Changeset 935

Timestamp:

01/31/06 22:22:04 (3 years ago)

Author:

benoitg

Message:

• src/fw_iptables.c: Add the global ruleset to the nat table to fix #65.
  Add the table parameter to iptables_load_ruleset() and iptables_compile
  
• libhttpd/protocol.c: Fix pointer type mismatch
  

• src/conf.c,h: Remove deprecated option AuthServMaxTries? (which was already ignored anyway.
  

Files:

• trunk/wifidog/ChangeLog (modified) (1 diff)
• trunk/wifidog/Makefile.am (modified) (1 diff)
• trunk/wifidog/README (modified) (1 diff)
• trunk/wifidog/configure.in (modified) (1 diff)
• trunk/wifidog/libhttpd/protocol.c (modified) (2 diffs)
• trunk/wifidog/src/auth.c (modified) (1 diff)
• trunk/wifidog/src/centralserver.c (modified) (1 diff)
• trunk/wifidog/src/commandline.c (modified) (2 diffs)
• trunk/wifidog/src/conf.c (modified) (6 diffs)
• trunk/wifidog/src/conf.h (modified) (3 diffs)
• trunk/wifidog/src/firewall.c (modified) (5 diffs)
• trunk/wifidog/src/firewall.h (modified) (1 diff)
• trunk/wifidog/src/fw_iptables.c (modified) (7 diffs)
• trunk/wifidog/src/gateway.c (modified) (4 diffs)
• trunk/wifidog/src/http.c (modified) (1 diff)
• trunk/wifidog/src/util.c (modified) (2 diffs)
• trunk/wifidog/wifidog.conf (modified) (1 diff)

trunk/wifidog/ChangeLog

@@ -1 +1 @@
-# $Id$
+2006-01-31 Benoit Gr�ire  <bock@step.polymtl.ca>
+        * src/fw_iptables.c:  Add the global ruleset to the nat table to fix #65.
+        Add the table parameter to iptables_load_ruleset() and iptables_compile
+        * libhttpd/protocol.c:  Fix pointer type mismatch
+    * src/conf.c,h:  Remove deprecated option AuthServMaxTries (which was already ignored anyway.       
+        
-2006-01-23 Benoit Gr�ire  <bock@step.polymtl.ca>
-
+* 
-
-2006-01-17 Mina Naguib <mina@ilesansfil.org>

trunk/wifidog/Makefile.am

@@ -39 +39 @@
-        rpmbuild -ta ${builddir}wifidog-@VERSION@.tar.gz
-        
-
-
-
-
+#
+#
+#
+#

trunk/wifidog/README

@@ -8 +8 @@
-
-The project's homepage is:
-
-
-
-
+
-
-Mailing list interface:
-        http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
-
-
-The project's software is released under the GPL license and is copyright it's respective owners.
-

trunk/wifidog/configure.in

@@ -21 +21 @@
-WIFIDOG_MAJOR_VERSION=1
-WIFIDOG_MINOR_VERSION=1
-beta
+pre
-WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION
-

trunk/wifidog/libhttpd/protocol.c

@@ -221 +221 @@
-        int nbytesdecoded, j;
-        register char *bufin = bufcoded;
-unsigned 
+
-        register int nprbytes;
-
@@ -256 +256 @@
-        while (nprbytes > 0) 
-        {
-unsigned char)(
-unsigned char)(
-unsigned char)(
+
+
+
-                bufin += 4;
-                nprbytes -= 4;

trunk/wifidog/src/auth.c

@@ -83 +83 @@
-                debug(LOG_DEBUG, "Running fw_counter()");
-        
-count
+sync_with_authserv
-        }
-}

trunk/wifidog/src/centralserver.c

@@ -333 +333 @@
-        }
-}
-
-/* config->authserv_maxtries */

trunk/wifidog/src/commandline.c

@@ -48 +48 @@
- * 0 means normally, otherwise it will be populated by the PID of the parent
- */
-e
+_orig_pi
-
-/** @internal
@@ -134 +134 @@
-                                skiponrestart = 1;
-                                if (optarg) {
-e
+_orig_pi
-                                }
-                                else {

