* Added experimental version of DHCP-Splash for Kamikaze

* Added MAC-Address matching to luci_fw
* Added interface alias hack for Kamikaze
* ffluci.sys: Added several networking helper functions
* ffluci.http: Added function remote_addr
* Updated Haserl to 0.9.24

contrib/package/ffluci/Makefile

@@ -43,9 +43,11 @@ define Package/ffluci/install
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	
 	$(CP) $(PKG_BUILD_DIR)/core/dist/* $(1)/usr/lib/lua/ -R
 	$(CP) $(PKG_BUILD_DIR)/core/contrib/uci/* $(1)/etc/config/
+	$(CP) $(PKG_BUILD_DIR)/core/contrib/hotplug.d-20-aliases $(1)/etc/hotplug.d/iface -R
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/core/contrib/ffluci $(1)/www/cgi-bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/core/contrib/ffluci-upload $(1)/www/cgi-bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/core/contrib/index.cgi $(1)/www/cgi-bin

contrib/package/haserl-lua/Makefile

@@ -7,13 +7,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haserl-lua
-PKG_VERSION:=0.9.23
+PKG_VERSION:=0.9.24
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://dev.leipzig.freifunk.net/svn/ff-luci/trunk/contrib/package-source/ \
 	http://firmware.freifunk-halle.net/ffluci/package-source/
-PKG_MD5SUM:=f3a0f329904791c5662d93638f92bdfd
+PKG_MD5SUM:=b004005594b84e35839b1d5c330f8e03
 
 
 include $(INCLUDE_DIR)/package.mk

contrib/package/luci-splash/Makefile

@@ -0,0 +1,36 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-splash
+PKG_VERSION:=0.1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/luci-splash
+  SECTION:=admin
+  CATEGORY:=Administration
+  SUBMENU:=ffluci
+  DEPENDS:=+ffluci
+  TITLE:=FFLuCI DHCP-Splash
+endef
+
+define Package/luci-splash/install
+	$(INSTALL_DIR) $(1)/usr/lib/luci_splash/htdocs
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/init.d
+	
+	$(CP) -a ./src/luci_splash/* $(1)/usr/lib/luci_splash/ -R
+	$(INSTALL_BIN) ./src/luci_splash/sync.lua $(1)/usr/lib/luci_splash
+	$(INSTALL_BIN) ./src/luci_splash/htdocs/cgi-bin/index.cgi $(1)/usr/lib/luci_splash/htdocs/cgi-bin
+	
+	$(CP) -a ./src/luci_splash.init $(1)/etc/init.d/luci_splash
+	$(CP) -a ./src/luci_splash.uci $(1)/etc/config/luci_splash
+	$(CP) -a ./src/luci_splash_httpd.conf $(1)/etc/
+	
+	$(CP) -a ./ipkg/conffiles $(1)/CONTROL/conffiles
+endef
+
+$(eval $(call BuildPackage,luci-splash))

contrib/package/luci-splash/ipkg/conffiles

@@ -0,0 +1 @@
+/etc/config/luci_splash

contrib/package/luci-splash/src/luci_splash.init

@@ -0,0 +1,86 @@
+#!/bin/sh /etc/rc.common
+START=70
+
+iface_add() {
+	local cfg="$1"
+	
+	config_get net "$cfg" network
+	[ -n "$net" ] || return 0
+	
+	config_get iface "$net" ifname
+	[ -n "$iface" ] || return 0
+	iface="${iface%%:*}"
+	
+	config_get ipaddr "$net" ipaddr
+	[ -n "$ipaddr" ] || return 0
+	
+	config_get netmask "$net" netmask
+	[ -n "$netmask" ] || return 0
+	
+	eval "$(ipcalc.sh $ipaddr $netmask)"
+	
+	iptables -t nat -A luci_splash -i "$iface" -s "$IP/$PREFIX" -j luci_splash_portal	
+}
+
+blacklist_add() {
+	local cfg="$1"
+	
+	config_get mac "$cfg" mac
+	[ -n "$mac" ] && iptables -t nat -A luci_splash_portal -m mac --mac-source "$mac" -j REJECT
+}
+
+whitelist_add() {
+	local cfg="$1"
+	
+	config_get mac "$cfg" mac
+	[ -n "$mac" ] && iptables -t nat -A luci_splash_portal -m mac --mac-source "$mac" -j RETURN
+}
+
+start() {
+	### Read chains from config
+	include /lib/network
+	scan_interfaces
+	config_load luci_splash
+	
+	### Create subchains
+	iptables -t nat -N luci_splash
+	iptables -t nat -N luci_splash_portal
+	iptables -t nat -N luci_splash_leases
+	
+	### Build the main rule
+	config_foreach iface_add iface
+	
+	### Build the portal rule
+	config_foreach blacklist_add blacklist
+	config_foreach whitelist_add whitelist
+	iptables -t nat -A luci_splash_portal -j luci_splash_leases
+	
+	### Build the leases rule
+	iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
+	iptables -t nat -A luci_splash_leases -j REJECT
+	
+	### Start the splash httpd
+	httpd -c /etc/luci_splash_httpd.conf -p 8082 -h /usr/lib/luci_splash/htdocs
+	
+	### Sync leases
+	/usr/lib/luci_splash/sync.lua
+	
+	### Hook in the chain
+	iptables -t nat -A prerouting_rule -j luci_splash
+}
+
+stop() {
+	### Hook out the chain
+	iptables -t nat -D prerouting_rule -j luci_splash
+	
+	### Clear subchains
+	iptables -t nat -F luci_splash
+	iptables -t nat -F luci_splash_portal
+	iptables -t nat -F luci_splash_leases
+	
+	### Delete subchains
+	iptables -t nat -X luci_splash
+	iptables -t nat -X luci_splash_portal
+	iptables -t nat -X luci_splash_leases
+}
+

