]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - src/misc-progs/openvpnctrl.c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>

#include "setuid.h"
#include "netutil.h"
#include "libsmooth.h"

/* The macro defined here is "noovpndebug", so "ovpndebug" stays undefined and
 * every "#ifdef ovpndebug" section in this file is compiled out. */
#define noovpndebug

// global vars
/* Key/value store handle; this file re-initialises it for each settings file
 * it reads (ovpn settings, ethernet settings). */
struct keyvalue *kv = NULL;
/* Handle used while reading CONFIG_ROOT "/red/iface" in ovpnInit(). */
FILE *ifacefile = NULL;

/* Interface names. redif is read from CONFIG_ROOT "/red/iface"; blueif and
 * orangeif come from the BLUE_DEV / ORANGE_DEV keys (see ovpnInit()). */
char redif[STRING_SIZE];
char blueif[STRING_SIZE];
char orangeif[STRING_SIZE];
/* Per-zone switches, compared against the string "on" throughout this file.
 * ovpnInit() fills them from ENABLED, ENABLED_BLUE and ENABLED_ORANGE. */
char enablered[STRING_SIZE] = "off";
char enableblue[STRING_SIZE] = "off";
char enableorange[STRING_SIZE] = "off";

// consts
/* iptables chain names and the version string printed by usage().
 * Note: these are writable arrays, not const-qualified objects. */
char OVPNINPUT[STRING_SIZE] = "OVPNINPUT";
char OVPNBLOCK[STRING_SIZE] = "OVPNBLOCK";
char OVPNNAT[STRING_SIZE] = "OVPNNAT";
char WRAPPERVERSION[STRING_SIZE] = "ipfire-2.2.4";

/* One record parsed from CONFIG_ROOT "/ovpn/ovpnconfig" by getConnections().
 * The column numbers are the zero-based comma-separated field indexes that
 * getConnections() copies into each member. All members hold raw text from
 * the configuration file. */
struct connection_struct {
	char name[STRING_SIZE];            /* column 2 */
	char type[STRING_SIZE];            /* column 4; compared against "net" for net-to-net connections */
	char proto[STRING_SIZE];           /* column 29 */
	char status[STRING_SIZE];          /* column 1; compared against "on" */
	char local_subnet[STRING_SIZE];    /* column 9; split at '/' into address and mask */
	char transfer_subnet[STRING_SIZE]; /* column 28; split at '/' into address and mask */
	char role[STRING_SIZE];            /* column 7; compared against "server" / "client" */
	char port[STRING_SIZE];            /* column 30 */
	struct connection_struct *next;    /* next record; NULL on the last one */
};

typedef struct connection_struct connection;

/*
 * Release the global resources this file keeps: the key/value store in kv
 * and the interface file handle in ifacefile. Each is released only when
 * its pointer is non-NULL.
 */
void exithandler(void)
{
	if (kv != NULL) {
		freekeyvalues(kv);
	}

	if (ifacefile != NULL) {
		fclose(ifacefile);
	}
}

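/*
 * Print the wrapper version and the list of command line switches to stdout,
 * then terminate the process with exit status 1. This function does not
 * return to its caller.
 */
void usage(void)
{
#ifdef ovpndebug
	printf("Wrapper for OpenVPN %s-debug\n", WRAPPERVERSION);
#else
	printf("Wrapper for OpenVPN %s\n", WRAPPERVERSION);
#endif
	printf("openvpnctrl <option>\n");
	printf(" Valid options are:\n");
	printf(" -s --start\n");
	printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n");
	printf(" -k --kill\n");
	printf(" kills/stops OpenVPN\n");
	printf(" -r --restart\n");
	printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n");
	printf(" -sn2n --start-net-2-net\n");
	printf(" starts all net2net connections\n");
	printf(" you may pass a connection name to the switch to only start a specific one\n");
	printf(" -kn2n --kill-net-2-net\n");
	printf(" kills all net2net connections\n");
	/* Copy-paste fix: this switch kills a connection, it does not start one. */
	printf(" you may pass a connection name to the switch to only kill a specific one\n");
	printf(" -d --display\n");
	printf(" displays OpenVPN status to syslog\n");
	printf(" -fwr --firewall-rules\n");
	printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
	printf(" -sdo --start-daemon-only\n");
	printf(" starts OpenVPN daemon only\n");
	exit(1);
}
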
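/*
 * Parse CONFIG_ROOT "/ovpn/ovpnconfig" into a singly linked list.
 *
 * Every line read becomes one list node. A line is split at ',' and the
 * zero-based fields 1, 2, 4, 7, 9, 28, 29 and 30 are copied into status,
 * name, type, role, local_subnet, transfer_subnet, proto and port.
 *
 * Returns the head of the list, or NULL when the file has no lines. The
 * nodes are heap allocated and owned by the caller. Exits with status 1
 * when the file cannot be opened or memory runs out.
 *
 * The field values are raw configuration text; callers that place them in
 * file paths or command strings must validate them first.
 *
 * NOTE(review): a line longer than STRING_SIZE - 1 bytes is returned by
 * fgets() in pieces, and each piece is parsed as a record of its own.
 */
connection *getConnections() {
	FILE *fp = fopen(CONFIG_ROOT "/ovpn/ovpnconfig", "r");
	if (fp == NULL) {
		fprintf(stderr, "Could not open openvpn n2n configuration file.\n");
		exit(1);
	}

	char line[STRING_SIZE] = "";
	char result[STRING_SIZE] = "";
	connection *conn_first = NULL;
	connection *conn_last = NULL;

	while (fgets(line, STRING_SIZE, fp) != NULL) {
		/* Guard the index: strlen() can be 0 if the line starts with a NUL byte. */
		size_t len = strlen(line);
		if (len > 0 && line[len - 1] == '\n')
			line[len - 1] = '\0';

		/* calloc() zeroes the node, so every field starts as "" and next as NULL. */
		connection *conn_curr = calloc(1, sizeof(*conn_curr));
		if (conn_curr == NULL) {
			fprintf(stderr, "Out of memory while reading openvpn n2n configuration.\n");
			fclose(fp);
			exit(1);
		}

		if (conn_first == NULL) {
			conn_first = conn_curr;
		} else {
			conn_last->next = conn_curr;
		}
		conn_last = conn_curr;

		int count = 0;
		const char *lineptr = line;
		while (*lineptr != '\0') {
			/* Copy one field; it cannot outgrow result because line has the same size. */
			char *resultptr = result;
			while (*lineptr != '\0') {
				if (*lineptr == ',') {
					lineptr++;
					break;
				}
				*resultptr++ = *lineptr++;
			}
			*resultptr = '\0';

			char *field = NULL;
			switch (count) {
			case 1:  field = conn_curr->status; break;
			case 2:  field = conn_curr->name; break;
			case 4:  field = conn_curr->type; break;
			case 7:  field = conn_curr->role; break;
			case 9:  field = conn_curr->local_subnet; break;
			case 28: field = conn_curr->transfer_subnet; break;
			case 29: field = conn_curr->proto; break;
			case 30: field = conn_curr->port; break;
			default: break;
			}

			/* Bounded copy; every destination member is STRING_SIZE bytes. */
			if (field != NULL)
				snprintf(field, STRING_SIZE, "%s", result);

			count++;
		}
	}

	fclose(fp);

	return conn_first;
}
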
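/*
 * Read a process id from the first line of `pidfile`.
 *
 * Returns the pid when the file starts with a decimal number in the range
 * 1..INT_MAX, and 0 otherwise. Zero and negative numbers are rejected here
 * because callers pass the result to kill(), where such values address
 * process groups or every process instead of a single one.
 *
 * Exits with status 1 when the file cannot be opened.
 */
int readPidFile(const char *pidfile) {
	FILE *fp = fopen(pidfile, "r");
	if (fp == NULL) {
		exit(1);
	}

	char buf[32] = "";
	char *got = fgets(buf, sizeof(buf), fp);
	fclose(fp);

	if (got == NULL)
		return 0;

	/* strtol() reports range errors, which fscanf("%d") does not. */
	errno = 0;
	char *end = NULL;
	long value = strtol(buf, &end, 10);
	if (end == buf || errno == ERANGE || value <= 0 || value > INT_MAX)
		return 0;

	return (int)value;
}
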
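/*
 * Read the external IP address from /var/ipfire/red/local-ipaddress.
 *
 * `address` must point to a buffer of at least STRING_SIZE bytes; the only
 * caller in this file passes a char[STRING_SIZE]. The first whitespace
 * delimited token of the file is stored there and checked with VALID_IP().
 *
 * Returns 0 on success. On any failure the buffer is set to the empty
 * string and 1 is returned.
 */
int readExternalAddress(char* address) {
	static const char whitespace[] = " \t\r\n\v\f";
	char buffer[STRING_SIZE] = "";
	const char *start = buffer;
	size_t len = 0;

	if (address == NULL)
		return 1;

	FILE *fp = fopen("/var/ipfire/red/local-ipaddress", "r");
	if (!fp)
		goto ERROR;

	/* Bounded replacement for fscanf("%s"): skip blank input, then take
	 * the first token. fgets() never writes more than sizeof(buffer). */
	while (len == 0 && fgets(buffer, sizeof(buffer), fp) != NULL) {
		start = buffer + strspn(buffer, whitespace);
		len = strcspn(start, whitespace);
	}
	fclose(fp);

	if (len == 0)
		goto ERROR;

	/* len < STRING_SIZE, so the token plus terminator fits the caller's buffer. */
	memcpy(address, start, len);
	address[len] = '\0';

	/* In case the read IP address is not valid, we empty
	 * the content of address and return non-zero. */
	if (!VALID_IP(address))
		goto ERROR;

	return 0;

ERROR:
	/* Clear the caller's buffer; assigning NULL to the parameter would
	 * only change the local copy of the pointer. */
	address[0] = '\0';
	return 1;
}
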
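/*
 * Load the global state used by the rest of this file:
 *   - enablered / enableblue / enableorange from CONFIG_ROOT "/ovpn/settings"
 *     (keys ENABLED, ENABLED_BLUE, ENABLED_ORANGE),
 *   - redif from CONFIG_ROOT "/red/iface",
 *   - blueif / orangeif from CONFIG_ROOT "/ethernet/settings"
 *     (keys BLUE_DEV, ORANGE_DEV), read only when the zone is "on".
 *
 * Exits with status 1 when a settings file or a required key is missing.
 * Interface names that fail VALID_DEVICE() are cleared, so later code that
 * tests strlen() on them skips the zone. These names are later placed in
 * iptables command strings, which is why all three are checked.
 */
void ovpnInit(void) {
	// Read OpenVPN configuration
	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) {
		fprintf(stderr, "Cannot read ovpn settings\n");
		exit(1);
	}

	if (!findkey(kv, "ENABLED", enablered)) {
		exit(1);
	}

	if (!findkey(kv, "ENABLED_BLUE", enableblue)) {
		exit(1);
	}

	if (!findkey(kv, "ENABLED_ORANGE", enableorange)) {
		exit(1);
	}
	freekeyvalues(kv);
	kv = NULL; /* do not leave a dangling pointer for exithandler() */

	// read interface settings

	// details for the red int
	memset(redif, 0, STRING_SIZE);
	if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
	{
		if (fgets(redif, STRING_SIZE, ifacefile))
		{
			/* Guard the index: strlen() can be 0 if the line starts with a NUL byte. */
			size_t len = strlen(redif);
			if (len > 0 && redif[len - 1] == '\n')
				redif[len - 1] = '\0';
		}
		fclose(ifacefile);
		ifacefile = NULL;

		if (!VALID_DEVICE(redif))
		{
			memset(redif, 0, STRING_SIZE);
		}
	}

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	if (strcmp(enableblue, "on") == 0) {
		if (!findkey(kv, "BLUE_DEV", blueif)) {
			exit(1);
		}
		/* Same check as for redif.
		 * NOTE(review): assumes VALID_DEVICE() accepts every legitimate blue device name. */
		if (!VALID_DEVICE(blueif)) {
			memset(blueif, 0, STRING_SIZE);
		}
	}

	if (strcmp(enableorange, "on") == 0) {
		if (!findkey(kv, "ORANGE_DEV", orangeif)) {
			exit(1);
		}
		/* Same check as for redif. */
		if (!VALID_DEVICE(orangeif)) {
			memset(orangeif, 0, STRING_SIZE);
		}
	}
	freekeyvalues(kv);
	kv = NULL;
}
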
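/*
 * Run `command` through safe_system() with stdout and stderr discarded.
 *
 * The redirection suffix is added to a private copy sized for it. The
 * previous code used strncat() on the caller's buffer, whose third argument
 * limits the bytes taken from the source, not the size of the destination,
 * so a nearly full buffer was written past its end. `command` itself is no
 * longer modified.
 *
 * With ovpndebug defined the command is printed first, through a fixed
 * "%s" format so that '%' in the command is not treated as a conversion.
 *
 * If the copy cannot be allocated, nothing is executed.
 *
 * NOTE(review): safe_system() is declared elsewhere; the redirection suffix
 * only has meaning if it hands the string to a shell. Callers must therefore
 * validate every value they place in `command`.
 */
void executeCommand(char *command) {
	static const char suffix[] = " >/dev/null 2>&1";

	if (command == NULL)
		return;

	size_t len = strlen(command);
	char *full = malloc(len + sizeof(suffix));
	if (full == NULL) {
		fprintf(stderr, "Out of memory, command not executed\n");
		return;
	}
	memcpy(full, command, len);
	memcpy(full + len, suffix, sizeof(suffix)); /* includes the terminator */

#ifdef ovpndebug
	printf("%s\n", command);
#endif
	safe_system(full);
	free(full);
}
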
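/*
 * Append an ACCEPT rule to `chain` for traffic arriving on `interface`
 * with the given `protocol` and destination `port`.
 *
 * All four values end up in a command string, and `interface`, `protocol`
 * and `port` come from configuration files. Each must be non-empty, must
 * not start with '-' (it would be read as an option) and may contain only
 * letters, digits, '.', '_', ':' and '-'. A rule that fails this check, or
 * whose command does not fit the buffer, is not added and a message is
 * written to stderr.
 */
void addRule(const char *chain, const char *interface, const char *protocol, const char *port) {
	static const char allowed[] =
		"abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"0123456789._:-";
	const char *args[] = { chain, interface, protocol, port };

	for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
		const char *arg = args[i];
		if (arg == NULL || arg[0] == '\0' || arg[0] == '-' ||
				arg[strspn(arg, allowed)] != '\0') {
			fprintf(stderr, "Refusing to add firewall rule: invalid argument\n");
			return;
		}
	}

	/* Spare room past STRING_SIZE: executeCommand() may append to the string in place. */
	char command[STRING_SIZE + 32];

	int n = snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -i %s -p %s --dport %s -j ACCEPT",
		chain, interface, protocol, port);
	if (n < 0 || n >= STRING_SIZE - 1) {
		/* A truncated rule would not be the rule that was asked for. */
		fprintf(stderr, "Refusing to add firewall rule: command too long\n");
		return;
	}
	executeCommand(command);
}
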
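/*
 * Flush all rules of `chain` in the default iptables table.
 *
 * The command is not executed when it does not fit the buffer, because a
 * truncated chain name would address a different chain.
 */
void flushChain(char *chain) {
	/* Spare room past STRING_SIZE: executeCommand() may append to the string in place. */
	char str[STRING_SIZE + 32];

	int n = snprintf(str, STRING_SIZE - 1, "/sbin/iptables -F %s", chain);
	if (n < 0 || n >= STRING_SIZE - 1) {
		fprintf(stderr, "Refusing to flush chain: command too long\n");
		return;
	}
	executeCommand(str);
}
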
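/*
 * Flush all rules of `chain` in the iptables nat table.
 *
 * The command is not executed when it does not fit the buffer, because a
 * truncated chain name would address a different chain.
 */
void flushChainNAT(char *chain) {
	/* Spare room past STRING_SIZE: executeCommand() may append to the string in place. */
	char str[STRING_SIZE + 32];

	int n = snprintf(str, STRING_SIZE - 1, "/sbin/iptables -t nat -F %s", chain);
	if (n < 0 || n >= STRING_SIZE - 1) {
		fprintf(stderr, "Refusing to flush NAT chain: command too long\n");
		return;
	}
	executeCommand(str);
}
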
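/*
 * Compute this side's address inside the transfer network of `conn`.
 *
 * conn->transfer_subnet is expected as "address/netmask". The network
 * address is address & netmask; role "server" gets network + 1 and role
 * "client" gets network + 2.
 *
 * Returns the dotted-quad string produced by inet_ntoa(), which lives in a
 * static buffer: do not free it, and copy it before the next inet_ntoa()
 * call. Returns NULL (after a message on stderr) when the subnet cannot be
 * parsed or the role is neither "server" nor "client".
 */
char* calcTransferNetAddress(const connection* conn) {
	/* strsep() advances `subnetmask`, so keep the allocation in `copy` for free(). */
	char *copy = strdup(conn->transfer_subnet);
	char *subnetmask = copy;
	char *address = strsep(&subnetmask, "/");
	struct in_addr addr;
	struct in_addr mask;

	if ((address == NULL) || (subnetmask == NULL)) {
		goto ERROR;
	}

	/* inet_aton() reports malformed input instead of returning a sentinel
	 * that is indistinguishable from a real address. */
	if (!inet_aton(address, &addr) || !inet_aton(subnetmask, &mask)) {
		goto ERROR;
	}

	/* Do the arithmetic in host byte order so that "+ 1" means the next
	 * address on every architecture, not only on little-endian hosts. */
	in_addr_t host = ntohl(addr.s_addr & mask.s_addr);

	if (strcmp(conn->role, "server") == 0) {
		host += 1;
	} else if (strcmp(conn->role, "client") == 0) {
		host += 2;
	} else {
		goto ERROR;
	}

	addr.s_addr = htonl(host);

	/* The result is formatted into inet_ntoa()'s own buffer, so the copy
	 * of the subnet string can be released here instead of leaking. */
	free(copy);
	return inet_ntoa(addr);

ERROR:
	fprintf(stderr, "Could not determine transfer net address: %s\n", conn->name);

	free(copy);
	return NULL;
}
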
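/*
 * Find the address of the local zone (GREEN, BLUE or ORANGE) that lies
 * inside the local subnet of `conn`.
 *
 * conn->local_subnet is expected as "address/netmask". For each zone the
 * key "<ZONE>_ADDRESS" is looked up in CONFIG_ROOT "/ethernet/settings";
 * the first one strictly between the network and broadcast address wins.
 *
 * Returns a heap copy of that address, which the caller must free(), or
 * NULL after a message on stderr. Exits with status 1 when the ethernet
 * settings cannot be read. Uses and releases the global `kv`.
 */
char* getLocalSubnetAddress(const connection* conn) {
	const char *zones[] = {"GREEN", "BLUE", "ORANGE", NULL};
	char zone_address_key[STRING_SIZE];
	char zone_address[STRING_SIZE];
	char *result = NULL;
	char *copy = NULL;

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	// Get net address of the local openvpn subnet.
	/* strsep() advances `subnetmask`, so keep the allocation in `copy` for free(). */
	copy = strdup(conn->local_subnet);
	char *subnetmask = copy;
	char *address = strsep(&subnetmask, "/");
	struct in_addr addr;
	struct in_addr mask;

	if ((address == NULL) || (subnetmask == NULL)) {
		goto ERROR;
	}

	if (!inet_aton(address, &addr) || !inet_aton(subnetmask, &mask)) {
		goto ERROR;
	}

	/* Range checks need host byte order; comparing network-order values
	 * gives wrong answers on little-endian machines. */
	in_addr_t netaddr = ntohl(addr.s_addr & mask.s_addr);
	in_addr_t broadcast = ntohl(addr.s_addr | ~mask.s_addr);

	for (int i = 0; zones[i] != NULL; i++) {
		snprintf(zone_address_key, STRING_SIZE, "%s_ADDRESS", zones[i]);

		if (!findkey(kv, zone_address_key, zone_address))
			continue;

		/* Skip zone addresses that are not well-formed; the result is
		 * later placed in a command string by the caller. */
		struct in_addr zone_in;
		if (!inet_aton(zone_address, &zone_in))
			continue;

		in_addr_t zone_addr = ntohl(zone_in.s_addr);
		if ((zone_addr > netaddr) && (zone_addr < broadcast)) {
			result = strdup(zone_address);
			break;
		}
	}

	if (result != NULL) {
		free(copy);
		freekeyvalues(kv);
		kv = NULL;
		return result;
	}

ERROR:
	fprintf(stderr, "Could not determine local subnet address: %s\n", conn->name);

	free(copy);
	freekeyvalues(kv);
	kv = NULL;
	return NULL;
}
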
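/*
 * Rebuild the OpenVPN firewall chains from the current configuration.
 *
 * Steps:
 *   1. read DDEST_PORT, DPROTOCOL and VPN_IP from CONFIG_ROOT "/ovpn/settings"
 *      (the first two are mandatory, a missing VPN_IP is only reported),
 *   2. flush OVPNINPUT, OVPNBLOCK and the NAT chain OVPNNAT,
 *   3. accept the server port on every enabled zone that has an interface,
 *   4. for every connection of type "net": accept its port on red, drop
 *      traffic from its transfer net, and add an SNAT rule from the transfer
 *      net address to the matching local zone address.
 *
 * Connection fields are configuration text that ends up in command
 * strings, so subnet and address values are checked to consist of digits,
 * '.' and '/' only before a command is built, and a command that does not
 * fit the buffer is not executed.
 *
 * Exits with status 1 when the mandatory settings cannot be read.
 */
void setFirewallRules(void) {
	static const char subnet_chars[] = "0123456789./";
	static const char address_chars[] = "0123456789.";
	char protocol[STRING_SIZE] = "";
	char dport[STRING_SIZE] = "";
	char dovpnip[STRING_SIZE] = "";

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings"))
	{
		fprintf(stderr, "Cannot read ovpn settings\n");
		exit(1);
	}

	/* we got one device, so lets proceed further */
	if (!findkey(kv, "DDEST_PORT", dport)) {
		fprintf(stderr, "Cannot read DDEST_PORT\n");
		exit(1);
	}

	if (!findkey(kv, "DPROTOCOL", protocol)) {
		fprintf(stderr, "Cannot read DPROTOCOL\n");
		exit(1);
	}

	if (!findkey(kv, "VPN_IP", dovpnip)) {
		fprintf(stderr, "Cannot read VPN_IP\n");
	}
	freekeyvalues(kv);
	kv = NULL; /* do not leave a dangling pointer for exithandler() */

	// Flush all chains.
	flushChain(OVPNINPUT);
	flushChain(OVPNBLOCK);
	flushChainNAT(OVPNNAT);

	// set firewall rules
	if (!strcmp(enablered, "on") && strlen(redif))
		addRule(OVPNINPUT, redif, protocol, dport);
	if (!strcmp(enableblue, "on") && strlen(blueif))
		addRule(OVPNINPUT, blueif, protocol, dport);
	if (!strcmp(enableorange, "on") && strlen(orangeif))
		addRule(OVPNINPUT, orangeif, protocol, dport);

	// read connection configuration
	connection *conn = getConnections();

	// set firewall rules for n2n connections
	/* Spare room past STRING_SIZE: executeCommand() may append to the string in place. */
	char command[STRING_SIZE + 32];
	int n;

	while (conn != NULL) {
		if (strcmp(conn->type, "net") == 0) {
			/* Same guard as above: without a red interface the rule would be malformed. */
			if (strlen(redif))
				addRule(OVPNINPUT, redif, conn->proto, conn->port);

			/* Block all communication from the transfer nets. */
			if (conn->transfer_subnet[0] != '\0' &&
					conn->transfer_subnet[strspn(conn->transfer_subnet, subnet_chars)] == '\0') {
				n = snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -s %s -j DROP",
					OVPNBLOCK, conn->transfer_subnet);
				if (n >= 0 && n < STRING_SIZE - 1)
					executeCommand(command);
				else
					fprintf(stderr, "Transfer net rule for connection %s is too long\n", conn->name);
			} else {
				fprintf(stderr, "Invalid transfer subnet for connection %s\n", conn->name);
			}

			/* local: heap copy we must free; transfer: inet_ntoa() static buffer. */
			char *local_subnet_address = getLocalSubnetAddress(conn);
			char *transfer_subnet_address = calcTransferNetAddress(conn);

			if ((local_subnet_address) && (transfer_subnet_address) &&
					local_subnet_address[0] != '\0' &&
					local_subnet_address[strspn(local_subnet_address, address_chars)] == '\0') {
				n = snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
					OVPNNAT, transfer_subnet_address, local_subnet_address);
				if (n >= 0 && n < STRING_SIZE - 1)
					executeCommand(command);
				else
					fprintf(stderr, "SNAT rule for connection %s is too long\n", conn->name);
			}

			free(local_subnet_address);
		}

		/* The list belongs to this function; release each node once it is done. */
		connection *next = conn->next;
		free(conn);
		conn = next;
	}
}
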
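/*
 * Stop the OpenVPN server: send SIGTERM to the pid stored in
 * /var/run/openvpn.pid and remove that file.
 *
 * Exits with status 1 when no usable pid is available. The check is
 * "pid <= 0": the earlier "!pid > 0" parsed as "(!pid) > 0" and therefore
 * let negative values through to kill(), where they address process groups
 * or every process rather than one daemon.
 */
void stopDaemon(void) {
	static const char pidfile[] = "/var/run/openvpn.pid";

	int pid = readPidFile(pidfile);
	if (pid <= 0) {
		exit(1);
	}

	fprintf(stderr, "Killing PID %d.\n", pid);
	kill(pid, SIGTERM);

	/* Same effect as "rm -f" without building a command string; errors
	 * are ignored as before.
	 * NOTE(review): assumes this process has the same privileges the
	 * spawned command had; kill() above already runs in-process. */
	(void)unlink(pidfile);
}
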
/*
 * Start the OpenVPN server daemon.
 *
 * When none of the red, blue and orange zones is switched "on", a message
 * is written to stderr and the process exits with status 1. Otherwise the
 * tun module is loaded and openvpn is started with the server
 * configuration file.
 */
void startDaemon(void) {
	char cmd[STRING_SIZE];

	int red_on = (strcmp(enablered, "on") == 0);
	int blue_on = (strcmp(enableblue, "on") == 0);
	int orange_on = (strcmp(enableorange, "on") == 0);

	if (!red_on && !blue_on && !orange_on) {
		fprintf(stderr, "OpenVPN is not enabled on any interface\n");
		exit(1);
	}

	snprintf(cmd, STRING_SIZE-1, "/sbin/modprobe tun");
	executeCommand(cmd);

	snprintf(cmd, STRING_SIZE-1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf");
	executeCommand(cmd);
}

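/*
 * Start the net-to-net connection called `name`.
 *
 * The connection must exist in the configuration with type "net" and
 * status "on", and its configuration file
 * CONFIG_ROOT "/ovpn/n2nconf/<name>/<name>.conf" must be readable. The
 * firewall rules are refreshed before openvpn is started with the external
 * address as --local.
 *
 * The connection name is placed in a file path and a command string, so it
 * is accepted only if it consists of letters, digits, '_', '-' and '.',
 * does not start with '-' or '.', and does not contain "..".
 * NOTE(review): confirm that no existing connection name falls outside
 * this set.
 *
 * Returns 0 on success, 1 when the connection is unknown, disabled or
 * rejected, 2 when its configuration file is missing. Exits with status 1
 * when the external address cannot be read.
 */
int startNet2Net(char *name) {
	static const char name_chars[] =
		"abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"0123456789_-.";
	connection *conn = NULL;

	for (connection *conn_iter = getConnections(); conn_iter != NULL; conn_iter = conn_iter->next) {
		if ((strcmp(conn_iter->type, "net") == 0) && (strcmp(conn_iter->name, name) == 0)) {
			conn = conn_iter;
			break;
		}
	}

	if (conn == NULL) {
		fprintf(stderr, "Connection not found.\n");
		return 1;
	}

	if (conn->name[0] == '\0' || conn->name[0] == '-' || conn->name[0] == '.' ||
			conn->name[strspn(conn->name, name_chars)] != '\0' ||
			strstr(conn->name, "..") != NULL) {
		fprintf(stderr, "Connection name contains invalid characters.\n");
		return 1;
	}

	if (strcmp(conn->status, "on") != 0) {
		fprintf(stderr, "Connection '%s' is not enabled.\n", conn->name);
		return 1;
	}

	fprintf(stderr, "Starting connection %s...\n", conn->name);

	char configfile[STRING_SIZE];
	int n = snprintf(configfile, STRING_SIZE - 1, CONFIG_ROOT "/ovpn/n2nconf/%s/%s.conf",
		conn->name, conn->name);
	if (n < 0 || n >= STRING_SIZE - 1) {
		/* A truncated path would name a different file. */
		fprintf(stderr, "Configuration path for connection '%s' is too long.\n", conn->name);
		return 1;
	}

	FILE *fp = fopen(configfile, "r");
	if (fp == NULL) {
		fprintf(stderr, "Could not find configuration file for connection '%s' at '%s'.\n",
			conn->name, configfile);
		return 2;
	}
	fclose(fp);

	// Make sure all firewall rules are up to date.
	setFirewallRules();

	// Get the external IP address.
	char address[STRING_SIZE] = "";
	int r = readExternalAddress(address);
	if (r) {
		fprintf(stderr, "Could not read the external address\n");
		exit(1);
	}

	/* Spare room past STRING_SIZE: executeCommand() may append to the string in place. */
	char command[STRING_SIZE + 32];
	snprintf(command, STRING_SIZE-1, "/sbin/modprobe tun");
	executeCommand(command);

	n = snprintf(command, STRING_SIZE-1, "/usr/sbin/openvpn --local %s --config %s", address, configfile);
	if (n < 0 || n >= STRING_SIZE - 1) {
		fprintf(stderr, "Command line for connection '%s' is too long.\n", conn->name);
		return 1;
	}
	executeCommand(command);

	return 0;
}
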
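/*
 * Stop the connection called `name`: send SIGTERM to the pid stored in
 * /var/run/<name>n2n.pid and remove that file.
 *
 * The connection name becomes part of a file path, so it is accepted only
 * if it consists of letters, digits, '_', '-' and '.', does not start with
 * '-' or '.', and does not contain "..".
 * NOTE(review): confirm that no existing connection name falls outside
 * this set.
 *
 * Returns 0 on success and 1 when the connection is unknown, its name is
 * rejected, or no usable pid is available. readPidFile() exits the process
 * when the pid file cannot be opened.
 */
int killNet2Net(char *name) {
	static const char name_chars[] =
		"abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"0123456789_-.";
	connection *conn = NULL;

	for (connection *conn_iter = getConnections(); conn_iter != NULL; conn_iter = conn_iter->next) {
		if (strcmp(conn_iter->name, name) == 0) {
			conn = conn_iter;
			break;
		}
	}

	if (conn == NULL) {
		fprintf(stderr, "Connection not found.\n");
		return 1;
	}

	if (conn->name[0] == '\0' || conn->name[0] == '-' || conn->name[0] == '.' ||
			conn->name[strspn(conn->name, name_chars)] != '\0' ||
			strstr(conn->name, "..") != NULL) {
		fprintf(stderr, "Connection name contains invalid characters.\n");
		return 1;
	}

	char pidfile[STRING_SIZE];
	int n = snprintf(pidfile, STRING_SIZE - 1, "/var/run/%sn2n.pid", conn->name);
	if (n < 0 || n >= STRING_SIZE - 1) {
		/* A truncated path would name a different file. */
		fprintf(stderr, "Pid file path for connection %s is too long.\n", conn->name);
		return 1;
	}

	int pid = readPidFile(pidfile);
	/* "!pid > 0" parsed as "(!pid) > 0" and let negative values reach kill(). */
	if (pid <= 0) {
		fprintf(stderr, "Could not read pid file of connection %s.", conn->name);
		return 1;
	}

	fprintf(stderr, "Killing connection %s (PID %d)...\n", conn->name, pid);
	kill(pid, SIGTERM);

	/* Same effect as "rm -f" without placing the path in a command
	 * string; errors are ignored as before.
	 * NOTE(review): assumes this process has the same privileges the
	 * spawned command had; kill() above already runs in-process. */
	(void)unlink(pidfile);

	return 0;
}
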
/*
 * Start every configured connection whose type is "net" and whose status
 * is "on", then exit the process with the highest return code that
 * startNet2Net() produced (0 when all succeeded or none matched).
 */
void startAllNet2Net() {
	int worst = 0;

	for (connection *entry = getConnections(); entry != NULL; entry = entry->next) {
		/* Only enabled net-to-net connections are started. */
		if (strcmp(entry->type, "net") != 0)
			continue;
		if (strcmp(entry->status, "on") != 0)
			continue;

		int rc = startNet2Net(entry->name);
		if (rc > worst)
			worst = rc;
	}

	exit(worst);
}

/*
 * Stop every configured connection whose type is "net", then exit the
 * process with the highest return code that killNet2Net() produced
 * (0 when all succeeded or none matched).
 */
void killAllNet2Net() {
	int worst = 0;

	for (connection *entry = getConnections(); entry != NULL; entry = entry->next) {
		/* Connections of any other type are left alone. */
		if (strcmp(entry->type, "net") != 0)
			continue;

		int rc = killNet2Net(entry->name);
		if (rc > worst)
			worst = rc;
	}

	exit(worst);
}

/*
 * Send SIGUSR2 to all processes named "openvpn" through killall. The usage
 * text of this program describes the effect as writing the OpenVPN status
 * to syslog.
 */
void displayopenvpn(void) {
	char cmd[STRING_SIZE];

	snprintf(cmd, sizeof(cmd) - 1, "/bin/killall -sSIGUSR2 openvpn");
	executeCommand(cmd);
}

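/* Return non-zero when `arg` equals the short or the long spelling of a switch. */
static int is_option(const char *arg, const char *short_name, const char *long_name) {
	return (strcmp(arg, short_name) == 0) || (strcmp(arg, long_name) == 0);
}

/*
 * Entry point of the OpenVPN control wrapper.
 *
 * initsetuid() (declared elsewhere) must succeed before anything else is
 * done. The program then accepts either one switch, or -sn2n / -kn2n
 * followed by a connection name; any other argument count prints the usage
 * text, which exits with status 1.
 *
 * The connection name from the command line is only compared against the
 * names in the configuration; the matched configuration entry is what the
 * start and kill functions work with.
 *
 * For a single connection the result of startNet2Net() / killNet2Net() is
 * now returned as the exit status instead of being discarded, so callers
 * can see a failure, in line with the "all connections" variants.
 */
int main(int argc, char *argv[]) {
	if (!(initsetuid()))
		exit(1);
	if (argc < 2)
		usage();

	if (argc == 3) {
		ovpnInit();

		if (is_option(argv[1], "-sn2n", "--start-net-2-net"))
			return startNet2Net(argv[2]);
		if (is_option(argv[1], "-kn2n", "--kill-net-2-net"))
			return killNet2Net(argv[2]);

		usage();
		return 1;
	}

	if (argc != 2) {
		usage();
		return 0;
	}

	/* These two do not need the interface configuration. */
	if (is_option(argv[1], "-k", "--kill")) {
		stopDaemon();
		return 0;
	}
	if (is_option(argv[1], "-d", "--display")) {
		displayopenvpn();
		return 0;
	}

	ovpnInit();

	if (is_option(argv[1], "-s", "--start")) {
		setFirewallRules();
		startDaemon();
		return 0;
	}
	if (is_option(argv[1], "-sn2n", "--start-net-2-net")) {
		startAllNet2Net(); /* exits with the aggregated status */
		return 0;
	}
	if (is_option(argv[1], "-kn2n", "--kill-net-2-net")) {
		killAllNet2Net(); /* exits with the aggregated status */
		return 0;
	}
	if (is_option(argv[1], "-sdo", "--start-daemon-only")) {
		startDaemon();
		return 0;
	}
	if (is_option(argv[1], "-r", "--restart")) {
		stopDaemon();
		setFirewallRules();
		startDaemon();
		return 0;
	}
	if (is_option(argv[1], "-fwr", "--firewall-rules")) {
		setFirewallRules();
		return 0;
	}

	usage();
	return 0;
}
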