Intial clone from nodogsplash master

Signed-off-by: Rob White <rob@blue-wave.net>

AUTHORS

@@ -1,15 +1,16 @@
-On the Nodogsplash project:
-Active:
- Alexander Couzens <lynxis@fe80.eu>
- Moritz Warning <moritzwarning@web.de>
- Rob White <dot@blue-wave.net>
-Inactive:
- Shiao-An Yuan <shiao.an.yuan@gmail.com>
- Fred Moyer <fred@slwifi.com>
- Paul Kube <nodogsplash@kokoro.ucsd.edu>
+On the openNDS project:
+	Active:
+		Rob White <dot@blue-wave.net>
+		Moritz Warning <moritzwarning@web.de>
+
+On the Nodogsplash project:
+	Active:
+		Alexander Couzens <lynxis@fe80.eu>
+		Moritz Warning <moritzwarning@web.de>
+
+	Inactive:
+		Rob White <dot@blue-wave.net>
+		Shiao-An Yuan <shiao.an.yuan@gmail.com>
+		Fred Moyer <fred@slwifi.com>
+		Paul Kube <nodogsplash@kokoro.ucsd.edu>
 
-On the WifiDog project:
-Philippe April <papril777@yahoo.com>
-Mina Naguib <webmaster@topfx.com>
-Benoit Grégoire <bock@step.polymtl.ca>
-Alexandre Carmel-Veilleux <acv@miniguru.ca>

Makefile

@@ -14,49 +14,49 @@ NDS_OBJS=src/auth.o src/client_list.o src/commandline.o src/conf.o \
 
 .PHONY: all clean install checkastyle fixstyle deb
 
-all: nodogsplash ndsctl
+all: opennds ndsctl
 
 %.o : %.c
 	$(CC) $(CPPFLAGS) $(CFLAGS) -c $< -o $@
 
-nodogsplash: $(NDS_OBJS) $(LIBHTTPD_OBJS)
-	$(CC) $(LDFLAGS) -o nodogsplash $+ $(LDLIBS)
+opennds: $(NDS_OBJS) $(LIBHTTPD_OBJS)
+	$(CC) $(LDFLAGS) -o opennds $+ $(LDLIBS)
 
 ndsctl: src/ndsctl.o
 	$(CC) $(LDFLAGS) -o ndsctl $+ $(LDLIBS)
 
 clean:
-	rm -f nodogsplash ndsctl src/*.o
+	rm -f opennds ndsctl src/*.o
 	rm -rf dist
 
