Attachment – WiFiDog

src/fw_iptables.c

From 54bfeb9313b47a73dfbdef8b68d5011f40cad0a6 Mon Sep 17 00:00:00 2001
From: Wichert Akkerman <wichert@wiggy.net>
Date: Mon, 5 May 2008 16:41:47 +0200
Subject: [PATCH] Use gateway id in names in firewall table names

This makes it possible to run multiple gateways on the same machine.
---
 src/fw_iptables.c |  251 +++++++++++++++++++++++++++++------------------------
 src/fw_iptables.h |   22 +++---
 wifidog.conf      |    5 +-
 3 files changed, 152 insertions(+), 126 deletions(-)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index 1e25b4e..f19d485 100644

a	b
59	59	Used to supress the error output of the firewall during destruction */
60	60	static int fw_quiet = 0;
61	61
	62	/** @internal
	63	* @brief Insert $ID$ with the gateway's id in a string.
	64	*
	65	* This function can replace the input string with a new one. It assumes
	66	* the input string is dynamically allocted and can be free()ed safely.
	67	*
	68	* This function must be called with the CONFIG_LOCK held.
	69	*/
	70	static void
	71	iptables_insert_gateway_id(char **input)
	72	{
	73	char *token;
	74	const s_config *config;
	75	char *buffer;
	76
	77	if (strstr(*input, "$ID$")==NULL)
	78	return;
	79
	80
	81	while ((token=strstr(*input, "$ID$"))!=NULL)
	82	/* This string may look odd but it's standard POSIX and ISO C */
	83	memcpy(token, "%1$s", 4);
	84
	85	config = config_get_config();
	86	safe_asprintf(&buffer, *input, config->gw_id);
	87
	88	free(*input);
	89	*input=buffer;
	90	}
	91
62	92	/** @internal
63	93	* */
64	94	static int
65	95	iptables_do_command(const char *format, ...)
66	96	{
67		va_list vlist;
68		char *fmt_cmd,
69		*cmd;
70		int rc;
	97	va_list vlist;
	98	char *fmt_cmd;
	99	char *cmd;
	100	int rc;
71	101
72		va_start(vlist, format);
73		safe_vasprintf(&fmt_cmd, format, vlist);
74		va_end(vlist);
	102	va_start(vlist, format);
	103	safe_vasprintf(&fmt_cmd, format, vlist);
	104	va_end(vlist);
75	105
76		safe_asprintf(&cmd, "iptables %s", fmt_cmd);
	106	safe_asprintf(&cmd, "iptables %s", fmt_cmd);
	107	free(fmt_cmd);
77	108
78		~~free(fmt_~~cmd);
	109	iptables_insert_gateway_id(&cmd);
79	110
80		debug(LOG_DEBUG, "Executing command: %s", cmd);
81
82		rc = execute(cmd, fw_quiet);
	111	debug(LOG_DEBUG, "Executing command: %s", cmd);
83	112
84		if (rc!=0)
85		debug(LOG_ERR, "iptables comand tailed: %s", cmd);
	113	rc = execute(cmd, fw_quiet);
86	114
87		free(cmd);
	115	if (rc!=0)
	116	debug(LOG_ERR, "iptables comand failed: %s", cmd);
88	117
89		return rc;
	118	free(cmd);
	119
	120	return rc;
90	121	}
91	122
92	123	/**
…	…
189	220	iptables_fw_init(void)
190	221	{
191	222	const s_config *config;
192		~~char * gw_interface = NULL;~~
193		~~char * gw_address = NULL;~~
194	223	char * ext_interface = NULL;
195	224	int gw_port = 0;
196	225	t_trusted_mac *p;
197
	226
198	227	fw_quiet = 0;
199	228
200		LOCK_CONFIG();
201		config = config_get_config();
202		gw_interface = safe_strdup(config->gw_interface);
203		gw_address = safe_strdup(config->gw_address);
204		gw_port = config->gw_port;
205		if (config->external_interface) {
206		ext_interface = safe_strdup(config->external_interface);
207		} else {
208		ext_interface = get_ext_iface();
209		}
210		UNLOCK_CONFIG();
211
	229	LOCK_CONFIG();
	230	config = config_get_config();
	231	gw_port = config->gw_port;
	232	if (config->external_interface) {
	233	ext_interface = safe_strdup(config->external_interface);
	234	} else {
	235	ext_interface = get_ext_iface();
	236	}
	237
212	238	if (ext_interface == NULL) {
	239	UNLOCK_CONFIG();
213	240	debug(LOG_ERR, "FATAL: no external interface");
214		~~/* XXX leaks safe_strdup()'d strings */~~
215	241	return 0;
216	242	}
217		/*
218		*
219		* Everything in the MANGLE table
220		*
221		*/
	243	/*
	244	*
	245	* Everything in the MANGLE table
	246	*
	247	*/
222	248
223		/* Create new chains */
224		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
225		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
226		iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
	249	/* Create new chains */
	250	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
	251	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
	252	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
227	253
228		/* Assign links and rules to these new chains */
229		~~iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING,~~ gw_interface);
230		~~iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED,~~ gw_interface);//this rule will be inserted before the prior one
231		~~iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING,~~ gw_interface);
	254	/* Assign links and rules to these new chains */
	255	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
	256	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
	257	iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
232	258
233		for (p = config->trustedmaclist; p != NULL; p = p->next)
234		iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);
	259	for (p = config->trustedmaclist; p != NULL; p = p->next)
	260	iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);
235	261
236		/*
237		*
238		* Everything in the NAT table
239		*
240		*/
	262	/*
	263	*
	264	* Everything in the NAT table
	265	*
	266	*/
241	267
242		/* Create new chains */
243		iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
244		iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
245		iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
246		iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
247		iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
248		iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
	268	/* Create new chains */
	269	iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
	270	iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
	271	iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	272	iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
	273	iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
	274	iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
249	275
250		/* Assign links and rules to these new chains */
251		~~iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING,~~ gw_interface);
	276	/* Assign links and rules to these new chains */
	277	iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
252	278
253		~~iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER,~~ gw_address);
254		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
	279	iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
	280	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
255	281
256		iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
257		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
258		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
259		iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
	282	iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	283	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
	284	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
	285	iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
260	286
261		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
262		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
263		iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
	287	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
	288	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
	289	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
264	290
265	291
266		/*
267		*
268		* Everything in the FILTER table
269		*
270		*/
	292	/*
	293	*
	294	* Everything in the FILTER table
	295	*
	296	*/
271	297
272		/* Create new chains */
273		iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
274		iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
275		iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
276		iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
277		iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
278		iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
279		iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
	298	/* Create new chains */
	299	iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
	300	iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
	301	iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
	302	iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
	303	iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
	304	iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
	305	iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
280	306
281		/* Assign links and rules to these new chains */
	307	/* Assign links and rules to these new chains */
282	308
283		/* Insert at the beginning */
284		~~iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET,~~ gw_interface);
	309	/* Insert at the beginning */
	310	iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
285	311
286	312
287		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
	313	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
288	314
289		/* XXX: Why this? it means that connections setup after authentication
290		stay open even after the connection is done...
291		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
	315	/* XXX: Why this? it means that connections setup after authentication
	316	stay open even after the connection is done...
	317	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
292	318
293		//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
294		//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
295
296		/* TCPMSS rule for PPPoE */
297		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
	319	//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
	320	//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
298	321
299		~~iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);~~
300		~~iptables_fw_set_authservers(~~);
	322	/* TCPMSS rule for PPPoE */
	323	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
301	324
302		~~iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED~~);
303		~~iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED~~);
	325	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
	326	iptables_fw_set_authservers();
304	327
305		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
306		iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
307		iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
	328	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
	329	iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
308	330
309		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
310		iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
	331	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
	332	iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
	333	iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
311	334
312		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
313		iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
314
315		iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
316		iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
317		iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
	335	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
	336	iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
318	337
319		~~free(gw_interface~~);
320		~~free(gw_address~~);
	338	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
	339	iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
321	340
322		return 1;
	341	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
	342	iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
	343	iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
	344
	345	UNLOCK_CONFIG();
	346	return 1;
323	347	}
324	348
325	349	/** Remove the firewall rules
…	…
490	514
491	515	/* Look for outgoing traffic */
492	516	safe_asprintf(&script, "%s %s", "iptables", "-v -n -x -t mangle -L " TABLE_WIFIDOG_OUTGOING);
	517	iptables_insert_gateway_id(&script);
493	518	output = popen(script, "r");
494	519	free(script);
495	520	if (!output) {

