/********************************************************************\ * This program is free software; you can redistribute it and/or * * modify it under the terms of the GNU General Public License as * * published by the Free Software Foundation; either version 2 of * * the License, or (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License* * along with this program; if not, contact: * * * * Free Software Foundation Voice: +1-617-542-5942 * * 59 Temple Place - Suite 330 Fax: +1-617-542-2652 * * Boston, MA 02111-1307, USA gnu@gnu.org * * * \********************************************************************/ /* * $Header: /cvsroot/wifidog/wifidog/src/firewall.c,v 1.32 2004/04/23 * 11:37:43 aprilp Exp $ */ /** @internal @file firewall.c @brief Firewall update functions @author Copyright (C) 2004 Philippe April */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "httpd.h" #include "debug.h" #include "conf.h" #include "firewall.h" #include "fw_iptables.h" #include "auth.h" #include "centralserver.h" #include "client_list.h" extern pthread_mutex_t client_list_mutex; int icmp_fd = 0; /** * Allow a client access through the firewall by adding a rule in the firewall to MARK the user's packets with the proper * rule by providing his IP and MAC address * @param ip IP address to allow * @param mac MAC address to allow * @param fw_connection_state fw_connection_state Tag * @return Return code of the command */ int fw_allow(char *ip, char *mac, int fw_connection_state) { debug(LOG_DEBUG, "Allowing %s %s with fw_connection_state %d", ip, mac, fw_connection_state); return iptables_fw_access(FW_ACCESS_ALLOW, ip, mac, fw_connection_state); } /** * @brief Deny a client access through the firewall by removing the rule in the firewall that was fw_connection_stateging the user's traffic * @param ip IP address to deny * @param mac MAC address to deny * @param fw_connection_state fw_connection_state Tag * @return Return code of the command */ int fw_deny(char *ip, char *mac, int fw_connection_state) { debug(LOG_DEBUG, "Denying %s %s with fw_connection_state %d", ip, mac, fw_connection_state); return iptables_fw_access(FW_ACCESS_DENY, ip, mac, fw_connection_state); } /** * Get an IP's MAC address from the ARP cache. * Go through all the entries in /proc/net/arp until we find the requested * IP address and return the MAC address bound to it. * @todo Make this function portable (using shell scripts?) */ char * arp_get(char *req_ip) { FILE *proc; char *ip, *mac; char * reply; if (!(proc = fopen("/proc/net/arp", "r"))) { return NULL; } if (!(ip = malloc(16))) { debug(LOG_CRIT, "Cannot allocate 16 bytes of memory for IP, Banzai!"); exit(1); } if (!(mac = malloc(18))) { debug(LOG_CRIT, "Cannot allocate 18 bytes of memory for MAC, Banzai!"); exit(1); } /* Skip first line */ while (!feof(proc) && fgetc(proc) != '\n'); /* Find ip, put mac in reply */ reply = NULL; while (!feof(proc) && (fscanf(proc, " %15[0-9.] %*s %*s %17[A-F0-9:] %*s %*s", ip, mac) == 2)) { if (strcmp(ip, req_ip) == 0) { reply = mac; break; } } free(ip); if (!reply) free(mac); fclose(proc); return reply; } /** Initialize the firewall rules */ int fw_init(void) { int flags, oneopt = 1, zeroopt = 0; debug(LOG_INFO, "Creating ICMP socket"); if ((icmp_fd = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1 || (flags = fcntl(icmp_fd, F_GETFL, 0)) == -1 || fcntl(icmp_fd, F_SETFL, flags | O_NONBLOCK) == -1 || setsockopt(icmp_fd, SOL_SOCKET, SO_RCVBUF, &oneopt, sizeof(oneopt)) || setsockopt(icmp_fd, SOL_SOCKET, SO_DONTROUTE, &zeroopt, sizeof(zeroopt)) == -1) { debug(LOG_ERR, "Cannot create ICMP raw socket."); return; } debug(LOG_INFO, "Initializing Firewall"); return iptables_fw_init(); } /** Clear the authserver rules */ void fw_clear_authservers(void) { debug(LOG_INFO, "Clearing the authservers list"); iptables_fw_clear_authservers(); } /** Set the authservers rules */ void fw_set_authservers(void) { debug(LOG_INFO, "Setting the authservers list"); iptables_fw_set_authservers(); } /** Remove the firewall rules * This is used when we do a clean shutdown of WiFiDog. * @return Return code of the fw.destroy script */ int fw_destroy(void) { if (icmp_fd != 0) { debug(LOG_INFO, "Closing ICMP socket"); close(icmp_fd); } debug(LOG_INFO, "Removing Firewall rules"); return iptables_fw_destroy(); } /**Probably a misnomer, this function actually refreshes the entire client list's traffic counter, re-authenticates every client