
  1. #!/bin/sh /etc/rc.common
  2. # Copyright (C) 2018 Dengfeng Liu
  3. . /lib/functions/network.sh
  4. START=99
  5. USE_PROCD=1
  6. PROG=/usr/bin/wifidogx
  7. CONFIGFILE=/tmp/wifidog.conf
  8. EXTRA_COMMANDS="status"
  9. EXTRA_HELP=" status Print the status of the service"
  10. PX5G_BIN="/usr/sbin/px5g"
  11. OPENSSL_BIN="/usr/bin/openssl"
  12. APFREE_CERT="/etc/apfree.crt"
  13. APFREE_KEY="/etc/apfree.key"
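#######################################
# Create a self-signed certificate and private key at APFREE_CERT/APFREE_KEY.
# Globals:   PX5G_BIN, OPENSSL_BIN (read), APFREE_CERT, APFREE_KEY (written)
# Arguments: none
# Returns:   0 when both files were written, non-zero when no generator is
#            installed or generation failed (no partial files are left behind)
#######################################
generate_keys() {
	# Never assigned here, so the ${var:-default} expansions below always
	# take their defaults; kept for parity with the OpenWrt uhttpd helper.
	local days bits country state location commonname
	local UNIQUEID GENKEY_CMD
	# Prefer px5g for certificate generation (existence evaluated last)
	UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom)
	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes"
	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem"
	[ -n "$GENKEY_CMD" ] || return 1
	# Generate under a restrictive umask so the private key is not readable by
	# other users at any point, including while it exists under the .new name.
	# The subshell keeps the umask change local to this step.
	# shellcheck disable=SC2086 -- GENKEY_CMD deliberately holds a command plus options
	(
		umask 077
		$GENKEY_CMD \
			-days "${days:-720}" -newkey rsa:"${bits:-2048}" \
			-keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \
			-subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}"
	) || {
		rm -f -- "${APFREE_KEY}.new" "${APFREE_CERT}.new"
		return 1
	}
	# Key stays owner-only; the certificate is public data and may be read by anyone.
	chmod 0600 "${APFREE_KEY}.new"
	chmod 0644 "${APFREE_CERT}.new"
	sync
	mv "${APFREE_KEY}.new" "${APFREE_KEY}"
	mv "${APFREE_CERT}.new" "${APFREE_CERT}"
}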
# Ask procd to reload this service whenever its UCI config changes.
service_trigger() {
	local uci_config=wifidogx
	procd_add_reload_trigger "$uci_config"
}
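#######################################
# config_list_foreach callback: print one FirewallRule line for a list entry.
# Arguments: $1 - rule text as stored in UCI (e.g. "allow tcp port 80")
# Outputs:   " FirewallRule <rule>" on stdout (leading space is intentional,
#            it indents the rule inside its FirewallRuleSet block)
#######################################
echo_firewall_rule() {
	# printf rather than echo: the rule text is data, and some /bin/sh
	# implementations make echo interpret backslash sequences in it.
	printf ' FirewallRule %s\n' "$1"
}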
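#######################################
# config_foreach callback: append one MQTT block for a UCI 'mqtt' section.
# Globals:   CONFIGFILE (appended to)
# Arguments: $1 - UCI section name
# Returns:   1 without writing anything when serveraddr or serverport is unset
#######################################
prepare_mqtt_conf() {
	local cfg=$1
	local serveraddr serverport
	config_get serveraddr "$cfg" "serveraddr"
	config_get serverport "$cfg" "serverport"
	# Both fields are required; two tests joined with || instead of the
	# obsolescent `-o` operator of test(1).
	if [ -z "${serveraddr}" ] || [ -z "${serverport}" ]; then
		return 1
	fi
	# <<- strips the leading tabs, so the block is written flush left.
	cat <<-EOF >>"${CONFIGFILE}"
	MQTT {
		ServerAddr ${serveraddr}
		ServerPort ${serverport}
	}
	EOF
}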
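#######################################
# Print "<Key> <value>" when value is non-empty, nothing otherwise, so an
# optional directive can be dropped into the config template unconditionally.
# The blank line an absent value leaves behind is stripped by init_config.
# Arguments: $1 - directive name (may carry a leading space for indentation)
#            $2 - value, possibly empty
#######################################
_conf_opt() {
	[ -n "$2" ] || return 0
	printf '%s %s\n' "$1" "$2"
}

#######################################
# config_foreach callback: render one UCI 'wifidog' section into CONFIGFILE.
# Globals:   CONFIGFILE (removed, then rewritten from scratch)
# Arguments: $1 - UCI section name
# Returns:   non-zero, with CONFIGFILE removed, when the section is not enabled
#######################################
prepare_wifidog_conf() {
	local cfg=$1
	local enable gateway_id gateway_interface
	local auth_server_hostname auth_server_port auth_server_path
	local auth_server_path_login auth_server_path_portal auth_server_path_msg
	local auth_server_path_ping auth_server_path_auth
	local delta_traffic check_interval client_timeout httpd_max_conn
	local trusted_domains js_filter trusted_maclist untrusted_maclist
	local pool_mode thread_number queue_size wired_passed
	local trusted_iplist trusted_pan_domains proxy_port no_auth apple_cna
	local update_domain_interval dns_timeout
	local default_gateway_id external_interface
	# Every section starts from a clean slate, so with several 'wifidog'
	# sections only the last enabled one ends up in the file.
	rm -f -- "${CONFIGFILE}"
	config_get enable "${cfg}" "enable" 0
	[ "${enable}" = "1" ] || return
	# Default GatewayID is the br-lan MAC without colons; it is empty (and sed
	# complains on stderr) when br-lan does not exist and no gateway_id is set.
	default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address)
	network_get_device external_interface wan
	config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}"
	config_get gateway_interface "${cfg}" "gateway_interface" "br-lan"
	config_get auth_server_hostname "${cfg}" "auth_server_hostname"
	config_get auth_server_port "${cfg}" "auth_server_port" "80"
	config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/"
	config_get auth_server_path_login "${cfg}" "auth_server_path_login"
	config_get auth_server_path_portal "${cfg}" "auth_server_path_portal"
	config_get auth_server_path_msg "${cfg}" "auth_server_path_msg"
	config_get auth_server_path_ping "${cfg}" "auth_server_path_ping"
	config_get auth_server_path_auth "${cfg}" "auth_server_path_auth"
	config_get delta_traffic "${cfg}" "delta_traffic"
	config_get check_interval "${cfg}" "check_interval" "60"
	config_get js_filter "${cfg}" "js_filter" 1
	config_get client_timeout "${cfg}" "client_timeout" "5"
	config_get httpd_max_conn "${cfg}" "httpd_max_conn" "200"
	config_get trusted_domains "${cfg}" "trusted_domains"
	config_get trusted_maclist "${cfg}" "trusted_maclist"
	config_get untrusted_maclist "${cfg}" "untrusted_maclist"
	config_get pool_mode "${cfg}" "pool_mode" 0
	config_get thread_number "${cfg}" "thread_number" 20
	config_get queue_size "${cfg}" "queue_size" 200
	config_get wired_passed "${cfg}" "wired_passed" 1
	config_get trusted_iplist "${cfg}" "trusted_iplist"
	config_get trusted_pan_domains "${cfg}" "trusted_pan_domains"
	config_get proxy_port "${cfg}" "proxy_port"
	config_get no_auth "${cfg}" "no_auth"
	config_get apple_cna "${cfg}" "bypass_apple_cna"
	config_get update_domain_interval "${cfg}" "update_domain_interval"
	config_get dns_timeout "${cfg}" "dns_timeout"
	# Optional directives: each expands to a line only when configured.
	local set_auth_server_path_login set_auth_server_path_portal
	local set_auth_server_path_msg set_auth_server_path_ping set_auth_server_path_auth
	local set_delta_traffic set_trusted_maclist set_untrusted_maclist
	local set_trusted_domains set_trusted_iplist set_trusted_pan_domains
	local set_proxy_port set_no_auth set_apple_cna
	local set_update_domain_interval set_dns_timeout
	local set_firewall_rule_global set_firewall_rule_validating_users
	local set_firewall_rule_known_users set_firewall_rule_auth_is_down
	local set_firewall_rule_unknown_users set_firewall_rule_locked_users
	set_auth_server_path_login=$(_conf_opt " LoginScriptPathFragment" "$auth_server_path_login")
	set_auth_server_path_portal=$(_conf_opt " PortalScriptPathFragment" "$auth_server_path_portal")
	set_auth_server_path_msg=$(_conf_opt " MsgScriptPathFragment" "$auth_server_path_msg")
	set_auth_server_path_ping=$(_conf_opt " PingScriptPathFragment" "$auth_server_path_ping")
	set_auth_server_path_auth=$(_conf_opt " AuthScriptPathFragment" "$auth_server_path_auth")
	set_delta_traffic=$(_conf_opt "DeltaTraffic" "$delta_traffic")
	set_trusted_maclist=$(_conf_opt "TrustedMACList" "$trusted_maclist")
	set_untrusted_maclist=$(_conf_opt "UntrustedMACList" "$untrusted_maclist")
	set_trusted_domains=$(_conf_opt "TrustedDomains" "$trusted_domains")
	set_trusted_iplist=$(_conf_opt "TrustedIpList" "$trusted_iplist")
	set_trusted_pan_domains=$(_conf_opt "TrustedPanDomains" "$trusted_pan_domains")
	set_proxy_port=$(_conf_opt "Proxyport" "$proxy_port")
	set_no_auth=$(_conf_opt "NoAuth" "$no_auth")
	set_apple_cna=$(_conf_opt "BypassAppleCNA" "$apple_cna")
	set_update_domain_interval=$(_conf_opt "UpdateDomainInterval" "$update_domain_interval")
	set_dns_timeout=$(_conf_opt "DNSTimeout" "$dns_timeout")
	# Per-ruleset extra rules from UCI lists, one FirewallRule line per entry.
	set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule)
	set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule)
	set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule)
	set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule)
	set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule)
	set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule)
	# Built-in policy in the template below: validating/known users get full
	# access after the UCI rules; unknown (unauthenticated) users may only
	# reach DNS (53) and DHCP (67) so they can obtain a lease and resolve the
	# portal; locked users are blocked. Leaving DNS open pre-auth is the usual
	# captive-portal trade-off; whether DNS tunnelling matters here depends on
	# the deployment. <<- strips the leading tabs from every template line.
	cat <<-EOF >"${CONFIGFILE}"
	GatewayID $gateway_id
	GatewayInterface $gateway_interface
	Externalinterface $external_interface
	AuthServer {
		Hostname $auth_server_hostname
		HTTPPort $auth_server_port
		Path $auth_server_path
		$set_auth_server_path_login
		$set_auth_server_path_portal
		$set_auth_server_path_msg
		$set_auth_server_path_ping
		$set_auth_server_path_auth
	}
	$set_delta_traffic
	CheckInterval $check_interval
	ClientTimeout $client_timeout
	JsFilter $js_filter
	WiredPassed $wired_passed
	HTTPDMaxConn $httpd_max_conn
	PoolMode $pool_mode
	ThreadNumber $thread_number
	QueueSize $queue_size
	$set_trusted_domains
	$set_untrusted_maclist
	$set_trusted_maclist
	$set_trusted_iplist
	$set_trusted_pan_domains
	$set_proxy_port
	$set_no_auth
	$set_apple_cna
	$set_update_domain_interval
	$set_dns_timeout
	FirewallRuleSet global {
		$set_firewall_rule_global
	}
	FirewallRuleSet validating-users {
		$set_firewall_rule_validating_users
		FirewallRule allow to 0.0.0.0/0
	}
	FirewallRuleSet known-users {
		$set_firewall_rule_known_users
		FirewallRule allow to 0.0.0.0/0
	}
	FirewallRuleSet auth-is-down {
		$set_firewall_rule_auth_is_down
	}
	FirewallRuleSet unknown-users {
		$set_firewall_rule_unknown_users
		FirewallRule allow udp port 53
		FirewallRule allow tcp port 53
		FirewallRule allow udp port 67
		FirewallRule allow tcp port 67
	}
	FirewallRuleSet locked-users {
		$set_firewall_rule_locked_users
		FirewallRule block to 0.0.0.0/0
	}
	EOF
}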
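#######################################
# Build CONFIGFILE from UCI and make sure the TLS key pair exists.
# Globals:   CONFIGFILE, APFREE_CERT, APFREE_KEY
# Arguments: none
# Outputs:   diagnostics on stderr
# Exits:     with status 1 (after `stop`) when there is nothing to run or the
#            key pair could not be produced; the original exited with 0 here,
#            which made a failed start look successful to the caller
#######################################
init_config() {
	config_load wifidogx
	config_foreach prepare_wifidog_conf wifidog
	# prepare_wifidog_conf only leaves a file behind for an enabled section.
	if [ ! -f "${CONFIGFILE}" ]; then
		echo "no wifidog.conf, exit..." >&2
		stop
		exit 1
	fi
	# Generate the self-signed pair only when it is missing; the files are
	# kept under /etc so this normally happens once.
	if [ ! -s "${APFREE_CERT}" ] || [ ! -s "${APFREE_KEY}" ]; then
		generate_keys
	fi
	if [ ! -s "${APFREE_KEY}" ] || [ ! -s "${APFREE_CERT}" ]; then
		echo "no cert or key, exit..." >&2
		stop
		exit 1
	fi
	config_foreach prepare_mqtt_conf mqtt
	# Optional directives that were not configured left blank lines behind.
	sed -i -e '/^$/d' "${CONFIGFILE}"
}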
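#######################################
# procd entry point: render the config, then register the daemon instance.
# Globals:   PROG, CONFIGFILE (read)
# Arguments: none
#######################################
start_service() {
	init_config
	procd_open_instance
	# -f: run in foreground so procd can supervise it
	# -d 0: presumably the lowest debug/verbosity level -- confirm against wifidogx usage
	procd_set_param command "$PROG" -c "$CONFIGFILE" -f -d 0
	procd_set_param respawn # respawn automatically if something died
	# Restart the instance when the rendered config changes on reload.
	procd_set_param file "$CONFIGFILE"
	procd_close_instance
}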
# EXTRA_COMMANDS entry: delegate to the control client, passing its output
# and exit status straight through.
status() {
	local wdctl=/usr/bin/wdctlx
	"$wdctl" status
}