welterde/l2tpns
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add Cisco-AVPairs to RADIUS accounting records via plugin_radius_account

Browse source
This commit is contained in:
bodea 2005-10-11 09:04:53 +00:00
parent 5d659af7fd
commit f6b56a0f4d
12 changed files with 668 additions and 584 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Changes
View file

@ -3,6 +3,7 @@
- Fix RADIUS authentication on DAE responses.
- Don't send tunnel HELLO when there are pending control messages.
- Move plugin_radius_reset from *ctl to auto* plugins.
- Add Cisco-AVPairs to RADIUS accounting records via plugin_radius_account.
* Mon Sep 19 2005 Brendan O'Dea <bod@optus.net> 2.1.8
- Move code from signal handlers into mainloop, avoiding a race

74
autosnoop.c
View file

@ -4,46 +4,72 @@
/* set up intercept based on RADIUS reply */
char const *cvs_id = "$Id: autosnoop.c,v 1.11 2005/10/11 07:59:09 bodea Exp $";
char const *cvs_id = "$Id: autosnoop.c,v 1.12 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
struct pluginfuncs *p;
static struct pluginfuncs *f = 0;
int plugin_radius_response(struct param_radius_response *data)
{
if (!strcmp(data->key, "intercept"))
if (!strcmp(data->key, "intercept"))
{
char *p;
data->s->snoop_ip = 0;
data->s->snoop_port = 0;
if ((p = strchr(data->value, ':')))
{
char *x;
*p++ = 0;
if (*data->value)
data->s->snoop_ip = inet_addr(data->value);
if (data->s->snoop_ip == INADDR_NONE)
data->s->snoop_ip = 0;
data->s->snoop_port = 0;
if ((x = strchr(data->value, ':')))
{
*x++ = 0;
if (*data->value) data->s->snoop_ip = inet_addr(data->value);
if (data->s->snoop_ip == INADDR_NONE) data->s->snoop_ip = 0;
if (*x) data->s->snoop_port = atoi(x);
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Intercepting user to %s:%d\n",
p->fmtaddr(data->s->snoop_ip, 0), data->s->snoop_port);
}
else
{
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Not Intercepting user (reply string should be intercept=ip:port)\n");
}
if (*p)
data->s->snoop_port = atoi(p);
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Intercepting user to %s:%d\n",
f->fmtaddr(data->s->snoop_ip, 0), data->s->snoop_port);
}
else
{
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Not Intercepting user (reply string should"
" be intercept=ip:port)\n");
}
}
return PLUGIN_RET_OK;
}
int plugin_radius_reset(struct param_radius_reset *data)
{
data->s->snoop_ip = 0;
data->s->snoop_port = 0;
return PLUGIN_RET_OK;
data->s->snoop_ip = 0;
data->s->snoop_port = 0;
return PLUGIN_RET_OK;
}
int plugin_radius_account(struct param_radius_account *data)
{
if (data->s->snoop_ip && data->s->snoop_port)
{
uint8_t *p = *data->packet;
*p = 26; // vendor-specific
*(uint32_t *) (p + 2) = htonl(9); // Cisco
p[6] = 1; // Cisco-AVPair
p[7] = 2 + sprintf((char *) p + 8, "intercept=%s:%d",
f->fmtaddr(data->s->snoop_ip, 0), data->s->snoop_port);
p[1] = p[7] + 6;
*data->packet += p[1];
}
return PLUGIN_RET_OK;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

