diff options
| author | Ermal <eri@pfsense.org> | 2010-04-20 00:39:16 +0000 |
|---|---|---|
| committer | Ermal <eri@pfsense.org> | 2010-04-20 00:40:02 +0000 |
| commit | 6ce61a8fd6423e5b7cd851ebbfab3486523db9b6 (patch) | |
| tree | 64dbac1a32815d2de8f3181e3bc52f81c8fcbd9b /usr/local | |
| parent | c443bb14cb89462e8f19f8e60527b970f3344bfb (diff) | |
| download | pfsense-6ce61a8fd6423e5b7cd851ebbfab3486523db9b6.zip pfsense-6ce61a8fd6423e5b7cd851ebbfab3486523db9b6.tar.gz | |
Add a new option which allows the admin user to configure CP so that it automatically enters an MAC passthru entry. The MAC is taken from login details and has to be removed manually. Also do improvements on rules handling and pipes. Add some optmizations. Teach the GUI/backend on ip/mac passthrough to configure a bw limit for this entries.
Diffstat (limited to 'usr/local')
| -rwxr-xr-x | usr/local/captiveportal/index.php | 78 | ||||
| -rwxr-xr-x | usr/local/www/services_captiveportal.php | 13 | ||||
| -rwxr-xr-x | usr/local/www/services_captiveportal_ip.php | 5 | ||||
| -rwxr-xr-x | usr/local/www/services_captiveportal_ip_edit.php | 38 | ||||
| -rwxr-xr-x | usr/local/www/services_captiveportal_mac.php | 14 | ||||
| -rwxr-xr-x | usr/local/www/services_captiveportal_mac_edit.php | 27 |
6 files changed, 137 insertions, 38 deletions
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php index 0011f0b..c2f886c 100755 --- a/usr/local/captiveportal/index.php +++ b/usr/local/captiveportal/index.php @@ -117,11 +117,13 @@ setTimeout('window.close();',5000) ; </HTML> EOD; -/* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */ +/* NOTE: This is not needed now that CP works only at layer2. + * The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail } else if ($clientmac && portal_mac_fixed($clientmac)) { - /* punch hole in ipfw for pass thru mac addresses */ + // punch hole in ipfw for pass thru mac addresses portal_allow($clientip, $clientmac, "unauthenticated"); exit; +*/ } else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) { /* radius functions handle everything so we exit here since we're done */ @@ -307,6 +309,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut return 0; // voucher already used and no time left } + $writecfg = false; if (!isset($sessionid)) { /* generate unique session ID */ @@ -314,40 +317,69 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16); /* Add rules for traffic shaping - * We don't need to add extra l3 allow rules since traffic will pass due to the following kernel option + * We don't need to add extra rules since traffic will pass due to the following kernel option * net.inet.ip.fw.one_pass: 1 */ $peruserbw = isset($config['captiveportal']['peruserbw']); - + $passthrumacadd = isset($config['captiveportal']['passthrumacadd']); + $bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup']; $bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn']; + if ($passthrumacadd) { + $mac = array(); + $mac['mac'] = $clientmac; + if (!empty($bw_up)) + $mac['bw_up'] = $bw_up; + if (!empty($bw_down)) + $mac['bw_down'] = $bw_down; + if (!is_array($config['captiveportal']['passthrumac'])) + $config['captiveportal']['passthrumac'] = array(); + $config['captiveportal']['passthrumac'][] = $mac; + $writecfg = true; + } + if ($peruserbw && !empty($bw_up) && is_numeric($bw_up)) { $bw_up_pipeno = $ruleno + 20000; - mwexec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100"); - - if (!isset($config['captiveportal']['nomacfilter'])) - mwexec("/sbin/ipfw table 3 add {$clientip} mac {$clientmac} {$bw_up_pipeno}"); + //$bw_up /= 1000; // Scale to Kbit/s + mwexec("/sbin/ipfw pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100"); + mwexec("echo 'pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s queue 100' > /tmp/testing"); + + if ($passthrumacadd) { + mwexec("/sbin/ipfw add {$ruleno} pipe {$bw_up_pipeno} ip from any to any MAC {$clientmac} any"); + } else if (!isset($config['captiveportal']['nomacfilter'])) + mwexec("/sbin/ipfw table 1 add {$clientip} mac {$clientmac} {$bw_up_pipeno}"); else - mwexec("/sbin/ipfw table 3 add {$clientip} {$bw_up_pipeno}"); + mwexec("/sbin/ipfw table 1 add {$clientip} {$bw_up_pipeno}"); } else { - if (!isset($config['captiveportal']['nomacfilter'])) - mwexec("/sbin/ipfw table 3 add {$clientip} mac {$clientmac}"); + if ($passthrumacadd) { + mwexec("/sbin/ipfw add {$ruleno} allow ip from any to any MAC {$clientmac} any"); + } else if (!isset($config['captiveportal']['nomacfilter'])) + mwexec("/sbin/ipfw table 1 add {$clientip} mac {$clientmac}"); else - mwexec("/sbin/ipfw table 3 add {$clientip}"); + mwexec("/sbin/ipfw table 1 add {$clientip}"); } if ($peruserbw && !empty($bw_down) && is_numeric($bw_down)) { $bw_down_pipeno = $ruleno + 20001; - mwexec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100"); - if (!isset($config['captiveportal']['nomacfilter'])) - mwexec("/sbin/ipfw table 4 add {$clientip} mac {$clientmac} {$bw_down_pipeno}"); + //$bw_down /= 1000; // Scale to Kbit/s + mwexec("/sbin/ipfw pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100"); + mwexec("echo 'pipe {$bw_down_pipeno} config bw {$bw_down}Kbit/s queue 100' > /tmp/testing"); + + if ($passthrumacadd) { + $ruledown = $ruleno + 1; + mwexec("/sbin/ipfw add {$ruledown} pipe {$bw_down_pipeno} ip from any to any MAC any {$clientmac}"); + } else if (!isset($config['captiveportal']['nomacfilter'])) + mwexec("/sbin/ipfw table 2 add {$clientip} mac {$clientmac} {$bw_down_pipeno}"); else - mwexec("/sbin/ipfw table 4 add {$clientip} {$bw_down_pipeno}"); + mwexec("/sbin/ipfw table 2 add {$clientip} {$bw_down_pipeno}"); } else { - if (!isset($config['captiveportal']['nomacfilter'])) - mwexec("/sbin/ipfw table 4 add {$clientip} mac {$clientmac}"); + if ($passthrumacadd) { + $ruledown = $ruleno + 1; + mwexec("/sbin/ipfw add {$ruleno} allow ip from any to any MAC {$clientmac} any"); + } else if (!isset($config['captiveportal']['nomacfilter'])) + mwexec("/sbin/ipfw table 2 add {$clientip} mac {$clientmac}"); else - mwexec("/sbin/ipfw table 4 add {$clientip}"); + mwexec("/sbin/ipfw table 2 add {$clientip}"); } if ($attributes['voucher']) @@ -379,6 +411,9 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut if ($captiveshouldunlock == true) unlock($cplock); + if ($writecfg == true) + write_config(); + /* redirect user to desired destination */ if ($url_redirection) $my_redirurl = $url_redirection; @@ -387,7 +422,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut else $my_redirurl = $redirurl; - if(isset($config['captiveportal']['logoutwin_enable'])) { + if(isset($config['captiveportal']['logoutwin_enable']) && !isset($config['captiveportal']['passthrumacadd'])) { if (isset($config['captiveportal']['httpslogin'])) $logouturl = "https://{$config['captiveportal']['httpsname']}:8001/"; @@ -456,7 +491,8 @@ function disconnect_client($sessionid, $logoutReason = "LOGOUT", $term_cause = 1 $radiusservers = captiveportal_get_radius_servers(); /* find entry */ - for ($i = 0; $i < count($cpdb); $i++) { + $dbcount = count($cpdb); + for ($i = 0; $i < $dbcount; $i++) { if ($cpdb[$i][5] == $sessionid) { captiveportal_disconnect($cpdb[$i],$radiusservers, $term_cause); captiveportal_logportalauth($cpdb[$i][4],$cpdb[$i][3],$cpdb[$i][2],$logoutReason); diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php index b79a5ac..99a943f 100755 --- a/usr/local/www/services_captiveportal.php +++ b/usr/local/www/services_captiveportal.php @@ -92,6 +92,7 @@ $pconfig['radiuskey'] = $config['captiveportal']['radiuskey']; $pconfig['radiuskey2'] = $config['captiveportal']['radiuskey2']; $pconfig['radiusvendor'] = $config['captiveportal']['radiusvendor']; $pconfig['radiussession_timeout'] = isset($config['captiveportal']['radiussession_timeout']); +$pconfig['passthrumacadd'] = isset($config['captiveportal']['passthrumacadd']); $pconfig['radmac_format'] = $config['captiveportal']['radmac_format']; if ($_POST) { @@ -192,7 +193,8 @@ if ($_POST) { $config['captiveportal']['radiuskey2'] = $_POST['radiuskey2']; $config['captiveportal']['radiusvendor'] = $_POST['radiusvendor'] ? $_POST['radiusvendor'] : false; $config['captiveportal']['radiussession_timeout'] = $_POST['radiussession_timeout'] ? true : false; - $config['captiveportal']['radmac_format'] = $_POST['radmac_format'] ? $_POST['radmac_format'] : false; + $config['captiveportal']['passthrumacadd'] = $_POST['passthrumacadd'] ? true : false; + $config['captiveportal']['radmac_format'] = $_POST['radmac_format'] ? $_POST['radmac_format'] : false; /* file upload? */ if (is_uploaded_file($_FILES['htmlfile']['tmp_name'])) @@ -362,6 +364,15 @@ to access after they've authenticated.</td> If this is enabled, RADIUS MAC authentication cannot be used.</td> </tr> <tr> + <td valign="top" class="vncell">MAC passthrough</td> + <td class="vtable"> + <input name="passthrumacadd" type="checkbox" class="formfld" id="passthrumacadd" value="yes" <?php if ($pconfig['passthrumacadd']) echo "checked"; ?>> + <strong>MAC passthrough authentication</strong><br> + If this option is set, after a user is authenticated a mac passthrough entry will be added. + To remove the passthrough MAC entry you either have to log in and remove it manually from the MAC passthrough tab or send a POST to remove it from some other system. + If this is enabled, RADIUS MAC authentication cannot be used. Also, the logout window will not be shown.</td> + </tr> + <tr> <td valign="top" class="vncell">Per-user bandwidth restriction</td> <td class="vtable"> <input name="peruserbw" type="checkbox" class="formfld" id="peruserbw" value="yes" <?php if ($pconfig['peruserbw']) echo "checked"; ?>> diff --git a/usr/local/www/services_captiveportal_ip.php b/usr/local/www/services_captiveportal_ip.php index 60d2792..1da30a1 100755 --- a/usr/local/www/services_captiveportal_ip.php +++ b/usr/local/www/services_captiveportal_ip.php @@ -54,10 +54,11 @@ $a_allowedips = &$config['captiveportal']['allowedip'] ; if ($_GET['act'] == "del") { if ($a_allowedips[$_GET['id']]) { $ipent = $a_allowedips[$_GET['id']]; - if ($ipent['dir'] == "from") + + if (isset($config['captiveportal']['enable'])) { mwexec("/sbin/ipfw table 1 delete " . $ipent['ip']); - else mwexec("/sbin/ipfw table 2 delete " . $ipent['ip']); + } unset($a_allowedips[$_GET['id']]); write_config(); diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php index 93628ba..4e1b661 100755 --- a/usr/local/www/services_captiveportal_ip_edit.php +++ b/usr/local/www/services_captiveportal_ip_edit.php @@ -67,8 +67,9 @@ if (isset($_POST['id'])) if (isset($id) && $a_allowedips[$id]) { $pconfig['ip'] = $a_allowedips[$id]['ip']; + $pconfig['bw_up'] = $a_allowedips[$id]['bw_up']; + $pconfig['bw_down'] = $a_allowedips[$id]['bw_down']; $pconfig['descr'] = $a_allowedips[$id]['descr']; - $pconfig['dir'] = $a_allowedips[$id]['dir']; } if ($_POST) { @@ -85,6 +86,10 @@ if ($_POST) { if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) { $input_errors[] = "A valid IP address must be specified. [".