X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/69a383f460ae05ca3694f67744198c269141d14a..HEAD:/garden.c diff --git a/garden.c b/garden.c index c3ce34a..0e6880c 100644 --- a/garden.c +++ b/garden.c @@ -3,183 +3,296 @@ #include #include #include +#include +#include "dhcp6.h" #include "l2tpns.h" #include "plugin.h" #include "control.h" -int __plugin_api_version = 1; -struct pluginfuncs p; +/* walled garden */ -char *init_commands[] = { - // This is for incoming connections to a gardened user - "iptables -t nat -N garden_users 2>&1 >/dev/null", - "iptables -t nat -F garden_users", - "iptables -t nat -N garden 2>&1", /* Don't flush - init script sets this up */ - "iptables -t nat -A l2tpns -j garden_users", - NULL +int plugin_api_version = PLUGIN_API_VERSION; +static struct pluginfuncs *f = 0; + +static int iam_master = 0; // We're all slaves! Slaves I tell you! + +char *up_commands[] = { + "iptables -t nat -N garden >/dev/null 2>&1", // Create a chain that all gardened users will go through + "iptables -t nat -F garden", + ". " PLUGINCONF "/build-garden", // Populate with site-specific DNAT rules + "iptables -t nat -N garden_users >/dev/null 2>&1", // Empty chain, users added/removed by garden_session + "iptables -t nat -F garden_users", + "iptables -t nat -A PREROUTING -j garden_users", // DNAT any users on the garden_users chain + "sysctl -w net.ipv4.netfilter.ip_conntrack_max=512000" // lots of entries + " net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=18000 >/dev/null", // 5hrs + NULL, }; -char *done_commands[] = { - "iptables -t nat -F garden_users 2>&1 >/dev/null", - "iptables -t nat -D l2tpns -j garden_users", - NULL +char *down_commands[] = { + "iptables -t nat -F PREROUTING", + "iptables -t nat -F garden_users", + "iptables -t nat -X garden_users", + "iptables -t nat -F garden", + "iptables -t nat -X garden", + "rmmod iptable_nat", // Should also remove ip_conntrack, but + // doing so can take hours... literally. + // If a master is re-started as a slave, + // either rmmod manually, or reboot. + NULL, }; -int garden_session(sessiont *s, int flag); +#define F_UNGARDEN 0 +#define F_GARDEN 1 +#define F_CLEANUP 2 + +int garden_session(sessiont *s, int flag, char *newuser); int plugin_post_auth(struct param_post_auth *data) { - // Ignore if user authentication was successful - if (data->auth_allowed) return PLUGIN_RET_OK; - - p.log(3, 0, 0, 0, "Walled Garden allowing login\n"); - data->auth_allowed = 1; - data->s->walled_garden = 1; + // Ignore if user authentication was successful + if (data->auth_allowed) return PLUGIN_RET_OK; + + f->log(3, f->get_id_by_session(data->s), data->s->tunnel, + "Walled Garden allowing login\n"); + + data->auth_allowed = 1; + data->s->walled_garden = 1; + return PLUGIN_RET_OK; } int plugin_new_session(struct param_new_session *data) { - if (data->s->walled_garden) garden_session(data->s, 1); - return PLUGIN_RET_OK; + if (!iam_master) + return PLUGIN_RET_OK; // Slaves don't do walled garden processing. + + if (data->s->walled_garden) + garden_session(data->s, F_GARDEN, 0); + + return PLUGIN_RET_OK; } int plugin_kill_session(struct param_new_session *data) { - if (data->s->walled_garden) garden_session(data->s, 0); - return PLUGIN_RET_OK; + if (!iam_master) + return PLUGIN_RET_OK; // Slaves don't do walled garden processing. + + if (data->s->walled_garden) + garden_session(data->s, F_CLEANUP, 0); + + return PLUGIN_RET_OK; } +char *plugin_control_help[] = { + " garden USER|SID Put user into the walled garden", + " ungarden SID [USER] Release session from garden", + 0 +}; + int plugin_control(struct param_control *data) { - sessiont *s; - sessionidt session; - - if (data->type != PKT_GARDEN && data->type != PKT_UNGARDEN) return PLUGIN_RET_OK; - if (!data->data && data->data_length) return PLUGIN_RET_OK; - session = atoi((char*)(data->data)); - if (!session) return PLUGIN_RET_OK; // Really? - data->send_response = 1; - s = p.get_session_by_id(session); - if (!s || !s->ip) - { - char *errormsg = "Session not connected"; - *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR); - sprintf((data->response + data->response_length), "%s", errormsg); - data->response_length += strlen(errormsg) + 1; + sessionidt session; + sessiont *s = 0; + int flag; + char *end; - p.log(3, 0, 0, 0, "Unknown session %d\n", session); - return PLUGIN_RET_STOP; - } - *(short *)(data->response + 2) = ntohs(PKT_RESP_OK); + if (data->argc < 1) + return PLUGIN_RET_OK; + + if (strcmp(data->argv[0], "garden") && strcmp(data->argv[0], "ungarden")) + return PLUGIN_RET_OK; // not for us + + if (!iam_master) + return PLUGIN_RET_NOTMASTER; + + flag = data->argv[0][0] == 'g' ? F_GARDEN : F_UNGARDEN; + + if (data->argc < 2 || data->argc > 3 || (data->argc > 2 && flag == F_GARDEN)) + { + data->response = NSCTL_RES_ERR; + data->additional = flag == F_GARDEN + ? "requires username or session id" + : "requires session id and optional username"; - if (!(garden_session(s, (data->type == PKT_GARDEN)))) - { - char *errormsg = "User not connected"; - *(short *)(data->response + 2) = ntohs(PKT_RESP_ERROR); - sprintf((data->response + data->response_length), "%s", errormsg); - data->response_length += strlen(errormsg) + 1; - } return PLUGIN_RET_STOP; + } + + if (!(session = strtol(data->argv[1], &end, 10)) || *end) + { + if (flag) + session = f->get_session_by_username(data->argv[1]); + else + session = 0; // can't ungarden by username + } + + if (session) + s = f->get_session_by_id(session); + + if (!s || !s->ip) + { + data->response = NSCTL_RES_ERR; + data->additional = "session not found"; + return PLUGIN_RET_STOP; + } + + if (s->walled_garden == flag) + { + data->response = NSCTL_RES_ERR; + data->additional = flag ? "already in walled garden" : "not in walled garden"; + return PLUGIN_RET_STOP; + } + + garden_session(s, flag, data->argc > 2 ? data->argv[2] : 0); + f->session_changed(session); + + data->response = NSCTL_RES_OK; + data->additional = 0; + + return PLUGIN_RET_STOP; +} + +int plugin_become_master(void) +{ + int i; + iam_master = 1; // We just became the master. Wow! + + for (i = 0; up_commands[i] && *up_commands[i]; i++) + { + f->log(3, 0, 0, "Running %s\n", up_commands[i]); + if (-1 == system(up_commands[i])) f->log(0, 0, 0, "error command %s\n", up_commands[i]); + } + + return PLUGIN_RET_OK; } -int garden_session(sessiont *s, int flag) +// Called for each active session after becoming master +int plugin_new_session_master(sessiont *s) +{ + if (s->walled_garden) + garden_session(s, F_GARDEN, 0); + + return PLUGIN_RET_OK; +} + +int garden_session(sessiont *s, int flag, char *newuser) { - char cmd[2048]; - - if (!s) return 0; - if (!s->opened) return 0; - - /* Note that we don't handle throttling/snooping/etc here - * To do that, we'd need to send an end accounting record - * then a radius auth, then start accouting again. - * That means that we need the password (which garden has) - * and a lot of code to check that the new set of params - * (routes, IP, ACLs, etc) 'matched' the old one in a - * 'compatable' way. (ie user's system doesn't need to be told - * of the change) - * - * Thats a lot of pain/code for very little gain. - * If we want them redone from scratch, just sessionkill them - - * a user on garden isn't going to have any open TCP - * connections which are worth caring about, anyway. - * - * Note that the user will be rethrottled shortly by the scan - * script thingy if appropriate. - * - * Currently, garden only directly ungardens someone if - * they haven't paid their bill, and then subsequently do so - * online. This isn't something which can be set up by a malicious - * customer at will. - */ - if (flag == 1) + char cmd[2048]; + sessionidt sess; + int status; + + if (!s) return 0; + if (!s->opened) return 0; + + sess = f->get_id_by_session(s); + if (flag == F_GARDEN) + { + f->log(2, sess, s->tunnel, "Garden user %s (%s)\n", s->user, + f->fmtaddr(htonl(s->ip), 