3 utl = require "luci.util"
4 sys = require "luci.sys"
6 require("luci.model.uci")
7 require("luci.sys.iptparser")
10 local uci = luci.model.uci.cursor_state()
11 local ipt = luci.sys.iptparser.IptParser()
13 local fs = require "luci.fs"
14 local ip = require "luci.ip"
18 local has_ipv6 = fs.access("/proc/net/ipv6_route") and fs.access("/usr/sbin/ip6tables")
21 os.execute("lock /var/run/luci_splash.lock")
25 os.execute("lock -u /var/run/luci_splash.lock")
30 local ret = sys.exec(cmd)
32 if ret and ret ~= "" then
36 local ret = sys.exec(cmd .. " &> /dev/null")
41 local o3, o4 = ip:match("[0-9]+%.[0-9]+%.([0-9]+)%.([0-9]+)")
43 return string.format("%02X%s", tonumber(o3), "") .. string.format("%02X%s", tonumber(o4), "")
49 function update_stats(leased, whitelisted, whitelisttotal, blacklisted, blacklisttotal)
50 local leases = uci:get_all("luci_splash_leases", "stats")
51 uci:delete("luci_splash_leases", "stats")
52 uci:section("luci_splash_leases", "stats", "stats", {
53 leases = leased or (leases and leases.leases) or 0,
54 whitelisttotal = whitelisttotal or (leased and leases.whitelisttotal) or 0,
55 whitelistonline = whitelisted or (leases and leases.whitelistonline) or 0,
56 blacklisttotal = blacklisttotal or (leases and leases.blacklisttotal) or 0,
57 blacklistonline = blacklisted or (leases and leases.blacklistonline) or 0,
59 uci:save("luci_splash_leases")
62 function get_device_for_ip(ipaddr)
64 uci:foreach("network", "interface", function(s)
65 if s.ipaddr and s.netmask then
66 local network = ip.IPv4(s.ipaddr, s.netmask)
67 if network:contains(ip.IPv4(ipaddr)) then
68 -- this should be rewritten to luci functions if possible
69 dev = utl.trim(sys.exec(". /lib/functions/network.sh; network_get_device IFNAME '" .. s['.name'] .. "'; echo $IFNAME"))
76 function get_physdev(interface)
78 dev = utl.trim(sys.exec(". /lib/functions/network.sh; network_get_device IFNAME '" .. interface .. "'; echo $IFNAME"))
84 function get_filter_handle(parent, direction, device, mac)
85 local input = utl.split(sys.exec('/usr/sbin/tc filter show dev ' .. device .. ' parent ' .. parent) or {})
88 for k, v in pairs(input) do
89 handle = v:match('filter protocol ip pref %d+ u32 fh (%d*:%d*:%d*) order') or v:match('filter protocol all pref %d+ u32 fh (%d*:%d*:%d*) order')
91 local mac, mac1, mac2, mac3, mac4, mac5, mac6
92 if direction == 'src' then
93 mac1, mac2, mac3, mac4 = input[k+1]:match('match ([%a%d][%a%d])([%a%d][%a%d])([%a%d][%a%d])([%a%d][%a%d])/ffffffff')
94 mac5, mac6 = input[k+2]:match('match ([%a%d][%a%d])([%a%d][%a%d])0000/ffff0000')
96 mac1, mac2 = input[k+1]:match('match 0000([%a%d][%a%d])([%a%d][%a%d])/0000ffff')
97 mac3, mac4, mac5, mac6 = input[k+2]:match('match ([%a%d][%a%d])([%a%d][%a%d])([%a%d][%a%d])([%a%d][%a%d])/ffffffff')
99 if mac1 and mac2 and mac3 and mac4 and mac5 and mac6 then
100 mac = "%s:%s:%s:%s:%s:%s" % { mac1, mac2, mac3, mac4, mac5, mac6 }
111 function macvalid(mac)
112 if mac and mac:match(
113 "^[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]:" ..
114 "[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]:" ..
115 "[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]$"
123 function ipvalid(ipaddr)
125 return ip.IPv4(ipaddr) and true or false
132 local cmd = table.remove(argv, 1)
135 limit_up = (tonumber(uci:get("luci_splash", "general", "limit_up")) or 0) * 8
136 limit_down = (tonumber(uci:get("luci_splash", "general", "limit_down")) or 0) * 8
138 if ( cmd == "lease" or cmd == "add-rules" or cmd == "remove" or
139 cmd == "whitelist" or cmd == "blacklist" or cmd == "status" ) and #argv > 0
141 if not (macvalid(arg) or ipvalid(arg)) then
142 print("Invalid argument. The second argument must " ..