202
autothrottle.c
View file

@ -13,110 +13,146 @@
* throttle=no
*/
char const *cvs_id = "$Id: autothrottle.c,v 1.15 2005/10/11 07:59:09 bodea Exp $";
char const *cvs_id = "$Id: autothrottle.c,v 1.16 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
struct pluginfuncs *p;
static struct pluginfuncs *f = 0;
#define THROTTLE_KEY "lcp:interface-config"
int plugin_radius_response(struct param_radius_response *data)
{
if (!strncmp(data->key, THROTTLE_KEY, sizeof(THROTTLE_KEY) - 1))
if (!strncmp(data->key, THROTTLE_KEY, sizeof(THROTTLE_KEY) - 1))
{
char *sp = strchr(data->value, ' ');
char type;
int rate;
if (!sp || sp - data->value < 4 ||
strncmp("service-policy", data->value, sp - data->value))
return PLUGIN_RET_OK;
while (*sp == ' ') sp++;
data->value = sp;
if (!(sp = strchr(data->value, ' ')) ||
(strncmp("input", data->value, sp - data->value) &&
strncmp("output", data->value, sp - data->value)))
{
char *sp = strchr(data->value, ' ');
char type;
int rate;
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user (invalid type %.*s)\n",
sp - data->value, data->value);
if (!sp || sp - data->value < 4 ||
strncmp("service-policy", data->value, sp - data->value))
return PLUGIN_RET_OK;
while (*sp == ' ') sp++;
data->value = sp;
if (!(sp = strchr(data->value, ' ')) ||
(strncmp("input", data->value, sp - data->value) &&
strncmp("output", data->value, sp - data->value)))
{
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user (invalid type %.*s)\n",
sp - data->value, data->value);
return PLUGIN_RET_OK;
}
type = *data->value;
while (*sp == ' ') sp++;
data->value = sp;
if ((rate = strtol(data->value, &sp, 10)) < 0 || *sp)
{
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user (invalid rate %s)\n",
data->value);
return PLUGIN_RET_OK;
}
if (type == 'i')
{
data->s->throttle_in = rate;
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Throttling user input to %dkb/s\n",
rate);
}
else
{
data->s->throttle_out = rate;
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Throttling user output to %dkb/s\n",
rate);
}
return PLUGIN_RET_OK;
}
if (!strcmp(data->key, "throttle"))
type = *data->value;
while (*sp == ' ') sp++;
data->value = sp;
if ((rate = strtol(data->value, &sp, 10)) < 0 || *sp)
{
char *e;
int rate;
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user (invalid rate %s)\n",
data->value);
if ((rate = strtol(data->value, &e, 10)) < 0 || *e)
{
rate = -1;
if (!strcmp(data->value, "yes"))
{
unsigned long *ts = p->getconfig("throttle_speed", UNSIGNED_LONG);
if (ts)
rate = *ts;
}
else if (!strcmp(data->value, "no"))
rate = 0;
}
if (rate < 0)
return PLUGIN_RET_OK;
if (rate)
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Throttling user to %dkb/s\n", rate);
else
p->log(3, p->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user\n");
data->s->throttle_in = data->s->throttle_out = rate;
return PLUGIN_RET_OK;
}
return PLUGIN_RET_OK;
if (type == 'i')
{
data->s->throttle_in = rate;
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Throttling user input to %dkb/s\n", rate);
}
else
{
data->s->throttle_out = rate;
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Throttling user output to %dkb/s\n", rate);
}
}
else if (!strcmp(data->key, "throttle"))
{
char *e;
int rate;
if ((rate = strtol(data->value, &e, 10)) < 0 || *e)
{
rate = -1;
if (!strcmp(data->value, "yes"))
{
unsigned long *ts = f->getconfig("throttle_speed", UNSIGNED_LONG);
if (ts)
rate = *ts;
}
else if (!strcmp(data->value, "no"))
rate = 0;
}
if (rate < 0)
return PLUGIN_RET_OK;
if (rate)
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Throttling user to %dkb/s\n", rate);
else
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
" Not throttling user\n");
data->s->throttle_in = data->s->throttle_out = rate;
}
return PLUGIN_RET_OK;
}
int plugin_radius_reset(struct param_radius_reset *data)
{
p->throttle(p->get_id_by_session(data->s), 0, 0);
return PLUGIN_RET_OK;
f->throttle(f->get_id_by_session(data->s), 0, 0);
return PLUGIN_RET_OK;
}
int plugin_radius_account(struct param_radius_account *data)
{
if (data->s->throttle_in || data->s->throttle_out)
{
uint8_t *p = *data->packet;
int i = 1;
if (data->s->throttle_in)
{
*p = 26; // vendor-specific
*(uint32_t *) (p + 2) = htonl(9); // Cisco
p[6] = 1; // Cisco-AVPair
p[7] = 2 + sprintf((char *) p + 8,
"lcp:interface-config#%d=service-policy input %d", i++,
data->s->throttle_in);
p[1] = p[7] + 6;
p += p[1];
}
if (data->s->throttle_out)
{
*p = 26; // vendor-specific
*(uint32_t *) (p + 2) = htonl(9); // Cisco
p[6] = 1; // Cisco-AVPair
p[7] = 2 + sprintf((char *) p + 8,
"lcp:interface-config#%d=service-policy output %d", i++,
data->s->throttle_out);
p[1] = p[7] + 6;
p += p[1];
}
*data->packet = p;
}
return PLUGIN_RET_OK;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