contrib/package/luci-splash/src/luci_splash.uci

@@ -0,0 +1,8 @@
+config iface
+	option	network	wldhcp
+	
+config whitelist
+	option mac	02:CA:FF:EE:BA:BE
+	
+config blacklist
+	option mac	03:CA:FF:EE:BA:BE

contrib/package/luci-splash/src/luci_splash/htdocs/cgi-bin/index.cgi

@@ -0,0 +1,49 @@
+#!/usr/bin/haserl --shell=luac
+dofile("/usr/lib/luci_splash")
+
+require("ffluci.template")
+
+function dispatch()
+	local mac = get_usermac()
+	if not mac then
+		return action_nodata()
+	end
+	
+	if isblacklisted(mac) then
+		return action_blocked()
+	end
+	
+	if iswhitelisted(mac) or haslease(mac) then
+		return action_allowed()
+	end
+
+	return action_splash(mac)
+end
+
+function action_splash(mac)
+	if ffluci.http.formvalue("activate") then
+		add_lease(mac)
+		ffluci.http.textheader()
+		print("Got splashed!")
+	else
+		ffluci.http.textheader()
+		print("Get splashed!")
+	end
+end
+
+function action_allowed()
+	ffluci.http.textheader()
+	print("Already allowed!")
+end
+
+function action_blocked()
+	ffluci.http.textheader()
+	print("Blocked!")
+end
+
+function action_nodata()
+	ffluci.http.textheader()
+	print("No data!")
+end
+
+dispatch()

contrib/package/luci-splash/src/luci_splash/htdocs/index.html

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="refresh" content="0; URL=/cgi-bin/index.cgi" />
+</head>
+<body style="background-color: black">
+<a style="color: white; text-decoration: none" href="/cgi-bin/index.cgi">FFLuCI - Freifunk Lua Configuration Interface</a>
+</body>
+</html>

contrib/package/luci-splash/src/luci_splash/splash.lua

@@ -0,0 +1,74 @@
+package.path  = "/usr/lib/lua/?.lua;/usr/lib/lua/?/init.lua;" .. package.path
+package.cpath = "/usr/lib/lua/?.so;" .. package.cpath
+
+require("ffluci.http")
+require("ffluci.sys")
+require("ffluci.model.uci")
+
+ucis = ffluci.model.uci.Session("/var/state")
+
+function add_lease(mac)
+	local key = ucis:add("luci_splash", "lease")
+	ucis:set("luci_splash", key, "mac", mac)
+	add_rule(mac)
+end
+
+function add_rule(mac)
+	return os.execute("iptables -t nat -I luci_splash_leases -m mac --source-mac '"..mac.."' -j RETURN")
+end
+
+function remove_rule(mac)
+	return os.execute("iptables -t nat -D luci_splash_leases -m mac --source-mac '"..mac.."' -j RETURN")
+end
+
+function get_usermac()
+	local ip  = ffluci.http.remote_addr()
+	local mac = nil
+	
+	for i, l in ipairs(ffluci.sys.net.arptable()) do
+		if l["IP address"] == ip then
+			mac = l["HW address"]
+		end
+	end
+	
+	return mac
+end
+
+function haslease(mac)
+	mac = mac:lower()
+	local list = ucis:show("luci_splash").luci_splash
+	
+	for k, v in pairs(list) do
+		if v[".type"] == "lease" and v.mac and v.mac:lower() == mac then
+			return true
+		end
+	end
+	
+	return false
+end
+
+function isblacklisted(mac)
+	mac = mac:lower()
+	local list = ucis:show("luci_splash").luci_splash
+	
+	for k, v in pairs(list) do
+		if v[".type"] == "blacklist" and v.mac and v.mac:lower() == mac then
+			return true
+		end
+	end
+	
+	return false
+end
+
+function iswhitelisted(mac)
+	mac = mac:lower()
+	local list = ucis:show("luci_splash").luci_splash
+	
+	for k, v in pairs(list) do
+		if v[".type"] == "whitelist" and v.mac and v.mac:lower() == mac then
+			return true
+		end
+	end
+	
+	return false
+end