$_POST['ip']."]"; } + if ($_POST['bw_up'] && !is_numeric($_POST['bw_up'])) + $input_errors[] = "Upload speed needs to be an integer"; + if ($_POST['bw_down'] && !is_numeric($_POST['bw_down'])) + $input_errors[] = "Download speed needs to be an integer"; foreach ($a_allowedips as $ipent) { if (isset($id) && ($a_allowedips[$id]) && ($a_allowedips[$id] === $ipent)) @@ -100,8 +105,10 @@ if ($_POST) { $ip = array(); $ip['ip'] = $_POST['ip']; $ip['descr'] = $_POST['descr']; - $ip['dir'] = $_POST['dir']; - + if ($_POST['bw_up']) + $ip['bw_up'] = $_POST['bw_up']; + if ($_POST['bw_down']) + $ip['bw_down'] = $_POST['bw_down']; if (isset($id) && $a_allowedips[$id]) $a_allowedips[$id] = $ip; else @@ -111,10 +118,7 @@ if ($_POST) { write_config(); if (isset($config['captiveportal']['enable'])) { - if ($ip['dir'] == "from") - mwexec("/sbin/ipfw table 1 add " . $ip['ip']); - else - mwexec("/sbin/ipfw table 2 add " . $ip['ip']); + mwexec("/sbin/ipfw table 1 add " . $ip['ip']); } header("Location: services_captiveportal_ip.php"); @@ -130,7 +134,8 @@ include("head.inc"); <?php if ($input_errors) print_input_errors($input_errors); ?> <form action="services_captiveportal_ip_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> +<?php if (false): ?> + <tr> <td width="22%" valign="top" class="vncellreq">Direction</td> <td width="78%" class="vtable"> <select name="dir" class="formselect"> @@ -146,20 +151,33 @@ include("head.inc"); <span class="vexpl">Use <em>From</em> to always allow an IP address through the captive portal (without authentication). Use <em>To</em> to allow access from all clients (even non-authenticated ones) behind the portal to this IP address.</span></td> </tr> - <tr> +<?php endif; ?> + <tr> <td width="22%" valign="top" class="vncellreq">IP address</td> <td width="78%" class="vtable"> <?=$mandfldhtml;?><input name="ip" type="text" class="formfld unknown" id="ip" size="17" value="<?=htmlspecialchars($pconfig['ip']);?>"> <br> <span class="vexpl">IP address</span></td> </tr> - <tr> + <tr> <td width="22%" valign="top" class="vncell">Description</td> <td width="78%" class="vtable"> <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> </tr> + <tr> + <td width="22%" valign="top" class="vncell">Bandwidth up</td> + <td width="78%" class="vtable"> + <input name="bw_up" type="text" class="formfld unknown" id="bw_up" size="10" value="<?=htmlspecialchars($pconfig['bw_up']);?>"> + <br> <span class="vexpl">Enter a upload limit to be enforced on this mac-address in Kbit/s</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Bandwidth down</td> + <td width="78%" class="vtable"> + <input name="bw_down" type="text" class="formfld unknown" id="bw_down" size="10" value="<?=htmlspecialchars($pconfig['bw_down']);?>"> + <br> <span class="vexpl">Enter a download limit to be enforced on this mac-address in Kbit/s</span></td> + </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php index 5080c0c..ca900bf 100755 --- a/usr/local/www/services_captiveportal_mac.php +++ b/usr/local/www/services_captiveportal_mac.php @@ -50,6 +50,7 @@ if (!is_array($config['captiveportal']['passthrumac'])) $a_passthrumacs = &$config['captiveportal']['passthrumac'] ; + if ($_POST) { $pconfig = $_POST; @@ -57,7 +58,9 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; - $retval = captiveportal_passthrumac_configure(); + $rules = captiveportal_passthrumac_configure(); + file_put_contents("{$g['tmp_path']}/passthru.mac", $rules); + mwexec("/sbin/ipfw {$g['tmp_path']}/passthru.mac"); $savemsg = get_std_save_message($retval); if ($retval == 0) @@ -67,10 +70,17 @@ if ($_POST) { if ($_GET['act'] == "del") { if ($a_passthrumacs[$_GET['id']]) { + $ruleno = captiveportal_get_ipfw_ruleno_byvalue($a_passthrumacs[$_GET['id']]['mac']); + if ($ruleno) { + mwexec("/sbin/ipfw delete {$ruleno}"); + captiveportal_free_ipfw_ruleno($ruleno); + $ruleno++; + mwexec("/sbin/ipfw delete {$ruleno}"); + } unset($a_passthrumacs[$_GET['id']]); write_config(); - mark_subsystem_dirty('passthrumac'); header("Location: services_captiveportal_mac.php"); + //mark_subsystem_dirty('passthrumac'); exit; } } diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php index 9123303..f618d47 100755 --- a/usr/local/www/services_captiveportal_mac_edit.php +++ b/usr/local/www/services_captiveportal_mac_edit.php @@ -66,6 +66,8 @@ if (isset($_POST['id'])) if (isset($id) && $a_passthrumacs[$id]) { $pconfig['mac'] = $a_passthrumacs[$id]['mac']; + $pconfig['bw_up'] = $a_passthrumacs[$id]['bw_up']; + $pconfig['bw_down'] = $a_passthrumacs[$id]['bw_down']; $pconfig['descr'] = $a_passthrumacs[$id]['descr']; } @@ -85,6 +87,10 @@ if ($_POST) { if (($_POST['mac'] && !is_macaddr($_POST['mac']))) { $input_errors[] = "A valid MAC address must be specified. [".$_POST['mac']."]"; } + if ($_POST['bw_up'] && !is_numeric($_POST['bw_up'])) + $input_errors[] = "Upload speed needs to be an integer"; + if ($_POST['bw_down'] && !is_numeric($_POST['bw_down'])) + $input_errors[] = "Download speed needs to be an integer"; foreach ($a_passthrumacs as $macent) { if (isset($id) && ($a_passthrumacs[$id]) && ($a_passthrumacs[$id] === $macent)) @@ -99,6 +105,11 @@ if ($_POST) { if (!$input_errors) { $mac = array(); $mac['mac'] = $_POST['mac']; + if ($_POST['bw_up']) + $mac['bw_up'] = $_POST['bw_up']; + if ($_POST['bw_down']) + $mac['bw_down'] = $_POST['bw_down']; + $mac['descr'] = $_POST['descr']; if (isset($id) && $a_passthrumacs[$id]) @@ -109,7 +120,7 @@ if ($_POST) { write_config(); - mark_subsystem_dirty('passthrumac'); + //mark_subsystem_dirty('passthrumac'); header("Location: services_captiveportal_mac.php"); exit; @@ -129,13 +140,25 @@ include("head.inc"); <br> <span class="vexpl">MAC address (6 hex octets separated by colons)</span></td> </tr> - <tr> + <tr> <td width="22%" valign="top" class="vncell">Description</td> <td width="78%" class="vtable"> <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> </tr> + <tr> + <td width="22%" valign="top" class="vncell">Bandwidth up</td> + <td width="78%" class="vtable"> + <input name="bw_up" type="text" class="formfld unknown" id="bw_up" size="10" value="<?=htmlspecialchars($pconfig['bw_up']);?>"> + <br> <span class="vexpl">Enter a upload limit to be enforced on this mac-address in Kbit/s</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Bandwidth down</td> + <td width="78%" class="vtable"> + <input name="bw_down" type="text" class="formfld unknown" id="bw_down" size="10" value="<?=htmlspecialchars($pconfig['bw_down']);?>"> + <br> <span class="vexpl">Enter a download limit to be enforced on this mac-address in Kbit/s</span></td> + </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> |
