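/**
 * Remove the mangle-table rules that mark an authenticated client's
 * packets, and tear down its traffic-control shaping if enabled.
 *
 * Every deletion is attempted even if an earlier one fails; the result
 * is the OR of the individual command return codes.
 *
 * @param client  the client being deauthenticated; reads ip, mac, id and
 *                the per-client download/upload limits.
 * @return 0 if every iptables / tc command returned 0, non-zero otherwise.
 */
int
iptables_fw_deauthenticate(t_client *client)
{
	int download_limit, upload_limit, traffic_control, upload_ifb;
	s_config *config;
	char upload_ifbname[16];
	int rc = 0;

	config = config_get_config();

	/* Snapshot every config field we need under LOCK_CONFIG so the values
	 * are mutually consistent (upload_ifb was previously read unlocked). */
	LOCK_CONFIG();
	traffic_control = config->traffic_control;
	download_limit = config->download_limit;
	upload_limit = config->upload_limit;
	upload_ifb = config->upload_ifb;
	UNLOCK_CONFIG();

	/* "ifb" + a decimal int (<= 11 chars) + NUL always fits in 16 bytes;
	 * snprintf still guarantees termination if that ever changes. */
	snprintf(upload_ifbname, sizeof upload_ifbname, "ifb%d", upload_ifb);

	/* Per-client limits override the global ones only when both are set. */
	if (client->download_limit > 0 && client->upload_limit > 0) {
		download_limit = client->download_limit;
		upload_limit = client->upload_limit;
	}

	/* Remove the authentication rules.  client->ip / client->mac are spliced
	 * straight into the iptables command; this relies on them having been
	 * validated when the client was admitted -- NOTE(review): confirm
	 * iptables_do_command does not pass the string through a shell. */
	debug(LOG_NOTICE, "Deauthenticating %s %s", client->ip, client->mac);
	rc |= iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x", client->ip, client->mac, markop, FW_MARK_AUTHENTICATED);
	rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j MARK %s 0x%x", client->ip, markop, FW_MARK_AUTHENTICATED);
	rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j ACCEPT", client->ip);

	/* gw_interface is read without the lock, as before; presumably it is
	 * fixed at startup -- TODO confirm. */
	if (traffic_control) {
		rc |= tc_detach_client(config->gw_interface, download_limit, upload_ifbname, upload_limit, client->id);
	}

	return rc;
}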
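/**
 * Insert or delete the firewall mangle rules that mark a client's packets
 * as authenticated, and attach/detach its traffic shaping when enabled.
 *
 * Every command is attempted even if an earlier one fails; the result is
 * the OR of the individual command return codes.
 *
 * @param action  AUTH_MAKE_AUTHENTICATED to add the rules,
 *                AUTH_MAKE_DEAUTHENTICATED to remove them.
 * @param client  the client; reads ip, mac, idx and the per-client limits.
 * @return 0 if every iptables / tc command returned 0, non-zero if any
 *         failed, or -1 for an unknown action.
 */
int
iptables_fw_access(t_authaction action, t_client *client)
{
	int rc = 0, download_limit, upload_limit, traffic_control;
	int download_imq, upload_imq;
	s_config *config;
	char *download_imqname, *upload_imqname;

	/* Global flag read by iptables_do_command; presumably re-enables
	 * error reporting for this call -- TODO confirm. */
	fw_quiet = 0;

	config = config_get_config();

	/* Snapshot every config field we need under LOCK_CONFIG so the values
	 * are mutually consistent (the imq numbers were previously read unlocked). */
	LOCK_CONFIG();
	traffic_control = config->traffic_control;
	download_limit = config->download_limit;
	upload_limit = config->upload_limit;
	download_imq = config->download_imq;
	upload_imq = config->upload_imq;
	UNLOCK_CONFIG();

	safe_asprintf(&download_imqname, "imq%d", download_imq); /* must free */
	safe_asprintf(&upload_imqname, "imq%d", upload_imq);     /* must free */

	/* Per-client limits override the global ones only when both are set. */
	if (client->download_limit > 0 && client->upload_limit > 0) {
		download_limit = client->download_limit;
		upload_limit = client->upload_limit;
	}

	/* The mark value is the hex digits of (idx + 10) textually followed by
	 * those of FW_MARK_AUTHENTICATED.  The -D strings below must stay
	 * byte-identical to the -A strings or the deletions will not match.
	 * NOTE(review): if FW_MARK_AUTHENTICATED is wider than one hex digit,
	 * different idx values could collide -- confirm against its definition.
	 * client->ip / client->mac are spliced straight into the command and
	 * rely on upstream validation; confirm iptables_do_command does not
	 * pass the string through a shell. */
	switch (action) {
	case AUTH_MAKE_AUTHENTICATED:
		debug(LOG_NOTICE, "Authenticating %s %s", client->ip, client->mac);
		/* Marks upload (outgoing) packets; also used for upload byte counting. */
		rc |= iptables_do_command("-t mangle -A " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x%x", client->ip, client->mac, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
		rc |= iptables_do_command("-t mangle -A " CHAIN_INCOMING " -d %s -j MARK %s 0x%x%x", client->ip, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
		/* Download (incoming) byte counting only, see iptables_fw_counters_update(). */
		rc |= iptables_do_command("-t mangle -A " CHAIN_INCOMING " -d %s -j ACCEPT", client->ip);
		if (traffic_control) {
			rc |= tc_attach_client(download_imqname, download_limit, upload_imqname, upload_limit, client->idx, FW_MARK_AUTHENTICATED);
		}
		break;
	case AUTH_MAKE_DEAUTHENTICATED:
		/* Remove the authentication rules. */
		debug(LOG_NOTICE, "Deauthenticating %s %s", client->ip, client->mac);
		rc |= iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK %s 0x%x%x", client->ip, client->mac, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
		rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j MARK %s 0x%x%x", client->ip, markop, client->idx + 10, FW_MARK_AUTHENTICATED);
		rc |= iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j ACCEPT", client->ip);
		if (traffic_control) {
			rc |= tc_detach_client(download_imqname, upload_imqname, client->idx);
		}
		break;
	default:
		rc = -1;
		break;
	}

	/* Both names are freed on every path, including the unknown-action one. */
	free(upload_imqname);
	free(download_imqname);
	return rc;
}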