vvfedorenko / lisg Goto Github PK

View Code? Open in Web Editor NEW

This project forked from leoelan/lisg

6.0 4.0 1.0 95 KB

linux ISG

License: GNU General Public License v3.0

Perl 43.52% Shell 0.61% Makefile 0.98% C 54.89%

lisg's Introduction

Linux ISG

This repo is fork of Linux ISG project from Oleg A. Arkhangelsky.

It is based on a non-original copy of source code recovered from old archive. Previously this code was published under GNU License so there is no problem to restore it in public.

Changes

Restore (write from scratch) match userspace library because it was lost during recovery.
Linux kernel version 4.19+ is supported.
Splitted global spinlock into different rw_locks and per-session spinlock. (Not tested, use on your own risk)

TODO

--The code is really full of global spinlocks and currently do not scale well on multi-CPU servers. I will try to rewrite it with a new lockless techniques in future.--
Rewrite session counters structure to simplify isg_tg.
A userspace daemon should be rewritten because perl is not fast enought in case of creating lots of new sessions per second.
IPv6 support is fully absent. I think that shoud be fixed.

Usage

Session initiation and shaping

Use iptables to setup rules in FORWARD chain to specify how to init session

iptables -A FORWARD -s 192.0.0.0/24 -j ISG --session-init
iptables -A FORWARD -d 192.0.0.0/24 -j ISG

This commands will advise ISG module to initiate session for every IP address from 192.0.0.0/24 network and to policy traffic to 192.0.0.0/24 network in case of active session

Redirect to authorization

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -m isg --service-name REDIRECT --j DNAT --to 192.0.0.1

This command will make DNAT for every HTTP packet that found in ISG with service REDIRECT. Possible usage to redirect to authorization web-site.

Additional documentation can be found by your favorite search engine

lisg's People

Contributors

Stargazers

Watchers

Forkers

pasha49

lisg's Issues

Ubuntu 20.04 LTS don not compiles

root@leo:/opt/lisg/kernel# ./configure
Kernel version: 5.4.0-42-generic
Iptables binary version: 1.8.4 (legacy) (detected from /usr/sbin/iptables)
Searching for iptables-1.8.4 (legacy) sources..
Found iptables sources at /usr
Iptables module path: /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug (from binary)
Creating Makefile.. done.

Now run: 'make' and (if everything is fine) 'make install'

root@leo:/opt/lisg/kernel# make && make install
echo "" > build.h
printf "/* Compilation date.\n * Written by Makefile (userspace) */\n#define _BUILD_DATE "%s %s"\n" date +'%F %T' > build.h
make -C /lib/modules/5.4.0-42-generic/build M=/opt/lisg/kernel modules
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-42-generic'
CC [M] /opt/lisg/kernel/isg_main.o
LD [M] /opt/lisg/kernel/ipt_ISG.o
Building modules, stage 2.
MODPOST 1 modules
CC [M] /opt/lisg/kernel/ipt_ISG.mod.o
LD [M] /opt/lisg/kernel/ipt_ISG.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-42-generic'
gcc -O2 -Wall -Wunused -I/include -DIPTABLES_VERSION="1.8.4 (legacy)" -fPIC -o libipt_ISG_sh.o -c libipt_isg.c
/bin/sh: 1: Syntax error: "(" unexpected
make: *** [Makefile:17: all] Error 2

root@leo:/opt/lisg/kernel# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
root@leo:/opt/lisg/kernel#

Debian 11 не подключается к модулю

debian 11 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux5.10.179-1 (2023-05-12) x86_64 GNU/Linux
lsmod | grep ISG
ipt_ISG 28672 0
x_tables 53248 13 xt_conntrack,iptable_filter,xt_LOG,xt_state,ipt_NETFLOW,xt_nat,ipt_ISG,xt_set,ipt_REJECT,ip_tables,xt_limit,xt_connlimit,iptable_mangle
iptables v1.8.7 (legacy)

Модуль собрался - загрузился, но получаю такое
./ISG.pl
Incorrect packet length (196 bytes)
Recv from kernel: Interrupted system call
Unable to get sessions/services list: Interrupted system call

[Feature Request] Captive Portal

Hi!
I have a patch to web authorization (captive portal), but this patch not working on new versions, you can adapt this. Look here