 install:
 #ifeq(yes,$(STRIP))
-	strip nodogsplash
+	strip opennds
 	strip ndsctl
 #endif
 	mkdir -p $(DESTDIR)/usr/bin/
 	cp ndsctl $(DESTDIR)/usr/bin/
-	cp nodogsplash $(DESTDIR)/usr/bin/
-	mkdir -p $(DESTDIR)/etc/nodogsplash/htdocs/images
-	cp resources/nodogsplash.conf $(DESTDIR)/etc/nodogsplash/
-	cp resources/splash.html $(DESTDIR)/etc/nodogsplash/htdocs/
-	cp resources/splash.css $(DESTDIR)/etc/nodogsplash/htdocs/
-	cp resources/status.html $(DESTDIR)/etc/nodogsplash/htdocs/
-	cp resources/splash.jpg $(DESTDIR)/etc/nodogsplash/htdocs/images/
-	mkdir -p $(DESTDIR)/usr/lib/nodogsplash
-	cp forward_authentication_service/PreAuth/demo-preauth.sh $(DESTDIR)/usr/lib/nodogsplash/login.sh
-	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/nodogsplash/login.sh
-	cp forward_authentication_service/libs/get_client_interface.sh $(DESTDIR)/usr/lib/nodogsplash/
-	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/nodogsplash/get_client_interface.sh
-	cp forward_authentication_service/libs/get_client_token.sh $(DESTDIR)/usr/lib/nodogsplash/
-	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/nodogsplash/get_client_token.sh
-	cp forward_authentication_service/libs/unescape.sh $(DESTDIR)/usr/lib/nodogsplash/
-	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/nodogsplash/unescape.sh
-	cp forward_authentication_service/libs/authmon.sh $(DESTDIR)/usr/lib/nodogsplash/
-	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/nodogsplash/authmon.sh
-	cp forward_authentication_service/libs/post-request.php $(DESTDIR)/usr/lib/nodogsplash/
-	cp forward_authentication_service/fas-aes/fas-aes.php $(DESTDIR)/etc/nodogsplash/
-	cp forward_authentication_service/fas-aes/fas-aes-https.php $(DESTDIR)/etc/nodogsplash/
+	cp opennds $(DESTDIR)/usr/bin/
+	mkdir -p $(DESTDIR)/etc/opennds/htdocs/images
+	cp resources/opennds.conf $(DESTDIR)/etc/opennds/
+	cp resources/splash.html $(DESTDIR)/etc/opennds/htdocs/
+	cp resources/splash.css $(DESTDIR)/etc/opennds/htdocs/
+	cp resources/status.html $(DESTDIR)/etc/opennds/htdocs/
+	cp resources/splash.jpg $(DESTDIR)/etc/opennds/htdocs/images/
+	mkdir -p $(DESTDIR)/usr/lib/opennds
+	cp forward_authentication_service/PreAuth/demo-preauth.sh $(DESTDIR)/usr/lib/opennds/login.sh
+	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/opennds/login.sh
+	cp forward_authentication_service/libs/get_client_interface.sh $(DESTDIR)/usr/lib/opennds/
+	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/opennds/get_client_interface.sh
+	cp forward_authentication_service/libs/get_client_token.sh $(DESTDIR)/usr/lib/opennds/
+	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/opennds/get_client_token.sh
+	cp forward_authentication_service/libs/unescape.sh $(DESTDIR)/usr/lib/opennds/
+	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/opennds/unescape.sh
+	cp forward_authentication_service/libs/authmon.sh $(DESTDIR)/usr/lib/opennds/
+	sed -i 's/#!\/bin\/sh/#!\/bin\/bash/' $(DESTDIR)/usr/lib/opennds/authmon.sh
+	cp forward_authentication_service/libs/post-request.php $(DESTDIR)/usr/lib/opennds/
+	cp forward_authentication_service/fas-aes/fas-aes.php $(DESTDIR)/etc/opennds/
+	cp forward_authentication_service/fas-aes/fas-aes-https.php $(DESTDIR)/etc/opennds/
 
 
 
@@ -89,8 +89,8 @@ fixstyle: checkastyle
 
 DEBVERSION=$(shell dpkg-parsechangelog | awk -F'[ -]' '/^Version/{print($$2); exit;}' )
 deb: clean
-	mkdir -p dist/nodogsplash-$(DEBVERSION)
-	tar --exclude dist --exclude ".git*" -cf - . | (cd dist/nodogsplash-$(DEBVERSION) && tar xf -)
-	cd dist && tar cjf nodogsplash_$(DEBVERSION).orig.tar.bz2 nodogsplash-$(DEBVERSION) && cd -
-	cd dist/nodogsplash-$(DEBVERSION) && dpkg-buildpackage -us -uc && cd -
-	rm -rf dist/nodogsplash-$(DEBVERSION)
+	mkdir -p dist/opennds-$(DEBVERSION)
+	tar --exclude dist --exclude ".git*" -cf - . | (cd dist/opennds-$(DEBVERSION) && tar xf -)
+	cd dist && tar cjf opennds_$(DEBVERSION).orig.tar.bz2 opennds-$(DEBVERSION) && cd -
+	cd dist/opennds-$(DEBVERSION) && dpkg-buildpackage -us -uc && cd -
+	rm -rf dist/opennds-$(DEBVERSION)

README.md

@@ -1,53 +1,48 @@
-## 0. The Nodogsplash project
+## 0. The openNDS project
 
-Nodogsplash is a Captive Portal that offers a simple way to provide restricted access to the Internet by showing a splash page to the user before Internet access is granted.
+openNDS is a Captive Portal that offers a simple way to provide restricted access to the Internet by showing a splash page to the user before Internet access is granted.
 
 It also incorporates an API that allows the creation of sophisticated authentication applications.
 
-It was derived originally from the codebase of the Wifi Guard Dog project.
+It was derived originally from the codebase of the NoDogSplash project.
 
-Nodogsplash is released under the GNU General Public License.
+openNDS is released under the GNU General Public License.
 
