To Do

  • write base access code (pull from capit-mini probably) done
  • split access code into bandwidthprofile and grant sections (probably long…) done
  • start basic grant code, use static auths and static structs, etc done
  • write config code done
    • allow passing config values from the command line (eg. --main.if_up=eth0) done
  • access - move captive code to FORWARD chain done
  • write access/acct code, add to grants
  • write aaa boilerplate done
  • write captive portal socket API for separate portal code
  • write captive portal into access code
  • flesh out minimum captive portal w/ login, etc
  • write static internal user auth
  • write dynamic internal user auth (SQL, flat-file, etc)
  • write URL filter
  • write traffic typing/prioritizing code into access/AAA
  • write licensing code done
    • add checks to main code (probably mostly AAA prims)
  • mock up an admin GUI
  • modularize aaa/access implementations
  • move from a function-calling model to a message-passing model
  • add a socket API to externally get status, drop grants, possibly IMAC users, etc
  • eventually switch to a ucontext-based fibre model
  • add watchdog (monit)
  • make into an installable package
  • get package upgradeable
  • make an installable distribution
  • ???
  • write WAN load balancing
  • include clustering (esp. failover)
  • profit


  • fix profile/grant module code to use static memory when possible for private data
  • fix signal handling to make it thread/signal safe (eg. multiple signals won't screw up queues)
    • fix deinit code to unregister all functions/uncapture all signals
  • fix all code to make it thread safe (mostly structure access)
  • make main loop threaded (eventually)
  • capture HTTP, HTTP/S, DNS
  • dynamic signal capture (capture on first registration, uncapture on last)
  • split config code properly (defaults, config file, cmdline overrides) done

For the kernel module, hook into netfilter at prerouting for incoming packets (classify and set connmark) and at postrouting for outgoing packets (check connmark). This will allow for a user-space HTTP proxy, etc. if required.

  • See Kerio Control kipf code
  • will need to capture right after GSO (to do VLAN/MPLS matching) and release right before GSO (for VLAN/MPLS setting)

Features covered by CapIT

  • access control
  • IP addressing (incl. IPv4 DHCP[c/s]/static, IPv6 RA/DHCP[c/s]/SLAAC/6rd(4rd)/DS-Lite/6in4/6to4/static)
    • also needs to handle hotplugs etc
    • DDNS updating
    • for IPv4 WAN: static, DHCP, PPPoE, PPTP, L2TP, 3G stick, 4rd
    • for IPv6 WAN: RA/SLAAC, DHCP, 6rd, DS-Lite, 6in4, 6to4, static
  • IP routing/NATing (RFC 1812, 6434, 6888, 7084) (see 7526 re 6to4)
  • local wifi (AP/client mode; SSID, auth, etc)
  • bridging/brouting
  • DNS proxying
  • URL logging/blocking
  • NTP
  • software upgrade
  • cloud upload/control (eventually)
  • automatic license download

not fully covered

  • AutoSSH reverse-proxy
  • Logging
  • semi-WLC for Netgear, Cisco (eg. SSID and passphrase update, maybe forced roaming)

Error/Bug reporting

  • last 24 hours full log (possibly debug)
  • all relevant config files
  • dump of current running config
  • possibly license file
  • dmesg
  • syslog/messages
  • uname/hw info
bugs.txt · Last modified: 2016/03/07 06:16 by joel