
Commit 6a65ff5

Merge branch 'master' of https://github.com/wifidog/wifidog-gateway into feature-ssl
2 parents 717512c + 0d53483 commit 6a65ff5

6 files changed

Lines changed: 63 additions & 27 deletions


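--- a/libhttpd/api.c
+++ b/libhttpd/api.c
@@ -256,7 +256,7 @@ httpd *httpdCreate(host, port)
 }
 
 /* The WinSock DLL is acceptable. Proceed. */
-}
+}
 #endif
 
 sock = socket(AF_INET, SOCK_STREAM, 0);
@@ -851,7 +851,7 @@ void httpdAddHeader(request *r, const char *msg)
 int size;
 size = HTTP_MAX_HEADERS - 2 - strlen(r->response.headers);
 if(size > 0)
-{
+{
 strncat(r->response.headers,msg,size);
 if (r->response.headers[strlen(r->response.headers) - 1] != '\n')
 strcat(r->response.headers,"\n");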

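--- a/src/conf.c
+++ b/src/conf.c
@@ -489,6 +489,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 char *protocol = NULL; /**< protocol to block, tcp/udp/icmp */
 char *mask = NULL; /**< Netmask */
 char *other_kw = NULL; /**< other key word */
+int mask_is_ipset = 0;
 t_firewall_ruleset *tmpr;
 t_firewall_ruleset *tmpr2;
 t_firewall_rule *tmp;
@@ -531,6 +532,11 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 
 /* Get the optional port or port range */
 if (strncmp(leftover, "port", 4) == 0) {
+if(protocol == NULL ||
+!(strncmp(protocol, "tcp", 3) == 0 || strncmp(protocol, "udp", 3) == 0)) {
+debug(LOG_ERR, "ERROR: wifidog config file, section FirewallRuleset %s. Port without tcp or udp protocol.", ruleset);
+return -3; /*< Fail */
+}
 TO_NEXT_WORD(leftover, finished);
 /* Get port now */
 port = leftover;
@@ -539,31 +545,49 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 if (!isdigit((unsigned char)*(port + i)) && ((unsigned char)*(port + i) != ':'))
 all_nums = 0; /*< No longer only digits */
 if (!all_nums) {
-debug(LOG_ERR, "Invalid port %s", port);
+debug(LOG_ERR, "ERROR: wifidog config file, section FirewallRuleset %s. Invalid port %s", ruleset, port);
 return -3; /*< Fail */
 }
 }
 
 /* Now, further stuff is optional */
 if (!finished) {
-/* should be exactly "to" */
+/* should be exactly "to" or "to-ipset" */
 other_kw = leftover;
 TO_NEXT_WORD(leftover, finished);
-if (strcmp(other_kw, "to") || finished) {
+if (!finished) {
+/* Get arg now and check validity in next section */
+mask = leftover;
+}
+if (strncmp(other_kw, "to-ipset", 8) == 0 && !finished) {
+mask_is_ipset = 1;
+} else if (strncmp(other_kw, "to", 2) == 0 && !finished) {
+/* Check if mask is valid */
+all_nums = 1;
+for (i = 0; *(mask + i) != '\0'; i++)
+if (!isdigit((unsigned char)*(mask + i)) && (*(mask + i) != '.')
+&& (*(mask + i) != '/'))
+all_nums = 0; /*< No longer only digits */
+if (!all_nums) {
+debug(LOG_ERR, "Invalid mask %s", mask);
+return -3; /*< Fail */
+}
+} else {
 debug(LOG_ERR, "Invalid or unexpected keyword %s, "
-"expecting \"to\"", other_kw);
+"expecting \"to\" or \"to-ipset\"", other_kw);
 return -4; /*< Fail */
 }
-
-/* Get port now */
-mask = leftover;
 TO_NEXT_WORD(leftover, finished);
+if (!finished) {
+debug(LOG_WARNING, "Ignoring trailining string after successfully parsing rule: %s",
+leftover);
+}
 }
-
 /* Generate rule record */
 tmp = safe_malloc(sizeof(t_firewall_rule));
 memset((void *)tmp, 0, sizeof(t_firewall_rule));
 tmp->target = target;
+tmp->mask_is_ipset = mask_is_ipset;
 if (protocol != NULL)
 tmp->protocol = safe_strdup(protocol);
 if (port != NULL)
@@ -574,7 +598,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 tmp->mask = safe_strdup(mask);
 
 debug(LOG_DEBUG, "Adding Firewall Rule %s %s port %s to %s", token, tmp->protocol, tmp->port, tmp->mask);
-
+
 /* Append the rule record */
 if (config.rulesets == NULL) {
 config.rulesets = safe_malloc(sizeof(t_firewall_ruleset));
@@ -606,7 +630,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 tmp2 = tmp2->next;
 tmp2->next = tmp;
 }
-
+
 return 1;
 }
 
@@ -810,11 +834,11 @@ parse_boolean_value(char *line)
 
 /* Parse possiblemac to see if it is valid MAC address format */
 int check_mac_format(char *possiblemac) {
-char hex2[3];
-return
-sscanf(possiblemac,
-"%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]",
-hex2,hex2,hex2,hex2,hex2,hex2) == 6;
+char hex2[3];
+return
+sscanf(possiblemac,
+"%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]",
+hex2,hex2,hex2,hex2,hex2,hex2) == 6;
 }
 
 void parse_trusted_mac_list(const char *ptr) {
@@ -832,11 +856,10 @@ void parse_trusted_mac_list(const char *ptr) {
 
 while ((possiblemac = strsep(&ptrcopy, ", "))) {
 /* check for valid format */
-
-if (!check_mac_format(possiblemac)) {
-debug(LOG_ERR, "[%s] not a valid MAC address to trust. See option TrustedMACList in wifidog.conf for correct this mistake.", possiblemac);
-return;
-} else {
+if (!check_mac_format(possiblemac)) {
+debug(LOG_ERR, "[%s] not a valid MAC address to trust. See option TrustedMACList in wifidog.conf for correct this mistake.", possiblemac);
+return;
+} else {
 if (sscanf(possiblemac, " %17[A-Fa-f0-9:]", mac) == 1) {
 /* Copy mac to the list */
 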
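Review bot: The keyword tests at new lines 562 and 564 use `strncmp` prefix matches where the removed line 552 used an exact `strcmp`, so a token such as `to-ipsets` or `tox` is accepted as `to-ipset` / `to`, and the `tcp`/`udp` check at line 536 accepts `tcpx` the same way. Since `TO_NEXT_WORD` appears to leave `other_kw` NUL-terminated, `strcmp(other_kw, "to-ipset") == 0`, `strcmp(other_kw, "to") == 0` and `strcmp(protocol, "tcp") == 0 || strcmp(protocol, "udp") == 0` give the exact match the comment at line 555 promises. The `to-ipset` branch also stores `mask` without any check even though the comment at line 559 says validity is checked in the next section; that value is later placed into an iptables command string (see src/fw_iptables.c on this page), so it should be limited to the characters legal in an ipset name and rejected when empty, in the same style as the netmask check in the `to` branch. The new `LOG_WARNING` text at line 582 has a typo, `trailining` → `trailing`. `_parse_firewall_rule` begins and ends outside the hunk.
```c
if (strcmp(other_kw, "to-ipset") == 0 && !finished) {
    /* The ipset name is interpolated into an iptables command: accept only a safe charset */
    all_nums = 1;
    for (i = 0; *(mask + i) != '\0'; i++)
        if (!isalnum((unsigned char)*(mask + i)) && (*(mask + i) != '-')
            && (*(mask + i) != '_') && (*(mask + i) != '.'))
            all_nums = 0; /*< Not a plain ipset name character */
    if (!all_nums || *mask == '\0') {
        debug(LOG_ERR, "ERROR: wifidog config file, section FirewallRuleset %s. Invalid ipset name %s", ruleset, mask);
        return -3; /*< Fail */
    }
    mask_is_ipset = 1;
} else if (strcmp(other_kw, "to") == 0 && !finished) {
/* … unchanged: netmask validation and the "unexpected keyword" error branch … */
```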

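--- a/src/conf.h
+++ b/src/conf.h
@@ -111,6 +111,7 @@ typedef struct _firewall_rule_t {
 char *protocol; /**< @brief tcp, udp, etc ... */
 char *port; /**< @brief Port to block/allow */
 char *mask; /**< @brief Mask for the rule *destination* */
+int mask_is_ipset; /**< @brief *destination* is ipset */
 struct _firewall_rule_t *next;
 } t_firewall_rule;
 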
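Review bot: The doc comment on the new `mask_is_ipset` field at line 114 does not say how it changes the meaning of the `mask` field above it, which keeps its `Mask for the rule *destination*` description even though the conf.c change on this page stores an ipset name there when the flag is set. Suggest `/**< @brief Non-zero when mask holds an ipset name rather than an address/netmask */` so a reader of the struct sees that `mask` is overloaded. The struct definition starts outside the hunk.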

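--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
@@ -170,8 +170,13 @@ iptables_compile(const char * table, const char *chain, const t_firewall_rule *r
 
 snprintf(command, sizeof(command), "-t %s -A %s ",table, chain);
 if (rule->mask != NULL) {
-snprintf((command + strlen(command)), (sizeof(command) -
+if (rule->mask_is_ipset) {
+snprintf((command + strlen(command)), (sizeof(command) -
+strlen(command)), "-m set --match-set %s dst ", rule->mask);
+} else {
+snprintf((command + strlen(command)), (sizeof(command) -
 strlen(command)), "-d %s ", rule->mask);
+}
 }
 if (rule->protocol != NULL) {
 snprintf((command + strlen(command)), (sizeof(command) -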
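Review bot: The new `snprintf` call at lines 174–175 (and the re-indented `-d` call at 177–178) discards its return value, so a `rule->mask` long enough to exhaust `command` is silently truncated and a partial `--match-set` or `-d` option is handed to iptables; capturing `int n = snprintf(...)` and treating `n < 0 || (size_t)n >= sizeof(command) - strlen(command)` as a failure of the compile step would make that loud instead. This matters more now that `mask` may be an ipset name, which the src/conf.c change on this page accepts without any character or length check, so whatever the config supplies reaches the command string verbatim. The `command` buffer and the rest of `iptables_compile` are declared outside the hunk.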

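--- a/src/http.c
+++ b/src/http.c
@@ -133,6 +133,7 @@ http_callback_404(httpd *webserver, request *r)
 r->clientAddr,
 mac,
 url);
+free(mac);
 }
 
 debug(LOG_INFO, "Check host %s is in whitelist or not", r->request.host); // eg. www.example.com
@@ -214,7 +215,7 @@ void http_send_redirect_to_auth(request *r, const char *urlFragment, const char
 protocol = "http";
 port = auth_server->authserv_http_port;
 }
-
+
 char *url = NULL;
 safe_asprintf(&url, "%s://%s:%d%s%s",
 protocol,
@@ -278,11 +279,11 @@ http_callback_auth(httpd *webserver, request *r)
 char *ip = safe_strdup(client->ip);
 char *urlFragment = NULL;
 t_auth_serv *auth_server = get_auth_server();
-
+
 fw_deny(client->ip, client->mac, client->fw_connection_state);
 client_list_delete(client);
 debug(LOG_DEBUG, "Got logout from %s", ip);
-
+
 /* Advertise the logout if we have an auth server */
 if (config->auth_servers != NULL) {
 UNLOCK_CLIENT_LIST();
@@ -354,4 +355,3 @@ void send_http_page(request *r, const char *title, const char* message)
 httpdOutput(r, buffer);
 free(buffer);
 }
-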
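Review bot: The new `free(mac)` at line 136 releases `mac` inside the block that logs it, but both the block and the declaration of `mac` begin outside the hunk, so it is not visible here whether `mac` is referenced again after the closing brace on line 137; if it is, this becomes a use-after-free, and if `mac` is declared at function scope, `mac = NULL;` after the free is cheap insurance either way. It is also worth confirming that every other exit path of the function frees `mac`, since this hunk only fixes the one shown. `http_callback_404` begins and ends outside the hunk.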

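--- a/wifidog.conf
+++ b/wifidog.conf
@@ -292,6 +292,13 @@ FirewallRuleSet known-users {
 #
 # XXX The redirect code adds the Default DROP clause.
 FirewallRuleSet unknown-users {
+# Use to-ipset to block or allow externally specified hosts.
+# Ipsets are created with the ipset utility. This is useful to
+# block or allow hosts at runtime externally.
+# For example, if your auth server requires users to log in
+# via Facebook, use the ipset feature built into dnsmasq to
+# to populate a list of various IPs used by the Facebook networks.
+#FirewallRule allow to-ipset fb
 FirewallRule allow udp port 53
 FirewallRule allow tcp port 53
 FirewallRule allow udp port 67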
