* src/fw_iptables.c: Add the global ruleset to the nat table to fix #65

. Add the table parameter to iptables_load_ruleset() and iptables_compile * libhttpd/protocol.c: Fix pointer type mismatch * src/conf.c,h: Remove deprecated option AuthServMaxTries (which was already ignored anyway.
wifidog · Feb 1, 2006 · e9a3ec1 · e9a3ec1
1 parent 92f8591
commit e9a3ec1
Show file tree

Hide file tree

Showing 17 changed files with 66 additions and 76 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,12 @@
 # $Id$
+2006-01-31 Benoit Gr�goire  <[email protected]>
+	* src/fw_iptables.c:  Add the global ruleset to the nat table to fix #65.
+	Add the table parameter to iptables_load_ruleset() and iptables_compile
+	* libhttpd/protocol.c:  Fix pointer type mismatch
+    * src/conf.c,h:  Remove deprecated option AuthServMaxTries (which was already ignored anyway.	
+
 2006-01-23 Benoit Gr�goire  <[email protected]>
-	src/conf.h:  Fix the value of DEFAULT_AUTHSERVPATH and completely wrong code comment.  Not the default indicated in the config file and the define are in sync.
+	* src/conf.h:  Fix the value of DEFAULT_AUTHSERVPATH and completely wrong code comment.  Not the default indicated in the config file and the define are in sync.
 
 2006-01-17 Mina Naguib <[email protected]>
 	* Ingisgnificant cleanup  of CVS artifacts after svn migration

diff --git a/Makefile.am b/Makefile.am
@@ -38,7 +38,7 @@ rpm: dist
 	cp ${builddir}wifidog-@[email protected] /usr/src/RPM/SOURCES
 	rpmbuild -ta ${builddir}wifidog-@[email protected]
 
-clean-local:
-	echo "clean-local: " && pwd
-	rm -f /usr/src/RPM/SPECS/wifidog.spec
-	rm -f /usr/src/RPM/SOURCES/wifidog-@[email protected]
+#clean-local:
+#	echo "clean-local: " && pwd
+#	rm -f /usr/src/RPM/SPECS/wifidog.spec
+#	rm -f /usr/src/RPM/SOURCES/wifidog-@[email protected]
diff --git a/README b/README
@@ -7,14 +7,10 @@ solution for wireless community groups or individuals who wish to open a
 free HotSpot while still preventing abuse of their Internet connection.
 
 The project's homepage is:
-	http://www.ilesansfil.org/wiki/WiFiDog
-
-SourceForge project page:
-	http://sourceforge.net/projects/wifidog/
+	http://dev.wifidog.org/
 
 Mailing list interface:
 	http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
 
-
 The project's software is released under the GPL license and is copyright it's respective owners.
 
diff --git a/configure.in b/configure.in
@@ -20,7 +20,7 @@ AC_SUBST(BUILDROOT)
 
 WIFIDOG_MAJOR_VERSION=1
 WIFIDOG_MINOR_VERSION=1
-WIFIDOG_MICRO_VERSION=3_beta1
+WIFIDOG_MICRO_VERSION=3_pre1
 WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION
 
 AC_SUBST(WIFIDOG_MAJOR_VERSION)

diff --git a/libhttpd/protocol.c b/libhttpd/protocol.c
@@ -220,7 +220,7 @@ int _httpd_decode (bufcoded, bufplain, outbufsize)
 
 	int nbytesdecoded, j;
 	register char *bufin = bufcoded;
-	register unsigned char *bufout = bufplain;
+	register char *bufout = bufplain;
 	register int nprbytes;
 
 	/*
@@ -255,9 +255,9 @@ int _httpd_decode (bufcoded, bufplain, outbufsize)
 
 	while (nprbytes > 0) 
 	{
-		*(bufout++)=(unsigned char)(DEC(*bufin)<<2|DEC(bufin[1])>>4);
-		*(bufout++)=(unsigned char)(DEC(bufin[1])<<4|DEC(bufin[2])>>2);
-		*(bufout++)=(unsigned char)(DEC(bufin[2])<<6|DEC(bufin[3]));
+		*(bufout++)=(DEC(*bufin)<<2|DEC(bufin[1])>>4);
+		*(bufout++)=(DEC(bufin[1])<<4|DEC(bufin[2])>>2);
+		*(bufout++)=(DEC(bufin[2])<<6|DEC(bufin[3]));
 		bufin += 4;
 		nprbytes -= 4;
 	}

diff --git a/src/auth.c b/src/auth.c
@@ -82,7 +82,7 @@ thread_client_timeout_check(void *arg)
 
 		debug(LOG_DEBUG, "Running fw_counter()");
 
