[isf-wifidog] throttling

Mina Naguib mina at naguib.ca
Thu 6 Oct 08:40:24 EDT 2005


Throttling is the next main feature to be implemented in the wifidog  
client.

The code below looks okay, but it won't alone implement throttling.   
It simply marks clients' packets to be throttled.  There still needs  
to be a throttling framework, such as `tc`, to do the actual work.

Throttling, when implemented, will be much more concise than the  
example below.  It will be per-user instead of clumped per class,  
while taking into account the user's status, user's abuse history,  
hotspot monthly limits etc :)

On 6-Oct-05, at 1:43 AM, Ian White wrote:

> Is throttling and user class on the list of changes? Public have  
> already changed their wifidog to support this.
>
>
>> From what I've seen they changed,
>>
>
> auth.h
>
>
>
> /** @brief
>  * This structure contains all the information returned by the
>  * authentication server
>  */
> typedef struct _t_authresponse {
>     t_authcode authcode;   /**< @brief Authentication code returned by the server */
>     t_fw_marks classcode;  /**< @brief Class code returned by the server for dynamic fw mark */
> } t_authresponse;
>
>
>
> auth.c
>
> case AUTH_ALLOWED:
>     client->fw_connection_state = auth_response.classcode;
>     fw_allow(client->ip, client->mac, auth_response.classcode);
>     _http_redirect(r->clientSock, "http://%s:%d%sportal/?gw_id=%s",
>         config_get_config()->auth_servers->authserv_hostname,
>         config_get_config()->auth_servers->authserv_http_port,
>         config_get_config()->auth_servers->authserv_path,
>         config_get_config()->gw_id);
>     break;
>
>
>
> i.e. the class of the user comes back as a second item to the auth  
> request.
>
> They have different rulesets in  fw_iptables
>
>
>
> iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
>     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_SUPER, FW_MARK_SUPER);
> iptables_load_ruleset("super-users", TABLE_WIFIDOG_SUPER);
>
> iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
>     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_TRUSTED, FW_MARK_TRUSTED);
> iptables_load_ruleset("trusted-users", TABLE_WIFIDOG_TRUSTED);
>
> iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
>     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LIBERATED, FW_MARK_LIBERATED);
> iptables_load_ruleset("liberated-users", TABLE_WIFIDOG_LIBERATED);
>
> iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET
>     " -m mark --mark 0x%u -j " TABLE_WIFIDOG_PROTECTED, FW_MARK_PROTECTED);
> iptables_load_ruleset("protected-users", TABLE_WIFIDOG_PROTECTED);
>
>
>
> and marks set in
>
>
>
>
> iptables_fw_access(fw_access_t type, char *ip, char *mac, int tag)
> {
>    int rc;
>
>    fw_quiet = 0;
>
>    switch(type) {
>        case FW_ACCESS_ALLOW:
>            iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING
>                " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
>            iptables_do_command("-t mangle -A " TABLE_WIFIDOG_THROTTLE
>                " -d %s -j MARK --set-mark %d", ip, tag);
>            rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING
>                " -d %s -j ACCEPT", ip);
>            break;
>        case FW_ACCESS_DENY:
>            iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING
>                " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);
>            iptables_do_command("-t mangle -D " TABLE_WIFIDOG_THROTTLE
>                " -d %s -j MARK --set-mark %d", ip, tag);
>            rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING
>                " -d %s -j ACCEPT", ip);
>            break;
>        default:
>            rc = -1;
>            break;
>    }
>
>    return rc;
> }
>
>
>
> Looks like a fairly good solution to me.
>
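
The reply above notes that marking packets does not throttle anything by itself and that a framework such as `tc` still has to do the work. As an added example (not code from this thread or from wifidog), the script below prints the `tc` HTB classes and `fw` filters that would enforce a rate per mark. The interface name, the mark values 10/20/30/40 for the four classes, and the rates are assumptions made for illustration, as is the premise that the throttle chain is traversed before packets leave the LAN-facing interface.

```shell
#!/bin/sh
# Added example: emit the tc commands that would shape traffic already
# marked by the TABLE_WIFIDOG_THROTTLE rules. Nothing is executed; the
# commands are only printed so they can be reviewed before use.
# Assumptions (not from the thread): interface name, mark values and
# rates below are constructed for illustration.

# mark:rate:ceil, one entry per user class
# (super, trusted, liberated, protected)
CLASSES="10:2mbit:4mbit 20:1mbit:2mbit 30:512kbit:1mbit 40:128kbit:256kbit"

gen_tc_rules() {
    dev="$1"
    [ -n "$dev" ] || { echo "usage: gen_tc_rules <lan-dev>" >&2; return 1; }
    # Root HTB qdisc. Traffic carrying no known mark falls into the
    # most restrictive class (1:40) instead of bypassing the shaper.
    echo "tc qdisc add dev $dev root handle 1: htb default 40"
    for entry in $CLASSES; do
        mark=${entry%%:*}
        rest=${entry#*:}
        rate=${rest%%:*}
        ceil=${rest#*:}
        # One HTB class per firewall mark. tc reads the classid minor as
        # hex; the filter's flowid uses the same text, so they agree.
        echo "tc class add dev $dev parent 1: classid 1:$mark htb rate $rate ceil $ceil"
        # The fw filter matches the decimal mark set by --set-mark %d
        # and steers those packets into the class above.
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:$mark"
    done
}

# Stand-alone run: print the rules for the given (or assumed) interface.
gen_tc_rules "${1:-br-lan}"
```

This shapes per class only, which is the limitation the reply points out; per-user limits would need one class and one mark per client.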


