From cf0575681e5b16b105fb9f0cd42321568fdcc436 Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Mon, 23 Mar 2020 17:09:38 -0400 Subject: [PATCH] Add nodogsplash and libmicrohttpd --- libs/libmicrohttpd/Makefile | 91 +++++ net/nodogsplash/Makefile | 82 +++++ net/nodogsplash/files/etc/config/nodogsplash | 316 ++++++++++++++++++ net/nodogsplash/files/etc/init.d/nodogsplash | 209 ++++++++++++ .../files/etc/uci-defaults/40_nodogsplash | 9 + .../files/usr/lib/nodogsplash/restart.sh | 10 + 6 files changed, 717 insertions(+) create mode 100644 libs/libmicrohttpd/Makefile create mode 100644 net/nodogsplash/Makefile create mode 100644 net/nodogsplash/files/etc/config/nodogsplash create mode 100755 net/nodogsplash/files/etc/init.d/nodogsplash create mode 100644 net/nodogsplash/files/etc/uci-defaults/40_nodogsplash create mode 100755 net/nodogsplash/files/usr/lib/nodogsplash/restart.sh diff --git a/libs/libmicrohttpd/Makefile b/libs/libmicrohttpd/Makefile new file mode 100644 index 0000000..c8f8ddb --- /dev/null +++ b/libs/libmicrohttpd/Makefile @@ -0,0 +1,91 @@ +# +# Copyright (C) 2010-2014 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libmicrohttpd +PKG_VERSION:=0.9.69 +PKG_RELEASE:=1 +PKG_MAINTAINER:=Alexander Couzens +PKG_LICENSE:=LGPL-2.1 +PKG_LICENSE_FILES:=COPYING + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=@GNU/libmicrohttpd +PKG_HASH:=fb9b6b148b787493e637d3083588711e65cbcb726fa02cee2cd543c5de27e37e + +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/libmicrohttpd/default + SECTION:=libs + CATEGORY:=Libraries + TITLE:=GNU libmicrohttpd is a library that runs an HTTP server. + URL:=http://www.gnu.org/software/libmicrohttpd/ +endef + +define Package/libmicrohttpd-no-ssl +$(call Package/libmicrohttpd/default) + VARIANT:=nossl + DEFAULT_VARIANT:=1 + PROVIDES:=libmicrohttpd +endef + +define Package/libmicrohttpd-ssl +$(call Package/libmicrohttpd/default) + TITLE+= with SSL support + VARIANT:=ssl + DEPENDS:=+libgcrypt +libgnutls +libgpg-error + PROVIDES:=libmicrohttpd +endef + +CONFIGURE_ARGS+= \ + --disable-curl \ + --disable-rpath \ + --disable-doc \ + --disable-examples \ + --enable-poll=no \ + --enable-epoll=yes \ + +ifeq ($(BUILD_VARIANT),ssl) +CONFIGURE_ARGS += \ + --enable-https \ + --with-gnutls +else +CONFIGURE_ARGS += \ + --disable-https \ + --without-gnutls +endif + +define Package/libmicrohttpd/description + GNU libmicrohttpd is a small C library that is supposed to make it easy + to run an HTTP server as part of another application. +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/microhttpd.h $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libmicrohttpd.{so*,a,la} $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libmicrohttpd.pc $(1)/usr/lib/pkgconfig/ +endef + +define Package/libmicrohttpd-no-ssl/install + $(INSTALL_DIR) $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libmicrohttpd.so* $(1)/usr/lib/ +endef + +define Package/libmicrohttpd-ssl/install + $(INSTALL_DIR) $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libmicrohttpd.so* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libmicrohttpd-no-ssl)) +$(eval $(call BuildPackage,libmicrohttpd-ssl)) diff --git a/net/nodogsplash/Makefile b/net/nodogsplash/Makefile new file mode 100644 index 0000000..e38c4cc --- /dev/null +++ b/net/nodogsplash/Makefile @@ -0,0 +1,82 @@ +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=nodogsplash +PKG_FIXUP:=autoreconf +PKG_VERSION:=4.5.0 +PKG_RELEASE:=1 + +PKG_SOURCE_URL:=https://librecmc.org/librecmc/downloads/sources/v1.5/ +PKG_SOURCE:=nodogsplash-$(PKG_VERSION).tar.gz +PKG_HASH:=3c308b6e3e43c7ed42b3172b1583bd36ec3bcfa482029f56e4491dc811d8508a +PKG_BUILD_DIR:=$(BUILD_DIR)/nodogsplash-$(PKG_VERSION) + +PKG_MAINTAINER:=Moritz Warning +PKG_BUILD_PARALLEL:=1 +PKG_LICENSE:=GPL-2.0+ + +include $(INCLUDE_DIR)/package.mk + + +define Package/nodogsplash + SUBMENU:=Captive Portals + SECTION:=net + CATEGORY:=Network + DEPENDS:=+libpthread +iptables-mod-ipopt +libmicrohttpd-no-ssl + TITLE:=Open public network gateway daemon + URL:=https://github.com/nodogsplash/nodogsplash + CONFLICTS:=nodogsplash2 +endef + +define Package/nodogsplash/description + Nodogsplash is a Captive Portal that offers a simple way to + provide restricted access to the Internet by showing a splash + page to the user before Internet access is