-		fw_counter();
+		fw_sync_with_authserver();
 	}
 }
 

diff --git a/src/centralserver.c b/src/centralserver.c
@@ -332,5 +332,3 @@ int _connect_auth_server(int level) {
 		}
 	}
 }
-
-/* config->authserv_maxtries */
diff --git a/src/commandline.c b/src/commandline.c
@@ -47,7 +47,7 @@ static void usage(void);
  * A flag to denote whether we were restarted via a parent wifidog, or started normally
  * 0 means normally, otherwise it will be populated by the PID of the parent
  */
-pid_t restarted = 0;
+pid_t restart_orig_pid = 0;
 
 /** @internal
  * @brief Print usage
@@ -133,7 +133,7 @@ void parse_commandline(int argc, char **argv) {
 			case 'x':
 				skiponrestart = 1;
 				if (optarg) {
-					restarted = atoi(optarg);
+					restart_orig_pid = atoi(optarg);
 				}
 				else {
 					printf("The expected PID to the -x switch was not supplied!");

diff --git a/src/conf.c b/src/conf.c
@@ -76,7 +76,6 @@ typedef enum {
 	oAuthServSSLPort,
 	oAuthServHTTPPort,
 	oAuthServPath,
-	oAuthServMaxTries,
 	oHTTPDMaxConn,
 	oHTTPDName,
 	oClientTimeout,
@@ -103,7 +102,6 @@ static const struct {
 	{ "gatewayaddress",     oGatewayAddress },
 	{ "gatewayport",        oGatewayPort },
 	{ "authserver",         oAuthServer },
-	{ "authservmaxtries",   oAuthServMaxTries },
 	{ "httpdmaxconn",       oHTTPDMaxConn },
 	{ "httpdname",          oHTTPDName },
 	{ "clienttimeout",      oClientTimeout },
@@ -146,7 +144,6 @@ config_init(void)
 	config.gw_address = NULL;
 	config.gw_port = DEFAULT_GATEWAYPORT;
 	config.auth_servers = NULL;
-	config.authserv_maxtries = DEFAULT_AUTHSERVMAXTRIES;
 	config.httpdname = NULL;
 	config.clienttimeout = DEFAULT_CLIENTTIMEOUT;
 	config.checkinterval = DEFAULT_CHECKINTERVAL;
@@ -389,7 +386,7 @@ parse_firewall_ruleset(char *ruleset, FILE *file, char *filename, int *linenum)
 
 			switch (opcode) {
 				case oFirewallRule:
-					parse_firewall_rule(ruleset, p2);
+					_parse_firewall_rule(ruleset, p2);
 					break;
 
 				case oBadOption:
@@ -412,8 +409,11 @@ parse_firewall_ruleset(char *ruleset, FILE *file, char *filename, int *linenum)
 	debug(LOG_DEBUG, "Firewall Rule Set %s added.", ruleset);
 }
 
+/** @internal
+Helper for parse_firewall_ruleset.  Parses a single rule in a ruleset
+*/
 static int
-parse_firewall_rule(char *ruleset, char *leftover)
+_parse_firewall_rule(char *ruleset, char *leftover)
 {
 	int i;
 	int block_allow = 0; /**< 0 == block, 1 == allow */
@@ -651,9 +651,6 @@ config_read(char *filename)
 				case oHTTPDMaxConn:
 					sscanf(p1, "%d", &config.httpdmaxconn);
 					break;
-				case oAuthServMaxTries:
-					sscanf(p1, "%d", &config.authserv_maxtries);
-					break;
 				case oBadOption:
 					debug(LOG_ERR, "Bad option on line %d "
 							"in %s.", linenum,

diff --git a/src/conf.h b/src/conf.h
@@ -48,7 +48,6 @@
 #define DEFAULT_AUTHSERVSSLAVAILABLE 0
 /** Note:  The path must be prefixed by /, and must be suffixed /.  Put / for the server root.*/
 #define DEFAULT_AUTHSERVPATH "/wifidog/"
-#define DEFAULT_AUTHSERVMAXTRIES 1
 /*@}*/ 
 
 /**
@@ -112,8 +111,6 @@ typedef struct {
 				     server */
     int gw_port;		/**< @brief Port the webserver will run on */
 
