#!/bin/sh /etc/rc.common
# luci-splash init script, sourced by /etc/rc.common.

# Extra subcommand that rc.common exposes next to start/stop/...
EXTRA_COMMANDS=clear_leases

# Replay log for undoing splash firewall rules: the rule helpers append
# "iptables -D ..." / "ip6tables -D ..." commands here and the file is later
# sourced as shell code ("." below) to tear the rules down. Because its
# content is executed, it must stay in a root-only directory such as
# /var/run and never be redirected to a location other users can write.
IPT_REPLAY=/var/run/luci_splash.iptlog

# Lock-file path (not referenced in the visible part of this script).
LOCK=/var/run/luci_splash.lock

# HAS_IPV6 becomes 1 only when both the ip6tables binary and an IPv6-capable
# kernel are present; otherwise it is left unset.
if [ -x /usr/sbin/ip6tables ] && [ -f /proc/net/ipv6_route ]; then
	HAS_IPV6=1
fi
19 echo iptables
-D "$@" >> $IPT_REPLAY
23 [ "$HAS_IPV6" = 1 ] ||
return
25 echo ip6tables
-D "$@" >> $IPT_REPLAY
32 config_get zone
"$cfg" zone
33 [ -n "$zone" ] ||
return 0
35 config_get net
"$cfg" network
36 [ -n "$net" ] ||
return 0
38 config_get ifname
"$net" ifname
39 [ -n "$ifname" ] ||
return 0
41 config_get ipaddr
"$net" ipaddr
42 [ -n "$ipaddr" ] ||
return 0
44 config_get netmask
"$net" netmask
45 [ -n "$netmask" ] ||
return 0
47 config_get ip6addr
"$net" ip6addr
49 config_get
type "$net" type
51 parentiface
="$(uci -q get network.${net}.ifname)"
53 [ -n "$parentiface" ] && [ ! "$type" = "bridge" ] && {
54 parentiface
=${parentiface#@}
55 config_get parentproto
"$parentiface" proto
56 config_get parentipaddr
"$parentiface" ipaddr
57 config_get parentnetmask
"$parentiface" netmask
60 eval "$(ipcalc.sh $ipaddr $netmask)"
62 logger
-s -p info
-t splash
"Add $NETWORK/$PREFIX ($ifname) to splashed networks."
64 ### Add interface specific chain entry rules
65 ipt_log
"prerouting_${zone}_rule" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting
-t nat
66 ipt_log
"forwarding_${zone}_rule" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding
-t filter
68 if [ "$HAS_IPV6" = 1 ] && [ -n "$ip6addr" ]; then
69 ipt6_log
"forwarding_${zone}_rule" -i "${ifname%:*}" -s "$ip6addr" -j luci_splash_forwarding
-t filter
72 ### Allow traffic to the same subnet
73 iptables
-t nat
-I luci_splash_prerouting
-d "$ipaddr/${netmask:-32}" -j RETURN
74 iptables
-t filter
-I luci_splash_forwarding
-d "$ipaddr/${netmask:-32}" -j RETURN
76 ### Allow traffic to the mesh subnet
77 [ "$parentproto" = "static" -a -n "$parentipaddr" ] && {
78 iptables
-t nat
-I luci_splash_prerouting
-d "$parentipaddr/${parentnetmask:-32}" -j RETURN
79 iptables
-t filter
-I luci_splash_forwarding
-d "$parentipaddr/${parentnetmask:-32}" -j RETURN
82 qos_iface_add
"$ifname"
86 config_get zone
"$1" zone
87 [ -n "$zone" ] ||
return 0
89 config_get net
"$1" network
90 [ -n "$net" ] ||
return 0
92 config_get ifname
"$net" ifname
93 [ -n "$ifname" ] ||
return 0
95 # Clear interface specific rules
96 [ -s $IPT_REPLAY ] && {
97 logger
-s -p info
-t splash
"Remove $ifname from splashed networks."
