config: add bypass auth flag

Signed-off-by: staylightblow8 <[email protected]>
liudf0716 · Nov 12, 2023 · c380b6d · c380b6d
1 parent b589652
commit c380b6d
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 18 deletions.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -52,7 +52,8 @@ set(libs
 	ssl
 	crypto
 	event
-	event_openssl)
+	event_openssl
+	netfilter_queue)
 
 if(AW_DEBUG)
 	message("Building debug")

diff --git a/src/conf.c b/src/conf.c
@@ -125,6 +125,8 @@ typedef enum {
 	oDNSTimeout,
 	oFW4Enable,
 	oDhcpOptionCpi,
+	oDhcpOptionCpiEnable,
+	oBypassAuthEnable,
 } OpCodes;
 
 /** @internal
@@ -190,6 +192,8 @@ static const struct {
 	"dnstimeout",oDNSTimeout},{
 	"fw4enable",oFW4Enable},{
 	"dhcpoptioncpi",oDhcpOptionCpi},{
+	"dhcpoptioncpienable",oDhcpOptionCpiEnable},{
+	"bypassauthenable",oBypassAuthEnable},{
     NULL, oBadOption},};
 
 static void config_notnull(const void *, const char *);
@@ -288,6 +292,8 @@ config_init(void)
 	config.mqtt_server  = mqtt_server;
 
 	config.fw4_enable = 1;
+	config.bypass_auth_enable = 1;
+	config.dhcp_cpi_enable = 1;
 
 	debugconf.log_stderr = 1;
 	debugconf.debuglevel = DEFAULT_DEBUGLEVEL;
@@ -1005,6 +1011,12 @@ config_read()
 				case oDhcpOptionCpi:
 					config.dhcp_cpi_uri = safe_strdup(p1);
 					break;
+				case oDhcpOptionCpiEnable:
+					config.dhcp_cpi_enable = parse_boolean_value(p1);
+					break;
+				case oBypassAuthEnable:
+					config.bypass_auth_enable = parse_boolean_value(p1);
+					break;
 				case oBadOption:
 					/* FALL THROUGH */
 				default:

diff --git a/src/conf.h b/src/conf.h
@@ -296,6 +296,8 @@ typedef struct {
 	char 	* dns_timeout; /*time to limit during of parsing the dns */
 	int 	fw4_enable; /* 1, enable ipv4 firewall */
 	char 	*dhcp_cpi_uri; /* dhcp cpi uri */
+	short 	dhcp_cpi_enable; /* 1, enable dhcp cpi */
+	short	bypass_auth_enable; /* 1, bypass auth */
 } s_config;
 
 /** @brief Get the current gateway configuration */

diff --git a/src/dhcp_cpi.c b/src/dhcp_cpi.c
@@ -21,9 +21,6 @@
 #include "options.h"
 #include "dhcp_cpi.h"
 
-#define MIN_BOOTP_SIZE  300
-#define DHCPOPT_CPI     114
-
 #pragma pack(1)
 struct Packet
 {
@@ -33,16 +30,6 @@ struct Packet
 };
 #pragma pack()
 
-enum MangleResult
-{
-    Mangle_OK = 0,
-    Mangle_mallocFail,
-    Mangle_optExists,
-};
-
-/* Somewhat arbitrary, feel free to change */
-#define MAX_PACKET_SIZE 2048
-
 static int inspectPacket(struct nfq_q_handle *queue, struct nfgenmsg *pktInfo, 
 		struct nfq_data *pktData, void *userData);
 static bool packetIsComplete(const uint8_t *data, size_t size);
@@ -165,7 +152,7 @@ static enum MangleResult
 manglePacket(const uint8_t *origData, size_t origDataSize,
              uint8_t **newData, size_t *newDataSize)
 {
-    s_config *config = get_config();
+    s_config *config = config_get_config();
     const struct Packet *origPacket = (const struct Packet *)origData;
     size_t ipHdrSize = ipv4_headerLen(&origPacket->ipHeader);
     size_t udpHdrSize = sizeof(struct UDPHeader);
@@ -230,7 +217,7 @@ static enum MangleResult mangleOptions(const uint8_t *origData, size_t origDataS
     size_t origOffset = offsetof(struct Packet, bootp) + sizeof(struct BootP);
     size_t newOffset = origOffset;
     size_t padCount = 0;
-    s_config *config = get_config();
+    s_config *config = config_get_config();
 
