/etc/inc/captiveportal.inc - Diff - pfSense - pfSense bugtracker

« Previous | Next »

Revision 769e254e

Added by Ermal LUÇI almost 15 years ago

ID 769e254ee1316fb5d4a9429a37f44b6d8955fe55
Parent e00ec007
Child 1ea67f2e

Do not reconfigure CP on every event of interfaces or while reloading the webGUI. Create 2 new function to just rewrite rules and restart the webserver for CP repctively for interface events and webGUI restart events.

     	$captiveportallck = lock('captiveportal');
     	$cpactive = false;
     	if (isset($config['captiveportal']['enable'])) {
     		$cpips = array();
     		$ifaces = get_configured_interface_list();
     		foreach ($ifaces as $kiface => $kiface2) {
     			$tmpif = get_real_interface($kiface);
     			pfSense_interface_flags($tmpif, -IFF_IPFW_FILTER);
+    		}
     		$cpinterfaces = explode(",", $config['captiveportal']['interface']);
     		$firsttime = 0;
     		foreach ($cpinterfaces as $cpifgrp) {
     			if (!isset($ifaces[$cpifgrp]))
     				continue;
     			$tmpif = get_real_interface($cpifgrp);
     			if (!empty($tmpif)) {
     				if ($firsttime > 0)
     					$cpinterface .= " or ";
     				$cpinterface .= "via {$tmpif}";
     				$firsttime = 1;
     				$cpipm = get_interface_ip($cpifgrp);
     				if (is_ipaddr($cpipm)) {
     					$carpif = link_ip_to_carp_interface($cpipm);
     					if (!empty($carpif)) {
     						$carpsif = explode(" ", $carpif);
     						foreach ($carpsif as $cpcarp) {
     							pfSense_interface_flags($cpcarp, IFF_IPFW_FILTER);
     							$carpip = find_interface_ip($cpcarp);
     							if (is_ipaddr($carpip))
     								$cpips[] = $carpip;
+    						}
+    					}
     					$cpips[] = $cpipm;
     					pfSense_interface_flags($tmpif, IFF_IPFW_FILTER);
+    				}
+    			}
+    		}
     		if (count($cpips) > 0) {
     			$cpactive = true;
     			$cpinterface = "{ {$cpinterface} } ";
+    		}
+    	}
     	if ($cpactive == true) {
     		if ($g['booting'])
     			echo "Starting captive portal... ";
-...
     		unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db");
     		unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db");
     		unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db");
     		mwexec("/sbin/ipfw -q table all flush", true);
     		/* setup new database in case someone tries to access the status -> captive portal page */
     		touch("{$g['vardb_path']}/captiveportal.db");
-...
     		/* kill any running minicron */
     		killbypid("{$g['varrun_path']}/minicron.pid");
     		/* make sure ipfw is loaded */
     		if (!is_module_loaded("ipfw.ko"))
     			filter_load_ipfw();
     		/* Always load dummynet now that even allowed ip and mac passthrough use it. */
     		if (!is_module_loaded("dummynet.ko"))
                             mwexec("/sbin/kldload dummynet");
     		/* generate ipfw rules */
     		/* init dummynet/ipfw rules number database */
     		captiveportal_init_ipfw_ruleno();
     		$cprules = captiveportal_rules_generate($cpinterface, $cpips);
     		$cprules .= "\n";
     		/* generate passthru mac database */
     		$cprules .= captiveportal_passthrumac_configure(true);
     		$cprules .= "\n";
     		/* allowed ipfw rules to make allowed ip work */
     		$cprules .= captiveportal_allowedip_configure();
     		/* init ipfw rules */
     		captiveportal_init_rules();
     		/* stop accounting on all clients */
     		captiveportal_radius_stop_all(true);
-...
     		/* write elements */
     		captiveportal_write_elements();
     		/* load rules */
     		mwexec("/sbin/ipfw -q flush");
     		/* ipfw cannot accept rules directly on stdin,
     		   so we have to write them to a temporary file first */
     		$fd = @fopen("{$g['tmp_path']}/ipfw.cp.rules", "w");
     		if (!$fd) {
     			printf("Cannot open ipfw.cp.rules in captiveportal_configure()\n");
     			return 1;
+    		}
     		fwrite($fd, $cprules);
     		fclose($fd);
     		mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules");
