Merge branch 'master' into refactor-auth

Conflicts:
	src/firewall.c

Author: acv

NEWS

@@ -12,6 +12,8 @@ WiFiDog 1.2.1:
 	* Enhance safe_malloc to always zero memory (#155)
 	* Fix segfault related pstr_t's buffer (#149)
 	* Add open the firewall if no auth servers can be reached (optional, #90)
+	* Add configurable ARP table location (-a switch). Useful for mock ARP tables during
+		load tests (#166)
 	* Various other fixes and minor improvements, see
 		https://github.com/wifidog/wifidog-gateway/compare/1.2.0...1.2.1
 

contrib/load-tester/README.md

@@ -0,0 +1,26 @@
+## Wifidog Load Tester ##
+
+* generate\_interfaces.sh: Sets up pseudo interfaces and creates a fake ARP
+  table in /tmp/arp. Make sure that the IP addresses used do not collide with
+  your real network
+* mock\_auth.py: A mock auth server. Randomly grants or denies access
+* fire\_requests.py: Hammers Wifidog with requests. talks to wifidog, never
+  to the auth server.
+* run.sh: Ties it all together. Make sure to run as root. 
+
+Once you think the script has run long enough, kill run.sh and look at
+valgrind.log. You have to clean up after the script yourself, e.g. kill
+mock\_auth.py separately and run **./generate_interfaces.sh stop**
+
+### Note on ARP tables ###
+
+Although generate\_interfaces.sh will add random MAC addresses
+to the virtual interfaces, these will not show up in the local
+ARP table. The ARP table only lists remote systems. Even with the
+**publish** flag set, the ARP table entry will list an all-zero MAC
+address. For this reason, the script generates a fake ARP table
+and passes it to wifidog with the **-a** switch.
+
+The macvlan type virtual interface used by generate\_interfaces.sh
+is still useful if you load-test a remote wifidog instance. In this case,
+the remote ARP table will (hopefully) be populated correctly.

contrib/load-tester/fire_requests.py

@@ -0,0 +1,94 @@
+#!/usr/bin/env python2
+# -*- coding: utf -*-
+
+
+import socket
+import fcntl
+import struct
+
+import uuid
+import sys
+import random
+
+import argparse
+import functools
+
+
+from multiprocessing import Pool
+
+from httplib import HTTPConnection
+
+PORT = "2060"
+
+
+def main(targetIF, prefix, maxI):
+    target = get_ip_address(targetIF)
+    for i in xrange(int(maxI)):
+        main_single(target, prefix, i)
+
+def main_single(target, prefix, i):
+        source = get_ip_address(prefix + str(i))
+        # source_address requires python 2.7
+        # urllib2 does not nicely expose source_address, so use
+        # lower-level API
+        conn = HTTPConnection(target, PORT, timeout=10, source_address=(source, 0))
+        conn.connect()
+        conn.request("GET", "/")
+        try:
+            resp = conn.getresponse()
+            resp.read()
+        except:
+            pass
+        conn = HTTPConnection(target, PORT, timeout=10, source_address=(source, 0))
+        conn.connect()
+        token = str(uuid.uuid4())
+        conn.request("GET", "/wifidog/auth?token=" + token )
+        try:
+            resp = conn.getresponse()
+            # this causes wifidog to ask our mock auth server if the token is
+            # correct
+            resp.read()
+        except:
+            pass
+        # log out sometimes
+        if random.choice([True, False, False]):
+            conn = HTTPConnection(target, PORT, timeout=10, source_address=(source, 0))
+            conn.connect()
+            conn.request("GET", "/wifidog/auth?logout=1&token=" + token)
+            try:
+                resp = conn.getresponse()
+                resp.read()
+            except:
+                pass
+
+
+# http://code.activestate.com/recipes/439094-get-the-ip-address-associated-with-a-network-inter/
+def get_ip_address(ifname):
+    print "ifname: %s" % ifname
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return socket.inet_ntoa(fcntl.ioctl(
+        s.fileno(),
+        0x8915,  # SIOCGIFADDR
+        struct.pack('256s', ifname[:15])
+        )[20:24])
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Hammer a wifidog instance with requests')
+    parser.add_argument('--target-interface', required=True,
+                   help='Interface where Wifidog is listening')
+    parser.add_argument('--source-interface-prefix', required=True,
+                   help='Prefix of the virtual interfaces from which Wifidog is exercised.')
+    parser.add_argument('--source-interface-count', required=True,
+                   help='Number of virtual interfaces, where interface is prefix+index')
+    parser.add_argument('--process-count', required=True,
+                   help='How many processes to run')
+
+    args = parser.parse_args()
+
+    target = get_ip_address(args.target_interface)
+    p = Pool(int(args.process_count))
+    partial = functools.partial(main_single, target, args.source_interface_prefix)
+    while True:
+        p.map(partial, list(xrange(int(args.source_interface_count))))
+

