projects / l2tpns.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Use multiple radius sockets to allow more concurrent authentication requests
[l2tpns.git] / garden.c
1 #include <string.h>
2 #include <malloc.h>
3 #include <stdlib.h>
4 #include <sys/wait.h>
5 #include <sys/types.h>
6 #include "l2tpns.h"
7 #include "plugin.h"
8 #include "control.h"
9
10 int __plugin_api_version = 1;
11 struct pluginfuncs p;
12
13 char *init_commands[] = {
14 // This is for incoming connections to a gardened user
15 "iptables -t nat -N garden_users 2>&1 >/dev/null",
16 "iptables -t nat -F garden_users",
17 "iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
18 "iptables -t nat -A l2tpns -j garden_users",
19 NULL
20 };
21
22 char *done_commands[] = {
23 "iptables -t nat -F garden_users 2>&1 >/dev/null",
24 "iptables -t nat -D l2tpns -j garden_users",
25 NULL
26 };
27
28 int garden_session(sessiont *s, int flag);
29
30 int plugin_post_auth(struct param_post_auth *data)
31 {
32 // Ignore if user authentication was successful
33 if (data->auth_allowed) return PLUGIN_RET_OK;
34
35 p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
36 data->auth_allowed = 1;
37 data->s->walled_garden = 1;
38 return PLUGIN_RET_OK;
39 }
40
41 int plugin_new_session(struct param_new_session *data)
42 {
43 if (data->s->walled_garden) garden_session(data->s, 1);
44 return PLUGIN_RET_OK;
45 }
46
47 int plugin_kill_session(struct param_new_session *data)
48 {
49 if (data->s->walled_garden) garden_session(data->s, 0);
50 return PLUGIN_RET_OK;
51 }
52
53 int plugin_control(struct param_control *data)
54 {
55 sessiont *s;
56 sessionidt session;
57
58 if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
59 if (!data->data && data->data_length) return PLUGIN_RET_OK;
60 session = atoi((char*)(data->data));
61 if (!session) return PLUGIN_RET_OK; // Really?
62 data->send_response = 1;
63 s = p.get_session_by_id(session);
64 if (!s || !s->ip)
65 {
66 char *errormsg = "Session not connected";
67 *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
68 sprintf((data->response + data->response_length), "%s", errormsg);
69 data->response_length += strlen(errormsg) + 1;
70
71 p.log(3, 0, 0, 0, "Unknown session %s\n", session);
72 return PLUGIN_RET_STOP;
73 }
74 *(short *)(data->response + 2) = ntohs(PKT_RESP_OK);
75
76 if (!(garden_session(s, (data->type == PKT_GARDEN))))
77 {
78 char *errormsg = "User not connected";
79 *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
80 sprintf((data->response + data->response_length), "%s", errormsg);
81 data->response_length += strlen(errormsg) + 1;
82 }
83 return PLUGIN_RET_STOP;
84 }
85
86 int garden_session(sessiont *s, int flag)
87 {
88 char cmd[2048];
89
90 if (!s) return 0;
91 if (!s->opened) return 0;
92
93 /* Note that we don't handle throttling/snooping/etc here
94 * To do that, we'd need to send an end accounting record
95 * then a radius auth, then start accouting again.
96 * That means that we need the password (which garden has)
97 * and a lot of code to check that the new set of params
98 * (routes, IP, ACLs, etc) 'matched' the old one in a
99 * 'compatable' way. (ie user's system doesn't need to be told
100 * of the change)
101 *
102 * Thats a lot of pain/code for very little gain.
103 * If we want them redone from scratch, just sessionkill them -
104 * a user on garden isn't going to have any open TCP
105 * connections which are worth caring about, anyway.
106 *
107 * Note that the user will be rethrottled shortly by the scan
108 * script thingy if appropriate.
109 *
110 * Currently, garden only directly ungardens someone if
111 * they haven't paid their bill, and then subsequently do so
112 * online. This isn't something which can be set up by a malicious
113 * customer at will.
114 */
115 if (flag == 1)
116 {
117 // Gardened User
118 p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
119 snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
120 p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
121 system(cmd);
122 s->walled_garden = 1;
123 }
124 else
125 {
126 sessionidt other;
127 int count = 40;
128
129 // Normal User
130 p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
131 // Kick off any duplicate usernames
132 // but make sure not to kick off ourself
133 if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
134 p.sessionkill(other, "Duplicate session when user un-gardened");
135 }
136 /* Clean up counters */
137 s->cin = s->cout = 0;
138 s->pin = s->pout = 0;
139
140 snprintf(cmd, 2048, "iptables -t nat -D garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
141 p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
142 while (--count)
143 {
144 int status = system(cmd);
145 if (WEXITSTATUS(status) != 0) break;
146 }
147
148 s->walled_garden = 0;
149
150 if (!s->die) {
151 /* OK, we're up! */
152 u16 r = p.radiusnew(p.get_id_by_session(s));
153 p.radiussend(r, RADIUSSTART);
154 }
155 }
156 s->walled_garden = flag;
157 return 1;
158 }
159
160 int plugin_init(struct pluginfuncs *funcs)
161 {
162 int i;
163
164 if (!funcs) return 0;
165 memcpy(&p, funcs, sizeof(p));
166
167 for (i = 0; init_commands[i] && *init_commands[i]; i++)
168 {
169 p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
170 system(init_commands[i]);
171 }
172
173 return 1;
174 }
175
176 void plugin_done()
177 {
178 int i;
179 for (i = 0; done_commands[i] && *done_commands[i]; i++)
180 {
181 p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
182 system(done_commands[i]);
183 }
184 }
185
for cloning use: "git clone git://git.sameswireless.fr/l2tpns.git" ; For add to your sources.list: "deb http://package.sameswifi.fr/ jessie main"