/**************************************************\r
opengate server\r
- module for Controling ip6fw \r
+ module for Controling ipfw for IPv6 address \r
\r
Copyright (C) 2005 Opengate Project Team\r
Written by Katsuhiko Eguchi, 2005 \r
\r
#include "opengatesrv.h"\r
\r
-char ruleNumber6[WORDMAXLN]; /* ip6fw rule number in string form */\r
+char ruleNumber6[WORDMAXLN]; /* ipfw rule number in string form */\r
\r
int getRuleNumber6(char *clientAddr6);\r
int GetRuleNumber6(char *clientAddr6);\r
\r
Sigfunc *defaultSigFunc;\r
\r
- /* exclusive exec of ip6fw to avoid overlapped rule number */\r
+ /* exclusive exec of ipfw to avoid overlapped rule number */\r
\r
/**** prepare ****/\r
/* open lockfile */\r
\r
/* set timeout */\r
if((defaultSigFunc=Signal(SIGALRM, sigFunc))==SIG_ERR) return 1;\r
- alarm(LOCKTIMEOUT);\r
+ alarm(atoi(GetConfValue("LockTimeout")));\r
+\r
/* lock */\r
if(Lock(fd)<0){\r
err_msg("ERR at %s#%d: lock error",__FILE__,__LINE__);\r
}\r
\r
/**** write rules ****/\r
- if(atoi(GetConfValue("Ip6fwScript/Enable"))){\r
+ if(atoi(GetConfValue("IpfwScript/Enable"))){\r
/********** use perl script to control firewall ************/\r
\r
- if(Systeml(GetConfValue("Ip6fwScript/Path"),GetConfValue("Ip6fwPath"),\r
+ if(Systeml(1, GetConfValue("IpfwScript/Path"),GetConfValue("IpfwPath"),\r
ruleNumber6,clientAddr6,\r
- userid,macAddr6,userProperty,(char *)0) != 0){\r
- err_msg("ERR at %s#%d: exec ip6fw script error",__FILE__,__LINE__);\r
+ userid,macAddr6,userProperty,\r
+ GetConfValue("IpfwTagNumber"),(char *)0) != 0){\r
+ err_msg("ERR at %s#%d: exec ipfw script error",__FILE__,__LINE__);\r
ret=1; /* abmormal */\r
}\r
\r
\r
}else{\r
/********** direct control of firewall **********************/\r
- /********** add outgoing ip6fw rule for the client *************/\r
- if(Systeml(GetConfValue("Ip6fwPath"),"-q","add",ruleNumber6,"allow","all",\r
- "from",clientAddr6,"to","any",(char *)0) != 0){\r
- err_msg("ERR at %s#%d: exec ip6fw add error",__FILE__,__LINE__);\r
+ /********** add outgoing ipfw rule for the client *************/\r
+ if(Systeml(1, GetConfValue("IpfwPath"),"-q","add",ruleNumber6,\r
+ "count","tag",GetConfValue("IpfwTagNumber"),\r
+ "ip","from",clientAddr6,"to","any",(char *)0) != 0){\r
+ err_msg("ERR at %s#%d: exec ipfw add error",__FILE__,__LINE__);\r
ret=1;\r
}\r
\r
/* lock is not necessary in following exec */\r
Unlock(fd);\r
Close(fd); /* because reserved number is used */\r
- \r
- /********** add incoming ip6fw rule for the client *************/\r
- if(Systeml(GetConfValue("Ip6fwPath"),"-q","add",ruleNumber6,"allow","all",\r
- "from","any","to",clientAddr6,(char *)0) != 0){\r
- err_msg("ERR at %s#%d: exec ip6fw add error",__FILE__,__LINE__);\r
+\r
+ /********** add incoming ipfw rule for the client *************/\r
+ if(Systeml(1, GetConfValue("IpfwPath"),"-q","add",ruleNumber6,\r
+ "count","tag",GetConfValue("IpfwTagNumber"),\r
+ "ip","from","any","to",clientAddr6,(char *)0) != 0){\r
+ err_msg("ERR at %s#%d: exec ipfw add error",__FILE__,__LINE__);\r
ret=1; /* abnormal */\r
}\r
}\r
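Review bot: The new `alarm(atoi(GetConfValue("LockTimeout")))` at L28 has no validation, so a missing or non-numeric LockTimeout makes atoi() return 0 and alarm(0) cancels the timer instead of arming it, leaving the Lock(fd) at L31 able to block indefinitely; if GetConfValue can return NULL the atoi() call is also undefined behaviour (can't tell from here). Mirroring the Signal() failure path at L26, I would write `int lockTimeout=atoi(GetConfValue("LockTimeout"));` / `if(lockTimeout<=0){ err_msg("ERR at %s#%d: bad LockTimeout in config",__FILE__,__LINE__); return 1; }` / `alarm(lockTimeout);`. Separately, the per-client rules at L59-L61 and L76-L78 now install `count tag <IpfwTagNumber>` rather than the previous `allow`, so passing traffic presumably depends on a separate rule matching that tag; a comment above L58 stating that dependency would save the next reader from assuming these rules open the gate by themselves. The enclosing function starts before this hunk (ret and fd are declared outside it).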
int hour, min, sec;\r
time_t timeOut;\r
\r
- /********** del ip6fw rule for the client *************/\r
+ /********** del ipfw rule for the client *************/\r
DelIp6fwRule(pClientAddr->ruleNumber);\r
\r
timeOut = time(NULL);\r
\r
\r
/***********************************************/\r
-/* delete ip6fw rule */\r
+/* delete ipfw rule */\r
/***********************************************/\r
void delIp6fwRule(char *ruleNumber)\r
{\r
int ruleCount;\r
- int i;\r
\r
/* get rule count */\r
ruleCount = CountRuleNumber6(ruleNumber);\r
\r
/* delete rule */\r
- /* [ip6fw del num] deletes one rule registered in the rule number */\r
- for(i=0;i<ruleCount;i++){\r
- if(Systeml(GetConfValue("Ip6fwPath"),"del",ruleNumber,(char *)0) != 0){\r
- err_msg("ERR at %s#%d: exec ip6fw del error",__FILE__,__LINE__);\r
- }\r
+ if(Systeml(1, GetConfValue("IpfwPath"),"delete",ruleNumber,(char *)0) != 0){\r
+ err_msg("ERR at %s#%d: exec ipfw del error",__FILE__,__LINE__);\r
}\r
}\r
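Review bot: `ruleCount` is still computed at L103 through CountRuleNumber6, which executes an `ipfw list`, but with the loop removed nothing reads it any more, so the declaration at L99 and the call at L103 are dead and cost an extra process spawn per deletion. Either drop both, or if the count is kept for a reason, say so; in any case the reason a single call now suffices deserves the comment the patch removed, e.g. `/* [ipfw delete num] removes every rule registered under the number, so one call suffices */` (presumably that is why the per-rule loop went away).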
\r
- /**************************************/\r
-/* get unused ip6fw rule number */\r
+/**************************************/\r
+/* get unused ipfw rule number */\r
/* error if addr is already in rules */ \r
/* return value ret>0: acquired rule number that can be used */\r
/* ret=-1: no rule number available */\r
int fileStatus;\r
enum status {NORMAL, ABNORMAL, FOUND, NOTFOUND, DUPLICATED};\r
\r
- if((fpipe=Popenl("r", GetConfValue("Ip6fwPath"),"list",(char *)0)) == NULL){ \r
- err_msg("ERR at %s#%d: exec ip6fw list error",__FILE__,__LINE__);\r
+ if((fpipe=Popenl(1, "r", GetConfValue("IpfwPath"),"list",(char *)0)) == NULL){ \r
+ err_msg("ERR at %s#%d: exec ipfw list error",__FILE__,__LINE__);\r
}\r
\r
/* search unused rule number in the list read from pipe */\r
fileStatus=NORMAL;\r
\r
/* get rule range from config */\r
- ip6fwmin=atoi(GetConfValue("Ip6fwRule/Min"));\r
- ip6fwmax=atoi(GetConfValue("Ip6fwRule/Max"));\r
- ip6fwinterval=atoi(GetConfValue("Ip6fwRule/Interval"));\r
+ ip6fwmin=atoi(GetConfValue("IpfwRule/Min"));\r
+ ip6fwmax=atoi(GetConfValue("IpfwRule/Max"));\r
+ ip6fwinterval=atoi(GetConfValue("IpfwRule/Interval"));\r
\r
/* each port is checked whether it can be used for new rule or not */\r
for(num=ip6fwmin;num<=ip6fwmax;num+=ip6fwinterval){\r
break;\r
}\r
if( sscanf(buf, "%d", &readinNum) !=1 ){\r
- err_msg("ERR at %s#%d: abnormal ip6fw response[ %s ]",\r
+ err_msg("ERR at %s#%d: abnormal ipfw response[ %s ]",\r
__FILE__,__LINE__,buf);\r
fileStatus=ABNORMAL; /* abnormal responsem exit internal loop */\r
break;\r
Pclose(fpipe);\r
\r
if(fileStatus==ABNORMAL){\r
- err_msg("ERR at %s#%d: abnormal ip6fw response ",__FILE__,__LINE__);\r
+ err_msg("ERR at %s#%d: abnormal ipfw response ",__FILE__,__LINE__);\r
return -2;\r
}\r
if(portStatus==NOTFOUND){\r
- err_msg("ERR at %s#%d: cannot get unused ip6fw number",__FILE__,__LINE__);\r
+ err_msg("ERR at %s#%d: cannot get unused ipfw number",__FILE__,__LINE__);\r
return -1;\r
}\r
if(portStatus==DUPLICATED){\r
}\r
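Review bot: The range values read at L139-L141 are used unchecked by the loop at L144, and since the config keys were just renamed from Ip6fwRule/* to IpfwRule/*, an un-migrated configuration will hit the failure mode: atoi() on a missing or non-numeric IpfwRule/Interval yields 0, `num+=0` never advances, and the loop does not terminate (a zero or negative Min, or Max below Min, is likewise accepted silently). After L141 I would add `if(ip6fwmin<=0 || ip6fwmax<ip6fwmin || ip6fwinterval<=0){ err_msg("ERR at %s#%d: bad IpfwRule range in config",__FILE__,__LINE__); Pclose(fpipe); return -2; }`, matching the existing ABNORMAL return at L158. The enclosing function starts before this hunk, and the loop body is only partly visible here.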
\r
/*******************************/\r
-/* get packet count from ip6fw */\r
+/* get packet count from ipfw */\r
/*******************************/\r
int getPacketCount6(char *ruleNumber)\r
{\r
int packets,packetsSum;\r
\r
/* exec proc */\r
- if((fpipe=Popenl("r", GetConfValue("Ip6fwPath"),"-a","list",ruleNumber,(char *)0)) == NULL){ \r
- err_msg("ERR at %s#%d: exec ip6fw -a list error",__FILE__,__LINE__);\r
+ if((fpipe=Popenl(1, "r", GetConfValue("IpfwPath"),"-a","list",ruleNumber,(char *)0)) == NULL){ \r
+ err_msg("ERR at %s#%d: exec ipfw -a list error",__FILE__,__LINE__);\r
return 0; /* abnormal */\r
}\r
\r
int ruleCount;\r
\r
/* exec proc */\r
- if((fpipe=Popenl("r", GetConfValue("Ip6fwPath"),"list",ruleNumber,(char *)0)) == NULL){ \r
- err_msg("ERR at %s#%d: exec ip6fw list error",__FILE__,__LINE__);\r
+ if((fpipe=Popenl(1, "r", GetConfValue("IpfwPath"),"list",ruleNumber,(char *)0)) == NULL){ \r
+ err_msg("ERR at %s#%d: exec ipfw list error",__FILE__,__LINE__);\r
}\r
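Review bot: When Popenl() returns NULL at L189 the new code logs the error and falls through into the pipe-reading code with a NULL fpipe, whereas the identical call in getPacketCount6 at L179-L181 returns 0 on that failure; the same fall-through exists at L128-L130 in getRuleNumber6. Add `return 0; /* abnormal */` after the err_msg at L190, and for L129 return the function's existing abnormal code, `return -2; /* abnormal */`. The enclosing function starts before this hunk and its body continues past it.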
\r
/* count line read from pipe */\r
{\r
int ret;\r
\r
- if(debug) err_msg("DEBUG:=>getRuleNumber6(%s)",clientAddr6);\r
+ if(debug>1) err_msg("DEBUG:=>getRuleNumber6(%s)",clientAddr6);\r
ret=getRuleNumber6(clientAddr6);\r
- if(debug) err_msg("DEBUG:(%d)<=getRuleNumber6( )",ret);\r
+ if(debug>1) err_msg("DEBUG:(%d)<=getRuleNumber6( )",ret);\r
\r
return ret;\r
}\r
{\r
int ret;\r
\r
- if(debug) err_msg("DEBUG:=>openClientGate6(%s,%s,%s,%s)",clientAddr6,userid,macAddr6,userProperty);\r
+ if(debug>1) err_msg("DEBUG:=>openClientGate6(%s,%s,%s,%s)",clientAddr6,userid,macAddr6,userProperty);\r
ret=openClientGate6(clientAddr6, userid, macAddr6, userProperty);\r
- if(debug) err_msg("DEBUG:(%d)<=openClientGate6( )",ret);\r
+ if(debug>1) err_msg("DEBUG:(%d)<=openClientGate6( )",ret);\r
\r
return ret;\r
}\r
\r
void CloseClientGate6(struct clientAddr *pClientAddr, char *userid, char *macAddr6)\r
{\r
- if(debug) err_msg("DEBUG:=>closeClientGate6(%p,%s,%s)",pClientAddr,userid,macAddr6);\r
+ if(debug>1) err_msg("DEBUG:=>closeClientGate6(%p,%s,%s)",pClientAddr,userid,macAddr6);\r
closeClientGate6(pClientAddr,userid,macAddr6);\r
- if(debug) err_msg("DEBUG:<=closeClientGate6( )");\r
+ if(debug>1) err_msg("DEBUG:<=closeClientGate6( )");\r
}\r
\r
int GetPacketCount6(char *ruleNumber)\r
{\r
int ret;\r
\r
- if(debug) err_msg("DEBUG:=>getPacketCount6(%s)",ruleNumber);\r
+ if(debug>1) err_msg("DEBUG:=>getPacketCount6(%s)",ruleNumber);\r
ret=getPacketCount6(ruleNumber);\r
- if(debug) err_msg("DEBUG:(%d)<=getPacketCount6( )",ret);\r
+ if(debug>1) err_msg("DEBUG:(%d)<=getPacketCount6( )",ret);\r
\r
return ret;\r
}\r
{\r
int ret;\r
\r
- if(debug) err_msg("DEBUG:=>countRuleNumber6(%s)", ruleNumber);\r
+ if(debug>1) err_msg("DEBUG:=>countRuleNumber6(%s)", ruleNumber);\r
ret=countRuleNumber6(ruleNumber);\r
- if(debug) err_msg("DEBUG:(%d)<=countRuleNumber6( )",ret);\r
+ if(debug>1) err_msg("DEBUG:(%d)<=countRuleNumber6( )",ret);\r
\r
return ret;\r
}\r
\r
void DelIp6fwRule(char *ruleNumber){\r
- if(debug) err_msg("DEBUG:=>delIp6fwRule(%s)",ruleNumber);\r
+ if(debug>1) err_msg("DEBUG:=>delIp6fwRule(%s)",ruleNumber);\r
delIp6fwRule(ruleNumber);\r
- if(debug) err_msg("DEBUG:<=delIp6fwRule( )");\r
+ if(debug>1) err_msg("DEBUG:<=delIp6fwRule( )");\r
}\r