contrib/load-tester/generate_interfaces.sh

@@ -0,0 +1,57 @@
+#/bin/bash
+
+IF="eth0"
+# for whatever reason, if you use eth0.x as your virtual interface name,
+# dhclient will lose the carrier
+PREFIX="mac"
+# don't touch resolv.conf
+DHCP="dhcpcd --waitip -C resolv.conf"
+#DHCP="dhclient -v"
+NET="10.0.10."
+ARPTABLE="/tmp/arp"
+
+COUNT=$2
+
+function start() {
+    echo "IP address       HW type     Flags       HW address            Mask     Device" > $ARPTABLE
+    # Add internal address for GW
+    sudo ip link add internal0 link $IF type macvlan mode bridge || exit 1
+    sudo ip addr add ${NET}254 dev internal0
+    sudo ip link set internal0 up || exit 2
+    for i in `seq 0 $COUNT`; do
+        echo "Add link $i"
+        # sudo ip link add virtual0 link eth0 type macvlan mode bridge
+        sudo ip link add ${PREFIX}${i} link $IF type macvlan mode bridge || exit 1
+        echo "Assigning temporary IP address"
+        # use link-local address. Ideally, we would check if the
+        # address is already aissgned
+        sudo ip addr add ${NET}$(($i + 1)) dev ${PREFIX}${i}
+        MAC=`ip link show ${PREFIX}${i} | grep ether | sed -e 's,.*link/ether ,,' -e 's, brd.*,,'`
+        echo "Marking link $i up"
+        sudo ip link set ${PREFIX}${i} up || exit 2
+        #echo "Acquiring IP for link $i"
+        # when using DHCP, the interface would immediately
+        # go down?
+        #sudo $DHCP ${PREFIX}${i} || exit 3
+        echo " ${NET}$(($i + 1))     0x1         0x2         $MAC     *        ${PREFIX}${i}" >> $ARPTABLE
+    done
+}
+
+function stop() {
+    sudo ip link del internal0 2>/dev/null || true
+    for i in `seq 0 $COUNT`; do
+        echo "Deleting link $i"
+        sudo ip link del ${PREFIX}${i} 2>/dev/null || true
+    done
+}
+
+
+
+if [[ x$1 == x"start" ]]; then
+    stop
+    start
+elif [[ x$1 == x"stop" ]]; then
+    stop
+else
+    echo "Unknown command"
+fi

contrib/load-tester/mock_auth.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+# -*- coding: utf -*-
+
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+import random
+
+def main():
+    server = HTTPServer(('', 8080), AuthHandler)
+    server.serve_forever()
+
+
+class AuthHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/html')
+        self.end_headers()
+        if "ping" in self.path:
+            self.wfile.write("Pong\n")
+        else:
+            self.wfile.write("Auth: %s\n" % random.choice([0,1]))
+        return
+
+if __name__ == "__main__":
+    main()

