logging

[l2tpns.git] / garden.c

diff --git a/garden.c b/garden.c
index c3ce34a..b352e7b 100644 (file)
--- a/garden.c
+++ b/garden.c
@@ -7,32 +7,51 @@
 #include "plugin.h"
 #include "control.h"
 
 #include "plugin.h"
 #include "control.h"
 

-int __plugin_api_version = 1;
-struct pluginfuncs p;
+/* walled garden */

 
 

-char *init_commands[] = {
-       // This is for incoming connections to a gardened user
-       "iptables -t nat -N garden_users 2>&1 >/dev/null",
+char const *cvs_id = "$Id: garden.c,v 1.23 2005/06/02 11:32:30 bodea Exp $";
+
+int plugin_api_version = PLUGIN_API_VERSION;
+static struct pluginfuncs *p = 0;
+
+static int iam_master = 0;     // We're all slaves! Slaves I tell you!
+
+char *up_commands[] = {
+       "iptables -t nat -N garden >/dev/null 2>&1",                    // Create a chain that all gardened users will go through
+       "iptables -t nat -F garden",
+       ". " PLUGINCONF "/build-garden",                                // Populate with site-specific DNAT rules
+       "iptables -t nat -N garden_users >/dev/null 2>&1",              // Empty chain, users added/removed by garden_session

        "iptables -t nat -F garden_users",
        "iptables -t nat -F garden_users",

-       "iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
-       "iptables -t nat -A l2tpns -j garden_users",
-       NULL
+       "iptables -t nat -A PREROUTING -j garden_users",                // DNAT any users on the garden_users chain
+       "sysctl -w net.ipv4.ip_conntrack_max=512000 >/dev/null",        // lots of entries
+       NULL,

 };
 
 };
 

-char *done_commands[] = {
-       "iptables -t nat -F garden_users 2>&1 >/dev/null",
-       "iptables -t nat -D l2tpns -j garden_users",
-       NULL
+char *down_commands[] = {
+       "iptables -t nat -F PREROUTING",
+       "iptables -t nat -F garden_users",
+       "iptables -t nat -X garden_users",
+       "iptables -t nat -F garden",
+       "iptables -t nat -X garden",
+       "rmmod iptable_nat",    // Should also remove ip_conntrack, but
+                               // doing so can take hours...  literally.
+                               // If a master is re-started as a slave,
+                               // either rmmod manually, or reboot.
+       NULL,

 };
 
 };
 

-int garden_session(sessiont *s, int flag);
+#define F_UNGARDEN     0
+#define F_GARDEN       1
+#define F_CLEANUP      2
+
+int garden_session(sessiont *s, int flag, char *newuser);

 
 int plugin_post_auth(struct param_post_auth *data)
 {
        // Ignore if user authentication was successful
        if (data->auth_allowed) return PLUGIN_RET_OK;
 
 
 int plugin_post_auth(struct param_post_auth *data)
 {
        // Ignore if user authentication was successful
        if (data->auth_allowed) return PLUGIN_RET_OK;
 

-       p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
+       p->log(3, p->get_id_by_session(data->s), data->s->tunnel, "Walled Garden allowing login\n");

        data->auth_allowed = 1;
        data->s->walled_garden = 1;
        return PLUGIN_RET_OK;
        data->auth_allowed = 1;
        data->s->walled_garden = 1;
        return PLUGIN_RET_OK;


@@ -40,84 +59,131 @@ int plugin_post_auth(struct param_post_auth *data)
 
 int plugin_new_session(struct param_new_session *data)
 {
 
 int plugin_new_session(struct param_new_session *data)
 {

-       if (data->s->walled_garden) garden_session(data->s, 1);
+       if (!iam_master)
+               return PLUGIN_RET_OK;   // Slaves don't do walled garden processing.
+
+       if (data->s->walled_garden)
+               garden_session(data->s, F_GARDEN, 0);
+

        return PLUGIN_RET_OK;
 }
 
 int plugin_kill_session(struct param_new_session *data)
 {
        return PLUGIN_RET_OK;
 }
 
 int plugin_kill_session(struct param_new_session *data)
 {

-       if (data->s->walled_garden) garden_session(data->s, 0);
+       if (!iam_master)
+               return PLUGIN_RET_OK;   // Slaves don't do walled garden processing.
+
+       if (data->s->walled_garden)
+               garden_session(data->s, F_CLEANUP, 0);
+

        return PLUGIN_RET_OK;
 }
 
        return PLUGIN_RET_OK;
 }
 

+char *plugin_control_help[] = {
+       "  garden USER|SID                             Put user into the walled garden",
+       "  ungarden SID [USER]                         Release session from garden",
+       0
+};
+

 int plugin_control(struct param_control *data)
 {
 int plugin_control(struct param_control *data)
 {

