facebook-wifi: add support for this feature

Signed-off-by: John Crispin <john@phrozen.org>

feeds/facebook/fbwifi/Makefile

@@ -0,0 +1,56 @@
+# Copyright (c) Facebook, Inc. and its affiliates.
+# All rights reserved.
+#
+# This source code is licensed under the license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fbwifi
+PKG_VERSION:=2
+PKG_RELEASE:=0
+PKG_LICENSE:=GPL-2.0
+
+PKG_MAINTAINER:=Simon Kinane <skinane@fb.com>
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fbwifi
+  SUBMENU:=Captive Portals
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+iptables +luasec +luasocket \
+	+luci-base +libuci-lua +luaposix \
+	+luci-mod-network +luci-mod-status +luci-theme-bootstrap \
+	+lua-cjson +uhttpd
+  TITLE:=Facebook Wi-Fi
+  PKGARCH:=all
+endef
+
+define Package/fbwifi/description
+  Facebook Wi-Fi, an AP authorisation solution
+endef
+
+define Package/fbwifi/conffiles
+/etc/config/fbwifi
+endef
+
+define Build/Prepare
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/fbwifi/install
+	$(INSTALL_DIR) $(1)
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fbwifi))

feeds/facebook/fbwifi/README.md

@@ -0,0 +1,55 @@
+# Facebook Wi-Fi v2.0 Reference Implementation for OpenWrt 
+
+## Getting started
+
+Case studies for OEM customers are available at the official page of [Facebook Wi-Fi](https://www.facebook.com/facebook-wifi).
+
+For OEM engineers, start by reading the init script in [files/etc/init.d/fbwifi](https://github.com/facebookincubator/fbc_owrt_feed/blob/master/fbwifi/files/etc/init.d/fbwifi)
+
+## Contents
+
+The 'files' subdirectory contains all the configuration, script and code 
+that implements the Facebook Wi-Fi v2.0 standard for OpenWrt.
+
+The folder structure follows *nix conventions :
+- 'etc' is the boot time scripts and configuration
+- 'usr' contains procedural scripts, lua common code module and GUI prototype for luci
+- 'www' contains the HTTP endpoints as CGI handlers 
+
+```
+files/
+├── etc
+│   ├── config
+│   │   └── fbwifi
+│   ├── hotplug.d
+│   │   └── iface
+│   │       └── 50-fbwifi
+│   ├── init.d
+│   │   └── fbwifi
+│   └── uci-defaults
+│       └── fbwifi
+├── usr
+│   ├── lib
+│   │   └── lua
+│   │       ├── fbwifi.lua
+│   │       └── luci
+│   │           ├── controller
+│   │           │   └── fbwifi.lua
+│   │           └── view
+│   │               └── fbwifi.htm
+│   ├── sbin
+│   │   ├── fbwifi_debug_dump
+│   │   ├── fbwifi_gateway_info_update
+│   │   ├── fbwifi_get_config
+│   │   └── fbwifi_validate_token_db
+│   └── share
+│       ├── firewall.include
+│       └── uhttpd.include
+└── www
+    └── cgi-bin
+        └── fbwifi
+            └── v2.0
+                ├── auth
+                ├── capport
+                └── info
+```

feeds/facebook/fbwifi/files/etc/config/fbwifi

@@ -0,0 +1,6 @@
+config fbwifi 'main'
+	option enabled '0'
+	option gateway_token 'FBWIFI:GATEWAY|123456789|0123456789|abcdeABCDE123456789'
+	option http_port '2060'
+	option https_port '2061'
+	option zone 'lan'

feeds/facebook/fbwifi/files/etc/hotplug.d/iface/50-fbwifi

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup ] || exit 0
+
+/etc/init.d/fbwifi enabled || exit 0
+
+ip route get fibmatch 1.1.1.1 | grep -q "$DEVICE" || exit 0
+
+logger -t fbwifi "Reloading fbwifi due to $ACTION of $INTERFACE ($DEVICE)"
+/etc/init.d/fbwifi restart

