8 #include <netinet/in.h>
11 #include "libsmooth.h"
16 struct keyvalue
*kv
= NULL
;
17 FILE *ifacefile
= NULL
;
19 char redif
[STRING_SIZE
];
20 char blueif
[STRING_SIZE
];
21 char orangeif
[STRING_SIZE
];
22 char enablered
[STRING_SIZE
] = "off";
23 char enableblue
[STRING_SIZE
] = "off";
24 char enableorange
[STRING_SIZE
] = "off";
27 char OVPNRED
[STRING_SIZE
] = "OVPN";
28 char OVPNBLUE
[STRING_SIZE
] = "OVPN_BLUE_";
29 char OVPNORANGE
[STRING_SIZE
] = "OVPN_ORANGE_";
30 char OVPNBLOCK
[STRING_SIZE
] = "OVPNBLOCK";
31 char OVPNNAT
[STRING_SIZE
] = "OVPNNAT";
32 char WRAPPERVERSION
[STRING_SIZE
] = "ipfire-2.2.3";
34 struct connection_struct
{
35 char name
[STRING_SIZE
];
36 char type
[STRING_SIZE
];
37 char proto
[STRING_SIZE
];
38 char status
[STRING_SIZE
];
39 char local_subnet
[STRING_SIZE
];
40 char transfer_subnet
[STRING_SIZE
];
41 char role
[STRING_SIZE
];
43 struct connection_struct
*next
;
46 typedef struct connection_struct connection
;
48 void exithandler(void)
59 printf("Wrapper for OpenVPN %s-debug\n", WRAPPERVERSION
);
61 printf("Wrapper for OpenVPN %s\n", WRAPPERVERSION
);
63 printf("openvpnctrl <option>\n");
64 printf(" Valid options are:\n");
65 printf(" -s --start\n");
66 printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n");
67 printf(" -k --kill\n");
68 printf(" kills/stops OpenVPN\n");
69 printf(" -r --restart\n");
70 printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n");
71 printf(" -sn2n --start-net-2-net\n");
72 printf(" starts all net2net connections\n");
73 printf(" you may pass a connection name to the switch to only start a specific one\n");
74 printf(" -kn2n --kill-net-2-net\n");
75 printf(" kills all net2net connections\n");
76 printf(" you may pass a connection name to the switch to only start a specific one\n");
77 printf(" -d --display\n");
78 printf(" displays OpenVPN status to syslog\n");
79 printf(" -fwr --firewall-rules\n");
80 printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
81 printf(" -sdo --start-daemon-only\n");
82 printf(" starts OpenVPN daemon only\n");
83 printf(" -ccr --create-chains-and-rules\n");
84 printf(" creates chains and rules for OpenVPN\n");
85 printf(" -dcr --delete-chains-and-rules\n");
86 printf(" removes all chains for OpenVPN\n");
90 connection
*getConnections() {
93 if (!(fp
= fopen(CONFIG_ROOT
"/ovpn/ovpnconfig", "r"))) {
94 fprintf(stderr
, "Could not open openvpn n2n configuration file.\n");
98 char line
[STRING_SIZE
] = "";
99 char result
[STRING_SIZE
] = "";
102 connection
*conn_first
= NULL
;
103 connection
*conn_last
= NULL
;
104 connection
*conn_curr
;
106 while ((fgets(line
, STRING_SIZE
, fp
) != NULL
)) {
107 if (line
[strlen(line
) - 1] == '\n')
108 line
[strlen(line
) - 1] = '\0';
110 conn_curr
= (connection
*)malloc(sizeof(connection
));
111 memset(conn_curr
, 0, sizeof(connection
));
113 if (conn_first
== NULL
) {
114 conn_first
= conn_curr
;
116 conn_last
->next
= conn_curr
;
118 conn_last
= conn_curr
;
121 char *lineptr
= &line
;
123 if (*lineptr
== NULL
)
127 while (*lineptr
!= NULL
) {
128 if (*lineptr
== ',') {
132 *resultptr
++ = *lineptr
++;
137 strcpy(conn_curr
->status
, result
);
138 } else if (count
== 2) {
139 strcpy(conn_curr
->name
, result
);
140 } else if (count
== 4) {
141 strcpy(conn_curr
->type
, result
);
142 } else if (count
