Commit message | Author | Age | Files | Lines
* filter: use different block page if category is forbidden | Duane Hughes | 2011-09-15 | 2 | -2/+32
  fixes #719
* auth-snmp: fix q-bridge-mib vlan queries [v0.3] | Timo Teräs | 2011-09-05 | 1 | -11/+35
  The queries use Q-BRIDGE-MIB's qVlanId which is switch specific mapping. Exception seems to be 1810G's which use the real VLAN index.
* filter: option to allow automatic anonymous login | Timo Teräs | 2011-09-01 | 5 | -2/+33
  so no captive portal, snmp or squid authentication is required. fixes #737.
* auth-snmp: implement Q-BRIDGE-MIB FIB queries | Timo Teräs | 2011-07-19 | 1 | -26/+49
  Certain switches seem to export FIB of tagged VLANs only in the Q-BRIDGE-MIB. Detect if switch supports Q-BRIDGE-MIB during information discovery, and prefer it over the older BRIDGE-MIB. Q-BRIDGE-MIB should be used anyway, since it's the only reliable way to trace MAC properly when it appears in multiple VLANs.
* filter: honor squid authentication [v0.2] | Timo Teräs | 2011-06-14 | 1 | -0/+5
  Instead of having separate modes (which would likely need to be configurable on per-subnet or per-user, anyway), honour just the squid reported username.
* Revert "filter: support filter-only and track-only modes" | Timo Teräs | 2011-06-14 | 1 | -61/+9
  This reverts commit a1277ab45a9d2bab9ca28baf05f978bf8066d928.
* Revert "filter: rename modes to something that makes more sense" | Timo Teräs | 2011-06-14 | 1 | -29/+25
  This reverts commit a4180db79a80882f81bc8c880ec1e2db5ee9bf6d.
* filter: rename modes to something that makes more sense | Timo Teräs | 2011-06-14 | 1 | -25/+29
  Also, make sure the categorize mode is not touching authdb datastructures as they are invalid in that mode.
* filter: support filter-only and track-only modes | Timo Teräs | 2011-06-14 | 1 | -9/+61
* www: add a set of example pages for block info and captive portal [v0.1] | Timo Teräs | 2010-11-24 | 13 | -2/+297
  Relatively simple set of pages done in haserl. Fixes #448.
* filter: return categorization and blocked/overridden status | Timo Teräs | 2010-11-18 | 1 | -3/+11
  return the analysis back to squid as urlgroup. it can be then used in squid config acl's and logging (with patch). ref #447.
* auth-snmp: option to syslog authentication requests | Timo Teräs | 2010-11-09 | 1 | -3/+51
  Including some information where it fails.
* blob, config.[ch]: add missing files and includes | Timo Teräs | 2010-11-08 | 3 | -0/+24
* authdb, auth-ip: make logout_timeout configurable | Timo Teräs | 2010-11-07 | 4 | -15/+32
  * authdb: change to use squark.conf instead of filter.conf
  * authdb: config option logout_timeout added (defaults to 15mins)
  * auth-ip: add -r parameter to refresh login time
  fixes #452
* all: check error for sqdb_open and adb_open | Timo Teräs | 2010-11-07 | 5 | -16/+63
  so we don't crash on startup if essential files are missing. fixes #454
* build: use build system from apk-tools/opennhrp | Timo Teräs | 2010-11-07 | 8 | -28/+374
* squark: reorganize sources to src directory | Timo Teräs | 2010-11-07 | 15 | -0/+0
* auth-ip: dump block categories | Timo Teräs | 2010-11-07 | 1 | -0/+4
* auth-snmp: fix 1810 version test | Timo Teräs | 2010-11-06 | 1 | -1/+2
  It has dot. So it's P.1 series which is buggy.
* auth-snmp: Procurve 1810G P2.1 has BRIDGE-MIB fixed | Timo Teräs | 2010-11-06 | 1 | -2/+7
  Don't enable the workaround if new enough firmware is detected.
* auth-snmp: reset switch flags on rediscovery | Timo Teräs | 2010-10-19 | 1 | -0/+2
  Otherwise we might attempt to access invalid or even unreceived data (e.g. if switch was swapped, is offline, or just did not respond to us).
* authdb, blob: fix a casting error and a byte order issue | Timo Teräs | 2010-10-19 | 2 | -2/+2
* authdb: fix memory corruption bugs | Timo Teräs | 2010-09-14 | 1 | -1/+3
  properly calculate module of the hash bucket, and when cleaning up free the correct entry (instead of the next one).
* authdb: use configuration file to decide blocked categories | Timo Teräs | 2010-09-14 | 6 | -63/+157
  and cache the information to authdb properly.
* auth-ip: print information in shell compatible format | Timo Teräs | 2010-09-14 | 5 | -24/+62
  so we can dump information from http cgi-bin scripts.
* authdb: use shared 'squark' group for shm areas | Timo Teräs | 2010-09-10 | 1 | -3/+11
  this way multiple users can access the shm areas (e.g. www-data for captive portal, and proxy for squid). all system users needing to use squark tools need to belong to this group.
