**************************************************/
/*************************************
-This program uses following data structures
-to maintain the state of each terminal.
+This program uses following data structures to maintain the state of each terminal.
+ * MAC address is used as the main key for recognizing the user terminal.
+ * IP address is kept only for information.
+ * The packet cache uses the MAC-IP pair, as to record all IPs.
1. Packet Check Cache
To speed up the packet check process, the address checked once
is ignored for a while.
The cache (key: MAC&IP address pair) is used to decide
the necessity of checking.
- The cache is maintained the information of arrived packets
- by using hash-table and queue in the memory of local machine.
+ The cache maintains the information of arrived packets
+ by using hash-table and queue in the memory of the local machine.
2. Session Table
The table (key: MAC address) maintains temporal information
- of terminals allowing the use of network now.
- The data are stored in the DB of local machine.
- 3. MAC address Table
+ of terminals allowing the use of network at now.
+ The data are stored in the work DB(SQLite3) on the local machine
+ (table:sessionmd in db:opengatemd.db).
+ 3. MAC-IP pair Table
+ The table maintains the MAC-IP pairs where an active session has the MAC
+ (One MAC corresponds to plural IPs(ipv4 and ipv6))
+ The data are stored in the work DB on the local machine.
+ (table:macippair in db:opengatemd.db)
+ The mac-ip pair table in management db is used only for logging.
+ 4. MAC address registration Table
The table (key: MAC address) maintains MAC addresses of terminals
and the owners' information.
- The data are stored in the DB of a central machine
+ The data are stored in the management DB(MySQL) on a central machine
and accessed via network.
- 4. Cache of MAC address Table
+ (table: macaddrs in db:opengatem)
+ 5. Cache of MAC address registration Table
As the network DB access is time-consuming, the access cache
- (key: MAC address) is maintained in the memory of local machine.
+ (key: MAC address) is maintained in the memory of the local machine.
+
-MAC address is used as main key for the user terminal.
-IP address is kept only for information.
-The packet cache uses the MAC-IP pair, as to record all IP.
*************************************/
#include "opengatemd.h"
int checkInterval; /* useless session check interval */
int isNatOrRouter=FALSE; /* the packet is sent from nat/router */
char macAddrInUdp[ADDRMAXLN]; /* mac address sent from udp port */
- int ret;
+ int ret; /* return code */
char clientIpAddress[ADDRMAXLN]; /* udp client ip address */
/* analyze arguments */
terminateProg(0);
}
- /* if '-v' option, show makedir and exit */
+ /* if '-v' option, show 'makedir' and exit */
+ /* makedir is the directory where the make command is executed */
+ /* the directory can include the string such as 'opengatem0.9.9-trial'. */
if(showVersionMode){
printf("makedir: %s\n", MAKEDIR);
terminateProg(0);
terminateProg(0);
}
- /* if endServiceMode, stop deamon and close sessions after setup */
+ /* if endServiceMode, stop deamon */
+ /* and close sessions(about 30-lines below in this source) */
if(endServiceMode) KillDaemon();
- /* get runmode from command argument and set as daemon */
+ /* if not console mode, run as daemon */
if(consoleMode) errToSyslog(FALSE); /* console mode (no syslog) */
else Daemonize(); /* daemon mode (fork&exit) */
if(!InitMngDb()) terminateProg(0);
InitTtlCheck();
InitWatchlistCache();
- PrepareUdpPort(sigIoHandler); /* UDP port runs as asynchronous */
+ PrepareUdpPort(sigIoHandler); /* UDP port runs in asynchronous mode */
- /* if endService is indicated, close all sessions, and exit */
+ /* if endServiceMode is indicated, close all sessions, and exit */
if(endServiceMode){
DelAllSessions();
terminateProg(0);
}
- /* set check interval and remove residue sessions that are useless */
+ /* set check interval and remove useless residue sessions */
checkInterval=atoi(GetConfValue("UselessCheckInterval"));
uselessCheckTime=time(NULL);
DelUselessSessions();
- /*** enter packet inspection loop ***/
+ /*** enter infinite loop of packet inspection ***/
while(1){
/* if sig-hup flag is on, reload this program */
+ /* sig-hup flag is set in sigHupHandler, when HUP signal arrives */
if(sigHupArrived)execlp(argv[0], argv[0], NULL);
- /* if mac addresses are received from management program through udp port,
- remove the addresses from caches */
+ /* if sig-IO flag is on, get mac addresses from UDP port */
+ /* and remove the addresses from caches (renew info at next capture) */
+ /* sig-IO flag is on in sigIoHandler, when a packet arrives. */
+ /* the packet includes renewed mac addresses sent from management program. */
if(sigIoArrived){
sigIoArrived=FALSE;
while(GetDataFromUdpPort(macAddrInUdp, ADDRMAXLN, clientIpAddress)>0){
/* if no packet */
if(ret==0){
-
- /* check&delete useless sessions */
- /* when long time passed from previous check */
+
+ /* when long time passed from previous check, check&delete useless sessions */
if( time(NULL) - uselessCheckTime > checkInterval ){