143 "be a valid IPv4 or Mac Address.")
149 local arp_cache = net.arptable()
150 local leased_macs = get_known_macs("lease")
151 local blacklist_macs = get_known_macs("blacklist")
152 local whitelist_macs = get_known_macs("whitelist")
154 for i, adr in ipairs(argv) do
156 if adr:find(":") then
159 for _, e in ipairs(arp_cache) do
160 if e["IP address"] == adr then
161 mac = e["HW address"]:lower()
167 if mac and cmd == "add-rules" then
168 if leased_macs[mac] then
169 add_lease(mac, arp_cache, true)
170 elseif blacklist_macs[mac] then
171 add_blacklist_rule(mac)
172 elseif whitelist_macs[mac] then
173 add_whitelist_rule(mac)
175 elseif mac and cmd == "status" then
176 print(leased_macs[mac] and "lease"
177 or whitelist_macs[mac] and "whitelist"
178 or blacklist_macs[mac] and "blacklist"
180 elseif mac and ( cmd == "whitelist" or cmd == "blacklist" or cmd == "lease" ) then
181 if cmd ~= "lease" and leased_macs[mac] then
182 print("Removing %s from leases" % mac)
184 leased_macs[mac] = nil
187 if cmd ~= "whitelist" and whitelist_macs[mac] then
188 if cmd == "lease" then
189 print('%s is whitelisted. Remove it before you can lease it.' % mac)
191 print("Removing %s from whitelist" % mac)
192 remove_whitelist(mac)
193 whitelist_macs[mac] = nil
197 if cmd == "whitelist" and leased_macs[mac] then
198 print("Removing %s from leases" % mac)
200 leased_macs[mac] = nil
203 if cmd ~= "blacklist" and blacklist_macs[mac] then
204 print("Removing %s from blacklist" % mac)
205 remove_blacklist(mac)
206 blacklist_macs[mac] = nil
209 if cmd == "lease" and not leased_macs[mac] then
210 if not whitelist_macs[mac] then
211 print("Adding %s to leases" % mac)
213 leased_macs[mac] = true
215 elseif cmd == "whitelist" and not whitelist_macs[mac] then
216 print("Adding %s to whitelist" % mac)
218 whitelist_macs[mac] = true
219 elseif cmd == "blacklist" and not blacklist_macs[mac] then
220 print("Adding %s to blacklist" % mac)
222 blacklist_macs[mac] = true
224 print("The mac %s is already %sed" %{ mac, cmd })
226 elseif mac and cmd == "remove" then
227 if leased_macs[mac] then
228 print("Removing %s from leases" % mac)
230 leased_macs[mac] = nil
231 elseif whitelist_macs[mac] then
232 print("Removing %s from whitelist" % mac)
233 remove_whitelist(mac)
234 whitelist_macs[mac] = nil
235 elseif blacklist_macs[mac] then
236 print("Removing %s from blacklist" % mac)
237 remove_blacklist(mac)
238 blacklist_macs[mac] = nil
240 print("The mac %s is not known" % mac)
243 print("Can not find mac for ip %s" % argv[i])
249 elseif cmd == "sync" then
252 elseif cmd == "list" then
257 print("\n luci-splash list\n List connected, black- and whitelisted clients")
258 print("\n luci-splash sync\n Synchronize firewall rules and clear expired leases")
259 print("\n luci-splash lease <MAC-or-IP>\n Create a lease for the given address")
260 print("\n luci-splash blacklist <MAC-or-IP>\n Add given address to blacklist")
261 print("\n luci-splash whitelist <MAC-or-IP>\n Add given address to whitelist")
262 print("\n luci-splash remove <MAC-or-IP>\n Remove given address from the lease-, black- or whitelist")
269 -- Get current arp cache
270 function get_arpcache()
272 for _, entry in ipairs(net.arptable()) do
273 arpcache[entry["HW address"]:lower()] = { entry["Device"]:lower(), entry["IP address"]:lower() }
278 -- Get a list of known mac addresses
279 function get_known_macs(list)
280 local leased_macs = { }
282 if not list or list == "lease" then
283 uci:foreach("luci_splash_leases", "lease",
284 function(s) leased_macs[s.mac:lower()] = true end)
287 if not list or list == "whitelist" then
288 uci:foreach("luci_splash", "whitelist",
289 function(s) leased_macs[s.mac:lower()] = true end)
292 if not list or list == "blacklist" then
293 uci:foreach("luci_splash", "blacklist",
294 function(s) leased_macs[s.mac:lower()] = true end)
301 -- Helper to delete iptables rules
302 function ipt_delete_all(args, comp, off)