src/fw_iptables.h

diff --git a/src/fw_iptables.h b/src/fw_iptables.h
index aaf5921..6de59b3 100644

a	b
31	31
32	32	/@{/
33	33	/*Iptable table names used by WifiDog /
34		#define TABLE_WIFIDOG_OUTGOING "WiFiDog_Outgoing"
35		#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_WIFI2Internet"
36		#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_WIFI2Router"
37		#define TABLE_WIFIDOG_INCOMING "WiFiDog_Incoming"
38		#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_AuthServers"
39		#define TABLE_WIFIDOG_GLOBAL "WiFiDog_Global"
40		#define TABLE_WIFIDOG_VALIDATE "WiFiDog_Validate"
41		#define TABLE_WIFIDOG_KNOWN "WiFiDog_Known"
42		#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_Unknown"
43		#define TABLE_WIFIDOG_LOCKED "WiFiDog_Locked"
44		#define TABLE_WIFIDOG_TRUSTED "WiFiDog_Trusted"
	34	#define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing"
	35	#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet"
	36	#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router"
	37	#define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming"
	38	#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers"
	39	#define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global"
	40	#define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate"
	41	#define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known"
	42	#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown"
	43	#define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked"
	44	#define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"
45	45	/@}/
46	46
47	47	/** Used by iptables_fw_access to select if the client should be granted of denied access */

wifidog.conf

diff --git a/wifidog.conf b/wifidog.conf
index 8c7d74d..3c6c7d3 100644

a	b
6	6	# Optional
7	7	#
8	8	# Set this to the node ID on the auth server
9		# this is used to give a customized login page to the clients and for
10		# monitoring/statistics purpose
	9	# This is used to give a customized login page to the clients and for
	10	# monitoring/statistics purpose. If you run multiple gateways on the same
	11	# machine each gateway needs to have a different gateway id.
11	12	# If none is supplied, the mac address of the GatewayInterface interface will be used,
12	13	# without the : separators
13	14

Context Navigation

Ticket #466: 0002-Use-gateway-id-in-names-in-firewall-table-names.patch

src/fw_iptables.c

src/fw_iptables.h

wifidog.conf

Download in other formats: