- changes in Captive portal (jdegraeve):
- Fixes a bug in the way we handle authentication mechanism. (Potentially allowing double logins and faulty locking)
- Add support for different MAC formatting styles.
+ - Add support for per user bandwidth limitation.
1.22
----
$tod = gettimeofday();
$sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16);
- /* add ipfw rules for layer 3 */
- exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
- exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
+ /* Add rules for traffic shaping
+ * We don't need to add extra l3 allow rules since traffic will pass due to the following kernel option
+ * net.inet.ip.fw.one_pass: 1
+ */
+ $peruserbw = isset($config['captiveportal']['peruserbw']);
+
+ $bw_up = !empty($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup'];
+ $bw_down = !empty($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn'];
+
+ if ($peruserbw && !empty($bw_up)) {
+ $bw_up_pipeno = $ruleno + 40500;
+ exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any in");
+ exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100");
+ } else {
+ exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in");
+ }
+ if ($peruserbw && !empty($bw_down)) {
+ $bw_down_pipeno = $ruleno + 45500;
+ exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip out");
+ exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100");
+ } else {
+ exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out");
+ }
/* add ipfw rules for layer 2 */
if (!isset($config['captiveportal']['nomacfilter'])) {
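Review bot: `$bw_up` and `$bw_down` are interpolated into the `/sbin/ipfw pipe ... config bw` command lines passed to `exec()` without being constrained to a number. The RADIUS path goes through `radius_cvt_int`, but the fallback `$config['captiveportal']['bwdefaultup']` / `['bwdefaultdn']` is stored straight from `$_POST` in the settings-save hunk of this commit, so whatever text that form field carries reaches the shell. Force both to integers right after they are assigned and before the `!empty()` tests, e.g. `$bw_up = intval($bw_up);` and `$bw_down = intval($bw_down);`, and reject non-numeric input where the settings are saved. The enclosing function starts and ends outside the hunk.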
mwexec("/sbin/ipfw delete " . $dbent[1] . " " . ($dbent[1]+10000));
- //KEYCOM: we need to delete +40500 and +45500 as well...
- //these are the rule numbers we use to control traffic shaping for each logged in user via captive portal
- //we only need to remove our rules if peruserbw is turned on.
+ /* We need to delete +40500 and +45500 as well...
+ * these are the pipe numbers we use to control traffic shaping for each logged in user via captive portal
+ * We could get an error if the pipe doesn't exist but everything should still be fine
+ */
if (isset($config['captiveportal']['peruserbw'])) {
- mwexec("/sbin/ipfw delete " . ($dbent[1]+40500));
- mwexec("/sbin/ipfw delete " . ($dbent[1]+45500));
+ mwexec("/sbin/ipfw pipe delete " . ($dbent[1]+40500));
+ mwexec("/sbin/ipfw pipe delete " . ($dbent[1]+45500));
}
}
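Review bot: Pipe cleanup still depends on `peruserbw` being set at the moment of disconnect, so a session that got its pipes while the option was on keeps them if the option is switched off before the client logs out. The new comment already accepts the harmless error for a pipe that does not exist, so the two `ipfw pipe delete` calls could run unconditionally by dropping the `if (isset($config['captiveportal']['peruserbw']))` wrapper. The function begins outside the hunk.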
// Ingress
exec("/sbin/ipfw show {$ruleno}", $ipfw);
- preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches);
+ preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+.*/", $ipfw[0], $matches);
$volume['input_pkts'] = $matches[2];
$volume['input_bytes'] = $matches[3];
unset($matches);
// Outgress
- preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches);
+ preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+.*/", $ipfw[1], $matches);
$volume['output_pkts'] = $matches[2];
$volume['output_bytes'] = $matches[3];
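Review bot: The return value of `preg_match` is not checked and the pattern no longer names the rule action, so an empty `ipfw show` result or an unexpected line leaves `$matches[2]` and `$matches[3]` undefined and the volume counters silently null. The trailing `\s+.*` constrains nothing; a pattern such as `/(\d+)\s+(\d+)\s+(\d+)\s+(?:skipto|pipe)\b/` still covers both rule types this commit installs. Guarding each read with `if (!empty($ipfw[0]) && preg_match(...))` (and likewise for `$ipfw[1]`) would keep bad counters away from whatever consumes `$volume`. The function continues outside the hunk.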
$this->attributes['url_redirection'] = radius_cvt_string($datav);
break;
case 5: /* WISPr-Bandwidth-Min-Up */
- $this->attributes['bw_minbytesup'] = radius_cvt_int($datav);
+ $this->attributes['bw_up_min'] = radius_cvt_int($datav);
break;
case 6: /* WISPr-Bandwidth-Min-Down */
- $this->attributes['bw_minbytesdown'] = radius_cvt_int($datav);
+ $this->attributes['bw_down_min'] = radius_cvt_int($datav);
break;
case 7: /* WIPSr-Bandwidth-Max-Up */
- $this->attributes['bw_maxbytesup'] = radius_cvt_int($datav);
+ $this->attributes['bw_up'] = radius_cvt_int($datav);
break;
case 8: /* WISPr-Bandwidth-Max-Down */
- $this->attributes['bw_maxbytesdown'] = radius_cvt_int($datav);
+ $this->attributes['bw_down'] = radius_cvt_int($datav);
break;
case 9: /* WISPr-Session-Terminate-Time */
$this->attributes['session_terminate_time'] = radius_cvt_string($datav);
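Review bot: `bw_up` and `bw_down` now hold the raw WISPr-Bandwidth-Max-Up/Down integers, which WISPr defines in bits per second, while the captive-portal hunk of this commit appends `Kbit/s` to the same values when it configures the pipe. Unless the RADIUS server is expected to send kilobits, the limit applied would be 1000 times the one requested. Converting once here, e.g. `$this->attributes['bw_up'] = intval(radius_cvt_int($datav) / 1000);`, or at least adding a comment that states the expected unit, would remove the ambiguity. The switch statement starts and ends outside the hunk.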
Pavel A. Grodek (<a href="mailto:pg@abletools.com">pg@abletools.com</a>)<br>
<em><font color="#666666">Traffic shaper packet loss rate/queue size</font></em><br>
<br>
- Rob Parker, Keycom PLC (<a href="mailto:rob.parker@keycom.co.uk">rob.parker@keycom.co.uk</a>)<br>
- <em><font color="#666666">Captive portal per-user bandwidth restrictions</font></em><br>
- <br>
Pascal Suter (<a href="mailto:d-monodev@psuter.ch">d-monodev@psuter.ch</a>)<br>
<em><font color="#666666">Captive portal local user database</font></em><br>
<br>
<br>
Jonathan De Graeve (<a href="mailto:Jonathan.De.Graeve@imelda.be">Jonathan.De.Graeve@imelda.be</a>)<br>
<em><font color="#666666">Complete captive portal RADIUS overhaul, cleanup</font></em><br>
- <em><font color="#666666">captive portal: file manager, volume stats, FW rulepool (virtual port pool), MAC formatting</font></em><br>
+ <em><font color="#666666">captive portal: file manager, volume stats, FW rulepool (virtual port pool), MAC formatting, per user bandwidth limitation</font></em><br>
<hr size="1">
<p>m0n0wall is based upon/includes various free software packages,
listed below.<br>
$pconfig['cert'] = base64_decode($config['captiveportal']['certificate']);
$pconfig['key'] = base64_decode($config['captiveportal']['private-key']);
$pconfig['logoutwin_enable'] = isset($config['captiveportal']['logoutwin_enable']);
+$pconfig['peruserbw'] = isset($config['captiveportal']['peruserbw']);
+$pconfig['bwdefaultdn'] = $config['captiveportal']['bwdefaultdn'];
+$pconfig['bwdefaultup'] = $config['captiveportal']['bwdefaultup'];
$pconfig['nomacfilter'] = isset($config['captiveportal']['nomacfilter']);
$pconfig['noconcurrentlogins'] = isset($config['captiveportal']['noconcurrentlogins']);
$pconfig['redirurl'] = $config['captiveportal']['redirurl'];
$config['captiveportal']['certificate'] = base64_encode($_POST['cert']);
$config['captiveportal']['private-key'] = base64_encode($_POST['key']);
$config['captiveportal']['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false;
+ $config['captiveportal']['peruserbw'] = $_POST['peruserbw'] ? true : false;
+ $config['captiveportal']['bwdefaultdn'] = $_POST['bwdefaultdn'];
+ $config['captiveportal']['bwdefaultup'] = $_POST['bwdefaultup'];
$config['captiveportal']['nomacfilter'] = $_POST['nomacfilter'] ? true : false;
$config['captiveportal']['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
$config['captiveportal']['redirurl'] = $_POST['redirurl'];
document.iform.auth_method[0].disabled = endis;
document.iform.auth_method[1].disabled = endis;
document.iform.auth_method[2].disabled = endis;
+ document.iform.peruserbw.disabled = endis;
+ document.iform.bwdefaultdn.disabled = endis;
+ document.iform.bwdefaultup.disabled = endis;
document.iform.radmac_enable.disabled = radius_endis;
document.iform.radmac_format.disabled = radius_endis;
document.iform.httpslogin_enable.disabled = endis;
<strong>Disable MAC filtering</strong><br>
If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in.
This is required when the MAC address of the client cannot be determined (usually because there are routers between m0n0wall and the clients).</td>
- </tr>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">Per-user bandwidth restriction</td>
+ <td class="vtable">
+ <input name="peruserbw" type="checkbox" class="formfld" id="peruserbw" value="yes" <?php if ($pconfig['peruserbw']) echo "checked"; ?>>
+ <strong>Enable per-user bandwidth restriction</strong><br><br>
+ <table cellpadding="0" cellspacing="0">
+ <tr>
+ <td>Default download</td>
+ <td><input type="text" class="formfld" name="bwdefaultdn" id="bwdefaultdn" size="10" value"<?=htmlspecialchars($pconfig['bwdefaultdn']);?>"> Kbit/s</td>
+ </tr>
+ <tr>
+ <td>Default upload</td>
+ <td><input type="text" class="formfld" name="bwdefaultup" id="bwdefaultup" size="10" value"<?=htmlspecialchars($pconfig['bwdefaultup']);?>"> Kbit/s</td>
+ </tr></table>
+ <br>
+ If this option is set, the captive portal will restrict each user who logs in to the specified default bandwidth. RADIUS can override the default settings. Leave empty or set to 0 for no limit. You will <strong>need</strong> to enable the traffic shaper for this to be effective.</td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell">Authentication</td>
<td width="78%" class="vtable">
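Review bot: Both new text inputs are missing the `=` in the value attribute (`value"<?=...?>"`), so the stored defaults are most likely not rendered into the form, and a later save from this page would submit them empty. They should read `value="<?=htmlspecialchars($pconfig['bwdefaultdn']);?>"` and `value="<?=htmlspecialchars($pconfig['bwdefaultup']);?>"`. The help text says the traffic shaper must be enabled, but nothing visible in this commit checks that when the option is switched on; either validate it on save or state it as a known limitation.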