@@ -258,6 +258,7 @@ iptables_fw_init(void)
258258 t_trusted_mac * p ;
259259 int proxy_port ;
260260 fw_quiet = 0 ;
261+ int got_authdown_ruleset = NULL == get_ruleset ("auth-is-down" ) ? 0 : 1 ;
261262
262263 LOCK_CONFIG ();
263264 config = config_get_config ();
@@ -283,12 +284,14 @@ iptables_fw_init(void)
283284 iptables_do_command ("-t mangle -N " CHAIN_TRUSTED );
284285 iptables_do_command ("-t mangle -N " CHAIN_OUTGOING );
285286 iptables_do_command ("-t mangle -N " CHAIN_INCOMING );
286- iptables_do_command ("-t mangle -N " CHAIN_AUTH_IS_DOWN );
287+ if (got_authdown_ruleset )
288+ iptables_do_command ("-t mangle -N " CHAIN_AUTH_IS_DOWN );
287289
288290 /* Assign links and rules to these new chains */
289291 iptables_do_command ("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_OUTGOING , config -> gw_interface );
290292 iptables_do_command ("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_TRUSTED , config -> gw_interface ); //this rule will be inserted before the prior one
291- iptables_do_command ("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_AUTH_IS_DOWN , config -> gw_interface ); //this rule must be last in the chain
293+ if (got_authdown_ruleset )
294+ iptables_do_command ("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_AUTH_IS_DOWN , config -> gw_interface ); //this rule must be last in the chain
292295 iptables_do_command ("-t mangle -I POSTROUTING 1 -o %s -j " CHAIN_INCOMING , config -> gw_interface );
293296
294297 for (p = config -> trustedmaclist ; p != NULL ; p = p -> next )
@@ -307,7 +310,8 @@ iptables_fw_init(void)
307310 iptables_do_command ("-t nat -N " CHAIN_GLOBAL );
308311 iptables_do_command ("-t nat -N " CHAIN_UNKNOWN );
309312 iptables_do_command ("-t nat -N " CHAIN_AUTHSERVERS );
310- iptables_do_command ("-t nat -N " CHAIN_AUTH_IS_DOWN );
313+ if (got_authdown_ruleset )
314+ iptables_do_command ("-t nat -N " CHAIN_AUTH_IS_DOWN );
311315
312316 /* Assign links and rules to these new chains */
313317 iptables_do_command ("-t nat -A PREROUTING -i %s -j " CHAIN_OUTGOING , config -> gw_interface );
@@ -329,7 +333,8 @@ iptables_fw_init(void)
329333
330334 iptables_do_command ("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTHSERVERS );
331335 iptables_do_command ("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_GLOBAL );
332- iptables_do_command ("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTH_IS_DOWN );
336+ if (got_authdown_ruleset )
337+ iptables_do_command ("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTH_IS_DOWN );
333338 iptables_do_command ("-t nat -A " CHAIN_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d" , gw_port );
334339
335340
@@ -347,7 +352,8 @@ iptables_fw_init(void)
347352 iptables_do_command ("-t filter -N " CHAIN_VALIDATE );
348353 iptables_do_command ("-t filter -N " CHAIN_KNOWN );
349354 iptables_do_command ("-t filter -N " CHAIN_UNKNOWN );
350- iptables_do_command ("-t filter -N " CHAIN_AUTH_IS_DOWN );
355+ if (got_authdown_ruleset )
356+ iptables_do_command ("-t filter -N " CHAIN_AUTH_IS_DOWN );
351357
352358 /* Assign links and rules to these new chains */
353359
@@ -383,8 +389,10 @@ iptables_fw_init(void)
383389 iptables_do_command ("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_KNOWN , FW_MARK_KNOWN );
384390 iptables_load_ruleset ("filter" , "known-users" , CHAIN_KNOWN );
385391
386- iptables_do_command ("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_AUTH_IS_DOWN , FW_MARK_AUTH_IS_DOWN );
387- iptables_load_ruleset ("filter" , "known-users" , CHAIN_AUTH_IS_DOWN );
392+ if (got_authdown_ruleset ) {
393+ iptables_do_command ("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_AUTH_IS_DOWN , FW_MARK_AUTH_IS_DOWN );
394+ iptables_load_ruleset ("filter" , "auth-is-down" , CHAIN_AUTH_IS_DOWN );
395+ }
388396
