Merge pull request #96 from acv/auth-down-rule

Open firewall when auth server are down

Author: acv

src/conf.h

@@ -73,6 +73,16 @@
 #define DEFAULT_AUTHSERVSSLPEERVER 1    /* 0 means: Enable peer verification */
 /*@}*/
 
+/*@{*/
+/** Defines for firewall rule sets. */
+#define FWRULESET_GLOBAL "global"
+#define FWRULESET_VALIDATING_USERS "validating-users"
+#define FWRULESET_KNOWN_USERS "known-users"
+#define FWRULESET_AUTH_IS_DOWN "auth-is-down"
+#define FWRULESET_UNKNOWN_USERS "unknown-users"
+#define FWRULESET_LOCKED_USERS "locked-users"
+/*@}*/
+
 /**
  * Information about the authentication server
  */

src/firewall.c

@@ -116,6 +116,26 @@ fw_deny(const char *ip, const char *mac, int fw_connection_state)
     return iptables_fw_access(FW_ACCESS_DENY, ip, mac, fw_connection_state);
 }
 
+/** Passthrough for clients when auth server is down */
+int
+fw_set_authdown(void)
+{
+	debug(LOG_DEBUG, "Marking auth server down");
+
+	return iptables_fw_auth_unreachable(FW_MARK_AUTH_IS_DOWN);
+}
+
+/** Remove passthrough for clients when auth server is up */
+int
+fw_set_authup(void)
+{
+	debug(LOG_DEBUG, "Marking auth server up again");
+
+	return iptables_fw_auth_reachable();
+}
+
+
+
 /* XXX DCY */
 /**
  * Get an IP's MAC address from the ARP cache.

src/firewall.h

@@ -37,6 +37,7 @@ typedef enum _t_fw_marks {
     FW_MARK_PROBATION = 1, /**< @brief The client is in probation period and must be authenticated 
 			    @todo: VERIFY THAT THIS IS ACCURATE*/
     FW_MARK_KNOWN = 2,  /**< @brief The client is known to the firewall */ 
+    FW_MARK_AUTH_IS_DOWN = 253, /**< @brief The auth servers are down */
     FW_MARK_LOCKED = 254 /**< @brief The client has been locked out */
 } t_fw_marks;
 
@@ -61,6 +62,12 @@ int fw_allow_host(const char *host);
 /** @brief Deny a client access through the firewall*/
 int fw_deny(const char *ip, const char *mac, int profile);
 
+/** @brief Passthrough for clients when auth server is down */
+int fw_set_authdown(void);
+
+/** @brief Remove passthrough for clients when auth server is up */
+int fw_set_authup(void);
+
 /** @brief Refreshes the entire client list */
 void fw_sync_with_authserver(void);
 

src/fw_iptables.c

@@ -258,6 +258,7 @@ iptables_fw_init(void)
 	t_trusted_mac *p;
 	int proxy_port;
 	fw_quiet = 0;
+    int got_authdown_ruleset = NULL == get_ruleset(FWRULESET_AUTH_IS_DOWN) ? 0 : 1;
 
 	LOCK_CONFIG();
 	config = config_get_config();
@@ -283,10 +284,14 @@ iptables_fw_init(void)
 	iptables_do_command("-t mangle -N " CHAIN_TRUSTED);
 	iptables_do_command("-t mangle -N " CHAIN_OUTGOING);
 	iptables_do_command("-t mangle -N " CHAIN_INCOMING);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t mangle -N " CHAIN_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_OUTGOING, config->gw_interface);
-	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
+	iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_TRUSTED, config->gw_interface); //this rule will be inserted before the prior one
+    if (got_authdown_ruleset)
+        iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " CHAIN_AUTH_IS_DOWN, config->gw_interface); //this rule must be last in the chain
 	iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " CHAIN_INCOMING, config->gw_interface);
 
 	for (p = config->trustedmaclist; p != NULL; p = p->next)
@@ -305,6 +310,8 @@ iptables_fw_init(void)
 	iptables_do_command("-t nat -N " CHAIN_GLOBAL);
 	iptables_do_command("-t nat -N " CHAIN_UNKNOWN);
 	iptables_do_command("-t nat -N " CHAIN_AUTHSERVERS);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t nat -N " CHAIN_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 	iptables_do_command("-t nat -A PREROUTING -i %s -j " CHAIN_OUTGOING, config->gw_interface);
@@ -326,7 +333,11 @@ iptables_fw_init(void)
 
 	iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTHSERVERS);
 	iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_GLOBAL);
-	iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
+    if (got_authdown_ruleset) {
+        iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTH_IS_DOWN);
+        iptables_do_command("-t nat -A " CHAIN_AUTH_IS_DOWN " -m mark --mark 0x%u -j ACCEPT", FW_MARK_AUTH_IS_DOWN);
+    }
+    iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
 
 	/*
@@ -343,6 +354,8 @@ iptables_fw_init(void)
 	iptables_do_command("-t filter -N " CHAIN_VALIDATE);
 	iptables_do_command("-t filter -N " CHAIN_KNOWN);
 	iptables_do_command("-t filter -N " CHAIN_UNKNOWN);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t filter -N " CHAIN_AUTH_IS_DOWN);
 