granted. + It also incorporates an API that allows the creation of + sophisticated authentication applications. +endef + +define Package/nodogsplash/install + + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/nodogsplash $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_BUILD_DIR)/ndsctl $(1)/usr/bin/ + + $(INSTALL_DIR) $(1)/etc/nodogsplash/htdocs/images + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/uci-defaults + $(INSTALL_DIR) $(1)/usr/lib/nodogsplash + $(CP) $(PKG_BUILD_DIR)/resources/splash.html $(1)/etc/nodogsplash/htdocs/ + $(CP) $(PKG_BUILD_DIR)/resources/splash.css $(1)/etc/nodogsplash/htdocs/ + $(CP) $(PKG_BUILD_DIR)/resources/status.html $(1)/etc/nodogsplash/htdocs/ + $(CP) $(PKG_BUILD_DIR)/resources/splash.jpg $(1)/etc/nodogsplash/htdocs/images/ + $(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/etc/config/nodogsplash $(1)/etc/config/ + $(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/etc/init.d/nodogsplash $(1)/etc/init.d/ + $(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/etc/uci-defaults/40_nodogsplash $(1)/etc/uci-defaults/ + $(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/usr/lib/nodogsplash/restart.sh $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/PreAuth/demo-preauth.sh $(1)/usr/lib/nodogsplash/login.sh + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/get_client_interface.sh $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/get_client_token.sh $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/unescape.sh $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/authmon.sh $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/libs/post-request.php $(1)/usr/lib/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-aes/fas-aes.php $(1)/etc/nodogsplash/ + $(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-aes/fas-aes-https.php $(1)/etc/nodogsplash/ +endef + +define Package/nodogsplash/postrm +#!/bin/sh +uci delete firewall.nodogsplash +uci commit firewall +endef + +define Package/nodogsplash/conffiles +/etc/config/nodogsplash +endef + +$(eval $(call BuildPackage,nodogsplash)) diff --git a/net/nodogsplash/files/etc/config/nodogsplash b/net/nodogsplash/files/etc/config/nodogsplash new file mode 100644 index 0000000..dbb459a --- /dev/null +++ b/net/nodogsplash/files/etc/config/nodogsplash @@ -0,0 +1,316 @@ + +# The options available here are an adaptation of the settings used in nodogsplash.conf. +# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf + +config nodogsplash + # Set to 0 to disable nodogsplash + option enabled 1 + + # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts. + # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries. + option fwhook_enabled '1' + + # Login Option + # Default: 0 + # + # NoDogSplash comes preconfigured for two basic modes of operation + # A default preauth login script, requiring username and email address to be entered. + # and + # A default static splash page (splash.html) with template variables and click to continue + # + # 0: Use static splash page or FAS config options + # 1: Use default preauth login script + # + # The default preauth login script is installed as part of the NoDogSplash package providing + # username/emailaddress login as an alternative to the basic splash page. + # + # It generates a login page asking for username and email address. + # User logins are recorded in the log file /tmp/ndslog.log + # Details of how the script works are contained in comments in the script itself. + # + # Both modes may be customised or a full custom system can be developed using FAS and BinAuth + # See documentation at: https://nodogsplashdocs.readthedocs.io/ + # + option login_option_enabled '0' + + # Use outdated libmicrohttpd (MHD) + # Older versions of MHD convert & and + characters to spaces when present in form data + # This can make a PreAuth or BinAuth impossible to use for a client if form data contains either of these characters + # eg. in username or password + # MHD versions earlier than 0.9.69 are detected. + # If this option is set to 0 (default), NDS will terminate if MHD is earlier than 0.9.69 + # If this option is set to 1, NDS will start but log an error. + option use_outdated_mhd '0' + + # MHD Unescape callback + # MHD has a built in unescape function that urldecodes incoming queries from browsers + # This