389397 iptables_do_command ("-t filter -A " CHAIN_TO_INTERNET " -j " CHAIN_UNKNOWN );
390398 iptables_load_ruleset ("filter" , "unknown-users" , CHAIN_UNKNOWN );
@@ -403,6 +411,7 @@ iptables_fw_init(void)
403411 int
404412iptables_fw_destroy (void )
405413{
414+ int got_authdown_ruleset = NULL == get_ruleset ("auth-is-down" ) ? 0 : 1 ;
406415 fw_quiet = 1 ;
407416
408417 debug (LOG_DEBUG , "Destroying our iptables entries" );
@@ -415,15 +424,18 @@ iptables_fw_destroy(void)
415424 debug (LOG_DEBUG , "Destroying chains in the MANGLE table" );
416425 iptables_fw_destroy_mention ("mangle" , "PREROUTING" , CHAIN_TRUSTED );
417426 iptables_fw_destroy_mention ("mangle" , "PREROUTING" , CHAIN_OUTGOING );
418- iptables_fw_destroy_mention ("mangle" , "PREROUTING" , CHAIN_AUTH_IS_DOWN );
427+ if (got_authdown_ruleset )
428+ iptables_fw_destroy_mention ("mangle" , "PREROUTING" , CHAIN_AUTH_IS_DOWN );
419429 iptables_fw_destroy_mention ("mangle" , "POSTROUTING" , CHAIN_INCOMING );
420430 iptables_do_command ("-t mangle -F " CHAIN_TRUSTED );
421431 iptables_do_command ("-t mangle -F " CHAIN_OUTGOING );
422- iptables_do_command ("-t mangle -F " CHAIN_AUTH_IS_DOWN );
432+ if (got_authdown_ruleset )
433+ iptables_do_command ("-t mangle -F " CHAIN_AUTH_IS_DOWN );
423434 iptables_do_command ("-t mangle -F " CHAIN_INCOMING );
424435 iptables_do_command ("-t mangle -X " CHAIN_TRUSTED );
425436 iptables_do_command ("-t mangle -X " CHAIN_OUTGOING );
426- iptables_do_command ("-t mangle -X " CHAIN_AUTH_IS_DOWN );
437+ if (got_authdown_ruleset )
438+ iptables_do_command ("-t mangle -X " CHAIN_AUTH_IS_DOWN );
427439 iptables_do_command ("-t mangle -X " CHAIN_INCOMING );
428440
429441 /*
@@ -435,14 +447,16 @@ iptables_fw_destroy(void)
435447 iptables_fw_destroy_mention ("nat" , "PREROUTING" , CHAIN_OUTGOING );
436448 iptables_do_command ("-t nat -F " CHAIN_AUTHSERVERS );
437449 iptables_do_command ("-t nat -F " CHAIN_OUTGOING );
438- iptables_do_command ("-t nat -F " CHAIN_AUTH_IS_DOWN );
450+ if (got_authdown_ruleset )
451+ iptables_do_command ("-t nat -F " CHAIN_AUTH_IS_DOWN );
439452 iptables_do_command ("-t nat -F " CHAIN_TO_ROUTER );
440453 iptables_do_command ("-t nat -F " CHAIN_TO_INTERNET );
441454 iptables_do_command ("-t nat -F " CHAIN_GLOBAL );
442455 iptables_do_command ("-t nat -F " CHAIN_UNKNOWN );
443456 iptables_do_command ("-t nat -X " CHAIN_AUTHSERVERS );
444457 iptables_do_command ("-t nat -X " CHAIN_OUTGOING );
445- iptables_do_command ("-t nat -X " CHAIN_AUTH_IS_DOWN );
458+ if (got_authdown_ruleset )
459+ iptables_do_command ("-t nat -X " CHAIN_AUTH_IS_DOWN );
446460 iptables_do_command ("-t nat -X " CHAIN_TO_ROUTER );
447461 iptables_do_command ("-t nat -X " CHAIN_TO_INTERNET );
448462 iptables_do_command ("-t nat -X " CHAIN_GLOBAL );
@@ -462,15 +476,17 @@ iptables_fw_destroy(void)
462476 iptables_do_command ("-t filter -F " CHAIN_VALIDATE );
463477 iptables_do_command ("-t filter -F " CHAIN_KNOWN );
464478 iptables_do_command ("-t filter -F " CHAIN_UNKNOWN );
465- iptables_do_command ("-t filter -F " CHAIN_AUTH_IS_DOWN );
479+ if (got_authdown_ruleset )
480+ iptables_do_command ("-t filter -F " CHAIN_AUTH_IS_DOWN );
466481 iptables_do_command ("-t filter -X " CHAIN_TO_INTERNET );
467482 iptables_do_command ("-t filter -X " CHAIN_AUTHSERVERS );
468483 iptables_do_command ("-t filter -X " CHAIN_LOCKED );
469484 iptables_do_command ("-t filter -X " CHAIN_GLOBAL );
470485 iptables_do_command ("-t filter -X " CHAIN_VALIDATE );
471486 iptables_do_command ("-t filter -X " CHAIN_KNOWN );
472487 iptables_do_command ("-t filter -X " CHAIN_UNKNOWN );
473- iptables_do_command ("-t filter -X " CHAIN_AUTH_IS_DOWN );
488+ if (got_authdown_ruleset )
489+ iptables_do_command ("-t filter -X " CHAIN_AUTH_IS_DOWN );
474490
475491 return 1 ;
476492}
0 commit comments