Ticket #92: ticket92src.diff

File ticket92src.diff, 9.8 KB (added by gbastien, 12 years ago)

patch in src directory

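--- a/fw_iptables.c
+++ b/fw_iptables.c
@@ -255,10 +255,12 @@
         iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
         iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
         iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
+        iptables_do_command("-t mangle -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         /* Assign links and rules to these new chains */
         iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
         iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
+        iptables_do_command("-t mangle -A PREROUTING -i %s -j " TABLE_WIFIDOG_AUTH_IS_DOWN, config->gw_interface); //this rule must be the last of the chain
         iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
 
         for (p = config->trustedmaclist; p != NULL; p = p->next)
@@ -277,6 +279,7 @@
         iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
         iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
         iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
+        iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         /* Assign links and rules to these new chains */
         iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
@@ -291,9 +294,12 @@
 
         iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
         iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
+        iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTH_IS_DOWN);
         iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
+        iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0x%u -j ACCEPT", FW_MARK_AUTHISDOWN);
 
+
         /*
          *
          * Everything in the FILTER table
@@ -308,6 +314,7 @@
         iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
         iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
         iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
+        iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         /* Assign links and rules to these new chains */
 
@@ -343,6 +350,9 @@
         iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
         iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
 
+        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_AUTH_IS_DOWN, FW_MARK_AUTHISDOWN);
+        iptables_load_ruleset("filter", "auth-is-down", TABLE_WIFIDOG_AUTH_IS_DOWN);
+
         iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
         iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
         iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
@@ -371,12 +381,15 @@
         iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_TRUSTED);
         iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_OUTGOING);
         iptables_fw_destroy_mention("mangle", "POSTROUTING", TABLE_WIFIDOG_INCOMING);
+        iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_AUTH_IS_DOWN);
         iptables_do_command("-t mangle -F " TABLE_WIFIDOG_TRUSTED);
         iptables_do_command("-t mangle -F " TABLE_WIFIDOG_OUTGOING);
         iptables_do_command("-t mangle -F " TABLE_WIFIDOG_INCOMING);
+        iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
         iptables_do_command("-t mangle -X " TABLE_WIFIDOG_TRUSTED);
         iptables_do_command("-t mangle -X " TABLE_WIFIDOG_OUTGOING);
         iptables_do_command("-t mangle -X " TABLE_WIFIDOG_INCOMING);
+        iptables_do_command("-t mangle -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         /*
          *
@@ -391,12 +404,14 @@
         iptables_do_command("-t nat -F " TABLE_WIFIDOG_WIFI_TO_INTERNET);
         iptables_do_command("-t nat -F " TABLE_WIFIDOG_GLOBAL);
         iptables_do_command("-t nat -F " TABLE_WIFIDOG_UNKNOWN);
+        iptables_do_command("-t nat -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTHSERVERS);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_OUTGOING);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_ROUTER);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_GLOBAL);
         iptables_do_command("-t nat -X " TABLE_WIFIDOG_UNKNOWN);
+        iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         /*
          *
@@ -412,6 +427,7 @@
         iptables_do_command("-t filter -F " TABLE_WIFIDOG_VALIDATE);
         iptables_do_command("-t filter -F " TABLE_WIFIDOG_KNOWN);
         iptables_do_command("-t filter -F " TABLE_WIFIDOG_UNKNOWN);
+        iptables_do_command("-t filter -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTHSERVERS);
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_LOCKED);
@@ -419,6 +435,7 @@
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_VALIDATE);
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_KNOWN);
         iptables_do_command("-t filter -X " TABLE_WIFIDOG_UNKNOWN);
+        iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
         return 1;
 }
@@ -510,6 +527,20 @@
         return rc;
 }
 
+/** Set a mark when auth server is not reachable */
+        int
+iptables_fw_auth_unreachable(int tag)
+{
+        return iptables_do_command("-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -j MARK --set-mark 0x%u", tag);
+}
+
+/** Remove mark when auth server is reachable again */
+        int
+iptables_fw_auth_reachable(void)
+{
+        return iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
+}
+
 /** Update the counters of all the clients in the client list */
         int
 iptables_fw_counters_update(void)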
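Review bot: The MARK rule added in iptables_fw_auth_unreachable (new line 534, `-j MARK --set-mark 0x%u` with no match expression) rewrites the mark of every packet that reaches TABLE_WIFIDOG_AUTH_IS_DOWN, and because the jump at new line 263 is deliberately appended after the TABLE_WIFIDOG_OUTGOING jump, it replaces whatever per-client mark the earlier mangle chains set; the filter rules that key on those marks (the FW_MARK_KNOWN rule at new line 350, and any FW_MARK_LOCKED rule if one exists outside these hunks) then never match while the auth server is down, so a locked-out client would receive the auth-is-down passthrough as well. Unless overriding client state during an outage is intended, restrict the rule to packets that carry no mark yet: `return iptables_do_command("-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0 -j MARK --set-mark 0x%u", tag);`. Separately, `-A` makes iptables_fw_auth_unreachable non-idempotent — a second call without the flush done by iptables_fw_auth_reachable stacks duplicate rules — which the doc comment should state, e.g. `/** Set a mark when auth server is not reachable. Appends a rule; call at most once before iptables_fw_auth_reachable() */`.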
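--- a/fw_iptables.h
+++ b/fw_iptables.h
@@ -42,6 +42,7 @@
 #define TABLE_WIFIDOG_UNKNOWN   "WiFiDog_$ID$_Unknown"
 #define TABLE_WIFIDOG_LOCKED    "WiFiDog_$ID$_Locked"
 #define TABLE_WIFIDOG_TRUSTED    "WiFiDog_$ID$_Trusted"
+#define TABLE_WIFIDOG_AUTH_IS_DOWN "WiFiDog_$ID$_AuthIsDown"
 /*@}*/
 
 /** Used by iptables_fw_access to select if the client should be granted of denied access */
@@ -68,6 +69,12 @@
 /** @brief Define the access of a specific client */
 int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag);
 
+/** @brief Set a mark when auth server is not reachable */
+int iptables_fw_auth_unreachable(int tag);
+
+/** @brief Remove mark when auth server is reachable again */
+int iptables_fw_auth_reachable(void);
+
 /** @brief All counters in the client list */
 int iptables_fw_counters_update(void);
 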
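--- a/firewall.c
+++ b/firewall.c
@@ -111,6 +111,24 @@
     return iptables_fw_access(FW_ACCESS_DENY, ip, mac, fw_connection_state);
 }
 
+/** Passthrough for clients when auth server is down */
+int
+fw_set_authdown(void)
+{
+        debug(LOG_DEBUG, "Marking auth server down");
+
+        return iptables_fw_auth_unreachable(FW_MARK_AUTHISDOWN);
+}
+
+/** Remove passthrough for clients when auth server is up */
+int
+fw_set_authup(void)
+{
+        debug(LOG_DEBUG, "Marking auth server up again");
+
+        return iptables_fw_auth_reachable();
+}
+
 /* XXX DCY */
 /**
  * Get an IP's MAC address from the ARP cache.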
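Review bot: The bodies of fw_set_authdown and fw_set_authup (new lines 118–120 and 127–129) are indented with a tab, rendered as eight columns, while the surrounding firewall.c code uses four spaces (see the `return iptables_fw_access(...)` context line at 111); reindent the new bodies to match the file. The doc comments also leave the return value undocumented even though callers in ping_thread.c are expected to act on it; since both functions only pass through the iptables_fw_* result, add `@return the result of iptables_fw_auth_unreachable()` and `@return the result of iptables_fw_auth_reachable()` respectively, and state there what value means success once that is confirmed against iptables_do_command.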
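--- a/firewall.h
+++ b/firewall.h
@@ -34,6 +34,7 @@
     FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated
                             @todo: VERIFY THAT THIS IS ACCURATE*/
     FW_MARK_KNOWN = 2,  /**< @brief The client is known to the firewall */
+    FW_MARK_AUTHISDOWN = 253,  /**< @brief The auth server is not reachable */
     FW_MARK_LOCKED = 254 /**< @brief The client has been locked out */
 } t_fw_marks;
 
@@ -55,6 +56,12 @@
 /** @brief Deny a client access through the firewall*/
 int fw_deny(char *ip, char *mac, int profile);
 
+/** @brief Passthrough for clients when auth server is down */
+int fw_set_authdown(void);
+
+/** @brief Remove passthrough for clients when auth server is up */
+int fw_set_authup(void);
+
 /** @brief Refreshes the entire client list */
 void fw_sync_with_authserver(void);
 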
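--- a/util.c
+++ b/util.c
@@ -224,7 +224,7 @@
 
         strcpy(ifr.ifr_name, ifname);
 
-        s = socket(PF_INET, SOCK_DGRAM, 0);
+        s = socket(PF_PACKET, SOCK_DGRAM, 0);
         if (-1 == s) {
                 debug(LOG_ERR, "get_iface_mac socket: %s", strerror(errno));
                 return NULL;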
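Review bot: Switching the socket in get_iface_mac from PF_INET to PF_PACKET at new line 227 changes the privilege the function needs: opening a PF_PACKET socket requires CAP_NET_RAW, whereas an AF_INET datagram socket is enough for interface ioctls such as SIOCGIFHWADDR, which the `ifr.ifr_name` setup at line 225 suggests is what this socket is used for (the ioctl and the rest of get_iface_mac are outside the hunk). The hunk is also unrelated to the auth-is-down feature the rest of the patch adds, so if the change works around a platform where PF_INET fails, a comment should say so and name the cost, e.g. `/* PF_PACKET needs CAP_NET_RAW; required here because <reason> */`, rather than silently tying the function to running as root. Adjacent but unchanged: `strcpy(ifr.ifr_name, ifname)` at line 225 is an unbounded copy into an IFNAMSIZ buffer; `snprintf(ifr.ifr_name, sizeof ifr.ifr_name, "%s", ifname);` bounds it.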
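--- a/ping_thread.c
+++ b/ping_thread.c
@@ -51,10 +51,12 @@
 #include "ping_thread.h"
 #include "util.h"
 #include "centralserver.h"
+#include "firewall.h"
 
 static void ping(void);
 
 extern time_t started_time;
+static int authdown = 0;
 
 /** Launches a thread that periodically checks in with the wifidog auth server to perform heartbeat function.
 @param arg NULL
@@ -118,6 +120,10 @@
                 /*
                  * No auth servers for me to talk to
                  */
+                if (!authdown) {
+                        fw_set_authdown();
+                        authdown = 1;
+                }
                 return;
         }
 
@@ -223,9 +229,17 @@
         if (strstr(request, "Pong") == 0) {
                 debug(LOG_WARNING, "Auth server did NOT say pong!");
                 /* FIXME */
+                if (!authdown) {
+                        fw_set_authdown();
+                        authdown = 1;
+                }
         }
         else {
                 debug(LOG_DEBUG, "Auth Server Says: Pong");
+                if (authdown) {
+                        fw_set_authup();
+                        authdown = 0;
+                }
         }
 
         return;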
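Review bot: In both places where the server is marked down (new lines 123–126 and 232–235) `fw_set_authdown()` is called and `authdown = 1` is set without looking at the return value, so if the iptables command fails the thread records the server as down while no passthrough rule exists, and the `!authdown` guard then prevents any retry on later pings; the mirror case at 239–242 clears `authdown` after a possibly failed `fw_set_authup()`, leaving the passthrough in place with the flag saying it is gone. Only update the flag on success, e.g. `if (!authdown && fw_set_authdown() == 0) authdown = 1;` and `if (authdown && fw_set_authup() == 0) authdown = 0;`, assuming iptables_do_command returns 0 on success, which should be confirmed against its definition outside this patch. The body of ping() runs outside these hunks; if it has other failure returns between them (for example on connect or read errors), those paths never mark the server down, which is worth checking given that only the "no auth servers" and "no Pong" cases are handled here.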