From 45e0e2a0b96c1f0268a71d50d8ead2d109cfa113 Mon Sep 17 00:00:00 2001
From: Imre Kaloz
Date: Tue, 28 Apr 2015 15:08:15 +0200
Subject: [PATCH] coova-chilli: add uci configuration file, init.d and firewall script

---
 net/coova-chilli/Makefile | 10 +-
 net/coova-chilli/files/chilli.config | 230 +++++++++++++++++++++++++
 net/coova-chilli/files/chilli.firewall | 41 +++++
 net/coova-chilli/files/chilli.init | 61 +++++++
 4 files changed, 340 insertions(+), 2 deletions(-)
 create mode 100644 net/coova-chilli/files/chilli.config
 create mode 100644 net/coova-chilli/files/chilli.firewall
 create mode 100644 net/coova-chilli/files/chilli.init

diff --git a/net/coova-chilli/Makefile b/net/coova-chilli/Makefile
index e6be63756..0930a929a 100644
--- a/net/coova-chilli/Makefile
+++ b/net/coova-chilli/Makefile
@@ -12,7 +12,7 @@ PKG_VERSION:=1.3.0+20141128
 PKG_MAINTAINER:=Imre Kaloz
 PKG_LICENSE:=GPL-2.0+
 PKG_LICENSE_FILES:=COPYING
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=git://github.com/coova/coova-chilli
@@ -120,7 +120,7 @@ define Build/Configure
 endef
 
 define Package/coova-chilli/conffiles
-/etc/chilli.conf
+/etc/config/chilli
 endef
 
 define Package/coova-chilli/install
@@ -136,6 +136,12 @@ define Package/coova-chilli/install
 $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so.* $(1)/usr/lib/
 $(INSTALL_DIR) $(1)/usr/lib/iptables
 $(CP) $(PKG_INSTALL_DIR)/usr/iptables/lib*.so $(1)/usr/lib/iptables
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) files/chilli.init $(1)/etc/init.d/chilli
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DATA) files/chilli.config $(1)/etc/config/chilli
+ $(INSTALL_DIR) $(1)/lib/firewall
+ $(CP) files/chilli.firewall $(1)/lib/firewall/chilli.sh
 endef
 
 $(eval $(call BuildPackage,coova-chilli))
diff --git a/net/coova-chilli/files/chilli.config b/net/coova-chilli/files/chilli.config
new file mode 100644
index 000000000..6aa98373d
--- /dev/null
+++ b/net/coova-chilli/files/chilli.config
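Review bot: The last added line of the install hunk copies the firewall include with `$(CP)` while the two files added just above it use `$(INSTALL_BIN)` and `$(INSTALL_DATA)`, so its installed mode is whatever the file happens to have in the source tree rather than a known value; `$(INSTALL_DATA) files/chilli.firewall $(1)/lib/firewall/chilli.sh` keeps the recipe consistent, and data mode is enough since the file only defines callbacks and is presumably sourced by the firewall framework. The conffiles hunk replaces `/etc/chilli.conf` with `/etc/config/chilli`; whether `/etc/chilli.conf` is still installed earlier in the same recipe is outside this hunk, and if it is, it should either stay listed as a conffile or be dropped from the install.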
@@ -0,0 +1,230 @@
+#
+# Sample Coova-Chilli configuration file
+#
+
+config chilli
+ # disable to running chilli. remove this option before running.
+ option disabled 1
+
+ # name of TUN device name. required.
+ option tundev 'tun0'
+
+ # Include this flag if process is to run in the foreground
+ #option fg
+
+ # Include this flag to include debug information.
+ #option debug 9
+
+ # Re-read configuration file at this interval. Will also cause new domain
+ # name lookups to be performed. Value is given in seconds.
+ #option interval 3600
+
+ # File to store information about the process id of the program.
+ # The program must have write access to this file/directory.
+ #option pidfile /var/run/chilli.pid
+
+ # Directory to use for nonvolatile storage.
+ # The program must have write access to this directory.
+ # this option is currently ignored
+ #option statedir ./
+
+
+ # TUN parameters
+
+ # IP network address of external packet data network
+ # Used to allocate dynamic IP addresses and set up routing.
+ # Normally you do not need to uncomment this option.
+ #option net 192.168.182.0/24
+
+ # Dynamic IP address pool
+ # Used to allocate dynamic IP addresses to clients.
+ # If not set it defaults to the net tag.
+ # Do not uncomment this option unless you are an experienced user!
+ #option dynip 192.168.182.0/24
+
+ # Static IP address pool
+ # Used to allocate static IP addresses to clients.
+ # Do not uncomment this option unless you are an experienced user!
+ #option statip 192.168.182.0/24
+
+
+ # Primary DNS server.
+ # Will be suggested to the client.
+ # If omitted the system default will be used.
+ # Normally you do not need to uncomment this option.
+ #option dns1 172.16.0.5
+
+ # Secondary DNS server.
+ # Will be suggested to the client.
+ # If omitted the system default will be used.
+ # Normally you do not need to uncomment this option.
+ #option dns2 172.16.0.6
+
+ # Domain name
+ # Will be suggested to the client.
+ # Normally you do not need to uncomment this option.
+ #option domain key.chillispot.org
+
+ # Script executed after network interface has been brought up.
+ # Executed with the following parameters:
+ #
+ # Normally you do not need to uncomment this option.
+ #option ipup /etc/chilli.ipup
+
+ # Script executed after network interface has been taken down.
+ # Executed with the following parameters:
+ #
+ # Normally you do not need to uncomment this option.
+ #option ipdown /etc/chilli.ipdown
+
+
+ # Radius parameters
+
+ # IP address to listen to
+ # Normally you do not need to uncomment this option.
+ #option radiuslisten 127.0.0.1
+
+ # IP address of radius server 1
+ # For most installations you need to modify this option.
+ radiusserver1 rad01.chillispot.org
+
+ # IP address of radius server 2
+ # If you have only one radius server you should set radiusserver2 to the
+ # same value as radiusserver1.
+ # For most installations you need to modify this option.
+ radiusserver2 rad02.chillispot.org
+
+ # Radius authentication port
+ # The UDP port number to use for radius authentication requests.
+ # The same port number is used for both radiusserver1 and radiusserver2.
+ # Normally you do not need to uncomment this option.
+ #option radiusauthport 1812
+
+ # Radius accounting port
+ # The UDP port number to use for radius accounting requests.
+ # The same port number is used for both radiusserver1 and radiusserver2.
+ # Normally you do not need to uncomment this option.
+ #option radiusacctport 1813
+
+ # Radius shared secret for both servers
+ # For all installations you should modify this option.
+ #option radiussecret testing123
+
+ # Radius NAS-Identifier
+ # Normally you do not need to uncomment this option.
+ #option radiusnasid nas01
+
+ # WISPr Location ID. Should be in the format: isocc=,
+ # cc=,ac=,network=
+ # Normally you do not need to uncomment this option.
+ #option radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
+
+ # WISPr Location Name. Should be in the format:
+ # ,
+ # Normally you do not need to uncomment this option.
+ #option radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
+
+
+ # Radius proxy parameters
+
+ # IP address to listen to
+ # Normally you do not need to uncomment this option.
+ #option proxylisten 10.0.0.1
+
+ # UDP port to listen to.
+ # If not specified a port will be selected by the system
+ # Normally you do not need to uncomment this option.
+ #option proxyport 1645
+
+ # Client(s) from which we accept radius requests
+ # Normally you do not need to uncomment this option.
+ #option proxyclient 10.0.0.1/24
+
+ # Radius proxy shared secret for all clients
+ # If not specified defaults to radiussecret
+ # Normally you do not need to uncomment this option.
+ #option proxysecret testing123
+
+
+ # DHCP Parameters
+
+ # Ethernet interface to listen to.
+ # This is the network interface which is connected to the access points.
+ # In a typical configuration this option should be set to eth1.
+ dhcpif eth1
+
+ # Use specified MAC address.
+ # An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
+ # within the IANA range of addresses and is not allocated for other
+ # purposes.
+ # Normally you do not need to uncomment this option.
+ #option dhcpmac 00:00:5E:00:02:00
+
+ # Time before DHCP lease expires
+ # Normally you do not need to uncomment this option.
+ #option lease 600
+
+
+ # Universal access method (UAM) parameters
+
+ # URL of web server handling authentication.
+ uamserver https://radius.chillispot.org/hotspotlogin
+
+ # URL of welcome homepage.
+ # Unauthenticated users will be redirected to this URL. If not specified
+ # users will be redirected to the uamserver instead.
+ # Normally you do not need to uncomment this option.
+ #option uamhomepage http://192.168.182.1/welcome.html
+
+ # Shared between chilli and authentication web server
+ #option uamsecret ht2eb8ej6s4et3rg1ulp
+
+ # IP address to listen to for authentication requests
+ # Do not uncomment this option unless you are an experienced user!
+ #option uamlisten 192.168.182.1
+
+ # TCP port to listen to for authentication requests
+ # Do not uncomment this option unless you are an experienced user!
+ #option uamport 3990
+
+ # Comma separated list of domain names, IP addresses or network segments
+ # the client can access without first authenticating.
+ # It is possible to specify this option multiple times.
+ # Normally you do not need to uncomment this option.
+ #option uamallowed www.chillispot.org,10.11.12.0/24
+
+ # Comma separated list of domain names
+ # the client can access without first authenticating.
+ # It is possible to specify this option multiple times.
+ # Normally you do not need to uncomment this option.
+ #option uamdomain .chillispot.org,.coova.org
+
+ # If this flag is given unauthenticated users are allowed to use
+ # any DNS server.
+ # Normally you do not need to uncomment this option.
+ #option uamanydns
+
+
+ # MAC authentication
+
+ # If this flag is given users will be authenticated only on their MAC
+ # address.
+ # Normally you do not need to uncomment this option.
+ #option macauth
+
+ # List of MAC addresses.
+ # The MAC addresses specified in this list will be authenticated only on
+ # their MAC address.
+ # this option is ignored if the macauth tag is given.
+ # It is possible to specify this option multiple times.
+ # Normally you do not need to uncomment this option.
+ #option macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9
+
+ # Password to use for MAC authentication.
+ # Normally you do not need to uncomment this option.
+ #option macpasswd password
+
+ # Suffix to add to MAC address in order to form the username.
+ # Normally you do not need to uncomment this option.
+ #option macsuffix suffix
+
diff --git a/net/coova-chilli/files/chilli.firewall b/net/coova-chilli/files/chilli.firewall
new file mode 100644
index 000000000..a5b1d001e
--- /dev/null
+++ b/net/coova-chilli/files/chilli.firewall
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+chilli_firewall() {
+ local cfg="$1"
+
+ local network ifname tun
+
+ config_get network "$cfg" network
+
+ . /lib/functions/network.sh
+ network_get_device ifname ${network:-lan}
+
+ if [ "$ifname" = "" ]
+ then
+ config_get ifname "$cfg" dhcpif
+ fi
+
+ config_get tun "$cfg" tundev
+
+ for n in ACCEPT DROP REJECT
+ do
+ iptables -F zone_${network}_${n}
+ iptables -I zone_${network}_${n} -i $tun -j $n
+ iptables -I zone_${network}_${n} -o $tun -j $n
+ done
+
+ iptables -D forward -i ${ifname} -j zone_${network}_forward
+ iptables -A forward -i ${ifname} -j DROP
+ iptables -A forward -i $tun -j zone_${network}_forward
+
+ iptables -D input -i ${ifname} -j zone_${network}
+ iptables -A input -i $tun -j zone_${network}
+
+ iptables -I zone_${network} -p tcp --dport 3990 -j ACCEPT
+ iptables -I zone_${network} -p tcp --dport 3991 -j ACCEPT
+}
+
+chilli_post_core_cb() {
+ config_load chilli
+ config_foreach chilli_firewall chilli
+}
diff --git a/net/coova-chilli/files/chilli.init b/net/coova-chilli/files/chilli.init
new file mode 100644
index 000000000..15b79af37
--- /dev/null
+++ b/net/coova-chilli/files/chilli.init
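Review bot: Four of the uncommented lines in this section are not valid UCI syntax: `radiusserver1 rad01.chillispot.org`, `radiusserver2 rad02.chillispot.org`, `dhcpif eth1` and `uamserver https://radius.chillispot.org/hotspotlogin` lack the `option` keyword, and libuci treats an unknown keyword as a parse error for the whole file, so `config_load chilli` in the init and firewall scripts added by this commit would see no sections at all. They should read `option radiusserver1 'rad01.chillispot.org'` and so on, with the URL single-quoted. The section ships with `option disabled 1`, so the chillispot.org placeholder hosts are inert until an operator edits the file; the commented `radiussecret testing123` and `uamsecret ht2eb8ej6s4et3rg1ulp` samples are long-published example values, and their comments should say they must be replaced rather than merely "modify this option".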
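Review bot: The `lan` fallback on the `network_get_device ifname ${network:-lan}` line is applied only to that call and never stored back into `network`, so a section without `option network` drives every later rule at `zone__ACCEPT`, `zone__forward` and `zone_`, chains that presumably do not exist. Set the default once after `config_get network "$cfg" network`, `network=${network:-lan}`, and then call `network_get_device ifname "$network"`. `n` is used as the loop variable without `local`, and `$tun` and `$ifname` are interpolated unquoted, so an empty `tundev` produces `iptables -I zone_lan_ACCEPT -i -j ACCEPT` and the failure surfaces only as an iptables usage error; a guard such as `[ -n "$tun" ] || return 1` after the `config_get tun` line would make the misconfiguration explicit. The `-F` on the three zone chains also discards any rules other packages placed there; whether that is intended is not visible from this hunk.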
@@ -0,0 +1,61 @@
+#!/bin/sh /etc/rc.common
+
+START=30
+STOP=90
+
+config_cb() {
+ chilli_inst=$2
+ if [ "$chilli_inst" != "" ]
+ then
+ rm -f /var/run/chilli_${chilli_inst}*
+ chilli_conf=/var/run/chilli_${chilli_inst}.conf
+ eval "start_chilli_$chilli_inst=1"
+ fi
+}
+
+option_cb() {
+ case "$1" in
+ # UCI settings
+ network)
+ . /lib/functions/network.sh
+ local ifname
+ network_get_device ifname $2
+ echo "dhcpif=\"$ifname\"" >> $chilli_conf
+ ;;
+ disabled)
+ eval "start_chilli_$chilli_inst=0"
+ ;;
+ # boolean settings
+ dhcpbroadcast|nodynip|vlanlocation|locationstopstart|locationcopycalled|locationimmediateupdate|locationopt82|coanoipcheck|noradallow|proxymacaccept|proxyonacct|dhcpmacset|dhcpradius|noc2c|eapolenable|uamanydns|uamanyip|uamnatanyip|nouamsuccess|nowispr1|nowispr2|domaindnslocal|radsec|macauth|macreauth|macauthdeny|macallowlocal|strictmacauth|strictdhcp|ieee8021q|only8021q|radiusoriginalurl|swapoctets|statusfilesave|wpaguests|openidauth|papalwaysok|mschapv2|chillixml|acctupdate|dnsparanoia|seskeepalive|usetap|noarpentries|framedservice|scalewin|redir|injectwispr|redirurl|routeonetone|nousergardendata|uamgardendata|uamotherdata|withunixipc|uamallowpost|redirssl|uamuissl|layer3|patricia|redirdnsreq|dhcpnotidle|ipv6|ipv6only)
+ [ "$2" = "true" -o "$2" = "1" ] && echo "$1" >> $chilli_conf
+ ;;
+ *)
+ echo "$1=\"$2\"" >> $chilli_conf
+ ;;
+ esac
+}
+
+start_chilli() {
+ local cfg="$1"
+ local start_chilli=$(eval "echo \$start_chilli_$cfg")
+ [ "$start_chilli" = "0" ] && return
+ local base=/var/run/chilli_${cfg}
+ chilli -c ${base}.conf \
+ --pidfile ${base}.pid \
+ --cmdsocket ${base}.sock \
+ --unixipc ${base}.ipc &
+}
+
+start() {
+ config_load chilli
+ config_foreach start_chilli chilli
+}
+
+stop() {
+ ls /var/run/chilli*.pid 2>/dev/null && {
+ kill $(cat /var/run/chilli*.pid)
+ sleep 1
+ killall -9 chilli
+ rm -f /var/run/chilli*
+ }
+}
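Review bot: `$chilli_conf` is never created explicitly; it comes into existence through the `>>` appends in `option_cb`, so it takes the process umask, and the `radiussecret`/`uamsecret` values that the `*)` arm copies verbatim end up in a file under `/var/run` that is typically readable by every local user. Create it with restrictive permissions right after the `chilli_conf=` assignment in `config_cb`, e.g. `( umask 077; : > "$chilli_conf" )`, so the later appends inherit a 0600 file. Two smaller points: `echo "$1=\"$2\""` yields a broken line for any value containing a double quote, and `stop()` escalates to `killall -9 chilli` one second after the TERM, which also hits any chilli process not started from these PID files; polling the PID files for a few seconds before the SIGKILL fallback, and limiting it to those PIDs, would be the safer shape.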