Feature #12945

Updated by Reid Linnemann about 2 years ago

As indicated by Viktor Gurov: 
 > pfSense_ipfw_*() functions have been rewritten to use shell scripts, which is slow, and can be a serious issue for the large (>1k clients) captive portal installations. These shell scripts should be rewritten as C functions (maybe not all): 
 > pfSense_pf_flush_anchor(): https://gitlab.netgate.com/pfSense/pfSense/-/blob/viktor-captive/src/etc/inc/captiveportal.inc#L1064 
 > pfSense_pf_get_cp_anchor_pipes(): https://gitlab.netgate.com/pfSense/pfSense/-/blob/viktor-captive/src/etc/inc/captiveportal.inc#L1116 
 > pfSense_pf_mod_table(): https://gitlab.netgate.com/pfSense/pfSense/-/blob/viktor-captive/src/etc/inc/captiveportal.inc#L1129 
 > pfSense_pf_get_table_counters(): https://gitlab.netgate.com/pfSense/pfSense/-/blob/viktor-captive/src/etc/inc/captiveportal.inc#L1764 
 > pfSense_pf_anchor_rules(): https://gitlab.netgate.com/pfSense/pfSense/-/blob/viktor-captive/src/etc/inc/captiveportal.inc#L3054 

 Some of these may have been introduced into libpfctl already. 

 For reference: 
 <pre><code class="php"> 
 /* XXX OPTIMIZE: pfSense_pf_flush_anchor($anchor, $type = 'rules/nat/ether') */ 
 mwexec("/sbin/pfctl -a {$cpzoneprefix}_passthrumac/{$host} -F ethernet"); 

 /* XXX OPTIMIZE: pfSense_pf_flush_anchor($anchor, $type = 'rules/nat/ether') */ 
 mwexec("/sbin/pfctl -a {$cpzoneprefix}_{$anchor}/{$host} -F ether"); 

 /* XXX OPTIMIZE: list($pipeup, $pipedown) = pfSense_pf_get_cp_anchor_pipes($anchor); */ 
 $pipeup = mwexec("/sbin/pfctl -a {$cpzoneprefix}_{$anchor}/{$host} -se | cut -d' ' -f 17 | head -n1"); 

 /* XXX OPTIMIZE: list($pipeup, $pipedown) = pfSense_pf_get_cp_anchor_pipes($anchor) */ 
 exec("/sbin/pfctl -a {$cpzoneprefix}_{$anchor}mac/{$host} -se | awk -F'[()]' '{print $2; exit}'", $result, $retval); 

 /* XXX OPTIMIZE: array('output_pkts', 'output_bytes', 'input_pkts', 'input_bytes') = pfSense_pf_get_table_counters($table) */ 
 exec("/sbin/pfctl -a {$anchor}/{$ip} -se -v 2>/dev/null | grep Bytes", $result); 

 /* I believe this was the aforementioned pfSense_pf_anchor_rules */ 
 function captiveportal_anchor_zerocnt($ip, $anchor = 'auth') { 
	 global $config, $cpzone; 
	 $cpzoneprefix = CPPREFIX . $config['captiveportal'][$cpzone]['zoneid']; 

	 mwexec("/sbin/pfctl -z -a {$cpzoneprefix}_{$anchor}/{$ip}"); 
 } 
 </code></pre> 
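
Short of the C functions requested above, the field extraction done by `cut`, `head`, `awk` and `grep` can be performed in PHP with `pfctl` started directly, so each call spawns one process and the anchor path is passed as a single argument rather than interpolated into a shell string. This is an added example, not pfSense code: the `cp_*` helper names are hypothetical and the sample lines are constructed.

```php
<?php
/* Added example, not pfSense code; cp_* helper names are hypothetical. */

/* Run a command directly (array form of proc_open, PHP >= 7.4, no /bin/sh)
 * and return stdout as lines; stderr is discarded like 2>/dev/null. */
function cp_run_lines(array $argv): array {
	$spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
	$proc = proc_open($argv, $spec, $pipes);
	if (!is_resource($proc)) {
		return [];
	}
	$out = stream_get_contents($pipes[1]);
	fclose($pipes[1]);
	proc_close($proc);
	return ($out === false || $out === '') ? [] : explode("\n", rtrim($out, "\n"));
}

/* Same result as: cut -d' ' -f $n | head -n1 */
function cp_first_line_field(array $lines, int $n): string {
	if (!$lines) {
		return '';
	}
	if (strpos($lines[0], ' ') === false) {
		return $lines[0];	/* cut prints a line with no delimiter unchanged */
	}
	return explode(' ', $lines[0])[$n - 1] ?? '';
}

/* Same result as: awk -F'[()]' '{print $2; exit}' */
function cp_first_line_paren(array $lines): string {
	return $lines ? (preg_split('/[()]/', $lines[0])[1] ?? '') : '';
}

/* Same result as: grep Bytes */
function cp_grep(array $lines, string $needle): array {
	return array_values(array_filter($lines, fn($l) => strpos($l, $needle) !== false));
}

/* Constructed lines, not captured pfctl output; only field positions matter. */
$sample = [implode(' ', range(1, 20)), 'rule (2000 2001) tail', '  [ Bytes: 0 ]'];
echo cp_first_line_field($sample, 17), "\n";
echo cp_first_line_paren([$sample[1]]), "\n";
echo implode("\n", cp_grep($sample, 'Bytes')), "\n";

/* On a firewall, with $cpzoneprefix, $anchor and $host as in the snippets above:
 * $lines = cp_run_lines(['/sbin/pfctl', '-a', "{$cpzoneprefix}_{$anchor}/{$host}", '-se']);
 * $pipeup = cp_first_line_field($lines, 17); */
```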
