/**************************************************
OpengateM - a MAC address authentication system
- module for Controlling sessions
+ module for Controling sessions
+
+ each session corresponds to the active client used now
+ (session main key is the mac address of the client)
+ a session is created at the start of accessing from a client
+ the session is removed at the end of accessing from the client
+ the end is determined when no packet is detected for a while
+
+ MAC-IP pair is also kept in work db to recognize IP addresses
+ corresponding to each session
Copyright (C) 2011 Opengate Project Team
Written by Yoshiaki Watanabe
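Review bot: The rewritten header line `+ module for Controling sessions` drops an "l" that the removed line spelled correctly; keep `- module for Controlling sessions` and only add the new explanatory paragraph beneath it. The added paragraph itself is useful, but "accessing from a client" reads awkwardly — `a session is created when a client starts sending packets and removed once no packet has been seen from it for a while` says the same thing in the terms the rest of the file uses. The closing `*/` of this header block is outside the visible hunk.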
/*******************************
add session for the mac address
-add ipfw-rule and table-entry, write db and log
+add ipfw-rule, add session in work db, and write log(MngDb and syslog)
*******************************/
int addSession(char* macAddress, char* userId, char* extraId){
int ruleNumber;
int ruleNumberInDb;
/* open firewall */
+ /* return value */
+ /* normally open: ipfw rule number added for the mac */
+ /* error: between -2 and 2 (see ipfw.c for detail) */
+ /* already opened: ipfw rule number found, but inverted sign (ruleNo = -retVal) */
ruleNumber=OpenClientGate(macAddress, userId, extraId);
/* check error */
if(-2<=ruleNumber && ruleNumber<=2) failToAdd=TRUE;
- /* if mac is already registered in ipfw rule */
+ /* if the mac is already registered in ipfw rule */
if(ruleNumber < -2){
- /* if mac is active session in work db, do nothing */
+ /* if the mac is active session in work db, do nothing */
if(GetSessionFromWorkDb(macAddress, userId, extraId, &openTime,
&checkTime, &ruleNumberInDb)){
return FALSE;
}
- /* if not active session in work db, invert sign and goto write db */
+ /* if no active session in work db */
+ /* invert sign(the inverted value means the ipfw rule found) and make session (below) */
else{
ruleNumber=-ruleNumber;
}
}
- /* if addtion is failed, retry on next packet (clear cache for checking) */
- /* as to prevent error loop, retry count is limitted */
+ /* if addtion is failed, retry on next packet */
+ /* (as the entry in packet-cache is cleared, next packet is not skipped) */
+ /* (as to prevent error loop, retry count is limitted) */
if( failToAdd || !IsMacAddressFoundInIpfw(macAddress) ){
nSerialError++;
if(nSerialError<1) DelCacheItem(macAddress,"");
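Review bot: The new comment `(as the entry in packet-cache is cleared, next packet is not skipped)` does not match the code it documents: `nSerialError++` runs first, and the guard `if(nSerialError<1)` can then only be true if the counter started below zero, so as shown `DelCacheItem(macAddress,"")` is never reached on a failed add. Either the comparison is against the wrong bound or the comment is describing intended rather than actual behaviour; the usual shape would compare the incremented counter against the retry limit the comment mentions, e.g. `if(nSerialError < <retry limit>) DelCacheItem(macAddress,"");`, and document that limit next to the counter. The declaration and reset of `nSerialError` and `failToAdd` are outside this hunk, so this may be resolved elsewhere — worth confirming before merging a comment that asserts the cache is cleared. The body of addSession continues past the end of the hunk.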
/*******************************
delete session for the mac address
-(del ipfw-rule and table-entry, write db and log)
+del ipfw-rule, del session in work db, and write log(MngDb and syslog)
*******************************/
void delSession(char* macAddress){
char userId[USERMAXLN]="";
/*******************************
renew session for the ip address
-(renew time in table entry)
+(renew time in session-table entry)
*******************************/
void renewSession(char* macAddress){
}
/**********************************
-CALLBACK FUNCTION
-called back from sqlite3_exec
-in sessiondb.c/delUselessSessionsInDb & delAllSessionsInDb
+this is CALLBACK FUNCTION
+(called back from sqlite3_exec in workdb.c/delUselessSessionsInWorkDb)
**********************************/
int closeSession(void* pParam, int argc, char *argv[], char* colName[]){
}
/*******************************
-search db to find all ip
-del ipfw rule, del table entry, write db/log
+delete all sessions (terminate the all service)
*******************************/
void delAllSessions(void){
- /* scan db to remove all sessions. argument indicates delayed flag */
+ /* scan db to remove all sessions (argument indicates immediate deletion) */
DelUselessSessionsInWorkDb(FALSE);
- /* scan ipfw rule to close unmatched db row */
+ /* remove ipfw rules having no corresponding db entry */
CloseUnmatchSessions();
}
/**********************************************
-is the mac session found
+is the session for the mac found in work db
**********************************************/
int isMatchedSessionFound(char* macAddress){
char userId[USERMAXLN];
}
/************************************
-debug routine for hash table
+debug dump routine for a hash table
************************************/
void dumpTable(DB* table){
DBT hashKey;
/************************************************
close sessions that lost ipfw rule or database entry
- load rules from ipfw and database, then compare
+ make HashTables of sessions and ipfw-rules, then compare
sessionTable ruleTable
-form opengatemd.db from ipfw
- key=macAddr macAddr
- val=0 ipfwRule
+ from work-db from ipfw
+ key=macAddr key=macAddr
+ val=0 val=ipfwRule
^ ^
|-----------------|
-entry in ruleTable adn sessionTable should be matched.
+entry in ruleTable and sessionTable should be matched.
if exists in ruleTable and not in sessionTable, remove rule
if exists in sessionTable and not in ruleTable, remove session
*************************************************/
}
/*******************************
-remove session in db unmatched to ipfw active rule
- (db entry exists but no ipfw rule is found)
+remove session unmatched to ipfw active rule
+ (session exists in session-table but no ipfw rule exists in rule-table)
*******************************/
void removeSessionUnmatchedToIpfwRule(DB* ruleTable, DB* sessionTable){
DBT hashKey;
int openTime;
int checkTime;
- /* scan session table to find entry unmatched to rule table */
+ /*** scan session table to find entry unmatched to rule table */
/* get first entry of session table */
memset(&hashKey, 0, sizeof(DBT));
memset(&hashVal, 0, sizeof(DBT));
retSesTbl=sessionTable->seq(sessionTable, &hashKey, &hashVal, R_FIRST);
while(retSesTbl==0){
- /* (get-function returns 0 on success) */
/* if found a session, save the data */
strlcpy(macAddress, (char*)hashKey.data, ADDRMAXLN);
memset(&hashVal, 0, sizeof(DBT));
retRuleTbl=ruleTable->get(ruleTable, &hashKey, &hashVal, 0);
- /* (get-function returns 0 on success) */
- /*** rule for the session exists */
- if(retRuleTbl==0){
- ; /* do nothing */
+ /*** if rule exists (the session matchs to a rule), do nothing */
+ if(retRuleTbl==0){ /* (get-function returns 0 on success) */
+ ;
}
- /*** rule for the session does not exist */
+ /*** else(no rule for the session), remove the session */
else{
+
/* write log and close session */
+ /* (as Hash(sessionTable) is cleared after scanning, it is untouched) */
if(!GetSessionFromWorkDb(macAddress, userId, extraId,
&openTime, &checkTime, &ruleNumber)){
err_msg("ERR at %s#%d: fail to get session info",__FILE__,__LINE__);
}
/***********************************
-remove active ipfw rule unmatched to session in db
- (ipfw rule exists but no db entry is found)
+remove active ipfw rule unmatched to session table
+ (ipfw rule exists in rule-table but no corresponding session exists in session-table)
***********************************/
void removeIpfwRuleUnmatchedToSession(DB* ruleTable, DB* sessionTable){
DBT hashKey;
int ruleNumber;
char macAddress[ADDRMAXLN];
- /* scan ipfw rule table to find entry unmatched to session table */
+ /*** scan ipfw rule table to find entry unmatched to session table */
/* get first entry of ipfw rule table */
memset(&hashKey, 0, sizeof(DBT));
memset(&hashVal, 0, sizeof(DBT));
memset(&hashVal, 0, sizeof(DBT));
retSesTbl=sessionTable->get(sessionTable, &hashKey, &hashVal, 0);
- /* (get-function returns 0 on success) */
- /*** session for the rule exists */
- if(retSesTbl==0){
- ; /* do nothing */
+ /*** if session exists(the rule matchs to a session), do nothing */
+ if(retSesTbl==0){ /* (get-function returns 0 on success) */
+ ;
}
- /*** session for the rule does not exist */
+ /*** else(no session for the rule), remove the rule */
else{
- /* remove entry in ipfw rule */
+ /* remove entry in ipfw active rules */
+ /* (as Hash(ruleTable) is cleared after scanning, it is untouched) */
CloseClientGate(ruleNumber);
DelCacheItem(macAddress,"");
WriteCloseToSyslog("?", "", macAddress, time(NULL));
PutCloseToMngDb(macAddress);
- /* write session info to syslog */
+ /* write session info to syslog (no user info)*/
if(debug>0) WriteSessionInfoToSyslog("?","", macAddress, ruleNumber);
}
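Review bot: The added comment `(as Hash(ruleTable) is cleared after scanning, it is untouched)` is hard to parse on first read, since "it" has no clear referent and "untouched" is ambiguous between the hash entry and the ipfw rule being removed on the next line. Something like `/* only the ipfw rule is removed here; ruleTable is left intact during the scan and cleared once scanning completes */` states the same intent without the ambiguity, with the "cleared afterwards" part to be confirmed against the caller, which is outside this hunk. The same wording appears in removeSessionUnmatchedToIpfwRule and should be changed in step. The loop that sets `ruleNumber` and `macAddress` before `CloseClientGate(ruleNumber)` begins outside the visible lines.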
double time_l;
int hour, min, sec;
+ /* time_l is the time length from open-net to close-net */
time_l=difftime((int)time(NULL), openTime);
hour=time_l/60/60;
min=(time_l-hour*60*60)/60;
**********************************************/
void setMacIpPair(char* macAddress, char* ipAddress, char* userId, char* extraId){
- /* if the pair is not found in work db, record it */
+ /* if the pair is not found in work db, record it */
+ /* the pair in work db is used for saving session detail (remove at the end of session)*/
+ /* one session includes plural pairs (one MAC corresponds to plural IPs) */
if(!IsFoundMacIpPairInWorkDb(macAddress, ipAddress)){
PutMacIpPairToWorkDb(macAddress, ipAddress);
/* record the pair to management db */
+ /* the pair in management db is the sccess log (don't remove at the end of session)*/
PutMacIpPairToMngDb(macAddress, ipAddress);
/* write to syslog */