author | David Sommerseth <dazo@users.sourceforge.net> | 2008-10-15 00:39:53 +0200 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2008-10-15 00:39:53 +0200 |
commit | 0ea1a3e2e6a10300388e01ac89504abe3624ae56 (patch) | |
tree | fff59c70d4db431c2114e89d0819af8921aff463 /plugin/firewall/iptables/efw_iptables.c | |
parent | b65b0802ead5e863ca8cb41fff77528735a1466c (diff) | |
Reorganised the source code
Moved all OpenVPN plug-in related things into ./plugins, including firewall
Moved all shared code into ./common and moved the generic part of the
database files into ./database
Updated all CMakeLists.txt files and created a new one for the root directory
Diffstat (limited to 'plugin/firewall/iptables/efw_iptables.c')
-rw-r--r-- | plugin/firewall/iptables/efw_iptables.c | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
new file mode 100644
index 0000000..9e0aaa4
--- /dev/null
+++ b/plugin/firewall/iptables/efw_iptables.c
@@ -0,0 +1,234 @@
+/* efw_iptables.c -- iptables implementation - updates Linux iptables
+ *
+ * GPLv2 - Copyright (C) 2008 David Sommerseth <dazo@users.sourceforge.net>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; version 2
+ * of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <eurephia_nullsafe.h>
+#include <eurephia_log.h>
+#include <eurephia_struct.h>
+#include <eurephiafw_helpers.h>
+
+#define INTERFACEVER "1.0"
+#define INTERFACEAPIVER 1
+
+
+const char *eFWinterfaceVersion() {
+ return "eFW-iptables (v"INTERFACEVER") David Sommerseth 2008 (C) GPLv2";
+}
+
+int eFWinterfaceAPIversion() {
+ return INTERFACEAPIVER;
+}
+
+
+int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *msg);
+int call_iptables(eurephiaCTX *ctx, const char *fwcmd, char **ipt_args);
+
+void eFW_RunFirewall(void *fwargs) {
+ efw_threaddata *cfg = (efw_threaddata *) fwargs;
+ eurephiaCTX *ctx = (eurephiaCTX *) cfg->ctx;
+ int quit = 0;
+ unsigned int prio;
+ char buf[EFW_MSG_SIZE+2];
+
+ DEBUG(ctx, 28, "eFW_RunFirewall: Waiting for eFW master to get ready");
+ sem_wait(cfg->semp_master);
+ DEBUG(ctx, 28, "eFW_RunFirewall: Telling eFW master that the worker process is ready");
+ sem_post(cfg->semp_worker);
+
+ if( cfg->fw_command == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "eFW_RunFirewall: firewall_command is not configured. "
+ "iptables will not be updated.");
+ exit(3);
+ }
+
+ // Main loop ... grab messages of the messague queue until shutdown command is sent, or a failure happens
+ while( quit == 0 ) {
+ memset(buf, 0, EFW_MSG_SIZE+2);
+ if( mq_receive(cfg->msgq, &buf[0], EFW_MSG_SIZE, &prio) == -1 ) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "eFW_RunFirewall: Error while reading messages from queue: %s",
+ strerror(errno));
+ exit(2);
+ }
+ quit = (strncmp(buf, "FWSHUTDOWN", 10) == 0 );
+ if( !quit ) {
+ int res = 0;
+
+ DEBUG(ctx, 20, "eFW_RunFirewall: Received '%s'", buf);
+
+ res = process_input(ctx, cfg->fw_command, buf);
+ if( ! res ) {
+ quit = 1;
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "eFW_RunFirewall: Failed updating iptables");
+ }
+ }
+ }
+
+ efwRemoveSemaphores(ctx, fwargs);
+ efwRemoveMessageQueue(ctx, fwargs);
+ exit(0);
+}
+
+
+int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
+ char mode[3], *macaddr = NULL, *destchain = NULL, *jump = NULL;
+ char *msg = NULL, *orig_msg = NULL;
+ char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
+ int ret = 0;
+
+ orig_msg = strdup_nullsafe(input);
+ msg = orig_msg;
+ DEBUG(ctx, 36, "eFW_RunFirewall::process_input(ctx, '%s')", msg);
+
+ //
+ // Simple parsing of the input string
+ //
+ mode[0] = '-';
+ mode[1] = *msg;
+ mode[2] = 0;
+ msg += 2;
+
+ iptables_args[0] = (char *)fwcmd;
+
+ switch( mode[1] ) {
+ case 'A':
+ case 'D':
+ iptables_args[1] = mode;
+ macaddr = msg; // start of string for macaddr
+
+ // Search for end of macaddr and NULL terminate it
+ destchain = macaddr+1;
+ while( (*destchain != 0x20) || (*destchain == 0) ) {
+ destchain++;
+ }
+ if( *destchain == 0 ) {
+ return 0;
+ }
+ *destchain = 0; // end of string for macaddr
+ destchain++; // start of string for destchain
+ // Search for end of destchain and NULL terminate it
+ jump = destchain+1;
+ while( (*jump != 0x20) || (*jump == 0) ) {
+ jump++;
+ }
+ *jump = 0; // end of string for destchain
+ jump++; // start of string for jump
+
+ // Prepare iptables arguments
+ iptables_args[2] = destchain;
+ iptables_args[3] = "-m\0";
+ iptables_args[4] = "mac\0";
+ iptables_args[5] = "--mac-source\0";
+ iptables_args[6] = macaddr;
+ iptables_args[7] = "-m\0";
+ iptables_args[8] = "state\0";
+ iptables_args[9] = "--state\0";
+ iptables_args[10] = "NEW\0";
+ iptables_args[11] = "-j\0";
+ iptables_args[12] = jump;
+ iptables_args[13] = NULL;
+
+ eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
+ "==> mode: %s macaddr: '%s' destchain: '%s' jump: '%s'",
+ (mode[1] == 'A' ? "ADD":"DELETE"), macaddr, destchain, jump);
+ ret = call_iptables(ctx, fwcmd, iptables_args);
+ break;
+
+ case 'F':
+ iptables_args[1] = mode;
+ destchain = msg;
+ iptables_args[2] = destchain;
+ iptables_args[3] = NULL;
+ eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
+ "==> mode: FLUSH destchain: '%s'", destchain);
+ ret = call_iptables(ctx, fwcmd, iptables_args);
+ break;
+
+ case 'I':
+ // Init chain - flush it and then add needed rule for stateful inspection
+ destchain = msg;
+
+ eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - Initialising iptables chain '%s'",
+ destchain);
+
+ // Flush phase
+ iptables_args[1] = "-F";
+ destchain = msg;
+ iptables_args[2] = destchain;
+ iptables_args[3] = NULL;
+ ret = call_iptables(ctx, fwcmd, iptables_args);
+
+ // Add stateful inspection
+ iptables_args[1] = "-I\0";
+ iptables_args[2] = destchain;
+ iptables_args[3] = "-m\0";
+ iptables_args[4] = "state\0";
+ iptables_args[5] = "--state\0";
+ iptables_args[6] = "ESTABLISHED,RELATED\0";
+ iptables_args[7] = "-j\0";
+ iptables_args[8] = "ACCEPT\0";
+ ret &= call_iptables(ctx, fwcmd, iptables_args);
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_CRITICAL, 0, "eFW_RunFirewall::process_input: Malformed update request");
+ ret = 1;
+ }
+ free_nullsafe(orig_msg);
+ return ret;
+}
+
+int call_iptables(eurephiaCTX *ctx, const char *fwcmd, char **ipt_args) {
+ pid_t pid;
+ int cmdret = -1;
+
+ // Fork out a child process which will run the iptables command. Since the execve replaces
+ // the current process, we need to do the forking first.
+ if( (pid = fork()) < 0) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "eFW_RunFirewall::process_input: Failed to fork process for %s", fwcmd);
+ return 0;
+ }
+
+ switch( pid ) {
+ case 0: // child process - execute the program and exit
+ execve(fwcmd, ipt_args, NULL);
+ exit(1); // execve should replace the process, but if it fails to do so, make sure we exit
+
+ default: // parent process
+ if( waitpid(pid, &cmdret, 0) != pid ) {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "eFW_RunFirewall::process_input: Failed to wait for process for %s"
+ " to complete (%s)", fwcmd, strerror(errno));
+ }
+ eurephia_log(ctx, LOG_INFO, 4, "eFW_RunFirewall - iptables exited with code: %i ", cmdret);
+ }
+ return 1;
+}
|
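Review bot: The token-scanning loops in process_input's 'A'/'D' case use `||`, so `while( (*destchain != 0x20) || (*destchain == 0) )` keeps advancing past the NUL terminator and the `if( *destchain == 0 ) return 0;` guard right after it can never fire; the `jump` loop has the same condition and no terminator check at all before `*jump = 0` writes through the pointer, so a queue message with fewer than three space-separated fields reads and writes beyond the strdup'd copy. Both conditions should be `&&` — `while( (*destchain != 0x20) && (*destchain != 0) )` and `while( (*jump != 0x20) && (*jump != 0) )` — and the jump loop needs the same `== 0` bail-out; the existing early `return 0` also leaks `orig_msg`, so it should call `free_nullsafe(orig_msg)` first. Separately, `cmdret` in call_iptables is the raw waitpid status, logged with `%i` without `WIFEXITED`/`WEXITSTATUS` decoding, and the function returns 1 regardless of that status, so a non-zero iptables exit is reported as success and the "Failed updating iptables" branch in eFW_RunFirewall is reachable only when fork() fails. Checking `WIFEXITED(cmdret) && WEXITSTATUS(cmdret) == 0` and returning 0 otherwise would let the worker treat a rejected rule as the failure it is.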