mirror of
https://github.com/Telecominfraproject/wlan-ap.git
synced 2025-10-29 01:22:25 +00:00
fbwifi: update to git HEAD
9febd0a fbwifi: close file handles 281e8fd fbwifi: allow HTTP/3 2306d44 fbwifi: quote variables in firewall includes c6557bc fbwifi: set webroot for redirect uhttpd instance ec76371 fbwifi: wait for xtables lock in firewall includes 7420154 fbwifi: handle duplicate arp entries cc31879 fbwifi: rework UCI state tracking 594a4e0 fbwifi: fix custom HTTP status codes e0d9cca fbwifi: fix CORS for info 4aa60db fbwifi: drop luci.sgi.cgi module from info 7b2cf4d README: editing feeds.conf.default should be avoided b1adf01 fbwifi: document how to enable/disable Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This commit is contained in:
Stijn Tintel
committed by
John Crispin
John Crispin
parent
d9b43c559a
commit
a6140a494c
@@ -6,6 +6,9 @@ Case studies for OEM customers are available at the official page of [Facebook W
|
||||
|
||||
For OEM engineers, start by reading the init script in [files/etc/init.d/fbwifi](https://github.com/facebookincubator/fbc_owrt_feed/blob/master/fbwifi/files/etc/init.d/fbwifi)
|
||||
|
||||
To enable Facebook Wi-Fi, configure the gateway_token in `/etc/config/fbwifi`, and run `fbwifi enable`.
|
||||
To disable Facebook Wi-Fi, run `fbwifi disable`.
|
||||
|
||||
## Contents
|
||||
|
||||
The 'files' subdirectory contains all the configuration, script and code
|
||||
|
||||
@@ -11,9 +11,7 @@ local log = require("posix.syslog")
|
||||
local uci = require("uci")
|
||||
|
||||
function fbwifi.gateway_token()
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
token = state:get("fbwifi", "main", "gateway_token")
|
||||
token = uci.get("fbwifi.main.gateway_token")
|
||||
if token and string.len(token) > 0 then
|
||||
return token
|
||||
else
|
||||
@@ -47,7 +45,7 @@ end
|
||||
|
||||
local mac_to_purge=''
|
||||
function remove_client_by_mac(client)
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
|
||||
for key, value in pairs(client) do
|
||||
if
|
||||
@@ -65,7 +63,7 @@ function fbwifi.instate_client_rule( token, client_mac )
|
||||
|
||||
log.syslog(log.LOG_INFO, "[fbwifi] Validating client "..client_mac)
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
state_name = "token_" .. token
|
||||
|
||||
RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
|
||||
@@ -93,8 +91,9 @@ function fbwifi.instate_client_rule( token, client_mac )
|
||||
log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
|
||||
end
|
||||
log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
|
||||
|
||||
|
||||
state:save('fbwifi')
|
||||
state:commit('fbwifi')
|
||||
end
|
||||
|
||||
function fbwifi.revoke_client_rule( token )
|
||||
@@ -106,7 +105,7 @@ function fbwifi.revoke_client_rule( token )
|
||||
|
||||
log.syslog(log.LOG_INFO, string.format( "[fbwifi] Invalidating token (%s)", token) )
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
state_name = "token_" .. token
|
||||
|
||||
client_mac = state:get("fbwifi", state_name, "mac")
|
||||
@@ -127,6 +126,7 @@ function fbwifi.revoke_client_rule( token )
|
||||
|
||||
state:delete("fbwifi", state_name)
|
||||
state:save('fbwifi')
|
||||
state:commit('fbwifi')
|
||||
else
|
||||
log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Client MAC not found in DB (%s)", state_name ) )
|
||||
end
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
<h1>Facebook Wi-Fi</h1>
|
||||
<%
|
||||
require("uci")
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
url = state:get("fbwifi", "main", "captive_portal_config_url")
|
||||
%>
|
||||
<a href="<% print(url) %>">Configure FB business page</a>
|
||||
|
||||
@@ -26,6 +26,7 @@ enable)
|
||||
