Index: fw_iptables.c
===================================================================
--- fw_iptables.c	(revision 1429)
+++ fw_iptables.c	(working copy)
@@ -255,10 +255,12 @@
 	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
 	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
 	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
+	iptables_do_command("-t mangle -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
 	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
+	iptables_do_command("-t mangle -A PREROUTING -i %s -j " TABLE_WIFIDOG_AUTH_IS_DOWN, config->gw_interface); //this rule must be the last of the chain
 	iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
 
 	for (p = config->trustedmaclist; p != NULL; p = p->next)
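Review bot: The appended PREROUTING jump to TABLE_WIFIDOG_AUTH_IS_DOWN is only last at the moment it is added, and the trailing comment does not say why its position matters. Anything that later appends a rule to mangle PREROUTING lands after it, so the "must be the last" invariant is stated but not enforced. Presumably the jump has to follow the Trusted and Outgoing jumps so that the auth-down MARK is applied after theirs; if so, say that: `/* appended, not inserted: must run after the Trusted/Outgoing jumps so its MARK is applied last while the auth server is down */`. The enclosing function starts and ends outside this hunk.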
@@ -277,6 +279,7 @@
 	iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
 	iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
 	iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
+	iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 	iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
@@ -291,9 +294,12 @@
 
 	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
 	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
+	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTH_IS_DOWN);
 	iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
+	iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0x%u -j ACCEPT", FW_MARK_AUTHISDOWN);
 
+
 	/*
 	 *
 	 * Everything in the FILTER table
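Review bot: The `0x%u` in the new `--mark` match prints FW_MARK_AUTHISDOWN (253) as decimal digits behind a hex prefix, so, assuming iptables_do_command is printf-style, the rule matches mark 0x253 (595) rather than 253. It still works because the set-mark in iptables_fw_auth_unreachable() and the filter match in the WIFI_TO_INTERNET hunk use the same format, and the existing FW_MARK_KNOWN rule follows the same pattern. The effective value will not be the one declared in firewall.h, though, which matters to anyone writing the auth-is-down ruleset or auditing the live tables. Consider `-m mark --mark 0x%x` with the argument cast to `unsigned` in all three new rules together, or a comment stating the effective value. The enclosing function extends beyond the hunk.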
@@ -308,6 +314,7 @@
 	iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
 	iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
 	iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
+	iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 
@@ -343,6 +350,9 @@
 	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
 	iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
 
+	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_AUTH_IS_DOWN, FW_MARK_AUTHISDOWN);
+	iptables_load_ruleset("filter", "auth-is-down", TABLE_WIFIDOG_AUTH_IS_DOWN);
+
 	iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
 	iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
 	iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
@@ -371,12 +381,15 @@
 	iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_TRUSTED);
 	iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_OUTGOING);
 	iptables_fw_destroy_mention("mangle", "POSTROUTING", TABLE_WIFIDOG_INCOMING);
+	iptables_fw_destroy_mention("mangle", "PREROUTING", TABLE_WIFIDOG_AUTH_IS_DOWN);
 	iptables_do_command("-t mangle -F " TABLE_WIFIDOG_TRUSTED);
 	iptables_do_command("-t mangle -F " TABLE_WIFIDOG_OUTGOING);
 	iptables_do_command("-t mangle -F " TABLE_WIFIDOG_INCOMING);
+	iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
 	iptables_do_command("-t mangle -X " TABLE_WIFIDOG_TRUSTED);
 	iptables_do_command("-t mangle -X " TABLE_WIFIDOG_OUTGOING);
 	iptables_do_command("-t mangle -X " TABLE_WIFIDOG_INCOMING);
+	iptables_do_command("-t mangle -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	/*
 	 *
@@ -391,12 +404,14 @@
 	iptables_do_command("-t nat -F " TABLE_WIFIDOG_WIFI_TO_INTERNET);
 	iptables_do_command("-t nat -F " TABLE_WIFIDOG_GLOBAL);
 	iptables_do_command("-t nat -F " TABLE_WIFIDOG_UNKNOWN);
+	iptables_do_command("-t nat -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTHSERVERS);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_OUTGOING);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_ROUTER);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_GLOBAL);
 	iptables_do_command("-t nat -X " TABLE_WIFIDOG_UNKNOWN);
+	iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	/*
 	 *
@@ -412,6 +427,7 @@
 	iptables_do_command("-t filter -F " TABLE_WIFIDOG_VALIDATE);
 	iptables_do_command("-t filter -F " TABLE_WIFIDOG_KNOWN);
 	iptables_do_command("-t filter -F " TABLE_WIFIDOG_UNKNOWN);
+	iptables_do_command("-t filter -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_WIFI_TO_INTERNET);
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTHSERVERS);
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_LOCKED);
@@ -419,6 +435,7 @@
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_VALIDATE);
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_KNOWN);
 	iptables_do_command("-t filter -X " TABLE_WIFIDOG_UNKNOWN);
+	iptables_do_command("-t filter -X " TABLE_WIFIDOG_AUTH_IS_DOWN);
 
 	return 1;
 }
@@ -510,6 +527,20 @@
 	return rc;
 }
 
+/** Set a mark when auth server is not reachable */
+	int
+iptables_fw_auth_unreachable(int tag)
+{
+	return iptables_do_command("-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -j MARK --set-mark 0x%u", tag);
+}
+
+/** Remove mark when auth server is reachable again */
+	int
+iptables_fw_auth_reachable(void)
+{
+	return iptables_do_command("-t mangle -F " TABLE_WIFIDOG_AUTH_IS_DOWN);
+}
+
 /** Update the counters of all the clients in the client list */
 	int
 iptables_fw_counters_update(void)
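Review bot: The MARK rule added by iptables_fw_auth_unreachable() is unconditional, so while the auth server is down every packet entering on the gateway interface is re-marked, including packets an earlier chain may already have marked FW_MARK_LOCKED or FW_MARK_KNOWN. If per-client marks are set in the Trusted/Outgoing chains (not visible in this diff), a locked-out client would be handled by the auth-is-down ruleset instead of the locked one for the whole outage. Restricting the rule to unmarked packets keeps those earlier decisions: `"-t mangle -A " TABLE_WIFIDOG_AUTH_IS_DOWN " -m mark --mark 0x0 -j MARK --set-mark 0x%u"`. The doc comments should also state what the return value means and that each call appends another rule, so it must be paired with iptables_fw_auth_reachable().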
Index: fw_iptables.h
===================================================================
--- fw_iptables.h	(revision 1423)
+++ fw_iptables.h	(working copy)
@@ -42,6 +42,7 @@
 #define TABLE_WIFIDOG_UNKNOWN   "WiFiDog_$ID$_Unknown"
 #define TABLE_WIFIDOG_LOCKED    "WiFiDog_$ID$_Locked"
 #define TABLE_WIFIDOG_TRUSTED    "WiFiDog_$ID$_Trusted"
+#define TABLE_WIFIDOG_AUTH_IS_DOWN "WiFiDog_$ID$_AuthIsDown"
 /*@}*/ 
 
 /** Used by iptables_fw_access to select if the client should be granted of denied access */
@@ -68,6 +69,12 @@
 /** @brief Define the access of a specific client */
 int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag);
 
+/** @brief Set a mark when auth server is not reachable */
+int iptables_fw_auth_unreachable(int tag);
+
+/** @brief Remove mark when auth server is reachable again */
+int iptables_fw_auth_reachable(void);
+
 /** @brief All counters in the client list */
 int iptables_fw_counters_update(void);
 
Index: firewall.c
===================================================================
--- firewall.c	(revision 1423)
+++ firewall.c	(working copy)
@@ -111,6 +111,24 @@
     return iptables_fw_access(FW_ACCESS_DENY, ip, mac, fw_connection_state);
 }
 
+/** Passthrough for clients when auth server is down */
+int
+fw_set_authdown(void)
+{
+	debug(LOG_DEBUG, "Marking auth server down");
+
+	return iptables_fw_auth_unreachable(FW_MARK_AUTHISDOWN);
+}
+
+/** Remove passthrough for clients when auth server is up */
+int
+fw_set_authup(void)
+{
+	debug(LOG_DEBUG, "Marking auth server up again");
+
+	return iptables_fw_auth_reachable();
+}
+
 /* XXX DCY */
 /**
  * Get an IP's MAC address from the ARP cache.
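Review bot: Both state changes are logged at LOG_DEBUG, although fw_set_authdown() switches the gateway to the auth-is-down passthrough; at a typical production log level that transition would leave no trace. Log it at a level operators keep, e.g. `debug(LOG_WARNING, "Marking auth server down");` and `debug(LOG_NOTICE, "Marking auth server up again");`, so the window during which passthrough was active can be reconstructed afterwards. The doc comments should also say what the int return value means, since it is passed straight through from iptables_fw_auth_unreachable() and iptables_fw_auth_reachable().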
Index: firewall.h
===================================================================
--- firewall.h	(revision 1423)
+++ firewall.h	(working copy)
@@ -34,6 +34,7 @@
     FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated 
 			    @todo: VERIFY THAT THIS IS ACCURATE*/
     FW_MARK_KNOWN = 2,  /**< @brief The client is known to the firewall */ 
+    FW_MARK_AUTHISDOWN = 253,  /**< @brief The auth server is not reachable */
     FW_MARK_LOCKED = 254 /**< @brief The client has been locked out */
 } t_fw_marks;
 
@@ -55,6 +56,12 @@
 /** @brief Deny a client access through the firewall*/
 int fw_deny(char *ip, char *mac, int profile);
 
+/** @brief Passthrough for clients when auth server is down */
+int fw_set_authdown(void);
+
+/** @brief Remove passthrough for clients when auth server is up */
+int fw_set_authup(void);
+
 /** @brief Refreshes the entire client list */
 void fw_sync_with_authserver(void);
 
Index: util.c
===================================================================
--- util.c	(revision 1429)
+++ util.c	(working copy)
@@ -224,7 +224,7 @@
 
 	strcpy(ifr.ifr_name, ifname);
 
-	s = socket(PF_INET, SOCK_DGRAM, 0);
+	s = socket(PF_PACKET, SOCK_DGRAM, 0);
 	if (-1 == s) {
 		debug(LOG_ERR, "get_iface_mac socket: %s", strerror(errno));
 		return NULL;
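Review bot: The switch from PF_INET to PF_PACKET is unexplained and unrelated to the auth-down changes in the rest of this patch. On Linux, creating a packet socket requires CAP_NET_RAW, which the previous PF_INET datagram socket did not, so this function (get_iface_mac, going by the log message) will now fail wherever the daemon runs without that capability; the address family is also Linux-specific. If the change is needed, record the reason next to the call, e.g. `/* PF_PACKET: <reason the PF_INET socket was not sufficient> */`, or move it to its own commit. The function body starts and ends outside the hunk.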
Index: ping_thread.c
===================================================================
--- ping_thread.c	(revision 1423)
+++ ping_thread.c	(working copy)
@@ -51,10 +51,12 @@
 #include "ping_thread.h"
 #include "util.h"
 #include "centralserver.h"
+#include "firewall.h"
 
 static void ping(void);
 
 extern time_t started_time;
+static int authdown = 0;
 
 /** Launches a thread that periodically checks in with the wifidog auth server to perform heartbeat function.
 @param arg NULL
@@ -118,6 +120,10 @@
 		/*
 		 * No auth servers for me to talk to
 		 */
+		if (!authdown) {
+			fw_set_authdown();
+			authdown = 1;
+		}
 		return;
 	}
 
@@ -223,9 +229,17 @@
 	if (strstr(request, "Pong") == 0) {
 		debug(LOG_WARNING, "Auth server did NOT say pong!");
 		/* FIXME */
+		if (!authdown) {
+			fw_set_authdown();
+			authdown = 1;
+		}
 	}
 	else {
 		debug(LOG_DEBUG, "Auth Server Says: Pong");
+		if (authdown) {
+			fw_set_authup();
+			authdown = 0;
+		}
 	}
 
 	return;	
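Review bot: A single reply without "Pong" switches the gateway to passthrough, with no threshold or hold-down, so one dropped or garbled heartbeat is enough to apply the auth-is-down ruleset to every client until the next successful ping. Consider requiring several consecutive misses before calling fw_set_authdown() and resetting the count on any Pong, as sketched below; the counter name and threshold are placeholders to be tuned. The no-auth-server branch in the previous hunk would need to go through the same counter. The `/* FIXME */` left above the new block should either be resolved or say what remains to be fixed.

```c
/* file scope, next to authdown; name and value are placeholders */
#define AUTHDOWN_MISSED_PONGS 3
static int missed_pongs = 0;

	if (strstr(request, "Pong") == 0) {
		debug(LOG_WARNING, "Auth server did NOT say pong!");
		/* open the passthrough only after several consecutive misses */
		if (!authdown && ++missed_pongs >= AUTHDOWN_MISSED_PONGS) {
			fw_set_authdown();
			authdown = 1;
		}
	}
	else {
		debug(LOG_DEBUG, "Auth Server Says: Pong");
		missed_pongs = 0;
		/* … unchanged: fw_set_authup() when authdown is set … */
	}
```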
