path: root/etc/inc/captiveportal.inc
Diffstat (limited to 'etc/inc/captiveportal.inc')
-rw-r--r--etc/inc/captiveportal.inc809
1 files changed, 430 insertions, 379 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 84c98b2..12701ab 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -2,12 +2,11 @@
/*
captiveportal.inc
part of pfSense (http://www.pfSense.org)
-
- originally part of m0n0wall (http://m0n0.ch/wall)
-
- Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
+ Copyright (C) 2004-2011 Scott Ullrich <sullrich@gmail.com>
Copyright (C) 2009 Ermal Luçi <ermal.luci@gmail.com>
Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+
+ originally part of m0n0wall (http://m0n0.ch/wall)
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -38,9 +37,9 @@
These changes are (c) 2004 Keycom PLC.
pfSense_BUILDER_BINARIES: /sbin/ipfw /sbin/sysctl /sbin/kldunload
- pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl
- pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp
- pfSense_MODULE: captiveportal
+ pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl
+ pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp
+ pfSense_MODULE: captiveportal
*/
/* include all configuration functions */
@@ -74,8 +73,8 @@ function get_default_captive_portal_html() {
<div id="mainlevel">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="0">
- <tr>
- <td>
+ <tr>
+ <td>
<center>
<div id="mainarea">
<center>
@@ -100,7 +99,7 @@ function get_default_captive_portal_html() {
</div>
</center>
</div>
- </td>
+ </td>
</tr>
</table>
</center>
@@ -145,14 +144,14 @@ EOD;
<div id="mainlevel">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="0">
- <tr>
- <td>
+ <tr>
+ <td>
<center>
<div id="mainarea">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="5">
<tr>
- <td>
+ <td>
<div id="maindivarea">
<center>
<div id='statusbox'>
@@ -171,15 +170,15 @@ EOD;
<tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr>
<tr><td>&nbsp;</td></tr>
<tr>
- <td colspan="2">
+ <td colspan="2">
<center><input name="accept" type="submit" value="Continue"></center>
- </td>
+ </td>
</tr>
</table>
</div>
</center>
</div>
- </td>
+ </td>
</tr>
</table>
</center>
@@ -260,6 +259,10 @@ function captiveportal_configure() {
$htmltext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $htmltext);
$htmltext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $htmltext);
$htmltext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $htmltext);
+ if($config['captiveportal']['preauthurl']) {
+ $htmltext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $htmltext);
+ $htmltext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $htmltext);
+ }
fwrite($fd, $htmltext);
fclose($fd);
}
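Review bot: The configured preauthurl is written into the page verbatim by the two new str_replace() calls, so a `"`, `'` or `<` in that URL breaks whatever markup the template wraps around `$PORTAL_REDIRURL$`, and closes the attribute if the placeholder sits in one (the default templates in this file do not show where it lands, so that is an assumption). The value is administrator-supplied, which makes this a robustness rather than an injection concern, but it should still be escaped once for the HTML context: `$redirurl = htmlspecialchars($config['captiveportal']['preauthurl'], ENT_QUOTES);` and then pass `$redirurl` to both replacements. The `"{$config['captiveportal']['preauthurl']}"` interpolation is redundant with the plain value. captiveportal_configure() starts and ends outside this hunk.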
@@ -290,14 +293,14 @@ function captiveportal_configure() {
<div id="mainlevel">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="0">
- <tr>
- <td>
+ <tr>
+ <td>
<center>
<div id="mainarea">
<center>
<table width="100%" border="0" cellpadding="5" cellspacing="5">
<tr>
- <td>
+ <td>
<div id="maindivarea">
<center>
<div id='statusbox'>
@@ -316,15 +319,15 @@ function captiveportal_configure() {
<tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr>
<tr><td>&nbsp;</td></tr>
<tr>
- <td colspan="2">
+ <td colspan="2">
<center><input name="accept" type="submit" value="Continue"></center>
- </td>
+ </td>
</tr>
</table>
</div>
</center>
</div>
- </td>
+ </td>
</tr>
</table>
</center>
@@ -356,6 +359,10 @@ EOD;
$errtext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $errtext);
$errtext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $errtext);
$errtext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $errtext);
+ if($config['captiveportal']['preauthurl']) {
+ $errtext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $errtext);
+ $errtext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $errtext);
+ }
fwrite($fd, $errtext);
fclose($fd);
}
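Review bot: These four lines are a verbatim copy of the preauthurl block this commit adds earlier for `$htmltext`, and the two copies will drift the first time one of them is corrected (escaping, placeholder names). Pull them into a small helper that returns its argument unchanged when `preauthurl` is empty and call it from both places, e.g. `$errtext = captiveportal_apply_preauthurl($errtext);`. captiveportal_configure() continues outside this hunk.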
@@ -376,18 +383,18 @@ EOD;
<!--
LogoutWin = window.open('', 'Logout', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=256,height=64');
if (LogoutWin) {
- LogoutWin.document.write('<HTML>');
- LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ;
- LogoutWin.document.write('<BODY BGCOLOR="#435370">');
- LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
- LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
- LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">');
- LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">');
- LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
- LogoutWin.document.write('</FORM>');
- LogoutWin.document.write('</DIV></BODY>');
- LogoutWin.document.write('</HTML>');
- LogoutWin.document.close();
+ LogoutWin.document.write('<HTML>');
+ LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ;
+ LogoutWin.document.write('<BODY BGCOLOR="#435370">');
+ LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
+ LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
+ LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">');
+ LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">');
+ LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
+ LogoutWin.document.write('</FORM>');
+ LogoutWin.document.write('</DIV></BODY>');
+ LogoutWin.document.write('</HTML>');
+ LogoutWin.document.close();
}
document.location.href="<?=\$my_redirurl;?>";
@@ -437,7 +444,7 @@ EOD;
if (does_interface_exist($listrealif)) {
pfSense_interface_flags($listrealif, -IFF_IPFW_FILTER);
$carpif = link_ip_to_carp_interface(find_interface_ip($listrealif));
- if (!empty($carpif)) {
+ if (!empty($carpif)) {
$carpsif = explode(" ", $carpif);
foreach ($carpsif as $cpcarp)
pfSense_interface_flags($cpcarp, -IFF_IPFW_FILTER);
@@ -456,7 +463,7 @@ function captiveportal_init_webgui() {
global $g, $config;
if (!isset($config['captiveportal']['enable']))
- return;
+ return;
if ($config['captiveportal']['maxproc'])
$maxproc = $config['captiveportal']['maxproc'];
@@ -534,7 +541,7 @@ function captiveportal_init_rules($reinit = false) {
if (count($cpips) > 0) {
$cpactive = true;
$cpinterface = "{ {$cpinterface} } ";
- } else
+ } else
return false;
if ($reinit == false)
@@ -550,7 +557,7 @@ function captiveportal_init_rules($reinit = false) {
if (!is_module_loaded("dummynet.ko"))
mwexec("/sbin/kldload dummynet");
- $cprules = "add 65291 set 1 allow pfsync from any to any\n";
+ $cprules = "add 65291 set 1 allow pfsync from any to any\n";
$cprules .= "add 65292 set 1 allow carp from any to any\n";
$cprules .= <<<EOD
@@ -619,12 +626,12 @@ EOD;
$rulenum++;
} else {
$cprules .= "add {$rulenum} set 1 allow ip from table(1) to any in\n";
- $rulenum++;
- $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n";
- $rulenum++;
+ $rulenum++;
+ $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n";
+ $rulenum++;
}
- $cprules .= <<<EOD
+ $cprules .= <<<EOD
# redirect non-authenticated clients to captive portal
add 65531 set 1 fwd 127.0.0.1,8000 tcp from any to any in
@@ -640,9 +647,13 @@ EOD;
/* generate passthru mac database */
$cprules .= captiveportal_passthrumac_configure(true);
$cprules .= "\n";
+
/* allowed ipfw rules to make allowed ip work */
$cprules .= captiveportal_allowedip_configure();
+ /* allowed ipfw rules to make allowed hostnames work */
+ $cprules .= captiveportal_allowedhostname_configure();
+
/* load rules */
if ($reinit == true)
$cprules = "table all flush\nflush\n{$cprules}";
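Review bot: The new `captiveportal_allowedhostname_configure()` call has a side effect beyond returning rules: the function (added later in this diff) calls setup_dnsfilter_entries() unconditionally, which kills any process matching the dnswatch pid-file name and starts a new dnswatch, on every rule load even when no allowed hostname is configured, and apparently while `$captiveportallck` is still held (the hunk releases it only afterwards, and only when `$reinit` is false). Guard the call with the configuration that makes it meaningful, `if (is_array($config['captiveportal']['allowedhostname']))` on the line before `$cprules .= captiveportal_allowedhostname_configure();`, or move the daemon management out of the rule-building path. captiveportal_init_rules() starts and ends outside this hunk.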
@@ -661,12 +672,11 @@ EOD;
file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules);
mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true);
- @unlink("{$g['tmp_path']}/ipfw.cp.rules");
+ //@unlink("{$g['tmp_path']}/ipfw.cp.rules");
if ($reinit == false)
unlock($captiveportallck);
-
/* filter on layer2 as well so we can check MAC addresses */
mwexec("/sbin/sysctl net.link.ether.ipfw=1");
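Review bot: Commenting out the `@unlink(...)` leaves the generated ruleset in `{$g['tmp_path']}/ipfw.cp.rules` after every reload, and a commented-out line with no explanation reads like leftover debugging. That file lists every passthrough MAC and allowed address the portal trusts; whether anyone else can read it depends on the permissions of tmp_path, which this file does not show. Either restore `@unlink("{$g['tmp_path']}/ipfw.cp.rules");` or replace the comment with one stating why the file is intentionally kept. captiveportal_init_rules() starts and ends outside this hunk.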
@@ -679,153 +689,152 @@ EOD;
* (password is in Base64 and only saved when reauthentication is enabled)
*/
function captiveportal_prune_old() {
- global $g, $config;
+ global $g, $config;
- /* check for expired entries */
- if (empty($config['captiveportal']['timeout']) ||
+ /* check for expired entries */
+ if (empty($config['captiveportal']['timeout']) ||
!is_numeric($config['captiveportal']['timeout']))
- $timeout = 0;
- else
- $timeout = $config['captiveportal']['timeout'] * 60;
+ $timeout = 0;
+ else
+ $timeout = $config['captiveportal']['timeout'] * 60;
- if (empty($config['captiveportal']['idletimeout']) ||
+ if (empty($config['captiveportal']['idletimeout']) ||
!is_numeric($config['captiveportal']['idletimeout']))
- $idletimeout = 0;
- else
- $idletimeout = $config['captiveportal']['idletimeout'] * 60;
+ $idletimeout = 0;
+ else
+ $idletimeout = $config['captiveportal']['idletimeout'] * 60;
- if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) &&
+ if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) &&
!isset($config['captiveportal']['radiussession_timeout']) && !isset($config['voucher']['enable']))
- return;
-
- /* read database */
- $cpdb = captiveportal_read_db();
-
- $radiusservers = captiveportal_get_radius_servers();
-
- /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved
- * outside of the loop. Otherwise the loop would evaluate count() on every iteration
- * and since $i would increase and count() would decrement they would meet before we
- * had a chance to iterate over all accounts.
- */
- $unsetindexes = array();
- $no_users = count($cpdb);
- for ($i = 0; $i < $no_users; $i++) {
-
- $timedout = false;
- $term_cause = 1;
-
- /* hard timeout? */
- if ($timeout) {
- if ((time() - $cpdb[$i][0]) >= $timeout) {
- $timedout = true;
- $term_cause = 5; // Session-Timeout
- }
- }
-
- /* Session-Terminate-Time */
- if (!$timedout && !empty($cpdb[$i][9])) {
- if (time() >= $cpdb[$i][9]) {
- $timedout = true;
- $term_cause = 5; // Session-Timeout
- }
- }
-
- /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */
- $uidletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout;
- /* if an idle timeout is specified, get last activity timestamp from ipfw */
- if (!$timedout && $uidletimeout) {
- $lastact = captiveportal_get_last_activity($cpdb[$i][2]);
- /* If the user has logged on but not sent any traffic they will never be logged out.
- * We "fix" this by setting lastact to the login timestamp.
- */
- $lastact = $lastact ? $lastact : $cpdb[$i][0];
- if ($lastact && ((time() - $lastact) >= $uidletimeout)) {
- $timedout = true;
- $term_cause = 4; // Idle-Timeout
- $stop_time = $lastact; // Entry added to comply with WISPr
+ return;
+
+ /* read database */
+ $cpdb = captiveportal_read_db();
+
+ $radiusservers = captiveportal_get_radius_servers();
+
+ /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved
+ * outside of the loop. Otherwise the loop would evaluate count() on every iteration
+ * and since $i would increase and count() would decrement they would meet before we
+ * had a chance to iterate over all accounts.
+ */
+ $unsetindexes = array();
+ $no_users = count($cpdb);
+ for ($i = 0; $i < $no_users; $i++) {
+
+ $timedout = false;
+ $term_cause = 1;
+
+ /* hard timeout? */
+ if ($timeout) {
+ if ((time() - $cpdb[$i][0]) >= $timeout) {
+ $timedout = true;
+ $term_cause = 5; // Session-Timeout
+ }
}
- }
- /* if vouchers are configured, activate session timeouts */
- if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) {
- if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) {
- $timedout = true;
- $term_cause = 5; // Session-Timeout
+ /* Session-Terminate-Time */
+ if (!$timedout && !empty($cpdb[$i][9])) {
+ if (time() >= $cpdb[$i][9]) {
+ $timedout = true;
+ $term_cause = 5; // Session-Timeout
+ }
+ }
+
+ /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */
+ $uidletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout;
+ /* if an idle timeout is specified, get last activity timestamp from ipfw */
+ if (!$timedout && $uidletimeout) {
+ $lastact = captiveportal_get_last_activity($cpdb[$i][2]);
+ /* If the user has logged on but not sent any traffic they will never be logged out.
+ * We "fix" this by setting lastact to the login timestamp.
+ */
+ $lastact = $lastact ? $lastact : $cpdb[$i][0];
+ if ($lastact && ((time() - $lastact) >= $uidletimeout)) {
+ $timedout = true;
+ $term_cause = 4; // Idle-Timeout
+ $stop_time = $lastact; // Entry added to comply with WISPr
+ }
}
- }
- /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */
- if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) {
- if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) {
- $timedout = true;
- $term_cause = 5; // Session-Timeout
- }
- }
-
- if ($timedout) {
- captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time);
- captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT");
- $unsetindexes[$i] = $i;
- }
-
- /* do periodic RADIUS reauthentication? */
- if (!$timedout && !empty($radiusservers)) {
- if (isset($config['captiveportal']['radacct_enable'])) {
- if ($config['captiveportal']['reauthenticateacct'] == "stopstart") {
- /* stop and restart accounting */
- RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
- $cpdb[$i][4], // username
- $cpdb[$i][5], // sessionid
- $cpdb[$i][0], // start time
- $radiusservers,
- $cpdb[$i][2], // clientip
- $cpdb[$i][3], // clientmac
- 10); // NAS Request
- exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}");
- exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}");
- RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno
- $cpdb[$i][4], // username
- $cpdb[$i][5], // sessionid
- $radiusservers,
- $cpdb[$i][2], // clientip
- $cpdb[$i][3]); // clientmac
- } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") {
- RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
- $cpdb[$i][4], // username
- $cpdb[$i][5], // sessionid
- $cpdb[$i][0], // start time
- $radiusservers,
- $cpdb[$i][2], // clientip
- $cpdb[$i][3], // clientmac
- 10, // NAS Request
- true); // Interim Updates
- }
- }
-
- /* check this user against RADIUS again */
- if (isset($config['captiveportal']['reauthenticate'])) {
- $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username
- base64_decode($cpdb[$i][6]), // password
- $radiusservers,
- $cpdb[$i][2], // clientip
- $cpdb[$i][3], // clientmac
- $cpdb[$i][1]); // ruleno
-
- if ($auth_list['auth_val'] == 3) {
- captiveportal_disconnect($cpdb[$i], $radiusservers, 17);
- captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']);
+ /* if vouchers are configured, activate session timeouts */
+ if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) {
+ if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) {
+ $timedout = true;
+ $term_cause = 5; // Session-Timeout
+ }
+ }
+
+ /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */
+ if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) {
+ if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) {
+ $timedout = true;
+ $term_cause = 5; // Session-Timeout
+ }
+ }
+
+ if ($timedout) {
+ captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time);
+ captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT");
$unsetindexes[$i] = $i;
- }
- }
- }
- }
- /* This is a kludge to overcome some php weirdness */
- foreach($unsetindexes as $unsetindex)
+ }
+
+ /* do periodic RADIUS reauthentication? */
+ if (!$timedout && !empty($radiusservers)) {
+ if (isset($config['captiveportal']['radacct_enable'])) {
+ if ($config['captiveportal']['reauthenticateacct'] == "stopstart") {
+ /* stop and restart accounting */
+ RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $cpdb[$i][0], // start time
+ $radiusservers,
+ $cpdb[$i][2], // clientip
+ $cpdb[$i][3], // clientmac
+ 10); // NAS Request
+ exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}");
+ exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}");
+ RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $radiusservers,
+ $cpdb[$i][2], // clientip
+ $cpdb[$i][3]); // clientmac
+ } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") {
+ RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $cpdb[$i][0], // start time
+ $radiusservers,
+ $cpdb[$i][2], // clientip
+ $cpdb[$i][3], // clientmac
+ 10, // NAS Request
+ true); // Interim Updates
+ }
+ }
+
+ /* check this user against RADIUS again */
+ if (isset($config['captiveportal']['reauthenticate'])) {
+ $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username
+ base64_decode($cpdb[$i][6]), // password
+ $radiusservers,
+ $cpdb[$i][2], // clientip
+ $cpdb[$i][3], // clientmac
+ $cpdb[$i][1]); // ruleno
+ if ($auth_list['auth_val'] == 3) {
+ captiveportal_disconnect($cpdb[$i], $radiusservers, 17);
+ captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']);
+ $unsetindexes[$i] = $i;
+ }
+ }
+ }
+ }
+ /* This is a kludge to overcome some php weirdness */
+ foreach($unsetindexes as $unsetindex)
unset($cpdb[$unsetindex]);
- /* write database */
- captiveportal_write_db($cpdb);
+ /* write database */
+ captiveportal_write_db($cpdb);
}
/* remove a single client according to the DB entry */
@@ -837,15 +846,15 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t
/* this client needs to be deleted - remove ipfw rules */
if (isset($config['captiveportal']['radacct_enable']) && !empty($radiusservers)) {
RADIUS_ACCOUNTING_STOP($dbent[1], // ruleno
- $dbent[4], // username
- $dbent[5], // sessionid
- $dbent[0], // start time
- $radiusservers,
- $dbent[2], // clientip
- $dbent[3], // clientmac
- $term_cause, // Acct-Terminate-Cause
- false,
- $stop_time);
+ $dbent[4], // username
+ $dbent[5], // sessionid
+ $dbent[0], // start time
+ $radiusservers,
+ $dbent[2], // clientip
+ $dbent[3], // clientmac
+ $term_cause, // Acct-Terminate-Cause
+ false,
+ $stop_time);
}
/* Delete client's ip entry from tables 3 and 4. */
mwexec("/sbin/ipfw table 1 delete {$dbent[2]}");
@@ -903,39 +912,39 @@ function captiveportal_radius_stop_all() {
$cpdb = captiveportal_read_db();
foreach ($cpdb as $cpentry) {
RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
- $cpentry[4], // username
- $cpentry[5], // sessionid
- $cpentry[0], // start time
- $radiusservers,
- $cpentry[2], // clientip
- $cpentry[3], // clientmac
- 7); // Admin Reboot
+ $cpentry[4], // username
+ $cpentry[5], // sessionid
+ $cpentry[0], // start time
+ $radiusservers,
+ $cpentry[2], // clientip
+ $cpentry[3], // clientmac
+ 7); // Admin Reboot
}
}
}
function captiveportal_passthrumac_configure_entry($macent) {
$rules = "";
- $enBwup = isset($macent['bw_up']);
- $enBwdown = isset($macent['bw_down']);
+ $enBwup = isset($macent['bw_up']);
+ $enBwdown = isset($macent['bw_down']);
$actionup = "allow";
$actiondown = "allow";
- if ($enBwup && $enBwdown)
- $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
- else
- $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
+ if ($enBwup && $enBwdown)
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
+ else
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
if ($enBwup) {
- $bw_up = $ruleno + 20000;
- $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n";
+ $bw_up = $ruleno + 20000;
+ $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n";
$actionup = "pipe {$bw_up}";
- }
- if ($enBwdown) {
+ }
+ if ($enBwdown) {
$bw_down = $ruleno + 20001;
$rules .= "pipe {$bw_down} config bw {$macent['bw_down']}Kbit/s queue 100\n";
$actiondown = "pipe {$bw_down}";
- }
+ }
$rules .= "add {$ruleno} {$actiondown} ip from any to any MAC {$macent['mac']} any\n";
$ruleno++;
$rules .= "add {$ruleno} {$actionup} ip from any to any MAC any {$macent['mac']}\n";
@@ -978,69 +987,112 @@ function captiveportal_passthrumac_findbyname($username) {
*/
function captiveportal_allowedip_configure_entry($ipent) {
+ /* This function can deal with hostname or ipaddress */
+ if($ipent['ip'])
+ $ipaddress = $ipent['ip'];
+
+ /* Instead of copying this entire function for something
+ * easy such as hostname vs ip address add this check
+ */
+ if($ipent['hostname']) {
+ $ipaddress = gethostbyname($ipent['hostname']);
+ if(!is_ipaddr($ipaddress))
+ return;
+ }
+
$rules = "";
- $enBwup = isset($ipent['bw_up']);
- $enBwdown = isset($ipent['bw_down']);
+ $enBwup = intval($ipent['bw_up']);
+ $enBwdown = intval($ipent['bw_down']);
$bw_up = "";
- $bw_down = "";
- $tablein = array();
- $tableout = array();
+ $bw_down = "";
+ $tablein = array();
+ $tableout = array();
- if ($enBwup && $enBwdown)
+ if (intval($enBwup) > 0 or intval($enBwdown) > 0)
$ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
else
$ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
- if ($ipent['dir'] == "from") {
- if ($enBwup)
- $tablein[] = 5;
- else
- $tablein[] = 3;
- if ($enBwdown)
- $tableout[] = 6;
- else
- $tableout[] = 4;
- } else if ($ipent['dir'] == "to") {
- if ($enBwup)
- $tablein[] = 9;
- else
- $tablein[] = 7;
- if ($enBwdown)
- $tableout[] = 10;
- else
- $tableout[] = 8;
- } else if ($ipent['dir'] == "both") {
- if ($enBwup) {
- $tablein[] = 5;
- $tablein[] = 9;
- } else {
- $tablein[] = 3;
- $tablein[] = 7;
- }
- if ($enBwdown) {
- $tableout[] = 6;
- $tableout[] = 10;
- } else {
- $tableout[] = 4;
- $tableout[] = 8;
- }
- }
- if ($enBwup) {
- $bw_up = $ruleno + 20000;
- $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n";
- }
+ if ($ipent['dir'] == "from") {
+ if ($enBwup)
+ $tablein[] = 5;
+ else
+ $tablein[] = 3;
+ if ($enBwdown)
+ $tableout[] = 6;
+ else
+ $tableout[] = 4;
+ } else if ($ipent['dir'] == "to") {
+ if ($enBwup)
+ $tablein[] = 9;
+ else
+ $tablein[] = 7;
+ if ($enBwdown)
+ $tableout[] = 10;
+ else
+ $tableout[] = 8;
+ } else if ($ipent['dir'] == "both") {
+ if ($enBwup) {
+ $tablein[] = 5;
+ $tablein[] = 9;
+ } else {
+ $tablein[] = 3;
+ $tablein[] = 7;
+ }
+ if ($enBwdown) {
+ $tableout[] = 6;
+ $tableout[] = 10;
+ } else {
+ $tableout[] = 4;
+ $tableout[] = 8;
+ }
+ }
+ if ($enBwup) {
+ $bw_up = $ruleno + 20000;
+ $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n";
+ }
$subnet = "";
if (!empty($ipent['sn']))
$subnet = "/{$ipent['sn']}";
foreach ($tablein as $table)
- $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_up}\n";
- if ($enBwdown) {
- $bw_down = $ruleno + 20001;
- $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n";
- }
- foreach ($tableout as $table)
- $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_down}\n";
+ $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_up}\n";
+ if ($enBwdown) {
+ $bw_down = $ruleno + 20001;
+ $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n";
+ }
+ foreach ($tableout as $table)
+ $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_down}\n";
+
+ return $rules;
+}
+
+/*
+ Adds a dnsfilter entry and watches for hostname changes.
+ A change results in reloading the ruleset.
+*/
+function setup_dnsfilter_entries() {
+ global $g, $config;
+ $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-captiveportal.conf";
+ $fd = fopen($cp_filterdns_filename, "w");
+ if (is_array($config['captiveportal']['allowedhostname']))
+ foreach ($config['captiveportal']['allowedhostname'] as $hostnameent)
+ fwrite($fd, $hostnameent['hostname'] . "\n");
+ fclose($fd);
+ killbypid("{$g['tmp_path']}/dnswatch-cpah.pid");
+ // For some reason the killbypid() is not working. Brute force if needed.
+ exec("/bin/ps awux | grep -v /usr/bin/grep | grep dnswatch-cpah.pid | /usr/bin/awk '{ print \$2 }' | /usr/bin/xargs kill");
+ mwexec("/usr/local/sbin/dnswatch {$g['tmp_path']}/dnswatch-cpah.pid 300 /etc/rc.captiveportal_configure {$cp_filterdns_filename}");
+}
+
+function captiveportal_allowedhostname_configure() {
+ global $config, $g;
+ $rules = "\n# captiveportal_allowedhostname_configure()\n";
+ setup_dnsfilter_entries();
+ if (is_array($config['captiveportal']['allowedhostname'])) {
+ foreach ($config['captiveportal']['allowedhostname'] as $hostnameent)
+ $rules .= captiveportal_allowedip_configure_entry($hostnameent);
+ }
return $rules;
}
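Review bot: `gethostbyname()` on the new hostname path returns a single A record, so an allowed hostname backed by several addresses (round-robin DNS, CDNs) only ever whitelists one of them, and a client that resolves the name to another address stays captive; use `gethostbynamel()` and emit one `table add` per returned address. The same path leaves `$ipaddress` undefined when an entry carries neither `ip` nor `hostname`, producing a bare `table N add /sn` line where the old code at least emitted the configured value, and the `intval()` around `$enBwup`/`$enBwdown` in the ruleno condition is redundant after both were already converted two lines earlier. Resolution happens on the firewall at rule-build time, so the allowlist only ever reflects what the firewall's resolver sees; presumably dnswatch re-resolving every 300 seconds, as set up in setup_dnsfilter_entries(), is what keeps it current. Rewritten entry function below; the bandwidth and table-selection logic in the middle is unchanged.
```php
function captiveportal_allowedip_configure_entry($ipent) {
	/* Collect every address this entry covers: the literal address and/or
	 * all A records of the hostname (gethostbyname() keeps only the first). */
	$addresses = array();
	if (!empty($ipent['ip']))
		$addresses[] = $ipent['ip'];
	if (!empty($ipent['hostname'])) {
		$resolved = gethostbynamel($ipent['hostname']);
		if (is_array($resolved))
			$addresses = array_merge($addresses, $resolved);
	}
	$addresses = array_filter($addresses, 'is_ipaddr');
	if (empty($addresses))
		return "";

	$rules = "";
	$enBwup = intval($ipent['bw_up']);
	$enBwdown = intval($ipent['bw_down']);
	// … unchanged: ruleno allocation, direction/table selection, up pipe …
	foreach ($tablein as $table)
		foreach ($addresses as $ipaddress)
			$rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_up}\n";
	// … unchanged: down pipe …
	foreach ($tableout as $table)
		foreach ($addresses as $ipaddress)
			$rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_down}\n";

	return $rules;
}
```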
@@ -1049,9 +1101,8 @@ function captiveportal_allowedip_configure() {
$rules = "";
if (is_array($config['captiveportal']['allowedip'])) {
- foreach ($config['captiveportal']['allowedip'] as $ipent) {
+ foreach ($config['captiveportal']['allowedip'] as $ipent)
$rules .= captiveportal_allowedip_configure_entry($ipent);
- }
}
return $rules;
@@ -1078,7 +1129,7 @@ function captiveportal_init_radius_servers() {
/* generate radius server database */
if ($config['captiveportal']['radiusip'] && (!isset($config['captiveportal']['auth_method']) ||
- ($config['captiveportal']['auth_method'] == "radius"))) {
+ ($config['captiveportal']['auth_method'] == "radius"))) {
$radiusip = $config['captiveportal']['radiusip'];
$radiusip2 = ($config['captiveportal']['radiusip2']) ? $config['captiveportal']['radiusip2'] : null;
@@ -1115,29 +1166,29 @@ function captiveportal_init_radius_servers() {
/* read RADIUS servers into array */
function captiveportal_get_radius_servers() {
- global $g;
+ global $g;
- $cprdsrvlck = lock('captiveportalradius');
- if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {
- $radiusservers = array();
- $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db",
+ $cprdsrvlck = lock('captiveportalradius');
+ if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {
+ $radiusservers = array();
+ $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db",
FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
- if ($cpradiusdb)
- foreach($cpradiusdb as $cpradiusentry) {
- $line = trim($cpradiusentry);
- if ($line) {
- $radsrv = array();
- list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line);
- $radiusservers[] = $radsrv;
- }
+ if ($cpradiusdb) {
+ foreach($cpradiusdb as $cpradiusentry) {
+ $line = trim($cpradiusentry);
+ if ($line) {
+ $radsrv = array();
+ list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line);
+ $radiusservers[] = $radsrv;
+ }
+ }
+ }
+ unlock($cprdsrvlck);
+ return $radiusservers;
}
unlock($cprdsrvlck);
- return $radiusservers;
- }
-
- unlock($cprdsrvlck);
- return false;
+ return false;
}
/* log successful captive portal authentication to syslog */
@@ -1164,79 +1215,78 @@ function captiveportal_syslog($message) {
}
function radius($username,$password,$clientip,$clientmac,$type) {
- global $g, $config;
-
- $ruleno = captiveportal_get_next_ipfw_ruleno();
-
- /* If the pool is empty, return appropriate message and fail authentication */
- if (is_null($ruleno)) {
- $auth_list = array();
- $auth_list['auth_val'] = 1;
- $auth_list['error'] = "System reached maximum login capacity";
- return $auth_list;
- }
-
- $radiusservers = captiveportal_get_radius_servers();
-
- $auth_list = RADIUS_AUTHENTICATION($username,
- $password,
- $radiusservers,
- $clientip,
- $clientmac,
- $ruleno);
-
- if ($auth_list['auth_val'] == 2) {
- captiveportal_logportalauth($username,$clientmac,$clientip,$type);
- $sessionid = portal_allow($clientip,
- $clientmac,
- $username,
- $password,
- $auth_list,
- $ruleno);
- }
-
- return $auth_list;
+ global $g, $config;
+
+ $ruleno = captiveportal_get_next_ipfw_ruleno();
+
+ /* If the pool is empty, return appropriate message and fail authentication */
+ if (is_null($ruleno)) {
+ $auth_list = array();
+ $auth_list['auth_val'] = 1;
+ $auth_list['error'] = "System reached maximum login capacity";
+ return $auth_list;
+ }
+
+ $radiusservers = captiveportal_get_radius_servers();
+
+ $auth_list = RADIUS_AUTHENTICATION($username,
+ $password,
+ $radiusservers,
+ $clientip,
+ $clientmac,
+ $ruleno);
+
+ if ($auth_list['auth_val'] == 2) {
+ captiveportal_logportalauth($username,$clientmac,$clientip,$type);
+ $sessionid = portal_allow($clientip,
+ $clientmac,
+ $username,
+ $password,
+ $auth_list,
+ $ruleno);
+ }
+
+ return $auth_list;
}
/* read captive portal DB into array */
function captiveportal_read_db() {
- global $g;
-
- $cpdb = array();
-
- $cpdblck = lock('captiveportaldb');
- $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r");
- if ($fd) {
- while (!feof($fd)) {
- $line = trim(fgets($fd));
- if ($line) {
- $cpdb[] = explode(",", $line);
- }
- }
- fclose($fd);
- }
- unlock($cpdblck);
- return $cpdb;
+ global $g;
+
+ $cpdb = array();
+
+ $cpdblck = lock('captiveportaldb');
+ $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = trim(fgets($fd));
+ if ($line)
+ $cpdb[] = explode(",", $line);
+ }
+ fclose($fd);
+ }
+ unlock($cpdblck);
+ return $cpdb;
}
/* write captive portal DB */
function captiveportal_write_db($cpdb) {
- global $g;
-
- $cpdblck = lock('captiveportaldb', LOCK_EX);
- $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w");
- if ($fd) {
- foreach ($cpdb as $cpent) {
- fwrite($fd, join(",", $cpent) . "\n");
- }
- fclose($fd);
- }
+ global $g;
+
+ $cpdblck = lock('captiveportaldb', LOCK_EX);
+ $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w");
+ if ($fd) {
+ foreach ($cpdb as $cpent) {
+ fwrite($fd, join(",", $cpent) . "\n");
+ }
+ fclose($fd);
+ }
unlock($cpdblck);
}
function captiveportal_write_elements() {
global $g, $config;
-
+
/* delete any existing elements */
if (is_dir($g['captiveportal_element_path'])) {
$dh = opendir($g['captiveportal_element_path']);
@@ -1245,8 +1295,9 @@ function captiveportal_write_elements() {
unlink($g['captiveportal_element_path'] . "/" . $file);
}
closedir($dh);
- } else
+ } else {
@mkdir($g['captiveportal_element_path']);
+ }
if (is_array($config['captiveportal']['element'])) {
conf_mount_rw();
@@ -1265,7 +1316,7 @@ function captiveportal_write_elements() {
}
conf_mount_ro();
}
-
+
return 0;
}
@@ -1295,10 +1346,10 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang
for ($ridx = 2; $ridx < ($rulenos_range_max - $rulenos_start); $ridx++) {
if ($rules[$ridx]) {
/*
- * This allows our traffic shaping pipes to be the in pipe the same as ruleno
- * and the out pipe ruleno + 1. This removes limitation that where present in
- * previous version of the peruserbw.
- */
+ * This allows our traffic shaping pipes to be the in pipe the same as ruleno
+ * and the out pipe ruleno + 1. This removes limitation that where present in
+ * previous version of the peruserbw.
+ */
if (isset($config['captiveportal']['peruserbw']))
$ridx++;
continue;
@@ -1340,17 +1391,17 @@ function captiveportal_get_ipfw_passthru_ruleno($value) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
- return NULL;
+ return NULL;
$cpruleslck = lock('captiveportalrules', LOCK_EX);
- if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
- $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
+ if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
+ $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
$ruleno = intval(`/sbin/ipfw show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
if ($rules[$ruleno]) {
unlock($cpruleslck);
return $ruleno;
}
- }
+ }
unlock($cpruleslck);
return NULL;
@@ -1369,31 +1420,31 @@ function captiveportal_get_ipfw_passthru_ruleno($value) {
function getVolume($ip) {
- $volume = array();
+ $volume = array();
- // Initialize vars properly, since we don't want NULL vars
- $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ;
+ // Initialize vars properly, since we don't want NULL vars
+ $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ;
- // Ingress
- $ipfwin = "";
- $ipfwout = "";
- $matchesin = "";
- $matchesout = "";
- exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin);
- if ($ipfwin[0]) {
+ // Ingress
+ $ipfwin = "";
+ $ipfwout = "";
+ $matchesin = "";
+ $matchesout = "";
+ exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin);
+ if ($ipfwin[0]) {
$ipfwin = split(" ", $ipfwin[0]);
$volume['input_pkts'] = $ipfwin[2];
$volume['input_bytes'] = $ipfwin[3];
- }
+ }
- exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout);
- if ($ipfwout[0]) {
- $ipfwout = split(" ", $ipfwout[0]);
- $volume['output_pkts'] = $ipfwout[2];
- $volume['output_bytes'] = $ipfwout[3];
- }
+ exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout);
+ if ($ipfwout[0]) {
+ $ipfwout = split(" ", $ipfwout[0]);
+ $volume['output_pkts'] = $ipfwout[2];
+ $volume['output_bytes'] = $ipfwout[3];
+ }
- return $volume;
+ return $volume;
}
/**
@@ -1403,11 +1454,11 @@ function getVolume($ip) {
*/
function getNasID()
{
- $nasId = "";
- exec("/bin/hostname", $nasId);
- if(!$nasId[0])
- $nasId[0] = "{$g['product_name']}";
- return $nasId[0];
+ $nasId = "";
+ exec("/bin/hostname", $nasId);
+ if(!$nasId[0])
+ $nasId[0] = "{$g['product_name']}";
+ return $nasId[0];
}
/**
@@ -1421,17 +1472,17 @@ function getNasIP()
{
global $config;
- if (empty($config['captiveportal']['radiussrcip_attribute']))
- $nasIp = get_interface_ip();
- else {
+ if (empty($config['captiveportal']['radiussrcip_attribute'])) {
+ $nasIp = get_interface_ip();
+ } else {
if (is_ipaddr($config['captiveportal']['radiussrcip_attribute']))
- $nasIp = $config['captiveportal']['radiussrcip_attribute'];
- else
- $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']);
+ $nasIp = $config['captiveportal']['radiussrcip_attribute'];
+ else
+ $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']);
}
- if(!is_ipaddr($nasIp))
- $nasIp = "0.0.0.0";
+ if(!is_ipaddr($nasIp))
+ $nasIp = "0.0.0.0";
return $nasIp;
}
@@ -1460,4 +1511,4 @@ function portal_ip_from_client_ip($cliip) {
return false;
}
-?>
+?> \ No newline at end of file