uci set uhttpd.fbwifi_redirect=uhttpd
|
||||
uci set uhttpd.fbwifi_redirect.enabled=1
|
||||
uci set uhttpd.fbwifi_redirect.cert='/tmp/fbwifi/https_server_cert'
|
||||
uci set uhttpd.fbwifi_redirect.home='/dev/null'
|
||||
uci set uhttpd.fbwifi_redirect.json_script='/tmp/fbwifi/uhttpd-redirect.json'
|
||||
uci set uhttpd.fbwifi_redirect.key='/tmp/fbwifi/https_server_key'
|
||||
uci set uhttpd.fbwifi_redirect.listen_http='0.0.0.0:2060'
|
||||
@@ -39,7 +40,7 @@ enable)
|
||||
reload)
|
||||
/usr/sbin/fbwifi_get_config
|
||||
|
||||
login_url=$(uci -p /var/state get fbwifi.main.captive_portal_url)
|
||||
login_url=$(uci -c /var/state get fbwifi.main.captive_portal_url)
|
||||
[ -z "$login_url" ] && {
|
||||
logger -t fbwifi "captive_portal_url not available yet"
|
||||
exit 1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
echo -e "Runtime configuration and token DB\n"
|
||||
uci -p /var/state export fbwifi
|
||||
uci -c /var/state export fbwifi
|
||||
|
||||
echo -e "\nDynamic firewall flow rules\n"
|
||||
iptables -t mangle -L FBWIFI_CLIENT_TO_INTERNET
|
||||
|
||||
@@ -8,7 +8,7 @@ require("uci")
|
||||
fbwifi = require("fbwifi")
|
||||
|
||||
GATEWAY_TOKEN = fbwifi.gateway_token()
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
|
||||
payload="name="..socket.dns.gethostname()
|
||||
|
||||
@@ -19,6 +19,7 @@ function queue_ssid_update(iface)
|
||||
for line in file:lines() do
|
||||
payload=payload.."&bssid[]="..line
|
||||
end
|
||||
file:close()
|
||||
payload=payload.."ssid[]="..iface["ssid"]
|
||||
else
|
||||
log.syslog(log.LOG_WARNING, "[fbwifi] Failed to find BSSID for interface br-"..iface["network"])
|
||||
|
||||
@@ -10,7 +10,10 @@ GATEWAY_TOKEN = fbwifi.gateway_token()
|
||||
http_port = uci.get("fbwifi.main.http_port")
|
||||
https_port = uci.get("fbwifi.main.https_port")
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
statefile = assert(io.open("/var/state/fbwifi", "a"), "could not create state file")
|
||||
statefile:close()
|
||||
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
|
||||
URL="https://api.fbwifi.com/v2.0/gateway"
|
||||
body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN.."&fields=config,config_version")
|
||||
@@ -100,7 +103,9 @@ result = os.execute("iptables -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST ")
|
||||
table.foreach(obj['config']['traffic_allowlist'], process_traffic_rule)
|
||||
table.foreach(obj['config']['cross_origin_allowlist'], process_cross_origin_rule)
|
||||
table.foreach(obj['config']['urls'], process_url)
|
||||
state:set("fbwifi", "main", "cross_origin_allow_rules", cross_origin_list)
|
||||
|
||||
state:set("fbwifi", "main", "cross_origin_allow_rules", cross_origin_list)
|
||||
state:set("fbwifi", "main", "config_version", obj['config_version'])
|
||||
|
||||
state:save('fbwifi')
|
||||
state:commit('fbwifi')
|
||||
|
||||
@@ -6,7 +6,7 @@ log = require("posix.syslog")
|
||||
fbwifi = require("fbwifi")
|
||||
require("uci")
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
GATEWAY_TOKEN = fbwifi.gateway_token()
|
||||
|
||||
request = {
|
||||
|
||||
@@ -5,6 +5,8 @@
|
||||
|
||||
IPT4="/usr/sbin/iptables"
|
||||
|
||||
set -- --wait 1 --wait-interval 100
|
||||
|
||||
fbwifi_http_port="$(uci get fbwifi.main.http_port)"
|
||||
[ -n "$fbwifi_http_port" ] || {
|
||||
logger -t fbwifi "required option http_port not set"
|
||||
@@ -26,46 +28,48 @@ fbwifi_zone="$(uci get fbwifi.main.zone)"
|
||||
fbwifi_ifaces="$(fw3 -q zone "$fbwifi_zone")"
|
||||
|
||||
## Create custom chains
|
||||
$IPT4 -t filter -N FBWIFI_FORWARD 2>/dev/null
|
||||
$IPT4 -t filter -N FBWIFI_INPUT 2>/dev/null
|
||||
$IPT4 -t mangle -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
