author | Jo-Philipp Wich <jow@openwrt.org> | 2009-07-06 21:14:59 +0000 |
committer | Jo-Philipp Wich <jow@openwrt.org> | 2009-07-06 21:14:59 +0000 |
commit | b0771c43ea996b6f3c3a38ef7c6f5b28eaf04a89 (patch) | |
tree | 18473834f6876a05ba5caf01f9c5976281e0d8c9 /applications/luci-splash/root/etc | |
parent | 9525fb76bd4870bbf1513aa9c48c80d5c7b9fbe2 (diff) |
applications/luci-splash:
- rewrote init script, cli
- introduce download traffic counters
- adapt user interface
Diffstat (limited to 'applications/luci-splash/root/etc')
-rwxr-xr-x | applications/luci-splash/root/etc/init.d/luci_splash | 225 |
1 files changed, 103 insertions, 122 deletions
diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash index dd688d77c3..08c3939b14 100755 --- a/applications/luci-splash/root/etc/init.d/luci_splash +++ b/applications/luci-splash/root/etc/init.d/luci_splash @@ -1,15 +1,29 @@ #!/bin/sh /etc/rc.common + START=70 EXTRA_COMMANDS=clear_leases -SPLASH_INTERFACES="" LIMIT_DOWN=0 LIMIT_DOWN_BURST=0 LIMIT_UP=0 +IPT_REPLAY=/var/run/luci_splash.iptlog +LOCK=/var/run/luci_splash.lock + +include /lib/network +scan_interfaces +config_load luci_splash + +set -x + silent() { "$@" 2>/dev/null } +ipt_log() { + iptables -I "$@" + echo iptables -D "$@" >> $IPT_REPLAY +} + iface_add() { local cfg="$1" 
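Review bot: `set -x` is switched on unconditionally at file scope, so every action of this init script (boot, start, stop, clear_leases) traces each command it runs, including all iptables rules and the MAC list handed to luci-splash, to stderr; this reads like leftover debugging and should be removed or gated, e.g. `[ -n "$SPLASH_DEBUG" ] && set -x` (constructed name). In the new `ipt_log`, `echo iptables -D "$@" >> $IPT_REPLAY` stores the arguments unquoted while start() later executes that file with `.`, so any value taken from the config (zone, ifname, network/prefix) is re-split and re-evaluated by the shell on replay; writing each argument wrapped in single quotes, e.g. a small loop that emits `'$arg'` per parameter, keeps the replay faithful to the original call. Moving `include /lib/network`, `scan_interfaces` and `config_load luci_splash` to file scope means they now also run for `boot`; presumably intended so clear_leases sees the config, but a one-line comment such as `# loaded at file scope: every action (incl. clear_leases) needs the interface list and config` would make that explicit. iface_add continues past the end of this hunk.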
@@ -37,95 +51,45 @@ iface_add() { eval "$(ipcalc.sh $ipaddr $netmask)" - iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting - iptables -t nat -A luci_splash_prerouting -j luci_splash_portal - - iptables -t filter -I luci_splash_filter -s ! "$NETWORK/$PREFIX" -j RETURN - iptables -t nat -I luci_splash_leases -s ! "$NETWORK/$PREFIX" -j RETURN + ### Add interface specific chain entry rules + ipt_log "zone_${zone}_prerouting" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat + ipt_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter - iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN - iptables -t nat -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN + ### Allow traffic to the same subnet + iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN + iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN + ### Allow traffic to the mesh subnet [ "$parentproto" = "static" -a -n "$parentipaddr" ] && { - iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN - iptables -t nat -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN + iptables -t nat -I luci_splash_prerouting -d "$parentipaddr/${parentnetmask:-32}" -j RETURN + iptables -t filter -I luci_splash_forwarding -d "$parentipaddr/${parentnetmask:-32}" -j RETURN } - iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p udp --dport 53 -j RETURN - iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 22 -j RETURN # XXX: ssh really needed? 
- iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 80 -j RETURN - iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -j REJECT --reject-with icmp-admin-prohibited - qos_iface_add "$ifname" - - append SPLASH_INTERFACES "$ifname" } iface_del() { config_get zone "$1" zone [ -n "$zone" ] || return 0 - while iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting 2>&-; do :; done - config_get net "$1" network [ -n "$net" ] || return 0 config_get ifname "$net" ifname [ -n "$ifname" ] || return 0 - qos_iface_del "$ifname" -} - -blacklist_add() { - local cfg="$1" - - config_get mac "$cfg" mac - [ -n "$mac" ] && { - iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j DROP - iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j DROP + # Clear interface specific rules + [ -s $IPT_REPLAY ] && { + grep -- "-i ${ifname%:*}" $IPT_REPLAY | while read ln; do silent $ln; done + sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY } -} -whitelist_add() { - local cfg="$1" - - config_get mac "$cfg" mac - [ -n "$mac" ] && { - iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN - iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j RETURN - } + qos_iface_del "$ifname" } -lease_add() { - local cfg="$1" - - config_get mac "$cfg" mac - config_get ban "$cfg" kicked - - ban=${ban:+DROP} - - [ -n "$mac" ] && { - local oIFS="$IFS"; IFS=":" - set -- $mac - IFS="$oIFS"; unset oIFS - - local mac_pre="$1$2" - local mac_post="$3$4$5$6" - local handle="$6" - - iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN - iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j "${ban:-RETURN}" - - [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && { - iptables -t mangle -I luci_splash_mark -m mac --mac-source "$mac" -j MARK --set-mark 79 - - for i in $SPLASH_INTERFACES; do - tc filter add dev $i parent 77:0 protocol ip prio 2 handle ::$handle u32 \ - match u16 
0x0800 0xFFFF at -2 match u32 0x$mac_post 0xFFFFFFFF at -12 \ - match u16 0x$mac_pre 0xFFFF at -14 flowid 77:10 - done - } - } +mac_add() { + config_get mac "$1" mac + append MACS "$mac" } subnet_add() { @@ -135,8 +99,8 @@ subnet_add() { config_get netmask "$cfg" netmask [ -n "$ipaddr" ] && { - iptables -t filter -I luci_splash_filter -d "$ipaddr/${netmask:-32}" -j RETURN - iptables -t nat -I luci_splash_portal -d "$ipaddr/${netmask:-32}" -j RETURN + iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN + iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN } } @@ -145,7 +109,8 @@ qos_iface_add() { # 77 -> download root qdisc # 78 -> upload root qdisc - # 79 -> fwmark + # 79 -> fwmark: client->inet + # 80 -> fwmark: inet->client silent tc qdisc del dev "$iface" root handle 77: @@ -157,16 +122,20 @@ qos_iface_add() { # set download limit and burst tc class add dev "$iface" parent 77:1 classid 77:10 htb \ - rate ${LIMIT_DOWN}kb ceil ${LIMIT_DOWN_BURST}kb prio 2 + rate ${LIMIT_DOWN}kbit ceil ${LIMIT_DOWN_BURST}kbit prio 2 tc qdisc add dev "$iface" parent 77:10 handle 78: sfq perturb 10 # adding ingress can result in "File exists" if qos-scripts are active silent tc qdisc add dev "$iface" ingress + # set client download speed + tc filter add dev "$iface" parent 77: protocol ip prio 2 \ + handle 80 fw flowid 77:10 + # set client upload speed tc filter add dev "$iface" parent ffff: protocol ip prio 1 \ - handle 79 fw police rate ${LIMIT_UP}kb mtu 6k burst 6k drop + handle 79 fw police rate ${LIMIT_UP}kbit mtu 6k burst 6k drop fi } @@ -180,7 +149,7 @@ qos_iface_del() { boot() { ### Setup splash-relay - uci get lucid.splashr || { + uci get lucid.splashr 2>/dev/null || { uci batch <<EOF set lucid.splashr=daemon set lucid.splashr.slave=httpd 
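Review bot: In iface_del the new cleanup `sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY` is fragile in two ways: `-ie` is parsed by GNU sed (and by busybox builds whose sed accepts an `-i` suffix) as `-i` with backup suffix `e`, leaving a stray `luci_splash.iptloge` file behind, and the pattern `-i ${ifname%:*}` is unanchored, so removing rules for `eth0` also matches and deletes the entries recorded for `eth0.1`. Both the grep and the sed should separate the flags and anchor on the space that precedes the next option, e.g. `grep -F -- "-i ${ifname%:*} " $IPT_REPLAY | while read -r ln; do silent $ln; done` and `sed -i -e "/-i ${ifname%:*} /d" $IPT_REPLAY`. The same `sed -ie` idiom is present on the unchanged crontab line in stop() further down. `$ln` is deliberately left unquoted so the stored command is word-split again; a comment saying `# intentionally unquoted: replay the stored iptables -D line` would keep a later reader from "fixing" it.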
@@ -202,101 +171,113 @@ EOF } start() { - ### Read chains from config - include /lib/network - scan_interfaces - config_load luci_splash - + lock -w $LOCK && lock $LOCK + ### Find QoS limits config_get LIMIT_UP general limit_up config_get LIMIT_DOWN general limit_down config_get LIMIT_DOWN_BURST general limit_down_burst - LIMIT_UP="${LIMIT_UP:-0}" - LIMIT_DOWN="${LIMIT_DOWN:-0}" - LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN * 2))}" + LIMIT_UP="$((8*${LIMIT_UP:-0}))" + LIMIT_DOWN="$((8*${LIMIT_DOWN:-0}))" + LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:+$((8*$LIMIT_DOWN_BURST))}" + LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN / 5 * 6))}" ### Load required modules [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && { silent insmod cls_fw silent insmod cls_u32 silent insmod sch_htb + silent insmod sch_sfq silent insmod sch_ingress } ### Create subchains - iptables -t filter -N luci_splash_filter - iptables -t nat -N luci_splash_portal - iptables -t nat -N luci_splash_leases iptables -t nat -N luci_splash_prerouting + iptables -t nat -N luci_splash_leases + iptables -t filter -N luci_splash_forwarding + iptables -t filter -N luci_splash_filter - [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \ - iptables -t mangle -N luci_splash_mark + ### Clear iptables replay log + [ -s $IPT_REPLAY ] && . 
$IPT_REPLAY + echo -n > $IPT_REPLAY ### Build the main and portal rule config_foreach iface_add iface config_foreach subnet_add subnet - config_foreach blacklist_add blacklist - config_foreach whitelist_add whitelist - config_foreach lease_add lease - - ### Build the portal rule - iptables -t filter -I INPUT -j luci_splash_filter - iptables -t filter -I FORWARD -j luci_splash_filter - [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \ - iptables -t mangle -I PREROUTING -j luci_splash_mark + ### Add interface independant prerouting rules + iptables -t nat -A luci_splash_prerouting -j luci_splash_leases + iptables -t nat -A luci_splash_leases -p udp --dport 53 -j REDIRECT --to-ports 53 + iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082 - ### Allow icmp, dns and traceroute - iptables -t nat -A luci_splash_portal -p udp --dport 33434:33523 -j RETURN - iptables -t nat -A luci_splash_portal -p icmp -j RETURN - iptables -t nat -A luci_splash_portal -p udp --dport 53 -j RETURN + ### Add interface independant forwarding rules + iptables -t filter -A luci_splash_forwarding -j luci_splash_filter + iptables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset + iptables -t filter -A luci_splash_filter -j REJECT --reject-with icmp-net-prohibited + + ### Add QoS chain + [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && { + iptables -t mangle -N luci_splash_mark_out + iptables -t mangle -N luci_splash_mark_in + iptables -t mangle -I PREROUTING -j luci_splash_mark_out + iptables -t mangle -I POSTROUTING -j luci_splash_mark_in + } + + ### Find active mac addresses + MACS="" + config_foreach mac_add lease + config_foreach mac_add blacklist + config_foreach mac_add whitelist - ### Redirect the rest into the lease chain - iptables -t nat -A luci_splash_portal -j luci_splash_leases - - ### Build the leases rule - iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082 - ### Add crontab entry test -f 
/etc/crontabs/root || touch /etc/crontabs/root grep -q luci-splash /etc/crontabs/root || { echo '*/5 * * * * /usr/sbin/luci-splash sync' >> /etc/crontabs/root } + + lock -u $LOCK + + ### Populate iptables + [ -n "$MACS" ] && luci-splash add-rules $MACS } stop() { + lock -w $LOCK && lock $LOCK + ### Clear interface rules - include /lib/network - scan_interfaces - config_load luci_splash config_foreach iface_del iface - silent iptables -t filter -D INPUT -j luci_splash_filter - silent iptables -t filter -D FORWARD -j luci_splash_filter - silent iptables -t mangle -D PREROUTING -j luci_splash_mark + silent iptables -t mangle -D PREROUTING -j luci_splash_mark_out + silent iptables -t mangle -D POSTROUTING -j luci_splash_mark_in ### Clear subchains - silent iptables -t nat -F luci_splash_leases - silent iptables -t nat -F luci_splash_portal silent iptables -t nat -F luci_splash_prerouting + silent iptables -t nat -F luci_splash_leases + silent iptables -t filter -F luci_splash_forwarding silent iptables -t filter -F luci_splash_filter - silent iptables -t mangle -F luci_splash_mark + silent iptables -t mangle -F luci_splash_mark_out + silent iptables -t mangle -F luci_splash_mark_in ### Delete subchains - silent iptables -t nat -X luci_splash_leases - silent iptables -t nat -X luci_splash_portal silent iptables -t nat -X luci_splash_prerouting + silent iptables -t nat -X luci_splash_leases + silent iptables -t filter -X luci_splash_forwarding silent iptables -t filter -X luci_splash_filter - silent iptables -t mangle -X luci_splash_mark + silent iptables -t mangle -X luci_splash_mark_out + silent iptables -t mangle -X luci_splash_mark_in sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root + + lock -u $LOCK } - clear_leases() { - stop - while uci -P /var/state del luci_splash.@lease[0] 2>&-;do :; done - start + ### Find active mac addresses + MACS="" + config_foreach mac_add lease + + ### Clear leases + [ -n "$MACS" ] && luci-splash remove $MACS } |
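Review bot: The new default `LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN / 5 * 6))}"` divides before multiplying, so integer truncation can yield a ceil below the rate for small limits (LIMIT_DOWN=8 gives 6); compute it as `$(($LIMIT_DOWN * 6 / 5))` instead. start() now executes the replay log with `[ -s $IPT_REPLAY ] && . $IPT_REPLAY`, i.e. whatever is in `/var/run/luci_splash.iptlog` is run as shell by root; the file is written only by ipt_log in this script, and that invariant should be stated in a comment next to the source line, and the reset `echo -n > $IPT_REPLAY` is better written portably as `: > $IPT_REPLAY`. In start() the lock is dropped with `lock -u $LOCK` before `luci-splash add-rules $MACS` populates the freshly created chains, so a concurrent stop() can flush them mid-population; presumably add-rules takes its own lock — confirm, or move the unlock after that call. The bodies of start(), stop() and clear_leases() are fully within this hunk.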