     while (origOffset < origDataSize)
     {

diff --git a/src/dhcp_cpi.h b/src/dhcp_cpi.h
@@ -1,6 +1,29 @@
 #ifndef _DCHP_CPI_H_
 #define _DCHP_CPI_H_
 
+#define MIN_BOOTP_SIZE  300
+#define DHCPOPT_CPI     114
+
+#pragma pack(2)
+struct UDPHeader
+{
+	uint16_t sourcePort;
+	uint16_t destPort;
+	uint16_t length;
+	uint16_t checksum;
+};
+#pragma pack()
+
+enum MangleResult
+{
+    Mangle_OK = 0,
+    Mangle_mallocFail,
+    Mangle_optExists,
+};
+
+/* Somewhat arbitrary, feel free to change */
+#define MAX_PACKET_SIZE 2048
+
 void thread_dhcp_cpi(const void *arg);
 
 #endif
diff --git a/src/fw4_nft.c b/src/fw4_nft.c
@@ -34,6 +34,7 @@
 #include "fw_iptables.h"
 #include "fw4_nft.h"
 #include "client_list.h"
+#include "conf.h"
 
 
 #define NFT_CONF_FILENAME "/etc/fw4_apfree-wifiodg_init.conf"
@@ -98,6 +99,7 @@ const char *nft_wifidogx_init_script[] = {
     "add set inet fw4 set_wifidogx_gateway { type ipv4_addr; }",
     "add set inet fw4 set_wifidogx_trust_domains { type ipv4_addr; }",
     "add set inet fw4 set_wifidogx_inner_trust_domains { type ipv4_addr; }",
+    "add set inet fw4 set_wifidogx_bypass_clients { type ipv4_net; }",
     "add set inet fw4 set_wifidogx_trust_clients { type ether_addr; }",
     "add set inet fw4 set_wifidogx_tmp_trust_clients { type ether_addr; flags timeout; }",
     "add chain inet fw4 dstnat_wifidogx_auth_server",
@@ -108,6 +110,9 @@ const char *nft_wifidogx_init_script[] = {
     "add rule inet fw4 dstnat iifname $interface$ jump dstnat_wifidogx_outgoing",
     "add rule inet fw4 dstnat_wifidogx_outgoing ip daddr @set_wifidogx_gateway accept",
     "add rule inet fw4 dstnat_wifidogx_outgoing jump dstnat_wifidogx_wan",
+    "add rule inet fw4 dstnat_wifidogx_wan ether saddr @set_wifidogx_tmp_trust_clients accept",
+    "add rule inet fw4 dstnat_wifidogx_wan ether saddr @set_wifidogx_trust_clients accept",
+    "add rule inet fw4 dstnat_wifidogx_wan ip saddr @set_wifidogx_bypass_clients accept",
     "add rule inet fw4 dstnat_wifidogx_wan meta mark 0x20000 accept",
     "add rule inet fw4 dstnat_wifidogx_wan meta mark 0x10000 accept",
     "add rule inet fw4 dstnat_wifidogx_wan jump dstnat_wifidogx_unknown",
@@ -127,6 +132,9 @@ const char *nft_wifidogx_init_script[] = {
     "insert rule inet fw4 accept_to_wan jump forward_wifidogx_wan",
     "add rule inet fw4 forward_wifidogx_wan jump forward_wifidogx_auth_servers",
     "add rule inet fw4 forward_wifidogx_wan jump forward_wifidogx_trust_domains",
+    "add rule inet fw4 forward_wifidogx_wan ether saddr @set_wifidogx_tmp_trust_clients accept",
+    "add rule inet fw4 forward_wifidogx_wan ether saddr @set_wifidogx_trust_clients accept",
+    "add rule inet fw4 forward_wifidogx_wan ip saddr @set_wifidogx_bypass_clients accept",
     "add rule inet fw4 forward_wifidogx_wan meta mark 0x10000 accept",
     "add rule inet fw4 forward_wifidogx_wan meta mark 0x20000 accept",
     "add rule inet fw4 forward_wifidogx_wan jump forward_wifidogx_unknown",
@@ -137,6 +145,7 @@ const char *nft_wifidogx_init_script[] = {
     "add rule inet fw4 forward_wifidogx_unknown tcp dport 53 accept",
     "add rule inet fw4 forward_wifidogx_unknown udp dport 67 accept",
     "add rule inet fw4 forward_wifidogx_unknown tcp dport 67 accept",
+    "add rule inet fw4 mangle_prerouting iifname $interface$ jump mangle_prerouting_wifidogx_dhcp_cpi", 
     "add rule inet fw4 mangle_prerouting iifname $interface$ jump mangle_prerouting_wifidogx_outgoing",
     "add rule inet fw4 mangle_postrouting oifname $interface$ jump mangle_postrouting_wifidogx_incoming",
     "add element inet fw4 set_wifidogx_gateway { $gateway_ip$ }",
@@ -241,6 +250,32 @@ nft_do_init_script_command()
     return 1;
 }
 
