+++ /dev/null
-/*
- * fwd - OpenWrt firewall daemon - main part
- *
- * Copyright (C) 2009 Jo-Philipp Wich <xm@subsignal.org>
- *
- * The fwd program is free software: you can redistribute it and/or
- * modify it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * The fwd program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- * See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with the fwd program. If not, see http://www.gnu.org/licenses/.
- */
-
-
-#include "fwd.h"
-#include "fwd_addr.h"
-#include "fwd_rules.h"
-#include "fwd_config.h"
-#include "fwd_xtables.h"
-#include "fwd_ipc.h"
-#include "fwd_utils.h"
-
-
-static void fwd_foreach_network(
- struct fwd_handle *h,
- void (*cb)(struct fwd_handle *h, struct fwd_network *net)
-) {
- struct fwd_data *data;
- struct fwd_network *net;
-
- for( data = h->conf; data; data = data->next )
- {
- if( data->type != FWD_S_ZONE )
- continue;
-
- for( net = data->section.zone.networks; net; net = net->next )
- cb(h, net);
- }
-}
-
-static void fwd_addif_all_cb(struct fwd_handle *h, struct fwd_network *net)
-{
- fwd_ipt_addif(h, net->name);
-}
-
-static void fwd_delif_all_cb(struct fwd_handle *h, struct fwd_network *net)
-{
- fwd_ipt_delif(h, net->name);
-}
-
-#define fwd_addif_all(h) fwd_foreach_network(h, fwd_addif_all_cb)
-#define fwd_delif_all(h) fwd_foreach_network(h, fwd_delif_all_cb)
-
-
-static int fwd_server_main(int argc, const char *argv[])
-{
- struct fwd_handle *h;
- struct fwd_network *net;
- struct fwd_addr *addrs;
- struct fwd_data *data;
- struct fwd_cidr *addr_old, *addr_new;
- struct sigaction sa;
- int unix_client;
-
- sa.sa_handler = SIG_IGN;
- sigaction(SIGPIPE, &sa, NULL);
-
- if( getuid() > 0 )
- fwd_fatal("Need root permissions!");
-
- if( !(h = fwd_alloc_ptr(struct fwd_handle)) )
- fwd_fatal("Out of memory");
-
- if( (h->rtnl_socket = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) == -1 )
- fwd_fatal("Failed to create AF_NETLINK socket (%m)");
-
- if( (h->unix_socket = fwd_ipc_listen()) == -1 )
- fwd_fatal("Failed to create AF_UNIX socket (%m)");
-
- if( !(h->conf = fwd_read_config(h)) )
- fwd_fatal("Failed to read configuration");
-
- fwd_log_init();
-
- fwd_ipt_build_ruleset(h);
- fwd_addif_all(h);
-
- while(1)
- {
- if( (addrs = fwd_get_addrs(h->rtnl_socket, AF_INET)) != NULL )
- {
- for( data = h->conf; data; data = data->next )
- {
- if( data->type != FWD_S_ZONE )
- continue;
-
- for( net = data->section.zone.networks; net; net = net->next )
- {
- addr_new = fwd_lookup_addr(addrs, net->ifname);
- addr_old = net->addr;
-
- if( !fwd_empty_cidr(addr_new) && fwd_empty_cidr(addr_old) )
- {
- fwd_log_info(
- "Interface %s brought up - adding rules",
- net->ifname
- );
-
- fwd_update_cidr(addr_old, addr_new);
- fwd_ipt_addif(h, net->name);
- }
- else if( fwd_empty_cidr(addr_new) && !fwd_empty_cidr(addr_old) )
- {
- fwd_log_info(
- "Interface %s went down - removing rules",
- net->ifname
- );
-
- fwd_update_cidr(addr_old, NULL);
- fwd_ipt_delif(h, net->name);
- }
- else if( ! fwd_equal_cidr(addr_old, addr_new) )
- {
- fwd_log_info(
- "Interface %s changed IP - rebuilding rules",
- net->ifname
- );
-
- fwd_update_cidr(addr_old, addr_new);
- fwd_ipt_chgif(h, net->name);
- }
- }
- }
-
- fwd_free_addrs(addrs);
- }
-
-
- if( (unix_client = fwd_ipc_accept(h->unix_socket)) > -1 )
- {
- struct fwd_ipc_msg msg;
- memset(&msg, 0, sizeof(struct fwd_ipc_msg));
-
- while( fwd_ipc_recvmsg(unix_client, &msg, sizeof(struct fwd_ipc_msg)) > 0 )
- {
