* Close #321: Make the Gateway retry forever if it cannot find it's …

…interface. You never know when someone may finally replug the network cable or something... * Close #332: Apply patch from Laurent Marchal. biguphpc<AT>gmail<DOT>com * fw_iptables.c: Fix error in iptables_fw_access(). Rules were created as ACCEPT instead of DROP * firewall.c: Fix bug in fw_sync_with_authserver(). The traffic for the validation period of a user who validated his account while connected wouldn't get counted. * doc/wifidog_firewall_map.dia: At long last, full documentation of the firewall. We would have avoided a lot of stupid mistakes if we produced that sooner. * Release 1.1.3_rc1
wifidog · Jun 24, 2007 · e130b84 · e130b84
1 parent 9c4c73a
commit e130b84
Show file tree

Hide file tree

Showing 14 changed files with 73 additions and 34 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,4 +1,12 @@
 # $Id$
+2007-06-24 Benoit Gr�goire  <[email protected]>
+	* Close #321:  Make the Gateway retry forever if it cannot find it's interface.  You never know when someone may finally replug the network cable or something...
+	* Close #332:  Apply patch from Laurent Marchal. biguphpc<AT>gmail<DOT>com
+	* fw_iptables.c:  Fix error in iptables_fw_access().  Rules were created as ACCEPT instead of DROP
+	* firewall.c:  Fix bug in fw_sync_with_authserver().  The traffic for the validation period of a user who validated his account while connected wouldn't get counted.
+	* doc/wifidog_firewall_map.dia:  At long last, full documentation of the firewall.  We would have avoided a lot of stupid mistakes if we produced that sooner.
+	* Release 1.1.3_rc1
+
 2007-05-24 Benoit Gr�goire  <[email protected]>
 	* wdctl_thread.c:  Fix #324, again.  Credit goes to Medea, I misunderstood his instructons.
 	* From David Bird <[email protected]> libhttpd/: Fix #266 - don't process query string parameters and keep them in that request.path.

diff --git a/Makefile.am b/Makefile.am
@@ -29,8 +29,8 @@ doc:
 ipk: dist
 	make -C $(OPENWRTSDK) distclean
 	mkdir -p  $(OPENWRTSDK)/dl
-	cp -f  ${builddir}wifidog-@[email protected] $(OPENWRTSDK)/dl/
-	make -C ${builddir}contrib/build-openwrt-ipk/wifidog TOPDIR=$(OPENWRTSDK) PKG_MD5SUM= V=99
+	cp -f  ${builddir}/wifidog-@[email protected] $(OPENWRTSDK)/dl/
+	make -C ${builddir}/contrib/build-openwrt-ipk/wifidog TOPDIR=$(OPENWRTSDK) PKG_MD5SUM= V=99
 	@echo DONE.  If there were no errors, your package should be in: $(OPENWRTSDK)/bin/packages/
 .PHONY: rpm
 rpm: dist

diff --git a/NEWS b/NEWS
@@ -1,4 +1,19 @@
 # $Id$
+WiFiDog 1.1.3rc1:
+	* Close #321:  Make the Gateway retry forever if it cannot find it's interface.  You never know when someone may finally replug the network cable or something...
+	* Close #332:  Apply patch from Laurent Marchal. biguphpc<AT>gmail<DOT>com
+	* fw_iptables.c:  Fix error in iptables_fw_access().  Rules were created as ACCEPT instead of DROP
+	* firewall.c:  Fix bug in fw_sync_with_authserver().  The traffic for the validation period of a user who validated his account while connected wouldn't get counted.
+	* doc/wifidog_firewall_map.dia:  At long last, full documentation of the firewall.  We would have avoided a lot of stupid mistakes if we produced that sooner.
+	* Release 1.1.3_rc1
+	* Fix #324
+	* wifidog.conf:  Improve comments and add examples of blocking access to the upstream LAN.
+	* conf.h:  The DEFAULT_CHECKINTERVAL was 5 instead of 60 (as stated in the config file) which caused huge needless load on the auth servers, and needless ping traffic towards the clients if it wasn't manually set.
+	* contrib/ Add contrib dir to collect the scripts and other code distributed with, but not really part of wifidog.
+	* Modify the build system to finally be able to build wifidog directly from the wifidog directory using the same files 
+		used to make the official .ipk, without having to copy ANYTHNG to the openwrt SDK.
+		There is now a new target:  make ipk make ipk OPENWRTSDK=path_to_openwrt_sdk
+
 WiFiDog 1.1.3beta6:
 	-Fix bug #238 (config file location was hardcoded)
 	-Fix problem with autodectection of the External interface if the interface isn't fully up yet.  wifidog wil now retry for up to two minutes.

