| #!/bin/sh /etc/rc.common |
| # Copyright (C) 2018 Dengfeng Liu |
| |
| . /lib/functions/network.sh |
| |
| START=99 |
| |
| USE_PROCD=1 |
| PROG=/usr/bin/wifidogx |
| CONFIGFILE=/tmp/wifidogx.conf |
| |
| extra_command "status" "Print the status of the service" |
| |
| PX5G_BIN="/usr/sbin/px5g" |
| OPENSSL_BIN="/usr/bin/openssl" |
| APFREE_CERT="/etc/apfree.crt" |
| APFREE_KEY="/etc/apfree.key" |
| |
| generate_keys() { |
| local days bits country state location commonname |
| local UNIQUEID GENKEY_CMD |
| |
| # Prefer px5g for certificate generation (existence evaluated last) |
| UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom) |
| [ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes" |
| [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem" |
| [ -n "$GENKEY_CMD" ] && { |
| $GENKEY_CMD \ |
| -days "${days:-720}" -newkey rsa:"${bits:-2048}" -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \ |
| -subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}" |
| sync |
| mv "${APFREE_KEY}.new" "${APFREE_KEY}" |
| mv "${APFREE_CERT}.new" "${APFREE_CERT}" |
| } |
| } |
| |
| service_trigger() { |
| procd_add_reload_trigger "wifidogx" |
| } |
| |
| echo_firewall_rule() { |
| echo " FirewallRule $1" |
| } |
| |
| prepare_mqtt_conf() { |
| local cfg=$1 |
| local serveraddr |
| local serverport |
| |
| config_get serveraddr "$cfg" "serveraddr" |
| config_get serverport "$cfg" "serverport" |
| [ -z "${serveraddr}" ] || [ -z "${serverport}" ] && return 1 |
| |
| cat <<-EOF >>${CONFIGFILE} |
| MQTT { |
| ServerAddr ${serveraddr} |
| ServerPort ${serverport} |
| } |
| EOF |
| } |
| |
| prepare_wifidog_conf() { |
| local cfg=$1 |
| local disabled |
| local gateway_id |
| local gateway_interface |
| local auth_server_hostname |
| local auth_server_path |
| local auth_server_path_login |
| local auth_server_path_portal |
| local auth_server_path_msg |
| local auth_server_path_ping |
| local auth_server_path_auth |
| local delta_traffic |
| local check_interval |
| local client_timeout |
| local trusted_domains |
| local js_filter |
| local trusted_maclist |
| local untrusted_maclist |
| local pool_mode |
| local thread_number |
| local queue_size |
| local wired_passed |
| local trusted_iplist |
| local trusted_pan_domains |
| local proxy_port |
| local no_auth |
| local apple_cna |
| local update_domain_interval |
| local dns_timeout |
| local default_gateway_id |
| local external_interface |
| local auth_server_port |
| |
| [ -f ${CONFIGFILE} ] && rm -f ${CONFIGFILE} |
| |
| config_get disabled "${cfg}" "disabled" 1 |
| if [ "${disabled}" = "1" ]; then |
| echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2 |
| return |
| fi |
| |
| default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address) |
| |
| network_get_device external_interface wan |
| |
| config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}" |
| config_get gateway_interface "${cfg}" "gateway_interface" "br-lan" |
| config_get auth_server_hostname "${cfg}" "auth_server_hostname" |
| config_get auth_server_port "${cfg}" "auth_server_port" "80" |
| config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/" |
| config_get auth_server_path_login "${cfg}" "auth_server_path_login" |
| config_get auth_server_path_portal "${cfg}" "auth_server_path_portal" |
| config_get auth_server_path_msg "${cfg}" "auth_server_path_msg" |
| config_get auth_server_path_ping "${cfg}" "auth_server_path_ping" |
| config_get auth_server_path_auth "${cfg}" "auth_server_path_auth" |
| config_get delta_traffic "${cfg}" "delta_traffic" |
| config_get check_interval "${cfg}" "check_interval" "60" |
| config_get js_filter "${cfg}" "js_filter" 1 |
| config_get client_timeout "${cfg}" "client_timeout" "5" |
| config_get trusted_domains "${cfg}" "trusted_domains" |
| config_get trusted_maclist "${cfg}" "trusted_maclist" |
| config_get untrusted_maclist "${cfg}" "untrusted_maclist" |
| config_get pool_mode "${cfg}" "pool_mode" 0 |
| config_get thread_number "${cfg}" "thread_number" 20 |
| config_get queue_size "${cfg}" "queue_size" 200 |
| config_get wired_passed "${cfg}" "wired_passed" 1 |
| config_get trusted_iplist "${cfg}" "trusted_iplist" |
| config_get trusted_pan_domains "${cfg}" "trusted_pan_domains" |
| config_get proxy_port "${cfg}" "proxy_port" |
| config_get no_auth "${cfg}" "no_auth" |
| config_get apple_cna "${cfg}" "bypass_apple_cna" |
| config_get update_domain_interval "${cfg}" "update_domain_interval" |
| config_get dns_timeout "${cfg}" "dns_timeout" |
| |
| local set_auth_server_path_login |
| local set_auth_server_path_portal |
| local set_auth_server_path_msg |
| local set_auth_server_path_ping |
| local set_auth_server_path_auth |
| local set_delta_traffic |
| local set_trusted_maclist |
| local set_untrusted_maclist |
| local set_trusted_domains |
| local set_trusted_iplist |
