From 4138aaef4a31038ccede7d63194b7229e1f85199 Mon Sep 17 00:00:00 2001
From: watanaby <>
Date: Mon, 27 Mar 2006 03:58:43 +0000
Subject: [PATCH] Ver1.3.1: Simplify logics. Modify rulechk script
---
 opengate/conf/{opengatefw.pl => ipfwctrl.pl} | 0
 opengate/doc/Changes.html | 5 +
 opengate/doc/en/install.html | 4 +-
 opengate/doc/ja/install.html | 6 +-
 opengate/javahtml/en/index-ssl.html | 4 +-
 opengate/javahtml/en/index.html | 4 +-
 opengate/javahtml/ja/index-ssl.html | 5 +-
 opengate/javahtml/ja/index.html | 5 +-
 opengate/opengatesrv/Makefile | 4 +-
 opengate/opengatesrv/comm-arp.c | 58 ++---
 opengate/opengatesrv/comm-ip6fw.c | 333 ++++++++-------------------
 opengate/opengatesrv/comm-ipfw.c | 263 ++++++---------------
 opengate/opengatesrv/comm-ndp.c | 154 +++++--------
 opengate/opengatesrv/comm-userdb.c | 2 +-
 opengate/opengatesrv/main.c | 8 +-
 opengate/opengatesrv/opengatesrv.h | 5 +-
 opengate/opengatesrv/utilities.c | 80 +++++++
 opengate/opengatesrv/wrapper.c | 2 -
 opengate/tools/rulechk/opengate_rulechk.pl | 90 ++++++++
 opengate/tools/rulechk/rulechk.sh | 40 ----
 20 files changed, 449 insertions(+), 623 deletions(-)
 rename opengate/conf/{opengatefw.pl => ipfwctrl.pl} (100%)
 mode change 100755 => 100644
 create mode 100644 opengate/tools/rulechk/opengate_rulechk.pl
 delete mode 100644 opengate/tools/rulechk/rulechk.sh
diff --git a/opengate/conf/opengatefw.pl b/opengate/conf/ipfwctrl.pl
old mode 100755
new mode 100644
similarity index 100%
rename from opengate/conf/opengatefw.pl
rename to opengate/conf/ipfwctrl.pl
diff --git a/opengate/doc/Changes.html b/opengate/doc/Changes.html
index a309904..c586d28 100644
--- a/opengate/doc/Changes.html
+++ b/opengate/doc/Changes.html
@@ -403,6 +403,11 @@ Ver.1.3.0 at 2006.3.22
Change address acquisition method for IPv4/IPv6 dual stack and others.
+
+Ver.1.3.1 at 2006.3.27
+
+Simplify logics. Modify rulechk script.
+
Please see CVS in SourceForge.net to check the file difference between versions.
diff --git a/opengate/doc/en/install.html b/opengate/doc/en/install.html
index 0f01374..a2a8953 100644
--- a/opengate/doc/en/install.html
+++ b/opengate/doc/en/install.html
@@ -1337,7 +1337,9 @@ Opengate User Counter

H rulechk Install

-

This is optional. At the abnormal termination of Opengate process, superfluous rule might be left bihind. Though it is very rare, a script dealing with the case is prepared in tools/rulechk. The script compares the Opengate process list and the firewall rule list, and deletes the superfluous rules. +

This is optional. At the abnormal termination of Opengate process, superfluous rule might be left bihind. +Though it is very rare, a script dealing with the case is prepared in tools/rulechk. This script is compatible with the format of Opengate Ver1.3.1 or later. +The script compares the Opengate process list and the firewall rule list, and deletes the superfluous rules.

back top
diff --git a/opengate/doc/ja/install.html b/opengate/doc/ja/install.html
index ec6cc9b..c8b86c7 100644
--- a/opengate/doc/ja/install.html
+++ b/opengate/doc/ja/install.html
@@ -1362,7 +1362,11 @@ Opengate User Counter

H. rulechk‚̃Cƒ“ƒXƒg[ƒ‹õ

-

Opengate‚̃vƒƒZƒX‚ªˆÙíI—¹‚µ‚½‚Æ‚«A‹É‚ß‚Ä‹H‚É‚Å‚Í‚ ‚邪Aƒtƒ@ƒCƒAƒEƒH[ƒ‹ƒ‹[ƒ‹‚ªÁ‚³‚ꂸ‚ÉŽc‚邱‚Æ‚ª‚ ‚éB‚»‚̂悤‚ȏ󋵂ɑΉž‚·‚éƒXƒNƒŠƒvƒg‚ðAtools/rulechk‚É—pˆÓ‚µ‚½B‚±‚̃c[ƒ‹‚́ApsƒRƒ}ƒ“ƒh‚©‚瓾‚ç‚ê‚éOpengateƒvƒƒZƒXˆê——‚ƁAƒtƒ@ƒCƒAƒEƒH[ƒ‹‚©‚瓾‚ç‚ê‚é‹–‰Âƒ‹[ƒ‹ˆê——‚ð”äŠr‚µ‚āA—]•ª‚ȃ‹[ƒ‹‚ðíœ‚·‚éƒXƒNƒŠƒvƒg‚Å‚ ‚éBƒRƒ“ƒ\[ƒ‹‚©‚çŽÀs‚·‚é‚©A‚à‚µ‚­‚͏ã‹L‚Æ“¯—l‚ÉcronŽÀs‚·‚éB‚±‚̃c[ƒ‹‚ÍŒ»ó‚Å‚Íip6fw‚ɑΉž‚µ‚Ä‚¢‚È‚¢B

+

Opengate‚̃vƒƒZƒX‚ªˆÙíI—¹‚µ‚½‚Æ‚«A‹É‚ß‚Ä‹H‚É‚Å‚Í‚ ‚邪Aƒtƒ@ƒCƒAƒEƒH[ƒ‹ƒ‹[ƒ‹‚ªÁ‚³‚ꂸ‚ÉŽc‚邱‚Æ‚ª‚ ‚éB +‚»‚̂悤‚ȏ󋵂ɑΉž‚·‚éƒXƒNƒŠƒvƒg‚ðAtools/rulechk‚É—pˆÓ‚µ‚½BOpengateVer.1.3.1ˆÈ~‚̃tƒH[ƒ}ƒbƒg‚ɂ̂ݑΉž‚·‚éB +‚±‚̃c[ƒ‹‚́ApsƒRƒ}ƒ“ƒh‚©‚瓾‚ç‚ê‚éOpengateƒvƒƒZƒXˆê——‚ƁAƒtƒ@ƒCƒAƒEƒH[ƒ‹‚©‚瓾‚ç‚ê‚é‹–‰Âƒ‹[ƒ‹ˆê——‚ð”äŠr‚µ‚āA +—]•ª‚ȃ‹[ƒ‹‚ðíœ‚·‚éƒXƒNƒŠƒvƒg‚Å‚ ‚éB +ƒRƒ“ƒ\[ƒ‹‚©‚çŽÀs‚·‚é‚©A‚à‚µ‚­‚͏ã‹L‚Æ“¯—l‚ÉcronŽÀs‚·‚éB

back top
diff --git a/opengate/javahtml/en/index-ssl.html b/opengate/javahtml/en/index-ssl.html
index 268a917..ef6b242 100644
--- a/opengate/javahtml/en/index-ssl.html
+++ b/opengate/javahtml/en/index-ssl.html
@@ -42,7 +42,9 @@ SEND.
-Required Usage Duration: minutes(Max 3 hours). The value is used only when Java Applet is not active. Click the TERMINATE link in the accept page at the end of usage.
+Required Usage Duration: minutes(Max 3 hours).
+The value is used only when Java is not active.
+Click the TERMINATE link in the accept page at the end of usage.

diff --git a/opengate/javahtml/en/index.html b/opengate/javahtml/en/index.html
index 95ca653..cf11956 100644
--- a/opengate/javahtml/en/index.html
+++ b/opengate/javahtml/en/index.html
@@ -44,7 +44,9 @@ Please use SSL Authentication as far as possible to prevent wiretapping.
-Required Usage Duration: minutes(Max 3 hours). The value is used only when Java Applet is not active. Click the TERMINATE link in the accept page at the end of usage.
+Required Usage Duration: minutes(Max 3 hours).
+The value is used only when Java is not active.
+Click the TERMINATE link in the accept page at the end of usage.

diff --git a/opengate/javahtml/ja/index-ssl.html b/opengate/javahtml/ja/index-ssl.html
index f46e9be..72c607a 100644
--- a/opengate/javahtml/ja/index-ssl.html
+++ b/opengate/javahtml/ja/index-ssl.html
@@ -38,7 +38,10 @@
-$BI,MW$H$9$kMxMQ7QB3;~4V!'(B $BJ,(B($B:GBg(B3$B;~4V(B)$B!#(BJavaApplet$B$,F0$/%V%i%&%6$G$O@_DjITMW$G$9!#$J$*!";XDj;~4V$h$jAa4|$KMxMQ$r=*$k;~$K$O!"5v2D%Z!<%8$K$"$k!VMxMQCfCG!W$N%j%s%/$r%/%j%C%/$7$F2<$5$$!#(B +$BI,MW$H$9$kMxMQ7QB3;~4V!'(B $BJ,(B +($B:GBg(B3$B;~4V(B)$B!#(BJava$B$,F0$/%V%i%&%6$G$O@_DjITMW$G$9!#(B +$B$J$*!";XDj;~4V$h$jAa4|$KMxMQ$r=*$k;~$K$O!"(B +$B5v2D%Z!<%8$K$"$k!VMxMQCfCG!W$N%j%s%/$r%/%j%C%/$7$F2<$5$$!#(B

diff --git a/opengate/javahtml/ja/index.html b/opengate/javahtml/ja/index.html
index 4416974..938bab7 100644
--- a/opengate/javahtml/ja/index.html
+++ b/opengate/javahtml/ja/index.html
@@ -40,7 +40,10 @@
-$BI,MW$H$9$kMxMQ7QB3;~4V!'(B $BJ,(B($B:GBg(B3$B;~4V(B)$B!#(BJavaApplet$B$,F0$/%V%i%&%6$G$O@_DjITMW$G$9!#$J$*!";XDj;~4V$h$jAa4|$KMxMQ$r=*$k;~$K$O!"5v2D%Z!<%8$K$"$k!VMxMQCfCG!W$N%j%s%/$r%/%j%C%/$7$F2<$5$$!#(B +$BI,MW$H$9$kMxMQ7QB3;~4V!'(B $BJ,(B +($B:GBg(B3$B;~4V(B)$B!#(BJava$B$,F0$/%V%i%&%6$G$O@_DjITMW$G$9!#(B +$B$J$*!";XDj;~4V$h$jAa4|$KMxMQ$r=*$k;~$K$O!"(B +$B5v2D%Z!<%8$K$"$k!VMxMQCfCG!W$N%j%s%/$r%/%j%C%/$7$F2<$5$$!#(B

diff --git a/opengate/opengatesrv/Makefile b/opengate/opengatesrv/Makefile
index 1fa9100..3589270 100644
--- a/opengate/opengatesrv/Makefile
+++ b/opengate/opengatesrv/Makefile
@@ -39,8 +39,8 @@ CONFIGFILE = ${CONFIGPATH}/opengatesrv.conf
 ### use perl script(=1) to add firewall rule or execl ipfw directly(=0)
 # 1 is for flexible control and 0 is for simple control(full open).
 USEFWSCRIPT=0
-### firewall control perl script (copied from ../conf/opengatefw.pl)
-FWSCRIPT = opengatefw.pl
+### firewall control perl script (copied from ../conf/ipfwctrl.pl)
+FWSCRIPT = ipfwctrl.pl
 FWSCRIPTPATH = ${CONFIGPATH}/${FWSCRIPT}
 ### lockfile for ipfw exclusive exec
diff --git a/opengate/opengatesrv/comm-arp.c b/opengate/opengatesrv/comm-arp.c
index d2b2f88..9c2179f 100644
--- a/opengate/opengatesrv/comm-arp.c
+++ b/opengate/opengatesrv/comm-arp.c
@@ -29,72 +29,44 @@ Email: watanaby@is.saga-u.ac.jp /*******************************************************************/ int getMacAddrFromArp(char *clientAddr4, char* macAddr4) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; char buf[BUFFMAXLN]; - int st; char *startp; char *endp; + FILE *fpipe; macAddr4[0]='?'; macAddr4[1]='\0'; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-arp: Cannot create pipe for arp\n"); + /* exec arp */ + if( (fpipe=Popenl("r", ARPPATH, "-n", clientAddr4, (char *)0)) == NULL){ + err_quit("ERR in comm-arp: exec arp -n error"); return -1; } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(ARPPATH,"arp","-n",clientAddr4,(char *)0) == -1){ - err_quit("ERR in comm-arp: execlp error no= %d", errno); - } - exit(1); - } - /* parent proc */ - /* close unuse IO */ - Close(pipewrite_fd); - /* get arp response */ - if(readln(piperead_fd, buf, BUFFMAXLN-1)==0){ + if(fgets(buf, BUFFMAXLN, fpipe)==NULL){ err_msg("ERR in comm-arp: readin error"); + Pclose(fpipe); return -1; - } - + } + + /* close pipe */ + Pclose(fpipe); + /* arp response takes following format */ /* "? (133.49.22.1) at 8:0:20:a5:4:62 [ethernet]"*/ /* get MAC address from above string */ - if((startp=strstr(buf," at "))==NULL) return -1; - startp=startp+4; + startp=startp+4; if((endp=strstr(startp, " "))==NULL) return -1; + + /* cut off string at endp */ *endp='\0'; + /* save to macAddr4 */ strncpy(macAddr4, startp, ADDRMAXLN); - - Close(piperead_fd); - /* wait child end */ - wait(&st); - return 0; } diff --git a/opengate/opengatesrv/comm-ip6fw.c b/opengate/opengatesrv/comm-ip6fw.c index a327e62..745f360 100644 --- a/opengate/opengatesrv/comm-ip6fw.c +++ b/opengate/opengatesrv/comm-ip6fw.c 
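Review bot: `err_quit("ERR in comm-arp: exec arp -n error"); return -1;` — whether err_quit returns is not visible here, but if it terminates the process, as its name and its use without any return at the other Popenl/Systeml sites of this commit suggest, the `return -1` is dead and a failure to spawn arp now ends the opengate server itself, whereas the removed execl-error err_quit ran only inside the forked child. The fgets failure a few lines below already reports the same condition to the caller with `err_msg(...); Pclose(fpipe); return -1;`, so `err_msg("ERR in comm-arp: exec arp -n error"); return -1;` is the consistent form for getMacAddrFromArp. The same err_quit-followed-by-dead-`return`/`ret=1` pattern appears in openClientGate6, closeClientGate6, getRuleNumber6, getPacketCount6 and countRuleNumber (comm-ip6fw.c), in openClientGate4, closeClientGate4, getRuleNumber4 and getPacketCount4 (comm-ipfw.c) and in scanNdpEntry and getMacAddrFromNdp (comm-ndp.c); deleteNdpEntry in comm-ndp.c, which uses err_msg, is the form the others should follow.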
@@ -36,11 +36,11 @@ static void sigFunc(int signo); /******************************************************************/ int openClientGate6(char *clientAddr6, char *userid, char *macAddr6, char *userProperty) { - int st; int fd; - int ret; - int retFork; + int ret=0; int retNum; + int ruleCount; + int ruleNumber; Sigfunc *defaultSigFunc; @@ -61,41 +61,25 @@ int openClientGate6(char *clientAddr6, char *userid, char *macAddr6, char *userP /**** read rules ****/ if((retNum=GetRuleNumber6(clientAddr6))<0){ - /* fail then unlock */ - Unlock(fd); - Close(fd); - if(retNum==-3) return 1; /* ipfw returns abnormal response */ - else return -1; /* already opened or rules are full */ + if(retNum==-2){ /* ipfw returns abnormal response */ + Unlock(fd); + Close(fd); + return 1; + }else{ /* rules are full */ + Unlock(fd); + Close(fd); + return -1; + } } /**** write rules ****/ - if(GetUseFwScript()==1){ /********** use perl script to control firewall ************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(GetFwScriptPath(),GetFwScript(),IP6FWPATH,ruleNumber6,clientAddr6, - userid,macAddr6,userProperty,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); - } - - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); - } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by exit call"); + if(Systeml(GetFwScriptPath(),IP6FWPATH,ruleNumber6,clientAddr6, + userid,macAddr6,userProperty,(char *)0) != 0){ + err_quit("ERR in comm-ip6fw: exec ip6fw script"); + ret=1; /* abmormal */ } Unlock(fd); /* lock is not necessary in following exec */ 
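Review bot: The script branch now hands `userid`, `macAddr6` and `userProperty` to `Systeml(GetFwScriptPath(), IP6FWPATH, ruleNumber6, ...)`; Systeml is not part of this diff (presumably one of the utilities.c additions), and the property the removed code relied on was that execl passed these client-derived strings as separate argv entries with no shell in between. Worth confirming that Systeml and Popenl keep that execv-style list form rather than joining their arguments for system(3)/popen(3), and recording it at the call: `/* Systeml execs the script directly with these argv entries; no shell is involved */`. Separately, the declarations hunk adds `ruleCount` and `ruleNumber` to openClientGate6, yet neither is referenced in any visible hunk of that function (the rule number used is the global ruleNumber6), so they look like leftovers. openClientGate6's body continues in the next hunk below.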
@@ -104,60 +88,21 @@ int openClientGate6(char *clientAddr6, char *userid, char *macAddr6, char *userP }else{ /********** direct control of firewall **********************/ /********** add outgoing ipfw rule for the client *************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(IP6FWPATH,"ip6fw","-q","add",ruleNumber6,"allow","all", - "from",clientAddr6,"to","any",(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); - } - - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); - } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by exit call"); + if(Systeml(IP6FWPATH,"-q","add",ruleNumber6,"allow","all", + "from",clientAddr6,"to","any",(char *)0) != 0){ + err_quit("ERR in comm-ip6fw: exec ip6fw add from addr error"); + ret=1; } Unlock(fd); /* lock is not necessary in following exec */ Close(fd); /* because reserved number is used */ /********** add incoming ipfw rule for the client *************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(IP6FWPATH,"ip6fw","-q","add",ruleNumber6,"allow","all", - "from","any","to",clientAddr6,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); - } - - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); + if(Systeml(IP6FWPATH,"-q","add",ruleNumber6,"allow","all", + "from","any","to",clientAddr6,(char *)0) != 0){ + err_quit("ERR in comm-ip6fw: exec ip6fw add to addr error"); + ret=1; /* abnormal */ } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by 
exit call"); - } - } return ret; } @@ -168,7 +113,6 @@ int openClientGate6(char *clientAddr6, char *userid, char *macAddr6, char *userP /******************************************************************/ void closeClientGate6(struct clientAddr *pClientAddr, char *userid, char *macAddr6) { - int st; double time_l; int hour, min, sec; time_t timeOut; @@ -179,16 +123,9 @@ void closeClientGate6(struct clientAddr *pClientAddr, char *userid, char *macAdd ruleCount = CountRuleNumber(pClientAddr->ruleNumber); while(ruleCount!=0){ - /* fork */ - if(Fork()==0){ - /* child proc */ - if(execl(IP6FWPATH,"ip6fw","del",pClientAddr->ruleNumber,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); + if(Systeml(IP6FWPATH,"del",pClientAddr->ruleNumber,(char *)0) != 0){ + err_quit("ERR in comm-ip6fw: exec ip6fw del error"); } - /* wait child end */ - wait(&st); ruleCount--; } 
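Review bot: In closeClientGate6's `while(ruleCount!=0)` loop a failed `ip6fw del` now goes to `err_quit("ERR in comm-ip6fw: exec ip6fw del error");` — if err_quit exits, the remaining copies of the rule are never deleted and the elapsed-time accounting after the loop is skipped, i.e. a transient ip6fw error leaves behind exactly the stale allow rule that tools/rulechk exists to clean up. `err_msg("ERR in comm-ip6fw: exec ip6fw del error");` and letting the loop continue (ruleCount is decremented regardless) keeps the close path best-effort. The single `ipfw del` in closeClientGate4 (comm-ipfw.c) has the same issue. closeClientGate6 continues past this hunk.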
@@ -208,126 +145,110 @@ void closeClientGate6(struct clientAddr *pClientAddr, char *userid, char *macAdd /* error if addr is already in rules */ /* return value ret>0: acquired rule number that can be used */ /* ret=-1: no rule number available */ -/* ret=-2: the ip address is already opened */ -/* ret=-3: some system error occured */ +/* ret=-2: some system error occured */ +/* ret=-num: the ip address is already registered in rule 'num' */ /**************************************/ int getRuleNumber6(char *clientAddr6) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1,stderr_fd=2; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; int num,newNum,readinNum; - int eofFound; - int abnormalRes; - char *p; + char *p; int ipfwmin; int ipfwmax; int ipfwinterval; + int portStatus; + int fileStatus; + enum status {NORMAL, ABNORMAL, FOUND, NOTFOUND, DUPLICATED}; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ipfw: Cannot create pipe for ip6fw\n"); - return -1; - } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout & strerr */ - Close(stdout_fd); - Close(stderr_fd); - dup(pipewrite_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(IP6FWPATH,"ip6fw","list",(char *)0) == -1){ - err_quit("ERR in comm-ipfw: execlp error no= %d", errno); - } - exit(1); + if((fpipe=Popenl("r", IP6FWPATH,"list",(char *)0)) == NULL){ + err_quit("ERR in comm-ip6fw: exec ip6fw list error"); } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); /* search unused rule number in the list read from pipe */ /* check duplication of clientAddr to existing rules */ + newNum=-1; readinNum=0; - eofFound=0; - abnormalRes=0; + portStatus=NOTFOUND; + fileStatus=NORMAL; /* get rule range from config */ ipfwmin=GetIpfwMin(); ipfwmax=GetIpfwMax(); ipfwinterval=GetIpfwInterval(); + /* each port is 
checked whether it can be used for new rule or not */ for(num=ipfwmin;num<=ipfwmax;num+=ipfwinterval){ /* skip rules smaller than num */ while(readinNumipfwmax)break; + + /* at this point, readNum is larger than num */ + /* it means that num can be used for new client */ + newNum=num; + portStatus=FOUND; + break; } /* close pipe */ - Close(piperead_fd); - - /* wait child end */ - wait(&st); + Pclose(fpipe); - if(newNum==-1){ - err_msg("ERR in comm-ipfw: cannot get unused ip6fw number"); + if(fileStatus==ABNORMAL){ + err_msg("ERR in comm-ip6fw: abnormal ip6fw response "); + return -2; + } + if(portStatus==NOTFOUND){ + err_msg("ERR in comm-ip6fw: cannot get unused ip6fw number"); + return -1; + } + if(portStatus==DUPLICATED){ + err_msg("ERR in comm-ip6fw: the ip-address is already opened"); + return -newNum; } snprintf(ruleNumber6, WORDMAXLN, "%d", newNum); /* to string */ 
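Review bot: getRuleNumber6 now returns `-newNum` for a duplicate address while `-1` and `-2` stay reserved for "no number available" and "abnormal response"; nothing checks the configured range against that, so with GetIpfwMin() of 1 or 2 a duplicate is reported as one of those errors and openClientGate6 maps it to the wrong result. Either reject such a configuration before the loop, `if(ipfwmin<=2){ err_msg("ERR in comm-ip6fw: ipfwmin must be greater than 2"); return -2; }`, or at least state the constraint in the header comment: `/* note: -1 and -2 are reserved as error codes, so ipfwmin must be > 2 */`. getRuleNumber4 in comm-ipfw.c adopts the same convention and has the same gap. getRuleNumber6 continues past this hunk.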
@@ -340,59 +261,27 @@ int getRuleNumber6(char *clientAddr6) /*******************************/ int getPacketCount6(char *ruleNumber) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; int rule; int packets,packetsSum; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ipfw: Cannot create pipe for ip6fw\n"); - return -1; - } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(IP6FWPATH,"ip6fw","-a","list",ruleNumber,(char *)0) == -1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } + /* exec proc */ + if((fpipe=Popenl("r", IP6FWPATH,"-a","list",ruleNumber,(char *)0)) == NULL){ + err_quit("ERR in comm-ipfw: exec ip6fw -a list error"); + return 0; /* abnormal */ } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); /* search unused number in the list read from pipe */ - packetsSum=0; - while(readln(piperead_fd, buf, BUFFMAXLN-1)!=0){ + while(fgets(buf, BUFFMAXLN, fpipe)!=NULL){ sscanf(buf, "%d %d", &rule, &packets); /* get packet count */ packetsSum+=packets; } /* close pipe */ - Close(piperead_fd); - - /* wait child end */ - wait(&st); + Pclose(fpipe); return packetsSum; } 
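Review bot: As this hunk is collapsed, `packetsSum=0;` appears only among the removed lines and is not re-added, while the declaration `int packets,packetsSum;` stays uninitialised; if that is what the patch does, `packetsSum+=packets;` accumulates onto garbage and the traffic count getPacketCount6 returns is unreliable. If the line was in fact kept as context the point is moot — worth confirming, and `int packets, packetsSum=0;` at the declaration settles it either way. The same question applies to getPacketCount4 in comm-ipfw.c. On the Popenl failure path, `return 0; /* abnormal */` after err_quit is reachable only if err_quit returns, and getPacketCount4 has no return there at all, so the two functions should at least agree.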
@@ -402,53 +291,21 @@ int getPacketCount6(char *ruleNumber) /**********************************************/ int countRuleNumber(char *ruleNumber) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; int ruleCount; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ipfw: Cannot create pipe for ip6fw\n"); - return -1; - } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(IP6FWPATH,"ip6fw","list",ruleNumber,(char *)0) == -1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } + /* exec proc */ + if((fpipe=Popenl("r", IP6FWPATH,"list",ruleNumber,(char *)0)) == NULL){ + err_quit("ERR in comm-ipfw: exec ip6fw list error"); } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); /* count line read from pipe */ ruleCount = 0; - while(readln(piperead_fd, buf, BUFFMAXLN-1)!=0) ruleCount++; + while(fgets(buf, BUFFMAXLN, fpipe)!=0) ruleCount++; /* close pipe */ - Close(piperead_fd); - - /* wait child end */ - wait(&st); + Pclose(fpipe); return ruleCount; } diff --git a/opengate/opengatesrv/comm-ipfw.c b/opengate/opengatesrv/comm-ipfw.c index cdef09d..c74ad81 100644 --- a/opengate/opengatesrv/comm-ipfw.c +++ b/opengate/opengatesrv/comm-ipfw.c @@ -37,10 +37,8 @@ static void sigFunc(int signo); /******************************************************************/ int openClientGate4(char *clientAddr4, char *userid, char *macAddr4, char *userProperty) { - int st; int fd; - int ret; - int retFork; + int ret=0; int retNum; Sigfunc *defaultSigFunc; 
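Review bot: `while(fgets(buf, BUFFMAXLN, fpipe)!=0) ruleCount++;` compares a pointer against `0`; every other read loop in this commit spells it `!=NULL`, and `while(fgets(buf, BUFFMAXLN, fpipe)!=NULL) ruleCount++;` reads the same as its siblings. The Popenl failure branch in countRuleNumber neither returns nor sets ruleCount, so should err_quit return, a NULL fpipe reaches fgets; the removed pipe() failure path returned `-1`, and a `return -1;` after the err_quit (or err_msg) restores that contract.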
@@ -65,7 +63,7 @@ int openClientGate4(char *clientAddr4, char *userid, char *macAddr4, char *userP /* fail then unlock */ Unlock(fd); Close(fd); - if(retNum==-3) return 1; /* ipfw returns abnormal response */ + if(retNum==-2) return 1; /* ipfw returns abnormal response */ else return -1; /* already opened or rules are full */ } 
@@ -74,91 +72,32 @@ int openClientGate4(char *clientAddr4, char *userid, char *macAddr4, char *userP if(GetUseFwScript()==1){ /********** use perl script to control firewall ************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(GetFwScriptPath(),GetFwScript(),IPFWPATH,ruleNumber4,clientAddr4, - userid,macAddr4,userProperty,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); + if(Systeml(GetFwScriptPath(),IPFWPATH,ruleNumber4,clientAddr4, + userid,macAddr4,userProperty,(char *)0) != 0){ + err_quit("ERR in comm-ipfw: exec script error"); + ret=1; /* abnormal */ } - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); - } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by exit call"); - } - Unlock(fd); /* lock is not necessary in following exec */ Close(fd); /* because reserved number is used */ }else{ /********** direct control of firewall **********************/ /********** add outgoing ipfw rule for the client *************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(IPFWPATH,"ipfw","-q","add",ruleNumber4,"allow","ip", - "from",clientAddr4,"to","any",(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); - } - - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); - } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by exit call"); + if(Systeml(IPFWPATH,"-q","add",ruleNumber4,"allow","ip", + "from",clientAddr4,"to","any",(char *)0) != 0){ + err_quit("ERR in comm-ipfw: exec ipfw add 
from addr error"); + ret=1; /* abnormal */ } Unlock(fd); /* lock is not necessary in following exec */ Close(fd); /* because reserved number is used */ - /********** add incoming ipfw rule for the client *************/ - /* fork */ - if((retFork=Fork())==0){ - /* child proc */ - if(execl(IPFWPATH,"ipfw","-q","add",ruleNumber4,"allow","ip", - "from","any","to",clientAddr4,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); - } - - /* parent process */ - if(retFork==-1){ - err_msg("ERR in comm-ipfw: fork error no= %d", errno); - } - - /* wait child end */ - wait(&st); - if(WIFEXITED(st)){ - ret=WEXITSTATUS(st); - if(ret) err_msg("ERR in comm-ipfw: child process returns error %d", ret); - } else{ - ret=1; - err_msg("ERR in comm-ipfw: child process does not exited by exit call"); + if(Systeml(IPFWPATH,"-q","add",ruleNumber4,"allow","ip", + "from","any","to",clientAddr4,(char *)0) != 0){ + err_quit("ERR in comm-ipfw: exec ipfw add to addr error"); + ret=1; /* abnormal */ } - } return ret; } @@ -169,23 +108,16 @@ int openClientGate4(char *clientAddr4, char *userid, char *macAddr4, char *userP /******************************************************************/ void closeClientGate4(struct clientAddr *pClientAddr, char *userid, char *macAddr4) { - int st; double time_l; int hour, min, sec; time_t timeOut; /********** del ipfw rule for the client *************/ - /* fork */ - if(Fork()==0){ - /* child proc */ - if(execl(IPFWPATH,"ipfw","del",pClientAddr->ruleNumber,(char *)0)==-1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - exit(1); + /* exec ipfw del */ + if(Systeml(IPFWPATH,"del",pClientAddr->ruleNumber,(char *)0) != 0){ + err_quit("ERR in comm-ipfw: exec ipdw del error"); } - /* wait child end */ - wait(&st); timeOut = time(NULL); time_l=difftime(timeOut,pClientAddr->timeIn); 
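Review bot: `err_quit("ERR in comm-ipfw: exec ipdw del error");` — "ipdw" should read "ipfw", and because this is the deletion path of closeClientGate4, an err_quit that exits also skips the `timeOut = time(NULL); time_l=difftime(timeOut,pClientAddr->timeIn);` accounting that follows; a failed del already leaves the rule behind, so exiting here only loses the record of it. `err_msg("ERR in comm-ipfw: exec ipfw del error");` fixes both. closeClientGate4 continues past the hunk.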
@@ -204,99 +136,72 @@ void closeClientGate4(struct clientAddr *pClientAddr, char *userid, char *macAdd /* error if addr is already in rules */ /* return value ret>0: acquired rule number that can be used */ /* ret=-1: no rule number available */ -/* ret=-2: the ip address is already opened */ -/* ret=-3: some system error occured */ +/* ret=-2: some system error occured */ +/* ret=-num: the ip address is already registered in rule 'num' */ /**************************************/ int getRuleNumber4(char *clientAddr4) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1,stderr_fd=2; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; int num,newNum,readinNum; - int eofFound; - int abnormalRes; char *p; int ipfwmin; int ipfwmax; int ipfwinterval; + int portStatus; + int fileStatus; + enum status {NORMAL, ABNORMAL, FOUND, NOTFOUND, DUPLICATED}; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ipfw: Cannot create pipe for ipfw\n"); - return -1; - } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout & strerr */ - Close(stdout_fd); - Close(stderr_fd); - dup(pipewrite_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(IPFWPATH,"ipfw","list",(char *)0) == -1){ - err_quit("ERR in comm-ipfw: execlp error no= %d", errno); - } - exit(1); + /* exec ipfw list and open pipe */ + if((fpipe=Popenl("r", IPFWPATH,"list",(char *)0)) == NULL){ + err_quit("ERR in comm-ipfw: exec ipfw list error"); } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); /* search unused rule number in the list read from pipe */ /* check duplication of clientAddr to existing rules */ newNum=-1; readinNum=0; - eofFound=0; - abnormalRes=0; + portStatus=NOTFOUND; + fileStatus=NORMAL; /* get rule range from config */ ipfwmin=GetIpfwMin(); ipfwmax=GetIpfwMax(); ipfwinterval=GetIpfwInterval(); + /* 
each port is checked whether it can be used for new rule or not */ for(num=ipfwmin;num<=ipfwmax;num+=ipfwinterval){ /* skip rules smaller than num */ while(readinNumipfwmax)break; + + /* at this point, readNum is larger than num */ + /* it means that num can be used for new client */ + newNum=num; + portStatus=FOUND; + break; } /* close pipe */ - Close(piperead_fd); + Pclose(fpipe); - /* wait child end */ - wait(&st); - - if(newNum==-1){ + if(fileStatus==ABNORMAL){ + err_msg("ERR in comm-ipfw: abnormal ipfw response "); + return -2; + } + if(portStatus==NOTFOUND){ err_msg("ERR in comm-ipfw: cannot get unused ipfw number"); + return -1; + } + if(portStatus==DUPLICATED){ + err_msg("ERR in comm-ipfw: the ip-address is already opened"); + return -newNum; } snprintf(ruleNumber4, WORDMAXLN, "%d", newNum); /* to string */ @@ -330,6 +248,7 @@ int getRuleNumber4(char *clientAddr4) return newNum; } + /****************************************/ /* get packet count from ipfw and ip6fw */ /****************************************/ 
@@ -356,59 +275,26 @@ int getPacketCount(struct clientAddr *pClientAddr) /*******************************/ int getPacketCount4(char *ruleNumber) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; int rule; int packets,packetsSum; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ipfw: Cannot create pipe for ipfw\n"); - return -1; + /* exec proc */ + if((fpipe=Popenl("r", IPFWPATH,"-a","list",ruleNumber,(char *)0)) == NULL){ + err_quit("ERR in comm-ipfw: exec ipfw -a list error"); } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(IPFWPATH,"ipfw","-a","list",ruleNumber,(char *)0) == -1){ - err_quit("ERR in comm-ipfw: execl error no= %d", errno); - } - } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); - /* search unused number in the list read from pipe */ - packetsSum=0; - while(readln(piperead_fd, buf, BUFFMAXLN-1)!=0){ + while(fgets(buf, BUFFMAXLN, fpipe)!=NULL){ sscanf(buf, "%d %d", &rule, &packets); /* get packet count */ packetsSum+=packets; } /* close pipe */ - Close(piperead_fd); - - /* wait child end */ - wait(&st); + Pclose(fpipe); return packetsSum; } @@ -453,6 +339,7 @@ void CloseClientGate4(struct clientAddr *pClientAddr, char *userid, char *macAdd if(DEBUG) err_msg("DEBUG:<=closeClientGate4( )"); } + int GetPacketCount(struct clientAddr *pClientAddr) { int ret; diff --git a/opengate/opengatesrv/comm-ndp.c b/opengate/opengatesrv/comm-ndp.c index 2534585..33d6cce 100644 --- a/opengate/opengatesrv/comm-ndp.c +++ b/opengate/opengatesrv/comm-ndp.c 
@@ -31,10 +31,7 @@ extern char ruleNumber6[WORDMAXLN]; /* ip6fw rule number in string form */ /**************************************/ void scanNdpEntry(struct clientAddr *pClientAddr, char *userid, char *macAddr6, char *userProperty) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; - int st; + FILE *fpipe; int ret; int set; char *startp; 
@@ -43,79 +40,80 @@ void scanNdpEntry(struct clientAddr *pClientAddr, char *userid, char *macAddr6, int pid; struct clientAddr *tmp1, *tmp2, *lastAddr; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ndp: Cannot create pipe for ndp\n"); + /* exec ndp */ + if( (fpipe=Popenl("r", NDPPATH, "-na", (char *)0)) == NULL){ + err_quit("ERR in comm-ndp: exec ndp -na error"); return; } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if( (pid=Fork()) == 0 ){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(NDPPATH,"ndp","-na",(char *)0) == -1){ - err_quit("ERR in comm-ndp: execlp error no= %d", errno); - } - exit(1); - } - - /* parent proc */ - /* close unuse IO */ - Close(pipewrite_fd); - /* get ndp response */ /* ndp response takes following format */ /* "[IPv6Addr] [MacAddr] [InterfaceID] [Expire] [State]" */ /* get IPv6 address from above string */ - // active cheack + /* clear active status for IPv6 address */ tmp1=pClientAddr; while(tmp1!=NULL){ if(tmp1->ipType==IPV6) tmp1->activeStatus=FALSE; lastAddr=tmp1; tmp1=tmp1->next; } - - // skip first line - if(readln(piperead_fd, buf, BUFFMAXLN-1)==0){ + + /* skip first title line in ndp response */ + if(fgets(buf, BUFFMAXLN, fpipe)==NULL){ err_msg("ERR in comm-ndp: readin error"); + Pclose(fpipe); return; } - while(readln(piperead_fd, buf, BUFFMAXLN-1)!=0){ + + /* get ndp response */ + /* ndp response is like [2001:10:20:30::1 0:10:20:30:40:50 ..] */ + while(fgets(buf, BUFFMAXLN, fpipe)!=NULL){ + + /* find the separate point of IP(ip-ndp) and MAC */ if((startp = strstr(buf," "))==NULL) break; + + /* if MAC is differed, skip the line. */ if(strstr(startp,macAddr6)==NULL) continue; + + /* if ip-ndp has [fe80::]. 
skip the line */ *startp = '\0'; if(strstr(buf,"fe80::")!=NULL) continue; + + /* if the address is not registered, */ + /* regist it and open firewall for it */ + + /* cut out ip-ndp */ strncpy(tmpAddr,buf,ADDRMAXLN); + + /* get first ip-reg in address list */ tmp1 = pClientAddr; + + /* init as ip-ndp is not set in list */ set = FALSE; + + /* loop until list end */ while(tmp1!=NULL){ + + /* the list item is IPv4, skip it */ if(tmp1->ipType==IPV4){ tmp1=tmp1->next; continue; } + /* if ip-ndp same as a list item, set it active */ if(strstr(tmpAddr,tmp1->ipAddr)!=NULL){ tmp1->activeStatus=TRUE; set = TRUE; break; } + + /* shift to next list item */ tmp1=tmp1->next; } - // ipfw add new client address + + /* if ip-ndp is not registered, regist it and open firewall for it */ if(set==FALSE){ + /* open firewall */ if((ret=OpenClientGate6(tmpAddr, userid, macAddr6, userProperty))<0){ err_msg("ERR in comm-ndp: error return form openClientGate6"); break; @@ -124,11 +122,15 @@ void scanNdpEntry(struct clientAddr *pClientAddr, char *userid, char *macAddr6, break; } err_msg("OPEN: user %s from %s at %s", userid, tmpAddr, macAddr6); + + /* add ip-ndp to the address list */ lastAddr->next = CreateAddrListItem(tmpAddr,ruleNumber6,6); lastAddr=lastAddr->next; } } - Close(piperead_fd); + /* close pipe */ + Pclose(fpipe); + /* check deleted address from ndp entry */ tmp1 = pClientAddr; @@ -147,9 +149,7 @@ void scanNdpEntry(struct clientAddr *pClientAddr, char *userid, char *macAddr6, } tmp1=tmp1->next; } - - /* wait child end */ - wait(&st); + return; } 
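Review bot: The new comment `/* if MAC is differed, skip the line. */` describes an exact comparison, but the unchanged test beneath it, `strstr(startp,macAddr6)`, is a substring match: a neighbour entry whose MAC field merely contains macAddr6 passes too, and its IPv6 address is then registered and opened through OpenClientGate6 for this user. The comment should say what the code does, `/* skip the line unless its MAC field contains macAddr6 (substring match) */`, and an exact comparison of the second field (split as getMacAddrFromNdp does with strtok) would make the binding precise. Separately, `int pid;` in the context above is never assigned now that the Fork() call is gone, so it can be dropped. scanNdpEntry continues past this hunk; its other two hunks here only adjust comments and remove the wait(&st).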
@@ -158,70 +158,39 @@ void scanNdpEntry(struct clientAddr *pClientAddr, char *userid, char *macAddr6, /**********************************************************************/ int getMacAddrFromNdp(char *clientAddr6, char* macAddr6) { - int fd[2]; - int piperead_fd,pipewrite_fd; - int stdin_fd=0,stdout_fd=1; + FILE *fpipe; char buf[BUFFMAXLN]; - int st; char *startp; char *endp; macAddr6[0]='?'; macAddr6[1]='\0'; - /* create pipe */ - if(pipe(fd)!=0){ - err_msg("ERR in comm-ndp: Cannot create pipe for ndp\n"); - return -1; + /* exec proc */ + if((fpipe=Popenl("r", NDPPATH,"-na",(char *)0)) == NULL){ + err_quit("ERR in comm-ndp: exec ndp -na error"); } - piperead_fd=fd[0]; - pipewrite_fd=fd[1]; - - /* fork */ - if(Fork()==0){ - /* child proc */ - - /* connect pipeout to stdout */ - Close(stdout_fd); - dup(pipewrite_fd); - - /* close other IO */ - Close(stdin_fd); - Close(piperead_fd); - Close(pipewrite_fd); - - /* exec proc */ - if(execl(NDPPATH,"ndp","-na",(char *)0) == -1){ - err_quit("ERR in comm-ndp: execlp error no= %d", errno); - } - exit(1); - } - /* parent proc */ - - /* close unuse IO */ - Close(pipewrite_fd); /* get ndp response */ - // skip first line - if(readln(piperead_fd, buf, BUFFMAXLN-1)==0){ + /* skip first title line */ + if(fgets(buf, BUFFMAXLN, fpipe)==NULL){ err_msg("ERR in comm-ndp: readin error"); + Pclose(fpipe); return -1; } /* arp response takes following format */ /* "[IPv6 Addr] [Mac] [InterfaseID] [Expire] [Status] [Flags] [Prbs]" */ /* get MAC address from above string */ - while(readln(piperead_fd, buf, BUFFMAXLN-1)){ + while(fgets(buf, BUFFMAXLN, fpipe)!=NULL){ if(strstr(buf,clientAddr6)==NULL)continue; startp = strtok(buf," "); startp = strtok(NULL," "); strcpy(macAddr6,startp); } - Close(piperead_fd); + Pclose(fpipe); - /* wait child end */ - wait(&st); return 0; } 
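Review bot: `strcpy(macAddr6,startp)` copies an unbounded token from a `BUFFMAXLN`-sized line into `macAddr6`, which main.c declares as `char macAddr6[ADDRMAXLN]`, and `startp` is NULL when the matching line has fewer than two fields (`strtok(NULL," ")` returns NULL and the copy faults). The line selection `if(strstr(buf,clientAddr6)==NULL)continue;` is a substring match, so `…::1` also selects `…::10`, and because the loop never breaks the last such neighbour's MAC wins — and that MAC is what the caller binds the session to. Compare the first token exactly (assuming ndp prints the address in the same textual form the existing `strstr` already relies on), bound the copy, and stop at the first hit; note this changes last-wins to first-wins. `err_quit` on `Popenl` failure exits, so the `return -1` contract of this function is never exercised on that path.
```c
    while(fgets(buf, BUFFMAXLN, fpipe)!=NULL){
      char *ipTok  = strtok(buf, " ");
      char *macTok = (ipTok != NULL) ? strtok(NULL, " ") : NULL;
      if(ipTok==NULL || macTok==NULL || strcmp(ipTok, clientAddr6)!=0) continue;
      strncpy(macAddr6, macTok, ADDRMAXLN-1);
      macAddr6[ADDRMAXLN-1] = '\0';
      break;
    }
    /* … unchanged: Pclose(fpipe); return 0; … */
```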
@@ -230,21 +199,10 @@ int getMacAddrFromNdp(char *clientAddr6, char* macAddr6) /********************************************/ void deleteNdpEntry(char *clientAddr6) { - int st; - - /********** del ipfw rule for the client *************/ - - /* fork */ - if(Fork()==0){ - /* child proc */ - if(execl(NDPPATH,"ndp","-nd",clientAddr6,(char *)0)==-1){ - err_quit("ERR in comm-ndp: execl error no= %d", errno); - } - exit(1); + /* exec ndp */ + if(Systeml(NDPPATH,"-nd",clientAddr6,(char *)0) != 0){ + err_msg("ERR in comm-ndp: exec ndp -nd error"); } - /* wait child end */ - wait(&st); - return; } diff --git a/opengate/opengatesrv/comm-userdb.c b/opengate/opengatesrv/comm-userdb.c index 18e61fd..2ec376a 100644 --- a/opengate/opengatesrv/comm-userdb.c +++ b/opengate/opengatesrv/comm-userdb.c @@ -17,7 +17,7 @@ int getUserProperty(char userid[USERMAXLN], char userProperty[BUFFMAXLN]) /* Caution: "userid" if default server,*/ /* "userid@serverid" if not. */ /* userProperty[BUFFMAXLN]: output: user property */ - /* the value goes to opengatefw.pl */ + /* the value goes to ipfwctrl.pl */ /* to determine permitting grade. */ /* return value: DENY or ACCEPT */ /* If DENY is returned, the user is denyed. */ diff --git a/opengate/opengatesrv/main.c b/opengate/opengatesrv/main.c index 6c41ee9..7bbb50c 100644 --- a/opengate/opengatesrv/main.c +++ b/opengate/opengatesrv/main.c @@ -33,7 +33,6 @@ char clientAddr4[ADDRMAXLN]=""; /* client addr (nnn.nnn.nnn.nnn) */ char clientAddr6[ADDRMAXLN]=""; /* client addr (nnnn:nnnn:xxxx::xxxx) 128bit */ struct clientAddr *pClientAddr = NULL; -struct clientAddr *pLastClientAddr = NULL; char macAddr4[ADDRMAXLN]="?"; /* client MAC address (format for arp) */ char macAddr6[ADDRMAXLN]="?"; /* client MAC address (format for ndp) */ 
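Review bot: `Systeml(NDPPATH,"-nd",clientAddr6,(char *)0)` replaces a direct `execl` with `system(3)`, so the address is now parsed by `/bin/sh`, while the helper's own header says `DO NOT SET user entered string in args`; `clientAddr6` originates outside this hunk (presumably the CGI environment or the ndp table), so whether it can carry shell metacharacters cannot be confirmed from here. Validate it before the call, accepting only characters an IPv6 literal can contain, e.g. `if(strspn(clientAddr6, "0123456789abcdefABCDEF:.") != strlen(clientAddr6)){ err_msg("ERR in comm-ndp: bad address %s", clientAddr6); return; }` (extend the set with `%` and interface-name characters only if scoped link-local addresses are ever passed), or keep the fork/execl form so no shell is involved. Otherwise the change is behaviourally equivalent — `system()` blocks like the old `wait` — and logging instead of exiting on a non-zero status is appropriate for a best-effort cleanup.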
@@ -127,9 +126,9 @@ int main(int argc, char **argv) if(ipStatus==IPV46DUAL){ setproctitle("%s(useIPv6),[%s(%s)],[%s(%s)]", useridshort, clientAddr4, ruleNumber4, clientAddr6, ruleNumber6); }else if(ipStatus==IPV4ONLY){ - setproctitle("%s,[%s(%s)]",useridshort, clientAddr4, ruleNumber4); + setproctitle("%s,[%s(%s)],",useridshort, clientAddr4, ruleNumber4); }else if(ipStatus==IPV6ONLY){ - setproctitle("%s(useIPv6),[%s(%s)]",useridshort, clientAddr6, ruleNumber6); + setproctitle("%s(useIPv6),,[%s(%s)]",useridshort, clientAddr6, ruleNumber6); } /* get temporary port for server-listen */ @@ -179,6 +178,7 @@ int main(int argc, char **argv) int openClientGate(void) { int ret; + struct clientAddr *pLastClientAddr = NULL; /**** if client have IPv6 & IPv4 addresses, do below */ if(ipStatus == IPV46DUAL){ @@ -236,7 +236,7 @@ int openClientGate(void) /***** if client have IPv4 only, do below */ }else if(ipStatus==IPV4ONLY){ - //err_msg("START: user %s use IPv4(IPv6) at %s", userid, macAddr4); + //err_msg("START: user %s use IPv4 at %s", userid, macAddr4); if((ret=OpenClientGate4(clientAddr4, userid, macAddr4, userProperty))<0){ PutClientMsg("Error: Please End Web and Retry"); diff --git a/opengate/opengatesrv/opengatesrv.h b/opengate/opengatesrv/opengatesrv.h index 35767c6..4f0a147 100644 --- a/opengate/opengatesrv/opengatesrv.h +++ b/opengate/opengatesrv/opengatesrv.h @@ -58,7 +58,7 @@ typedef void Sigfunc(int); /* for signal handlers */ /***** some parameters are overrided by the value in makefile. ****/ -#define DEBUG 0 /* if 1, dump many message to syslog */ +#define DEBUG 1 /* if 1, dump many message to syslog */ #define ERRORTOSYSLOG 1 /* if 1, error message to syslog */ /* if 0, to stderr */ 
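Review bot: The extra commas in `setproctitle("%s,[%s(%s)],", …)` and `"%s(useIPv6),,[%s(%s)]"` exist so opengate_rulechk.pl can split the title with `(.*),(.*),(.*)`, but that contract is implicit and `useridshort` is the first field, so a user name containing a comma or a `[N(M)]` shape shifts or forges the parsed rule numbers; whether userids can contain such characters depends on the authentication backend, which is not visible here. Document the format at the call site, `/* title is "userid,[ip4(rule4)],[ip6(rule6)]" (empty field if absent); parsed by tools/rulechk */`, and consider sanitising useridshort to `[A-Za-z0-9_@.-]` before it enters the title.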
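Review bot: `#define DEBUG 1` turns on verbose syslog output in what the changelog presents as a release (1.3.1), and the new `Popenl`/`Systeml` helpers log the entire assembled command line under this flag (`DEBUG:=>popen(%s, %s)`), so every argument handed to the firewall scripts — which per the comment above `getUserProperty` includes the user property, and presumably the user id — ends up in syslog. The header notes the makefile may override this, but the in-tree default should still be off; if the flip was for local testing, revert `#define DEBUG 1` to `#define DEBUG 0`.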
@@ -166,6 +166,9 @@ ssize_t readln(int fd, void *ptr, size_t maxlen); void Writefmt(int fd, const char *fmt, ...); int Lock(int fd); int Unlock(int fd); +FILE *Popenl(const char *type, const char *path, ...); +int Systeml(const char *path, ...); +int Pclose(FILE *stream); void err_ret(const char *fmt, ...); void err_sys(const char *fmt, ...); diff --git a/opengate/opengatesrv/utilities.c b/opengate/opengatesrv/utilities.c index 18af76a..87cd99b 100644 --- a/opengate/opengatesrv/utilities.c +++ b/opengate/opengatesrv/utilities.c 
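Review bot: The three new prototypes give callers no hint that `Popenl` and `Systeml` differ from the `Fork`/`execl` wrappers declared around them: they join their arguments into one string and hand it to popen(3)/system(3), so `/bin/sh` parses every argument, and the variadic list must end with `(char *)0` or `va_arg` reads past the arguments. State that at the declaration so it is seen without opening utilities.c: `/* Build a command line from path and args and run it via /bin/sh (popen/system). Args must be trusted, never user-supplied; the list ends with (char *)0 */`.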
@@ -202,8 +202,88 @@ int unlock(int fd) return fcntl(fd, F_SETLK, &lck); } +/**************************************************/ +/* popen with argument list */ +/* type : open type "r" or "w" */ +/* path : command path to fork/exec */ +/* ... : command arguments. last must be (char*)0 */ +/* DO NOT SET user entered string in args */ +/**************************************************/ +FILE *Popenl(const char *type, const char *path, ...) +{ + char commandLine[BUFFMAXLN]; + va_list ap; + char *pStr; + FILE *file; + + /* insert command path */ + strncpy(commandLine, path, BUFFMAXLN); + + /* insert command arguments */ + va_start(ap, path); + + while((pStr=va_arg(ap, char *))!=(char *)0){ + strcat(commandLine, " "); + strncat(commandLine, pStr, BUFFMAXLN); + } + + va_end(ap); + + /* open the pipe to the program */ + if(DEBUG) err_msg("DEBUG:=>popen(%s, %s)", commandLine, type); + file=popen(commandLine, type); + if(DEBUG) err_msg("DEBUG:<=popen( )"); + + return file; +} + + +/**************************************************/ +/* system with argument list */ +/* path : command path to fork/exec */ +/* ... : command arguments. last must be (char*)0 */ +/* DO NOT SET user entered string in args */ +/**************************************************/ +int Systeml(const char *path, ...) 
+{ + char commandLine[BUFFMAXLN]; + va_list ap; + char *pStr; + int ret; + + /* insert command path */ + strncpy(commandLine, path, BUFFMAXLN); + + /* insert command arguments */ + va_start(ap, path); + + while((pStr=va_arg(ap, char *))!=(char *)0){ + strcat(commandLine, " "); + strncat(commandLine, pStr, BUFFMAXLN); + } + + va_end(ap); + + /* execute shell */ + if(DEBUG) err_msg("DEBUG:=>system(%s)", commandLine); + ret=system(commandLine); + if(DEBUG) err_msg("DEBUG:<=system()"); + + return ret; +} + /****************************************/ /****************************************/ +int Pclose(FILE *stream) +{ + int ret; + + if(DEBUG) err_msg("DEBUG:=>pclose( )"); + ret = pclose(stream); + if(DEBUG) err_msg("DEBUG:<=pclose( )"); + + return ret; +} ssize_t Readln(int fd, void *ptr, size_t maxlen) { diff --git a/opengate/opengatesrv/wrapper.c b/opengate/opengatesrv/wrapper.c index f5af98a..88fe0c7 100644 --- a/opengate/opengatesrv/wrapper.c +++ b/opengate/opengatesrv/wrapper.c @@ -40,8 +40,6 @@ Pipe(int *fds) err_sys("pipe error"); } - - void Getpeername(int fd, struct sockaddr *sa, socklen_t *salenptr) { diff --git a/opengate/tools/rulechk/opengate_rulechk.pl b/opengate/tools/rulechk/opengate_rulechk.pl new file mode 100644 index 0000000..b624cd0 --- /dev/null +++ b/opengate/tools/rulechk/opengate_rulechk.pl 
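Review bot: The argument loop in both `Popenl` and `Systeml` can overflow `commandLine`: `strncpy(commandLine, path, BUFFMAXLN)` leaves the buffer unterminated when `path` fills it, `strcat(commandLine, " ")` is unbounded, and `strncat(commandLine, pStr, BUFFMAXLN)` limits the bytes appended rather than the total, so each argument may add up to BUFFMAXLN bytes to an already partly filled BUFFMAXLN buffer. The result is then executed by `/bin/sh` through popen/system, which the fork/execl code this replaces never involved, so an over-long or metacharacter-bearing argument is both a memory-safety and a command-injection concern. Track the used length with `snprintf` and fail closed when the line does not fit; `Systeml` gets the same loop and returns `-1` in that case, and the shared builder could be factored into a `static int buildCommandLine(char *buf, size_t len, const char *path, va_list ap)` helper.
```c
FILE *Popenl(const char *type, const char *path, ...)
{
  char commandLine[BUFFMAXLN];
  size_t used;
  int n;
  va_list ap;
  char *pStr;
  FILE *file;

  /* insert command path; refuse anything that does not fit */
  n = snprintf(commandLine, BUFFMAXLN, "%s", path);
  if(n < 0 || n >= BUFFMAXLN){
    err_msg("ERR in Popenl: command line too long");
    return NULL;
  }
  used = (size_t)n;

  /* insert command arguments, bounded by the remaining space */
  va_start(ap, path);
  while((pStr=va_arg(ap, char *))!=(char *)0){
    n = snprintf(commandLine+used, BUFFMAXLN-used, " %s", pStr);
    if(n < 0 || (size_t)n >= BUFFMAXLN-used){
      va_end(ap);
      err_msg("ERR in Popenl: command line too long");
      return NULL;
    }
    used += (size_t)n;
  }
  va_end(ap);

  /* … unchanged: DEBUG logging and popen(commandLine, type) … */
```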
@@ -0,0 +1,90 @@ +#!/usr/bin/perl -U +#This is a script to remove superfluous rules left bihind at the abnormal termination of opengate process. + +### this script is compatible with the format of opengate ver.1.3.1 or later. + +#get opengate process information from 'ps x' output like following lines. +# and save it to $proc table. + +# 1200 ?? | 0:00.00 opengatesrv.cgi: user1(useIPv6),[192.168.1.100(10000)],[2001:1:2:3:4:5:6:7(10000)](opengatesrv.cgi) +# 1200 ?? | 0:00.00 opengatesrv.cgi: user1,[192.168.1.100(10000)](opengatesrv.cgi) +# 1200 ?? | 0:00.00 opengatesrv.cgi: user1(useIPv6),,[2001:1:2:3:4:5:6:7(10000)](opengatesrv.cgi) + +#### +$ipfwmin=10000; +$ipfwmax=40000; +#### + +# get response from 'ps ax' +open(pspipe, "ps ax|"); + +while(){ + # get lines for opengatesrv process and divide it with ',' + if(/opengatesrv.cgi: (.*),(.*),(.*)/){ + $user=$1; $rule4=$2; $rule6=$3; + + # get the rule number for ipfw located between '(' and ')' + if($rule4=~/\((\d*)\)\]/){ + $rule4=$1; + }else{ + $rule4=""; + } + + # get the rule number for ip6fw located between '(' and ')' + if($rule6=~/\((\d*)\)\]/){ + $rule6=$1; + }else{ + $rule6=""; + } + if($rule4!=""){ + $proc4{$rule4}=1; + } + if($rule6!=""){ + $proc6{$rule6}=1; + } + } +} +close(pspipe); + + +#get firewall rules from 'ipfw list' output, +# and delete the superfluous rules that are not included in $proc4 table. + +open(ipfwpipe, "ipfw list|"); +$delcount=0; +$rule=0; +while(){ + if(/^(\d*) allow/){ + $rulesave=$rule; + $rule=$1; + if($rule>=$ipfwmin and $rule<=$ipfwmax and $rule!=$rulesave){ + if(!defined($proc4{$rule})){ + system "ipfw del $rule"; + $delcount++; + } + } + } +} +close(ipfwpipe); + +#get firewall rules from 'ip6fw list' output, +# and delete the superfluous rules that are not included in $proc6 table. +# ipfw deletes all rules having same rule number at once, +# but ip6fw deletes first one rule for matched rule number. 
+ +open(ip6fwpipe, "ip6fw list|"); +while(){ + if(/^(\d*) allow/){ + $rule=$1; + if($rule>=$ipfwmin and $rule<=$ipfwmax){ + if(!defined($proc6{$rule})){ + system "ip6fw del $rule"; + $delcount++; + } + } + } +} +close(ip6fwpipe); + + + diff --git a/opengate/tools/rulechk/rulechk.sh b/opengate/tools/rulechk/rulechk.sh deleted file mode 100644 index 508612d..0000000 --- a/opengate/tools/rulechk/rulechk.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/perl -#This is a script to remove superfluous rules left bihind at the abnormal termination of opengate process. - -#get opengate process information from 'ps x' output -# and save it to $proc table. - -open(pspipe, "ps x|"); -while(){ - if(/opengatesrv.cgi: (.*),(.*),/){ - $rule=$1; $user=$2; - $proc{$rule}=$user; - } -} -close(pspipe); - - -#get firewall rules from 'ipfw list' output, -# and delete the superfluous rules that are not included in $proc table. - -open(ipfwpipe, "ipfw list|"); -$delcount=0; -$rule=0; -while(){ - if(/^(\d*) allow/){ - $rulesave=$rule; - $rule=$1; - if($rule>=10000 and $rule<=40000 and $rule!=$rulesave){ - if(!defined($proc{$rule})){ - system "ipfw del $rule"; - $delcount++; - } - } - } -} -close(ipfwpipe); - -print $delcount." rules are deleted.\n"; - - - -- 2.11.0
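Review bot: `if($rule4!="")` and `if($rule6!="")` are numeric comparisons, so both sides are coerced to 0 and the test is really `$rule4 != 0` — it only works because rule numbers are never 0; use the string operators `if($rule4 ne "")` / `if($rule6 ne "")`, add `use strict; use warnings;`, and drop the `-U` switch from the shebang (it enables unsafe operations and was presumably meant to be `-w`). There is a window between `ps ax` and `ipfw list`: an opengatesrv.cgi that opens its rule after the process list was taken shows up in the firewall but not in `%proc4`/`%proc6`, and the script then deletes the rule of a user who has just authenticated — re-read `ps` and re-check before each `del`, or only delete rules that are orphaned in two consecutive passes. `ps`, `ipfw` and `ip6fw` are invoked by bare name via `open(pspipe, "ps ax|")` and `system "ipfw del $rule"`; since this must run as root (presumably from cron), use absolute paths such as `/bin/ps`, `/sbin/ipfw`, `/sbin/ip6fw` or set `$ENV{PATH}` explicitly, and prefer the list form `open(my $ps, '-|', '/bin/ps', 'ax')`. `$delcount` is incremented but never reported, unlike the script this replaces.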