diff --git a/ChangeLog b/ChangeLog index 40768a06..14661406 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,12 @@ # $Id$ +2006-01-31 Benoit Grégoire + * src/fw_iptables.c: Add the global ruleset to the nat table to fix #65. + Add the table parameter to iptables_load_ruleset() and iptables_compile + * libhttpd/protocol.c: Fix pointer type mismatch + * src/conf.c,h: Remove deprecated option AuthServMaxTries (which was already ignored anyway. + 2006-01-23 Benoit Grégoire - src/conf.h: Fix the value of DEFAULT_AUTHSERVPATH and completely wrong code comment. Not the default indicated in the config file and the define are in sync. + * src/conf.h: Fix the value of DEFAULT_AUTHSERVPATH and completely wrong code comment. Not the default indicated in the config file and the define are in sync. 2006-01-17 Mina Naguib * Ingisgnificant cleanup of CVS artifacts after svn migration diff --git a/Makefile.am b/Makefile.am index f7c00be1..e42bc5dc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -38,7 +38,7 @@ rpm: dist cp ${builddir}wifidog-@VERSION@.tar.gz /usr/src/RPM/SOURCES rpmbuild -ta ${builddir}wifidog-@VERSION@.tar.gz -clean-local: - echo "clean-local: " && pwd - rm -f /usr/src/RPM/SPECS/wifidog.spec - rm -f /usr/src/RPM/SOURCES/wifidog-@VERSION@.tar.gz +#clean-local: +# echo "clean-local: " && pwd +# rm -f /usr/src/RPM/SPECS/wifidog.spec +# rm -f /usr/src/RPM/SOURCES/wifidog-@VERSION@.tar.gz diff --git a/README b/README index a9e7c446..15c6bc87 100644 --- a/README +++ b/README 
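Review bot: The clean-local target in Makefile.am is commented out rather than deleted, leaving four lines of dead recipe text that automake will never run; remove them outright, and if the RPM cleanup is still wanted keep it as a real target. Commented-out build rules tend to be resurrected blindly later, and these ones `rm -f` files under /usr/src/RPM, so the intent is better recorded in the ChangeLog than kept as latent recipe lines.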
@@ -7,14 +7,10 @@ solution for wireless community groups or individuals who wish to open a free HotSpot while still preventing abuse of their Internet connection. The project's homepage is: - http://www.ilesansfil.org/wiki/WiFiDog - -SourceForge project page: - http://sourceforge.net/projects/wifidog/ + http://dev.wifidog.org/ Mailing list interface: http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog - The project's software is released under the GPL license and is copyright it's respective owners. diff --git a/configure.in b/configure.in index f9022f34..17d602d7 100644 --- a/configure.in +++ b/configure.in @@ -20,7 +20,7 @@ AC_SUBST(BUILDROOT) WIFIDOG_MAJOR_VERSION=1 WIFIDOG_MINOR_VERSION=1 -WIFIDOG_MICRO_VERSION=3_beta1 +WIFIDOG_MICRO_VERSION=3_pre1 WIFIDOG_VERSION=$WIFIDOG_MAJOR_VERSION.$WIFIDOG_MINOR_VERSION.$WIFIDOG_MICRO_VERSION AC_SUBST(WIFIDOG_MAJOR_VERSION) diff --git a/libhttpd/protocol.c b/libhttpd/protocol.c index 9420a2da..4ae069ef 100644 --- a/libhttpd/protocol.c +++ b/libhttpd/protocol.c @@ -220,7 +220,7 @@ int _httpd_decode (bufcoded, bufplain, outbufsize) int nbytesdecoded, j; register char *bufin = bufcoded; - register unsigned char *bufout = bufplain; + register char *bufout = bufplain; register int nprbytes; /* @@ -255,9 +255,9 @@ int _httpd_decode (bufcoded, bufplain, outbufsize) while (nprbytes > 0) { - *(bufout++)=(unsigned char)(DEC(*bufin)<<2|DEC(bufin[1])>>4); - *(bufout++)=(unsigned char)(DEC(bufin[1])<<4|DEC(bufin[2])>>2); - *(bufout++)=(unsigned char)(DEC(bufin[2])<<6|DEC(bufin[3])); + *(bufout++)=(DEC(*bufin)<<2|DEC(bufin[1])>>4); + *(bufout++)=(DEC(bufin[1])<<4|DEC(bufin[2])>>2); + *(bufout++)=(DEC(bufin[2])<<6|DEC(bufin[3])); bufin += 4; nprbytes -= 4; } diff --git a/src/auth.c b/src/auth.c index 1e84cf72..d8a8ef0b 100644 --- a/src/auth.c +++ b/src/auth.c @@ -82,7 +82,7 @@ thread_client_timeout_check(void *arg) debug(LOG_DEBUG, "Running fw_counter()"); - fw_counter(); + fw_sync_with_authserver(); } } 
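Review bot: Dropping the `unsigned` qualifier on bufout here (and the `(unsigned char)` casts in the @@ -255 hunk) fixes the pointer-type mismatch from the wrong side: the decoder produces raw bytes, and storing a value of 128 or more into a plain `char` is an implementation-defined conversion on platforms where char is signed, which is exactly what the casts were guarding. Keep the output pointer unsigned and convert once at the declaration, `register unsigned char *bufout = (unsigned char *)bufplain;`, and leave the three stores as they were. Separately, nothing in the visible loop compares the bytes written against `outbufsize`; if the bound is enforced before the loop (outside the hunk) that is fine, otherwise a bufplain shorter than 3*nprbytes/4 bytes is written past its end — worth confirming. _httpd_decode's body continues outside both hunks.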
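Review bot: The debug line just above the renamed call still reads `debug(LOG_DEBUG, "Running fw_counter()");`, so the log now names a function that no longer exists; change it to `debug(LOG_DEBUG, "Running fw_sync_with_authserver()");` so the message matches what thread_client_timeout_check actually calls. The function body continues outside the hunk.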
diff --git a/src/centralserver.c b/src/centralserver.c index f50d80c3..26526435 100644 --- a/src/centralserver.c +++ b/src/centralserver.c @@ -332,5 +332,3 @@ int _connect_auth_server(int level) { } } } - -/* config->authserv_maxtries */ diff --git a/src/commandline.c b/src/commandline.c index 422ead47..c45ee8e8 100644 --- a/src/commandline.c +++ b/src/commandline.c @@ -47,7 +47,7 @@ static void usage(void); * A flag to denote whether we were restarted via a parent wifidog, or started normally * 0 means normally, otherwise it will be populated by the PID of the parent */ -pid_t restarted = 0; +pid_t restart_orig_pid = 0; /** @internal * @brief Print usage @@ -133,7 +133,7 @@ void parse_commandline(int argc, char **argv) { case 'x': skiponrestart = 1; if (optarg) { - restarted = atoi(optarg); + restart_orig_pid = atoi(optarg); } else { printf("The expected PID to the -x switch was not supplied!"); diff --git a/src/conf.c b/src/conf.c index 6cdf4f4a..b2cfc41e 100644 --- a/src/conf.c +++ b/src/conf.c @@ -76,7 +76,6 @@ typedef enum { oAuthServSSLPort, oAuthServHTTPPort, oAuthServPath, - oAuthServMaxTries, oHTTPDMaxConn, oHTTPDName, oClientTimeout, @@ -103,7 +102,6 @@ static const struct { { "gatewayaddress", oGatewayAddress }, { "gatewayport", oGatewayPort }, { "authserver", oAuthServer }, - { "authservmaxtries", oAuthServMaxTries }, { "httpdmaxconn", oHTTPDMaxConn }, { "httpdname", oHTTPDName }, { "clienttimeout", oClientTimeout }, @@ -146,7 +144,6 @@ config_init(void) config.gw_address = NULL; config.gw_port = DEFAULT_GATEWAYPORT; config.auth_servers = NULL; - config.authserv_maxtries = DEFAULT_AUTHSERVMAXTRIES; config.httpdname = NULL; config.clienttimeout = DEFAULT_CLIENTTIMEOUT; config.checkinterval = DEFAULT_CHECKINTERVAL; @@ -389,7 +386,7 @@ parse_firewall_ruleset(char *ruleset, FILE *file, char *filename, int *linenum) switch (opcode) { case oFirewallRule: - parse_firewall_rule(ruleset, p2); + _parse_firewall_rule(ruleset, p2); break; case oBadOption: 
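Review bot: `restart_orig_pid = atoi(optarg);` accepts any string: a non-numeric or empty value silently becomes 0, which the rest of the code reads as "not restarted" (the `if (restart_orig_pid)` checks in firewall.c and gateway.c), and a negative value is later handed to `kill(restart_orig_pid, 0)` in gateway.c, where a negative pid addresses a process group rather than the parent. Parse it with strtol and reject anything that is not a positive integer, e.g. `char *end; long v = strtol(optarg, &end, 10);` followed by `if (end == optarg || *end != '\0' || v <= 0) { /* same handling as the missing-argument branch */ } else { restart_orig_pid = (pid_t)v; }`. The message in the existing else branch, `printf("The expected PID to the -x switch was not supplied!");`, also lacks a trailing newline and goes to stdout rather than stderr. parse_commandline continues outside the hunk.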
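Review bot: Removing `authservmaxtries` from the keyword table (together with oAuthServMaxTries from the enum here and from config_read's switch in the @@ -651 hunk of the next chunk) means an existing wifidog.conf that still carries an `AuthServMaxTries` line now lands in `case oBadOption:`, and if that case aborts the load — its body is cut by the hunk — a gateway that started fine before this change refuses to start after upgrading. Since the option was already ignored, a gentler path is to keep the keyword mapped to its opcode for one release and only warn, e.g. `case oAuthServMaxTries: debug(LOG_WARNING, "AuthServMaxTries is deprecated and ignored (line %d in %s)", linenum, filename); break;`, then drop it once the sample config has shipped without it. config_read and the enum/table definitions continue outside these hunks.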
@@ -412,8 +409,11 @@ parse_firewall_ruleset(char *ruleset, FILE *file, char *filename, int *linenum) debug(LOG_DEBUG, "Firewall Rule Set %s added.", ruleset); } +/** @internal +Helper for parse_firewall_ruleset. Parses a single rule in a ruleset +*/ static int -parse_firewall_rule(char *ruleset, char *leftover) +_parse_firewall_rule(char *ruleset, char *leftover) { int i; int block_allow = 0; /**< 0 == block, 1 == allow */ @@ -651,9 +651,6 @@ config_read(char *filename) case oHTTPDMaxConn: sscanf(p1, "%d", &config.httpdmaxconn); break; - case oAuthServMaxTries: - sscanf(p1, "%d", &config.authserv_maxtries); - break; case oBadOption: debug(LOG_ERR, "Bad option on line %d " "in %s.", linenum, diff --git a/src/conf.h b/src/conf.h index 770defcc..5809697f 100644 --- a/src/conf.h +++ b/src/conf.h @@ -48,7 +48,6 @@ #define DEFAULT_AUTHSERVSSLAVAILABLE 0 /** Note: The path must be prefixed by /, and must be suffixed /. Put / for the server root.*/ #define DEFAULT_AUTHSERVPATH "/wifidog/" -#define DEFAULT_AUTHSERVMAXTRIES 1 /*@}*/ /** @@ -112,8 +111,6 @@ typedef struct { server */ int gw_port; /**< @brief Port the webserver will run on */ - int authserv_maxtries; /**< @brief Maximum number of auth server - connection attempts before abandoning */ t_auth_serv *auth_servers; /**< @brief Auth servers list */ char *httpdname; /**< @brief Name the web server will return when replying to a request */ @@ -157,7 +154,7 @@ t_firewall_rule *get_ruleset(char *); static void config_notnull(void *parm, char *parmname); static int parse_boolean_value(char *); static void parse_auth_server(FILE *, char *, int *); -static int parse_firewall_rule(char *ruleset, char *leftover); +static int _parse_firewall_rule(char *ruleset, char *leftover); static void parse_firewall_ruleset(char *, FILE *, char *, int *); void parse_trusted_mac_list(char *); diff --git a/src/firewall.c b/src/firewall.c index 3b858e0b..8280f4d5 100644 --- a/src/firewall.c +++ b/src/firewall.c 
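Review bot: The new Doxygen block on `_parse_firewall_rule` documents neither parameter nor the return value, and since the function is now named as a private helper this comment is the only place a reader learns what `leftover` is; add `@param ruleset Name of the ruleset the rule is added to`, `@param leftover Remainder of the config line after the FirewallRule keyword (presumably the p2 the caller passes — confirm)`, and an `@return` line describing the status convention, which comes from the body outside the hunk. File-scope identifiers beginning with an underscore are reserved by the C standard (7.1.3), though the project already uses the prefix elsewhere (`_connect_auth_server`, `_httpd_decode`), so this is a convention question rather than a defect; the matching prototype change is in the conf.h @@ -157 hunk.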
@@ -69,7 +69,7 @@ extern pthread_mutex_t client_list_mutex; /* from commandline.c */ -extern pid_t restarted; +extern pid_t restart_orig_pid; int icmp_fd = 0; @@ -161,7 +161,7 @@ fw_init(void) debug(LOG_INFO, "Initializing Firewall"); result = iptables_fw_init(); - if (restarted) { + if (restart_orig_pid) { debug(LOG_INFO, "Restoring firewall rules for clients inherited from parent"); LOCK_CLIENT_LIST(); client = client_get_first_client(); @@ -175,7 +175,7 @@ fw_init(void) return result; } -/** Clear the authserver rules +/** Remove all auth server firewall whitelist rules */ void fw_clear_authservers(void) @@ -184,7 +184,7 @@ fw_clear_authservers(void) iptables_fw_clear_authservers(); } -/** Set the authservers rules +/** Add the necessary firewall rules to whitelist the authservers */ void fw_set_authservers(void) @@ -213,7 +213,7 @@ fw_destroy(void) * @todo Make this function smaller and use sub-fonctions */ void -fw_counter(void) +fw_sync_with_authserver(void) { t_authresponse authresponse; char *token, *ip, *mac; diff --git a/src/firewall.h b/src/firewall.h index c90ca701..70696f9f 100644 --- a/src/firewall.h +++ b/src/firewall.h @@ -54,7 +54,7 @@ int fw_allow(char *ip, char *mac, int profile); int fw_deny(char *ip, char *mac, int profile); /** @brief Refreshes the entire client list */ -void fw_counter(void); +void fw_sync_with_authserver(void); /** @brief Get an IP's MAC address from the ARP cache.*/ char *arp_get(char *req_ip); diff --git a/src/fw_iptables.c b/src/fw_iptables.c index 3384225c..5983c9e0 100644 --- a/src/fw_iptables.c +++ b/src/fw_iptables.c 
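Review bot: The brief on the renamed prototype in firewall.h, `/** @brief Refreshes the entire client list */`, no longer matches the name fw_sync_with_authserver; judging from the locals in its definition (`t_authresponse authresponse; char *token, *ip, *mac;` in the @@ -213 hunk) it consults the auth server per client, so something like `/** @brief Walks the client list, reports each client to the auth server and applies its verdict */` would be closer — verify against the body, which is outside the hunk. The context line `@todo Make this function smaller and use sub-fonctions` above the definition also wants `sub-functions`.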
@@ -49,8 +49,8 @@ #include "client_list.h" static int iptables_do_command(char *format, ...); -static char *iptables_compile(char *, t_firewall_rule *); -static void iptables_load_ruleset(char *, char *); +static char *iptables_compile(char *, char *, t_firewall_rule *); +static void iptables_load_ruleset(char *, char *, char *); extern pthread_mutex_t client_list_mutex; extern pthread_mutex_t config_mutex; @@ -89,11 +89,12 @@ iptables_do_command(char *format, ...) * @internal * Compiles a struct definition of a firewall rule into a valid iptables * command. + * @arg table Table containing the chain. * @arg chain Chain that the command will be (-A)ppended to. * @arg rule Definition of a rule into a struct, from conf.c. */ static char * -iptables_compile(char *chain, t_firewall_rule *rule) +iptables_compile(char * table, char *chain, t_firewall_rule *rule) { char command[MAX_BUF], *mode; @@ -106,7 +107,7 @@ iptables_compile(char *chain, t_firewall_rule *rule) mode = safe_strdup("REJECT"); } - snprintf(command, sizeof(command), "-t filter -A %s ", chain); + snprintf(command, sizeof(command), "-t %s -A %s ",table, chain); if (rule->mask != NULL) { snprintf((command + strlen(command)), (sizeof(command) - strlen(command)), "-d %s ", rule->mask); 
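Review bot: The new table argument reaches the command only through `snprintf(command, sizeof(command), "-t %s -A %s ",table, chain);` and every caller in this diff passes a string literal, so what remains to raise in this hunk is style: the declarator `char * table` here and in iptables_load_ruleset (@@ -133 hunk) should be `char *table` like the neighbouring parameters, and the format call wants a space after the comma. A `const` on the three string parameters would also be appropriate, as nothing in the visible code writes through them — confirm against the rest of iptables_compile, which continues outside the hunk.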
@@ -133,24 +134,25 @@ iptables_compile(char *chain, t_firewall_rule *rule) * @internal * Load all the rules in a rule set. * @arg ruleset Name of the ruleset + * @arg table Table containing the chain. * @arg chain IPTables chain the rules go into */ static void -iptables_load_ruleset(char *ruleset, char *chain) +iptables_load_ruleset(char * table, char *ruleset, char *chain) { - t_firewall_rule *rules; + t_firewall_rule *rule; char *cmd; - debug(LOG_DEBUG, "Load ruleset %s into chain %s", ruleset, chain); + debug(LOG_DEBUG, "Load ruleset %s into table %s, chain %s", ruleset, table, chain); - for (rules = get_ruleset(ruleset); rules != NULL; rules = rules->next) { - cmd = iptables_compile(chain, rules); - debug(LOG_DEBUG, "Loading rule \"%s\" into %s", cmd, chain); + for (rule = get_ruleset(ruleset); rule != NULL; rule = rule->next) { + cmd = iptables_compile(table, chain, rule); + debug(LOG_DEBUG, "Loading rule \"%s\" into table %s, chain %s", cmd, table, chain); iptables_do_command(cmd); free(cmd); } - debug(LOG_DEBUG, "Ruleset %s loaded into %s", ruleset, chain); + debug(LOG_DEBUG, "Ruleset %s loaded into table %s, chain %s", ruleset, table, chain); } void @@ -226,6 +228,7 @@ iptables_fw_init(void) iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); + iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS); 
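Review bot: `iptables_do_command(cmd);` in iptables_load_ruleset hands the compiled rule to a function declared as `iptables_do_command(char *format, ...)` (@@ -49 hunk), so the command text is interpreted as a printf-style format; any `%` that reaches it from a rule's mask, protocol or port field in the config would be treated as a conversion directive with no argument to consume. Pass it as data instead, `iptables_do_command("%s", cmd);`, which is what CERT FIO30-C asks for. The doc comment above the function also lists the arguments as ruleset, table, chain while the new signature is `(char * table, char *ruleset, char *chain)`; reorder the `@arg` lines to match, or better give iptables_load_ruleset the same `(table, chain, …)` order as iptables_compile so the two stay parallel.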
@@ -241,6 +244,7 @@ iptables_fw_init(void) iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS); + iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port); @@ -265,19 +269,20 @@ iptables_fw_init(void) iptables_fw_set_authservers(); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED); - iptables_load_ruleset("locked-users", TABLE_WIFIDOG_LOCKED); + iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL); - iptables_load_ruleset("global", TABLE_WIFIDOG_GLOBAL); + iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL); + iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION); - iptables_load_ruleset("validating-users", TABLE_WIFIDOG_VALIDATE); + iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN); - iptables_load_ruleset("known-users", TABLE_WIFIDOG_KNOWN); + iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); - iptables_load_ruleset("unknown-users", TABLE_WIFIDOG_UNKNOWN); + iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable"); free(gw_interface); 
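Review bot: `iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);` feeds the same ruleset through iptables_compile, whose block branch emits `-j REJECT` (visible in the @@ -106 hunk), and the REJECT target is only valid in the filter table, so every block rule in the global set now produces an iptables error when loaded into nat — and, unless iptables_do_command's result is checked somewhere outside this diff, a silently incomplete chain. Only allow rules mean anything in nat (ACCEPT there ends NAT processing, so the packet escapes the portal REDIRECT in TABLE_WIFIDOG_UNKNOWN, which is the fix for #65), so either make iptables_compile table-aware, e.g. `mode = safe_strdup(strcmp(table, "filter") == 0 ? "REJECT" : "RETURN");`, or have iptables_load_ruleset skip block rules when the table is not filter. The teardown side is not in this diff either: iptables_fw_destroy must now flush and delete the nat copy of TABLE_WIFIDOG_GLOBAL as well as the filter one, so confirm it has been updated. iptables_fw_init continues outside the hunk.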
diff --git a/src/gateway.c b/src/gateway.c index cad8eeed..826e4c5a 100644 --- a/src/gateway.c +++ b/src/gateway.c @@ -72,7 +72,7 @@ httpd * webserver = NULL; /* from commandline.c */ extern char ** restartargv; -extern pid_t restarted; +extern pid_t restart_orig_pid; t_client *firstclient; /* from client_list.c */ @@ -94,7 +94,7 @@ void append_x_restartargv(void) { } /* @internal - * @brief Connects to the parent via the internal socket + * @brief During gateway restart, connects to the parent process via the internal socket * Downloads from it the active client list */ void get_clients_from_parent(void) { @@ -507,7 +507,7 @@ int main(int argc, char **argv) { /* Init the signals to catch chld/quit/etc */ init_signals(); - if (restarted) { + if (restart_orig_pid) { /* * We were restarted and our parent is waiting for us to talk to it over the socket */ @@ -516,8 +516,8 @@ int main(int argc, char **argv) { /* * At this point the parent will start destroying itself and the firewall. Let it finish it's job before we continue */ - while (kill(restarted, 0) != -1) { - debug(LOG_INFO, "Waiting for parent PID %d to die before continuing loading", restarted); + while (kill(restart_orig_pid, 0) != -1) { + debug(LOG_INFO, "Waiting for parent PID %d to die before continuing loading", restart_orig_pid); sleep(1); } diff --git a/src/http.c b/src/http.c index dd9edfd6..e0a2eee1 100644 --- a/src/http.c +++ b/src/http.c @@ -51,6 +51,7 @@ extern pthread_mutex_t client_list_mutex; +/** The 404 handler is also responsable for redirecting to the auth server */ void http_callback_404(httpd *webserver, request *r) { diff --git a/src/util.c b/src/util.c index bcf502e0..9c14650e 100644 --- a/src/util.c +++ b/src/util.c @@ -67,7 +67,7 @@ extern pthread_mutex_t client_list_mutex; extern pthread_mutex_t config_mutex; /* Defined in commandline.c */ -extern pid_t restarted; +extern pid_t restart_orig_pid; /* XXX Do these need to be locked ? */ static time_t last_online_time = 0; 
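Review bot: The wait loop `while (kill(restart_orig_pid, 0) != -1) { … sleep(1); }` has no upper bound, so if the inherited PID is wrong or the parent gets stuck while tearing down, the new gateway sits here before it has set up any firewall rules, logging once a second forever; a bounded wait (a retry counter with an error exit, or at least dropping to a lower log level after the first few iterations) would make that failure visible and recoverable. Note also that `kill(pid, 0)` returns -1 with EPERM when the process exists but belongs to another user, which would end the wait early — unlikely for a parent wifidog, but worth a comment on the loop. main continues outside the hunk.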
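Review bot: The new comment on http_callback_404 misspells "responsable"; it should read `/** The 404 handler is also responsible for redirecting to the auth server */`. The function body is outside the hunk.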
@@ -339,8 +339,8 @@ char * get_status_text() { snprintf((buffer + len), (sizeof(buffer) - len), "Has been restarted: "); len = strlen(buffer); - if (restarted) { - snprintf((buffer + len), (sizeof(buffer) - len), "yes (from PID %d)\n", restarted); + if (restart_orig_pid) { + snprintf((buffer + len), (sizeof(buffer) - len), "yes (from PID %d)\n", restart_orig_pid); len = strlen(buffer); } else { diff --git a/wifidog.conf b/wifidog.conf index bfef60a7..e1333f37 100644 --- a/wifidog.conf +++ b/wifidog.conf @@ -36,23 +36,13 @@ GatewayInterface eth1 # GatewayAddress 192.168.1.1 -# Parameter: AuthServMaxTries -# Default: 1 -# Optional -# -# Sets the number of auth servers the gateway will attempt to contact when a request fails. -# this number should be equal to the number of AuthServer lines in this -# configuration but it should probably not exceed 3. - -# AuthServMaxTries 3 - # Parameter: AuthServer # Default: NONE -# Mandatory +# Mandatory, repeatable # -# Set this to the hostname or IP of your auth server, the path where -# WiFiDog-auth resides and optionally as a second argument, the port it -# listens on. +# This allows you to configure your auth server(s). Each one will be tried in order, untill one responds. +# Set this to the hostname or IP of your auth server(s), the path where +# WiFiDog-auth resides in and the port it listens on. #AuthServer { # Hostname (Mandatory; Default: NONE) # SSLAvailable (Optional; Default: no; Possible values: yes, no)