#!/bin/sh /etc/rc.common
# Copyright (C) 2018 Dengfeng Liu
. /lib/functions/network.sh
# Start late in boot, after the network and firewall init scripts; the
# rendered FirewallRuleSets (see prepare_wifidog_conf) presumably rely on
# the LAN bridge and wan device already existing.
START=99
USE_PROCD=1
PROG=/usr/bin/wifidogx
# Rendered from /etc/config/wifidogx on every start (prepare_wifidog_conf).
# NOTE(review): /tmp is world-writable; root removes and recreates this file
# with a plain redirect, so confirm fs.protected_symlinks is enabled on the
# target or consider moving it under /var/run.
CONFIGFILE=/tmp/wifidogx.conf
extra_command "status" "Print the status of the service"
# Self-signed certificate generators probed by generate_keys; px5g is probed
# last and therefore wins when both are installed.
PX5G_BIN="/usr/sbin/px5g"
OPENSSL_BIN="/usr/bin/openssl"
# Certificate/key pair that init_config requires before starting the daemon;
# generated self-signed on first start when either file is missing or empty.
# Which wifidogx component consumes them is not visible in this script.
APFREE_CERT="/etc/apfree.crt"
APFREE_KEY="/etc/apfree.key"
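generate_keys() {
	# Create a self-signed certificate and private key for wifidogx when none
	# exist yet (called from init_config). px5g is preferred over openssl: both
	# paths are probed and px5g is probed last, so it wins when both exist.
	#
	# Globals read:    PX5G_BIN, OPENSSL_BIN, APFREE_CERT, APFREE_KEY
	# Globals written: the files $APFREE_KEY (mode 0600) and $APFREE_CERT (0644)
	# Returns: 0 when both files were written, 1 when no generator is available,
	#          generation produced no output, or the rename failed.
	local days bits country state location commonname
	local UNIQUEID GENKEY_CMD
	# The subject/key parameters are not read from UCI here; the ${var:-default}
	# expansions below supply the values. (Under busybox ash `local` inherits a
	# same-named global, so a caller could pre-set them; bash starts them unset.)
	UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom)
	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes"
	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem"
	if [ -z "$GENKEY_CMD" ]; then
		echo "generate_keys: neither $PX5G_BIN nor $OPENSSL_BIN is available, cannot create a certificate" >&2
		return 1
	fi
	# Generate into *.new and rename afterwards so a half-written pair never
	# sits at the final paths. The subshell confines umask 077: the private key
	# is then created unreadable to other users whatever the generator's own
	# default is. -nodes (openssl): the daemon loads the key unattended, so it
	# must not be passphrase-protected. $GENKEY_CMD is intentionally unquoted -
	# it carries the program and its options as separate words.
	(
		umask 077
		$GENKEY_CMD \
			-days "${days:-720}" -newkey rsa:"${bits:-2048}" -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \
			-subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}"
	)
	# Exit codes differ between generators, so judge by the output instead.
	if [ ! -s "${APFREE_KEY}.new" ] || [ ! -s "${APFREE_CERT}.new" ]; then
		echo "generate_keys: certificate generation with $GENKEY_CMD failed" >&2
		rm -f "${APFREE_KEY}.new" "${APFREE_CERT}.new"
		return 1
	fi
	# The certificate is public; keep it world-readable as before the umask change.
	chmod 0644 "${APFREE_CERT}.new"
	sync
	mv "${APFREE_KEY}.new" "${APFREE_KEY}" && mv "${APFREE_CERT}.new" "${APFREE_CERT}"
}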
service_trigger() {
	# Ask procd to run this script's reload when the wifidogx UCI config changes.
	local uci_config="wifidogx"
	procd_add_reload_trigger "$uci_config"
}
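echo_firewall_rule() {
	# config_list_foreach callback: render one entry of a firewall_rule_* UCI
	# list as an indented `FirewallRule` line for the config heredoc in
	# prepare_wifidog_conf. printf rather than echo so a rule containing
	# backslashes is emitted verbatim under every /bin/sh.
	#
	# Arguments: $1 - rule text as written in UCI, e.g. "allow tcp port 80"
	printf ' FirewallRule %s\n' "$1"
}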
prepare_mqtt_conf() {
	# Append an `MQTT { ... }` block for one `config mqtt` UCI section to
	# $CONFIGFILE (config_foreach callback from init_config). A section that
	# lacks either serveraddr or serverport is skipped.
	#
	# Arguments: $1 - UCI section name
	# Globals read: CONFIGFILE, the section's options via config_get
	# Returns: 1 when the section is incomplete, otherwise cat's status
	local cfg=$1
	local addr port
	config_get addr "$cfg" "serveraddr"
	config_get port "$cfg" "serverport"
	if [ -z "${addr}" ] || [ -z "${port}" ]; then
		return 1
	fi
	# Values are written verbatim; the UCI file is root-owned, no escaping here.
	cat <<-EOF >>"${CONFIGFILE}"
MQTT {
ServerAddr ${addr}
ServerPort ${port}
}
EOF
}
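prepare_wifidog_conf() {
	# Render one `config wifidog` UCI section into $CONFIGFILE in wifidogx's own
	# "Key value" / "Block { ... }" syntax. Runs as a config_foreach callback
	# from init_config; every call removes and rewrites the file, so with
	# several sections the last one wins.
	#
	# Arguments: $1 - UCI section name
	# Globals read:    CONFIGFILE; the section's options via config_get and
	#                  config_list_foreach; the wan device via
	#                  network_get_device; br-lan's MAC from sysfs as the
	#                  GatewayID fallback
	# Globals written: the file $CONFIGFILE. When the section is disabled the
	#                  file is removed and not recreated; init_config treats a
	#                  missing file as "nothing to run".
	# Returns: 0 (both after writing the file and when disabled)
	local cfg=$1
	local disabled gateway_id default_gateway_id gateway_interface external_interface
	local auth_server_hostname auth_server_port auth_server_path
	local auth_server_path_login auth_server_path_portal auth_server_path_msg
	local auth_server_path_ping auth_server_path_auth
	local delta_traffic check_interval client_timeout js_filter wired_passed
	local pool_mode thread_number queue_size
	local trusted_domains trusted_maclist untrusted_maclist
	local trusted_iplist trusted_pan_domains
	local proxy_port no_auth apple_cna update_domain_interval dns_timeout
	local set_auth_server_path_login set_auth_server_path_portal
	local set_auth_server_path_msg set_auth_server_path_ping set_auth_server_path_auth
	local set_delta_traffic set_trusted_maclist set_untrusted_maclist
	local set_trusted_domains set_trusted_iplist set_trusted_pan_domains
	local set_proxy_port set_no_auth set_apple_cna
	local set_update_domain_interval set_dns_timeout
	local set_firewall_rule_global set_firewall_rule_validating_users
	local set_firewall_rule_known_users set_firewall_rule_auth_is_down
	local set_firewall_rule_unknown_users set_firewall_rule_locked_users

	[ -f "${CONFIGFILE}" ] && rm -f "${CONFIGFILE}"

	# Disabled unless the admin opts in: an unconfigured package must not go
	# live on the LAN.
	config_get disabled "${cfg}" "disabled" 1
	if [ "${disabled}" = "1" ]; then
		echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2
		return
	fi

	# GatewayID falls back to br-lan's MAC without colons. Guarding the read
	# avoids a sed error on systems without br-lan; the fallback is then empty
	# and the warning further down reports it instead of silently emitting an
	# empty GatewayID.
	default_gateway_id=
	[ -r /sys/class/net/br-lan/address ] && default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address)
	network_get_device external_interface wan

	config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}"
	config_get gateway_interface "${cfg}" "gateway_interface" "br-lan"
	config_get auth_server_hostname "${cfg}" "auth_server_hostname"
	config_get auth_server_port "${cfg}" "auth_server_port" "80"
	config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/"
	config_get auth_server_path_login "${cfg}" "auth_server_path_login"
	config_get auth_server_path_portal "${cfg}" "auth_server_path_portal"
	config_get auth_server_path_msg "${cfg}" "auth_server_path_msg"
	config_get auth_server_path_ping "${cfg}" "auth_server_path_ping"
	config_get auth_server_path_auth "${cfg}" "auth_server_path_auth"
	config_get delta_traffic "${cfg}" "delta_traffic"
	config_get check_interval "${cfg}" "check_interval" "60"
	config_get js_filter "${cfg}" "js_filter" 1
	config_get client_timeout "${cfg}" "client_timeout" "5"
	config_get trusted_domains "${cfg}" "trusted_domains"
	config_get trusted_maclist "${cfg}" "trusted_maclist"
	config_get untrusted_maclist "${cfg}" "untrusted_maclist"
	# NOTE(review): pool_mode, thread_number and queue_size are read but never
	# rendered below - presumably meant for wifidogx options that were never
	# wired up; confirm against the daemon's config parser before removing.
	config_get pool_mode "${cfg}" "pool_mode" 0
	config_get thread_number "${cfg}" "thread_number" 20
	config_get queue_size "${cfg}" "queue_size" 200
	config_get wired_passed "${cfg}" "wired_passed" 1
	config_get trusted_iplist "${cfg}" "trusted_iplist"
	config_get trusted_pan_domains "${cfg}" "trusted_pan_domains"
	config_get proxy_port "${cfg}" "proxy_port"
	config_get no_auth "${cfg}" "no_auth"
	config_get apple_cna "${cfg}" "bypass_apple_cna"
	config_get update_domain_interval "${cfg}" "update_domain_interval"
	config_get dns_timeout "${cfg}" "dns_timeout"

	# Warn (do not abort) on the two values without which the daemon has
	# nothing sensible to work with; the file is still written as before.
	[ -n "${gateway_id}" ] || echo "wifidogx: GatewayID is empty - set gateway_id in /etc/config/wifidogx or make sure br-lan exists" >&2
	[ -n "${auth_server_hostname}" ] || echo "wifidogx: auth_server_hostname is not set in /etc/config/wifidogx" >&2

	# Optional settings become a whole line or nothing; the blank lines left by
	# empty ones are stripped by init_config afterwards.
	set_auth_server_path_login=$([ -n "$auth_server_path_login" ] && echo " LoginScriptPathFragment $auth_server_path_login")
	set_auth_server_path_portal=$([ -n "$auth_server_path_portal" ] && echo " PortalScriptPathFragment $auth_server_path_portal")
	set_auth_server_path_msg=$([ -n "$auth_server_path_msg" ] && echo " MsgScriptPathFragment $auth_server_path_msg")
	set_auth_server_path_ping=$([ -n "$auth_server_path_ping" ] && echo " PingScriptPathFragment $auth_server_path_ping")
	set_auth_server_path_auth=$([ -n "$auth_server_path_auth" ] && echo " AuthScriptPathFragment $auth_server_path_auth")
	set_delta_traffic=$([ -n "$delta_traffic" ] && echo "DeltaTraffic $delta_traffic")
	set_trusted_maclist=$([ -n "$trusted_maclist" ] && echo "TrustedMACList $trusted_maclist")
	set_untrusted_maclist=$([ -n "$untrusted_maclist" ] && echo "UntrustedMACList $untrusted_maclist")
	set_trusted_domains=$([ -n "$trusted_domains" ] && echo "TrustedDomains $trusted_domains")
	set_trusted_iplist=$([ -n "$trusted_iplist" ] && echo "TrustedIpList $trusted_iplist")
	set_trusted_pan_domains=$([ -n "$trusted_pan_domains" ] && echo "TrustedPanDomains $trusted_pan_domains")
	set_proxy_port=$([ -n "$proxy_port" ] && echo "Proxyport $proxy_port")
	set_no_auth=$([ -n "$no_auth" ] && echo "NoAuth $no_auth")
	# Each firewall_rule_* UCI list becomes one FirewallRule line per entry.
	set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule)
	set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule)
	set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule)
	set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule)
	set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule)
	set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule)
	set_apple_cna=$([ -n "$apple_cna" ] && echo "BypassAppleCNA $apple_cna")
	set_update_domain_interval=$([ -n "$update_domain_interval" ] && echo "UpdateDomainInterval $update_domain_interval")
	set_dns_timeout=$([ -n "$dns_timeout" ] && echo "DNSTimeout $dns_timeout")

	# Values are interpolated verbatim: the UCI file is root-owned, no escaping.
	# The built-in rules after the user lists keep the original policy: users
	# still validating and known users get full access, unknown users only
	# DNS (53) and DHCP (67), locked users nothing. Note that allowing port 53
	# to unknown users is what lets DNS-tunnelling bypass the portal; that is
	# inherent to this rule set, not something this script can fix.
	cat <<-EOF >"${CONFIGFILE}"
GatewayID $gateway_id
GatewayInterface $gateway_interface
Externalinterface $external_interface
AuthServer {
Hostname $auth_server_hostname
HTTPPort $auth_server_port
Path $auth_server_path
$set_auth_server_path_login
$set_auth_server_path_portal
$set_auth_server_path_msg
$set_auth_server_path_ping
$set_auth_server_path_auth
}
$set_delta_traffic
CheckInterval $check_interval
ClientTimeout $client_timeout
JsFilter $js_filter
WiredPassed $wired_passed
$set_trusted_domains
$set_untrusted_maclist
$set_trusted_maclist
$set_trusted_iplist
$set_trusted_pan_domains
$set_proxy_port
$set_no_auth
$set_apple_cna
$set_update_domain_interval
$set_dns_timeout
FirewallRuleSet global {
$set_firewall_rule_global
}
FirewallRuleSet validating-users {
$set_firewall_rule_validating_users
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
$set_firewall_rule_known_users
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet auth-is-down {
$set_firewall_rule_auth_is_down
}
FirewallRuleSet unknown-users {
$set_firewall_rule_unknown_users
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
FirewallRuleSet locked-users {
$set_firewall_rule_locked_users
FirewallRule block to 0.0.0.0/0
}
EOF
}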
# True when the certificate or the key is missing or empty (init_config helper).
apfree_keypair_missing() {
	[ ! -s "${APFREE_KEY}" ] || [ ! -s "${APFREE_CERT}" ]
}

init_config() {
	# Build $CONFIGFILE from UCI and make sure the certificate/key pair exists.
	# Exits the whole script - not just this function - when there is nothing
	# to run: no enabled wifidog section, or no usable certificate/key.
	config_load wifidogx
	config_foreach prepare_wifidog_conf wifidog
	[ -f "${CONFIGFILE}" ] || {
		echo "no wifidogx.conf, exit..." >&2
		exit
	}
	# Both files are regenerated together when either one is unusable.
	apfree_keypair_missing && generate_keys
	apfree_keypair_missing && {
		echo "no cert or key, exit..." >&2
		exit
	}
	config_foreach prepare_mqtt_conf mqtt
	# Drop the blank lines left by optional settings that were not set.
	sed -i -e '/^$/d' "${CONFIGFILE}"
}
start_service() {
	# procd entry point (rc.common's start/restart): render the config, then
	# register a single supervised wifidogx instance.
	init_config
	procd_open_instance
	# -f keeps the daemon in the foreground so procd can supervise it;
	# -d 0 is the debug level passed through unchanged.
	procd_set_param command "$PROG" -c "$CONFIGFILE" -f -d 0
	# Let procd restart the daemon (with its default thresholds) if it dies.
	procd_set_param respawn
	# procd tracks this file on reload to decide whether a restart is needed.
	procd_set_param file "$CONFIGFILE"
	procd_close_instance
}
status_service() {
	# `status` (registered via extra_command above) delegates to the wifidogx
	# control client instead of procd's generic running/not-running answer.
	local wdctl=/usr/bin/wdctlx
	"$wdctl" status
}