98 grep -- "-i ${ifname%:*}" $IPT_REPLAY |
while read ln; do silent
$ln; done
99 sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY
102 qos_iface_del
"$ifname"
106 config_get mac
"$1" mac
113 config_get ipaddr
"$cfg" ipaddr
114 config_get netmask
"$cfg" netmask
116 [ -n "$ipaddr" ] && {
117 iptables
-t nat
-I luci_splash_prerouting
-d "$ipaddr/${netmask:-32}" -j RETURN
118 iptables
-t filter
-I luci_splash_forwarding
-d "$ipaddr/${netmask:-32}" -j RETURN
125 # 77 -> download root qdisc
126 # 78 -> upload root qdisc
127 # 79 -> fwmark: client->inet
128 # 80 -> fwmark: inet->client
130 silent tc qdisc del dev
"$iface" root handle
77:
132 if [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ]; then
133 tc qdisc add dev
"$iface" root handle
77: htb
135 # assume maximum rate of 20.000 kilobit for wlan
136 tc class add dev
"$iface" parent
77: classid
77:1 htb rate
20000kbit
138 # set download limit and burst
139 tc class add dev
"$iface" parent
77:1 classid
77:10 htb \
140 rate
${LIMIT_DOWN}kbit ceil
${LIMIT_DOWN_BURST}kbit prio
2
142 tc qdisc add dev
"$iface" parent
77:10 handle
78: sfq perturb
10
144 # adding ingress can result in "File exists" if qos-scripts are active
145 silent tc qdisc add dev
"$iface" ingress
147 # set client download speed
148 tc filter add dev
"$iface" parent
77: protocol ip prio
2 \
149 handle
80 fw flowid
77:10
151 # set client upload speed
152 tc filter add dev
"$iface" parent ffff
: protocol ip prio
1 \
153 handle
79 fw police rate
${LIMIT_UP}kbit mtu
6k burst
6k drop
160 silent tc qdisc del dev
"$iface" root handle
77:
161 silent tc qdisc del dev
"$iface" root handle
78:
162 silent tc filter del dev
"$iface" parent ffff
: protocol ip prio
1 handle
79 fw
166 ### Setup splash-relay
167 uci get uhttpd.splash
2>/dev
/null ||
{
169 set uhttpd.splash=uhttpd
170 set uhttpd.splash.home="/www/cgi-bin/splash/"
171 set uhttpd.splash.interpreter=".sh=/bin/ash"
172 set uhttpd.splash.listen_http="8082"
173 set uhttpd.splash.index_page="splash.sh"
174 set uhttpd.splash.error_page="/splash.sh"
180 ### We are started by the firewall include
186 logger
-s -p info
-t splash
"Starting luci-splash"
188 .
/lib
/functions
/network.sh
190 config_load luci_splash
193 config_get LIMIT_UP general limit_up
194 config_get LIMIT_DOWN general limit_down
195 config_get LIMIT_DOWN_BURST general limit_down_burst
197 LIMIT_UP
="$((8*${LIMIT_UP:-0}))"
198 LIMIT_DOWN
="$((8*${LIMIT_DOWN:-0}))"
199 LIMIT_DOWN_BURST
="${LIMIT_DOWN_BURST:+$((8*$LIMIT_DOWN_BURST))}"
200 LIMIT_DOWN_BURST
="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN / 5 * 6))}"
202 ### Load required modules
203 [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
204 silent insmod act_police
206 silent insmod cls_u32
207 silent insmod sch_htb
208 silent insmod sch_sfq
209 silent insmod sch_ingress
213 iptables
-t nat
-N luci_splash_prerouting
214 iptables
-t nat
-N luci_splash_leases
215 iptables
-t filter
-N luci_splash_forwarding
216 iptables
-t filter
-N luci_splash_filter
218 if [ "$HAS_IPV6" = 1 ]; then
219 ip6tables
-t filter
-N luci_splash_forwarding
220 ip6tables
-t filter
-N luci_splash_filter
223 ### Clear iptables replay log
224 [ -s $IPT_REPLAY ] && .
