From 5b4ee05e58777606c988c099139adb25633b50c3 Mon Sep 17 00:00:00 2001
From: Ermal <eri@pfsense.org>
Date: Tue, 5 Jun 2012 19:38:04 +0000
Subject: Import OpenVPN cisco style radius attributes applying policy to
 logged in users. Feature #2100

---
 etc/inc/openvpn.attributes.php       | 186 +++++++++++++++++++++++++++++++++++
 usr/local/sbin/openvpn.attributes.sh |  16 +++
 2 files changed, 202 insertions(+)
 create mode 100644 etc/inc/openvpn.attributes.php
 create mode 100644 usr/local/sbin/openvpn.attributes.sh

diff --git a/etc/inc/openvpn.attributes.php b/etc/inc/openvpn.attributes.php
new file mode 100644
index 0000000..b847013
--- /dev/null
+++ b/etc/inc/openvpn.attributes.php
@@ -0,0 +1,186 @@
+<?php
+/*
+        filter.inc
+        Copyright (C) 2011-2012         Ermal Luçi
+        All rights reserved.
+
+        Redistribution and use in source and binary forms, with or without
+        modification, are permitted provided that the following conditions are met:
+
+        1. Redistributions of source code must retain the above copyright notice,
+           this list of conditions and the following disclaimer.
+
+        2. Redistributions in binary form must reproduce the above copyright
+           notice, this list of conditions and the following disclaimer in the
+           documentation and/or other materials provided with the distribution.
+
+        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+        POSSIBILITY OF SUCH DAMAGE.
+*/
+
+if (empty($common_name)) {
+	$common_name = getenv("common_name");
+	if (empty($common_name))
+		$common_name = getenv("username");
+}
+
+$devname = getenv("dev");
+if (empty($devname))
+	$devname = "openvpn";
+
+function cisco_to_cidr($addr) {
+	if (!is_ipaddr($addr))
+		return 0;
+	$mask = decbin(~ip2long($addr));
+	$mask = substr($mask, -32);
+	$k = 0;
+	for ($i = 0; $i <= 32; $i++) {
+		$k += intval($mask[$i]);
+	}
+	return $k;
+}
+
+function cisco_extract_index($prule) {
+	
+	$index = explode("#", $prule);
+	if (is_numeric($index[1]))
+		return intval($index[1]);
+	else
+		syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
+	return -1;;
+}
+
+function parse_cisco_acl($attribs) {
+	global $devname, $attributes;
+	if (!is_array($attribs))
+		return "";
+	$finalrules = "";
+	if (is_array($attribs['ciscoavpair'])) {
+		$inrules = array();
+		$outrules = array();
+		foreach ($attribs['ciscoavpair'] as $avrules) {
+			$rule = explode("=", $avrules);
+			$dir = "";
+			if (strstr($rule[0], "inacl")) {
+				$dir = "in";
+			} else if (strstr($rule[0], "outacl"))
+				$dir = "out";
+			else if (strstr($rule[0], "dns-servers")) {
+				$attributes['dns-servers'] = explode(" ", $rule[1]);
+				continue;
+			} else if (strstr($rule[0], "route")) {
+				if (!is_array($attributes['routes']))
+					$attributes['routes'] = array();
+				$attributes['routes'][] = $route[1];
+				continue;
+			}	
+			$rindex = cisco_extract_index($rule[0]);
+			if ($rindex < 0)
+				continue;
+
+			$rule = $rule[1];
+			$rule = explode(" ", $rule);
+			$tmprule = "";
+			$index = 0;
+			$isblock = false;
+			if ($rule[$index] == "permit")
+				$tmprule = "pass {$dir} quick on {$devname} ";
+			else if ($rule[$index] == "deny") {
+				//continue;
+				$isblock = true;
+				$tmprule = "block {$dir} quick on {$devname} ";
+			} else {
+				continue;
+			}
+
+			$index++;
+
+			switch ($rule[$index]) {
+			case "tcp":
+			case "udp":
+				$tmprule .= "proto {$rule[$index]} ";
+				break;
+				
+			}
+
+			$index++;
+			/* Source */
+			if (trim($rule[$index]) == "host") {
+				$index++;
+				$tmprule .= "from {$rule[$index]} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			} else if (trim($rule[$index]) == "any") {
+				$tmprule .= "from any";
+				$index++;
+			} else {
+				$tmprule .= "from $rule[$index]";
+				$index++;
+				$netmask = cisco_to_cidr($rule[$index]);
+				$tmprule .= "/{$netmask} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			}
+			/* Destination */
+			if (trim($rule[$index]) == "host") {
+				$index++;
+				$tmprule .= "to {$rule[$index]} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			} else if (trim($rule[$index]) == "any") {
+				$index++;
+				$tmprule .= "to any";
+			} else {
+				$tmprule .= "to $rule[$index]";
+				$index++;
+				$netmask = cisco_to_cidr($rule[$index]);
+				$tmprule .= "/{$netmask} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			}
+
+			if ($isblock == true)
+				continue;
+
+			if ($dir == "in")
+				$inrules[$rindex] = $tmprule;
+			else if ($dir == "out")
+				$outrules[$rindex] = $tmprule;
+		}
+
+
+		$state = "";
+		if (!empty($outrules))
+			$state = "no state";
+		ksort($inrules, SORT_NUMERIC);
+		foreach ($inrules as $inrule)
+			$finalrules .= "{$inrule} {$state}\n";
+		if (!empty($outrules)) {
+			ksort($outrules, SORT_NUMERIC);
+			foreach ($outrules as $outrule)
+				$finalrules .= "{$outrule} {$state}\n";
+		}
+	}
+	return $finalrules;
+}
+
+$rules = parse_cisco_acl($attributes);
+if (!empty($rules)) {
+	@file_put_contents("/tmp/{$common_name}.rules", $rules);
+	mwexec("/sbin/pfctl -a \"openvpn/{$common_name}\" -f {$g['tmp_path']}/{$common_name}.rules");
+	@unlink("{$g['tmp_path']}/{$common_name}.rules");
+}
+
+?>
diff --git a/usr/local/sbin/openvpn.attributes.sh b/usr/local/sbin/openvpn.attributes.sh
new file mode 100644
index 0000000..b88d1df
--- /dev/null
+++ b/usr/local/sbin/openvpn.attributes.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+echo $script_type > /tmp/script
+if [ "$script_type" = "client-connect" ]; then
+	if [ -f /tmp/$common_name ]; then
+		/bin/cat /tmp/$common_name > $1
+		/bin/rm /tmp/$common_name
+	fi
+elif [ "$script_type" = "client-disconnect" ]; then
+	command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
+        eval $command
+	/sbin/pfctl -k $ifconfig_pool_remote_ip
+	/sbin/pfctl -K $ifconfig_pool_remote_ip
+fi
+
+exit 0
-- 
cgit v1.1