Reorganised the source code

Moved all OpenVPN plug-in related things into ./plugins, including firewall
Moved all shared code into ./common and moved the generic part of the
database files into ./database

Updated all CMakeLists.txt files and created a new one for the root directory

1 files changed, 234 insertions, 0 deletions

diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
new file mode 100644
index 0000000..9e0aaa4
--- /dev/null
+++ b/plugin/firewall/iptables/efw_iptables.c
@@ -0,0 +1,234 @@
+/* efw_iptables.c  --  iptables implementation - updates Linux iptables
+ *
+ *  GPLv2 - Copyright (C) 2008  David Sommerseth <dazo@users.sourceforge.net>
+ *
+ *  This program is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU General Public License
+ *  as published by the Free Software Foundation; version 2
+ *  of the License.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <eurephia_nullsafe.h>
+#include <eurephia_log.h>
+#include <eurephia_struct.h>
+#include <eurephiafw_helpers.h>
+
+#define INTERFACEVER "1.0"
+#define INTERFACEAPIVER 1
+
+
+const char *eFWinterfaceVersion() {
+        return "eFW-iptables (v"INTERFACEVER")  David Sommerseth 2008 (C) GPLv2";
+}
+
+int eFWinterfaceAPIversion() {
+        return INTERFACEAPIVER;
+}
+
+
+int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *msg);
+int call_iptables(eurephiaCTX *ctx, const char *fwcmd, char **ipt_args);
+
+void eFW_RunFirewall(void *fwargs) {
+        efw_threaddata *cfg = (efw_threaddata *) fwargs;
+        eurephiaCTX *ctx = (eurephiaCTX *) cfg->ctx;
+        int quit = 0;
+        unsigned int prio;
+        char buf[EFW_MSG_SIZE+2];
+
+        DEBUG(ctx, 28, "eFW_RunFirewall:  Waiting for eFW master to get ready");
+        sem_wait(cfg->semp_master);
+        DEBUG(ctx, 28, "eFW_RunFirewall:  Telling eFW master that the worker process is ready");
+        sem_post(cfg->semp_worker);
+
+        if( cfg->fw_command == NULL ) {
+                eurephia_log(ctx, LOG_FATAL, 0,
+                             "eFW_RunFirewall: firewall_command is not configured.  "
+                             "iptables will not be updated.");
+                exit(3);
+        }
+
+        // Main loop ... grab messages of the messague queue until shutdown command is sent, or a failure happens
+        while( quit == 0 ) {
+                memset(buf, 0, EFW_MSG_SIZE+2);
+                if( mq_receive(cfg->msgq, &buf[0], EFW_MSG_SIZE, &prio) == -1 ) {
+                        eurephia_log(ctx, LOG_FATAL, 0,
+                                     "eFW_RunFirewall: Error while reading messages from queue: %s",
+                                     strerror(errno));
+                        exit(2);
+                }
+                quit = (strncmp(buf, "FWSHUTDOWN", 10) == 0 );
+                if( !quit ) {
+                        int res = 0;
+
+                        DEBUG(ctx, 20, "eFW_RunFirewall:  Received '%s'", buf);
+
+                        res = process_input(ctx, cfg->fw_command, buf);
+                        if( ! res ) {
+                                quit = 1;
+                                eurephia_log(ctx, LOG_FATAL, 0,
+                                             "eFW_RunFirewall: Failed updating iptables");
+                        }
+                }
+        }
+
+        efwRemoveSemaphores(ctx, fwargs);
+        efwRemoveMessageQueue(ctx, fwargs);
+        exit(0);
+}
+
+
+int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
+        char mode[3], *macaddr = NULL, *destchain = NULL, *jump = NULL;
+        char *msg = NULL, *orig_msg = NULL;
+        char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
+	int ret = 0;
+
+        orig_msg = strdup_nullsafe(input);
+        msg = orig_msg;
+        DEBUG(ctx, 36, "eFW_RunFirewall::process_input(ctx, '%s')", msg);
+
+        //
+        // Simple parsing of the input string
+        //
+        mode[0] = '-';
+        mode[1] = *msg;
+        mode[2] = 0;
+        msg += 2;
+
+        iptables_args[0] = (char *)fwcmd;
+
+        switch( mode[1] ) {
+        case 'A':
+        case 'D':
+	        iptables_args[1] = mode;
+                macaddr = msg;   // start of string for macaddr
+
+                // Search for end of macaddr and NULL terminate it
+                destchain = macaddr+1;