     		@unlink("{$g['tmp_path']}/ipfw.cp.rules");
     		/* filter on layer2 as well so we can check MAC addresses */
     		mwexec("/sbin/sysctl net.link.ether.ipfw=1");
     		chdir($g['captiveportal_path']);
     		if ($config['captiveportal']['maxproc'])
     			$maxproc = $config['captiveportal']['maxproc'];
     		else
     			$maxproc = 16;
     		$use_fastcgi = true;
     		if(isset($config['captiveportal']['httpslogin'])) {
     			$cert = base64_decode($config['captiveportal']['certificate']);
     			if (isset($config['captiveportal']['cacertificate']))
     				$cacert = base64_decode($config['captiveportal']['cacertificate']);
     			else
     				$cacert = "";
     			$key = base64_decode($config['captiveportal']['private-key']);
     			/* generate lighttpd configuration */
     			system_generate_lighty_config("{$g['varetc_path']}/lighty-CaptivePortal-SSL.conf",
     				$cert, $key, $cacert, "lighty-CaptivePortal-ssl.pid", "8001", "/usr/local/captiveportal/",
     					"cert-portal.pem", "ca-portal.pem", "1", $maxproc, $use_fastcgi, true);
+    		}
     		/* generate lighttpd configuration */
     		system_generate_lighty_config("{$g['varetc_path']}/lighty-CaptivePortal.conf",
     			"", "", "", "lighty-CaptivePortal.pid", "8000", "/usr/local/captiveportal/",
     				"cert-portal.pem", "ca-portal.pem", "1", $maxproc, $use_fastcgi, true);
     		/* attempt to start lighttpd */
     		$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-CaptivePortal.conf");
     		/* fire up https instance */
     		if(isset($config['captiveportal']['httpslogin']))
     			$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-CaptivePortal-SSL.conf");
     		/* start up the webserving daemon */
     		captiveportal_init_webgui();
     		/* start pruning process (interval defaults to 60 seconds) */
     		mwexec("/usr/local/bin/minicron $croninterval {$g['varrun_path']}/minicron.pid " .
-...
     	return 0;
+    }
     function captiveportal_rules_generate($cpif, &$cpiparray) {
     function captiveportal_init_webgui() {
     	global $g, $config;
     	 if (!isset($config['captiveportal']['enable']))
                     return;
     	if ($config['captiveportal']['maxproc'])
     		$maxproc = $config['captiveportal']['maxproc'];
     	else
     		$maxproc = 16;
     	$use_fastcgi = true;
     	if (isset($config['captiveportal']['httpslogin'])) {
     		$cert = base64_decode($config['captiveportal']['certificate']);
     		if (isset($config['captiveportal']['cacertificate']))
     			$cacert = base64_decode($config['captiveportal']['cacertificate']);
     		else
     			$cacert = "";
     		$key = base64_decode($config['captiveportal']['private-key']);
     		/* generate lighttpd configuration */
     		system_generate_lighty_config("{$g['varetc_path']}/lighty-CaptivePortal-SSL.conf",
     			$cert, $key, $cacert, "lighty-CaptivePortal-ssl.pid", "8001", "/usr/local/captiveportal/",
     			"cert-portal.pem", "ca-portal.pem", "1", $maxproc, $use_fastcgi, true);
+    	}
     	/* generate lighttpd configuration */
     	system_generate_lighty_config("{$g['varetc_path']}/lighty-CaptivePortal.conf",
     		"", "", "", "lighty-CaptivePortal.pid", "8000", "/usr/local/captiveportal/",
     		"cert-portal.pem", "ca-portal.pem", "1", $maxproc, $use_fastcgi, true);
     	/* attempt to start lighttpd */
     	$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-CaptivePortal.conf");
     	/* fire up https instance */
     	if (isset($config['captiveportal']['httpslogin']))
     		$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-CaptivePortal-SSL.conf");
+    }
     function captiveportal_init_rules() {
     	global $config, $g;
     	if (!isset($config['captiveportal']['enable']))
     		return;
     	$cpips = array();
     	$ifaces = get_configured_interface_list();
     	foreach ($ifaces as $kiface => $kiface2) {
     		$tmpif = get_real_interface($kiface);
     		pfSense_interface_flags($tmpif, -IFF_IPFW_FILTER);
+    	}
