author | Ermal Luçi <eri@pfsense.org> | 2009-08-13 17:21:37 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2009-08-13 17:21:37 +0000 |
commit | cb0a2913cdbe02d0696b83d0de431a8e37214703 (patch) | |
tree | a372a56042e71045d184937d98beba5a4010acc8 /etc | |
parent | d1bd66b422f1f4cf74b7389e051b67a40237b9fe (diff) | |
Use ipfw tables for allowed ips. This reduces the number of rules needed for them and speeds things up when this list is big. It also simplifies deleting an allowed ip from services->captiveportal->allowedips, since we just need to remove it from the table.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/captiveportal.inc | 94 |
1 files changed, 41 insertions, 53 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 452698b..bfd3c01 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -247,8 +247,8 @@ EOD;
 	/* generate passthru mac database */
 	captiveportal_passthrumac_configure(true);
-	/* create allowed ip database and insert ipfw rules to make it so */
-	captiveportal_allowedip_configure(true);
+	/* allowed ipfw rules to make allowed ip work */
+	captiveportal_allowedip_configure();
 	/* generate radius server database */
 	if ($config['captiveportal']['radiusip'] && (!isset($config['captiveportal']['auth_method']) ||
@@ -724,34 +724,17 @@ function captiveportal_passthrumac_configure($lock = false) {
 	return 0;
 }
-function captiveportal_allowedip_configure($lock = false) {
+function captiveportal_allowedip_configure() {
 	global $config, $g;
-	if (!$lock)
-		$captiveportallck = lock('captiveportal');
-	/* clear out existing allowed ips, if necessary */
+	mwexec("/sbin/ipfw table 1 flush");
+	mwexec("/sbin/ipfw table 2 flush");
 	if (file_exists("{$g['vardb_path']}/captiveportal_ip.db")) {
-		$fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "r");
-		if ($fd) {
-			while (!feof($fd)) {
-				$line = trim(fgets($fd));
-				if ($line) {
-					list($ip,$rule) = explode(",",$line);
-					mwexec("/sbin/ipfw delete $rule");
-				}
-			}
-		}
-		fclose($fd);
-		unlink("{$g['vardb_path']}/captiveportal_ip.db");
+		$ruleno = intval(file_get_contents("{$g['vardb_path']}/captiveportal_ip.db"));
+		mwexec("/sbin/ipfw delete {$ruleno}");
 	}
-	/* get next ipfw rule number */
-	if (file_exists("{$g['vardb_path']}/captiveportal.nextrule"))
-		$ruleno = trim(file_get_contents("{$g['vardb_path']}/captiveportal.nextrule"));
-	if (!$ruleno)
-		$ruleno = 10000; /* first rule number */
-
 	if (is_array($config['captiveportal']['allowedip'])) {
 		$fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "w");
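Review bot: The new `$ruleno = intval(file_get_contents(...))` in the file_exists branch has no guard for an empty or unreadable captiveportal_ip.db, so a 0 is passed to `/sbin/ipfw delete 0`. An empty file is a real state here: the next hunk opens the same file with "w" (truncating it) before the rule number is written, and its is_null($ruleno) error path returns without ever writing it. Suggest `if ($ruleno > 0) mwexec("/sbin/ipfw delete {$ruleno}");`. Dropping the `$lock` parameter also means any caller outside this diff that relied on this function taking `lock('captiveportal')` itself now runs without it; worth checking the other call sites. The function body continues in the next hunk.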
@@ -760,38 +743,43 @@ function captiveportal_allowedip_configure($lock = false) {
 			unlock($captiveportallck);
 			return 1;
 		}
+		/* get next ipfw rule number */
+		$ruleno = captiveportal_get_next_ipfw_ruleno();
-		foreach ($config['captiveportal']['allowedip'] as $ipent) {
-			/* get next ipfw rule number */
-			$ruleno = captiveportal_get_next_ipfw_ruleno();
-
-			/* if the pool is empty, return apprioriate message and fail */
-			if (is_null($ruleno)) {
-				printf("Error: system reached maximum login capacity, no free FW rulenos in captiveportal_allowedip_configure().\n");
-				fclose($fd);
-				unlock($captiveportallck);
-				return 1;
-			}
-
-			/* record allowed ip so it can be recognized and removed later */
-			fwrite($fd, $ipent['ip'] . "," . $ruleno ."\n");
-
-			/* insert ipfw rule to allow ip thru */
-			if ($ipent['dir'] == "from") {
-				mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any in");
-				mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip'] . " out");
-			} else {
-				mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to " . $ipent['ip'] . " in");
-				mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from " . $ipent['ip'] . " to any out");
-			}
-
-		}
+		/* if the pool is empty, return apprioriate message and fail */
+		if (is_null($ruleno)) {
+			printf("Error: system reached maximum login capacity, no free FW rulenos in captiveportal_allowedip_configure().\n");
+			fclose($fd);
+			unlock($captiveportallck);
+			return 1;
+		}
+		/* Keep the rule number where this will be stored */
+		fwrite($fd, $ruleno);
+		fclose($fd);
-		fclose($fd);
-	}
+		$numberofallowedip = count($config['captiveportal']['allowedip']);
+		$tableone = false;
+		$tabletwo = false;
+		foreach ($config['captiveportal']['allowedip'] as $ipent) {
+			/* insert address in ipfw table */
+			if ($ipent['dir'] == "from") {
+				mwexec("/sbin/ipfw table 1 add {$ipent['ip']}");
+				$tableone = true;
+			} else {
+				mwexec("/sbin/ipfw table 2 add {$ipent['ip']}");
+				$tabletwo = true;
+			}
+		}
+		if ($tableone == true) {
+			mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from table\(1\) to any in");
+			mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to table\(1\) out");
+		}
+		if ($tabletwo == true) {
+			mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to table\(2\) in");
+			mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from table\(2\) to any out");
+		}
+	}
-	if (!$lock)
-		unlock($captiveportallck);
 	return 0;
 }
|
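Review bot: Both error paths left in the new body call `unlock($captiveportallck)` — the fopen failure in the leading context and the new `is_null($ruleno)` branch — but the previous hunk removed the `lock('captiveportal')` call and the `$lock` parameter from this function, so `$captiveportallck` is never assigned here. Depending on how unlock() treats a null handle this is either a silent no-op or it releases a lock the caller is holding; either way the two `unlock($captiveportallck);` lines should go, or the lock must be taken again at the top of the function. `$numberofallowedip` is assigned and never read. The new `table 1 add {$ipent['ip']}` / `table 2 add {$ipent['ip']}` lines interpolate the configured address into the command string unescaped; validating each entry as an address or CIDR, or wrapping it in `escapeshellarg()`, would bound what reaches the shell if the config is ever edited outside the GUI.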