-* Mailing List: http://ml.ninux.org/mailman/listinfo/nodogsplash
-* Original Homepage (no longer available): http://kokoro.ucsd.edu/nodogsplash
-* Wifidog: http://dev.wifidog.org/
-* GNU GPL: http://www.gnu.org/copyleft/gpl.html
-
-The following describes what Nodogsplash does, how to get it and run it, and
+The following describes what openNDS does, how to get it and run it, and
 how to customize its behaviour for your application.
 
 ## 1. Overview
 
-**Nodogsplash** (NDS) is a high performance, small footprint Captive Portal, offering by default a simple splash page restricted Internet connection, yet incorporates an API that allows the creation of sophisticated authentication applications.
+**openNDS** is a high performance, small footprint Captive Portal, offering by default a simple splash page restricted Internet connection, yet incorporates an API that allows the creation of sophisticated authentication applications.
 
 **Captive Portal Detection (CPD)**
 
- All modern mobile devices, most desktop operating systems and most browsers now have a CPD process that automatically issues a port 80 request on connection to a network. NDS detects this and serves a special "**splash**" web page to the connecting client device.
+ All modern mobile devices, most desktop operating systems and most browsers now have a CPD process that automatically issues a port 80 request on connection to a network. openNDS detects this and serves a special "**splash**" web page to the connecting client device.
 
 **Provide simple and immediate public Internet access**
 
- NDS provides two pre-installed methods.
+ openNDS provides two pre-installed methods.
 
  * **Click to Continue**. A simple static web page with template variables (*default*). This provides basic notification and a simple click/tap to continue button.
- * **Username/email-address login**. A simple dynamic set of web pages that provide username/email-address login, a welcome page and logs access by client users. (*Installed by default and enabled by un-commenting a line in the configuration file*)
+ * **Username/email-address login**. A simple dynamic set of web pages that provide username/email-address login, a welcome page and logs access by client users. (*Installed by default and enabled by a single entry in the configuration file*)
 
 Customising the page seen by users is a simple matter of editing the respective html or script files.
 
 **Write Your Own Captive Portal.**
 
- NDS can be used as the "Engine" behind the most sophisticated Captive Portal systems using the tools provided.
+ openNDS can be used as the "Engine" behind the most sophisticated Captive Portal systems using the tools provided.
 
- * **Forward Authentication Service (FAS)**. FAS provides pre-authentication user validation in the form of a set of dynamic web pages, typically served by a web service independent of NDS, located remotely on the Internet, on the local area network or on the NDS router.
- * **PreAuth**. A special case of FAS that runs locally on the NDS router with dynamic html served by NDS itself. This requires none of the overheads of a full FAS implementation and is ideal for NDS routers with limited RAM and Flash memory.
+ * **Forward Authentication Service (FAS)**. FAS provides pre-authentication user validation in the form of a set of dynamic web pages, typically served by a web service independent of openNDS, located remotely on the Internet, on the local area network or on the openNDS router.
+ * **PreAuth**. A special case of FAS that runs locally on the openNDS router with dynamic html served by openNDS itself. This requires none of the overheads of a full FAS implementation and is ideal for openNDS routers with limited RAM and Flash memory.
  * **BinAuth**. A method of running a post authentication script or extension program.
 
 
 ## 2. Documentation
 
-For full documentation please look at https://nodogsplashdocs.rtfd.io/
+For full documentation please look at https://openndsdocs.rtfd.io/
 
 You can select either *Stable* or *Latest* documentation.
 
