/**************************************************
OpengateM - MAC address authentication system
- module for Controling ipfw
+ module for Controling ipfw (firewall)
Copyright (C) 2011 Opengate Project Team
Written by Yoshiaki Watanabe
static void sigFunc(int signo);
-/******************************************************************
- open gate for clientAddr
- if forced=TRUE, ignore checking for address overlapping
- return=ruleNumber. if overlapped ip return=(-1)*ruleNumber
-******************************************************************/
+/******************************************************************/
+/* open gate for clientAddr */
+/* if forced=TRUE, ignore checking for address overlapping */
+/* return=ruleNumber */
+/* return=(-1)*ruleNumber: can't open because of overlapping */
+/******************************************************************/
int openClientGate(char *clientAddr, int forced, char* userId, char* extraId, char* macAddress)
{
int fd=0;
/* exclusive exec of ipfw to avoid overlapped rule number */
/**** prepare ****/
- /* if not found lock is ignored */
+ /* search lock file */
lockFile=GetConfValue("LockFile");
if(stat(lockFile, &st)!=0) lockFileExist=FALSE;
else lockFileExist=TRUE;
- /* if lock file exists, exec lock */
+ /* if lock file exists, exec lock (if not found, lock is ignored) */
if(lockFileExist){
+
/* open lockfile */
fd=open(lockFile, O_RDWR, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
if(fd==-1){
return -1;
}
- /* set timeout */
+ /* set lock timeout (at long time locking, lock is canceled by SIGALRM) */
if((defaultSigFunc=signal(SIGALRM, sigFunc))==SIG_ERR){
err_msg("ERR at %s#%d: set sig alarm error",__FILE__,__LINE__);
Close(fd);
return -1;
}
- /* reset timeout */
+ /* when other process executes here, this process waits in lock() */
+ /* returning from lock() means that exclusive execution is possible */
+ /* then reset timeout signal and go to main processing */
signal(SIGALRM, defaultSigFunc);
alarm(0);
}
/**** read rules ****/
if((retNum=GetRuleNumber(clientAddr, forced))<0){
- /* fail then unlock */
+
+ /* if fail, then unlock and return */
if(lockFileExist){
Unlock(fd);
Close(fd);
}
/**** write rules ****/
- /* branch by perl script control flag */
+ /**** if perl script control flag is set in conf file, use perl script */
+ /* (not recommended) */
if(atoi(GetConfValue("IpfwScript/Enable"))){
- /********** use perl script to control firewall ************/
-
if(Systeml(1, GetConfValue("IpfwScript/Path"),GetConfValue("IpfwPath"),
ruleNumber,clientAddr,userIdLong,macAddress,"-",
GetConfValue("IpfwTagNumber"),(char *)0) != 0){
}
}
+ /**** else, direct control of firewall (default) ***************/
else{
- /********** direct control of firewall **********************/
- /********** add outgoing ipfw rule for the client *************/
+
+ /********** add outgoing ipfw rule for the client (in IP level) *************/
+ /* eg.(ipfw -q add 10000 count tag 123 ip from 192.168.1.10 to any //wata@guest) */
if(Systeml(1, GetConfValue("IpfwPath"),"-q","add",ruleNumber,
"count","tag",GetConfValue("IpfwTagNumber"),
"ip","from",clientAddr,"to","any",
err_msg("ERR at %s#%d: exec ipfw add error",__FILE__,__LINE__);
retNum=1; /* abnormal */
}
-
+
+ /********** add incoming ipfw rule for the client *************/
+ /* eg.(ipfw -q add 10000 count tag 123 ip from any to 192.168.1.10 //wata@guest) */
if(Systeml(1, GetConfValue("IpfwPath"),"-q","add",ruleNumber,
"count","tag",GetConfValue("IpfwTagNumber"),
"ip","from","any","to",clientAddr,
}
-/******************************************************************
- close gate for clientAddr for the rule number
-******************************************************************/
+/*****************************************************************/
+/* close gate for clientAddr for the rule number */
+/*****************************************************************/
void closeClientGate(int ruleNumber)
{
int count;