-       sessiont *s;

        sessionidt session;
        sessionidt session;

+       sessiont *s = 0;
+       int flag;
+       char *end;

 
 

-       if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
-       if (!data->data && data->data_length) return PLUGIN_RET_OK;
-       session = atoi((char*)(data->data));
-       if (!session) return PLUGIN_RET_OK; // Really?
-       data->send_response = 1;
-       s = p.get_session_by_id(session);
-       if (!s || !s->ip)
+       if (data->argc < 1)
+               return PLUGIN_RET_OK;
+
+       if (strcmp(data->argv[0], "garden") && strcmp(data->argv[0], "ungarden"))
+               return PLUGIN_RET_OK; // not for us
+
+       if (!iam_master)
+               return PLUGIN_RET_NOTMASTER;
+
+       flag = data->argv[0][0] == 'g' ? F_GARDEN : F_UNGARDEN;
+
+       if (data->argc < 2 || data->argc > 3 || (data->argc > 2 && flag == F_GARDEN))

        {
        {

-               char *errormsg = "Session not connected";
-               *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
-               sprintf((data->response + data->response_length), "%s", errormsg);
-               data->response_length += strlen(errormsg) + 1;
+               data->response = NSCTL_RES_ERR;
+               data->additional = flag == F_GARDEN
+                   ? "requires username or session id"
+                   : "requires session id and optional username";

 
 

-               p.log(3, 0, 0, 0, "Unknown session %d\n", session);

                return PLUGIN_RET_STOP;
        }
                return PLUGIN_RET_STOP;
        }

-       *(short *)(data->response + 2) = ntohs(PKT_RESP_OK);

 
 

-       if (!(garden_session(s, (data->type == PKT_GARDEN))))
+       if (!(session = strtol(data->argv[1], &end, 10)) || *end)
+       {
+               if (flag)
+                       session = p->get_session_by_username(data->argv[1]);
+               else
+                       session = 0; // can't ungarden by username
+       }
+
+       if (session)
+               s = p->get_session_by_id(session);
+
+       if (!s || !s->ip)

        {
        {

-               char *errormsg = "User not connected";
-               *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR);
-               sprintf((data->response + data->response_length), "%s", errormsg);
-               data->response_length += strlen(errormsg) + 1;
+               data->response = NSCTL_RES_ERR;
+               data->additional = "session not found";
+               return PLUGIN_RET_STOP;

        }
        }

+
+       if (s->walled_garden == flag)
+       {
+               data->response = NSCTL_RES_ERR;
+               data->additional = flag ? "already in walled garden" : "not in walled garden";
+               return PLUGIN_RET_STOP;
+       }
+
+       garden_session(s, flag, data->argc > 2 ? data->argv[2] : 0);
+       p->session_changed(session);
+
+       data->response = NSCTL_RES_OK;
+       data->additional = 0;
+

        return PLUGIN_RET_STOP;
 }
 
        return PLUGIN_RET_STOP;
 }
 

-int garden_session(sessiont *s, int flag)
+int plugin_become_master(void)
+{
+       int i;
+       iam_master = 1; // We just became the master. Wow!
+
+       for (i = 0; up_commands[i] && *up_commands[i]; i++)
+       {
+               p->log(3, 0, 0, "Running %s\n", up_commands[i]);
+               system(up_commands[i]);
+       }
+
+       return PLUGIN_RET_OK;
+}
+
+// Called for each active session after becoming master
+int plugin_new_session_master(sessiont *s)
+{      
+       if (s->walled_garden)
+               garden_session(s, F_GARDEN, 0);
+
+       return PLUGIN_RET_OK;
+}
+
+int garden_session(sessiont *s, int flag, char *newuser)

 {
        char cmd[2048];
 {
        char cmd[2048];

+       sessionidt sess;

 
        if (!s) return 0;
        if (!s->opened) return 0;
 
 
        if (!s) return 0;
        if (!s->opened) return 0;
 

-       /* Note that we don't handle throttling/snooping/etc here
-        * To do that, we'd need to send an end accounting record
-        * then a radius auth, then start accouting again.
-        * That means that we need the password (which garden has)
-        * and a lot of code to check that the new set of params
-        * (routes, IP, ACLs, etc) 'matched' the old one in a
-        * 'compatable' way. (ie user's system doesn't need to be told
-        * of the change)
-        *
-        * Thats a lot of pain/code for very little gain.
-        * If we want them redone from scratch, just sessionkill them -
-        * a user on garden isn't going to have any open TCP
-        * connections which are worth caring about, anyway.
-        *
-        * Note that the user will be rethrottled shortly by the scan
-        * script thingy if appropriate.
-        *
-        * Currently, garden only directly ungardens someone if
-        * they haven't paid their bill, and then subsequently do so
-        * online. This isn't something which can be set up by a malicious
-        * customer at will.
-        */
-       if (flag == 1)
+       sess = p->get_id_by_session(s);
+       if (flag == F_GARDEN)

