applications/luci-splash/root/etc/init.d/luci_splash

   1 #!/bin/sh /etc/rc.common
   2
   3 START=70
   4 EXTRA_COMMANDS=clear_leases
   5 LIMIT_DOWN=0
   6 LIMIT_DOWN_BURST=0
   7 LIMIT_UP=0
   8
   9 IPT_REPLAY=/var/run/luci_splash.iptlog
  10 LOCK=/var/run/luci_splash.lock
  11 [ -x /usr/sbin/ip6tables ] && [ -f /proc/net/ipv6_route ] && HAS_IPV6=1
  12
  13 silent() {
  14         "$@" 2>/dev/null
  15 }
  16
  17 ipt_log() {
  18         iptables -I "$@"
  19         echo iptables -D "$@" >> $IPT_REPLAY
  20 }
  21
  22 ipt6_log() {
  23         [ "$HAS_IPV6" = 1 ] || return
  24         ip6tables -I "$@"
  25         echo ip6tables -D "$@" >> $IPT_REPLAY
  26 }
  27
  28
  29 iface_add() {
  30         local cfg="$1"
  31
  32         config_get zone "$cfg" zone
  33         [ -n "$zone" ] || return 0
  34
  35         config_get net "$cfg" network
  36         [ -n "$net" ] || return 0
  37
  38         config_get ifname "$net" ifname
  39         [ -n "$ifname" ] || return 0
  40
  41         config_get ipaddr "$net" ipaddr
  42         [ -n "$ipaddr" ] || return 0
  43
  44         config_get netmask "$net" netmask
  45         [ -n "$netmask" ] || return 0
  46
  47         config_get ip6addr "$net" ip6addr
  48
  49         config_get type "$net" type
  50
  51         parentiface="$(uci -q get network.${net}.ifname)"
  52
  53         [ -n "$parentiface" ] && [ ! "$type" = "bridge" ] && {
  54                 parentiface=${parentiface#@}
  55                 config_get parentproto   "$parentiface" proto
  56                 config_get parentipaddr  "$parentiface" ipaddr
  57                 config_get parentnetmask "$parentiface" netmask
  58         }
  59
  60         eval "$(ipcalc.sh $ipaddr $netmask)"
  61
  62         logger -s -p info -t splash "Add $NETWORK/$PREFIX ($ifname) to splashed networks."
  63
  64         ### Add interface specific chain entry rules
  65         ipt_log "prerouting_${zone}_rule" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat
  66         ipt_log "forwarding_${zone}_rule"    -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter
  67
  68         if [ "$HAS_IPV6" = 1 ] && [ -n "$ip6addr" ]; then
  69                 ipt6_log "forwarding_${zone}_rule"    -i "${ifname%:*}" -s "$ip6addr" -j luci_splash_forwarding -t filter
  70         fi
  71
  72         ### Allow traffic to the same subnet
  73         iptables -t nat    -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
  74         iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN
  75
  76         ### Allow traffic to the mesh subnet
  77         [ "$parentproto" = "static" -a -n "$parentipaddr" ] && {
  78                 iptables -t nat    -I luci_splash_prerouting -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
  79                 iptables -t filter -I luci_splash_forwarding -d "$parentipaddr/${parentnetmask:-32}" -j RETURN
  80         }
  81
  82         qos_iface_add "$ifname"
  83 }
  84
  85 iface_del() {
  86         config_get zone "$1" zone
  87         [ -n "$zone" ] || return 0
  88
  89         config_get net "$1" network
  90         [ -n "$net" ] || return 0
  91
  92         config_get ifname "$net" ifname
  93         [ -n "$ifname" ] || return 0
  94
  95         # Clear interface specific rules
  96         [ -s $IPT_REPLAY ] && {
  97                 logger -s -p info -t splash "Remove $ifname from splashed networks."
