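/*
 * Start the privoxy HTTP proxy when "privoxy_enable" is set.
 *
 * Steps: make sure a "nobody" account exists (presumably the uid privoxy
 * drops to -- the daemon is launched as root here, confirm against the
 * privoxy build), create the log directory, optionally install a NAT
 * REDIRECT rule that steers LAN port-80 traffic into the proxy
 * (transparent mode), write /tmp/privoxy.conf and launch the daemon.
 *
 * The configuration is either the administrator's raw text from the
 * "privoxy_conf" nvram variable (advanced mode, written verbatim) or a
 * generated default that listens on the LAN address only.
 */
void start_privoxy(void)
{
	if (!nvram_match("privoxy_enable", "1"))
		return;

	int mode = 0;
	char *ip = nvram_safe_get("lan_ipaddr");

	/* privoxy expects an unprivileged "nobody" account to be present */
	sysprintf("grep -q nobody /etc/passwd || echo \"nobody:*:65534:65534:nobody:/var:/bin/false\" >> /etc/passwd");
	/* 0777 (world-writable) keeps the log dir writable by whatever uid the
	 * daemon ends up running as; a narrower mode plus chown to that uid
	 * would be tighter -- TODO confirm the daemon's uid */
	mkdir("/var/log/privoxy", 0777);

	char *wan = get_wan_ipaddr();
	if (nvram_match("privoxy_transp_enable", "1")) {
		/* delete first so a restart does not stack duplicate REDIRECT rules;
		 * the -D is expected to fail harmlessly on a fresh boot */
		sysprintf("iptables -t nat -D PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118", wan);
		sysprintf("iptables -t nat -I PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118", wan);
		mode = 1; /* generated config must accept intercepted requests */
	}

	FILE *fp = fopen("/tmp/privoxy.conf", "wb");
	if (fp == NULL) {
		/* the original dereferenced a NULL stream here; bail out rather
		 * than launch privoxy against a missing configuration */
		syslog(LOG_ERR, "Privoxy : cannot write /tmp/privoxy.conf\n");
		return;
	}

	if (nvram_match("privoxy_advanced", "1") && nvram_invmatch("privoxy_conf", "")) {
		/* admin-supplied configuration, emitted as-is ("%s" keeps any
		 * format characters in the text inert) */
		fprintf(fp, "%s", nvram_safe_get("privoxy_conf"));
	} else {
		/* remote toggle / action editing stay off so the proxy cannot be
		 * reconfigured through its own web interface */
		fprintf(fp, "confdir /etc/privoxy\n"
			    "logdir /var/log/privoxy\n"
			    "actionsfile match-all.action\n"
			    "actionsfile default.action\n"
			    "actionsfile user.action\n"
			    "filterfile default.filter\n"
			    "logfile logfile\n"
			    "listen-address %s:8118\n"
			    "toggle 1\n"
			    "enable-remote-toggle 0\n"
			    "enable-remote-http-toggle 0\n"
			    "enable-edit-actions 0\n"
			    "buffer-limit 4096\n"
			    "accept-intercepted-requests %d\n"
			    "split-large-forms 0\n"
			    "keep-alive-timeout 5\n"
			    "socket-timeout 300\n"
			    "max-client-connections 64\n"
			    "handle-as-empty-doc-returns-ok 1\n", ip, mode);
	}
	fclose(fp);

	eval("privoxy", "/tmp/privoxy.conf");
	syslog(LOG_INFO, "Privoxy : privoxy started\n");
}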
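/*
 * Emit one set of chilli/hotspot firewall rules into a script.
 *
 * @param fp  open script stream
 * @param op  iptables rule operation: "-I" (insert) for ip-up.sh, "-D"
 *            (delete) for ip-down.sh.  Both scripts must describe
 *            byte-identical rule specifications, otherwise the delete never
 *            matches and rules accumulate across hotspot sessions.
 *
 * Reads the file-scope log_accept / log_drop target names, which the
 * caller fills in first.
 */
static void chilli_write_fw_rules(FILE *fp, const char *op)
{
	/* allow traffic to and through the chilli tunnel interface */
	fprintf(fp, "iptables %s INPUT -i tun0 -j %s\n", op, log_accept);
	fprintf(fp, "iptables %s FORWARD -i tun0 -j %s\n", op, log_accept);
	fprintf(fp, "iptables %s FORWARD -o tun0 -j %s\n", op, log_accept);

	/* clamp MSS only when the main firewall's own clamping is off */
	if (nvram_invmatch("filter", "on"))
		fprintf(fp, "iptables %s FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n", op);

	/* secure the captive-portal interface: drop packets whose source is
	 * outside its network.  An empty network would render as "! -s -j",
	 * which iptables rejects, so the rule is skipped in that case. */
	if (nvram_match("hotss_enable", "1") && nvram_invmatch("hotss_interface", "br0")
	    && strlen(nvram_safe_get("hotss_net")) > 0)
		fprintf(fp, "iptables -t nat %s PREROUTING -i %s ! -s %s -j %s\n", op,
			nvram_safe_get("hotss_interface"), nvram_safe_get("hotss_net"), log_drop);
	if (nvram_match("chilli_enable", "1") && nvram_invmatch("chilli_interface", "br0")
	    && strlen(nvram_safe_get("chilli_net")) > 0)
		fprintf(fp, "iptables -t nat %s PREROUTING -i %s ! -s %s -j %s\n", op,
			nvram_safe_get("chilli_interface"), nvram_safe_get("chilli_net"), log_drop);

	/* NAT for the hotspot network: MASQUERADE without a WAN, SNAT otherwise */
	const char *net = NULL;
	if (nvram_match("hotss_enable", "1") && strlen(nvram_safe_get("hotss_net")) > 0)
		net = nvram_safe_get("hotss_net");
	else if (nvram_match("chilli_enable", "1") && strlen(nvram_safe_get("chilli_net")) > 0)
		net = nvram_safe_get("chilli_net");
	else if (nvram_match("hotss_enable", "1") || nvram_match("chilli_enable", "1"))
		net = "192.168.182.0/24"; /* chilli's built-in default network */

	if (net != NULL) {
		if (nvram_match("wan_proto", "disabled"))
			fprintf(fp, "iptables -t nat %s POSTROUTING -s %s -j MASQUERADE\n", op, net);
		else
			fprintf(fp, "iptables -t nat %s POSTROUTING -s %s -j SNAT --to-source=%s\n", op, net, get_wan_ipaddr());
	}
}

/*
 * Write the chilli ip-up.sh / ip-down.sh hook scripts under /tmp/chilli.
 *
 * ip-up.sh inserts the hotspot firewall and NAT rules, ip-down.sh removes
 * the same rules.  The log-level-dependent target names are written into
 * the file-scope log_drop / log_accept / log_reject buffers as a side
 * effect.  Returns silently if a script cannot be created.
 */
void main_config(void)
{
	int log_level = atoi(nvram_safe_get("log_level"));

	mkdir("/tmp/chilli", 0700);
	FILE *fp = fopen("/tmp/chilli/ip-up.sh", "wb");
	if (fp == NULL)
		return;

	/* logging targets only when the configured log level asks for them */
	sprintf(log_drop, "%s", log_level >= 1 ? "logdrop" : "DROP");
	sprintf(log_accept, "%s", log_level >= 2 ? "logaccept" : TARG_PASS);
	sprintf(log_reject, "%s", log_level >= 1 ? "logreject" : TARG_RST);

	/* if we have a gw traffic will go there. but if we dont have any gw we
	 * might use chilli on a local network only; also we need to allow
	 * traffic in/outgoing to chilli */
	fprintf(fp, "#!/bin/sh\n");
	chilli_write_fw_rules(fp, "-I");
	fclose(fp);

	fp = fopen("/tmp/chilli/ip-down.sh", "wb");
	if (fp == NULL)
		return;
	fprintf(fp, "#!/bin/sh\n");
	/* the original hard-coded "-j logaccept" in the delete rules, so with
	 * log_level < 2 they never matched what ip-up.sh had inserted and the
	 * tun0 accept rules were left behind */
	chilli_write_fw_rules(fp, "-D");
	fclose(fp);

	chmod("/tmp/chilli/ip-up.sh", 0750);
	chmod("/tmp/chilli/ip-down.sh", 0750);
}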
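/*
 * Create a persistent chilli connection script containing only a
 * "#!/bin/sh" header if it does not exist yet; an existing file (which may
 * hold the administrator's own commands) is never overwritten.
 *
 * @param path  script path on the persistent (jffs/usb) store
 * @return 0 if the file exists or was created, -1 if it could not be created
 */
static int chilli_ensure_script(const char *path)
{
	FILE *fp = fopen(path, "r");
	if (fp != NULL) {
		/* exists: keep it (the original never closed this probe handle) */
		fclose(fp);
		return 0;
	}
	fp = fopen(path, "w");
	if (fp == NULL)
		return -1;
	fprintf(fp, "#!/bin/sh\n");
	fclose(fp);
	return 0;
}

/*
 * Write the chilli ip-up.sh / ip-down.sh hook scripts under /tmp/chilli and,
 * when persistent storage is available, seed the con-up.sh / con-down.sh
 * scripts under /jffs/etc/chilli without overwriting existing ones.
 *
 * ip-up.sh deletes and re-inserts the hotspot firewall/NAT rules (so a
 * re-run does not duplicate them), ip-down.sh deletes them.  The
 * log-level-dependent target names are written into the file-scope
 * log_drop / log_accept / log_reject buffers as a side effect.
 */
void main_config(void)
{
	/* chilli's built-in default network; also used when the configured net
	 * is empty.  Initialised up front: the original left chillinet
	 * uninitialised when neither hotss_enable nor chilli_enable matched and
	 * then passed it to fprintf. */
	const char *chillinet = "192.168.182.0/24";
	int log_level = atoi(nvram_safe_get("log_level"));
	FILE *fp;

	mkdir("/tmp/chilli", 0700);
	if (!(fp = fopen("/tmp/chilli/ip-up.sh", "w"))) {
		perror("/tmp/chilli/ip-up.sh");
		return;
	}

	/* logging targets only when the configured log level asks for them */
	sprintf(log_drop, "%s", log_level >= 1 ? "logdrop" : "DROP");
	sprintf(log_accept, "%s", log_level >= 2 ? "logaccept" : TARG_PASS);
	sprintf(log_reject, "%s", log_level >= 1 ? "logreject" : TARG_RST);

	/* hotspot system takes precedence over plain chilli for the network */
	if (nvram_match("hotss_enable", "1")) {
		if (strlen(nvram_safe_get("hotss_net")) > 0)
			chillinet = nvram_safe_get("hotss_net");
	}
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "0")) {
		if (strlen(nvram_safe_get("chilli_net")) > 0)
			chillinet = nvram_safe_get("chilli_net");
	}

	/* if we have a gw traffic will go there. but if we dont have any gw we
	 * might use chilli on a local network only; also we need to allow
	 * traffic in/outgoing to chilli */
	fprintf(fp, "#!/bin/sh\n");
	fprintf(fp, "iptables -D INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -o tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I FORWARD -o tun0 -j %s\n", log_accept);

	/* secure the captive-portal interface (drop sources outside its net);
	 * only useful if the portal is not on br0 */
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "0")
	    && nvram_invmatch("chilli_interface", "br0")) {
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("chilli_interface"), chillinet, log_drop);
		fprintf(fp, "iptables -t nat -I PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("chilli_interface"), chillinet, log_drop);
	}
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "1")
	    && nvram_invmatch("hotss_interface", "br0")) {
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("hotss_interface"), chillinet, log_drop);
		fprintf(fp, "iptables -t nat -I PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("hotss_interface"), chillinet, log_drop);
	}

	/* NAT for the hotspot net: MASQUERADE (plus MSS clamping, since the main
	 * firewall is not doing it) without a WAN, SNAT via the WAN otherwise */
	if (nvram_match("wan_proto", "disabled")) {
		fprintf(fp, "iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
		fprintf(fp, "iptables -t nat -D POSTROUTING -s %s -j MASQUERADE\n", chillinet);
		fprintf(fp, "iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
		fprintf(fp, "iptables -t nat -I POSTROUTING -s %s -j MASQUERADE\n", chillinet);
	} else {
		fprintf(fp, "iptables -t nat -D POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n",
			nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
		fprintf(fp, "iptables -t nat -I POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n",
			nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
	}

	/* enable reverse path filtering on the portal interface to prevent
	 * doubled outgoing packets */
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "0"))
		fprintf(fp, "echo 1 > /proc/sys/net/ipv4/conf/%s/rp_filter\n", nvram_safe_get("chilli_interface"));
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "1"))
		fprintf(fp, "echo 1 > /proc/sys/net/ipv4/conf/%s/rp_filter\n", nvram_safe_get("hotss_interface"));
	fclose(fp);

	if (!(fp = fopen("/tmp/chilli/ip-down.sh", "w"))) {
		perror("/tmp/chilli/ip-down.sh");
		return;
	}
	fprintf(fp, "#!/bin/sh\n");
	fprintf(fp, "iptables -D INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -o tun0 -j %s\n", log_accept);
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "0")
	    && nvram_invmatch("chilli_interface", "br0"))
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("chilli_interface"), chillinet, log_drop);
	if (nvram_match("chilli_enable", "1") && nvram_match("hotss_enable", "1")
	    && nvram_invmatch("hotss_interface", "br0"))
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n",
			nvram_safe_get("hotss_interface"), chillinet, log_drop);
	if (nvram_match("wan_proto", "disabled")) {
		fprintf(fp, "iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
		fprintf(fp, "iptables -t nat -D POSTROUTING -s %s -j MASQUERADE\n", chillinet);
	} else {
		fprintf(fp, "iptables -t nat -D POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n",
			nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
	}
	fclose(fp);

	/* owner-only: the scripts are executed by root and should not be
	 * readable or writable by anyone else */
	chmod("/tmp/chilli/ip-up.sh", 0700);
	chmod("/tmp/chilli/ip-down.sh", 0700);

	/* use usb/jffs for the connection scripts if available */
	if ((nvram_match("usb_enable", "1") && nvram_match("usb_storage", "1")
	     && nvram_match("usb_automnt", "1") && nvram_match("usb_mntpoint", "jffs"))
	    || (nvram_match("enable_jffs2", "1") && nvram_match("jffs_mounted", "1")
		&& nvram_match("sys_enable_jffs2", "1"))) {
		mkdir("/jffs/etc", 0700);
		mkdir("/jffs/etc/chilli", 0700);
		if (chilli_ensure_script("/jffs/etc/chilli/con-up.sh") < 0)
			return;
		/* the original opened con-up.sh for writing here (copy/paste),
		 * clobbering the just-preserved con-up.sh and never creating
		 * con-down.sh */
		if (chilli_ensure_script("/jffs/etc/chilli/con-down.sh") < 0)
			return;
		chmod("/jffs/etc/chilli/con-up.sh", 0700);
		chmod("/jffs/etc/chilli/con-down.sh", 0700);
	}
}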
/*
 * Stop the privoxy daemon and remove the transparent-proxy REDIRECT rule
 * that start_privoxy may have installed for port 80.
 *
 * The iptables delete is attempted unconditionally: when transparent mode
 * was never enabled there is simply no matching rule and the command fails
 * without side effects.  The rule is removed before the process is stopped
 * so no client traffic is redirected into a proxy that is going away.
 */
void stop_privoxy(void)
{
	sysprintf("iptables -t nat -D PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118",
		  get_wan_ipaddr());
	stop_process("privoxy", "privoxy");
}