trunk/wifidog/src/conf.c

@@ -77 +77 @@
-        oAuthServHTTPPort,
-        oAuthServPath,
-        oAuthServMaxTries,
-        oHTTPDMaxConn,
-        oHTTPDName,
@@ -104 +103 @@
-        { "gatewayport",        oGatewayPort },
-        { "authserver",         oAuthServer },
-        { "authservmaxtries",   oAuthServMaxTries },
-        { "httpdmaxconn",       oHTTPDMaxConn },
-        { "httpdname",          oHTTPDName },
@@ -147 +145 @@
-        config.gw_port = DEFAULT_GATEWAYPORT;
-        config.auth_servers = NULL;
-        config.authserv_maxtries = DEFAULT_AUTHSERVMAXTRIES;
-        config.httpdname = NULL;
-        config.clienttimeout = DEFAULT_CLIENTTIMEOUT;
@@ -390 +387 @@
-                        switch (opcode) {
-                                case oFirewallRule:
-
+_
-                                        break;
-
@@ -413 +410 @@
-}
-
+/** @internal
+Helper for parse_firewall_ruleset.  Parses a single rule in a ruleset
+*/
-static int
-
+_
-{
-        int i;
@@ -652 +652 @@
-                                        sscanf(p1, "%d", &config.httpdmaxconn);
-                                        break;
-                                case oAuthServMaxTries:
-                                        sscanf(p1, "%d", &config.authserv_maxtries);
-                                        break;
-                                case oBadOption:
-                                        debug(LOG_ERR, "Bad option on line %d "

trunk/wifidog/src/conf.h

@@ -49 +49 @@
-/** Note:  The path must be prefixed by /, and must be suffixed /.  Put / for the server root.*/
-#define DEFAULT_AUTHSERVPATH "/wifidog/"
-#define DEFAULT_AUTHSERVMAXTRIES 1
-/*@}*/ 
-
@@ -113 +112 @@
-    int gw_port;                /**< @brief Port the webserver will run on */
-    
-    int authserv_maxtries;      /**< @brief Maximum number of auth server
-                                     connection attempts before abandoning */
-    t_auth_serv *auth_servers;  /**< @brief Auth servers list */
-    char *httpdname;            /**< @brief Name the web server will return when
@@ -158 +155 @@
-static int parse_boolean_value(char *);
-static void parse_auth_server(FILE *, char *, int *);
-
+_
-static void parse_firewall_ruleset(char *, FILE *, char *, int *);
-void parse_trusted_mac_list(char *);

trunk/wifidog/src/firewall.c

@@ -70 +70 @@
-
-/* from commandline.c */
-e
+_orig_pi
-
-int icmp_fd = 0;
@@ -162 +162 @@
-    result = iptables_fw_init();
-
-e
+_orig_pi
-                 debug(LOG_INFO, "Restoring firewall rules for clients inherited from parent");
-                 LOCK_CLIENT_LIST();
@@ -176 +176 @@
-}
-
-Clear the authserver
+Remove all auth server firewall whitelist
- */
-void
@@ -185 +185 @@
-}
-
-Set the authservers rule
+Add the necessary firewall rules to whitelist the authserver
- */
-void
@@ -214 +214 @@
- */
-void
-count
+sync_with_authserv
-{
-    t_authresponse  authresponse;

trunk/wifidog/src/firewall.h

@@ -55 +55 @@
-
-/** @brief Refreshes the entire client list */
-count
+sync_with_authserv
-
-/** @brief Get an IP's MAC address from the ARP cache.*/