option allows an external unescape script to be enabled + # The script must be named unescape.sh, be present in /usr/lib/nodogsplash/ and be executable. + # A standard unescape.sh script is installed by default + # Set to 1 to enable this option, 0 to disable + # default is disabled + option unescape_callback_enabled '0' + + + # WebRoot + # Default: /etc/nodogsplash/htdocs + # + # The local path where the splash page content resides. + # ie. Serve the file splash.html from this directory + #option webroot '/etc/nodogsplash/htdocs' + + # Use plain configuration file + #option config '/etc/nodogsplash/nodogsplash.conf' + + # Use this option to set the device nodogsplash will bind to. + # The value may be an interface section in /etc/config/network or a device name such as br-lan. + option gatewayinterface 'br-lan' + + # GatewayPort + # Default: 2050 + # + # Nodogsplash's own http server uses gateway address as its IP address. + # The port it listens to at that IP can be set here; default is 2050. + # + #option gatewayport '2050' + + # GatewayName + # Default: NoDogSplash + # + # gatewayname is used as an identifier for the instance of NoDogSplash + # + # It is displayed on the default static splash page and the default preauth login script. + # + # It is particularly useful in the case of a single remote FAS server that serves multiple + # NoDogSplash sites, allowing the FAS to customise its response for each site. + # + # Note: The single quote (or apostrophe) character ('), cannot be used in the gatewayname. + # If it is required, use the htmlentity ' instead. + # + # For example: + # option gatewayname 'Bill's WiFi' is invalid. + # Instead use: + # option gatewayname 'Bill's WiFi' + # + option gatewayname 'OpenWrt Nodogsplash' + + # MaxClients + # Default 20 + # The maximum number of clients allowed to connect + # This should be less than or equal to the number of allowed DHCP leases + # For example: + option maxclients '250' + + # Enables debug output (0-3) + # Default: 1 + # 0 : Silent (only LOG_ERR and LOG_EMERG messages will be seen, otherwise there will be no logging.) + # 1 : LOG_ERR, LOG_EMERG, LOG_WARNING and LOG_NOTICE (this is the default level). + # 2 : debuglevel 1 + LOG_INFO + # 3 : debuglevel 2 + LOG_DEBUG + #option debuglevel '1' + + # Client timeouts in minutes + option preauthidletimeout '30' + option authidletimeout '120' + # Session Timeout is the interval after which clients are forced out (a value of 0 means never) + option sessiontimeout '1200' + + # The interval in seconds at which nodogsplash checks client timeout status + option checkinterval '600' + + # Enable BinAuth Support. + # If set, a program is called with several parameters on authentication (request) and deauthentication. + # Request for authentication: + # $ auth_client '' '' + # + # The username and password values may be empty strings and are URL encoded. + # The program is expected to output the number of seconds the client + # is to be authenticated. Zero or negative seconds will cause the authentification request + # to be rejected. The same goes for an exit code that is not 0. + # The output may contain a user specific download and upload limit in KBit/s: + # + # + # Called on authentication or deauthentication: + # $ <*auth|*deauth> + # + # "client_auth": Client authenticated via this script. + # "client_deauth": Client deauthenticated by the client via splash page. + # "idle_deauth": Client was deauthenticated because of inactivity. + # "timeout_deauth": Client was deauthenticated because the session timed out. + # "ndsctl_auth": Client was authenticated manually by the ndsctl tool. + # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool. + # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating. + # + # Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited. + # + #option binauth '/bin/myauth.sh' + + # Enable Forwarding Authentication Service (FAS) + # If set redirection is changed from splash.html to a FAS (provided by the system administrator) + # The value is the IP port number of the FAS + # Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used. + # + # Typical Remote Shared Hosting Example: + #option fasport '80' + # + # Typical Locally Hosted example (ie fasremoteip not set): + #option fasport '2080' + + # Option: fasremotefqdn + # Default: Not