feeds/facebook/fbwifi/files/etc/init.d/fbwifi

@@ -0,0 +1,43 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+
+USE_PROCD=1
+
+service_triggers() {
+	procd_add_reload_trigger fbwifi
+}
+
+reload_service() {
+	restart
+}
+
+start_service() {
+	config_load fbwifi
+	config_get_bool enabled 'main' 'enabled' '0'
+	[ "$enabled" -eq 0 ] && return
+
+
+	config_get http_port main http_port
+	[ -z "$http_port" ] && {
+		logger -t fbwifi "required option http_port not set"
+		exit 1
+	}
+
+	config_get https_port main https_port
+	[ -z "$https_port" ] && {
+		logger -t fbwifi "required option https_port not set"
+		exit 1
+	}
+
+	logger "[fbwifi] Enabled; starting"
+
+	mkdir -p /tmp/fbwifi
+	
+	fbwifi reload
+
+	procd_open_instance
+	procd_set_param command /usr/sbin/fbwifi_validate_token_db
+	procd_set_param respawn 1 300 0
+	procd_close_instance
+}

feeds/facebook/fbwifi/files/usr/lib/lua/fbwifi.lua

@@ -0,0 +1,153 @@
+-- FBWIFI Lua library
+-- function table
+local fbwifi = {}
+
+local http = require("ssl.https")
+local json = require("cjson")
+local log = require("posix.syslog")
+local uci = require("uci")
+
+function fbwifi.gateway_token()
+
+	state = uci.cursor(nil, "/var/state")
+	token = state:get("fbwifi", "main", "gateway_token")
+	if token and string.len(token) > 0 then
+		return token
+	else
+		log.syslog( log.LOG_WARNING, "[fbwifi] UCI option fbwifi.main.gateway_token is missing" )
+		return nil
+	end 
+end
+
+function fbwifi.validate_token( token )
+
+	local valid = false
+
+	if string.len(token or '' ) > 0 then
+
+	        GATEWAY_TOKEN = fbwifi.gateway_token()
+
+	        URL="https://api.fbwifi.com/v2.0/token"
+	        BODY="token="..token
+	        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
+
+	        if code==200 then
+	                valid = true
+	        else
+	                log.syslog(log.LOG_WARNING, "[fbwifi] validate_token:"..body)
+	        end
+
+	end
+
+	return valid
+end
+
+local mac_to_purge=''
+function remove_client_by_mac(client)
+	state = uci.cursor(nil, "/var/state")
+
+	for key, value in pairs(client) do
+		if
+			key == 'mac' and
+			value == mac_to_purge
+		then
+			log.syslog(log.LOG_INFO, string.format("[fbwifi] Purging DB entry %s for MAC %s", client['.name'] or 'unknown', mac_to_purge) )
+			state:delete("fbwifi", client['.name'])
+			return
+		end
+	end
+end
+
+function fbwifi.instate_client_rule( token, client_mac )
+
+	log.syslog(log.LOG_INFO, "[fbwifi] Validating client "..client_mac)
+
+	state = uci.cursor(nil, "/var/state")
+	state_name = "token_" .. token
+
+	RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
+	RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
+	local RULE
+
+	log.syslog(log.LOG_INFO, string.format("[fbwifi] Cleaning DB for MAC %s", client_mac) )
+	mac_to_purge = client_mac
+	state:foreach("fbwifi", "client", remove_client_by_mac)
+	
+		
+	log.syslog(log.LOG_INFO, string.format("[fbwifi] Adding DB entry %s for MAC %s", state_name, client_mac) )
+	state:set("fbwifi", state_name, "client")
+	state:set("fbwifi", state_name, "token", token)
+	state:set("fbwifi", state_name, "mac", client_mac)
+	state:set("fbwifi", state_name, "authenticated", "true")
+				
+	-- verify a rule exists for the given client MAC, 
+	--   OR install it
+	RULE=string.format(RULE_COND.." || "..RULE_FMT, client_mac, "A", client_mac)
+
+	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Opening iptables for %s", client_mac ) )
+	res = os.execute(RULE)
+	if res ~= 0 then 
+		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
+	end
+	log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
+	
+	state:save('fbwifi')
+end
+
+function fbwifi.revoke_client_rule( token )
+        
+        if (token == nil) then
+                log.syslog(log.LOG_INFO, "[fbwifi] Invalidating token, but token is Nil")
+                return
+        end
+
+	log.syslog(log.LOG_INFO, string.format( "[fbwifi] Invalidating token (%s)", token) )
+
+	state = uci.cursor(nil, "/var/state")
+	state_name = "token_" .. token
+	
+	client_mac = state:get("fbwifi", state_name, "mac")
+
+	if client_mac then
+		RULE_COND="iptables -w -L FBWIFI_CLIENT_TO_INTERNET -t mangle | grep -i -q \"%s\""
+		RULE_FMT="iptables -w -t mangle -%s FBWIFI_CLIENT_TO_INTERNET -m mac --mac-source \"%s\" -j MARK --set-mark 0xfb"
+
+		-- verify a rule exists for the given client MAC, 
+		--  AND delete it
+		RULE=string.format(RULE_COND.." && "..RULE_FMT, client_mac, "D", client_mac)
+
+		res = os.execute(RULE)
+		if res ~= 0 then 
+			log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Failed to update iptables (%s)", res ) )
+		end
+		log.syslog(log.LOG_INFO, "[fbwifi] "..RULE)
+
+		state:delete("fbwifi", state_name)
+		state:save('fbwifi')
+	else
+		log.syslog(log.LOG_WARNING, string.format( "[fbwifi] Client MAC not found in DB (%s)", state_name ) )
+	end
+end
+
+function fbwifi.reset()
+
+	local success = false
+        GATEWAY_TOKEN = fbwifi.gateway_token()
+        URL="https://api.fbwifi.com/v2.0/gateway/reset"
+	BODY="{}"
+        body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
+
+        if code==200 then
+                log.syslog(log.LOG_INFO, "[fbwifi] Reset committed")
+                success = true
+        else
+                log.syslog(log.LOG_WARNING, "[fbwifi] Reset failed : "..body)
+        end
+
+	return success
+end
+
+--
+-- Return the function table to the host script
+--
+return fbwifi

