9797d7e allow using a shared service->captive for multiple instances
ad7eb8e rename strict-isolation -> strict-forwarding
43c44c1 force spotfilter off prior to config apply
11fffcf captive: fix credentials configuration
Signed-off-by: John Crispin <john@phrozen.org>
This commit fixes a bug where the SSID value would be set to "unknown"
in spotfilter data when the hostapd call returned without SSID data; but
this value was not propagated internally, resulting in a null value
being used in other parts of the portal code. Furthermore, if the
hostapd call returned null data, the spotfilter assignment correctly
handled this case but not the subsequent internal assignment, resulting
in a potential null dereference and crash.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit removes CONNMARK marking of all authenticated clients'
packets. In client_kick() we now delete all conntrack entries for the
client.
This simplifies the firewall.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Default firewall rules apply to unauthenticated clients; there is no
need to specifically fwmark their packets. This reduces the firewall
complexity and makes very clear what happens "by default".
Add a preliminary README with a sample firewall illustrating this setup.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This file is run by /etc/init.d/uspot, uses /etc/config/uspot and
basically handles uspot state (beyond mere accounting).
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Avoid again having the init and exit stages of a specific subsystem
spread across multiple modules.
We no longer need to lowercase the MAC address and can use the
spotfilter native (uppercase) format for ratelimit calls.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
When a client is removed, call ratelimit client_delete to remove any
lingering related bandwidth limits.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Reading [1] and [2], it appears that the hard-coded value "2" is
incorrect and "10" should be used instead. [1] provides that:
Checks for the presence of a Service-Type == 'Call-Check' AVP as an
explicit indication that the NAS wants to do Mac-Auth.
"Call-Check" is defined in [2] as value 10.
[1]: https://wiki.freeradius.org/guide/mac-auth#web-auth-safe-mac-auth
[2]: https://freeradius.org/rfc/rfc2865.html#Service-Type
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Now that accounting is entirely handled in accounting.uc, the rest of
the system no longer needs to carry around that information.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit introduces an "acct_start" ubus endpoint for accounting.uc
that is used to register a new client and start accounting.
This moves the entirety of accounting management under accounting.uc,
instead of having e.g. the RADIUS Start call separate in handler-uam.uc.
Furthermore, accounting.uc no longer needs to poll for new clients: they
are now registered from portal.allow_client().
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
RFC[1] says that Acct-Session-Id should be a UTF-8-encoded string.
Increase uniqueness by using hex values instead of decimal ones.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>