trunk/wifidog/src/fw_iptables.c

@@ -50 +50 @@
-
-static int iptables_do_command(char *format, ...);
-
-
+char *, 
+, char *
-
-extern pthread_mutex_t  client_list_mutex;
@@ -90 +90 @@
- * Compiles a struct definition of a firewall rule into a valid iptables
- * command.
+ * @arg table Table containing the chain.
- * @arg chain Chain that the command will be (-A)ppended to.
- * @arg rule Definition of a rule into a struct, from conf.c.
- */
-static char *
-
+ table, char *
-{
-    char        command[MAX_BUF],
@@ -107 +108 @@
-    }
-    
-filter -A %s "
+%s -A %s ",table
-    if (rule->mask != NULL) {
-        snprintf((command + strlen(command)), (sizeof(command) - 
@@ -134 +135 @@
- * Load all the rules in a rule set.
- * @arg ruleset Name of the ruleset
+ * @arg table Table containing the chain.
- * @arg chain IPTables chain the rules go into
- */
-static void
-
-
-s
+ table, char *
+
+
-        char                    *cmd;
-
-chain %s", ruleset
+table %s, chain %s", ruleset, table
-        
-s = get_ruleset(ruleset); rules != NULL; rules = rules
-chain, rules
-%s", cmd
+ = get_ruleset(ruleset); rule != NULL; rule = rule
+table, chain, rule
+table %s, chain %s", cmd, table
-                iptables_do_command(cmd);
-                free(cmd);
-        }
-
-%s", ruleset
+table %s, chain %s", ruleset, table
-}
-
@@ -227 +229 @@
-                        iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
-                        iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
+                        iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
-                        iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
-                        iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
@@ -242 +245 @@
-
-                        iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
+                        iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
-                        iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
-
@@ -266 +270 @@
-
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
-
+filter", "
-
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
-
+
+
-
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
-
+filter", "
-
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
-
+filter", "
-    
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
-
+filter", "
-                        iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
-

trunk/wifidog/src/gateway.c

@@ -73 +73 @@
-/* from commandline.c */
-extern char ** restartargv;
-e
+_orig_pi
-t_client *firstclient;
-
@@ -95 +95 @@
-
-/* @internal
-Connects to the parent
+During gateway restart, connects to the parent process
- * Downloads from it the active client list
- */
@@ -508 +508 @@
-        init_signals();
-
-e
+_orig_pi
-                /*
-                 * We were restarted and our parent is waiting for us to talk to it over the socket
@@ -517 +517 @@
-                 * At this point the parent will start destroying itself and the firewall. Let it finish it's job before we continue
-                 */
-e
-e
+_orig_pi
+_orig_pi
-                        sleep(1);
-                }

trunk/wifidog/src/http.c

@@ -52 +52 @@
-extern pthread_mutex_t  client_list_mutex;
-
+/** The 404 handler is also responsable for redirecting to the auth server */
-void
-http_callback_404(httpd *webserver, request *r)

trunk/wifidog/src/util.c

@@ -68 +68 @@
-
-/* Defined in commandline.c */
-e
+_orig_pi
-
-/* XXX Do these need to be locked ? */
@@ -340 +340 @@
-        snprintf((buffer + len), (sizeof(buffer) - len), "Has been restarted: ");
-        len = strlen(buffer);
-e
-e
+_orig_pi
+_orig_pi
-                len = strlen(buffer);
-        }

trunk/wifidog/wifidog.conf

@@ -37 +37 @@
-# GatewayAddress 192.168.1.1
-
-# Parameter: AuthServMaxTries
-# Default: 1
-# Optional
-#
-# Sets the number of auth servers the gateway will attempt to contact when a request fails.
-# this number should be equal to the number of AuthServer lines in this
-# configuration but it should probably not exceed 3.
-
-# AuthServMaxTries 3
-
-# Parameter: AuthServer
-# Default: NONE
-
+, repeatable
-#
-Set this to the hostname or IP of your auth server, the path where
-WiFiDog-auth resides  and optionally as a second argument, the port it
-
+This allows you to configure your auth server(s).  Each one will be tried in order, untill one responds.
+Set this to the hostname or IP of your auth server(s), the path where
+WiFiDog-auth resides in and the port it 
-#AuthServer {
-#       Hostname      (Mandatory; Default: NONE)