X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/3aa4eda8b1e0c4abc04439affe850d33648c7472..8512f6d9249a7190045a14066f952162ae67b0d3:/garden.c

diff --git a/garden.c b/garden.c
index 064bea2..c3ce34a 100644
--- a/garden.c
+++ b/garden.c
@@ -10,29 +10,29 @@
 int __plugin_api_version = 1;
 struct pluginfuncs p;
 
-int garden_session(sessiont *s, int flag);
-
 char *init_commands[] = {
 	// This is for incoming connections to a gardened user
 	"iptables -t nat -N garden_users 2>&1 >/dev/null",
-	"iptables -t nat -F garden_users 2>&1 >/dev/null",
-	"iptables -t nat -N garden 2>&1 >/dev/null",
+	"iptables -t nat -F garden_users",
+	"iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */
 	"iptables -t nat -A l2tpns -j garden_users",
 	NULL
 };
 
 char *done_commands[] = {
 	"iptables -t nat -F garden_users 2>&1 >/dev/null",
-	"iptables -t nat -D l2tpns -j garden_users 2>&1 >/dev/null",
+	"iptables -t nat -D l2tpns -j garden_users",
 	NULL
 };
 
+int garden_session(sessiont *s, int flag);
+
 int plugin_post_auth(struct param_post_auth *data)
 {
 	// Ignore if user authentication was successful
 	if (data->auth_allowed) return PLUGIN_RET_OK;
 
-	p.log(3, 0, 0, 0, "User allowed into walled garden\n");
+	p.log(3, 0, 0, 0, "Walled Garden allowing login\n");
 	data->auth_allowed = 1;
 	data->s->walled_garden = 1;
 	return PLUGIN_RET_OK;
@@ -58,10 +58,7 @@ int plugin_control(struct param_control *data)
 	if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK;
 	if (!data->data && data->data_length) return PLUGIN_RET_OK;
 	session = atoi((char*)(data->data));
-
-	if (!session)
-		return PLUGIN_RET_OK;
-
+	if (!session) return PLUGIN_RET_OK; // Really?
 	data->send_response = 1;
 	s = p.get_session_by_id(session);
 	if (!s || !s->ip)
@@ -71,7 +68,7 @@ int plugin_control(struct param_control *data)
 		sprintf((data->response + data->response_length), "%s", errormsg);
 		data->response_length += strlen(errormsg) + 1;
 
-		p.log(3, 0, 0, 0, "Unknown session %s\n", session);
+		p.log(3, 0, 0, 0, "Unknown session %d\n", session);
 		return PLUGIN_RET_STOP;
 	}
 	*(short *)(data->response + 2) = ntohs(PKT_RESP_OK);
@@ -86,11 +83,6 @@ int plugin_control(struct param_control *data)
 	return PLUGIN_RET_STOP;
 }
 
-int plugin_config(struct param_config *data)
-{
-	return PLUGIN_RET_OK;
-}
-
 int garden_session(sessiont *s, int flag)
 {
 	char cmd[2048];
@@ -98,8 +90,31 @@ int garden_session(sessiont *s, int flag)
 	if (!s) return 0;
 	if (!s->opened) return 0;
 
+	/* Note that we don't handle throttling/snooping/etc here
+	 * To do that, we'd need to send an end accounting record
+	 * then a radius auth, then start accouting again.
+	 * That means that we need the password (which garden has)
+	 * and a lot of code to check that the new set of params
+	 * (routes, IP, ACLs, etc) 'matched' the old one in a
+	 * 'compatable' way. (ie user's system doesn't need to be told
+	 * of the change)
+	 *
+	 * Thats a lot of pain/code for very little gain.
+	 * If we want them redone from scratch, just sessionkill them -
+	 * a user on garden isn't going to have any open TCP
+	 * connections which are worth caring about, anyway.
+	 *
+	 * Note that the user will be rethrottled shortly by the scan
+	 * script thingy if appropriate.
+	 *
+	 * Currently, garden only directly ungardens someone if
+	 * they haven't paid their bill, and then subsequently do so
+	 * online. This isn't something which can be set up by a malicious
+	 * customer at will.
+	 */
 	if (flag == 1)
 	{
+		// Gardened User
 		p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
 		snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip)));
 		p.log(3, 0, 0, s->tunnel, "%s\n", cmd);
@@ -109,14 +124,14 @@ int garden_session(sessiont *s, int flag)
 	else
 	{
 		sessionidt other;
-		int count = 10;
+		int count = 40;
 
 		// Normal User
 		p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip)));
 		// Kick off any duplicate usernames
 		// but make sure not to kick off ourself
 		if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) {
-			p.sessionkill(other, "Duplicate session when user ungardened");
+			p.sessionkill(other, "Duplicate session when user un-gardened");
 		}
 		/* Clean up counters */
 		s->cin = s->cout = 0;
@@ -134,7 +149,7 @@ int garden_session(sessiont *s, int flag)
 
 		if (!s->die) {
 			/* OK, we're up! */
-			u8 r = p.radiusnew(p.get_id_by_session(s));
+			u16 r = p.radiusnew(p.get_id_by_session(s));
 			p.radiussend(r, RADIUSSTART);
 		}
 	}
@@ -149,11 +164,9 @@ int plugin_init(struct pluginfuncs *funcs)
 	if (!funcs) return 0;
 	memcpy(&p, funcs, sizeof(p));
 
-	p.log(1, 0, 0, 0, "Enabling walled garden service\n");
-
 	for (i = 0; init_commands[i] && *init_commands[i]; i++)
 	{
-		p.log(4, 0, 0, 0, "Running %s\n", init_commands[i]);
+		p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]);
 		system(init_commands[i]);
 	}
 
@@ -165,7 +178,7 @@ void plugin_done()
 	int i;
 	for (i = 0; done_commands[i] && *done_commands[i]; i++)
 	{
-		p.log(4, 0, 0, 0, "Running %s\n", done_commands[i]);
+		p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]);
 		system(done_commands[i]);
 	}
 }