authorErmal <eri@pfsense.org>2010-05-03 17:43:39 +0000
committerErmal <eri@pfsense.org>2010-05-03 17:43:39 +0000
commitb01792a0a3df6795d21ca205cf57b371b41bf195 (patch)
treef36c9f2aaeb6ed7e9013a8526c1b809bfcd28278
parent7133ab35b97ba2600d7ad1125bb15c3b6d51eb52 (diff)
downloadpfsense-b01792a0a3df6795d21ca205cf57b371b41bf195.zip
pfsense-b01792a0a3df6795d21ca205cf57b371b41bf195.tar.gz
Ticket #566. Reimplement the allowed IPs, keeping the previous functionality and improving it by adding a "both" direction. The problem with the previous commit is that it always assumed that an allowed IP address would have a pipe configured, and entries without one would simply get dropped.
-rw-r--r--etc/inc/captiveportal.inc149
-rwxr-xr-xusr/local/www/services_captiveportal_ip.php12
-rwxr-xr-xusr/local/www/services_captiveportal_ip_edit.php39
3 files changed, 143 insertions, 57 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index be89ba5..611016d 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -107,7 +107,7 @@ function captiveportal_configure() {
unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db");
unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db");
unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db");
- mwexec("/sbin/ipfw table all flush");
+ mwexec("/sbin/ipfw -q table all flush");
/* setup new database in case someone tries to access the status -> captive portal page */
touch("{$g['vardb_path']}/captiveportal.db");
@@ -118,7 +118,8 @@ function captiveportal_configure() {
/* make sure ipfw is loaded */
if (!is_module_loaded("ipfw.ko"))
filter_load_ipfw();
- if (isset($config['captiveportal']['peruserbw']) && !is_module_loaded("dummynet.ko"))
+ /* Always load dummynet now that even allowed ip and mac passthrough use it. */
+ if (!is_module_loaded("dummynet.ko"))
mwexec("/sbin/kldload dummynet");
/* generate ipfw rules */
@@ -228,7 +229,7 @@ EOD;
fwrite($fd, $cprules);
fclose($fd);
- mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.cp.rules");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules");
@unlink("{$g['tmp_path']}/ipfw.cp.rules");
@@ -346,30 +347,30 @@ EOD;
function captiveportal_rules_generate($cpif, &$cpiparray) {
global $config, $g;
- $cprules = "add 65301 set 1 allow pfsync from any to any\n";
- $cprules .= "add 65302 set 1 allow carp from any to any\n";
+ $cprules = "add 65291 set 1 allow pfsync from any to any\n";
+ $cprules .= "add 65292 set 1 allow carp from any to any\n";
$cprules .= <<<EOD
-# add 65305 set 1 skipto 65534 all from any to any not layer2
+# add 65300 set 1 skipto 65534 all from any to any not layer2
# layer 2: pass ARP
-add 65310 set 1 pass layer2 mac-type arp
+add 65301 set 1 pass layer2 mac-type arp
# pfsense requires for WPA
-add 65311 set 1 pass layer2 mac-type 0x888e
-add 65312 set 1 pass layer2 mac-type 0x88c7
+add 65302 set 1 pass layer2 mac-type 0x888e
+add 65303 set 1 pass layer2 mac-type 0x88c7
# PPP Over Ethernet Discovery Stage
-add 65313 set 1 pass layer2 mac-type 0x8863
+add 65304 set 1 pass layer2 mac-type 0x8863
# PPP Over Ethernet Session Stage
-add 65314 set 1 pass layer2 mac-type 0x8864
+add 65305 set 1 pass layer2 mac-type 0x8864
# Allow WPA
-add 65315 set 1 pass layer2 mac-type 0x888e
+add 65306 set 1 pass layer2 mac-type 0x888e
# layer 2: block anything else non-IP
-add 65316 set 1 deny layer2 not mac-type ip
+add 65307 set 1 deny layer2 not mac-type ip
EOD;
- $rulenum = 65320;
+ $rulenum = 65310;
$ips = "255.255.255.255 ";
foreach ($cpiparray as $cpip)
$ips .= "or {$cpip} ";
@@ -413,6 +414,25 @@ EOD;
$cprules .= "add {$rulenum} set 1 pass tcp from {$ips} {$port} to any out \n";
$rulenum++;
+ /* Allowed ips */
+ $cprules .= "add {$rulenum} allow ip from table(3) to any in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from any to table(4) out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from table(5) to any in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from any to table(6) out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from any to table(7) in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from table(8) to any out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from any to table(9) in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from table(10) to any out\n";
+ $rulenum++;
+
+ /* Authenticated users rules. */
if (isset($config['captiveportal']['peruserbw'])) {
$cprules .= "add {$rulenum} set 1 pipe tablearg ip from table(1) to any in\n";
$rulenum++;
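Review bot: The eight new allowed-ip rules are the only rules in this function added without `set 1`; every neighbouring rule (the pfsync/carp rules above, the per-port pass rules, and the authenticated-user rules right below) carries it. In ipfw a rule without an explicit set lands in set 0, so if the rest of captiveportal.inc enables or disables the portal ruleset by set number (I cannot see that code from this hunk), these rules would not follow it. Prefix each of them, e.g. `$cprules .= "add {$rulenum} set 1 allow ip from table(3) to any in\n";`. A short comment naming the table layout here (`/* tables 3-6: dir=from, 7-10: dir=to; odd=no limit, even=pipe */`) would also save the reader a trip to captiveportal_allowedip_configure_entry. captiveportal_rules_generate continues past the end of this hunk.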
@@ -726,31 +746,82 @@ function captiveportal_passthrumac_configure($lock = false) {
unlock($captiveportallck);
}
+/*
+ * table (3=IN)/(4=OUT) hold allowed ip's without bw limits
+ * table (5=IN)/(6=OUT) hold allowed ip's with bw limit.
+ */
+function captiveportal_allowedip_configure_entry($ipent) {
+
+ $rules = "";
+ $enBwup = isset($ipent['bw_up']);
+ $enBwdown = isset($ipent['bw_down']);
+ $bw_up = "";
+ $bw_down = "";
+ $tablein = array();
+ $tableout = array();
+
+ if ($enBwup && $enBwdown)
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
+ else
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
+
+ if ($ipent['dir'] == "from") {
+ if ($enBwup)
+ $tablein[] = 5;
+ else
+ $tablein[] = 3;
+ if ($enBwdown)
+ $tableout[] = 6;
+ else
+ $tableout[] = 4;
+ } else if ($ipent['dir'] == "to") {
+ if ($enBwup)
+ $tablein[] = 9;
+ else
+ $tablein[] = 7;
+ if ($enBwdown)
+ $tableout[] = 10;
+ else
+ $tableout[] = 8;
+ } else if ($ipent['dir'] == "both") {
+ if ($enBwup) {
+ $tablein[] = 5;
+ $tablein[] = 9;
+ } else {
+ $tablein[] = 3;
+ $tablein[] = 7;
+ }
+ if ($enBwdown) {
+ $tableout[] = 6;
+ $tableout[] = 10;
+ } else {
+ $tableout[] = 4;
+ $tableout[] = 8;
+ }
+ }
+ if ($enBwup) {
+ $bw_up = $ruleno + 20000;
+ $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n";
+ }
+ foreach ($tablein as $table)
+ $rules .= "table {$table} add {$ipent['ip']} {$bw_up}\n";
+ if ($enBwdown) {
+ $bw_down = $ruleno + 20001;
+ $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n";
+ }
+ foreach ($tableout as $table)
+ $rules .= "table {$table} add {$ipent['ip']} {$bw_down}\n";
+
+ return $rules;
+}
+
function captiveportal_allowedip_configure() {
global $config, $g;
$rules = "";
if (is_array($config['captiveportal']['allowedip'])) {
- $peruserbw = isset($config['captiveportal']['peruserbw']);
foreach ($config['captiveportal']['allowedip'] as $ipent) {
- $ruleno = captiveportal_get_next_ipfw_ruleno();
- $bw_up = "";
- $bw_down = "";
- if ($peruserbw) {
- $bwup = isset($ipent['bw_up']) ? trim($ipent['bw_up']) : $config['captiveportal']['bwdefaultup'];
- $bwdown = isset($ipent['bw_down']) ? trim($ipent['bw_down']) : $config['captiveportal']['bwdefaultdn'];
- if (!empty($bwup) && is_numeric($bwup)) {
- $bw_up = $ruleno + 20000;
- $rules .= "pipe {$bw_up} config bw {$bw_up}Kbit/s queue 100\n";
- }
- if (!empty($bwdown) && is_numeric($bwdown)) {
- $bw_down = $ruleno + 20001;
- $rules .= "pipe {$bw_down} config bw {$bw_down}Kbit/s queue 100\n";
- }
- }
- /* insert address in ipfw table */
- $rules .= "table 1 add {$ipent['ip']} ${bw_up}\n";
- $rules .= "table 2 add {$ipent['ip']} ${bw_down}\n";
+ $rules .= captiveportal_allowedip_configure_entry($ipent);
}
}
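Review bot: The second rule-number slot is only reserved when both limits are set, but the down pipe uses `$ruleno + 20001` whenever bw_down alone is set, so the next entry allocated at `$ruleno + 1` gets an up pipe of the same number and the two entries share one pipe. Reserve the slot whenever either limit is present: `$ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, $enBwup || $enBwdown);`. Entries written before this commit have no `dir` key, so they match none of the three branches and silently end up in no table at all, which is the "dropped" behaviour the commit message sets out to fix; read the key with a fallback such as `$dir = isset($ipent['dir']) ? $ipent['dir'] : "from";` (pick whichever direction matches the old table 1/2 semantics) and branch on that. The header comment should also list tables 7–10 for the "to" direction, since the function fills them too.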
@@ -953,7 +1024,7 @@ function captiveportal_init_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_ma
* within the range specified based on the actual logged on users
*
*/
-function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899) {
+function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899, $usebw = false) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
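Review bot: The docblock directly above this signature (partly outside the hunk) is not updated for the new third parameter; add a line such as `* $usebw: also reserve the following rule number for a bandwidth pipe, regardless of peruserbw`. The same flag is named `$usedbw` on captiveportal_free_ipfw_ruleno in a later hunk; giving the two the same name makes the pairing obvious. In the hunk below, `$usebw == true` is a loose comparison that also accepts `"1"` or a non-empty string; `|| $usebw` (or `=== true`) says what is meant.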
@@ -975,7 +1046,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang
}
$ruleno = $ridx;
$rules[$ridx] = "used";
- if (isset($config['captiveportal']['peruserbw']))
+ if (isset($config['captiveportal']['peruserbw']) || $usebw == true)
$rules[++$ridx] = "used";
break;
}
@@ -988,7 +1059,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang
return $ruleno;
}
-function captiveportal_free_ipfw_ruleno($ruleno) {
+function captiveportal_free_ipfw_ruleno($ruleno, $usedbw = false) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
@@ -997,13 +1068,13 @@ function captiveportal_free_ipfw_ruleno($ruleno) {
if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
$rules[$ruleno] = false;
- if (isset($config['captiveportal']['peruserbw']))
+ if (isset($config['captiveportal']['peruserbw']) || $usedbw == true)
$rules[++$ruleno] = false;
file_put_contents("{$g['vardb_path']}/captiveportal.rules", serialize($rules));
}
}
-function captiveportal_get_ipfw_ruleno_byvalue($value) {
+function captiveportal_get_ipfw_ruleno_byvalue($value, $table = 1) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
@@ -1011,7 +1082,7 @@ function captiveportal_get_ipfw_ruleno_byvalue($value) {
if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
- $ruleno = intval(`/sbin/ipfw table 1 list | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
+ $ruleno = intval(`/sbin/ipfw table {$table} list | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
if ($rules[$ruleno])
return $ruleno;
}
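Review bot: The new `$table` parameter is interpolated straight into a backtick shell command; with no type check, any non-integer value reaching this function becomes part of the command line. Since only table numbers are meaningful here, coerce it before use, `$table = intval($table);`, and consider bounding it to the 1–10 range this file actually uses. The existing `{$value}` in the same command has the same exposure but predates this commit.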
diff --git a/usr/local/www/services_captiveportal_ip.php b/usr/local/www/services_captiveportal_ip.php
index fb8711b..4bf2cf9 100755
--- a/usr/local/www/services_captiveportal_ip.php
+++ b/usr/local/www/services_captiveportal_ip.php
@@ -56,8 +56,10 @@ if ($_GET['act'] == "del") {
$ipent = $a_allowedips[$_GET['id']];
if (isset($config['captiveportal']['enable'])) {
- mwexec("/sbin/ipfw table 1 delete " . $ipent['ip']);
- mwexec("/sbin/ipfw table 2 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 3 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 4 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 5 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 6 delete " . $ipent['ip']);
}
unset($a_allowedips[$_GET['id']]);
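Review bot: Deletion only removes the address from tables 3–6, but captiveportal_allowedip_configure_entry places entries with dir `to` in tables 7–10 and `both` in all eight, so those addresses stay allowed in the running ruleset after the entry is gone. Replace the four calls with a loop over the whole range, `for ($t = 3; $t <= 10; $t++)` / `    mwexec("/sbin/ipfw table {$t} delete " . $ipent['ip']);`. Nothing here releases the rule number or deletes the pipes the entry may have configured either, even though this commit adds a `$usedbw` flag to captiveportal_free_ipfw_ruleno for that purpose; that appears to be a pre-existing gap, but the new flag invites closing it.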
@@ -104,7 +106,13 @@ include("head.inc");
<?php $i = 0; foreach ($a_allowedips as $ip): ?>
<tr ondblclick="document.location='services_captiveportal_ip_edit.php?id=<?=$i;?>'">
<td class="listlr">
+ <?php if($ip['dir'] == "to")
+ echo "any <img src=\"in.gif\" width=\"11\" height=\"11\" align=\"absmiddle\">";
+ ?>
<?=strtolower($ip['ip']);?>
+ <?php if($ip['dir'] == "from")
+ echo "<img src=\"in.gif\" width=\"11\" height=\"11\" align=\"absmiddle\"> any";
+ ?>
</td>
<td class="listbg">
<?=htmlspecialchars($ip['descr']);?>&nbsp;
diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php
index 45c4e2f..09d8075 100755
--- a/usr/local/www/services_captiveportal_ip_edit.php
+++ b/usr/local/www/services_captiveportal_ip_edit.php
@@ -67,6 +67,7 @@ if (isset($_POST['id']))
if (isset($id) && $a_allowedips[$id]) {
$pconfig['ip'] = $a_allowedips[$id]['ip'];
+ $pconfig['dir'] = $a_allowedips[$id]['dir'];
$pconfig['bw_up'] = $a_allowedips[$id]['bw_up'];
$pconfig['bw_down'] = $a_allowedips[$id]['bw_down'];
$pconfig['descr'] = $a_allowedips[$id]['descr'];
@@ -104,6 +105,7 @@ if ($_POST) {
if (!$input_errors) {
$ip = array();
$ip['ip'] = $_POST['ip'];
+ $ip['dir'] = $_POST['dir'];
$ip['descr'] = $_POST['descr'];
if ($_POST['bw_up'])
$ip['bw_up'] = $_POST['bw_up'];
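Review bot: `$_POST['dir']` is copied into the config without being validated against the three values the select offers; the validation block above this hunk (outside my view) should reject anything else, e.g. `if (!in_array($_POST['dir'], array("both", "from", "to"))) $input_errors[] = "Invalid direction.";`. Without that, an unexpected value is persisted and captiveportal_allowedip_configure_entry matches none of its branches, so the entry is saved but silently never installed in any table.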
@@ -117,22 +119,11 @@ if ($_POST) {
write_config();
- if (isset($config['captiveportal']['enable'])) {
- $bwup = "";
- $bwdown = "";
- $ruleno = captiveportal_get_next_ipfw_ruleno();
- if (!empty($ip['bw_up'])) {
- $pipeno = $ruleno + 20000;
- mwexec("/sbin/ipfw pipe {$pipeno} config bw {$ip['bw_up']}Kbit/s queue 100");
- $bwup = "pipe {$pipeno}";
- }
- if (!empty($ip['bw_down'])) {
- $pipeno = $ruleno + 20001;
- mwexec("/sbin/ipfw pipe {$pipeno} config bw {$ip['bw_down']}Kbit/s queue 100");
- $bwdown = "pipe {$pipeno}";
- }
- mwexec("/sbin/ipfw table 1 add {$ip['ip']} {$bwup}");
- mwexec("/sbin/ipfw table 2 add {$ip['ip']} {$bwdown}");
+ if (isset($config['captiveportal']['enable']) && is_module_loaded("ipfw.ko")) {
+ $rules = captiveportal_allowedip_configure_entry($ip);
+ file_put_contents("{$g['tmp_path']}/allowedip_tmp", $rules);
+ mwexec("/sbin/ipfw {$g['tmp_path']}/allowedip_tmp");
+ @unlink("{$g['tmp_path']}/allowedip_tmp");
}
header("Location: services_captiveportal_ip.php");
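Review bot: The generated rules go through a fixed, predictable path `{$g['tmp_path']}/allowedip_tmp` and the result of `file_put_contents()` is not checked, so a failed write (or a concurrent save from a second session) runs ipfw on a missing or foreign file. Use a unique name and check the write: `$tmpfile = tempnam($g['tmp_path'], "allowedip");` followed by `if (file_put_contents($tmpfile, $rules) !== false) mwexec("/sbin/ipfw {$tmpfile}");` and `@unlink($tmpfile);`. It is also worth noting in a comment that editing an existing entry does not remove its previous address/direction from the tables, which I believe predates this commit.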
@@ -149,6 +140,22 @@ include("head.inc");
<form action="services_captiveportal_ip_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
+ <td width="22%" valign="top" class="vncellreq">Direction</td>
+ <td width="78%" class="vtable">
+ <select name="dir" class="formfld">
+ <?php
+ $dirs = explode(" ", "Both From To") ;
+ foreach ($dirs as $dir): ?>
+ <option value="<?=strtolower($dir);?>" <?php if (strtolower($dir) == strtolower($pconfig['dir'])) echo "selected";?> >
+ <?=htmlspecialchars($dir);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">Use <em>From</em> to always allow an IP address through the captive portal (without authentication).
+ Use <em>To</em> to allow access from all clients (even non-authenticated ones) behind the portal to this IP address.</span></td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">IP address</td>
<td width="78%" class="vtable">
<?=$mandfldhtml;?><input name="ip" type="text" class="formfld unknown" id="ip" size="17" value="<?=htmlspecialchars($pconfig['ip']);?>">
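Review bot: The help text explains <em>From</em> and <em>To</em> but not <em>Both</em>, which is the first and therefore default option for a new entry; add a sentence such as `Use <em>Both</em> to apply both of the above to the address.`. For a new entry `$pconfig['dir']` is unset, so `strtolower($pconfig['dir'])` runs on null; `strtolower($pconfig['dir'] ?? "both")` would make the default explicit rather than relying on option order (the `??` form needs PHP 7; otherwise an `isset()` check).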