feeds/facebook/fbwifi/files/usr/lib/lua/luci/controller/fbwifi.lua

@@ -0,0 +1,12 @@
+-- Copyright 
+-- Licensed to the public under the GNU General Public License v2.
+
+module("luci.controller.fbwifi", package.seeall)
+
+sys = require "luci.sys"
+ut = require "luci.util"
+
+function index()
+    entry({"admin", "network", "fbwifi"}, template("fbwifi"), "Facebook Wi-Fi", 90).dependent=false
+end
+

feeds/facebook/fbwifi/files/usr/lib/lua/luci/view/fbwifi.htm

@@ -0,0 +1,16 @@
+<%#
+ Copyright
+ Licensed to the public under the GNU General Public License v2.
+-%>
+
+<%+header%>
+
+<h1>Facebook Wi-Fi</h1>
+<%
+	require("uci")
+	state = uci.cursor(nil, "/var/state")
+	url = state:get("fbwifi", "main", "captive_portal_config_url")
+%>
+<a href="<% print(url) %>">Configure FB business page</a>
+
+<%+footer%>

feeds/facebook/fbwifi/files/usr/sbin/fbwifi

@@ -0,0 +1,60 @@
+#!/bin/sh
+
+case "$1" in
+enable)
+	uci set fbwifi.main.enabled=1
+	
+	uci set uhttpd.main.cert='/tmp/fbwifi/https_server_cert'
+	uci set uhttpd.main.key='/tmp/fbwifi/https_server_key'
+	uci set uhttpd.main.json_script='/usr/share/fbwifi/uhttpd.json'
+	uci set uhttpd.main.rfc1918_filter=0
+	
+	uci set firewall.fbwifi=include
+	uci set firewall.fbwifi.enabled=1
+	uci set firewall.fbwifi.family=ipv4
+	uci set firewall.fbwifi.path=/usr/share/fbwifi/firewall.include
+	uci set firewall.fbwifi.reload=1
+	uci set firewall.fbwifi.type=script
+
+	uci set uhttpd.fbwifi_redirect=uhttpd
+	uci set uhttpd.fbwifi_redirect.enabled=1
+	uci set uhttpd.fbwifi_redirect.listen_http='0.0.0.0:2060'
+	uci set uhttpd.fbwifi_redirect.listen_https='0.0.0.0:2061'
+	uci set uhttpd.fbwifi_redirect.cert='/tmp/fbwifi/https_server_cert'
+	uci set uhttpd.fbwifi_redirect.key='/tmp/fbwifi/https_server_key'
+	uci set uhttpd.fbwifi_redirect.json_script='/tmp/fbwifi/uhttpd-redirect.json'
+	
+	uci add_list dhcp.@dnsmasq[0].rebind_domain=fbwifigateway.net
+	;;
+
+disable)
+	uci set fbwifi.main.enabled=0
+	
+	uci delete uhttpd.main.cert
+	uci delete uhttpd.main.key
+	uci delete uhttpd.main.json_script
+	uci delete uhttpd.main.rfc1918_filter
+	
+	uci delete firewall.fbwifi
+
+	uci delete uhttpd.fbwifi_redirect
+
+	uci delete dhcp.@dnsmasq[0].rebind_domain
+	;;
+
+reload)
+	/usr/sbin/fbwifi_get_config
+	login_url=$(uci -p /var/state get fbwifi.main.captive_portal_url)
+	[ -z "$login_url" ] && {
+		logger -t fbwifi "captive_portal_url not available yet"
+		exit 1
+	}
+	printf '{ "request": [ ["redirect", "%s", 302] ] }' "$login_url" > /tmp/fbwifi/uhttpd-redirect.json
+	/etc/init.d/uhttpd restart
+	exit 0
+	;;
+esac
+
+uci commit
+/etc/init.d/uhttpd restart
+reload_config

feeds/facebook/fbwifi/files/usr/sbin/fbwifi_debug_dump

@@ -0,0 +1,8 @@
+echo -e "Runtime configuration and token DB\n"
+uci -p /var/state export fbwifi
+
+echo -e "\nDynamic firewall flow rules\n"
+iptables -t mangle -L FBWIFI_CLIENT_TO_INTERNET
+
+echo -e "\nDHCP leases\n"
+cat /tmp/dhcp.leases

feeds/facebook/fbwifi/files/usr/sbin/fbwifi_gateway_info_update

@@ -0,0 +1,38 @@
+#!/usr/bin/lua
+
+http = require("ssl.https")
+json = require("cjson")
+log = require("posix.syslog")
+socket = require("socket")
+require("uci")
+fbwifi = require("fbwifi")
+
+GATEWAY_TOKEN = fbwifi.gateway_token()
+state = uci.cursor(nil, "/var/state")
+
+payload="name="..socket.dns.gethostname()
+
+function queue_ssid_update(iface)
+	bssid_file="/sys/class/net/br-"..iface["network"].."/address"
+	local file = io.open(bssid_file)
+        if file then
+            for line in file:lines() do
+		payload=payload.."&bssid[]="..line
+            end
+	    payload=payload.."ssid[]="..iface["ssid"]
+        else
+	    log.syslog(log.LOG_WARNING, "[fbwifi] Failed to find BSSID for interface br-"..iface["network"])
+        end
+end
+
+state:foreach("wireless", "wifi-iface", queue_ssid_update)
+
+URL="https://api.fbwifi.com/v2.0/gateway"
+body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN, payload)
+if code == 200 then 
+	log.syslog(log.LOG_INFO, "[fbwifi] gateway information updated "..body)
+	os.exit(0)
+else
+	log.syslog(log.LOG_WARNING, "[fbwifi] gateway API failed "..body)
+	os.exit(code)
+end