 	/* Assign links and rules to these new chains */
 
@@ -366,20 +379,25 @@ iptables_fw_init(void)
 	iptables_fw_set_authservers();
 
 	iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_LOCKED, FW_MARK_LOCKED);
-	iptables_load_ruleset("filter", "locked-users", CHAIN_LOCKED);
+	iptables_load_ruleset("filter", FWRULESET_LOCKED_USERS, CHAIN_LOCKED);
 
 	iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j " CHAIN_GLOBAL);
-	iptables_load_ruleset("filter", "global", CHAIN_GLOBAL);
-	iptables_load_ruleset("nat", "global", CHAIN_GLOBAL);
+	iptables_load_ruleset("filter", FWRULESET_GLOBAL, CHAIN_GLOBAL);
+	iptables_load_ruleset("nat", FWRULESET_GLOBAL, CHAIN_GLOBAL);
 
 	iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_VALIDATE, FW_MARK_PROBATION);
-	iptables_load_ruleset("filter", "validating-users", CHAIN_VALIDATE);
+	iptables_load_ruleset("filter", FWRULESET_VALIDATING_USERS, CHAIN_VALIDATE);
 
 	iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_KNOWN, FW_MARK_KNOWN);
-	iptables_load_ruleset("filter", "known-users", CHAIN_KNOWN);
+	iptables_load_ruleset("filter", FWRULESET_KNOWN_USERS, CHAIN_KNOWN);
+
+    if (got_authdown_ruleset) {
+        iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_AUTH_IS_DOWN, FW_MARK_AUTH_IS_DOWN);
+        iptables_load_ruleset("filter", FWRULESET_AUTH_IS_DOWN, CHAIN_AUTH_IS_DOWN);
+    }
 
 	iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j " CHAIN_UNKNOWN);
-	iptables_load_ruleset("filter", "unknown-users", CHAIN_UNKNOWN);
+	iptables_load_ruleset("filter", FWRULESET_UNKNOWN_USERS, CHAIN_UNKNOWN);
 	iptables_do_command("-t filter -A " CHAIN_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
 
 	UNLOCK_CONFIG();
@@ -395,6 +413,7 @@ iptables_fw_init(void)
 	int
 iptables_fw_destroy(void)
 {
+    int got_authdown_ruleset = NULL == get_ruleset(FWRULESET_AUTH_IS_DOWN) ? 0 : 1;
 	fw_quiet = 1;
 
 	debug(LOG_DEBUG, "Destroying our iptables entries");
@@ -407,12 +426,18 @@ iptables_fw_destroy(void)
 	debug(LOG_DEBUG, "Destroying chains in the MANGLE table");
 	iptables_fw_destroy_mention("mangle", "PREROUTING", CHAIN_TRUSTED);
 	iptables_fw_destroy_mention("mangle", "PREROUTING", CHAIN_OUTGOING);
+    if (got_authdown_ruleset)
+        iptables_fw_destroy_mention("mangle", "PREROUTING", CHAIN_AUTH_IS_DOWN);
 	iptables_fw_destroy_mention("mangle", "POSTROUTING", CHAIN_INCOMING);
 	iptables_do_command("-t mangle -F " CHAIN_TRUSTED);
 	iptables_do_command("-t mangle -F " CHAIN_OUTGOING);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t mangle -F " CHAIN_AUTH_IS_DOWN);
 	iptables_do_command("-t mangle -F " CHAIN_INCOMING);
 	iptables_do_command("-t mangle -X " CHAIN_TRUSTED);
 	iptables_do_command("-t mangle -X " CHAIN_OUTGOING);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t mangle -X " CHAIN_AUTH_IS_DOWN);
 	iptables_do_command("-t mangle -X " CHAIN_INCOMING);
 
 	/*
@@ -424,12 +449,16 @@ iptables_fw_destroy(void)
 	iptables_fw_destroy_mention("nat", "PREROUTING", CHAIN_OUTGOING);
 	iptables_do_command("-t nat -F " CHAIN_AUTHSERVERS);
 	iptables_do_command("-t nat -F " CHAIN_OUTGOING);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t nat -F " CHAIN_AUTH_IS_DOWN);
 	iptables_do_command("-t nat -F " CHAIN_TO_ROUTER);
 	iptables_do_command("-t nat -F " CHAIN_TO_INTERNET);
 	iptables_do_command("-t nat -F " CHAIN_GLOBAL);
 	iptables_do_command("-t nat -F " CHAIN_UNKNOWN);
 	iptables_do_command("-t nat -X " CHAIN_AUTHSERVERS);
 	iptables_do_command("-t nat -X " CHAIN_OUTGOING);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t nat -X " CHAIN_AUTH_IS_DOWN);
 	iptables_do_command("-t nat -X " CHAIN_TO_ROUTER);
 	iptables_do_command("-t nat -X " CHAIN_TO_INTERNET);
 	iptables_do_command("-t nat -X " CHAIN_GLOBAL);
@@ -449,13 +478,17 @@ iptables_fw_destroy(void)
 	iptables_do_command("-t filter -F " CHAIN_VALIDATE);
 	iptables_do_command("-t filter -F " CHAIN_KNOWN);
 	iptables_do_command("-t filter -F " CHAIN_UNKNOWN);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t filter -F " CHAIN_AUTH_IS_DOWN);
 	iptables_do_command("-t filter -X " CHAIN_TO_INTERNET);
 	iptables_do_command("-t filter -X " CHAIN_AUTHSERVERS);
 	iptables_do_command("-t filter -X " CHAIN_LOCKED);
 	iptables_do_command("-t filter -X " CHAIN_GLOBAL);
 	iptables_do_command("-t filter -X " CHAIN_VALIDATE);
 	iptables_do_command("-t filter -X " CHAIN_KNOWN);
 	iptables_do_command("-t filter -X " CHAIN_UNKNOWN);
+    if (got_authdown_ruleset)
+        iptables_do_command("-t filter -X " CHAIN_AUTH_IS_DOWN);
 
