* Fri Mar 5 2004 David Parrish <david@dparrish.com> 1.1.0
- Change all strcpy() calls to strncpy() to avoid buffer overflow potential - Add ICMP host unreachable support - Logging to syslog if log_file = "syslog:facility" - Now requires libcli 1.5 - All configuration moves to a config structure - Ability to modify and write config on the fly through command-line interface - Config file support is removed, and now handled by the cli - Show hostname in cli prompt - Keep current state type for tunnels - Add uptime command do CLI, which also shows real-time bandwidth utilisation - Add goodbye command to cluster master, which forces droppping a slave - Cache IP address allocation, so that reconnecting users get the same address - Fix tunnel resend timeouts, so that dead tunnels will be cleaned up - Allocate tunnels and radius without using a linked list which had issues - Fix some off-by-one errors in tunnel and session and radius arrays - Save and reload ip address pool when dieing - Check version and size of reloaded data when restarting - Remove plugin_config support - Remove old support for TBF which didn't work anyway. HTB is required to do throttling now. - Add COPYING and Changes files
This commit is contained in:
David Parrish
parent
7c1104efff
commit
fc0a363208
22 changed files with 1731 additions and 1248 deletions
67
garden.c
67
garden.c
|
|
@ -10,43 +10,43 @@
|
|||
int __plugin_api_version = 1;
|
||||
struct pluginfuncs p;
|
||||
|
||||
int garden_session(sessiont *s, int flag);
|
||||
|
||||
char *init_commands[] = {
|
||||
// This is for incoming connections to a gardened user
|
||||
"iptables -t nat -N garden_users 2>&1 >/dev/null",
|
||||
"iptables -t nat -F garden_users 2>&1 >/dev/null",
|
||||
"iptables -t nat -N garden 2>&1 >/dev/null",
|
||||
"iptables -t nat -F garden_users",
|
||||
"iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
|
||||
"iptables -t nat -A l2tpns -j garden_users",
|
||||
NULL
|
||||
};
|
||||
|
||||
char *done_commands[] = {
|
||||
"iptables -t nat -F garden_users 2>&1 >/dev/null",
|
||||
"iptables -t nat -D l2tpns -j garden_users 2>&1 >/dev/null",
|
||||
"iptables -t nat -D l2tpns -j garden_users",
|
||||
NULL
|
||||
};
|
||||
|
||||
int garden_session(sessiont *s, int flag);
|
||||
|
||||
int plugin_post_auth(struct param_post_auth *data)
|
||||
{
|
||||
// Ignore if user authentication was successful
|
||||
if (data->auth_allowed) return PLUGIN_RET_OK;
|
||||
|
||||
p.log(3, 0, 0, 0, "User allowed into walled garden\n");
|
||||
p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
|
||||
data->auth_allowed = 1;
|
||||
data->s->walled_garden = 1;
|
||||
data->s->garden = 1;
|
||||
return PLUGIN_RET_OK;
|
||||
}
|
||||
|
||||
int plugin_new_session(struct param_new_session *data)
|
||||
{
|
||||
if (data->s->walled_garden) garden_session(data->s, 1);
|
||||
if (data->s->garden) garden_session(data->s, 1);
|
||||
return PLUGIN_RET_OK;
|
||||
}
|
||||
|
||||
int plugin_kill_session(struct param_new_session *data)
|
||||
{
|
||||
if (data->s->walled_garden) garden_session(data->s, 0);
|
||||
if (data->s->garden) garden_session(data->s, 0);
|
||||
return PLUGIN_RET_OK;
|
||||
}
|
||||
|
||||
|
|
@ -58,10 +58,7 @@ int plugin_control(struct param_control *data)
|
|||
if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
|
||||
if (!data->data && data->data_length) return PLUGIN_RET_OK;
|
||||
session = atoi((char*)(data->data));
|
||||
|
||||
if (!session)
|
||||
return PLUGIN_RET_OK;
|
||||
|
||||
if (!session) return PLUGIN_RET_OK; // Really?