set + # If set, this is the remote fully qualified domain name (FQDN) of the FAS. + # The protocol must NOT be prepended to the FQDN (ie http:// or https://) + # To prevent CPD or browser security errors NDS prepends http:// before redirection. + # If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip. + # Typical Remote Shared Hosting Example: + #option fasremotefqdn 'onboard-wifi.net' + + # Option: fasremoteip + # Default: GatewayAddress (the IP of NDS) + # If set, this is the remote ip address of the FAS. + # + # Typical Remote Shared Hosting Example: + #option fasremoteip '46.32.240.41' + + # Option: faspath + # Default: / + # This is the path from the FAS Web Root to the FAS login page + # (not the file system root). + # + # Typical Remote Shared Hosting Example (if fasremotefqdn is not specified): + #option faspath '/onboard-wifi.net/nodog/fas.php' + # + # Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set): + #option faspath '/nodog/fas.php' + # + # Typical Locally Hosted Example (ie fasremoteip not set): + #option faspath '/nodog/fas.php' + + # Option: faskey + # Default: not set + # A key phrase for NDS to encrypt the query string sent to FAS + # Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space + #option faskey '1234567890' + + # Option: fas_secure_enabled + # Default: 1 + # + # ****If set to "0"**** + # the client token is sent to the FAS in clear text in the query string of the + # redirect along with authaction and redir. + # + # ****If set to "1" and option faskey is NOT set**** + # authaction and the client token are not revealed and it is the responsibility + # of the FAS to request the token from NDSCTL. + # + # ****If set to "1" and option faskey IS set**** + # The client token will be hashed and sent to the FAS identified as “hid” in the query string. + # The gatewayaddress is also sent on the query string, allowing the FAS to construct the authaction parameter. + # FAS must return the sha256sum of the concatenation of the original hid and faskey, to be used by NDS for client authentication. + # This is returned in the normal way in the query string identified as “tok”. + # NDS will automatically detect whether hid mode is active or the raw token is being returned. + # Should sha256sum not be available to NDS when faskey is set, NDS will exit gracefully, logging the error in syslog. + # + # *****If set to 2**** + # clientip, clientmac, gatewayname, client token, gatewayaddress, authdir, originurl and clientif + # are encrypted using faskey and passed to FAS in the query string. + # The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption. + # The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2. + # Nodogsplash does not depend on this package and module, but will exit gracefully + # if this package and module are not installed when this level is set, logging the error in syslog. + # The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string. + # An example FAS php script is supplied in the source code. + # + #option fas_secure_enabled '0' + + # PreAuth + # PreAuth support allows FAS to call a local program or script with html served by the built in NDS web server + # If the option is set, it points to a program/script that is called by the NDS FAS handler + # All other FAS settings will be overidden. + # Initially FAS appends its query string to faspath. + # The Preauth program will output html code that will be served to the client by NDS + # Using html GET the Preauth program may call: + # /nodogsplash_preauth/ to ask the client for more information + # or + # /nodogsplash_auth/ to authenticate the client + # + # The Preauth program should append at least the client ip to the query string + # (using html input type hidden) for all calls to /nodogsplash_preauth/ + # It must also obtain the client token (using ndsctl), for NDS authentication when calling /nodogsplash_auth/ + # + #option preauth '/path/to/myscript/myscript.sh' + + + # Your router may have several interfaces, and you + # probably want to keep them private from the gatewayinterface. + # If so, you should block the entire subnets on those interfaces, e.g.: + #list authenticated_users 'block to 192.168.0.0/16' + #list authenticated_users 'block to 10.0.0.0/8' + + # Typical ports you will probably want to open up. + #list authenticated_users 'allow