feeds/facebook/fbwifi/files/usr/sbin/fbwifi_get_config

@@ -0,0 +1,106 @@
+#!/usr/bin/lua
+http = require("ssl.https")
+json = require("cjson")
+require("uci")
+log = require("posix.syslog")
+fbwifi = require("fbwifi")
+
+GATEWAY_TOKEN = fbwifi.gateway_token()
+
+http_port = uci.get("fbwifi.main.http_port")
+https_port = uci.get("fbwifi.main.https_port")
+
+state = uci.cursor(nil, "/var/state")
+
+URL="https://api.fbwifi.com/v2.0/gateway"
+body, code, headers = http.request(URL.."?access_token="..GATEWAY_TOKEN.."&fields=config,config_version")
+
+if code == 200 then
+	log.syslog(log.LOG_INFO, "[fbwifi] Got gateway config ("..code..")")
+else
+	log.syslog(log.LOG_CRIT, "[fbwifi] Failed to get gateway config ("..code..")")
+	os.exit(1)
+end
+
+obj = json.decode(body)
+
+function save_cert(name, value)
+	log.syslog(log.LOG_INFO, "[fbwifi] Saving cert "..name)
+	local f = assert(io.open("/tmp/fbwifi/"..name, "w"))
+	f:write(value)
+	f:close()
+end
+
+function process_redirect(ix, host)
+	IP_SET = "ip addr replace dev lo "..host
+	local result = os.execute(IP_SET)
+	if result == 0 then
+		log.syslog(log.LOG_INFO, "[fbwifi] Redirect address applied "..host)
+	else
+		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to apply redirect address "..host)
+	end
+
+	ip = string.match(host, '([0-9\.]*)/([0-9]*)')
+	RULE_FMT="grep -q \"%s\" /etc/hosts || echo \"%s\tstar.fbwifigateway.net\" >> /etc/hosts"
+	HOSTS_RULE = string.format(RULE_FMT, ip, ip)
+	result = os.execute(HOSTS_RULE)
+	if result == 0 then
+		log.syslog(log.LOG_INFO, "[fbwifi] Cached redirect host for DNS")
+	else
+		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to amend /etc/hosts")
+		log.syslog(log.LOG_INFO, "[fbwifi] "..HOSTS_RULE)
+	end
+
+	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 80 -d "..ip.." -j ACCEPT # REDIRECT --to-ports "..http_port)
+	--print(result)
+	result = os.execute("iptables -t nat -A FBWIFI_HOST_REDIRLIST -p tcp --dport 443 -d "..ip.."  -j ACCEPT # REDIRECT --to-ports "..https_port)
+	--print(result)
+end
+
+save_cert("https_server_cert", obj['config']['https_server_cert'])
+save_cert("https_server_key", obj['config']['https_server_key'])
+
+result = os.execute("iptables -t nat -F FBWIFI_HOST_REDIRLIST")
+--print(result)
+table.foreach(obj['config']['host_redirect_ips'], process_redirect)
+
+RULE_FORMAT = "iptables -t mangle -A FBWIFI_TRAFFIC_ALLOWLIST -d %s -p %s --dport %s -j MARK --set-mark 0xfb"
+function process_traffic_rule(ix, rule)
+	log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
+	
+	if rule["protocol"] == 6 then
+		PROTO = "tcp"
+	elseif rule["protocol"] == 17 then
+		PROTO = "udp"
+	end
+	RULE = string.format(RULE_FORMAT, rule["ip"], PROTO, rule["port"])
+	local result = os.execute(RULE)
+	if result == 0 then
+		log.syslog(log.LOG_INFO, "[fbwifi] Traffic rule "..ix)
+	else
+		log.syslog(log.LOG_WARNING, "[fbwifi] Failed to install traffic rule ; "..RULE)
+	end
+end
+
+local cross_origin_list = {}
+function process_cross_origin_rule(ix, url)
+	log.syslog(log.LOG_INFO, "[fbwifi] Cross origin rule "..url)
+	table.insert(cross_origin_list, url)
+end
+
+function process_url(url_purpose, fqdn)
+	log.syslog(log.LOG_INFO, "[fbwifi] Caching "..url_purpose)
+	state:set("fbwifi", "main", url_purpose, fqdn)	
+end
+
+state:set("fbwifi", "main", "config")
+
+result = os.execute("iptables -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST ")
+--print(result)
+table.foreach(obj['config']['traffic_allowlist'], process_traffic_rule)
+table.foreach(obj['config']['cross_origin_allowlist'], process_cross_origin_rule)
+table.foreach(obj['config']['urls'], process_url)
+state:set("fbwifi", "main", "cross_origin_allow_rules", cross_origin_list)
+
+state:set("fbwifi", "main", "config_version", obj['config_version'])
+state:save('fbwifi')

