summaryrefslogtreecommitdiffhomepage
path: root/applications/luci-splash/root/etc
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2009-07-06 21:14:59 +0000
committerJo-Philipp Wich <jow@openwrt.org>2009-07-06 21:14:59 +0000
commitb0771c43ea996b6f3c3a38ef7c6f5b28eaf04a89 (patch)
tree18473834f6876a05ba5caf01f9c5976281e0d8c9 /applications/luci-splash/root/etc
parent9525fb76bd4870bbf1513aa9c48c80d5c7b9fbe2 (diff)
applications/luci-splash:
- rewrote init script, cli - introduce download traffic counters - adept user interface
Diffstat (limited to 'applications/luci-splash/root/etc')
-rwxr-xr-xapplications/luci-splash/root/etc/init.d/luci_splash225
1 files changed, 103 insertions, 122 deletions
diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash
index dd688d77c3..08c3939b14 100755
--- a/applications/luci-splash/root/etc/init.d/luci_splash
+++ b/applications/luci-splash/root/etc/init.d/luci_splash
@@ -1,15 +1,29 @@
#!/bin/sh /etc/rc.common
+
START=70
EXTRA_COMMANDS=clear_leases
-SPLASH_INTERFACES=""
LIMIT_DOWN=0
LIMIT_DOWN_BURST=0
LIMIT_UP=0
+IPT_REPLAY=/var/run/luci_splash.iptlog
+LOCK=/var/run/luci_splash.lock
+
+include /lib/network
+scan_interfaces
+config_load luci_splash
+
+set -x
+
silent() {
"$@" 2>/dev/null
}
+ipt_log() {
+ iptables -I "$@"
+ echo iptables -D "$@" >> $IPT_REPLAY
+}
+
iface_add() {
local cfg="$1"
@@ -37,95 +51,45 @@ iface_add() {
eval "$(ipcalc.sh $ipaddr $netmask)"
- iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting
- iptables -t nat -A luci_splash_prerouting -j luci_splash_portal
-
- iptables -t filter -I luci_splash_filter -s ! "$NETWORK/$PREFIX" -j RETURN
- iptables -t nat -I luci_splash_leases -s ! "$NETWORK/$PREFIX" -j RETURN
+ ### Add interface specific chain entry rules
+ ipt_log "zone_${zone}_prerouting" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat
+ ipt_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter
- iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN
- iptables -t nat -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$ipaddr/${netmask:-32}" -j RETURN
+ ### Allow traffic to the same subnet
+ iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
+ iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN
+ ### Allow traffic to the mesh subnet
[ "$parentproto" = "static" -a -n "$parentipaddr" ] && {
- iptables -t filter -I luci_splash_filter -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
- iptables -t nat -I luci_splash_leases -s "$NETWORK/$PREFIX" -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
+ iptables -t nat -I luci_splash_prerouting -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
+ iptables -t filter -I luci_splash_forwarding -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
}
- iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p udp --dport 53 -j RETURN
- iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 22 -j RETURN # XXX: ssh really needed?
- iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -p tcp --dport 80 -j RETURN
- iptables -t filter -A luci_splash_filter -s "$NETWORK/$PREFIX" -j REJECT --reject-with icmp-admin-prohibited
-
qos_iface_add "$ifname"
-
- append SPLASH_INTERFACES "$ifname"
}
iface_del() {
config_get zone "$1" zone
[ -n "$zone" ] || return 0
- while iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting 2>&-; do :; done
-
config_get net "$1" network
[ -n "$net" ] || return 0
config_get ifname "$net" ifname
[ -n "$ifname" ] || return 0
- qos_iface_del "$ifname"
-}
-
-blacklist_add() {
- local cfg="$1"
-
- config_get mac "$cfg" mac
- [ -n "$mac" ] && {
- iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j DROP
- iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j DROP
+ # Clear interface specific rules
+ [ -s $IPT_REPLAY ] && {
+ grep -- "-i ${ifname%:*}" $IPT_REPLAY | while read ln; do silent $ln; done
+ sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY
}
-}
-whitelist_add() {
- local cfg="$1"
-
- config_get mac "$cfg" mac