     	$cpinterfaces = explode(",", $config['captiveportal']['interface']);
     	$firsttime = 0;
     	foreach ($cpinterfaces as $cpifgrp) {
     		if (!isset($ifaces[$cpifgrp]))
     			continue;
     		$tmpif = get_real_interface($cpifgrp);
     		if (!empty($tmpif)) {
     			if ($firsttime > 0)
     				$cpinterface .= " or ";
     			$cpinterface .= "via {$tmpif}";
     			$firsttime = 1;
     			$cpipm = get_interface_ip($cpifgrp);
     			if (is_ipaddr($cpipm)) {
     				$carpif = link_ip_to_carp_interface($cpipm);
     				if (!empty($carpif)) {
     					$carpsif = explode(" ", $carpif);
     					foreach ($carpsif as $cpcarp) {
     						pfSense_interface_flags($cpcarp, IFF_IPFW_FILTER);
     						$carpip = find_interface_ip($cpcarp);
     						if (is_ipaddr($carpip))
     							$cpips[] = $carpip;
+    					}
+    				}
     				$cpips[] = $cpipm;
     				pfSense_interface_flags($tmpif, IFF_IPFW_FILTER);
+    			}
+    		}
+    	}
     	if (count($cpips) > 0) {
     		$cpactive = true;
     		$cpinterface = "{ {$cpinterface} } ";
             } else
     		return false;
     	/* make sure ipfw is loaded */
     	if (!is_module_loaded("ipfw.ko"))
     		filter_load_ipfw();
     	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
     	if (!is_module_loaded("dummynet.ko"))
     		mwexec("/sbin/kldload dummynet");
     	$cprules =  "add 65291 set 1 allow pfsync from any to any\n";
     	$cprules .= "add 65292 set 1 allow carp from any to any\n";
-...
     	$rulenum = 65310;
     	$ips = "255.255.255.255 ";
     	foreach ($cpiparray as $cpip)
     	foreach ($cpips as $cpip)
     		$ips .= "or {$cpip} ";
     	$ips = "{ {$ips} }";
     	//# allow access to our DHCP server (which needs to be able to ping clients as well)
-...
     EOD;
         return $cprules;
     	/* generate passthru mac database */
     	$cprules .= captiveportal_passthrumac_configure(true);
     	$cprules .= "\n";
     	/* allowed ipfw rules to make allowed ip work */
     	$cprules .= captiveportal_allowedip_configure();
     	/* load rules */
     	$cprules = "table all flush\nflush\n{$cprules}";
     	if (file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules)) {
     		mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true);
     		//@unlink("{$g['tmp_path']}/ipfw.cp.rules");
+    	}
     	/* filter on layer2 as well so we can check MAC addresses */
     	mwexec("/sbin/sysctl net.link.ether.ipfw=1");
     	return $cprules;
+    }
     /* remove clients that have been around for longer than the specified amount of time */
-...
+    }
     function captiveportal_write_elements() {
         global $g, $config;
         /* delete any existing elements */
         if (is_dir($g['captiveportal_element_path'])) {
             $dh = opendir($g['captiveportal_element_path']);
             while (($file = readdir($dh)) !== false) {
                 if ($file != "." && $file != "..")
                     unlink($g['captiveportal_element_path'] . "/" . $file);
+            }
             closedir($dh);
         } else {
             @mkdir($g['captiveportal_element_path']);
+        }
     	global $g, $config;
     	/* delete any existing elements */
     	if (is_dir($g['captiveportal_element_path'])) {
     		$dh = opendir($g['captiveportal_element_path']);
     		while (($file = readdir($dh)) !== false) {
     			if ($file != "." && $file != "..")
     				unlink($g['captiveportal_element_path'] . "/" . $file);
+    		}
     		closedir($dh);
     	} else
     		@mkdir($g['captiveportal_element_path']);
     	if (is_array($config['captiveportal']['element'])) {
     		conf_mount_rw();
     		foreach ($config['captiveportal']['element'] as $data) {
-...
     		conf_mount_ro();
+    	}
         return 0;
     	return 0;
+    }
     function captiveportal_init_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899) {

Also available in: Unified diff

Project

General

Profile

pfSense

Revision 769e254e

Added by Ermal LUÇI almost 15 years ago