int __plugin_api_version = 1;
struct pluginfuncs p;
-int garden_session(sessiont *s, int flag);
-
char *init_commands[] = {
// This is for incoming connections to a gardened user
"iptables -t nat -N garden_users 2>&1 >/dev/null",
- "iptables -t nat -F garden_users 2>&1 >/dev/null",
- "iptables -t nat -N garden 2>&1 >/dev/null",
+ "iptables -t nat -F garden_users",
+ "iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
"iptables -t nat -A l2tpns -j garden_users",
NULL
};
char *done_commands[] = {
"iptables -t nat -F garden_users 2>&1 >/dev/null",
- "iptables -t nat -D l2tpns -j garden_users 2>&1 >/dev/null",
+ "iptables -t nat -D l2tpns -j garden_users",
NULL
};
+int garden_session(sessiont *s, int flag);
+
int plugin_post_auth(struct param_post_auth *data)
{
// Ignore if user authentication was successful
if (data->auth_allowed) return PLUGIN_RET_OK;
- p.log(3, 0, 0, 0, "User allowed into walled garden\n");
+ p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
data->auth_allowed = 1;
data->s->walled_garden = 1;
return PLUGIN_RET_OK;
if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
if (!data->data && data->data_length) return PLUGIN_RET_OK;
session = atoi((char*)(data->data));
-
- if (!session)
- return PLUGIN_RET_OK;
-
+ if (!session) return PLUGIN_RET_OK; // Really?
data->send_response = 1;
s = p.get_session_by_id(session);
if (!s || !s->ip)
return PLUGIN_RET_STOP;
}
-int plugin_config(struct param_config *data)
-{
- return PLUGIN_RET_OK;
-}
-
int garden_session(sessiont *s, int flag)
{
char cmd[2048];
if (!s) return 0;
if (!s->opened) return 0;
+ /* Note that we don't handle throttling/snooping/etc here
+ * To do that, we'd need to send an end accounting record
+ * then a radius auth, then start accouting again.
+ * That means that we need the password (which garden has)
+ * and a lot of code to check that the new set of params
+ * (routes, IP, ACLs, etc) 'matched' the old one in a
+ * 'compatable' way. (ie user's system doesn't need to be told
+ * of the change)
+ *
+ * Thats a lot of pain/code for very little gain.
+ * If we want them redone from scratch, just sessionkill them -
+ * a user on garden isn't going to have any open TCP
+ * connections which are worth caring about, anyway.
+ *
+ * Note that the user will be rethrottled shortly by the scan
+ * script thingy if appropriate.
+ *
+ * Currently, garden only directly ungardens someone if
+ * they haven't paid their bill, and then subsequently do so
+ * online. This isn't something which can be set up by a malicious
+ * customer at will.
+ */
if (flag == 1)
{
+ // Gardened User
p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
else
{
sessionidt other;
- int count = 10;
+ int count = 40;
// Normal User
p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
// Kick off any duplicate usernames
// but make sure not to kick off ourself
if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
- p.sessionkill(other, "Duplicate session when user ungardened");
+ p.sessionkill(other, "Duplicate session when user un-gardened");
}
/* Clean up counters */
s->cin = s->cout = 0;
if (!funcs) return 0;
memcpy(&p, funcs, sizeof(p));
- p.log(1, 0, 0, 0, "Enabling walled garden service\n");
-
for (i = 0; init_commands[i] && *init_commands[i]; i++)
{
- p.log(4, 0, 0, 0, "Running %s\n", init_commands[i]);
+ p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
system(init_commands[i]);
}
int i;
for (i = 0; done_commands[i] && *done_commands[i]; i++)
{
- p.log(4, 0, 0, 0, "Running %s\n", done_commands[i]);
+ p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
system(done_commands[i]);
}
}