tcp port 22' + #list authenticated_users 'allow tcp port 53' + #list authenticated_users 'allow udp port 53' + #list authenticated_users 'allow tcp port 80' + #list authenticated_users 'allow tcp port 443' + # Or for happy customers allow all + list authenticated_users 'allow all' + + # For preauthenticated users: + # + # *****IMPORTANT***** + # + # To help prevent DNS tunnelling, DNS Hijacking and generally improve security, + # DO NOT UNCOMMENT THE FOLLOWING TWO LINES: + #list preauthenticated_users 'allow tcp port 53' + #list preauthenticated_users 'allow udp port 53' + + # Walled Garden + # Allow preauthenticated users to access an external IP address + # This is commonly referred to as a Walled Garden. + # Only IPv4 addresses can be used (not domain names) + #list preauthenticated_users 'allow tcp port 80 to 112.122.123.124' + #list preauthenticated_users 'allow udp port 8020 to 112.122.123.124' + # + # Alternatively, a preconfigured ipset can be used: + #list preauthenticated_users 'allow tcp port [port number] ipset [ipset rule name]' + + # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS + list users_to_router 'allow tcp port 22' + list users_to_router 'allow tcp port 23' + list users_to_router 'allow tcp port 53' + list users_to_router 'allow udp port 53' + list users_to_router 'allow udp port 67' + list users_to_router 'allow tcp port 80' + list users_to_router 'allow tcp port 443' + + # MAC addresses that are / are not allowed to access the splash page + # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used. + #option macmechanism 'allow' + #list allowedmac '00:00:C0:01:D0:0D' + #list allowedmac '00:00:C0:01:D0:1D' + #list blockedmac '00:00:C0:01:D0:2D' + + # MAC addresses that do not need to authenticate + #list trustedmac '00:00:C0:01:D0:1D' + + # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask. + # This mask can conflict with the requirements of other packages. + # + # However the defaults are fully compatible with the defaults used in mwan3 and sqm + # + # Any values set here are interpreted as in hex format. + # + # Option: fw_mark_authenticated + # Default: 30000 (0011|0000|0000|0000|0000 binary) + # + # Option: fw_mark_trusted + # Default: 20000 (0010|0000|0000|0000|0000 binary) + # + # Option: fw_mark_blocked + # Default: 10000 (0001|0000|0000|0000|0000 binary) + # + #option fw_mark_authenticated '30000' + #option fw_mark_trusted '20000' + #option fw_mark_blocked '10000' + diff --git a/net/nodogsplash/files/etc/init.d/nodogsplash b/net/nodogsplash/files/etc/init.d/nodogsplash new file mode 100755 index 0000000..0128309 --- /dev/null +++ b/net/nodogsplash/files/etc/init.d/nodogsplash @@ -0,0 +1,209 @@ +#!/bin/sh /etc/rc.common + +# +# Startup/shutdown script for nodogsplash captive portal +# + +START=95 +STOP=95 + +USE_PROCD=1 + +IPT=/usr/sbin/iptables +WD_DIR=/usr/bin + +# Run in PROCD (-f) and log to SYSLOG (-s) +OPTIONS="-f -s" +# + +CONFIG="" + + +addline() { + append CONFIG "$1" "$N" +} + +setup_mac_lists() { + local cfg="$1" + local macs="" + local val + + append_mac() { + append macs "$1" "," + } + + config_get val "$cfg" macmechanism + if [ -z "$val" ]; then + # Check if we have AllowedMACList or BlockedMACList defined they will be ignored + config_get val "$cfg" allowedmac + if [ -n "$val" ]; then + echo "Ignoring allowedmac - macmechanism not \"allow\"" >&2 + fi + + config_get val "$cfg" blockedmac + if [ -n "$val" ]; then + echo "Ignoring blockedmac - macmechanism not \"block\"" >&2 + fi + elif [ "$val" = "allow" ]; then + config_list_foreach "$cfg" allowedmac append_mac + addline "MACmechanism allow" + addline "AllowedMACList $macs" + elif [ "$val" = "block" ]; then + config_list_foreach "$cfg" blockedmac append_mac + addline "MACmechanism block" + addline "BlockedMACList $macs" + else + echo "Invalid macmechanism '$val' - allow or block are valid." >&2 + return 1 + fi + + macs="" + config_list_foreach "$cfg" trustedmac append_mac + if [ -n "$macs" ]; then + addline "TrustedMACList $macs" + fi + + return 0 +} + +setup_firewall() { + local cfg="$1" + local uci_name + local val + + append_firewall() { + addline " FirewallRule $1" + } + + for rule in authenticated-users preauthenticated-users users-to-router trusted-users trusted-users-to-router; do + # uci does not allow dashes + uci_name=${rule//-/_} + addline "FirewallRuleSet $rule {" + config_list_foreach "$cfg" "$uci_name" append_firewall + addline "}" + config_get val "$cfg" "policy_${uci_name}" + if [ -n "$val" ]; then + addline "EmptyRuleSetPolicy $rule $val" + fi + done +} + +wait_for_interface() { + local ifname="$1" + local timeout=10 + + for i in $(seq $timeout); do + if [ $(ip -4 addr show dev $ifname 2> /dev/null | grep -c inet) -ne 0 ]; then + break + fi + sleep 1 + if [ $i = $timeout ]; then + echo "Interface $ifname not detected." >&2 + return 1 + fi + done + + return 0 +} + +generate_uci_config() { + local cfg="$1" + local val + local ifname + local download + local upload + + # Init config file content + CONFIG="# auto-generated config file from /etc/config/nodogsplash" + + config_get val "$cfg" config + if [ -n "$val" ]; then + if [ ! -f "$val" ]; then + echo "Configuration file '$file' doesn't exist." >&2 + return 1 + fi + addline "$(cat $val)" + fi + + config_get ifname "$cfg" gatewayinterface + + # Get device name if interface name is a section name in /etc/config/network + if network_get_device tmp "$ifname"; then + ifname="$tmp" + fi + + if [ -z "$ifname" ]; then + echo "Option network or gatewayinterface missing." >&2 + return 1 + fi + + wait_for_interface "$ifname" || return 1 + + addline "GatewayInterface $ifname" + + for option in preauth binauth fasport faskey fasremotefqdn fasremoteip faspath fas_secure_enabled \ + login_option_enabled use_outdated_mhd unescape_callback_enabled daemon debuglevel maxclients gatewayname gatewayinterface gatewayiprange \ + gatewayaddress gatewayport webroot splashpage statuspage \ + redirecturl sessiontimeout preauthidletimeout authidletimeout checkinterval \ + setmss mssvalue trafficcontrol downloadlimit uploadlimit \ + syslogfacility ndsctlsocket fw_mark_authenticated \ + fw_mark_blocked fw_mark_trusted + do + config_get val "$cfg" "$option" + + if [ -n "$val" ]; then + addline "$option $val" + fi + done + + config_get download "$cfg" downloadlimit + config_get upload "$cfg" uploadlimit + + if [ -n "$upload" -o -n "$download" ]; then + addline "TrafficControl yes" + fi + + setup_mac_lists "$cfg" || return 1 + setup_firewall "$cfg" + + echo "$CONFIG" > "/tmp/etc/nodogsplash_$cfg.conf" + return 0 +} + +# setup configuration and start instance +create_instance() { + local cfg="$1" + local val + + config_get_bool val "$cfg" enabled 0 + [ $val -gt 0 ] || return 0 + + if ! generate_uci_config "$cfg"; then + echo "Can not generate uci config. Will not start instance $cfg." >&2 + return 1 + fi + + procd_open_instance $cfg + procd_set_param command /usr/bin/nodogsplash -c "/tmp/etc/nodogsplash_$cfg.conf" $OPTIONS + procd_set_param respawn + procd_set_param file "/tmp/etc/nodogsplash_$cfg.conf" + procd_close_instance +} + +start_service() { + # For network_get_device() + include /lib/functions + + # For nodogsplash.conf file + mkdir -p /tmp/etc/ + + config_load nodogsplash + config_foreach create_instance nodogsplash +} + +stop_service() { + # When procd terminates nodogsplash, it does not exit fast enough. + # Otherwise procd will restart nodogsplash twice. First time starting + # nodogsplash fails, second time it succeeds. + sleep 1 +} diff --git a/net/nodogsplash/files/etc/uci-defaults/40_nodogsplash b/net/nodogsplash/files/etc/uci-defaults/40_nodogsplash new file mode 100644 index 0000000..c4f461a --- /dev/null +++ b/net/nodogsplash/files/etc/uci-defaults/40_nodogsplash @@ -0,0 +1,9 @@ +#!/bin/sh + +uci -q batch <<-EOF + delete firewall.nodogsplash + set firewall.nodogsplash=include + set firewall.nodogsplash.type=script + set firewall.nodogsplash.path=/usr/lib/nodogsplash/restart.sh + commit firewall +EOF diff --git a/net/nodogsplash/files/usr/lib/nodogsplash/restart.sh b/net/nodogsplash/files/usr/lib/nodogsplash/restart.sh new file mode 100755 index 0000000..e7e1946 --- /dev/null +++ b/net/nodogsplash/files/usr/lib/nodogsplash/restart.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +# Check if nodogsplash is running +ndspid=$(ps | grep nodogsplash_cfg | awk -F ' ' 'NR==2 {print $1}') +if [ ! -z $ndspid ]; then + if [ "$(uci -q get nodogsplash.@nodogsplash[0].fwhook_enabled)" = "1" ]; then + echo "fwhook restart request received - restarting " | logger -p "daemon.warn" -s -t "nodogsplash[$ndspid]: " + /etc/init.d/nodogsplash restart + fi +fi -- 2.25.1