From e130b8455d691352c8445217d985873f17526d41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benoit=20Gr=C3=A9goire?= Date: Sun, 24 Jun 2007 04:13:13 +0000 Subject: [PATCH] * Close #321: Make the Gateway retry forever if it cannot find it's interface. You never know when someone may finally replug the network cable or something... * Close #332: Apply patch from Laurent Marchal. biguphpcgmailcom * fw_iptables.c: Fix error in iptables_fw_access(). Rules were created as ACCEPT instead of DROP * firewall.c: Fix bug in fw_sync_with_authserver(). The traffic for the validation period of a user who validated his account while connected wouldn't get counted. * doc/wifidog_firewall_map.dia: At long last, full documentation of the firewall. We would have avoided a lot of stupid mistakes if we produced that sooner. * Release 1.1.3_rc1 --- ChangeLog | 8 +++++++ Makefile.am | 4 ++-- NEWS | 15 ++++++++++++++ configure.in | 2 +- contrib/build-openwrt-ipk/wifidog/Makefile | 4 ++-- doc/wifidog_firewall_diagram.dia | Bin 0 -> 8702 bytes src/conf.c | 1 - src/conf.h | 5 +++-- src/firewall.c | 16 ++++++++++---- src/firewall.h | 2 ++ src/fw_iptables.c | 23 +++++++++------------ src/util.c | 8 ++++++- src/wdctl_thread.c | 17 ++++++++------- src/wdctl_thread.h | 2 ++ 14 files changed, 73 insertions(+), 34 deletions(-) create mode 100644 doc/wifidog_firewall_diagram.dia diff --git a/ChangeLog b/ChangeLog index 9aef24e9..509b26c3 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,4 +1,12 @@ # $Id$ +2007-06-24 Benoit Grégoire + * Close #321: Make the Gateway retry forever if it cannot find it's interface. You never know when someone may finally replug the network cable or something... + * Close #332: Apply patch from Laurent Marchal. biguphpcgmailcom + * fw_iptables.c: Fix error in iptables_fw_access(). Rules were created as ACCEPT instead of DROP + * firewall.c: Fix bug in fw_sync_with_authserver(). The traffic for the validation period of a user who validated his account while connected wouldn't get counted. + * doc/wifidog_firewall_map.dia: At long last, full documentation of the firewall. We would have avoided a lot of stupid mistakes if we produced that sooner. + * Release 1.1.3_rc1 + 2007-05-24 Benoit Grégoire * wdctl_thread.c: Fix #324, again. Credit goes to Medea, I misunderstood his instructons. * From David Bird libhttpd/: Fix #266 - don't process query string parameters and keep them in that request.path. diff --git a/Makefile.am b/Makefile.am index 6576b783..81590cc6 100644 --- a/Makefile.am +++ b/Makefile.am @@ -29,8 +29,8 @@ doc: ipk: dist make -C $(OPENWRTSDK) distclean mkdir -p $(OPENWRTSDK)/dl - cp -f ${builddir}wifidog-@VERSION@.tar.gz $(OPENWRTSDK)/dl/ - make -C ${builddir}contrib/build-openwrt-ipk/wifidog TOPDIR=$(OPENWRTSDK) PKG_MD5SUM= V=99 + cp -f ${builddir}/wifidog-@VERSION@.tar.gz $(OPENWRTSDK)/dl/ + make -C ${builddir}/contrib/build-openwrt-ipk/wifidog TOPDIR=$(OPENWRTSDK) PKG_MD5SUM= V=99 @echo DONE. If there were no errors, your package should be in: $(OPENWRTSDK)/bin/packages/ .PHONY: rpm rpm: dist diff --git a/NEWS b/NEWS index aa45e120..ce3b053c 100644 --- a/NEWS +++ b/NEWS 
@@ -1,4 +1,19 @@ # $Id$ +WiFiDog 1.1.3rc1: + * Close #321: Make the Gateway retry forever if it cannot find it's interface. You never know when someone may finally replug the network cable or something... + * Close #332: Apply patch from Laurent Marchal. biguphpcgmailcom + * fw_iptables.c: Fix error in iptables_fw_access(). Rules were created as ACCEPT instead of DROP + * firewall.c: Fix bug in fw_sync_with_authserver(). The traffic for the validation period of a user who validated his account while connected wouldn't get counted. + * doc/wifidog_firewall_map.dia: At long last, full documentation of the firewall. We would have avoided a lot of stupid mistakes if we produced that sooner. + * Release 1.1.3_rc1 + * Fix #324 + * wifidog.conf: Improve comments and add examples of blocking access to the upstream LAN. + * conf.h: The DEFAULT_CHECKINTERVAL was 5 instead of 60 (as stated in the config file) which caused huge needless load on the auth servers, and needless ping traffic towards the clients if it wasn't manually set. + * contrib/ Add contrib dir to collect the scripts and other code distributed with, but not really part of wifidog. + * Modify the build system to finally be able to build wifidog directly from the wifidog directory using the same files + used to make the official .ipk, without having to copy ANYTHNG to the openwrt SDK. + There is now a new target: make ipk make ipk OPENWRTSDK=path_to_openwrt_sdk + WiFiDog 1.1.3beta6: -Fix bug #238 (config file location was hardcoded) -Fix problem with autodectection of the External interface if the interface isn't fully up yet. wifidog wil now retry for up to two minutes. diff --git a/configure.in b/configure.in index 9a3f51d5..fd74093d 100644 --- a/configure.in +++ b/configure.in 
@@ -20,7 +20,7 @@ AC_SUBST(BUILDROOT) WIFIDOG_MAJOR_VERSION=1 WIFIDOG_MINOR_VERSION=1 -WIFIDOG_MICRO_VERSION=3_beta7-pre2 +WIFIDOG_MICRO_VERSION=3_rc1 WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION AC_SUBST(WIFIDOG_MAJOR_VERSION) diff --git a/contrib/build-openwrt-ipk/wifidog/Makefile b/contrib/build-openwrt-ipk/wifidog/Makefile index 82b495a6..3a6c34bc 100644 --- a/contrib/build-openwrt-ipk/wifidog/Makefile +++ b/contrib/build-openwrt-ipk/wifidog/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile 3277 2006-02-27 18:58:33Z florian $ +# $Id: $ ifndef TOPDIR ERR := $(Please set TOPDIR to OpenWRT SDK's buildroot) endif @@ -6,7 +6,7 @@ endif include $(TOPDIR)/rules.mk PKG_NAME:=wifidog -PKG_VERSION:=1.1.3_beta7-pre1 +PKG_VERSION:=1.1.3_rc1 PKG_RELEASE:=1 PKG_MD5SUM:=842b21e1b02d0a90677b289d794e0e21 PKG_SOURCE_URL:= @SF/$(PKG_NAME) 
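Review bot: PKG_VERSION is bumped to 1.1.3_rc1 but the `PKG_MD5SUM:=842b21e1b02d0a90677b289d794e0e21` two lines below is left untouched, so it is the digest of an older tarball; a build that fetches the source through the `@SF/$(PKG_NAME)` URL will either fail the checksum or, if someone works around it by blanking PKG_MD5SUM the way Makefile.am's `ipk` target does, lose integrity verification of the downloaded source entirely. Update `PKG_MD5SUM` to the digest of the actual rc1 tarball as part of the release step, and consider documenting that the blank `PKG_MD5SUM=` in Makefile.am is only acceptable because that target copies a locally built tarball.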
diff --git a/doc/wifidog_firewall_diagram.dia b/doc/wifidog_firewall_diagram.dia new file mode 100644 index 0000000000000000000000000000000000000000..2946cc770d0ac8c8bafbb34fab1a9bdff80b0af0 GIT binary patch literal 8702 zcmVEt z=A-H4+hRUhn1&&IXGCeQ)*M!D2BR zz5B2j_9lbN;kVD;4Nm{Km`y)S&Ymr=T3vTK9ZzSyKL_J)pZ)DT{dx9$b(`n6?(@LC zuLc*xceCN(kLFv;_$P!-ZhbYJ-M#JQ)pS0Jmn=SA-MggWKJ@<^*Q~CZ$BQNx-~H_c z{B8M`R^Rw?uevwdc*x>%FuNE{?w=EXH{<0mLJQPd$6tmG7^DZUu74-%ANQ`?0lfmv4_OUkm7u_SWF*z|L248 zyo~_MZ-3Udbv5^5HadG)ac^DGaF>sxv&H+9e=_~LmUsWeboW0;^U=HUuH}U`oEyJ|>AU|oJYB5B`(Zr&c=~=YTlD_k`+oY* zXJ6co=yZ(EzI}EmZ~uPoN)+!FP2as=(AD(wQ)DW*EAM@4(RAx~@9y4t7T^3}axorW zTk&8k6aUv&QW#e`;q7L}4adXFlhf&Ja^D}=hBWE+$z-}(a z@qW>Km=<2%`lB~HZ2o@w@ubEsAOIpu0_c6J;2?uaABhM)Ul_|JR4rMp((&NWTH ziRAy?y6%pvc)5IX-yR(t9sYLw`pu6Gp5p`Nwh6nZlSSRh^!?uX;Bqwn6yM-rGJn>a zFFui7hzh>^(f=5Z{~Rtxr-Pg3YyEd{?|G~Jknr|1Cn4|9+oq>ZVV!W+R#rgJHt($4 zDD*(6B4yq|(Z{=(Tn_6$(Bb66Weq$(1kiOD(}a`Hzd*$1n4xkp!&b^Nf(8(1C`hQG zgwj5~a`6=>aBMD88{}|8dJi{{!!sg>5}{Fv3v%!v$7HZ5u+brGppXWac0m^8=nOe@ zE^>s*1V-e*6mDQb4)Q7DE0D~{vAIa?kOLq@=SblSKd>OjKE@nB93K7t;^_S0~?vTUeBL}b}2P}~Tgmdwg`cL%_&vn{KYt@*O(=sswmP=uurtuMr4$%-ZG)RIAtB~zNil--Q!kB76%(PS{L z3G6Z3FB8ESAHC`z6sKP%5Ld^@B_{>YS4t|OScCk0@!ACY$_Q`}te4=t52zIO-__(_Xyca28EjFKXy;c0M>Amc$7^N7Ol|O|-UBXwW5b@>t@e=>Z#$u1?-Z z5A%QG6BW_;A#-r2|8(tRBGA+Gn19GN!={iQHhoUv@y1OmJ@8=_H|dZL4IBF!Z3Cw| z=^nVwKO7D%wYKF|o4ao%Y${>XW?_@f37e2RYI-#qTuxJq@x8vU>}FvtjIlOUMhX`+ zvNjHDygmsuQX`l))>p~RPUH|iTHl&X+F4DpPF z04ZeY7TZtMIQ;GS$HRgeorWG(NE1y$fsC$s|0=ud_y*$h)_i>`s>Wkd&3E}K7-q6; zy>!jj1@#CE_H%K#^@XO?eM{Z9)4H$9V*Xq1!f%5MY`2k$*X%y9QYjga0%?Q-rBv9{ z@tU=?tNqPfO7V*K-7B697R4p*A{!6NAQ_0_6?d3O$!>%-rc#bGAD>nYD4M9y2NV6^ zN_l1s$q=b!GR1`g8+!>G^!4QU@Pwu)92^z!=mtCt3Imo5L&1&?u_L?fScOWnvVqd{ zPc2tzc&#hVO$W*lsTFo8p~~c){l<>hZz6QOIXEup(OKwW(UNH>=+Pm1;1=>%hChF0 z)R!Wz=^%S$bSdK&^jIG~etYxNo5SDV6wv6hglkH+s#DAeTZlNovPT?g${95vM9cuk zA8~*!m{Bleea!gr=fm$`{9GWTvp6F{29(Waoo+Uh+Xyo(f0%I%8NrwsX!wnJKJ5by 
z%iD5b)Qx%3{^<>nDuA&*V7&P4_&(koN+y1*5m9(|zdC>k^cS31O%>>g<4H(qPs4p>}5mg|@#T1ZnV zny2AdCp2Y<)e2g)u;`5OK?i_ft!ACeWWA#~P}W6+0dHKvmK|Wr*>JuXO@?PQto7n! zFN!%E&gTVQ*uxehbbL<8I|U;{ftM|Jx!vh+`wT7ljnQ9-*qr@sM8uNb&@mVvls+Ac zkchs~FWE4@pjMlc;pFVmHn(~qA9#v4M5Xw|oL=31A79|E^nC5E=PPU2r@qrMCbzxr zrAfWB+gGDEM?MhQWsL}&8XiwF%2m;q1n{<>YUM#CM6lX&Yj~5K4RrsFi?l_>pX@%T zJ4y;`Z9#Fjf7oxmt@G_*HW-hG2=I@7t*-84WAJ``@|H>t?Uk0;3dO!Sr^2>{(pH33>t^}3b zL8Vo~DXl79N?|N1%SR!}ZGlW-B|Dh{!fNJ#wb22!nx9OusZi}^4p^z&4OnsomI^F2 zjiNtz_4?@G<#Eb)4i>|YgHHvQI^bw%E3u0BRDh}DTAJU+00Z{<1u05`_*Z3p1;QA# zj(dawE4|NI7h=d4JUE4{^gcrg9P5DCgvy$*X$i6v(lQEZ^IrUw%ooG6-Y+j+7C>Pi zXy9q`IL1K7qbuu8I;);#_oPM>A5Ei=ADjbVU8F@PNlK@SXoQ37gQo%-&?6%yI_C6x zqnvd)J7I`tRMP8vmR|Q6>2+;6((5fWJiCJsjBp{RVAM{#<0%@D&Ornu?UvwNMUjTF zid(zuWURT&iRhO_BLGFW_pCa8r}~BK=(aH&6Hy=6ZIj>Xbxrr6wOfvr{t{2p+NG1E zOZ1n37#%((VnD#H-;HuM4@Xf&#rL~9zLttBzq@U>Cc7&~;l_~Ft_b1N*fEm^$I!s8 z=$0EPz*t~qPj4<(EB3SzN`rC1t7x$tW}Wp|(#HvdHaa>^fwR;GRM^vF(o&)<1_bol*?RiHXLk}% zfK@gpm16Wr=`IWeev?;!Q12FXL9?Q;DnaaSJ8tgG?oti z%xy+6JJU4o^n&x~oUJPetXf%5!*IAlx<&%k! 
zp$zxzXxV_tW|wPK@p^~}NUTfLG%Z|o3oDD$NS=@fX>OSx}@a-kGEJ zLrn&vtgPt{ML=$2@Rtniqra5IH2llco-?H+GmPX&RW_adwNd2rcFY1EUCrv!l;R_+ zPy&$dphIl|I)Y?J4h&y_BPf2{2(rLNfsM@-@sFB_10=C+8Dq%a+ zpiMNDw+S_@FvhydBR2(pbD>(|hDPgH6IW$5W@k`wYc*!Ui>~lO5>*{5?+azUOT@@- znsTy2&H*|$4Fblr!OWomqkM&qyI#JzQ0>a)29;OnulFkJ5_aq*mi&D9@~4AW1xC87 zmxEA22C@((@aPamU<=GE);VlT;#Gia-jxZy3XY$46Js87wAdh1RS)l{Xiv-6Z$` z)_VgEX-XG(#kx{Cc#Y`daoPt|n+}aAL&17EE0xb@)5~6bzJ{|&6lHWiI2{&X;RY6^ z=;05QwZdsE`;dbbon-2POuZF=j&vQ$m5UC9N5fhI-CV48nFwc{ zRq;P3$$NB$)q6A=we_e`>gYZC;ymtPjnI5Ch(GZ9P0CFax3PozXng7o`2a@V9HLy@ z#%@-oLUwbpbwWAn!r&zI(;;fv>Oq-qDWud`ImJw|$(5}Q$QWv3xv@UAjG8Q?CL0mz z)zRVGf=cYDMAW^IJlMk8=`fj*-JWc8YPHP?-`g%twOV;P$2kLipmE13T^`Lha*vs; z7qUJ&!U$kcmgDT(47!jp#|G|BMDJ=;mCbG(wU8q6yvMqo!nh*C_$F{L0(wXEiE1NjszabaK@7 z%AxSVa>IC|oV6=zrIL=`n049}Mc;2lUklBx=H5`!T$iwV3;U>*wkq$*Zo7|K`qfEF zyS`N-fYX&XG$~%ORw=e2WIMKt_e!D-*K8MLtyf??1$4j_+XYL(Vh06_i};*fL{rd< zw=86rjuw%u@YpM%z!$Ph=T!@9wh&21>xGq5%DjH$flu3BWu)&^>v z0O`RyX;urebg5dDszn1#osI{WSH0txZ-4pq*Md%6RWA}cmFh)T)eD>5EEYo&3>1o2vZ9$4+Akd%yKxIt`^-m^oHdumH>N^_vQom>w^95$BfDvLv?$AF z_wZ1~Fwk@u&T;$@1Ug9S979>4L1x~WsBqD1bC#QFT_@rLlQBvtTr1<#4g@K*REBm|Ii0nn;L)s6hFC4PASkPhmIh2JPH^^8SlaOAoK#+UA5be> zY7@JxO$hlaZtk&ZFl9nRt@K z=)}?bWa76)r%q{02ct#cX0SGiS;t`&-da@^*2}){V$9lGPo>T-dw=Ut>M zF*bS85OF)68MLWP46lM^PyN(LSTkfycqd)de<@thMZNc}`6Mg9tK{zZ zsxE*13{;+VahXYr1eSZtT#OtMDl{}F2U!`an~T*d_oJf|Pc%`b!GlwQm6oclMj0e1 zi&{FPOX{bje*RJeHGI$&DxqDO!`3}D)n)fY*ia!WD>c;@{F0Mu1duz4?3~oig=&K^ zAV4aEnk;`AqEYCm55m)nmoE?A9v3WPA2uB^NJ>vwREVhEl_8wj!bm6b*V6~5S!aUM zNzz4Vpe8)sw?RO(;&iZ;ioFB3Nz6L<62{S$C7H2b$qc75st``^hKB0$_maqEA`dxf zs3Ag*PUb&AprLJu-cvfm%1!sAx7O`C0quyM@^q zOTHyCv&&H_+G!X}NbJ+7*M=fWMmiHMVL+o0$_|*$ z^E>Yc^WG1?pZxOT=%>}H%9870uRBmLr&ARY9|20Lr=wI)b~6K+c|~U43U3wb#$#$| z@QzLb@XI0IApq?(1-t2%`SxyOlbj7(lFRy+{fh}*&OAlKz5eCV!eTbN+%xYqcQB1m&;I^lKAiPtAI8IZ@jkh| zPY*<6@Z?LBN@IuaXLd7$Lt&6UILkY*pUyGTCg(F?=+odE?HoNYRx0j+Hw{wOf!VUm zSel*oEo*5q+U4DjW_f$LjalA_jc5`pmovJICrLy)Ng<8AQBlE_A#c>!&_Pk6Ud{&+ 
zB~WyHzo`W4>A2fX*OOOUm|C}dpgpC&6|as5kbzEusBV3$g;mN`K?-dg|IoU6F>5Z> zLYnxlih}QV0%^UOH;Q}a&0`59pUq5mb~$_hG8_Im8h-3WbJB~NKDikFpMNcWXa`HBkoZtEiLdyf-T9%} zO&2hk`GD=zjU3Dre!i2W~&K zx#_~^H(fXZ=qL~Afq5G-m~@T{hT1QT(^Wv~k7o5n^Tlg9{u{NE;DU6LfBbh)Mrs4J z8J)&|yV8WQ%O;GsM~C0PIDUQjrg)L;eHdDp5ULQp1klBY?8t}QMjM7vnm#rcc+;6E zG<9Kw>n;o>B<*4gU3Fp9idkQkD@_>t=ScdjCJfjS5iYy+Vnqp2BJgf?3|a;{1`R0U z$DsF$e7k^weeGL~h|Tzv;cgb?{#vRP>-FY)x4YhaAM(S*N=Z&~OiI2~A(3OOkD5&f z#_u`98y;>hR*4HsT=-yI_|u!i-%Cu`MQ?t5?xP+X>bNdJVK+e`$}KpJ$yY+*tmE|? zL0hDQY|!L3f}_Vp3avc9*H|ax0}pYbRquI7xL$1`?51x5)fVV$(esH9w5GWjybLz) zZAd4FN^k%j@YiaEtWEeVuPW-jXX+ht_Pp(=^%3JyF+6?Zz z(9&b2l;m!Z$`!BO0uL3OQ_dC2YN4z?l0rH<_`e4)%l?ioI-{fwOHV=-HbG~JBiK%7 z6n$*`tx<;JHl(RKX_*uRw}d3=J86x&D`d@6Y=qHP7teDK>y0wQ^F*_w&@!8FZX`YV zo>#f)5a}=;O`!$3MyJ?Za3ZWSv32}^38MRWre%@$90EH z0?a0yD_0?BK3F9p0Xm8zwG+x=>Sk6>vl7iS#A-z(kU}Z+Xp~3kG)m37WH?6RP6ApC zTGHPNk)ZP>!{@!@!`>g0>BmX$bUca;e3D&ZpzfRBsBiT8zkM znrkn>lge?{BIpoJhon+O3=M-ffyUJERw8m`YvV`8BfynS;-wPNev^1FdMl+S(TxXc zu6K%uG9{x+4>Y?!f-((?26X2*UhTjs`kc;daswft>qpcGR4FGXR4VpK8BKE5!Wn`h z@3^?3`{jmWPM0I%?#5+=Y|^@cij%8u(u&eFt_^6>RN|fqK;9u4n+w%4bs416Us9Kf zHFXKJpA-SXS*7i!4Ob;~nU%Wy;pp&}lDzEJbqoTmbQQ)&#$%zgY{hk4C%F;S7Mg55 zdyB1Gb=Vp-Rp6cky0Jhln`@0RQtPl9K941rQF0j#pfn#YdV{O0+4O2Q8pNNw9L)ac zMfdb7em27bPhE8BI_HRBQxY59B{o8KqYs54k~WRyFp=896V0b4#Gt%}i~&#@-A5-| zsRB18t5MF{nSyDJVM%N3S6bsPv1+ZfMo_!qTZZiZp6Es?w7xPrYJlZTUD8P!=^zB} z`brD0T@?ct75zBw>UootHJ56kHN;Cx;&R{W=Q$d#Ia>KzC^&3E!BGZZ(Sku8^mvBK?6E@$D)JnI5 z@RU!lFzR&hNb3u2u#Sk;(mHPDTb+pauL=Sk(c_+yVvpmeev$(HX3Z`(V~5TCIfOdc zkwf6NU@|;LtPIRcJ>oGEr6#LkrSxPq5Q3s<%(Qfl-)huJSqw)p99!tkgs;$W_$?R? 
zBw}pND65v1!&$FamLnv81B3L-A&<)NTaH>Wi|Ht)V+(N#eubtZo48Mlyo`kkSc&@} ztX7t`h6S+Lr$aF~N(xxXzW$+3#2Q*82&Vw!dnz`g*o?Mu3gjd=wA+!@$fi|$VS;i{ zX_NlKIe$!Oi&~|VjJJJil%Y*BM#d<@a!-3{l(WV;5#C9c-k1xz6e0Ia({;{D?7Q`i z?eCa49?mXDlfk$~+i7-nF1xzoOk$EVU(rJBzLGSSJ5+|5|F*F_?OOQ^1oRlR@;;!J zPmunW{EA2QN!=kMqVPB`g1rh3_tdHio$sa(T6Dvzg7&trsr!sx;lA3osIq{K2Q;8AJYHx!Fax* z0Z7M045!C2|B&s(3rc2F=&v6_!x}0m3o%j<0fJO9Qc#vQm(%Q+z)f?gk+1e5Ybz+B z!M?GV?oNJNi@zjylLSyQn}du(8l-%@VK1RpX>q?=}!Eq~gy^PJ7 z0#zdaeN*qO6rbANc1b1kImi`fS%6~xG;Os{EI~smPP3d9??A{3S$nEIQa>;_w6s@J zv+k87lVe;wO;e&lm6qxqv{awZrkB0=bPZ>dD9Y%3a5^k8Eq_eALfd$@K~sX-ZrawA z%qG2i)>dj8T}6aI&D2JjKF#V!Pp$V-Tkf4yw03l@3XNWG$^%EHF4eN9viq)k}DJ7@X3NbAL{u>~@|#iHPQ58i9lSk#WDK+y8i zTn*RDM_==6xL#?vjw-I*QpH1{leyzFe>e~#sPDsH*w*S?(%&xYqw(a+*v zr>DdDyjJ5we$fRichx0LvF$rSJC8N>W$+R%Hy5c*)y2|4DzB`K{=G2@!4<}3VO$o* z<#m z=!4K;eTaxpJT309p;68U6te^ldpGis^!j5wLDw|jR`I+Xds+$;*OHhPp0X#(w zQY&2{2x%nuxR^Q#YYKc7nvxONL&Xj`)N0sK)=yp`;l}LBE6*mmS`}kpRIJ^OnieBio!T9Z zH2rv{kyb_3woJ=lzZiH?>eZ>fUl}0EO z_oui&#r-Lkr)$fjvk8}AnB5;k7AIOBI;U8kVtMX8a>epIWy{l4meTngP#S{ed=(^b zbEq*06$TN2sABQZ;8Ybr00i#MUv(nZwva;5whB*-3R<@KJndQ+VopKZ<_?coz8()g c4QJndvwRW%yO<3wzx(EY0d`2g%YSnM0GHJxJpcdz literal 0 HcmV?d00001 diff --git a/src/conf.c b/src/conf.c index b2cfc41e..aad99567 100644 --- a/src/conf.c +++ b/src/conf.c @@ -607,7 +607,6 @@ config_read(char *filename) if (p1 && p1[0] != '\0') { /* Strip trailing spaces */ - /* Strip tailing spaces */ if ((strncmp(s, "#", 1)) != 0) { debug(LOG_DEBUG, "Parsing token: %s, " diff --git a/src/conf.h b/src/conf.h index 1a540818..28983cde 100644 --- a/src/conf.h +++ b/src/conf.h 
@@ -29,10 +29,11 @@ /*@{*/ /** Defines */ -/** How long till we give up detecting the interface with the default route */ +/** How many times should we try detecting the interface with the default route + * (in seconds) */ #define NUM_EXT_INTERFACE_DETECT_RETRY 120 /** How often should we try to detect the interface with the default route - * if it isn't up yet */ + * if it isn't up yet (interval in seconds) */ #define EXT_INTERFACE_DETECT_RETRY_INTERVAL 1 /** Defaults configuration values */ diff --git a/src/firewall.c b/src/firewall.c index d1c1454c..3ecd4ef8 100644 --- a/src/firewall.c +++ b/src/firewall.c @@ -72,7 +72,7 @@ extern pthread_mutex_t client_list_mutex; /* from commandline.c */ extern pid_t restart_orig_pid; -int icmp_fd = 0; + /** * Allow a client access through the firewall by adding a rule in the firewall to MARK the user's packets with the proper @@ -295,9 +295,17 @@ fw_sync_with_authserver(void) case AUTH_ALLOWED: if (p1->fw_connection_state != FW_MARK_KNOWN) { debug(LOG_INFO, "%s - Access has changed to allowed, refreshing firewall and clearing counters", p1->ip); - fw_deny(p1->ip, p1->mac, p1->fw_connection_state); + //WHY did we deny, then allow!?!? benoitg 2007-06-21 + //fw_deny(p1->ip, p1->mac, p1->fw_connection_state); + + if (p1->fw_connection_state != FW_MARK_PROBATION) { + p1->counters.incoming = p1->counters.outgoing = 0; + } + else { + //We don't want to clear counters if the user was in validation, it probably already transmitted data.. + debug(LOG_INFO, "%s - Skipped clearing counters after all, the user was previously in validation", p1->ip); + } p1->fw_connection_state = FW_MARK_KNOWN; - p1->counters.incoming = p1->counters.outgoing = 0; fw_allow(p1->ip, p1->mac, p1->fw_connection_state); } break; 
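Review bot: The new comment on NUM_EXT_INTERFACE_DETECT_RETRY is self-contradictory — it describes "how many times" and then says "(in seconds)"; the value is a count of attempts, and the time between attempts is EXT_INTERFACE_DETECT_RETRY_INTERVAL. It also misses the new meaning that the util.c change in this commit gives the constant, where a value of 0 never stops retrying. Suggest `/** Number of attempts at detecting the interface with the default route; 0 means retry forever (one attempt every EXT_INTERFACE_DETECT_RETRY_INTERVAL seconds) */`.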
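Review bot: Removing the `fw_deny(p1->ip, p1->mac, p1->fw_connection_state)` call in the AUTH_ALLOWED branch likely leaves the client's previous firewall rule in place rather than removing a redundant deny: the FW_ACCESS_DENY path in fw_iptables.c (hunk at -461 in this same commit) deletes the OUTGOING rule by its `--set-mark` tag, so the deny with the old state was what removed the FW_MARK_PROBATION rule before fw_allow() added the FW_MARK_KNOWN one. Unless fw_allow() replaces rules instead of appending them, a client moving from probation to allowed now ends up with both mark rules plus a second INCOMING rule, and when it is later denied with state FW_MARK_KNOWN only the KNOWN rule is deleted, so the leftover probation rule keeps marking its traffic and the client retains validation-period access after logout or timeout. Keep the new counter handling but restore `fw_deny(p1->ip, p1->mac, p1->fw_connection_state);` ahead of the state change, and delete the commented-out line and its "WHY" note instead of leaving dead code. fw_sync_with_authserver() begins and ends outside this hunk.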
@@ -316,7 +324,7 @@ fw_sync_with_authserver(void) break; default: - debug(LOG_DEBUG, "I do not know about authentication code %d", authresponse.authcode); + debug(LOG_ERR, "I do not know about authentication code %d", authresponse.authcode); break; } } diff --git a/src/firewall.h b/src/firewall.h index 70696f9f..5c592406 100644 --- a/src/firewall.h +++ b/src/firewall.h @@ -27,6 +27,8 @@ #ifndef _FIREWALL_H_ #define _FIREWALL_H_ +int icmp_fd; + /** Used by fw_iptables.c */ typedef enum _t_fw_marks { FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated diff --git a/src/fw_iptables.c b/src/fw_iptables.c index c90033b9..3cb2d06e 100644 --- a/src/fw_iptables.c +++ b/src/fw_iptables.c @@ -59,7 +59,8 @@ extern pthread_mutex_t config_mutex; Used to supress the error output of the firewall during destruction */ static int fw_quiet = 0; -/** @internal */ +/** @internal + * */ static int iptables_do_command(char *format, ...) { @@ -218,7 +219,7 @@ iptables_fw_init(void) /* Assign links and rules to these new chains */ iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, gw_interface); - iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface); + iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, gw_interface);//this rule will be inserted before the prior one iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, gw_interface); for (p = config->trustedmaclist; p != NULL; p = p->next) 
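Review bot: `int icmp_fd;` in firewall.h is a tentative definition, not a declaration, so every translation unit that includes the header defines the symbol; this links only because the compilers of the time merge common symbols, and it becomes a multiple-definition link error under `-fno-common` (the GCC default since version 10). Declare it `extern int icmp_fd;` here and keep the `int icmp_fd = 0;` definition that this commit removes from firewall.c. A one-line comment stating which code opens the descriptor and that wdctl_restart()'s child closes it would also make the shared ownership visible.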
@@ -274,22 +275,18 @@ iptables_fw_init(void) /* Insert at the beginning */ iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, gw_interface); - /* TCPMSS rule for PPPoE */ + iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP"); /* XXX: Why this? it means that connections setup after authentication stay open even after the connection is done... iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/ - - if (ext_interface != NULL) { - iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW,INVALID -j DROP", ext_interface); - iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface); - } else { - /* Will this work even if we don't specify an external interface? */ - iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state NEW,INVALID -j DROP"); - iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"); - } + //Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23 + //iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface); + + /* TCPMSS rule for PPPoE */ + iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS); iptables_fw_set_authservers(); 
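Review bot: The `if (ext_interface != NULL)` guard is removed, yet the TCPMSS rule still passes `ext_interface` to `%s` via `iptables_do_command`; if the external interface is unset or undetected at this point that is undefined behaviour (glibc prints "(null)" and iptables then rejects the rule, so the clamp silently never applies), so either keep the NULL check around that rule or fail loudly before building the chain. The reasoning that an `-i ext_interface` rule can never match inside a chain entered from FORWARD with `-i gw_interface` is sound, but it belongs in a real comment, e.g. `/* No -i ext_interface rule here: this chain is only entered with -i gw_interface, so it would never match. */`, with the commented-out iptables_do_command() line deleted. iptables_fw_init() begins and ends outside this hunk.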
@@ -461,7 +458,7 @@ iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag) break; case FW_ACCESS_DENY: iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag); - rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip); + rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j DROP", ip); break; default: rc = -1; diff --git a/src/util.c b/src/util.c index 74133b58..848d7d36 100644 --- a/src/util.c +++ b/src/util.c @@ -173,6 +173,7 @@ char *get_iface_ip(char *ifname) { in.s_addr = ip; ip_str = (char *)inet_ntoa(in); + close(sockd); return safe_strdup(ip_str); #else return safe_strdup("0.0.0.0"); @@ -222,13 +223,14 @@ char *get_ext_iface (void) { FILE *input; char *device, *gw; int i; + int keep_detecting = 1; pthread_cond_t cond = PTHREAD_COND_INITIALIZER; pthread_mutex_t cond_mutex = PTHREAD_MUTEX_INITIALIZER; struct timespec timeout; device = (char *)malloc(16); gw = (char *)malloc(16); debug(LOG_DEBUG, "get_ext_iface(): Autodectecting the external interface from routing table"); - for (i=1; i<=NUM_EXT_INTERFACE_DETECT_RETRY; i++) { + while(keep_detecting) { input = fopen("/proc/net/route", "r"); while (!feof(input)) { fscanf(input, "%s %s %*s %*s %*s %*s %*s %*s %*s %*s %*s\n", device, gw); @@ -249,6 +251,10 @@ char *get_ext_iface (void) { pthread_cond_timedwait(&cond, &cond_mutex, &timeout); /* No longer needs to be locked */ pthread_mutex_unlock(&cond_mutex); + //for (i=1; i<=NUM_EXT_INTERFACE_DETECT_RETRY; i++) { + if (NUM_EXT_INTERFACE_DETECT_RETRY != 0 && i>=NUM_EXT_INTERFACE_DETECT_RETRY) { + keep_detecting = 0; + } } debug(LOG_ERR, "get_ext_iface(): Failed to detect the external interface after %d tries, aborting", NUM_EXT_INTERFACE_DETECT_RETRY); exit(1); diff --git a/src/wdctl_thread.c b/src/wdctl_thread.c index 2d9645cf..8c7d7f44 100644 --- a/src/wdctl_thread.c +++ b/src/wdctl_thread.c 
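Review bot: The FW_ACCESS_DENY case still discards the result of the first command, the `-D ... -j MARK --set-mark %d` deletion that actually revokes the client's access, and returns only the INCOMING deletion's rc; assuming iptables_do_command() returns the iptables exit status, a failed revocation is reported as success and the client silently keeps access. Suggest `rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " ...", ip, mac, tag);` followed by `if (rc == 0) rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j DROP", ip);`. Note also that changing the target to `-j DROP` only touches the deletion side; the matching insertion in the FW_ACCESS_ALLOW case is above this hunk and must add the same target, otherwise `-D` never matches and the INCOMING rules are orphaned. iptables_fw_access() begins outside this hunk.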
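Review bot: The new termination test `i>=NUM_EXT_INTERFACE_DETECT_RETRY` reads `i`, but nothing visible increments it any more: the `for (i=1; ...; i++)` header that advanced it was replaced by `while(keep_detecting)` in the previous hunk and `int i;` is left uninitialised, so unless the unseen part of the loop body bumps it this is undefined behaviour that in practice either gives up after the first failed attempt or never gives up, independent of the configured value. Initialise with `int i = 0;` and add `i++;` right after the `pthread_mutex_unlock(&cond_mutex);` so the count matches the "after %d tries" message. With NUM_EXT_INTERFACE_DETECT_RETRY still 120 in conf.h the default is not "retry forever" as the changelog states — only a value of 0 gives that — so either change the default or reword the entry. get_ext_iface() begins in the previous hunk and its body between the two hunks is not shown.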
@@ -70,13 +70,12 @@ static void wdctl_restart(int); void thread_wdctl(void *arg) { - int sock, - fd; + int fd; char *sock_name; struct sockaddr_un sa_un; int result; pthread_t tid; - socklen_t len; + socklen_t len; debug(LOG_DEBUG, "Starting wdctl."); @@ -92,9 +91,9 @@ thread_wdctl(void *arg) debug(LOG_DEBUG, "Creating socket"); - sock = socket(PF_UNIX, SOCK_STREAM, 0); + wdctl_socket_server = socket(PF_UNIX, SOCK_STREAM, 0); - debug(LOG_DEBUG, "Got server socket %d", sock); + debug(LOG_DEBUG, "Got server socket %d", wdctl_socket_server); /* If it exists, delete... Not the cleanest way to deal. */ unlink(sock_name); @@ -108,14 +107,14 @@ thread_wdctl(void *arg) strlen(sock_name)); /* Which to use, AF_UNIX, PF_UNIX, AF_LOCAL, PF_LOCAL? */ - if (bind(sock, (struct sockaddr *)&sa_un, strlen(sock_name) + if (bind(wdctl_socket_server, (struct sockaddr *)&sa_un, strlen(sock_name) + sizeof(sa_un.sun_family))) { debug(LOG_ERR, "Could not bind control socket: %s", strerror(errno)); pthread_exit(NULL); } - if (listen(sock, 5)) { + if (listen(wdctl_socket_server, 5)) { debug(LOG_ERR, "Could not listen on control socket: %s", strerror(errno)); pthread_exit(NULL); @@ -124,7 +123,7 @@ thread_wdctl(void *arg) while (1) { len = sizeof(sa_un); memset(&sa_un, 0, len); - if ((fd = accept(sock, (struct sockaddr *)&sa_un, &len)) == -1){ + if ((fd = accept(wdctl_socket_server, (struct sockaddr *)&sa_un, &len)) == -1){ debug(LOG_ERR, "Accept failed on control socket: %s", strerror(errno)); } else { @@ -342,6 +341,8 @@ wdctl_restart(int afd) } else { /* Child */ + close(wdctl_socket_server); + close(icmp_fd); close(sock); shutdown(afd, 2); close(afd); diff --git a/src/wdctl_thread.h b/src/wdctl_thread.h index eca5f551..0956bf96 100644 --- a/src/wdctl_thread.h +++ b/src/wdctl_thread.h @@ -29,6 +29,8 @@ #define DEFAULT_WDCTL_SOCK "/tmp/wdctl.sock" +int wdctl_socket_server; + /** @brief Listen for WiFiDog control messages on a unix domain socket */ void thread_wdctl(void *arg);
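Review bot: The child now closes two more descriptors by hand before the re-exec, but anything else open at fork time — the HTTP listener, accepted client connections, any auth-server socket — is still inherited by the restarted gateway, and this list has to grow every time a descriptor is added somewhere else. Unless one of those descriptors is deliberately handed to the new process, it is more robust to mark them close-on-exec where they are created or to close everything above stderr here, e.g. `for (int i = 3; i < sysconf(_SC_OPEN_MAX); i++) close(i);` in place of the growing explicit list. wdctl_restart() begins and ends outside this hunk.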
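Review bot: `int wdctl_socket_server;` in wdctl_thread.h has the same problem as the new `int icmp_fd;` in firewall.h — placed in a header it is a tentative definition repeated in every including translation unit, which only links thanks to common-symbol merging and breaks under `-fno-common`. Declare `extern int wdctl_socket_server;` here and add a single `int wdctl_socket_server = -1;` definition in wdctl_thread.c (the thread assigns it via `wdctl_socket_server = socket(PF_UNIX, SOCK_STREAM, 0);`); a short comment that it is the listening control socket closed by wdctl_restart()'s child would document why it is shared at all.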