with the central server and update's the central servers traffic counters and notifies it if a client has logged-out. * @todo Make this function smaller and use sub-fonctions */ void fw_counter(void) { t_authresponse authresponse; char *token, *ip, *mac; t_client *p1, *p2; long long incoming, outgoing; s_config *config = config_get_config(); if (-1 == iptables_fw_counters_update()) { debug(LOG_ERR, "Could not get counters from firewall!"); return; } LOCK_CLIENT_LIST(); for (p1 = p2 = client_get_first_client(); NULL != p1; p1 = p2) { p2 = p1->next; ip = strdup(p1->ip); token = strdup(p1->token); mac = strdup(p1->mac); outgoing = p1->counters.outgoing; incoming = p1->counters.incoming; UNLOCK_CLIENT_LIST(); /* Ping the client, if he responds it'll keep activity on the link */ icmp_ping(ip); /* Update the counters on the remote server */ auth_server_request(&authresponse, REQUEST_TYPE_COUNTERS, ip, mac, token, incoming, outgoing); LOCK_CLIENT_LIST(); if (!(p1 = client_list_find(ip, mac))) { debug(LOG_ERR, "Node %s was freed while being re-validated!", ip); } else { if (p1->counters.last_updated + (config->checkinterval * config->clienttimeout) <= time(NULL)) { /* Timing out user */ debug(LOG_INFO, "%s - Inactive for %ld seconds, removing client and denying in firewall", p1->ip, config->checkinterval * config->clienttimeout); fw_deny(p1->ip, p1->mac, p1->fw_connection_state); client_list_delete(p1); /* Advertise the logout */ UNLOCK_CLIENT_LIST(); auth_server_request(&authresponse, REQUEST_TYPE_LOGOUT, ip, mac, token, 0, 0); LOCK_CLIENT_LIST(); } else { /* * This handles any change in * the status this allows us * to change the status of a * user while he's connected */ switch (authresponse.authcode) { case AUTH_DENIED: case AUTH_VALIDATION_FAILED: debug(LOG_NOTICE, "%s - Validation timeout, now denied. Removing client and firewall rules", p1->ip); fw_deny(p1->ip, p1->mac, p1->fw_connection_state); client_list_delete(p1); break; case AUTH_ALLOWED: if (p1->fw_connection_state != FW_MARK_KNOWN) { debug(LOG_INFO, "%s - Access has changed, refreshing firewall and clearing counters", p1->ip); fw_deny(p1->ip, p1->mac, p1->fw_connection_state); p1->fw_connection_state = FW_MARK_KNOWN; p1->counters.togateway = p1->counters.incoming = p1->counters.outgoing = 0; fw_allow(p1->ip, p1->mac, p1->fw_connection_state); } break; case AUTH_VALIDATION: /* * Do nothing, user * is in validation * period */ debug(LOG_INFO, "%s - User in validation period", p1->ip); break; default: debug(LOG_DEBUG, "I do not know about authentication code %d", authresponse.authcode); break; } } } free(token); free(ip); free(mac); } UNLOCK_CLIENT_LIST(); } void icmp_ping(char *host) { struct sockaddr_in saddr; struct { struct ip ip; struct icmp icmp; } packet; unsigned int i, j; int opt = 2000; unsigned short id = rand16(); saddr.sin_family = AF_INET; saddr.sin_port = 0; inet_aton(host, &saddr.sin_addr); #ifdef HAVE_SOCKADDR_SA_LEN saddr.sin_len = sizeof(struct sockaddr_in); #endif memset(&(saddr.sin_zero), '\0', sizeof(saddr.sin_zero)); memset(&packet.icmp, 0, sizeof(packet.icmp)); packet.icmp.icmp_type = ICMP_ECHO; packet.icmp.icmp_id = id; for (j = 0, i = 0; i < sizeof(struct icmp) / 2; i++) j += ((unsigned short *)&packet.icmp)[i]; while (j>>16) j = (j & 0xffff) + (j >> 16); packet.icmp.icmp_cksum = (j == 0xffff) ? j : ~j; if (setsockopt(icmp_fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt)) == -1) { debug(LOG_ERR, "setsockopt(): %s", strerror(errno)); } if (sendto(icmp_fd, (char *)&packet.icmp, sizeof(struct icmp), 0, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) { debug(LOG_ERR, "sendto(): %s", strerror(errno)); } opt = 1; if (setsockopt(icmp_fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt)) == -1) { debug(LOG_ERR, "setsockopt(): %s", strerror(errno)); } return; } unsigned short rand16(void) { static int been_seeded = 0; if (!been_seeded) { int fd, n = 0; unsigned int c = 0, seed = 0; char sbuf[sizeof(seed)]; char *s; struct timeval now; /* not a very good seed but what the heck, it needs to be quickly acquired */ gettimeofday(&now, NULL); seed = now.tv_sec ^ now.tv_usec ^ (getpid() << 16); srand(seed); been_seeded = 1; } /* Some rand() implementations have less randomness in low bits * than in high bits, so we only pay attention to the high ones. * But most implementations don't touch the high bit, so we * ignore that one. **/ return( (unsigned short) (rand() >> 15) ); }