diff --git a/AUTHORS b/AUTHORS index 09afe70..4645dc5 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1,8 +1,12 @@ On the Nodogsplash project: -Moritz Warning -Shiao-An Yuan -Fred Moyer -Paul Kube +Active: + Alexander Couzens + Moritz Warning + Rob White +Inactive: + Shiao-An Yuan + Fred Moyer + Paul Kube On the WifiDog project: Philippe April diff --git a/ChangeLog b/ChangeLog index fa122b4..d470767 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,43 @@ +nodogsplash (3.0.0) + + * Removed settings without implementation due to the change of the http library: + DecongestHttpdThreads, HttpdThreadthreshold, HttpdThreaddelayms + AuthenticateImmediately, RemoteAuthenticatorAction, EnablePreAuth, + BinVoucher, ForceVoucher, PasswordAuthentication, UsernameAuthentication, + PasswordAttempts, Username, Password + * Add binauth feature as a replacement for the old binvoucher feature + * call a script with username/password to decide the authentication + * Replace ClientForceTimeout setting with SessionTimeout + * Replace ClientTimeout settings with PreauthIdleTimeout and AuthedIdleTimeout + + -- Moritz Warning Tue, 31 July 2018 19:19:00 +0000 + +nodogsplash (2.1.1) + + * Update nodogsplash.conf for non-OpenWrt builds + * Minor cosmetic changes + + -- Rob White Sat, 12 May 2018 10:03:00 +0000 + +nodogsplash (2.1.0) + + * Allow firewall rule chaining, PR #231 [bluewavenet] + * OpenWrt: Add hook to allow firewall to restart nodogsplash after configuring additional rules, PR https://github.com/openwrt-routing/packages/pull/369 [bluewavenet] + * OpenWrt: Add support for mwan3(v2) and sqm-scripts, PR https://github.com/openwrt-routing/packages/pull/359 [bluewavenet] + * Update documentation [bluewavenet] + * Enable TCP Fast Open, PR #237 [blogcin] + * Avoid continuous thread creation for control interface, PR #238 [blogcin] + * Fix possible memory corruption for long config file path, PR #240 [blogcin] + + -- Moritz Warning Tue, 08 May 2018 19:19:00 +0000 + +nodogsplash (2.0.1) + + * Added Forwarding Authentication Service (FAS). [bluewavenet] + * Support for external (to NDS) authentication without using Binvoucher. [bluewavenet] + * Fix crash when mimetype is not found. [azsde] + + -- Rob White Thu, 28 Dec 2017 11:36:10 +0000 nodogsplash (2.0.0) 
@@ -13,8 +53,11 @@ nodogsplash (2.0.0) * add debian support including systemd [efernandesng] * fix file descriptor leak [sfstudio] * fix uncomplete console output [mwarning] + * update splash.html (#152) [bluewavenet] + * fw_iptables: fix iptables syntax for 1.6.1 [mwarning] + * fix CheckInterval option (#168) [zaolin] - -- Alexander Couzens Thu, 10 Nov 2016 12:23:42 +0100 + -- Alexander Couzens Mon, 29 May 2017 12:23:42 +0100 nodogsplash (1.0.0) diff --git a/Makefile b/Makefile index f912544..1963b3e 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ NDS_OBJS=src/auth.o src/client_list.o src/commandline.o src/conf.o \ src/debug.o src/firewall.o src/fw_iptables.o src/gateway.o src/http_microhttpd.o src/http_microhttpd_utils.o \ src/ndsctl_thread.o src/safe.o src/tc.o src/util.o src/template.o -.PHONY: all clean install checkastyle fixstyle +.PHONY: all clean install checkastyle fixstyle deb all: nodogsplash ndsctl @@ -33,7 +33,7 @@ install: #ifeq(yes,$(STRIP)) strip nodogsplash strip ndsctl -#endif +#endif mkdir -p $(DESTDIR)/usr/bin/ cp ndsctl $(DESTDIR)/usr/bin/ cp nodogsplash $(DESTDIR)/usr/bin/ @@ -70,10 +70,10 @@ fixstyle: checkastyle echo "\033[1;33mPrevious files have been corrected\033[00m" ; else \ echo "\033[0;32mAll files are ok\033[00m" ; fi -DEBVERSION=$(shell dpkg-parsechangelog | grep ^Version |cut -f2 -d\ | sed -e 's/-[0-9]*$$//' ) +DEBVERSION=$(shell dpkg-parsechangelog | awk -F'[ -]' '/^Version/{print($$2); exit;}' ) deb: clean mkdir -p dist/nodogsplash-$(DEBVERSION) tar --exclude dist --exclude ".git*" -cf - . | (cd dist/nodogsplash-$(DEBVERSION) && tar xf -) - cd dist && tar cjf nodogsplash_$(DEBVERSION).orig.tar.bz2 nodogsplash-$(DEBVERSION) - cd dist/nodogsplash-$(DEBVERSION) && dpkg-buildpackage -us -uc + cd dist && tar cjf nodogsplash_$(DEBVERSION).orig.tar.bz2 nodogsplash-$(DEBVERSION) && cd - + cd dist/nodogsplash-$(DEBVERSION) && dpkg-buildpackage -us -uc && cd - rm -rf dist/nodogsplash-$(DEBVERSION) 
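Review bot: The `&& cd -` appended to both `cd dist && …` recipe lines of the `deb:` target is a no-op, because make runs each recipe line in a fresh shell and the working directory never carries over to the next line; its only visible effect is that `cd -` prints the previous directory into the build log. Keep the lines as `cd dist && tar cjf nodogsplash_$(DEBVERSION).orig.tar.bz2 nodogsplash-$(DEBVERSION)` and `cd dist/nodogsplash-$(DEBVERSION) && dpkg-buildpackage -us -uc`. The new awk-based `DEBVERSION` expands to an empty string when `dpkg-parsechangelog` fails or prints no Version line, and the target then silently builds and removes `dist/nodogsplash-`; a first recipe line `test -n "$(DEBVERSION)"` would make the target fail fast instead.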
diff --git a/README.md b/README.md index 2eb994a..df4800b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -##0. The Nodogsplash project +## 0. The Nodogsplash project Nodogsplash offers a simple way to provide restricted access to an internet connection. It is derived from the codebase of the Wifi Guard Dog project. @@ -12,7 +12,7 @@ Nodogsplash is released under the GNU General Public License. The following describes what Nodogsplash does, how to get it and run it, and how to customize its behavior for your application. -##1. Overview +## 1. Overview Nodogsplash offers a solution to this problem: You want to provide controlled and reasonably secure public access to an internet connection; and while you @@ -32,7 +32,7 @@ Specific features of Nodogsplash are configurable, by editing the configuration file and the splash page. The default installed configuration may be all you need, though. -##2. Documentation +## 2. Documentation For additonal documentation please look at https://nodogsplash.readthedocs.io/en/latest/ diff --git a/debian/README.md b/debian/README.md index 6220855..67ebb48 100644 --- a/debian/README.md +++ b/debian/README.md @@ -1,9 +1,10 @@ -To create a Debian package of NoDogSplash (a *.deb file), +To create a Debian package of NoDogSplash (a \*.deb file), you first need to have installed the following programs and libraries: ``` -apt-get install build-essential debhelper devscripts hardening-includes +apt install build-essential debhelper devscripts +apt install libmicrohttpd-dev dh-systemd ``` Run this command in the repository root folder to create the package: diff --git a/debian/changelog b/debian/changelog index 0190459..c59ea11 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,5 +1,29 @@ +nodogsplash (2.1.1-1) stable; urgency=medium -nodogsplash (2.0.0) stable; urgency=low + * Update nodogsplash.conf for non-OpenWrt builds [bluewavenet] + * Minor cosmetic changes + + -- Rob White Sat, 12 May 2018 10:03:00 +0000 + +nodogsplash (2.1.0-1) UNRELEASED; urgency=medium + + * Allow firewall rule chaining, PR #231 [bluewavenet] + * Update documentation [bluewavenet] + * Enable TCP Fast Open, PR #237 [blogcin] + * Avoid continuous thread creation for control interface, PR #238 [blogcin] + * Fix possible memory corruption for long config file path, PR #240 [blogcin] + + -- Moritz Warning Tue, 08 May 2018 19:19:00 +0000 + +nodogsplash (2.0.1-1) stable; urgency=medium + + * Added Forwarding Authentication Service (FAS). [bluewavenet] + * Support for external (to NDS) authentication without using Binvoucher. [bluewavenet] + * Fix crash when mimetype is not found. [azsde] + + -- Moritz Warning Tue, 02 Jan 2018 08:31:52 -0500 + +nodogsplash (2.0.0-1) stable; urgency=low * replace libhttp by libmicrohttpd [lynxis] * implement string replace based template engine [lynxis] @@ -12,8 +36,11 @@ nodogsplash (2.0.0) stable; urgency=low * prevent possible divison by zero and negative durations [mwarning] * add debian support including systemd [efernandesng] * fix file descriptor leak [sfstudio] + * update splash.html (#152) [bluewavenet] + * fw_iptables: fix iptables syntax for 1.6.1 [mwarning] + * fix CheckInterval option (#168) [zaolin] - -- Alexander Couzens Thu, 10 Nov 2016 12:23:42 +0100 + -- Alexander Couzens Mon, 29 May 2017 12:23:42 +0100 nodogsplash (1.0.0-1) stable; urgency=low diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst deleted file mode 100644 index 116094c..0000000 --- a/docs/source/authentication.rst +++ /dev/null 
@@ -1,37 +0,0 @@ -Authentication -############## - -Site-wide username and password -******************************* - -Nodogsplash can be configured to require a username and/or password to be -entered on the splash page as part of the authentication process. Since the -username and password are site-wide (not per user), and they are sent in the -clear using HTTP GET, this is not a secure mechanism. -To enable this, edit *nodogsplash.conf* to set parameters *PasswordAuthentication*, -*UsernameAuthentication*, *Password*, *Username*, and *PasswordAttempts* as desired. -Then the splash page must use a GET-method HTML form to send user-entered -username and/or password as values of variables *nodoguser* and *nodogpass* -respectively, along with others as required, to the server. For example: - -.. code:: - -
- - - username: -
- password: -
- -
- -Forwarding authentication -************************* - -Nodogsplash allows to call an external program for authentication using -the options BinVoucher/EnablePreAuth/ForceVoucher in nodogsplash.conf. -The given program for BinVoucher will be called using the clients MAC address as argument. -The output is expected to be the number of seconds the client is to be authenticated. -It may also contain the clients download and upload speed limit in KBits/s. -See the example configuration file for further details. diff --git a/docs/source/binauth.rst b/docs/source/binauth.rst new file mode 100644 index 0000000..836de79 --- /dev/null +++ b/docs/source/binauth.rst @@ -0,0 +1,81 @@ +BinAuth Option +================= + +**Key: BinAuth** + +**Value: /path/to/executable/script** + +Authenticate a client using an external program that get passed the (optional) username and password value. +The exit code and output values of the program decide if and how a client is to be authenticated. + +For the following examples, setting `binauth` in nodogsplash.conf is set to `/etc/nds_auth.sh`: + +.. code-block:: sh + + #!/bin/sh + + METHOD="$1" + MAC="$2" + + case "$METHOD" in + "client_auth") + USERNAME="$3" + PASSWORD="$4" + if [ "$USERNAME" = "Bill" -a "$PASSWORD" = "tms" ]; then + # Allow client to access the Internet for one hour (3600 seconds) + # Further values are upload and download limits in bytes. 0 for no limit. + echo 3600 0 0 + fi + ;; + "idle_timeout") + INGOING_BYTES="$3" + OUTGOING_BYTES="$4" + DURATION_SECONDS="$5" + # The client was deauthenticated after DURATION_SECONDS seconds because of inactivity + ;; + "session_end") + INGOING_BYTES="$3" + OUTGOING_BYTES="$4" + DURATION_SECONDS="$5" + # The client was deauthenticated after DURATION_SECONDS seconds because the session ended + ;; + esac + + exit 0 + + +The splash.html page contains the following code: + +.. code-block:: html + +
+ + + username: +
+ password: +
+ +
+ +If a client enters a username 'Bill' and password 'tms', then the configured `binauth` script is executed: + +.. code:: + + /etc/nds_auth.sh client_auth 12:34:56:78:90 'Bill' 'tms' + +For the authentication to be successful, the exit code of the script must be 0. The output can be up to three values. First the number of seconds the client is to authenticated, second and third the maximum number of upload and download bytes. Values not given to NDS will resort to default values. Note that the traffic shaping feature does not work right now. + +Nodogsplash will also call the script when the client is deathenticated. + +Client is deauthenticated due to inactivity: + +.. code:: + + /etc/nds_auth.sh idle_timeout + +Client is deauthenticated due to the session end: + +.. code:: + + /etc/nds_auth.sh session_end diff --git a/docs/source/checkinterval.rst b/docs/source/checkinterval.rst new file mode 100644 index 0000000..2a1d0af --- /dev/null +++ b/docs/source/checkinterval.rst @@ -0,0 +1,10 @@ +CheckInterval Option +==================== + +**Key: CheckInterval** + +**Value: 1 - 2.147.483.647 in seconds** + +This feature was introduced in previous versions of nodogsplash. +It was used for the bin voucher support checking for invalidation +of clients. diff --git a/docs/source/compile.rst b/docs/source/compile.rst index 8a6b12d..c1f21b6 100644 --- a/docs/source/compile.rst +++ b/docs/source/compile.rst @@ -12,8 +12,8 @@ Install libmicrohttpd including the header files (often call -dev package). cd nodogsplash make -If you installed the libmicrohttpd to another location please like /tmp/libmicrohttpd_install/ -replace the make call with +If you installed the libmicrohttpd to another location (e.g. /tmp/libmicrohttpd_install/) +replace path in the make call with .. code:: 
@@ -24,7 +24,7 @@ After compiling you can call ``make install`` to install nodogsplash to /usr/ OpenWrt ******* -To compile nodogsplash please ues the package definiton from the feeds package. +To compile nodogsplash please use the package definiton from the feeds package. .. code:: diff --git a/docs/source/faq.rst b/docs/source/faq.rst index 194e00e..0171c00 100644 --- a/docs/source/faq.rst +++ b/docs/source/faq.rst @@ -26,6 +26,15 @@ You can, if you don't use: I would like to use QoS or TrafficControl on OpenWrt **************************************************** -This feature is broken since OpenWrt 12.09 (Attitude Adjustment), because -OpenWrt removed the IMQ (Intermediate queueing device) support. We're looking -for somebody who want to fix that. +The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude Adjustment), because +OpenWrt removed the IMQ (Intermediate queueing device) support. We're looking for somebody who to fix this! + +However the OpenWrt package, SQM Scripts, is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth. + +Is https:// redirection supported? +********************************** + +No. We believe this is the wrong way to do it, because all connections would have a critical certificate failure. +Https web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals DO NOT attempt to capture port 443. + +Captive Portal Detection (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre defined port 80 web page (depending on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD. 
diff --git a/docs/source/fas.rst b/docs/source/fas.rst
new file mode 100644
index 0000000..fe240a3
--- /dev/null
+++ b/docs/source/fas.rst
@@ -0,0 +1,49 @@
+Forwarding Authentication Service (FAS)
+#######################################
+
+Overview
+********
+
+Nodogsplash (NDS) can support external (to NDS) authentication.
+The BinVoucher process was derived to support this and has been called Forwarding Authentication. This is a non trivial function and although partially implemented in early versions, is not implemented at all in version 2, at the time of writing.
+
+Fortunately, Forwarding Authentication can be done without any modification to the core NDS code and in a way that is compatible with all versions, pre v1 beta through to the current release of v2.
+
+The defacto industry standard Captive Portal Detection (CPD), present on almost all devices these days, invokes the NDS splash page with various parameters passed to the splash page by NDS, including the client access token.
+
+It is a simple matter to pass this token to an external Forwarding Authentication Service (FAS) by using a redirect in the splash page.
+
+For a client to access this external service, the ip address and port number of the service must be added to the NDS walled garden in nodogsplash.conf or its equivalent UCI config file if running under LEDE/OpenWrt.
+
+Included are various configuration files and remote php scripts, intended as an example implementation of FAS to demonstrate the methods.
+
+FAS Installation
+****************
+NOTE: USING HTTPS. Your FAS can be an https server, but self signed certificates will throw dire "Here Be Dragons" warnings on your client devices when the redirection to your FAS takes place. Also even if using a registered CA all browsers will still return a security error on returning to Nodogsplash. This can be prevented by using wget to return to Nodogsplash from your FAS script instead of an html GET.
+
+The contents of the FAS etc folder should be placed in the /etc folder of your NoDogSplash router, overwriting existing files.
+
+The following two files should be edited as follows.
+ +1: +/etc/config/nodogsplash should be edited to reflect the ip address and port of your FAS service as described in the comments in the example file. +Your FAS can reside on your Nodogsplash router, a web server on your LAN, or a web server on the internet. + +2: +/etc/nodogsplash/htdocs/splash.html should also be edited to reflect the URL of your FAS service as indicated in the comments in the example file. +Take note of the USING HTTPS warning above. A typical URL could be http://my-fas.net/nodog/fas.php?auth.... etc. + +Running FAS on your Nodogsplash router: +The example FAS service will run fairly well on uhttpd (the web server that serves Luci) on an LEDE/OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time. For this reason a device with a minimum of 16MB flash and 64MB ram is recommended. + +Running on uhttpd: +Install the modules php7 and php7-cgi on LEDE for the simple example. Further modules may be required when you write your own php scripts depending on your requirements. +To enable php in uhttpd you must add the line: + list interpreter ".php=/usr/bin/php-cgi" +to the /etc/config/uhttpd file in the config uhttpd 'main' or first section. + +Finally, reboot the router to start NoDogSplash in FAS mode. + +The example file "users.dat" contains a list of usernames and passwords. + +NOTE: /etc/config/nodogsplash contains the line "option enabled 1". If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem. diff --git a/docs/source/index.rst b/docs/source/index.rst index 14979b5..6414175 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -28,7 +28,8 @@ Contents: compile faq howitworks - authentication + fas + binauth ndsctl customize debug diff --git a/docs/source/install.rst b/docs/source/install.rst index 49b96ee..eb8c8ae 100644 
--- a/docs/source/install.rst
+++ b/docs/source/install.rst
@@ -1,49 +1,57 @@ -Installing nodogsplash +Installing Nodogsplash ###################### -OpenWrt +OpenWrt (LEDE) ******* -* Have a router working with OpenWrt. Nodogsplash has been compiled against a - OpenWrt Attitude Adjustment buildroot; it may or may not work on other versions - of OpenWrt or on other kinds of Linux-based router firmware. For notes on - using Nodogsplash with OpenWrt Kamikaze, see below. +* Have a router working with OpenWrt. At the time of writing, Nodogsplash has been tested with OpenWrt/LEDE 17.01.4; + it may or may not work on older versions of OpenWrt or on other kinds of Linux-based router firmware. * Make sure your router is basically working before you try to install - nodogsplash. In particular, make sure your DHCP daemon is serving addresses - on the interface that nodogsplash will manage (typically br-lan or eth1), and - for the following use ssh or telnet access to your router over a different - interface. -* To install nodogsplash, obtain the nodogsplash*.ipk package you want to - install from the project website, copy it to /tmp/ on your OpenWrt router, - and, in as root on the router, run: + Nodogsplash. In particular, make sure your DHCP daemon is serving addresses on the interface that nodogsplash will manage. + The default is br-lan but can be changed to any interface by editing the /etc/config/nodogsplash file. +* To install Nodogsplash, you may use the OpenWrt Luci web interface or alternatively, ssh to your router and run the command: - ``opkg install /tmp/nodogsplash*.ipk`` + ``opkg update`` + + followed by + + ``opkg install nodogsplash`` (for version 1x). + + or + + ``opkg install nodogsplash2`` (for version 2x). + +* Nodogsplash is enabled by default and will start automatically on reboot or can be started and stopped manually. 
+ - (Note: to prevent installation of an older package, you may have to remove - references to remote package repositories in your /etc/opkg.conf file) -* If the interface that you want nodogsplash to manage is not br-lan, - edit /etc/nodogsplash/nodogsplash.conf and set GatewayInterface. -* To start nodogsplash, run the following, or just reboot the router: +* If the interface that you want Nodogsplash to manage is not br-lan, + edit /etc/config/nodogsplash and set GatewayInterface. +* To start Nodogsplash, run the following, or just reboot the router: ``/etc/init.d/nodogsplash start`` -* To test the installation, connect a client machine to the interface on your - router that is managed by nodogsplash (for example, connect to the router's - wireless lan) and in a browser on that machine, attempt to visit any website. - You should see the nodogsplash splash page instead. Click on the icon; the - browser should redirect to the initially requested website. -* To stop nodogsplash: +* To test the installation, connect a client device to the interface on your + router that is managed by Nodogsplash (for example, connect to the router's + wireless lan). + Most client device operating systems and browsers support Captive Portal Detection (CPD) and the operating system or browser on that device will attempt to contact a pre defined port 80 web page. + CPD will trigger Nodogsplash to serve the default splash page where you can click or tap Continue to access the Internet. + + See the Authentication section for details of setting up a proper authentication process. + + If your client device does not display the splash page it most likely does not support CPD. You should then manually trigger Nodogsplash by trying to access a port 80 web site (for example, google.com:80 is a good choice). 
+ +* To stop Nodogsplash: ``/etc/init.d/nodogsplash stop`` -* To uninstall nodogsplash: +* To uninstall Nodogsplash: ``opkg remove nodogsplash`` Debian ****** -There isn't a packet in the repostiory (yet). But we have support for a debian package. +There isn't a package in the repository (yet). But we have support for a debian package. Requirements beside debian tools are: - libmicrohttpd-dev (>= 0.9.51) [avaiable in **stretch**] diff --git a/docs/source/overview.rst b/docs/source/overview.rst index 7061481..3af56be 100644 --- a/docs/source/overview.rst +++ b/docs/source/overview.rst @@ -1,7 +1,7 @@ Overview ######## -Nodogsplash offers a solution to this problem: You want to provide controlled +Nodogsplash (NDS) offers a solution to this problem: You want to provide controlled and reasonably secure public access to an internet connection; and while you want to require users to give some acknowledgment of the service you are providing, you don't need or want the complexity of user account names and @@ -18,3 +18,9 @@ you don't want to grant all of your available upload or download bandwidth. Specific features of Nodogsplash are configurable, by editing the configuration file and the splash page. The default installed configuration may be all you need, though. + +Nodogsplash supports multiple means of authentication: + +- hit the submit button (default) +- call an external script that may accept username/password +- forwarding authentication to an external service diff --git a/forward_authentication_service/FAS-Docs/readme b/forward_authentication_service/FAS-Docs/readme new file mode 100644 index 0000000..e5421f4 --- /dev/null +++ b/forward_authentication_service/FAS-Docs/readme 
@@ -0,0 +1,62 @@ +Forwarding Authentication Service (FAS) + +Author: Rob White - BlueWave Projects and Services +Copyright (C) 2015-2017 BlueWave Projects and Services. This software is released under the GNU GPL license. + +Nodogsplash (NDS) can support external (to NDS) authentication. + +The BinVoucher process was derived to support this and has been called Forwarding Authentication. This is a non trivial function and although partially implemented in early versions, is not implemented in version 2, at the time of writing. + +######################################################################################## +Fortunately, Forwarding Authentication can be done without any modification to the core NDS code and in a way that is compatible with all versions, pre v1 beta through to the current release of v2. +######################################################################################## + +The defacto industry standard Captive Portal Detection (CPD), present on almost all devices these days, invokes the NDS splash page with various parameters passed to it by NDS, including the client access token. + +It is a simple matter to pass this token to an external Forwarding Authentication Service (FAS) by using a redirect in the splash page. + +For a client to access this external service, the ip address and port number of the service must be added to the NDS walled garden in nodogsplash.conf or its equivalent UCI config file if running under LEDE/OpenWrt. + +Included are various configuration files and remote php scripts, intended as an example implementation of FAS to demonstrate the methods. + +############ +INSTALLATION +############ + +NOTE: USING HTTPS +Your FAS can be an https server, but self signed certificates will throw dire "Here Be Dragons" warnings on your client devices when the redirection to your FAS takes place. Also even if using a registered CA all browsers will still return a security error on returning to Nodogsplash. 
This can be prevented by using wget to return to Nodogsplash from your FAS script instead of an html GET. + +The contents of the etc folder should be placed in the /etc folder of your NoDogSplash router, overwriting existing files. + +The following two files should be edited as follows. + +1: +/etc/config/nodogsplash should be edited to reflect the ip address and port of your FAS service as described in the comments in the example file. +Your FAS can reside on your Nodogsplash router, a web server on your LAN, or a web server on the internet. + +2: +/etc/nodogsplash/htdocs/splash.html should also be edited to reflect the URL of your FAS service as indicated in the comments in the example file. +Take note of the https warning in 1: above. A typical URL could be http://my-fas.net/nodog/fas.php?auth.... etc. + +3: +Run the command "chmod +x /etc/init.d/nodogsplash" on your router. + +Running FAS on your Nodogsplash router: +The example FAS service will run fairly well on uhttpd (the web server that serves Luci) on an LEDE/OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time. For this reason a device with a minimum of 16MB flash and 64MB ram is recommended. + +Running on uhttpd: +Install the modules php7 and php7-cgi on LEDE for the simple example. Further modules may be required when you write your own php scripts depending on your requirements. +To enable php in uhttpd you must add the line: + list interpreter ".php=/usr/bin/php-cgi" +to the /etc/config/uhttpd file in the config uhttpd 'main' or first section. + +Finally, reboot the router to start NoDogSplash in FAS mode. + +The example file "users.dat" contains a list of usernames and passwords. + +NOTE: /etc/config/nodogsplash contains the line "option enabled 1". If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem. + + + + + 
diff --git a/forward_authentication_service/etc/config/nodogsplash b/forward_authentication_service/etc/config/nodogsplash
new file mode 100644
index 0000000..4b121b8
--- /dev/null
+++ b/forward_authentication_service/etc/config/nodogsplash
@@ -0,0 +1,70 @@
+
+# The options available here are an adaptation of the settings used in nodogsplash.conf.
+# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
+# 2 Example entries added to allow preauthenticated clients access to the Forwarding Authentication Service
+
+config nodogsplash
+ # Set to 1 to enable nodogsplash
+ option enabled 1
+
+ # Use plain configuration file
+ #option config '/etc/nodogsplash/nodogsplash.conf'
+
+ # The network the users are connected to
+ option network 'lan'
+ option gatewayname 'NodogsplashFAS'
+ option maxclients '250'
+ option clientidletimeout '1200'
+
+ # Your router may have several interfaces, and you
+ # probably want to keep them private from the network/gatewayinterface.
+ # If so, you should block the entire subnets on those interfaces, e.g.:
+ #list authenticated_users 'block to 192.168.0.0/16'
+ #list authenticated_users 'block to 10.0.0.0/8'
+
+ # Typical ports you will probably want to open up.
+ #list authenticated_users 'allow tcp port 22'
+ #list authenticated_users 'allow tcp port 53'
+ #list authenticated_users 'allow udp port 53'
+ #list authenticated_users 'allow tcp port 80'
+ #list authenticated_users 'allow tcp port 443'
+ list authenticated_users 'allow all'
+
+ # For preauthenticated users to resolve IP addresses in their
+ # initial request not using the router itself as a DNS server,
+ #list preauthenticated_users 'allow tcp port 53'
+ #list preauthenticated_users 'allow udp port 53'
+
+ ############ FAS ############
+ # Allow preauthenticated users access to the Forwarding Authentiation service
+ #
+ # The following line allows access to the FAS wherever it is running but must be the port and ip address of FAS
+ # The example here [allow tcp port 80 to 46.32.240.37] was a live demonstration available at the time of writing
+ # It may still be available, try it and see.
+ list preauthenticated_users 'allow tcp port 80 to 46.32.240.37' + + # The following line is REQUIRED if the FAS is running ON THE SAME DEVICE as NDS + # and is the TCP *port* of the FAS service if not listed elsewhere in the users_to_router section + #list users_to_router 'allow tcp port 4280' + ############ FAS ############ + + # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS + list users_to_router 'allow tcp port 22' + list users_to_router 'allow tcp port 23' + list users_to_router 'allow tcp port 53' + list users_to_router 'allow udp port 53' + list users_to_router 'allow udp port 67' + list users_to_router 'allow tcp port 80' + list users_to_router 'allow tcp port 443' + + + # MAC addresses that are / are not allowed to access the splash page + # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used. + #option macmechanism 'allow' + #list allowedmac '00:00:C0:01:D0:0D' + #list allowedmac '00:00:C0:01:D0:1D' + #list blockedmac '00:00:C0:01:D0:2D' + + #MAC addresses that do not need to authenticate + #list trustedmac '00:00:C0:01:D0:1D' + diff --git a/forward_authentication_service/etc/nodogsplash/htdocs/infoskel.html b/forward_authentication_service/etc/nodogsplash/htdocs/infoskel.html new file mode 100644 index 0000000..dceb072 --- /dev/null +++ b/forward_authentication_service/etc/nodogsplash/htdocs/infoskel.html @@ -0,0 +1,66 @@ + + + + + + + + + +Something Went Wrong. + + + + +
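Review bot: `list preauthenticated_users 'allow tcp port 80 to 46.32.240.37'` ships an active pre-authentication walled-garden rule toward a public address that the comment above it describes only as a past demonstration which "may still be available", so an installer who copies this file without editing it opens access from unauthenticated clients to a host the project does not control. Ship the rule commented out with a placeholder, e.g. `#list preauthenticated_users 'allow tcp port 80 to FAS_IP_ADDRESS'`, in the same way the `#list users_to_router 'allow tcp port 4280'` example below it is commented, and point the comment at the readme step that fills it in. `list users_to_router 'allow tcp port 23'` also exposes telnet on the router to every captive client alongside SSH on port 22; it should be dropped or commented unless telnet is actually running. Separately, the top-level ChangeLog in this commit says the ClientTimeout settings were replaced by PreauthIdleTimeout and AuthedIdleTimeout, so `option clientidletimeout '1200'` may map to a removed setting — worth confirming against the init script that translates this UCI file.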

$gatewayname Hotspot Gateway. +

+ +Sorry! Something seems to have gone wrong. + +

+
The most likely cause is that your connection timed out.
+Please click the button to try again.


+ +
+ +
+
+ +Received Error: $content
Software version: $version
+ +
Copyright (C) 2004-2016. This software is released under the GNU GPL license. + + + + diff --git a/forward_authentication_service/etc/nodogsplash/htdocs/splash.html b/forward_authentication_service/etc/nodogsplash/htdocs/splash.html new file mode 100644 index 0000000..d50ed13 --- /dev/null +++ b/forward_authentication_service/etc/nodogsplash/htdocs/splash.html @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + +Login Required On This Network + + + +

+
+Redirecting.... +
+ + diff --git a/forward_authentication_service/nodog/css.php b/forward_authentication_service/nodog/css.php new file mode 100644 index 0000000..aa7a817 --- /dev/null +++ b/forward_authentication_service/nodog/css.php 
@@ -0,0 +1,101 @@ +body { +background-color:lightgrey; +color:black; +font-family: Arial, 'Arial Black', sans-serif; +} + +input[type=text], input[type=email], input[type=password] { +margin-left: 0%; margin-right: 0%; +text-align:left; +display: left; +font-size: 1em; +line-height: 1em; +color: #333; +font-weight: bold; +height: 1.5em; +width: auto; +max-width: 100%; +border: 1px solid #bbb; +} + +input[type=submit], input[type=button], input[type=file], button[type=link], select[type=list] { +-webkit-appearance: none; +-moz-appearance: none; +margin-left: 0%; +margin-right: 5%; +text-align:left; +display: left; +font-size: 1em; +line-height: 1em; +color: #333; +font-weight: bold; +height: 1.5em; +width: auto; +max-width: 95%; +background: #fdfdfd; +background: -moz-linear-gradient(top, #fdfdfd 0%, #bebebe 100%); +background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#fdfdfd), color-stop(100%,#bebebe)); +background: -webkit-linear-gradient(top, #fdfdfd 0%,#bebebe 100%); +background: -o-linear-gradient(top, #fdfdfd 0%,#bebebe 100%); +background: -ms-linear-gradient(top, #fdfdfd 0%,#bebebe 100%); +background: linear-gradient(to bottom, #fdfdfd 0%,#bebebe 100%); +border: 1px solid #bbb; +border-radius: 10px; +-webkit-border-radius: 10px; +-moz-border-radius: 10px; +} + +.box +{ +border: 2px solid #aaa; +border-radius: 4px; +padding: 5px; +min-width:200px; +max-width:100%; +} + +@media screen and (min-width: 500px) { +.box {max-width:50%;} +} + +textarea +{ +width: 97%; +margin-left:0%; +margin-right:0%; +} + +img +{ +width: 100%; +margin-left:0%; +margin-right:0%; +} + +mark { +background-color:red; +color:white; +} + +hr { +display:block; +margin-top:0.5em; +margin-bottom:0.5em; +margin-left:auto; +margin-right:auto; +border-style:inset; +border-width:5px; +} + +.offset { +max-width:400px; +min-width:200px; +margin: auto; + +} + +@media screen and (min-width: 2500px) { +body {font-size: 2em;} +} + + 
diff --git a/forward_authentication_service/nodog/fas.php b/forward_authentication_service/nodog/fas.php new file mode 100644 index 0000000..5c289e8 --- /dev/null +++ b/forward_authentication_service/nodog/fas.php @@ -0,0 +1,148 @@ +\n\n\n"); +} + +function acceptance($landing, $gatewayname, $tok, $tokchk, $redir, $orgurl, $authaction, $clientip, $clientmac, $username, $password) { +read_terms(); +echo("\n
\n
\n"); +echo("\n"); +echo("\n"); +echo("\n
\n"); +}//end of function acceptance + +function login($gatewayname, $tok, $tokchk, $redir, $orgurl, $authaction, $clientip, $clientmac, $username, $password) { +$me=$_SERVER['SCRIPT_NAME']; +echo ("
\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo ("\n"); +echo"
Username:
"; +echo ("\n
\n"); +echo"Password:
"; +echo ("\n

\n"); +echo ("\n
\n
\n"); +}//end of function login + +// Add headers to stop browsers from cacheing +header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); +header("Cache-Control: no-cache"); +header("Pragma: no-cache"); + +//Output our responsive page +echo"\n\n\n"; +echo"\n"; +echo"\n"; +echo"".$header.".\n"; +echo"\n\n\n"; + +//page header +echo "
\n"; +echo "
".$gatewayname."
".$header."

\n"; +echo"
\n"; +//end of page header + +################## check for invalid token return in NDS V2 ################### +#NDS V2 does not check for invalid (timed out) tokens so we have to check here# +if (isset($_GET['tokchk'])){ +$userurl=$_GET['orgurl']; +include "oops-ndsv2.php"; +} +############### end of check for invalid token return in NDS V2 ############### + +//Example Simple Login Form that checks in a plain text file for username and login +if (isset($_POST['username']))//Validate user supplied username and password +{ +if ($username!="")//username is set to something +{ +if (file_exists($users))//read the file line by line +{ +$handle=fopen($users,'r'); + +while(! feof($handle)) +{ +$line=fgets($handle); +if (feof($handle)){break;} +list($user,$pass)=explode(", ",$line); +if($username==trim($user) and $password==trim($pass)){$validated="yes"; break;} +}//end while not eof +if($validated!="yes"){$validated="no";} +fclose($handle); + +}//end if user database exists +else{echo"
Missing User Database
";} +}//end if username is set to something +else{$validated="no";} +}//end if username set +else{//Initial Form +echo"Enter Username and Password"; +login($gatewayname, $tok, $tokchk, $redir, $orgurl, $authaction, $clientip, $clientmac, $username, $password); +}//end else initial form + +if($validated=="yes") +{ +echo"Successful Login
"; +acceptance($landing, $gatewayname, $tok, $tokchk, $redir, $orgurl, $authaction, $clientip, $clientmac, $username, $password); +} +if($validated=="no") +{ +echo"Invalid login attempt"; +login($gatewayname, $tok, $tokchk, $redir, $orgurl, $authaction, $clientip, $clientmac, $username, ""); +} + +echo"
\n"; +echo "
\n"; +echo "© Blue Wave Projects and Services 2015-".date("Y")." This software is released under the GNU GPL license.\n"; +echo"
\n"; +echo"
\n"; + +echo"\n\n"; +?> diff --git a/forward_authentication_service/nodog/landing.php b/forward_authentication_service/nodog/landing.php new file mode 100644 index 0000000..e4d0bfa --- /dev/null +++ b/forward_authentication_service/nodog/landing.php @@ -0,0 +1,56 @@ +\n\n\n"); +} + + +if(isset($_GET['gatewayname'])){$gatewayname=$_GET['gatewayname'];} +else{$gatewayname="NoDogSplash";} +if(isset($_GET['tok'])){$tok=$_GET['tok'];} +if(isset($_GET['tokchk'])){$tokchk=$_GET['tokchk'];} +if(isset($_GET['orgurl'])){$orgurl=$_GET['orgurl'];} +if(isset($_GET['clientip'])){$clientip=$_GET['clientip'];} +if(isset($_GET['clientmac'])){$clientmac=$_GET['clientmac'];} +if(isset($_GET['username'])){$username=$_GET['username'];} + +// Add headers to stop browsers from cacheing +header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); +header("Cache-Control: no-cache"); +header("Pragma: no-cache"); + +//Output our responsive page +echo"\n\n\n"; +echo"\n"; +echo"\n"; +echo"".$header.".\n"; +echo"\n\n\n"; + +//page header +echo "
\n"; +echo "
".$gatewayname."
".$header."

\n"; +echo"
\n"; +//end of page header + +echo"
Welcome \"".$username."\".
You are logged in.


"; +echo"Thank you for accepting the Terms of Service.

You can now use your browser and device APPs as you normally would.

"; +read_terms(); + +echo"
\n"; +echo "
\n"; +echo "© Blue Wave Projects and Services 2015-".date("Y")." This software is released under the GNU GPL license."; +echo"
\n"; +echo""; +?> + diff --git a/forward_authentication_service/nodog/oops-ndsv2.php b/forward_authentication_service/nodog/oops-ndsv2.php new file mode 100644 index 0000000..c969470 --- /dev/null +++ b/forward_authentication_service/nodog/oops-ndsv2.php @@ -0,0 +1,11 @@ +Sorry! Something seems to have gone wrong!"; +echo"
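Review bot: `$gatewayname` and `$username` are taken straight from `$_GET` and echoed into the page, so a crafted link reflects markup and script into the landing page; escape them where they are read, e.g. `$gatewayname = htmlspecialchars($_GET['gatewayname'], ENT_QUOTES, 'UTF-8');` and `$username = htmlspecialchars($_GET['username'], ENT_QUOTES, 'UTF-8');`. `$tok`, `$tokchk`, `$orgurl`, `$clientip` and `$clientmac` are read from the query string here but not used in the visible code; if they are meant for later output they need the same treatment. Note also that this page prints "You are logged in" purely from query parameters, which is fine for a cosmetic landing page but should be labelled as such so nobody mistakes it for an authentication check.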
Most likely your connection timed out.
Please click the button to try again.
"; +echo"
"; +echo""; +echo"
"; +exit(); +?> + + + diff --git a/forward_authentication_service/nodog/tos.php b/forward_authentication_service/nodog/tos.php new file mode 100644 index 0000000..6150ad2 --- /dev/null +++ b/forward_authentication_service/nodog/tos.php @@ -0,0 +1,91 @@ + + + + + + + + +Terms of Service + + + + +"; +echo"
Terms of Service for use of this Hotspot.
Access is granted on a basis of trust that you will NOT misuse or abuse that access in any way.
"; + +echo"Please scroll down to read the Terms of Service in full or click the Continue button to return to the Acceptance Page"; +#echo"
"; +echo"
"; +echo""; +echo"
"; + +echo"
Proper Use"; + +echo"

This Hotspot provides a wireless network that allows you to connect to the Internet.
+Use of this Internet connection is provided in return for your FULL acceptance of these Terms Of Service.

"; + +echo "

You agree that you are responsible for providing security measures that are suited for your intended use of the Service. For example, you shall take full responsibility for taking adequate measures to safeguard your data from loss.

"; + +echo "

While the Hotspot uses commercially reasonable efforts to provide a secure service, the effectiveness of those efforts cannot be guaranteed. +

"; + +echo "

You may use the technology provided to you by this Hotspot for the sole purpose of using the Service as described here. You must immediately notify the Owner of any unauthorized use of the Service or any other security breach.

We will give you an IP address each time you access the Hotspot, and it may change. +
You shall not program any other IP or MAC address into your device that accesses the Hotspot. You may not use the Service for any other reason, including reselling any aspect of the Service. Other examples of improper activities include, without limitation:

"; +?> +
    +
  1. downloading or uploading such large volumes of data that the performance of the Service becomes noticeably degraded for other users for a significant period;
  2. + +
  3. attempting to break security, access, tamper with or use any unauthorized areas of the Service;
  4. + +
  5. removing any copyright, trademark or other proprietary rights notices contained in or on the Service;
  6. + +
  7. attempting to collect or maintain any information about other users of the Service (including usernames and/or email addresses) or other third parties for unauthorized purposes;
  8. + +
  9. logging onto the Service under false or fraudulent pretenses;
  10. + +
  11. creating or transmitting unwanted electronic communications such as SPAM or chain letters to other users or otherwise interfering with other user's enjoyment of the service;
  12. + +
  13. transmitting any viruses, worms, defects, Trojan Horses or other items of a destructive nature; or
  14. + +
  15. using the Service for any unlawful, harassing, abusive, criminal or fraudulent purpose.
  16. +
+ +
Content Disclaimer + +The Hotspot Owners do not control and are not responsible for data, content, services, or products that are accessed or downloaded through the Service. The Owners may, but are not obliged to, block data transmissions to protect the Owner and the Public.

+The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law, all express, implied, and statutary warranties, including, without limitation, the warranties of merchantability or fitness for a particular purpose. +

The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law any liability for infringement of proprietory rights and/or infringement of Copyright by any user of the system. Login details and device identities may be stored and be used as evidence in a Court of Law against such users.
"; + +echo"
Limitation of Liability +

Under no circumstances shall the Owners, their suppliers or their licensors be liable to any user or any third party on account of that party's use or misuse of or reliance on the Service. +

"; + +echo "
Changes to Terms of Service and Termination\n

We may modify or terminate the Service and these Terms of Service and any accompanying policies, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any user or any third party. Please review these Terms of Service from time to time so that you will be apprised of any changes.

\n"; + +echo "

We reserve the right to terminate your use of the Service, for any reason, and without notice. Upon any such termination, any and all rights granted to you by this Hotspot Owner shall terminate.

\n"; + +echo"
Indemnity"; +$indemnitystr="

You agree to hold harmless and indemnify the Owners of this Hotspot, their suppliers and licensors from and against any third party claim arising from or in any way related to your use of the Service, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and legal fees, of every kind and nature.

\n"; +echo $indemnitystr; + +echo"
"; +echo"
"; +echo""; +echo"
\n
\n"; +echo"
\n"; +echo("\n\n"); +?> + + + + diff --git a/forward_authentication_service/nodog/users.dat b/forward_authentication_service/nodog/users.dat new file mode 100644 index 0000000..495bc0c --- /dev/null +++ b/forward_authentication_service/nodog/users.dat @@ -0,0 +1,6 @@ +tom, letmein +dick, 123456 +harry, abcdefg +gemima, puddleduck23 +jennie, StarShipFreedom +judith, heyjude1968 diff --git a/forward_authentication_service/readme b/forward_authentication_service/readme new file mode 100644 index 0000000..9d72b62 --- /dev/null +++ b/forward_authentication_service/readme @@ -0,0 +1,6 @@ +Forwarding Authentication Service (FAS) + +Author: Rob White @bluewavenet - BlueWave Projects and Services +Copyright (C) 2015-2017 BlueWave Projects and Services. This software is released under the GNU GPL license. + +Nodogsplash (NDS) can support external (to NDS) authentication without using the Binvoucher functionality. diff --git a/resources/nodogsplash.conf b/resources/nodogsplash.conf index 63c82be..f657a0c 100644 --- a/resources/nodogsplash.conf +++ b/resources/nodogsplash.conf @@ -8,8 +8,7 @@ # GatewayInterface is not autodetected, has no default, and must be set here. # Set GatewayInterface to the interface on your router # that is to be managed by Nodogsplash. -# Typically br0 for the wired and wireless lan on OpenWrt White Russian. -# May be br-lan on OpenWrt Kamikaze. +# Typically br-lan for the wired and wireless lan. # GatewayInterface br-lan 
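Review bot: The sample user database stores passwords in clear text and ships six working credentials next to `fas.php`; if the `nodog/` directory is deployed as the web root, which the layout suggests (confirm), `users.dat` is fetchable by any client with a plain GET. Store `password_hash()` output rather than the raw password, and either keep the file outside the document root or deny it in the web server configuration. A line in the readme stating that these are demo entries to be replaced before deployment would also help.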
@@ -31,32 +30,33 @@ GatewayInterface br-lan # FirewallRuleSet authenticated-users { - # You may want to open access to a machine on a local - # subnet that is otherwise blocked (for example, to - # serve a redirect page; see RedirectURL). If so, - # allow that explicitly here, e.g: - # FirewallRule allow tcp port 80 to 192.168.254.254 +# You may want to open access to a machine on a local +# subnet that is otherwise blocked (for example, to +# serve a redirect page; see RedirectURL). If so, +# allow that explicitly here, e.g: +# FirewallRule allow tcp port 80 to 192.168.254.254 - # Your router may have several interfaces, and you - # probably want to keep them private from the GatewayInterface. - # If so, you should block the entire subnets on those interfaces, e.g.: - FirewallRule block to 192.168.0.0/16 - FirewallRule block to 10.0.0.0/8 +# Your router may have several interfaces, and you +# probably want to keep them private from the GatewayInterface. +# If so, you should block the entire subnets on those interfaces, e.g.: +# FirewallRule block to 192.168.0.0/16 +# FirewallRule block to 10.0.0.0/8 - # Typical ports you will probably want to open up include - # 53 udp and tcp for DNS, - # 80 for http, - # 443 for https, - # 22 for ssh: - FirewallRule allow tcp port 53 - FirewallRule allow udp port 53 - FirewallRule allow tcp port 80 - FirewallRule allow tcp port 443 - FirewallRule allow tcp port 22 - - # You might use ipset to easily allow/block range of ips, e.g.: - # FirewallRule allow ipset WHITELISTED_IPS - # FirewallRule allow tcp port 80 ipset WHITELISTED_IPS +# Typical ports you will probably want to open up include +# 53 udp and tcp for DNS, +# 80 for http, +# 443 for https, +# 22 for ssh: +# FirewallRule allow tcp port 53 +# FirewallRule allow udp port 53 +# FirewallRule allow tcp port 80 +# FirewallRule allow tcp port 443 +# FirewallRule allow tcp port 22 +# Or for happy customers allow all + FirewallRule allow all +# You might use ipset to easily 
allow/block range of ips, e.g.: +# FirewallRule allow ipset WHITELISTED_IPS +# FirewallRule allow tcp port 80 ipset WHITELISTED_IPS } # end FirewallRuleSet authenticated-users @@ -78,18 +78,19 @@ FirewallRuleSet authenticated-users { # the authenticated-users and users-to-router rulesets. # FirewallRuleSet preauthenticated-users { - # For preauthenticated users to resolve IP addresses in their initial - # request not using the router itself as a DNS server, - # you probably want to allow port 53 udp and tcp for DNS. - FirewallRule allow tcp port 53 - FirewallRule allow udp port 53 - # For splash page content not hosted on the router, you - # will want to allow port 80 tcp to the remote host here. - # Doing so circumvents the usual capture and redirect of - # any port 80 request to this remote host. - # Note that the remote host's numerical IP address must be known - # and used here. - # FirewallRule allow tcp port 80 to 123.321.123.321 +# For preauthenticated users to resolve IP addresses in their +# initial request not using the router itself as a DNS server. +# Leave commented to help prevent DNS tunnelling +# FirewallRule allow tcp port 53 +# FirewallRule allow udp port 53 +# +# For splash page content not hosted on the router, you +# will want to allow port 80 tcp to the remote host here. +# Doing so circumvents the usual capture and redirect of +# any port 80 request to this remote host. +# Note that the remote host's numerical IP address must be known +# and used here. +# FirewallRule allow tcp port 80 to 123.321.123.321 } # end FirewallRuleSet preauthenticated-users 
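Review bot: The shipped default for authenticated users changes from a port allow-list with `FirewallRule block to 192.168.0.0/16` and `FirewallRule block to 10.0.0.0/8` active to a bare `FirewallRule allow all` with the block rules commented out, so authenticated hotspot clients can reach every subnet behind the router by default. If rules are applied in order (as the rule chaining added in 2.1.0 suggests, confirm), keeping the two block lines active above `FirewallRule allow all` preserves the "happy customers" Internet access while still isolating the router's other interfaces; `172.16.0.0/12` was missing from that list before and is worth adding. At minimum the comment should say explicitly that `allow all` also exposes local subnets.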
@@ -120,9 +121,9 @@ FirewallRuleSet users-to-router { # You may want to allow ssh, http, and https to the router # for administration from the GatewayInterface. If not, # comment these out. - FirewallRule allow tcp port 22 - FirewallRule allow tcp port 80 - FirewallRule allow tcp port 443 + FirewallRule allow tcp port 22 + FirewallRule allow tcp port 80 + FirewallRule allow tcp port 443 } # end FirewallRuleSet users-to-router @@ -197,34 +198,29 @@ FirewallRuleSet users-to-router { # connect at any time. (Does not include users on the TrustedMACList, # who do not authenticate.) # -# MaxClients 20 + MaxClients 250 -# ClientIdleTimeout -# Parameter: ClientIdleTimeout -# Default: 10 +# Parameter: SessionTimeout +# Default: 0 # -# Set ClientIdleTimeout to the desired of number of minutes -# of inactivity before a user is automatically 'deauthenticated'. +# Set the default session length in seconds. A value of 0 is for +# sessions without an end. # -# ClientIdleTimeout 10 -# Parameter: ClientForceTimeout -# Default: 360 +# Parameter: PreAuthIdleTimeout +# Default: 300 # -# Set ClientForceTimeout to the desired number of minutes before -# a user is automatically 'deauthenticated', whether active or not +# Set PreAuthIdleTimeout to the desired number of seconds before +# an pre-authenticated user is automatically removed from the client list. # -# ClientForceTimeout 360 -# Parameter: AuthenticateImmediately -# Default: no +# Parameter: AuthedIdleTimeout +# Default: 7200 # -# Set to yes (or true or 1), to immediately authenticate users -# who make a http port 80 request on the GatewayInterface (that is, -# do not serve a splash page, just redirect to the user's request, -# or to RedirectURL if set). +# Set AuthedIdleTimeout to the desired number of seconds before +# an authenticated user is automatically 'deauthenticated' +# and removed from the client list. # -# AuthenticateImmediately no # Parameter: MACMechanism # Default: block 
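Review bot: The replacement timeouts change the shipped behaviour silently: `ClientForceTimeout` (default 360 minutes) forced every client to re-authenticate, while the new `SessionTimeout` defaults to 0, documented as "sessions without an end", so an active client now stays authenticated indefinitely and only `AuthedIdleTimeout 7200` ever removes it. The text should state this, e.g. `# Note: with SessionTimeout 0 an active client is never forced to re-authenticate; set a value if you rely on periodic re-login.` Also `before an pre-authenticated user` should read `before a pre-authenticated user`.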
@@ -264,47 +260,6 @@ FirewallRuleSet users-to-router { # # TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D - -# Parameter: PasswordAuthentication -# Default: no -# Set to yes (or true or 1), to require a password matching -# the Password parameter to be supplied when authenticating. -# -# -# PasswordAuthentication no - -# Parameter: Password -# Default: none -# Whitespace delimited string that is compared to user-supplied -# password when authenticating. -# -# -# Password nodog - -# Parameter: UsernameAuthentication -# Default: no -# Set to yes (or true or 1), to require a username matching -# the Username parameter to be supplied when authenticating. -# -# -# UsernameAuthentication no - -# Parameter: Username -# Default: none -# Whitespace delimited string that is compared to user-supplied -# username when authenticating. -# -# -# Username guest - -# Parameter: PasswordAttempts -# Default: 5 -# Integer number of failed password/username entries before -# a user is forced to reauthenticate. -# -# -# PasswordAttempts 5 - # Parameter: TrafficControl # Default: no # 
@@ -355,49 +310,27 @@ FirewallRuleSet users-to-router { # # ImagesDir images -# Parameter: BinVoucher +# Parameter: BinAuth # Default: None # -# Enable Voucher Support. -# If set, an alphanumeric voucher HTTP parameter is accepted -# and passed to a command line call along with the clients MAC: +# Enable BinAuth Support. +# If set, a program is called with several parameters on authentication or timeout on inactivity. # -# $ auth_voucher +# $ client_auth '' ''' +# $ idle_timeout +# $ session_end # -# BinVoucher must point to a program that will be called as described above. -# The call is expected to output the number of seconds the client -# is to be authenticated. Zero or negative seconds will cause the -# authentification request to be rejected. +# BinAuth must point to a program that will be called in one of the ways described above. +# The username and password values may be empty strings and are URL encoded. +# The program is expected to output the number of seconds the client +# is to be authenticated. Zero or negative seconds will cause the authentification request +# to be rejected. The same goes for an exit code that is not 0. # The output may contain a user specific download and upload limit in KBit/s: # # -# BinVoucher "/bin/myauth" - -# Parameter: ForceVoucher -# Default: no -# -# Force the use of a voucher. Authentification is not possible without voucher. -# -# ForceVoucher no - -# Parameter: EnablePreAuth -# Default: no -# -# Enable pre-authentication support. -# Pass the MAC of a client to a command line call before the splash page -# would be send: -# -# $ auth_status -# -# The call is expected to output the number of seconds the client -# is to be authenticated. Zero or negative seconds will cause the -# splash page to be displayed. -# The output may contain a user specific download and upload limit in KBit/s: -# -# -# EnablePreAuth no - +# BinAuth "/bin/myauth.sh" +# Nodogsplash uses specific values to mark packets using iptables. 
# Parameter: FW_MARK_BLOCKED # Default: 0x100 # @@ -407,6 +340,7 @@ FirewallRuleSet users-to-router { # Parameter: FW_MARK_AUTHENTICATED # Default: 0x400 # -# Nodogsplash uses specific values to mark packet using iptables. -# In rare cases these might conflict with other programs and need -# to be changed. +# Set FW_MARK for compatibilty with other Packages eg mwan3, sqm etc. +fw_mark_authenticated 30000 +fw_mark_trusted 20000 +fw_mark_blocked 10000 diff --git a/resources/splash.html b/resources/splash.html index 7c6ae07..2498305 100644 --- a/resources/splash.html +++ b/resources/splash.html @@ -27,10 +27,8 @@ Available variables: Additional Variables that can also be passed back via HTTP get. Or just append them to the authentication link: - nodoguser - nodogpass - info - voucher + username + password --> diff --git a/src/auth.c b/src/auth.c index f41b743..011c8e6 100644 --- a/src/auth.c +++ b/src/auth.c @@ -46,7 +46,7 @@ /* Defined in clientlist.c */ -extern pthread_mutex_t client_list_mutex; +extern pthread_mutex_t client_list_mutex; /* Count number of authentications */ unsigned int authenticated_since_start = 0; @@ -61,7 +61,7 @@ thread_client_timeout_check(void *arg) { pthread_cond_t cond = PTHREAD_COND_INITIALIZER; pthread_mutex_t cond_mutex = PTHREAD_MUTEX_INITIALIZER; - struct timespec timeout; + struct timespec timeout; while (1) { debug(LOG_DEBUG, "Running fw_refresh_client_list()"); @@ -95,12 +95,11 @@ auth_client_action(const char ip[], const char mac[], t_authaction action) LOCK_CLIENT_LIST(); - client = client_list_find(ip,mac); + client = client_list_find(ip, mac); /* Client should already have hit the server and be on the client list */ if (client == NULL) { - debug(LOG_ERR, "Client %s %s action %d is not on client list", - ip, mac, action); + debug(LOG_ERR, "Client %s %s action %d is not on client list", ip, mac, action); UNLOCK_CLIENT_LIST(); return; } 
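Review bot: The BinAuth text says the username and password are handed to the external program as command-line arguments (`$ client_auth ...`), which makes the password visible to every local user through `ps` or `/proc/<pid>/cmdline` for as long as the script runs; the documentation should warn about this, and a follow-up could pass the secret on stdin or in the environment instead. The comment should also say that the program runs with the daemon's privileges, since Nodogsplash manipulates iptables, so the script path must not be writable by unprivileged users. `authentification` in the same paragraph should read `authentication`.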
@@ -108,7 +107,7 @@ auth_client_action(const char ip[], const char mac[], t_authaction action) switch(action) { case AUTH_MAKE_AUTHENTICATED: - if(client->fw_connection_state != FW_MARK_AUTHENTICATED) { + if (client->fw_connection_state != FW_MARK_AUTHENTICATED) { client->fw_connection_state = FW_MARK_AUTHENTICATED; iptables_fw_access(AUTH_MAKE_AUTHENTICATED, client); authenticated_since_start++; @@ -118,15 +117,15 @@ auth_client_action(const char ip[], const char mac[], t_authaction action) break; case AUTH_MAKE_DEAUTHENTICATED: - if(client->fw_connection_state == FW_MARK_AUTHENTICATED) { + if (client->fw_connection_state == FW_MARK_AUTHENTICATED) { iptables_fw_access(AUTH_MAKE_DEAUTHENTICATED, client); } client_list_delete(client); break; default: - debug(LOG_ERR, "Unknown auth action: %d",action); + debug(LOG_ERR, "Unknown auth action: %d", action); } + UNLOCK_CLIENT_LIST(); - return; } diff --git a/src/client_list.c b/src/client_list.c index 0d47da3..7933f4c 100644 --- a/src/client_list.c +++ b/src/client_list.c @@ -113,7 +113,7 @@ _client_list_append(const char ip[], const char mac[], const char token[]) config = config_get_config(); maxclients = config->maxclients; - if(client_count >= maxclients) { + if (client_count >= maxclients) { debug(LOG_NOTICE, "Already list %d clients, cannot add %s %s", client_count, ip, mac); return NULL; } 
@@ -133,11 +133,15 @@ _client_list_append(const char ip[], const char mac[], const char token[]) client->mac = safe_strdup(mac); client->token = token ? safe_strdup(token) : NULL; client->fw_connection_state = FW_MARK_PREAUTHENTICATED; - client->counters.incoming = client->counters.incoming_history = 0; - client->counters.outgoing = client->counters.outgoing_history = 0; + client->counters.incoming = 0; + client->counters.incoming_history = 0; + client->counters.outgoing = 0; + client->counters.outgoing_history = 0; last_client_time = time(NULL); client->counters.last_updated = last_client_time; - client->added_time = last_client_time; + /* Session has not started and not ended yet */ + client->session_start = 0; + client->session_end = 0; for (i = 0; i < maxclients; i++) { if (client_arr[i]) @@ -171,7 +175,7 @@ _client_list_append(const char ip[], const char mac[], const char token[]) char * _client_list_make_auth_token(const char ip[], const char mac[]) { - char *token; + char *token = NULL; safe_asprintf(&token,"%04hx%04hx", rand16(), rand16()); @@ -190,7 +194,7 @@ client_list_add_client(const char ip[]) t_client *client; char *mac, *token; - if(!check_ip_format(ip)) { + if (!check_ip_format(ip)) { /* Inappropriate format in IP address */ debug(LOG_NOTICE, "Illegal IP format [%s]", ip); return NULL; @@ -207,14 +211,13 @@ client_list_add_client(const char ip[]) client = _client_list_append(ip, mac, token); free(token); } else { - debug(LOG_INFO, "Client %s %s token %s already on client list", - ip, mac, client->token); + debug(LOG_INFO, "Client %s %s token %s already on client list", ip, mac, client->token); } free(mac); return client; } -/** Finds a client by its IP and MAC, returns NULL if the client could not +/** Finds a client by its IP and MAC, returns NULL if the client could not * be found * @param ip IP we are looking for in the linked list * @param mac MAC we are looking for in the linked list 
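Review bot: `_client_list_make_auth_token` builds the client's authentication token from two `rand16()` calls, at most 32 bits, and that token is what a client presents to become authenticated; if `rand16()` wraps `rand()`/`random()` (its definition is not in this hunk, confirm) the sequence is predictable once one token has been observed, and the `= NULL` initialisation does not change that. Reading the bytes from `/dev/urandom` (or `getrandom()`) would remove the dependency without changing the `"%04hx%04hx"` format, and a comment such as `/* token is the client's bearer credential; must come from a CSPRNG */` would record the requirement. The function's return is outside the hunk.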
@@ -258,9 +261,9 @@ client_list_find_by_ip(const char ip[]) } /** - * Finds a client by its Mac, returns NULL if the client could not + * Finds a client by its MAC, returns NULL if the client could not * be found - * @param mac Mac we are looking for in the linked list + * @param mac MAC we are looking for in the linked list * @return Pointer to the client, or NULL if not found */ t_client * @@ -304,15 +307,15 @@ client_list_find_by_token(const char token[]) * @param client Points to the client to be freed */ void -_client_list_free_node(t_client * client) +_client_list_free_node(t_client *client) { - if (client->mac != NULL) + if (client->mac) free(client->mac); - if (client->ip != NULL) + if (client->ip) free(client->ip); - if (client->token != NULL) + if (client->token) free(client->token); if (client_arr[client->idx] == client) @@ -329,7 +332,7 @@ _client_list_free_node(t_client * client) * @param client Points to the client to be deleted */ void -client_list_delete(t_client * client) +client_list_delete(t_client *client) { t_client *ptr; diff --git a/src/client_list.h b/src/client_list.h index 299537a..d2511e5 100644 --- a/src/client_list.h +++ b/src/client_list.h 
@@ -30,27 +30,26 @@ /** Counters struct for a client's bandwidth usage (in bytes) */ typedef struct _t_counters { - unsigned long long incoming; /**< @brief Incoming data total*/ - unsigned long long outgoing; /**< @brief Outgoing data total*/ - unsigned long long incoming_history; /**< @brief Incoming data before nodogsplash restarted*/ - unsigned long long outgoing_history; /**< @brief Outgoing data before nodogsplash restarted*/ - time_t last_updated; /**< @brief Last update of the counters */ + unsigned long long incoming; /**< @brief Incoming data total*/ + unsigned long long outgoing; /**< @brief Outgoing data total*/ + unsigned long long incoming_history; /**< @brief Incoming data before nodogsplash restarted*/ + unsigned long long outgoing_history; /**< @brief Outgoing data before nodogsplash restarted*/ + time_t last_updated; /**< @brief Last update of the counters */ } t_counters; /** Client node for the connected client linked list. */ -typedef struct _t_client { - struct _t_client *next; /**< @brief Pointer to the next client */ - char *ip; /**< @brief Client Ip address */ - char *mac; /**< @brief Client Mac address */ - char *token; /**< @brief Client token */ - unsigned int fw_connection_state; /**< @brief Connection state in the firewall */ - time_t added_time; /**< @brief Time client added to list */ - t_counters counters; /**< @brief Counters for input/output of - the client. 
*/ - int attempts; /**< @brief Number of authentication attempts */ - int download_limit; /**< @brief Download limit, kb/s */ - int upload_limit; /**< @brief Upload limit, kb/s */ +typedef struct _t_client { + struct _t_client *next; /**< @brief Pointer to the next client */ + char *ip; /**< @brief Client IP address */ + char *mac; /**< @brief Client MAC address */ + char *token; /**< @brief Client token */ + unsigned int fw_connection_state; /**< @brief Connection state in the firewall */ + time_t session_start; /**< @brief Time the client was authenticated */ + time_t session_end; /**< @brief Time until client will be deauthenticated */ + t_counters counters; /**< @brief Counters for input/output of the client. */ + int download_limit; /**< @brief Download limit, kb/s */ + int upload_limit; /**< @brief Upload limit, kb/s */ int idx; } t_client; @@ -71,10 +70,9 @@ t_client *client_list_add_client(const char ip[]); t_client *client_list_find(const char ip[], const char mac[]); /** @brief Finds a client only by its IP */ -t_client *client_list_find_by_ip(const char ip[]); /* needed by fw_iptables.c, auth.c - * and ndsctl_thread.c */ +t_client *client_list_find_by_ip(const char ip[]); /* needed by fw_iptables.c, auth.c * and ndsctl_thread.c */ -/** @brief Finds a client only by its Mac */ +/** @brief Finds a client only by its MAC */ t_client *client_list_find_by_mac(const char mac[]); /* needed by ndsctl_thread.c */ /** @brief Finds a client by its token */ diff --git a/src/commandline.c b/src/commandline.c index dd374d7..9968bc2 100644 --- a/src/commandline.c +++ b/src/commandline.c 
@@ -44,16 +44,17 @@ static void usage(void); static void usage(void) { - printf("Usage: nodogsplash [options]\n"); - printf("\n"); - printf(" -c [filename] Use this config file\n"); - printf(" -f Run in foreground\n"); - printf(" -d Debug level\n"); - printf(" -s Log to syslog\n"); - printf(" -w Ndsctl socket path\n"); - printf(" -h Print usage\n"); - printf(" -v Print version information\n"); - printf("\n"); + printf("Usage: nodogsplash [options]\n" + "\n" + " -c [filename] Use this config file\n" + " -f Run in foreground\n" + " -d Debug level\n" + " -s Log to syslog\n" + " -w Ndsctl socket path\n" + " -h Print usage\n" + " -v Print version information\n" + "\n" + ); } /** Uses getopt() to parse the command line and set configuration values @@ -75,7 +76,7 @@ void parse_commandline(int argc, char **argv) case 'c': if (optarg) { - strncpy(config->configfile, optarg, sizeof(config->configfile)); + strncpy(config->configfile, optarg, sizeof(config->configfile)-1); } break; @@ -101,7 +102,7 @@ void parse_commandline(int argc, char **argv) break; case 'v': - printf("This is nodogsplash version " VERSION "\n"); + printf("This is Nodogsplash version " VERSION "\n"); exit(1); break; diff --git a/src/conf.c b/src/conf.c index c84cc08..a5b8742 100644 --- a/src/conf.c +++ b/src/conf.c @@ -34,6 +34,9 @@ #include #include +#include +#include +#include #include "common.h" #include "safe.h" @@ -47,7 +50,7 @@ /** @internal * Holds the current configuration of the gateway */ -static s_config config; +static s_config config = { 0 }; /** * Mutex for the configuration file, used by the auth_servers related @@ -63,6 +66,7 @@ static int missing_parms; The different configuration options */ typedef enum { oBadOption, + oSessionTimeout, oDaemon, oDebugLevel, oMaxClients, 
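Review bot: `strncpy(config->configfile, optarg, sizeof(config->configfile)-1)` only yields a terminated string because the last byte of `configfile` is zero beforehand (conf.c now initialises its static `config` with `= { 0 }`, which is presumably what this pointer refers to), and it still silently truncates a long path, so a too-long `-c` argument loads a different file than the one named. `snprintf(config->configfile, sizeof(config->configfile), "%s", optarg);` terminates unconditionally, and comparing its return value against `sizeof(config->configfile)` lets the option fail loudly on truncation instead. The rest of `parse_commandline` is outside the hunk.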
@@ -71,25 +75,15 @@ typedef enum { oGatewayIPRange, oGatewayAddress, oGatewayPort, - oRemoteAuthenticatorAction, - oEnablePreAuth, - oBinVoucher, - oForceVoucher, - oPasswordAuthentication, - oUsernameAuthentication, - oPasswordAttempts, - oUsername, - oPassword, oHTTPDMaxConn, oWebRoot, oSplashPage, oImagesDir, oPagesDir, oRedirectURL, - oClientIdleTimeout, - oClientForceTimeout, + oPreauthIdleTimeout, + oAuthedIdleTimeout, oCheckInterval, - oAuthenticateImmediately, oSetMSS, oMSSValue, oTrafficControl, @@ -97,9 +91,6 @@ typedef enum { oUploadLimit, oUploadIFB, oNdsctlSocket, - oDecongestHttpdThreads, - oHttpdThreadThreshold, - oHttpdThreadDelayMS, oSyslogFacility, oFirewallRule, oFirewallRuleSet, @@ -110,7 +101,8 @@ typedef enum { oAllowedMACList, oFWMarkAuthenticated, oFWMarkTrusted, - oFWMarkBlocked + oFWMarkBlocked, + oBinAuth } OpCodes; /** @internal @@ -120,6 +112,7 @@ static const struct { OpCodes opcode; int required; } keywords[] = { + { "sessiontimeout", oSessionTimeout }, { "daemon", oDaemon }, { "debuglevel", oDebugLevel }, { "maxclients", oMaxClients }, 
@@ -128,24 +121,14 @@ static const struct { { "gatewayiprange", oGatewayIPRange }, { "gatewayaddress", oGatewayAddress }, { "gatewayport", oGatewayPort }, - { "remoteauthenticatoraction", oRemoteAuthenticatorAction }, - { "enablepreauth", oEnablePreAuth }, - { "binvoucher", oBinVoucher }, - { "forcevoucher", oForceVoucher }, - { "passwordauthentication", oPasswordAuthentication }, - { "usernameauthentication", oUsernameAuthentication }, - { "passwordattempts", oPasswordAttempts }, - { "username", oUsername }, - { "password", oPassword }, { "webroot", oWebRoot }, { "splashpage", oSplashPage }, { "imagesdir", oImagesDir }, { "pagesdir", oPagesDir }, { "redirectURL", oRedirectURL }, - { "clientidletimeout", oClientIdleTimeout }, - { "clientforcetimeout", oClientForceTimeout }, + { "preauthidletimeout", oPreauthIdleTimeout }, + { "authedidletimeout", oAuthedIdleTimeout }, { "checkinterval", oCheckInterval }, - { "authenticateimmediately", oAuthenticateImmediately }, { "setmss", oSetMSS }, { "mssvalue", oMSSValue }, { "trafficcontrol", oTrafficControl }, @@ -153,11 +136,7 @@ static const struct { { "uploadlimit", oUploadLimit }, { "ifb", oUploadIFB }, { "syslogfacility", oSyslogFacility }, - { "syslogfacility", oSyslogFacility }, { "ndsctlsocket", oNdsctlSocket }, - { "decongesthttpdthreads", oDecongestHttpdThreads }, - { "httpdthreadthreshold", oHttpdThreadThreshold }, - { "httpdthreaddelayms", oHttpdThreadDelayMS }, { "firewallruleset", oFirewallRuleSet }, { "firewallrule", oFirewallRule }, { "emptyrulesetpolicy", oEmptyRuleSetPolicy }, @@ -168,6 +147,7 @@ static const struct { { "FW_MARK_AUTHENTICATED", oFWMarkAuthenticated }, { "FW_MARK_TRUSTED", oFWMarkTrusted }, { "FW_MARK_BLOCKED", oFWMarkBlocked }, + { "binauth", oBinAuth }, { NULL, oBadOption }, }; 
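Review bot: `{ "binauth", oBinAuth }` registers an option whose value, going by the name, is a program the daemon will run later, but the code that stores and uses that value (the `oBinAuth` case in `config_read`) is outside this chunk, so I cannot see whether the path is validated. Because the configuration file is the only source of that path, the consumer should require an absolute path and report an error at startup when the file does not exist or is not executable, instead of failing at the first authentication; please confirm such a check is present where the value is assigned. Removing the duplicate `syslogfacility` entry in the same hunk is a good catch.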
@@ -200,7 +180,8 @@ config_init(void) t_firewall_ruleset *rs; debug(LOG_DEBUG, "Setting default config parameters"); - strncpy(config.configfile, DEFAULT_CONFIGFILE, sizeof(config.configfile)); + strncpy(config.configfile, DEFAULT_CONFIGFILE, sizeof(config.configfile)-1); + config.session_timeout = DEFAULT_SESSION_TIMEOUT; config.debuglevel = DEFAULT_DEBUGLEVEL; config.maxclients = DEFAULT_MAXCLIENTS; config.gw_name = safe_strdup(DEFAULT_GATEWAYNAME); @@ -208,7 +189,6 @@ config_init(void) config.gw_iprange = safe_strdup(DEFAULT_GATEWAY_IPRANGE); config.gw_address = NULL; config.gw_port = DEFAULT_GATEWAYPORT; - config.remote_auth_action = NULL; config.webroot = safe_strdup(DEFAULT_WEBROOT); config.splashpage = safe_strdup(DEFAULT_SPLASHPAGE); config.infoskelpage = safe_strdup(DEFAULT_INFOSKELPAGE); @@ -217,16 +197,10 @@ config_init(void) config.authdir = safe_strdup(DEFAULT_AUTHDIR); config.denydir = safe_strdup(DEFAULT_DENYDIR); config.redirectURL = NULL; - config.clienttimeout = DEFAULT_CLIENTTIMEOUT; - config.clientforceout = DEFAULT_CLIENTFORCEOUT; + config.preauth_idle_timeout = DEFAULT_PREAUTH_IDLE_TIMEOUT, + config.authed_idle_timeout = DEFAULT_AUTHED_IDLE_TIMEOUT, config.checkinterval = DEFAULT_CHECKINTERVAL; config.daemon = -1; - config.passwordauth = DEFAULT_PASSWORD_AUTH; - config.usernameauth = DEFAULT_USERNAME_AUTH; - config.passwordattempts = DEFAULT_PASSWORD_ATTEMPTS; - config.username = NULL; - config.password = NULL; - config.authenticate_immediately = DEFAULT_AUTHENTICATE_IMMEDIATELY; config.set_mss = DEFAULT_SET_MSS; config.mss_value = DEFAULT_MSS_VALUE; config.traffic_control = DEFAULT_TRAFFIC_CONTROL; 
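Review bot: The two new assignments in `config_init` end with commas instead of semicolons, so `config.preauth_idle_timeout = ..., config.authed_idle_timeout = ..., config.checkinterval = ...;` is parsed as one comma expression. It compiles and assigns the intended values, but it reads as a typo, clang's `-Wcomma` will flag it, and a future edit that inserts a statement between the lines would break in a confusing way. Use `config.preauth_idle_timeout = DEFAULT_PREAUTH_IDLE_TIMEOUT;` and `config.authed_idle_timeout = DEFAULT_AUTHED_IDLE_TIMEOUT;`. `config_init` starts before the hunk and continues past it.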
@@ -237,9 +211,6 @@ config_init(void) config.log_syslog = DEFAULT_LOG_SYSLOG; config.ndsctl_sock = safe_strdup(DEFAULT_NDSCTL_SOCK); config.internal_sock = safe_strdup(DEFAULT_INTERNAL_SOCK); - config.decongest_httpd_threads = DEFAULT_DECONGEST_HTTPD_THREADS; - config.httpd_thread_threshold = DEFAULT_HTTPD_THREAD_THRESHOLD; - config.httpd_thread_delay_ms = DEFAULT_HTTPD_THREAD_DELAY_MS; config.rulesets = NULL; config.trustedmaclist = NULL; config.blockedmaclist = NULL; @@ -249,6 +220,7 @@ config_init(void) config.FW_MARK_TRUSTED = DEFAULT_FW_MARK_TRUSTED; config.FW_MARK_BLOCKED = DEFAULT_FW_MARK_BLOCKED; config.ip6 = DEFAULT_IP6; + config.bin_auth = NULL; /* Set up default FirewallRuleSets, and their empty ruleset policies */ rs = add_ruleset("trusted-users"); @@ -269,7 +241,9 @@ config_init(void) void config_init_override(void) { - if (config.daemon == -1) config.daemon = DEFAULT_DAEMON; + if (config.daemon == -1) { + config.daemon = DEFAULT_DAEMON; + } } /** @internal @@ -280,12 +254,13 @@ config_parse_opcode(const char *cp, const char *filename, int linenum) { int i; - for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + for (i = 0; keywords[i].name; i++) { + if (strcasecmp(cp, keywords[i].name) == 0) { return keywords[i].opcode; + } + } - debug(LOG_ERR, "%s: line %d: Bad configuration option: %s", - filename, linenum, cp); + debug(LOG_ERR, "%s: line %d: Bad configuration option: %s", filename, linenum, cp); return oBadOption; } @@ -321,7 +296,7 @@ add_ruleset(const char rulesetname[]) ruleset = get_ruleset(rulesetname); - if(ruleset != NULL) { + if (ruleset != NULL) { debug(LOG_DEBUG, "add_ruleset(): FirewallRuleSet %s already exists.", rulesetname); return ruleset; } @@ -338,7 +313,6 @@ add_ruleset(const char rulesetname[]) return ruleset; } - /** @internal Parses an empty ruleset policy directive */ 
@@ -358,7 +332,7 @@ parse_empty_ruleset_policy(char *ptr, const char *filename, int lineno) /* get the ruleset struct with this name; error if it doesn't exist */ debug(LOG_DEBUG, "Parsing EmptyRuleSetPolicy for %s", rulesetname); ruleset = get_ruleset(rulesetname); - if(ruleset == NULL) { + if (ruleset == NULL) { debug(LOG_ERR, "Unrecognized FirewallRuleSet name: %s at line %d in %s", rulesetname, lineno, filename); debug(LOG_ERR, "Exiting..."); exit(-1); @@ -377,7 +351,7 @@ parse_empty_ruleset_policy(char *ptr, const char *filename, int lineno) "block" means iptables REJECT */ if (ruleset->emptyrulesetpolicy != NULL) free(ruleset->emptyrulesetpolicy); - if(!strcasecmp(policy,"passthrough")) { + if (!strcasecmp(policy,"passthrough")) { ruleset->emptyrulesetpolicy = safe_strdup("RETURN"); } else if (!strcasecmp(policy,"allow")) { ruleset->emptyrulesetpolicy = safe_strdup("ACCEPT"); @@ -406,13 +380,13 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename, /* find whitespace delimited word in ruleset string; this is its name */ p1 = strchr(rulesetname,' '); - if(p1) *p1 = '\0'; + if (p1) *p1 = '\0'; p1 = strchr(rulesetname,'\t'); - if(p1) *p1 = '\0'; + if (p1) *p1 = '\0'; debug(LOG_DEBUG, "Parsing FirewallRuleSet %s", rulesetname); ruleset = get_ruleset(rulesetname); - if(ruleset == NULL) { + if (ruleset == NULL) { debug(LOG_ERR, "Unrecognized FirewallRuleSet name: %s", rulesetname); debug(LOG_ERR, "Exiting..."); exit(-1); @@ -424,10 +398,10 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename, p1 = _strip_whitespace(line); /* if nothing left, get next line */ - if(p1[0] == '\0') continue; + if (p1[0] == '\0') continue; /* if closing brace, we are done */ - if(p1[0] == '}') break; + if (p1[0] == '}') break; /* next, we coopt the parsing of the regular config */ 
@@ -435,7 +409,7 @@ parse_firewall_ruleset(const char *rulesetname, FILE *fd, const char *filename, p2 = p1; while ((*p2 != '\0') && (!isblank(*p2))) p2++; /* if this is end of line, it's a problem */ - if(p2[0] == '\0') { + if (p2[0] == '\0') { debug(LOG_ERR, "FirewallRule incomplete on line %d in %s", *linenum, filename); debug(LOG_ERR, "Exiting..."); exit(-1); @@ -525,7 +499,7 @@ _parse_firewall_rule(t_firewall_ruleset *ruleset, char *leftover) /* Get the optional port or port range */ if (strncmp(leftover, "port", 4) == 0) { - if(protocol == NULL || + if (protocol == NULL || !(strncmp(protocol, "tcp", 3) == 0 || strncmp(protocol, "udp", 3) == 0)) { debug(LOG_ERR, "Port without tcp or udp protocol"); return -3; /*< Fail */ @@ -619,7 +593,7 @@ get_empty_ruleset_policy(const char *rulesetname) { t_firewall_ruleset *rs; rs = get_ruleset(rulesetname); - if(rs == NULL) return NULL; + if (rs == NULL) return NULL; return rs->emptyrulesetpolicy; } @@ -683,6 +657,7 @@ config_read(const char *filename) FILE *fd; char line[MAX_BUF], *s, *p1, *p2; int linenum = 0, opcode, value; + struct stat sb; debug(LOG_INFO, "Reading configuration file '%s'", filename); @@ -697,7 +672,7 @@ config_read(const char *filename) s = _strip_whitespace(line); /* if nothing left, get next line */ - if(s[0] == '\0') continue; + if (s[0] == '\0') continue; /* now we require the line must have form:
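Review bot: `struct stat sb;` is added to the top-level declarations of `config_read`, but nothing in this hunk uses it; its use is presumably further down in the function, outside the hunk. Declaring it next to the `stat()` call that fills it would keep the declaration close to its single use and make it obvious that `sb` is only read after that call has been checked for success, since its contents are indeterminate otherwise. `config_read`'s body continues outside the hunk.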