-    int authserv_maxtries;	/**< @brief Maximum number of auth server
-				     connection attempts before abandoning */
     t_auth_serv	*auth_servers;	/**< @brief Auth servers list */
     char *httpdname;		/**< @brief Name the web server will return when
 				     replying to a request */
@@ -157,7 +154,7 @@ t_firewall_rule *get_ruleset(char *);
 static void config_notnull(void *parm, char *parmname);
 static int parse_boolean_value(char *);
 static void parse_auth_server(FILE *, char *, int *);
-static int parse_firewall_rule(char *ruleset, char *leftover);
+static int _parse_firewall_rule(char *ruleset, char *leftover);
 static void parse_firewall_ruleset(char *, FILE *, char *, int *);
 void parse_trusted_mac_list(char *);
 

diff --git a/src/firewall.c b/src/firewall.c
@@ -69,7 +69,7 @@
 extern pthread_mutex_t client_list_mutex;
 
 /* from commandline.c */
-extern pid_t restarted;
+extern pid_t restart_orig_pid;
 
 int icmp_fd = 0;
 
@@ -161,7 +161,7 @@ fw_init(void)
     debug(LOG_INFO, "Initializing Firewall");
     result = iptables_fw_init();
 
-	 if (restarted) {
+	 if (restart_orig_pid) {
 		 debug(LOG_INFO, "Restoring firewall rules for clients inherited from parent");
 		 LOCK_CLIENT_LIST();
 		 client = client_get_first_client();
@@ -175,7 +175,7 @@ fw_init(void)
 	 return result;
 }
 
-/** Clear the authserver rules
+/** Remove all auth server firewall whitelist rules
  */
 void
 fw_clear_authservers(void)
@@ -184,7 +184,7 @@ fw_clear_authservers(void)
 	iptables_fw_clear_authservers();
 }
 
-/** Set the authservers rules
+/** Add the necessary firewall rules to whitelist the authservers
  */
 void
 fw_set_authservers(void)
@@ -213,7 +213,7 @@ fw_destroy(void)
  * @todo Make this function smaller and use sub-fonctions
  */
 void
-fw_counter(void)
+fw_sync_with_authserver(void)
 {
     t_authresponse  authresponse;
     char            *token, *ip, *mac;

diff --git a/src/firewall.h b/src/firewall.h
@@ -54,7 +54,7 @@ int fw_allow(char *ip, char *mac, int profile);
 int fw_deny(char *ip, char *mac, int profile);
 
 /** @brief Refreshes the entire client list */
-void fw_counter(void);
+void fw_sync_with_authserver(void);
 
 /** @brief Get an IP's MAC address from the ARP cache.*/
 char *arp_get(char *req_ip);

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
@@ -49,8 +49,8 @@
 #include "client_list.h"
 
 static int iptables_do_command(char *format, ...);
-static char *iptables_compile(char *, t_firewall_rule *);
-static void iptables_load_ruleset(char *, char *);
+static char *iptables_compile(char *, char *, t_firewall_rule *);
+static void iptables_load_ruleset(char *, char *, char *);
 
 extern pthread_mutex_t	client_list_mutex;
 extern pthread_mutex_t	config_mutex;
@@ -89,11 +89,12 @@ iptables_do_command(char *format, ...)
  * @internal
  * Compiles a struct definition of a firewall rule into a valid iptables
  * command.
+ * @arg table Table containing the chain.
  * @arg chain Chain that the command will be (-A)ppended to.
  * @arg rule Definition of a rule into a struct, from conf.c.
  */
 static char *
-iptables_compile(char *chain, t_firewall_rule *rule)
+iptables_compile(char * table, char *chain, t_firewall_rule *rule)
 {
     char	command[MAX_BUF],
     		*mode;
@@ -106,7 +107,7 @@ iptables_compile(char *chain, t_firewall_rule *rule)
         mode = safe_strdup("REJECT");
     }
 
-    snprintf(command, sizeof(command),  "-t filter -A %s ", chain);
+    snprintf(command, sizeof(command),  "-t %s -A %s ",table, chain);
     if (rule->mask != NULL) {
         snprintf((command + strlen(command)), (sizeof(command) - 
                 strlen(command)), "-d %s ", rule->mask);
@@ -133,24 +134,25 @@ iptables_compile(char *chain, t_firewall_rule *rule)
  * @internal
  * Load all the rules in a rule set.
  * @arg ruleset Name of the ruleset
+ * @arg table Table containing the chain.
  * @arg chain IPTables chain the rules go into
  */
 static void
-iptables_load_ruleset(char *ruleset, char *chain)
+iptables_load_ruleset(char * table, char *ruleset, char *chain)
 {
-	t_firewall_rule		*rules;
+	t_firewall_rule		*rule;
 	char			*cmd;
 