== 7) {
143 strcpy(conn_curr
->role
, result
);
144 } else if (count
== 9) {
145 strcpy(conn_curr
->local_subnet
, result
);
146 } else if (count
== 28) {
147 strcpy(conn_curr
->transfer_subnet
, result
);
148 } else if (count
== 29) {
149 strcpy(conn_curr
->proto
, result
);
150 } else if (count
== 30) {
151 conn_curr
->port
= atoi(result
);
163 int readPidFile(const char *pidfile
) {
164 FILE *fp
= fopen(pidfile
, "r");
166 fprintf(stderr
, "PID file not found: '%s'\n", pidfile
);
171 fscanf(fp
, "%d", &pid
);
177 void ovpnInit(void) {
179 // Read OpenVPN configuration
180 kv
= initkeyvalues();
181 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ovpn/settings")) {
182 fprintf(stderr
, "Cannot read ovpn settings\n");
186 if (!findkey(kv
, "ENABLED", enablered
)) {
187 fprintf(stderr
, "Cannot read ENABLED\n");
191 if (!findkey(kv
, "ENABLED_BLUE", enableblue
)){
192 fprintf(stderr
, "Cannot read ENABLED_BLUE\n");
196 if (!findkey(kv
, "ENABLED_ORANGE", enableorange
)){
197 fprintf(stderr
, "Cannot read ENABLED_ORANGE\n");
202 // read interface settings
204 // details for the red int
205 memset(redif
, 0, STRING_SIZE
);
206 if ((ifacefile
= fopen(CONFIG_ROOT
"/red/iface", "r")))
208 if (fgets(redif
, STRING_SIZE
, ifacefile
))
210 if (redif
[strlen(redif
) - 1] == '\n')
211 redif
[strlen(redif
) - 1] = '\0';
216 if (!VALID_DEVICE(redif
))
218 memset(redif
, 0, STRING_SIZE
);
223 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings"))
225 fprintf(stderr
, "Cannot read ethernet settings\n");
229 if (strcmp(enableblue
, "on")==0){
230 if (!findkey(kv
, "BLUE_DEV", blueif
)){
231 fprintf(stderr
, "Cannot read BLUE_DEV\n");
235 if (strcmp(enableorange
, "on")==0){
236 if (!findkey(kv
, "ORANGE_DEV", orangeif
)){
237 fprintf(stderr
, "Cannot read ORNAGE_DEV\n");
244 void executeCommand(char *command
) {
246 printf(strncat(command
, "\n", 2));
248 safe_system(strncat(command
, " >/dev/null 2>&1", 17));
251 void setChainRules(char *chain
, char *interface
, char *protocol
, char *port
)
253 char str
[STRING_SIZE
];
255 sprintf(str
, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain
, interface
, protocol
, port
);
259 void flushChain(char *chain
) {
260 char str
[STRING_SIZE
];
262 sprintf(str
, "/sbin/iptables -F %s", chain
);
266 void flushChainNAT(char *chain
) {
267 char str
[STRING_SIZE
];
269 sprintf(str
, "/sbin/iptables -t nat -F %s", chain
);
273 void flushChainINPUT(char *chain
) {
274 char str
[STRING_SIZE
];
276 snprintf(str
, STRING_SIZE
, "%sINPUT", chain
);
280 void deleteChainReference(char *chain
) {
281 char str
[STRING_SIZE
];
283 sprintf(str
, "/sbin/iptables -D INPUT -j %sINPUT", chain
);
287 void deleteChain(char *chain
) {
288 char str
[STRING_SIZE
];
290 sprintf(str
, "/sbin/iptables -X %sINPUT", chain
);
294 void deleteAllChains(void) {
295 // not an elegant solution, but to avoid timing problems with undeleted chain references
296 deleteChainReference(OVPNRED
);
297 deleteChainReference(OVPNBLUE
);
298 deleteChainReference(OVPNORANGE
);
299 flushChainINPUT(OVPNRED
);
300 flushChainINPUT(OVPNBLUE
);
301 flushChainINPUT(OVPNORANGE
);
302 deleteChain(OVPNRED
);
303 deleteChain(OVPNBLUE
);
304 deleteChain(OVPNORANGE
);
306 // Only flush chains that are created by the firewall
307 flushChain(OVPNBLOCK
);
