Duplicate allow rules created by wifidog when a user authenticates #55

florida63 opened this issue Feb 22, 2015 · 21 comments

@florida63 florida63 commented Feb 22, 2015

Reported and corrected bug in DD WRT
http://svn.dd-wrt.com/changeset/20674

To be confirmed.

@florida63 florida63 changed the title Fix duplicate allow rules created by wifidog when a user authenticates Duplicate allow rules created by wifidog when a user authenticates Feb 22, 2015

@florida63 florida63 commented Feb 23, 2015

@Kvncrck: I saw your issue #47 and you seem to use wifidog with many users. Could you send me the output of the command when there are many users.

iptables -t mangle -L

to confirm this problem of duplication in firewall rule.

In advance, thank you

@florida63 florida63 commented Feb 24, 2015

@Kvncrck: Thank you,

I deliberately deleted your message because your post matches the trusted MAC addresses.

In fact, I want users who are truly authenticated or an account is created.
Mask your MAC addresses and keep a certain consistency if you have duplicates.

No need to send "Chain WiFiDog_eth1_Trusted".

@Kvncrck Kvncrck commented Feb 25, 2015

We are using apAuthSplashOnlyPlugin for authentication. Here is the output
with over 112 users authenticated.


Regards

@florida63 florida63 commented Feb 26, 2015

Oh, there is a lot of redundancy.

@Kvncrck Kvncrck commented Feb 26, 2015

Could they be hitting the login button multiple times?

@florida63 florida63 commented Feb 28, 2015

In all cases, there is no reason to add the same rule several times.

@acv acv commented Mar 14, 2015

One possible fix is to first check if the rule already exists before creating it.

At one point the code always removed access before granting it in the re-auth code path. This was added explicitly in 2004 and removed a few years later probably because it made no sense without comments.

The problem with that approach is a race condition where the users' access is removed and recreated a few (hundreds in some cases) milliseconds later.
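
An added example, not wifidog's own code and not part of the comment above: the check-before-add approach done with `iptables -C`, together with a removal loop (`iptables -D` deletes only one matching rule per call) and a duplicate finder for `iptables -t mangle -S` output. The function names, the `IPTABLES` override and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example, not wifidog code. Names and sample data are constructed.
# IPTABLES can be overridden (for instance with a stub function) to dry-run
# the logic without touching the real firewall.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE-SPEC...
# Check-before-add: append the rule only when an identical one is absent.
# Existing access is never removed first, so there is no window in which an
# authenticated client has no rule. The check and the append are two separate
# commands; callers that can run concurrently must serialise them
# (assumption: the caller holds a lock around this function).
ensure_rule() {
    _chain=$1; shift
    if "$IPTABLES" -t mangle -C "$_chain" "$@" 2>/dev/null; then
        echo present
    else
        "$IPTABLES" -t mangle -A "$_chain" "$@" && echo added
    fi
}

# purge_rule CHAIN RULE-SPEC...
# `iptables -D` deletes a single matching rule per call, so when duplicates
# exist one delete leaves the others in place. Loop until -C finds no match
# and print how many copies were removed.
purge_rule() {
    _chain=$1; shift
    _n=0
    while "$IPTABLES" -t mangle -C "$_chain" "$@" 2>/dev/null; do
        "$IPTABLES" -t mangle -D "$_chain" "$@" || break
        _n=$((_n + 1))
    done
    echo "$_n"
}

# duplicate_rules
# Reads `iptables -t mangle -S` output on stdin and prints "COUNT RULE" for
# every rule line that appears more than once.
duplicate_rules() {
    grep '^-A ' | sort | uniq -c |
        awk '$1 > 1 { c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# Constructed sample in `iptables -S` format (documentation addresses and
# locally administered MACs, not values from the thread).
SAMPLE_RULES='-N WiFiDog_br0_Outgoing
-A WiFiDog_br0_Outgoing -s 192.0.2.10/32 -m mac --mac-source 02:00:00:00:00:01 -j MARK --set-xmark 0x2/0xffffffff
-A WiFiDog_br0_Outgoing -s 192.0.2.10/32 -m mac --mac-source 02:00:00:00:00:01 -j MARK --set-xmark 0x2/0xffffffff
-A WiFiDog_br0_Outgoing -s 192.0.2.11/32 -m mac --mac-source 02:00:00:00:00:02 -j MARK --set-xmark 0x2/0xffffffff
-A WiFiDog_br0_Outgoing -s 192.0.2.10/32 -m mac --mac-source 02:00:00:00:00:01 -j MARK --set-xmark 0x2/0xffffffff'
```

On a live gateway, `iptables -t mangle -S | duplicate_rules` lists the rules that would survive a single `-D` at logout.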

@mhaas mhaas added this to the 1.2.0 milestone Mar 18, 2015
@sinkcup sinkcup modified the milestones: 1.3.0, 1.2.0 Mar 19, 2015

@acv acv commented Mar 22, 2015

@Kvncrck Do you frequently use wdctl restart?

@florida63 florida63 commented Mar 22, 2015

@acv: I have done this test with 72f3d3d

On the auth page I log in (1 time) and then sign out, I reconnect and sign out, etc., etc.

The command "iptables -L -t mangle" returns:
Chain WiFiDog_br0_Outgoing (1 references)
target prot opt source destination
MARK all -- 10.63.57.13 anywhere MAC 00:E0:18:AC:2E:80 MARK set 0x2
MARK all -- 10.63.57.13 anywhere MAC 00:E0:18:AC:2E:80 MARK set 0x2
MARK all -- 10.63.57.13 anywhere MAC 00:E0:18:AC:2E:80 MARK set 0x2

wdctl restart and iptables -L -t mangle
Chain WiFiDog_br0_Outgoing (1 references)
target prot opt source destination
MARK all -- 10.63.57.13 anywhere MAC 00:E0:18:AC:2E:80 MARK set 0x2

wdctl restart does the housekeeping.

@acv acv commented Mar 22, 2015

OK, I think I have an idea.

@Kvncrck Kvncrck commented Mar 23, 2015

Wdctl restart did not seem to fix the problems. I would stop wifidog, then start it. Users would have to revisit the Terms of Service page. I would do this often until I discovered that wdctl status seemed to be the cause. Perhaps executing the problematic "wdctl status" right after trying a wdctl restart led me to conclude that wdctl restart was not working.

@Kvncrck Kvncrck commented Mar 23, 2015

I am not sure if this is related to the problem... The wifidog process dies after a period of time, typically 2 - 3 times a day. I did find OOM errors in the logs. The wifidog gateway is running Debian and has 8 GB memory. I monitored the processes on the wifidog gateway using ps and top periodically for a few days. Most of the time the wifidog process consumed very little memory. On one occasion I caught it consuming all available memory. Stopping the wifidog and starting it resolved the problem.

@acv acv commented Mar 23, 2015

Yeah, we've been working on memory leak issues; the newest build should be better for that.

@acv acv commented Mar 23, 2015

It should also avoid the truncation of the wdctl status to ~112 clients due to the fixed 16KB buffer.

@Kvncrck Kvncrck commented Mar 23, 2015

Thanks. Is the newest build available now?

@acv acv commented Mar 23, 2015

You have to compile from the git source at the moment. On Debian, you also have to manually install cyassl (also from GitHub sources, with at least --enable-ecc) if you want to use HTTPS between gateway and auth server.

@florida63 florida63 commented Mar 24, 2015

@acv: Always the same conclusion with the last release (by the same test as above).

however, if I wait a moment that I

root@Auz2:/etc# [3][Sat Jan 1 04:50:46 2000]8604 iptables_fw_counters_update(): Could not find 10.63.57.13 in client list, this should not happen unless if the gateway crashed
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Outgoing
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Incoming
[3][Sat Jan 1 04:50:46 2000]8604 iptables_fw_counters_update(): Could not find 10.63.57.13 in client list, this should not happen unless if the gateway crashed
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Outgoing
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Incoming
[3][Sat Jan 1 04:50:46 2000]8604 iptables_fw_counters_update(): Could not find 10.63.57.13 in client list, this should not happen unless if the gateway crashed
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Outgoing
[3][Sat Jan 1 04:50:46 2000]8604 Preventively deleting firewall rules for 10.63.57.13 in table WiFiDog_$ID$_Incoming

It must wait until iptables_fw_counters_update() is called for it to do the housekeeping.
Maybe the housekeeping should also be done at the time of logout.

@Kvncrck Kvncrck commented Mar 24, 2015

I compiled from the git source and manually installed cyassl with --enable-ecc.
The new gateway was speaking to auth server. About 20 users had consented to the TOS and were logged in. When I checked on the system later, I found that the wifidog process had died. I found the following new error in the logs:

wfgw kernel: [38113.926752] traps: wifidog[9645] general protection ip:7fe5ac715a3f sp:7fe5a8c85b80 error:0 in libc-2.18.so[7fe5ac69c000+1a0000]

I was able to restart wifidog, but it looks like I should go back to the previous version.

@Kvncrck Kvncrck commented Mar 25, 2015

I kept running the latest build of wifidog after the general protection faults. I was suspicious of the "wdctl status" command, so I stopped running it. I haven't seen any more general protection faults since I stopped using wdctl status. I did find that the wifidog process on occasion would start consuming all available memory again. It crashed about 3 or 4 times yesterday. I think the OOMs are occurring with the same frequency as the old build.

I should point out that I have a number of other sites with 50+ simultaneous users where wifidog is rock solid. It is only at the site with a very high user volume (200 - 300 users) that we have problems.

@acv acv commented Mar 25, 2015

I'd kill for core files or at least backtraces from those crashes.

Core files would be problematic due to user data... But a backtrace would be anonymous and absolutely fantastic! Knowing where the code segfaults would pinpoint what we need to look at.

@acv acv commented Apr 3, 2015

@Kvncrck We've done some work on the authentication code and the duplicate rule issue is probably at least reduced significantly (new code removes the old MARK after changing it.)
