(command); printf(command); snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s", argv[3], argv[3], argv[2]); 
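Review bot: The `smbuseradd` branch now builds `/usr/sbin/useradd ... -g %s -p %s -s %s %s` from argv[2..5] with no argc check and no character validation before safe_system(), so a quote or semicolon in the user name, group or shell runs arbitrary commands with this program's elevated privileges, and a call with fewer than five arguments formats a NULL pointer. The following `printf(command)` passes that same attacker-influenced buffer as the format string, so `%n` in any argument writes memory; use `printf("%s\n", command);` instead. The password also travels on the useradd command line and is echoed by that printf, where `ps` and the CGI output expose it; useradd's `-p` is hard to avoid, but the echo is not. A minimal guard is below; it assumes setuid.h's LETTERS_NUMBERS is in scope here as it is in ipsecctrl.c, and argv[5] (the shell) still needs a whitelist of permitted paths since it cannot pass that check.
```c
if (strcmp(argv[1], "smbuseradd")==0)
{
    if (argc < 6)
    {
        fprintf(stderr, "smbuseradd: missing arguments\n");
        return 1;
    }
    if (strspn(argv[2], LETTERS_NUMBERS) != strlen(argv[2]) ||
        strspn(argv[4], LETTERS_NUMBERS) != strlen(argv[4]))
    {
        fprintf(stderr, "smbuseradd: bad user or group name\n");
        return 1;
    }
    /* … unchanged: groupadd / useradd / smbpasswd commands, each followed by printf("%s\n", command) … */
}
```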
@@ -96,6 +109,19 @@ int main(int argc, char *argv[]) return 0; } + if (strcmp(argv[1], "smbpcadd")==0) + { + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/groupadd sambawks"); + safe_system(command); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/useradd -c 'Samba Workstation' -g %s -s %s %s", argv[3], argv[4], argv[2]); + safe_system(command); + printf(command); + snprintf(command, BUFFER_SIZE-1, "/usr/bin/smbpasswd -a -m %s", argv[2]); + safe_system(command); + printf(command); + return 0; + } + if (strcmp(argv[1], "smbchangepw")==0) { snprintf(command, BUFFER_SIZE-1, "/usr/bin/printf '%s\n%s\n' | /usr/bin/smbpasswd -as %s", argv[3], argv[3], argv[2]); diff --git a/src/misc-progs/upnpctrl.c b/src/misc-progs/upnpctrl.c new file mode 100644 index 0000000000..d133c163ce --- /dev/null +++ b/src/misc-progs/upnpctrl.c @@ -0,0 +1,47 @@ +#include +#include +#include +#include +#include +#include +#include "setuid.h" + +#define BUFFER_SIZE 1024 + +char command[BUFFER_SIZE]; + +int main(int argc, char *argv[]) +{ + + if (!(initsetuid())) + exit(1); + + // Check what command is asked + if (argc==1) + { + fprintf (stderr, "Missing upnpctrl command!\n"); + return 1; + } + + if (strcmp(argv[1], "start")==0) + { + snprintf(command, BUFFER_SIZE-1, "route add -net 239.0.0.0 netmask 255.0.0.0 %s", argv[2]); + safe_system(command); + printf(command); + snprintf(command, BUFFER_SIZE-1, "/usr/sbin/upnpd %s %s", argv[2], argv[3] ); + safe_system(command); + printf(command); + return 0; + } + + if (strcmp(argv[1], "stop")==0) + { + snprintf(command, BUFFER_SIZE-1, "killall upnpd"); + safe_system(command); + printf(command); + snprintf(command, BUFFER_SIZE-1, "route del -net 239.0.0.0 netmask 255.0.0.0 %s", argv[2]); + safe_system(command); + printf(command); + return 0; + } +}
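Review bot: `smbpcadd` has the same shape as smbuseradd: argv[2], argv[3] and argv[4] go straight into `/usr/sbin/useradd -c 'Samba Workstation' -g %s -s %s %s` and then to safe_system() with no argc check and no validation, and `printf(command)` uses the result as a format string. Guard it with `if (argc < 5) return 1;`, reject account and group names containing anything outside LETTERS_NUMBERS (assuming setuid.h's macro is in scope here as in ipsecctrl.c), and print with `printf("%s\n", command);`. Samba machine accounts are conventionally named with a trailing `$`, so that whitelist may need to allow exactly one trailing `$` — verify against how the CGI builds the name before tightening.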
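Review bot: upnpctrl.c is installed setuid (it is added to SUID_PROGS in the Makefile hunk above) but passes argv[2] and argv[3] unvalidated into `route add ... %s` and `/usr/sbin/upnpd %s %s`, and the argc check only guarantees argv[1] exists, so `upnpctrl start` alone formats a NULL pointer and any shell metacharacter in the interface argument executes as root. Every `printf(command)` then uses that attacker-influenced buffer as the format string. `route` and `killall` are also resolved through PATH rather than by absolute path like the `/sbin/iptables` calls elsewhere in this commit (presumably `/sbin/route` — verify). The rewritten start branch below uses VALID_DEVICE() from setuid.h, which ipsecctrl.c uses for the same purpose — confirm argv[3] is an interface name too; the stop branch needs the same argc/VALID_DEVICE guard and printf fix. main() also falls off the end without a return for an unknown command; add `fprintf(stderr, "Unknown upnpctrl command!\n"); return 1;` after the stop branch.
```c
if (strcmp(argv[1], "start")==0)
{
    if (argc < 4 || !VALID_DEVICE(argv[2]) || !VALID_DEVICE(argv[3]))
    {
        fprintf(stderr, "upnpctrl start: bad interface argument\n");
        return 1;
    }
    snprintf(command, BUFFER_SIZE-1, "/sbin/route add -net 239.0.0.0 netmask 255.0.0.0 %s", argv[2]);
    safe_system(command);
    printf("%s\n", command);
    snprintf(command, BUFFER_SIZE-1, "/usr/sbin/upnpd %s %s", argv[2], argv[3]);
    safe_system(command);
    printf("%s\n", command);
    return 0;
}
/* … unchanged: stop branch (apply the same argc/VALID_DEVICE guard and printf("%s\n", command) there) … */
```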