X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fluci.git;a=blobdiff_plain;f=applications%2Fluci-splash%2Froot%2Fetc%2Finit.d%2Fluci_splash;h=06b4408c658510e87617c3d532dea65beffc9dc0;hp=02fdd8b6a58cd080e6571a8c616230f9e05de414;hb=992bc68b2b9d95d7fa46eeef42a67cd51291701d;hpb=2414448845899ad67c1f4b39885c6e2cfc4a5b47

diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash
index 02fdd8b6a..06b4408c6 100755
--- a/applications/luci-splash/root/etc/init.d/luci_splash
+++ b/applications/luci-splash/root/etc/init.d/luci_splash
@@ -1,5 +1,14 @@
 #!/bin/sh /etc/rc.common
 START=70
+EXTRA_COMMANDS=clear_leases
+SPLASH_INTERFACES=""
+LIMIT_DOWN=0
+LIMIT_DOWN_BURST=0
+LIMIT_UP=0
+
+silent() {
+	"$@" 2>/dev/null
+}
 
 iface_add() {
 	local cfg="$1"
@@ -7,29 +16,186 @@ iface_add() {
 	config_get zone "$cfg" zone
 	[ -n "$zone" ] || return 0
 	
-	config_get gw "$cfg" gateway
-	[ -n "$gw" ] || return 0
+	config_get net "$cfg" network
+	[ -n "$net" ] || return 0
+
+	config_get ifname "$net" ifname
+	[ -n "$ifname" ] || return 0
+	
+	config_get ipaddr "$net" ipaddr
+	[ -n "$ipaddr" ] || return 0
+	
+	config_get netmask "$net" netmask
+	[ -n "$netmask" ] || return 0
 	
-	iptables -t nat -A zone_$zone_prerouting -j luci_splash_portal
+	config_get parentiface "$net" interface
+	[ -n "$parentiface" ] && {
+		config_get parentproto   "$parentiface" proto
+		config_get parentipaddr  "$parentiface" ipaddr
+		config_get parentnetmask "$parentiface" netmask
+	}
 	
-	for i in $gw
-	do
-		iptables -t nat -A luci_splash_portal -d "$i" -p tcp -m multiport --dports 22,80,443 -j RETURN
-	done
+	eval "$(ipcalc.sh $ipaddr $netmask)"
+
+	iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting
+	iptables -t nat -A luci_splash_prerouting -j luci_splash_portal
+
+	iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN
+	iptables -t nat    -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN
+
+	[ "$parentproto" = "static" -a -n "$parentipaddr" ] && {
+		iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
+		iptables -t nat    -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
+	}
+
+	iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p udp --dport 53 -j RETURN
+	iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 22 -j RETURN    # XXX: ssh really needed?
+	iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 80 -j RETURN
+	iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -j REJECT --reject-with icmp-admin-prohibited
+
+	qos_iface_add "$ifname"
+
+	append SPLASH_INTERFACES "$ifname"
+}
+
+iface_del() {
+	config_get zone "$1" zone                                                                
+	[ -n "$zone" ] || return 0
+
+	while iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting 2>&-; do :; done
+
+	config_get net "$1" network
+	[ -n "$net" ] || return 0
+
+	config_get ifname "$net" ifname
+	[ -n "$ifname" ] || return 0
+
+	qos_iface_del "$ifname"
 }
 
 blacklist_add() {
 	local cfg="$1"
 	
 	config_get mac "$cfg" mac
-	[ -n "$mac" ] && iptables -t nat -A luci_splash_portal -m mac --mac-source "$mac" -j DROP
+	[ -n "$mac" ] && {
+		iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j DROP
+		iptables -t nat    -I luci_splash_leases -m mac --mac-source "$mac" -j DROP
+	}
 }
 
 whitelist_add() {
 	local cfg="$1"
 	
