]>
git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - src/misc-progs/wirelessctrl.c
dc77ec18584d315685053a279a74763afe98a7f3
1 /* IPCop helper program - wirelessctrl
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details.
6 * (c) Alan Hourihane, 2003
10 #include "libsmooth.h"
16 #include <sys/types.h>
23 char blue_dev
[STRING_SIZE
] = "";
24 char command
[STRING_SIZE
];
26 void exithandler(void) {
27 /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
28 if (strlen(blue_dev
) > 0) {
29 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev
);
31 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev
);
40 char green_dev
[STRING_SIZE
] = "";
41 char buffer
[STRING_SIZE
];
42 char *index
, *ipaddress
, *macaddress
, *enabled
;
43 struct keyvalue
*kv
= NULL
;
48 /* flush wireless iptables */
49 safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
50 safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
52 memset(buffer
, 0, STRING_SIZE
);
54 /* Init the keyvalue structure */
57 /* Read in the current values */
58 if (!readkeyvalues(kv
, CONFIG_ROOT
"/ethernet/settings")) {
59 fprintf(stderr
, "Cannot read ethernet settings\n");
63 /* Read in the firewall values */
64 if (!readkeyvalues(kv
, CONFIG_ROOT
"/optionsfw/settings")) {
65 fprintf(stderr
, "Cannot read optionsfw settings\n");
69 /* Get the GREEN interface details */
70 if (!findkey(kv
, "GREEN_DEV", green_dev
)) {
71 fprintf(stderr
, "Cannot read GREEN_DEV\n");
75 if (!VALID_DEVICE(green_dev
)) {
76 fprintf(stderr
, "Bad GREEN_DEV: %s\n", green_dev
);
80 /* Get the BLUE interface details */
81 if (!findkey(kv
, "BLUE_DEV", blue_dev
)) {
82 fprintf(stderr
, "Cannot read BLUE_DEV\n");
86 if ((strlen(blue_dev
) > 0) && !VALID_DEVICE(blue_dev
)) {
87 fprintf(stderr
, "Bad BLUE_DEV: %s\n", blue_dev
);
91 if (!strlen(blue_dev
) > 0) {
92 fprintf(stderr
, "No BLUE interface\n");
96 if ((fd
= fopen(CONFIG_ROOT
"/wireless/nodrop", "r")))
99 /* register exit handler to ensure the block rule is always present */
102 if (!(fd
= fopen(CONFIG_ROOT
"/wireless/config", "r"))) {
106 /* restrict blue access tp the proxy port */
107 if (findkey(kv
, "DROPPROXY", buffer
) && strcmp(buffer
,"off") == 0) {
108 /* Read the proxy values */
109 if (!readkeyvalues(kv
, CONFIG_ROOT
"/proxy/settings") || !(findkey(kv
, "PROXY_PORT", buffer
))) {
110 fprintf(stderr
, "Cannot read proxy settings\n");
114 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev
, buffer
);
115 safe_system(command
);
116 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev
, buffer
);
117 safe_system(command
);
120 /* not allow blue to acces a samba server running on local fire*/
121 if(findkey(kv
, "DROPSAMBA", buffer
) && strcmp(buffer
,"off")){
122 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev
);
123 safe_system(command
);
124 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev
);
125 safe_system(command
);
126 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev
);
127 safe_system(command
);
128 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev
);
129 safe_system(command
);
132 while (fgets(buffer
, STRING_SIZE
, fd
)) {
133 buffer
[strlen(buffer
) - 1] = 0;
135 index
= strtok(buffer
, ",");
136 ipaddress
= strtok(NULL
, ",");
137 macaddress
= strtok(NULL
, ",");
138 enabled
= strtok(NULL
, ",");
140 if (strncmp(enabled
, "on", 2) != 0) {
141 /* both specified, added security */
142 if ((strlen(macaddress
) == 17) && (VALID_IP_AND_MASK(ipaddress
))) {
143 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress
, ipaddress
, blue_dev
);
144 safe_system(command
);
145 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress
, ipaddress
, blue_dev
);
146 safe_system(command
);
148 /* correctly formed mac address is 17 chars */
149 if (strlen(macaddress
) == 17) {
150 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress
, blue_dev
);
151 safe_system(command
);
152 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress
, blue_dev
);
153 safe_system(command
);
156 if (VALID_IP_AND_MASK(ipaddress
)) {
157 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress
, blue_dev
);
158 safe_system(command
);
159 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress
, blue_dev
);
160 safe_system(command
);
166 /* with this rule you can disable the logging of the dropped wireless input packets*/
167 if (!findkey(kv
, "DROPWIRELESSINPUT", buffer
) || strcmp(buffer
,"off") == 0) {
168 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev
);
169 safe_system(command
);
172 /* with this rule you can disable the logging of the dropped wireless forward packets*/
173 if (!findkey(kv
, "DROPWIRELESSFORWARD", buffer
) || strcmp(buffer
,"off") == 0) {
174 snprintf(command
, STRING_SIZE
-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev
);
175 safe_system(command
);