(captive portal / traffic shaper) work in progress moving captive portal rule...

(captive portal / traffic shaper) work in progress moving captive portal rule generation into template system

Make room for traffic shaper rules and restructure ipfw rule parsing

src/opnsense/service/templates/OPNsense/IPFW/+MANIFEST

+name: opnsense-ipfw
+version: 0.1
+origin: opnsense/proxy
+comment: IPFW configuration
+desc: configuration templates for ipfw rulesets
+maintainer: ad at opnsense.org
+www: https://opnsense.org
+prefix: /

src/opnsense/service/templates/OPNsense/IPFW/+TARGETS

+ipfw.conf:/tmp/ipfw.rules.new

src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf

+#======================================================================================
+# flush ruleset
+#======================================================================================
+flush
+
+#======================================================================================
+# general purpose rules 1...1000
+#======================================================================================
+add 100 allow pfsync from any to any
+add 110 allow carp from any to any
+# layer 2: pass ARP
+add 120 pass layer2 mac-type arp,rarp
+# OPNsense requires for WPA
+add 130 pass layer2 mac-type 0x888e,0x88c7
+# PPP Over Ethernet Session Stage/Discovery Stage
+add 140 pass layer2 mac-type 0x8863,0x8864
+# layer 2: block anything else non-IP(v4/v6)
+add 150 deny layer2 not mac-type ip,ipv6
+
+#======================================================================================
+# Allow traffic to this hosts static ip's
+#======================================================================================
+{% for intf_key,interface in interfaces.iteritems() %}
+{% if intf_key != "wan" and interface.ipaddr != "dhcp" and interface.ipaddr != "" %}
+add {{loop.index  + 1000}} allow udp from any to {{ interface.ipaddr }} dst-port 53 keep-state
+add {{loop.index  + 1000}} allow ip from any to { 255.255.255.255 or {{interface.ipaddr}} } in
+add {{loop.index  + 1000}} allow ip from { 255.255.255.255 or {{interface.ipaddr}} } to any out
+add {{loop.index  + 1000}} allow icmp from { 255.255.255.255 or {{interface.ipaddr}} } to any out icmptypes 0
+add {{loop.index  + 1000}} allow icmp from any to { 255.255.255.255 or {{interface.ipaddr}} } in icmptypes 8
+{% endif %}
+{% endfor %}
+
+{% if helpers.exists('captiveportal') %}
+{% for cp_key,cp_item in captiveportal.iteritems() %}
+{%      for intf_key,interface in interfaces.iteritems() %}
+{%          if intf_key == cp_item.interface and interface.ipaddr != 'dhcp' %}
+#===================================================================================
+# zone {{cp_key}} ({{cp_item.zoneid}}) configuration
+#===================================================================================
+{# authenticated users ( table 1 + 2 ) #}
+add {{3000 + cp_item.zoneid|int * 10 + 1 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 1 }}) to any via {{interface.if}}
+add {{3000 + cp_item.zoneid|int * 10 + 2 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 1 }}) to any via {{interface.if}}
+{# authenticated hosts ( table 3 + 4 ) #}
+add {{3000 + cp_item.zoneid|int * 10 + 3 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 3 }}) to any via {{interface.if}}
+add {{3000 + cp_item.zoneid|int * 10 + 4 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 3 }}) to any via {{interface.if}}
+{# authenticated mac addresses ( table 5 + 6 ) #}
+add {{3000 + cp_item.zoneid|int * 10 + 5 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 5 }}) to any via {{interface.if}}
+add {{3000 + cp_item.zoneid|int * 10 + 6 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 5 }}) to any via {{interface.if}}
+{%          endif %}
+{%      endfor %}
+{% endfor %}
+{% endif %}
+
+
+
+#======================================================================================
+# setup zone accounting section
+#======================================================================================
+{% if helpers.exists('captiveportal') %}
+{% for cp_key,cp_item in captiveportal.iteritems() %}
+{%      for intf_key,interface in interfaces.iteritems() %}
+{%          if intf_key == cp_item.interface and interface.ipaddr != 'dhcp' %}
+# zone {{cp_key}} ({{cp_item.zoneid}})
+add {{ (cp_item.zoneid|int * 1000) + 10001 }} count ip from any to any via {{interface.if}}
+add {{ (cp_item.zoneid|int * 1000) + 10998 }} skipto 30000 all from any to any via {{interface.if}}
+add {{ (cp_item.zoneid|int * 1000) + 10999 }} deny all from any to any not via {{interface.if}}
+{%          endif %}
+{%      endfor %}
+{% endfor %}
+{% endif %}

src/opnsense/service/templates/OPNsense/Proxy/+MANIFEST

@@ -3,6 +3,6 @@ version: 0.1
 origin: opnsense/proxy
 comment: Squid proxy configuration
 desc: configuration templates for squid proxy
-maintainer: ad@opnsense.org
+maintainer: ad at opnsense.org
 www: https://opnsense.org
 prefix: /

src/opnsense/service/templates/OPNsense/Sample/+MANIFEST

@@ -3,6 +3,6 @@ version: 0.1
 origin: opnsense/sample
 comment: OPNsense configuration template example
 desc: creates some files in /tmp/.../ based on reporting definitions found in +TARGETS
-maintainer: ad@opnsense.org
+maintainer: ad at opnsense.org
 www: https://opnsense.org
 prefix: /