--- sysoleg-lisg-1d05e525c870/ISG/bin/ISGd.pl 2014-03-23 18:18:29.000000000 +0600
+++ web_auth/ISG/bin/ISGd.pl 2015-12-29 22:28:35.000000000 +0500
@@ -58,9 +58,18 @@
my $sig = shift;
$dying = 1;
- do_log("info", "Got signal $sig. Terminating all childs and finishing.");
+ do_log("info", "Got signal $sig. Terminating all children and finishing.");
unlink($cfg{pid_file});
+ if ($cfg{web_auth_enable})
+ {
+ do_log("info", "Cleaning the web_auth ipset table");
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null` ;
+ }
+ do_log("info", "Sending all children the KILL signal");
+ kill('KILL' => keys %child); # Let the workers do the cleanup
+ sleep(1);
+ do_log("info", "Sending all children the TERM signal");
my $count = kill('TERM' => keys %child);
exit(0);
}
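Review bot: The two kill() calls in the handler are in the wrong order: SIGKILL at `kill('KILL' => keys %child)` cannot be caught, so the trailing comment "Let the workers do the cleanup" is false and the later `kill('TERM' ...)` targets processes that are already gone. Send TERM first, give the workers the one-second grace period, then KILL what is left: `kill('TERM' => keys %child);` / `sleep(1);` / `my $count = kill('KILL' => keys %child);`. The `ipset flush` above it runs through a shell via backticks with `$cfg{web_auth_ipset_name}` interpolated; `system('ipset', 'flush', $cfg{web_auth_ipset_name})` keeps a config-supplied name out of the shell. Whether emptying the set on shutdown fails open or closed for unauthenticated clients depends on the iptables rules that consume it, which are outside this diff, so a one-line comment here stating the intended effect would help. The handler's `sub` line is outside the hunk.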
@@ -123,6 +132,7 @@
&daemonize() if ($cfg{daemonize});
+init_web_auth() if ($cfg{web_auth_enable});
$jobs{"ISG"} = \&job_isg;
$jobs{"CoA"} = \&job_coa;
$jobs{"TC_Refresh"} = \&job_reload_tc;
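Review bot: `init_web_auth()` is invoked right after `daemonize()`, and inside it (further down in this diff) the exit status of `ipset create` is ignored, so a missing ipset binary, insufficient capability, or a leftover set of a different type leaves the daemon running with every later web_auth call silently failing. If daemonize() detaches stderr, as is usual, the failure text is lost as well. Check the result where the set is created, `system('ipset', 'create', '-exist', $cfg{web_auth_ipset_name}, 'hash:ip') == 0 or do { do_log("err", "ipset create failed: $?"); exit(1); };`, which also lets a set surviving an unclean shutdown be reused rather than rejected. The surrounding startup code begins and ends outside this hunk.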
@@ -192,7 +202,7 @@
if ($ev->{'flags'} & ISG::IS_SERVICE && $ev->{'type'} == ISG::EVENT_SESS_START) {
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' started");
} elsif ($ev->{'type'} == ISG::EVENT_SESS_STOP) {
-
+ web_auth("del", $ipaddr);
if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
make_new_child($cfg{cb_on_session_stop}, { "ipaddr" => $ipaddr, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_stop});
do_log("info", "Session '$ipaddr' on 'Virtual" . $ev->{'port_number'} . "' finished");
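Review bot: `web_auth("del", $ipaddr)` runs for every EVENT_SESS_STOP before the flags are inspected, so a stop event carrying ISG::IS_SERVICE also removes the IP from the set, whereas reload_web_auth in this same diff deliberately skips IS_SERVICE entries. If a service can stop while its parent session is still unapproved (not visible here), that client silently drops out of the web-auth set until its next session start. Guard it the same way as the reload path: `web_auth("del", $ipaddr) unless ($ev->{'flags'} & ISG::IS_SERVICE);`. The enclosing event-dispatch block begins and ends outside the hunk.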
@@ -200,6 +210,14 @@
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' finished");
}
}
+ if ($ev->{'type'} == ISG::EVENT_SESS_START)
+ {
+ if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
+ web_auth("del", $ipaddr);
+ } else {
+ web_auth("add", $ipaddr);
+ }
+ }
}
} else {
my $src_host = $rsk->peerhost();
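Review bot: The new EVENT_SESS_START branch adds the address whenever IS_APPROVED_SESSION is clear without excluding IS_SERVICE, while reload_web_auth in this diff only adds entries that have neither IS_SERVICE nor IS_APPROVED_SESSION set; the live path and the restart path therefore populate the set differently. If service start events do not carry the approval flag (cannot be confirmed from this hunk), every service start would push an already-approved client back into the web-auth set. Make the condition match the reload path: `if ($ev->{'type'} == ISG::EVENT_SESS_START && !($ev->{'flags'} & ISG::IS_SERVICE))`. The surrounding block starts outside the hunk.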
@@ -337,7 +355,7 @@
if (isg_send_event($sk, $oev) < 0) {
do_log("err", "Error sending EVENT_SESS_APPROVE: $!");
}
-
+ web_auth("del",$exp_login);
make_new_child($cfg{cb_on_session_start}, { "ipaddr" => $exp_login, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_start});
do_log("info", "Session '$exp_login' on 'Virtual" . $exp_ev->{'port_number'} ."' accepted by '$src_host:$src_port'");
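Review bot: `web_auth("del",$exp_login)` runs even when `isg_send_event` just failed, because the error branch above it only logs; the client is then released from the web-auth set although the kernel session was never approved. Tie the removal to a successful send, e.g. `my $send_failed = (isg_send_event($sk, $oev) < 0);` in place of the bare call and `web_auth("del", $exp_login) unless $send_failed;`. `$exp_login` is also interpolated into a shell command inside web_auth; it should be confirmed to be a kernel-derived dotted quad and not anything taken from the approving peer at `$src_host`. The surrounding handler starts and ends outside the hunk.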
@@ -345,6 +363,7 @@
my $oev;
do_log("info", "Session '$exp_login' rejected by '$src_host:$src_port'");
+ web_auth("add",$exp_login);
$oev->{'type'} = ISG::EVENT_SESS_CHANGE;
$oev->{'port_number'} = $exp_ev->{'port_number'};
@@ -600,6 +619,10 @@
$out_err = "Session-Context-Not-Found";
} else {
$out_code = $ack_code;
+ if ($rp->code eq "Disconnect-Request")
+ {
+ web_auth("del","$ev->{'ipaddr'}");
+ }
}
send_rp:
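Review bot: `web_auth("del","$ev->{'ipaddr'}")` hands the address to a backtick shell command without checking its form; if `$ev->{'ipaddr'}` here is populated from the incoming RADIUS Disconnect-Request rather than from the kernel session lookup (not visible in this hunk), a crafted attribute reaches the shell. Either validate at the call, `web_auth("del", $ev->{'ipaddr'}) if $ev->{'ipaddr'} =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;`, or move that check into web_auth itself. The extra double quotes around the hash access are unnecessary. The enclosing sub starts and ends outside the hunk.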
@@ -1093,3 +1116,90 @@
$job->(defined($par) ? $par : 0);
exit;
}
+
+sub web_auth {
+ my ($act, $local_ip) = @_;
+
+ return if ($act ne "add" && $act ne "del");
+
+ if ($cfg{web_auth_enable})
+ {
+ `ipset $act $cfg{web_auth_ipset_name} $local_ip 2>/dev/null`;
+ if ($act eq "add")
+ {
+ do_log("info", "Adding $local_ip to web auth list");
+ }
+ else
+ {
+ do_log("info", "Removing $local_ip from web auth list");
+ }
+ }
+}
+
+sub init_web_auth {
+ `ipset create $cfg{web_auth_ipset_name} hash:ip`;
+ reload_web_auth();
+}
+
+sub reload_web_auth {
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null`;
+ my $sk = prepare_netlink_socket();
+ if ($sk < 0) {
+ do_log("err", "Unable to open netlink socket: $!");
+ exit(1);
+ }
+ my $data;
+ my %ev;
+ $ev->{'type'} = ISG::EVENT_SESS_GETLIST;
+
+ if (isg_send_event($sk, $ev) < 0) {
+ do_log("err", "Unable to get sessions list: $!");
+ return;
+ }
+
+ my $tot_msg_sz = ISG::NL_HDR_LEN + ISG::IN_EVENT_MSG_LEN;
+ my $stop = 0;
+ while (!$stop) {
+ if (!(my $read_b = netlink_read($sk, \$data, 16384, 10))) {
+ do_log("err", "Recv from kernel: $!");
+ last;
+ } else {
+ if ($read_b < $tot_msg_sz) {
+ do_log("err", "Packet too small ($read_b bytes)");
+ next;
+ }
+ if ($read_b % $tot_msg_sz) {
+ do_log("err", "Incorrect packet length ($read_b bytes)");
+ next;
+ }
+ my $pkts_cnt = $read_b / $tot_msg_sz;
+
+ for (my $i = 0; $i < $pkts_cnt; $i++) {
+ my $offset = $i * $tot_msg_sz;
+
+ $ev = isg_parse_event(substr($data, $offset, $tot_msg_sz));
+
+ if ($ev->{'type'} == ISG::EVENT_SESS_INFO) {
+ if ($ev->{'flags'})
+ {
+ if (!($ev->{'flags'} & ISG::IS_SERVICE) &&
+ !($ev->{'flags'} & ISG::IS_APPROVED_SESSION))
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}));
+ }
+ }
+ else
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}))
+ if (ISG::long2ip($ev->{'ipaddr'}) ne '0.0.0.0')
+ }
+ }
+
+ if ($ev->{'nlhdr_type'} == ISG::NLMSG_DONE) {
+ $stop = 1;
+ last;
+ }
+ }
+ }
+ }
+}
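Review bot: web_auth builds `ipset $act $cfg{web_auth_ipset_name} $local_ip` as a shell command via backticks, never checks the result, and `2>/dev/null` hides every failure, including the non-zero exit `ipset add` returns for a member that is already present; a list-form system() with `-exist` plus a dotted-quad check on `$local_ip` removes both the shell and the silent failure, as in the fence below. In reload_web_auth, `my %ev;` is declared but the code uses `$ev->{...}`, so `%ev` is dead and `$ev` must be a file-level variable for the sub to compile under strict; replace it with `my $ev;`. The `exit(1)` on netlink failure in reload_web_auth is fine at startup but would terminate the daemon if the sub is ever wired to a runtime reload, and `init_web_auth` should likewise check `ipset create` (with `-exist`, so a set left over from an unclean shutdown is not an error). Whether members of this set are redirected or blocked depends on iptables rules outside this diff; a header comment on web_auth stating that an entry means "unauthenticated client, subject to the web-auth rule" would help the next reader.
```perl
sub web_auth {
    my ($act, $local_ip) = @_;

    return if ($act ne "add" && $act ne "del");
    # Only a dotted quad may reach the ipset call; anything else is dropped here.
    return unless defined($local_ip) && $local_ip =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;

    if ($cfg{web_auth_enable})
    {
        # List-form system(): no shell, so neither the set name nor the address is parsed as shell text.
        # -exist makes add/del idempotent instead of failing on a duplicate or missing member.
        my $rc = system('ipset', '-exist', $act, $cfg{web_auth_ipset_name}, $local_ip);
        if ($rc != 0)
        {
            do_log("err", "ipset $act $local_ip failed (exit " . ($rc >> 8) . ")");
            return;
        }
        # … unchanged: info logging for add/del …
    }
}
```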