--- sysoleg-lisg-1d05e525c870/ISG/bin/ISGd.pl	2014-03-23 18:18:29.000000000 +0600
+++ web_auth/ISG/bin/ISGd.pl	2015-12-29 22:28:35.000000000 +0500
@@ -58,9 +58,18 @@
 	my $sig = shift;
 	$dying = 1;
 
-	do_log("info", "Got signal $sig. Terminating all childs and finishing.");
+	do_log("info", "Got signal $sig. Terminating all children and finishing.");
 	unlink($cfg{pid_file});
 
+	if ($cfg{web_auth_enable})
+	{
+		do_log("info", "Cleaning the web_auth ipset table");
+		`ipset flush $cfg{web_auth_ipset_name} 2>/dev/null` ;
+	}
+	do_log("info", "Sending all children the KILL signal");
+	kill('KILL' => keys %child); # Let the workers do the cleanup
+	sleep(1);
+	do_log("info", "Sending all children the TERM signal");
 	my $count = kill('TERM' => keys %child);
 	exit(0);
 }
@@ -123,6 +132,7 @@
 
 &daemonize() if ($cfg{daemonize});
 
+init_web_auth() if ($cfg{web_auth_enable});
 $jobs{"ISG"}        = \&job_isg;
 $jobs{"CoA"}        = \&job_coa;
 $jobs{"TC_Refresh"} = \&job_reload_tc;
@@ -192,7 +202,7 @@
 					if ($ev->{'flags'} & ISG::IS_SERVICE && $ev->{'type'} == ISG::EVENT_SESS_START) {
 						do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' started");
 					} elsif ($ev->{'type'} == ISG::EVENT_SESS_STOP) {
-
+						web_auth("del", $ipaddr);
 						if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
 							make_new_child($cfg{cb_on_session_stop}, { "ipaddr" => $ipaddr, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_stop});
 							do_log("info", "Session '$ipaddr' on 'Virtual" . $ev->{'port_number'} . "' finished");
@@ -200,6 +210,14 @@
 							do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' finished");
 						}
 					}
+					if ($ev->{'type'} == ISG::EVENT_SESS_START)
+					{
+						if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
+							web_auth("del", $ipaddr);
+						} else {
+							web_auth("add", $ipaddr);
+						}
+					}
 				}
 			} else {
 				my $src_host = $rsk->peerhost();
@@ -337,7 +355,7 @@
 					if (isg_send_event($sk, $oev) < 0) {
 						do_log("err", "Error sending EVENT_SESS_APPROVE: $!");
 					}
-
+					web_auth("del",$exp_login);
 					make_new_child($cfg{cb_on_session_start}, { "ipaddr" => $exp_login, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_start});
 					do_log("info", "Session '$exp_login' on 'Virtual" . $exp_ev->{'port_number'} ."' accepted by '$src_host:$src_port'");
 
@@ -345,6 +363,7 @@
 					my $oev;
 
 					do_log("info", "Session '$exp_login' rejected by '$src_host:$src_port'");
+                                        web_auth("add",$exp_login);
 
 					$oev->{'type'} = ISG::EVENT_SESS_CHANGE;
 					$oev->{'port_number'} = $exp_ev->{'port_number'};
@@ -600,6 +619,10 @@
 			$out_err  = "Session-Context-Not-Found";
 		} else {
 			$out_code = $ack_code;
+			if ($rp->code eq "Disconnect-Request")
+			{
+				web_auth("del","$ev->{'ipaddr'}");
+			}
 		}
 