 	return 1;
 }
@@ -571,6 +604,28 @@ iptables_fw_access_host(fw_access_t type, const char *host)
 	return rc;
 }
 
+/** Set a mark when auth server is not reachable */
+	int
+iptables_fw_auth_unreachable(int tag)
+{
+    int got_authdown_ruleset = NULL == get_ruleset(FWRULESET_AUTH_IS_DOWN) ? 0 : 1;
+    if (got_authdown_ruleset)
+        return iptables_do_command("-t mangle -A " CHAIN_AUTH_IS_DOWN " -j MARK --set-mark 0x%u", tag);
+    else
+        return 1;
+}
+
+/** Remove mark when auth server is reachable again */
+	int
+iptables_fw_auth_reachable(void)
+{
+    int got_authdown_ruleset = NULL == get_ruleset(FWRULESET_AUTH_IS_DOWN) ? 0 : 1;
+    if (got_authdown_ruleset)
+        return iptables_do_command("-t mangle -F " CHAIN_AUTH_IS_DOWN);
+    else
+        return 1;
+}
+
 /** Update the counters of all the clients in the client list */
 	int
 iptables_fw_counters_update(void)

src/fw_iptables.h

@@ -42,6 +42,7 @@
 #define CHAIN_UNKNOWN   "WiFiDog_$ID$_Unknown"
 #define CHAIN_LOCKED    "WiFiDog_$ID$_Locked"
 #define CHAIN_TRUSTED    "WiFiDog_$ID$_Trusted"
+#define CHAIN_AUTH_IS_DOWN "WiFiDog_$ID$_AuthIsDown"
 /*@}*/ 
 
 /** Used by iptables_fw_access to select if the client should be granted of denied access */
@@ -71,6 +72,12 @@ int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int ta
 /** @brief Define the access of a host */
 int iptables_fw_access_host(fw_access_t type, const char *host);
 
+/** @brief Set a mark when auth server is not reachable */
+int iptables_fw_auth_unreachable(int tag);
+
+/** @brief Remove mark when auth server is reachable again */
+int iptables_fw_auth_reachable(void);
+
 /** @brief All counters in the client list */
 int iptables_fw_counters_update(void);
 

src/ping_thread.c

@@ -51,6 +51,7 @@
 #include "ping_thread.h"
 #include "util.h"
 #include "centralserver.h"
+#include "firewall.h"
 
 #include "simple_http.h"
 
@@ -103,6 +104,7 @@ ping(void)
 	float             sys_load    = 0;
 	t_auth_serv	*auth_server = NULL;
 	auth_server = get_auth_server();
+    static int authdown = 0;
 
 	debug(LOG_DEBUG, "Entering ping()");
 	memset(request, 0, sizeof(request));
@@ -117,6 +119,10 @@ ping(void)
 		/*
 		 * No auth servers for me to talk to
 		 */
+		if (!authdown) {
+			fw_set_authdown();
+			authdown = 1;
+		}
 		return;
 	}
 
@@ -184,10 +190,17 @@ ping(void)
 
 	if (strstr(request, "Pong") == 0) {
 		debug(LOG_WARNING, "Auth server did NOT say Pong!");
-		/* FIXME */
+  		if (!authdown) {
+			fw_set_authdown();
+			authdown = 1;
+		}
 	}
 	else {
 		debug(LOG_DEBUG, "Auth Server Says: Pong");
+  		if (authdown) {
+			fw_set_authup();
+			authdown = 0;
+		}
 	}
 
 	return;	

wifidog.conf

@@ -299,6 +299,15 @@ FirewallRuleSet known-users {
     FirewallRule allow to 0.0.0.0/0
 }
 
+# Rule Set: auth-is-down
+#
+# Does nothing when not configured.
+#
+# Used when auth server is down
+#FirewallRuleSet auth-is-down {
+#  FirewallRule allow to 0.0.0.0/0
+#}
+
 # Rule Set: unknown-users
 #
 # Used for unvalidated users, this is the ruleset that gets redirected.