author | Renato Botelho <renato@netgate.com> | 2016-10-24 19:19:19 -0200 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2016-10-24 19:22:00 -0200 |
commit | 517b893eec63ce7695bc91b3a0e82882136e8ef5 (patch) | |
tree | 603b3c72b04277a76b8c531400a0f339ceebf9ed | |
parent | 6344be46d4946e594085f7a08249f70a5b109340 (diff) | |
Rework captive portal to run with stock IPFW (round 1)
- Remove use of IPFW context
- Create a rule that will skip to proper rule for each cp zone
- Use new PHP module functions wherever is possible
-rw-r--r-- | src/etc/inc/captiveportal.inc | 692 | ||||
-rw-r--r-- | src/etc/inc/globals.inc | 1 | ||||
-rw-r--r-- | src/etc/inc/shaper.inc | 4 | ||||
-rwxr-xr-x | src/etc/rc.captiveportal_configure_mac | 2 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_hostname.php | 17 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_hostname_edit.php | 2 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_ip.php | 17 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_ip_edit.php | 23 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_mac.php | 6 | ||||
-rw-r--r-- | src/usr/local/www/services_captiveportal_mac_edit.php | 2 |
10 files changed, 419 insertions, 347 deletions
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index f6b3efe..5da27b2 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -139,17 +139,26 @@ function captiveportal_load_modules() {
 mwexec("/sbin/kldload ipfw");
 /* make sure ipfw is not on pfil hooks */
 set_sysctl(array(
- "net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
- "net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
- );
+ "net.inet.ip.pfil.inbound" => "pf",
+ "net.inet6.ip6.pfil.inbound" => "pf",
+ "net.inet.ip.pfil.outbound" => "pf",
+ "net.inet6.ip6.pfil.outbound" => "pf"
+ ));
 }
 /* Activate layer2 filtering */
- set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));
+ set_sysctl(array(
+ "net.link.ether.ipfw" => "1",
+ "net.inet.ip.fw.one_pass" => "1",
+ "net.inet.ip.fw.tables_max" => "65534"
+ ));
 /* Always load dummynet now that even allowed ip and mac passthrough use it. */
 if (!is_module_loaded("dummynet.ko")) {
 mwexec("/sbin/kldload dummynet");
- set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
+ set_sysctl(array(
+ "net.inet.ip.dummynet.io_fast" => "1",
+ "net.inet.ip.dummynet.hash_size" => "256"
+ ));
 }
 unmute_kernel_msgs();
 }
@@ -352,7 +361,7 @@ EOD;
 /* Release allocated pipes for this zone */
 captiveportal_free_dnrules();
- mwexec("/sbin/ipfw zone {$cpzoneid} destroy", true);
+ captiveportal_delete_rules();
 if (empty($config['captiveportal'])) {
 set_single_sysctl("net.link.ether.ipfw", "0");
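Review bot: The comment `/* Activate layer2 filtering */` above the second set_sysctl() call no longer describes the block, which now also raises `net.inet.ip.fw.tables_max` to 65534 for the named per-zone tables this commit introduces. I would extend it to `/* Activate layer2 filtering and allow enough named tables for all zones */`, or give the tables_max entry its own comment line. The rest of captiveportal_load_modules() is unchanged by this hunk.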
@@ -461,6 +470,57 @@ function captiveportal_init_rules_byinterface($interface) {
 }
 }
+/* Create basic rules used by all zones */
+function captiveportal_init_general_rules($flush = false) {
+ global $g;
+
+ $flush_rule = '';
+ if ($flush) {
+ $flush_rule = 'flush';
+ }
+
+ /* Already loaded */
+ if (!$flush && (mwexec("/sbin/ipfw list 1000", true) == 0)) {
+ return;
+ }
+
+ $cprules = <<<EOD
+{$flush_rule}
+# Table with interfaces that have CP enabled
+table cp_ifaces create type iface valtype skipto
+
+# Redirect each CP interface to its specific rule
+add 1000 skipto tablearg all from any to any via cp_ifaces
+
+# This interface has no cp zone configured
+add 1100 allow all from any to any
+
+# block everything else
+add 65534 deny all from any to any
+EOD;
+
+ /* load rules */
+ file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules);
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true);
+ @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
+ unset($cprules);
+}
+
+/* Create a string with ipfw rule and increase rulenum */
+function captiveportal_create_ipfw_rule($cmd, &$rulenum, $args) {
+ $rule = "{$cmd} {$rulenum} {$args}\n";
+ $rulenum++;
+
+ return $rule;
+}
+
+/* Return first rule number for a cp zone */
+function captiveportal_ipfw_ruleno($id) {
+ global $g;
+
+ return 2000 + $id * $g['captiveportal_rules_interval'];
+}
+
 /* reinit will disconnect all users, be careful! */
 function captiveportal_init_rules($reinit = false) {
 global $config, $g, $cpzone, $cpzoneid;
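Review bot: captiveportal_init_general_rules() writes `{$g['tmp_path']}/ipfw.cp.rules` but then unlinks `{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules`, and `$cpzone` is not in scope there (the function declares only `global $g`), so the file just loaded is left behind and the unlink targets a name that was never written. Change the last line of that function to `@unlink("{$g['tmp_path']}/ipfw.cp.rules");`. Separately, captiveportal_ipfw_ruleno() returns `2000 + $id * $g['captiveportal_rules_interval']` with no upper bound; whether a high zone id can reach or cross the fixed 65534 deny rule depends on the interval set in globals.inc, which is in this commit's diffstat but not shown here, so a range check or a comment stating the maximum usable zone id would be worth adding.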
@@ -470,12 +530,16 @@ function captiveportal_init_rules($reinit = false) { } captiveportal_load_modules(); - mwexec("/sbin/ipfw zone {$cpzoneid} create", true); + captiveportal_init_general_rules(); /* Cleanup so nothing is leaked */ captiveportal_free_dnrules(); unlink_if_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"); + $skipto = captiveportal_ipfw_ruleno($cpzoneid); + + $cprules = ''; + $cpips = array(); $ifaces = get_configured_interface_list(); $cpinterfaces = explode(",", $config['captiveportal'][$cpzone]['interface']); @@ -485,20 +549,28 @@ function captiveportal_init_rules($reinit = false) { continue; } $tmpif = get_real_interface($cpifgrp); - if (!empty($tmpif)) { - $cpipm = get_interface_ip($cpifgrp); - if (is_ipaddr($cpipm)) { - $cpips[] = $cpipm; - if (is_array($config['virtualip']['vip'])) { - foreach ($config['virtualip']['vip'] as $vip) { - if (($vip['interface'] == $cpifgrp) && (($vip['mode'] == "carp") || ($vip['mode'] == "ipalias"))) { - $cpips[] = $vip['subnet']; - } - } + if (empty($tmpif)) { + continue; + } + + $cpipm = get_interface_ip($cpifgrp); + + if (!is_ipaddr($cpipm)) { + continue; + } + + $cpips[] = $cpipm; + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $vip) { + if (($vip['interface'] == $cpifgrp) && + (($vip['mode'] == "carp") || + ($vip['mode'] == "ipalias"))) { + $cpips[] = $vip['subnet']; } } - mwexec("/sbin/ipfw zone {$cpzoneid} madd {$tmpif}", true); } + + $cprules .= "table cp_ifaces add {$tmpif} {$skipto}\n"; } if (count($cpips) > 0) { $cpactive = true; 
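Review bot: `$cprules .= "table cp_ifaces add {$tmpif} {$skipto}\n";` is emitted as the first content of the zone rule file, so each interface is pointed at rule `$skipto` before any rule with that number has been added by the same batch; ipfw resolves a skipto to a missing number by continuing at the next higher-numbered rule, which here is the global 65534 deny, so traffic on the zone interfaces is dropped for the duration of the load rather than passed. That is fail-closed and may well be intended, but it deserves a comment, or the `cp_ifaces add` lines could be collected separately and appended after the zone's own rules so the redirect only becomes active once its target exists. captiveportal_init_rules() starts and continues outside this hunk.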
@@ -510,53 +582,60 @@ function captiveportal_init_rules($reinit = false) { $captiveportallck = lock("captiveportal{$cpzone}"); } - $cprules = <<<EOD + $rulenum = $skipto; + $cprules .= "table {$cpzone}_pipe_mac create type mac valtype pipe\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg MAC table({$cpzone}_pipe_mac)"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "allow pfsync from any to any"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "allow carp from any to any\n"); + $cprules .= "# layer 2: pass ARP\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass layer2 mac-type arp,rarp"); + $cprules .= "# pfsense requires for WPA\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass layer2 mac-type 0x888e,0x88c7"); + $cprules .= "# PPP Over Ethernet Session Stage/Discovery Stage\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass layer2 mac-type 0x8863,0x8864\n"); + $cprules .= "# layer 2: block anything else non-IP(v4/v6)\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "deny layer2 not mac-type ip,ipv6"); -flush -add 65291 allow pfsync from any to any -add 65292 allow carp from any to any - -# layer 2: pass ARP -add 65301 pass layer2 mac-type arp,rarp -# pfsense requires for WPA -add 65302 pass layer2 mac-type 0x888e,0x88c7 -# PPP Over Ethernet Session Stage/Discovery Stage -add 65303 pass layer2 mac-type 0x8863,0x8864 - -# layer 2: block anything else non-IP(v4/v6) -add 65307 deny layer2 not mac-type ip,ipv6 - -EOD; - - $rulenum = 65310; /* These tables contain host ips */ - $cprules .= "add {$rulenum} pass ip from any to table(100) in\n"; - $rulenum++; - $cprules .= "add {$rulenum} pass ip from table(100) to any out\n"; - $rulenum++; + $cprules .= "table {$cpzone}_host_ips create type addr valtype pipe\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass ip from any to 
table({$cpzone}_host_ips) in"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass ip from table({$cpzone}_host_ips) to any out"); foreach ($cpips as $cpip) { - $cprules .= "table 100 add {$cpip}\n"; + $cprules .= "table {$cpzone}_host_ips add {$cpip}\n"; } - $cprules .= "add {$rulenum} pass ip from any to 255.255.255.255 in\n"; - $rulenum++; - $cprules .= "add {$rulenum} pass ip from 255.255.255.255 to any out\n"; - $rulenum++; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass ip from any to 255.255.255.255 in"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass ip from 255.255.255.255 to any out"); /* Allowed ips */ - $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any in\n"; - $rulenum++; - $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) in\n"; - $rulenum++; - $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any out\n"; - $rulenum++; - $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) out\n"; - $rulenum++; + $cprules .= "table {$cpzone}_allowed_up create type addr valtype pipe\n"; + $cprules .= "table {$cpzone}_allowed_down create type addr valtype pipe\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from table({$cpzone}_allowed_up) to any in"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from any to table({$cpzone}_allowed_down) in"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from table({$cpzone}_allowed_up) to any out"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from any to table({$cpzone}_allowed_down) out"); /* Authenticated users rules. 
*/ - $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n"; - $rulenum++; - $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n"; - $rulenum++; + $cprules .= "table {$cpzone}_auth_up create type addr valtype pipe\n"; + $cprules .= "table {$cpzone}_auth_down create type addr valtype pipe\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from table({$cpzone}_auth_up) to any in"); + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pipe tablearg ip from any to table({$cpzone}_auth_down) out"); if (!empty($config['captiveportal'][$cpzone]['listenporthttp'])) { $listenporthttp = $config['captiveportal'][$cpzone]['listenporthttp']; 
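Review bot: Two of the captiveportal_create_ipfw_rule() calls in this hunk pass an argument that already ends in `\n` (`"allow carp from any to any\n"` and `"pass layer2 mac-type 0x8863,0x8864\n"`) although the helper appends its own newline, so the generated file gets stray blank lines and a reader cannot tell whether that is deliberate. Drop the embedded `\n` from those two strings and, if a blank line is wanted as a visual separator, append it explicitly with `$cprules .= "\n";` as is done for the comment lines. captiveportal_init_rules() starts and continues outside this hunk.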
@@ -571,22 +650,23 @@ EOD; $listenporthttps = 8001 + $cpzoneid; } if (!isset($config['captiveportal'][$cpzone]['nohttpsforwards'])) { - $cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in"); } } - $cprules .= <<<EOD - -# redirect non-authenticated clients to captive portal -add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in -# let the responses from the captive portal web server back out -add 65533 pass tcp from any to any out -# block everything else -add 65534 deny all from any to any - -EOD; + $cprules .= "# redirect non-authenticated clients to captive portal\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in"); + $cprules .= "# let the responses from the captive portal web server back out\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "pass tcp from any to any out"); + $cprules .= "# This CP zone is over, skip to last rule\n"; + $cprules .= captiveportal_create_ipfw_rule("add", $rulenum, + "skipto 65534 all from any to any"); /* generate passthru mac database */ + file_put_contents("/tmp/debug_antes", $cprules); $cprules .= captiveportal_passthrumac_configure(true); $cprules .= "\n"; 
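Review bot: `file_put_contents("/tmp/debug_antes", $cprules);` looks like a leftover debugging aid: it dumps the complete zone rule set to a fixed path under /tmp on every rules rebuild and nothing in this diff reads it back. Remove the line; if a copy of the generated rules is useful for troubleshooting, write it under `{$g['tmp_path']}` with the zone name in the file name and only when an explicit debug setting is on. captiveportal_init_rules() continues outside this hunk.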
@@ -597,16 +677,57 @@ EOD; $cprules .= captiveportal_allowedhostname_configure(); /* load rules */ + captiveportal_delete_rules(); file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", $cprules); - mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true); - //@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules"); + mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true); + @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules"); unset($cprules); + captiveportal_filterdns_configure(); + if ($reinit == false) { unlock($captiveportallck); } } +/* Delete all rules related to specific cpzone */ +function captiveportal_delete_rules() { + global $g, $cpzoneid; + + $skipto1 = captiveportal_ipfw_ruleno($cpzoneid); + $skipto2 = $skipto1 + $g['captiveportal_rules_interval']; + + $cp_ifaces = pfSense_ipfw_table_list("cp_ifaces"); + if (is_array($cp_ifaces)) { + foreach ($cp_ifaces as $cp_iface) { + if (empty($cp_iface['skipto']) || + $cp_iface['skipto'] != $skipto1) { + continue; + } + + pfSense_ipfw_table("cp_ifaces", IP_FW_TABLE_XDEL, + $cp_iface['iface']); + } + } + + mwexec("/sbin/ipfw delete {$skipto1}-{$skipto2}", true); + + $tables = captiveportal_get_ipfw_table_names(); + + $delrules = ""; + foreach ($tables as $table) { + $delrules .= "table {$table} destroy\n"; + } + + if (empty($delrules)) { + return; + } + + file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules", $delrules); + mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules", true); + @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.del.rules"); +} + /* * Remove clients that have been around for longer than the specified amount of time * db file structure: 
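Review bot: captiveportal_delete_rules() uses `$cpzone` in its temp file path but declares only `global $g, $cpzoneid;`, so the path is built from an undefined variable, and it writes `ipfw_{$cpzone}.deltable.rules` while unlinking `ipfw_{$cpzone}.del.rules`, so the written file is never removed. The delete range `{$skipto1}-{$skipto2}` also runs up to `$skipto1 + $g['captiveportal_rules_interval']`, which is exactly the first rule number captiveportal_ipfw_ruleno() assigns to the next zone id; if ipfw's range delete is inclusive, tearing down one zone removes the next zone's first rule (its `pipe tablearg MAC` rule). I would change the three lines to `global $g, $cpzone, $cpzoneid;`, `$skipto2 = $skipto1 + $g['captiveportal_rules_interval'] - 1;` and `@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules");`.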
@@ -741,8 +862,10 @@ function captiveportal_prune_old() { false, // Not an interim request $rastop_time); // Stop Time $clientsn = (is_ipaddrv6($cpentry[2])) ? 128 : 32; - $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XZEROENTRY, 1, $cpentry[2], $clientsn, $cpentry[3]); - $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XZEROENTRY, 2, $cpentry[2], $clientsn, $cpentry[3]); + /* XXX: Fix + $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_up, $cpentry[2], $clientsn, $cpentry[3]); + $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_down, $cpentry[2], $clientsn, $cpentry[3]); + */ if ($cpcfg['reauthenticateacct'] == "stopstartfreeradius") { /* Need to pause here or the FreeRADIUS server gets confused about packet ordering. */ sleep(1); 
@@ -814,61 +937,55 @@ function captiveportal_prune_old() { function captiveportal_prune_old_automac() { global $g, $config, $cpzone, $cpzoneid; - if (is_array($config['captiveportal'][$cpzone]['passthrumac']) && isset($config['captiveportal'][$cpzone]['passthrumacaddusername'])) { + if (is_array($config['captiveportal'][$cpzone]['passthrumac']) && + isset($config['captiveportal'][$cpzone]['passthrumacaddusername'])) { $tmpvoucherdb = array(); $macrules = ""; $writecfg = false; foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $eid => $emac) { - if ($emac['logintype'] == "voucher") { - if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) { - if (isset($tmpvoucherdb[$emac['username']])) { - $temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]; - $ruleno = captiveportal_get_ipfw_passthru_ruleno($temac['mac']); - $pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']); - if ($ruleno) { - captiveportal_free_ipfw_ruleno($ruleno); - $macrules .= "delete {$ruleno}"; - ++$ruleno; - $macrules .= "delete {$ruleno}"; - } - if ($pipeno) { - captiveportal_free_dn_ruleno($pipeno); - $macrules .= "pipe delete {$pipeno}\n"; - ++$pipeno; - $macrules .= "pipe delete {$pipeno}\n"; - } - $writecfg = true; - captiveportal_logportalauth($temac['username'], $temac['mac'], $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION"); - unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]); - } - $tmpvoucherdb[$emac['username']] = $eid; - } - if (voucher_auth($emac['username']) <= 0) { - $ruleno = captiveportal_get_ipfw_passthru_ruleno($emac['mac']); - $pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']); - if ($ruleno) { - captiveportal_free_ipfw_ruleno($ruleno); - $macrules .= "delete {$ruleno}"; - ++$ruleno; - $macrules .= "delete {$ruleno}"; - } + if ($emac['logintype'] != "voucher") { + continue; + } + if 
(isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) { + if (isset($tmpvoucherdb[$emac['username']])) { + $temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]; + $pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']); if ($pipeno) { captiveportal_free_dn_ruleno($pipeno); + $macrules .= "table {$cpzone}_pipe_mac delete any,{$temac['mac']}\n"; + $macrules .= "table {$cpzone}_pipe_mac delete {$temac['mac']},any\n"; $macrules .= "pipe delete {$pipeno}\n"; ++$pipeno; $macrules .= "pipe delete {$pipeno}\n"; } $writecfg = true; - captiveportal_logportalauth($emac['username'], $emac['mac'], $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION"); - unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]); + captiveportal_logportalauth($temac['username'], $temac['mac'], + $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION"); + unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]); } + $tmpvoucherdb[$emac['username']] = $eid; + } + if (voucher_auth($emac['username']) <= 0) { + $pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']); + if ($pipeno) { + captiveportal_free_dn_ruleno($pipeno); + $macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n"; + $macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n"; + $macrules .= "pipe delete {$pipeno}\n"; + ++$pipeno; + $macrules .= "pipe delete {$pipeno}\n"; + } + $writecfg = true; + captiveportal_logportalauth($emac['username'], $emac['mac'], + $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION"); + unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]); } } unset($tmpvoucherdb); if (!empty($macrules)) { @file_put_contents("{$g['tmp_path']}/macentry.prunerules.tmp", $macrules); unset($macrules); - mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry.prunerules.tmp"); + mwexec("/sbin/ipfw -q 
{$g['tmp_path']}/macentry.prunerules.tmp"); } if ($writecfg === true) { write_config("Prune session for auto-added macs"); @@ -904,10 +1021,10 @@ function captiveportal_disconnect($dbent, $radiusservers, $term_cause = 1, $stop } if (is_ipaddr($dbent[2])) { - /* Delete client's ip entry from tables 1 and 2. */ + /* Delete client's ip entry from tables auth_up and auth_down. */ $clientsn = (is_ipaddrv6($dbent[2])) ? 128 : 32; - pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 1, $dbent[2], $clientsn, $dbent[3]); - pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 2, $dbent[2], $clientsn, $dbent[3]); + pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}"); + pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}"); /* XXX: Redundant?! Ensure all pf(4) states are killed. */ $_gb = @pfSense_kill_states($dbent[2]); $_gb = @pfSense_kill_srcstates($dbent[2]); @@ -918,8 +1035,8 @@ function captiveportal_disconnect($dbent, $radiusservers, $term_cause = 1, $stop * We could get an error if the pipe doesn't exist but everything should still be fine */ if (!empty($dbent[1])) { - $_gb = @pfSense_pipe_action("pipe delete {$dbent[1]}"); - $_gb = @pfSense_pipe_action("pipe delete " . ($dbent[1]+1)); + $_gb = @pfSense_ipfw_pipe("pipe delete {$dbent[1]}"); + $_gb = @pfSense_ipfw_pipe("pipe delete " . ($dbent[1]+1)); /* Release the ruleno so it can be reallocated to new clients. */ captiveportal_free_dn_ruleno($dbent[1]); 
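Review bot: In captiveportal_prune_old_automac() the two `table {$cpzone}_pipe_mac delete ...` lines are emitted only inside `if ($pipeno)`, but captiveportal_get_dn_passthru_ruleno() (rewritten later in this diff) returns NULL when the table value is empty, and captiveportal_passthrumac_configure_entry() now stores pipe `0` for entries with no bandwidth limit. For such a MAC the config entry is removed and the session is logged as expired or duplicate, yet its two table entries stay in ipfw until the next full rules rebuild, so the device presumably keeps bypassing the portal. Move the two table-delete lines out of the `if ($pipeno)` block in both places here, and likewise in captiveportal_passthrumac_delete_entry() and the replacemacpassthru branch of portal_allow() further down, so the table entries go whenever the config entry does. The enclosing foreach and function continue outside this hunk.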
@@ -1006,29 +1123,32 @@ function captiveportal_passthrumac_configure_entry($macent, $pipeinrule = false) $bwDown = $config['captiveportal'][$cpzone]['bwdefaultdn']; } - $ruleno = captiveportal_get_next_ipfw_ruleno(); - if ($macent['action'] == 'pass') { $rules = ""; - $pipeno = captiveportal_get_next_dn_ruleno(); - $pipeup = $pipeno; - if ($pipeinrule == true) { - $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16"); + if ($bwUp == 0 && $bwDown == 0) { + $pipeup = 0; + $pipedown = 0; } else { - $rules .= "pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16\n"; - } + $pipeno = captiveportal_get_next_dn_ruleno(); - $pipedown = $pipeno + 1; - if ($pipeinrule == true) { - $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16"); - } else { - $rules .= "pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16\n"; + $pipeup = $pipeno; + if ($pipeinrule == true) { + $_gb = @pfSense_ipfw_pipe("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16"); + } else { + $rules .= "pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16\n"; + } + + $pipedown = $pipeno + 1; + if ($pipeinrule == true) { + $_gb = @pfSense_ipfw_pipe("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16"); + } else { + $rules .= "pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16\n"; + } } - $rules .= "add {$ruleno} pipe {$pipeup} ip from any to any MAC any {$macent['mac']}\n"; - $ruleno++; - $rules .= "add {$ruleno} pipe {$pipedown} ip from any to any MAC {$macent['mac']} any\n"; + $rules .= "table {$cpzone}_pipe_mac add any,{$macent['mac']} {$pipeup}\n"; + $rules .= "table {$cpzone}_pipe_mac add {$macent['mac']},any {$pipedown}\n"; } return $rules; 
@@ -1038,21 +1158,12 @@ function captiveportal_passthrumac_delete_entry($macent) { $rules = ""; if ($macent['action'] == 'pass') { - $ruleno = captiveportal_get_ipfw_passthru_ruleno($macent['mac']); - - if (!$ruleno) { - return $rules; - } - - captiveportal_free_ipfw_ruleno($ruleno); - - $rules .= "delete {$ruleno}\n"; - $rules .= "delete " . ++$ruleno . "\n"; - $pipeno = captiveportal_get_dn_passthru_ruleno($macent['mac']); if (!empty($pipeno)) { captiveportal_free_dn_ruleno($pipeno); + $rules .= "table {$cpzone}_pipe_mac delete any,{$macent['mac']}\n"; + $rules .= "table {$cpzone}_pipe_mac delete {$macent['mac']},any\n"; $rules .= "pipe delete " . $pipeno . "\n"; $rules .= "pipe delete " . ++$pipeno . "\n"; } @@ -1117,7 +1228,7 @@ function captiveportal_passthrumac_findbyname($username) { * table (3=IN)/(4=OUT) hold allowed ip's without bw limits */ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) { - global $g; + global $g, $config, $cpzone; /* Instead of copying this entire function for something * easy such as hostname vs ip address add this check 
@@ -1150,13 +1261,18 @@ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) { $enBwdown = $config['captiveportal'][$cpzone]['bwdefaultdn']; } - $pipeno = captiveportal_get_next_dn_ruleno(); - $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$enBwup}Kbit/s queue 100 buckets 16"); - $pipedown = $pipeno + 1; - $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$enBwdown}Kbit/s queue 100 buckets 16"); + if ($enBwup == 0 && $enBwdown == 0) { + $pipeup = 0; + $pipedown = 0; + } else { + $pipeup = captiveportal_get_next_dn_ruleno(); + $_gb = @pfSense_ipfw_pipe("pipe {$pipeup} config bw {$enBwup}Kbit/s queue 100 buckets 16"); + $pipedown = $pipeup + 1; + $_gb = @pfSense_ipfw_pipe("pipe {$pipedown} config bw {$enBwdown}Kbit/s queue 100 buckets 16"); + } if ($ishostname === true) { - $cp_filterdns_conf .= "ipfw {$ipent['hostname']} 3 pipe {$pipeno}\n"; - $cp_filterdns_conf .= "ipfw {$ipent['hostname']} 4 pipe {$pipedown}\n"; + $cp_filterdns_conf .= "ipfw {$ipent['hostname']} {$cpzone}_allowed_up pipe {$pipeup}\n"; + $cp_filterdns_conf .= "ipfw {$ipent['hostname']} {$cpzone}_allowed_down pipe {$pipedown}\n"; if (!is_ipaddr($ipaddress)) { return array("", $cp_filterdns_conf); } @@ -1165,8 +1281,8 @@ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) { if (!empty($ipent['sn'])) { $subnet = "/{$ipent['sn']}"; } - $rules .= "table 3 add {$ipaddress}{$subnet} {$pipeno}\n"; - $rules .= "table 4 add {$ipaddress}{$subnet} {$pipedown}\n"; + $rules .= "table {$cpzone}_allowed_up add {$ipaddress}{$subnet} {$pipeup}\n"; + $rules .= "table {$cpzone}_allowed_down add {$ipaddress}{$subnet} {$pipedown}\n"; if ($ishostname === true) { return array($rules, $cp_filterdns_conf); 
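Review bot: The filterdns configuration lines now carry a table name (`{$cpzone}_allowed_up pipe {$pipeup}`) where the old format had a numeric table id (`3 pipe {$pipeno}`), and filterdns itself is not part of this diff, so this presumably depends on a filterdns build that accepts named tables and a `pipe 0` value — worth confirming and recording in a comment above the two `$cp_filterdns_conf .=` lines, e.g. `/* requires filterdns with named ipfw table support */`. As with the MAC passthrough path, entries without a bandwidth limit are now added with pipe `0`; how `pipe tablearg` treats a value of 0 is not established anywhere in this diff and deserves a comment where `$pipeup = 0;` is set. captiveportal_allowedip_configure_entry() starts and continues outside this hunk.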
@@ -1179,21 +1295,41 @@ function captiveportal_allowedhostname_configure() { global $config, $g, $cpzone, $cpzoneid; $rules = ""; - if (is_array($config['captiveportal'][$cpzone]['allowedhostname'])) { - $rules = "\n# captiveportal_allowedhostname_configure()\n"; - $cp_filterdns_conf = ""; - foreach ($config['captiveportal'][$cpzone]['allowedhostname'] as $hostnameent) { - $tmprules = captiveportal_allowedip_configure_entry($hostnameent, true); - $rules .= $tmprules[0]; - $cp_filterdns_conf .= $tmprules[1]; - } - $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-{$cpzone}-captiveportal.conf"; - @file_put_contents($cp_filterdns_filename, $cp_filterdns_conf); - unset($cp_filterdns_conf); - if (isvalidpid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid")) { - sigkillbypid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid", "HUP"); + if (!is_array($config['captiveportal'][$cpzone]['allowedhostname'])) { + return $rules; + } + + $rules = "\n# captiveportal_allowedhostname_configure()\n"; + $cp_filterdns_conf = ""; + foreach ($config['captiveportal'][$cpzone]['allowedhostname'] as $hostnameent) { + $tmprules = captiveportal_allowedip_configure_entry($hostnameent, true); + $rules .= $tmprules[0]; + $cp_filterdns_conf .= $tmprules[1]; + } + $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-{$cpzone}-captiveportal.conf"; + @file_put_contents($cp_filterdns_filename, $cp_filterdns_conf); + unset($cp_filterdns_conf); + + return $rules; +} + +function captiveportal_filterdns_configure() { + global $config, $g, $cpzone, $cpzoneid; + + $cp_filterdns_filename = $g['varetc_path'] . + "/filterdns-{$cpzone}-captiveportal.conf"; + + if (is_array($config['captiveportal'][$cpzone]['allowedhostname']) && + file_exists($cp_filterdns_filename)) { + if (isvalidpid($g['varrun_path'] . + "/filterdns-{$cpzone}-cpah.pid")) { + sigkillbypid($g['varrun_path'] . 
+ "/filterdns-{$cpzone}-cpah.pid", "HUP"); } else { - mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid -i 300 -c {$cp_filterdns_filename} -y {$cpzoneid} -d 1"); + mwexec("/usr/local/sbin/filterdns -p " . + "{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid" . + " -i 300 -c {$cp_filterdns_filename} " . + "-y {$cpzoneid} -d 1"); } } else { killbypid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid"); @@ -1220,6 +1356,8 @@ function captiveportal_allowedip_configure() { function captiveportal_get_last_activity($ip, $mac = NULL, $table = 1) { global $cpzoneid; + /* XXX Fix */ + return 0; $ipfwoutput = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, $table, $ip, $mac); /* Reading only from one of the tables is enough of approximation. */ if (is_array($ipfwoutput)) { @@ -1465,7 +1603,10 @@ function captiveportal_opendb() { } } if (is_numericint($cpzoneid)) { - mwexec("/sbin/ipfw -x $cpzoneid table all flush"); + $table_names = captiveportal_get_ipfw_table_names(); + foreach ($table_names as $table_name) { + mwexec("/sbin/ipfw table {$table_name} flush"); + } captiveportal_syslog("Flushed tables for {$cpzone} after database reset."); } } else { @@ -1476,6 +1617,29 @@ function captiveportal_opendb() { return $DB; } +/* Get all tables for specific cpzone */ +function captiveportal_get_ipfw_table_names() { + global $cpzone; + + $result = array(); + $tables = pfSense_ipfw_tables_list(); + + if (!is_array($tables)) { + return $result; + } + + $len = strlen($cpzone) + 1; + foreach ($tables as $table) { + if (substr($table['name'], 0, $len) != $cpzone . '_') { + continue; + } + + $result[] = $table['name']; + } + + return $result; +} + /* read captive portal DB into array */ function captiveportal_read_db($query = "") { $cpdb = array(); 
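Review bot: captiveportal_get_last_activity() now returns 0 before reaching the table lookup, leaving the pfSense_ipfw_getTablestats() call unreachable, and getVolume() in a later hunk returns zeroed counters the same way. If the callers outside this diff use these values for idle-timeout pruning and RADIUS accounting volumes, as the function names suggest, both are silently disabled for every zone until the lookup is reimplemented against the named tables. Replace the bare `/* XXX Fix */` in both functions with a comment that states what is disabled and why, e.g. `/* XXX: table stats lookup not yet ported to named tables; callers always see no activity */`, so the regression is visible to anyone reading the function rather than only to someone who diffed this commit.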
@@ -1647,102 +1811,16 @@ function captiveportal_get_dn_passthru_ruleno($value) { $cpruleslck = lock("captiveportalrulesdn", LOCK_EX); $ruleno = NULL; if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules")); unset($output); - $_gb = exec("/sbin/ipfw -x {$cpzoneid} show | /usr/bin/grep " . escapeshellarg($value) . " | /usr/bin/grep -v grep | /usr/bin/awk '{print $5}' | /usr/bin/head -n 1", $output); - $ruleno = intval($output[0]); - if (!$rules[$ruleno]) { - $ruleno = NULL; - } - unset($rules); - } - unlock($cpruleslck); - - return $ruleno; -} - -/* - * This function will calculate the lowest free firewall ruleno - * within the range specified based on the actual logged on users - * - */ -function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2, $rulenos_range_max = 64500) { - global $config, $g, $cpzone; - - $cpcfg = $config['captiveportal'][$cpzone]; - if (!isset($cpcfg['enable'])) { - return NULL; - } - - $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX); - $ruleno = 0; - if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")); - $ridx = $rulenos_start; - while ($ridx < $rulenos_range_max) { - if (empty($rules[$ridx])) { - $ruleno = $ridx; - $rules[$ridx] = $cpzone; - $ridx++; - $rules[$ridx] = $cpzone; - break; - } else { - /* - * This allows our traffic shaping pipes to be the in pipe the same as ruleno - * and the out pipe ruleno + 1. 
- */ - $ridx += 2; - } + $item = pfSense_ipfw_table_lookup("{$cpzone}_pipe_mac", + "any,{$value}"); + if (!is_array($item) || empty($item['pipe'])) { + unlock($cpruleslck); + return NULL; } - } else { - $rules = array_pad(array(), $rulenos_range_max, false); - $ruleno = $rulenos_start; - $rules[$rulenos_start] = $cpzone; - $rulenos_start++; - $rules[$rulenos_start] = $cpzone; - } - file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules)); - unlock($cpruleslck); - unset($rules); - - return $ruleno; -} - -function captiveportal_free_ipfw_ruleno($ruleno) { - global $config, $g, $cpzone; - - $cpcfg = $config['captiveportal'][$cpzone]; - if (!isset($cpcfg['enable'])) { - return NULL; - } - - $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX); - if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")); - $rules[$ruleno] = false; - $ruleno++; - $rules[$ruleno] = false; - file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules)); - unset($rules); - } - unlock($cpruleslck); -} - -function captiveportal_get_ipfw_passthru_ruleno($value) { - global $config, $g, $cpzone, $cpzoneid; - - $cpcfg = $config['captiveportal'][$cpzone]; - if (!isset($cpcfg['enable'])) { - return NULL; - } - $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX); - $ruleno = NULL; - if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")); - unset($output); - $_gb = exec("/sbin/ipfw -x {$cpzoneid} show | /usr/bin/grep " . escapeshellarg($value) . 
" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1}' | /usr/bin/head -n 1", $output); - $ruleno = intval($output[0]); + $ruleno = intval($item['pipe']); + $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules")); if (!$rules[$ruleno]) { $ruleno = NULL; } @@ -1772,6 +1850,8 @@ function getVolume($ip, $mac = NULL) { // Initialize vars properly, since we don't want NULL vars $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; + /* XXX Fix */ + return $volume; $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 1, $ip, $mac); if (is_array($ipfw)) { if ($reverse) { @@ -1979,8 +2059,8 @@ function captiveportal_reapply_attributes($cpentry, $attributes) { $bw_up_pipeno = $cpentry[1]; $bw_down_pipeno = $cpentry[1]+1; - $_gb = @pfSense_pipe_action("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16"); - $_gb = @pfSense_pipe_action("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16"); + $_gb = @pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16"); + $_gb = @pfSense_ipfw_pipe("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16"); //captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "RADIUS_BANDWIDTH_REAPPLY", "{$bw_up}/{$bw_down}"); unset($bw_up_pipeno, $bw_down_pipeno, $bw_up, $bw_down); 
@@ -2007,47 +2087,42 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
 $writecfg = false;
 /* Find an existing session */
- if ((isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) && $passthrumac) {
- if (isset($config['captiveportal'][$cpzone]['passthrumacadd'])) {
- $mac = captiveportal_passthrumac_findbyname($username);
- if (!empty($mac)) {
- if ($_POST['replacemacpassthru']) {
- foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $idx => $macent) {
- if ($macent['mac'] == $mac['mac']) {
- $macrules = "";
- $ruleno = captiveportal_get_ipfw_passthru_ruleno($mac['mac']);
- $pipeno = captiveportal_get_dn_passthru_ruleno($mac['mac']);
- if ($ruleno) {
- captiveportal_free_ipfw_ruleno($ruleno);
- $macrules .= "delete {$ruleno}\n";
- ++$ruleno;
- $macrules .= "delete {$ruleno}\n";
- }
- if ($pipeno) {
- captiveportal_free_dn_ruleno($pipeno);
- $macrules .= "pipe delete {$pipeno}\n";
- ++$pipeno;
- $macrules .= "pipe delete {$pipeno}\n";
- }
- unset($config['captiveportal'][$cpzone]['passthrumac'][$idx]);
- $mac['action'] = 'pass';
- $mac['mac'] = $clientmac;
- $config['captiveportal'][$cpzone]['passthrumac'][] = $mac;
- $macrules .= captiveportal_passthrumac_configure_entry($mac);
- file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
- $writecfg = true;
- $sessionid = true;
- break;
- }
- }
- } else {
- portal_reply_page($redirurl, "error", "Username: {$username} is already authenticated using another MAC address.",
- $clientmac, $clientip, $username, $password);
- unlock($cpdblck);
- return;
+ if ((isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) &&
+ $passthrumac &&
+ isset($config['captiveportal'][$cpzone]['passthrumacadd'])) {
+ $mac = captiveportal_passthrumac_findbyname($username);
+ if (!empty($mac) && $_POST['replacemacpassthru']) {
+ foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $idx => $macent) {
+ if ($macent['mac'] != $mac['mac']) {
+ continue;
 }
+
+ $macrules = "";
+ $pipeno = captiveportal_get_dn_passthru_ruleno($mac['mac']);
+ if ($pipeno) {
+ captiveportal_free_dn_ruleno($pipeno);
+ $macrules .= "table {$cpzone}_pipe_mac delete any,{$mac['mac']}\n";
+ $macrules .= "table {$cpzone}_pipe_mac delete {$mac['mac']},any\n";
+ $macrules .= "pipe delete {$pipeno}\n";
+ ++$pipeno;
+ $macrules .= "pipe delete {$pipeno}\n";
+ }
+ unset($config['captiveportal'][$cpzone]['passthrumac'][$idx]);
+ $mac['action'] = 'pass';
+ $mac['mac'] = $clientmac;
+ $config['captiveportal'][$cpzone]['passthrumac'][] = $mac;
+ $macrules .= captiveportal_passthrumac_configure_entry($mac);
+ file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
+ $writecfg = true;
+ $sessionid = true;
+ break;
 }
+ } elseif (!empty($mac)) {
+ portal_reply_page($redirurl, "error", "Username: {$username} is already authenticated using another MAC address.",
+ $clientmac, $clientip, $username, $password);
+ unlock($cpdblck);
+ return;
 }
 }
@@ -2148,7 +2223,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
 unlock($cpdblck);
 $macrules = captiveportal_passthrumac_configure_entry($mac);
 file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
 $writecfg = true;
 } else {
 /* See if a pipeno is passed, if not start sessions because this means there isn't one atm */
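Review bot: The two `table {$cpzone}_pipe_mac delete` lines are emitted only inside `if ($pipeno)`, so when `captiveportal_get_dn_passthru_ruleno()` returns NULL the old MAC's table entries stay in the kernel while its config entry is unset and the new MAC is appended; the lookup helper shown in the earlier hunk appears to do exactly that whenever the table entry's pipe is no longer marked allocated in `captiveportaldn.rules`, leaving a stale passthrough for the old MAC until the zone's rules are rebuilt. Moving the two `table ... delete` appends above the `if ($pipeno)` block keeps the table and the config in step regardless of pipe bookkeeping. The fixed temp filename `macentry_{$cpzone}.rules.tmp` is pre-existing, but note that the other call sites in this commit use `uniqid()`-based names, so two concurrent logins in one zone can clobber each other's rule file here. The enclosing portal_allow() starts and ends outside the hunk.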
@@ -2176,21 +2251,12 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
 $bw_up_pipeno = $pipeno;
 $bw_down_pipeno = $pipeno + 1;
 //$bw_up /= 1000; // Scale to Kbit/s
- $_gb = @pfSense_pipe_action("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
- $_gb = @pfSense_pipe_action("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
 $clientsn = (is_ipaddrv6($clientip)) ? 128 : 32;
- if (!isset($config['captiveportal'][$cpzone]['nomacfilter'])) {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 1, $clientip, $clientsn, $clientmac, $bw_up_pipeno);
- } else {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 1, $clientip, $clientsn, NULL, $bw_up_pipeno);
- }
-
- if (!isset($config['captiveportal'][$cpzone]['nomacfilter'])) {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 2, $clientip, $clientsn, $clientmac, $bw_down_pipeno);
- } else {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 2, $clientip, $clientsn, NULL, $bw_down_pipeno);
- }
+ $_gb = @pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_up_pipeno);
+ $_gb = @pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_down_pipeno);
 if ($attributes['voucher']) {
 $attributes['session_timeout'] = $remaining_time;
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index 733d06e..0c19aa6 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
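Review bot: The replacement `pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_up_pipeno)` (and the `_auth_down` twin) drops `$clientmac` together with the whole `nomacfilter` branch, so the authenticated-session entries are now keyed on IP alone even for zones where MAC filtering is on; a host that later takes an authenticated client's IP matches the session entry without the MAC check that the old `pfSense_ipfw_Tableaction(..., $clientmac, ...)` form applied. Whether this commit enforces the MAC elsewhere is not visible from here, so if it is deliberate for round 1 it should be marked at the call site, e.g. `/* XXX MAC binding of auth entries is lost here; nomacfilter is ignored until MAC-aware tables are restored */`, and otherwise the MAC needs to go back into the table key or into a companion rule. portal_allow() continues outside the hunk.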
@@ -72,6 +72,7 @@ $g = array(
 "captiveportal_path" => "/usr/local/captiveportal",
 "captiveportal_element_path" => "/var/db/cpelements",
 "captiveportal_element_sizelimit" => 1048576,
+ "captiveportal_rules_interval" => 50,
 "services_dhcp_server_enable" => true,
 "wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|iwi|wlan|rum|run|bwn|zyd|mwl|bwi|ipw|iwn|malo|uath|upgt|urtw|wpi)/",
 "help_base_url" => "/help.php",
diff --git a/src/etc/inc/shaper.inc b/src/etc/inc/shaper.inc
index 90f068d..5bdafdc 100644
--- a/src/etc/inc/shaper.inc
+++ b/src/etc/inc/shaper.inc
@@ -3373,7 +3373,7 @@ class dnpipe_class extends dummynet_class {
 $q->delete_queue();
 }
 unset_dn_object_by_reference($this->GetLink());
- @pfSense_pipe_action("pipe delete " . $this->GetNumber());
+ @pfSense_ipfw_pipe("pipe delete " . $this->GetNumber());
 }
 function GetBandwidth() {
 return $this->qbandwidth;
@@ -3987,7 +3987,7 @@ class dnqueue_class extends dummynet_class {
 function delete_queue() {
 cleanup_dnqueue_from_rules($this->GetQname());
 unset_dn_object_by_reference($this->GetLink());
- @pfSense_pipe_action("queue delete " . $this->GetNumber());
+ @pfSense_ipfw_pipe("queue delete " . $this->GetNumber());
 }
 function validate_input($data, &$input_errors) {
diff --git a/src/etc/rc.captiveportal_configure_mac b/src/etc/rc.captiveportal_configure_mac
index dc155cd..8b51904 100755
--- a/src/etc/rc.captiveportal_configure_mac
+++ b/src/etc/rc.captiveportal_configure_mac
@@ -39,6 +39,6 @@ $filename = "{$g['tmp_path']}/{$cpzoneidx}_mac_{$startidx}_{$stopidx}";
 captiveportal_passthrumac_configure($filename, $startidx, $stopidx);
 //log_error("STOPPED: " .time() . " - {$cpzone} : $startidx : {$stopidx} : {$cpzoneidx} : {$filename}");
-mwexec("/sbin/ipfw -x {$cpzoneidx} -q {$filename}");
+mwexec("/sbin/ipfw -q {$filename}");
 @unlink($filename);
 ?>
diff --git a/src/usr/local/www/services_captiveportal_hostname.php b/src/usr/local/www/services_captiveportal_hostname.php
index 6c2af91..7de5912 100644
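Review bot: `"captiveportal_rules_interval" => 50,` is a bare magic number with nothing saying what the interval spaces or what happens when a zone needs more than that; from the commit message it is presumably the gap in ipfw rule numbers reserved per captive portal zone, but the reader has to grep captiveportal.inc to confirm it. A one-line comment above the entry would settle it, e.g. `/* ipfw rule numbers reserved per captive portal zone (consumed by captiveportal.inc) */`, adjusted to whatever the consumer actually does with the value.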
--- a/src/usr/local/www/services_captiveportal_hostname.php
+++ b/src/usr/local/www/services_captiveportal_hostname.php
@@ -75,15 +75,16 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) {
 }
 $sn = (is_ipaddrv6($ip)) ? 128 : 32;
 if (is_ipaddr($ip)) {
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $ip);
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
- pfSense_pipe_action("pipe delete {$ipfw['dnpipe']}");
- pfSense_pipe_action("pipe delete " . ($ipfw['dnpipe']+1));
- }
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$ip}/{$sn}");
+
+ pfSense_ipfw_table("{$cpzone}_allowed_up", IP_FW_TABLE_XDEL, "{$ip}/{$sn}");
+ pfSense_ipfw_table("{$cpzone}_allowed_down", IP_FW_TABLE_XDEL, "{$ip}/{$sn}");
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 3, $ip, $sn);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 4, $ip, $sn);
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
+ pfSense_ipfw_pipe("pipe delete {$rule['pipe']}");
+ pfSense_ipfw_pipe("pipe delete " . ($rule['pipe']+1));
+ }
 }
 }
diff --git a/src/usr/local/www/services_captiveportal_hostname_edit.php b/src/usr/local/www/services_captiveportal_hostname_edit.php
index cabc214..3149ac2 100644
--- a/src/usr/local/www/services_captiveportal_hostname_edit.php
+++ b/src/usr/local/www/services_captiveportal_hostname_edit.php
@@ -142,7 +142,7 @@ if ($_POST) {
 $rules = captiveportal_allowedhostname_configure();
 @file_put_contents("{$g['tmp_path']}/hostname_rules", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} {$g['tmp_path']}/hostname_rules", true);
+ mwexec("/sbin/ipfw {$g['tmp_path']}/hostname_rules", true);
 unset($rules);
 header("Location: services_captiveportal_hostname.php?zone={$cpzone}");
diff --git a/src/usr/local/www/services_captiveportal_ip.php b/src/usr/local/www/services_captiveportal_ip.php
index 9487ba5..648c629 100644
--- a/src/usr/local/www/services_captiveportal_ip.php
+++ b/src/usr/local/www/services_captiveportal_ip.php
@@ -71,14 +71,15 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) {
 if (isset($config['captiveportal'][$cpzone]['enable'])) {
 $mask = (!empty($ipent['sn'])) ? $ipent['sn'] : 32;
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $ipent['ip']);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 3, $ipent['ip'], $mask);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 4, $ipent['ip'], $mask);
-
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
- pfSense_pipe_action("pipe delete {$ipfw['dnpipe']}");
- pfSense_pipe_action("pipe delete " . ($ipfw['dnpipe']+1));
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$ipent['ip']}/{$mask}");
+
+ pfSense_ipfw_table("{$cpzone}_allowed_up", IP_FW_TABLE_XDEL, "{$ipent['ip']}/{$mask}");
+ pfSense_ipfw_table("{$cpzone}_allowed_down", IP_FW_TABLE_XDEL, "{$ipent['ip']}/{$mask}");
+
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
+ pfSense_ipfw_pipe("pipe delete {$rule['pipe']}");
+ pfSense_ipfw_pipe("pipe delete " . ($rule['pipe']+1));
 }
 }
diff --git a/src/usr/local/www/services_captiveportal_ip_edit.php b/src/usr/local/www/services_captiveportal_ip_edit.php
index daed6da..420faae 100644
--- a/src/usr/local/www/services_captiveportal_ip_edit.php
+++ b/src/usr/local/www/services_captiveportal_ip_edit.php
@@ -167,25 +167,28 @@ if ($_POST) {
 if (isset($a_cp[$cpzone]['enable']) && is_module_loaded("ipfw.ko")) {
 $rules = "";
 $cpzoneid = $a_cp[$cpzone]['zoneid'];
- unset($ipfw);
+
+ unset($rule);
 if (isset($oldip) && isset($oldmask)) {
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $oldip);
- $rules .= "table 3 delete {$oldip}/{$oldmask}\n";
- $rules .= "table 4 delete {$oldip}/{$oldmask}\n";
- if (is_array($ipfw)) {
- $rules .= "pipe delete {$ipfw['dnpipe']}\n";
- $rules .= "pipe delete " . ($ipfw['dnpipe']+1 . "\n");
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$oldip}/{$oldmask}");
+
+ $rules .= "table {$cpzone}_allowed_up delete {$oldip}/{$oldmask}\n";
+ $rules .= "table {$cpzone}_allowed_down delete {$oldip}/{$oldmask}\n";
+
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ $rules .= "pipe delete {$rule['pipe']}\n";
+ $rules .= "pipe delete " . ($rule['pipe']+1 . "\n");
 }
 }
 $rules .= captiveportal_allowedip_configure_entry($ip);
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
 }
 $uniqid = uniqid("{$cpzone}_allowed");
 @file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
 @unlink("{$g['tmp_path']}/{$uniqid}_tmp");
 }
diff --git a/src/usr/local/www/services_captiveportal_mac.php b/src/usr/local/www/services_captiveportal_mac.php
index 193cffb..acfff96 100644
--- a/src/usr/local/www/services_captiveportal_mac.php
+++ b/src/usr/local/www/services_captiveportal_mac.php
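Review bot: `$rules .= "pipe delete " . ($rule['pipe']+1 . "\n");` carries over the old misplaced parenthesis: the `. "\n"` sits inside the parentheses, so the line only works because `+` is evaluated before `.` (left-to-right with equal precedence in PHP 7, higher precedence in PHP 8) rather than because it says what it means. Since the line is rewritten anyway, `$rules .= "pipe delete " . ($rule['pipe'] + 1) . "\n";` matches the form used by the hostname.php and ip.php hunks (`"pipe delete " . ($rule['pipe']+1)`). Separately, `$cpzoneid = $a_cp[$cpzone]['zoneid'];` is still assigned at the top of the block although its only visible use, the `-x {$cpzoneid}` flag in the mwexec call, is removed by this hunk; if nothing else in the file reads it, the assignment can go too.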
@@ -73,7 +73,7 @@ if ($_POST) {
 $rules = captiveportal_passthrumac_configure();
 if (!empty($rules)) {
 @file_put_contents("{$g['tmp_path']}/passthrumac_gui", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} {$g['tmp_path']}/passthrumac_gui");
+ mwexec("/sbin/ipfw {$g['tmp_path']}/passthrumac_gui");
 @unlink("{$g['tmp_path']}/passthrumac_gui");
 }
 $savemsg = get_std_save_message($retval);
@@ -120,7 +120,7 @@ if ($_POST) {
 $rules = captiveportal_passthrumac_delete_entry($a_passthrumacs[$idx]);
 $uniqid = uniqid("{$cpzone}_mac");
 file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
 @unlink("{$g['tmp_path']}/{$uniqid}_tmp");
 unset($a_passthrumacs[$idx]);
 write_config();
@@ -141,7 +141,7 @@ if ($_GET['act'] == "del") {
 $rules = captiveportal_passthrumac_delete_entry($a_passthrumacs[$_GET['id']]);
 $uniqid = uniqid("{$cpzone}_mac");
 file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
 @unlink("{$g['tmp_path']}/{$uniqid}_tmp");
 unset($a_passthrumacs[$_GET['id']]);
 write_config();
diff --git a/src/usr/local/www/services_captiveportal_mac_edit.php b/src/usr/local/www/services_captiveportal_mac_edit.php
index 270daf3..91d01e0 100644
--- a/src/usr/local/www/services_captiveportal_mac_edit.php
+++ b/src/usr/local/www/services_captiveportal_mac_edit.php
@@ -172,7 +172,7 @@ if ($_POST) {
 $rules .= captiveportal_passthrumac_configure_entry($mac);
 $uniqid = uniqid("{$cpzone}_macedit");
 file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
 @unlink("{$g['tmp_path']}/{$uniqid}_tmp");
 unset($cpzoneid);
 }
|