| Commit message (Collapse) | Author | Age | Files | Lines |

The functions related to dynamic loading of shared objects are a part
of the standard libc library on FreeBSD, while on Linux they are in libdl.
However, the linker on Linux seems to add the libdl linking automatically
when needed, so there is no need to explicitly link this library.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Make use of the iptables conntrack module instead of the older state module
for stateful firewalling.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Now eurephia will support both TUN and TAP configurations in
OpenVPN.
Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness
to test out this patch.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This memory leak got introduced with commit 525d75316848f79208101e48a54e2
which moves the daemonisation of the firewall thread. Two environment
variables were not freed after usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The char buffer returned by eDBget_firewall_profile() must be freed after
usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The current implementation uses the MAC address of the client's VPN
interface. This also restricts eurephia to using TAP mode.
This patch adds preliminary support for also accepting the client's
IP address when updating the firewall rules. But the complete support
for TUN mode is not yet finished.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

As the firewall API has changed with regard to moving away from
a string based implementation to a struct based implementation, the
older eurephia firewall module will not work any longer.
To make sure nothing bad happens, enforce that the efw-iptables
module is at least using API version 2. Also updated the module
version to reflect some changes as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This will later be used to be able to support OpenVPN in tun mode
as well as the currently only supported tap mode. It will first try to
detect the tunnel type based on the 'dev_type' environment variable
if available. If not, it will try to figure it out based on the
device name. If this fails, it is possible to force eurephia
to a specific device type by setting the openvpn_devtype config
variable.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The eurephia plug-in would daemonize the OpenVPN process by calling
daemonize() too early. This patch renames daemonize() to efw_daemonize()
and calls it only in the firewall child process.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Removed old and obsolete expressions used to reference the eurephia database driver.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

- OpenVPN would not exit gracefully due to mq_send() returning 0 on success
- On-the-fly blacklisting with the new API failed due to wrong value checking.
  The request->rule_destination is empty when request->mode==BLACKLIST, so
  the check for rule_destination was moved to the appropriate place.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Removed some #defines which were not needed and added missing comments.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Moved over the missing pieces to use the eFWupdateRequest struct. This is
a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

On Fedora 13 and Rawhide, the sem_wait(), sem_timedwait() and sem_post() functions
are no longer available in librt, only in libpthread. Added extra CMake checks to
check if the functions are in libpthread if not found in librt.

This is related to the changes done in commit c6621d108bb8beb97ca61.

All functions calling eFW_UpdateFirewall() and the iptables driver
need to be updated as well.

The memory leak was caused by not freeing the shadow context the firewall
child process uses for logging. In addition this child process had a
connection to the database open as well, which was not needed. This
connection is now disconnected immediately after the child process has
started.
Also added usage of mlock() to protect sensitive information from being
swapped out to disk.

This has two purposes: to make the code more readable and to use the
same maximum length of the data being retrieved from the environment table.

This only affects functions related to MAC address and certificate depth.

This is a follow up of commit 80b41e27b7361633bee17c64bbb95490dc94ab9f

The eDBopen_session_seed() function was prone to an integer overflow issue, if
the input data (some of which comes from clients) exceeds the size_t max value which
calloc() uses (via malloc_nullsafe()). The totlen variable was in addition defined
as int and the totlen value was multiplied by 2.
The fix was to use the maximum values used when calling get_env(). These maximum
values can then be added together to retrieve the maximum length of the seeddata string.
This should also make the execution go slightly quicker as strlen_nullsafe() is no
longer called for each of the input variables. In addition, there is no reason to
multiply the totlen value by two as it did.
Credit goes to Larry Highsmith for noticing this potential problem.

This is to enhance the security and to avoid possible buffer overflows
based on input received from the client.

Also simplified the initialisation of the logging module. By calling
the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function,
a log context will be set up inside the eurephiaCTX.
To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
The destination string to eurephia_log_init() can be:
- stdout:
  Log everything to stdout
- stderr:
  Log everything to stderr
- none:
  Do no logging at all
- syslog:<facility>
  Log via syslog. <facility> can be: user, local[0-7],
  daemon or authpriv.
- Filename
  All logging goes to the given filename. If the filename
  string is not recognised by any of the reserved words above,
  it will be handled as a filename.

and vars

This also improves debugging, if debug logging is enabled and the log level is >= 40.

A compiler warning showed up when --debug mode was enabled.

This static library is later on linked in. This is to avoid recompiling
the same source files several times during a complete eurephia
compilation.

Also added install rules for XSLT files.