308 flushChainNAT(OVPNNAT
);
311 void createChainReference(char *chain
) {
312 char str
[STRING_SIZE
];
313 sprintf(str
, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain
);
317 void createChain(char *chain
) {
318 char str
[STRING_SIZE
];
319 sprintf(str
, "/sbin/iptables -N %sINPUT", chain
);
323 void createAllChains(void) {
324 // create chain and chain references
325 if (!strcmp(enableorange
, "on")) {
326 if (strlen(orangeif
)) {
327 createChain(OVPNORANGE
);
328 createChainReference(OVPNORANGE
);
330 fprintf(stderr
, "OpenVPN enabled on orange but no orange interface found\n");
335 if (!strcmp(enableblue
, "on")) {
336 if (strlen(blueif
)) {
337 createChain(OVPNBLUE
);
338 createChainReference(OVPNBLUE
);
340 fprintf(stderr
, "OpenVPN enabled on blue but no blue interface found\n");
345 if (!strcmp(enablered
, "on")) {
347 createChain(OVPNRED
);
348 createChainReference(OVPNRED
);
350 fprintf(stderr
, "OpenVPN enabled on red but no red interface found\n");
356 char* calcTransferNetAddress(const connection
* conn
) {
357 char *subnetmask
= strdup(conn
->transfer_subnet
);
358 char *address
= strsep(&subnetmask
, "/");
360 if ((address
== NULL
) || (subnetmask
== NULL
)) {
364 in_addr_t _address
= inet_addr(address
);
365 in_addr_t _subnetmask
= inet_addr(subnetmask
);
366 _address
&= _subnetmask
;
368 if (strcmp(conn
->role
, "server") == 0) {
370 } else if (strcmp(conn
->role
, "client") == 0) {
376 struct in_addr address_info
;
377 address_info
.s_addr
= _address
;
379 return inet_ntoa(address_info
);
382 fprintf(stderr
, "Could not determine transfer net address: %s\n", conn
->name
);
388 char* getLocalSubnetAddress(const connection
* conn
) {
389 kv
= initkeyvalues();
390 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings")) {
391 fprintf(stderr
, "Cannot read ethernet settings\n");
395 const char *zones
[] = {"GREEN", "BLUE", "ORANGE", NULL
};
398 // Get net address of the local openvpn subnet.
399 char *subnetmask
= strdup(conn
->local_subnet
);
400 char *address
= strsep(&subnetmask
, "/");
402 if ((address
== NULL
) || (subnetmask
== NULL
)) {
406 in_addr_t _address
= inet_addr(address
);
407 in_addr_t _subnetmask
= inet_addr(subnetmask
);
409 in_addr_t _netaddr
= (_address
& _subnetmask
);
410 in_addr_t _broadcast
= (_address
| ~_subnetmask
);
412 char zone_address_key
[STRING_SIZE
];
413 char zone_address
[STRING_SIZE
];
419 snprintf(zone_address_key
, STRING_SIZE
, "%s_ADDRESS", zone
);
421 if (!findkey(kv
, zone_address_key
, zone_address
))
424 zone_addr
= inet_addr(zone_address
);
425 if ((zone_addr
> _netaddr
) && (zone_addr
< _broadcast
)) {
428 return strdup(zone_address
);
433 fprintf(stderr
, "Could not determine local subnet address: %s\n", conn
->name
);
439 void setFirewallRules(void) {
440 char protocol
[STRING_SIZE
] = "";
441 char dport
[STRING_SIZE
] = "";
442 char dovpnip
[STRING_SIZE
] = "";
444 kv
= initkeyvalues();
445 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ovpn/settings"))
447 fprintf(stderr
, "Cannot read ovpn settings\n");
451 /* we got one device, so lets proceed further */
452 if (!findkey(kv
, "DDEST_PORT", dport
)){
453 fprintf(stderr
, "Cannot read DDEST_PORT\n");
457 if (!findkey(kv
, "DPROTOCOL", protocol
)){
458 fprintf(stderr
, "Cannot read DPROTOCOL\n");
462 if (!findkey(kv