304 for i, r in ipairs(ipt:find(args)) do
305 if comp == nil or comp(r) then
306 off[r.table] = off[r.table] or { }
307 off[r.table][r.chain] = off[r.table][r.chain] or 0
309 exec("iptables -t %q -D %q %d 2>/dev/null"
310 %{ r.table, r.chain, r.index - off[r.table][r.chain] })
312 off[r.table][r.chain] = off[r.table][r.chain] + 1
317 function ipt6_delete_all(args, comp, off)
319 for i, r in ipairs(ipt:find(args)) do
320 if comp == nil or comp(r) then
321 off[r.table] = off[r.table] or { }
322 off[r.table][r.chain] = off[r.table][r.chain] or 0
324 exec("ip6tables -t %q -D %q %d 2>/dev/null"
325 %{ r.table, r.chain, r.index - off[r.table][r.chain] })
327 off[r.table][r.chain] = off[r.table][r.chain] + 1
333 -- Convert mac to uci-compatible section name
334 function convert_mac_to_secname(mac)
335 return string.gsub(mac, ":", "")
338 -- Add a lease to state and invoke add_rule
339 function add_lease(mac, arp, no_uci)
342 -- Get current ip address
344 for _, entry in ipairs(arp or net.arptable()) do
345 if entry["HW address"]:lower() == mac then
346 ipaddr = entry["IP address"]
351 -- Add lease if there is an ip addr
353 local device = get_device_for_ip(ipaddr)
355 local leased = uci:get("luci_splash_leases", "stats", "leases")
356 if type(tonumber(leased)) == "number" then
357 update_stats(leased + 1, nil, nil, nil, nil)
360 uci:section("luci_splash_leases", "lease", convert_mac_to_secname(mac), {
365 limit_down = limit_down,
368 uci:save("luci_splash_leases")
370 add_lease_rule(mac, ipaddr, device)
372 print("Found no active IP for %s, lease not added" % mac)
377 -- Remove a lease from state and invoke remove_rule
378 function remove_lease(mac)
381 uci:delete_all("luci_splash_leases", "lease",
383 if s.mac:lower() == mac then
384 remove_lease_rule(mac, s.ipaddr, s.device, tonumber(s.limit_up), tonumber(s.limit_down))
385 local leased = uci:get("luci_splash_leases", "stats", "leases")
386 if type(tonumber(leased)) == "number" and tonumber(leased) > 0 then
387 update_stats(leased - 1, nil, nil, nil, nil)
394 uci:save("luci_splash_leases")
398 -- Add a whitelist entry
399 function add_whitelist(mac)
400 uci:section("luci_splash", "whitelist", convert_mac_to_secname(mac), { mac = mac })
401 uci:save("luci_splash")
402 uci:commit("luci_splash")
403 add_whitelist_rule(mac)
407 -- Add a blacklist entry
408 function add_blacklist(mac)
409 uci:section("luci_splash", "blacklist", convert_mac_to_secname(mac), { mac = mac })
410 uci:save("luci_splash")
411 uci:commit("luci_splash")
412 add_blacklist_rule(mac)
416 -- Remove a whitelist entry
417 function remove_whitelist(mac)
419 uci:delete_all("luci_splash", "whitelist",
420 function(s) return not s.mac or s.mac:lower() == mac end)
421 uci:save("luci_splash")
422 uci:commit("luci_splash")
423 remove_lease_rule(mac)
424 remove_whitelist_tc(mac)
427 function remove_whitelist_tc(mac)
428 uci:foreach("luci_splash", "iface", function(s)
429 local device = get_physdev(s['.name'])
430 if device and device ~= "" then
432 print("Removing whitelist filters for %s interface %s." % {mac, device})
434 local handle = get_filter_handle('ffff:', 'src', device, mac)
436 exec('tc filter del dev "%s" parent ffff: protocol ip prio 1 handle %s u32' % { device, handle })
438 print('Warning! Could not get a handle for %s parent :ffff on interface %s' % { mac, device })
440 local handle = get_filter_handle('1:', 'dest', device, mac)
442 exec('tc filter del dev "%s" parent 1:0 protocol ip prio 1 handle %s u32' % { device, handle })
444 print('Warning! Could not get a handle for %s parent 1:0 on interface %s' % { mac, device })
450 -- Remove a blacklist entry
451 function remove_blacklist(mac)
453 uci:delete_all("luci_splash", "blacklist",
454 function(s) return not s.mac or s.mac:lower() == mac end)
455 uci:save("luci_splash")
456 uci:commit("luci_splash")
457 remove_lease_rule(mac)
461 -- Add an iptables rule
462 function add_lease_rule(mac, ipaddr, device)
