Changeset 101

Timestamp:
05/04/04 16:22:22 (9 years ago)
Author:
aprilp
Message:

Calling iptables directly instead of using shell scripts

Location:
trunk/wifidog
Files:
2 added
5 modified

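--- a/trunk/wifidog/ChangeLog
+++ b/trunk/wifidog/ChangeLog
@@ -1,3 +1,7 @@
 # $Header$
+2004-05-05  Philippe April <papril777@yahoo.com>
+    * Calling iptables directly instead of using shell scripts
+    for fw_init, fw_destroy and fw_allow/fw_deny
+
 2004-04-23  Philippe April <papril777@yahoo.com>
     * Fixed a debug line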
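--- a/trunk/wifidog/src/Makefile.am
+++ b/trunk/wifidog/src/Makefile.am
@@ -15,4 +15,5 @@
         conf.c \
         debug.c \
+        iptables.c \
         firewall.c \
         gateway.c \
@@ -25,4 +26,5 @@
         conf.h \
         debug.h \
+        iptables.h \
         firewall.h \
         gateway.h \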
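--- a/trunk/wifidog/src/common.h
+++ b/trunk/wifidog/src/common.h
@@ -57,4 +57,5 @@
 #include "commandline.h"
 #include "debug.h"
+#include "iptables.h"
 #include "firewall.h"
 #include "http.h"
@@ -64,7 +65,4 @@
 #define MAX_BUF 4096
 
-#define SCRIPT_FWINIT       "fw.init"
-#define SCRIPT_FWACCESS     "fw.access"
-#define SCRIPT_FWDESTROY    "fw.destroy"
 #define SCRIPT_FWCOUNTERS   "fw.counters"
 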
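--- a/trunk/wifidog/src/firewall.c
+++ b/trunk/wifidog/src/firewall.c
@@ -52,21 +52,7 @@
 fw_allow(char *ip, char *mac, int tag)
 {
-    char            s_tag[16];
-    char            script[MAX_BUF];
-    struct stat     st;
-    char           *command[] = {script, "allow", ip, mac, s_tag, NULL};
-
-    sprintf(s_tag, "%-10d", tag);
-    sprintf(script, "%s/%s/%s", config.fwscripts_path, config.fwtype,
-        SCRIPT_FWACCESS);
-
-    debug(LOG_DEBUG, "Allowing ip %s mac %s with MARK %s", ip, mac, s_tag);
-
-    if (-1 == (stat(script, &st))) {
-        debug(LOG_ERR, "Could not find %s: %s", script,
-              strerror(errno));
-        return (1);
-    }
-    return (execute(command));
+    iptables_do_command("-t mangle -A wifidog_mark -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
+
+    return 1;
 }
 
@@ -85,21 +71,7 @@
 fw_deny(char *ip, char *mac, int tag)
 {
-    char            s_tag[16];
-    char            script[MAX_BUF];
-    struct stat     st;
-    char           *command[] = {script, "deny", ip, mac, s_tag, NULL};
-
-    sprintf(s_tag, "%-10d", tag);
-    sprintf(script, "%s/%s/%s", config.fwscripts_path, config.fwtype,
-        SCRIPT_FWACCESS);
-
-    debug(LOG_DEBUG, "Denying ip %s mac %s with MARK %s", ip, mac, s_tag);
-
-    if (-1 == (stat(script, &st))) {
-        debug(LOG_ERR, "Could not find %s: %s", script,
-              strerror(errno));
-        return (1);
-    }
-    return (execute(command));
+    iptables_do_command("-t mangle -D wifidog_mark -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
+
+    return 1;
 }
 
@@ -112,9 +84,15 @@
  */
 int
-execute(char **argv)
-{
-    int             pid, status, rc;
-
-    debug(LOG_DEBUG, "Executing '%s'", argv[0]);
+execute(char *line)
+{
+    int pid,
+        status,
+        rc;
+
+    const char *new_argv[4];
+    new_argv[0] = "/bin/sh";
+    new_argv[1] = "-c";
+    new_argv[2] = line;
+    new_argv[3] = NULL;
 
     if ((pid = fork()) < 0) {    /* fork a child process           */
@@ -122,5 +100,7 @@
         exit(1);
     } else if (pid == 0) {    /* for the child process:         */
-        if (execvp(*argv, argv) < 0) {    /* execute the command  */
+        /* We don't want to see any errors */
+        close(2);
+        if (execvp("/bin/sh", (char *const *)new_argv) < 0) {    /* execute the command  */
             debug(LOG_ERR, "fork(): %s", strerror(errno));
             exit(1);
@@ -132,5 +112,5 @@
     }
 
-    return (status);
+    return (WEXITSTATUS(status));
 }
 
@@ -177,28 +157,44 @@
 fw_init(void)
 {
-    char            port[16];
-    char            script[MAX_BUF];
-    int             rc;
-    struct stat     st;
-    char           *command[] = {script, config.gw_interface, config.gw_address,
-    port, config.authserv_hostname, NULL};
-
-    sprintf(port, "%-5d", config.gw_port);
-    sprintf(script, "%s/%s/%s", config.fwscripts_path, config.fwtype,
-        SCRIPT_FWINIT);
-
-    if (-1 == (stat(script, &st))) {
-        debug(LOG_ERR, "Could not find %s: %s", script,
-              strerror(errno));
-        debug(LOG_ERR, "Exiting...");
-        exit(1);
-    }
-    debug(LOG_NOTICE, "Setting firewall rules");
-
-    if ((rc = execute(command)) != 0) {
-        debug(LOG_ERR, "Could not setup firewall, exiting...");
-        exit(1);
-    }
-    return (rc);
+    debug(LOG_INFO, "Initializing Firewall");
+
+    iptables_do_command("-t nat -N wifidog_validate");
+    iptables_do_command("-t nat -A wifidog_validate -d %s -j ACCEPT", config.gw_address);
+    iptables_do_command("-t nat -A wifidog_validate -d %s -j ACCEPT", config.authserv_hostname);
+    iptables_do_command("-t nat -A wifidog_validate -p udp --dport 67 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 67 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_validate -p udp --dport 53 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 80 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_validate -p tcp --dport 443 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_validate -j DROP");
+
+    iptables_do_command("-t nat -N wifidog_unknown");
+    iptables_do_command("-t nat -A wifidog_unknown -d %s -j ACCEPT", config.gw_address);
+    iptables_do_command("-t nat -A wifidog_unknown -d %s -j ACCEPT", config.authserv_hostname);
+    iptables_do_command("-t nat -A wifidog_unknown -p udp --dport 67 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_unknown -p tcp --dport 67 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_unknown -p udp --dport 53 -j ACCEPT");
+    iptables_do_command("-t nat -A wifidog_unknown -p tcp --dport 80 -j REDIRECT --to-ports %d", config.gw_port);
+    iptables_do_command("-t nat -A wifidog_unknown -j DROP");
+
+    iptables_do_command("-t nat -N wifidog_known");
+    iptables_do_command("-t nat -A wifidog_known -j ACCEPT");
+
+    iptables_do_command("-t nat -N wifidog_locked");
+    iptables_do_command("-t nat -A wifidog_locked -j DROP");
+
+    iptables_do_command("-t nat -N wifidog_class");
+    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x1 -j wifidog_validate", config.gw_interface);
+    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x2 -j wifidog_known", config.gw_interface);
+    iptables_do_command("-t nat -A wifidog_class -i %s -m mark --mark 0x254 -j wifidog_locked", config.gw_interface);
+    iptables_do_command("-t nat -A wifidog_class -i %s -j wifidog_unknown", config.gw_interface);
+
+    iptables_do_command("-t mangle -N wifidog_mark");
+
+    iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j wifidog_mark", config.gw_interface);
+
+    iptables_do_command("-t nat -I PREROUTING 1 -i %s -j wifidog_class", config.gw_interface);
+
+    return 1;
 }
 
@@ -213,19 +209,36 @@
 fw_destroy(void)
 {
-    char            script[MAX_BUF];
-    struct stat     st;
-    char           *command[] = {script, config.gw_interface, NULL};
-
-    sprintf(script, "%s/%s/%s", config.fwscripts_path, config.fwtype,
-        SCRIPT_FWDESTROY);
-
-    if (-1 == (stat(script, &st))) {
-        debug(LOG_ERR, "Could not find %s: %s", script,
-              strerror(errno));
-        return (1);
-    }
-    debug(LOG_NOTICE, "Flushing firewall rules");
-
-    return (execute(command));
+    int rc, tries, fd;
+
+    debug(LOG_INFO, "Removing Firewall rules");
+
+    iptables_do_command("-t nat -F wifidog_class");
+    iptables_do_command("-t mangle -F wifidog_mark");
+
+    iptables_do_command("-t nat -F wifidog_validate");
+    iptables_do_command("-t nat -F wifidog_unknown");
+    iptables_do_command("-t nat -F wifidog_known");
+    iptables_do_command("-t nat -F wifidog_locked");
+    iptables_do_command("-t nat -X wifidog_validate");
+    iptables_do_command("-t nat -X wifidog_unknown");
+    iptables_do_command("-t nat -X wifidog_known");
+    iptables_do_command("-t nat -X wifidog_locked");
+
+    /* We loop in case wifidog has crashed and left some unwanted rules,
+     * maybe we shouldn't loop forever, we'll give it 10 tries
+     */
+    rc = 0;
+    for (tries = 0; tries < 10 && rc == 0; tries++) {
+        rc = iptables_do_command("-t nat -D PREROUTING -i %s -j wifidog_class", config.gw_interface);
+    }
+    iptables_do_command("-t nat -X wifidog_class");
+
+    rc = 0;
+    for (tries = 0; tries < 10 && rc == 0; tries++) {
+        rc = iptables_do_command("-t mangle -D PREROUTING -i %s -j wifidog_mark", config.gw_interface);
+    }
+    iptables_do_command("-t mangle -X wifidog_mark");
+
+    return 1;
 }
 
@@ -491,2 +504,3 @@
     }
 }
+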
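Review bot: fw_init (new lines 159–198) discards the return value of every iptables_do_command call and returns 1 unconditionally, whereas the removed code exited when the firewall setup failed; a failed chain creation or PREROUTING insert now leaves the gateway running with a partial rule set, which for a captive portal means fail-open. Judging from the retry loops in fw_destroy, iptables_do_command appears to return 0 on success (presumably the WEXITSTATUS that execute() now returns), so the calls can be OR-ed into an rc and checked before returning, aborting as the old code did. The same discard happens in fw_allow and fw_deny, which also return 1 regardless of outcome, so a caller cannot tell whether a client was actually granted or revoked. Separately, execute() now hands the formatted line to `/bin/sh -c`, so the ip and mac values interpolated with %s in fw_allow/fw_deny must be validated (or the command built as an argv) before reaching the shell; that validation is not visible in this hunk.
```c
int
fw_init(void)
{
    int rc = 0;

    debug(LOG_INFO, "Initializing Firewall");

    rc |= iptables_do_command("-t nat -N wifidog_validate");
    rc |= iptables_do_command("-t nat -A wifidog_validate -d %s -j ACCEPT", config.gw_address);
    /* … same rc |= prefix on every remaining rule, in the original order … */
    rc |= iptables_do_command("-t nat -I PREROUTING 1 -i %s -j wifidog_class", config.gw_interface);

    /* A partial rule set would let unauthenticated clients through: abort as the script path did. */
    if (rc != 0) {
        debug(LOG_ERR, "Could not setup firewall, exiting...");
        fw_destroy();
        exit(1);
    }
    return 1;
}
```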
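--- a/trunk/wifidog/src/firewall.h
+++ b/trunk/wifidog/src/firewall.h
@@ -51,5 +51,5 @@
 int fw_deny(char *ip, char *mac, int profile);
 void fw_counter(void);
-int execute(char **argv);
+int execute(char *line);
 char *arp_get(char *req_ip);
 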