Changeset 1241 for trunk/wifidog/src/fw_iptables.c

Timestamp:

06/24/07 00:13:13 (6 years ago)

Author:

benoitg

Message:

• Close #321: Make the Gateway retry forever if it cannot find it's interface. You never know when someone may finally replug the network cable or something...
• Close #332: Apply patch from Laurent Marchal. biguphpc<AT>gmail<DOT>com
• fw_iptables.c: Fix error in iptables_fw_access(). Rules were created as ACCEPT instead of DROP
• firewall.c: Fix bug in fw_sync_with_authserver(). The traffic for the validation period of a user who validated his account while connected wouldn't get counted.
• doc/wifidog_firewall_map.dia: At long last, full documentation of the firewall. We would have avoided a lot of stupid mistakes if we produced that sooner.
• Release 1.1.3_rc1

Files:

• trunk/wifidog/src/fw_iptables.c (modified) (5 diffs)

trunk/wifidog/src/fw_iptables.c

@@ -60 +60 @@
 static int fw_quiet = 0;
 
-/** @internal */
+/** @internal 
+ * */
 static int
 iptables_do_command(char *format, ...)
@@ -219 +220 @@
                         /* Assign links and rules to these new chains */
                         iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface);
-                        iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);
+                        iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);//this rule will be inserted before the prior one
                         iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, gw_interface);
 
@@ -275 +276 @@
                         iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface);
 
-            /* TCPMSS rule for PPPoE */
+
                         iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
 
@@ -282 +283 @@
                            iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
 
-
-            if (ext_interface != NULL) {
-                            iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW,INVALID -j DROP", ext_interface);
-                            iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
-            } else {
-                /* Will this work even if we don't specify an external interface? */
-                            iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state NEW,INVALID -j DROP");
-                            iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu");
-            }
+                        //Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
+                        //iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
+            
+            /* TCPMSS rule for PPPoE */
+                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
 
                         iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
@@ -462 +459 @@
         case FW_ACCESS_DENY:
             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
-            rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);
+            rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j DROP", ip);
             break;
         default: