authorjim-p <jimp@pfsense.org>2012-09-13 21:15:43 -0400
committerjim-p <jimp@pfsense.org>2012-09-13 21:15:43 -0400
commit1f1a08c85b7e8ddc6473795534ed5422a2c5aaaf (patch)
treeabc8057a57e98803fe99ddb8c70f3e7fdf7d01b3 /etc
parente288ddb111d0d7b00ec33b0672ed7ea2c417f629 (diff)
Allow/deny access to DHCP by partial MAC matching.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/services.inc18
-rw-r--r--etc/inc/util.inc5
2 files changed, 21 insertions, 2 deletions
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 6cea972..ffc15e8 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -535,6 +535,14 @@ EOPP;
$dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";";
}
+ /* Create classes */
+ $all_mac_list = array_unique(explode(',', $dhcpifconf['mac_allow'] . ',' . $dhcpifconf['mac_deny']));
+ foreach ($all_mac_list as $mac) {
+ $dhcpdconf .= 'class "' . str_replace(':', '', $mac) . '" {' . "\n";
+ $dhcpdconf .= ' match if substring (hardware, 1, ' . (substr_count($mac, ':') + 1) . ') = ' . $mac . ';' . "\n";
+ $dhcpdconf .= '}' . "\n";
+ }
+
$dhcpdconf .= "subnet {$subnet} netmask {$subnetmask} {\n";
$dhcpdconf .= " pool {\n";
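Review bot: When `mac_allow` and `mac_deny` are both empty, `explode()` still returns one empty string, so the loop added here emits `class "" {` with `match if substring (hardware, 1, 1) = ;`, which dhcpd will most likely reject as a syntax error. The two loops in the second services.inc hunk have the same problem and would write `allow members of "";` and `deny members of "";`. Each value is also concatenated into dhcpd.conf without being checked at this point, so a hand-edited or restored config could carry arbitrary text into the generated file. Starting each of the three loops with `if (!is_macaddr($mac, true)) continue;` would cover both cases. The enclosing function starts and ends outside the hunk.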
@@ -546,6 +554,16 @@ EOPP;
$dhcpdconf .= ";\n";
}
+ /* allow/deny MACs */
+ $mac_allow_list = array_unique(explode(',', $dhcpifconf['mac_allow']));
+ foreach ($mac_allow_list as $mac) {
+ $dhcpdconf .= " allow members of \"" . str_replace(':', '', $mac) . "\";\n";
+ }
+ $mac_deny_list = array_unique(explode(',', $dhcpifconf['mac_deny']));
+ foreach ($mac_deny_list as $mac) {
+ $dhcpdconf .= " deny members of \"" . str_replace(':', '', $mac) . "\";\n";
+ }
+
if($dhcpifconf['failover_peerip'] <> "")
$dhcpdconf .= " deny dynamic bootp clients;\n";
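Review bot: The `/* allow/deny MACs */` comment does not say what these statements do to the pool: per dhcpd.conf(5), once a pool carries any `allow` entry, only clients matching an allow entry are eligible for its addresses, so one allowed prefix excludes every other client. I would expand it to `/* allow/deny by MAC prefix class; any allow entry makes the pool exclusive to the listed classes */`. It is also worth stating there that the hardware address is client-supplied, so this is a filter rather than an authentication control. A prefix present in both lists gets both an allow and a deny line; presumably the GUI is meant to reject that, but nothing in this hunk does. The enclosing function continues outside the hunk.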
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 881537f..e7a0734 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -604,8 +604,9 @@ function is_domain($domain) {
}
/* returns true if $macaddr is a valid MAC address */
-function is_macaddr($macaddr) {
- return preg_match('/^[0-9A-F]{2}(?:[:][0-9A-F]{2}){5}$/i', $macaddr) == 1 ? true : false;
+function is_macaddr($macaddr, $partial=false) {
+ $repeat = ($partial) ? '1,5' : '5';
+ return preg_match('/^[0-9A-F]{2}(?:[:][0-9A-F]{2}){'.$repeat.'}$/i', $macaddr) == 1 ? true : false;
}
/* returns true if $name is a valid name for an alias */
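Review bot: The pattern in the new `is_macaddr()` still ends in `$` without the `D` modifier, so a value with a trailing newline passes, and the strings accepted here are presumably the ones the services.inc hunks write into dhcpd.conf. Anchoring the end closes that: `return preg_match('/^[0-9A-F]{2}(?:[:][0-9A-F]{2}){'.$repeat.'}$/iD', $macaddr) == 1;`. The comment above the function should also describe the new parameter, e.g. `/* returns true if $macaddr is a valid MAC address, or with $partial a 2-6 octet prefix of one */`. A single octet such as `00` is not accepted as a partial match because the group must repeat at least once; if that is intended, the comment is the place to say so.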