#include "plugin.h"
#include "control.h"
-int __plugin_api_version = 1;
-struct pluginfuncs p;
+/* walled garden */
-char *init_commands[] = {
- // This is for incoming connections to a gardened user
- "iptables -t nat -N garden_users 2>&1 >/dev/null",
+char const *cvs_id = "$Id: garden.c,v 1.22 2005-05-07 08:17:25 bodea Exp $";
+
+int plugin_api_version = PLUGIN_API_VERSION;
+static struct pluginfuncs *p = 0;
+
+static int iam_master = 0; // We're all slaves! Slaves I tell you!
+
+char *up_commands[] = {
+ "iptables -t nat -N garden >/dev/null 2>&1", // Create a chain that all gardened users will go through
+ "iptables -t nat -F garden",
+ ". " PLUGINCONF "/build-garden", // Populate with site-specific DNAT rules
+ "iptables -t nat -N garden_users >/dev/null 2>&1", // Empty chain, users added/removed by garden_session
"iptables -t nat -F garden_users",
- "iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
- "iptables -t nat -A l2tpns -j garden_users",
- NULL
+ "iptables -t nat -A PREROUTING -j garden_users", // DNAT any users on the garden_users chain
+ "sysctl -w net.ipv4.ip_conntrack_max=512000 >/dev/null", // lots of entries
+ NULL,
};
-char *done_commands[] = {
- "iptables -t nat -F garden_users 2>&1 >/dev/null",
- "iptables -t nat -D l2tpns -j garden_users",
- NULL
+char *down_commands[] = {
+ "iptables -t nat -F PREROUTING",
+ "iptables -t nat -F garden_users",
+ "iptables -t nat -X garden_users",
+ "iptables -t nat -F garden",
+ "iptables -t nat -X garden",
+ "rmmod iptable_nat", // Should also remove ip_conntrack, but
+ // doing so can take hours... literally.
+ // If a master is re-started as a slave,
+ // either rmmod manually, or reboot.
+ NULL,
};
-int garden_session(sessiont *s, int flag);
+#define F_UNGARDEN 0
+#define F_GARDEN 1
+#define F_CLEANUP 2
+
+int garden_session(sessiont *s, int flag, char *newuser);
int plugin_post_auth(struct param_post_auth *data)
{
// Ignore if user authentication was successful
if (data->auth_allowed) return PLUGIN_RET_OK;
- p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
+ p->log(3, p->get_id_by_session(data->s), data->s->tunnel, "Walled Garden allowing login\n");
data->auth_allowed = 1;
data->s->walled_garden = 1;
return PLUGIN_RET_OK;
int plugin_new_session(struct param_new_session *data)
{
- if (data->s->walled_garden) garden_session(data->s, 1);
+ if (!iam_master)
+ return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
+
+ if (data->s->walled_garden)
+ garden_session(data->s, F_GARDEN, 0);
+
return PLUGIN_RET_OK;
}
int plugin_kill_session(struct param_new_session *data)
{
- if (data->s->walled_garden) garden_session(data->s, 0);
+ if (!iam_master)
+ return PLUGIN_RET_OK; // Slaves don't do walled garden processing.
+
+ if (data->s->walled_garden)
+ garden_session(data->s, F_CLEANUP, 0);
+
return PLUGIN_RET_OK;
}
+char *plugin_control_help[] = {
+ " garden USER|SID Put user into the walled garden",
+ " ungarden SID [USER] Release session from garden",
+ 0
+};
+
int plugin_control(struct param_control *data)
{
- sessiont *s;
sessionidt session;
+ sessiont *s = 0;
+ int flag;
+ char *end;
- if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
- if (!data->data && data->data_length) return PLUGIN_RET_OK;
- session = atoi((char*)(data->data));
- if (!session) return PLUGIN_RET_OK; // Really?
- data->send_response = 1;
- s = p.get_session_by_id(session);
- if (!s || !s->ip)
+ if (data->argc < 1)
+ return PLUGIN_RET_OK;
+
+ if (strcmp(data->argv[0], "garden") && strcmp(data->argv[0], "ungarden"))
+ return PLUGIN_RET_OK; // not for us
+
+ if (!iam_master)
+ return PLUGIN_RET_NOTMASTER;
+
+ flag = data->argv[0][0] == 'g' ? F_GARDEN : F_UNGARDEN;
+
+ if (data->argc < 2 || data->argc > 3 || (data->argc > 2 && flag == F_GARDEN))
{
- char *errormsg = "Session not connected";
- *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
- sprintf((data->response + data->response_length), "%s", errormsg);
- data->response_length += strlen(errormsg) + 1;
+ data->response = NSCTL_RES_ERR;
+ data->additional = flag == F_GARDEN
+ ? "requires username or session id"
+ : "requires session id and optional username";
+
+ return PLUGIN_RET_STOP;
+ }
+
+ if (!(session = strtol(data->argv[1], &end, 10)) || *end)
+ {
+ if (flag)
+ session = p->get_session_by_username(data->argv[1]);
+ else
+ session = 0; // can't ungarden by username
+ }
- p.log(3, 0, 0, 0, "Unknown session %s\n", session);
+ if (session)
+ s = p->get_session_by_id(session);
+
+ if (!s || !s->ip)
+ {
+ data->response = NSCTL_RES_ERR;
+ data->additional = "session not found";
return PLUGIN_RET_STOP;
}
- *(short *)(data->response + 2) = ntohs(PKT_RESP_OK);
- if (!(garden_session(s, (data->type == PKT_GARDEN))))
+ if (s->walled_garden == flag)
{
- char *errormsg = "User not connected";
- *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
- sprintf((data->response + data->response_length), "%s", errormsg);
- data->response_length += strlen(errormsg) + 1;
+ data->response = NSCTL_RES_ERR;
+ data->additional = flag ? "already in walled garden" : "not in walled garden";
+ return PLUGIN_RET_STOP;
}
+
+ garden_session(s, flag, data->argc > 2 ? data->argv[2] : 0);
+ p->session_changed(session);
+
+ data->response = NSCTL_RES_OK;
+ data->additional = 0;
+
return PLUGIN_RET_STOP;
}
-int garden_session(sessiont *s, int flag)
+int plugin_become_master(void)
+{
+ int i;
+ iam_master = 1; // We just became the master. Wow!