 send_rp:
@@ -1093,3 +1116,90 @@
 	$job->(defined($par) ? $par : 0);
 	exit;
 }
+
+sub web_auth {
+    my ($act, $local_ip) = @_;
+
+    return if ($act ne "add" && $act ne "del");
+    
+    if ($cfg{web_auth_enable})
+    {
+        `ipset $act $cfg{web_auth_ipset_name} $local_ip 2>/dev/null`;
+        if ($act eq "add")
+        {
+            do_log("info", "Adding $local_ip to web auth list");
+        }
+        else
+        {
+            do_log("info", "Removing $local_ip from web auth list");
+        }
+    }
+}
+
+sub init_web_auth {
+    `ipset create $cfg{web_auth_ipset_name} hash:ip`;
+    reload_web_auth();
+}
+
+sub reload_web_auth {
+    `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null`;
+    my $sk = prepare_netlink_socket();
+    if ($sk < 0) {
+        do_log("err", "Unable to open netlink socket: $!");
+        exit(1);
+    }
+    my $data;
+    my %ev;
+	$ev->{'type'} = ISG::EVENT_SESS_GETLIST;
+
+    if (isg_send_event($sk, $ev) < 0) {
+        do_log("err", "Unable to get sessions list: $!");
+	    return;
+    }
+    
+    my $tot_msg_sz = ISG::NL_HDR_LEN + ISG::IN_EVENT_MSG_LEN;
+    my $stop = 0;
+    while (!$stop) {
+	    if (!(my $read_b = netlink_read($sk, \$data, 16384, 10))) {
+	        do_log("err", "Recv from kernel: $!");
+	        last;
+	    } else {
+	        if ($read_b < $tot_msg_sz) {
+	            do_log("err", "Packet too small ($read_b bytes)");
+		        next;
+	        }
+	        if ($read_b % $tot_msg_sz) {
+	            do_log("err", "Incorrect packet length ($read_b bytes)");
+		        next;
+	        }
+	        my $pkts_cnt = $read_b / $tot_msg_sz;
+
+	        for (my $i = 0; $i < $pkts_cnt; $i++) {
+		        my $offset = $i * $tot_msg_sz;
+
+		        $ev = isg_parse_event(substr($data, $offset, $tot_msg_sz));
+
+		        if ($ev->{'type'} == ISG::EVENT_SESS_INFO) {
+			        if ($ev->{'flags'}) 
+			        {
+	                    if (!($ev->{'flags'} & ISG::IS_SERVICE) && 
+	                        !($ev->{'flags'} & ISG::IS_APPROVED_SESSION)) 
+	                    {
+	                        web_auth("add",ISG::long2ip($ev->{'ipaddr'}));
+	                    }
+                    }
+                    else
+                    {
+                        web_auth("add",ISG::long2ip($ev->{'ipaddr'}))
+                            if (ISG::long2ip($ev->{'ipaddr'}) ne '0.0.0.0')
+                    }
+		        }
+
+		        if ($ev->{'nlhdr_type'} == ISG::NLMSG_DONE) {
+			        $stop = 1;
+  			    last;
+		        }
+		    }
+	    }
+	}
+}

Add support for IPv6 sessions

Is your feature request related to a problem? Please describe.
The module does not support IPv6, but this is good point of grow.

Describe the solution you'd like
The best solution would be to have dual-stack shaper to limit user speed in both address family at the same time.

Describe alternatives you've considered
There is no alternatives except specialized hardware BRAS.

[Feature Request] nftables module

Hi!
Is there any plans to adopt this to nftables new linux firewall stack?

[Feature Request] Authorize by Framed-IP-Address

Hi!
We are using Linux ISG from sysoleg.
We are using NETMAP rules for Full Cone NAT (NAT 1:1) - based on authorization packets in ISG and if RADIUS Attribute has != 0.0.0.0
$cfg{cb_on_session_start} = sub {
my $pars = shift;
my $ipaddr = $pars->{"ipaddr"};
my $nat_ipaddr = $pars->{"nat_ipaddr"};
if ($nat_ipaddr != '0.0.0.0'){
iptables -t nat -A binat_dst -d $nat_ipaddr/32 -j NETMAP --to $ipaddr;
iptables -t nat -A binat_src -s $ipaddr/32 -j NETMAP --to $nat_ipaddr;
ipset add smtp_pass $ipaddr -exist;
}
do_log("info", "Adding $ipaddr to ipset table fwd_allow\n");
ipset add fwd_allow $ipaddr -exist;
};
So, subscriber address has 192.168.0.1 address and NAT IP-address 167.80.45.50
In this case local subscriber can initiate session from LAN (by User-Name = 192.168.0.1), but session not will be authorized if other public service send a request to NAT IP-address 167.80.45.50 (because its not authorize packet by NAT IP-address(Framed-IP-Address)).
How can we add to Linux ISG authorization by Framed-IP-Address?

Add support for IPv4 network session

Describe the solution you'd like
Right now module can authorized and rate-limit only per IP-address session. Some clients want to use multiple IP addresses in one commit rate. For the first let's support networks as session identifier. (e.g. 10.10.10.0/28)