 	config_get mac "$cfg" mac
-	[ -n "$mac" ] && iptables -t nat -A luci_splash_portal -m mac --mac-source "$mac" -j RETURN
+	[ -n "$mac" ] && {
+		iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN
+		iptables -t nat    -I luci_splash_leases -m mac --mac-source "$mac" -j RETURN
+	}
+}
+
+lease_add() {
+	local cfg="$1"
+	
+	config_get mac "$cfg" mac
+	config_get ban "$cfg" kicked
+
+	ban=${ban:+DROP}
+
+	[ -n "$mac" ] && {
+		local oIFS="$IFS"; IFS=":"
+		set -- $mac
+		IFS="$oIFS"; unset oIFS
+	
+		local mac_pre="$1$2"
+		local mac_post="$3$4$5$6"
+		local handle="$6"
+
+		iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN
+		iptables -t nat    -I luci_splash_leases -m mac --mac-source "$mac" -j "${ban:-RETURN}"
+
+		[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
+			iptables -t mangle -I luci_splash_mark -m mac --mac-source "$mac" -j MARK --set-mark 79
+
+			for i in $SPLASH_INTERFACES; do
+				tc filter add dev $i parent 77:0 protocol ip prio 2 handle ::$handle u32 \
+					match u16 0x0800 0xFFFF at -2 match u32 0x$mac_post 0xFFFFFFFF at -12 \
+					match u16 0x$mac_pre 0xFFFF at -14 flowid 77:10
+			done
+		}
+	}
+}
+
+subnet_add() {
+	local cfg="$1"
+	
+	config_get ipaddr  "$cfg" ipaddr
+	config_get netmask "$cfg" netmask
+	
+	[ -n "$ipaddr" ] && {
+		iptables -t filter -I luci_splash_filter -d "$ipaddr/${netmask:-32}" -j RETURN
+		iptables -t nat    -I luci_splash_portal -d "$ipaddr/${netmask:-32}" -j RETURN
+	}
+}
+
+qos_iface_add() {
+	local iface="$1"
+
+	# 77 -> download root qdisc
+	# 78 -> upload root qdisc
+	# 79 -> fwmark
+
+	silent tc qdisc del dev "$iface" root handle 77:
+
+	if [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ]; then
+		tc qdisc add dev "$iface" root handle 77: htb
+
+		# assume maximum rate of 20.000 kilobit for wlan
+		tc class add dev "$iface" parent 77: classid 77:1 htb rate 20000kbit
+
+		# set download limit and burst
+		tc class add dev "$iface" parent 77:1 classid 77:10 htb \
+			rate ${LIMIT_DOWN}kb ceil ${LIMIT_DOWN_BURST}kb prio 2
+
+		tc qdisc add dev "$iface" parent 77:10 handle 78: sfq perturb 10
+
+		# adding ingress can result in "File exists" if qos-scripts are active
+		silent tc qdisc add dev "$iface" ingress
+
+		# set client upload speed
+		tc filter add dev "$iface" parent ffff: protocol ip prio 1 \
+			handle 79 fw police rate ${LIMIT_UP}kb mtu 6k burst 6k drop
+	fi	
+}
+
+qos_iface_del() {
+	local iface="$1"
+
+	silent tc qdisc del dev "$iface" root handle 77:
+	silent tc qdisc del dev "$iface" root handle 78:
+	silent tc filter del dev "$iface" parent ffff: protocol ip prio 1 handle 79 fw
+}
+
+boot() {
+	### Setup splash-relay
+	uci get lucid.splashr || {
+uci batch <<EOF
+	set lucid.splashr=daemon
+	set lucid.splashr.slave=httpd
+	add_list lucid.splashr.address=8082
+	add_list lucid.splashr.publisher=splashredir
+	set lucid.splashr.enabled=1
+
+	set lucid.splashredir=Redirector
+	set lucid.splashredir.name=Splashd
+	set lucid.splashredir.virtual='/'
+	set lucid.splashredir.physical=':80/luci/splash'
+
+	commit lucid
+EOF
+	}
+
+	### We are started by the firewall include
+	exit 0
 }
 
 start() {
@@ -38,37 +204,96 @@ start() {
 	scan_interfaces
 	config_load luci_splash
 	