uselessCheckTime = time(NULL);
DelUselessSessions();
/* ignore local packet */
if(ttl<=1) continue;
- /* ignore the packet checked recently */
+ /* ignore the packet tha is checked recently */
if( IsRecentlyCheckedAddress(macAndIpAddressRaw, addrLen) ) continue;
+ /**** no more processing for recently checked packets ****/
/**** only cache timeout packets proceeds to below ****/
/* convert address from network-raw form to presentation form */
addrLen-MACADDRLN, ipAddress);
/* if the address is included in watchlist, report the detection */
+ /* watchlist is the address list needing specific reporting */
+ /* (e.g., suspicion of illegal access). no need for normal operation */
if(IsFoundInWatchlistCache(macAddress)==TRUE){
err_msg_warn("WARN: find mac=%s ip=%s", macAddress, ipAddress);
}
- /* check nat/router and save info to db */
+ /* check NAT/Router and save info to db */
+ /* when NAT/Router is inserted, the acquired MAC is the address of NAT/Router */
+ /* thus the MAC based control is failed */
+ /* at now, not denying the packet but reporting the detection. */
isNatOrRouter=IsSentViaNatOrRouter(ipAddress, macAddress, ttl);
if(isNatOrRouter) PutLogAtNatOrRouter(isNatOrRouter,ipAddress,macAddress,ttl);
PutMacInfoToWorkDb(macAddress, ttl, isNatOrRouter);
/*** get the status of the terminal from session table and DB ***/
- /* search the address in session table */
+ /* search the captured address in session table */
sessionFound = IsMatchedSessionFound(macAddress);
- /* search the address in cache of MAC DB */
+ /* search the captured address in cache of MAC DB */
macFound = QueryMacFromMacCache(macAddress, userId, extraId);
- /* if accessing cache of MAC DB is failed, access MAC DB */
+ /* if failed, access MAC DB */
if(macFound==ERROR){
macFound = QueryMacFromMngDb(macAddress, userId, extraId);
- /* if db access is failed, set not-found and retry next time */
- /* if db access is successed (found or not), save it to cache */
+ /* if db access is failed, set not-found and retry at next capture */
+ /* if db access is successed (found or not-found), save it to cache */
if(macFound==ERROR) macFound=FALSE;
else AddMacCacheItem(macAddress, userId, extraId, macFound);
}
- /*** depending the states, add/del/renew the session ***/
+ /*** depending the status, add/del/renew the session ***/
/* if valid mac and no session, start session */
if(macFound && !sessionFound){
AddSession(macAddress, userId, extraId);
- /* save MAC and IP address pair */
+ /* save MAC and IP address pair to work db */
SetMacIpPair(macAddress, ipAddress, userId, extraId);
}
/* if no mac and started session, stop session */
- /* (MAC and IP pairs are removed in stop session) */
+ /* (MAC-IP pair in work db is removed in delSession) */
if(!macFound && sessionFound){
DelSession(macAddress);
}
if(macFound && sessionFound){
/* in normal case, ipfw rule exists. */
- if(IsMacAddressFoundInIpfw(macAddress)) RenewSession(macAddress);
-
+ if(IsMacAddressFoundInIpfw(macAddress)){
+ RenewSession(macAddress);
+ }
+
/* when no ipfw rule exists, reset the session */
else{
DelSession(macAddress);
AddSession(macAddress, userId, extraId);
}
- /* save MAC and IP address pair */
- /* only when new pair is found. */
+ /* save MAC-IP pair to work db (new ip is found for a mac in session). */
SetMacIpPair(macAddress, ipAddress, userId, extraId);
}
DelUselessSessions();
}
}
+ /*** end of infinite loop ***/
/* clear data structures (can't reach here, but coded for debugging) */
FreeCache();
/* get lock file name */
lockFileMd=GetConfValue("DaemonLockFile");
- /* if lock file is not exists, skip */
+ /* if lock file does not exist, skip */
if(stat(lockFileMd, &st)!=0){
;
}
- /* read pid from the file */
+ /*else (file exists), read pid from the file */
else if((file=fopen(lockFileMd, "r"))==NULL){
err_msg("ERR at %s#%d: cannot open proc lock file:%s",__FILE__,__LINE__
,lockFileMd);
}
-
else if(fscanf(file, "%d", &pid)==0){
err_msg("ERR at %s#%d: cannot read proc lock file:%s",__FILE__,__LINE__
,lockFileMd);
}
if(file!=NULL) fclose(file);
- /* send kill signal to the pid process */
+ /* send kill signal to the 'pid' process */
if(pid!=0){
seteuid(0); /* get root privilege */
kill(pid, SIGKILL);
/* get lock file name */
lockFileMd=GetConfValue("DaemonLockFile");
- /* if lock file is not exists, skip */
+ /* if lock file does not exists, skip */
if(stat(lockFileMd, &st)!=0){
;
}
- /* read pid from the file */
+ /* else (file exists), read pid from the file */
else if((file=fopen(lockFileMd, "r"))==NULL){
err_msg("ERR at %s#%d: cannot open proc lock file:%s",__FILE__,__LINE__
,lockFileMd);
}
-
else if(fscanf(file, "%d", &pid)==0){
err_msg("ERR at %s#%d: cannot read proc lock file:%s",__FILE__,__LINE__
,lockFileMd);
}
if(file!=NULL)fclose(file);
- /* send hup signal to the pid process */
+ /* send hup signal to the 'pid' process */
if(pid!=0){
seteuid(0); /* get root privilege */
kill(pid, SIGHUP);
*************************************/
void terminateProg(int ret){
- /* close opengatemd.db */
+ /* close work db (opengatemd.db) */
FinalizeWorkDb();
if(debug>0) err_msg("INFO: Terminated");