, "VPN_IP", dovpnip
)){
463 fprintf(stderr
, "Cannot read VPN_IP\n");
464 // exit(1); step further as we don't need an ip
469 flushChainINPUT(OVPNRED
);
470 flushChainINPUT(OVPNBLUE
);
471 flushChainINPUT(OVPNORANGE
);
472 flushChain(OVPNBLOCK
);
473 flushChainNAT(OVPNNAT
);
475 // set firewall rules
476 if (!strcmp(enablered
, "on") && strlen(redif
))
477 setChainRules(OVPNRED
, redif
, protocol
, dport
);
478 if (!strcmp(enableblue
, "on") && strlen(blueif
))
479 setChainRules(OVPNBLUE
, blueif
, protocol
, dport
);
480 if (!strcmp(enableorange
, "on") && strlen(orangeif
))
481 setChainRules(OVPNORANGE
, orangeif
, protocol
, dport
);
483 // read connection configuration
484 connection
*conn
= getConnections();
486 // set firewall rules for n2n connections
487 char command
[STRING_SIZE
];
488 char *local_subnet_address
= NULL
;
489 char *transfer_subnet_address
= NULL
;
490 while (conn
!= NULL
) {
491 if (strcmp(conn
->type
, "net") == 0) {
492 sprintf(command
, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %d -j ACCEPT",
493 OVPNRED
, redif
, conn
->proto
, conn
->port
);
494 executeCommand(command
);
496 /* Block all communication from the transfer nets. */
497 snprintf(command
, STRING_SIZE
, "/sbin/iptables -A %s -s %s -j DROP",
498 OVPNBLOCK
, conn
->transfer_subnet
);
499 executeCommand(command
);
501 local_subnet_address
= getLocalSubnetAddress(conn
);
502 transfer_subnet_address
= calcTransferNetAddress(conn
);
504 if ((local_subnet_address
) && (transfer_subnet_address
)) {
505 snprintf(command
, STRING_SIZE
, "/sbin/iptables -t nat -A %s -s %s -j SNAT --to-source %s",
506 OVPNNAT
, transfer_subnet_address
, local_subnet_address
);
507 executeCommand(command
);
515 void stopDaemon(void) {
516 char command
[STRING_SIZE
];
518 int pid
= readPidFile("/var/run/openvpn.pid");
523 fprintf(stderr
, "Killing PID %d.\n", pid
);
526 snprintf(command
, STRING_SIZE
- 1, "/bin/rm -f /var/run/openvpn.pid");
527 executeCommand(command
);
530 void startDaemon(void) {
531 char command
[STRING_SIZE
];
533 if (!((strcmp(enablered
, "on")==0) || (strcmp(enableblue
, "on")==0) || (strcmp(enableorange
, "on")==0))){
534 fprintf(stderr
, "OpenVPN is not enabled on any interface\n");
537 snprintf(command
, STRING_SIZE
-1, "/sbin/modprobe tun");
538 executeCommand(command
);
539 snprintf(command
, STRING_SIZE
-1, "/usr/sbin/openvpn --config /var/ipfire/ovpn/server.conf");
540 executeCommand(command
);
544 int startNet2Net(char *name
) {
545 connection
*conn
= NULL
;
546 connection
*conn_iter
;
548 conn_iter
= getConnections();
551 if ((strcmp(conn_iter
->type
, "net") == 0) && (strcmp(conn_iter
->name
, name
) == 0)) {
555 conn_iter
= conn_iter
->next
;
559 fprintf(stderr
, "Connection not found.\n");
563 if (strcmp(conn
->status
, "on") != 0) {
564 fprintf(stderr
, "Connection '%s' is not enabled.\n", conn
->name
);
568 fprintf(stderr
, "Starting connection %s...\n", conn
->name
);
570 char configfile
[STRING_SIZE
];
571 snprintf(configfile
, STRING_SIZE
- 1, CONFIG_ROOT
"/ovpn/n2nconf/%s/%s.conf",
572 conn
->name
, conn
->name
);
574 FILE *fp
= fopen(configfile
, "r");
576 fprintf(stderr
, "Could not find configuration file for connection '%s' at '%s'.\n",
577 conn
->name
, configfile
);
582 // Make sure all firewall rules are up to date.