diff --git a/configure.in b/configure.in
@@ -20,7 +20,7 @@ AC_SUBST(BUILDROOT)
 
 WIFIDOG_MAJOR_VERSION=1
 WIFIDOG_MINOR_VERSION=1
-WIFIDOG_MICRO_VERSION=3_beta7-pre2
+WIFIDOG_MICRO_VERSION=3_rc1
 WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION
 
 AC_SUBST(WIFIDOG_MAJOR_VERSION)

diff --git a/contrib/build-openwrt-ipk/wifidog/Makefile b/contrib/build-openwrt-ipk/wifidog/Makefile
@@ -1,12 +1,12 @@
-# $Id: Makefile 3277 2006-02-27 18:58:33Z florian $
+# $Id: $
 ifndef TOPDIR
 	        ERR := $(Please set TOPDIR to OpenWRT SDK's buildroot)
 endif
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifidog
-PKG_VERSION:=1.1.3_beta7-pre1
+PKG_VERSION:=1.1.3_rc1
 PKG_RELEASE:=1
 PKG_MD5SUM:=842b21e1b02d0a90677b289d794e0e21
 PKG_SOURCE_URL:= @SF/$(PKG_NAME)

diff --git a/doc/wifidog_firewall_diagram.dia b/doc/wifidog_firewall_diagram.dia
diff --git a/src/conf.c b/src/conf.c
@@ -607,7 +607,6 @@ config_read(char *filename)
 
 		if (p1 && p1[0] != '\0') {
 			/* Strip trailing spaces */
-			/* Strip tailing spaces */
 
 			if ((strncmp(s, "#", 1)) != 0) {
 				debug(LOG_DEBUG, "Parsing token: %s, "

diff --git a/src/conf.h b/src/conf.h
@@ -29,10 +29,11 @@
 
 /*@{*/ 
 /** Defines */
-/** How long till we give up detecting the interface with the default route */
+/** How many times should we try detecting the interface with the default route
+ * (in seconds) */
 #define NUM_EXT_INTERFACE_DETECT_RETRY 120
 /** How often should we try to detect the interface with the default route
- *  if it isn't up yet */
+ *  if it isn't up yet (interval in seconds) */
 #define EXT_INTERFACE_DETECT_RETRY_INTERVAL 1
 
 /** Defaults configuration values */

diff --git a/src/firewall.c b/src/firewall.c
@@ -72,7 +72,7 @@ extern pthread_mutex_t client_list_mutex;
 /* from commandline.c */
 extern pid_t restart_orig_pid;
 
