//#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@> int set_xtaccess(std::vector<std::string> & parameters, std::string & response) { std::string ifacefile = "/var/smoothwall/red/iface"; std::string cmdprefix = "/var/smoothwall"; std::string configfile = cmdprefix + "/xtaccess/config"; std::string aliasfile = cmdprefix + "/portfw/aliases"; ConfigSTR ifacef(ifacefile); ConfigCSV config(configfile); ConfigCSV aliases(aliasfile); std::vector<std::string> ipb; std::string red_ip = ""; std::string iface = ifacef.str(); std::string destination = ""; std::string dport_out = ""; int error = 0; // preset the response to a success, changed only on error, always return zero response = "External Access Rules set"; if (ifacef.str() == "") { response = "Abort, could not open red local interface file (" + ifacefile + ")"; return errrpt (response); } if (iface.find_first_not_of(INTERFACE) != std::string::npos) { response = "Abort, bad interface: " + iface; return errrpt (response); } rmdupes(ipb, "iptables -t filter -F xtaccess"); rmdupes(ipb, "iptables -t nat -F portfw_pre"); //=============================================================================> // Any destination IP that is local and not forwarded goes to us through INPUT for (int line = config.first(); line == 0; line = config.next()) { const std::string & alias = config[0]; const std::string & protocol = config[1]; const std::string & remip = config[2]; const std::string & locport = config[3]; const std::string & enabled = config[4]; if (protocol.find_first_not_of(NUMBERS) != std::string::npos) { response = "Abort, bad protocol: " + protocol; return errrpt (response); } if (remip.find_first_not_of(IP_NUMBERS) != std::string::npos) { response = "Abort, bad remote IP: " + remip; return errrpt (response); } if (locport.find_first_not_of(NUMBERS_COLON) != std::string::npos) { response = "Abort, bad port: " + locport; return errrpt (response); } dport_out = ""; if (locport != "0" && locport != "") dport_out = " --dport " + locport; red_ip = ""; for (int aline = aliases.first(); aline == 0; aline = aliases.next()) // we need to find the alias IP of the red interface { const std::string & f_ifalias = aliases[1]; const std::string & f_ipaddress = aliases[3]; if (alias == f_ifalias) { red_ip = f_ipaddress; break; } } if (red_ip == "") { response = "Abort, could not find an alias match in (" + configfile + ") with (" + aliasfile + ") for an IP in the XTAccess rule"; return errrpt(response); } destination = " -d " + red_ip; //============================================================================> // This only creates the rules if they are present and enabled, the alias // may be disabled which would make the rule ineffective since the IP would // not be present in ifconfig if (enabled == "on") { rmdupes(ipb, "iptables -t filter -A xtaccess -i " + iface + " -d " + red_ip + " -p " + protocol + dport_out + " -s " + remip + " -j ACCEPT"); } } error = ipbatch(ipb); if (error) response = "ipbatch failure"; return errrpt (response); }
int set_xtaccess(std::vector<std::string> & parameters, std::string & response) { int error = 0; ConfigSTR ifacef("/var/smoothwall/red/iface"); ConfigCSV config("/var/smoothwall/xtaccess/config"); std::vector<std::string>ipb; std::string::size_type n; std::string iface = ifacef.str(); if (iface.substr(0, 3) == "ppp" || iface.substr(0, 4) == "ippp") iface = ""; // ignore ppp if (iface != "" && ((n = iface.find_first_not_of(LETTERS_NUMBERS)) != std::string::npos)) { response = "Bad iface: " + iface; error = 1; goto EXIT; } ipb.push_back("iptables -F xtaccess"); for (int line = config.first(); line == 0; line = config.next()) { const std::string & protocol = config[0]; const std::string & remip = config[1]; const std::string & locport = config[2]; const std::string & enabled = config[3]; // are we complete? if (protocol == "" || remip == "" || locport == "" || enabled == "") break; if ((n = protocol.find_first_not_of(LETTERS)) != std::string::npos) { response = "Bad protocol: " + protocol; error = 1; goto EXIT; } if ((n = remip.find_first_not_of(IP_NUMBERS)) != std::string::npos) { response = "Bad remote IP: " + remip; error = 1; goto EXIT; } if ((n = locport.find_first_not_of(NUMBERS_COLON)) != std::string::npos) { response = "Bad port: " + locport; error = 1; goto EXIT; } if (enabled == "on") { ipb.push_back("iptables -A xtaccess -i ppp0 -p " + protocol + " -s " + remip + " --destination-port " + locport + " -j ACCEPT"); ipb.push_back("iptables -A xtaccess -i ippp0 -p " + protocol + " -s " + remip + " --destination-port " + locport + " -j ACCEPT"); if (iface != "") { ipb.push_back("iptables -A xtaccess -i " + iface + " -p " + protocol + " -s " + remip + " --destination-port " + locport + " -j ACCEPT"); } } } error = ipbatch(ipb); if (error) response = "ipbatch failure"; else response = "xtaccess set"; EXIT: return error; }