feeds/facebook/fbwifi/files/usr/sbin/fbwifi_validate_token_db

@@ -0,0 +1,75 @@
+#!/usr/bin/lua
+
+https = require("ssl.https")
+json = require("cjson")
+log = require("posix.syslog")
+fbwifi = require("fbwifi")
+require("uci")
+
+state = uci.cursor(nil, "/var/state")
+GATEWAY_TOKEN = fbwifi.gateway_token()
+
+request = { 
+	tokens = {}, 
+	traffic_type = "total",
+	config_version = state:get("fbwifi", "main", "config_version")
+}
+
+function queue_token(client)
+
+	request.tokens[client.token]={
+		incoming = json.null,
+		outgoing = json.null,
+		connected_time_sec = json.null,
+		inactive_time_sec = json.null,
+		signal_rssi_dbm = json.null,
+		--expected_tpus_mbps = json.null,
+		is_connected = true
+	}
+
+end
+
+state:foreach("fbwifi", "client", queue_token)
+print( "\nRequest:\n"..json.encode(request) )
+
+URL="https://api.fbwifi.com/v2.0/tokens"
+BODY=string.format(
+	"tokens=%s&traffic_type=%s&config_version=%s",
+	json.encode(request.tokens),
+	"'total'",
+	state:get("fbwifi", "main", "config_version")
+)
+
+body, code, headers = https.request(URL.."?access_token="..GATEWAY_TOKEN, BODY)
+
+if code then
+	print( "\nResponse:\n"..body )
+end
+
+response = json.decode(body)
+--print(response)
+--table.foreach(response,print)
+--table.foreach(response.tokens,print)
+
+if response.config_valid then
+	log.syslog(log.LOG_INFO, "[fbwifi] Config validated")
+else
+	log.syslog(log.LOG_WARNING, "[fbwifi] config is stale, refreshing config")
+        local result = os.execute("/usr/sbin/fbwifi reload")
+        if result == 0 then
+                log.syslog(log.LOG_INFO, "[fbwifi] init.d fbwifi restarted successfully to fetch and update fresh config ")
+        else
+                log.syslog(log.LOG_WARNING, "[fbwifi] init.d fbwifi failed to restart. Possible stale config")
+        end
+end
+
+function process_token(token, metadata)
+	table.foreach(metadata,print)
+	if metadata.valid then
+		print("OK: "..token)	
+	else
+		print("Nok: "..token)	
+		fbwifi.revoke_client_rule( token )
+	end
+end
+table.foreach(response.tokens,process_token)