-int icmp_fd = 0;
+
 
 /**
  * Allow a client access through the firewall by adding a rule in the firewall to MARK the user's packets with the proper
@@ -295,9 +295,17 @@ fw_sync_with_authserver(void)
                         case AUTH_ALLOWED:
                             if (p1->fw_connection_state != FW_MARK_KNOWN) {
                                 debug(LOG_INFO, "%s - Access has changed to allowed, refreshing firewall and clearing counters", p1->ip);
-                                fw_deny(p1->ip, p1->mac, p1->fw_connection_state);
+                                //WHY did we deny, then allow!?!? benoitg 2007-06-21
+                                //fw_deny(p1->ip, p1->mac, p1->fw_connection_state);
+
+                                if (p1->fw_connection_state != FW_MARK_PROBATION) {
+     p1->counters.incoming = p1->counters.outgoing = 0;
+                                }
+                                else {
+                                	//We don't want to clear counters if the user was in validation, it probably already transmitted data..
+                                    debug(LOG_INFO, "%s - Skipped clearing counters after all, the user was previously in validation", p1->ip);
+                                }
                                 p1->fw_connection_state = FW_MARK_KNOWN;
-                                p1->counters.incoming = p1->counters.outgoing = 0;
                                 fw_allow(p1->ip, p1->mac, p1->fw_connection_state);
                             }
                             break;
@@ -316,7 +324,7 @@ fw_sync_with_authserver(void)
                                     break;
 
                         default:
-                            debug(LOG_DEBUG, "I do not know about authentication code %d", authresponse.authcode);
+                            debug(LOG_ERR, "I do not know about authentication code %d", authresponse.authcode);
                             break;
                     }
                 }

diff --git a/src/firewall.h b/src/firewall.h
@@ -27,6 +27,8 @@
 #ifndef _FIREWALL_H_
 #define _FIREWALL_H_
 
+int icmp_fd;
+
 /** Used by fw_iptables.c */
 typedef enum _t_fw_marks {
     FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated 

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
@@ -59,7 +59,8 @@ extern pthread_mutex_t	config_mutex;
 Used to supress the error output of the firewall during destruction */ 
 static int fw_quiet = 0;
 
-/** @internal */
+/** @internal 
+ * */
 static int
 iptables_do_command(char *format, ...)
 {
@@ -218,7 +219,7 @@ iptables_fw_init(void)
 
 			/* Assign links and rules to these new chains */
 			iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface);
-			iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);
+			iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);//this rule will be inserted before the prior one
 			iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, gw_interface);
 
             for (p = config->trustedmaclist; p != NULL; p = p->next)
@@ -274,22 +275,18 @@ iptables_fw_init(void)
             /* Insert at the beginning */
 			iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface);
 
-            /* TCPMSS rule for PPPoE */
+
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
 
 			/* XXX: Why this? it means that connections setup after authentication
 			   stay open even after the connection is done... 
 			   iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
 
-
-            if (ext_interface != NULL) {
-			    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW,INVALID -j DROP", ext_interface);
-			    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
-            } else {
-                /* Will this work even if we don't specify an external interface? */
-			    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state NEW,INVALID -j DROP");
-			    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu");
-            }
+			//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
+			//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
+
+            /* TCPMSS rule for PPPoE */
+   			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
 			iptables_fw_set_authservers();
@@ -461,7 +458,7 @@ iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag)
             break;
         case FW_ACCESS_DENY:
             iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
-            rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);
+            rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j DROP", ip);
             break;
         default:
             rc = -1;

diff --git a/src/util.c b/src/util.c
@@ -173,6 +173,7 @@ char *get_iface_ip(char *ifname) {
     in.s_addr = ip;
 
     ip_str = (char *)inet_ntoa(in);
+    close(sockd);
     return safe_strdup(ip_str);
 #else
     return safe_strdup("0.0.0.0");
@@ -222,13 +223,14 @@ char *get_ext_iface (void) {
     FILE *input;
     char *device, *gw;
     int i;
+    int keep_detecting = 1;
     pthread_cond_t		cond = PTHREAD_COND_INITIALIZER;
     pthread_mutex_t		cond_mutex = PTHREAD_MUTEX_INITIALIZER;
     struct	timespec	timeout;
     device = (char *)malloc(16);
     gw = (char *)malloc(16);
     debug(LOG_DEBUG, "get_ext_iface(): Autodectecting the external interface from routing table");
-    for (i=1; i<=NUM_EXT_INTERFACE_DETECT_RETRY; i++) {
+    while(keep_detecting) {
         input = fopen("/proc/net/route", "r");
         while (!feof(input)) {
             fscanf(input, "%s %s %*s %*s %*s %*s %*s %*s %*s %*s %*s\n", device, gw);
@@ -249,6 +251,10 @@ char *get_ext_iface (void) {
 	pthread_cond_timedwait(&cond, &cond_mutex, &timeout);
 	/* No longer needs to be locked */
 	pthread_mutex_unlock(&cond_mutex);
+	    //for (i=1; i<=NUM_EXT_INTERFACE_DETECT_RETRY; i++) {
+	    if (NUM_EXT_INTERFACE_DETECT_RETRY != 0 && i>=NUM_EXT_INTERFACE_DETECT_RETRY) {
+	    	keep_detecting = 0;
+	    }
     }
     debug(LOG_ERR, "get_ext_iface(): Failed to detect the external interface after %d tries, aborting", NUM_EXT_INTERFACE_DETECT_RETRY);
     exit(1);