+	### Find QoS limits
+	config_get LIMIT_UP general limit_up
+	config_get LIMIT_DOWN general limit_down
+	config_get LIMIT_DOWN_BURST general limit_down_burst
+
+	LIMIT_UP="${LIMIT_UP:-0}"
+	LIMIT_DOWN="${LIMIT_DOWN:-0}"
+	LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN * 2))}"
+
+	### Load required modules
+	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
+		silent insmod cls_fw
+		silent insmod cls_u32
+		silent insmod sch_htb
+		silent insmod sch_ingress
+	}
+
 	### Create subchains
-	iptables -t nat -N luci_splash
-	iptables -t nat -N luci_splash_portal
-	iptables -t nat -N luci_splash_leases
-	
+	iptables -t filter -N luci_splash_filter
+	iptables -t nat    -N luci_splash_portal
+	iptables -t nat    -N luci_splash_leases
+	iptables -t nat    -N luci_splash_prerouting
+
+	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
+		iptables -t mangle -N luci_splash_mark
+
 	### Build the main and portal rule
+	config_foreach iface_add iface
+	config_foreach subnet_add subnet
 	config_foreach blacklist_add blacklist
 	config_foreach whitelist_add whitelist
-	config_foreach iface_add iface
+	config_foreach lease_add lease
 	
 	### Build the portal rule
+	iptables -t filter -I INPUT      -j luci_splash_filter
+	iptables -t filter -I FORWARD    -j luci_splash_filter
+
+	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
+		iptables -t mangle -I PREROUTING -j luci_splash_mark
+
+	### Allow icmp, dns and traceroute
+	iptables -t nat -A luci_splash_portal -p udp --dport 33434:33523 -j RETURN
+	iptables -t nat -A luci_splash_portal -p icmp -j RETURN
 	iptables -t nat -A luci_splash_portal -p udp --dport 53 -j RETURN
+
+	### Redirect the rest into the lease chain
 	iptables -t nat -A luci_splash_portal -j luci_splash_leases
 	
 	### Build the leases rule
 	iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
-	iptables -t nat -A luci_splash_leases -j DROP
 	
-	### Start the splash httpd
-	start-stop-daemon -S -b -q -x /usr/bin/luci-splashd
+	### Add crontab entry
+	test -f /etc/crontabs/root || touch /etc/crontabs/root
+	grep -q luci-splash /etc/crontabs/root || {
+		echo '*/5 * * * * 	/usr/sbin/luci-splash sync' >> /etc/crontabs/root
+	}
 }
 
-stop() {	
+stop() {
+	### Clear interface rules
+	include /lib/network
+	scan_interfaces
+	config_load luci_splash
+	config_foreach iface_del iface
+
+	silent iptables -t filter -D INPUT      -j luci_splash_filter
+	silent iptables -t filter -D FORWARD    -j luci_splash_filter
+	silent iptables -t mangle -D PREROUTING -j luci_splash_mark
+        
 	### Clear subchains
-	iptables -t nat -F luci_splash_leases
-	iptables -t nat -F luci_splash_portal
-	iptables -t nat -F luci_splash	
+	silent iptables -t nat    -F luci_splash_leases
+	silent iptables -t nat    -F luci_splash_portal
+	silent iptables -t nat    -F luci_splash_prerouting
+	silent iptables -t filter -F luci_splash_filter
+	silent iptables -t mangle -F luci_splash_mark
 	
 	### Delete subchains
-	iptables -t nat -X luci_splash_leases
-	iptables -t nat -X luci_splash_portal
-	iptables -t nat -X luci_splash
+	silent iptables -t nat    -X luci_splash_leases
+	silent iptables -t nat    -X luci_splash_portal
+	silent iptables -t nat    -X luci_splash_prerouting
+	silent iptables -t filter -X luci_splash_filter
+	silent iptables -t mangle -X luci_splash_mark
+	
+	sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
+}
+
+	
+clear_leases() {
+	stop
+	while uci -P /var/state del luci_splash.@lease[0] 2>&-;do :; done
+	start
 }