 ---
 
-Email contact: nodogsplash (at) ml.ninux.org
+

resources/opennds.conf

@@ -0,0 +1,542 @@
+#
+# openNDS Configuration File
+#
+# The "#" character at the beginning of a line indicates that the whole line is a comment.
+#
+# "#" characters within a line are assumed to be part of the configured option
+#
+
+# Option: GatewayInterface
+# Default: NONE
+#
+# GatewayInterface is not autodetected, has no default, and must be set here.
+# Set GatewayInterface to the interface on your router
+# that is to be managed by openNDS.
+# Typically br-lan for the wired and wireless lan.
+#
+GatewayInterface br-lan
+
+# Login Option
+# Default: 0
+#
+# openNDS comes preconfigured for two basic modes of operation
+# A default preauth login script, requiring username and email address to be entered.
+# and
+# A default static splash page (splash.html) with template variables and click to continue
+#
+# 0: Use static splash page or FAS config options
+# 1: Use default preauth login script
+#
+# The default preauth login script is installed as part of the openNDS package providing
+# username/emailaddress login as an alternative to the basic splash page.
+#
+# It generates a login page asking for username and email address.
+# User logins are recorded in the log file /tmp/ndslog.log
+# Details of how the script works are contained in comments in the script itself.
+#
+# Both modes may be customised or a full custom system can be developed using FAS and BinAuth
+# See documentation at: https://openNDSdocs.readthedocs.io/
+#
+login_option_enabled 0
+
+# Use outdated libmicrohttpd (MHD)
+# Older versions of MHD convert & and + characters to spaces when present in form data
+# This can make a PreAuth or BinAuth impossible to use for a client if form data contains either of these characters
+# eg. in username or password
+# MHD versions earlier than 0.9.69 are detected.
+# If this option is set to 0 (default), NDS will terminate if MHD is earlier than 0.9.69
+# If this option is set to 1, NDS will start but log an error.
+use_outdated_mhd 0
+
+# MHD Unescape callback
+# MHD has a built in unescape function that urldecodes incoming queries from browsers
+# This option allows an external unescape script to be enabled
+# The script must be named unescape.sh, be present in /usr/lib/openNDS/ and be executable.
+# A standard unescape.sh script is installed by default
+# Set to 1 to enable this option, 0 to disable
+# default is disabled
+#
+unescape_callback_enabled 0
+
+# Option: WebRoot
+# Default: /etc/openNDS/htdocs
+#
+# The local path where the splash page content resides.
+
+# FirewallRuleSet: authenticated-users
+#
+# Control access for users after authentication.
+# These rules are inserted at the beginning of the
+# FORWARD chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# have authenticated with openNDS, and that are
+# destined to be routed through the router.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it.
+# If there are any rules in this ruleset, an authenticated
+# packet that does not match any rule is rejected.
+# N.B.: This ruleset is completely independent of
+# the preauthenticated-users ruleset.
+#
+FirewallRuleSet authenticated-users {
+
+# You may want to open access to a machine on a local
+# subnet that is otherwise blocked (for example, to
+# serve a redirect page; see RedirectURL).  If so,
+# allow that explicitly here, e.g:
+#  FirewallRule allow tcp port 80 to 192.168.254.254
+
+# Your router may have several interfaces, and you
+# probably want to keep them private from the GatewayInterface.
+# If so, you should block the entire subnets on those interfaces, e.g.:
+#  FirewallRule block to 192.168.0.0/16
+#  FirewallRule block to 10.0.0.0/8
+
+# Typical ports you will probably want to open up include
+# 53 udp and tcp for DNS,
+# 80 for http,
+# 443 for https,
+# 22 for ssh:
+#  FirewallRule allow tcp port 53	
+#  FirewallRule allow udp port 53	
+#  FirewallRule allow tcp port 80
+#  FirewallRule allow tcp port 443
+#  FirewallRule allow tcp port 22
+# Or for happy customers allow all
+  FirewallRule allow all
+# You might use ipset to easily allow/block range of ips, e.g.: 
+# FirewallRule allow ipset WHITELISTED_IPS
+# FirewallRule allow tcp port 80 ipset WHITELISTED_IPS
+}
+# end FirewallRuleSet authenticated-users
+
+
+# FirewallRuleSet: preauthenticated-users
+#
+# Control access for users before authentication.
+# These rules are inserted in the PREROUTING chain
+# of the router's nat table, and in the
+# FORWARD chain of the router's filter table.
+# These rules apply to packets that have come in to the 
+# router over the GatewayInterface from MAC addresses that
+# are not on the BlockedMACList or TrustedMACList,
+# are *not* authenticated with openNDS.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it. A packet that does not match 
+# any rule here is rejected.
+# N.B.: This ruleset is completely independent of
+# the authenticated-users and users-to-router rulesets.
+#
+FirewallRuleSet preauthenticated-users {
+# For preauthenticated users to resolve IP addresses in their
+# initial request not using the router itself as a DNS server.
+# Leave commented to help prevent DNS tunnelling
+#  FirewallRule allow tcp port 53	
+#  FirewallRule allow udp port 53
+#
+# For splash page content not hosted on the router, you
+# will want to allow port 80 tcp to the remote host here.
+# Doing so circumvents the usual capture and redirect of
+# any port 80 request to this remote host.
+# Note that the remote host's numerical IP address must be known
+# and used here.  
+#  FirewallRule allow tcp port 80 to 123.321.123.321
+}
+# end FirewallRuleSet preauthenticated-users
+
+
+# FirewallRuleSet: users-to-router
+#
+# Control access to the router itself from the GatewayInterface.
+# These rules are inserted at the beginning of the
+# INPUT chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# are not on the TrustedMACList, and are destined for
+# the router itself.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it. 
+# If there are any rules in this ruleset, a
+# packet that does not match any rule is rejected.
+#
+FirewallRuleSet users-to-router {
+ # openNDS automatically allows tcp to GatewayPort,
+ # at GatewayAddress, to serve the splash page.
+ # However you may want to open up other ports, e.g.
+ # 53 for DNS and 67 for DHCP if the router itself is
+ # providing these services.
+    FirewallRule allow udp port 53	
+    FirewallRule allow tcp port 53	
+    FirewallRule allow udp port 67
+ # You may want to allow ssh, http, and https to the router
+ # for administration from the GatewayInterface.  If not,
+ # comment these out.
+   FirewallRule allow tcp port 22
+   FirewallRule allow tcp port 80
+   FirewallRule allow tcp port 443
+}
+# end FirewallRuleSet users-to-router
+
+# EmptyRuleSetPolicy directives
+# The FirewallRuleSets that openNDS permits are:
+#
+# authenticated-users
+# preauthenticated-users
+# users-to-router
+# trusted-users
+# trusted-users-to-router
+#
+# For each of these, an EmptyRuleSetPolicy can be specified.
+# An EmptyRuleSet policy applies to a FirewallRuleSet if the
+# FirewallRuleSet is missing from this configuration file,
+# or if it exists but contains no FirewallRules.
+#
+# The possible values of an EmptyRuleSetPolicy are:
+# allow  -- packets are accepted
+# block  -- packets are rejected
+# passthrough -- packets are passed through to pre-existing firewall rules
+#
+# Default EmptyRuleSetPolicies are set as follows:
+# EmptyRuleSetPolicy authenticated-users passthrough
+# EmptyRuleSetPolicy preauthenticated-users block
+# EmptyRuleSetPolicy users-to-router block
+# EmptyRuleSetPolicy trusted-users allow
+# EmptyRuleSetPolicy trusted-users-to-router allow
+
+
+# GatewayName
+# Default: openNDS
+#
+# gatewayname is used as an identifier for the instance of openNDS
+#
+# It is displayed on the default static splash page and the default preauth login script.
+#
+# It is particularly useful in the case of a single remote FAS server that serves multiple
+# openNDS sites, allowing the FAS to customise its response for each site.
+#
+# Note: The single quote (or apostrophe) character ('), cannot be used in the gatewayname.
+# If it is required, use the htmlentity ' instead.
+#
+# For example:
+# GatewayName Bill's WiFi is invalid.
+# Instead use:
+# GatewayName Bill's WiFi
+#
+# GatewayName openNDS
+
+# Option: GatewayAddress
+# Default: Discovered from GatewayInterface
+#
+# This should be autodetected and need not be specified.
+# If set here, it must be set to the IP address of the router on
+# the GatewayInterface. Setting incorrectly will result in failure of openNDS.
+#
+# GatewayAddress 192.168.1.1
+
+# Option: StatusPage
+# Default: status.html
+#
+# The page the client is show if the client is already authenticated but navigates to the captive portal.
+#
+# StatusPage status.html
+
+# Option: SplashPage
+# Default: splash.html
+#
+# The page the client is redirected to if not authenticated or whitelisted.
+#
+# SplashPage splash.html
+
+# Option: RedirectURL
+# Default: none
+#
+# After authentication, normally a user is redirected 
+# to their initially requested page. 
+# If RedirectURL is set, the user is redirected to this URL instead.
+
+# NOTE: RedirectURL is deprecated.
+
+#	redirectURL is now redundant as most CPD implementations immediately close the "splash" page
+#	as soon as NDS authenticates, thus redirectURL will not be shown.
+#
+#	This functionality, ie displaying a particular web page as a final "Landing Page",
