path: root/plugin/firewall
Commit message | Author | Age | Files | Lines
* efw-iptables: Use the iptables conntrack module
  Matthew Gyurgyik | 2010-12-24 | 1 | -4/+4
  Make use of the iptables conntrack module instead of the older state module for stateful firewalling.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Implemented proper TUN support in eurephia
  David Sommerseth | 2010-12-14 | 1 | -1/+1
  Now eurephia will support both TUN and TAP configurations in OpenVPN. Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness to test out this patch.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Add preliminary support for using IP addresses in the firewall module
  David Sommerseth | 2010-12-01 | 1 | -17/+17
  The current implementation uses the MAC address of the client's VPN interface. This also restricts eurephia to use TAP mode. This patch adds preliminary support for also accepting the client's IP address when updating the firewall rules. But the complete support for TUN mode is not completed yet.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Update efw-iptables version number and API version
  David Sommerseth | 2010-11-30 | 2 | -3/+8
  As the firewall API has changed in regards to moving away from a string based implementation to a struct based implementation, the older eurephia firewall module will not work any longer. To make sure nothing bad happens, enforce that the efw-iptables module is at least using API version 2. Also updated the module version to reflect some changes as well.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Move daemonize() code to be called in the firewall child thread only
  David Sommerseth | 2010-11-26 | 2 | -2/+28
  The eurephia plug-in would daemonize the OpenVPN process by calling daemonize() too early. This patch renames daemonize() to efw_daemonize() and calls it only in the firewall child process.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated wrong log entries
  David Sommerseth | 2010-08-29 | 1 | -1/+1
  Removed old and obsolete expressions used to reference the eurephia database driver.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed some issues with the firewall implementation
  David Sommerseth | 2010-08-26 | 1 | -3/+9
  - OpenVPN would not exit gracefully due to mq_send() returning 0 on success
  - On-the-fly blacklisting with new API failed due to wrong value checking
  The request->rule_destination is empty when request->mode==BLACKLIST, so the check for rule_destination was moved to the appropriate place.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed Doxygen complaints
  David Sommerseth | 2010-08-26 | 1 | -1/+4
  Removed some #defines which were not needed and added missing comments.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Completed the needed changes for the new firewall plug-in API
  David Sommerseth | 2010-08-25 | 3 | -128/+97
  Moved over the missing pieces to use the eFWupdateRequest struct. This is a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed a few doxygen complaints - missing documentation
  David Sommerseth | 2010-07-30 | 1 | -0/+4
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated Copyright dates to include 2010
  David Sommerseth | 2010-07-30 | 8 | -8/+8
* Changed main firewall implementation to use eFWupdateRequest struct
  David Sommerseth | 2009-11-09 | 3 | -57/+142
  All functions calling eFW_UpdateFirewall() and the iptables driver need to be updated as well.
* Cleaned up the driver/interface API for database and firewall
  David Sommerseth | 2009-11-04 | 1 | -3/+5
* Fixed memory leak in the firewall implementation and added mlock() usage
  David Sommerseth | 2009-10-06 | 1 | -1/+8
  The memory leak was caused by not freeing the shadow context the firewall child process uses for logging. In addition this child process had a connection to the database open as well, which was not needed. This connection is now disconnected immediately after the child process has started.
  Also added usage of mlock() to protect sensitive information from being swapped out to disk.
* Restrict input data length for plug-in arguments from openvpn
  David Sommerseth | 2009-10-04 | 1 | -6/+9
  This only affects functions related to MAC address and certificate depth
* Rewritten the eurephia_log() to support syslog logging as well
  David Sommerseth | 2009-09-24 | 1 | -1/+0
  Also simplified the initialisation of the logging module. By calling the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function, a log context will be set up inside the eurephiaCTX. To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
  The destination string to eurephia_log_init() can be:
  - stdout: Log everything to stdout
  - stderr: Log everything to stderr
  - none: Do no logging at all
  - syslog:<facility> Log via syslog. <facility> can be: user, local[0-7], daemon or authpriv.
  - Filename: All logging goes to the given filename. If the filename string is not recognised by any of the reserved words above, it will be handled as a filename.
* Added debug logging of free_nullsafe() calls as well
  David Sommerseth | 2009-09-07 | 2 | -6/+6
* Moved all malloc() operations over to a calloc wrapper, malloc_nullsafe()
  David Sommerseth | 2009-09-07 | 1 | -4/+4
  This also improves debugging, if debug logging is enabled and log level is >= 40.