|
||||
$IPT4 -t mangle -N FBWIFI_PREROUTING 2>/dev/null
|
||||
$IPT4 -t mangle -N FBWIFI_TRAFFIC_ALLOWLIST 2>/dev/null
|
||||
$IPT4 -t nat -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
|
||||
$IPT4 -t nat -N FBWIFI_PREROUTING 2>/dev/null
|
||||
$IPT4 -t nat -N FBWIFI_HOST_REDIRLIST 2>/dev/null
|
||||
"$IPT4" "$@" -t filter -N FBWIFI_FORWARD 2>/dev/null
|
||||
"$IPT4" "$@" -t filter -N FBWIFI_INPUT 2>/dev/null
|
||||
"$IPT4" "$@" -t mangle -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
|
||||
"$IPT4" "$@" -t mangle -N FBWIFI_PREROUTING 2>/dev/null
|
||||
"$IPT4" "$@" -t mangle -N FBWIFI_TRAFFIC_ALLOWLIST 2>/dev/null
|
||||
"$IPT4" "$@" -t nat -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
|
||||
"$IPT4" "$@" -t nat -N FBWIFI_PREROUTING 2>/dev/null
|
||||
"$IPT4" "$@" -t nat -N FBWIFI_HOST_REDIRLIST 2>/dev/null
|
||||
|
||||
## Flush custom chains
|
||||
$IPT4 -t filter -F FBWIFI_FORWARD
|
||||
$IPT4 -t filter -F FBWIFI_INPUT
|
||||
$IPT4 -t mangle -F FBWIFI_CLIENT_TO_INTERNET
|
||||
$IPT4 -t mangle -F FBWIFI_PREROUTING
|
||||
$IPT4 -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST
|
||||
$IPT4 -t nat -F FBWIFI_CLIENT_TO_INTERNET
|
||||
$IPT4 -t nat -F FBWIFI_PREROUTING
|
||||
$IPT4 -t nat -F FBWIFI_HOST_REDIRLIST
|
||||
"$IPT4" "$@" -t filter -F FBWIFI_FORWARD
|
||||
"$IPT4" "$@" -t filter -F FBWIFI_INPUT
|
||||
"$IPT4" "$@" -t mangle -F FBWIFI_CLIENT_TO_INTERNET
|
||||
"$IPT4" "$@" -t mangle -F FBWIFI_PREROUTING
|
||||
"$IPT4" "$@" -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST
|
||||
"$IPT4" "$@" -t nat -F FBWIFI_CLIENT_TO_INTERNET
|
||||
"$IPT4" "$@" -t nat -F FBWIFI_PREROUTING
|
||||
"$IPT4" "$@" -t nat -F FBWIFI_HOST_REDIRLIST
|
||||
|
||||
## Populate custom chains
|
||||
$IPT4 -t filter -A FBWIFI_FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$IPT4 -t filter -A FBWIFI_FORWARD -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
$IPT4 -t filter -A FBWIFI_FORWARD -j REJECT
|
||||
$IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_http_port" -m conntrack --ctstate NEW -j ACCEPT
|
||||
$IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_https_port" -m conntrack --ctstate NEW -j ACCEPT
|
||||
$IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
$IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
|
||||
$IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_TRAFFIC_ALLOWLIST
|
||||
$IPT4 -t nat -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
|
||||
$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
|
||||
$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
|
||||
$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports "$fbwifi_http_port"
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_FORWARD -j REJECT
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_http_port" -m conntrack --ctstate NEW -j ACCEPT
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_https_port" -m conntrack --ctstate NEW -j ACCEPT
|
||||
"$IPT4" "$@" -t filter -A FBWIFI_INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
"$IPT4" "$@" -t mangle -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
|
||||
"$IPT4" "$@" -t mangle -A FBWIFI_PREROUTING -j FBWIFI_TRAFFIC_ALLOWLIST
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p udp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p udp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
|
||||
"$IPT4" "$@" -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports "$fbwifi_http_port"
|
||||
|
||||
## Hook custom chains in firewall3 chains
|
||||
$IPT4 -t filter -I "zone_${fbwifi_zone}_input" 2 -j FBWIFI_INPUT
|
||||
$IPT4 -t filter -I "zone_${fbwifi_zone}_forward" 2 -j FBWIFI_FORWARD