diff --git a/src/wdctl_thread.c b/src/wdctl_thread.c
@@ -70,13 +70,12 @@ static void wdctl_restart(int);
 void
 thread_wdctl(void *arg)
 {
-	int	sock,
-		fd;
+	int	fd;
 	char	*sock_name;
 	struct 	sockaddr_un	sa_un;
 	int result;
 	pthread_t	tid;
-    socklen_t len;
+	socklen_t len;
 
 	debug(LOG_DEBUG, "Starting wdctl.");
 
@@ -92,9 +91,9 @@ thread_wdctl(void *arg)
 
 
 	debug(LOG_DEBUG, "Creating socket");
-	sock = socket(PF_UNIX, SOCK_STREAM, 0);
+	wdctl_socket_server = socket(PF_UNIX, SOCK_STREAM, 0);
 
-	debug(LOG_DEBUG, "Got server socket %d", sock);
+	debug(LOG_DEBUG, "Got server socket %d", wdctl_socket_server);
 
 	/* If it exists, delete... Not the cleanest way to deal. */
 	unlink(sock_name);
@@ -108,14 +107,14 @@ thread_wdctl(void *arg)
 			strlen(sock_name));
 
 	/* Which to use, AF_UNIX, PF_UNIX, AF_LOCAL, PF_LOCAL? */
-	if (bind(sock, (struct sockaddr *)&sa_un, strlen(sock_name) 
+	if (bind(wdctl_socket_server, (struct sockaddr *)&sa_un, strlen(sock_name) 
 				+ sizeof(sa_un.sun_family))) {
 		debug(LOG_ERR, "Could not bind control socket: %s",
 				strerror(errno));
 		pthread_exit(NULL);
 	}
 
-	if (listen(sock, 5)) {
+	if (listen(wdctl_socket_server, 5)) {
 		debug(LOG_ERR, "Could not listen on control socket: %s",
 				strerror(errno));
 		pthread_exit(NULL);
@@ -124,7 +123,7 @@ thread_wdctl(void *arg)
 	while (1) {
 		len = sizeof(sa_un); 
 		memset(&sa_un, 0, len);
-		if ((fd = accept(sock, (struct sockaddr *)&sa_un, &len)) == -1){
+		if ((fd = accept(wdctl_socket_server, (struct sockaddr *)&sa_un, &len)) == -1){
 			debug(LOG_ERR, "Accept failed on control socket: %s",
 					strerror(errno));
 		} else {
@@ -342,6 +341,8 @@ wdctl_restart(int afd)
 	}
 	else {
 		/* Child */
+		close(wdctl_socket_server);
+		close(icmp_fd);
 		close(sock);
 		shutdown(afd, 2);
 		close(afd);

diff --git a/src/wdctl_thread.h b/src/wdctl_thread.h
@@ -29,6 +29,8 @@
 
 #define DEFAULT_WDCTL_SOCK	"/tmp/wdctl.sock"
 
+int wdctl_socket_server;
+
 /** @brief Listen for WiFiDog control messages on a unix domain socket */
 void thread_wdctl(void *arg);