* Cleaned up and added some missing comments
  David Sommerseth | 2009-09-05 | 2 | -7/+23
* Even more comments
  David Sommerseth | 2009-09-04 | 4 | -23/+65
* Added doxygen comments
  David Sommerseth | 2009-09-02 | 3 | -6/+148
* Added copyright info in CMake files
  David Sommerseth | 2009-09-02 | 1 | -0/+19
* Added missing #include statements
  David Sommerseth | 2009-09-02 | 1 | -0/+1
* Cleaned up the efw-iptables CMake rules
  David Sommerseth | 2009-09-02 | 1 | -3/+11
* Rewritten CMake rules to build common/ as static library
  David Sommerseth | 2009-04-11 | 1 | -2/+1
  This static library is later on linked in. This is to avoid recompiling the same source files several times during a complete eurephia compilation.
* Restructured ./configure and improved the path setup
  David Sommerseth | 2009-03-30 | 1 | -1/+1
  Also added install rules to XSLT files
* Made the licence explicit GPLv2 only
  David Sommerseth | 2009-03-26 | 7 | -7/+7
* Cleaned up the code a little bit
  David Sommerseth | 2009-03-26 | 7 | -15/+15
  Made sure we only include needed include files and checked that the copyright headers are equal and correct
* Merge branch 'master' into eurephiadm
  David Sommerseth | 2008-12-02 | 1 | -2/+2
* Made some messages clearer in efw-iptables
  David Sommerseth | 2008-12-02 | 1 | -2/+2
* Added context_type into eurephiaCTX struct. Database queries limited due to context type.
  David Sommerseth | 2008-11-29 | 1 | -0/+1
* Made eurephia_context.h even more generic and independent
  David Sommerseth | 2008-11-28 | 3 | -1/+7
  eurephia_context.h only needs to know about the eurephiaFWINTF * struct when compiling the auth plug-in and firewall modules. To enable this, EUREPHIA_FWINTF needs to be defined and eurephiafw_struct.h must be included before including eurephia_context.h in the source. When this is not done, *fwcfg will just be a void *.
* Renamed eurephia_struct.h to eurephia_context.h
  David Sommerseth | 2008-11-27 | 4 | -3/+6
  Since this include file now only consists of the eurephiaCTX definition, it was moved to the common/ directory and renamed.
  Moved the SESSION_* definitions out of this file and into plugin/eurephiadb_session.h where they belong.
  Moved the Posix MQ definitions into plugin/firewall/eurephiafw_struct.h where they belong.
  eurephia_context.h now contains only context related things.
* Code cleanup: Split all structures defined in eurephia_struct.h into separate include files
  David Sommerseth | 2008-11-05 | 1 | -0/+48
* Renamed efw_iptables to efw-iptables (underscore -> dash)
  David Sommerseth | 2008-11-05 | 2 | -6/+6
* FEATURE: Enhanced firewall blacklisting to make it more flexible
  David Sommerseth | 2008-11-05 | 2 | -3/+27
  It will now support config option 'firewall_blacklist_send_to'. If set it will send all blacklisted IP addresses to this chain (iptables -j). If this option is not set, it will default to DROP.
* Added double check that IP addr is not null before calling eFW_UpdateFirewall(...)
  David Sommerseth | 2008-11-01 | 1 | -1/+3
* Fixed some typos
  David Sommerseth | 2008-11-01 | 1 | -2/+2
* Added firewall update of blacklisted IP addresses in eFW_StartFirewall(...)
  David Sommerseth | 2008-11-01 | 1 | -0/+20
* Registering all IP addr blacklisted via eFW_UpdateFirewall(...) to avoid duplicates in firewall rules
  David Sommerseth | 2008-11-01 | 1 | -2/+15
* BUGFIX (2/2) ... implemented master side fix of shutdown bug
  David Sommerseth | 2008-11-01 | 2 | -4/+40
  Also changed the worker side to use sem_timedwait(), to not wait forever on shutdown acknowledge
* BUGFIX (1/2) ... implemented worker side fix of shutdown bug
  David Sommerseth | 2008-10-31 | 1 | -1/+9
* Created install rules via cmake
  David Sommerseth | 2008-10-21 | 1 | -0/+1
* Added (untested) firewall block when IP addresses are blacklisted
  David Sommerseth | 2008-10-21 | 3 | -11/+52
  If the configuration variable 'firewall_blacklist_destination' is set, it will insert DROP rules when a blacklisted IP address is attempted. Feature not tested yet.
* Reorganised the source code
  David Sommerseth | 2008-10-15 | 7 | -0/+731
  Moved all OpenVPN plug-in related things into ./plugins, including firewall.
  Moved all shared code into ./common and moved the generic part of the database files into ./database.
  Updated all CMakeLists.txt files and created a new one for the root directory.