authorKatze Miau <miaukatzemiau@priveasy.de>2011-12-20 16:30:27 (GMT)
committerKatze Miau <miaukatzemiau@priveasy.de>2011-12-20 16:30:27 (GMT)
commit8ebdb23cff88abd518c8f631eb5e8cc65036d08e (patch)
treee223ba0259f69ff66d239cc498eedc6944d62f91
parent2c089f72e227ec7229709c7903d322ef42986abd (diff)
reintegrate splash
- add cronjob for splash_sync (every minute for debugging; to be increased) - add redirection for unsplashed users in queen.enter, remove it in queen.leave - add /etc/splash.sh to centralize functionality used in /sbin/splash_sync and /www/service/*splash* - make splash_sync use a transactional update approach: insert iptable rules for all splashed MACs into a new chain, then replace old and new chain; this avoids downtime even if splash_sync is slow - remove allowed services for splashed users; this is intended to not move old cruft over to new code; if any of those services shall be reenabled, it should happen in /etc/firewall.user - make /sbin/splash_sync aware of the current state of FSM inetable (read via /sbin/fsm with optional command line override); this allows to unconditionally call splash_sync via cron - add locks to all places where the splash state is touched - remove multiple escaping/quoting/encoding problems in splash cgi scripts - reenable link to the page the user initially demanded in /www/service/cgi-bin/splash_click
-rw-r--r--files/common/etc/crontabs/root1
-rwxr-xr-xfiles/common/etc/fsm/inetable/trans/queen.enter19
-rwxr-xr-xfiles/common/etc/fsm/inetable/trans/queen.leave3
-rwxr-xr-xfiles/common/sbin/splash_sync72
-rwxr-xr-xfiles/common/www/service/cgi-bin/splash7
-rwxr-xr-xfiles/common/www/service/cgi-bin/splash_click44
-rw-r--r--files/common/www/service/iframe.html2
7 files changed, 78 insertions, 70 deletions
diff --git a/files/common/etc/crontabs/root b/files/common/etc/crontabs/root
index 3892b07..178f6e3 100644
--- a/files/common/etc/crontabs/root
+++ b/files/common/etc/crontabs/root
@@ -2,3 +2,4 @@
* * * * * /sbin/p2ptbl gossip /tmp/p2ptbl/update 500 br-mesh
* * * * * /sbin/fsm watch inetable
* * * * * /sbin/fsm watch update
+* * * * * /sbin/splash_sync
diff --git a/files/common/etc/fsm/inetable/trans/queen.enter b/files/common/etc/fsm/inetable/trans/queen.enter
index c8ec801..5d266a0 100755
--- a/files/common/etc/fsm/inetable/trans/queen.enter
+++ b/files/common/etc/fsm/inetable/trans/queen.enter
@@ -4,6 +4,7 @@
gwiptbl=/tmp/p2ptbl/gwip
NodeId="$(cat /etc/nodeid)"
+## setup gateway IPv4
# determine gw IP from p2ptable
getoct () {
p2ptbl show $gwiptbl \
@@ -34,9 +35,7 @@ batctl gw server
# set up gw IP
mesh_add_ipv4 $gwip 255.255.0.0
-# TODO: load splash status
-
-# setup DHCP
+## setup DHCP
echo "
set dhcp.mesh=dhcp
set dhcp.mesh.start=2
@@ -46,9 +45,19 @@ set dhcp.mesh.interface=mesh
" | uci batch
/etc/init.d/dnsmasq restart
+## set splash
# start redirection httpd (for splash), add GW IP to the addrs service
# httpd listens on
echo "http://$gwip/cgi-bin/splash? /sbin/urlencode" > /tmp/redirection_target
-enable_httpd redirection $randnet.1:81
-change_service_httpd_listen $gwip:80
+enable_httpd redirection $gwip:81
+change_service_httpd_listen $gwip:80
/etc/init.d/uhttpd restart
+
+# fill splash table
+splash_sync "$1"
+
+# redirect tcp to local httpd, dns to local ns
+iptables -t nat -F prerouting_inet_unsplashed
+iptables -t nat -A prerouting_inet_unsplashed -p tcp -j DNAT --to $gwip:81
+iptables -t nat -A prerouting_inet_unsplashed -p udp --dport 53 -j DNAT --to $gwip:53
+# TODO: discard any other UDP traffic
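Review bot: The prerouting_inet_unsplashed rules at the end of the hunk redirect only TCP and UDP/53, so until the TODO on the last line is resolved an unsplashed client's remaining UDP and non-TCP/UDP traffic is governed solely by whatever filter-table rules exist for that chain, which are not visible here; since discarding packets belongs in the filter table rather than nat, the TODO is better phrased as `# TODO: drop remaining UDP from unsplashed clients in the filter table (see /etc/firewall.user)` so the follow-up lands in the right place. `splash_sync "$1"` forwards this transition script's first argument as the state override, and splash_sync takes its gateway branch only when that value is literally `queen`, which is presumably what the FSM passes but worth confirming. `$gwip` is expanded unquoted in the two httpd calls and the three iptables lines; `"$gwip"` costs nothing and keeps shellcheck quiet. The chain is flushed and appended to but never created, so its existence is assumed from the firewall configuration outside this commit.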
diff --git a/files/common/etc/fsm/inetable/trans/queen.leave b/files/common/etc/fsm/inetable/trans/queen.leave
index 306c2f8..3f10d3c 100755
--- a/files/common/etc/fsm/inetable/trans/queen.leave
+++ b/files/common/etc/fsm/inetable/trans/queen.leave
@@ -18,6 +18,9 @@ uci delete dhcp.mesh
/etc/init.d/dnsmasq restart
# TODO remove splash iptable
+for mode in splashed unsplashed; do
+ iptables -t nat -F prerouting_inet_$mode
+done
# stop redirection httpd, remove GW IP from the addrs service httpd
# listens on
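Review bot: The `for mode in …` flush loop runs without the lock that the other writers of prerouting_inet_splashed in this commit (splash_sync, splash_click) take via lockSplash, so a splash_sync that has already read state=queen can insert a fresh splash_db chain after this flush; sourcing /etc/splash.sh and wrapping the loop in `lockSplash` … `unlockSplash` closes that window (otherwise the next cron run repairs it, since splash_sync flushes the chain whenever the state is not queen). The `# TODO remove splash iptable` comment directly above the loop is now implemented by it and should be dropped or reworded, e.g. `# flush both splash chains; unreferenced splash_db chains are reaped by splash_sync`. `$mode` is safe here because the values are literals, but quoting it keeps the line consistent with the rest of the file. The script continues past the end of the hunk, so the uhttpd teardown that the comment announces is not visible.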
diff --git a/files/common/sbin/splash_sync b/files/common/sbin/splash_sync
index 3a2b0f1..978583f 100755
--- a/files/common/sbin/splash_sync
+++ b/files/common/sbin/splash_sync
@@ -1,51 +1,47 @@
-#!/bin/sh
+#!/bin/sh -e
. $IPKG_INSTROOT/etc/functions.sh
+. /etc/splash.sh
+
x=0
-config_load splash_users
-test=1
-myip=`uci get network.mesh.ipaddr`
+current_time=$(date +%s)
splash_check() {
- timeout=6000
- current_time=`date +%s`
config_get mac "$1" mac
config_get time "$1" time
- local config="$1"
let time_check=$time+$timeout
if [ $time_check -gt $current_time ]; then
- # User ist noch gesplashed
- iptables -t nat -D ffj_splash -m mac --mac-source $mac -j ACCEPT
- iptables -t nat -I ffj_splash 1 -m mac --mac-source $mac -j ACCEPT
+ # user is splashed
+ iptables -t nat -I $chain -m mac --mac-source $mac -j ACCEPT
else
- # User is not longer splashed / the user must click again
- iptables -t nat -D ffj_splash -m mac --mac-source $mac -j ACCEPT
- uci delete splash_users.@user[$x].mac
- uci delete splash_users.@user[$x].time
- uci delete splash_users.@user[$x]
-
+ # user is no longer splashed / must click again
+ uci delete splash_users.@user[$x]
fi
let x=$x+1
}
-#chain refresh
-iptables -t nat -D zone_mesh_prerouting -p tcp -j ffj_splash
-iptables -t nat -F ffj_splash
-iptables -t nat -X ffj_splash
-#recreation
-iptables -t nat -N ffj_splash
-iptables -t nat -I zone_mesh_prerouting 1 -p tcp -j ffj_splash
-config_foreach splash_check user
-#DNS Whitelisting
-iptables -t nat -p udp -A ffj_splash --dport 53 -j ACCEPT
-#Jabber Whitelisting
-iptables -t nat -p tcp -A ffj_splash --dport 5222 -j ACCEPT
-iptables -t nat -p tcp -A ffj_splash --dport 5223 -j ACCEPT
-#Free Wavez in Freifunk
-iptables -t nat -A ffj_splash -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-#Freifunk-Jena Whitelisting
-iptables -t nat -A ffj_splash -d freifunk-jena.de -j ACCEPT
-iptables -t nat -A ffj_splash -d www.freifunk-jena.de -j ACCEPT
-#Jappix Whitelisting
-iptables -t nat -A ffj_splash -d static.jappix.com -j ACCEPT
-iptables -t nat -A ffj_splash -p tcp -j DNAT --to $myip:80
-
+# check for current inetable state, allowing a command line override
+lockSplash
+state=${1:-$(fsm get inetable)}
+if [ "$state" == "queen" ]; then
+ # functional gateway: copy splash db to a new iptables chain and
+ # replace the old chain with the new one; this ensures that a user
+ # stays splashed during the runtime of this script
+ chain_id=$(($chain_id + 1))
+ chain=$chain_prefix$chain_id
+ echo $chain_id > $chain_id_file
+ iptables -t nat -N $chain
+
+ config_load splash_users
+ config_foreach splash_check user
+ iptables -t nat -I prerouting_inet_splashed -j $chain
+ while iptables -t nat -D prerouting_inet_splashed 2 &>/dev/null; do :; done
+else
+ # no working gw -> remove reference to iptable copy of splash db
+ iptables -t nat -F prerouting_inet_splashed
+fi
+# remove old splash_db chains
+for i in $(iptables -t nat -L | grep ^Chain | grep '0 references' \
+ | cut -f2 -d' ' | grep ^splash_db); do
+ iptables -t nat -F $i
+ iptables -t nat -X $i
+done
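Review bot: `uci delete splash_users.@user[$x]` in splash_check is indexed by a counter that keeps advancing after a deletion, while the remaining anonymous sections shift down by one as uci applies the pending change on the next load, so once one expired entry is removed every later deletion hits the wrong user; config_foreach hands the section name to the callback as `$1` (the same value `config_get` already uses), so `uci -q delete "splash_users.$1"` removes the right entry and makes `x` unnecessary. `while iptables -t nat -D prerouting_inet_splashed 2 &>/dev/null` uses a bash redirection: a strictly POSIX /bin/sh (dash; busybox ash only with bash compatibility compiled in) parses `&>` as backgrounding the iptables call, and the loop condition then never fails — write `>/dev/null 2>&1`. `[ "$state" == "queen" ]` should likewise be `=` for /bin/sh. lockSplash is taken but, unlike in splash_click, never released in this script, and `. /etc/splash.sh` is sourced although the description says the file is added and the seven-file diffstat does not contain it; if lockSplash is a plain lock file without an EXIT trap, any `sh -e` abort (a failing `iptables -N`, for instance) leaves the lock held. The cleanup loop's `grep '0 references'` also matches `10 references`; `grep '(0 references)'` is exact.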
diff --git a/files/common/www/service/cgi-bin/splash b/files/common/www/service/cgi-bin/splash
index ee907d6..086fa82 100755
--- a/files/common/www/service/cgi-bin/splash
+++ b/files/common/www/service/cgi-bin/splash
@@ -2,7 +2,6 @@
echo -en "Status: 200 OK\r\n"
echo -en "Content-Type: text/html\r\n"
echo -en "\r\n"
-#targeturl=$(echo $QUERY_STRING)
-#targeturl=$(echo $QUERY_STRING | sed -f /etc/urlencode.sed)
-targeturl=`echo $QUERY_STRING`
-sed "s/targeturl/"$targeturl"/g" /www/splash.html
+
+targeturl="$(echo "$QUERY_STRING" | tr -d '/')"
+sed "s/targeturl/"$targeturl"/g" splash.html
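Review bot: `$targeturl` comes straight from QUERY_STRING and is spliced into both a sed program and the served page; stripping `/` only protects the delimiter, so `&` and `\` still reach the replacement text, and the expansion sits outside the double quotes, so any whitespace in the query string splits the sed script into extra arguments and breaks the command. At minimum escape the remaining sed specials and quote the expansion: `targeturl="$(echo "$QUERY_STRING" | tr -d '/' | sed 's/[&\\]/\\&/g')"` and `sed "s/targeturl/$targeturl/g" splash.html`; because the value ends up inside page markup, escaping angle brackets and double quotes before substitution is needed as well. The same applies to the final `sed "s/targeturl/…/g" iframe.html` line in splash_click, which escapes only `/` in a URL taken from the POST body before placing it in an href. `splash.html` is now resolved relative to the CGI working directory instead of `/www/splash.html`, which depends on the cwd uhttpd gives CGI scripts and is not visible here.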
diff --git a/files/common/www/service/cgi-bin/splash_click b/files/common/www/service/cgi-bin/splash_click
index d08af6a..d7e3f2f 100755
--- a/files/common/www/service/cgi-bin/splash_click
+++ b/files/common/www/service/cgi-bin/splash_click
@@ -1,14 +1,19 @@
-#!/bin/sh
+#!/bin/sh -e
+. $IPKG_INSTROOT/etc/functions.sh
+. /etc/splash.sh
+
echo -en "Status: 200 OK\r\n"
echo -en "Content-Type: text/html\r\n"
echo -en "\r\n"
-TEST=`cat `
-TEST=`echo $TEST | sed 's/'target_url='/''/g'`
-TEST=`/bin/urldecode "$TEST"`
-TEST=`echo $TEST | sed 's/%2F/\//g'`
-USER_MAC=`cat /proc/net/arp | grep $REMOTE_HOST | awk 'BEGIN { FS = " " } ; { print $4 }'`
-. $IPKG_INSTROOT/etc/functions.sh
+# decode request params
+# url is decoded twice, as it is encoded by the browser and once by us
+URL="http://$(sed 's/target_url=//g' | urldecode)"
+USER_MAC=$(grep ^$REMOTE_HOST </proc/net/arp \
+ | awk 'BEGIN { FS = " " } ; { print $4 }')
+
+# check if user is already splashed; splash otherwise
+lockSplash
ISSPLASHED=0
config_load splash_users
is_mac() {
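Review bot: `grep ^$REMOTE_HOST </proc/net/arp` treats the client address as a left-anchored regular expression, so `10.0.0.1` also matches the ARP lines for `10.0.0.10` through `10.0.0.19` and the dots match any character; an exact field comparison, `USER_MAC=$(awk -v ip="$REMOTE_HOST" '$1 == ip { print $4 }' /proc/net/arp)`, selects the right entry. Because the pipeline's status is awk's, a missing ARP entry does not trip `sh -e`; `USER_MAC` is simply empty and is later passed unquoted to iptables, so a `[ -n "$USER_MAC" ] || exit 1` before lockSplash is worthwhile. The comment says the URL is decoded twice, but the pipeline applies `urldecode` once; either the comment or the pipeline is off. `chain_id` appears to be set when /etc/splash.sh is sourced, before lockSplash is taken further down, so if the lock exists to serialise with splash_sync's chain rotation the id may already be stale when the rule is inserted (that file is not in this commit's diffstat, so this is inferred). The is_mac function continues past the end of the hunk.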
@@ -17,22 +22,17 @@ is_mac() {
ISSPLASHED=1
fi
}
-#check if user is alredy splashed
config_foreach is_mac user
-sed 's/targeturl/'"$(echo $TEST| sed 's#/#\\/#g')"'/g' /www/iframe.html
+if [ $ISSPLASHED -eq 0 ]; then
+ # user is now free to go
+ chain=$chain_prefix$chain_id
+ iptables -t nat -I $chain 1 -m mac --mac-source $USER_MAC -j ACCEPT
-if [ $ISSPLASHED -eq 1 ]; then
- exit
+ uci -q add splash_users user >/dev/null
+ uci -q set splash_users.@user[-1].mac=$USER_MAC
+ uci -q set splash_users.@user[-1].time=`date +%s`
fi
-#User is now free to go
-iptables -t nat -I ffj_splash 1 -m --mac-source $USER_MAC -j ACCEPT
-
-uci -q add splash_users user
-uci -q set splash_users.@user[-1].mac=$USER_MAC
-uci -q set splash_users.@user[-1].time=`date +%s`
-
-exit 0
-
-
-
+unlockSplash
+# send response
+sed "s/targeturl/$(echo "$URL" | sed 's#/#\\/#g')/g" iframe.html
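Review bot: unlockSplash is reached only on the success path; under `sh -e` a failing `iptables -I` or `uci` call exits the script with the lock still held, unless lockSplash installs an EXIT trap in /etc/splash.sh, which this commit does not show. A `trap unlockSplash EXIT` placed right after lockSplash (in the earlier hunk) makes the release unconditional and lets the explicit call go. The time line still uses backticks where the rest of the new code uses `$(...)`; `uci -q set splash_users.@user[-1].time=$(date +%s)` keeps the file consistent, and `$USER_MAC` on the two lines above it should be quoted. The new user entry is never committed, so it persists only as a pending uci change; if that is intentional, a one-line comment saying so would save the next reader from "fixing" it.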
diff --git a/files/common/www/service/iframe.html b/files/common/www/service/iframe.html
index cdee514..02d6112 100644
--- a/files/common/www/service/iframe.html
+++ b/files/common/www/service/iframe.html
@@ -14,7 +14,7 @@
</head>
<body style="margin:0px;">
-<!-- <div style="width:100%;padding:0px;background-color: #E5E5E5;text-align: center"><a href="targeturl">Weiter zur gesuchten Seite...</a></div>/-->
+ <div style="width:100%;padding:0px;background-color: #E5E5E5;text-align: center"><a href="targeturl">Weiter zur gesuchten Seite...</a></div>
<iframe src="http://www.freifunk-jena.de/" width="100%" height="1000px"></iframe>
</body>
</html>