379
garden.c
View file

@ -9,35 +9,35 @@
/* walled garden */
char const *cvs_id = "$Id: garden.c,v 1.23 2005/06/02 11:32:30 bodea Exp $";
char const *cvs_id = "$Id: garden.c,v 1.24 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
static int iam_master = 0; // We're all slaves! Slaves I tell you!
char *up_commands[] = {
"iptables -t nat -N garden >/dev/null 2>&1", // Create a chain that all gardened users will go through
"iptables -t nat -F garden",
". " PLUGINCONF "/build-garden", // Populate with site-specific DNAT rules
"iptables -t nat -N garden_users >/dev/null 2>&1", // Empty chain, users added/removed by garden_session
"iptables -t nat -F garden_users",
"iptables -t nat -A PREROUTING -j garden_users", // DNAT any users on the garden_users chain
"sysctl -w net.ipv4.ip_conntrack_max=512000 >/dev/null", // lots of entries
NULL,
"iptables -t nat -N garden >/dev/null 2>&1", // Create a chain that all gardened users will go through
"iptables -t nat -F garden",
". " PLUGINCONF "/build-garden", // Populate with site-specific DNAT rules
"iptables -t nat -N garden_users >/dev/null 2>&1", // Empty chain, users added/removed by garden_session
"iptables -t nat -F garden_users",
"iptables -t nat -A PREROUTING -j garden_users", // DNAT any users on the garden_users chain
"sysctl -w net.ipv4.ip_conntrack_max=512000 >/dev/null", // lots of entries
NULL,
};
char *down_commands[] = {
"iptables -t nat -F PREROUTING",
"iptables -t nat -F garden_users",
"iptables -t nat -X garden_users",
"iptables -t nat -F garden",
"iptables -t nat -X garden",
"rmmod iptable_nat", // Should also remove ip_conntrack, but
"iptables -t nat -F PREROUTING",
"iptables -t nat -F garden_users",
"iptables -t nat -X garden_users",
"iptables -t nat -F garden",
"iptables -t nat -X garden",
"rmmod iptable_nat", // Should also remove ip_conntrack, but
// doing so can take hours... literally.
// If a master is re-started as a slave,
// either rmmod manually, or reboot.
NULL,
NULL,
};
#define F_UNGARDEN 0
@ -48,234 +48,249 @@ int garden_session(sessiont *s, int flag, char *newuser);
int plugin_post_auth(struct param_post_auth *data)
{
// Ignore if user authentication was successful
if (data->auth_allowed) return PLUGIN_RET_OK;
p->log(3, p->get_id_by_session(data->s), data->s->tunnel, "Walled Garden allowing login\n");
data->auth_allowed = 1;
data->s->walled_garden = 1;
// Ignore if user authentication was successful
if (data->auth_allowed)
return PLUGIN_RET_OK;
f->log(3, f->get_id_by_session(data->s), data->s->tunnel,
"Walled Garden allowing login\n");
data->auth_allowed = 1;
data->s->walled_garden = 1;
return PLUGIN_RET_OK;
}
int plugin_new_session(struct param_new_session *data)
{
if (!iam_master)
return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
if (!iam_master)
return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
if (data->s->walled_garden)
garden_session(data->s, F_GARDEN, 0);
if (data->s->walled_garden)
garden_session(data->s, F_GARDEN, 0);
return PLUGIN_RET_OK;
return PLUGIN_RET_OK;
}
int plugin_kill_session(struct param_new_session *data)
{
if (!iam_master)
return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
if (!iam_master)
return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
if (data->s->walled_garden)
garden_session(data->s, F_CLEANUP, 0);
if (data->s->walled_garden)
garden_session(data->s, F_CLEANUP, 0);
return PLUGIN_RET_OK;
return PLUGIN_RET_OK;
}
char *plugin_control_help[] = {
" garden USER|SID Put user into the walled garden",
" ungarden SID [USER] Release session from garden",
0
" garden USER|SID Put user into the walled garden",
" ungarden SID [USER] Release session from garden",
0
};
int plugin_control(struct param_control *data)
{
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (strcmp(data->argv[0], "garden") && strcmp(data->argv[0], "ungarden"))
return PLUGIN_RET_OK; // not for us
if (strcmp(data->argv[0], "garden") && strcmp(data->argv[0], "ungarden"))
return PLUGIN_RET_OK; // not for us
if (!iam_master)
return PLUGIN_RET_NOTMASTER;
if (!iam_master)
return PLUGIN_RET_NOTMASTER;
flag = data->argv[0][0] == 'g' ? F_GARDEN : F_UNGARDEN;
flag = data->argv[0][0] == 'g' ? F_GARDEN : F_UNGARDEN;
if (data->argc < 2 || data->argc > 3 || (data->argc > 2 && flag == F_GARDEN))
{
data->response = NSCTL_RES_ERR;
data->additional = flag == F_GARDEN
? "requires username or session id"
: "requires session id and optional username";
return PLUGIN_RET_STOP;
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
{
if (flag)
session = p->get_session_by_username(data->argv[1]);
else
session = 0; // can't ungarden by username
}
if (session)
s = p->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (s->walled_garden == flag)
{
data->response = NSCTL_RES_ERR;
data->additional = flag ? "already in walled garden" : "not in walled garden";
return PLUGIN_RET_STOP;
}
garden_session(s, flag, data->argc > 2 ? data->argv[2] : 0);
p->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
if (data->argc < 2 || data->argc > 3 || (data->argc > 2 && flag == F_GARDEN))
{
data->response = NSCTL_RES_ERR;
data->additional = flag == F_GARDEN
? "requires username or session id"
: "requires session id and optional username";
return PLUGIN_RET_STOP;
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
{
if (flag)
session = f->get_session_by_username(data->argv[1]);
else
session = 0; // can't ungarden by username
}
if (session)
