captive portal fixes

src/etc/inc/captiveportal.inc

@@ -104,8 +104,9 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
     global $cpzone ,$type,$g;
 
     // Ensure we create an array if we are missing attributes
-    if (!is_array($attributes))
+    if (!is_array($attributes)) {
 		$attributes = array();
+	}
 
     // handle
     $dwfaultbw_up = isset($config['captiveportal'][$cpzone]['bwdefaultup']) ? $config['captiveportal'][$cpzone]['bwdefaultup'] : 0;

src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CPClient.php

@@ -58,7 +58,7 @@ class CPClient {
 
     /**
      * link to shell object
-     * @var  \Core\Shell
+     * @var  Core\Shell
      */
     private $shell = null;
 
@@ -71,10 +71,10 @@ class CPClient {
      * @param $ip
      * @param string $message
      */
-    private function logportalauth($user,$mac,$ip,$status,$message=""){
+    private function logportalauth($cpzonename, $user, $mac, $ip, $status, $message=""){
 
         $message = trim($message);
-        $message = "{$status}: {$user}, {$mac}, {$ip}, {$message}";
+        $message = "Zone : {$cpzonename} {$status}: {$user}, {$mac}, {$ip}, {$message}";
 
         $logger = new \Phalcon\Logger\Adapter\Syslog("logportalauth", array(
             'option' => LOG_PID,
@@ -83,6 +83,7 @@ class CPClient {
         $logger->info($message);
 
     }
+
     /**
      * Request new pipeno
      * @return int
@@ -134,13 +135,30 @@ class CPClient {
         }
     }
 
+    /**
+     * load accounting rules into ruleset, used for reinitialisation of the ruleset.
+     * triggers add_accounting() for all active clients in all zones
+     */
+    private function loadAccounting()
+    {
+        foreach ($this->config->object()->captiveportal->children() as $cpzonename => $zone)
+        {
+            $db = new DB($cpzonename);
+            foreach ($db->listClients(array()) as $client)
+            {
+                $this->add_accounting($zone->zoneid, $client->ip) ;
+            }
+            unset($db);
+        }
+    }
+
     /**
      *
      * @param $zoneid
      * @param $ip
      */
     public function add_accounting($zoneid,$ip){
-        // TODO: check speed, this might need some improvement
+        // TODO: check processing speed, this might need some improvement
         // check if our ip is already in the list and collect first free rule number to place it there if necessary
         $shell_output=array();
         $this->shell->exec("/sbin/ipfw show",false,false,$shell_output);
@@ -227,7 +245,7 @@ class CPClient {
      */
     function __construct() {
         // Request handle to configuration
-        $this->config = \Core\Config::getInstance();
+        $this->config = Core\Config::getInstance();
         // generate new ruleset
         $this->rules = new Rules();
         // keep a link to the shell object
@@ -246,6 +264,9 @@ class CPClient {
 
         // update tables
         $this->update();
+
+        // after reinit all accounting rules are vanished, reapply them for active sessions
+        $this->loadAccounting();
     }
 
     /**
@@ -552,7 +573,7 @@ class CPClient {
         $this->reset_bandwidth($pipeno_in,$bw_down);
 
         // log
-        $this->logportalauth($username,$clientmac,$clientip,$status="LOGIN");
+        $this->logportalauth($cpzonename, $username, $clientmac, $clientip, $status="LOGIN");
 
         // cleanup
         unset($db);
@@ -576,7 +597,6 @@ class CPClient {
         }
     }
 
-
     /**
      * flush zone (null flushes all zones)
      * @param null $zone
@@ -633,7 +653,7 @@ class CPClient {
                     if (is_numeric($client->session_timeout) && $client->session_timeout > 0 ) {
                         if (((time() - $client->allow_time) / 60) > $client->session_timeout) {
                             $this->disconnect($cpzonename, $client->sessionid);
-                            $this->logportalauth($client->username,$client->mac,$client->ip,$status="SESSION TIMEOUT");
+                            $this->logportalauth($cpzonename, $client->username, $client->mac, $client->ip, $status="SESSION TIMEOUT");
                             continue;
                         }
                     }
@@ -642,7 +662,7 @@ class CPClient {
                     if (is_numeric($client->idle_timeout) && $client->idle_timeout > 0  && $idle_time > 0) {
                         if ($idle_time > $client->idle_timeout) {
                             $this->disconnect($cpzonename, $client->sessionid);
-                            $this->logportalauth($client->username,$client->mac,$client->ip,$status="IDLE TIMEOUT");
+                            $this->logportalauth($cpzonename, $client->username, $client->mac, $client->ip, $status="IDLE TIMEOUT");
                             continue;
                         }
                     }
@@ -650,7 +670,7 @@ class CPClient {
                     // disconnect on session terminate time
                     if ( is_numeric($client->session_terminate_time) && $client->session_terminate_time > 0 && $client->session_terminate_time < time()) {
                         $this->disconnect($cpzonename, $client->sessionid);
-                        $this->logportalauth($client->username,$client->mac,$client->ip,$status="TERMINATE TIME REACHED");
+                        $this->logportalauth($cpzonename, $client->username, $client->mac, $client->ip, $status="TERMINATE TIME REACHED");
                         continue;
                     }
                 }

src/opnsense/mvc/app/models/OPNsense/CaptivePortal/Rules.php

@@ -33,6 +33,7 @@
 
 namespace OPNsense\CaptivePortal;
 
+use OPNsense\Core;
 
 /**
  * Class Rules
@@ -59,7 +60,7 @@ class Rules {
     function __construct()
     {
         // Request handle to configuration
-        $this->config = \Core\Config::getInstance();
+        $this->config = Core\Config::getInstance();
     }
 
 
@@ -130,6 +131,8 @@ class Rules {
         $this->rules[] = "#=========================================================================================================";
         foreach( $this->config->object()->interfaces->children()  as $interface => $content ){
             if ( $interface != "wan" && $content->ipaddr != "dhcp" ){
+                // only keep state of dns traffic to prevent dns resolver failures
+                $this->rules[] = "add ".$rulenum++." allow udp from any to ".$content->ipaddr." dst-port 53 keep-state  in";
                 $this->rules[] = "add ".$rulenum++." allow ip from any to { 255.255.255.255 or ".$content->ipaddr." } in";
                 $this->rules[] = "add ".$rulenum++." allow ip from { 255.255.255.255 or ".$content->ipaddr." } to any out";
                 $this->rules[] = "add ".$rulenum++." allow icmp from { 255.255.255.255 or ".$content->ipaddr." } to any out icmptypes 0";

src/www/status_captiveportal.php

@@ -200,7 +200,7 @@ $mac_man = load_mac_manufacturer_table();
 								    <td class="listr" colspan="2"></td>
 									<?php endif; ?>
 								    <td valign="middle" class="list nowrap">
-								      <a href="?zone=<?=$cpzone;?>&amp;order=<?=$_GET['order'];?>&amp;showact=<?=htmlspecialchars($_GET['showact']);?>&amp;act=del&amp;id=<?=$cpent->username;?>" onclick="return confirm('<?=gettext("Do you really want to disconnect this client?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("Disconnect");?>"></a>
+								      <a href="?zone=<?=$cpzone;?>&amp;order=<?=$_GET['order'];?>&amp;showact=<?=htmlspecialchars($_GET['showact']);?>&amp;act=del&amp;id=<?=$cpent->sessionid;?>" onclick="return confirm('<?=gettext("Do you really want to disconnect this client?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("Disconnect");?>"></a>
 								    </td>
 								  </tr>
 								<?php endforeach; endif; ?>