Example #1
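/*
 * Setuid helper that (re)creates the fcron symlink which schedules the
 * updatexlrator "checkup" script.
 *
 * Usage: <prog> cron (daily|weekly|monthly)
 *
 * A first argument other than "cron" is accepted and does nothing.
 * Returns 0 on success and 1 on a missing or unknown argument; exits with
 * status 1 when initsetuid() fails.
 */
int main(int argc, char *argv[]) {
    const char *interval;

    if (argc < 2) {
        printf("invalid parameter(s)\n");
        return(1);
    }

    if (!(initsetuid()))
        exit(1);

    if (strcmp(argv[1], "cron") == 0) {
        /*
         * argv[2] is NULL when only "cron" was given; comparing it with
         * strcmp() would dereference a null pointer in a privileged helper.
         * Treat a missing interval like an unknown one.
         */
        interval = (argc > 2) ? argv[2] : "";

        /*
         * Drop any existing schedule link first. The redirection used to read
         * "2&>/dev/null", which hands a stray operand "2" to rm (and is not
         * portable sh); the intent is only to silence the command.
         */
        safe_system("rm /etc/fcron.*/updxlrator >/dev/null 2>&1");

        if (strcmp(interval, "daily") == 0) {
            safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.daily/updxlrator");
        } else if (strcmp(interval, "weekly") == 0) {
            safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.weekly/updxlrator");
        } else if (strcmp(interval, "monthly") == 0) {
            safe_system("ln -s /var/ipfire/updatexlrator/bin/checkup /etc/fcron.monthly/updxlrator");
        } else {
            printf("invalid parameter(s)\n");
            return(1);
        }
    }
    return 0;
}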
Example #2
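/*
 * ACCEPT IKE (udp/500) and, when nat_traversal_port is non-zero, the NAT
 * traversal UDP port on the given interface in the IPSECINPUT chain.
 * Each rule is deleted first and then appended, so repeated calls do not
 * stack duplicate rules. The GRE/ESP/AH rules below are disabled.
 *
 * interface          name of the interface, placed after "-i"
 * nat_traversal_port UDP port to open in addition to 500; 0 opens none
 *
 * NOTE(review): interface is pasted into a shell command line and this
 * function does not validate it; callers must pass only a checked device
 * name. Confirm every call site does.
 */
void open_physical (char *interface, int nat_traversal_port) {
        char str[STRING_SIZE];
        int n;

        // GRE ???
//        sprintf(str, "/sbin/iptables -A " phystable " -p 47  -i %s -j ACCEPT", interface);
//        safe_system(str);
        // ESP
//        sprintf(str, "/sbin/iptables -A " phystable " -p 50  -i %s -j ACCEPT", interface);
//        safe_system(str);
        // AH
//        sprintf(str, "/sbin/iptables -A " phystable " -p 51  -i %s -j ACCEPT", interface);
//        safe_system(str);
        // IKE

        /*
         * snprintf() with a truncation check replaces the unbounded sprintf():
         * an over-long interface name must neither overflow str nor run as a
         * silently shortened command.
         */
        n = snprintf(str, sizeof(str), "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
        if (n < 0 || (size_t)n >= sizeof(str)) {
            fprintf(stderr, "Command too long\n");
            return;
        }
        safe_system(str);

        n = snprintf(str, sizeof(str), "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
        if (n < 0 || (size_t)n >= sizeof(str)) {
            fprintf(stderr, "Command too long\n");
            return;
        }
        safe_system(str);

        if (! nat_traversal_port)
            return;

        n = snprintf(str, sizeof(str), "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
        if (n < 0 || (size_t)n >= sizeof(str)) {
            fprintf(stderr, "Command too long\n");
            return;
        }
        safe_system(str);

        n = snprintf(str, sizeof(str), "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
        if (n < 0 || (size_t)n >= sizeof(str)) {
            fprintf(stderr, "Command too long\n");
            return;
        }
        safe_system(str);
}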
Example #3
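/*
 * Return 1 when arg is non-empty and made only of letters, digits and
 * "/._-:=+,@". None of these characters is special to the shell, so a value
 * that passes cannot end the argument or start another command.
 * NOTE(review): the allowlist is deliberately conservative; confirm it
 * covers every value extrahd.pl is legitimately called with.
 */
static int arg_is_shell_safe(const char *arg)
{
	const char *p;

	if (arg == NULL || *arg == '\0')
		return 0;

	for (p = arg; *p != '\0'; p++) {
		char c = *p;

		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') ||
		    c == '/' || c == '.' || c == '_' || c == '-' ||
		    c == ':' || c == '=' || c == '+' || c == ',' || c == '@')
			continue;
		return 0;
	}
	return 1;
}

/*
 * Setuid helper that runs /var/ipfire/extrahd/bin/extrahd.pl with two
 * caller-supplied arguments.
 *
 * Both arguments come from the (unprivileged) caller and end up on a shell
 * command line that runs with elevated rights, so they are checked for
 * presence, for shell-safe content and for fitting into the buffer before
 * anything is executed. Exits with status 1 on any of these failures.
 */
int main(int argc, char *argv[]) {

	char command[512];
	int n;

	if (!(initsetuid()))
		exit(1);

	/* argv[1] and argv[2] are both required; without this check they may be NULL. */
	if (argc < 3) {
		fprintf(stderr, "\nNot enough arguments given.\n\n");
		exit(1);
	}

	if (!arg_is_shell_safe(argv[1]) || !arg_is_shell_safe(argv[2])) {
		fprintf(stderr, "\nBad argument given.\n\n");
		exit(1);
	}

	n = snprintf(command, sizeof(command), "/var/ipfire/extrahd/bin/extrahd.pl %s %s", argv[1], argv[2]);
	if (n < 0 || (size_t)n >= sizeof(command)) {
		/* never run a command that was cut off in the middle of an argument */
		fprintf(stderr, "\nArguments too long.\n\n");
		exit(1);
	}

	safe_system("chmod 755 /var/ipfire/extrahd/bin/extrahd.pl 2>&1 >/dev/null");
	safe_system(command);

	return 0;
}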
Example #4
/*
 * Append the closing DROP rules for the BLUE device to WIRELESSINPUT and
 * WIRELESSFORWARD, then close the config stream if one is open.
 * Nothing is added when blue_dev is empty.
 */
void exithandler(void) {
	/* The rules carry a comment match so that collectd can collect their byte counters. */
	if (blue_dev[0] != '\0') {
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);

		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);
	}

	if (fd != NULL) {
		fclose(fd);
	}
}
Example #5
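/*
 * Return 1 when arg is non-empty, does not begin with '-', and is made only
 * of letters, digits, ':', '.', '_' and '-'. That covers MAC addresses and
 * interface names while excluding every shell metacharacter and anything
 * that would be read as a command-line option.
 */
static int arg_is_plain_token(const char *arg)
{
	const char *p;

	if (arg == NULL || *arg == '\0' || *arg == '-')
		return 0;

	for (p = arg; *p != '\0'; p++) {
		char c = *p;

		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') ||
		    c == ':' || c == '.' || c == '_' || c == '-')
			continue;
		return 0;
	}
	return 1;
}

/*
 * Setuid helper that sends a wake-on-LAN packet with etherwake, once as is
 * and once with the broadcast flag.
 *
 * argv[1] is the target address, argv[2] the interface to send on. Both are
 * caller-controlled and are placed on a shell command line, so they are
 * checked before use. Returns 0 after sending, 1 on bad arguments.
 */
int main(int argc, char *argv[])
{
	int n;

	if (!(initsetuid()))
		exit(1);

	/* Both arguments are required; argv[2] is NULL when only one was given. */
	if (argc < 3) {
		fprintf(stderr, "\nNot enough arguments given.\n\n");
		return(1);
	}

	if (!arg_is_plain_token(argv[1]) || !arg_is_plain_token(argv[2])) {
		fprintf(stderr, "\nBad argument given.\n\n");
		return(1);
	}

	n = snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s %s", argv[2], argv[1]);
	if (n < 0 || n >= BUFFER_SIZE-1) {
		fprintf(stderr, "\nArguments too long.\n\n");
		return(1);
	}
	safe_system(command);

	/* Send magic packet with broadcast flag set. */
	n = snprintf(command, BUFFER_SIZE-1, "/usr/sbin/etherwake -i %s -b %s", argv[2], argv[1]);
	if (n < 0 || n >= BUFFER_SIZE-1) {
		fprintf(stderr, "\nArguments too long.\n\n");
		return(1);
	}
	safe_system(command);

	return(0);
}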
Example #6
/*
 * Setuid front end for the squid init script.
 *
 * argv[1] selects one of a fixed set of actions; the argument is only
 * compared against literals and never becomes part of a command line.
 * Exits with status 1 when the argument is missing or unknown.
 *
 * NOTE(review): the usage texts do not list "enable"/"disable", and the
 * second one lists "setperms", which no branch handles.
 */
int main(int argc, char *argv[]) {
	const char *action;

	if (!initsetuid()) {
		exit(1);
	}

	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\nsquidctrl (start|stop|restart|flush|reconfigure)\n\n");
		exit(1);
	}

	action = argv[1];

	if (!strcmp(action, "start")) {
		safe_system("/etc/rc.d/init.d/squid start");
		return 0;
	}
	if (!strcmp(action, "stop")) {
		safe_system("/etc/rc.d/init.d/squid stop");
		return 0;
	}
	if (!strcmp(action, "restart")) {
		safe_system("/etc/rc.d/init.d/squid restart");
		return 0;
	}
	if (!strcmp(action, "reconfigure")) {
		safe_system("/etc/rc.d/init.d/squid reconfigure");
		return 0;
	}
	if (!strcmp(action, "flush")) {
		safe_system("/etc/rc.d/init.d/squid flush");
		return 0;
	}
	if (!strcmp(action, "enable")) {
		/* create the K00squid links in rc0.d and rc6.d */
		safe_system("ln -fs ../init.d/squid /etc/rc.d/rc0.d/K00squid >/dev/null 2>&1");
		safe_system("ln -fs ../init.d/squid /etc/rc.d/rc6.d/K00squid >/dev/null 2>&1");
		return 0;
	}
	if (!strcmp(action, "disable")) {
		safe_system("rm -f /etc/rc.d/rc*.d/*squid >/dev/null 2>&1");
		return 0;
	}

	fprintf(stderr, "\nBad argument given.\n\nsquidctrl (start|stop|restart|flush|reconfigure|setperms)\n\n");
	exit(1);
}
Example #7
/*
 * Issue the ipsec commands that turn off connection 'name'.
 *
 * All SAs of the connection are taken down with "ipsec down", then the
 * configuration is reloaded so the connection is dropped.
 *
 * NOTE(review): name is placed on a shell command line and is not checked
 * here; callers must pass only a validated connection name.
 */
void turn_connection_off (char *name) {
	char down_cmd[STRING_SIZE];

	/* Step 1: bring the connection down. */
	snprintf(down_cmd, STRING_SIZE - 1, "/usr/sbin/ipsec down %s >/dev/null", name);
	safe_system(down_cmd);

	/* Step 2: reload so the daemon forgets the connection. */
	safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
}
Example #8
/*
 * Pointer-argument wrapper around safe_system(): reads the timeout through
 * timeout_seconds, runs command, and stores the result in *return_status.
 * Both pointers must be valid; neither is checked.
 */
void safe_system_f( const char *command,
                    int *timeout_seconds,
                    int *return_status )
{
   *return_status = safe_system( command, *timeout_seconds );
}
Example #9
/*
 * Setuid helper that runs /usr/bin/sendprofile. Takes no arguments, so no
 * caller-supplied text reaches the command line. Exits with status 1 when
 * initsetuid() fails.
 */
int main(void)
{
	if (initsetuid() == 0) {
		exit(1);
	}

	safe_system("/usr/bin/sendprofile");
	return 0;
}
Example #10
/*
 * Setuid helper that halts the machine with "/sbin/shutdown -h now".
 * Takes no arguments. Exits with status 1 when initsetuid() fails.
 */
int main(void)
{
	if (initsetuid() == 0) {
		exit(1);
	}

	safe_system("/sbin/shutdown -h now");
	return 0;
}
Example #11
/*
 * Issue the ipsec commands that turn on connection 'name'.
 *
 * The connection is first taken down (in case it is already established),
 * the configuration is reloaded into the daemon, and the connection is then
 * brought up. The 'type' argument is not used.
 *
 * NOTE(review): name is placed on a shell command line and is not checked
 * here; callers must pass only a validated connection name.
 */
void turn_connection_on(char *name, char *type) {
	char cmdline[STRING_SIZE];

	/* 1. Make sure we do not start from an established connection. */
	snprintf(cmdline, STRING_SIZE - 1, "/usr/sbin/ipsec down %s >/dev/null", name);
	safe_system(cmdline);

	/* 2. Load the current configuration into the daemon. */
	safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");

	/* 3. Bring the connection up. */
	snprintf(cmdline, STRING_SIZE - 1, "/usr/sbin/ipsec up %s >/dev/null", name);
	safe_system(cmdline);
}
Example #12
/*
 * Setuid helper that prints either the IPsec eroute table (--eroute) or the
 * connection tracking table as XML.
 *
 * Options are parsed before privileges are raised; the commands that run
 * are fixed strings. --verbose/-v increments flag_verbose, --help prints the
 * usage text.
 */
int main(int argc, char *argv[])
{
    static struct option long_options[] =
    {
        { "eroute",  no_argument, &flag_eroute, 1 },
        { "verbose", no_argument, 0, 'v' },
        { "help",    no_argument, 0, 'h' },
        { 0, 0, 0, 0}
    };
    int option_index = 0;
    int opt;

    for (;;) {
        opt = getopt_long(argc, argv, "v", long_options, &option_index);
        if (opt == -1)
            break;

        if (opt == 0)            /* a flag option stored its value itself */
            continue;

        if (opt == 'v') {        /* verbose */
            flag_verbose++;
            continue;
        }

        if (opt == 'h')
            usage(argv[0], 0);

        /*
         * Reached for every unrecognised option, and also after the help
         * case above should usage() return (presumably it exits -- confirm).
         */
        fprintf(stderr, "unknown option\n");
        usage(argv[0], 1);
    }

    if (initsetuid() == 0)
        exit(1);

    if (!flag_eroute) {
        safe_system("/usr/sbin/conntrack -L -o xml 2>/dev/null");
    } else {
        safe_system("/bin/cat /proc/net/ipsec_eroute 2>/dev/null");
    }

    return(0);
}
Example #13
/*
 * Setuid front end for the generated QoS script (QOS_SH).
 *
 * "generate" rebuilds QOS_SH from the QoS settings when ENABLED is "on" and
 * removes it otherwise. start/stop/status/restart run QOS_SH with the
 * matching verb ("stop" maps to "clear"), but only if QOS_SH exists.
 * argv[1] is only compared against literals and never reaches a command
 * line. Returns 1 when the settings cannot be read, exits with 1 on a
 * missing or unknown argument.
 */
int main(int argc, char *argv[]) {
	struct keyvalue *settings = NULL;
	const char *action;
	int probe_fd = -1;
	int rc = 0;

	if (!initsetuid())
		exit(1);

	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\nqosctrl (start|stop|restart|status|generate)\n\n");
		exit(1);
	}

	action = argv[1];

	if (strcmp(action, "generate") == 0) {
		char enabled[STRING_SIZE];

		settings = initkeyvalues();
		if (!readkeyvalues(settings, CONFIG_ROOT "/qos/settings")) {
			fprintf(stderr, "Cannot read QoS settings\n");
			rc = 1;
			goto END;
		}

		/* a missing ENABLED key counts as "off" */
		if (!findkey(settings, "ENABLED", enabled))
			strcpy(enabled, "off");

		if (strcmp(enabled, "on") != 0)
			unlink(QOS_SH);
		else
			safe_system("/usr/bin/perl /var/ipfire/qos/bin/makeqosscripts.pl > " QOS_SH);
	}

	/* If there is no qos.sh do nothing. */
	probe_fd = open(QOS_SH, O_RDONLY);
	if (probe_fd == -1)
		goto END;
	close(probe_fd);

	safe_system("chmod 755 " QOS_SH " &>/dev/null");

	if (strcmp(action, "start") == 0) {
		safe_system(QOS_SH " start");
	} else if (strcmp(action, "stop") == 0) {
		safe_system(QOS_SH " clear");
	} else if (strcmp(action, "status") == 0) {
		safe_system(QOS_SH " status");
	} else if (strcmp(action, "restart") == 0) {
		safe_system(QOS_SH " restart");
	} else if (strcmp(action, "generate") == 0) {
		/* generation was already done above */
		exit(0);
	} else {
		fprintf(stderr, "\nBad argument given.\n\nqosctrl (start|stop|restart|status|generate)\n\n");
		exit(1);
	}

END:
	if (settings != NULL)
		freekeyvalues(settings);

	return rc;
}
Example #14
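/*
 * Return 1 when rel is a non-empty relative path made only of letters,
 * digits, '/', '.', '_' and '-', and containing no ".." sequence.
 * This keeps the value free of shell metacharacters and keeps the resulting
 * path inside the directory it is appended to.
 * NOTE(review): confirm the allowlist covers every name the update cache
 * actually uses.
 */
static int cache_path_is_safe(const char *rel)
{
	const char *p;

	if (rel == NULL || *rel == '\0')
		return 0;

	for (p = rel; *p != '\0'; p++) {
		char c = *p;

		/* ".." would let the path climb out of the cache directory */
		if (c == '.' && p[1] == '.')
			return 0;

		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') ||
		    c == '/' || c == '.' || c == '_' || c == '-')
			continue;
		return 0;
	}
	return 1;
}

/*
 * Setuid helper that hands ownership of one entry below
 * /home/httpd/vhost81/html/updatecache/ to nobody:squid.
 *
 * argv[1] is the entry, relative to that directory. It is caller-controlled
 * and is placed on a shell command line run with elevated rights, so it is
 * validated first. Returns 0 after running chown, 1 on a missing, invalid
 * or over-long argument; exits with -1 when initsetuid() fails.
 */
int main(int argc, char *argv[])
{
  int n;

  if (argc < 2)
    return(1);

  if (!(initsetuid()))
    exit(-1);

  if (!cache_path_is_safe(argv[1])) {
    fprintf(stderr, "\nBad argument given.\n\n");
    return(1);
  }

  n = snprintf(command, BUFFER_SIZE-1, "/bin/chown nobody:squid /home/httpd/vhost81/html/updatecache/%s", argv[1]);
  if (n < 0 || n >= BUFFER_SIZE-1) {
    /* a truncated path would chown a different file than the one asked for */
    fprintf(stderr, "\nArgument too long.\n\n");
    return(1);
  }
  safe_system(command);

  return(0);
}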
Example #15
/*
 * Setuid front end that starts, stops or restarts the RED interface through
 * the network init script. argv[1] is only compared against literals.
 * Exits with status 1 when the argument is missing or unknown.
 */
int main(int argc, char *argv[]) {
	const char *action;

	if (initsetuid() == 0) {
		exit(1);
	}

	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\nredctrl (start|stop|restart)\n\n");
		exit(1);
	}

	action = argv[1];

	if (!strcmp(action, "start")) {
		safe_system("/etc/rc.d/init.d/network start red");
		return 0;
	}
	if (!strcmp(action, "stop")) {
		safe_system("/etc/rc.d/init.d/network stop red");
		return 0;
	}
	if (!strcmp(action, "restart")) {
		safe_system("/etc/rc.d/init.d/network restart red");
		return 0;
	}

	fprintf(stderr, "\nBad argument given.\n\nredctrl (start|stop|restart)\n\n");
	exit(1);
}
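/*
 * CGI entry point: takes C source text from QUERY_STRING, enters a chroot
 * below HOME "/root", drops to USER and pipes the source into gcc.
 *
 * The query string is attacker-controlled. Every step that confines the
 * build (chdir, chroot, dropping group and user id) is therefore checked,
 * and the request is refused when any of them fails.
 *
 * Returns 0 when the build was started, 1 on any rejected request or
 * failed setup step.
 */
int main()
{
	CURL *curl = curl_easy_init( );

	printf("Content-Type: text/html;charset=us-ascii\n\n");
	if(curl == NULL)
	{
		printf("<p>Internal error.</p>");
		return 1;
	}

	char *q = getenv("QUERY_STRING");
	if(q == NULL || strlen(q) <= 0)
	{
		printf("<p>You must pass in some source code.</p>");
		return 1;
	}
	if(strlen(q) > 1024)
	{
		printf("<p>The source code is too long.</p>");
		return 1;
	}

	q = curl_easy_unescape(curl, q, strlen(q), NULL);
	if(q == NULL)
	{
		printf("<p>The source code could not be decoded.</p>");
		return 1;
	}

	/*
	 * The decoded text is placed between single quotes on a shell command
	 * line below. A single quote inside it would end that quoting, so such
	 * requests are refused instead of being passed to the shell.
	 */
	if(strchr(q, '\'') != NULL)
	{
		printf("<p>The source code contains an unsupported character.</p>");
		return 1;
	}

	FILE * log = fopen(HOME "/tmp/build.log", "w+");
	if(log == NULL)
	{
		printf("<p>Cannot open the build log.</p>");
		return 1;
	}

	/* NOTE(review): tempnam() only returns a name, it does not create the
	 * file, so the name can be taken by someone else before gcc writes to
	 * it; consider a directory only USER can write to. */
	char * filename = tempnam("/tmp", "gcc_");
	if(filename == NULL)
	{
		printf("<p>Cannot create an output file name.</p>");
		return 1;
	}

	/* REMOTE_ADDR may be unset; passing NULL to %s is undefined. */
	const char *remote = getenv("REMOTE_ADDR");
	if(remote == NULL)
		remote = "unknown";

	/* time_t is not int; cast explicitly so the format matches. */
	fprintf(log, "%ld IP: %s Output: %s\n", (long) time(0), remote, filename);
	fflush(log);

	/* If either call fails the process is NOT confined; stop right here. */
	if(chdir(HOME "/root") < 0 || chroot(HOME "/root") < 0)
	{
		printf("<p>Cannot enter the build environment.</p>");
		return 1;
	}

	struct passwd *passwd = getpwnam(USER);
	if(passwd == NULL)
	{
		printf("<p>User does not exist.</p>");
		return 1;
	}

	/*
	 * Drop the group before the user id: once the uid is given up the
	 * process may no longer be allowed to change its gid.
	 * NOTE(review): supplementary groups are not cleared here.
	 */
	if(setgid(passwd->pw_gid) < 0)
		return 1;
	if(setuid(passwd->pw_uid) < 0)
		return 1;

	char buffer[2048];
	int n = snprintf(buffer, sizeof(buffer), "echo -n '%s' | gcc -x c -o %s -", q, filename);
	if(n < 0 || (size_t) n >= sizeof(buffer))
	{
		printf("<p>The source code is too long.</p>");
		return 1;
	}

	printf("Starting build...\n");

	int pid = safe_system(buffer);

	fprintf(log, "%ld %s done.\n", (long) time(0), filename);
	fclose(log);

	curl_free(q);
	curl_easy_cleanup(curl);

	sleep_kill(pid);
	return 0;
}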
Example #17
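/*
 * Return 1 when arg is made only of letters, digits and "-_.+=:/,"
 * (an empty string passes). None of these characters is special to the
 * shell, so a value that passes stays a single argument.
 * NOTE(review): confirm the allowlist covers every option and package name
 * pakfire is legitimately called with.
 */
static int arg_is_shell_safe(const char *arg)
{
	const char *p;

	if (arg == NULL)
		return 0;

	for (p = arg; *p != '\0'; p++) {
		char c = *p;

		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') ||
		    c == '-' || c == '_' || c == '.' || c == '+' ||
		    c == '=' || c == ':' || c == '/' || c == ',')
			continue;
		return 0;
	}
	return 1;
}

/*
 * Setuid wrapper that runs /opt/pakfire/pakfire with the caller's
 * arguments appended.
 *
 * The arguments are caller-controlled. Each one is checked for shell-safe
 * content, and the command line is built with a running length so it can
 * never grow past the buffer (the previous sprintf()/strcat() pair had no
 * bound at all). Returns the result of safe_system(); exits with status 1
 * on a rejected or over-long argument list.
 */
int main(int argc, char *argv[]) {
	int i;
	int n;
	size_t used;
	char command[1024];

	if (!(initsetuid()))
		exit(1);

	n = snprintf(command, sizeof(command), "/opt/pakfire/pakfire");
	used = (size_t)n;

	for (i = 1; i < argc; i++) {
		if (!arg_is_shell_safe(argv[i])) {
			fprintf(stderr, "\nBad argument given.\n\n");
			exit(1);
		}

		n = snprintf(command + used, sizeof(command) - used, " %s", argv[i]);
		if (n < 0 || (size_t)n >= sizeof(command) - used) {
			/* refuse rather than run a command cut off mid-argument */
			fprintf(stderr, "\nArguments too long.\n\n");
			exit(1);
		}
		used += (size_t)n;
	}

	return safe_system(command);
}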
Example #18
/*
 * Setuid front end that restarts dnsmasq through its init script.
 * "restart" is the only accepted argument; it is compared against a literal
 * and never reaches a command line. Exits with status 1 otherwise.
 */
int main(int argc, char *argv[]) {

	if (initsetuid() == 0) {
		exit(1);
	}

	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n");
		exit(1);
	}

	if (strcmp(argv[1], "restart") != 0) {
		fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n");
		exit(1);
	}

	safe_system("/etc/rc.d/init.d/dnsmasq restart");
	return 0;
}
Example #19
/*
 * Remove the temporary artefacts named after hostname, the temporary
 * directory and date file (when set), and the uploaded .dat file below
 * MOUNTPOINT.
 *
 * NOTE(review): tmpdir is placed on an "rm -rf" shell command line without
 * being checked here; it must only ever hold a path this program created.
 */
void exithandler(void)
{
    char scratch[STRING_SIZE];

    /* temporary archive */
    snprintf(scratch, STRING_SIZE - 1, "/tmp/%s.tar.gz", hostname);
    unlink(scratch);

    /* temporary directory, if one was created */
    if (tmpdir[0] != '\0') {
        snprintf(scratch, STRING_SIZE - 1, "/bin/rm -rf %s &>/dev/null", tmpdir);
        safe_system(scratch);
    }

    if (tmpdatefile[0] != '\0') {
        unlink(tmpdatefile);
    }

    /* the file that was just uploaded */
    snprintf(scratch, STRING_SIZE - 1, MOUNTPOINT "/%s.dat", hostname);
    unlink(scratch);

    snprintf(scratch, STRING_SIZE - 1, "/tmp/%s.tar", hostname);
    unlink(scratch);
}
/*
 * Run the shell command attached to a script event once its scheduled time
 * has come. A failing command is reported through die() together with the
 * script path, the event's line number and the error text.
 */
void run_command_event(
	struct state *state, struct event *event, struct command_spec *command)
{
	char *error = NULL;

	DEBUGP("%d: command: `%s`\n", event->line_number,
	       command->command_line);

	/* Hold back until this event is due. */
	wait_for_event(state);

	if (!safe_system(command->command_line, &error))
		return;		/* command succeeded */

	die("%s:%d: error executing `%s` command: %s\n",
	    state->config->script_path, event->line_number,
	    command->command_line, error);
	free(error);
}
Example #21
/*
 * Setuid front end that runs "ddns update-all" with the configuration file
 * named by conffile. "update-all" is the only accepted argument and is
 * compared against a literal. Exits with status 1 when the argument is
 * missing or unknown.
 */
int main(int argc, char *argv[]) {
	char cmd[STRING_SIZE];

	if (initsetuid() == 0) {
		exit(1);
	}

	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\nddnsctrl (update-all)\n\n");
		exit(1);
	}

	if (strcmp(argv[1], "update-all") != 0) {
		fprintf(stderr, "\nBad argument given.\n\nddnsctrl (update-all)\n\n");
		exit(1);
	}

	snprintf(cmd, sizeof(cmd), "/usr/bin/ddns --config %s update-all >/dev/null 2>&1", conffile);
	safe_system(cmd);

	return 0;
}
Example #22
/*
 * Run the script plugin stored at index `number` of plugin_list.
 * The plugin file must exist; it is then handed to safe_system() and the
 * outcome is written to the debug log.
 *
 * NOTE(review): `number` is used as an index without a range check here,
 * and the plugin file path is executed as is; both rely on plugin_list
 * holding only trusted entries.
 */
void CPlugins::startScriptPlugin(int number)
{
	const char * script = plugin_list[number].pluginfile.c_str();

	dprintf(DEBUG_NORMAL, "[CPlugins] executing script %s\n", script);

	if (!pluginfile_exists(plugin_list[number].pluginfile))
	{
		dprintf(DEBUG_NORMAL, "[CPlugins] could not find %s,\nperhaps wrong plugin type in %s\n", script, plugin_list[number].cfgfile.c_str());
		return;
	}

	// a zero result from safe_system() is treated as success
	if (safe_system(script))
	{
		dprintf(DEBUG_NORMAL, "[CPlugins] can't execute %s\n",script);
		return;
	}

	dprintf(DEBUG_NORMAL, "CPlugins::startScriptPlugin: script %s successfull started\n", script);
}
Example #23
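/*
 * Return 1 when dev is 1 to 32 characters long and made only of letters,
 * digits, '_' and '-'. This rules out shell metacharacters and path
 * separators, and bounds the length of everything formatted from it.
 * NOTE(review): device names containing '/' are rejected by this check;
 * confirm none are in use.
 */
static int device_name_is_valid(const char *dev)
{
	int len = 0;

	if (dev == NULL)
		return 0;

	for (; dev[len] != '\0'; len++) {
		char c = dev[len];

		if (len >= 32)
			return 0;
		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') || c == '_' || c == '-')
			continue;
		return 0;
	}
	return len > 0;
}

/*
 * Setuid helper that prints SMART information for one disk.
 *
 * Usage: smartctrl <device>
 *
 * The device name is caller-controlled and is used both in a file name
 * below /var/run and on a shell command line, so it is validated first.
 * When /var/run/hddshutdown-<device> exists the disk is in standby and is
 * left alone (exit status 1).
 */
int main(int argc, char *argv[]) {

        if (!(initsetuid()))
                exit(1);

        if (argc < 2) {
                fprintf(stderr, "\nNo argument given.\n\nsmartctrl <device>\n\n");
                exit(1);
        }

        if (!device_name_is_valid(argv[1])) {
                fprintf(stderr, "\nBad argument given.\n\nsmartctrl <device>\n\n");
                exit(1);
        }

        /*
         * The name is at most 32 characters here, so both strings formatted
         * below stay under 64 bytes.
         * NOTE(review): command is declared elsewhere; confirm it holds at
         * least 64 bytes.
         */
        sprintf(command, "/var/run/hddshutdown-%s", argv[1]);
        FILE *fp = fopen(command,"r");
        if( fp ) {
                fclose(fp);
                printf("\nDisk %s is in Standby. Do nothing because we won't wakeup\n",argv[1]);
                exit(1);
        }

        sprintf(command, "smartctl -iHA /dev/%s", argv[1]);
        safe_system(command);

        return 0;
}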
Example #24
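/* Return 1 when mac has the form XX:XX:XX:XX:XX:XX with hexadecimal digits. */
static int mac_is_wellformed(const char *mac)
{
	int i;

	if (mac == NULL || strlen(mac) != 17)
		return 0;

	for (i = 0; i < 17; i++) {
		char c = mac[i];

		if (i % 3 == 2) {
			if (c != ':')
				return 0;
		} else if (!((c >= '0' && c <= '9') ||
			     (c >= 'a' && c <= 'f') ||
			     (c >= 'A' && c <= 'F'))) {
			return 0;
		}
	}
	return 1;
}

/* Return 1 when port consists of one to five decimal digits. */
static int port_is_numeric(const char *port)
{
	int len = 0;

	if (port == NULL)
		return 0;

	for (; port[len] != '\0'; len++) {
		if (len >= 5 || port[len] < '0' || port[len] > '9')
			return 0;
	}
	return len > 0;
}

/*
 * Setuid helper that rebuilds the WIRELESSINPUT and WIRELESSFORWARD chains
 * for the BLUE interface.
 *
 * Both chains are flushed, optional DROP rules for the proxy port and the
 * Samba ports are added, every enabled entry of the wireless config file
 * gets ACCEPT/RETURN rules by MAC and/or IP address, and optional LOG rules
 * follow. Once the exit handler is registered it runs on every exit path
 * (the existing comment says it keeps the block rule present).
 *
 * Every value that reaches an iptables command line comes from a
 * configuration file, so each one is validated before it is formatted into
 * a command.
 */
int main(void) {
	char green_dev[STRING_SIZE] = "";
	char buffer[STRING_SIZE];
	char *index, *ipaddress, *macaddress, *enabled;
	struct keyvalue *kv = NULL;

	if (!(initsetuid()))
		exit(1);

	/* flush wireless iptables */
	safe_system("/sbin/iptables --wait -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables --wait -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	memset(buffer, 0, STRING_SIZE);

	/* Init the keyvalue structure */
	kv=initkeyvalues();

	/* Read in the current values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	/* Read in the firewall values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	/* Get the GREEN interface details */
	if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
		if (!VALID_DEVICE(green_dev)) {
			fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
			exit(1);
		}
	}

	/* Get the BLUE interface details */
	if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
		if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
			fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
			exit(1);
		}
	}

	if (strlen(blue_dev) == 0) {
		exit(0);
	}

	/* the presence of the nodrop file means no rules are added at all */
	if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
		return 0;

	/* register exit handler to ensure the block rule is always present */
	atexit(exithandler);

	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
		exit(0);
	}

	/* restrict blue access to the proxy port */
	if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "on") == 0) {
		/* Read the proxy values */
		if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
			fprintf(stderr, "Cannot read proxy settings\n");
			exit(1);
		}

		/* the port goes onto a shell command line; accept digits only */
		if (!port_is_numeric(buffer)) {
			fprintf(stderr, "Bad PROXY_PORT: %s\n", buffer);
			exit(1);
		}

		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
		safe_system(command);
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp  ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
		safe_system(command);
	}

	/* do not allow blue to access a samba server running on the local machine */
	if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "on") == 0) {
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);
	}

	while (fgets(buffer, STRING_SIZE, fd)) {
		/* cut at the newline if there is one; a final line without a
		 * newline used to lose its last character */
		buffer[strcspn(buffer, "\n")] = 0;

		index = strtok(buffer, ",");
		ipaddress = strtok(NULL, ",");
		macaddress = strtok(NULL, ",");
		enabled = strtok(NULL, ",");

		/*
		 * A short or malformed line leaves some fields NULL; skip it
		 * instead of passing NULL to strcmp()/strlen().
		 * NOTE(review): strtok() collapses empty fields, so a line with
		 * an empty column shifts the later values -- confirm the file
		 * never contains empty columns.
		 */
		if (!index || !ipaddress || !macaddress || !enabled)
			continue;

		if (strcmp(enabled, "on") == 0) {
			/*
			 * A 17-character value that is not a real MAC address must
			 * not reach the command line, and the entry must not fall
			 * back to an IP-only rule, which would be more permissive
			 * than what was configured.
			 */
			if ((strlen(macaddress) == 17) && !mac_is_wellformed(macaddress)) {
				fprintf(stderr, "Bad MAC address: %s\n", macaddress);
				continue;
			}

			/* both specified, added security */
			if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
				snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
				safe_system(command);
				snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
				safe_system(command);
			} else {
				/* correctly formed mac address is 17 chars */
				if (strlen(macaddress) == 17) {
					snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
					safe_system(command);
					snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
					safe_system(command);
				}

				if (VALID_IP_AND_MASK(ipaddress)) {
					snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
					safe_system(command);
					snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
					safe_system(command);
				}
			}
		}
	}

	/* log dropped wireless input packets when DROPWIRELESSINPUT is "on" */
	if (findkey(kv, "DROPWIRELESSINPUT", buffer) && strcmp(buffer, "on") == 0) {
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
		safe_system(command);
	}

	/* log dropped wireless forward packets when DROPWIRELESSFORWARD is "on" */
	if (findkey(kv, "DROPWIRELESSFORWARD", buffer) && strcmp(buffer, "on") == 0) {
		snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
		safe_system(command);
	}

	return 0;
}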
Example #25
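/*
 * Read the IPsec config file and, for every enabled net-to-net connection,
 * add a rule to the SQUID chain of the nat table that RETURNs port 80
 * traffic to the remote network, so it skips the transparent proxy
 * REDIRECT.
 *
 * setdirectipsec_green  non-zero: add the rule for the GREEN device
 * setdirectipsec_blue   non-zero: add the rule for the BLUE device
 *
 * Each line is a comma separated record with at least 25 fields; field 1
 * is the enabled flag, field 2 the connection name, field 4 the type and
 * field 12 the remote network as address/mask. Lines that fail a check are
 * skipped. The process exits with status 1 if a command does not fit into
 * the buffer.
 */
void setdirectipsec(int setdirectipsec_green, int setdirectipsec_blue)
{
    int count;
    char *result;
    char *name;
    char *type;
    char *running;
    char *line_copy = NULL;
    char *ipsec_network_mask;
    char *ipsec_netaddress;
    char *ipsec_netmask;
    FILE *file = NULL;
    char *conn_enabled;
    char buffer[STRING_SIZE];
    char s[STRING_SIZE_LARGE];

    if (!setdirectipsec_green && !setdirectipsec_blue)
        return;                 /* nothing to do */

    if (!(file = fopen("/var/ipcop/ipsec/config", "r"))) {
        fprintf(stderr, "Couldn't open IPsec config file");
        return;                 /* error! exit or return? */
    }

    while (fgets(s, STRING_SIZE_LARGE, file) != NULL) {
        /* Line should contain 25+ comma separated fields */
        if (strlen(s) < 25) {
            verbose_printf(2, "Bad (empty?) configline\n");
            continue;
        }
        if (s[strlen(s) - 1] == '\n') {
            s[strlen(s) - 1] = '\0';
        }

        /*
         * strsep() moves 'running' forward, so the start of the copy is
         * kept in line_copy. The copy of the previous line is released
         * here: its fields are only used within one iteration. Before,
         * every line leaked its copy.
         */
        free(line_copy);
        line_copy = strdup(s);
        running = line_copy;

        result = strsep(&running, ",");
        count = 0;
        name = NULL;
        type = NULL;
        ipsec_network_mask = NULL;
        conn_enabled = NULL;
        while (result) {
            if (count == 1)
                conn_enabled = result;
            if (count == 2)
                name = result;
            if (count == 4)
                type = result;
            if (count == 12)
                ipsec_network_mask = result;
            count++;
            result = strsep(&running, ",");
        }

        if (name == NULL) {
            verbose_printf(2, "Bad (empty?) configline\n");
            continue;
        }
        /* the name is only letters and digits, or the line is ignored */
        if (strspn(name, LETTERS_NUMBERS) != strlen(name)) {
            verbose_printf(1, "Bad connection name: %s\n", name);
            continue;
        }
        if (count < 25) {
            verbose_printf(2, "Bad configline, name %s count %d, %s\n", name, count, s);
            continue;
        }

        if (!(strcmp(type, "net") == 0)) {
            verbose_printf(2, "Skip (no net-net) connection name: %s\n", name);
            continue;
        }

        /* Darren Critchley - new check to see if connection is enabled */
        if (!(strcmp(conn_enabled, "on") == 0)) {
            verbose_printf(2, "Skip disabled connection name: %s\n", name);
            continue;
        }

        result = strsep(&ipsec_network_mask, "/");
        count = 0;
        ipsec_netaddress = NULL;
        ipsec_netmask = NULL;
        while (result) {
            if (count == 0)
                ipsec_netaddress = result;
            if (count == 1)
                ipsec_netmask = result;
            count++;
            result = strsep(&ipsec_network_mask, "/");
        }

        /* a field without "/mask" leaves the mask NULL; do not hand NULL
         * to the validators or to the format string */
        if (ipsec_netaddress == NULL || ipsec_netmask == NULL) {
            verbose_printf(1, "Bad network for IPsec connection %s\n", name);
            continue;
        }

        if (!VALID_IP(ipsec_netaddress)) {
            verbose_printf(1, "Bad network for IPsec connection %s: %s\n", name, ipsec_netaddress);
            continue;
        }

        if ((!VALID_IP(ipsec_netmask)) && (!VALID_SHORT_MASK(ipsec_netmask))) {
            verbose_printf(1, "Bad mask for IPsec connection %s: %s\n", name, ipsec_netmask);
            continue;
        }

        memset(buffer, 0, STRING_SIZE);
        if (setdirectipsec_green) {
            /* snprintf() is given STRING_SIZE - 1 bytes, so the output is
             * cut off as soon as it needs STRING_SIZE - 1 or more */
            if (snprintf(buffer, STRING_SIZE - 1,
                         "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN",
                         ipcop_ethernet.device[GREEN][1], ipsec_netaddress, ipsec_netmask) >= STRING_SIZE - 1) {
                fprintf(stderr, "Command too long\n");
                fclose(file);
                exit(1);
            }
            verbose_printf(1, "Bypass proxy redirect for GREEN to remote IPsec network %s/%s\n", ipsec_netaddress, ipsec_netmask);
            safe_system(buffer);
        }
        if (setdirectipsec_blue) {
            if (snprintf(buffer,
                         STRING_SIZE - 1,
                         "/sbin/iptables -t nat -A SQUID -i %s -p tcp -d %s/%s --dport 80 -j RETURN",
                         ipcop_ethernet.device[BLUE][1], ipsec_netaddress, ipsec_netmask) >= STRING_SIZE - 1) {
                fprintf(stderr, "Command too long\n");
                fclose(file);
                exit(1);
            }
            verbose_printf(1, "Bypass proxy redirect for BLUE to remote IPsec network %s/%s\n", ipsec_netaddress, ipsec_netmask);
            safe_system(buffer);
        }
    }
    free(line_copy);
    fclose(file);
}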
Example #26
/*
 * Interpreter loop: execute every event of a parsed script in order.
 *
 * Handles local mode and wire client mode; wire server mode is excluded by
 * the assertion below. The optional init command of the script is run
 * through safe_system() before the first event, and any failure there, in
 * fetching an event, or in the final code execution ends the run via die().
 *
 * NOTE(review): the init command and COMMAND_EVENT lines are shell command
 * lines taken from the script file; scripts must come from a trusted
 * source.
 */
void run_script(struct config *config, struct script *script)
{
	char *error = NULL;
	struct state *state = NULL;
	struct netdev *netdev = NULL;
	struct event *event = NULL;

	DEBUGP("run_script: running script\n");

	set_scheduling_priority();
	lock_memory();

	/* This interpreter loop runs for local mode or wire client mode. */
	assert(!config->is_wire_server);

	/* How we use the network is of course a little different in
	 * each of the two cases....
	 */
	if (config->is_wire_client)
		netdev = wire_client_netdev_new(config);
	else
		netdev = local_netdev_new(config);

	state = state_new(config, script, netdev);

	if (config->is_wire_client)
	{
		state->wire_client = wire_client_new();
		wire_client_init(state->wire_client, config, script, state);
	}

	/* Run the script's init command, if it has one, before any event. */
	if (script->init_command != NULL)
	{
		if (safe_system(script->init_command->command_line,
		                &error))
		{
			die("%s: error executing init command: %s\n",
			    config->script_path, error);
		}
	}

	signal(SIGPIPE, SIG_IGN);	/* ignore EPIPE */

	state->live_start_time_usecs = schedule_start_time_usecs();
	DEBUGP("live_start_time_usecs is %lld\n",
	       state->live_start_time_usecs);

	if (state->wire_client != NULL)
		wire_client_send_client_starting(state->wire_client);

	/* Fetch and dispatch events until get_next_event() yields none. */
	while (1)
	{
		if (get_next_event(state, &error))
			die("%s", error);
		event = state->event;
		if (event == NULL)
			break;

		if (state->wire_client != NULL)
			wire_client_next_event(state->wire_client, event);

		/* In wire mode, we adjust relative times after
		 * getting notification that previous packet events
		 * have completed, if any.
		 */
		adjust_relative_event_times(state, event);

		switch (event->type)
		{
		case PACKET_EVENT:
			/* For wire clients, the server handles packets. */
			if (!config->is_wire_client)
			{
				run_local_packet_event(state, event,
				                       event->event.packet);
			}
			break;
		case SYSCALL_EVENT:
			run_system_call_event(state, event,
			                      event->event.syscall);
			break;
		case COMMAND_EVENT:
			run_command_event(state, event,
			                  event->event.command);
			break;
		case CODE_EVENT:
			run_code_event(state, event,
			               event->event.code->text);
			break;
		case INVALID_EVENT:
		case NUM_EVENT_TYPES:
			assert(!"bogus type");
			break;
			/* We omit default case so compiler catches missing values. */
		}
	}

	/* Wait for any outstanding packet events we requested on the server. */
	if (state->wire_client != NULL)
		wire_client_next_event(state->wire_client, NULL);

	if (code_execute(state->code, &error))
	{
		die("%s: error executing code: %s\n",
		    state->config->script_path, error);
		/* only reached if die() returns -- presumably it does not; confirm */
		free(error);
	}

	state_free(state);

	DEBUGP("run_script: done running\n");
}
Example #27
/*
 * Start the plugin stored at index `number` of plugin_list.
 *
 * The screen geometry is exported to the environment first. What happens
 * next depends on the plugin type:
 *   P_TYPE_SCRIPT              run through startScriptPlugin()
 *   P_TYPE_TOOL / P_TYPE_GAME  the plugin file is run with safe_system()
 *   P_TYPE_NEUTRINO            the file is loaded with dlopen() and its
 *                              "plugin_exec" symbol is called in-process
 * Remote control input is stopped while an external program runs and
 * restarted afterwards.
 *
 * NOTE(review): `number` is used as an index without a range check here,
 * and the plugin file is executed or loaded into this process as is; both
 * rely on plugin_list holding only trusted entries.
 */
void CPlugins::startPlugin(int number)
{
	dprintf(DEBUG_NORMAL, "CPlugins::startPlugin: %s type:%d\n", plugin_list[number].pluginfile.c_str(), plugin_list[number].type);
	
	// export neutrino settings to the environment
	// (a 32 byte buffer is enough for one formatted int)
	char tmp[32];
	sprintf(tmp, "%d", g_settings.screen_StartX);
	setenv("SCREEN_OFF_X", tmp, 1);
	sprintf(tmp, "%d", g_settings.screen_StartY);
	setenv("SCREEN_OFF_Y", tmp, 1);
	sprintf(tmp, "%d", g_settings.screen_EndX);
	setenv("SCREEN_END_X", tmp, 1);
	sprintf(tmp, "%d", g_settings.screen_EndY);
	setenv("SCREEN_END_Y", tmp, 1);
	
	// script type
	if (plugin_list[number].type == CPlugins::P_TYPE_SCRIPT)
	{
		g_RCInput->clearRCMsg();
		
		g_RCInput->stopInput();

		startScriptPlugin(number);
		
		// repaint the background once the script has returned
		frameBuffer->paintBackground();

		frameBuffer->blit();	
		
		g_RCInput->restartInput();
		g_RCInput->clearRCMsg();

		return;
	}

	// neutrinoHD plugins (standalone)
	if ( (plugin_list[number].type == CPlugins::P_TYPE_TOOL) || (plugin_list[number].type == CPlugins::P_TYPE_GAME) )
	{
		/* stop rc input */
		g_RCInput->stopInput();
		
		// the plugin file path is the whole command line handed to safe_system()
		safe_system((char *) plugin_list[number].pluginfile.c_str());
		
		frameBuffer->paintBackground();

		frameBuffer->blit();
	
		g_RCInput->restartInput();
		g_RCInput->clearRCMsg();
		
		return;
	}
	else if (plugin_list[number].type == CPlugins::P_TYPE_NEUTRINO)
	{
		PluginExec execPlugin;
		void *handle;
		char * error;

		g_RCInput->clearRCMsg();
	
		// load
		handle = dlopen ( plugin_list[number].pluginfile.c_str(), RTLD_NOW);
		if (!handle)
		{
			fputs (dlerror(), stderr);
		} 
		else 
		{
			// look up the entry point; dlerror() is non-NULL when the lookup failed
			execPlugin = (PluginExec) dlsym(handle, "plugin_exec");
			if ((error = dlerror()) != NULL)
			{
				fputs(error, stderr);
				dlclose(handle);
			} 
			else 
			{
				dprintf(DEBUG_NORMAL, "[CPlugins] try exec...\n");
				
				frameBuffer->paintBackground();

				frameBuffer->blit();				
					
				// runs the plugin's code inside this process
				execPlugin();
				dlclose(handle);
				dprintf(DEBUG_NORMAL, "[CPlugins] exec done...\n");
			}
		}
			
		g_RCInput->clearRCMsg();
	}
}
Example #28
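/*
 * IPsec control helper.
 *
 * argv[1] selects the operation:
 *   I        print "ipsec status"
 *   R        reload ipsec
 *   D        with no further argument: stop ipsec and flush the IPSEC chains
 *   S        with no further argument: open the ports and restart ipsec
 *   S <key>  start the connection whose config line has this numeric key
 *   D <key>  stop the connection whose config line has this numeric key
 *
 * Returns 0 on success; exits with 1 on bad arguments or unreadable settings.
 *
 * NOTE(review): initsetuid() and safe_system() are defined elsewhere; this
 * looks like a privileged helper, so every value that reaches a command line
 * (interface names, connection names) needs validating before use.
 */
int main(int argc, char *argv[]) {
        char configtype[STRING_SIZE];
        char redtype[STRING_SIZE] = "";
        struct keyvalue *kv = NULL;
        FILE *file = NULL;

        if (argc < 2) {
                usage();
                exit(1);
        }
        if (!(initsetuid()))
                exit(1);

        if (strcmp(argv[1], "I") == 0) {
                safe_system("/usr/sbin/ipsec status");
                exit(0);
        }

        if (strcmp(argv[1], "R") == 0) {
                safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
                exit(0);
        }

        /* FIXME: workaround for pclose() issue - still no real idea why
         * this is happening */
        signal(SIGCHLD, SIG_DFL);

        /* handle operations that do not need the ipsec system started */
        if (argc == 2) {
                if (strcmp(argv[1], "D") == 0) {
                        safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
                        ipsec_norules();
                        exit(0);
                }
        }

        /* read vpn config */
        kv=initkeyvalues();
        if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
        {
                fprintf(stderr, "Cannot read vpn settings\n");
                exit(1);
        }

        /* check if the vpn system is enabled */
        {
            /* Start from an empty string: the result of findkey() is not
             * checked, so a missing ENABLED key must compare as "not on"
             * instead of reading an uninitialised buffer. */
            char enabled[STRING_SIZE] = "";
            findkey(kv, "ENABLED", enabled);
            freekeyvalues(kv);
            if (strcmp (enabled, "on") != 0)
                exit(0);
        }

        /* read interface settings */
        kv=initkeyvalues();
        if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
        {
                fprintf(stderr, "Cannot read ethernet settings\n");
                exit(1);
        }
        /* CONFIG_TYPE must be present; its value is not used further here */
        if (!findkey(kv, "CONFIG_TYPE", configtype))
        {
                fprintf(stderr, "Cannot read CONFIG_TYPE\n");
                exit(1);
        }
        findkey(kv, "RED_TYPE", redtype);


        /* Find the physical interfaces that will accept IPSEC.
         * Each enable_* flag is non-zero when its interface name passed
         * VALID_DEVICE. */
        int enable_red=0;
        int enable_green=0;
        int enable_orange=0;
        int enable_blue=0;
        char if_red[STRING_SIZE] = "";
        char if_green[STRING_SIZE] = "";
        char if_orange[STRING_SIZE] = "";
        char if_blue[STRING_SIZE] = "";
        char s[STRING_SIZE];

        // when RED is up, find interface name in special file
        FILE *ifacefile = NULL;
        if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
                if (fgets(if_red, STRING_SIZE, ifacefile)) {
                        /* Cut at the newline. strcspn() is also safe on an
                         * empty string, where indexing strlen() - 1 would
                         * read before the buffer. */
                        if_red[strcspn(if_red, "\n")] = '\0';
                }
                fclose (ifacefile);

                if (VALID_DEVICE(if_red))
                        enable_red++;
        }

        // Check if GREEN is enabled.
        findkey(kv, "GREEN_DEV", if_green);
        if (VALID_DEVICE(if_green))
                enable_green++;

        // Check if ORANGE is enabled.
        findkey(kv, "ORANGE_DEV", if_orange);
        if (VALID_DEVICE(if_orange))
                enable_orange++;

        // Check if BLUE is enabled.
        findkey(kv, "BLUE_DEV", if_blue);
        if (VALID_DEVICE(if_blue))
                enable_blue++;

        freekeyvalues(kv);

        // exit if nothing to do
        if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
            exit(0);

        // open needed ports
        // NOTE(review): this happens before argv[1]/argv[2] are validated
        // below, so an unknown command still changes the firewall. Consider
        // validating the command first. VALID_DEVICE is the only check on the
        // interface names visible here -- confirm it rejects anything that is
        // unsafe to place in a command line.
        if (enable_red > 0)
                open_physical(if_red, 4500);

        if (enable_green > 0)
                open_physical(if_green, 4500);

        if (enable_orange > 0)
                open_physical(if_orange, 4500);

        if (enable_blue > 0)
                open_physical(if_blue, 4500);

        // start the system
        if ((argc == 2) && strcmp(argv[1], "S") == 0) {
                safe_system("/usr/sbin/ipsec restart >/dev/null");
                exit(0);
        }

        // it is a selective start or stop
        // second param is only a number 'key'
        // With argc == 2, argv[2] is NULL and must not be passed to "%s".
        const char *key_arg = (argc > 2) ? argv[2] : NULL;
        if (key_arg == NULL || strspn(key_arg, NUMBERS) != strlen(key_arg)) {
                fprintf(stderr, "Bad arg: %s\n", key_arg != NULL ? key_arg : "(missing)");
                usage();
                exit(1);
        }

        // search the vpn pointed by 'key'
        if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
                fprintf(stderr, "Couldn't open vpn settings file");
                exit(1);
        }
        while (fgets(s, STRING_SIZE, file) != NULL) {
                char *key;
                char *name;
                char *type;
                if (!decode_line(s,&key,&name,&type))
                        continue;

                // is it the 'key' requested ?
                if (strcmp(key_arg, key) != 0)
                        continue;

                // Start or Delete this Connection
                // name and type come from the config line; decode_line() and
                // turn_connection_on/off() are defined elsewhere -- presumably
                // decode_line() validates them, verify before relying on it.
                if (strcmp(argv[1], "S") == 0)
                        turn_connection_on (name, type);
                else if (strcmp(argv[1], "D") == 0)
                        turn_connection_off (name);
                else {
                        fprintf(stderr, "Bad command\n");
                        exit(1);
                }
        }
        fclose(file);

        return 0;
}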
Example #29
/*
 * Flush the three IPsec iptables chains (input, forward, output), in that
 * order. The return value of safe_system() is not inspected.
 */
void ipsec_norules() {
        char *flush_cmds[] = {
                "/sbin/iptables -F IPSECINPUT",
                "/sbin/iptables -F IPSECFORWARD",
                "/sbin/iptables -F IPSECOUTPUT",
        };
        unsigned int idx;

        /* one fixed command per chain; nothing here is built from input */
        for (idx = 0; idx < sizeof(flush_cmds) / sizeof(flush_cmds[0]); idx++)
                safe_system(flush_cmds[idx]);
}
Example #30
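/*
 * Return 1 when s is non-empty, shorter than limit characters and made up
 * only of characters from allowed; 0 otherwise.
 */
static int cron_field_ok(const char *s, size_t limit, const char *allowed)
{
	size_t len = strlen(s);

	return len > 0 && len < limit && strspn(s, allowed) == len;
}

/*
 * Shutdown / reboot helper.
 *
 * argv[1] selects the operation (OP_* constants are defined elsewhere):
 *   OP_SHUTDOWN, OP_REBOOT, OP_REBOOT_FS   run /sbin/shutdown immediately
 *   OP_SCHEDULE_GET                        print the scheduled shutdown lines
 *   OP_SCHEDULE_REM                        remove the scheduled shutdown
 *   OP_SCHEDULE_ADD a b days flag          replace the scheduled shutdown
 *
 * Returns 0 on success, 1 on a bad command, bad parameters or when the new
 * crontab entry could not be written.
 */
int main(int argc, char**argv)
{
	if (!(initsetuid()))
		return 1;

	// Check what command is asked
	if (argc==1)
	{
		fprintf (stderr, "Missing reboot command!\n");
		return 1;
	}

	if (argc==2 && strcmp(argv[1], OP_SHUTDOWN)==0)
	{
		safe_system("/sbin/shutdown -h now");
		return 0;
	}

	if (argc==2 && strcmp(argv[1], OP_REBOOT)==0)
	{
		safe_system("/sbin/shutdown -r now");
		return 0;
	}

	if (argc==2 && strcmp(argv[1], OP_REBOOT_FS)==0)
	{
		safe_system("/sbin/shutdown -F -r now");
		return 0;
	}

	// output schedule to stdout
	if (argc==2 && strcmp(argv[1], OP_SCHEDULE_GET)==0)
	{
		safe_system("/bin/grep /sbin/shutdown /var/spool/cron/root.orig");
		return 0;
	}

	if (argc==2 && strcmp(argv[1], OP_SCHEDULE_REM)==0)
	{
		safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");
		safe_system("/usr/bin/fcrontab -u root -z");
		return 0;
	}

	if (argc==6 && strcmp(argv[1], OP_SCHEDULE_ADD)==0)
	{
		// check args
		// These values are written verbatim into root's crontab below, so
		// the character whitelists are what keeps whitespace, newlines and
		// extra commands out of the entry. Empty fields are rejected too,
		// since they would produce a malformed line.
		int args_ok =
			cron_field_ok(argv[2], 3, "0123456789") &&
			cron_field_ok(argv[3], 3, "0123456789") &&
			cron_field_ok(argv[4], 14, "1234567,*") &&
			((strcmp(argv[5], "-r")==0) ||	//reboot
			 (strcmp(argv[5], "-h")==0));	//hangup

		if (!args_ok)
		{
			fprintf (stderr, "Bad cron+ parameters!\n");
			return 1;
		}

		// remove old entry
		safe_system("/usr/bin/perl -i -p -e 's/^.*\\/sbin\\/shutdown.*$//s' /var/spool/cron/root.orig");

		// add new entry
		int written = 0;
		FILE *fd = fopen("/var/spool/cron/root.orig", "a");
		if (fd != NULL)
		{
			if (fprintf (fd,"%s %s * * %s /sbin/shutdown %s 1\n",argv[2],argv[3],argv[4],argv[5]) > 0)
				written = 1;
			// fclose() flushes, so a failure here means the entry was lost
			if (fclose (fd) != 0)
				written = 0;
		}

		// inform cron (the file has changed even if only the removal worked)
		safe_system("/usr/bin/fcrontab -u root -z");

		if (!written)
		{
			fprintf (stderr, "Could not write the new schedule entry!\n");
			return 1;
		}
		return 0;
	}

	fprintf (stderr, "Bad reboot command!\n");
	return 1;
}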