s = f->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (s->walled_garden == flag)
{
data->response = NSCTL_RES_ERR;
data->additional = flag ? "already in walled garden" : "not in walled garden";
return PLUGIN_RET_STOP;
}
garden_session(s, flag, data->argc > 2 ? data->argv[2] : 0);
f->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
return PLUGIN_RET_STOP;
}
int plugin_become_master(void)
{
int i;
iam_master = 1; // We just became the master. Wow!
int i;
iam_master = 1; // We just became the master. Wow!
for (i = 0; up_commands[i] && *up_commands[i]; i++)
{
p->log(3, 0, 0, "Running %s\n", up_commands[i]);
system(up_commands[i]);
}
for (i = 0; up_commands[i] && *up_commands[i]; i++)
{
f->log(3, 0, 0, "Running %s\n", up_commands[i]);
system(up_commands[i]);
}
return PLUGIN_RET_OK;
return PLUGIN_RET_OK;
}
// Called for each active session after becoming master
int plugin_new_session_master(sessiont *s)
{
if (s->walled_garden)
garden_session(s, F_GARDEN, 0);
if (s->walled_garden)
garden_session(s, F_GARDEN, 0);
return PLUGIN_RET_OK;
return PLUGIN_RET_OK;
}
int garden_session(sessiont *s, int flag, char *newuser)
{
char cmd[2048];
sessionidt sess;
char cmd[2048];
sessionidt sess;
if (!s) return 0;
if (!s->opened) return 0;
if (!s) return 0;
if (!s->opened) return 0;
sess = p->get_id_by_session(s);
if (flag == F_GARDEN)
sess = f->get_id_by_session(s);
if (flag == F_GARDEN)
{
f->log(2, sess, s->tunnel, "Garden user %s (%s)\n", s->user,
f->fmtaddr(htonl(s->ip), 0));
snprintf(cmd, sizeof(cmd),
"iptables -t nat -A garden_users -s %s -j garden",
f->fmtaddr(htonl(s->ip), 0));
f->log(3, sess, s->tunnel, "%s\n", cmd);
system(cmd);
s->walled_garden = 1;
}
else
{
sessionidt other;
int count = 40;
// Normal User
f->log(2, sess, s->tunnel, "Un-Garden user %s (%s)\n", s->user, f->fmtaddr(htonl(s->ip), 0));
if (newuser)
{
p->log(2, sess, s->tunnel, "Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
snprintf(cmd, sizeof(cmd), "iptables -t nat -A garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
p->log(3, sess, s->tunnel, "%s\n", cmd);
system(cmd);
s->walled_garden = 1;
}
else
{
sessionidt other;
int count = 40;
// Normal User
p->log(2, sess, s->tunnel, "Un-Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
if (newuser)
{
snprintf(s->user, MAXUSER, "%s", newuser);
p->log(2, sess, s->tunnel, " Setting username to %s\n", s->user);
}
// Kick off any duplicate usernames
// but make sure not to kick off ourself
if (s->ip && !s->die && (other = p->get_session_by_username(s->user)) && s != p->get_session_by_id(other)) {
p->sessionkill(other, "Duplicate session when user released from walled garden");
}
/* Clean up counters */
s->pin = s->pout = 0;
s->cin = s->cout = 0;
s->cin_delta = s->cout_delta = 0;
s->cin_wrap = s->cout_wrap = 0;
snprintf(cmd, sizeof(cmd), "iptables -t nat -D garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
p->log(3, sess, s->tunnel, "%s\n", cmd);
while (--count)
{
int status = system(cmd);
if (WEXITSTATUS(status) != 0) break;
}
s->walled_garden = 0;
if (flag != F_CLEANUP)
{
/* OK, we're up! */
uint16_t r = p->radiusnew(p->get_id_by_session(s));
if (r) p->radiussend(r, RADIUSSTART);
}
snprintf(s->user, MAXUSER, "%s", newuser);
f->log(2, sess, s->tunnel, " Setting username to %s\n", s->user);
}
return 1;
// Kick off any duplicate usernames
// but make sure not to kick off ourself
if (s->ip && !s->die && (other = f->get_session_by_username(s->user)) &&
s != f->get_session_by_id(other))
{
f->sessionkill(other,
"Duplicate session when user released from walled garden");
}
/* Clean up counters */
s->pin = s->pout = 0;
s->cin = s->cout = 0;
s->cin_delta = s->cout_delta = 0;
s->cin_wrap = s->cout_wrap = 0;
snprintf(cmd, sizeof(cmd),
"iptables -t nat -D garden_users -s %s -j garden",
f->fmtaddr(htonl(s->ip), 0));
f->log(3, sess, s->tunnel, "%s\n", cmd);
while (--count)
{
int status = system(cmd);
if (WEXITSTATUS(status) != 0) break;
}
s->walled_garden = 0;
if (flag != F_CLEANUP)
{
/* OK, we're up! */
uint16_t r = f->radiusnew(f->get_id_by_session(s));
if (r) f->radiussend(r, RADIUSSTART);
}
}
return 1;
}
int plugin_init(struct pluginfuncs *funcs)
{
FILE *tables;
int found_nat = 0;
FILE *tables;
int found_nat = 0;
if (!funcs)
return 0;
if (!funcs)
return 0;
p = funcs;
f = funcs;
if ((tables = fopen("/proc/net/ip_tables_names", "r")))
if ((tables = fopen("/proc/net/ip_tables_names", "r")))
{
char buf[1024];
while (fgets(buf, sizeof(buf), tables) && !found_nat)
found_nat = !strcmp(buf, "nat\n");
fclose(tables);
}
/* master killed/crashed? */
if (found_nat)
{
int i;
for (i = 0; down_commands[i] && *down_commands[i]; i++)
{
char buf[1024];
while (fgets(buf, sizeof(buf), tables) && !found_nat)
found_nat = !strcmp(buf, "nat\n");
fclose(tables);
f->log(3, 0, 0, "Running %s\n", down_commands[i]);
system(down_commands[i]);
}
}
/* master killed/crashed? */
if (found_nat)
{
int i;
for (i = 0; down_commands[i] && *down_commands[i]; i++)
{
p->log(3, 0, 0, "Running %s\n", down_commands[i]);
system(down_commands[i]);
}
}
return 1;
return 1;
}
void plugin_done()
{
int i;
int i;
if (!iam_master) // Never became master. nothing to do.
return;
if (!iam_master) // Never became master. nothing to do.
return;
for (i = 0; down_commands[i] && *down_commands[i]; i++)
{
p->log(3, 0, 0, "Running %s\n", down_commands[i]);
system(down_commands[i]);
}
for (i = 0; down_commands[i] && *down_commands[i]; i++)
{
f->log(3, 0, 0, "Running %s\n", down_commands[i]);
system(down_commands[i]);
}
}

