| author | Katze Miau <miaukatzemiau@priveasy.de> | 2011-12-20 16:30:27 (GMT) | 
|---|---|---|
| committer | Katze Miau <miaukatzemiau@priveasy.de> | 2011-12-20 16:30:27 (GMT) | 
| commit | 8ebdb23cff88abd518c8f631eb5e8cc65036d08e (patch) | |
| tree | e223ba0259f69ff66d239cc498eedc6944d62f91 /files/common | |
| parent | 2c089f72e227ec7229709c7903d322ef42986abd (diff) | |
reintegrate splash
- add cronjob for splash_sync (every minute for debugging; to be
  increased)
- add redirection for unsplashed users in queen.enter, remove it in
  queen.leave
- add /etc/splash.sh to centralize functionality used in
  /sbin/splash_sync and /www/service/*splash*
- make splash_sync to use a transactional update approach: insert
  iptable rules for all splashed MACs into a new chain, then replace
  old and new chain; this avoids downtime even if splash_sync is slow
- remove allowed services for splashed users; this is intended to not
  move old cruft over to new code; if any of those services shall
  be reenabled, it should happen in /etc/firewall.user
- make /sbin/splash_sync aware of the current state of FSM inetable
  (read via /sbin/fsm with optional command line override); this
  allows to unconditionally call splash_sync via cron
- add locks to all places where the splash state is touched
- remove multiple escaping/quoting/encoding problems in splash cgi
  scripts
- reenable link to the page the user initially demanded in
  /www/service/cgi-bin/splash_click
Diffstat (limited to 'files/common')
| -rw-r--r-- | files/common/etc/crontabs/root | 1 | ||||
| -rwxr-xr-x | files/common/etc/fsm/inetable/trans/queen.enter | 19 | ||||
| -rwxr-xr-x | files/common/etc/fsm/inetable/trans/queen.leave | 3 | ||||
| -rwxr-xr-x | files/common/sbin/splash_sync | 72 | ||||
| -rwxr-xr-x | files/common/www/service/cgi-bin/splash | 7 | ||||
| -rwxr-xr-x | files/common/www/service/cgi-bin/splash_click | 44 | ||||
| -rw-r--r-- | files/common/www/service/iframe.html | 2 | 
7 files changed, 78 insertions, 70 deletions
| diff --git a/files/common/etc/crontabs/root b/files/common/etc/crontabs/root index 3892b07..178f6e3 100644 --- a/files/common/etc/crontabs/root +++ b/files/common/etc/crontabs/root @@ -2,3 +2,4 @@  * * * * * /sbin/p2ptbl gossip /tmp/p2ptbl/update 500 br-mesh  * * * * * /sbin/fsm watch inetable  * * * * * /sbin/fsm watch update +* * * * * /sbin/splash_sync diff --git a/files/common/etc/fsm/inetable/trans/queen.enter b/files/common/etc/fsm/inetable/trans/queen.enter index c8ec801..5d266a0 100755 --- a/files/common/etc/fsm/inetable/trans/queen.enter +++ b/files/common/etc/fsm/inetable/trans/queen.enter @@ -4,6 +4,7 @@  gwiptbl=/tmp/p2ptbl/gwip  NodeId="$(cat /etc/nodeid)" +## setup gateway IPv4  # determine gw IP from p2ptable  getoct () {      p2ptbl show $gwiptbl \ @@ -34,9 +35,7 @@ batctl gw server  # set up gw IP  mesh_add_ipv4 $gwip 255.255.0.0 -# TODO: load splash status - -# setup DHCP +## setup DHCP  echo "  set dhcp.mesh=dhcp  set dhcp.mesh.start=2 @@ -46,9 +45,19 @@ set dhcp.mesh.interface=mesh  " | uci batch  /etc/init.d/dnsmasq restart +## set splash  # start redirection httpd (for splash), add GW IP to the addrs service  # httpd listens on  echo "http://$gwip/cgi-bin/splash? /sbin/urlencode" > /tmp/redirection_target -enable_httpd redirection $randnet.1:81 -change_service_httpd_listen   $gwip:80 +enable_httpd redirection    $gwip:81 +change_service_httpd_listen $gwip:80  /etc/init.d/uhttpd restart + +# fill splash table +splash_sync "$1" + +# redirect tcp to local httpd, dns to local ns +iptables -t nat -F prerouting_inet_unsplashed +iptables -t nat -A prerouting_inet_unsplashed -p tcp            -j DNAT --to $gwip:81 +iptables -t nat -A prerouting_inet_unsplashed -p udp --dport 53 -j DNAT --to $gwip:53 +# TODO: discard any other UDP traffic diff --git a/files/common/etc/fsm/inetable/trans/queen.leave b/files/common/etc/fsm/inetable/trans/queen.leave index 306c2f8..3f10d3c 100755 --- a/files/common/etc/fsm/inetable/trans/queen.leave 
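Review bot: The unsplashed DNAT rule `-p tcp -j DNAT --to $gwip:81` matches every TCP port, so an unsplashed client's HTTPS (or any other TCP) connection is steered into the plain-HTTP redirection listener on 81 and fails with a protocol error instead of showing the portal; limiting the redirect to `-p tcp --dport 80` and dropping the remainder of an unsplashed client's traffic in the filter table would make the `# TODO: discard any other UDP traffic` on the last line concrete. That TODO also implies that UDP other than port 53, and non-TCP/UDP protocols, currently leave an unsplashed host untouched, because a nat PREROUTING chain only rewrites what it matches. `iptables -t nat -F prerouting_inet_unsplashed` assumes the chain already exists and is jumped to from PREROUTING — presumably set up in /etc/firewall.user, which is not part of this diff — so a comment naming where it is created would help the next reader. Forwarding `"$1"` to `splash_sync` relies on the FSM passing the entered state name to queen.enter; if it passes anything else, splash_sync's override takes the non-queen branch and flushes the splashed chain.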
+++ b/files/common/etc/fsm/inetable/trans/queen.leave @@ -18,6 +18,9 @@ uci delete dhcp.mesh  /etc/init.d/dnsmasq restart  # TODO remove splash iptable +for mode in splashed unsplashed; do +    iptables -t nat -F prerouting_inet_$mode +done  # stop redirection httpd, remove GW IP from the addrs service httpd  # listens on diff --git a/files/common/sbin/splash_sync b/files/common/sbin/splash_sync index 3a2b0f1..978583f 100755 --- a/files/common/sbin/splash_sync +++ b/files/common/sbin/splash_sync 
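Review bot: The context line `# TODO remove splash iptable` directly above the new loop is now stale, since the loop is what flushes the splash chains; replace it with a comment that says what happens, e.g. `# flush the splash nat chains; the splash_db* copies drop to 0 references and are reaped by the next splash_sync run`. The second half of that is inferred from splash_sync's cleanup loop elsewhere in this commit and is worth confirming, because `-F` here only empties the two chains and leaves the jump-target chains in place until cron gets to them. queen.leave's body continues outside the hunk.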
@@ -1,51 +1,47 @@ -#!/bin/sh +#!/bin/sh -e  . $IPKG_INSTROOT/etc/functions.sh +. /etc/splash.sh +  x=0 -config_load splash_users -test=1 -myip=`uci get network.mesh.ipaddr` +current_time=$(date +%s)  splash_check() { -   timeout=6000 -   current_time=`date +%s`     config_get mac "$1" mac     config_get time "$1" time -   local config="$1"      let time_check=$time+$timeout     if [ $time_check -gt  $current_time ]; then -   	# User ist noch gesplashed -   	iptables  -t nat -D ffj_splash -m mac --mac-source $mac -j ACCEPT -   	iptables  -t nat -I ffj_splash 1 -m mac --mac-source $mac -j ACCEPT +	# user is splashed +       iptables -t nat -I $chain -m mac --mac-source $mac -j ACCEPT     else -   	# User is not longer splashed / the user must click again -   	iptables -t nat -D ffj_splash -m mac --mac-source $mac -j ACCEPT -   	uci delete splash_users.@user[$x].mac -   	uci delete splash_users.@user[$x].time -   	uci delete splash_users.@user[$x]      -   	 +	# user is no longer splashed / must click again +       uci delete splash_users.@user[$x]          fi     let x=$x+1  } -#chain refresh -iptables -t nat -D zone_mesh_prerouting -p tcp -j ffj_splash  -iptables -t nat -F ffj_splash -iptables -t nat -X ffj_splash  -#recreation -iptables -t nat -N ffj_splash -iptables -t nat -I zone_mesh_prerouting 1 -p tcp -j ffj_splash -config_foreach splash_check user -#DNS Whitelisting -iptables -t nat -p udp -A ffj_splash --dport 53 -j ACCEPT -#Jabber Whitelisting -iptables -t nat -p tcp -A ffj_splash --dport 5222 -j ACCEPT -iptables -t nat -p tcp -A ffj_splash --dport 5223 -j ACCEPT -#Free Wavez in Freifunk -iptables -t nat -A ffj_splash -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT -#Freifunk-Jena Whitelisting -iptables -t nat -A ffj_splash -d freifunk-jena.de -j ACCEPT -iptables -t nat -A ffj_splash -d www.freifunk-jena.de -j ACCEPT -#Jappix Whitelisting -iptables -t nat -A ffj_splash -d  static.jappix.com -j ACCEPT -iptables -t nat -A ffj_splash -p tcp -j DNAT --to $myip:80 -       
                                         +# check for current inetable state, allowing a command line override +lockSplash +state=${1:-$(fsm get inetable)} +if [ "$state" == "queen" ]; then +    # functional gateway: copy splash db to a new iptables chain and +    # replace the old chain with the new one; this ensures that a user +    # stays splashed during the runtime of this script +    chain_id=$(($chain_id + 1)) +    chain=$chain_prefix$chain_id +    echo $chain_id > $chain_id_file +    iptables -t nat -N $chain + +    config_load splash_users +    config_foreach splash_check user +    iptables -t nat -I prerouting_inet_splashed -j $chain +    while iptables -t nat -D prerouting_inet_splashed 2 &>/dev/null; do :; done +else +    # no working gw -> remove reference to iptable copy of splash db +    iptables -t nat -F prerouting_inet_splashed +fi +# remove old splash_db chains +for i in $(iptables -t nat -L | grep ^Chain | grep '0 references' \ +         | cut -f2 -d' ' | grep ^splash_db); do +    iptables -t nat -F $i +    iptables -t nat -X $i +done diff --git a/files/common/www/service/cgi-bin/splash b/files/common/www/service/cgi-bin/splash index ee907d6..086fa82 100755 --- a/files/common/www/service/cgi-bin/splash +++ b/files/common/www/service/cgi-bin/splash @@ -2,7 +2,6 @@  echo -en "Status: 200 OK\r\n"  echo -en "Content-Type: text/html\r\n"  echo -en "\r\n" -#targeturl=$(echo $QUERY_STRING) -#targeturl=$(echo $QUERY_STRING | sed -f /etc/urlencode.sed) -targeturl=`echo $QUERY_STRING` -sed "s/targeturl/"$targeturl"/g" /www/splash.html  + +targeturl="$(echo "$QUERY_STRING" | tr -d '/')" +sed "s/targeturl/"$targeturl"/g" splash.html diff --git a/files/common/www/service/cgi-bin/splash_click b/files/common/www/service/cgi-bin/splash_click index d08af6a..d7e3f2f 100755 --- a/files/common/www/service/cgi-bin/splash_click +++ b/files/common/www/service/cgi-bin/splash_click 
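Review bot: `uci delete splash_users.@user[$x]` in splash_check deletes by position while `x` keeps counting up, but each successful delete renumbers the remaining anonymous sections, so after the first expired entry the index points one section past the one that expired and a still-valid user can be dropped instead (the old code had the same flaw; the commit keeps the line). config_foreach passes the section name as `$1`, so `uci -q delete "splash_users.$1"` removes the right entry regardless of order, assuming this uci resolves the generated cfg names of anonymous sections as the usual OpenWrt idiom does. Separately, the cleanup loop's `iptables -t nat -L` without `-n` reverse-resolves every address and can stall for seconds when DNS is unavailable, which matters for a job run every minute under lockSplash; `iptables -t nat -L -n` avoids it. splash_click calls unlockSplash explicitly while this script never does, so the lock is presumably released on process exit; a one-line comment next to `lockSplash` stating that would spare the reader from wondering whether an iptables failure under `-e` inside splash_check leaves it held.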
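Review bot: `sed "s/targeturl/"$targeturl"/g" splash.html` leaves `$targeturl` outside the double quotes, so a query string with whitespace or glob characters is word-split into extra sed arguments, and the value reaches the HTML with no escaping: a crafted link carrying a raw `"` or `<` (uhttpd appears to hand QUERY_STRING over undecoded — worth confirming) becomes markup in the page, and `&` or `\` are interpreted by sed's replacement syntax. The commit message says quoting problems in the splash CGIs were removed, but this one survives in effect. I would HTML-escape first and then escape sed's metacharacters: `targeturl=$(printf '%s' "$QUERY_STRING" | tr -d '/' | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e 's/[\\&]/\\&/g')` followed by `sed "s/targeturl/$targeturl/g" splash.html`. The switch from `/www/splash.html` to a relative `splash.html` also relies on uhttpd's working directory for CGI being the document root; a comment saying so would help.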
@@ -1,14 +1,19 @@ -#!/bin/sh +#!/bin/sh -e +. $IPKG_INSTROOT/etc/functions.sh +. /etc/splash.sh +  echo -en "Status: 200 OK\r\n"  echo -en "Content-Type: text/html\r\n"  echo -en "\r\n" -TEST=`cat ` -TEST=`echo $TEST | sed 's/'target_url='/''/g'` -TEST=`/bin/urldecode "$TEST"` -TEST=`echo $TEST | sed 's/%2F/\//g'` -USER_MAC=`cat /proc/net/arp | grep $REMOTE_HOST | awk 'BEGIN { FS = " " } ; { print $4 }'` -. $IPKG_INSTROOT/etc/functions.sh +# decode request params +# url is decoded twice, as it is encoded by the browser and once by us +URL="http://$(sed 's/target_url=//g' | urldecode)" +USER_MAC=$(grep ^$REMOTE_HOST </proc/net/arp \ +	 | awk 'BEGIN { FS = " " } ; { print $4 }') + +# check if user is already splashed; splash otherwise +lockSplash  ISSPLASHED=0  config_load splash_users  is_mac() { @@ -17,22 +22,17 @@ is_mac() {     	ISSPLASHED=1     fi  } -#check if user is alredy splashed  config_foreach is_mac user -sed 's/targeturl/'"$(echo $TEST| sed 's#/#\\/#g')"'/g' /www/iframe.html +if [ $ISSPLASHED -eq 0 ]; then +    # user is now free to go +    chain=$chain_prefix$chain_id +    iptables -t nat -I $chain 1 -m mac --mac-source $USER_MAC -j ACCEPT -if [ $ISSPLASHED -eq 1 ]; then -	exit +    uci -q add splash_users user >/dev/null +    uci -q set splash_users.@user[-1].mac=$USER_MAC +    uci -q set splash_users.@user[-1].time=`date +%s`  fi -#User is now free to go -iptables -t nat -I ffj_splash 1 -m --mac-source $USER_MAC -j ACCEPT - -uci -q add splash_users user -uci -q set splash_users.@user[-1].mac=$USER_MAC -uci -q set splash_users.@user[-1].time=`date +%s` - -exit 0 - - -                                                +unlockSplash +# send response +sed "s/targeturl/$(echo "$URL" | sed 's#/#\\/#g')/g" iframe.html diff --git a/files/common/www/service/iframe.html b/files/common/www/service/iframe.html index cdee514..02d6112 100644 --- a/files/common/www/service/iframe.html +++ b/files/common/www/service/iframe.html 
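Review bot: `grep ^$REMOTE_HOST </proc/net/arp` is anchored only at the front and `.` is a regex wildcard, so for client 10.0.0.1 it also matches 10.0.0.10 through 10.0.0.19; `$USER_MAC` then holds several MACs (or, if only a longer address has an ARP entry, a neighbour's MAC), and because it is expanded unquoted the later `iptables -I` either rejects the extra words — aborting under `-e` after the headers have gone out, with lockSplash still taken unless the lock is released on exit — or whitelists the wrong host. An exact-field match with an empty check is safer: `USER_MAC=$(awk -v ip="$REMOTE_HOST" '$1 == ip { print $4; exit }' /proc/net/arp)` followed by `[ -n "$USER_MAC" ] || exit 1` before lockSplash. The comment `# url is decoded twice ...` does not match the code, which calls `urldecode` once; reword it to what actually happens, e.g. `# target_url is URL-encoded once by the browser's form submit; urldecode reverses it`.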
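Review bot: The decoded `$URL` is substituted into iframe.html's `href="targeturl"` with no HTML escaping, and only `/` is escaped for sed, so a POST body containing `"`, `<`, `&` or `\` is reflected into the page as markup or mangled by sed's replacement semantics; HTML-escape first and then escape sed's metacharacters, `URL=$(printf '%s' "$URL" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e 's/[\\&]/\\&/g')`, before the existing `sed 's#/#\\/#g'` on the last line. `$USER_MAC` is likewise handed unquoted and unvalidated to `iptables -I` and written into uci, from where splash_sync replays it every minute; a guard such as `case "$USER_MAC" in *[!0-9a-fA-F:]*|'') exit 1;; esac` before the iptables call keeps an empty or malformed value out of both the ruleset and the db. With `-e` in the shebang, any failure between the headers and the final sed leaves the client with headers and an empty body, so the guard should run before lockSplash so the lock is never taken for a request that cannot succeed.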
@@ -14,7 +14,7 @@  </head>  <body style="margin:0px;"> -<!-- <div style="width:100%;padding:0px;background-color: #E5E5E5;text-align: center"><a href="targeturl">Weiter zur gesuchten Seite...</a></div>/--> + <div style="width:100%;padding:0px;background-color: #E5E5E5;text-align: center"><a href="targeturl">Weiter zur gesuchten Seite...</a></div>  <iframe src="http://www.freifunk-jena.de/" width="100%" height="1000px"></iframe>  </body>  </html> | 