+
+ for (i = 0; up_commands[i] && *up_commands[i]; i++)
+ {
+ p->log(3, 0, 0, "Running %s\n", up_commands[i]);
+ system(up_commands[i]);
+ }
+
+ return PLUGIN_RET_OK;
+}
+
+// Called for each active session after becoming master
+int plugin_new_session_master(sessiont *s)
+{
+ if (s->walled_garden)
+ garden_session(s, F_GARDEN, 0);
+
+ return PLUGIN_RET_OK;
+}
+
+int garden_session(sessiont *s, int flag, char *newuser)
{
char cmd[2048];
+ sessionidt sess;
if (!s) return 0;
if (!s->opened) return 0;
- /* Note that we don't handle throttling/snooping/etc here
- * To do that, we'd need to send an end accounting record
- * then a radius auth, then start accouting again.
- * That means that we need the password (which garden has)
- * and a lot of code to check that the new set of params
- * (routes, IP, ACLs, etc) 'matched' the old one in a
- * 'compatable' way. (ie user's system doesn't need to be told
- * of the change)
- *
- * Thats a lot of pain/code for very little gain.
- * If we want them redone from scratch, just sessionkill them -
- * a user on garden isn't going to have any open TCP
- * connections which are worth caring about, anyway.
- *
- * Note that the user will be rethrottled shortly by the scan
- * script thingy if appropriate.
- *
- * Currently, garden only directly ungardens someone if
- * they haven't paid their bill, and then subsequently do so
- * online. This isn't something which can be set up by a malicious
- * customer at will.
- */
- if (flag == 1)
+ sess = p->get_id_by_session(s);
+ if (flag == F_GARDEN)
{
- // Gardened User
- p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
- snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
- p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
+ p->log(2, sess, s->tunnel, "Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
+ snprintf(cmd, sizeof(cmd), "iptables -t nat -A garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
+ p->log(3, sess, s->tunnel, "%s\n", cmd);
system(cmd);
s->walled_garden = 1;
}
int count = 40;
// Normal User
- p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
+ p->log(2, sess, s->tunnel, "Un-Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
+ if (newuser)
+ {
+ snprintf(s->user, MAXUSER, "%s", newuser);
+ p->log(2, sess, s->tunnel, " Setting username to %s\n", s->user);
+ }
+
// Kick off any duplicate usernames
// but make sure not to kick off ourself
- if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
- p.sessionkill(other, "Duplicate session when user un-gardened");
+ if (s->ip && !s->die && (other = p->get_session_by_username(s->user)) && s != p->get_session_by_id(other)) {
+ p->sessionkill(other, "Duplicate session when user released from walled garden");
}
/* Clean up counters */
s->cin = s->cout = 0;
s->pin = s->pout = 0;
- snprintf(cmd, 2048, "iptables -t nat -D garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
- p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
+ snprintf(cmd, sizeof(cmd), "iptables -t nat -D garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
+ p->log(3, sess, s->tunnel, "%s\n", cmd);
while (--count)
{
int status = system(cmd);
s->walled_garden = 0;
- if (!s->die) {
+ if (flag != F_CLEANUP)
+ {
/* OK, we're up! */
- u16 r = p.radiusnew(p.get_id_by_session(s));
- p.radiussend(r, RADIUSSTART);
+ uint16_t r = p->radiusnew(p->get_id_by_session(s));
+ if (r) p->radiussend(r, RADIUSSTART);
}
}
- s->walled_garden = flag;
+
return 1;
}
int plugin_init(struct pluginfuncs *funcs)
{
- int i;
+ FILE *tables;
+ int found_nat = 0;
+
+ if (!funcs)
+ return 0;
+
+ p = funcs;
- if (!funcs) return 0;
- memcpy(&p, funcs, sizeof(p));
+ if ((tables = fopen("/proc/net/ip_tables_names", "r")))
+ {
+ char buf[1024];
+ while (fgets(buf, sizeof(buf), tables) && !found_nat)
+ found_nat = !strcmp(buf, "nat\n");
+
+ fclose(tables);
+ }
- for (i = 0; init_commands[i] && *init_commands[i]; i++)
+ /* master killed/crashed? */
+ if (found_nat)
{
- p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
- system(init_commands[i]);
+ int i;
+ for (i = 0; down_commands[i] && *down_commands[i]; i++)
+ {
+ p->log(3, 0, 0, "Running %s\n", down_commands[i]);
+ system(down_commands[i]);
+ }
}
return 1;
void plugin_done()
{
int i;
- for (i = 0; done_commands[i] && *done_commands[i]; i++)
+
+ if (!iam_master) // Never became master. nothing to do.
+ return;
+
+ for (i = 0; down_commands[i] && *down_commands[i]; i++)
{
- p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
- system(done_commands[i]);
+ p->log(3, 0, 0, "Running %s\n", down_commands[i]);
+ system(down_commands[i]);
}
}