+#	can be achieved reliably using FAS, with NDS calling the previous "redirectURL" as the FAS page.
+#
+
+# Option: GatewayPort
+# Default: 2050
+#
+# openNDS's own http server uses GatewayAddress as its IP address.
+# The port it listens to at that IP can be set here; default is 2050.
+#
+# GatewayPort 2050
+
+# Option: MaxClients
+# Default: 20
+#
+# Set MaxClients to the maximum number of users allowed to 
+# connect at any time.  (Does not include users on the TrustedMACList,
+# who do not authenticate.)
+#
+  MaxClients 250
+
+# Option: SessionTimeout
+# Default: 0
+#
+# Set the default session length in minutes. A value of 0 is for
+# sessions without an end.
+#
+
+# Option: PreAuthIdleTimeout
+# Default: 10
+#
+# Set PreAuthIdleTimeout to the desired number of minutes before
+# an pre-authenticated user is automatically removed from the client list.
+#
+
+# Option: AuthIdleTimeout
+# Default: 120
+#
+# Set AuthIdleTimeout to the desired number of minutes before
+# an authenticated user is automatically 'deauthenticated'
+# and removed from the client list.
+#
+
+# Option: CheckInterval
+# Default: 30
+#
+# Interval in seconds (!) the timeouts of all clients are checked.
+#
+
+# Option: MACMechanism
+# Default: block
+#
+# Either block or allow.
+# If 'block', MAC addresses on BlockedMACList are blocked from
+# authenticating, and all others are allowed.
+# If 'allow', MAC addresses on AllowedMACList are allowed to
+# authenticate, and all other (non-trusted) MAC's are blocked.
+#
+# MACMechanism block
+
+# Option: BlockedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will be completely blocked
+# from the GatewayInterface. Ignored if MACMechanism is allow.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
+
+# Option: AllowedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will not be completely
+# blocked from the GatewayInterface. Ignored if MACMechanism is block.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# AllowedMACList 00:00:12:34:56:78
+
+# Option: TrustedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who are not subject to
+# authentication, and are not restricted by any FirewallRuleSet.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
+
+# Option: TrafficControl
+# Default: no
+#
+# Set to yes (or true or 1), to enable traffic control in openNDS.
+#
+# TrafficControl no
+
+# Option: DownloadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum download
+# speed to the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 768 kbit
+# download speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 384.
+# A value of 0 means no download limiting is done.
+#
+# DownloadLimit 384
+
+# Option: UploadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum upload
+# speed from the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 128 kbit
+# upload speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 64.
+# A value of 0 means no upload limiting is done.
+#
+# UploadLimit 64
+
+# Option: GatewayIPRange
+# Default: 0.0.0.0/0
+#
+# By setting this parameter, you can specify a range of IP addresses
+# on the GatewayInterface that will be responded to and managed by
+# openNDS.  Addresses outside this range do not have their packets
+# touched by openNDS at all.
+# Defaults to 0.0.0.0/0, that is, all addresses.
+#
+# GatewayIPRange 0.0.0.0/0
+
+# Option: DebugLevel
+# Default: 1
+# 0 : Silent (only LOG_ERR and LOG_EMERG messages will be seen, otherwise there will be no logging.)
+# 1 : LOG_ERR, LOG_EMERG, LOG_WARNING and LOG_NOTICE (this is the default level).
+# 2 : debuglevel 1 + LOG_INFO
+# 3 : debuglevel 2 + LOG_DEBUG
+# DebugLevel 1
+
+# Option: fasport
+# Default: None
+#
+# Enable Forwarding Authentication Service (FAS)
+# If set redirection is changed from splash.html to a FAS (provided by the system administrator)
+# The value is the IP port number of the FAS
+# Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used
+#
+# Typical remote Hosted Example:
+# fasport 80
+#
+# Typical Locally Hosted Example:
+# fasport 2080
+
+# Option: fasremotefqdn
+# Default: Not set
+# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
+# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
+# To prevent CPD or browser security errors NDS prepends http:// before redirection.
+# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
+# Typical Remote Shared Hosting Example:
+# fasremotefqdn onboard-wifi.net
+
+# Option: fasremoteip
+# Default: GatewayAddress (the IP of NDS)
+#
+# If set, this is the remote ip address of the FAS.
+#
+# Typical Locally Hosted example (ie fasremoteip not set):
+# fasremoteip 46.32.240.41
+
+# Option: faspath
+# Default: /
+#
+# This is the path from the FAS Web Root to the FAS login page
