Hello,

I'm trying to set up a captive portal using pf (OpenBSD snapshot from
October on i386).

I'm using pf rdr to direct all tcp/80 traffic to a cgi script.  If a
user completes the form, they are added to a table that does not get
redirected and are able to access the Web.

Once the client submits the form, I'd like to refresh their browser with
their original request (using META_REFRESH), and this is where I'm
having trouble.

When the client refreshes, they are still redirected to the cgi, though
they can load any other pages properly.  The only reason I can find for
this is the state that was created by the initial rdr (see below).

I looked at per-rule timeouts, but they only appear to work on filter
rules that create state.  I've tried killing the state (pfctl -k), but I
haven't gotten that to fix the problem, either.

Does anyone have a suggestion about how to fix the problem?  


Thanks!

Mike



Here's some output from my testing:


### just after clearing everything

# pfctl -vvsT
-pa-r-  captive_users
        Addresses:   0
        Cleared:     Wed Jan  4 14:44:21 2006
        References:  [ Anchors: 0                  Rules: 5                  ]
        Evaluations: [ NoMatch: 0                  Match: 0                  ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]



# pfctl -vsa
TRANSLATION RULES:
nat on vr0 inet from <captive_users> to any -> 192.168.4.102
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
no rdr on vr1 inet proto tcp from <captive_users> to any port = www
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
rdr on vr1 inet proto tcp from ! <captive_users> to any port = www -> 192.168.6.254 port 8080
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]

FILTER RULES:
scrub in all fragment reassemble
  [ Evaluations: 1         Packets: 1         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
pass log all
  [ Evaluations: 1         Packets: 1         Bytes: 229         States: 0     ]
  [ Inserted: uid 0 pid 4274 ]

State Table                          Total             Rate
  current entries                        0               
  searches                               1            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s




### attempt to browse to google.com, redirected to cgi

# pfctl -vsa
TRANSLATION RULES:
nat on vr0 inet from <captive_users> to any -> 192.168.4.102
  [ Evaluations: 29        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
no rdr on vr1 inet proto tcp from <captive_users> to any port = www
  [ Evaluations: 34        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
rdr on vr1 inet proto tcp from ! <captive_users> to any port = www -> 192.168.6.254 port 8080
  [ Evaluations: 20        Packets: 11        Bytes: 3462        States: 1     ]
  [ Inserted: uid 0 pid 4274 ]

FILTER RULES:
scrub in all fragment reassemble
  [ Evaluations: 84        Packets: 45        Bytes: 811         States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
pass log all
  [ Evaluations: 63        Packets: 73        Bytes: 10165       States: 1     ]
  [ Inserted: uid 0 pid 4274 ]

STATES:
all tcp 192.168.6.254:8080 <- 64.233.187.104:80 <- 192.168.6.51:7251   
   ESTABLISHED:ESTABLISHED
   [3810087587 + 11632] wscale 0  [3873677639 + 17376] wscale 2
   age 00:00:03, expires in 04:59:58, 6:5 pkts, 811:2651 bytes, rule 0




### after completing cgi form, still redirected to cgi, even though the client is in the captive_users table,
### which should match the "no rdr" rule...

# pfctl -t captive_users -T show
   192.168.6.51


# pfctl -vvsT
-pa-r-  captive_users
        Addresses:   1
        Cleared:     Wed Jan  4 14:44:21 2006
        References:  [ Anchors: 0                  Rules: 5                  ]
        Evaluations: [ NoMatch: 17                 Match: 0                  ]
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]


# pfctl -vsa
TRANSLATION RULES:
nat on vr0 inet from <captive_users> to any -> 192.168.4.102
  [ Evaluations: 29        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
no rdr on vr1 inet proto tcp from <captive_users> to any port = www
  [ Evaluations: 34        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
rdr on vr1 inet proto tcp from ! <captive_users> to any port = www -> 192.168.6.254 port 8080
  [ Evaluations: 20        Packets: 27        Bytes: 8697        States: 1     ]
  [ Inserted: uid 0 pid 4274 ]

FILTER RULES:
scrub in all fragment reassemble
  [ Evaluations: 116       Packets: 61        Bytes: 2337        States: 0     ]
  [ Inserted: uid 0 pid 4274 ]
pass log all
  [ Evaluations: 63        Packets: 89        Bytes: 15400       States: 1     ]
  [ Inserted: uid 0 pid 4274 ]


STATES:
all tcp 192.168.6.254:8080 <- 64.233.187.104:80 <- 192.168.6.51:7251   
   ESTABLISHED:ESTABLISHED
   [3810090880 + 20320] wscale 0  [3873678749 + 17376] wscale 2
   age 00:00:19, expires in 04:59:58, 14:13 pkts, 2337:6360 bytes, rule 0

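The state listed above is the one thing still tying the client to the rdr: pf decides a translation when a state is created, and an existing state keeps that translation until it expires or is killed, so "no rdr" only affects new connections. The script below is an added example, not from the post or from OpenBSD, that picks the states belonging to a given client out of a state dump in the layout the post shows (`pfctl -ss` prints one state per line), flags the ones that still carry a translation (two arrows), and prints the `pfctl -k` invocation that targets states originating from that host. The state lines it parses are constructed sample input; the outbound nat line is an assumed layout in the same "source -> nat address -> destination" convention, and the kill command is printed rather than run, since pfctl is not available offline.

```shell
#!/bin/sh
# Added example, not from the original post: find which pf states still hold a
# translation for a captive-portal client, given a state dump like `pfctl -ss`.
# Inbound states list the source host after the last arrow, outbound states
# list it before the first arrow; a second arrow means the state carries a
# translation (rdr on the way in, nat on the way out).

# Print every state line whose source host is CLIENT. Reads the dump on stdin.
client_states() {
    awk -v c="$1" '
        {
            src = ""; arrows = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "<-") { src = $(i + 1); arrows++ }                        # inbound: host after the last arrow
                else if ($i == "->") { if (src == "") src = $(i - 1); arrows++ }    # outbound: host before the first arrow
            }
            sub(/:[0-9]+$/, "", src)                                                # strip the port
            if (arrows > 0 && src == c) print
        }'
}

# Keep only the client states that still carry a translation (two arrows).
translated_client_states() {
    client_states "$1" | awk '
        { n = 0; for (i = 1; i <= NF; i++) if ($i == "<-" || $i == "->") n++; if (n == 2) print }'
}

# Number of translated states for CLIENT (what the rdr rule "States:" counter reflects).
count_translated() {
    translated_client_states "$1" | wc -l | tr -d ' '
}

# The pfctl invocation that kills states originating from CLIENT (printed, not executed here).
kill_command() {
    printf 'pfctl -k %s\n' "$1"
}

# Constructed sample dump: the rdr'd web connection from the post, an untranslated
# connection from the same client, an assumed nat'd outbound state, and another host.
SAMPLE_STATES='all tcp 192.168.6.254:8080 <- 64.233.187.104:80 <- 192.168.6.51:7251       ESTABLISHED:ESTABLISHED
all tcp 64.233.187.104:80 <- 192.168.6.51:7260       ESTABLISHED:ESTABLISHED
all tcp 192.168.6.51:7251 -> 192.168.4.102:60001 -> 64.233.187.104:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.6.254:8080 <- 64.233.187.104:80 <- 192.168.6.52:1044       ESTABLISHED:ESTABLISHED'

# Usage: show what is still pinning the client to a translation, then the command that targets it.
printf '%s\n' "$SAMPLE_STATES" | translated_client_states 192.168.6.51
kill_command 192.168.6.51
```

On a live box, replace the sample with `pfctl -ss | translated_client_states <ip>` after adding the client to the table; if the rdr state for the client is still listed, it is the one to kill before the META refresh is expected to reach the original destination.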