Commit message

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Now eurephia will support both TUN and TAP configurations in OpenVPN.
Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness
to test out this patch.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

As the firewall API has changed with regard to moving away from
a string-based implementation to a struct-based implementation, the
older eurephia firewall module will not work any longer.
To make sure nothing bad happens, enforce that the efw-iptables
module is at least using API version 2. Also updated the module
version to reflect some changes as well.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The eurephia plug-in would daemonize the OpenVPN process by calling
daemonize() too early. This patch renames daemonize() to efw_daemonize()
and calls it only in the firewall child process.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Removed old and obsolete expressions used to reference the eurephia database driver.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

- OpenVPN would not exit gracefully because mq_send() returns 0 on success
- On-the-fly blacklisting with the new API failed due to wrong value checking.
  The request->rule_destination is empty when request->mode==BLACKLIST, so
  the check for rule_destination was moved to the appropriate place.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Moved over the missing pieces to use the eFWupdateRequest struct. This is
a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

All functions calling eFW_UpdateFirewall() and the iptables driver
need to be updated as well.

The memory leak was caused by not freeing the shadow context the firewall
child process uses for logging. In addition, this child process had a
connection to the database open as well, which was not needed. This
connection is now disconnected immediately after the child process has
started.
Also added the use of mlock() to protect sensitive information from being
swapped out to disk.

This only affects functions related to MAC address and certificate depth.

Also simplified the initialisation of the logging module. By calling
the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function,
a log context will be set up inside the eurephiaCTX.
To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
The destination string to eurephia_log_init() can be:
- stdout:
  Log everything to stdout
- stderr:
  Log everything to stderr
- none:
  Do no logging at all
- syslog:<facility>
  Log via syslog. <facility> can be: user, local[0-7],
  daemon or authpriv.
- Filename
  All logging goes to the given filename. If the filename
  string is not recognised by any of the reserved words above,
  it will be handled as a filename.

This also improves debugging, if debug logging is enabled and the log level is >= 40.

Made sure we only include needed include files and checked that
the copyright headers are equal and correct.

context type.

eurephia_context.h only needs to know about the eurephiaFWINTF *
struct when compiling the auth plug-in and firewall modules.
To enable this, EUREPHIA_FWINTF needs to be defined, and
eurephiafw_struct.h must be included before including eurephia_context.h
in the source. When this is not done, *fwcfg will just be a void *.

Since this include file now only consists of the eurephiaCTX definition,
it was moved to the common/ directory and renamed.
Moved the SESSION_* definitions out of this file and into
plugin/eurephiadb_session.h where they belong.
Moved the POSIX MQ definitions into plugin/firewall/eurephiafw_struct.h
where they belong.
eurephia_context.h now contains only context-related things.

It will now support the config option 'firewall_blacklist_send_to'. If set,
it will send all blacklisted IP addresses to this chain (iptables -j).
If this option is not set, it will default to DROP.

eFW_UpdateFirewall(...)

duplicates in firewall rules

Also changed the worker side to use sem_timedwait(), to not wait
forever on the shutdown acknowledgement.

If the configuration variable 'firewall_blacklist_destination' is
set, it will insert DROP rules when a blacklisted IP address is
attempted.
Feature not tested yet.

Moved all OpenVPN plug-in related things into ./plugins, including firewall.
Moved all shared code into ./common and moved the generic part of the
database files into ./database.
Updated all CMakeLists.txt files and created a new one for the root directory.