+# (not the file system root).
+#
+# Typical Shared Hosting example:
+# faspath '/onboard-wifi.net/nodog/fas.php'
+#
+# Typical Locally Hosted example (ie fasremoteip not set):
+# faspath /nodog/fas.php
+
+
+# Option: faskey
+# Default: not set
+# A key phrase for NDS to encrypt the query string sent to FAS
+# Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space
+#option faskey 1234567890
+
+#
+# Option: fas_secure_enabled
+# Default: 1
+#
+# ****If set to "0"****
+# the client token is sent to the FAS in clear text in the query string of the
+# redirect along with authaction and redir.
+#
+# ****If set to "1" and option faskey is NOT set****
+# authaction and the client token are not revealed and it is the responsibility
+# of the FAS to request the token from NDSCTL.
+#
+# ****If set to "1" and option faskey IS set****
+# The client token will be hashed and sent to the FAS identified as “hid” in the query string.
+# The gatewayaddress is also sent on the query string, allowing the FAS to construct the authaction parameter.
+# FAS must return the sha256sum of the concatenation of the original hid and faskey, to be used by NDS for client authentication.
+# This is returned in the normal way in the query string identified as “tok”.
+# NDS will automatically detect whether hid mode is active or the raw token is being returned.
+# Should sha256sum not be available to NDS when faskey is set, NDS will exit gracefully, logging the error in syslog.
+#
+# *****If set to 2****
+# clientip, clientmac, gatewayname, client token, gatewayaddress, authdir, originurl and clientif
+# are encrypted using faskey and passed to FAS in the query string.
+# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
+# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
+# openNDS does not depend on this package and module, but will exit gracefully
+# if this package and module are not installed when this level is set, logging the error in syslog.
+# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
+# An example FAS php script is supplied in the source code.
+#
+#fas_secure_enabled 0
+
+# PreAuth
+# PreAuth support allows FAS to call a local program or script with html served by the built in NDS web server
+# If the option is set, it points to a program/script that is called by the NDS FAS handler
+# All other FAS settings will be overidden.
+# Initially FAS appends its query string to faspath.
+# The Preauth program will output html code that will be served to the client by NDS
+# Using html GET the Preauth program may call:
+# /openNDS_preauth/ to ask the client for more information
+# or
+# /openNDS_auth/ to authenticate the client
+#
+# The Preauth program should append at least the client ip to the query string
+# (using html input type hidden) for all calls to /openNDS_preauth/
+# It must also obtain the client token (using ndsctl), for NDS authentication when calling /openNDS_auth/
+#
+#preauth /path/to/myscript/myscript.sh
+
+# Option: BinAuth
+#
+# Enable BinAuth Support.
+# If set, a program is called with several parameters on authentication (request) and deauthentication.
+#
+# Request for authentication:
+#
+# $<BinAuth> auth_client <client_mac> '<username>' '<password>'
+#
+# The username and password values may be empty strings and are URL encoded.
+# The program is expected to output the number of seconds the client
+# is to be authenticated. Zero or negative seconds will cause the authentification request
+# to be rejected. The same goes for an exit code that is not 0.
+# The output may contain a user specific download and upload limit in KBit/s:
+# <seconds> <upload> <download>
+#
+# Called on authentication or deauthentication:
+# $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
+#
+# "client_auth": Client authenticated via this script.
+# "client_deauth": Client deauthenticated by the client via splash page.
+# "idle_deauth": Client was deauthenticated because of inactivity.
+# "timeout_deauth": Client was deauthenticated because the session timed out.
+# "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
+# "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
+# "shutdown_deauth": Client was deauthenticated by openNDS terminating.
+#
+# Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
+#
+# BinAuth /bin/myauth.sh
+
+# openNDS uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
+# This mask can conflict with the requirements of other packages such as mwan3, sqm etc
+# Any values set here are interpreted as in hex format.
+#
+# Option: fw_mark_authenticated
+# Default: 30000 (0011|0000|0000|0000|0000 binary)
+#
+# Option: fw_mark_trusted
+# Default: 20000 (0010|0000|0000|0000|0000 binary)
+#
+# Option: fw_mark_blocked
+# Default: 10000 (0001|0000|0000|0000|0000 binary)
+#