$IPT_REPLAY
225 echo -n > $IPT_REPLAY
227 ### Build the main and portal rule
228 config_foreach iface_add iface
229 config_foreach subnet_add subnet
231 ### Add interface independent prerouting rules
232 iptables
-t nat
-A luci_splash_prerouting
-j luci_splash_leases
233 iptables
-t nat
-A luci_splash_leases
-p udp
--dport 53 -j REDIRECT
--to-ports 53
234 iptables
-t nat
-A luci_splash_leases
-p tcp
--dport 80 -j REDIRECT
--to-ports 8082
236 ### Add interface independent forwarding rules
237 iptables
-t filter
-A luci_splash_forwarding
-j luci_splash_filter
238 iptables
-t filter
-A luci_splash_filter
-p tcp
-j REJECT
--reject-with tcp-reset
239 iptables
-t filter
-A luci_splash_filter
-j REJECT
--reject-with icmp-net-prohibited
241 if [ "$HAS_IPV6" = 1 ]; then
242 ip6tables
-t filter
-A luci_splash_forwarding
-j luci_splash_filter
243 ip6tables
-t filter
-A luci_splash_filter
-p tcp
-j REJECT
--reject-with tcp-reset
244 ip6tables
-t filter
-A luci_splash_filter
-j REJECT
--reject-with adm-prohibited
248 [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
249 iptables
-t mangle
-N luci_splash_mark_out
250 iptables
-t mangle
-N luci_splash_mark_in
251 iptables
-t mangle
-I PREROUTING
-j luci_splash_mark_out
252 iptables
-t mangle
-I POSTROUTING
-j luci_splash_mark_in
253 if [ "$HAS_IPV6" = 1 ]; then
254 ip6tables
-t mangle
-N luci_splash_mark_out
255 ip6tables
-t mangle
-N luci_splash_mark_in
256 ip6tables
-t mangle
-I PREROUTING
-j luci_splash_mark_out
257 ip6tables
-t mangle
-I POSTROUTING
-j luci_splash_mark_in
261 ### Find active mac addresses
263 config_foreach mac_add lease
264 config_foreach mac_add blacklist
265 config_foreach mac_add whitelist
267 ### Add crontab entry
268 test -f /etc
/crontabs
/root ||
touch /etc
/crontabs
/root
269 grep -q luci-splash
/etc
/crontabs
/root ||
{
270 echo '*/5 * * * * /usr/sbin/luci-splash sync' >> /etc
/crontabs
/root
275 ### Populate iptables
276 [ -n "$MACS" ] && luci-splash add-rules
$MACS
284 config_load luci_splash
286 ### Clear interface rules
287 config_foreach iface_del iface
289 silent iptables
-t mangle
-D PREROUTING
-j luci_splash_mark_out
290 silent iptables
-t mangle
-D POSTROUTING
-j luci_splash_mark_in
292 if [ "$HAS_IPV6" = 1 ]; then
293 silent ip6tables
-t mangle
-D PREROUTING
-j luci_splash_mark_out
294 silent ip6tables
-t mangle
-D POSTROUTING
-j luci_splash_mark_in
298 silent iptables
-t nat
-F luci_splash_prerouting
299 silent iptables
-t nat
-F luci_splash_leases
300 silent iptables
-t filter
-F luci_splash_forwarding
301 silent iptables
-t filter
-F luci_splash_filter
302 silent iptables
-t mangle
-F luci_splash_mark_out
303 silent iptables
-t mangle
-F luci_splash_mark_in
305 if [ "$HAS_IPV6" = 1 ]; then
306 ip6tables
-t filter
-F luci_splash_forwarding
307 ip6tables
-t filter
-F luci_splash_filter
308 ip6tables
-t mangle
-F luci_splash_mark_out
309 ip6tables
-t mangle
-F luci_splash_mark_in
313 silent iptables
-t nat
-X luci_splash_prerouting
314 silent iptables
-t nat
-X luci_splash_leases
315 silent iptables
-t filter
-X luci_splash_forwarding
316 silent iptables
-t filter
-X luci_splash_filter
317 silent iptables
-t mangle
-X luci_splash_mark_out
318 silent iptables
-t mangle
-X luci_splash_mark_in
319 if [ "$HAS_IPV6" = 1 ]; then
320 ip6tables
-t filter
-X luci_splash_forwarding
321 ip6tables
-t filter
-X luci_splash_filter
322 ip6tables
-t mangle
-X luci_splash_mark_out
323 ip6tables
-t mangle
-X luci_splash_mark_in
325 sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var
/spool
/cron
/crontabs
/root
331 ### Find active mac addresses
333 config_foreach mac_add lease
336 [ -n "$MACS" ] && luci-splash remove
$MACS