* auth-snmp: record logins to authdb | Timo Teräs | 2010-09-10 | 2 | -2/+23
  with additional info.
* authdb: separate last access / login time | Timo Teräs | 2010-09-07 | 4 | -25/+28
  and tweak the authdb a bit.
* filter: do not do auto-login, fix url parsing without hostname | Timo Teräs | 2010-09-07 | 1 | -7/+2
  do not have filter process to do auto login. this is required since squid might have stale login info in cache, and we should not honor it. need to fix auth-snmp to record logins in authdb too (should do that anyway to store the additional snmp information in authdb).
* auth-snmp: improve line parser | Timo Teräs | 2010-09-06 | 1 | -18/+41
  get rid of sscanf and use the blob api.
* auth-ip: implement logout | Timo Teräs | 2010-09-03 | 4 | -7/+32
  Implement logout function and some minor fixes.
* auth-ip: introduce helper tool for authdb management | Timo Teräs | 2010-09-01 | 6 | -16/+216
  fix also some authdb bugs, and make it actually usable.
* authdb: implement basics | Timo Teräs | 2010-08-27 | 8 | -83/+420
  Implement a shared memory based authentication cache. It's a simple local cache indexed by IP-address, and keeps track of that IP's auth info such as username, allowed categories and timeouts. This provides basis for captive portal, per-user definable category restrictions and implementation of soft blocks (block which can be overridden by user by clicking a button on the blocked page).
* auth: rename to squark-auth-snmp | Timo Teräs | 2010-08-22 | 3 | -2/+2
  Will implement 'captive portal' style authentication with separate DB later.
* db: rename squarkdb to filterdb | Timo Teräs | 2010-08-22 | 5 | -5/+5
  will need authentication db later too.
* squark: add missing #include and define _GNU_SOURCE | Timo Teräs | 2010-08-20 | 2 | -1/+2
* filter: do not modify deniedurl cgi parameter | Timo Teräs | 2010-08-19 | 3 | -40/+44
  Keep the modifications (which are needed for key lookup) inside the lookup routine. This includes e.g. lower casing the URL. This way can pass the exact original request string to our block page script. This also changes the way 'www123.' is stripped from the request.
* auth: experimental (untested) support for port reauthentication | Timo Teräs | 2010-08-19 | 1 | -12/+53
  Ability to force reauthentication (HP ProCurve specific) for the switch port to which we traced the IP. This works currently only with the HP WebAuth scheme (should be possible with MAC auth scheme too).
* filter: url encoding of block script parameters | Timo Teräs | 2010-08-19 | 3 | -5/+110
  and pass the denied url too.
* filter: properly filter ipv4 address form urls | Timo Teräs | 2010-08-19 | 3 | -34/+65
  properly match them against db data.
* db, filter: fix db generation of ipv4 style addresses | Timo Teräs | 2010-08-18 | 3 | -18/+46
  Properly embed the ipv4 address in database now. Teach filter to understand the two new reserved component id's.
* blob: definite null blob inline | Timo Teräs | 2010-08-18 | 2 | -3/+1
  Should be faster in most cases to write two null words than to copy them around.
* filter: improve dns part matching | Timo Teräs | 2010-08-18 | 1 | -21/+105
  Lower case the dns part of url. Also skip "www123" and similar entries when determining if path components should be matched.
* filter: squid interfacing code, basic minimum configuration | Timo Teräs | 2010-08-14 | 3 | -29/+175
  Implement squid redirect protocol. It implements the "concurrent" version even though the algorithm is non-blocking. Doing this can reduce the amount of read system calls on busy system. Minimum command line based configuration for banning specific categories and specifying the redirect site. Will probably have to add some sort of config file system later.
* filter: fix db building issues and implement path component matching | Timo Teräs | 2010-08-13 | 4 | -15/+110
  Fixes has sub domains/paths hints to be correct. www<number> as first domain entry matching now checks it won't remove second level domain names. And the filter code now looks up path components from the db.
* db: smarter string pointer encoding (include length field) | Timo Teräs | 2010-08-13 | 4 | -12/+38
  So we don't need explicit null terminator in most cases saving space. It will also speed up comparisons as getting string blob is now constant time (no strlen needed).
* filter: implement basic analysis of urls | Timo Teräs | 2010-08-11 | 5 | -8/+250
  Analysing of the url host part, some simple tests. Not usable as squid filter yet.
* sqdb-build: write out category section | Timo Teräs | 2010-08-11 | 2 | -4/+51
  store the names of categories to database
* squarkdb: use stdint.h defined typedefs | Timo Teräs | 2010-08-10 | 2 | -14/+15
  u_int32_t is not standard, use uint32_t from stdint.h instead.
* blob: use uppercase for macros, add some functionality | Timo Teräs | 2010-08-10 | 3 | -64/+135
  Normalizing macro names to upper case and extending functionality.