Ticket #92 (assigned Feature Request)

Opened 12 years ago

Last modified 8 years ago

Opening the firewall if the auth servers are all unreachable

Reported by: max-horvath
Owned by: benoitg
Priority: normal
Milestone: Gateway 1.1.5
Component: Gateway and Auth server
Version: Gateway SVN
Keywords: firewall
Cc:

Description

The goal is to have an option to open the firewall if the auth servers are all unreachable ...

Here is the current suggestion from Rob Janes:

Add a new chain, TABLE_WIFIDOG_AUTH_IS_DOWN, on the mangle, nat and filter.

On the PREROUTING mangle, the chain is there, at the very end, but normally empty. When the heartbeat monitor thread finds the auth servers are unreachable it adds a line to mark unmarked packets with a new mark, FW_MARK_AUTHISDOWN (253).

When the heartbeat monitor thread finds the auth servers are responding again it clears the above mangle chain.

Similarly, in the nat PREROUTING chains, add a check for mark FW_MARK_AUTHISDOWN just before the redirect of port 80. If that mark is set, accept the packet. This bypasses the redirect.

In the filter FORWARD chain, add a check for the FW_MARK_AUTHISDOWN just before the jump to the TABLE_WIFIDOG_UNKNOWN chain. If the mark is set, jump to the filter chain TABLE_WIFIDOG_AUTH_IS_DOWN. This chain is loaded at firewall init time from a ruleset, 'auth-is-down'.

If you leave the 'auth-is-down' ruleset empty, everything stays the way it is now.

But, if you do

FirewallRuleSet auth-is-down {
  FirewallRule allow to 0/0
}

all customers will be allowed to surf while the auth server is down. As soon as the authserver comes back up, they will be redirected to the login splash since the heartbeat monitor will clear the chain that marks their packets as FW_MARK_AUTHISDOWN, and then their packets will no longer be specially marked.

That's it.
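The mechanism described above, turned into the iptables commands it implies, as an added example that is not part of this ticket, of the attached patch, or of WiFiDog's own code. The chain name TABLE_WIFIDOG_AUTH_IS_DOWN, the mark value 253 and the ruleset name auth-is-down come from the ticket; the gateway interface br-lan, the redirect port 2060, the IPTABLES variable, the allow/block mapping to ACCEPT/REJECT and the minimal ruleset parser are assumptions. By default the functions print the commands instead of applying them, so the rule order can be reviewed without root.

```shell
#!/bin/sh
# Added example, not WiFiDog code: the iptables rules implied by the ticket's
# suggestion. Chain, mark and ruleset names come from the ticket; everything
# else (interface, port, IPTABLES wrapper, ruleset parser) is an assumption.
set -eu

GW_IFACE="${GW_IFACE:-br-lan}"          # assumed gateway LAN interface
GW_PORT="${GW_PORT:-2060}"              # assumed port the gateway redirects port 80 to
FW_MARK_AUTHISDOWN=253                  # mark value from the ticket
CHAIN=TABLE_WIFIDOG_AUTH_IS_DOWN        # chain name from the ticket
IPTABLES="${IPTABLES:-echo iptables}"   # default: print commands; set IPTABLES=iptables to apply

# Firewall init: create the chain in mangle, nat and filter, wire it in, keep it empty.
fw_init() {
  # mangle PREROUTING: the chain sits at the very end and stays empty while auth is up
  $IPTABLES -t mangle -N "$CHAIN"
  $IPTABLES -t mangle -A PREROUTING -i "$GW_IFACE" -j "$CHAIN"
  # nat PREROUTING: marked packets are accepted just before the port-80 redirect
  $IPTABLES -t nat -A PREROUTING -i "$GW_IFACE" -m mark --mark "$FW_MARK_AUTHISDOWN" -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -i "$GW_IFACE" -p tcp --dport 80 -j REDIRECT --to-ports "$GW_PORT"
  # filter FORWARD: marked packets jump to the auth-is-down chain instead of TABLE_WIFIDOG_UNKNOWN
  $IPTABLES -t filter -N "$CHAIN"
  $IPTABLES -t filter -A FORWARD -i "$GW_IFACE" -m mark --mark "$FW_MARK_AUTHISDOWN" -j "$CHAIN"
  $IPTABLES -t filter -A FORWARD -i "$GW_IFACE" -j TABLE_WIFIDOG_UNKNOWN
}

# Load the 'auth-is-down' ruleset body into the filter chain. $1 holds one
# "FirewallRule allow|block to <destination>" per line (an assumed subset of the
# wifidog.conf syntax); an empty body loads nothing, so behaviour is unchanged.
fw_load_auth_is_down() {
  printf '%s\n' "${1:-}" | while read -r kw action to dst; do
    [ "$kw" = "FirewallRule" ] && [ "$to" = "to" ] || continue
    case "$action" in
      allow) target=ACCEPT ;;
      block) target=REJECT ;;
      *) continue ;;
    esac
    $IPTABLES -t filter -A "$CHAIN" -d "$dst" -j "$target"
  done
}

# Heartbeat monitor found all auth servers unreachable: mark still-unmarked packets.
fw_auth_down() {
  $IPTABLES -t mangle -A "$CHAIN" -m mark --mark 0 -j MARK --set-mark "$FW_MARK_AUTHISDOWN"
}

# An auth server responds again: flush the mangle chain so new packets are no
# longer marked and fall back into the normal redirect-to-splash path.
fw_auth_up() {
  $IPTABLES -t mangle -F "$CHAIN"
}

# Dry-run walk-through, only when no real iptables binary has been configured:
# init, load a ruleset that allows everything, then simulate auth down and up.
case "$IPTABLES" in
  echo*)
    fw_init
    fw_load_auth_is_down 'FirewallRule allow to 0.0.0.0/0'
    fw_auth_down
    fw_auth_up
    ;;
esac
```

One property of this rule order is worth noting when reading the later comments: the nat ACCEPT for marked packets bypasses the port-80 redirect regardless of what the auth-is-down chain contains. With an empty ruleset, marked packets therefore skip the redirect in nat and then return from the empty filter chain into the TABLE_WIFIDOG_UNKNOWN rule, so they are neither sent to the gateway's splash page nor allowed through.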

Attachments

ticket92src.diff Download (9.8 KB) - added by gbastien 8 years ago.
patch in src directory
ticket92wifidog.conf.diff Download (463 bytes) - added by gbastien 8 years ago.
patch to the wifidog.conf file

Change History

Changed 10 years ago by benoitg

  • owner set to benoitg
  • status changed from new to assigned
  • milestone changed from Gateway 1.1.3 to Gateway 1.1.4

This will be done during the firewall refactoring. Bumping to 1.1.4 as it's a feature request.

Changed 10 years ago by dondruce@…

  • milestone changed from Gateway 1.1.3 to Gateway 1.1.4

Has this been modified - or has it been assigned to a specific release of 1.1.4 ?

Changed 10 years ago by anonymous

Milestone now 115

There was an unplanned 1.1.4 release to fix the stats bug discovered by Philippe April. So in effect, everything listed for 1.1.4 is now planned for 1.1.5.

Changed 8 years ago by gbastien

patch in src directory

Changed 8 years ago by gbastien

patch to the wifidog.conf file

Changed 8 years ago by gbastien

The last 2 attachments are a patch from Alex Nault from Zapbsl, compiled and tested by gbastien.

Works fine, but when the auth server is down and the auth-is-down ruleset is empty, then it does not redirect to the Uh ho! message page as it should do. If anyone has any idea why it doesn't, let me know. The code is not committed yet.
