Changeset 95
- Timestamp:
- 04/22/04 19:35:32 (9 years ago)
- Location:
- trunk/wifidog
- Files:
-
- 19 modified
-
ChangeLog (modified) (1 diff)
-
configure.in (modified) (1 diff)
-
src/Makefile.am (modified) (2 diffs)
-
src/auth.c (modified) (6 diffs)
-
src/auth.h (modified) (1 diff)
-
src/centralserver.c (modified) (3 diffs)
-
src/centralserver.h (modified) (1 diff)
-
src/common.h (modified) (2 diffs)
-
src/conf.c (modified) (5 diffs)
-
src/conf.h (modified) (2 diffs)
-
src/debug.c (modified) (2 diffs)
-
src/debug.h (modified) (1 diff)
-
src/firewall.c (modified) (18 diffs)
-
src/firewall.h (modified) (3 diffs)
-
src/fw.access (modified) (2 diffs)
-
src/fw.destroy (modified) (3 diffs)
-
src/fw.init (modified) (1 diff)
-
src/gateway.c (modified) (3 diffs)
-
src/http.c (modified) (3 diffs)
trunk/wifidog/ChangeLog
r93 r95 1 1 # $Header$ 2 2004-04-22 Philippe April <papril777@yahoo.com> 3 * Major changes, cleaned up code 4 * Changed the way firewall tags traffic 2 5 3 6 2004-04-21 Philippe April <papril777@yahoo.com> -
trunk/wifidog/configure.in
r87 r95 18 18 19 19 WIFIDOG_MAJOR_VERSION=0 20 WIFIDOG_MINOR_VERSION= 120 WIFIDOG_MINOR_VERSION=2 21 21 WIFIDOG_MICRO_VERSION=0 22 22 WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION -
trunk/wifidog/src/Makefile.am
r87 r95 19 19 centralserver.c \ 20 20 http.c \ 21 auth.c \ 22 userclasses.c 21 auth.c 23 22 24 23 noinst_HEADERS = commandline.h \ … … 30 29 centralserver.h \ 31 30 http.h \ 32 auth.h \ 33 userclasses.h 31 auth.h 34 32 -
trunk/wifidog/src/auth.c
r90 r95 63 63 { 64 64 t_node *node; 65 int profile; 66 UserClasses *tmp_uc; 67 UserRights *tmp_ur; 65 t_authresponse auth_response; 68 66 char *ip, 69 67 *mac, 70 68 *token; 69 t_node *p1; 71 70 72 71 ip = (char *)ptr; … … 86 85 pthread_mutex_unlock(&nodes_mutex); 87 86 88 profile = authenticate(ip, mac, token, 0);87 authenticate(&auth_response, ip, mac, token, 0); 89 88 90 89 pthread_mutex_lock(&nodes_mutex); … … 103 102 } 104 103 105 if ( profile == -1) {104 if (auth_response.authcode == AUTH_ERROR) { 106 105 // Error talking to central server 107 106 debug(LOG_ERR, "Got %d from central server authenticating " 108 "token %s from %s at %s", profile, node->token,107 "token %s from %s at %s", auth_response, node->token, 109 108 node->ip, node->mac); 110 109 _http_output(node->fd, "Access denied: We did not get a valid " … … 113 112 pthread_mutex_unlock(&nodes_mutex); 114 113 return; 115 } else if ( profile == 0) {114 } else if (auth_response.authcode == AUTH_DENIED) { 116 115 // Central server said invalid token 117 _http_output(node->fd, "Your authentication has failed or " 118 "timed-out. 
Please re-login"); 116 _http_output(node->fd, "Access denied"); 119 117 node->fd = 0; 120 118 pthread_mutex_unlock(&nodes_mutex); … … 124 122 /* If we get here, we've got a profile > 0 */ 125 123 126 debug(LOG_INFO, "Node %s with mac %s and profile"127 " %d validated", node->ip, node->mac, profile);124 debug(LOG_INFO, "Node %s with mac %s " 125 "validated", node->ip, node->mac); 128 126 129 tmp_uc = find_userclasses(profile); 130 131 if (tmp_uc == NULL) { 132 debug(LOG_WARNING, "Profile %d undefined", profile); 133 _http_output(node->fd, "User Class not defined"); 134 node->fd = 0; 135 pthread_mutex_unlock(&nodes_mutex); 136 return; 137 } else { 138 debug(LOG_INFO, "Profile %d UserClasses retrieved", profile); 139 } 140 141 if (tmp_uc->active) { 142 /* Profile is active */ 127 p1 = node_find_by_ip(node->ip); 128 p1->noactivity = time(NULL); 129 switch(auth_response.authcode) { 130 case AUTH_VALIDATION: 131 p1->tag = MARK_VALIDATION; 132 fw_allow(node->ip, node->mac, MARK_VALIDATION); 133 _http_output(node->fd, "You have 15 minutes to activate your account, hurry up!"); 134 break; 135 case AUTH_ALLOWED: 136 p1->tag = MARK_KNOWN; 137 fw_allow(node->ip, node->mac, MARK_KNOWN); 138 _http_redirect(node->fd, "http://%s/wifidog/portal.php?gw_id=%s", config.authserv_hostname, config.gw_id); 139 break; 140 case AUTH_VALIDATION_FAILED: 141 _http_output(node->fd, "You have failed to validate your account in 15 minutes"); 142 break; 143 case AUTH_DENIED: 144 _http_output(node->fd, "Authentication failure"); 145 break; 146 default: 147 _http_output(node->fd, "Internal error"); 148 debug(LOG_WARNING, "I don't know what the validation code %d means", auth_response.authcode); 149 break; 150 } 143 151 144 tmp_ur = new_userrights(); 145 tmp_ur->profile = profile; 146 tmp_ur->start_time = time(NULL); 147 tmp_ur->last_checked = time(NULL); 148 tmp_ur->end_time = tmp_ur->start_time + (time_t)tmp_uc->timeout; 149 150 fw_allow(node->ip, node->mac, profile); 151 152 node->active = 1; 153 
node->rights = tmp_ur; 154 155 _http_output(node->fd, "You are now good to go"); 156 } else { 157 _http_output(node->fd, "User Class inactive"); 158 } 152 //_http_output(node->fd, "You are now good to go"); 153 //_http_redirect(node->fd, "http://%s/wifidog/portal.php?gw_id=%s", config.authserv_hostname, config.gw_id); 159 154 160 155 node->fd = 0; … … 168 163 _http_output(int fd, char *msg) 169 164 { 170 char response[] = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-" 171 "Type: text/html\r\n\r\n"; 165 char header[] = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-" 166 "Type: text/html\r\n\r\n<html><body>"; 167 char footer[] = "</body></html>"; 172 168 173 send(fd, response, sizeof(response), 0);169 send(fd, header, sizeof(header), 0); 174 170 send(fd, msg, strlen(msg), 0); 171 send(fd, footer, sizeof(footer), 0); 175 172 shutdown(fd, 2); 176 173 close(fd); 177 174 } 175 176 void 177 _http_redirect(int fd, char *format, ...) 178 { 179 char *response, *url; 180 va_list vlist; 181 182 va_start(vlist, format); 183 184 vasprintf(&url, format, vlist); 185 186 asprintf(&response, "HTTP/1.1 307 Please authenticate yourself here\r\nLocation: %s\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><head>Redirection</head><body>Please <a href='%s'>Click here</a> if you're not redirected.", url, url); 187 188 send(fd, response, strlen(response), 0); 189 shutdown(fd, 2); 190 close(fd); 191 192 free(response); 193 free(url); 194 } 195 -
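Review bot: The error branch passes the whole `t_authresponse` struct to the `%d` conversion in `debug(LOG_ERR, "Got %d from central server authenticating ...", auth_response, node->token, ...)`, which is undefined behaviour for a variadic call; it should read `auth_response.authcode`. Two lines later `p1 = node_find_by_ip(node->ip)` re-walks the list for the node already held in `node` and dereferences the result without a NULL check, so using `node` directly removes both the extra lookup and the possible NULL dereference. In `_http_output`, `send(fd, header, sizeof(header), 0)` and the new footer send include the terminating NUL of each array in the HTTP body; `sizeof(header) - 1` and `sizeof(footer) - 1` send only the text. `_http_redirect` never checks the return values of `vasprintf` and `asprintf`, so on allocation failure `url` and `response` are indeterminate when handed to `send` and `free`. The body of auth_thread begins before this hunk.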
trunk/wifidog/src/auth.h
r64 r95 29 29 #define _AUTH_H_ 30 30 31 typedef enum { 32 AUTH_ERROR = -1, 33 AUTH_DENIED = 0, 34 AUTH_ALLOWED = 1, 35 AUTH_VALIDATION = 5, 36 AUTH_VALIDATION_FAILED = 6, 37 AUTH_LOCKED = 254, 38 } t_authcode; 39 40 typedef struct _t_authresponse { 41 int authcode; 42 } t_authresponse; 43 31 44 void auth_thread(void *ptr); 32 45 void cleanup_thread(void *ptr); 46 void _http_redirect(int fd, char *format, ...); 33 47 34 48 #endif -
trunk/wifidog/src/centralserver.c
r90 r95 31 31 32 32 int 33 authenticate( char *ip, char *mac, char *token, long int stats)33 authenticate(t_authresponse *authresponse, char *ip, char *mac, char *token, long int stats) 34 34 { 35 35 int sockfd, numbytes; … … 37 37 struct hostent *he; 38 38 struct sockaddr_in their_addr; 39 int profile;40 39 char *p1; 41 40 … … 80 79 close(sockfd); 81 80 82 if ((p1 = strstr(buf, " Profile: "))) {83 if (sscanf(p1, " Profile: %d", &profile) == 1) {84 debug(LOG_INFO, "Auth server returned profile %d",85 profile);86 return( profile);81 if ((p1 = strstr(buf, "Auth: "))) { 82 if (sscanf(p1, "Auth: %d", &authresponse->authcode) == 1) { 83 debug(LOG_INFO, "Auth server returned response %d", 84 authresponse->authcode); 85 return(authresponse->authcode); 87 86 } else { 88 87 debug(LOG_WARNING, "Auth server did not return " 89 88 "expected information"); 90 return( -1);89 return(AUTH_ERROR); 91 90 } 92 91 } else { 93 return( -1);92 return(AUTH_ERROR); 94 93 } 95 94 96 return( -1);95 return(AUTH_ERROR); 97 96 } 98 97 -
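Review bot: On the two failure paths that `return(AUTH_ERROR)` (no `Auth: ` field, or `sscanf` not matching) the function never writes `authresponse->authcode`, yet `auth_thread` ignores the return value and tests `auth_response.authcode == AUTH_ERROR` on a stack variable it never initialised, so a reply without the expected field leaves the caller's switch acting on garbage. Set `authresponse->authcode = AUTH_ERROR;` at the top of the function (or on every failure return) so the out-parameter is always defined; the socket/connect failure returns earlier in the function are outside this hunk and need the same treatment. The value parsed from the reply is stored into an `int` with no range check, which is acceptable only because both callers handle unknown codes in a `default:` branch — worth a comment here so that invariant is not lost.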
trunk/wifidog/src/centralserver.h
r28 r95 28 28 #define _CENTRALSERVER_H_ 29 29 30 int authenticate( char *ip, char *mac, char *token, long int stats);30 int authenticate(t_authresponse *authresponse, char *ip, char *mac, char *token, long int stats); 31 31 32 32 #endif /* _CENTRALSERVER_H_ */ -
trunk/wifidog/src/common.h
r90 r95 29 29 #define _COMMON_H_ 30 30 31 #define _GNU_SOURCE 31 32 #include <stdio.h> 32 33 #include <stdlib.h> … … 56 57 #include "commandline.h" 57 58 #include "debug.h" 58 #include "userclasses.h"59 59 #include "firewall.h" 60 60 #include "http.h" 61 #include "auth.h" 61 62 #include "centralserver.h" 62 #include "auth.h"63 63 64 64 #define MAX_BUF 4096 -
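Review bot: `#define _GNU_SOURCE` in common.h only takes effect in a translation unit where common.h is the first include, because feature-test macros must be defined before any libc header is seen; a `.c` file that includes `<stdio.h>` or another system header first silently loses the `asprintf`/`vasprintf` prototypes that auth.c and http.c now rely on. Defining it from the build instead (`AC_GNU_SOURCE` in configure.in, or `-D_GNU_SOURCE` in `AM_CFLAGS`) makes it unconditional. The move of `auth.h` ahead of `centralserver.h` is needed because centralserver.h now names `t_authresponse` without including auth.h itself; adding `#include "auth.h"` to centralserver.h would remove that ordering dependency.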
trunk/wifidog/src/conf.c
r90 r95 63 63 oFWScriptsPath, 64 64 oFWType, 65 oUserClass,66 65 oSyslogFacility, 67 66 } OpCodes; … … 88 87 { "fwscriptspath", oFWScriptsPath }, 89 88 { "fwtype", oFWType }, 90 { "userclass", oUserClass },91 89 { "syslogfacility", oSyslogFacility }, 92 90 { NULL, oBadOption }, … … 114 112 config.fwscripts_path = DEFAULT_FWSCRIPTS_PATH; 115 113 config.fwtype = DEFAULT_FWTYPE; 116 config.userclasses = (char **)malloc(sizeof(char *) * 256);117 memset(config.userclasses, 0, sizeof(char *) * 256);118 114 config.syslog_facility = DEFAULT_SYSLOG_FACILITY; 119 115 config.daemon = -1; … … 197 193 198 194 switch(opcode) { 199 case oUserClass:200 add_userclass((int)strtol(p1, NULL, 10),201 ++p2);202 break;203 195 case oDaemon: 204 196 if (config.daemon == -1 && ((value = parse_value(p1)) != -1)) { … … 288 280 buf = strdup(ptr); 289 281 return buf; 290 }291 292 char *293 add_userclass(int profile, char *ptr)294 {295 char *tmp_str;296 297 if (profile > 255 || profile < 0)298 return NULL;299 300 if (*(config.userclasses + profile) != NULL)301 free(*(config.userclasses + profile));302 303 tmp_str = strdup(ptr);304 305 *(config.userclasses + profile) = tmp_str;306 307 return tmp_str;308 282 } 309 283 -
trunk/wifidog/src/conf.h
r90 r95 35 35 int parse_value(char *); 36 36 char *get_string(char *ptr); 37 char *add_userclass(int profile, char *ptr);38 37 39 38 typedef struct { … … 55 54 char *fwscripts_path; 56 55 char *fwtype; 57 char **userclasses;58 56 int log_syslog; 59 57 int syslog_facility; -
trunk/wifidog/src/debug.c
r90 r95 26 26 */ 27 27 28 #define SYSLOG_NAMES29 28 #include "common.h" 30 29 31 30 extern s_config config; 32 //extern CODE prioritynames[];33 31 34 32 void 35 debug(int level, char *format, ...)33 _debug(char *filename, int line, int level, char *format, ...) 36 34 { 37 int i;38 35 va_list vlist; 39 36 … … 42 39 43 40 if (level <= LOG_WARNING) { 44 fprintf(stderr, "[ debug %d] ", level);41 fprintf(stderr, "[%d](%s:%d) ", level, filename, line); 45 42 vfprintf(stderr, format, vlist); 46 43 fputc('\n', stderr); 47 44 fflush(stderr); 48 45 } else if (!config.daemon) { 49 fprintf(stdout, "[ debug %d] ", level);46 fprintf(stdout, "[%d](%s:%d) ", level, filename, line); 50 47 vfprintf(stdout, format, vlist); 51 48 fputc('\n', stdout); -
trunk/wifidog/src/debug.h
r90 r95 28 28 #define _DEBUG_H_ 29 29 30 void debug(int level, char *format, ...); 30 #define debug(level, format...) _debug(__FILE__, __LINE__, level, format) 31 void _debug(char *filename, int line, int level, char *format, ...); 31 32 32 33 #endif /* _DEBUG_H_ */ -
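Review bot: The new `_debug` prototype takes a printf-style format but carries no format attribute, so the compiler cannot check the arguments of any `debug()` call; with it, `-Wformat` would have caught the struct passed for `%d` in auth.c and the `long int` values passed for `%d` in firewall.c in this same changeset. Suggested declaration: `void _debug(char *filename, int line, int level, char *format, ...) __attribute__((format(printf, 4, 5)));` (guarded by `#ifdef __GNUC__` if other compilers matter). Identifiers beginning with an underscore are also reserved at file scope in C, so `_debug` (like `_http_output` and `_http_redirect`) risks colliding with the implementation; a name such as `debug_impl` avoids that.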
trunk/wifidog/src/firewall.c
r91 r95 37 37 * @brief Allow a user through the firewall 38 38 * 39 * Add a rule in the firewall to tag the user's packets with its profile40 * numberby providing his IP and MAC address. This is done by39 * Add a rule in the firewall to MARK the user's packets with the proper 40 * rule by providing his IP and MAC address. This is done by 41 41 * executing the firewall script "fw.access" like this: 42 * fw.access allow <ip> <mac> <profile> 42 * fw.access allow <ip> <mac> <tag> 43 * @param ip IP address to allow 44 * @param mac MAC address to allow 45 * @tag tag Tag 46 * @return Return code of the command 43 47 */ 44 48 int 45 fw_allow(char *ip, char *mac, int profile)46 { 47 char s_ profile[16];49 fw_allow(char *ip, char *mac, int tag) 50 { 51 char s_tag[16]; 48 52 char script[MAX_BUF]; 49 53 struct stat st; 50 char *command[] = {script, "allow", ip, mac, s_profile, NULL}; 51 52 sprintf(s_profile, "%-10d", profile); 54 char *command[] = {script, "allow", ip, mac, s_tag, NULL}; 55 56 debug(LOG_DEBUG, "Allowing ip %s mac %s with MARK %s", ip, mac, s_tag); 57 58 sprintf(s_tag, "%-10d", tag); 53 59 sprintf(script, "%s/%s/%s", config.fwscripts_path, config.fwtype, 54 60 SCRIPT_FWACCESS); … … 69 75 * by executing the firewall script "fw.access" this way: 70 76 * fw.access deny <ip> <mac> <profile> 77 * @param ip IP address to deny 78 * @param mac MAC address to deny 79 * @tag tag Tag 80 * @return Return code of the command 71 81 */ 72 82 int 73 fw_deny(char *ip, char *mac, int profile)74 { 75 char s_ profile[16];83 fw_deny(char *ip, char *mac, int tag) 84 { 85 char s_tag[16]; 76 86 char script[MAX_BUF]; 77 87 struct stat st; 78 char *command[] = {script, "deny", ip, mac, s_profile, NULL}; 79 80 sprintf(s_profile, "%-10d", profile); 88 char *command[] = {script, "deny", ip, mac, s_tag, NULL}; 89 90 debug(LOG_DEBUG, "Denying ip %s mac %s with MARK %s", ip, mac, s_tag); 91 92 sprintf(s_tag, "%-10d", tag); 81 93 sprintf(script, "%s/%s/%s", config.fwscripts_path, 
config.fwtype, 82 94 SCRIPT_FWACCESS); … … 96 108 * process waits for the child to return and returns the child's exit() 97 109 * value. 110 * @return Return code of the command 98 111 */ 99 112 int … … 126 139 * Go through all the entries in /proc/net/arp until we find the requested 127 140 * IP address and return the MAC address bound to it. 128 * /129 /* TODO Make this function portable... Use shell scripts?*/141 * @todo Make this function portable (using shell scripts?) 142 */ 130 143 char * 131 144 arp_get(char *req_ip) … … 159 172 * Initialize the firewall rules by executing the 'fw.init' script: 160 173 * fw.init <gw_interface> <gw_address> <port> <authserv_hostname> 174 * @return Return code of the fw.init script 161 175 */ 162 176 int … … 196 210 * Remove the firewall rules by executing the 'fw.destroy' script. 197 211 * This is used when we do a clean shutdown of WiFiDog. 212 * @return Return code of the fw.destroy script 198 213 */ 199 214 int … … 218 233 } 219 234 235 /** 236 * @todo Make this function smaller and use sub-fonctions 237 */ 220 238 void 221 239 fw_counter(void) … … 223 241 FILE *output; 224 242 long int counter; 225 int profile, 243 t_authresponse authresponse; 244 int tag, 226 245 rc; 227 246 char ip[255], … … 239 258 while (!(feof(output)) && output) { 240 259 rc = fscanf(output, "%ld %s %s %d", &counter, ip, 241 mac, & profile);260 mac, &tag); 242 261 if (rc == 4 && rc != EOF) { 243 262 … … 245 264 246 265 p1 = node_find_by_ip(ip); 247 248 if (!(p1) || (p1->rights->last_checked + 249 (config.checkinterval * 250 config.clienttimeout)) > time(NULL)) { 251 /* Do nothing */ 252 } else if (p1->counter == counter) { 253 /* expire clients for inactivity */ 254 debug(LOG_INFO, "Client %s was " 255 "inactive", ip); 256 fw_deny(p1->ip, p1->mac, 257 p1->rights->profile); 258 node_delete(p1); 259 } else if (!(p1->active)) { 260 p1->rights->last_checked = time(NULL); 261 p1->counter = counter; 262 266 267 if (p1) { 263 268 token = 
strdup(p1->token); 264 269 265 270 pthread_mutex_unlock(&nodes_mutex); 266 267 profile = authenticate(ip, mac, token, 268 counter); 269 271 authenticate(&authresponse, ip, mac, token, counter); 270 272 pthread_mutex_lock(&nodes_mutex); 271 273 272 274 free(token); 273 274 /* may have changed while we held the 275 * mutex */ 275 276 276 p1 = node_find_by_ip(ip); 277 278 277 if (p1 == NULL) { 279 278 debug(LOG_DEBUG, "Node was " 280 279 "freed while being " 281 280 "re-validated!"); 282 } else if (profile <= 0) { 283 /* failed */ 284 debug(LOG_NOTICE, "Auth " 285 "failed for client %s", 286 ip); 287 fw_deny(p1->ip, p1->mac, 288 p1->rights->profile); 289 node_delete(p1); 290 } else { 291 /* successful */ 292 debug(LOG_INFO, "Updated " 293 "client %s counter to " 294 "%ld bytes", ip, 295 counter); 296 297 if (!check_userrights(p1)) { 298 fw_deny(p1->ip, p1->mac, 299 p1->rights->profile); 300 node_delete(p1); 301 } 302 } 303 } 281 } 282 283 debug(LOG_INFO, "User %s counter currently %d, new counter %d", p1->ip, p1->counter, counter); 284 if (counter > p1->counter) { 285 p1->counter = counter; 286 debug(LOG_INFO, "Updated " 287 "client %s counter to " 288 "%ld bytes", ip, 289 counter); 290 p1->noactivity = time(NULL); 291 } else { 292 debug(LOG_INFO, "No activity recorded %s", p1->ip); 293 } 294 if (p1->noactivity + 295 (config.checkinterval * config.clienttimeout) 296 <= time(NULL)) { 297 /* Timing out user */ 298 debug(LOG_INFO, "Client %s was inactive for %d seconds, removing node and denying in firewall", ip, 299 config.checkinterval * config.clienttimeout); 300 fw_deny(p1->ip, p1->mac, p1->tag); 301 node_delete(p1); 302 } else { 303 /* This handles any change in the status 304 * this allows us to change the status of a 305 * user while he's connected */ 306 switch(authresponse.authcode) { 307 case AUTH_DENIED: 308 case AUTH_VALIDATION_FAILED: 309 debug(LOG_NOTICE, "Client %s now denied, removing node", ip); 310 fw_deny(p1->ip, p1->mac, p1->tag); 311 node_delete(p1); 
312 break; 313 case AUTH_ALLOWED: 314 if (p1->tag != MARK_KNOWN) { 315 debug(LOG_INFO, "Access has changed, refreshing firewall and clearing counters"); 316 fw_deny(p1->ip, p1->mac, p1->tag); 317 p1->tag = MARK_KNOWN; 318 p1->counter = 0; 319 fw_allow(p1->ip, p1->mac, p1->tag); 320 } 321 break; 322 case AUTH_VALIDATION: 323 /* Do nothing, user is in validation period */ 324 break; 325 default: 326 debug(LOG_DEBUG, "I do not know about type %d", authresponse.authcode); 327 break; 328 } 329 } 330 } 331 304 332 pthread_mutex_unlock(&nodes_mutex); 305 333 } … … 311 339 /** 312 340 * @brief Initializes the list of connected clients (node) 341 * 342 * Initializes the list of connected clients (node) 313 343 */ 314 344 void 315 345 node_init(void) 316 346 { 317 318 347 firstnode = NULL; 319 348 } … … 324 353 * Based on the parameters it receives, this function creates a new entry 325 354 * in the connections list. All the memory allocation is done here. 355 * @param ip IP address 356 * @param mac MAC address 357 * @param token Token 358 * @param counter Value of the counter at creation (usually 0) 359 * @param active Is the node active, or not 360 * @return Pointer to the node we just created 326 361 */ 327 362 t_node * … … 367 402 368 403 /** 369 * @brief Finds a specific node by its IP 404 * @brief Finds a node by its IP 405 * 406 * Finds a node by its IP, returns NULL if the node could not 407 * be found 408 * @param ip IP we are looking for in the linked list 409 * @return Pointer to the node, or NULL if not found 370 410 */ 371 411 t_node * … … 385 425 386 426 /** 387 * @brief Finds a specific node by its token 427 * @brief Finds a node by its token 428 * 429 * Finds a node by its token 430 * @param token Token we are looking for in the linked list 431 * @return Pointer to the node, or NULL if not found 388 432 */ 389 433 t_node * … … 406 450 * 407 451 * This function frees the memory used by the t_node structure in the 408 * proper order. 
It also calls the free_userrights() function to free409 * the memory used by the rights structure for the node.452 * proper order. 453 * @param node Points to the node to be freed 410 454 */ 411 455 void … … 422 466 free(node->token); 423 467 424 if (node->rights != NULL)425 free_userrights(node->rights);426 427 468 free(node); 428 469 } … … 433 474 * Removes the specified node from the connections list and then calls 434 475 * the function to free the memory used by the node. 476 * @param node Points to the node to be deleted 435 477 */ 436 478 void … … 454 496 } 455 497 456 /**457 * @brief Check the rights for a client458 *459 * This function validates that a client hasn't met one of the conditions460 * for the termination of his connection. Right now, we only check to see461 * for a time-out. More checks could be added here.462 */463 int464 check_userrights(t_node *node)465 {466 if (node->rights->end_time <= time(NULL)) {467 debug(LOG_INFO, "Connection %s has expired", node->ip);468 return 0;469 }470 471 return 1;472 }473 -
trunk/wifidog/src/firewall.h
r64 r95 28 28 #define _FIREWALL_H_ 29 29 30 typedef enum _t_marks { 31 MARK_VALIDATION = 1, 32 MARK_KNOWN = 2, 33 MARK_LOCKED = 254, 34 } t_marks; 35 30 36 typedef struct _t_node { 31 37 struct _t_node *next; … … 34 40 *token; 35 41 int active, /* boolean */ 42 noactivity, /* seconds since there has not been activity */ 43 tag, /* the MARK in the firewall */ 36 44 fd; /* socket */ 37 45 long int counter; 38 UserRights *rights;39 46 } t_node; 40 47 … … 55 62 void free_node(t_node *node); 56 63 57 int check_userrights(t_node *node);58 59 64 #endif /* _FIREWALL_H_ */ -
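Review bot: The new `noactivity` field is declared `int` with the comment "seconds since there has not been activity", but every writer in this changeset stores an absolute `time(NULL)` into it (auth.c and `fw_counter`) and the reader adds `checkinterval * clienttimeout` to it and compares against `time(NULL)`; it is a timestamp, not a duration, and an `int` truncates `time_t`. Declare it outside the `int` declarator list as `time_t noactivity; /* time of the last observed activity */`. `MARK_LOCKED = 254` duplicates `AUTH_LOCKED = 254` in auth.h with nothing tying the two enums together; if the firewall tag is meant to equal the auth code, define one in terms of the other and say so in a comment.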
trunk/wifidog/src/fw.access
r82 r95 29 29 30 30 if [ ! $4 ]; then 31 echo "Usage: $0 <allow|deny> <ip> <mac> < profile>"31 echo "Usage: $0 <allow|deny> <ip> <mac> <tag>" 32 32 echo 33 33 exit 1 … … 44 44 45 45 *) 46 echo "Usage: $0 <allow|deny> <ip> <mac> < profile>"46 echo "Usage: $0 <allow|deny> <ip> <mac> <tag>" 47 47 echo 48 48 exit -
trunk/wifidog/src/fw.destroy
r93 r95 29 29 GW_INTERFACE=$1 30 30 31 ${IPTABLES} -t nat -F wifidog_p1 32 ${IPTABLES} -t nat -F wifidog_p2 33 ${IPTABLES} -t nat -F wifidog_p3 34 ${IPTABLES} -t nat -F wifidog_p4 35 ${IPTABLES} -t nat -F wifidog_p5 36 ${IPTABLES} -t nat -F wifidog_class 37 ${IPTABLES} -t mangle -F wifidog_mark 38 ${IPTABLES} -t nat -X wifidog_p1 39 ${IPTABLES} -t nat -X wifidog_p2 40 ${IPTABLES} -t nat -X wifidog_p3 41 ${IPTABLES} -t nat -X wifidog_p4 42 ${IPTABLES} -t nat -X wifidog_p5 31 ${IPTABLES} -t nat -F wifidog_class 2>/dev/null 32 ${IPTABLES} -t mangle -F wifidog_mark 2>/dev/null 33 34 ${IPTABLES} -t nat -F wifidog_validate 2>/dev/null 35 ${IPTABLES} -t nat -F wifidog_unknown 2>/dev/null 36 ${IPTABLES} -t nat -F wifidog_known 2>/dev/null 37 ${IPTABLES} -t nat -F wifidog_locked 2>/dev/null 38 ${IPTABLES} -t nat -X wifidog_validate 2>/dev/null 39 ${IPTABLES} -t nat -X wifidog_unknown 2>/dev/null 40 ${IPTABLES} -t nat -X wifidog_known 2>/dev/null 41 ${IPTABLES} -t nat -X wifidog_locked 2>/dev/null 43 42 44 43 RC=0 … … 49 48 done 50 49 51 ${IPTABLES} -t nat -X wifidog_class 50 ${IPTABLES} -t nat -X wifidog_class 2>/dev/null 52 51 53 52 RC=0 … … 58 57 done 59 58 60 ${IPTABLES} -t mangle -X wifidog_mark 59 ${IPTABLES} -t mangle -X wifidog_mark 2>/dev/null 61 60 -
trunk/wifidog/src/fw.init
r82 r95 38 38 AUTHSERV_IP=$4 39 39 40 ${IPTABLES} -t nat -N wifidog_p1 41 ${IPTABLES} -t nat -A wifidog_p1 -d ${GW_IP} -j ACCEPT 42 ${IPTABLES} -t nat -A wifidog_p1 -d ${AUTHSERV_IP} -j ACCEPT 43 ${IPTABLES} -t nat -A wifidog_p1 -p udp --dport 53 -j ACCEPT 44 ${IPTABLES} -t nat -A wifidog_p1 -p tcp --dport 80 -j REDIRECT --to-ports ${GW_PORT} 45 ${IPTABLES} -t nat -A wifidog_p1 -j DROP 40 ${IPTABLES} -t nat -N wifidog_validate 41 ${IPTABLES} -t nat -A wifidog_validate -d ${GW_IP} -j ACCEPT 42 ${IPTABLES} -t nat -A wifidog_validate -d ${AUTHSERV_IP} -j ACCEPT 43 ${IPTABLES} -t nat -A wifidog_validate -p udp --dport 67 -j ACCEPT 44 ${IPTABLES} -t nat -A wifidog_validate -p tcp --dport 67 -j ACCEPT 45 ${IPTABLES} -t nat -A wifidog_validate -p udp --dport 53 -j ACCEPT 46 ${IPTABLES} -t nat -A wifidog_validate -p tcp --dport 80 -j ACCEPT 47 ${IPTABLES} -t nat -A wifidog_validate -p tcp --dport 443 -j ACCEPT 48 ${IPTABLES} -t nat -A wifidog_validate -j DROP 46 49 47 ${IPTABLES} -t nat -N wifidog_p2 48 ${IPTABLES} -t nat -A wifidog_p2 -j ACCEPT 50 ${IPTABLES} -t nat -N wifidog_unknown 51 ${IPTABLES} -t nat -A wifidog_unknown -d ${GW_IP} -j ACCEPT 52 ${IPTABLES} -t nat -A wifidog_unknown -d ${AUTHSERV_IP} -j ACCEPT 53 ${IPTABLES} -t nat -A wifidog_unknown -p udp --dport 67 -j ACCEPT 54 ${IPTABLES} -t nat -A wifidog_unknown -p tcp --dport 67 -j ACCEPT 55 ${IPTABLES} -t nat -A wifidog_unknown -p udp --dport 53 -j ACCEPT 56 ${IPTABLES} -t nat -A wifidog_unknown -p tcp --dport 80 -j REDIRECT --to-ports ${GW_PORT} 57 ${IPTABLES} -t nat -A wifidog_unknown -j DROP 49 58 50 ${IPTABLES} -t nat -N wifidog_ p351 ${IPTABLES} -t nat -A wifidog_ p3-j ACCEPT59 ${IPTABLES} -t nat -N wifidog_known 60 ${IPTABLES} -t nat -A wifidog_known -j ACCEPT 52 61 53 ${IPTABLES} -t nat -N wifidog_p4 54 ${IPTABLES} -t nat -A wifidog_p4 -j ACCEPT 55 56 ${IPTABLES} -t nat -N wifidog_p5 57 ${IPTABLES} -t nat -A wifidog_p5 -j ACCEPT 62 ${IPTABLES} -t nat -N wifidog_locked 63 ${IPTABLES} -t nat -A 
wifidog_locked -j DROP 58 64 59 65 ${IPTABLES} -t nat -N wifidog_class 60 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x1 -j wifidog_p1 61 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x2 -j wifidog_p2 62 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x3 -j wifidog_p3 63 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x4 -j wifidog_p4 64 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x5 -j wifidog_p5 66 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x1 -j wifidog_validate 67 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x2 -j wifidog_known 68 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -m mark --mark 0x254 -j wifidog_locked 69 ${IPTABLES} -t nat -A wifidog_class -i ${GW_INTERFACE} -j wifidog_unknown 65 70 66 71 ${IPTABLES} -t mangle -N wifidog_mark 67 ${IPTABLES} -t mangle -A wifidog_mark -j MARK --set-mark 0x168 72 69 73 ${IPTABLES} -t mangle -I PREROUTING 1 -i ${GW_INTERFACE} -j wifidog_mark -
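Review bot: The locked chain is selected with `--mark 0x254`, which is hexadecimal (596 decimal), while the C side defines `MARK_LOCKED = 254` and `fw_allow` hands the tag to fw.access as a decimal string via `"%-10d"`; unless fw.access (not shown here) converts it, locked traffic is marked 254 (0xfe), never matches this rule and falls through to `wifidog_unknown`, so a locked client is handled like an unauthenticated one. Use `--mark 254` (or `0xfe`) to match what the gateway writes, and keep the mark values documented in one place. Note also that `wifidog_validate` accepts tcp 80 and 443 to any destination, giving an account in its validation window unrestricted web access, whereas `wifidog_unknown` drops 443 rather than redirecting it; if that asymmetry is intended it belongs in the script header comment.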
trunk/wifidog/src/gateway.c
r90 r95 36 36 { 37 37 struct timeval tv; 38 time_t last_checked;39 38 httpd * webserver; 40 39 int result; … … 63 62 64 63 // Reset the firewall 64 fw_destroy(); 65 65 fw_init(); 66 66 … … 124 124 config_validate(); 125 125 126 init_userclasses(0);127 128 126 if (config.daemon) { 129 127 int childPid; -
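Review bot: The return values of the new `fw_destroy()` call and the existing `fw_init()` are ignored, although firewall.c documents both as returning the script's exit code; if `fw.init` fails (for example iptables not available or insufficient privileges) the gateway keeps running with no redirect rules in place, which for a captive portal is fail-open. A failed `fw_destroy()` on a clean start is expected and can stay best-effort, but `fw_init()` should be checked: `if (fw_init() != 0) { debug(LOG_ERR, "Failed to initialize firewall"); exit(1); }`. The rest of main is outside this hunk, so I cannot tell whether a later check exists.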
trunk/wifidog/src/http.c
r90 r95 37 37 char *newlocation; 38 38 39 if ( asprintf(&newlocation, "Location: %s?gw_address=%s&gw_port=%d&"39 if ((asprintf(&newlocation, "Location: %s?gw_address=%s&gw_port=%d&" 40 40 "gw_id=%s", config.authserv_loginurl, 41 41 config.gw_address, config.gw_port, 42 config.gw_id) == -1) {42 config.gw_id)) == -1) { 43 43 debug(LOG_ERR, "Failed to asprintf newlocation"); 44 44 httpdOutput(webserver, "Internal error occurred"); … … 78 78 char *mac, 79 79 *ip; 80 int profile;81 int temp;82 80 pthread_t tid; 83 81 84 if ( token = httpdGetVariableByName(webserver, "token")) {82 if ((token = httpdGetVariableByName(webserver, "token"))) { 85 83 // They supplied variable "token" 86 84 if (!(mac = arp_get(webserver->clientAddr))) { … … 104 102 debug(LOG_DEBUG, "Node for %s already " 105 103 "exists", node->ip); 106 if (node->rights != NULL) {107 /* log off if logged in */108 debug(LOG_DEBUG, "Logging off %s "109 "because they tried a new "110 "token", node->ip);111 fw_deny(node->ip, node->mac,112 node->rights->profile);113 }114 104 } 115 105
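Review bot: The removed block was the only place that called `fw_deny` for a node that already exists when a client submits a new token, and nothing in this hunk replaces it with the new field (`fw_deny(node->ip, node->mac, node->tag)`); if the rest of the function, which is outside this hunk, reuses the existing node and overwrites its token, the old MARK rule stays in the firewall until `fw_counter` times it out and the previous access level survives a re-login. Please confirm the intended behaviour and, if the old rule should go, restore the deny using the node's `tag`. The added parentheses around the `asprintf` and `httpdGetVariableByName` assignments are fine; they only silence the assignment-in-condition warning.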
