Ticket #92: ticket92src.diff
| File ticket92src.diff, 9.8 KB (added by gbastien, 2 years ago) |
|---|
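--- a/fw_iptables.c
+++ b/fw_iptables.c
@@ -255,10 +255,12 @@
     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
+    iptables_do_command("-t mangle -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     /* Assign links and rules to these new chains */
     iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
     iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
+    iptables_do_command("-t mangle -A PREROUTING -i %s -j " TABLE_WIFIDOG_AUTH_IS_DOWN, config->gw_interface); //this rule must be the last of the chain
     iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
 
     for (p = config->trustedmaclist; p != NULL; p = p->next)
@@ -277,6 +279,7 @@
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
+    iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     /* Assign links and rules to these new chains */
     iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
@@ -291,9 +294,12 @@
 
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
+    iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTH_IS_DOWN);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
+    iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0x%u -j ACCEPT", FW_MARK_AUTHISDOWN);
 
+
     /*
      *
      * Everything in the FILTER table
@@ -308,6 +314,7 @@
     iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
     iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
     iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
+    iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     /* Assign links and rules to these new chains */
 
@@ -343,6 +350,9 @@
     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
     iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
 
+    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_AUTH_IS_DOWN, FW_MARK_AUTHISDOWN);
+    iptables_load_ruleset("filter", "auth-is-down", TABLE_WIFIDOG_AUTH_IS_DOWN);
+
     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
     iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
     iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
@@ -371,12 +381,15 @@
     iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_TRUSTED);
     iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_OUTGOING);
     iptables_fw_destroy_mention("mangle", "POSTROUTING", TABLE_WIFIDOG_INCOMING);
+    iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_AUTH_IS_DOWN);
     iptables_do_command("-t mangle -F " TABLE_WIFIDOG_TRUSTED);
     iptables_do_command("-t mangle -F " TABLE_WIFIDOG_OUTGOING);
     iptables_do_command("-t mangle -F " TABLE_WIFIDOG_INCOMING);
+    iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
     iptables_do_command("-t mangle -X " TABLE_WIFIDOG_TRUSTED);
     iptables_do_command("-t mangle -X " TABLE_WIFIDOG_OUTGOING);
     iptables_do_command("-t mangle -X " TABLE_WIFIDOG_INCOMING);
+    iptables_do_command("-t mangle -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     /*
      *
@@ -391,12 +404,14 @@
     iptables_do_command("-t nat -F " TABLE_WIFIDOG_WIFI_TO_INTERNET);
     iptables_do_command("-t nat -F " TABLE_WIFIDOG_GLOBAL);
     iptables_do_command("-t nat -F " TABLE_WIFIDOG_UNKNOWN);
+    iptables_do_command("-t nat -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_OUTGOING);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_ROUTER);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_GLOBAL);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_UNKNOWN);
+    iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     /*
      *
@@ -412,6 +427,7 @@
     iptables_do_command("-t filter -F " TABLE_WIFIDOG_VALIDATE);
     iptables_do_command("-t filter -F " TABLE_WIFIDOG_KNOWN);
     iptables_do_command("-t filter -F " TABLE_WIFIDOG_UNKNOWN);
+    iptables_do_command("-t filter -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_LOCKED);
@@ -419,6 +435,7 @@
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_VALIDATE);
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_KNOWN);
     iptables_do_command("-t filter -X " TABLE_WIFIDOG_UNKNOWN);
+    iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
     return 1;
 }
@@ -510,6 +527,20 @@
     return rc;
 }
 
+/** Set a mark when auth server is not reachable */
+int
+iptables_fw_auth_unreachable(int tag)
+{
+    return iptables_do_command("-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -j MARK --set-mark 0x%u", tag);
+}
+
+/** Remove mark when auth server is reachable again */
+int
+iptables_fw_auth_reachable(void)
+{
+    return iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
+}
+
 /** Update the counters of all the clients in the client list */
 int
 iptables_fw_counters_update(void)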
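Review bot: The MARK rule installed by iptables_fw_auth_unreachable at new line 534 (`-t mangle -A WiFiDog_AuthIsDown -j MARK --set-mark 0x%u`) has no match clause, and the chain it lives in is appended as the last PREROUTING jump (line 263, "must be the last of the chain"), so while the auth server is down it overwrites whatever mark the TRUSTED and OUTGOING chains set earlier in PREROUTING; the filter table at lines 350–356 dispatches on those marks, so a client carrying FW_MARK_LOCKED is re-marked 253 and lands in the `auth-is-down` ruleset instead of its lockout, and known clients stop matching the KNOWN rule. Restrict the rule to packets that are still unmarked: `return iptables_do_command("-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0x0 -j MARK --set-mark 0x%u", tag);`. The `0x%u` conversion is fed an `int tag`; passing `(unsigned)tag` keeps format and argument in agreement. The LOCKED dispatch rule itself is outside these hunks, but since the overwrite happens in mangle it is bypassed regardless of where that rule sits in the filter chain.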
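--- a/fw_iptables.h
+++ b/fw_iptables.h
@@ -42,6 +42,7 @@
 #define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown"
 #define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked"
 #define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"
+#define TABLE_WIFIDOG_AUTH_IS_DOWN "WiFiDog_$ID$_AuthIsDown"
 /*@}*/
 
 /** Used by iptables_fw_access to select if the client should be granted of denied access */
@@ -68,6 +69,13 @@
 /** @brief Define the access of a specific client */
 int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag);
 
+/** @brief Set a mark when auth server is not reachable */
+int iptables_fw_auth_unreachable(int tag);
+
+/** @brief Remove mark when auth server is reachable again */
+int iptables_fw_auth_reachable(void);
+
 /** @brief All counters in the client list */
 int iptables_fw_counters_update(void);
 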
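--- a/firewall.c
+++ b/firewall.c
@@ -111,6 +111,24 @@
     return iptables_fw_access(FW_ACCESS_DENY, ip, mac, fw_connection_state);
 }
 
+/** Passthrough for clients when auth server is down */
+int
+fw_set_authdown(void)
+{
+    debug(LOG_DEBUG, "Marking auth server down");
+
+    return iptables_fw_auth_unreachable(FW_MARK_AUTHISDOWN);
+}
+
+/** Remove passthrough for clients when auth server is up */
+int
+fw_set_authup(void)
+{
+    debug(LOG_DEBUG, "Marking auth server up again");
+
+    return iptables_fw_auth_reachable();
+}
+
 /* XXX DCY */
 /**
  * Get an IP's MAC address from the ARP cache.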
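Review bot: The header comments on fw_set_authdown (line 114) and fw_set_authup (line 123) do not state what "passthrough" means for the gateway's security posture: once the mark rule is installed, client traffic is steered into whatever the `auth-is-down` ruleset permits instead of being redirected to the login page, i.e. the gateway fails open until fw_set_authup is called. That is the deliberate choice of this ticket, but it belongs where the next maintainer will read it: `/** Fail open: while the auth server is unreachable, clients are marked FW_MARK_AUTHISDOWN and handled by the auth-is-down ruleset instead of the captive portal. Returns the status of the underlying iptables command; 0 is not guaranteed to mean the rule is active unless the caller checks it. */`. Both wrappers pass through the return value of iptables_fw_auth_unreachable/iptables_fw_auth_reachable, whose convention is not visible in this hunk, so callers should not assume the rule was installed or flushed without checking it.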
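--- a/firewall.h
+++ b/firewall.h
@@ -34,6 +34,7 @@
     FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated
     @todo: VERIFY THAT THIS IS ACCURATE*/
     FW_MARK_KNOWN = 2, /**< @brief The client is known to the firewall */
+    FW_MARK_AUTHISDOWN = 253, /**< @brief The auth server is not reachable */
     FW_MARK_LOCKED = 254 /**< @brief The client has been locked out */
 } t_fw_marks;
 
@@ -55,6 +56,13 @@
 /** @brief Deny a client access through the firewall*/
 int fw_deny(char *ip, char *mac, int profile);
 
+/** @brief Passthrough for clients when auth server is down */
+int fw_set_authdown(void);
+
+/** @brief Remove passthrough for clients when auth server is up */
+int fw_set_authup(void);
+
 /** @brief Refreshes the entire client list */
 void fw_sync_with_authserver(void);
 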
util.c
224 224 225 225 strcpy(ifr.ifr_name, ifname); 226 226 227 s = socket(PF_ INET, SOCK_DGRAM, 0);227 s = socket(PF_PACKET, SOCK_DGRAM, 0); 228 228 if (-1 == s) { 229 229 debug(LOG_ERR, "get_iface_mac socket: %s", strerror(errno)); 230 230 return NULL; -
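Review bot: The rendered page does not preserve which side of line 227 is old, but if the new side is `socket(PF_PACKET, SOCK_DGRAM, 0)`, creating a PF_PACKET socket requires CAP_NET_RAW, whereas the interface ioctl this function presumably issues afterwards works on an ordinary PF_INET datagram socket; the change would therefore raise the privilege the gateway needs to run, with no reason recorded in the hunk. If the motivation is hosts where an IPv4 socket cannot be created, say so next to the call, e.g. `/* PF_PACKET: usable without IPv4 configured, but needs CAP_NET_RAW */`, and consider falling back to PF_INET when the PF_PACKET socket is refused with EPERM. get_iface_mac starts and ends outside the hunk.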
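--- a/ping_thread.c
+++ b/ping_thread.c
@@ -51,10 +51,12 @@
 #include "ping_thread.h"
 #include "util.h"
 #include "centralserver.h"
+#include "firewall.h"
 
 static void ping(void);
 
 extern time_t started_time;
+static int authdown = 0;
 
 /** Launches a thread that periodically checks in with the wifidog auth server to perform heartbeat function.
 @param arg NULL
@@ -118,6 +120,10 @@
     /*
      * No auth servers for me to talk to
      */
+    if (!authdown) {
+        fw_set_authdown();
+        authdown = 1;
+    }
     return;
 }
 
@@ -223,9 +229,17 @@
     if (strstr(request, "Pong") == 0) {
         debug(LOG_WARNING, "Auth server did NOT say pong!");
         /* FIXME */
+        if (!authdown) {
+            fw_set_authdown();
+            authdown = 1;
+        }
     }
     else {
         debug(LOG_DEBUG, "Auth Server Says: Pong");
+        if (authdown) {
+            fw_set_authup();
+            authdown = 0;
+        }
     }
 
     return;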
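Review bot: At new lines 124, 233 and 240 the return value of fw_set_authdown()/fw_set_authup() is discarded and `authdown` is flipped unconditionally, so a failed iptables command desynchronises the flag from the firewall: a failed flush at 240 leaves the passthrough mark rule installed while `authdown == 0` says the server is back, and it is never retried. Assuming iptables_do_command returns 0 on success, guard the state change on it — `if (!authdown && fw_set_authdown() == 0) authdown = 1;` and `if (authdown && fw_set_authup() == 0) authdown = 0;` — and log the failure on the other branch. The `/* FIXME */` at 231 now sits above working code and should either say what is still missing or be removed. Note that the "No auth servers for me to talk to" branch (120–126) appears to open the gateway permanently when no auth server is configured at all; if that is intended it deserves a comment, and the enclosing function starts outside the hunk.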