contrib/load-tester/run.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# On Ubuntu, you may want this:
+# echo "core.%e.%p" > /proc/sys/kernel/core_pattern
+# http://stackoverflow.com/a/18368068
+
+echo "core.%e.%p" > /proc/sys/kernel/core_pattern
+ulimit -c unlimited
+
+COUNT=40
+echo "Make sure to configure GatewayInterface in wifidog_mock.conf"
+
+./generate_interfaces.sh start $COUNT || exit 1
+
+./mock_auth.py &
+MA_PID="$!"
+
+# trace-children is necessary because of the libtool wrapper -.-
+#sudo valgrind --leak-check=full --trace-children=yes --trace-children-skip=/bin/sh \
+#    --log-file=valgrind.log ../../src/wifidog -d 7 -f -c wifidog-mock.conf 2> wifidog.log &
+
+# for -fsanitize=address
+export ASAN_OPTIONS=check_initialization_order=1
+export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
+
+../../src/wifidog -d 7 -f -c wifidog-mock.conf -a /tmp/arp 2> wifidog.log &
+WD_PID="$!"
+
+IF=`grep GatewayInterface wifidog-mock.conf | cut -f 2 -d ' '`
+
+echo "Waiting for wifidog to come up"
+
+sleep 10
+
+./fire_requests.py \
+    --target-interface $IF \
+    --source-interface-prefix mac \
+    --source-interface-count $COUNT \
+    --process-count 2
+
+#./generate_interfaces.sh stop
+
+function cleanup() {
+
+    kill $MA_PID
+    kill $WD_PID
+    ./generate_interfaces.sh stop $COUNT
+
+}
+
+trap cleanup EXIT

contrib/load-tester/wdctl.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+while true; do
+    ../../src/wdctl status
+    sleep 5
+done

contrib/load-tester/wifidog-mock.conf

@@ -0,0 +1,35 @@
+ExternalInterface eth0
+GatewayInterface internal0
+
+HtmlMessageFile ../../wifidog-msg.html
+
+
+AuthServer {
+    Hostname localhost
+    HTTPPort 8080
+    Path /
+}
+
+ClientTimeout 5
+
+FirewallRuleSet global {
+}
+
+FirewallRuleSet validating-users {
+    FirewallRule allow to 0.0.0.0/0
+}
+
+FirewallRuleSet known-users {
+    FirewallRule allow to 0.0.0.0/0
+}
+
+FirewallRuleSet unknown-users {
+    FirewallRule allow udp port 53
+    FirewallRule allow tcp port 53
+    FirewallRule allow udp port 67
+    FirewallRule allow tcp port 67
+}
+
+FirewallRuleSet locked-users {
+    FirewallRule block to 0.0.0.0/0
+}

src/commandline.c

@@ -91,7 +91,8 @@ parse_commandline(int argc, char **argv)
     i = 0;
     restartargv[i++] = safe_strdup(argv[0]);
 
-    while (-1 != (c = getopt(argc, argv, "c:hfd:sw:vx:i:"))) {
+    while (-1 != (c = getopt(argc, argv, "c:hfd:sw:vx:i:a:"))) {
+
         skiponrestart = 0;
 
         switch (c) {
@@ -152,6 +153,15 @@ parse_commandline(int argc, char **argv)
             }
             break;
 
+        case 'a':
+            if (optarg) {
+                free(config->arp_table_path);
+                config->arp_table_path = safe_strdup(optarg);
+            } else {
+                fprintf(stdout, "You must supply the path to the ARP table with -a!");
+                exit(1);
+            }
+            break;
         default:
             usage();
             exit(1);

src/conf.c

@@ -196,6 +196,7 @@ config_init(void)
     config.ssl_certs = safe_strdup(DEFAULT_AUTHSERVSSLCERTPATH);
     config.ssl_verify = DEFAULT_AUTHSERVSSLPEERVER;
     config.ssl_cipher_list = NULL;
+    config.arp_table_path = safe_strdup(DEFAULT_ARPTABLE);
 }
 
 /**