0)); + + snprintf(cmd, sizeof(cmd), + "iptables -t nat -A garden_users -s %s -j garden", + f->fmtaddr(htonl(s->ip), 0)); + + f->log(3, sess, s->tunnel, "%s\n", cmd); + status = system(cmd); + s->walled_garden = 1; + } + else + { + sessionidt other; + int count = 40; + + // Normal User + f->log(2, sess, s->tunnel, "Un-Garden user %s (%s)\n", s->user, f->fmtaddr(htonl(s->ip), 0)); + if (newuser) { - // Gardened User - p.log(2, 0, 0, s->tunnel, "Trap user %s (%s) in walled garden\n", s->user, p.inet_toa(ntohl(s->ip))); - snprintf(cmd, 2048, "iptables -t nat -A garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip))); - p.log(3, 0, 0, s->tunnel, "%s\n", cmd); - system(cmd); - s->walled_garden = 1; + snprintf(s->user, MAXUSER, "%s", newuser); + f->log(2, sess, s->tunnel, " Setting username to %s\n", s->user); } - else + + // Kick off any duplicate usernames + // but make sure not to kick off ourself + if (s->ip && !s->die && (other = f->get_session_by_username(s->user)) && + s != f->get_session_by_id(other)) + { + f->sessionkill(other, + "Duplicate session when user released from walled garden"); + } + + /* Clean up counters */ + s->pin = s->pout = 0; + s->cin = s->cout = 0; + s->cin_delta = s->cout_delta = 0; + s->cin_wrap = s->cout_wrap = 0; + + snprintf(cmd, sizeof(cmd), + "iptables -t nat -D garden_users -s %s -j garden", + f->fmtaddr(htonl(s->ip), 0)); + + f->log(3, sess, s->tunnel, "%s\n", cmd); + while (--count) { - sessionidt other; - int count = 40; - - // Normal User - p.log(2, 0, 0, s->tunnel, "Release user %s (%s) from walled garden\n", s->user, p.inet_toa(ntohl(s->ip))); - // Kick off any duplicate usernames - // but make sure not to kick off ourself - if (s->ip && !s->die && (other = p.get_session_by_username(s->user)) && s != p.get_session_by_id(other)) { - p.sessionkill(other, "Duplicate session when user un-gardened"); - } - /* Clean up counters */ - s->cin = s->cout = 0; - s->pin = s->pout = 0; - - snprintf(cmd, 2048, "iptables -t nat -D garden_users -s %s -j garden", p.inet_toa(ntohl(s->ip))); - p.log(3, 0, 0, s->tunnel, "%s\n", cmd); - while (--count) - { - int status = system(cmd); - if (WEXITSTATUS(status) != 0) break; - } - - s->walled_garden = 0; - - if (!s->die) { - /* OK, we're up! */ - u16 r = p.radiusnew(p.get_id_by_session(s)); - p.radiussend(r, RADIUSSTART); - } + status = system(cmd); + if (WEXITSTATUS(status) != 0) break; } - s->walled_garden = flag; - return 1; + + s->walled_garden = 0; + + if (flag != F_CLEANUP) + { + /* OK, we're up! */ + uint16_t r = f->radiusnew(f->get_id_by_session(s)); + if (r) f->radiussend(r, RADIUSSTART); + } + } + + return 1; } int plugin_init(struct pluginfuncs *funcs) { - int i; + FILE *tables; + int found_nat = 0; + + if (!funcs) + return 0; - if (!funcs) return 0; - memcpy(&p, funcs, sizeof(p)); + f = funcs; - for (i = 0; init_commands[i] && *init_commands[i]; i++) + if ((tables = fopen("/proc/net/ip_tables_names", "r"))) + { + char buf[1024]; + while (fgets(buf, sizeof(buf), tables) && !found_nat) + found_nat = !strcmp(buf, "nat\n"); + + fclose(tables); + } + + /* master killed/crashed? */ + if (found_nat) + { + int i; + for (i = 0; down_commands[i] && *down_commands[i]; i++) { - p.log(3, 0, 0, 0, "Running %s\n", init_commands[i]); - system(init_commands[i]); + f->log(3, 0, 0, "Running %s\n", down_commands[i]); + if (-1 == system(down_commands[i])) f->log(0, 0, 0, "error command %s\n", down_commands[i]); } + } - return 1; + return 1; } void plugin_done() { - int i; - for (i = 0; done_commands[i] && *done_commands[i]; i++) - { - p.log(3, 0, 0, 0, "Running %s\n", done_commands[i]); - system(done_commands[i]); - } + int i; + + if (!iam_master) // Never became master. nothing to do. + return; + + for (i = 0; down_commands[i] && *down_commands[i]; i++) + { + f->log(3, 0, 0, "Running %s\n", down_commands[i]); + if (-1 == system(down_commands[i])) f->log(0, 0, 0, "error command %s\n", down_commands[i]); + } }