authorDavid Sommerseth <dazo@users.sourceforge.net>2010-12-01 00:10:35 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2010-12-01 00:10:35 +0100
commitec1edb86e254b8b730a9f882dea919e127723f77 (patch)
tree85b93f956c991119af65925af1902b435487069e /plugin
parentb3f80c7922908e7d048c4e691ceadf79db62bd75 (diff)
Add preliminary support for using IP addresses in the firewall module
The current implementation uses the MAC address of the client's VPN interface, which also restricts eurephia to TAP mode. This patch adds preliminary support for also accepting the client's IP address when updating the firewall rules. Complete support for TUN mode is not finished yet. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to 'plugin')
-rw-r--r--plugin/eurephia.c24
-rw-r--r--plugin/firewall/iptables/efw-iptables.c34
2 files changed, 33 insertions, 25 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index 8587e93..3451e8c 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -636,7 +636,7 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) {
*
* @return Returns 0 on failure and 1 on success.
*/
-int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macaddr, const char **env) {
+int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *clientaddr, const char **env) {
eurephiaSESSION *session = NULL;
char *digest = NULL, *cname = NULL, *uname = NULL,
*vpnipaddr = NULL, *vpnipmask = NULL,
@@ -645,7 +645,7 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
int ret = 0, fw_enabled = 0;
DEBUG(ctx, 10, "** Function call: eurephia_learn_address(ctx, '%.10s', '%.18s', ...)",
- mode, macaddr);
+ mode, clientaddr);
// Get firewall information
fw_enabled = (eGet_value(ctx->dbc->config, "firewall_interface") != NULL);
@@ -673,13 +673,17 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
}
// Update openvpn_lastlog with the active MAC address, and save it as a session variable
- ret = eDBregister_vpnmacaddr(ctx, session, macaddr);
+ ret = eDBregister_vpnmacaddr(ctx, session, clientaddr);
if( (fw_enabled) && (fwdest != NULL) ) {
fwprofile = eDBget_firewall_profile(ctx, session);
if( fwprofile != NULL ) {
eFWupdateRequest req = { .mode = fwADD, };
- strncpy(req.macaddress, macaddr, sizeof(req.macaddress));
+ if( ctx->tuntype == tuntype_TAP ) {
+ strncpy(req.macaddress, clientaddr, sizeof(req.macaddress));
+ } else {
+ strncpy(req.ipaddress, vpnipaddr, sizeof(req.ipaddress));
+ }
strncpy(req.rule_destination, fwdest, sizeof(req.rule_destination));
strncpy(req.goto_destination, fwprofile, sizeof(req.goto_destination));
eFW_UpdateFirewall(ctx, &req);
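Review bot: The TUN branch of this add path fills `req.ipaddress` from `vpnipaddr`, while the matching delete path in the hunk at @@ -703 fills it from `clientaddr`; if the two strings ever differ, the fwDELETE request will not match the rule that fwADD inserted and the client's rule survives the disconnect. OpenVPN passes the learn-address hook the client's IP address in TUN mode, so the add path can use the same source as the delete path, `strncpy(req.ipaddress, clientaddr, sizeof(req.ipaddress));`, or the two paths should be documented as deliberately using the same field. The four new `strncpy` calls also leave the field unterminated when the source fills it exactly (the designated initializer zeroes `req`, which only saves the shorter case); `snprintf(req.ipaddress, sizeof(req.ipaddress), "%s", clientaddr);` terminates unconditionally. Whether `vpnipaddr` is always non-NULL by this point is outside the hunk; a NULL source here would be undefined behaviour in `strncpy`. eurephia_learn_address starts and ends outside this hunk.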
@@ -690,11 +694,11 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
} else if( strncmp(mode, "delete", 6) == 0 ) {
// Load the session, based on MAC address
- session = eDBopen_session_macaddr(ctx, macaddr);
+ session = eDBopen_session_macaddr(ctx, clientaddr);
if( session == NULL ) {
eurephia_log(ctx, LOG_WARNING, 0,
"Could not find any session connected to this MAC address: %.18s",
- macaddr);
+ clientaddr);
ret = 0;
goto exit;
}
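Review bot: The warning at the top of this hunk still reads `"Could not find any session connected to this MAC address: %.18s"`, but `clientaddr` is an IP address in TUN mode, so the message now misdescribes the value it prints. Rewording it to `"Could not find any session connected to this client address: %.18s"` keeps it accurate for both modes. The `%.18s` precision was sized for a MAC string and will truncate an IPv6 literal, which can run to 45 characters; the DEBUG calls at @@ -645 and @@ -722 use the same precision. The `// Load the session, based on MAC address` comment has the same drift, since the lookup is now keyed by whatever `clientaddr` holds. eurephia_learn_address continues outside this hunk.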
@@ -703,7 +707,11 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
fwprofile = eDBget_firewall_profile(ctx, session);
if( fwprofile != NULL ) {
eFWupdateRequest req = { .mode = fwDELETE, };
- strncpy(req.macaddress, macaddr, sizeof(req.macaddress));
+ if( ctx->tuntype == tuntype_TAP) {
+ strncpy(req.macaddress, clientaddr, sizeof(req.macaddress));
+ } else {
+ strncpy(req.ipaddress, clientaddr, sizeof(req.ipaddress));
+ }
strncpy(req.rule_destination, fwdest, sizeof(req.rule_destination));
strncpy(req.goto_destination, fwprofile, sizeof(req.goto_destination));
eFW_UpdateFirewall(ctx, &req);
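Review bot: The new condition `if( ctx->tuntype == tuntype_TAP) {` drops the space before `)` that the file's `if( ... )` style and the add path at @@ -673 (`tuntype_TAP )`) both use; `if( ctx->tuntype == tuntype_TAP ) {` matches. The TAP/else split is otherwise the same four lines as in the add path; a small static helper taking `&req`, `ctx->tuntype` and the address string would keep the two copies from drifting apart, as they already have in which variable feeds `req.ipaddress`. eurephia_learn_address continues outside this hunk.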
@@ -722,7 +730,7 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad
free_nullsafe(ctx, cname);
free_nullsafe(ctx, digest);
DEBUG(ctx, 10, "** Function result: eurephia_learn_address(ctx, '%s', '%.18s', ...) = %i",
- mode, macaddr, ret);
+ mode, clientaddr, ret);
return ret;
}
diff --git a/plugin/firewall/iptables/efw-iptables.c b/plugin/firewall/iptables/efw-iptables.c
index aad5d4f..6172d5d 100644
--- a/plugin/firewall/iptables/efw-iptables.c
+++ b/plugin/firewall/iptables/efw-iptables.c
@@ -176,7 +176,7 @@ void eFW_RunFirewall(void *fwargs) {
*/
int process_input(eurephiaCTX *ctx, const char *fwcmd, const eFWupdateRequest *req) {
const char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
- int ret = 0;
+ int ret = 0, argc = 2;
DEBUG(ctx, 36, "eFW_RunFirewall::process_input(ctx, %s, %s, %s, %s, %s)",
eFWmode_str[req->mode], req->ipaddress, req->macaddress,
@@ -195,24 +195,24 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const eFWupdateRequest *r
iptables_args[1] = "-D";
}
// Prepare iptables arguments
- iptables_args[2] = req->rule_destination;
- if( req->ipaddress ) {
- iptables_args[3] = "-s\0";
- iptables_args[4] = req->ipaddress;
+ iptables_args[argc++] = req->rule_destination;
+ if( strlen_nullsafe(req->ipaddress) > 0 ) {
+ iptables_args[argc++] = "-s\0";
+ iptables_args[argc++] = req->ipaddress;
}
- if( req->macaddress ) {
- iptables_args[3] = "-m\0";
- iptables_args[4] = "mac\0";
- iptables_args[5] = "--mac-source\0";
- iptables_args[6] = req->macaddress;
+ if( strlen_nullsafe(req->macaddress) > 0 ) {
+ iptables_args[argc++] = "-m\0";
+ iptables_args[argc++] = "mac\0";
+ iptables_args[argc++] = "--mac-source\0";
+ iptables_args[argc++] = req->macaddress;
}
- iptables_args[7] = "-m\0";
- iptables_args[8] = "state\0";
- iptables_args[9] = "--state\0";
- iptables_args[10] = "NEW\0";
- iptables_args[11] = "-j\0";
- iptables_args[12] = req->goto_destination;
- iptables_args[13] = NULL;
+ iptables_args[argc++] = "-m\0";
+ iptables_args[argc++] = "state\0";
+ iptables_args[argc++] = "--state\0";
+ iptables_args[argc++] = "NEW\0";
+ iptables_args[argc++] = "-j\0";
+ iptables_args[argc++] = req->goto_destination;
+ iptables_args[argc++] = NULL;
eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
"==> mode: %s ipaddr: %s macaddr: '%s' destchain: '%s' jump: '%s'",
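Review bot: Every `iptables_args[argc++]` store is unchecked against the 20-slot array declared at the top of process_input; the longest sequence in this hunk is 16 entries including the terminating NULL, so it fits today, but nothing ties the two numbers together and the next option added changes that silently. Naming the bound, `enum { IPT_MAX_ARGS = 20 };`, declaring `const char *iptables_args[IPT_MAX_ARGS] = { NULL };` and checking `argc < IPT_MAX_ARGS` before the final NULL is stored would make the limit explicit. The `"\0"` suffixes on the string literals are redundant, since a literal is already NUL-terminated, and `"-s"` reads the same as `"-s\0"`. `req->ipaddress` and `req->macaddress` appear to be fixed arrays (the `sizeof(req.macaddress)` passed to `strncpy` in eurephia.c only makes sense for one), so `req->ipaddress[0] != '\0'` would express the emptiness test without the helper, though `strlen_nullsafe` is harmless here. process_input continues outside this hunk.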