Added option for firewall adjustment on blue
/* IPCop helper program - wirelessctrl
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence. See the file COPYING for details.
 *
 * (c) Alan Hourihane, 2003
 *
 * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
 *
 */
#include "libsmooth.h"
#include "setuid.h"
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/* Wireless client list (CONFIG_ROOT "/wireless/config"); opened in main(),
 * closed by exithandler() so it is released on every exit path. */
FILE *fd = NULL;
/* Name of the BLUE (wireless) interface, read from the ethernet settings;
 * stays empty when no BLUE interface is configured. */
char blue_dev[STRING_SIZE] = "";
/* Scratch buffer for the iptables command lines handed to safe_system(). */
char command[STRING_SIZE];
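/* atexit() handler: append the optional LOG rules and the final DROP rules to
 * the WIRELESSINPUT and WIRELESSFORWARD chains, so that every wireless client
 * not admitted by an ACCEPT rule above is blocked, then close the wireless
 * config file if main() opened it.
 *
 * It is registered in main() once BLUE_DEV is known and therefore runs on every
 * exit path after that point, including exit(0) when the config file is missing.
 *
 * Fixes two defects of the previous version:
 *  - the logging options were looked up in a keyvalue list that was always NULL
 *    (main()'s list is not visible here), so DROPWIRELESSINPUT/-FORWARD logging
 *    was silently never installed; the optionsfw settings are now re-read;
 *  - the second catch-all DROP was appended to WIRELESSINPUT instead of
 *    WIRELESSFORWARD, leaving the forward chain without a terminating DROP.
 */
void exithandler(void)
{
	struct keyvalue *kv = NULL;
	char buffer[STRING_SIZE] = "";

	if (strlen(blue_dev) > 0)
	{
		/* Re-read the firewall options. If that fails the DROP rules are still
		 * installed below, only the LOG rules are skipped. */
		kv = initkeyvalues();
		int have_options = (kv != NULL) && readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings");

		if (have_options && findkey(kv, "DROPWIRELESSINPUT", buffer) && !strcmp(buffer, "on")) {
			snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
			safe_system(command);
		}
		if (have_options && findkey(kv, "DROPWIRELESSFORWARD", buffer) && !strcmp(buffer, "on")) {
			snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
			safe_system(command);
		}

		/* Catch-all DROP at the end of each chain; one per chain. */
		snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);
		snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);

		if (kv != NULL)
			freekeyvalues(kv);
	}

	if (fd) {
		fclose(fd);
		fd = NULL;
	}
}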
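/* Validate a colon-separated MAC address: exactly 17 characters of the form
 * "xx:xx:xx:xx:xx:xx" with hexadecimal digits. The value is interpolated into
 * a command line executed by safe_system(), so anything other than hex digits
 * and colons is rejected here instead of reaching the shell. The previous
 * check only compared the length with 17.
 *
 * Returns 1 when mac is well-formed, 0 otherwise (including NULL). */
static int valid_mac(const char *mac)
{
	if (mac == NULL || strlen(mac) != 17)
		return 0;

	for (int i = 0; i < 17; i++) {
		if (i % 3 == 2) {
			if (mac[i] != ':')
				return 0;
		} else if (!isxdigit((unsigned char)mac[i])) {
			return 0;
		}
	}
	return 1;
}

/* Append the three rules that admit one wireless client:
 *   WIRELESSINPUT   <match> -i BLUE -j ACCEPT
 *   WIRELESSFORWARD <match> -i BLUE -o ! GREEN -j ACCEPT
 *   WIRELESSFORWARD <match> -i BLUE -j DMZHOLES
 * match is an already-validated iptables match fragment, one of
 * "-m mac --mac-source <mac> -s <ip>", "-m mac --mac-source <mac>" or "-s <ip>". */
static void add_client_rules(const char *match, const char *blue, const char *green)
{
	snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSINPUT %s -i %s -j ACCEPT", match, blue);
	safe_system(command);
	snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSFORWARD %s -i %s -o ! %s -j ACCEPT", match, blue, green);
	safe_system(command);
	snprintf(command, sizeof command, "/sbin/iptables -A WIRELESSFORWARD %s -i %s -j DMZHOLES", match, blue);
	safe_system(command);
}

/* Rebuild the WIRELESSINPUT/WIRELESSFORWARD chains from the wireless client
 * list: flush both chains, read GREEN_DEV/BLUE_DEV from the ethernet settings,
 * then append ACCEPT rules for every enabled client (by MAC and/or IP). The
 * terminating DROP rules are appended by exithandler(), which is registered
 * only once BLUE_DEV is known to be valid.
 *
 * Exit status: 1 on a settings error, 0 otherwise (also for "no BLUE
 * interface" and for a missing wireless config file). */
int main(void)
{
	char green_dev[STRING_SIZE] = "";
	char buffer[STRING_SIZE];
	char match[STRING_SIZE];
	char *ipaddress, *macaddress, *enabled;
	struct keyvalue *kv = NULL;

	if (!(initsetuid()))
		exit(1);

	/* flush wireless iptables */
	safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	memset(buffer, 0, sizeof buffer);

	/* Init the keyvalue structure */
	kv = initkeyvalues();

	/* Read in the current values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
	{
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	/* Read in the firewall values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
	{
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	/* Get the GREEN interface details */
	if (!findkey(kv, "GREEN_DEV", green_dev))
	{
		fprintf(stderr, "Cannot read GREEN_DEV\n");
		exit(1);
	}
	if (!VALID_DEVICE(green_dev))
	{
		fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
		exit(1);
	}

	/* Get the BLUE interface details */
	if (!findkey(kv, "BLUE_DEV", blue_dev))
	{
		fprintf(stderr, "Cannot read BLUE_DEV\n");
		exit(1);
	}
	if (strlen(blue_dev) > 0 && !VALID_DEVICE(blue_dev))
	{
		fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
		exit(1);
	}
	/* An empty BLUE_DEV means no wireless segment is configured. (The old test
	 * "! strlen(blue_dev) > 0" only worked because ! binds tighter than >.) */
	if (strlen(blue_dev) == 0)
	{
		fprintf(stderr, "No BLUE interface\n");
		exit(0);
	}

	/* register exit handler to ensure the block rule is always present */
	atexit(exithandler);

	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
	{
		exit(0);
	}

	/* One client per line: index,ipaddress,macaddress,enabled */
	while (fgets(buffer, sizeof buffer, fd))
	{
		/* Strip the line terminator. strcspn() is also correct for an empty
		 * line and for a last line without a newline, where the previous
		 * strlen()-1 wrote before the buffer or dropped a real character. */
		buffer[strcspn(buffer, "\r\n")] = '\0';

		/* NOTE: strtok() collapses adjacent commas, so an empty field shifts
		 * the fields after it; the NULL checks keep a short or malformed line
		 * from dereferencing NULL (the old code passed NULL to strncmp()). */
		char *field = strtok(buffer, ",");	/* index, unused */
		ipaddress = field ? strtok(NULL, ",") : NULL;
		macaddress = ipaddress ? strtok(NULL, ",") : NULL;
		enabled = macaddress ? strtok(NULL, ",") : NULL;

		if (ipaddress == NULL || macaddress == NULL || enabled == NULL)
			continue;
		if (strncmp(enabled, "on", 2) != 0)
			continue;

		int mac_ok = valid_mac(macaddress);
		int ip_ok = VALID_IP(ipaddress);

		if (mac_ok && ip_ok) {
			/* both specified, added security */
			snprintf(match, sizeof match, "-m mac --mac-source %s -s %s", macaddress, ipaddress);
			add_client_rules(match, blue_dev, green_dev);
		} else {
			if (mac_ok) {
				snprintf(match, sizeof match, "-m mac --mac-source %s", macaddress);
				add_client_rules(match, blue_dev, green_dev);
			}
			if (ip_ok) {
				snprintf(match, sizeof match, "-s %s", ipaddress);
				add_client_rules(match, blue_dev, green_dev);
			}
		}
	}

	/* fd is closed by exithandler() when the process exits */
	freekeyvalues(kv);
	return 0;
}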