468 exec("iptables -t mangle -I luci_splash_mark_out -m mac --mac-source %q -j RETURN" % mac)
470 -- Mark incoming packets to a splashed host
471 -- for ipv4 - by iptables and destination
472 if id and device then
473 exec("iptables -t mangle -I luci_splash_mark_in -d %q -j MARK --set-mark 0x1%s -m comment --comment %s" % {ipaddr, id, mac:upper()})
476 --for ipv6: need to use the mac here
478 exec("ip6tables -t mangle -I luci_splash_mark_out -m mac --mac-source %q -j MARK --set-mark 79" % mac)
479 if id and device and tonumber(limit_down) then
480 exec("tc filter add dev %s parent 1:0 protocol ipv6 prio 1 u32 match ether dst %s classid 1:%s" % {device, mac:lower(), id})
485 if device and tonumber(limit_up) > 0 then
486 exec('tc filter add dev "%s" parent ffff: protocol all prio 2 u32 match ether src %s police rate %skbit mtu 6k burst 6k drop' % {device, mac, limit_up})
489 if id and device and tonumber(limit_down) > 0 then
490 exec("tc class add dev %s parent 1: classid 1:0x%s htb rate %skbit" % { device, id, limit_down })
491 exec("tc qdisc add dev %s parent 1:%s sfq perturb 10" % { device, id })
494 exec("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
495 exec("iptables -t nat -I luci_splash_leases -m mac --mac-source %q -j RETURN" % mac)
497 exec("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
502 -- Remove lease, black- or whitelist rules
503 function remove_lease_rule(mac, ipaddr, device, limit_up, limit_down)
510 ipt_delete_all({table="mangle", chain="luci_splash_mark_in", options={"/*", mac:upper()}})
511 ipt_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", mac:upper()}})
512 ipt_delete_all({table="filter", chain="luci_splash_filter", options={"MAC", mac:upper()}})
513 ipt_delete_all({table="nat", chain="luci_splash_leases", options={"MAC", mac:upper()}})
515 ipt6_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", mac:upper()}})
516 ipt6_delete_all({table="filter", chain="luci_splash_filter", options={"MAC", mac:upper()}})
519 if device and tonumber(limit_up) > 0 then
520 local handle = get_filter_handle('ffff:', 'src', device, mac)
522 exec('tc filter del dev "%s" parent ffff: protocol all prio 2 handle %s u32 police rate %skbit mtu 6k burst 6k drop' % {device, handle, limit_up})
524 print('Warning! Could not get a handle for %s parent :ffff on interface %s' % { mac, device })
528 -- remove clients class
529 if device and id then
530 exec('tc class del dev "%s" classid 1:%s' % {device, id})
531 exec('tc filter del dev "%s" parent 1:0 prio 1' % device) -- ipv6 rule
532 --exec('tc qdisc del dev "%s" parent 1:%s sfq perturb 10' % { device, id })
538 -- Add whitelist rules
539 function add_whitelist_rule(mac)
540 exec("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
541 exec("iptables -t nat -I luci_splash_leases -m mac --mac-source %q -j RETURN" % mac)
543 exec("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
545 uci:foreach("luci_splash", "iface", function(s)
546 local device = get_physdev(s['.name'])
547 if device and device ~= "" then
548 exec('tc filter add dev "%s" parent ffff: protocol ip prio 1 u32 match ether src %s police pass' % { device, mac })
549 exec('tc filter add dev "%s" parent 1:0 protocol ip prio 1 u32 match ether dst %s classid 1:1' % { device, mac })
555 -- Add blacklist rules
556 function add_blacklist_rule(mac)
557 exec("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j DROP" % mac)
559 exec("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j DROP" % mac)
564 -- Synchronise leases, remove abandoned rules
568 local time = os.time()
570 -- Current leases in state files
571 local leases = uci:get_all("luci_splash_leases")
573 -- Convert leasetime to seconds
574 local leasetime = tonumber(uci:get("luci_splash", "general", "leasetime")) * 3600
577 uci:load("luci_splash_leases")
578 uci:revert("luci_splash_leases")
581 -- Get the mac addresses of current leases
582 local macs = get_known_macs()
583 local arpcache = get_arpcache()
