X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=mdsrc%2Fsession.c;h=151f6d286b202c2a7ddd78669193a5acfa442576;hb=8e54deeda4cca8e6ceceea7d7df11d6047e7e8cd;hp=6b48f97c979caf9248e759e076db856bc836803b;hpb=8da4f192a4aeba5ac0b592859af2df8d979d43a7;p=opengatem%2Fopengatem.git
diff --git a/mdsrc/session.c b/mdsrc/session.c
index 6b48f97..151f6d2 100644
--- a/mdsrc/session.c
+++ b/mdsrc/session.c
@@ -1,6 +1,15 @@ /************************************************** OpengateM - a MAC address authentication system - module for Controlling sessions + module for Controling sessions + + each session corresponds to the active client used now + (session main key is the mac address of the client) + a session is created at the start of accessing from a client + the session is removed at the end of accessing from the client + the end is determined when no packet is detected for a while + + MAC-IP pair is also kept in work db to recognize IP addresses + corresponding to each session Copyright (C) 2011 Opengate Project Team Written by Yoshiaki Watanabe 
@@ -25,7 +34,7 @@ Email: watanaby@is.saga-u.ac.jp /******************************* add session for the mac address -add ipfw-rule and table-entry, write db and log +add ipfw-rule, add session in work db, and write log(MngDb and syslog) *******************************/ int addSession(char* macAddress, char* userId, char* extraId){ int ruleNumber; 
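Review bot: The rewritten header comment at the top of the @@ -1,6 hunk turns the already-correct `module for Controlling sessions` into `module for Controling sessions`, a spelling regression; keep `Controlling`. The rest of the added description (one session per MAC, removal after a period with no packets, MAC-IP pairs kept in the work db) reads clearly and agrees with the function comments later in this diff.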
@@ -36,27 +45,33 @@ int addSession(char* macAddress, char* userId, char* extraId){ int ruleNumberInDb; /* open firewall */ + /* return value */ + /* normally open: ipfw rule number added for the mac */ + /* error: between -2 and 2 (see ipfw.c for detail) */ + /* already opened: ipfw rule number found, but inverted sign (ruleNo = -retVal) */ ruleNumber=OpenClientGate(macAddress, userId, extraId); /* check error */ if(-2<=ruleNumber && ruleNumber<=2) failToAdd=TRUE; - /* if mac is already registered in ipfw rule */ + /* if the mac is already registered in ipfw rule */ if(ruleNumber < -2){ - /* if mac is active session in work db, do nothing */ + /* if the mac is active session in work db, do nothing */ if(GetSessionFromWorkDb(macAddress, userId, extraId, &openTime, &checkTime, &ruleNumberInDb)){ return FALSE; } - /* if not active session in work db, invert sign and goto write db */ + /* if no active session in work db */ + /* invert sign(the inverted value means the ipfw rule found) and make session (below) */ else{ ruleNumber=-ruleNumber; } } - /* if addtion is failed, retry on next packet (clear cache for checking) */ - /* as to prevent error loop, retry count is limitted */ + /* if addtion is failed, retry on next packet */ + /* (as the entry in packet-cache is cleared, next packet is not skipped) */ + /* (as to prevent error loop, retry count is limitted) */ if( failToAdd || !IsMacAddressFoundInIpfw(macAddress) ){ nSerialError++; if(nSerialError<1) DelCacheItem(macAddress,""); 
@@ -79,7 +94,7 @@ int addSession(char* macAddress, char* userId, char* extraId){ /******************************* delete session for the mac address -(del ipfw-rule and table-entry, write db and log) +del ipfw-rule, del session in work db, and write log(MngDb and syslog) *******************************/ void delSession(char* macAddress){ char userId[USERMAXLN]=""; 
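Review bot: The new comment `(as the entry in packet-cache is cleared, next packet is not skipped)` above `if( failToAdd || !IsMacAddressFoundInIpfw(macAddress) )` does not match the code under it: `DelCacheItem` is guarded by `if(nSerialError<1)` immediately after `nSerialError++;`, so unless nSerialError starts below zero (its declaration is outside the hunk) the guard is never true, the cache entry is never cleared, and the next packet from a MAC whose rule failed to add is skipped instead of retried. If a bounded retry is what the comment `retry count is limitted` intends, the guard should compare against that limit, e.g. `if(nSerialError<RETRY_LIMIT) DelCacheItem(macAddress,"");` with `RETRY_LIMIT` a placeholder for a named constant, and the comment should state the limit. It would also help to say where nSerialError is reset on a successful add, which this hunk does not show. The body of addSession continues past the end of the hunk.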
@@ -116,7 +131,7 @@ void delSession(char* macAddress){ /******************************* renew session for the ip address -(renew time in table entry) +(renew time in session-table entry) *******************************/ void renewSession(char* macAddress){ 
@@ -138,9 +153,8 @@ void delUselessSessions(void){ } /********************************** -CALLBACK FUNCTION -called back from sqlite3_exec -in sessiondb.c/delUselessSessionsInDb & delAllSessionsInDb +this is CALLBACK FUNCTION +(called back from sqlite3_exec in workdb.c/delUselessSessionsInWorkDb) **********************************/ int closeSession(void* pParam, int argc, char *argv[], char* colName[]){ 
@@ -176,20 +190,19 @@ int closeSession(void* pParam, int argc, char *argv[], char* colName[]){ } /******************************* -search db to find all ip -del ipfw rule, del table entry, write db/log +delete all sessions (terminate the all service) *******************************/ void delAllSessions(void){ - /* scan db to remove all sessions. argument indicates delayed flag */ + /* scan db to remove all sessions (argument indicates immediate deletion) */ DelUselessSessionsInWorkDb(FALSE); - /* scan ipfw rule to close unmatched db row */ + /* remove ipfw rules having no corresponding db entry */ CloseUnmatchSessions(); } /********************************************** -is the mac session found +is the session for the mac found in work db **********************************************/ int isMatchedSessionFound(char* macAddress){ char userId[USERMAXLN]; 
@@ -204,7 +217,7 @@ int isMatchedSessionFound(char* macAddress){ } /************************************ -debug routine for hash table +debug dump routine for a hash table ************************************/ void dumpTable(DB* table){ DBT hashKey; 
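Review bot: The replaced comment above `DelUselessSessionsInWorkDb(FALSE);` in delAllSessions now says `(argument indicates immediate deletion)`, which with a FALSE argument reads as "do not delete immediately", the opposite of the previous wording `argument indicates delayed flag`, under which FALSE meant no delay. One of the two is wrong, and which cannot be settled from this hunk because the callee lives in workdb.c; if the old meaning holds, the line should read `/* scan db to remove all sessions (FALSE = no delay, delete at once) */`. The new function-header line `delete all sessions (terminate the all service)` would read better as `delete all sessions (called when the whole service terminates)`, assuming that is the intent.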
@@ -229,14 +242,14 @@ void dumpTable(DB* table){ /************************************************ close sessions that lost ipfw rule or database entry - load rules from ipfw and database, then compare + make HashTables of sessions and ipfw-rules, then compare sessionTable ruleTable -form opengatemd.db from ipfw - key=macAddr macAddr - val=0 ipfwRule + from work-db from ipfw + key=macAddr key=macAddr + val=0 val=ipfwRule ^ ^ |-----------------| -entry in ruleTable adn sessionTable should be matched. +entry in ruleTable and sessionTable should be matched. if exists in ruleTable and not in sessionTable, remove rule if exists in sessionTable and not in ruleTable, remove session *************************************************/ 
@@ -279,8 +292,8 @@ void closeUnmatchSessions(void){ } /******************************* -remove session in db unmatched to ipfw active rule - (db entry exists but no ipfw rule is found) +remove session unmatched to ipfw active rule + (session exists in session-table but no ipfw rule exists in rule-table) *******************************/ void removeSessionUnmatchedToIpfwRule(DB* ruleTable, DB* sessionTable){ DBT hashKey; 
@@ -294,14 +307,13 @@ void removeSessionUnmatchedToIpfwRule(DB* ruleTable, DB* sessionTable){ int openTime; int checkTime; - /* scan session table to find entry unmatched to rule table */ + /*** scan session table to find entry unmatched to rule table */ /* get first entry of session table */ memset(&hashKey, 0, sizeof(DBT)); memset(&hashVal, 0, sizeof(DBT)); retSesTbl=sessionTable->seq(sessionTable, &hashKey, &hashVal, R_FIRST); while(retSesTbl==0){ - /* (get-function returns 0 on success) */ /* if found a session, save the data */ strlcpy(macAddress, (char*)hashKey.data, ADDRMAXLN); 
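Review bot: `strlcpy(macAddress, (char*)hashKey.data, ADDRMAXLN);` at the end of the @@ -294,14 hunk treats the hash key as a NUL-terminated string, while a DBT carries an explicit `size`; this is only safe if the keys were inserted with their terminator counted in `size`, and the table-building code is not in this diff. If that is not guaranteed, copy by length instead: `size_t n = hashKey.size < ADDRMAXLN-1 ? hashKey.size : ADDRMAXLN-1;` then `memcpy(macAddress, hashKey.data, n);` and `macAddress[n] = '\0';`. The loop body of removeSessionUnmatchedToIpfwRule continues past the end of the hunk.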
@@ -311,15 +323,16 @@ void removeSessionUnmatchedToIpfwRule(DB* ruleTable, DB* sessionTable){ memset(&hashVal, 0, sizeof(DBT)); retRuleTbl=ruleTable->get(ruleTable, &hashKey, &hashVal, 0); - /* (get-function returns 0 on success) */ - /*** rule for the session exists */ - if(retRuleTbl==0){ - ; /* do nothing */ + /*** if rule exists (the session matchs to a rule), do nothing */ + if(retRuleTbl==0){ /* (get-function returns 0 on success) */ + ; } - /*** rule for the session does not exist */ + /*** else(no rule for the session), remove the session */ else{ + /* write log and close session */ + /* (as Hash(sessionTable) is cleared after scanning, it is untouched) */ if(!GetSessionFromWorkDb(macAddress, userId, extraId, &openTime, &checkTime, &ruleNumber)){ err_msg("ERR at %s#%d: fail to get session info",__FILE__,__LINE__); 
@@ -340,8 +353,8 @@ void removeSessionUnmatchedToIpfwRule(DB* ruleTable, DB* sessionTable){ } /*********************************** -remove active ipfw rule unmatched to session in db - (ipfw rule exists but no db entry is found) +remove active ipfw rule unmatched to session table + (ipfw rule exists in rule-table but no corresponding session exists in session-table) ***********************************/ void removeIpfwRuleUnmatchedToSession(DB* ruleTable, DB* sessionTable){ DBT hashKey; 
@@ -351,7 +364,7 @@ void removeIpfwRuleUnmatchedToSession(DB* ruleTable, DB* sessionTable){ int ruleNumber; char macAddress[ADDRMAXLN]; - /* scan ipfw rule table to find entry unmatched to session table */ + /*** scan ipfw rule table to find entry unmatched to session table */ /* get first entry of ipfw rule table */ memset(&hashKey, 0, sizeof(DBT)); memset(&hashVal, 0, sizeof(DBT)); 
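Review bot: The `if(retRuleTbl==0){ ; }` branch kept in the rewritten block of removeSessionUnmatchedToIpfwRule, and its twin `if(retSesTbl==0){ ; }` in the @@ -368,16 hunk of removeIpfwRuleUnmatchedToSession, exist only to carry a comment; inverting the test drops the empty statement and reads more directly, e.g. `/* a rule for this session exists (get returns 0): nothing to do */` followed by `if(retRuleTbl!=0){`. The new line `(as Hash(sessionTable) is cleared after scanning, it is untouched)` usefully explains why removing the session does not disturb the table being iterated; `matchs` should be `matches` in both hunks. The error branch starting at `err_msg("ERR at %s#%d: fail to get session info",...)` continues beyond the hunk, so whether the unmatched session is still removed after that failure cannot be judged here.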
@@ -368,16 +381,16 @@ void removeIpfwRuleUnmatchedToSession(DB* ruleTable, DB* sessionTable){ memset(&hashVal, 0, sizeof(DBT)); retSesTbl=sessionTable->get(sessionTable, &hashKey, &hashVal, 0); - /* (get-function returns 0 on success) */ - /*** session for the rule exists */ - if(retSesTbl==0){ - ; /* do nothing */ + /*** if session exists(the rule matchs to a session), do nothing */ + if(retSesTbl==0){ /* (get-function returns 0 on success) */ + ; } - /*** session for the rule does not exist */ + /*** else(no session for the rule), remove the rule */ else{ - /* remove entry in ipfw rule */ + /* remove entry in ipfw active rules */ + /* (as Hash(ruleTable) is cleared after scanning, it is untouched) */ CloseClientGate(ruleNumber); DelCacheItem(macAddress,""); 
@@ -385,7 +398,7 @@ void removeIpfwRuleUnmatchedToSession(DB* ruleTable, DB* sessionTable){ WriteCloseToSyslog("?", "", macAddress, time(NULL)); PutCloseToMngDb(macAddress); - /* write session info to syslog */ + /* write session info to syslog (no user info)*/ if(debug>0) WriteSessionInfoToSyslog("?","", macAddress, ruleNumber); } 
@@ -417,6 +430,7 @@ void writeCloseToSyslog(char* userId, char* extraId, char* macAddress, int openT double time_l; int hour, min, sec; + /* time_l is the time length from open-net to close-net */ time_l=difftime((int)time(NULL), openTime); hour=time_l/60/60; min=(time_l-hour*60*60)/60; 
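Review bot: The comment changed to `/* write session info to syslog (no user info)*/` in the @@ -385,7 hunk describes only the last call, but the same limitation applies to `WriteCloseToSyslog("?", "", macAddress, time(NULL));` three lines above it, where the current time is passed as `openTime`; writeCloseToSyslog (see the @@ -417,6 hunk) computes `difftime((int)time(NULL), openTime)`, so the close record for a rule that has no session will always carry a zero session length. A comment on that call such as `/* open time unknown here, so the logged length is 0 */` would stop a reader of these records from trusting the duration.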
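Review bot: The added `/* time_l is the time length from open-net to close-net */` in the @@ -417,6 hunk sits above `time_l=difftime((int)time(NULL), openTime);`, where the `(int)` cast narrows the `time_t` from time(NULL) only for difftime to widen it again; since `openTime` is declared `int` in the signature the stored value is already narrowed, but the cast on the current time is unnecessary and hides that epoch seconds are being held in an int. I would extend the comment to `/* time_l is the elapsed seconds from open-net to close-net (openTime holds epoch seconds as int) */` and write `time_l=difftime(time(NULL), openTime);`. The rest of writeCloseToSyslog is outside the hunk.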
@@ -460,11 +474,14 @@ Memorize the MAC&IP address pair to DB and log **********************************************/ void setMacIpPair(char* macAddress, char* ipAddress, char* userId, char* extraId){ - /* if the pair is not found in work db, record it */ + /* if the pair is not found in work db, record it */ + /* the pair in work db is used for saving session detail (remove at the end of session)*/ + /* one session includes plural pairs (one MAC corresponds to plural IPs) */ if(!IsFoundMacIpPairInWorkDb(macAddress, ipAddress)){ PutMacIpPairToWorkDb(macAddress, ipAddress); /* record the pair to management db */ + /* the pair in management db is the sccess log (don't remove at the end of session)*/ PutMacIpPairToMngDb(macAddress, ipAddress); /* write to syslog */
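Review bot: The added comment `/* the pair in management db is the sccess log (don't remove at the end of session)*/` above `PutMacIpPairToMngDb(macAddress, ipAddress);` has a typo that leaves it ambiguous between "access log" and "success log"; since this line is what tells a maintainer that the management-db copy of the MAC-IP pair is a retained record rather than session state, spell it out, e.g. `/* the pair in management db is the access log (kept after the session ends) */` if access is meant. The preceding new line `one session includes plural pairs (one MAC corresponds to plural IPs)` is a useful addition, though `several` reads more naturally than `plural`. setMacIpPair continues past the end of the hunk.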