3
l2tpns.c
View file

@ -4,7 +4,7 @@
// Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
// vim: sw=8 ts=8
char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.143 2005/10/11 07:06:56 bodea Exp $";
char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.144 2005/10/11 09:04:53 bodea Exp $";
#include <arpa/inet.h>
#include <assert.h>
@ -162,6 +162,7 @@ static char *plugin_functions[] = {
"plugin_control",
"plugin_radius_response",
"plugin_radius_reset",
"plugin_radius_account",
"plugin_become_master",
"plugin_new_session_master",
};

130
plugin.h
View file

@ -6,18 +6,19 @@
enum
{
PLUGIN_PRE_AUTH = 1,
PLUGIN_POST_AUTH,
PLUGIN_PACKET_RX,
PLUGIN_PACKET_TX,
PLUGIN_TIMER,
PLUGIN_NEW_SESSION,
PLUGIN_KILL_SESSION,
PLUGIN_CONTROL,
PLUGIN_RADIUS_RESPONSE,
PLUGIN_RADIUS_RESET,
PLUGIN_BECOME_MASTER,
PLUGIN_NEW_SESSION_MASTER,
PLUGIN_PRE_AUTH = 1,
PLUGIN_POST_AUTH,
PLUGIN_PACKET_RX,
PLUGIN_PACKET_TX,
PLUGIN_TIMER,
PLUGIN_NEW_SESSION,
PLUGIN_KILL_SESSION,
PLUGIN_CONTROL,
PLUGIN_RADIUS_RESPONSE,
PLUGIN_RADIUS_RESET,
PLUGIN_RADIUS_ACCOUNT,
PLUGIN_BECOME_MASTER,
PLUGIN_NEW_SESSION_MASTER,
};
#define PLUGIN_RET_ERROR 0
@ -27,95 +28,102 @@ enum
struct pluginfuncs
{
void (*log)(int level, sessionidt s, tunnelidt t, const char *format, ...);
void (*log_hex)(int level, const char *title, const uint8_t *data, int maxsize);
char *(*fmtaddr)(in_addr_t addr, int n);
sessionidt (*get_session_by_username)(char *username);
sessiont *(*get_session_by_id)(sessionidt s);
sessionidt (*get_id_by_session)(sessiont *s);
uint16_t (*radiusnew)(sessionidt s);
void (*radiussend)(uint16_t r, uint8_t state);
void *(*getconfig)(char *key, enum config_typet type);
void (*sessionshutdown)(sessionidt s, char *reason, int result, int error);
void (*sessionkill)(sessionidt s, char *reason);
void (*throttle)(sessionidt s, int rate_in, int rate_out);
int (*session_changed)(int sid);
void (*log)(int level, sessionidt s, tunnelidt t, const char *format, ...);
void (*log_hex)(int level, const char *title, const uint8_t *data, int maxsize);
char *(*fmtaddr)(in_addr_t addr, int n);
sessionidt (*get_session_by_username)(char *username);
sessiont *(*get_session_by_id)(sessionidt s);
sessionidt (*get_id_by_session)(sessiont *s);
uint16_t (*radiusnew)(sessionidt s);
void (*radiussend)(uint16_t r, uint8_t state);
void *(*getconfig)(char *key, enum config_typet type);
void (*sessionshutdown)(sessionidt s, char *reason, int result, int error);
void (*sessionkill)(sessionidt s, char *reason);
void (*throttle)(sessionidt s, int rate_in, int rate_out);
int (*session_changed)(int sid);
};
struct param_pre_auth
{
tunnelt *t;
sessiont *s;
char *username;
char *password;
int protocol;
int continue_auth;
tunnelt *t;
sessiont *s;
char *username;
char *password;
int protocol;
int continue_auth;
};
struct param_post_auth
{
tunnelt *t;
sessiont *s;
char *username;
short auth_allowed;
int protocol;
tunnelt *t;
sessiont *s;
char *username;
short auth_allowed;
int protocol;
};
struct param_packet_rx
{
tunnelt *t;
sessiont *s;
char *buf;
int len;
tunnelt *t;
sessiont *s;
char *buf;
int len;
};
struct param_packet_tx
{
tunnelt *t;
sessiont *s;
char *buf;
int len;
tunnelt *t;
sessiont *s;
char *buf;
int len;
};
struct param_timer
{
time_t time_now;
time_t time_now;
};
struct param_control
{
int iam_master;
int argc;
char **argv;
// output
int response;
char *additional;
int iam_master;
int argc;
char **argv;
// output
int response;
char *additional;
};
struct param_new_session
{
tunnelt *t;
sessiont *s;
tunnelt *t;
sessiont *s;
};
struct param_kill_session
{
tunnelt *t;
sessiont *s;
tunnelt *t;
sessiont *s;
};
struct param_radius_response
{
tunnelt *t;
sessiont *s;
char *key;
char *value;
tunnelt *t;
sessiont *s;
char *key;
char *value;
};
struct param_radius_reset
{
tunnelt *t;
sessiont *s;
tunnelt *t;
sessiont *s;
};
struct param_radius_account
{
tunnelt *t;
sessiont *s;
uint8_t **packet;
};
#endif /* __PLUGIN_H__ */

