ipoe: implemented "L4 redirect on reject" for DHCP sessions

If authentication rejects session, but l4-redirect-on-reject is specified in config then
temporary session will be created and l4 redirect rule will be applied to IP of that session.
Session will be terminated after specified number of seconds.
Also if l4-redirect-ip-pool option is specified then IP will be allocated from that special pool.

2 files changed, 40 insertions, 0 deletions

diff --git a/accel-pppd/ctrl/ipoe/ipoe.c b/accel-pppd/ctrl/ipoe/ipoe.c
index 87aa897..a32b87a 100644
--- a/accel-pppd/ctrl/ipoe/ipoe.c
+++ b/accel-pppd/ctrl/ipoe/ipoe.c
@@ -105,6 +105,7 @@ static int conf_arp;
 static int conf_ipv6;
 static uint32_t conf_src;
 static const char *conf_ip_pool;
+static const char *conf_l4_redirect_pool;
 //static int conf_dhcpv6;
 static int conf_username;
 static const char *conf_password;
@@ -307,6 +308,17 @@ static void ipoe_session_timeout(struct triton_timer_t *t)
 	ap_session_terminate(&ses->ses, TERM_LOST_CARRIER, 0);
 }
 
+static void ipoe_session_l4_redirect_timeout(struct triton_timer_t *t)
+{
+	struct ipoe_session *ses = container_of(t, typeof(*ses), l4_redirect_timer);
+
+	triton_timer_del(t);
+
+	log_ppp_info2("ipoe: session timed out\n");
+
+	ap_session_terminate(&ses->ses, TERM_NAS_REQUEST, 0);
+}
+
 static void ipoe_relay_timeout(struct triton_timer_t *t)
 {
 	struct ipoe_session *ses = container_of(t, typeof(*ses), timer);
@@ -449,6 +461,9 @@ static void ipoe_change_l4_redirect(struct ipoe_session *ses, int del)
 			ses->l4_redirect_set = 1;
 		}
 	}
+
+	if (del && ses->l4_redirect_timer.tpd)
+		triton_timer_del(&ses->l4_redirect_timer);
 }
 
 static void ipoe_change_addr(struct ipoe_session *ses, in_addr_t newaddr)
@@ -505,6 +520,24 @@ static void auth_result(struct ipoe_session *ses, int r)
 	ses->username = NULL;
 
 	if (r == PWDB_DENIED) {
+		if (conf_l4_redirect_on_reject && ses->dhcpv4_request) {
+			ses->l4_redirect = 1;
+			if (conf_l4_redirect_pool) {
+				if (ses->ses.ipv4_pool_name)
+					_free(ses->ses.ipv4_pool_name);
+				ses->ses.ipv4_pool_name = _strdup(conf_l4_redirect_pool);
+			}
+
+			ses->l4_redirect_timer.expire = ipoe_session_l4_redirect_timeout;
+			ses->l4_redirect_timer.expire_tv.tv_sec = conf_l4_redirect_on_reject;
+			triton_timer_add(&ses->ctx, &ses->l4_redirect_timer, 0);
+
+			ap_session_set_username(&ses->ses, username);
+			log_ppp_info1("%s: authentication failed\n", ses->ses.username);
+			log_ppp_info1("%s: start temporary session (l4-redirect)\n", ses->ses.username);
+			goto cont;
+		}
+
 		pthread_rwlock_wrlock(&ses_lock);
 		ses->ses.username = username;
 		ses->ses.terminate_cause = TERM_AUTH_ERROR;
@@ -519,6 +552,8 @@ static void auth_result(struct ipoe_session *ses, int r)
 
 	ap_session_set_username(&ses->ses, username);
 	log_ppp_info1("%s: authentication succeeded\n", ses->ses.username);
+
+cont:
 	triton_event_fire(EV_SES_AUTHORIZED, &ses->ses);
 
 	if (ses->serv->opt_nat)
@@ -999,6 +1034,9 @@ static void ipoe_session_free(struct ipoe_session *ses)
 	
 	if (ses->timer.tpd)
 		triton_timer_del(&ses->timer);
+	
+	if (ses->l4_redirect_timer.tpd)
+		triton_timer_del(&ses->timer);
 
 	if (ses->dhcpv4_request)
 		dhcpv4_packet_free(ses->dhcpv4_request);
@@ -3103,6 +3141,7 @@ static void load_config(void)
 		conf_offer_timeout = 10;
 	
 	conf_ip_pool = conf_get_opt("ipoe", "ip-pool");
+	conf_l4_redirect_pool = conf_get_opt("ipoe", "l4-redirect-ip-pool");
 
 	conf_vlan_name = conf_get_opt("ipoe", "vlan-name");
 	if (!conf_vlan_name)
diff --git a/accel-pppd/ctrl/ipoe/ipoe.h b/accel-pppd/ctrl/ipoe/ipoe.h
index b06aa8b..555d314 100644
--- a/accel-pppd/ctrl/ipoe/ipoe.h
+++ b/accel-pppd/ctrl/ipoe/ipoe.h
@@ -58,6 +58,7 @@ struct ipoe_session {
 	struct list_head entry;
 	struct triton_context_t ctx;
 	struct triton_timer_t timer;
+	struct triton_timer_t l4_redirect_timer;
 	struct ipoe_serv *serv;
 	struct dhcpv4_serv *dhcpv4;
 	struct ap_ctrl ctrl;