| local set_trusted_pan_domains |
| local set_proxy_port |
| local set_no_auth |
| local set_firewall_rule_global |
| local set_firewall_rule_validating_users |
| local set_firewall_rule_known_users |
| local set_firewall_rule_auth_is_down |
| local set_firewall_rule_unknown_users |
| local set_firewall_rule_locked_users |
| local set_apple_cna |
| local set_update_domain_interval |
| local set_dns_timeout |
| |
| set_auth_server_path_login=$([ -n "$auth_server_path_login" ] && echo " LoginScriptPathFragment $auth_server_path_login") |
| set_auth_server_path_portal=$([ -n "$auth_server_path_portal" ] && echo " PortalScriptPathFragment $auth_server_path_portal") |
| set_auth_server_path_msg=$([ -n "$auth_server_path_msg" ] && echo " MsgScriptPathFragment $auth_server_path_msg") |
| set_auth_server_path_ping=$([ -n "$auth_server_path_ping" ] && echo " PingScriptPathFragment $auth_server_path_ping") |
| set_auth_server_path_auth=$([ -n "$auth_server_path_auth" ] && echo " AuthScriptPathFragment $auth_server_path_auth") |
| set_delta_traffic=$([ -n "$delta_traffic" ] && echo "DeltaTraffic $delta_traffic") |
| set_trusted_maclist=$([ -n "$trusted_maclist" ] && echo "TrustedMACList $trusted_maclist") |
| set_untrusted_maclist=$([ -n "$untrusted_maclist" ] && echo "UntrustedMACList $untrusted_maclist") |
| set_trusted_domains=$([ -n "$trusted_domains" ] && echo "TrustedDomains $trusted_domains") |
| set_trusted_iplist=$([ -n "$trusted_iplist" ] && echo "TrustedIpList $trusted_iplist") |
| set_trusted_pan_domains=$([ -n "$trusted_pan_domains" ] && echo "TrustedPanDomains $trusted_pan_domains") |
| set_proxy_port=$([ -n "$proxy_port" ] && echo "Proxyport $proxy_port") |
| set_no_auth=$([ -n "$no_auth" ] && echo "NoAuth $no_auth") |
| set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule) |
| set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule) |
| set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule) |
| set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule) |
| set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule) |
| set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule) |
| set_apple_cna=$([ -n "$apple_cna" ] && echo "BypassAppleCNA $apple_cna") |
| set_update_domain_interval=$([ -n "$update_domain_interval" ] && echo "UpdateDomainInterval $update_domain_interval") |
| set_dns_timeout=$([ -n "$dns_timeout" ] && echo "DNSTimeout $dns_timeout") |
| |
| cat <<-EOF >$CONFIGFILE |
| GatewayID $gateway_id |
| GatewayInterface $gateway_interface |
| Externalinterface $external_interface |
| |
| AuthServer { |
| Hostname $auth_server_hostname |
| HTTPPort $auth_server_port |
| Path $auth_server_path |
| $set_auth_server_path_login |
| $set_auth_server_path_portal |
| $set_auth_server_path_msg |
| $set_auth_server_path_ping |
| $set_auth_server_path_auth |
| } |
| |
| $set_delta_traffic |
| CheckInterval $check_interval |
| ClientTimeout $client_timeout |
| JsFilter $js_filter |
| WiredPassed $wired_passed |
| $set_trusted_domains |
| $set_untrusted_maclist |
| $set_trusted_maclist |
| $set_trusted_iplist |
| $set_trusted_pan_domains |
| $set_proxy_port |
| $set_no_auth |
| $set_apple_cna |
| $set_update_domain_interval |
| $set_dns_timeout |
| |
| FirewallRuleSet global { |
| $set_firewall_rule_global |
| } |
| |
| FirewallRuleSet validating-users { |
| $set_firewall_rule_validating_users |
| FirewallRule allow to 0.0.0.0/0 |
| } |
| |
| FirewallRuleSet known-users { |
| $set_firewall_rule_known_users |
| FirewallRule allow to 0.0.0.0/0 |
| } |
| |
| FirewallRuleSet auth-is-down { |
| $set_firewall_rule_auth_is_down |
| } |
| |
| FirewallRuleSet unknown-users { |
| $set_firewall_rule_unknown_users |
| FirewallRule allow udp port 53 |
| FirewallRule allow tcp port 53 |
| FirewallRule allow udp port 67 |
| FirewallRule allow tcp port 67 |
| } |
| |
| FirewallRuleSet locked-users { |
| $set_firewall_rule_locked_users |
| FirewallRule block to 0.0.0.0/0 |
| } |
| EOF |
| } |
| |
| init_config() { |
| config_load wifidogx |
| config_foreach prepare_wifidog_conf wifidog |
| |
| if [ ! -f ${CONFIGFILE} ]; then |
| echo "no wifidogx.conf, exit..." >&2 |
| exit |
| fi |
| |
| if [ ! -s "${APFREE_CERT}" ] || [ ! -s "${APFREE_KEY}" ]; then |
| generate_keys |
| fi |
| |
| if [ ! -s ${APFREE_KEY} ] || [ ! -s ${APFREE_CERT} ]; then |
| echo "no cert or key, exit..." >&2 |
| exit |
| fi |
| |
| config_foreach prepare_mqtt_conf mqtt |
| |
| sed -i -e '/^$/d' ${CONFIGFILE} |
| } |
| |
| start_service() { |
| init_config |
| |
| procd_open_instance |
| # -f: run in foreground |
| procd_set_param command $PROG -c $CONFIGFILE -f -d 0 |
| procd_set_param respawn # respawn automatically if something died |
| procd_set_param file $CONFIGFILE |
| procd_close_instance |
| } |
| |
| status_service() { |
| /usr/bin/wdctlx status |
| } |