feeds/facebook/fbwifi/files/usr/share/fbwifi/firewall.include

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+IPT4="/usr/sbin/iptables"
+
+fbwifi_http_port="$(uci get fbwifi.main.http_port)"
+[ -n "$fbwifi_http_port" ] || {
+	logger -t fbwifi "required option http_port not set"
+	exit 1
+}
+
+fbwifi_https_port="$(uci get fbwifi.main.https_port)"
+[ -n "$fbwifi_https_port" ] || {
+	logger -t fbwifi "required option https_port not set"
+	exit 1
+}
+
+fbwifi_zone="$(uci get fbwifi.main.zone)"
+[ -n "$fbwifi_zone" ] || {
+	logger -t fbwifi "required option zone  not set"
+	exit 1
+}
+
+fbwifi_ifaces="$(fw3 -q zone "$fbwifi_zone")"
+
+## Create custom chains
+$IPT4 -t filter -N FBWIFI_FORWARD 2>/dev/null
+$IPT4 -t filter -N FBWIFI_INPUT 2>/dev/null
+$IPT4 -t mangle -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
+$IPT4 -t mangle -N FBWIFI_PREROUTING 2>/dev/null
+$IPT4 -t mangle -N FBWIFI_TRAFFIC_ALLOWLIST 2>/dev/null
+$IPT4 -t nat -N FBWIFI_CLIENT_TO_INTERNET 2>/dev/null
+$IPT4 -t nat -N FBWIFI_PREROUTING 2>/dev/null
+$IPT4 -t nat -N FBWIFI_HOST_REDIRLIST 2>/dev/null
+
+## Flush custom chains
+$IPT4 -t filter -F FBWIFI_FORWARD
+$IPT4 -t filter -F FBWIFI_INPUT
+$IPT4 -t mangle -F FBWIFI_CLIENT_TO_INTERNET
+$IPT4 -t mangle -F FBWIFI_PREROUTING
+$IPT4 -t mangle -F FBWIFI_TRAFFIC_ALLOWLIST
+$IPT4 -t nat -F FBWIFI_CLIENT_TO_INTERNET
+$IPT4 -t nat -F FBWIFI_PREROUTING
+$IPT4 -t nat -F FBWIFI_HOST_REDIRLIST
+
+## Populate custom chains
+$IPT4 -t filter -A FBWIFI_FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+$IPT4 -t filter -A FBWIFI_FORWARD -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
+$IPT4 -t filter -A FBWIFI_FORWARD -j REJECT
+$IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_http_port" -m conntrack --ctstate NEW -j ACCEPT
+$IPT4 -t filter -A FBWIFI_INPUT -p tcp --dport "$fbwifi_https_port"  -m conntrack --ctstate NEW -j ACCEPT
+$IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
+$IPT4 -t mangle -A FBWIFI_PREROUTING -j FBWIFI_TRAFFIC_ALLOWLIST
+$IPT4 -t nat -A FBWIFI_PREROUTING -j FBWIFI_CLIENT_TO_INTERNET
+$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
+$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -j FBWIFI_HOST_REDIRLIST
+$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
+$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 443 -m conntrack --ctstate NEW -m mark --mark 0xfb -j ACCEPT
+$IPT4 -t nat -A FBWIFI_CLIENT_TO_INTERNET -p tcp --dport 80 -m conntrack --ctstate NEW -j REDIRECT --to-ports "$fbwifi_http_port"
+
+## Hook custom chains in firewall3 chains
+$IPT4 -t filter -I "zone_${fbwifi_zone}_input" 2 -j FBWIFI_INPUT
+$IPT4 -t filter -I "zone_${fbwifi_zone}_forward" 2 -j FBWIFI_FORWARD
+$IPT4 -t nat -I "zone_${fbwifi_zone}_prerouting" 2 -j FBWIFI_PREROUTING
+# There are no firewall3 zone chains in the mangle table so we need to do this for all interfaces in the zone
+for iface in $fbwifi_ifaces; do
+	$IPT4 -t mangle -I PREROUTING -i "$iface" -j FBWIFI_PREROUTING
+done

feeds/facebook/fbwifi/files/usr/share/fbwifi/uhttpd.json

@@ -0,0 +1,8 @@
+{
+  "request": [
+    [ "if",
+      [ "regex", "REQUEST_URI", "^/fbwifi" ],
+      [ "rewrite", "/cgi-bin%REQUEST_URI%" ]
+    ]
+  ]
+}

feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/auth

@@ -0,0 +1,69 @@
+#!/usr/bin/lua
+require("uci")
+log = require("posix.syslog")
+fbwifi = require("fbwifi")
+
+state = uci.cursor(nil, "/var/state")
+function process_cors()
+	origin = os.getenv("HTTP_ORIGIN")
+	log.syslog(log.LOG_INFO, string.format("[fbwifi] [auth] process_cors origin %s", origin or 'not found') )
+	if string.len(origin or '') > 0 then
+		allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
+		for _, value in pairs(allow_list) do
+    			if value == origin then
+				log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors Appending CORS Headers to HTTP")
+				print("Access-Control-Allow-Origin: "..origin)
+				print("Vary: Origin")
+				break
+			end
+		end
+	else	
+		log.syslog(log.LOG_INFO, "[fbwifi] [auth] process_cors No CORS Headers added to Response")
+	end
+end
+
+method = os.getenv("REQUEST_METHOD")
+if method == 'GET' then
+	log.syslog(log.LOG_INFO, "[fbwifi] [auth] GET handler")
+	print("Status: 302")
+	print("Location: "..state:get("fbwifi", "main", "landing_page_url"))
+	process_cors()
+	print ('\n')
+
+elseif method == 'POST' then
+	local token
+	
+	log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler")
+	process_cors()
+	print("Status: 200")
+
+	form_data=io.read()
+	while form_data do
+		token = string.match(form_data, '[%d]+')
+		if string.len(token or '') > 14 then
+
+			client = os.getenv("REMOTE_ADDR")
+			f = io.popen("awk '/"..client.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
+			client_mac = assert(f:read('*a'))
+
+			if fbwifi.validate_token(token) then
+                                log.syslog(log.LOG_INFO, string.format( "[fbwifi] [auth] POST handler : Validating Token (%s) for MAC (%s)", token or 'nil', client_mac or 'nil') )
+				fbwifi.instate_client_rule(token, client_mac)
+				print("\n{\"valid\":true}\n")
+			else
+                                log.syslog(log.LOG_WARNING, string.format( "[fbwifi] [auth] POST handler : ! Invalid token (%s) for mac (%s) !", token or 'nil', client_mac or 'nil') )
+				fbwifi.revoke_client_rule(token)
+				print("\n{\"valid\":false}\n")
+			end
+			log.syslog(log.LOG_INFO, "[fbwifi] [auth] POST handler completed")
+			return
+		end
+
+		form_data=io.read()
+	end
+	print ('\n')
+
+	log.syslog(log.LOG_WARNING, string.format("[fbwifi] [auth] POST handler : token not found" ))
+	fbwifi.revoke_client_rule(token)
+	print("\n{\"valid\":false}\n")
+end

feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/capport

@@ -0,0 +1,41 @@
+#!/usr/bin/lua
+json = require("cjson")
+require("uci")
+
+state = uci.cursor(nil, "/var/state")
+client_mac = ""
+token = ""
+
+response = {}
+response['venue-info-url'] = state:get("fbwifi", "main", "capport_venue_info_url")
+
+function map_remote_mac_to_token(client)
+        for key, value in pairs(client) do
+                if
+                        key == 'mac' and
+                        value == client_mac
+                then
+			token = client.token
+                        return false
+                end
+        end
+end
+
+function hasValidToken(client_ip)
+	f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
+	client_mac = assert(f:read('*a'))
+	state:foreach("fbwifi", "client", map_remote_mac_to_token)
+
+	return 0 < string.len(token)
+end
+
+print("Content-type: application/captive+json; charset=utf-8\n")
+
+client = os.getenv("REMOTE_ADDR")
+response['captive'] = not hasValidToken(client)
+
+if response['captive'] then
+	response['user-portal-url'] = state:get("fbwifi", "main", "captive_portal_url")
+end
+
+print( json.encode(response) )

feeds/facebook/fbwifi/files/www/cgi-bin/fbwifi/v2.0/info

@@ -0,0 +1,58 @@
+#!/usr/bin/lua
+require "luci.cacheloader"
+require "luci.sgi.cgi"
+json = require("cjson")
+fbwifi = require("fbwifi")
+
+state = uci.cursor(nil, "/var/state")
+GATEWAY_TOKEN = fbwifi.gateway_token()
+
+response = { api_version = "2.0", token = json.null }
+client_mac = ""
+
+function process_cors()
+        origin = os.getenv("HTTP_ORIGIN")
+        if string.len(origin or '') > 0 then
+                allow_list = state:get("fbwifi", "main", "cross_origin_allow_rules")
+                for _, value in pairs(allow_list) do
+                        if value == origin then
+                                print("Access-Control-Allow-Origin: "..origin)
+                                print("Vary: Origin")
+                                break
+                        end
+                end
+        end
+end
+
+function map_remote_mac_to_token(client)
+
+	for key, value in pairs(client) do
+		if
+			key == 'mac' and
+			value == client_mac
+		then
+			response.token = client.token
+			return false -- escape outer loop
+		end
+	end
+end
+
+function getClientToken(client_ip)
+	f = io.popen("awk '/"..client_ip.."/ { printf(\"%s\", $4) }' /proc/net/arp", 'r')
+	client_mac = assert(f:read('*a'))
+
+	state:foreach("fbwifi", "client", map_remote_mac_to_token)
+end
+
+function getGatewayId()
+	id = string.match(GATEWAY_TOKEN, 'FBWIFI:GATEWAY|[0-9]*|([0-9]*)')
+	return id
+end
+
+process_cors()
+print("Content-type: application/json; charset=utf-8\n")
+
+getClientToken(os.getenv("REMOTE_ADDR"))
+response.gateway_id = getGatewayId()
+
+print( json.encode(response) )

profiles/fbwifi.yml

@@ -0,0 +1,8 @@
+---
+description: Add the FaceBook dependencies
+feeds:
+  - name: facebook
+    path: ../../feeds/facebook
+
+packages:
+  - fbwifi