- [ -n "$mac" ] && {
- iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN
- iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j RETURN
- }
+ qos_iface_del "$ifname"
}
-lease_add() {
- local cfg="$1"
-
- config_get mac "$cfg" mac
- config_get ban "$cfg" kicked
-
- ban=${ban:+DROP}
-
- [ -n "$mac" ] && {
- local oIFS="$IFS"; IFS=":"
- set -- $mac
- IFS="$oIFS"; unset oIFS
-
- local mac_pre="$1$2"
- local mac_post="$3$4$5$6"
- local handle="$6"
-
- iptables -t filter -I luci_splash_filter -m mac --mac-source "$mac" -j RETURN
- iptables -t nat -I luci_splash_leases -m mac --mac-source "$mac" -j "${ban:-RETURN}"
-
- [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
- iptables -t mangle -I luci_splash_mark -m mac --mac-source "$mac" -j MARK --set-mark 79
-
- for i in $SPLASH_INTERFACES; do
- tc filter add dev $i parent 77:0 protocol ip prio 2 handle ::$handle u32 \
- match u16 0x0800 0xFFFF at -2 match u32 0x$mac_post 0xFFFFFFFF at -12 \
- match u16 0x$mac_pre 0xFFFF at -14 flowid 77:10
- done
- }
- }
+mac_add() {
+ config_get mac "$1" mac
+ append MACS "$mac"
}
subnet_add() {
@@ -135,8 +99,8 @@ subnet_add() {
config_get netmask "$cfg" netmask
[ -n "$ipaddr" ] && {
- iptables -t filter -I luci_splash_filter -d "$ipaddr/${netmask:-32}" -j RETURN
- iptables -t nat -I luci_splash_portal -d "$ipaddr/${netmask:-32}" -j RETURN
+ iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
+ iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN
}
}
@@ -145,7 +109,8 @@ qos_iface_add() {
# 77 -> download root qdisc
# 78 -> upload root qdisc
- # 79 -> fwmark
+ # 79 -> fwmark: client->inet
+ # 80 -> fwmark: inet->client
silent tc qdisc del dev "$iface" root handle 77:
@@ -157,16 +122,20 @@ qos_iface_add() {
# set download limit and burst
tc class add dev "$iface" parent 77:1 classid 77:10 htb \
- rate ${LIMIT_DOWN}kb ceil ${LIMIT_DOWN_BURST}kb prio 2
+ rate ${LIMIT_DOWN}kbit ceil ${LIMIT_DOWN_BURST}kbit prio 2
tc qdisc add dev "$iface" parent 77:10 handle 78: sfq perturb 10
# adding ingress can result in "File exists" if qos-scripts are active
silent tc qdisc add dev "$iface" ingress
+ # set client download speed
+ tc filter add dev "$iface" parent 77: protocol ip prio 2 \
+ handle 80 fw flowid 77:10
+
# set client upload speed
tc filter add dev "$iface" parent ffff: protocol ip prio 1 \
- handle 79 fw police rate ${LIMIT_UP}kb mtu 6k burst 6k drop
+ handle 79 fw police rate ${LIMIT_UP}kbit mtu 6k burst 6k drop
fi
}
@@ -180,7 +149,7 @@ qos_iface_del() {
boot() {
### Setup splash-relay
- uci get lucid.splashr || {
+ uci get lucid.splashr 2>/dev/null || {
uci batch <<EOF
set lucid.splashr=daemon
set lucid.splashr.slave=httpd
@@ -202,101 +171,113 @@ EOF
}
start() {
- ### Read chains from config
- include /lib/network
- scan_interfaces
- config_load luci_splash
-
+ lock -w $LOCK && lock $LOCK
+
### Find QoS limits
config_get LIMIT_UP general limit_up
config_get LIMIT_DOWN general limit_down
config_get LIMIT_DOWN_BURST general limit_down_burst
- LIMIT_UP="${LIMIT_UP:-0}"
- LIMIT_DOWN="${LIMIT_DOWN:-0}"
- LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN * 2))}"
+ LIMIT_UP="$((8*${LIMIT_UP:-0}))"
+ LIMIT_DOWN="$((8*${LIMIT_DOWN:-0}))"
+ LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:+$((8*$LIMIT_DOWN_BURST))}"
+ LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN / 5 * 6))}"
### Load required modules
[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
silent insmod cls_fw
silent insmod cls_u32
silent insmod sch_htb
+ silent insmod sch_sfq
silent insmod sch_ingress
}
### Create subchains
- iptables -t filter -N luci_splash_filter
- iptables -t nat -N luci_splash_portal
- iptables -t nat -N luci_splash_leases
iptables -t nat -N luci_splash_prerouting
+ iptables -t nat -N luci_splash_leases
+ iptables -t filter -N luci_splash_forwarding
+ iptables -t filter -N luci_splash_filter
- [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
- iptables -t mangle -N luci_splash_mark