585 char command
[STRING_SIZE
];
586 snprintf(command
, STRING_SIZE
-1, "/sbin/modprobe tun");
587 executeCommand(command
);
588 snprintf(command
, STRING_SIZE
-1, "/usr/sbin/openvpn --config %s", configfile
);
589 executeCommand(command
);
594 int killNet2Net(char *name
) {
595 connection
*conn
= NULL
;
596 connection
*conn_iter
;
598 conn_iter
= getConnections();
601 if (strcmp(conn_iter
->name
, name
) == 0) {
605 conn_iter
= conn_iter
->next
;
609 fprintf(stderr
, "Connection not found.\n");
613 char pidfile
[STRING_SIZE
];
614 snprintf(pidfile
, STRING_SIZE
- 1, "/var/run/%sn2n.pid", conn
->name
);
616 int pid
= readPidFile(pidfile
);
618 fprintf(stderr
, "Could not read pid file of connection %s.", conn
->name
);
622 fprintf(stderr
, "Killing connection %s (PID %d)...\n", conn
->name
, pid
);
625 char command
[STRING_SIZE
];
626 snprintf(command
, STRING_SIZE
- 1, "/bin/rm -f %s", pidfile
);
627 executeCommand(command
);
632 void startAllNet2Net() {
633 int exitcode
= 0, _exitcode
= 0;
635 connection
*conn
= getConnections();
638 /* Skip all connections that are not of type "net" or disabled. */
639 if ((strcmp(conn
->type
, "net") != 0) || (strcmp(conn
->status
, "on") != 0)) {
644 _exitcode
= startNet2Net(conn
->name
);
647 if (_exitcode
> exitcode
) {
648 exitcode
= _exitcode
;
655 void killAllNet2Net() {
656 int exitcode
= 0, _exitcode
= 0;
658 connection
*conn
= getConnections();
661 /* Skip all connections that are not of type "net". */
662 if (strcmp(conn
->type
, "net") != 0) {
667 _exitcode
= killNet2Net(conn
->name
);
670 if (_exitcode
> exitcode
) {
671 exitcode
= _exitcode
;
678 void displayopenvpn(void) {
679 char command
[STRING_SIZE
];
681 snprintf(command
, STRING_SIZE
- 1, "/bin/killall -sSIGUSR2 openvpn");
682 executeCommand(command
);
685 int main(int argc
, char *argv
[]) {
694 if( (strcmp(argv
[1], "-sn2n") == 0) || (strcmp(argv
[1], "--start-net-2-net") == 0) ) {
695 startNet2Net(argv
[2]);
698 else if( (strcmp(argv
[1], "-kn2n") == 0) || (strcmp(argv
[1], "--kill-net-2-net") == 0) ) {
699 killNet2Net(argv
[2]);
707 if( (strcmp(argv
[1], "-k") == 0) || (strcmp(argv
[1], "--kill") == 0) ) {
711 else if( (strcmp(argv
[1], "-d") == 0) || (strcmp(argv
[1], "--display") == 0) ) {
715 else if( (strcmp(argv
[1], "-dcr") == 0) || (strcmp(argv
[1], "--delete-chains-and-rules") == 0) ) {
722 if( (strcmp(argv
[1], "-s") == 0) || (strcmp(argv
[1], "--start") == 0) ) {
729 else if( (strcmp(argv
[1], "-sn2n") == 0) || (strcmp(argv
[1], "--start-net-2-net") == 0) ) {
733 else if( (strcmp(argv
[1], "-kn2n") == 0) || (strcmp(argv
[1], "--kill-net-2-net") == 0) ) {
737 else if( (strcmp(argv
[1], "-sdo") == 0) || (strcmp(argv
[1], "--start-daemon-only") == 0) ) {
741 else if( (strcmp(argv
[1], "-r") == 0) || (strcmp(argv
[1], "--restart") == 0) ) {
749 else if( (strcmp(argv
[1], "-fwr") == 0) || (strcmp(argv
[1], "--firewall-rules") == 0) ) {
755 else if( (strcmp(argv
[1], "-ccr") == 0) || (strcmp(argv
[1], "--create-chains-and-rules") == 0) ) {
projects / people / teissler / ipfire-2.x.git / blob