17
radius.c
View file

@ -1,6 +1,6 @@
// L2TPNS Radius Stuff
char const *cvs_id_radius = "$Id: radius.c,v 1.43 2005/10/11 02:27:40 foonly Exp $";
char const *cvs_id_radius = "$Id: radius.c,v 1.44 2005/10/11 09:04:53 bodea Exp $";
#include <time.h>
#include <stdio.h>
@ -304,18 +304,11 @@ void radiussend(uint16_t r, uint8_t state)
p[1] = 6;
*(uint32_t *) (p + 2) = htonl(session[s].cout_wrap);
p += p[1];
}
if (session[s].snoop_ip && session[s].snoop_port)
{
*p = 26; // vendor-specific
*(uint32_t *) (p + 2) = htonl(9); // Cisco
p[6] = 1; // Cisco-AVPair
p[7] = 2 + sprintf((char *) p + 8, "intercept=%s:%d",
fmtaddr(session[s].snoop_ip, 0), session[s].snoop_port);
p[1] = p[7] + 6;
p += p[1];
{
struct param_radius_account acct = { &tunnel[session[s].tunnel], &session[s], &p };
run_plugins(PLUGIN_RADIUS_ACCOUNT, &acct);
}
}
}
}

14
sessionctl.c
View file

@ -5,10 +5,10 @@
/* session control */
char const *cvs_id = "$Id: sessionctl.c,v 1.3 2005/06/28 14:48:28 bodea Exp $";
char const *cvs_id = "$Id: sessionctl.c,v 1.4 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
char *plugin_control_help[] = {
" drop USER|SID [REASON] Shutdown user session",
@ -40,10 +40,10 @@ int plugin_control(struct param_control *data)
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
session = p->get_session_by_username(data->argv[1]);
session = f->get_session_by_username(data->argv[1]);
if (session)
s = p->get_session_by_id(session);
s = f->get_session_by_id(session);
if (!s || !s->ip)
{
@ -58,9 +58,9 @@ int plugin_control(struct param_control *data)
reason = "Requested by administrator.";
if (data->argv[0][0] == 'd')
p->sessionshutdown(session, reason, 3, 0);
f->sessionshutdown(session, reason, 3, 0);
else
p->sessionkill(session, reason);
f->sessionkill(session, reason);
data->response = NSCTL_RES_OK;
data->additional = 0;
@ -70,5 +70,5 @@ int plugin_control(struct param_control *data)
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

44
setrxspeed.c
View file

@ -4,34 +4,38 @@
/* fudge up session rx speed if not set */
char const *cvs_id = "$Id: setrxspeed.c,v 1.3 2004/11/17 08:23:35 bodea Exp $";
char const *cvs_id = "$Id: setrxspeed.c,v 1.4 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
int plugin_post_auth(struct param_post_auth *data)
{
if (!data->auth_allowed) return PLUGIN_RET_OK;
if (!data->auth_allowed)
return PLUGIN_RET_OK;
if (!data->s->rx_connect_speed)
{
switch (data->s->tx_connect_speed)
{
case 256 :
data->s->rx_connect_speed = 64;
break;
case 512 :
data->s->rx_connect_speed = 128;
break;
case 1500 :
data->s->rx_connect_speed = 256;
break;
}
}
return PLUGIN_RET_OK;
if (data->s->rx_connect_speed)
return PLUGIN_RET_OK;
switch (data->s->tx_connect_speed)
{
case 256:
data->s->rx_connect_speed = 64;
break;
case 512:
data->s->rx_connect_speed = 128;
break;
case 1500:
data->s->rx_connect_speed = 256;
break;
}
return PLUGIN_RET_OK;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

