1/********************************************************************\
2 * This program is free software; you can redistribute it and/or    *
3 * modify it under the terms of the GNU General Public License as   *
4 * published by the Free Software Foundation; either version 2 of   *
5 * the License, or (at your option) any later version.              *
6 *                                                                  *
7 * This program is distributed in the hope that it will be useful,  *
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of   *
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the    *
10 * GNU General Public License for more details.                     *
11 *                                                                  *
12 * You should have received a copy of the GNU General Public License*
13 * along with this program; if not, contact:                        *
14 *                                                                  *
15 * Free Software Foundation           Voice:  +1-617-542-5942       *
16 * 59 Temple Place - Suite 330        Fax:    +1-617-542-2652       *
17 * Boston, MA  02111-1307,  USA       gnu@gnu.org                   *
18 *                                                                  *
19 \********************************************************************/
20
21/* $Header$ */
22/** @internal
23  @file iptables.c
24  @brief Firewall iptables functions
25  @author Copyright (C) 2004 Philippe April <papril777@yahoo.com>
26 */
27
28#include "common.h"
29
30extern s_config config;
31extern int fw_quiet;
32
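/**
 * @brief Build and run one iptables command
 *
 * Formats @p format and its arguments with printf semantics, prefixes the
 * result with "iptables " and hands the whole line to execute().  Every
 * value substituted into @p format therefore ends up on the command line
 * that execute() runs, so callers must only pass values they control or
 * have validated (chain names, interface names, addresses).
 *
 * @param format printf-style format for the iptables arguments
 * @return the return code of execute(), or -1 if the command line could
 *         not be built (nothing is executed in that case)
 */
int
iptables_do_command(char *format, ...)
{
    va_list vlist;
    char *fmt_cmd = NULL,
        *cmd = NULL;
    int rc;

    va_start(vlist, format);
    rc = vasprintf(&fmt_cmd, format, vlist);
    va_end(vlist);
    if (rc < 0) {
        /* On failure the contents of fmt_cmd are undefined: do not use
         * or free them, just report the error to the caller. */
        return -1;
    }

    if (asprintf(&cmd, "iptables %s", fmt_cmd) < 0) {
        free(fmt_cmd);
        return -1;
    }

    rc = execute(cmd);

    free(fmt_cmd);
    free(cmd);

    return rc;
}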
52
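/**
 * @brief Initialize the firewall
 *
 * Creates the wifidog chains and hooks them into PREROUTING for
 * config.gw_interface:
 *  - nat/wifidog_validate and nat/wifidog_unknown let traffic to the
 *    gateway (config.gw_address), the auth server
 *    (config.authserv_hostname), DHCP (67) and DNS (53) through; validate
 *    also passes HTTP/HTTPS, unknown redirects HTTP to config.gw_port.
 *    Both end in DROP.
 *  - nat/wifidog_known accepts everything, nat/wifidog_locked drops
 *    everything.
 *  - nat/wifidog_class dispatches on the packet mark to one of the chains
 *    above, falling through to wifidog_unknown for unmarked traffic.
 *  - mangle/wifidog_mark is created empty; iptables_fw_access() adds the
 *    per-client MARK rules to it.
 *
 * The mark matches are written as "0x%x".  iptables_fw_access() sets the
 * mark with "--set-mark %d"; hexadecimal formatting here keeps the two
 * spellings equal for every non-negative mark value, whereas the earlier
 * "0x%u" only agreed with the decimal set-mark for single-digit marks.
 *
 * The return codes of the individual commands are not checked.
 *
 * @return always 1
 */
int
iptables_fw_init(void)
{
    fw_quiet = 0;
    iptables_do_command("-t nat -N wifidog_validate");
    iptables_do_command("-t nat -A wifidog_validate -d %s -j ACCEPT", config.gw_address);
    iptables_do_command("-t nat -A wifidog_validate -d %s -j ACCEPT", config.authserv_hostname);
    iptables_do_command("-t nat -A wifidog_validate -p udp --dport 67 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 67 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_validate -p udp --dport 53 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 80 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 443 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_validate -j DROP");

    iptables_do_command("-t nat -N wifidog_unknown");
    iptables_do_command("-t nat -A wifidog_unknown -d %s -j ACCEPT", config.gw_address);
    iptables_do_command("-t nat -A wifidog_unknown -d %s -j ACCEPT", config.authserv_hostname);
    iptables_do_command("-t nat -A wifidog_unknown -p udp --dport 67 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_unknown -p tcp --dport 67 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_unknown -p udp --dport 53 -j ACCEPT");
    iptables_do_command("-t nat -A wifidog_unknown -p tcp --dport 80 -j REDIRECT --to-ports %d", config.gw_port);
    iptables_do_command("-t nat -A wifidog_unknown -j DROP");

    iptables_do_command("-t nat -N wifidog_known");
    iptables_do_command("-t nat -A wifidog_known -j ACCEPT");

    iptables_do_command("-t nat -N wifidog_locked");
    iptables_do_command("-t nat -A wifidog_locked -j DROP");

    /* Hex formatting ("%x") so the matched value equals the decimal
     * "--set-mark %d" used by iptables_fw_access() for any mark, not only
     * for marks below 10. */
    iptables_do_command("-t nat -N wifidog_class");
    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x%x -j wifidog_validate", config.gw_interface, MARK_VALIDATION);
    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x%x -j wifidog_known", config.gw_interface, MARK_KNOWN);
    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x%x -j wifidog_locked", config.gw_interface, MARK_LOCKED);
    iptables_do_command("-t nat -A wifidog_class -i %s -j wifidog_unknown", config.gw_interface);

    iptables_do_command("-t mangle -N wifidog_mark");

    iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j wifidog_mark", config.gw_interface);

    iptables_do_command("-t nat -I PREROUTING 1 -i %s -j wifidog_class", config.gw_interface);

    return 1;
}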
101
/**
 * @brief Destroy the firewall
 *
 * Tears down everything iptables_fw_init() created: flushes and deletes
 * the wifidog chains and removes the PREROUTING jumps into them.  Called
 * on a clean shutdown and again at startup so that rules left behind by a
 * crashed instance do not accumulate.
 *
 * Removing a PREROUTING jump is retried until the delete fails (no rule
 * left to delete) or ten attempts have been made, in case more than one
 * copy of the jump exists.  fw_quiet is raised because most of these
 * commands are expected to fail on a clean system.
 *
 * @return always 1
 */
int
iptables_fw_destroy(void)
{
    int attempt;

    fw_quiet = 1;

    /* Empty the dispatch chains first: iptables will not delete (-X) a
     * chain that is still referenced or non-empty. */
    iptables_do_command("-t nat -F wifidog_class");
    iptables_do_command("-t mangle -F wifidog_mark");

    /* Per-state chains: flush, then delete. */
    iptables_do_command("-t nat -F wifidog_validate");
    iptables_do_command("-t nat -F wifidog_unknown");
    iptables_do_command("-t nat -F wifidog_known");
    iptables_do_command("-t nat -F wifidog_locked");
    iptables_do_command("-t nat -X wifidog_validate");
    iptables_do_command("-t nat -X wifidog_unknown");
    iptables_do_command("-t nat -X wifidog_known");
    iptables_do_command("-t nat -X wifidog_locked");

    /* Unhook wifidog_class from nat PREROUTING, at most 10 attempts. */
    attempt = 0;
    while (attempt < 10) {
        attempt++;
        if (iptables_do_command("-t nat -D PREROUTING -i %s -j wifidog_class", config.gw_interface) != 0) {
            break;
        }
    }
    iptables_do_command("-t nat -X wifidog_class");

    /* Same for wifidog_mark in mangle PREROUTING. */
    attempt = 0;
    while (attempt < 10) {
        attempt++;
        if (iptables_do_command("-t mangle -D PREROUTING -i %s -j wifidog_mark", config.gw_interface) != 0) {
            break;
        }
    }
    iptables_do_command("-t mangle -X wifidog_mark");

    return 1;
}
144
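/**
 * @brief Check that a value may be placed on an iptables command line
 *
 * Accepts only letters, digits and the characters '.', ':', '-' and '_',
 * which cover dotted IPv4 / colon-separated IPv6 addresses and MAC
 * addresses.  Whitespace, quotes and other shell metacharacters are
 * rejected so that they can never be spliced into the command that
 * iptables_do_command() hands to execute().
 *
 * @param s string to check; NULL and "" are rejected
 * @return 1 if the value is safe, 0 otherwise
 */
static int
iptables_fw_arg_is_safe(const char *s)
{
    if (s == NULL || *s == '\0') {
        return 0;
    }
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
            || c == '.' || c == ':' || c == '-' || c == '_') {
            continue;
        }
        return 0;
    }
    return 1;
}

/**
 * @brief Add or remove a client's firewall rule
 *
 * FW_ACCESS_ALLOW appends a rule to mangle/wifidog_mark that marks
 * traffic from @p ip / @p mac with @p tag; FW_ACCESS_DENY deletes that
 * same rule, so the identical ip/mac/tag triple must be passed to undo an
 * ALLOW.  nat/wifidog_class (see iptables_fw_init()) dispatches on the
 * mark.
 *
 * Because the %s arguments are interpolated into a command line, @p ip
 * and @p mac are checked against a conservative character set before
 * any command is run; this also rejects NULL, which would otherwise be
 * passed to %s.
 *
 * @param type FW_ACCESS_ALLOW or FW_ACCESS_DENY
 * @param ip   client IP address
 * @param mac  client MAC address
 * @param tag  mark value to set (presumably one of the MARK_* constants
 *             matched by wifidog_class)
 * @return the result of iptables_do_command(), or -1 for an unknown
 *         @p type or an ip/mac that fails validation
 */
int
iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag)
{
    fw_quiet = 0;

    /* Refuse anything that is not a plain address string before it
     * reaches the command line. */
    if (!iptables_fw_arg_is_safe(ip) || !iptables_fw_arg_is_safe(mac)) {
        return -1;
    }

    switch (type) {
        case FW_ACCESS_ALLOW:
            return iptables_do_command("-t mangle -A wifidog_mark -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
        case FW_ACCESS_DENY:
            return iptables_do_command("-t mangle -D wifidog_mark -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
        default:
            return -1;
    }
}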
162