585 local blackwhitelist = uci:get_all("luci_splash")
586 local whitelist_total = 0
587 local whitelist_online = 0
588 local blacklist_total = 0
589 local blacklist_online = 0
594 local leases_online = 0
595 for k, v in pairs(leases) do
596 if v[".type"] == "lease" then
597 if os.difftime(time, tonumber(v.start)) > leasetime then
599 remove_lease_rule(v.mac, v.ipaddr, v.device, tonumber(v.limit_up), tonumber(v.limit_down))
601 leasecount = leasecount + 1
603 -- only count leases_online for connected clients
604 if arpcache[v.mac] then
605 leases_online = leases_online + 1
609 uci:section("luci_splash_leases", "lease", convert_mac_to_secname(v.mac), {
614 limit_down = limit_down,
621 -- Whitelist, Blacklist
622 for _, s in utl.spairs(blackwhitelist,
623 function(a,b) return blackwhitelist[a][".type"] > blackwhitelist[b][".type"] end
625 if (s[".type"] == "whitelist") then
626 whitelist_total = whitelist_total + 1
628 local mac = s.mac:lower()
629 if arpcache[mac] then
630 whitelist_online = whitelist_online + 1
634 if (s[".type"] == "blacklist") then
635 blacklist_total = blacklist_total + 1
637 local mac = s.mac:lower()
638 if arpcache[mac] then
639 blacklist_online = blacklist_online + 1
646 -- include a new field "leases_online" in stats to differ between active clients and leases:
647 -- update_stats(leasecount, leases_online, whitelist_online, whitelist_total, blacklist_online, blacklist_total) later:
648 update_stats(leases_online, whitelist_online, whitelist_total, blacklist_online, blacklist_total)
650 uci:save("luci_splash_leases")
654 ipt_delete_all({table="filter", chain="luci_splash_filter", options={"MAC"}},
655 function(r) return not macs[r.options[2]:lower()] end)
656 ipt_delete_all({table="nat", chain="luci_splash_leases", options={"MAC"}},
657 function(r) return not macs[r.options[2]:lower()] end)
658 ipt_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", "MARK", "set"}},
659 function(r) return not macs[r.options[2]:lower()] end)
660 ipt_delete_all({table="mangle", chain="luci_splash_mark_in", options={"/*", "MARK", "set"}},
661 function(r) return not macs[r.options[2]:lower()] end)
665 ipt6_delete_all({table="filter", chain="luci_splash_filter", options={"MAC"}},
666 function(r) return not macs[r.options[2]:lower()] end)
667 ipt6_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", "MARK", "set"}},
668 function(r) return not macs[r.options[2]:lower()] end)
676 local arpcache = get_arpcache()
677 -- Find traffic usage
678 local function traffic(lease)
680 local traffic_out = 0
682 local rin = ipt:find({table="mangle", chain="luci_splash_mark_in", destination=lease.ipaddr})
683 local rout = ipt:find({table="mangle", chain="luci_splash_mark_out", options={"MAC", lease.mac:upper()}})
685 if rin and #rin > 0 then traffic_in = math.floor( rin[1].bytes / 1024) end
686 if rout and #rout > 0 then traffic_out = math.floor(rout[1].bytes / 1024) end
688 return traffic_in, traffic_out
692 local leases = uci:get_all("luci_splash_leases")
693 local blackwhitelist = uci:get_all("luci_splash")
696 "%-17s %-15s %-9s %-4s %-7s %20s",
697 "MAC", "IP", "State", "Dur.", "Intf.", "Traffic down/up"
701 for _, s in pairs(leases) do
702 if s[".type"] == "lease" and s.mac then
703 local ti, to = traffic(s)
704 local mac = s.mac:lower()
705 local arp = arpcache[mac]
707 "%-17s %-15s %-9s %3dm %-7s %7dKB %7dKB",
708 mac, s.ipaddr, "leased",
709 math.floor(( os.time() - tonumber(s.start) ) / 60),
710 arp and arp[1] or "?", ti, to
715 -- Whitelist, Blacklist
716 for _, s in utl.spairs(blackwhitelist,
717 function(a,b) return blackwhitelist[a][".type"] > blackwhitelist[b][".type"] end
719 if (s[".type"] == "whitelist" or s[".type"] == "blacklist") and s.mac then
720 local mac = s.mac:lower()
721 local arp = arpcache[mac]
723 "%-17s %-15s %-9s %4s %-7s %9s %9s",
724 mac, arp and arp[2] or "?", s[".type"],
725 "- ", arp and arp[1] or "?", "-", "-"
projects / project / luci.git / blob