|
||||
data->send_response = 1;
|
||||
s = p.get_session_by_id(session);
|
||||
if (!s || !s->ip)
|
||||
|
|
@ -86,11 +83,6 @@ int plugin_control(struct param_control *data)
|
|||
return PLUGIN_RET_STOP;
|
||||
}
|
||||
|
||||
int plugin_config(struct param_config *data)
|
||||
{
|
||||
return PLUGIN_RET_OK;
|
||||
}
|
||||
|
||||
int garden_session(sessiont *s, int flag)
|
||||
{
|
||||
char cmd[2048];
|
||||
|
|
@ -98,25 +90,48 @@ int garden_session(sessiont *s, int flag)
|
|||
if (!s) return 0;
|
||||
if (!s->opened) return 0;
|
||||
|
||||
/* Note that we don't handle throttling/snooping/etc here
|
||||
* To do that, we'd need to send an end accounting record
|
||||
* then a radius auth, then start accouting again.
|
||||
* That means that we need the password (which garden has)
|
||||
* and a lot of code to check that the new set of params
|
||||
* (routes, IP, ACLs, etc) 'matched' the old one in a
|
||||
* 'compatable' way. (ie user's system doesn't need to be told
|
||||
* of the change)
|
||||
*
|
||||
* Thats a lot of pain/code for very little gain.
|
||||
* If we want them redone from scratch, just sessionkill them -
|
||||
* a user on garden isn't going to have any open TCP
|
||||
* connections which are worth caring about, anyway.
|
||||
*
|
||||
* Note that the user will be rethrottled shortly by the scan
|
||||
* script thingy if appropriate.
|
||||
*
|
||||
* Currently, garden only directly ungardens someone if
|
||||
* they haven't paid their bill, and then subsequently do so
|
||||
* online. This isn't something which can be set up by a malicious
|
||||
* customer at will.
|
||||
*/
|
||||
if (flag == 1)
|
||||
{
|
||||
// Gardened User
|
||||
p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
|
||||
snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
|
||||
p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
|
||||
system(cmd);
|
||||
s->walled_garden = 1;
|
||||
s->garden = 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
sessionidt other;
|
||||
int count = 10;
|
||||
int count = 40;
|
||||
|
||||
// Normal User
|
||||
p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
|
||||
// Kick off any duplicate usernames
|
||||
// but make sure not to kick off ourself
|
||||
if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
|
||||
p.sessionkill(other, "Duplicate session when user ungardened");
|
||||
p.sessionkill(other, "Duplicate session when user un-gardened");
|
||||
}
|
||||
/* Clean up counters */
|
||||
s->cin = s->cout = 0;
|
||||
|
|
@ -130,7 +145,7 @@ int garden_session(sessiont *s, int flag)
|
|||
if (WEXITSTATUS(status) != 0) break;
|
||||
}
|
||||
|
||||
s->walled_garden = 0;
|
||||
s->garden = 0;
|
||||
|
||||
if (!s->die) {
|
||||
/* OK, we're up! */
|
||||
|
|
@ -138,7 +153,7 @@ int garden_session(sessiont *s, int flag)
|
|||
p.radiussend(r, RADIUSSTART);
|
||||
}
|
||||
}
|
||||
s->walled_garden = flag;
|
||||
s->garden = flag;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
@ -149,11 +164,9 @@ int plugin_init(struct pluginfuncs *funcs)
|
|||
if (!funcs) return 0;
|
||||
memcpy(&p, funcs, sizeof(p));
|
||||
|
||||
p.log(1, 0, 0, 0, "Enabling walled garden service\n");
|
||||
|
||||
for (i = 0; init_commands[i] && *init_commands[i]; i++)
|
||||
{
|
||||
p.log(4, 0, 0, 0, "Running %s\n", init_commands[i]);
|
||||
p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
|
||||
system(init_commands[i]);
|
||||
}
|
||||
|
||||
|
|
@ -165,7 +178,7 @@ void plugin_done()
|
|||
int i;
|
||||
for (i = 0; done_commands[i] && *done_commands[i]; i++)
|
||||
{
|
||||
p.log(4, 0, 0, 0, "Running %s\n", done_commands[i]);
|
||||
p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
|
||||
system(done_commands[i]);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue