In order to send RADIUS accounting requests at the NAS level (e.g.
Accounting-On/Off), radius_init() and radius_call() are made to accept a
null mac argument.
For radius_call() we fall back to the acct_session value (which is
required to be present per RFC) to construct the temporary file name.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
NAS-ID is a mandatory setting in configuration. This will be useful to
support Accounting-Off frames.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Now that accounting.uc no longer needs the per-client radius server
information, there is no reason to publish these sensitive secrets in
cleartext in spotfilter data.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Address RADIUS accounting server from the global settings, and call
client_interim() only if accounting is globally enabled for that
interface.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Before this commit, interface-wide settings (mainly radius) were stored
per client, resulting in duplicate data.
This commit runs a first pass that renames the "clients" global variable
to "interfaces" which is expected to have the following content:
    interfaces {
        settings {},
        clients {},
    }
Thus the settings are stored per interface now, and the list of clients
belonging to that interface is stored within the object.
This change enables us to also remove direct calls to uci configuration
in the code and thus we no longer need to store it locally.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
If a client "disappears" from wireless, spotfilter eventually wipes
their state data before the accounting removal occurs. Thus in
radius_acct(), the ubus call returns empty and no RADIUS accounting Stop
frame is sent in this condition, leaving a dangling accounting for the
client.
This commit solves this issue by maintaining a local copy of the most
recent accounting data and sending that when the live data is no longer
available.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Instead of running one timer per client, handle interim reports in the
main loop through a simple comparison between current time and expected
time of next report.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This enables CONNMARK'ing allowed traffic, and is used by accounting to
selectively delete conntrack entries on client removal.
To be used with the following fw4 config:
    config include
        option type 'nftables'
        option path '/usr/share/uspot/firewall.nft'
        option position 'chain-post'
        option chain 'mangle_postrouting'
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Per RFC: https://www.rfc-editor.org/rfc/rfc2869.html#section-2.1
It is also possible to statically configure an interim value on the
NAS itself. Note that a locally configured value on the NAS MUST
override the value found in an Access-Accept.
Don't start the interim reporting timer if no interval is configured.
Also add the config option to the documented config template.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
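The accounting behaviour described in the three commit messages above (cached data for the Stop frame, interim reports driven from the main loop, local interval overriding Access-Accept) can be sketched as follows. This is an added example written in JavaScript, not the project's ucode; every function and field name is hypothetical, and `live(mac)` stands in for the spotfilter query.

```javascript
// Added example; names are assumptions, not uspot's own code.
// RFC 2869 section 2.1: a locally configured interval overrides the
// Acct-Interim-Interval from the Access-Accept. 0 means "no interim reports".
function interimInterval(localSetting, accessAccept) {
  const local = Number(localSetting);
  if (Number.isInteger(local) && local > 0) return local;
  const remote = Number((accessAccept || {})['Acct-Interim-Interval']);
  return Number.isInteger(remote) && remote > 0 ? remote : 0;
}

// Register a client; no interim deadline is set when no interval applies.
function addClient(clients, mac, localSetting, accessAccept, now) {
  const interval = interimInterval(localSetting, accessAccept);
  clients[mac] = {
    interval,
    nextInterim: interval ? now + interval : null,
    lastAcct: null, // cached copy of the most recent live counters
  };
}

// One main-loop pass: compares `now` with each client's next report time
// instead of running one timer per client. `live(mac)` returns null once
// the client's state has been wiped.
function accountingPass(clients, live, now) {
  const frames = [];
  for (const mac of Object.keys(clients)) {
    const c = clients[mac];
    const data = live(mac);
    if (data === null) {
      // Live data is gone: send Stop from the cached copy so the
      // accounting session is not left dangling on the server.
      frames.push({ mac, type: 'Stop', acct: c.lastAcct });
      delete clients[mac];
      continue;
    }
    c.lastAcct = data;
    if (c.nextInterim !== null && now >= c.nextInterim) {
      frames.push({ mac, type: 'Interim-Update', acct: data });
      c.nextInterim = now + c.interval;
    }
  }
  return frames;
}
```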
There is no point in setting up the interim timer if the relevant radius
data is not available. Furthermore, the return value check would only
fail if the client was unknown to spotfilter at the query time, which
isn't a failure to *send* data.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
When looping through known clients:
- removal of client in spotfilter list is checked first
- checks for known client existence are redundant by construction
Also format the max_total check similarly to the timeout one.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
radius_stop() had nothing to do with RADIUS.
Simplify the function prototype by handling spotfilter args internally.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
By construction:
- interface is one of clients[] keys
- clients[] is built from config uspot 'interface'
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit introduces a helper function "ratelimit_client()", invoked
from allow_client(), which parses the radius reply for known
ratelimiting attributes:
- WISPr-Bandwidth-Max-{Up,Down}
- ChilliSpot-Bandwidth-Max-{Up,Down}
WISPr attributes are expressed in bits/s, ChilliSpot in kbits/s.
If none of the attributes are present, the function is a NOP.
If any of the -Up or -Down is missing, the corresponding limit is not
set. NB: ratelimit currently does not support setting only up OR down
ratelimiting if defaults are not set.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
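The attribute handling described in the commit message above, as an added example in JavaScript (not the project's ucode and not its ratelimit_client() code). The attribute names and units come from the message; the reply being an object keyed by attribute name, normalising to bits/s, WISPr taking precedence over ChilliSpot, and rejecting non-numeric values are assumptions of this sketch.

```javascript
// Added example; function names and the reply layout are assumptions.
const SOURCES = [
  // [attribute prefix, multiplier to bits/s]
  ['WISPr-Bandwidth-Max-', 1],         // WISPr: bits/s
  ['ChilliSpot-Bandwidth-Max-', 1000], // ChilliSpot: kbits/s
];

// Accept only positive decimal integers that stay exact after scaling;
// the value comes from the network and is not trusted as-is.
function parseRate(value, mult) {
  const s = String(value).trim();
  if (!/^[0-9]+$/.test(s)) return null;
  const n = Number(s) * mult;
  return Number.isSafeInteger(n) && n > 0 ? n : null;
}

// Returns null when the reply carries no usable rate-limit attribute (NOP),
// otherwise { up, down } in bits/s with a missing direction left unset.
// Assumption: WISPr wins when both vendors supply the same direction, and
// an unusable WISPr value falls through to the ChilliSpot one.
function ratelimitFromReply(reply) {
  const limits = {};
  for (const dir of ['Up', 'Down']) {
    for (const [prefix, mult] of SOURCES) {
      const key = prefix + dir;
      if (!Object.prototype.hasOwnProperty.call(reply, key)) continue;
      const rate = parseRate(reply[key], mult);
      if (rate !== null) {
        limits[dir.toLowerCase()] = rate;
        break;
      }
    }
  }
  return Object.keys(limits).length ? limits : null;
}

// Constructed sample reply mixing both vendors' attributes.
const SAMPLE_REPLY = {
  'WISPr-Bandwidth-Max-Up': '2000000',
  'ChilliSpot-Bandwidth-Max-Down': 512,
};
```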
This carries over two Chilli options used during mac authentication:
- macpasswd, which sets a static password when performing mac-auth
- macsuffix, which allows suffixing the mac address provided as username
These options are implemented in config uspot section as:
- option mac_passwd 'password'
- option mac_suffix 'suffix'
If unset, this commit is a NOP.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
If debug is disabled, this commit deletes the temporary json files
passed to radius-client.
Furthermore, to reduce the risk of collision, use a different prefix in
accounting.uc ('uacct') vs common.uc ('acct').
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
For basic uspot setups, this commit implements a 'generate' verb to
uspot /usr/bin/captive that takes a config uspot section name, and
parses the following extra options to generate the relevant spotfilter
config:
    option generate_spotfilter (bool) # if unset/false, generate is a NOP
    option interface 'name' # config/network interface name to redirect to
    option client_autoremove (bool) # if set/true, sets client_autoremove
    list wl_hosts '*.example.com' # optional list of whitelist hostnames
    list wl_addrs '1.2.3.4' # optional list of whitelist IPs
"captive generate" is called in spotfilter.init to optionally (depending
on 'generate_spotfilter') create the required spotfilter-XXX.json before
starting spotfilter.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
The current uspot config uses a single named section to assign ifnames
to uspot interfaces like so:
    config devices 'devices'
        option wlanc0 'hotspot1'
        option wlanc1 'hotspot1'
Where 'wlanc0' and 'wlanc1' are physical ifnames.
Code in common.uc also hardcodes a check to match ifnames with 'wlanc*'.
This commit gets rid of the "config device" sections and accepts in the
"config uspot" sections e.g.:
    option ifname 'wlanc0'
or
    list ifname 'wlanc0'
    list ifname 'wlanc1'
The listed devices are then associated with the current uspot config
exactly as they were with the previous configuration system.
The hardcoded check in common.uc is also removed, allowing arbitrary
ifnames to be used.
Malformed sections are ignored with a warning. Subsequent duplicate
entries for a given ifname are ignored with a warning.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit moves session id creation outside of radius_init() and
stores the identifier in ctx and client data, making it available to
various handlers.
The id is added to the list of uam_url parameters to be sent to the
backend.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>