Changeset 458 for trunk/wifidog/src/fw_iptables.c
- Timestamp:
- 02/13/05 21:31:43 (8 years ago)
- Files:
-
- 1 modified
-
trunk/wifidog/src/fw_iptables.c (modified) (12 diffs)
trunk/wifidog/src/fw_iptables.c
r457 r458 183 183 s_config *config; 184 184 char * gw_interface = NULL; 185 char * external_interface = NULL;186 185 int gw_port = 0; 187 186 … … 190 189 config = config_get_config(); 191 190 LOCK_CONFIG(); 192 if (config->gw_interface) 193 gw_interface = strdup(config->gw_interface); 194 if (config->external_interface) 195 external_interface = strdup(config->external_interface); 191 gw_interface = strdup(config->gw_interface); 196 192 gw_port = config->gw_port; 197 193 UNLOCK_CONFIG(); … … 209 205 /* Assign links and rules to these new chains */ 210 206 iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface); 211 212 if (external_interface) { 213 iptables_do_command("-t mangle -I FORWARD 1 -i %s -j " TABLE_WIFIDOG_INCOMING, external_interface); 214 } 215 else { 216 iptables_do_command("-t mangle -I FORWARD 1 -j " TABLE_WIFIDOG_INCOMING); 217 } 207 iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, gw_interface); 218 208 219 209 … … 229 219 230 220 /* Assign links and rules to these new chains */ 231 if (external_interface) { 232 iptables_do_command("-t nat -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface); 233 } 234 else { 235 iptables_do_command("-t nat -I PREROUTING 1 -j " TABLE_WIFIDOG_WIFI_TO_INTERNET); 236 } 237 221 iptables_do_command("-t nat -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface); 238 222 iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j RETURN", FW_MARK_KNOWN); 239 223 iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j RETURN", FW_MARK_PROBATION); 240 224 iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); 225 241 226 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port); 242 227 … … 249 234 250 235 /* Create new chains */ 251 iptables_do_command("-t 
filter -N " TABLE_WIFIDOG_WIFI_TO_GW);252 236 iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); 253 237 iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS); … … 259 243 260 244 /* Assign links and rules to these new chains */ 261 iptables_do_command("-t filter -I INPUT 1 -i %s -j " TABLE_WIFIDOG_WIFI_TO_GW, gw_interface); 262 263 if (external_interface) { 264 iptables_do_command("-t filter -I FORWARD 1 -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface); 265 } 266 else { 267 iptables_do_command("-t filter -I FORWARD 1 -j " TABLE_WIFIDOG_WIFI_TO_INTERNET); 268 } 269 245 iptables_do_command("-t filter -I FORWARD 1 -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface); 270 246 iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS); 271 247 iptables_fw_set_authservers(); … … 287 263 iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable"); 288 264 289 if (gw_interface) 290 free(gw_interface); 291 if (external_interface) 292 free(external_interface); 265 free(gw_interface); 293 266 294 267 return 1; … … 310 283 */ 311 284 iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_OUTGOING); 312 iptables_fw_destroy_mention("mangle", " FORWARD", TABLE_WIFIDOG_INCOMING);285 iptables_fw_destroy_mention("mangle", "POSTROUTING", TABLE_WIFIDOG_INCOMING); 313 286 iptables_do_command("-t mangle -F " TABLE_WIFIDOG_OUTGOING); 314 287 iptables_do_command("-t mangle -F " TABLE_WIFIDOG_INCOMING); … … 332 305 * 333 306 */ 334 iptables_fw_destroy_mention("filter", "INPUT", TABLE_WIFIDOG_WIFI_TO_GW);335 307 iptables_fw_destroy_mention("filter", "FORWARD", TABLE_WIFIDOG_WIFI_TO_INTERNET); 336 iptables_do_command("-t filter -F " TABLE_WIFIDOG_WIFI_TO_GW);337 308 iptables_do_command("-t filter -F " TABLE_WIFIDOG_WIFI_TO_INTERNET); 338 309 iptables_do_command("-t filter -F " TABLE_WIFIDOG_AUTHSERVERS); … … 342 313 iptables_do_command("-t filter -F " 
TABLE_WIFIDOG_KNOWN); 343 314 iptables_do_command("-t filter -F " TABLE_WIFIDOG_UNKNOWN); 344 iptables_do_command("-t filter -X " TABLE_WIFIDOG_WIFI_TO_GW);345 315 iptables_do_command("-t filter -X " TABLE_WIFIDOG_WIFI_TO_INTERNET); 346 316 iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTHSERVERS); … … 418 388 switch(type) { 419 389 case FW_ACCESS_ALLOW: 420 iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_GW " -s %s -j ACCEPT", ip);421 390 iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag); 422 391 rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip); 423 392 break; 424 393 case FW_ACCESS_DENY: 425 iptables_do_command("-t filter -D " TABLE_WIFIDOG_WIFI_TO_GW " -s %s -j ACCEPT", ip);426 394 iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag); 427 395 rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip); … … 484 452 pclose(output); 485 453 486 /* Look for wifi-to-firewall traffic */487 asprintf(&script, "%s %s", "iptables", "-v -n -x -t filter -L " TABLE_WIFIDOG_WIFI_TO_GW);488 if (!(output = popen(script, "r"))) {489 debug(LOG_ERR, "popen(): %s", strerror(errno));490 return -1;491 }492 free(script);493 494 /* skip the first two lines */495 while (('\n' != fgetc(output)) && !feof(output))496 ;497 while (('\n' != fgetc(output)) && !feof(output))498 ;499 while (output && !(feof(output))) {500 rc = fscanf(output, "%*s %lu %*s %*s %*s %*s %*s %15[0-9.] 
%*s", &counter, ip);501 if (2 == rc && EOF != rc) {502 /* Sanity*/503 if (!inet_aton(ip, &tempaddr)) {504 debug(LOG_WARNING, "I was supposed to read an IP address but instead got [%s] - ignoring it", ip);505 continue;506 }507 debug(LOG_DEBUG, "WIFI2FW %s Bytes=%ld", ip, counter);508 LOCK_CLIENT_LIST();509 if ((p1 = client_list_find_by_ip(ip))) {510 if (p1->counters.togateway < counter) {511 p1->counters.togateway = counter;512 p1->counters.last_updated = time(NULL);513 debug(LOG_DEBUG, "%s - Updated togateway counter to %ld bytes from wifi2fw chain", ip, counter);514 }515 } else {516 debug(LOG_ERR, "Could not find %s in client list", ip);517 }518 UNLOCK_CLIENT_LIST();519 }520 }521 pclose(output);522 523 454 /* Look for incoming traffic */ 524 455 asprintf(&script, "%s %s", "iptables", "-v -n -x -t mangle -L " TABLE_WIFIDOG_INCOMING);
