From 24bbafd2fec28df0f44a00c2d795e4767b8f273a Mon Sep 17 00:00:00 2001 From: jdegraeve Date: Wed, 24 May 2006 14:28:58 +0000 Subject: [PATCH] First BETA of Captive Portal per user bandwidth limitation. PLEASE RELEASE A BETA TO TEST!!! git-svn-id: https://svn.m0n0.ch/wall/trunk@138 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- CHANGELOG | 1 + captiveportal/index.php | 26 +++++++++++++++++++++++--- phpconf/inc/captiveportal.inc | 15 ++++++++------- phpconf/inc/radius.inc | 8 ++++---- webgui/license.php | 5 +---- webgui/services_captiveportal.php | 28 +++++++++++++++++++++++++++- 6 files changed, 64 insertions(+), 19 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index b59825c..b0b6888 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -9,6 +9,7 @@ $Id$ - changes in Captive portal (jdegraeve): - Fixes a bug in the way we handle authentication mechanism. (Potentially allowing double logins and faulty locking) - Add support for different MAC formatting styles. + - Add support for per user bandwidth limitation. 1.22 ---- diff --git a/captiveportal/index.php b/captiveportal/index.php index 4e5d6eb..dbe477b 100755 --- a/captiveportal/index.php +++ b/captiveportal/index.php 
@@ -284,9 +284,29 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut $tod = gettimeofday(); $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16); - /* add ipfw rules for layer 3 */ - exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in"); - exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out"); + /* Add rules for traffic shaping + * We don't need to add extra l3 allow rules since traffic will pass due to the following kernel option + * net.inet.ip.fw.one_pass: 1 + */ + $peruserbw = isset($config['captiveportal']['peruserbw']); + + $bw_up = !empty($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup']; + $bw_down = !empty($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn']; + + if ($peruserbw && !empty($bw_up)) { + $bw_up_pipeno = $ruleno + 40500; + exec("/sbin/ipfw add $ruleno set 2 pipe $bw_up_pipeno ip from $clientip to any in"); + exec("/sbin/ipfw pipe $bw_up_pipeno config bw {$bw_up}Kbit/s queue 100"); + } else { + exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in"); + } + if ($peruserbw && !empty($bw_down)) { + $bw_down_pipeno = $ruleno + 45500; + exec("/sbin/ipfw add $ruleno set 2 pipe $bw_down_pipeno ip from any to $clientip out"); + exec("/sbin/ipfw pipe $bw_down_pipeno config bw {$bw_down}Kbit/s queue 100"); + } else { + exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out"); + } /* add ipfw rules for layer 2 */ if (!isset($config['captiveportal']['nomacfilter'])) { diff --git a/phpconf/inc/captiveportal.inc b/phpconf/inc/captiveportal.inc index 7c62db9..a6ec6b0 100644 --- a/phpconf/inc/captiveportal.inc +++ b/phpconf/inc/captiveportal.inc 
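Review bot: `$bw_up` and `$bw_down` are interpolated into the `exec("/sbin/ipfw pipe ... config bw {$bw_up}Kbit/s queue 100")` command strings after nothing more than `trim()`, so any value that is not a plain number reaches the shell. The defaults `bwdefaultup`/`bwdefaultdn` are written by the `if ($_POST)` hunk in webgui/services_captiveportal.php straight from `$_POST` with no validation visible in this patch, and the RADIUS path relies on `radius_cvt_int` always yielding an integer. Forcing both to integers before the `if ($peruserbw && ...)` tests closes this at the point of use: `$bw_up = (int)$bw_up;` and `$bw_down = (int)$bw_down;` (0 still means "no limit" through `!empty()`). The save handler should reject non-numeric input as well. portal_allow starts and ends outside this hunk.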
@@ -528,12 +528,13 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t mwexec("/sbin/ipfw delete " . $dbent[1] . " " . ($dbent[1]+10000)); - //KEYCOM: we need to delete +40500 and +45500 as well... - //these are the rule numbers we use to control traffic shaping for each logged in user via captive portal - //we only need to remove our rules if peruserbw is turned on. + /* We need to delete +40500 and +45500 as well... + * these are the pipe numbers we use to control traffic shaping for each logged in user via captive portal + * We could get an error if the pipe doesn't exist but everything should still be fine + */ if (isset($config['captiveportal']['peruserbw'])) { - mwexec("/sbin/ipfw delete " . ($dbent[1]+40500)); - mwexec("/sbin/ipfw delete " . ($dbent[1]+45500)); + mwexec("/sbin/ipfw pipe delete " . ($dbent[1]+40500)); + mwexec("/sbin/ipfw pipe delete " . ($dbent[1]+45500)); } } @@ -926,7 +927,7 @@ function getVolume($ruleno) { // Ingress exec("/sbin/ipfw show {$ruleno}", $ipfw); - preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches); + preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+.*/", $ipfw[0], $matches); $volume['input_pkts'] = $matches[2]; $volume['input_bytes'] = $matches[3]; @@ -934,7 +935,7 @@ function getVolume($ruleno) { unset($matches); // Outgress - preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches); + preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+.*/", $ipfw[1], $matches); $volume['output_pkts'] = $matches[2]; $volume['output_bytes'] = $matches[3]; diff --git a/phpconf/inc/radius.inc b/phpconf/inc/radius.inc index e27632b..0c69f6b 100644 --- a/phpconf/inc/radius.inc +++ b/phpconf/inc/radius.inc 
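Review bot: The two `ipfw pipe delete` calls still run only while `peruserbw` is set, but the pipes were created at login under whatever the setting was at that time. If the option is switched off while sessions are open, the pipes at `+40500`/`+45500` for those sessions appear to stay configured after disconnect. The new comment already accepts an error for a missing pipe, so dropping the `isset($config['captiveportal']['peruserbw'])` guard and always issuing both deletes would keep pipe state from outliving its session; the comment could then read `/* always remove the per-user pipes: the option may have changed since login */`. captiveportal_disconnect begins outside the hunk.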
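Review bot: Replacing `skipto` with `.*` leaves the counter pattern unanchored and accepting any trailing text, and neither `preg_match` result is checked before `$matches[2]` and `$matches[3]` are read; the same applies to the second getVolume hunk (`@@ -934,7 +935,7 @@`). When `ipfw show` returns fewer than two lines or a line in another format, the volume fields end up null or take the wrong numbers, and these look like the figures used for per-user traffic accounting. Anchoring the pattern and naming the two expected actions keeps the parse strict: `preg_match("/^(\d+)\s+(\d+)\s+(\d+)\s+(?:skipto|pipe)\b/", $ipfw[0], $matches)`, with the counters set to 0 when it does not match. getVolume's body continues outside both hunks.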
@@ -595,16 +595,16 @@ class Auth_RADIUS extends PEAR { $this->attributes['url_redirection'] = radius_cvt_string($datav); break; case 5: /* WISPr-Bandwidth-Min-Up */ - $this->attributes['bw_minbytesup'] = radius_cvt_int($datav); + $this->attributes['bw_up_min'] = radius_cvt_int($datav); break; case 6: /* WISPr-Bandwidth-Min-Down */ - $this->attributes['bw_minbytesdown'] = radius_cvt_int($datav); + $this->attributes['bw_down_min'] = radius_cvt_int($datav); break; case 7: /* WIPSr-Bandwidth-Max-Up */ - $this->attributes['bw_maxbytesup'] = radius_cvt_int($datav); + $this->attributes['bw_up'] = radius_cvt_int($datav); break; case 8: /* WISPr-Bandwidth-Max-Down */ - $this->attributes['bw_maxbytesdown'] = radius_cvt_int($datav); + $this->attributes['bw_down'] = radius_cvt_int($datav); break; case 9: /* WISPr-Session-Terminate-Time */ $this->attributes['session_terminate_time'] = radius_cvt_string($datav); diff --git a/webgui/license.php b/webgui/license.php index e2a1b53..c3627da 100755 --- a/webgui/license.php +++ b/webgui/license.php @@ -142,9 +142,6 @@ require("guiconfig.inc"); Pavel A. Grodek (pg@abletools.com)
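Review bot: The `bw_up`/`bw_down` keys set in `case 7` and `case 8` carry the WISPr-Bandwidth-Max values unconverted, while portal_allow in captiveportal/index.php appends `Kbit/s` to the same values. As far as I know WISPr expresses these attributes in bits per second, so a RADIUS-supplied limit would be enforced a thousand times looser than the server intended; this is worth confirming against the dictionary in use. If it holds, convert where the value is consumed, e.g. `$bw_up = (int)round($attributes['bw_up'] / 1000);`, and record the unit beside the assignment with a comment such as `/* value in bit/s as sent by RADIUS */`. The renamed `bw_up_min`/`bw_down_min` keys are not read by any hunk shown in this patch. The enclosing switch continues outside the hunk.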
    Traffic shaper packet loss rate/queue size

- Rob Parker, Keycom PLC (rob.parker@keycom.co.uk)
-     Captive portal per-user bandwidth restrictions
-
Pascal Suter (d-monodev@psuter.ch)
    Captive portal local user database

@@ -167,7 +164,7 @@ require("guiconfig.inc");
Jonathan De Graeve (Jonathan.De.Graeve@imelda.be)
    Complete captive portal RADIUS overhaul, cleanup
-     captive portal: file manager, volume stats, FW rulepool (virtual port pool), MAC formatting
+     captive portal: file manager, volume stats, FW rulepool (virtual port pool), MAC formatting, per user bandwidth limitation

m0n0wall is based upon/includes various free software packages, listed below.
diff --git a/webgui/services_captiveportal.php b/webgui/services_captiveportal.php index 66b9d00..bf56d73 100755 --- a/webgui/services_captiveportal.php +++ b/webgui/services_captiveportal.php @@ -63,6 +63,9 @@ $pconfig['httpsname'] = $config['captiveportal']['httpsname']; $pconfig['cert'] = base64_decode($config['captiveportal']['certificate']); $pconfig['key'] = base64_decode($config['captiveportal']['private-key']); $pconfig['logoutwin_enable'] = isset($config['captiveportal']['logoutwin_enable']); +$pconfig['peruserbw'] = isset($config['captiveportal']['peruserbw']); +$pconfig['bwdefaultdn'] = $config['captiveportal']['bwdefaultdn']; +$pconfig['bwdefaultup'] = $config['captiveportal']['bwdefaultup']; $pconfig['nomacfilter'] = isset($config['captiveportal']['nomacfilter']); $pconfig['noconcurrentlogins'] = isset($config['captiveportal']['noconcurrentlogins']); $pconfig['redirurl'] = $config['captiveportal']['redirurl']; @@ -161,6 +164,9 @@ if ($_POST) { $config['captiveportal']['certificate'] = base64_encode($_POST['cert']); $config['captiveportal']['private-key'] = base64_encode($_POST['key']); $config['captiveportal']['logoutwin_enable'] = $_POST['logoutwin_enable'] ? true : false; + $config['captiveportal']['peruserbw'] = $_POST['peruserbw'] ? true : false; + $config['captiveportal']['bwdefaultdn'] = $_POST['bwdefaultdn']; + $config['captiveportal']['bwdefaultup'] = $_POST['bwdefaultup']; $config['captiveportal']['nomacfilter'] = $_POST['nomacfilter'] ? true : false; $config['captiveportal']['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false; $config['captiveportal']['redirurl'] = $_POST['redirurl']; 
@@ -218,6 +224,9 @@ function enable_change(enable_change) { document.iform.auth_method[0].disabled = endis; document.iform.auth_method[1].disabled = endis; document.iform.auth_method[2].disabled = endis; + document.iform.peruserbw.disabled = endis; + document.iform.bwdefaultdn.disabled = endis; + document.iform.bwdefaultup.disabled = endis; document.iform.radmac_enable.disabled = radius_endis; document.iform.radmac_format.disabled = radius_endis; document.iform.httpslogin_enable.disabled = endis; @@ -343,7 +352,24 @@ to access after they've authenticated. Disable MAC filtering
If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in. This is required when the MAC address of the client cannot be determined (usually because there are routers between m0n0wall and the clients). - + + + Per-user bandwidth restriction + + > + Enable per-user bandwidth restriction

+ + + + + + + + +
Default download"> Kbit/s
Default upload"> Kbit/s
+
+ If this option is set, the captive portal will restrict each user who logs in to the specified default bandwidth. RADIUS can override the default settings. Leave empty or set to 0 for no limit. You will need to enable the traffic shaper for this to be effective. + Authentication -- 2.25.1