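/**
 * Remove the mangle-table rules that mark a client's packets as authenticated,
 * and, when traffic control is enabled, detach the client's tc shaping.
 *
 * @param client  the client being deauthenticated; its ip, mac and id select
 *                the rules / tc classes to delete.
 * @return        0 on success, otherwise the bitwise OR of the non-zero return
 *                codes of the iptables / tc commands that failed.
 */
int
iptables_fw_deauthenticate(t_client *client)
{
    int download_limit, upload_limit, traffic_control, upload_ifb;
    s_config *config;
    char upload_ifbname[16];
    int rc = 0;

    config = config_get_config();

    /* Snapshot every scalar we need from the shared config under the lock. */
    LOCK_CONFIG();
    traffic_control = config->traffic_control;
    download_limit = config->download_limit;
    upload_limit = config->upload_limit;
    upload_ifb = config->upload_ifb;
    UNLOCK_CONFIG();

    /* "ifb" + a 32-bit decimal (at most 11 chars) + NUL fits in 16 bytes, but
     * the write is bounded so a wider type or a later rename of the prefix can
     * never overrun the stack buffer (the original used unbounded sprintf). */
    snprintf(upload_ifbname, sizeof upload_ifbname, "ifb%d", upload_ifb);

    /* Per-client limits override the global ones only when both are set. */
    if (client->download_limit > 0 && client->upload_limit > 0) {
        download_limit = client->download_limit;
        upload_limit = client->upload_limit;
    }

    /* Remove the authentication rules. */
    debug(LOG_NOTICE, "Deauthenticating %s %s", client->ip, client->mac);

    /* NOTE(review): client->ip / client->mac are interpolated into a command
     * line by iptables_do_command; confirm they are validated before this
     * point, as nothing here checks them. */
    rc |= iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x",
                              client->ip, client->mac, markop, FW_MARK_AUTHENTICATED);
    rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j MARK %s 0x%x",
                              client->ip, markop, FW_MARK_AUTHENTICATED);
    rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j ACCEPT",
                              client->ip);

    if (traffic_control) {
        rc |= tc_detach_client(config->gw_interface, download_limit,
                               upload_ifbname, upload_limit, client->id);
    }

    return rc;
}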
/**
 * Insert (AUTH_MAKE_AUTHENTICATED) or delete (AUTH_MAKE_DEAUTHENTICATED) the
 * mangle-table rules that mark a client's packets, together with the matching
 * tc shaping when traffic control is enabled.
 *
 * @param action  AUTH_MAKE_AUTHENTICATED or AUTH_MAKE_DEAUTHENTICATED.
 * @param client  the client whose ip, mac and idx select the rules.
 * @return        0 on success, the bitwise OR of the failing iptables / tc
 *                return codes, or -1 for an unrecognised action.
 */
int
iptables_fw_access(t_authaction action, t_client *client)
{
    int result = 0;
    int dl_limit, ul_limit, tc_enabled;
    s_config *config;
    char *dl_imq = NULL;
    char *ul_imq = NULL;

    fw_quiet = 0;
    config = config_get_config();

    /* Both device names are heap-allocated and released before returning. */
    safe_asprintf(&dl_imq, "imq%d", config->download_imq);
    safe_asprintf(&ul_imq, "imq%d", config->upload_imq);

    /* Snapshot the global limits under the config lock. */
    LOCK_CONFIG();
    tc_enabled = config->traffic_control;
    dl_limit = config->download_limit;
    ul_limit = config->upload_limit;
    UNLOCK_CONFIG();

    /* Per-client limits win over the global ones only when both are set. */
    if (client->download_limit > 0 && client->upload_limit > 0) {
        dl_limit = client->download_limit;
        ul_limit = client->upload_limit;
    }

    /* NOTE(review): the mark is built by concatenating two hex numbers
     * ("0x%x%x" with idx+10 and FW_MARK_AUTHENTICATED); confirm against the
     * definition of FW_MARK_AUTHENTICATED that distinct clients cannot collide.
     * NOTE(review): client->ip / client->mac go straight into a command line;
     * confirm they are validated before reaching this function. */
    if (action == AUTH_MAKE_AUTHENTICATED) {
        debug(LOG_NOTICE, "Authenticating %s %s", client->ip, client->mac);

        /* Marks upload (outgoing) packets; also used for upload byte counting. */
        result |= iptables_do_command("-t mangle -A " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x%x",
                                      client->ip, client->mac, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
        result |= iptables_do_command("-t mangle -A " CHAIN_INCOMING " -d %s -j MARK %s 0x%x%x",
                                      client->ip, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
        /* Download (incoming) byte counting only, see iptables_fw_counters_update(). */
        result |= iptables_do_command("-t mangle -A " CHAIN_INCOMING " -d %s -j ACCEPT",
                                      client->ip);

        if (tc_enabled) {
            result |= tc_attach_client(dl_imq, dl_limit, ul_imq, ul_limit,
                                       client->idx, FW_MARK_AUTHENTICATED);
        }
    } else if (action == AUTH_MAKE_DEAUTHENTICATED) {
        /* Remove the authentication rules. */
        debug(LOG_NOTICE, "Deauthenticating %s %s", client->ip, client->mac);

        result |= iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x%x",
                                      client->ip, client->mac, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
        result |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j MARK %s 0x%x%x",
                                      client->ip, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
        result |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j ACCEPT",
                                      client->ip);

        if (tc_enabled) {
            result |= tc_detach_client(dl_imq, ul_imq, client->idx);
        }
    } else {
        result = -1;
    }

    free(ul_imq);
    free(dl_imq);
    return result;
}