-	debug(LOG_DEBUG, "Load ruleset %s into chain %s", ruleset, chain);
+	debug(LOG_DEBUG, "Load ruleset %s into table %s, chain %s", ruleset, table, chain);
 
-	for (rules = get_ruleset(ruleset); rules != NULL; rules = rules->next) {
-		cmd = iptables_compile(chain, rules);
-		debug(LOG_DEBUG, "Loading rule \"%s\" into %s", cmd, chain);
+	for (rule = get_ruleset(ruleset); rule != NULL; rule = rule->next) {
+		cmd = iptables_compile(table, chain, rule);
+		debug(LOG_DEBUG, "Loading rule \"%s\" into table %s, chain %s", cmd, table, chain);
 		iptables_do_command(cmd);
 		free(cmd);
 	}
 
-	debug(LOG_DEBUG, "Ruleset %s loaded into %s", ruleset, chain);
+	debug(LOG_DEBUG, "Ruleset %s loaded into table %s, chain %s", ruleset, table, chain);
 }
 
 void
@@ -226,6 +228,7 @@ iptables_fw_init(void)
 			iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
 			iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
 			iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
+			iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
 			iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
 			iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
 
@@ -241,6 +244,7 @@ iptables_fw_init(void)
 			iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
 
 			iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
+			iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
 			iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
 
@@ -265,19 +269,20 @@ iptables_fw_init(void)
 			iptables_fw_set_authservers();
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
-			iptables_load_ruleset("locked-users", TABLE_WIFIDOG_LOCKED);
+			iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
-			iptables_load_ruleset("global", TABLE_WIFIDOG_GLOBAL);
+			iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
+			iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
-			iptables_load_ruleset("validating-users", TABLE_WIFIDOG_VALIDATE);
+			iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
-			iptables_load_ruleset("known-users", TABLE_WIFIDOG_KNOWN);
+			iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
 
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
-			iptables_load_ruleset("unknown-users", TABLE_WIFIDOG_UNKNOWN);
+			iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
 			iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
 
 	free(gw_interface);

diff --git a/src/gateway.c b/src/gateway.c
@@ -72,7 +72,7 @@ httpd * webserver = NULL;
 
 /* from commandline.c */
 extern char ** restartargv;
-extern pid_t restarted;
+extern pid_t restart_orig_pid;
 t_client *firstclient;
 
 /* from client_list.c */
@@ -94,7 +94,7 @@ void append_x_restartargv(void) {
 }
 
 /* @internal
- * @brief Connects to the parent via the internal socket
+ * @brief During gateway restart, connects to the parent process via the internal socket
  * Downloads from it the active client list
  */
 void get_clients_from_parent(void) {
@@ -507,7 +507,7 @@ int main(int argc, char **argv) {
 	/* Init the signals to catch chld/quit/etc */
 	init_signals();
 
-	if (restarted) {
+	if (restart_orig_pid) {
 		/*
 		 * We were restarted and our parent is waiting for us to talk to it over the socket
 		 */
@@ -516,8 +516,8 @@ int main(int argc, char **argv) {
 		/*
 		 * At this point the parent will start destroying itself and the firewall. Let it finish it's job before we continue
 		 */
-		while (kill(restarted, 0) != -1) {
-			debug(LOG_INFO, "Waiting for parent PID %d to die before continuing loading", restarted);
+		while (kill(restart_orig_pid, 0) != -1) {
+			debug(LOG_INFO, "Waiting for parent PID %d to die before continuing loading", restart_orig_pid);
 			sleep(1);
 		}
 

diff --git a/src/http.c b/src/http.c
@@ -51,6 +51,7 @@
 
 extern pthread_mutex_t	client_list_mutex;
 
+/** The 404 handler is also responsable for redirecting to the auth server */
 void
 http_callback_404(httpd *webserver, request *r)
 {
-Original file line number
+Diff line change
@@ Expand Up / @@ -82,7 +82,7 @@ thread_client_timeout_check(void *arg) @@
     		debug(LOG_DEBUG, "Running fw_counter()");
-    		fw_counter();
+    		fw_sync_with_authserver();
     	}
     }
@@ Expand Down @@