178
snoopctl.c
View file

@ -5,118 +5,118 @@
/* snoop control */
char const *cvs_id = "$Id: snoopctl.c,v 1.6 2005/10/11 07:59:09 bodea Exp $";
char const *cvs_id = "$Id: snoopctl.c,v 1.7 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
char *plugin_control_help[] = {
" snoop USER|SID IP PORT Intercept user traffic",
" unsnoop USER|SID Stop intercepting user",
0
" snoop USER|SID IP PORT Intercept user traffic",
" unsnoop USER|SID Stop intercepting user",
0
};
int plugin_control(struct param_control *data)
{
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (strcmp(data->argv[0], "snoop") && strcmp(data->argv[0], "unsnoop"))
return PLUGIN_RET_OK; // not for us
if (strcmp(data->argv[0], "snoop") && strcmp(data->argv[0], "unsnoop"))
return PLUGIN_RET_OK; // not for us
if (!data->iam_master)
return PLUGIN_RET_NOTMASTER;
if (!data->iam_master)
return PLUGIN_RET_NOTMASTER;
flag = data->argv[0][0] != 'u';
flag = data->argv[0][0] != 'u';
if (flag)
if (flag)
{
if (data->argc != 4)
{
if (data->argc != 4)
{
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id and host, port";
return PLUGIN_RET_STOP;
}
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id and host, port";
return PLUGIN_RET_STOP;
}
else
}
else
{
if (data->argc != 2)
{
if (data->argc != 2)
{
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id";
return PLUGIN_RET_STOP;
}
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id";
return PLUGIN_RET_STOP;
}
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
session = p->get_session_by_username(data->argv[1]);
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
session = f->get_session_by_username(data->argv[1]);
if (session)
s = p->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (flag)
{
in_addr_t ip = inet_addr(data->argv[2]);
uint16_t port = atoi(data->argv[3]);
if (!ip || ip == INADDR_NONE)
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid ip address";
return PLUGIN_RET_STOP;
}
if (!port)
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid port";
return PLUGIN_RET_STOP;
}
if (ip == s->snoop_ip && port == s->snoop_port)
{
data->response = NSCTL_RES_ERR;
data->additional = "already intercepted";
return PLUGIN_RET_STOP;
}
s->snoop_ip = ip;
s->snoop_port = port;
}
else
{
if (!s->snoop_ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "not intercepted";
return PLUGIN_RET_STOP;
}
s->snoop_ip = 0;
s->snoop_port = 0;
}
p->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
if (session)
s = f->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (flag)
{
in_addr_t ip = inet_addr(data->argv[2]);
uint16_t port = atoi(data->argv[3]);
if (!ip || ip == INADDR_NONE)
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid ip address";
return PLUGIN_RET_STOP;
}
if (!port)
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid port";
return PLUGIN_RET_STOP;
}
if (ip == s->snoop_ip && port == s->snoop_port)
{
data->response = NSCTL_RES_ERR;
data->additional = "already intercepted";
return PLUGIN_RET_STOP;
}
s->snoop_ip = ip;
s->snoop_port = port;
}
else
{
if (!s->snoop_ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "not intercepted";
return PLUGIN_RET_STOP;
}
s->snoop_ip = 0;
s->snoop_port = 0;
}
f->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
return PLUGIN_RET_STOP;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

24
stripdomain.c
View file

@ -4,28 +4,28 @@
/* strip domain part of username before sending RADIUS requests */
char const *cvs_id = "$Id: stripdomain.c,v 1.7 2004/11/29 02:17:18 bodea Exp $";
char const *cvs_id = "$Id: stripdomain.c,v 1.8 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
int plugin_pre_auth(struct param_pre_auth *data)
{
char *x;
char *p;
if (!data->continue_auth) return PLUGIN_RET_STOP;
if (!data->continue_auth) return PLUGIN_RET_STOP;
// Strip off @domain
if ((x = strchr(data->username, '@')))
{
p->log(3, 0, 0, "Stripping off trailing domain name \"%s\"\n", x);
*x = 0;
}
// Strip off @domain
if ((p = strchr(data->username, '@')))
{
f->log(3, 0, 0, "Stripping off trailing domain name \"%s\"\n", p);
*p = 0;
}
return PLUGIN_RET_OK;
return PLUGIN_RET_OK;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}