contrib/package/luci-splash/src/luci_splash/sync.lua

@@ -0,0 +1,3 @@
+#!/usr/bin/haserl --shell=luac --accept-none
+dofile("splash.lua")
+

contrib/package/luci-splash/src/luci_splash_httpd.conf

@@ -0,0 +1 @@
+E404:/index.html

core/contrib/hotplug.d-20-aliases

@@ -0,0 +1,24 @@
+add_aliases() {
+        local config="$1"
+
+        config_get base "$INTERFACE" ifname
+        config_get iface "$config" ifname
+        config_get ipaddr "$config" ipaddr
+        config_get auto "$config" auto
+
+        [ "${iface%%:*}" == "$base" -a "$iface" != "$base" ] && {
+                case "$auto" in
+                        1|on|enabled) setup_interface "$iface" "$config";;
+                        *) return 1;;
+                esac
+        }
+}
+
+
+case "$ACTION" in
+        ifup)
+                include /lib/network
+                scan_interfaces
+                config_foreach "add_aliases" interface
+        ;;
+esac

core/src/ffluci/http.lua

@@ -59,6 +59,12 @@ function request_redirect(category, module, action, ...)
 end
 
 
+-- Returns the User's IP
+function remote_addr()
+	return ENV.REMOTE_ADDR
+end
+
+
 -- Returns the script name
 function script_name()
 	return ENV.SCRIPT_NAME

core/src/ffluci/sys.lua

@@ -115,18 +115,14 @@ group = {}
 group.getgroup = posix.getgroup
 
 net = {}
+-- Returns the ARP-Table
+function net.arptable()
+	return _parse_delimited_table(io.lines("/proc/net/arp"), "%s%s+")
+end
+
 -- Returns whether an IP-Adress belongs to a certain net
-function net.belongs(ip, net)
+function net.belongs(ip, net, prefix)
-	local netparts = ffluci.util.split(net, "/")
+	return (net.ip4bin(ip):sub(1, prefix) == net.ip4bin(net):sub(1, prefix))
-	
-	if #netparts ~= 2 then
-		return nil
-	end
-	
-	local binadr = net.ip4bin(ip)
-	local binnet = net.ip4bin(netparts[1])
-	
-	return (binadr:sub(1, netparts[2]) == binnet:sub(1, netparts[2]))
 end
 
 -- Returns all available network interfaces
@@ -138,6 +134,17 @@ function net.devices()
 	return devices
 end
 
+-- Returns the prefix to a given netmask
+function net.mask4prefix(mask)
+	local bin = net.ip4bin(mask)
+	
+	if not bin then
+		return nil
+	end
+	
+	return #ffluci.util.split(bin, "1")-1
+end
+
 -- Returns the kernel routing table
 function net.routes()
 	return _parse_delimited_table(io.lines("/proc/net/route"))
@@ -267,7 +274,7 @@ end
 -- Internal functions
 
 function _parse_delimited_table(iter, delimiter)
-	delimiter = delimiter or "\t+"
+	delimiter = delimiter or "%s+"
 	
 	local data  = {}
 	local trim  = ffluci.util.trim

module/admin-core/contrib/init.d/luci_fw

@@ -18,13 +18,13 @@ apply_portfw() {
 	ip=$(echo $to | cut -d: -f1)
 	
 	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
-		iptables -t nat -A luci_prerouting -i "$iface" -p tcp --dport "$dport" -j DNAT --to "$to"
+		iptables -t nat -A luci_fw_prerouting -i "$iface" -p tcp --dport "$dport" -j DNAT --to "$to"
-		iptables -A luci_forward -i "$iface" -p tcp -d "$ip" $ports -j ACCEPT
+		iptables -A luci_fw_forward -i "$iface" -p tcp -d "$ip" $ports -j ACCEPT
 	fi
 
 	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
-		iptables -t nat -A luci_prerouting -i "$iface" -p udp --dport "$dport" -j DNAT --to "$to"
+		iptables -t nat -A luci_fw_prerouting -i "$iface" -p udp --dport "$dport" -j DNAT --to "$to"
-		iptables -A luci_forward -i "$iface" -p udp -d "$ip" $ports -j ACCEPT
+		iptables -A luci_fw_forward -i "$iface" -p udp -d "$ip" $ports -j ACCEPT
 	fi
 }
 