  98                 grep -- "-i ${ifname%:*}" $IPT_REPLAY | while read ln; do silent $ln; done
  99                 sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY
 100         }
 101
 102         qos_iface_del "$ifname"
 103 }
 104
 105 mac_add() {
 106         config_get mac "$1" mac
 107         append MACS "$mac"
 108 }
 109
 110 subnet_add() {
 111         local cfg="$1"
 112
 113         config_get ipaddr  "$cfg" ipaddr
 114         config_get netmask "$cfg" netmask
 115
 116         [ -n "$ipaddr" ] && {
 117                 iptables -t nat    -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
 118                 iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN
 119         }
 120 }
 121
 122 qos_iface_add() {
 123         local iface="$1"
 124
 125         # 77 -> download root qdisc
 126         # 78 -> upload root qdisc
 127         # 79 -> fwmark: client->inet
 128         # 80 -> fwmark: inet->client
 129
 130         silent tc qdisc del dev "$iface" root handle 77:
 131
 132         if [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ]; then
 133                 tc qdisc add dev "$iface" root handle 77: htb
 134
 135                 # assume maximum rate of 20.000 kilobit for wlan
 136                 tc class add dev "$iface" parent 77: classid 77:1 htb rate 20000kbit
 137
 138                 # set download limit and burst
 139                 tc class add dev "$iface" parent 77:1 classid 77:10 htb \
 140                         rate ${LIMIT_DOWN}kbit ceil ${LIMIT_DOWN_BURST}kbit prio 2
 141
 142                 tc qdisc add dev "$iface" parent 77:10 handle 78: sfq perturb 10
 143
 144                 # adding ingress can result in "File exists" if qos-scripts are active
 145                 silent tc qdisc add dev "$iface" ingress
 146
 147                 # set client download speed
 148                 tc filter add dev "$iface" parent 77: protocol ip prio 2 \
 149                         handle 80 fw flowid 77:10
 150
 151                 # set client upload speed
 152                 tc filter add dev "$iface" parent ffff: protocol ip prio 1 \
 153                         handle 79 fw police rate ${LIMIT_UP}kbit mtu 6k burst 6k drop
 154         fi
 155 }
 156
 157 qos_iface_del() {
 158         local iface="$1"
 159
 160         silent tc qdisc del dev "$iface" root handle 77:
 161         silent tc qdisc del dev "$iface" root handle 78:
 162         silent tc filter del dev "$iface" parent ffff: protocol ip prio 1 handle 79 fw
 163 }
 164
 165 boot() {
 166         ### Setup splash-relay
 167         uci get uhttpd.splash 2>/dev/null || {
 168 uci batch <<EOF
 169         set uhttpd.splash=uhttpd
 170         set uhttpd.splash.home="/www/cgi-bin/splash/"
 171         set uhttpd.splash.interpreter=".sh=/bin/ash"
 172         set uhttpd.splash.listen_http="8082"
 173         set uhttpd.splash.index_page="splash.sh"
 174         set uhttpd.splash.error_page="/splash.sh"
 175
 176         commit uhttpd
 177 EOF
 178         }
 179
 180         ### We are started by the firewall include
 181         exit 0
 182 }
 183
 184 start() {
 185         lock $LOCK
 186         logger -s -p info -t splash "Starting luci-splash"
 187         include /lib/network
 188         . /lib/functions/network.sh
 189         scan_interfaces
 190         config_load luci_splash
 191
 192         ### Find QoS limits
 193         config_get LIMIT_UP general limit_up
 194         config_get LIMIT_DOWN general limit_down
 195         config_get LIMIT_DOWN_BURST general limit_down_burst
 196
 197         LIMIT_UP="$((8*${LIMIT_UP:-0}))"
 198         LIMIT_DOWN="$((8*${LIMIT_DOWN:-0}))"
 199         LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:+$((8*$LIMIT_DOWN_BURST))}"
 200         LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN / 5 * 6))}"
 201
 202         ### Load required modules
 203         [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
 204                 silent insmod act_police
 205                 silent insmod cls_fw
 206                 silent insmod cls_u32
 207                 silent insmod sch_htb
 208                 silent insmod sch_sfq
 209                 silent insmod sch_ingress
 210         }
 211
 212         ### Create subchains
 213         iptables -t nat    -N luci_splash_prerouting
 214         iptables -t nat    -N luci_splash_leases
 215         iptables -t filter -N luci_splash_forwarding
 216         iptables -t filter -N luci_splash_filter
 217
 218         if [ "$HAS_IPV6" = 1 ]; then
 219                 ip6tables -t filter -N luci_splash_forwarding
 220                 ip6tables -t filter -N luci_splash_filter
 221         fi
 222
 223         ### Clear iptables replay log
 224         [ -s $IPT_REPLAY ] && . $IPT_REPLAY
 225         echo -n > $IPT_REPLAY
 226
 227         ### Build the main and portal rule