+                while( (*destchain != 0x20) || (*destchain == 0) ) {
+                        destchain++;
+                }
+                if( *destchain == 0 ) {
+                        return 0;
+                }
+                *destchain = 0; // end of string for macaddr
+                destchain++;  // start of string for destchain
+                // Search for end of destchain and NULL terminate it
+                jump = destchain+1;
+                while( (*jump != 0x20) || (*jump == 0) ) {
+                        jump++;
+                }
+                *jump = 0; // end of string for destchain
+                jump++;  // start of string for jump
+
+                // Prepare iptables arguments
+                iptables_args[2] = destchain;
+                iptables_args[3] = "-m\0";
+                iptables_args[4] = "mac\0";
+                iptables_args[5] = "--mac-source\0";
+                iptables_args[6] = macaddr;
+                iptables_args[7] = "-m\0";
+                iptables_args[8] = "state\0";
+                iptables_args[9] = "--state\0";
+                iptables_args[10] = "NEW\0";
+                iptables_args[11] = "-j\0";
+                iptables_args[12] = jump;
+                iptables_args[13] = NULL;
+
+                eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
+                             "==> mode: %s  macaddr: '%s'  destchain: '%s'  jump: '%s'",
+                             (mode[1] == 'A' ? "ADD":"DELETE"), macaddr, destchain, jump);
+		ret = call_iptables(ctx, fwcmd, iptables_args);
+                break;
+
+        case 'F':
+	        iptables_args[1] = mode;
+                destchain = msg;
+                iptables_args[2] = destchain;
+		iptables_args[3] = NULL;
+                eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
+                             "==> mode: FLUSH  destchain: '%s'", destchain);
+		ret = call_iptables(ctx, fwcmd, iptables_args);
+                break;
+
+	case 'I':
+		// Init chain - flush it and then add needed rule for stateful inspection
+		destchain = msg;
+
+                eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - Initialising iptables chain '%s'",
+			     destchain);
+
+		// Flush phase
+	        iptables_args[1] = "-F";
+                destchain = msg;
+                iptables_args[2] = destchain;
+		iptables_args[3] = NULL;
+		ret = call_iptables(ctx, fwcmd, iptables_args);
+
+		// Add stateful inspection
+		iptables_args[1] = "-I\0";
+		iptables_args[2] = destchain;
+		iptables_args[3] = "-m\0";
+                iptables_args[4] = "state\0";
+                iptables_args[5] = "--state\0";
+                iptables_args[6] = "ESTABLISHED,RELATED\0";
+                iptables_args[7] = "-j\0";
+                iptables_args[8] = "ACCEPT\0";
+		ret &= call_iptables(ctx, fwcmd, iptables_args);
+		break;
+
+        default:
+                eurephia_log(ctx, LOG_CRITICAL, 0, "eFW_RunFirewall::process_input:  Malformed update request");
+		ret = 1;
+        }
+	free_nullsafe(orig_msg);
+	return ret;
+}
+
+int call_iptables(eurephiaCTX *ctx, const char *fwcmd, char **ipt_args) {
+        pid_t pid;
+        int cmdret = -1;
+
+        // Fork out a child process which will run the iptables command.  Since the execve replaces 
+        // the current process, we need to do the forking first.
+        if( (pid = fork()) < 0) {
+                eurephia_log(ctx, LOG_FATAL, 0,
+                             "eFW_RunFirewall::process_input: Failed to fork process for %s", fwcmd);
+                return 0;
+        }
+
+        switch( pid ) {
+        case 0: // child process - execute the program and exit
+                execve(fwcmd, ipt_args, NULL);
+                exit(1); // execve should replace the process, but if it fails to do so, make sure we exit
+
+        default: // parent process
+                if( waitpid(pid, &cmdret, 0) != pid ) {
+                        eurephia_log(ctx, LOG_WARNING, 0,
+                                     "eFW_RunFirewall::process_input: Failed to wait for process for %s"
+                                     " to complete (%s)", fwcmd, strerror(errno));
+                }
+                eurephia_log(ctx, LOG_INFO, 4, "eFW_RunFirewall - iptables exited with code: %i ", cmdret);
+        }
+        return 1;
+}