author | David Sommerseth <dazo@users.sourceforge.net> | 2010-12-01 00:10:35 +0100 |
committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-12-01 00:10:35 +0100 |
commit | ec1edb86e254b8b730a9f882dea919e127723f77 (patch) | |
tree | 85b93f956c991119af65925af1902b435487069e /plugin | |
parent | b3f80c7922908e7d048c4e691ceadf79db62bd75 (diff) | |
Add preliminary support for using IP addresses in the firewall module
The current implementation uses the MAC address of the client's VPN
interface. This also restricts eurephia to use TAP mode.
This patch adds preliminary support for also accepting the client's
IP address when updating the firewall rules, but full support
for TUN mode is not finished yet.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to 'plugin')
-rw-r--r-- | plugin/eurephia.c | 24 | ||||
-rw-r--r-- | plugin/firewall/iptables/efw-iptables.c | 34 |
2 files changed, 33 insertions, 25 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index 8587e93..3451e8c 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -636,7 +636,7 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
 *
 * @return Returns 0 on failure and 1 on success.
 */
-int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macaddr, const char **env) {
+int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr, const char **env) {
 eurephiaSESSION *session = NULL;
 char *digest = NULL, *cname = NULL, *uname = NULL, *vpnipaddr = NULL, *vpnipmask = NULL,
@@ -645,7 +645,7 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
 int ret = 0, fw_enabled = 0;
 DEBUG(ctx, 10, "** Function call: eurephia_learn_address(ctx, '%.10s', '%.18s', ...)",
- mode, macaddr);
+ mode, clientaddr);
 // Get firewall information
 fw_enabled = (eGet_value(ctx->dbc->config, "firewall_interface") != NULL);
@@ -673,13 +673,17 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
 }
 // Update openvpn_lastlog with the active MAC address, and save it as a session variable
- ret = eDBregister_vpnmacaddr(ctx, session, macaddr);
+ ret = eDBregister_vpnmacaddr(ctx, session, clientaddr);
 if( (fw_enabled) && (fwdest != NULL) ) {
 fwprofile = eDBget_firewall_profile(ctx, session);
 if( fwprofile != NULL ) {
 eFWupdateRequest req = { .mode = fwADD, };
- strncpy(req.macaddress, macaddr, sizeof(req.macaddress));
+ if( ctx->tuntype == tuntype_TAP ) {
+ strncpy(req.macaddress, clientaddr, sizeof(req.macaddress));
+ } else {
+ strncpy(req.ipaddress, vpnipaddr, sizeof(req.ipaddress));
+ }
 strncpy(req.rule_destination, fwdest, sizeof(req.rule_destination));
 strncpy(req.goto_destination, fwprofile, sizeof(req.goto_destination));
 eFW_UpdateFirewall(ctx, &req);
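Review bot: The non-TAP branch fills `req.ipaddress` from `vpnipaddr`, while the delete path in the `@@ -703` hunk fills it from `clientaddr`; if those two ever differ, the rule installed here is not the one removed at disconnect and the client's source address stays permitted after the session is gone. One source for both directions avoids that, e.g. `strncpy(req.ipaddress, clientaddr, sizeof(req.ipaddress) - 1);`, but what OpenVPN passes as the address in TUN mode versus what vpnipaddr holds is not visible in the hunk, so confirm they are the same before choosing. Both new strncpy calls, and the two in the `@@ -703` hunk, copy up to the full field size, which leaves the field without a terminator when the source is at least that long, and process_input() in efw-iptables.c then runs strlen_nullsafe() over it; since `req` is zeroed by its designated initialiser, `sizeof(...) - 1` is enough to guarantee termination. vpnipaddr is assigned outside this hunk, so whether it can still be NULL on the non-TAP path when this strncpy runs cannot be seen here; eurephia_learn_address continues outside the hunk.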
@@ -690,11 +694,11 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
 } else if( strncmp(mode, "delete", 6) == 0 ) {
 // Load the session, based on MAC address
- session = eDBopen_session_macaddr(ctx, macaddr);
+ session = eDBopen_session_macaddr(ctx, clientaddr);
 if( session == NULL ) {
 eurephia_log(ctx, LOG_WARNING, 0, "Could not find any session connected to this MAC address: %.18s",
- macaddr);
+ clientaddr);
 ret = 0;
 goto exit;
 }
@@ -703,7 +707,11 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
 fwprofile = eDBget_firewall_profile(ctx, session);
 if( fwprofile != NULL ) {
 eFWupdateRequest req = { .mode = fwDELETE, };
- strncpy(req.macaddress, macaddr, sizeof(req.macaddress));
+ if( ctx->tuntype == tuntype_TAP) {
+ strncpy(req.macaddress, clientaddr, sizeof(req.macaddress));
+ } else {
+ strncpy(req.ipaddress, clientaddr, sizeof(req.ipaddress));
+ }
 strncpy(req.rule_destination, fwdest, sizeof(req.rule_destination));
 strncpy(req.goto_destination, fwprofile, sizeof(req.goto_destination));
 eFW_UpdateFirewall(ctx, &req);
@@ -722,7 +730,7 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
 free_nullsafe(ctx, cname);
 free_nullsafe(ctx, digest);
 DEBUG(ctx, 10, "** Function result: eurephia_learn_address(ctx, '%s', '%.18s', ...) = %i",
- mode, macaddr, ret);
+ mode, clientaddr, ret);
 return ret;
 }
diff --git a/plugin/firewall/iptables/efw-iptables.c b/plugin/firewall/iptables/efw-iptables.c
index aad5d4f..6172d5d 100644
--- a/plugin/firewall/iptables/efw-iptables.c
+++ b/plugin/firewall/iptables/efw-iptables.c
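Review bot: The comment `// Load the session, based on MAC address` and the warning text `"Could not find any session connected to this MAC address: %.18s"` now describe only the TAP case, since `clientaddr` is whatever the caller hands over and, judging by the add path's eDBregister_vpnmacaddr(ctx, session, clientaddr) call, is presumably an IP address in TUN mode. Wording such as `// Load the session, based on the client address registered at connect` and `"Could not find any session connected to this client address: %.18s"` would keep the log accurate for both modes, and the `%.18s` width should be checked against the longest address form that can arrive, since it was sized for a MAC. eurephia_learn_address continues outside the hunk.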
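Review bot: `if( ctx->tuntype == tuntype_TAP) {` drops the space before `)` that the same test in the add path writes as `if( ctx->tuntype == tuntype_TAP ) {`; the two branches are otherwise a copy of each other, so matching them keeps a later diff between the add and delete paths meaningful. Since the TAP/TUN selection of which field to fill now appears twice, a small static helper that fills `req` from the address and tuntype would also remove the duplication. eurephia_learn_address continues outside the hunk.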
@@ -176,7 +176,7 @@ void eFW_RunFirewall(void *fwargs) {
 */
 int process_input(eurephiaCTX *ctx, const char *fwcmd, const eFWupdateRequest *req) {
 const char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
- int ret = 0;
+ int ret = 0, argc = 2;
 DEBUG(ctx, 36, "eFW_RunFirewall::process_input(ctx, %s, %s, %s, %s, %s)", eFWmode_str[req->mode], req->ipaddress, req->macaddress,
@@ -195,24 +195,24 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const eFWupdateRequest *r
 iptables_args[1] = "-D";
 }
 // Prepare iptables arguments
- iptables_args[2] = req->rule_destination;
- if( req->ipaddress ) {
- iptables_args[3] = "-s\0";
- iptables_args[4] = req->ipaddress;
+ iptables_args[argc++] = req->rule_destination;
+ if( strlen_nullsafe(req->ipaddress) > 0 ) {
+ iptables_args[argc++] = "-s\0";
+ iptables_args[argc++] = req->ipaddress;
 }
- if( req->macaddress ) {
- iptables_args[3] = "-m\0";
- iptables_args[4] = "mac\0";
- iptables_args[5] = "--mac-source\0";
- iptables_args[6] = req->macaddress;
+ if( strlen_nullsafe(req->macaddress) > 0 ) {
+ iptables_args[argc++] = "-m\0";
+ iptables_args[argc++] = "mac\0";
+ iptables_args[argc++] = "--mac-source\0";
+ iptables_args[argc++] = req->macaddress;
 }
- iptables_args[7] = "-m\0";
- iptables_args[8] = "state\0";
- iptables_args[9] = "--state\0";
- iptables_args[10] = "NEW\0";
- iptables_args[11] = "-j\0";
- iptables_args[12] = req->goto_destination;
- iptables_args[13] = NULL;
+ iptables_args[argc++] = "-m\0";
+ iptables_args[argc++] = "state\0";
+ iptables_args[argc++] = "--state\0";
+ iptables_args[argc++] = "NEW\0";
+ iptables_args[argc++] = "-j\0";
+ iptables_args[argc++] = req->goto_destination;
+ iptables_args[argc++] = NULL;
 eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules " "==> mode: %s ipaddr: %s macaddr: '%s' destchain: '%s' jump: '%s'",
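Review bot: When both `req->ipaddress` and `req->macaddress` are empty, the two new strlen_nullsafe() checks skip both source matches but the rule is still assembled and handed on, so the `-j` jump to the profile chain then applies to every NEW connection passing `rule_destination` rather than to one client. That case is now reachable, because the caller fills only one of the two fields depending on tuntype and an empty copy into the other leaves both blank; the request should be refused before the argv is used. The `argc++` writes also carry no bound against the 20-slot `iptables_args` array (the current maximum is 16 entries), so a comment or an explicit `argc < ARRAY_SIZE(iptables_args)` check tying the two together would stop a later option from overrunning it. process_input continues outside the hunk, so what `ret` signals on failure is not visible here.
```c
int process_input(eurephiaCTX *ctx, const char *fwcmd, const eFWupdateRequest *req) {
        // … unchanged: iptables_args declaration, DEBUG, -A/-D selection …
        // Refuse a request that carries no source match: the resulting rule would
        // jump to the profile chain for every NEW connection, not just this client.
        if( strlen_nullsafe(req->ipaddress) == 0 && strlen_nullsafe(req->macaddress) == 0 ) {
                eurephia_log(ctx, LOG_WARNING, 0,
                             "eFW_RunFirewall - firewall request without IP or MAC address, rule not applied");
                return 0;  /* TODO(review): confirm the value the caller treats as failure */
        }
        // Prepare iptables arguments
        iptables_args[argc++] = req->rule_destination;
        // … unchanged: -s / --mac-source / state match / -j setup, eurephia_log …
```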