 228         config_foreach iface_add iface
 229         config_foreach subnet_add subnet
 230
 231         ### Add interface independant prerouting rules
 232         iptables -t nat -A luci_splash_prerouting -j luci_splash_leases
 233         iptables -t nat -A luci_splash_leases -p udp --dport 53 -j REDIRECT --to-ports 53
 234         iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
 235
 236         ### Add interface independant forwarding rules
 237         iptables -t filter -A luci_splash_forwarding -j luci_splash_filter
 238         iptables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
 239         iptables -t filter -A luci_splash_filter -j REJECT --reject-with icmp-net-prohibited
 240
 241         if [ "$HAS_IPV6" = 1 ]; then
 242                 ip6tables -t filter -A luci_splash_forwarding -j luci_splash_filter
 243                 ip6tables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
 244                 ip6tables -t filter -A luci_splash_filter -j REJECT --reject-with adm-prohibited
 245         fi
 246
 247         ### Add QoS chain
 248         [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
 249                 iptables -t mangle -N luci_splash_mark_out
 250                 iptables -t mangle -N luci_splash_mark_in
 251                 iptables -t mangle -I PREROUTING  -j luci_splash_mark_out
 252                 iptables -t mangle -I POSTROUTING -j luci_splash_mark_in
 253                 if [ "$HAS_IPV6" = 1 ]; then
 254                         ip6tables -t mangle -N luci_splash_mark_out
 255                         ip6tables -t mangle -N luci_splash_mark_in
 256                         ip6tables -t mangle -I PREROUTING  -j luci_splash_mark_out
 257                         ip6tables -t mangle -I POSTROUTING -j luci_splash_mark_in
 258                 fi
 259         }
 260
 261         ### Find active mac addresses
 262         MACS=""
 263         config_foreach mac_add lease
 264         config_foreach mac_add blacklist
 265         config_foreach mac_add whitelist
 266
 267         ### Add crontab entry
 268         test -f /etc/crontabs/root || touch /etc/crontabs/root
 269         grep -q luci-splash /etc/crontabs/root || {
 270                 echo '*/5 * * * *       /usr/sbin/luci-splash sync' >> /etc/crontabs/root
 271         }
 272
 273         lock -u $LOCK
 274
 275         ### Populate iptables
 276         [ -n "$MACS" ] && luci-splash add-rules $MACS
 277 }
 278
 279 stop() {
 280         lock $LOCK
 281
 282         include /lib/network
 283         scan_interfaces
 284         config_load luci_splash
 285
 286         ### Clear interface rules
 287         config_foreach iface_del iface
 288
 289         silent iptables -t mangle -D PREROUTING  -j luci_splash_mark_out
 290         silent iptables -t mangle -D POSTROUTING -j luci_splash_mark_in
 291
 292         if [ "$HAS_IPV6" = 1 ]; then
 293                 silent ip6tables -t mangle -D PREROUTING  -j luci_splash_mark_out
 294                 silent ip6tables -t mangle -D POSTROUTING -j luci_splash_mark_in
 295         fi
 296
 297         ### Clear subchains
 298         silent iptables -t nat    -F luci_splash_prerouting
 299         silent iptables -t nat    -F luci_splash_leases
 300         silent iptables -t filter -F luci_splash_forwarding
 301         silent iptables -t filter -F luci_splash_filter
 302         silent iptables -t mangle -F luci_splash_mark_out
 303         silent iptables -t mangle -F luci_splash_mark_in
 304
 305         if [ "$HAS_IPV6" = 1 ]; then
 306                 ip6tables -t filter -F luci_splash_forwarding
 307                 ip6tables -t filter -F luci_splash_filter
 308                 ip6tables -t mangle -F luci_splash_mark_out
 309                 ip6tables -t mangle -F luci_splash_mark_in
 310         fi
 311
 312         ### Delete subchains
 313         silent iptables -t nat    -X luci_splash_prerouting
 314         silent iptables -t nat    -X luci_splash_leases
 315         silent iptables -t filter -X luci_splash_forwarding
 316         silent iptables -t filter -X luci_splash_filter
 317         silent iptables -t mangle -X luci_splash_mark_out
 318         silent iptables -t mangle -X luci_splash_mark_in
 319         if [ "$HAS_IPV6" = 1 ]; then
 320                 ip6tables -t filter -X luci_splash_forwarding
 321                 ip6tables -t filter -X luci_splash_filter
 322                 ip6tables -t mangle -X luci_splash_mark_out
 323                 ip6tables -t mangle -X luci_splash_mark_in
 324         fi
 325         sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
 326
 327         lock -u $LOCK
 328 }
 329
 330 clear_leases() {
 331         ### Find active mac addresses
 332         MACS=""
 333         config_foreach mac_add lease
 334
 335         ### Clear leases
 336         [ -n "$MACS" ] && luci-splash remove $MACS
 337 }
 338