+ ### Clear iptables replay log
+ [ -s $IPT_REPLAY ] && . $IPT_REPLAY
+ echo -n > $IPT_REPLAY
### Build the main and portal rule
config_foreach iface_add iface
config_foreach subnet_add subnet
- config_foreach blacklist_add blacklist
- config_foreach whitelist_add whitelist
- config_foreach lease_add lease
-
- ### Build the portal rule
- iptables -t filter -I INPUT -j luci_splash_filter
- iptables -t filter -I FORWARD -j luci_splash_filter
- [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
- iptables -t mangle -I PREROUTING -j luci_splash_mark
+ ### Add interface independant prerouting rules
+ iptables -t nat -A luci_splash_prerouting -j luci_splash_leases
+ iptables -t nat -A luci_splash_leases -p udp --dport 53 -j REDIRECT --to-ports 53
+ iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
- ### Allow icmp, dns and traceroute
- iptables -t nat -A luci_splash_portal -p udp --dport 33434:33523 -j RETURN
- iptables -t nat -A luci_splash_portal -p icmp -j RETURN
- iptables -t nat -A luci_splash_portal -p udp --dport 53 -j RETURN
+ ### Add interface independant forwarding rules
+ iptables -t filter -A luci_splash_forwarding -j luci_splash_filter
+ iptables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
+ iptables -t filter -A luci_splash_filter -j REJECT --reject-with icmp-net-prohibited
+
+ ### Add QoS chain
+ [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
+ iptables -t mangle -N luci_splash_mark_out
+ iptables -t mangle -N luci_splash_mark_in
+ iptables -t mangle -I PREROUTING -j luci_splash_mark_out
+ iptables -t mangle -I POSTROUTING -j luci_splash_mark_in
+ }
+
+ ### Find active mac addresses
+ MACS=""
+ config_foreach mac_add lease
+ config_foreach mac_add blacklist
+ config_foreach mac_add whitelist
- ### Redirect the rest into the lease chain
- iptables -t nat -A luci_splash_portal -j luci_splash_leases
-
- ### Build the leases rule
- iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
-
### Add crontab entry
test -f /etc/crontabs/root || touch /etc/crontabs/root
grep -q luci-splash /etc/crontabs/root || {
echo '*/5 * * * * /usr/sbin/luci-splash sync' >> /etc/crontabs/root
}
+
+ lock -u $LOCK
+
+ ### Populate iptables
+ [ -n "$MACS" ] && luci-splash add-rules $MACS
}
stop() {
+ lock -w $LOCK && lock $LOCK
+
### Clear interface rules
- include /lib/network
- scan_interfaces
- config_load luci_splash
config_foreach iface_del iface
- silent iptables -t filter -D INPUT -j luci_splash_filter
- silent iptables -t filter -D FORWARD -j luci_splash_filter
- silent iptables -t mangle -D PREROUTING -j luci_splash_mark
+ silent iptables -t mangle -D PREROUTING -j luci_splash_mark_out
+ silent iptables -t mangle -D POSTROUTING -j luci_splash_mark_in
### Clear subchains
- silent iptables -t nat -F luci_splash_leases
- silent iptables -t nat -F luci_splash_portal
silent iptables -t nat -F luci_splash_prerouting
+ silent iptables -t nat -F luci_splash_leases
+ silent iptables -t filter -F luci_splash_forwarding
silent iptables -t filter -F luci_splash_filter
- silent iptables -t mangle -F luci_splash_mark
+ silent iptables -t mangle -F luci_splash_mark_out
+ silent iptables -t mangle -F luci_splash_mark_in
### Delete subchains
- silent iptables -t nat -X luci_splash_leases
- silent iptables -t nat -X luci_splash_portal
silent iptables -t nat -X luci_splash_prerouting
+ silent iptables -t nat -X luci_splash_leases
+ silent iptables -t filter -X luci_splash_forwarding
silent iptables -t filter -X luci_splash_filter
- silent iptables -t mangle -X luci_splash_mark
+ silent iptables -t mangle -X luci_splash_mark_out
+ silent iptables -t mangle -X luci_splash_mark_in
sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
+
+ lock -u $LOCK
}
-
clear_leases() {
- stop
- while uci -P /var/state del luci_splash.@lease[0] 2>&-;do :; done
- start
+ ### Find active mac addresses
+ MACS=""
+ config_foreach mac_add lease
+
+ ### Clear leases
+ [ -n "$MACS" ] && luci-splash remove $MACS
}