@@ -34,11 +34,11 @@ apply_rule() {
 
 	config_get chain "$cfg" chain
 	[ -n "$chain" ] || return 0
-	[ "$chain" == "forward" ] && cmd="$cmd -A luci_forward"
+	[ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
-	[ "$chain" == "input" ] && cmd="$cmd -A luci_input"
+	[ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
-	[ "$chain" == "output" ] && cmd="$cmd -A luci_output"
+	[ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
-	[ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_prerouting"
+	[ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
-	[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_postrouting"
+	[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
 	
 	config_get iface "$cfg" iface
 	[ -n "$iface" ] && cmd="$cmd -i $iface"	
@@ -66,6 +66,9 @@ apply_rule() {
 
 	config_get tosrc "$cfg" tosrc
 	[ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"	
+	
+	config_get mac "$cfg" mac
+	[ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
 
 	config_get jump "$cfg" jump
 	[ -n "$jump" ] && cmd="$cmd -j $jump"	
@@ -78,18 +81,18 @@ apply_rule() {
 
 start() {
 	### Create subchains
-	iptables -N luci_input
+	iptables -N luci_fw_input
-	iptables -N luci_output
+	iptables -N luci_fw_output
-	iptables -N luci_forward
+	iptables -N luci_fw_forward
-	iptables -t nat -N luci_prerouting
+	iptables -t nat -N luci_fw_prerouting
-	iptables -t nat -N luci_postrouting
+	iptables -t nat -N luci_fw_postrouting
 	
 	### Hook in the chains
-	iptables -A input_rule -j luci_input
+	iptables -A input_rule -j luci_fw_input
-	iptables -A output_rule -j luci_output
+	iptables -A output_rule -j luci_fw_output
-	iptables -A forwarding_rule -j luci_forward
+	iptables -A forwarding_rule -j luci_fw_forward
-	iptables -t nat -A prerouting_rule -j luci_prerouting
+	iptables -t nat -A prerouting_rule -j luci_fw_prerouting
-	iptables -t nat -A postrouting_rule -j luci_postrouting
+	iptables -t nat -A postrouting_rule -j luci_fw_postrouting
 	
 	### Read chains from config
 	config_load luci_fw
@@ -99,23 +102,23 @@ start() {
 
 stop() {
 	### Hook out the chains
-	iptables -D input_rule -j luci_input
+	iptables -D input_rule -j luci_fw_input
-	iptables -D output_rule -j luci_output
+	iptables -D output_rule -j luci_fw_output
-	iptables -D forwarding_rule -j luci_forward
+	iptables -D forwarding_rule -j luci_fw_forward
-	iptables -t nat -D prerouting_rule -j luci_prerouting
+	iptables -t nat -D prerouting_rule -j luci_fw_prerouting
-	iptables -t nat -D postrouting_rule -j luci_postrouting	
+	iptables -t nat -D postrouting_rule -j luci_fw_postrouting	
 	
 	### Clear subchains
-	iptables -F luci_input
+	iptables -F luci_fw_input
-	iptables -F luci_output
+	iptables -F luci_fw_output
-	iptables -F luci_forward
+	iptables -F luci_fw_forward
-	iptables -t nat -F luci_prerouting
+	iptables -t nat -F luci_fw_prerouting
-	iptables -t nat -F luci_postrouting
+	iptables -t nat -F luci_fw_postrouting
 	
 	### Delete subchains
-	iptables -X luci_input
+	iptables -X luci_fw_input
-	iptables -X luci_output
+	iptables -X luci_fw_output
-	iptables -X luci_forward
+	iptables -X luci_fw_forward
-	iptables -t nat -X luci_prerouting
+	iptables -t nat -X luci_fw_prerouting
-	iptables -t nat -X luci_postrouting
+	iptables -t nat -X luci_fw_postrouting
 }

module/admin-core/src/controller/admin/uci.lua

@@ -14,7 +14,7 @@ function action_apply()
 		for i, line in ipairs(ffluci.util.split(changes)) do
 			local r = line:match("^-?([^.]+)")
 			if r then
-				apply[r] = true
+				table.insert(apply, ffluci.config.uci_oncommit[r])
 			end
 		end
 		
@@ -23,8 +23,7 @@ function action_apply()
 		
 		-- Search for post-commit commands
 		if ffluci.config.uci_oncommit then
-			for k, v in pairs(apply) do
+			for i, cmd in ipairs(apply) do
-				local cmd = ffluci.config.uci_oncommit[k]
 				if cmd then
 					output = output .. cmd .. ":" .. ffluci.sys.exec(cmd)
 				end

module/admin-core/src/model/cbi/admin_network/firewall.lua

@@ -24,6 +24,7 @@ proto:value("udp", "UDP")
 
 s:option(Value, "source", "Quelladresse").optional = true
 s:option(Value, "destination", "Zieladresse").optional = true
+s:option(Value, "mac", "MAC-Adresse").optional = true
 
 sport = s:option(Value, "sport", "Quellport")
 sport.optional = true