186
throttlectl.c
View file

@ -5,131 +5,131 @@
/* throttle control */
char const *cvs_id = "$Id: throttlectl.c,v 1.8 2005/10/11 07:59:09 bodea Exp $";
char const *cvs_id = "$Id: throttlectl.c,v 1.9 2005/10/11 09:04:53 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *p = 0;
static struct pluginfuncs *f = 0;
char *plugin_control_help[] = {
" throttle USER|SID [RATE|[in|out] RATE ...] Throttle user traffic",
" unthrottle USER|SID Stop throttling user",
0
" throttle USER|SID [RATE|[in|out] RATE ...] Throttle user traffic",
" unthrottle USER|SID Stop throttling user",
0
};
int plugin_control(struct param_control *data)
{
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
int rate_in = 0;
int rate_out = 0;
sessionidt session;
sessiont *s = 0;
int flag;
char *end;
int rate_in = 0;
int rate_out = 0;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (data->argc < 1)
return PLUGIN_RET_OK;
if (strcmp(data->argv[0], "throttle")
&& strcmp(data->argv[0], "unthrottle"))
return PLUGIN_RET_OK; // not for us
if (strcmp(data->argv[0], "throttle") &&
strcmp(data->argv[0], "unthrottle"))
return PLUGIN_RET_OK; // not for us
if (!data->iam_master)
return PLUGIN_RET_NOTMASTER;
if (!data->iam_master)
return PLUGIN_RET_NOTMASTER;
flag = data->argv[0][0] == 't';
flag = data->argv[0][0] == 't';
if (flag)
if (flag)
{
if (data->argc < 2 || data->argc > 6)
{
if (data->argc < 2 || data->argc > 6)
{
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id and optional rate(s)";
return PLUGIN_RET_STOP;
}
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id and optional rate(s)";
return PLUGIN_RET_STOP;
}
}
else
{
if (data->argc != 2)
{
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id";
return PLUGIN_RET_STOP;
}
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
session = f->get_session_by_username(data->argv[1]);
if (session)
s = f->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (flag)
{
rate_in = rate_out = -1;
if (data->argc == 2)
{
unsigned long *rate = f->getconfig("throttle_speed", UNSIGNED_LONG);
rate_in = rate_out = *rate;
}
else if (data->argc == 3)
{
rate_in = rate_out = atoi(data->argv[2]);
}
else
{
if (data->argc != 2)
int i;
for (i = 2; i < data->argc - 1; i += 2)
{
int len = strlen(data->argv[i]);
if (!strncmp(data->argv[i], "in", len))
{
data->response = NSCTL_RES_ERR;
data->additional = "requires username or session id";
return PLUGIN_RET_STOP;
rate_in = atoi(data->argv[i+1]);
}
}
if (!(session = strtol(data->argv[1], &end, 10)) || *end)
session = p->get_session_by_username(data->argv[1]);
if (session)
s = p->get_session_by_id(session);
if (!s || !s->ip)
{
data->response = NSCTL_RES_ERR;
data->additional = "session not found";
return PLUGIN_RET_STOP;
}
if (flag)
{
rate_in = rate_out = -1;
if (data->argc == 2)
else if (!strncmp(data->argv[i], "out", len))
{
unsigned long *rate = p->getconfig("throttle_speed", UNSIGNED_LONG);
rate_in = rate_out = *rate;
}
else if (data->argc == 3)
{
rate_in = rate_out = atoi(data->argv[2]);
rate_out = atoi(data->argv[i+1]);
}
else
{
int i;
for (i = 2; i < data->argc - 1; i += 2)
{
int len = strlen(data->argv[i]);
if (!strncmp(data->argv[i], "in", len))
{
rate_in = atoi(data->argv[i+1]);
}
else if (!strncmp(data->argv[i], "out", len))
{
rate_out = atoi(data->argv[i+1]);
}
else
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid rate";
return PLUGIN_RET_STOP;
}
}
}
if (!rate_in || !rate_out)
{
data->response = NSCTL_RES_ERR;
data->additional = "invalid rate";
return PLUGIN_RET_STOP;
data->response = NSCTL_RES_ERR;
data->additional = "invalid rate";
return PLUGIN_RET_STOP;
}
}
}
if (rate_in != -1 && rate_in == s->throttle_in &&
rate_out != -1 && rate_out == s->throttle_out)
if (!rate_in || !rate_out)
{
data->response = NSCTL_RES_ERR;
data->additional = flag ? "already throttled" : "not throttled";
return PLUGIN_RET_STOP;
data->response = NSCTL_RES_ERR;
data->additional = "invalid rate";
return PLUGIN_RET_STOP;
}
}
p->throttle(session, rate_in, rate_out);
p->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
if (rate_in != -1 && rate_in == s->throttle_in &&
rate_out != -1 && rate_out == s->throttle_out)
{
data->response = NSCTL_RES_ERR;
data->additional = flag ? "already throttled" : "not throttled";
return PLUGIN_RET_STOP;
}
f->throttle(session, rate_in, rate_out);
f->session_changed(session);
data->response = NSCTL_RES_OK;
data->additional = 0;
return PLUGIN_RET_STOP;
}
int plugin_init(struct pluginfuncs *funcs)
{
return ((p = funcs)) ? 1 : 0;
return ((f = funcs)) ? 1 : 0;
}