        {
        {

-               // Gardened User
-               p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
-               snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
-               p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
+               p->log(2, sess, s->tunnel, "Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
+               snprintf(cmd, sizeof(cmd), "iptables -t nat -A garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
+               p->log(3, sess, s->tunnel, "%s\n", cmd);

                system(cmd);
                s->walled_garden = 1;
        }
                system(cmd);
                s->walled_garden = 1;
        }


@@ -127,18 +193,26 @@ int garden_session(sessiont *s, int flag)
                int count = 40;
 
                // Normal User
                int count = 40;
 
                // Normal User

-               p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
+               p->log(2, sess, s->tunnel, "Un-Garden user %s (%s)\n", s->user, p->fmtaddr(htonl(s->ip), 0));
+               if (newuser)
+               {
+                       snprintf(s->user, MAXUSER, "%s", newuser);
+                       p->log(2, sess, s->tunnel, "  Setting username to %s\n", s->user);
+               }
+

                // Kick off any duplicate usernames
                // but make sure not to kick off ourself
                // Kick off any duplicate usernames
                // but make sure not to kick off ourself

-               if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
-                       p.sessionkill(other, "Duplicate session when user un-gardened");
+               if (s->ip && !s->die && (other = p->get_session_by_username(s->user)) && s != p->get_session_by_id(other)) {
+                       p->sessionkill(other, "Duplicate session when user released from walled garden");

                }
                /* Clean up counters */
                }
                /* Clean up counters */

-               s->cin = s->cout = 0;

                s->pin = s->pout = 0;
                s->pin = s->pout = 0;

+               s->cin = s->cout = 0;
+               s->cin_delta = s->cout_delta = 0;
+               s->cin_wrap = s->cout_wrap = 0;

 
 

-               snprintf(cmd, 2048, "iptables -t nat -D garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
-               p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
+               snprintf(cmd, sizeof(cmd), "iptables -t nat -D garden_users -s %s -j garden", p->fmtaddr(htonl(s->ip), 0));
+               p->log(3, sess, s->tunnel, "%s\n", cmd);

                while (--count)
                {
                        int status = system(cmd);
                while (--count)
                {
                        int status = system(cmd);


@@ -147,27 +221,45 @@ int garden_session(sessiont *s, int flag)
 
                s->walled_garden = 0;
 
 
                s->walled_garden = 0;
 

-               if (!s->die) {
+               if (flag != F_CLEANUP)
+               {

                        /* OK, we're up! */
                        /* OK, we're up! */

-                       u16 r = p.radiusnew(p.get_id_by_session(s));
-                       p.radiussend(r, RADIUSSTART);
+                       uint16_t r = p->radiusnew(p->get_id_by_session(s));
+                       if (r) p->radiussend(r, RADIUSSTART);

                }
        }
                }
        }

-       s->walled_garden = flag;
+

        return 1;
 }
 
 int plugin_init(struct pluginfuncs *funcs)
 {
        return 1;
 }
 
 int plugin_init(struct pluginfuncs *funcs)
 {

-       int i;
+       FILE *tables;
+       int found_nat = 0;
+
+       if (!funcs)
+               return 0;
+
+       p = funcs;

 
 

-       if (!funcs) return 0;
-       memcpy(&p, funcs, sizeof(p));
+       if ((tables = fopen("/proc/net/ip_tables_names", "r")))
+       {
+               char buf[1024];
+               while (fgets(buf, sizeof(buf), tables) && !found_nat)
+                       found_nat = !strcmp(buf, "nat\n");
+
+               fclose(tables);
+       }

 
 

-       for (i = 0; init_commands[i] && *init_commands[i]; i++)
+       /* master killed/crashed? */
+       if (found_nat)

        {
        {

-               p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
-               system(init_commands[i]);
+               int i;
+               for (i = 0; down_commands[i] && *down_commands[i]; i++)
+               {
+                       p->log(3, 0, 0, "Running %s\n", down_commands[i]);
+                       system(down_commands[i]);
+               }

        }
 
        return 1;
        }
 
        return 1;


@@ -176,10 +268,14 @@ int plugin_init(struct pluginfuncs *funcs)
 void plugin_done()
 {
        int i;
 void plugin_done()
 {
        int i;

-       for (i = 0; done_commands[i] && *done_commands[i]; i++)
+
+       if (!iam_master)        // Never became master. nothing to do.
+               return;
+
+       for (i = 0; down_commands[i] && *down_commands[i]; i++)

        {
        {

-               p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
-               system(done_commands[i]);
+               p->log(3, 0, 0, "Running %s\n", down_commands[i]);
+               system(down_commands[i]);

        }
 }
 
        }
 }