Пример #1
/**
 * Reconcile the WAN users chain with the entries held in the database.
 *
 * Entries returned by iptablesGetWanUsers() that iptablesGetDbWanUsers() does
 * not return are queued for removal; entries known only to the database are
 * queued for addition; for an entry present in both, one removal is queued per
 * surplus copy found in the chain. Elements [0] and [1] of each entry are
 * passed to iptablesAddWanUser() / iptablesRemoveWanUser() (presumably source
 * IP and proxy port -- confirm against those helpers).
 *
 * NOTE(review): membership tests use PHP's loose comparison (in_array() and
 * array_keys() without the strict flag), so "3128" and 3128 count as equal.
 * NOTE(review): additions are applied before removals, so entries that are no
 * longer in the database stay in the chain until the final loop runs; the
 * helpers' results are not checked, so a failed removal goes unnoticed here.
 * NOTE(review): a repeated database entry would queue its surplus removals
 * once per repetition -- assumes iptablesGetDbWanUsers() returns distinct rows.
 */
function iptablesUpdateWanUsersChain()
{
    $chainEntries = iptablesGetWanUsers();
    $dbEntries = iptablesGetDbWanUsers();
    $additions = array();
    $removals = array();

    // First pass: anything in the chain that the database no longer lists is stale.
    foreach ($chainEntries as $entry) {
        if (in_array($entry, $dbEntries)) {
            continue;
        }
        $removals[] = $entry;
    }

    // Second pass: count how often each database entry occurs in the chain.
    foreach ($dbEntries as $entry) {
        $occurrences = count(array_keys($chainEntries, $entry));
        if ($occurrences === 0) {
            // Not in the chain yet.
            $additions[] = $entry;
            continue;
        }
        // Already present: every copy beyond the first is a duplicate to drop.
        for ($surplus = $occurrences - 1; $surplus > 0; $surplus--) {
            $removals[] = $entry;
        }
    }

    foreach ($additions as $entry) {
        iptablesAddWanUser($entry[0], $entry[1]);
    }

    foreach ($removals as $entry) {
        iptablesRemoveWanUser($entry[0], $entry[1]);
    }
}
Пример #2
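 // Authorise a new WAN session when none exists for this device, otherwise renew it.
 if (is_null($sessionId)) {
     // no session, but a matching device record was found, so we're ready to authorise a new session
     $usedPorts = explode(",", $usedPorts);
     // first, identify a spare port
     // Relies on $proxyPort being null on entry (initialised outside this excerpt -- confirm).
     // Loose comparison is kept: $usedPorts holds strings after explode(), while the
     // type of the configured ports is not visible here.
     foreach ($SQUID_WAN_PORTS as $port) {
         if (!in_array($port, $usedPorts)) {
             $proxyPort = $port;
             break;
         }
     }
     if (is_null($proxyPort)) {
         releaseLock();
         exit("No spare WAN ports for this IP address.");
     }
     // Every value that reaches the SQL text is now neutralised: the source address is
     // escaped like the other string fields, and the port is forced to an integer because
     // it is emitted unquoted. For well-formed values the statement is unchanged.
     // NOTE(review): where $srcIP comes from is not visible in this excerpt. If it can be
     // influenced by the client (for example a forwarded-for header), validate it as an IP
     // address where it is assigned, since it is also handed to iptablesAddWanUser() below.
     $insertSql = "insert into wan_sessions (username, serial_number, ip_address, proxy_port, auth_time_utc, expiry_time_utc)\n"
         . "values ('" . $conn->escape_string($username) . "', '" . $conn->escape_string($serialNumber) . "', '"
         . $conn->escape_string($srcIP) . "', " . (int) $proxyPort
         . ", UTC_TIMESTAMP(), ADDTIME(UTC_TIMESTAMP(), '" . SQUID_WAN_SESSION_DURATION . "'))";
     if ($conn->query($insertSql)) {
         // The firewall entry is added only after the session row was stored.
         iptablesAddWanUser($srcIP, $proxyPort);
     } else {
         releaseLock();
         exit("Error creating session.");
     }
 } else {
     renewWanSession($sessionId, $conn);
 }
 releaseLock();
 // check that our user is active, and hand out a custom PAC if required
 // NOTE(review): this check runs after the session row and the iptables entry were
 // created above. Unless an earlier check exists outside this excerpt, an inactive
 // user keeps that entry for the session duration -- consider checking before the insert.
 $userGroups = getUserGroups($username, true, false);
 // if $userGroups === FALSE, the user is inactive (or we encountered an LDAP error)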
 if (is_array($userGroups)) {
     $pacFile = SQUID_ROOT . "/pac.wan.js";
     $subs["{PORT}"] = $proxyPort;
     foreach ($userGroups as $userGroup) {