Ticket #501 (closed Bug report: fixed)
PATCH: Bug in fw_iptables.c (version 1.1.5)
Reported by: | Piero | Owned by: | gbastien |
---|---|---|---|
Priority: | blocker | Milestone: | Gateway 1.1.5 |
Component: | Gateway | Version: | |
Keywords: | Cc: |
Description
Finally I understand why the gateway leaves a user to be connected while it should be logged off.
If the user client submits a valid token the gateway (fw_iptables.c) executes:
iptables -t mangle -A WiFiDog_Outgoing -s 10.4.19.235 -m mac --mac-source 00:14:BF:D1:XX:XX -j MARK --set-mark 2
and this is fine.
But if the user is still allowed and submits the token again, the gateway just executes the command again, so when the auth server denies the connection to the client, and the gateway executes:
iptables -t mangle -D WiFiDog_Outgoing -s 10.4.19.235 -m mac --mac-source 00:14:BF:D1:XX:XX -j MARK --set-mark 2 iptables -t mangle -D WiFiDog_Incoming -d 10.4.19.235 -j ACCEPT
this is just unusefull since the previous command is excecuted twice.
So the gateway just deletes the ip from the client list and looses control over the client who is still able to pass the firewall.
Workaround:
As I noticed in the debug messages of the gateway, if the client still uses the service, but is not on the client list, a debug message is shown:
[3][Sat Jan 1 00:43:48 2000][2297](fw_iptables.c:556) Could not find 10.4.19.235 in client list
this means that the gateway feels that something is going wrong, so why dont just block that IP instead of just showing the debug message?
I wish I could do it myself but I think it is something that should be fixed in the official version, and I cant fix myself.
The error is on source code fw_iptables.c on lines 519 and 556, actually the code is:
pclose(output);
Please fix this, or the all great system would be unusefull in a commercial environment.
Greets. Piero