+static void
+nft_set_dhcp_cpi()
+{
+    // add rule inet fw4 mangle_prerouting iifname $interface$ udp dport 67 queue num 42
+    char cmd[256] = {0};
+    snprintf(cmd, sizeof(cmd), "nft add rule inet fw4 mangle_prerouting_wifidogx_dhcp_cpi udp dport 67 queue num 42");
+    debug (LOG_DEBUG, "cmd: %s", cmd);
+    int nret = system(cmd);
+    if (nret == -1) {
+        debug(LOG_ERR, "system call [%s] failed", cmd);
+    }
+}
+
+static void
+nft_set_bypass_auth(const char *gateway_ip)
+{
+    // add gateway_ip to set_wifidogx_bypass_clients
+    char cmd[256] = {0};
+    snprintf(cmd, sizeof(cmd), "nft add element inet fw4 set_wifidogx_bypass_clients { %s/24 }", gateway_ip);
+    debug (LOG_DEBUG, "cmd: %s", cmd);
+    int nret = system(cmd);
+    if (nret == -1) {
+        debug(LOG_ERR, "system call [%s] failed", cmd);
+    }
+}
+
 // statistical outgoing information,must free when statistical is over
 void
 nft_statistical_outgoing(char *outgoing, uint32_t outgoing_len)
@@ -271,6 +306,7 @@ nft_statistical_incoming(char *incoming, uint32_t incoming_len)
 int 
 nft_init(const char *gateway_ip, const char* interface)
 {
+    s_config *config = config_get_config();
 	// generate nftables wifidogx init script
 	int ret = generate_nft_wifidogx_init_script(gateway_ip, interface);
 	if (ret != 0) {
@@ -283,6 +319,12 @@ nft_init(const char *gateway_ip, const char* interface)
     // add auth server ip to firewall
     iptables_fw_set_authservers(NULL);
 
+    if (config->dhcp_cpi_enable)
+        nft_set_dhcp_cpi();
+
+    if (config->bypass_auth_enable)
+        nft_set_bypass_auth(gateway_ip);
+
     return 1;
 }
 

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
@@ -847,7 +847,7 @@ iptables_fw_save_online_clients()
 #ifdef AW_FW3
 
 static int 
-fw3_int(void)
+fw3_init(void)
 {
 	const s_config *config;
 	char *ext_interface = NULL;
@@ -1093,7 +1093,7 @@ iptables_fw_init(void)
 {
 	// if define AW_FW3, then fw3_init
 #ifdef AW_FW3
-	return fw3_int();
+	return fw3_init();
 #else
 	return fw4_init();
 #endif