- fwd_log_info("Got message [%i]", msg.type);
-
- switch(msg.type)
- {
- case FWD_IPC_FLUSH:
- fwd_log_info("Flushing rules ...");
- fwd_ipt_clear_ruleset(h);
- fwd_ipc_sendtype(unix_client, FWD_IPC_OK);
- break;
-
- case FWD_IPC_BUILD:
- fwd_log_info("Building rules ...");
- fwd_ipt_clear_ruleset(h);
- fwd_ipt_build_ruleset(h);
- fwd_addif_all(h);
- fwd_ipc_sendtype(unix_client, FWD_IPC_OK);
- break;
-
- case FWD_IPC_RELOAD:
- if( (data = fwd_read_config(h)) != NULL )
- {
- fwd_log_info("Flushing rules ...");
- fwd_ipt_clear_ruleset(h);
- fwd_free_config(h->conf);
- h->conf = data;
- fwd_log_info("Building rules ...");
- fwd_ipt_build_ruleset(h);
- fwd_addif_all(h);
- fwd_ipc_sendtype(unix_client, FWD_IPC_OK);
- }
- else
- {
- fwd_log_err("Cannot reload configuration!");
- fwd_ipc_sendtype(unix_client, FWD_IPC_ERROR);
- }
- break;
-
- case FWD_IPC_ADDIF:
- case FWD_IPC_DELIF:
- if( strlen(msg.data.network) > 0 )
- {
- fwd_ipt_delif(h, msg.data.network);
-
- if( msg.type == FWD_IPC_ADDIF )
- fwd_ipt_addif(h, msg.data.network);
-
- fwd_ipc_sendtype(unix_client, FWD_IPC_OK);
- }
- else
- {
- fwd_log_err("No network name provided!");
- fwd_ipc_sendtype(unix_client, FWD_IPC_ERROR);
- }
- break;
-
- case FWD_IPC_OK:
- case FWD_IPC_ERROR:
- break;
- }
- }
-
- fwd_ipc_shutdown(unix_client);
- }
-
-
- sleep(1);
- }
-
- fwd_delif_all(h);
- fwd_ipt_clear_ruleset(h);
-
- close(h->rtnl_socket);
- fwd_free_config(h->conf);
- fwd_free_ptr(h);
-
- return 0;
-}
-
-static void fwd_client_usage(const char *msg)
-{
- printf(
- "%s\n\n"
- "Usage:\n"
- " fw flush\n"
- " Flush all rules in the firewall and reset policy\n\n"
- " fw build\n"
- " Rebuild firewall rules\n\n"
- " fw reload\n"
- " Reload configuration and rebuild firewall rules\n\n"
- " fw addif {network}\n"
- " Add rules for given network\n\n"
- " fw delif {network}\n"
- " Remove rules for given network\n\n"
- "", msg
- );
-
- exit(1);
-}
-
-static int fwd_client_main(int argc, const char *argv[])
-{
- int unix_server;
- struct fwd_ipc_msg msg;
- enum fwd_ipc_msgtype type;
-
- if( argc < 2 )
- fwd_client_usage("Command required");
-
- if( (unix_server = fwd_ipc_connect()) < 0 )
- fwd_fatal("Cannot connect to server instance (%m)");
-
-
- memset(&msg, 0, sizeof(struct fwd_ipc_msg));
-
- if( !strcmp(argv[1], "flush") )
- type = FWD_IPC_FLUSH;
-
- else if( !strcmp(argv[1], "build") )
- type = FWD_IPC_BUILD;
-
- else if( !strcmp(argv[1], "reload") )
- type = FWD_IPC_RELOAD;
-
- else if( !strcmp(argv[1], "addif") || !strcmp(argv[1], "delif") )
- {
- if( argc < 3 )
- fwd_client_usage("The command requires a parameter.");
-
- type = strcmp(argv[1], "addif") ? FWD_IPC_DELIF : FWD_IPC_ADDIF;
- strncpy(msg.data.network, argv[2], sizeof(msg.data.network));
- }
-
- else
- fwd_client_usage("Invalid command given.");
-
- msg.type = type;
- fwd_ipc_sendmsg(unix_server, &msg, sizeof(struct fwd_ipc_msg));
-
- memset(&msg, 0, sizeof(struct fwd_ipc_msg));
-
- while( fwd_ipc_recvmsg(unix_server, &msg, sizeof(struct fwd_ipc_msg)) == 0 )
- continue;
-
- switch(msg.type)
- {
- case FWD_IPC_OK:
- printf("Success\n");
- break;
-
- case FWD_IPC_ERROR:
- printf("The server reported an error, check logread!\n");
- break;
-
- default:
- fwd_fatal("Unexpected response type %i", msg.type);
- }
-
- fwd_ipc_shutdown(unix_server);
-
- return 0;
-}
-
-int main(int argc, const char *argv[])
-{
- if( strstr(argv[0], "fwd") )
- return fwd_server_main(argc, argv);
- else
- return fwd_client_main(argc, argv);
-}
-
projects / project / luci.git / blobdiff