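#!/bin/sh /etc/rc.common
# Copyright (C) 2018 Dengfeng Liu
#
# procd init script for wifidogx (ApFree WiFiDog).
#
# On start it renders /etc/config/wifidogx into $CONFIGFILE, makes sure a
# self-signed certificate/key pair exists under /etc, and launches $PROG
# under procd. It relies on the rc.common / functions.sh helpers
# (config_load, config_get, config_foreach, config_list_foreach, procd_*)
# and on network_get_device from /lib/functions/network.sh.

. /lib/functions/network.sh

START=99
USE_PROCD=1

PROG=/usr/bin/wifidogx
# Rendered daemon config. It is rebuilt from UCI on every start; on OpenWrt
# /tmp is tmpfs, so nothing here survives a reboot.
CONFIGFILE=/tmp/wifidogx.conf

extra_command "status" "Print the status of the service"

# Certificate generators, in order of preference (px5g first).
PX5G_BIN="/usr/sbin/px5g"
OPENSSL_BIN="/usr/bin/openssl"
# Self-signed TLS material used by the portal listener.
APFREE_CERT="/etc/apfree.crt"
APFREE_KEY="/etc/apfree.key"

#######################################
# Print "KEY VALUE" when VALUE is non-empty, nothing otherwise.
# Used for optional config directives; the blank lines left behind by
# unset options are stripped again in init_config.
# Arguments: $1 - directive name, $2 - value
# Outputs:   the directive line on stdout
#######################################
opt_line() {
  [ -n "$2" ] && echo "$1 $2"
}

#######################################
# Print one FirewallRule line; callback for config_list_foreach.
# Arguments: $1 - rule text as written in the UCI list
# Outputs:   the rule line on stdout
#######################################
echo_firewall_rule() {
  echo " FirewallRule $1"
}

#######################################
# Generate a self-signed certificate/key pair for the portal's TLS listener.
# px5g is preferred, openssl is the fallback. Both files are written to
# *.new first and renamed into place only when the generator succeeded, so a
# failed run never leaves a truncated key or certificate behind.
# Globals:   PX5G_BIN, OPENSSL_BIN (read); APFREE_CERT, APFREE_KEY (written)
# Returns:   0 when a pair was installed, 1 otherwise
#######################################
generate_keys() {
  # Tunables; currently never assigned, so the ${var:-default} values apply.
  local days bits country state location commonname
  local unique_id genkey_cmd old_umask rv

  # Random suffix so the O= field differs between routers built from the
  # same defaults.
  unique_id=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom)

  # px5g wins when both generators are present (its test runs last).
  [ -x "$OPENSSL_BIN" ] && genkey_cmd="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes"
  [ -x "$PX5G_BIN" ] && genkey_cmd="$PX5G_BIN selfsigned -pem"
  if [ -z "$genkey_cmd" ]; then
    echo "neither $PX5G_BIN nor $OPENSSL_BIN is available, cannot create $APFREE_KEY" >&2
    return 1
  fi

  # The private key must not be created world-readable: tighten the umask
  # while the generator runs and restore it afterwards.
  old_umask=$(umask)
  umask 077
  # shellcheck disable=SC2086 # genkey_cmd is intentionally word-split
  $genkey_cmd \
    -days "${days:-720}" -newkey rsa:"${bits:-2048}" \
    -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \
    -subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$unique_id"/CN="${commonname:-ApFreeWiFidog}"
  rv=$?
  umask "$old_umask"

  if [ "$rv" -ne 0 ]; then
    echo "certificate generation failed (status $rv)" >&2
    rm -f -- "${APFREE_KEY}.new" "${APFREE_CERT}.new"
    return 1
  fi
  sync
  mv "${APFREE_KEY}.new" "$APFREE_KEY" && mv "${APFREE_CERT}.new" "$APFREE_CERT"
}

#######################################
# Ask procd to reload this service when /etc/config/wifidogx changes.
#######################################
service_trigger() {
  procd_add_reload_trigger "wifidogx"
}

#######################################
# Append an MQTT { } block for one `config mqtt` section to the rendered
# config. Sections missing serveraddr or serverport are skipped.
# Globals:   CONFIGFILE (appended)
# Arguments: $1 - UCI section name
# Returns:   0 when a block was written, 1 when the section was skipped
#######################################
prepare_mqtt_conf() {
  local cfg=$1
  local serveraddr serverport

  config_get serveraddr "$cfg" "serveraddr"
  config_get serverport "$cfg" "serverport"
  if [ -z "$serveraddr" ] || [ -z "$serverport" ]; then
    return 1
  fi

  cat <<EOF >>"$CONFIGFILE"
MQTT {
ServerAddr $serveraddr
ServerPort $serverport
}
EOF
}

#######################################
# Render one `config wifidog` section into $CONFIGFILE. The file is
# recreated from scratch each call, so with several sections the last one
# processed wins. A disabled section removes any stale file and returns
# without writing, which makes init_config bail out.
# Globals:   CONFIGFILE (written)
# Arguments: $1 - UCI section name
# Returns:   0
#######################################
prepare_wifidog_conf() {
  local cfg=$1
  local disabled default_gateway_id gateway_id gateway_interface external_interface
  local auth_server_hostname auth_server_port auth_server_path
  local auth_server_path_login auth_server_path_portal auth_server_path_msg
  local auth_server_path_ping auth_server_path_auth
  local delta_traffic check_interval client_timeout js_filter wired_passed
  local trusted_domains trusted_maclist untrusted_maclist trusted_iplist
  local trusted_pan_domains proxy_port no_auth apple_cna
  local update_domain_interval dns_timeout
  local set_auth_server_path_login set_auth_server_path_portal
  local set_auth_server_path_msg set_auth_server_path_ping set_auth_server_path_auth
  local set_delta_traffic set_trusted_maclist set_untrusted_maclist
  local set_trusted_domains set_trusted_iplist set_trusted_pan_domains
  local set_proxy_port set_no_auth set_apple_cna set_update_domain_interval set_dns_timeout
  local set_firewall_rule_global set_firewall_rule_validating_users
  local set_firewall_rule_known_users set_firewall_rule_auth_is_down
  local set_firewall_rule_unknown_users set_firewall_rule_locked_users

  [ -f "$CONFIGFILE" ] && rm -f -- "$CONFIGFILE"

  config_get disabled "$cfg" "disabled" 1
  if [ "$disabled" = "1" ]; then
    echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2
    return
  fi

  # Default GatewayID is the br-lan MAC without colons. It is deliberately
  # not derived from gateway_interface so existing deployments keep the ID
  # their auth server already knows; a missing br-lan just yields an empty
  # default.
  default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address 2>/dev/null)
  network_get_device external_interface wan

  config_get gateway_id "$cfg" "gateway_id" "$default_gateway_id"
  config_get gateway_interface "$cfg" "gateway_interface" "br-lan"
  config_get auth_server_hostname "$cfg" "auth_server_hostname"
  config_get auth_server_port "$cfg" "auth_server_port" "80"
  config_get auth_server_path "$cfg" "auth_server_path" "/wifidog/"
  config_get auth_server_path_login "$cfg" "auth_server_path_login"
  config_get auth_server_path_portal "$cfg" "auth_server_path_portal"
  config_get auth_server_path_msg "$cfg" "auth_server_path_msg"
  config_get auth_server_path_ping "$cfg" "auth_server_path_ping"
  config_get auth_server_path_auth "$cfg" "auth_server_path_auth"
  config_get delta_traffic "$cfg" "delta_traffic"
  config_get check_interval "$cfg" "check_interval" "60"
  config_get js_filter "$cfg" "js_filter" 1
  config_get client_timeout "$cfg" "client_timeout" "5"
  config_get trusted_domains "$cfg" "trusted_domains"
  config_get trusted_maclist "$cfg" "trusted_maclist"
  config_get untrusted_maclist "$cfg" "untrusted_maclist"
  config_get wired_passed "$cfg" "wired_passed" 1
  config_get trusted_iplist "$cfg" "trusted_iplist"
  config_get trusted_pan_domains "$cfg" "trusted_pan_domains"
  config_get proxy_port "$cfg" "proxy_port"
  config_get no_auth "$cfg" "no_auth"
  config_get apple_cna "$cfg" "bypass_apple_cna"
  config_get update_domain_interval "$cfg" "update_domain_interval"
  config_get dns_timeout "$cfg" "dns_timeout"

  # Optional directives: emitted only when the option is set.
  set_auth_server_path_login=$(opt_line " LoginScriptPathFragment" "$auth_server_path_login")
  set_auth_server_path_portal=$(opt_line " PortalScriptPathFragment" "$auth_server_path_portal")
  set_auth_server_path_msg=$(opt_line " MsgScriptPathFragment" "$auth_server_path_msg")
  set_auth_server_path_ping=$(opt_line " PingScriptPathFragment" "$auth_server_path_ping")
  set_auth_server_path_auth=$(opt_line " AuthScriptPathFragment" "$auth_server_path_auth")
  set_delta_traffic=$(opt_line "DeltaTraffic" "$delta_traffic")
  set_trusted_maclist=$(opt_line "TrustedMACList" "$trusted_maclist")
  set_untrusted_maclist=$(opt_line "UntrustedMACList" "$untrusted_maclist")
  set_trusted_domains=$(opt_line "TrustedDomains" "$trusted_domains")
  set_trusted_iplist=$(opt_line "TrustedIpList" "$trusted_iplist")
  set_trusted_pan_domains=$(opt_line "TrustedPanDomains" "$trusted_pan_domains")
  set_proxy_port=$(opt_line "Proxyport" "$proxy_port")
  set_no_auth=$(opt_line "NoAuth" "$no_auth")
  set_apple_cna=$(opt_line "BypassAppleCNA" "$apple_cna")
  set_update_domain_interval=$(opt_line "UpdateDomainInterval" "$update_domain_interval")
  set_dns_timeout=$(opt_line "DNSTimeout" "$dns_timeout")

  # Per-state firewall rule lists; each UCI list entry becomes one rule line.
  set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule)
  set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule)
  set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule)
  set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule)
  set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule)
  set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule)

  # Unauthenticated clients only get DNS (53) and DHCP (67) by default;
  # everything else must go through the portal. Locked users are blocked
  # outright.
  cat <<EOF >"$CONFIGFILE"
GatewayID $gateway_id
GatewayInterface $gateway_interface
Externalinterface $external_interface
AuthServer {
Hostname $auth_server_hostname
HTTPPort $auth_server_port
Path $auth_server_path
$set_auth_server_path_login
$set_auth_server_path_portal
$set_auth_server_path_msg
$set_auth_server_path_ping
$set_auth_server_path_auth
}
$set_delta_traffic
CheckInterval $check_interval
ClientTimeout $client_timeout
JsFilter $js_filter
WiredPassed $wired_passed
$set_trusted_domains
$set_untrusted_maclist
$set_trusted_maclist
$set_trusted_iplist
$set_trusted_pan_domains
$set_proxy_port
$set_no_auth
$set_apple_cna
$set_update_domain_interval
$set_dns_timeout
FirewallRuleSet global {
$set_firewall_rule_global
}
FirewallRuleSet validating-users {
$set_firewall_rule_validating_users
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
$set_firewall_rule_known_users
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet auth-is-down {
$set_firewall_rule_auth_is_down
}
FirewallRuleSet unknown-users {
$set_firewall_rule_unknown_users
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
FirewallRuleSet locked-users {
$set_firewall_rule_locked_users
FirewallRule block to 0.0.0.0/0
}
EOF
}

#######################################
# Build $CONFIGFILE from UCI and make sure the TLS material exists.
# Exits the init script (status 0, as before) when no config was rendered
# or no usable certificate/key pair is present.
# Globals:   CONFIGFILE, APFREE_CERT, APFREE_KEY (read)
#######################################
init_config() {
  config_load wifidogx
  config_foreach prepare_wifidog_conf wifidog
  if [ ! -f "$CONFIGFILE" ]; then
    echo "no wifidogx.conf, exit..." >&2
    exit
  fi

  # Generate only when either file is missing or empty; re-check afterwards
  # because generate_keys may have had no generator available.
  if [ ! -s "$APFREE_CERT" ] || [ ! -s "$APFREE_KEY" ]; then
    generate_keys
  fi
  if [ ! -s "$APFREE_KEY" ] || [ ! -s "$APFREE_CERT" ]; then
    echo "no cert or key, exit..." >&2
    exit
  fi

  config_foreach prepare_mqtt_conf mqtt
  # Drop the empty (or whitespace-only) lines left by unset optional
  # directives.
  sed -i -e '/^[[:space:]]*$/d' "$CONFIGFILE"
}

#######################################
# procd entry point: render the config and start the daemon.
#######################################
start_service() {
  init_config
  procd_open_instance
  # -f: stay in the foreground so procd can supervise the process;
  # -d 0: presumably the lowest debug/log level — confirm against $PROG's help
  procd_set_param command "$PROG" -c "$CONFIGFILE" -f -d 0
  procd_set_param respawn # restart automatically if the daemon dies
  procd_set_param file "$CONFIGFILE" # reload when the rendered config changes
  procd_close_instance
}

#######################################
# `status` extra command: delegate to the control client.
#######################################
status_service() {
  /usr/bin/wdctlx status
}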