authorRenato Botelho <renato@netgate.com>2016-10-24 19:19:19 -0200
committerRenato Botelho <renato@netgate.com>2016-10-24 19:22:00 -0200
commit517b893eec63ce7695bc91b3a0e82882136e8ef5 (patch)
tree603b3c72b04277a76b8c531400a0f339ceebf9ed /src
parent6344be46d4946e594085f7a08249f70a5b109340 (diff)
Rework captive portal to run with stock IPFW (round 1)
- Remove use of IPFW context - Create a rule that will skip to the proper rule for each CP zone - Use the new PHP module functions wherever possible
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/captiveportal.inc692
-rw-r--r--src/etc/inc/globals.inc1
-rw-r--r--src/etc/inc/shaper.inc4
-rwxr-xr-xsrc/etc/rc.captiveportal_configure_mac2
-rw-r--r--src/usr/local/www/services_captiveportal_hostname.php17
-rw-r--r--src/usr/local/www/services_captiveportal_hostname_edit.php2
-rw-r--r--src/usr/local/www/services_captiveportal_ip.php17
-rw-r--r--src/usr/local/www/services_captiveportal_ip_edit.php23
-rw-r--r--src/usr/local/www/services_captiveportal_mac.php6
-rw-r--r--src/usr/local/www/services_captiveportal_mac_edit.php2
10 files changed, 419 insertions, 347 deletions
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index f6b3efe..5da27b2 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -139,17 +139,26 @@ function captiveportal_load_modules() {
mwexec("/sbin/kldload ipfw");
/* make sure ipfw is not on pfil hooks */
set_sysctl(array(
- "net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
- "net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
- );
+ "net.inet.ip.pfil.inbound" => "pf",
+ "net.inet6.ip6.pfil.inbound" => "pf",
+ "net.inet.ip.pfil.outbound" => "pf",
+ "net.inet6.ip6.pfil.outbound" => "pf"
+ ));
}
/* Activate layer2 filtering */
- set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));
+ set_sysctl(array(
+ "net.link.ether.ipfw" => "1",
+ "net.inet.ip.fw.one_pass" => "1",
+ "net.inet.ip.fw.tables_max" => "65534"
+ ));
/* Always load dummynet now that even allowed ip and mac passthrough use it. */
if (!is_module_loaded("dummynet.ko")) {
mwexec("/sbin/kldload dummynet");
- set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
+ set_sysctl(array(
+ "net.inet.ip.dummynet.io_fast" => "1",
+ "net.inet.ip.dummynet.hash_size" => "256"
+ ));
}
unmute_kernel_msgs();
}
@@ -352,7 +361,7 @@ EOD;
/* Release allocated pipes for this zone */
captiveportal_free_dnrules();
- mwexec("/sbin/ipfw zone {$cpzoneid} destroy", true);
+ captiveportal_delete_rules();
if (empty($config['captiveportal'])) {
set_single_sysctl("net.link.ether.ipfw", "0");
@@ -461,6 +470,57 @@ function captiveportal_init_rules_byinterface($interface) {
}
}
+/* Create basic rules used by all zones */
+function captiveportal_init_general_rules($flush = false) {
+ global $g;
+
+ $flush_rule = '';
+ if ($flush) {
+ $flush_rule = 'flush';
+ }
+
+ /* Already loaded */
+ if (!$flush && (mwexec("/sbin/ipfw list 1000", true) == 0)) {
+ return;
+ }
+
+ $cprules = <<<EOD
+{$flush_rule}
+# Table with interfaces that have CP enabled
+table cp_ifaces create type iface valtype skipto
+
+# Redirect each CP interface to its specific rule
+add 1000 skipto tablearg all from any to any via cp_ifaces
+
+# This interface has no cp zone configured
+add 1100 allow all from any to any
+
+# block everything else
+add 65534 deny all from any to any
+EOD;
+
+ /* load rules */
+ file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules);
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true);
+ @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
+ unset($cprules);
+}
+
+/* Create a string with ipfw rule and increase rulenum */
+function captiveportal_create_ipfw_rule($cmd, &$rulenum, $args) {
+ $rule = "{$cmd} {$rulenum} {$args}\n";
+ $rulenum++;
+
+ return $rule;
+}
+
+/* Return first rule number for a cp zone */
+function captiveportal_ipfw_ruleno($id) {
+ global $g;
+
+ return 2000 + $id * $g['captiveportal_rules_interval'];
+}
+
/* reinit will disconnect all users, be careful! */
function captiveportal_init_rules($reinit = false) {
global $config, $g, $cpzone, $cpzoneid;
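Review bot: The temporary rule file written by captiveportal_init_general_rules() is never removed: the `@unlink()` that follows the `mwexec` names `ipfw_{$cpzone}.cp.rules`, a different file from the `ipfw.cp.rules` that was just written, and `$cpzone` is not in this function's `global` list (only `$g` is), so the generated rule set stays behind in `$g['tmp_path']` on every call. Change it to `@unlink("{$g['tmp_path']}/ipfw.cp.rules");`. Separately, captiveportal_ipfw_ruleno() has no upper bound: `2000 + $id * $g['captiveportal_rules_interval']` can pass the `65534 deny` rule added above for a large enough zone id, and nothing here rejects that case; a guard, or at least a comment stating the maximum zone count this numbering scheme supports, would help the next maintainer. captiveportal_init_rules() continues outside this hunk.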
@@ -470,12 +530,16 @@ function captiveportal_init_rules($reinit = false) {
}
captiveportal_load_modules();
- mwexec("/sbin/ipfw zone {$cpzoneid} create", true);
+ captiveportal_init_general_rules();
/* Cleanup so nothing is leaked */
captiveportal_free_dnrules();
unlink_if_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules");
+ $skipto = captiveportal_ipfw_ruleno($cpzoneid);
+
+ $cprules = '';
+
$cpips = array();
$ifaces = get_configured_interface_list();
$cpinterfaces = explode(",", $config['captiveportal'][$cpzone]['interface']);
@@ -485,20 +549,28 @@ function captiveportal_init_rules($reinit = false) {
continue;
}
$tmpif = get_real_interface($cpifgrp);
- if (!empty($tmpif)) {
- $cpipm = get_interface_ip($cpifgrp);
- if (is_ipaddr($cpipm)) {
- $cpips[] = $cpipm;
- if (is_array($config['virtualip']['vip'])) {
- foreach ($config['virtualip']['vip'] as $vip) {
- if (($vip['interface'] == $cpifgrp) && (($vip['mode'] == "carp") || ($vip['mode'] == "ipalias"))) {
- $cpips[] = $vip['subnet'];
- }
- }
+ if (empty($tmpif)) {
+ continue;
+ }
+
+ $cpipm = get_interface_ip($cpifgrp);
+
+ if (!is_ipaddr($cpipm)) {
+ continue;
+ }
+
+ $cpips[] = $cpipm;
+ if (is_array($config['virtualip']['vip'])) {
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if (($vip['interface'] == $cpifgrp) &&
+ (($vip['mode'] == "carp") ||
+ ($vip['mode'] == "ipalias"))) {
+ $cpips[] = $vip['subnet'];
}
}
- mwexec("/sbin/ipfw zone {$cpzoneid} madd {$tmpif}", true);
}
+
+ $cprules .= "table cp_ifaces add {$tmpif} {$skipto}\n";
}
if (count($cpips) > 0) {
$cpactive = true;
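Review bot: The new `continue` after the `is_ipaddr($cpipm)` check changes which interfaces are attached to the zone: in the removed code an interface with no IPv4 address was still added with `ipfw zone madd`, whereas now it is never added to `cp_ifaces`, and with the general rule `add 1100 allow all from any to any` from captiveportal_init_general_rules() an interface missing from that table passes all traffic around the portal. If that is not intended, emit `$cprules .= "table cp_ifaces add {$tmpif} {$skipto}\n";` directly after the `empty($tmpif)` guard and keep the `continue` only for the `$cpips` collection. The enclosing loop and function continue outside this hunk.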
@@ -510,53 +582,60 @@ function captiveportal_init_rules($reinit = false) {
$captiveportallck = lock("captiveportal{$cpzone}");
}
- $cprules = <<<EOD
+ $rulenum = $skipto;
+ $cprules .= "table {$cpzone}_pipe_mac create type mac valtype pipe\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg MAC table({$cpzone}_pipe_mac)");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "allow pfsync from any to any");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "allow carp from any to any\n");
+ $cprules .= "# layer 2: pass ARP\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass layer2 mac-type arp,rarp");
+ $cprules .= "# pfsense requires for WPA\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass layer2 mac-type 0x888e,0x88c7");
+ $cprules .= "# PPP Over Ethernet Session Stage/Discovery Stage\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass layer2 mac-type 0x8863,0x8864\n");
+ $cprules .= "# layer 2: block anything else non-IP(v4/v6)\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "deny layer2 not mac-type ip,ipv6");
-flush
-add 65291 allow pfsync from any to any
-add 65292 allow carp from any to any
-
-# layer 2: pass ARP
-add 65301 pass layer2 mac-type arp,rarp
-# pfsense requires for WPA
-add 65302 pass layer2 mac-type 0x888e,0x88c7
-# PPP Over Ethernet Session Stage/Discovery Stage
-add 65303 pass layer2 mac-type 0x8863,0x8864
-
-# layer 2: block anything else non-IP(v4/v6)
-add 65307 deny layer2 not mac-type ip,ipv6
-
-EOD;
-
- $rulenum = 65310;
/* These tables contain host ips */
- $cprules .= "add {$rulenum} pass ip from any to table(100) in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pass ip from table(100) to any out\n";
- $rulenum++;
+ $cprules .= "table {$cpzone}_host_ips create type addr valtype pipe\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass ip from any to table({$cpzone}_host_ips) in");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass ip from table({$cpzone}_host_ips) to any out");
foreach ($cpips as $cpip) {
- $cprules .= "table 100 add {$cpip}\n";
+ $cprules .= "table {$cpzone}_host_ips add {$cpip}\n";
}
- $cprules .= "add {$rulenum} pass ip from any to 255.255.255.255 in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pass ip from 255.255.255.255 to any out\n";
- $rulenum++;
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass ip from any to 255.255.255.255 in");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass ip from 255.255.255.255 to any out");
/* Allowed ips */
- $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any out\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pipe tablearg ip from any to table(4) out\n";
- $rulenum++;
+ $cprules .= "table {$cpzone}_allowed_up create type addr valtype pipe\n";
+ $cprules .= "table {$cpzone}_allowed_down create type addr valtype pipe\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from table({$cpzone}_allowed_up) to any in");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from any to table({$cpzone}_allowed_down) in");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from table({$cpzone}_allowed_up) to any out");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from any to table({$cpzone}_allowed_down) out");
/* Authenticated users rules. */
- $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";
- $rulenum++;
+ $cprules .= "table {$cpzone}_auth_up create type addr valtype pipe\n";
+ $cprules .= "table {$cpzone}_auth_down create type addr valtype pipe\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from table({$cpzone}_auth_up) to any in");
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pipe tablearg ip from any to table({$cpzone}_auth_down) out");
if (!empty($config['captiveportal'][$cpzone]['listenporthttp'])) {
$listenporthttp = $config['captiveportal'][$cpzone]['listenporthttp'];
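Review bot: A point of style in the rule builder: the blank lines between rule groups are produced by embedding `\n` inside the argument string (`"allow carp from any to any\n"`, `"pass layer2 mac-type 0x8863,0x8864\n"`), so captiveportal_create_ipfw_rule() appends a rule with a trailing blank line that is invisible at the call site. Emitting the separator as its own `$cprules .= "\n";` statement, the way the comment lines are already emitted, keeps the rule arguments clean and makes the grouping obvious. The function continues outside this hunk.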
@@ -571,22 +650,23 @@ EOD;
$listenporthttps = 8001 + $cpzoneid;
}
if (!isset($config['captiveportal'][$cpzone]['nohttpsforwards'])) {
- $cprules .= "add 65531 fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "fwd 127.0.0.1,{$listenporthttps} tcp from any to any dst-port 443 in");
}
}
- $cprules .= <<<EOD
-
-# redirect non-authenticated clients to captive portal
-add 65532 fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in
-# let the responses from the captive portal web server back out
-add 65533 pass tcp from any to any out
-# block everything else
-add 65534 deny all from any to any
-
-EOD;
+ $cprules .= "# redirect non-authenticated clients to captive portal\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "fwd 127.0.0.1,{$listenporthttp} tcp from any to any dst-port 80 in");
+ $cprules .= "# let the responses from the captive portal web server back out\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "pass tcp from any to any out");
+ $cprules .= "# This CP zone is over, skip to last rule\n";
+ $cprules .= captiveportal_create_ipfw_rule("add", $rulenum,
+ "skipto 65534 all from any to any");
/* generate passthru mac database */
+ file_put_contents("/tmp/debug_antes", $cprules);
$cprules .= captiveportal_passthrumac_configure(true);
$cprules .= "\n";
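Review bot: `file_put_contents("/tmp/debug_antes", $cprules);` looks like a leftover debugging write and should be dropped before merge: it dumps the complete generated rule set (interface addresses and the portal listen ports) to a fixed, predictable path on every rule rebuild, outside `$g['tmp_path']`, and nothing removes it afterwards. The surrounding lines that append the passthrough MAC database are otherwise fine. captiveportal_init_rules() continues outside this hunk.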
@@ -597,16 +677,57 @@ EOD;
$cprules .= captiveportal_allowedhostname_configure();
/* load rules */
+ captiveportal_delete_rules();
file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", $cprules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true);
- //@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true);
+ @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
unset($cprules);
+ captiveportal_filterdns_configure();
+
if ($reinit == false) {
unlock($captiveportallck);
}
}
+/* Delete all rules related to specific cpzone */
+function captiveportal_delete_rules() {
+ global $g, $cpzoneid;
+
+ $skipto1 = captiveportal_ipfw_ruleno($cpzoneid);
+ $skipto2 = $skipto1 + $g['captiveportal_rules_interval'];
+
+ $cp_ifaces = pfSense_ipfw_table_list("cp_ifaces");
+ if (is_array($cp_ifaces)) {
+ foreach ($cp_ifaces as $cp_iface) {
+ if (empty($cp_iface['skipto']) ||
+ $cp_iface['skipto'] != $skipto1) {
+ continue;
+ }
+
+ pfSense_ipfw_table("cp_ifaces", IP_FW_TABLE_XDEL,
+ $cp_iface['iface']);
+ }
+ }
+
+ mwexec("/sbin/ipfw delete {$skipto1}-{$skipto2}", true);
+
+ $tables = captiveportal_get_ipfw_table_names();
+
+ $delrules = "";
+ foreach ($tables as $table) {
+ $delrules .= "table {$table} destroy\n";
+ }
+
+ if (empty($delrules)) {
+ return;
+ }
+
+ file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules", $delrules);
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules", true);
+ @unlink("{$g['tmp_path']}/ipfw_{$cpzone}.del.rules");
+}
+
/*
* Remove clients that have been around for longer than the specified amount of time
* db file structure:
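Review bot: captiveportal_delete_rules() deletes one rule too many: `$skipto2` is `$skipto1 + interval`, which by the formula in captiveportal_ipfw_ruleno() is exactly the first rule number of zone `$cpzoneid + 1`, and `ipfw delete A-B` is inclusive, so tearing down one zone also removes the next zone's leading `pipe tablearg MAC` rule; use `$skipto2 = $skipto1 + $g['captiveportal_rules_interval'] - 1;`. The function also interpolates `$cpzone` into the `.deltable.rules` path without declaring it (`global $g, $cpzone, $cpzoneid;`), and the `@unlink()` names `ipfw_{$cpzone}.del.rules` rather than the `.deltable.rules` file it just wrote, so that temp file is left behind: `@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.deltable.rules");`.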
@@ -741,8 +862,10 @@ function captiveportal_prune_old() {
false, // Not an interim request
$rastop_time); // Stop Time
$clientsn = (is_ipaddrv6($cpentry[2])) ? 128 : 32;
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XZEROENTRY, 1, $cpentry[2], $clientsn, $cpentry[3]);
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XZEROENTRY, 2, $cpentry[2], $clientsn, $cpentry[3]);
+ /* XXX: Fix
+ $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_up, $cpentry[2], $clientsn, $cpentry[3]);
+ $_gb = @pfSense_ipfw_table($cpzoneid, IP_FW_TABLE_XZEROENTRY, {$cpzone}_auth_down, $cpentry[2], $clientsn, $cpentry[3]);
+ */
if ($cpcfg['reauthenticateacct'] == "stopstartfreeradius") {
/* Need to pause here or the FreeRADIUS server gets confused about packet ordering. */
sleep(1);
@@ -814,61 +937,55 @@ function captiveportal_prune_old() {
function captiveportal_prune_old_automac() {
global $g, $config, $cpzone, $cpzoneid;
- if (is_array($config['captiveportal'][$cpzone]['passthrumac']) && isset($config['captiveportal'][$cpzone]['passthrumacaddusername'])) {
+ if (is_array($config['captiveportal'][$cpzone]['passthrumac']) &&
+ isset($config['captiveportal'][$cpzone]['passthrumacaddusername'])) {
$tmpvoucherdb = array();
$macrules = "";
$writecfg = false;
foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $eid => $emac) {
- if ($emac['logintype'] == "voucher") {
- if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
- if (isset($tmpvoucherdb[$emac['username']])) {
- $temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]];
- $ruleno = captiveportal_get_ipfw_passthru_ruleno($temac['mac']);
- $pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']);
- if ($ruleno) {
- captiveportal_free_ipfw_ruleno($ruleno);
- $macrules .= "delete {$ruleno}";
- ++$ruleno;
- $macrules .= "delete {$ruleno}";
- }
- if ($pipeno) {
- captiveportal_free_dn_ruleno($pipeno);
- $macrules .= "pipe delete {$pipeno}\n";
- ++$pipeno;
- $macrules .= "pipe delete {$pipeno}\n";
- }
- $writecfg = true;
- captiveportal_logportalauth($temac['username'], $temac['mac'], $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION");
- unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]);
- }
- $tmpvoucherdb[$emac['username']] = $eid;
- }
- if (voucher_auth($emac['username']) <= 0) {
- $ruleno = captiveportal_get_ipfw_passthru_ruleno($emac['mac']);
- $pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
- if ($ruleno) {
- captiveportal_free_ipfw_ruleno($ruleno);
- $macrules .= "delete {$ruleno}";
- ++$ruleno;
- $macrules .= "delete {$ruleno}";
- }
+ if ($emac['logintype'] != "voucher") {
+ continue;
+ }
+ if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
+ if (isset($tmpvoucherdb[$emac['username']])) {
+ $temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]];
+ $pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']);
if ($pipeno) {
captiveportal_free_dn_ruleno($pipeno);
+ $macrules .= "table {$cpzone}_pipe_mac delete any,{$temac['mac']}\n";
+ $macrules .= "table {$cpzone}_pipe_mac delete {$temac['mac']},any\n";
$macrules .= "pipe delete {$pipeno}\n";
++$pipeno;
$macrules .= "pipe delete {$pipeno}\n";
}
$writecfg = true;
- captiveportal_logportalauth($emac['username'], $emac['mac'], $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
- unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
+ captiveportal_logportalauth($temac['username'], $temac['mac'],
+ $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION");
+ unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]);
}
+ $tmpvoucherdb[$emac['username']] = $eid;
+ }
+ if (voucher_auth($emac['username']) <= 0) {
+ $pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
+ if ($pipeno) {
+ captiveportal_free_dn_ruleno($pipeno);
+ $macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
+ $macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
+ $macrules .= "pipe delete {$pipeno}\n";
+ ++$pipeno;
+ $macrules .= "pipe delete {$pipeno}\n";
+ }
+ $writecfg = true;
+ captiveportal_logportalauth($emac['username'], $emac['mac'],
+ $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
+ unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
}
}
unset($tmpvoucherdb);
if (!empty($macrules)) {
@file_put_contents("{$g['tmp_path']}/macentry.prunerules.tmp", $macrules);
unset($macrules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry.prunerules.tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/macentry.prunerules.tmp");
}
if ($writecfg === true) {
write_config("Prune session for auto-added macs");
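Review bot: Both `table {$cpzone}_pipe_mac delete` pairs in captiveportal_prune_old_automac() are emitted only when `$pipeno` is truthy, but a passthrough MAC with no bandwidth limit is now stored with pipe value 0 (captiveportal_passthrumac_configure_entry() sets `$pipeup = 0` and adds that value to the table), and captiveportal_get_dn_passthru_ruleno() returns NULL for such an entry because of its `empty($item['pipe'])` check, so an expired or duplicate voucher MAC keeps its `_pipe_mac` entries and continues to bypass the portal even though its config entry is removed. The two `table ... delete` lines should be emitted unconditionally for the MAC and only the `pipe delete` lines gated on `$pipeno`; the same pattern appears in captiveportal_passthrumac_delete_entry() (`if (!empty($pipeno))`) in the hunk further down. The enclosing function continues outside this hunk.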
@@ -904,10 +1021,10 @@ function captiveportal_disconnect($dbent, $radiusservers, $term_cause = 1, $stop
}
if (is_ipaddr($dbent[2])) {
- /* Delete client's ip entry from tables 1 and 2. */
+ /* Delete client's ip entry from tables auth_up and auth_down. */
$clientsn = (is_ipaddrv6($dbent[2])) ? 128 : 32;
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 1, $dbent[2], $clientsn, $dbent[3]);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 2, $dbent[2], $clientsn, $dbent[3]);
+ pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}");
+ pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XDEL, "{$dbent[2]}/{$clientsn}");
/* XXX: Redundant?! Ensure all pf(4) states are killed. */
$_gb = @pfSense_kill_states($dbent[2]);
$_gb = @pfSense_kill_srcstates($dbent[2]);
@@ -918,8 +1035,8 @@ function captiveportal_disconnect($dbent, $radiusservers, $term_cause = 1, $stop
* We could get an error if the pipe doesn't exist but everything should still be fine
*/
if (!empty($dbent[1])) {
- $_gb = @pfSense_pipe_action("pipe delete {$dbent[1]}");
- $_gb = @pfSense_pipe_action("pipe delete " . ($dbent[1]+1));
+ $_gb = @pfSense_ipfw_pipe("pipe delete {$dbent[1]}");
+ $_gb = @pfSense_ipfw_pipe("pipe delete " . ($dbent[1]+1));
/* Release the ruleno so it can be reallocated to new clients. */
captiveportal_free_dn_ruleno($dbent[1]);
@@ -1006,29 +1123,32 @@ function captiveportal_passthrumac_configure_entry($macent, $pipeinrule = false)
$bwDown = $config['captiveportal'][$cpzone]['bwdefaultdn'];
}
- $ruleno = captiveportal_get_next_ipfw_ruleno();
-
if ($macent['action'] == 'pass') {
$rules = "";
- $pipeno = captiveportal_get_next_dn_ruleno();
- $pipeup = $pipeno;
- if ($pipeinrule == true) {
- $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16");
+ if ($bwUp == 0 && $bwDown == 0) {
+ $pipeup = 0;
+ $pipedown = 0;
} else {
- $rules .= "pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16\n";
- }
+ $pipeno = captiveportal_get_next_dn_ruleno();
- $pipedown = $pipeno + 1;
- if ($pipeinrule == true) {
- $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16");
- } else {
- $rules .= "pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16\n";
+ $pipeup = $pipeno;
+ if ($pipeinrule == true) {
+ $_gb = @pfSense_ipfw_pipe("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16");
+ } else {
+ $rules .= "pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16\n";
+ }
+
+ $pipedown = $pipeno + 1;
+ if ($pipeinrule == true) {
+ $_gb = @pfSense_ipfw_pipe("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16");
+ } else {
+ $rules .= "pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16\n";
+ }
}
- $rules .= "add {$ruleno} pipe {$pipeup} ip from any to any MAC any {$macent['mac']}\n";
- $ruleno++;
- $rules .= "add {$ruleno} pipe {$pipedown} ip from any to any MAC {$macent['mac']} any\n";
+ $rules .= "table {$cpzone}_pipe_mac add any,{$macent['mac']} {$pipeup}\n";
+ $rules .= "table {$cpzone}_pipe_mac add {$macent['mac']},any {$pipedown}\n";
}
return $rules;
@@ -1038,21 +1158,12 @@ function captiveportal_passthrumac_delete_entry($macent) {
$rules = "";
if ($macent['action'] == 'pass') {
- $ruleno = captiveportal_get_ipfw_passthru_ruleno($macent['mac']);
-
- if (!$ruleno) {
- return $rules;
- }
-
- captiveportal_free_ipfw_ruleno($ruleno);
-
- $rules .= "delete {$ruleno}\n";
- $rules .= "delete " . ++$ruleno . "\n";
-
$pipeno = captiveportal_get_dn_passthru_ruleno($macent['mac']);
if (!empty($pipeno)) {
captiveportal_free_dn_ruleno($pipeno);
+ $rules .= "table {$cpzone}_pipe_mac delete any,{$macent['mac']}\n";
+ $rules .= "table {$cpzone}_pipe_mac delete {$macent['mac']},any\n";
$rules .= "pipe delete " . $pipeno . "\n";
$rules .= "pipe delete " . ++$pipeno . "\n";
}
@@ -1117,7 +1228,7 @@ function captiveportal_passthrumac_findbyname($username) {
* table (3=IN)/(4=OUT) hold allowed ip's without bw limits
*/
function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) {
- global $g;
+ global $g, $config, $cpzone;
/* Instead of copying this entire function for something
* easy such as hostname vs ip address add this check
@@ -1150,13 +1261,18 @@ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) {
$enBwdown = $config['captiveportal'][$cpzone]['bwdefaultdn'];
}
- $pipeno = captiveportal_get_next_dn_ruleno();
- $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$enBwup}Kbit/s queue 100 buckets 16");
- $pipedown = $pipeno + 1;
- $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$enBwdown}Kbit/s queue 100 buckets 16");
+ if ($enBwup == 0 && $enBwdown == 0) {
+ $pipeup = 0;
+ $pipedown = 0;
+ } else {
+ $pipeup = captiveportal_get_next_dn_ruleno();
+ $_gb = @pfSense_ipfw_pipe("pipe {$pipeup} config bw {$enBwup}Kbit/s queue 100 buckets 16");
+ $pipedown = $pipeup + 1;
+ $_gb = @pfSense_ipfw_pipe("pipe {$pipedown} config bw {$enBwdown}Kbit/s queue 100 buckets 16");
+ }
if ($ishostname === true) {
- $cp_filterdns_conf .= "ipfw {$ipent['hostname']} 3 pipe {$pipeno}\n";
- $cp_filterdns_conf .= "ipfw {$ipent['hostname']} 4 pipe {$pipedown}\n";
+ $cp_filterdns_conf .= "ipfw {$ipent['hostname']} {$cpzone}_allowed_up pipe {$pipeup}\n";
+ $cp_filterdns_conf .= "ipfw {$ipent['hostname']} {$cpzone}_allowed_down pipe {$pipedown}\n";
if (!is_ipaddr($ipaddress)) {
return array("", $cp_filterdns_conf);
}
@@ -1165,8 +1281,8 @@ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) {
if (!empty($ipent['sn'])) {
$subnet = "/{$ipent['sn']}";
}
- $rules .= "table 3 add {$ipaddress}{$subnet} {$pipeno}\n";
- $rules .= "table 4 add {$ipaddress}{$subnet} {$pipedown}\n";
+ $rules .= "table {$cpzone}_allowed_up add {$ipaddress}{$subnet} {$pipeup}\n";
+ $rules .= "table {$cpzone}_allowed_down add {$ipaddress}{$subnet} {$pipedown}\n";
if ($ishostname === true) {
return array($rules, $cp_filterdns_conf);
@@ -1179,21 +1295,41 @@ function captiveportal_allowedhostname_configure() {
global $config, $g, $cpzone, $cpzoneid;
$rules = "";
- if (is_array($config['captiveportal'][$cpzone]['allowedhostname'])) {
- $rules = "\n# captiveportal_allowedhostname_configure()\n";
- $cp_filterdns_conf = "";
- foreach ($config['captiveportal'][$cpzone]['allowedhostname'] as $hostnameent) {
- $tmprules = captiveportal_allowedip_configure_entry($hostnameent, true);
- $rules .= $tmprules[0];
- $cp_filterdns_conf .= $tmprules[1];
- }
- $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-{$cpzone}-captiveportal.conf";
- @file_put_contents($cp_filterdns_filename, $cp_filterdns_conf);
- unset($cp_filterdns_conf);
- if (isvalidpid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid")) {
- sigkillbypid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid", "HUP");
+ if (!is_array($config['captiveportal'][$cpzone]['allowedhostname'])) {
+ return $rules;
+ }
+
+ $rules = "\n# captiveportal_allowedhostname_configure()\n";
+ $cp_filterdns_conf = "";
+ foreach ($config['captiveportal'][$cpzone]['allowedhostname'] as $hostnameent) {
+ $tmprules = captiveportal_allowedip_configure_entry($hostnameent, true);
+ $rules .= $tmprules[0];
+ $cp_filterdns_conf .= $tmprules[1];
+ }
+ $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-{$cpzone}-captiveportal.conf";
+ @file_put_contents($cp_filterdns_filename, $cp_filterdns_conf);
+ unset($cp_filterdns_conf);
+
+ return $rules;
+}
+
+function captiveportal_filterdns_configure() {
+ global $config, $g, $cpzone, $cpzoneid;
+
+ $cp_filterdns_filename = $g['varetc_path'] .
+ "/filterdns-{$cpzone}-captiveportal.conf";
+
+ if (is_array($config['captiveportal'][$cpzone]['allowedhostname']) &&
+ file_exists($cp_filterdns_filename)) {
+ if (isvalidpid($g['varrun_path'] .
+ "/filterdns-{$cpzone}-cpah.pid")) {
+ sigkillbypid($g['varrun_path'] .
+ "/filterdns-{$cpzone}-cpah.pid", "HUP");
} else {
- mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid -i 300 -c {$cp_filterdns_filename} -y {$cpzoneid} -d 1");
+ mwexec("/usr/local/sbin/filterdns -p " .
+ "{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid" .
+ " -i 300 -c {$cp_filterdns_filename} " .
+ "-y {$cpzoneid} -d 1");
}
} else {
killbypid("{$g['varrun_path']}/filterdns-{$cpzone}-cpah.pid");
@@ -1220,6 +1356,8 @@ function captiveportal_allowedip_configure() {
function captiveportal_get_last_activity($ip, $mac = NULL, $table = 1) {
global $cpzoneid;
+ /* XXX Fix */
+ return 0;
$ipfwoutput = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, $table, $ip, $mac);
/* Reading only from one of the tables is enough of approximation. */
if (is_array($ipfwoutput)) {
@@ -1465,7 +1603,10 @@ function captiveportal_opendb() {
}
}
if (is_numericint($cpzoneid)) {
- mwexec("/sbin/ipfw -x $cpzoneid table all flush");
+ $table_names = captiveportal_get_ipfw_table_names();
+ foreach ($table_names as $table_name) {
+ mwexec("/sbin/ipfw table {$table_name} flush");
+ }
captiveportal_syslog("Flushed tables for {$cpzone} after database reset.");
}
} else {
@@ -1476,6 +1617,29 @@ function captiveportal_opendb() {
return $DB;
}
+/* Get all tables for specific cpzone */
+function captiveportal_get_ipfw_table_names() {
+ global $cpzone;
+
+ $result = array();
+ $tables = pfSense_ipfw_tables_list();
+
+ if (!is_array($tables)) {
+ return $result;
+ }
+
+ $len = strlen($cpzone) + 1;
+ foreach ($tables as $table) {
+ if (substr($table['name'], 0, $len) != $cpzone . '_') {
+ continue;
+ }
+
+ $result[] = $table['name'];
+ }
+
+ return $result;
+}
+
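Review bot: captiveportal_get_ipfw_table_names() selects tables by the prefix `{$cpzone}_`, so if zone names may contain underscores a zone named `lan` would also claim the tables of a zone named `lan_guest` (its `lan_guest_auth_up` starts with `lan_`), and captiveportal_delete_rules() and the opendb flush would then destroy or empty the other zone's tables; I cannot see the zone-name validation from here, so please confirm. A safer match is the fixed per-zone set created in captiveportal_init_rules() (`_pipe_mac`, `_host_ips`, `_allowed_up`, `_allowed_down`, `_auth_up`, `_auth_down`): build those six names with the zone prefix and keep only entries of `$tables` whose name is in that list, e.g. `in_array($table['name'], $zone_tables, true)`.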
/* read captive portal DB into array */
function captiveportal_read_db($query = "") {
$cpdb = array();
@@ -1647,102 +1811,16 @@ function captiveportal_get_dn_passthru_ruleno($value) {
$cpruleslck = lock("captiveportalrulesdn", LOCK_EX);
$ruleno = NULL;
if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) {
- $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
unset($output);
- $_gb = exec("/sbin/ipfw -x {$cpzoneid} show | /usr/bin/grep " . escapeshellarg($value) . " | /usr/bin/grep -v grep | /usr/bin/awk '{print $5}' | /usr/bin/head -n 1", $output);
- $ruleno = intval($output[0]);
- if (!$rules[$ruleno]) {
- $ruleno = NULL;
- }
- unset($rules);
- }
- unlock($cpruleslck);
-
- return $ruleno;
-}
-
-/*
- * This function will calculate the lowest free firewall ruleno
- * within the range specified based on the actual logged on users
- *
- */
-function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2, $rulenos_range_max = 64500) {
- global $config, $g, $cpzone;
-
- $cpcfg = $config['captiveportal'][$cpzone];
- if (!isset($cpcfg['enable'])) {
- return NULL;
- }
-
- $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX);
- $ruleno = 0;
- if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
- $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
- $ridx = $rulenos_start;
- while ($ridx < $rulenos_range_max) {
- if (empty($rules[$ridx])) {
- $ruleno = $ridx;
- $rules[$ridx] = $cpzone;
- $ridx++;
- $rules[$ridx] = $cpzone;
- break;
- } else {
- /*
- * This allows our traffic shaping pipes to be the in pipe the same as ruleno
- * and the out pipe ruleno + 1.
- */
- $ridx += 2;
- }
+ $item = pfSense_ipfw_table_lookup("{$cpzone}_pipe_mac",
+ "any,{$value}");
+ if (!is_array($item) || empty($item['pipe'])) {
+ unlock($cpruleslck);
+ return NULL;
}
- } else {
- $rules = array_pad(array(), $rulenos_range_max, false);
- $ruleno = $rulenos_start;
- $rules[$rulenos_start] = $cpzone;
- $rulenos_start++;
- $rules[$rulenos_start] = $cpzone;
- }
- file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules));
- unlock($cpruleslck);
- unset($rules);
-
- return $ruleno;
-}
-
-function captiveportal_free_ipfw_ruleno($ruleno) {
- global $config, $g, $cpzone;
-
- $cpcfg = $config['captiveportal'][$cpzone];
- if (!isset($cpcfg['enable'])) {
- return NULL;
- }
-
- $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX);
- if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
- $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
- $rules[$ruleno] = false;
- $ruleno++;
- $rules[$ruleno] = false;
- file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules));
- unset($rules);
- }
- unlock($cpruleslck);
-}
-
-function captiveportal_get_ipfw_passthru_ruleno($value) {
- global $config, $g, $cpzone, $cpzoneid;
-
- $cpcfg = $config['captiveportal'][$cpzone];
- if (!isset($cpcfg['enable'])) {
- return NULL;
- }
- $cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX);
- $ruleno = NULL;
- if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
- $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
- unset($output);
- $_gb = exec("/sbin/ipfw -x {$cpzoneid} show | /usr/bin/grep " . escapeshellarg($value) . " | /usr/bin/grep -v grep | /usr/bin/awk '{print $1}' | /usr/bin/head -n 1", $output);
- $ruleno = intval($output[0]);
+ $ruleno = intval($item['pipe']);
+ $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
if (!$rules[$ruleno]) {
$ruleno = NULL;
}
@@ -1772,6 +1850,8 @@ function getVolume($ip, $mac = NULL) {
// Initialize vars properly, since we don't want NULL vars
$volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ;
+ /* XXX Fix */
+ return $volume;
$ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 1, $ip, $mac);
if (is_array($ipfw)) {
if ($reverse) {
@@ -1979,8 +2059,8 @@ function captiveportal_reapply_attributes($cpentry, $attributes) {
$bw_up_pipeno = $cpentry[1];
$bw_down_pipeno = $cpentry[1]+1;
- $_gb = @pfSense_pipe_action("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
- $_gb = @pfSense_pipe_action("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
//captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "RADIUS_BANDWIDTH_REAPPLY", "{$bw_up}/{$bw_down}");
unset($bw_up_pipeno, $bw_down_pipeno, $bw_up, $bw_down);
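Review bot: Both `@pfSense_ipfw_pipe(...)` results are assigned to the throwaway `$_gb` and never inspected, so a pipe that fails to configure leaves the client with no bandwidth cap and no log line; the portal_allow hunk that configures the same two pipes and then adds the `{$cpzone}_auth_up`/`_auth_down` table entries repeats the pattern. Since these call sites are being moved to the new module API anyway, keeping the return value and logging a failure would make a silently missing limit visible, e.g. `if (!@pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16")) { log_error("Failed to configure pipe {$bw_up_pipeno} for zone {$cpzone}"); }` — this presumes pfSense_ipfw_pipe() returns a falsy value on failure, which the module source on this page does not confirm. captiveportal_reapply_attributes begins and ends outside the hunk.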
@@ -2007,47 +2087,42 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
$writecfg = false;
/* Find an existing session */
- if ((isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) && $passthrumac) {
- if (isset($config['captiveportal'][$cpzone]['passthrumacadd'])) {
- $mac = captiveportal_passthrumac_findbyname($username);
- if (!empty($mac)) {
- if ($_POST['replacemacpassthru']) {
- foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $idx => $macent) {
- if ($macent['mac'] == $mac['mac']) {
- $macrules = "";
- $ruleno = captiveportal_get_ipfw_passthru_ruleno($mac['mac']);
- $pipeno = captiveportal_get_dn_passthru_ruleno($mac['mac']);
- if ($ruleno) {
- captiveportal_free_ipfw_ruleno($ruleno);
- $macrules .= "delete {$ruleno}\n";
- ++$ruleno;
- $macrules .= "delete {$ruleno}\n";
- }
- if ($pipeno) {
- captiveportal_free_dn_ruleno($pipeno);
- $macrules .= "pipe delete {$pipeno}\n";
- ++$pipeno;
- $macrules .= "pipe delete {$pipeno}\n";
- }
- unset($config['captiveportal'][$cpzone]['passthrumac'][$idx]);
- $mac['action'] = 'pass';
- $mac['mac'] = $clientmac;
- $config['captiveportal'][$cpzone]['passthrumac'][] = $mac;
- $macrules .= captiveportal_passthrumac_configure_entry($mac);
- file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
- $writecfg = true;
- $sessionid = true;
- break;
- }
- }
- } else {
- portal_reply_page($redirurl, "error", "Username: {$username} is already authenticated using another MAC address.",
- $clientmac, $clientip, $username, $password);
- unlock($cpdblck);
- return;
+ if ((isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) &&
+ $passthrumac &&
+ isset($config['captiveportal'][$cpzone]['passthrumacadd'])) {
+ $mac = captiveportal_passthrumac_findbyname($username);
+ if (!empty($mac) && $_POST['replacemacpassthru']) {
+ foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $idx => $macent) {
+ if ($macent['mac'] != $mac['mac']) {
+ continue;
}
+
+ $macrules = "";
+ $pipeno = captiveportal_get_dn_passthru_ruleno($mac['mac']);
+ if ($pipeno) {
+ captiveportal_free_dn_ruleno($pipeno);
+ $macrules .= "table {$cpzone}_pipe_mac delete any,{$mac['mac']}\n";
+ $macrules .= "table {$cpzone}_pipe_mac delete {$mac['mac']},any\n";
+ $macrules .= "pipe delete {$pipeno}\n";
+ ++$pipeno;
+ $macrules .= "pipe delete {$pipeno}\n";
+ }
+ unset($config['captiveportal'][$cpzone]['passthrumac'][$idx]);
+ $mac['action'] = 'pass';
+ $mac['mac'] = $clientmac;
+ $config['captiveportal'][$cpzone]['passthrumac'][] = $mac;
+ $macrules .= captiveportal_passthrumac_configure_entry($mac);
+ file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
+ $writecfg = true;
+ $sessionid = true;
+ break;
}
+ } elseif (!empty($mac)) {
+ portal_reply_page($redirurl, "error", "Username: {$username} is already authenticated using another MAC address.",
+ $clientmac, $clientip, $username, $password);
+ unlock($cpdblck);
+ return;
}
}
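Review bot: The two `table {$cpzone}_pipe_mac delete` lines for the old MAC are emitted only inside `if ($pipeno)`, so when the replaced pass-through entry has no bandwidth pipe nothing is written to undo what captiveportal_passthrumac_configure_entry() originally installed for `$mac['mac']`, and the old MAC could keep its pass-through after the config entry has been reassigned to `$clientmac`. Whether a pipe-less entry lands in a different table or rule is decided inside captiveportal_passthrumac_configure_entry(), which is not on this page, so this is inferred; the GUI pages in this same commit remove entries through captiveportal_passthrumac_delete_entry(), and using it here (`$macrules .= captiveportal_passthrumac_delete_entry($macent);`) would keep add and remove symmetric, provided that helper does not also free the pipe number. Separately, `$_POST['replacemacpassthru']` is read without an isset guard; `!empty($_POST['replacemacpassthru'])` avoids the undefined-index notice. portal_allow starts and ends outside the hunk.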
@@ -2148,7 +2223,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
unlock($cpdblck);
$macrules = captiveportal_passthrumac_configure_entry($mac);
file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
$writecfg = true;
} else {
/* See if a pipeno is passed, if not start sessions because this means there isn't one atm */
@@ -2176,21 +2251,12 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
$bw_up_pipeno = $pipeno;
$bw_down_pipeno = $pipeno + 1;
//$bw_up /= 1000; // Scale to Kbit/s
- $_gb = @pfSense_pipe_action("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
- $_gb = @pfSense_pipe_action("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100 buckets 16");
+ $_gb = @pfSense_ipfw_pipe("pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100 buckets 16");
$clientsn = (is_ipaddrv6($clientip)) ? 128 : 32;
- if (!isset($config['captiveportal'][$cpzone]['nomacfilter'])) {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 1, $clientip, $clientsn, $clientmac, $bw_up_pipeno);
- } else {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 1, $clientip, $clientsn, NULL, $bw_up_pipeno);
- }
-
- if (!isset($config['captiveportal'][$cpzone]['nomacfilter'])) {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 2, $clientip, $clientsn, $clientmac, $bw_down_pipeno);
- } else {
- $_gb = @pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XADD, 2, $clientip, $clientsn, NULL, $bw_down_pipeno);
- }
+ $_gb = @pfSense_ipfw_table("{$cpzone}_auth_up", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_up_pipeno);
+ $_gb = @pfSense_ipfw_table("{$cpzone}_auth_down", IP_FW_TABLE_XADD, "{$clientip}/{$clientsn}", $bw_down_pipeno);
if ($attributes['voucher']) {
$attributes['session_timeout'] = $remaining_time;
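Review bot: The new `{$cpzone}_auth_up`/`_auth_down` table entries are keyed on `{$clientip}/{$clientsn}` alone and the `nomacfilter` branch that previously bound the entry to `$clientmac` is gone, so as far as this hunk shows an authenticated address is passed regardless of the sending MAC even when MAC filtering is enabled for the zone. If MAC binding is now enforced by a separate rule or the `_pipe_mac` table built elsewhere in this round, a comment on these two lines saying so would stop the next reader from treating it as a regression; if it is not, the `nomacfilter` distinction needs to come back in whatever form the new table layout supports. portal_allow continues outside the hunk.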
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index 733d06e..0c19aa6 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -72,6 +72,7 @@ $g = array(
"captiveportal_path" => "/usr/local/captiveportal",
"captiveportal_element_path" => "/var/db/cpelements",
"captiveportal_element_sizelimit" => 1048576,
+ "captiveportal_rules_interval" => 50,
"services_dhcp_server_enable" => true,
"wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|iwi|wlan|rum|run|bwn|zyd|mwl|bwi|ipw|iwn|malo|uath|upgt|urtw|wpi)/",
"help_base_url" => "/help.php",
diff --git a/src/etc/inc/shaper.inc b/src/etc/inc/shaper.inc
index 90f068d..5bdafdc 100644
--- a/src/etc/inc/shaper.inc
+++ b/src/etc/inc/shaper.inc
@@ -3373,7 +3373,7 @@ class dnpipe_class extends dummynet_class {
$q->delete_queue();
}
unset_dn_object_by_reference($this->GetLink());
- @pfSense_pipe_action("pipe delete " . $this->GetNumber());
+ @pfSense_ipfw_pipe("pipe delete " . $this->GetNumber());
}
function GetBandwidth() {
return $this->qbandwidth;
@@ -3987,7 +3987,7 @@ class dnqueue_class extends dummynet_class {
function delete_queue() {
cleanup_dnqueue_from_rules($this->GetQname());
unset_dn_object_by_reference($this->GetLink());
- @pfSense_pipe_action("queue delete " . $this->GetNumber());
+ @pfSense_ipfw_pipe("queue delete " . $this->GetNumber());
}
function validate_input($data, &$input_errors) {
diff --git a/src/etc/rc.captiveportal_configure_mac b/src/etc/rc.captiveportal_configure_mac
index dc155cd..8b51904 100755
--- a/src/etc/rc.captiveportal_configure_mac
+++ b/src/etc/rc.captiveportal_configure_mac
@@ -39,6 +39,6 @@ $filename = "{$g['tmp_path']}/{$cpzoneidx}_mac_{$startidx}_{$stopidx}";
captiveportal_passthrumac_configure($filename, $startidx, $stopidx);
//log_error("STOPPED: " .time() . " - {$cpzone} : $startidx : {$stopidx} : {$cpzoneidx} : {$filename}");
-mwexec("/sbin/ipfw -x {$cpzoneidx} -q {$filename}");
+mwexec("/sbin/ipfw -q {$filename}");
@unlink($filename);
?>
diff --git a/src/usr/local/www/services_captiveportal_hostname.php b/src/usr/local/www/services_captiveportal_hostname.php
index 6c2af91..7de5912 100644
--- a/src/usr/local/www/services_captiveportal_hostname.php
+++ b/src/usr/local/www/services_captiveportal_hostname.php
@@ -75,15 +75,16 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) {
}
$sn = (is_ipaddrv6($ip)) ? 128 : 32;
if (is_ipaddr($ip)) {
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $ip);
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
- pfSense_pipe_action("pipe delete {$ipfw['dnpipe']}");
- pfSense_pipe_action("pipe delete " . ($ipfw['dnpipe']+1));
- }
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$ip}/{$sn}");
+
+ pfSense_ipfw_table("{$cpzone}_allowed_up", IP_FW_TABLE_XDEL, "{$ip}/{$sn}");
+ pfSense_ipfw_table("{$cpzone}_allowed_down", IP_FW_TABLE_XDEL, "{$ip}/{$sn}");
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 3, $ip, $sn);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 4, $ip, $sn);
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
+ pfSense_ipfw_pipe("pipe delete {$rule['pipe']}");
+ pfSense_ipfw_pipe("pipe delete " . ($rule['pipe']+1));
+ }
}
}
diff --git a/src/usr/local/www/services_captiveportal_hostname_edit.php b/src/usr/local/www/services_captiveportal_hostname_edit.php
index cabc214..3149ac2 100644
--- a/src/usr/local/www/services_captiveportal_hostname_edit.php
+++ b/src/usr/local/www/services_captiveportal_hostname_edit.php
@@ -142,7 +142,7 @@ if ($_POST) {
$rules = captiveportal_allowedhostname_configure();
@file_put_contents("{$g['tmp_path']}/hostname_rules", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} {$g['tmp_path']}/hostname_rules", true);
+ mwexec("/sbin/ipfw {$g['tmp_path']}/hostname_rules", true);
unset($rules);
header("Location: services_captiveportal_hostname.php?zone={$cpzone}");
diff --git a/src/usr/local/www/services_captiveportal_ip.php b/src/usr/local/www/services_captiveportal_ip.php
index 9487ba5..648c629 100644
--- a/src/usr/local/www/services_captiveportal_ip.php
+++ b/src/usr/local/www/services_captiveportal_ip.php
@@ -71,14 +71,15 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) {
if (isset($config['captiveportal'][$cpzone]['enable'])) {
$mask = (!empty($ipent['sn'])) ? $ipent['sn'] : 32;
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $ipent['ip']);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 3, $ipent['ip'], $mask);
- pfSense_ipfw_Tableaction($cpzoneid, IP_FW_TABLE_XDEL, 4, $ipent['ip'], $mask);
-
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
- pfSense_pipe_action("pipe delete {$ipfw['dnpipe']}");
- pfSense_pipe_action("pipe delete " . ($ipfw['dnpipe']+1));
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$ipent['ip']}/{$mask}");
+
+ pfSense_ipfw_table("{$cpzone}_allowed_up", IP_FW_TABLE_XDEL, "{$ipent['ip']}/{$mask}");
+ pfSense_ipfw_table("{$cpzone}_allowed_down", IP_FW_TABLE_XDEL, "{$ipent['ip']}/{$mask}");
+
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
+ pfSense_ipfw_pipe("pipe delete {$rule['pipe']}");
+ pfSense_ipfw_pipe("pipe delete " . ($rule['pipe']+1));
}
}
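Review bot: The delete key `{$ipent['ip']}/{$mask}` has to match the key the entry was added under, and `$mask` falls back to 32 when `$ipent['sn']` is empty, so for an IPv6 allowed address saved without an explicit prefix the pfSense_ipfw_table_lookup() and the two XDEL calls would target a /32 that was presumably never inserted, leaving the entry and its pipe in place. The sibling hostname page in this commit already picks 128 for IPv6; mirroring it keeps the two in step: `$mask = (!empty($ipent['sn'])) ? $ipent['sn'] : (is_ipaddrv6($ipent['ip']) ? 128 : 32);`. Whether captiveportal_allowedip_configure_entry() defaults to /128 for IPv6 on the add side is not visible here.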
diff --git a/src/usr/local/www/services_captiveportal_ip_edit.php b/src/usr/local/www/services_captiveportal_ip_edit.php
index daed6da..420faae 100644
--- a/src/usr/local/www/services_captiveportal_ip_edit.php
+++ b/src/usr/local/www/services_captiveportal_ip_edit.php
@@ -167,25 +167,28 @@ if ($_POST) {
if (isset($a_cp[$cpzone]['enable']) && is_module_loaded("ipfw.ko")) {
$rules = "";
$cpzoneid = $a_cp[$cpzone]['zoneid'];
- unset($ipfw);
+
+ unset($rule);
if (isset($oldip) && isset($oldmask)) {
- $ipfw = pfSense_ipfw_getTablestats($cpzoneid, IP_FW_TABLE_XLISTENTRY, 3, $oldip);
- $rules .= "table 3 delete {$oldip}/{$oldmask}\n";
- $rules .= "table 4 delete {$oldip}/{$oldmask}\n";
- if (is_array($ipfw)) {
- $rules .= "pipe delete {$ipfw['dnpipe']}\n";
- $rules .= "pipe delete " . ($ipfw['dnpipe']+1 . "\n");
+ $rule = pfSense_ipfw_table_lookup("{$cpzone}_allowed_up", "{$oldip}/{$oldmask}");
+
+ $rules .= "table {$cpzone}_allowed_up delete {$oldip}/{$oldmask}\n";
+ $rules .= "table {$cpzone}_allowed_down delete {$oldip}/{$oldmask}\n";
+
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ $rules .= "pipe delete {$rule['pipe']}\n";
+ $rules .= "pipe delete " . ($rule['pipe']+1 . "\n");
}
}
$rules .= captiveportal_allowedip_configure_entry($ip);
- if (is_array($ipfw)) {
- captiveportal_free_dn_ruleno($ipfw['dnpipe']);
+ if (is_array($rule) && !empty($rule['pipe'])) {
+ captiveportal_free_dn_ruleno($rule['pipe']);
}
$uniqid = uniqid("{$cpzone}_allowed");
@file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
@unlink("{$g['tmp_path']}/{$uniqid}_tmp");
}
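Review bot: `"pipe delete " . ($rule['pipe']+1 . "\n")` wraps the parentheses around the concatenation instead of the addition, so it reads as though the newline were part of the sum; it evaluates the same, but the hostname and ip pages in this commit write `($rule['pipe']+1)`, and `$rules .= "pipe delete " . ($rule['pipe'] + 1) . "\n";` matches them. `$cpzoneid` is still assigned from `$a_cp[$cpzone]['zoneid']` although the mwexec() below no longer passes it; if nothing further down the file reads it, the assignment can go.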
diff --git a/src/usr/local/www/services_captiveportal_mac.php b/src/usr/local/www/services_captiveportal_mac.php
index 193cffb..acfff96 100644
--- a/src/usr/local/www/services_captiveportal_mac.php
+++ b/src/usr/local/www/services_captiveportal_mac.php
@@ -73,7 +73,7 @@ if ($_POST) {
$rules = captiveportal_passthrumac_configure();
if (!empty($rules)) {
@file_put_contents("{$g['tmp_path']}/passthrumac_gui", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} {$g['tmp_path']}/passthrumac_gui");
+ mwexec("/sbin/ipfw {$g['tmp_path']}/passthrumac_gui");
@unlink("{$g['tmp_path']}/passthrumac_gui");
}
$savemsg = get_std_save_message($retval);
@@ -120,7 +120,7 @@ if ($_POST) {
$rules = captiveportal_passthrumac_delete_entry($a_passthrumacs[$idx]);
$uniqid = uniqid("{$cpzone}_mac");
file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
@unlink("{$g['tmp_path']}/{$uniqid}_tmp");
unset($a_passthrumacs[$idx]);
write_config();
@@ -141,7 +141,7 @@ if ($_GET['act'] == "del") {
$rules = captiveportal_passthrumac_delete_entry($a_passthrumacs[$_GET['id']]);
$uniqid = uniqid("{$cpzone}_mac");
file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
@unlink("{$g['tmp_path']}/{$uniqid}_tmp");
unset($a_passthrumacs[$_GET['id']]);
write_config();
diff --git a/src/usr/local/www/services_captiveportal_mac_edit.php b/src/usr/local/www/services_captiveportal_mac_edit.php
index 270daf3..91d01e0 100644
--- a/src/usr/local/www/services_captiveportal_mac_edit.php
+++ b/src/usr/local/www/services_captiveportal_mac_edit.php
@@ -172,7 +172,7 @@ if ($_POST) {
$rules .= captiveportal_passthrumac_configure_entry($mac);
$uniqid = uniqid("{$cpzone}_macedit");
file_put_contents("{$g['tmp_path']}/{$uniqid}_tmp", $rules);
- mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/{$uniqid}_tmp");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/{$uniqid}_tmp");
@unlink("{$g['tmp_path']}/{$uniqid}_tmp");
unset($cpzoneid);
}