[Chilli] [Layer3] Like uamallowed, but for source address - like macallowed but for IPs - ip source whitelist - server whitelist
Michele Bergonzoni
bergonz at labs.it
Mon Dec 2 17:32:36 UTC 2013
> Could you resubmit your patches as attachments and "sign-off" on them
> based acknowledging:
> http://dev.coova.org/svn/coova-chilli/Contributing ?
Ok, I attach the patches I sent in the last days:
- edns.diff: Patch to pass EDNS pseudorecords
- typo.diff: Trivial patch for MAC_ARG type when compiling with --enable-debug2
- l3singledhcp.diff: Patch for having a single DHCP connection when using L3 only
- ipsrcallowed.diff: the patch we were talking about
- all4.diff: The previous 4 patches in a single diff
- Contribution.txt: The sign-off you asked for.
So you should be able to use whatever combination of pieces you prefer.
Hope this helps,
Bergonz
--
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
Phone:+39-051-6781926 e-mail: bergonz at labs.it
alt.advanced.networks.design.configure.operate
-------------- next part --------------
Contributions to CoovaChilli
----------------------------
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the modified BSD license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same modified BSD license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Additionally, I certify that:
(e) The contribution can be licensed under the modified BSD license,
as shown below, and the GPL license, in LICENSE file, even in
case of files that are currently licensed under other terms.
(f) I understand that my contribution is licensed under the modified
BSD license contained in this file, but that the CoovaChilli
combined work remains licensed under the GPL license contained
in the LICENSE file.
To indicate your acceptance of these terms, please add the following
line to each contribution you make to the project:
Signed-by: Michele Bergonzoni <bergonz at labs.it>
--
Modified BSD license (no advertisement clause) for code contributions:
Copyright (c) Mondru AB, David Bird (Coova Technologies)
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name(s) of the above-listed copyright holder(s) nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-------------- next part --------------
Index: conf/functions.in
===================================================================
--- conf/functions.in (revision 485)
+++ conf/functions.in (working copy)
@@ -179,6 +179,9 @@
HS_UAMALLOW=$(echo $HS_UAMALLOW|sed 's/ /,/g')
uamallow=${HS_UAMALLOW:+",$HS_UAMALLOW"}
+ HS_IPSRCALLOWED=$(echo $HS_IPSRCALLOWED|sed 's/ /,/g')
+ addconfig1 ${HS_IPSRCALLOWED:+"ipsrcallowed $HS_IPSRCALLOWED"}
+
addconfig1 ${HS_MAXCLIENTS:+"maxclients $HS_MAXCLIENTS"}
addconfig1 ${HS_RADIUSQSIZE:+"radiusqsize $HS_RADIUSQSIZE"}
addconfig1 ${HS_DHCPHASHSIZE:+"dhcphashsize $HS_DHCPHASHSIZE"}
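Review bot: the new HS_IPSRCALLOWED variable is wired into the generated config here but documented nowhere else in the patch, so an operator has no hint of the accepted syntax; please add a commented example next to where HS_UAMALLOW is described (e.g. "HS_IPSRCALLOWED=\"10.1.2.3 10.1.2.0/24\"", if the same address/netmask forms as uamallowed are accepted). Mirroring the HS_UAMALLOW line is otherwise fine: the unquoted `echo $HS_IPSRCALLOWED` collapses runs of whitespace before `sed` turns them into commas, which is what the comma-separated `ipsrcallowed` option expects.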
Index: src/options.h
===================================================================
--- src/options.h (revision 485)
+++ src/options.h (working copy)
@@ -302,6 +302,11 @@
uint32_t regex_num_pass_throughs;
#endif
+#ifdef ENABLE_LAYER3
+ pass_through ipsrc_pass_throughs[MAX_IPSRC_PASS_THROUGHS];
+ uint32_t ipsrc_num_pass_throughs;
+#endif
+
char* uamdomains[MAX_UAM_DOMAINS];
int uamdomain_ttl;
Index: src/cmdline.ggo
===================================================================
--- src/cmdline.ggo (revision 485)
+++ src/cmdline.ggo (working copy)
@@ -266,6 +266,7 @@
option "uamdomainfile" - "Load uamdomains (regex) from file" string no
option "layer3" - "Layer3 only" flag off
+option "ipsrcallowed" - "List of allowed source IP addresses, for Layer3" string no multiple
option "patricia" - "Use patricia tries for walled garden lookup" flag off
option "redirdnsreq" - "Send DNS query on redirect to pick of DNS based walled garden" flag off
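Review bot: the option is declared unconditionally here while its only consumer (the main-opt.c hunk) is inside `#ifdef ENABLE_LAYER3`, so on a build without Layer3 support `ipsrcallowed` is parsed and silently ignored; either guard the declaration the same way or emit a warning in main-opt.c when the option is given on such a build, so an operator who believes a whitelist is active is not misled. The help string should also state the accepted format (comma-separated, whether netmasks or CIDR are allowed, as for uamallowed) and that the list applies to client-side addresses, not servers, since the subject line uses both descriptions.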
Index: src/dhcp.c
===================================================================
--- src/dhcp.c (revision 485)
+++ src/dhcp.c (working copy)
@@ -617,6 +617,13 @@
struct dhcp_conn_t *p;
uint32_t hash;
+#ifdef ENABLE_LAYER3
+ if (_options.layer3 && this->firstusedconn){
+ /* We want just one dhcp connection, so reuse the same */
+ *conn = this->firstusedconn;
+ return 0;
+ }
+#endif
/* Find in hash table */
hash = dhcp_hash(hwaddr) & this->hashmask;
for (p = this->hash[hash]; p; p = p->nexthash) {
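Review bot: the early return hands every caller the same `firstusedconn` without ever looking at `hwaddr`, so in layer3 mode the function no longer does what its name and the hash lookup below promise. Please confirm that no caller on the L3 path relies on the returned connection's hwaddr or on per-connection state (authorization, session data) being specific to the requesting host; if any does, state granted to one L3 client becomes visible to all of them. A comment explaining why layer3 needs exactly one dhcp_conn_t, and where per-client state lives in that mode, would save the next reader the same question.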
@@ -904,7 +911,7 @@
if (_options.debug) {
addr.s_addr = pack_iph->saddr;
log_dbg("NFQUEUE: From "MAC_FMT" %s %s",
- MAC_ACR(hw->hw_addr),
+ MAC_ARG(hw->hw_addr),
inet_ntoa(addr),
result == NF_ACCEPT ? "Accept" : "Drop");
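Review bot: straightforward fix, but the same `MAC_ACR` misspelling is corrected twice in this file (here and in dhcp_decaps below), both inside debug-only blocks that only compile with --enable-debug2 per the cover mail; a grep for MAC_ACR across src/ is worth doing to confirm no third occurrence remains, and a debug2 build should be part of the pre-release checks so such breakage does not survive in the tree.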
@@ -2503,6 +2510,26 @@
found = 1;
#endif
+#ifdef ENABLE_LAYER3
+ if (!found && _options.ipsrc_pass_throughs){
+#if(_debug_ > 1)
+ log_dbg("Checking ipsrcallowed pass throughs (%d)", _options.ipsrc_num_pass_throughs);
+#endif
+ if (garden_check(_options.ipsrc_pass_throughs,
+ &_options.ipsrc_num_pass_throughs, &pt,
+ ipph, !dst
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ )) {
+ found = 1;
+#if(_debug_ > 1)
+ log_dbg("Packet matches ipsrcallowed");
+#endif
+ }
+ }
+#endif
+
#ifdef ENABLE_GARDENACCOUNTING
if (_options.uamgardendata) {
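Review bot: the condition `!found && _options.ipsrc_pass_throughs` is always true, because `ipsrc_pass_throughs` is an array member (see the options.h hunk), not a pointer; the intended test is `_options.ipsrc_num_pass_throughs > 0`, which also keeps the debug line from reporting "(0)" on every packet. Separately, please confirm the `!dst` inversion is deliberate: it applies the check to the client-side address of the packet (source on the uplink, destination on the downlink), making this a per-client allow list like macallowed rather than a server whitelist like uamallowed. Since a client's IP address is self-asserted in a Layer3 deployment, the option documentation should say plainly that this is a convenience for trusted segments and not an authentication control.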
@@ -5015,7 +5042,7 @@
struct pkt_ethhdr_t *ethh = pkt_ethhdr(packet);
log_dbg("dhcp_decaps: src="MAC_FMT" "
"dst="MAC_FMT" prot=%.4x %d len=%d",
- MAC_ACR(ethh->src),
+ MAC_ARG(ethh->src),
MAC_ARG(ethh->dst),
prot, (int)prot, length);
}
Index: src/dns.c
===================================================================
--- src/dns.c (revision 485)
+++ src/dns.c (working copy)
@@ -360,6 +360,7 @@
break;
case 29: log_dbg("LOC record"); break;
case 33: log_dbg("SRV record"); break;
+ case 41: log_dbg("EDNS OPT pseudorecord"); break;
case 47: log_dbg("NSEC record"); break;
}
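Review bot: only a `log_dbg` case is added, so if the intent stated in the cover mail ("pass EDNS pseudorecords") is achieved, it must be because this switch's default branch, not visible in the hunk, previously rejected unknown types; please mention that in the commit message so the behavioural change is traceable. Note also that OPT (type 41, RFC 6891) is a pseudo-RR whose CLASS field carries the requester's UDP payload size rather than a real class, so any class-based validation elsewhere in the parser should skip type 41.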
Index: src/main-opt.c
===================================================================
--- src/main-opt.c (revision 485)
+++ src/main-opt.c (working copy)
@@ -724,6 +724,18 @@
#endif
);
}
+#ifdef ENABLE_LAYER3
+ for (numargs = 0; numargs < args_info.ipsrcallowed_given; ++numargs) {
+ pass_throughs_from_string(_options.ipsrc_pass_throughs,
+ MAX_IPSRC_PASS_THROUGHS,
+ &_options.ipsrc_num_pass_throughs,
+ args_info.ipsrcallowed_arg[numargs], 0, 0
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ );
+ }
+#endif
_options.uamauthedallowed = args_info.uamauthedallowed_flag;
#ifdef ENABLE_AUTHEDALLOWED
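Review bot: the return value of `pass_throughs_from_string` is discarded, so entries beyond `MAX_IPSRC_PASS_THROUGHS` (8 by default per the chilli_limits.h hunk) would be dropped without any diagnostic; a silently truncated allow list is hard to troubleshoot, so log a warning (or refuse to start) when the limit is hit, as operators will reasonably exceed eight addresses on a non-LARGELIMITS build.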
Index: src/chilli_limits.h
===================================================================
--- src/chilli_limits.h (revision 485)
+++ src/chilli_limits.h (working copy)
@@ -134,4 +134,12 @@
#define RADIUS_QUEUE_PACKET_PTR 1
#endif
+#ifdef ENABLE_LAYER3
+#ifdef ENABLE_LARGELIMITS
+#define MAX_IPSRC_PASS_THROUGHS 512 /* Max number of allowed IP source addresses, for Layer3 */
+#else
+#define MAX_IPSRC_PASS_THROUGHS 8 /* Max number of allowed IP source addresses, for Layer3 */
#endif
+#endif
+
+#endif
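Review bot: the hunk reuses the file's existing final `#endif` (the include guard) as the close of the new `#ifdef ENABLE_LARGELIMITS`, then re-adds the guard's `#endif` at the bottom; the nesting balances, but the diff is hard to review and the guard line now closes a different block than it did before. Insert the complete block, including its own two `#endif` lines, above the untouched include-guard `#endif` so that each close is visibly paired with its open in the patch.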
-------------- next part --------------
Index: src/dns.c
===================================================================
--- src/dns.c (revision 485)
+++ src/dns.c (working copy)
@@ -360,6 +360,7 @@
break;
case 29: log_dbg("LOC record"); break;
case 33: log_dbg("SRV record"); break;
+ case 41: log_dbg("EDNS OPT pseudorecord"); break;
case 47: log_dbg("NSEC record"); break;
}
-------------- next part --------------
Index: conf/functions.in
===================================================================
--- conf/functions.in (revision 485)
+++ conf/functions.in (working copy)
@@ -179,6 +179,9 @@
HS_UAMALLOW=$(echo $HS_UAMALLOW|sed 's/ /,/g')
uamallow=${HS_UAMALLOW:+",$HS_UAMALLOW"}
+ HS_IPSRCALLOWED=$(echo $HS_IPSRCALLOWED|sed 's/ /,/g')
+ addconfig1 ${HS_IPSRCALLOWED:+"ipsrcallowed $HS_IPSRCALLOWED"}
+
addconfig1 ${HS_MAXCLIENTS:+"maxclients $HS_MAXCLIENTS"}
addconfig1 ${HS_RADIUSQSIZE:+"radiusqsize $HS_RADIUSQSIZE"}
addconfig1 ${HS_DHCPHASHSIZE:+"dhcphashsize $HS_DHCPHASHSIZE"}
Index: src/dhcp.c
===================================================================
--- src/dhcp.c (revision 485)
+++ src/dhcp.c (working copy)
@@ -2503,6 +2503,26 @@
found = 1;
#endif
+#ifdef ENABLE_LAYER3
+ if (!found && _options.ipsrc_pass_throughs){
+#if(_debug_ > 1)
+ log_dbg("Checking ipsrcallowed pass throughs (%d)", _options.ipsrc_num_pass_throughs);
+#endif
+ if (garden_check(_options.ipsrc_pass_throughs,
+ &_options.ipsrc_num_pass_throughs, &pt,
+ ipph, !dst
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ )) {
+ found = 1;
+#if(_debug_ > 1)
+ log_dbg("Packet matches ipsrcallowed");
+#endif
+ }
+ }
+#endif
+
#ifdef ENABLE_GARDENACCOUNTING
if (_options.uamgardendata) {
Index: src/main-opt.c
===================================================================
--- src/main-opt.c (revision 485)
+++ src/main-opt.c (working copy)
@@ -724,6 +724,18 @@
#endif
);
}
+#ifdef ENABLE_LAYER3
+ for (numargs = 0; numargs < args_info.ipsrcallowed_given; ++numargs) {
+ pass_throughs_from_string(_options.ipsrc_pass_throughs,
+ MAX_IPSRC_PASS_THROUGHS,
+ &_options.ipsrc_num_pass_throughs,
+ args_info.ipsrcallowed_arg[numargs], 0, 0
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ );
+ }
+#endif
_options.uamauthedallowed = args_info.uamauthedallowed_flag;
#ifdef ENABLE_AUTHEDALLOWED
Index: src/cmdline.ggo
===================================================================
--- src/cmdline.ggo (revision 485)
+++ src/cmdline.ggo (working copy)
@@ -266,6 +266,7 @@
option "uamdomainfile" - "Load uamdomains (regex) from file" string no
option "layer3" - "Layer3 only" flag off
+option "ipsrcallowed" - "List of allowed source IP addresses, for Layer3" string no multiple
option "patricia" - "Use patricia tries for walled garden lookup" flag off
option "redirdnsreq" - "Send DNS query on redirect to pick of DNS based walled garden" flag off
Index: src/chilli_limits.h
===================================================================
--- src/chilli_limits.h (revision 485)
+++ src/chilli_limits.h (working copy)
@@ -134,4 +134,12 @@
#define RADIUS_QUEUE_PACKET_PTR 1
#endif
+#ifdef ENABLE_LAYER3
+#ifdef ENABLE_LARGELIMITS
+#define MAX_IPSRC_PASS_THROUGHS 512 /* Max number of allowed IP source addresses, for Layer3 */
+#else
+#define MAX_IPSRC_PASS_THROUGHS 8 /* Max number of allowed IP source addresses, for Layer3 */
#endif
+#endif
+
+#endif
Index: src/options.h
===================================================================
--- src/options.h (revision 485)
+++ src/options.h (working copy)
@@ -302,6 +302,11 @@
uint32_t regex_num_pass_throughs;
#endif
+#ifdef ENABLE_LAYER3
+ pass_through ipsrc_pass_throughs[MAX_IPSRC_PASS_THROUGHS];
+ uint32_t ipsrc_num_pass_throughs;
+#endif
+
char* uamdomains[MAX_UAM_DOMAINS];
int uamdomain_ttl;
-------------- next part --------------
Index: src/dhcp.c
===================================================================
--- src/dhcp.c (revision 485)
+++ src/dhcp.c (working copy)
@@ -617,6 +617,13 @@
struct dhcp_conn_t *p;
uint32_t hash;
+#ifdef ENABLE_LAYER3
+ if (_options.layer3 && this->firstusedconn){
+ /* We want just one dhcp connection, so reuse the same */
+ *conn = this->firstusedconn;
+ return 0;
+ }
+#endif
/* Find in hash table */
hash = dhcp_hash(hwaddr) & this->hashmask;
for (p = this->hash[hash]; p; p = p->nexthash) {
-------------- next part --------------
Index: src/dhcp.c
===================================================================
--- src/dhcp.c (revision 485)
+++ src/dhcp.c (working copy)
@@ -904,7 +904,7 @@
if (_options.debug) {
addr.s_addr = pack_iph->saddr;
log_dbg("NFQUEUE: From "MAC_FMT" %s %s",
- MAC_ACR(hw->hw_addr),
+ MAC_ARG(hw->hw_addr),
inet_ntoa(addr),
result == NF_ACCEPT ? "Accept" : "Drop");
@@ -5015,7 +5015,7 @@
struct pkt_ethhdr_t *ethh = pkt_ethhdr(packet);
log_dbg("dhcp_decaps: src="MAC_FMT" "
"dst="MAC_FMT" prot=%.4x %d len=%d",
- MAC_ACR(ethh->src),
+ MAC_ARG(ethh->src),
MAC_ARG(ethh->dst),
prot, (int)prot, length);
}