|
||||
$IPT4 -t nat -I "zone_${fbwifi_zone}_prerouting" 2 -j FBWIFI_PREROUTING
|
||||
"$IPT4" "$@" -t filter -I "zone_${fbwifi_zone}_input" 2 -j FBWIFI_INPUT
|
||||
"$IPT4" "$@" -t filter -I "zone_${fbwifi_zone}_forward" 2 -j FBWIFI_FORWARD
|
||||
"$IPT4" "$@" -t nat -I "zone_${fbwifi_zone}_prerouting" 2 -j FBWIFI_PREROUTING
|
||||
# There are no firewall3 zone chains in the mangle table so we need to do this for all interfaces in the zone
|
||||
for iface in $fbwifi_ifaces; do
|
||||
$IPT4 -t mangle -I PREROUTING -i "$iface" -j FBWIFI_PREROUTING
|
||||
"$IPT4" "$@" -t mangle -I PREROUTING -i "$iface" -j FBWIFI_PREROUTING
|
||||
done
|
||||
|
||||
@@ -3,7 +3,7 @@ require("uci")
|
||||
log = require("posix.syslog")
|
||||
fbwifi = require("fbwifi")
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
function process_cors()
|
||||
origin = os.getenv("HTTP_ORIGIN")
|
||||
log.syslog(log.LOG_INFO, string.format("[fbwifi] [auth] process_cors origin %s", origin or 'not found') )
|
||||
@@ -25,7 +25,7 @@ end
|
||||
method = os.getenv("REQUEST_METHOD")
|
||||
if method == 'GET' then
|
||||
log.syslog(log.LOG_INFO, "[fbwifi] [auth] GET handler")
|
||||
print("Status: 302")
|
||||
print("Status: 302 Found")
|
||||
print("Location: "..state:get("fbwifi", "main", "landing_page_url"))
|
||||
process_cors()
|
||||
print ('\n')
|
||||
@@ -35,7 +35,7 @@ elseif method == 'POST' then
|
||||
|
||||
log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler")
|
||||
process_cors()
|
||||
print("Status: 200")
|
||||
print("Status: 200 OK")
|
||||
|
||||
form_data=io.read()
|
||||
while form_data do
|
||||
@@ -43,8 +43,9 @@ elseif method == 'POST' then
|
||||
if string.len(token or '') > 14 then
|
||||
|
||||
client = os.getenv("REMOTE_ADDR")
|
||||
f = io.popen("awk '/"..client.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
f = io.popen("awk '/"..client..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
client_mac = assert(f:read('*a'))
|
||||
f:close()
|
||||
|
||||
if fbwifi.validate_token(token) then
|
||||
log.syslog(log.LOG_INFO, string.format( "[fbwifi] [auth] POST handler : Validating Token (%s) for MAC (%s)", token or 'nil', client_mac or 'nil') )
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
json = require("cjson")
|
||||
require("uci")
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
client_mac = ""
|
||||
token = ""
|
||||
|
||||
@@ -22,8 +22,9 @@ function map_remote_mac_to_token(client)
|
||||
end
|
||||
|
||||
function hasValidToken(client_ip)
|
||||
f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
f = io.popen("awk '/"..client_ip..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
client_mac = assert(f:read('*a'))
|
||||
f:close()
|
||||
state:foreach("fbwifi", "client", map_remote_mac_to_token)
|
||||
|
||||
return 0 < string.len(token)
|
||||
|
||||
@@ -1,10 +1,8 @@
|
||||
#!/usr/bin/lua
|
||||
require "luci.cacheloader"
|
||||
require "luci.sgi.cgi"
|
||||
json = require("cjson")
|
||||
fbwifi = require("fbwifi")
|
||||
|
||||
state = uci.cursor(nil, "/var/state")
|
||||
state = uci.cursor("/var/state", "/tmp/fbwifi")
|
||||
GATEWAY_TOKEN = fbwifi.gateway_token()
|
||||
|
||||
response = { api_version = "2.0", token = json.null }
|
||||
@@ -38,8 +36,9 @@ function map_remote_mac_to_token(client)
|
||||
end
|
||||
|
||||
function getClientToken(client_ip)
|
||||
f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
f = io.popen("awk '/"..client_ip..".*0x2/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
|
||||
client_mac = assert(f:read('*a'))
|
||||
f:close()
|
||||
|
||||
state:foreach("fbwifi", "client", map_remote_mac_to_token)
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user