forked from logzhan/UPBot-Pioneer
				
			
		
			
				
	
	
		
			2132 lines
		
	
	
		
			70 KiB
		
	
	
	
		
			Bash
		
	
	
			
		
		
	
	
			2132 lines
		
	
	
		
			70 KiB
		
	
	
	
		
			Bash
		
	
	
| #!/bin/bash
 | |
| 
 | |
| VERSION=0.6.3
 | |
| PROGNAME="$(basename $0)"
 | |
| 
 | |
| export LC_ALL=C
 | |
| 
 | |
| SCRIPT_UMASK=0122
 | |
| umask $SCRIPT_UMASK
 | |
| 
 | |
| phead() {
 | |
|     echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
 | |
| }
 | |
| usage() {
 | |
|     phead
 | |
|     cat << EOF
 | |
| Released under LGPL, with no warranty. Use on your own risk.
 | |
| 
 | |
| Usage: $PROGNAME <options>
 | |
| 
 | |
| Options:
 | |
|     -h, --help              Show this help
 | |
|     --version               Print version number
 | |
| 
 | |
|     -i <interface>          Interface to make NATed sub-network,
 | |
|                             and to provide Internet to
 | |
|                             (To create Wifi hotspot use '--ap' instead)
 | |
|     -o <interface>          Specify an inteface to provide Internet from.
 | |
|                             (Note using this with default DNS option may leak
 | |
|                             queries to other interfaces)
 | |
|     -n                      Do not provide Internet (See Notice 1)
 | |
|     --ban-priv              Disallow clients to access my private network
 | |
|     
 | |
|     -g <ip>                 This host's IPv4 address in subnet (mask is /24)
 | |
|                             (example: '192.168.5.1' or '5' shortly)
 | |
|     -6                      Enable IPv6 (NAT)
 | |
|     --no4                   Disable IPv4 Internet (not forwarding IPv4)
 | |
|                             (See Notice 1). Usually used with '-6'
 | |
|                             
 | |
|     --p6 <prefix>           Set IPv6 LAN address prefix (length 64) 
 | |
|                             (example: 'fd00:0:0:5::' or '5' shortly) 
 | |
|                             Using this enables '-6'
 | |
|                             
 | |
|     --dns <ip>|<port>|<ip:port>
 | |
|                             DNS server's upstream DNS.
 | |
|                             Use ',' to seperate multiple servers
 | |
|                             (default: use /etc/resolve.conf)
 | |
|                             (Note IPv6 addresses need '[]' around)
 | |
|     --no-dns                Do not serve DNS
 | |
|     --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
 | |
|     --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
 | |
|                             whose destination port is 53 to this host
 | |
|     --log-dns               Show DNS query log
 | |
|     --dhcp-dns <IP1[,IP2]>|no
 | |
|                             Set IPv4 DNS offered by DHCP (default: this host)
 | |
|     --dhcp-dns6 <IP1[,IP2]>|no
 | |
|                             Set IPv6 DNS offered by DHCP (RA) 
 | |
|                             (default: this host)
 | |
|                             (Note IPv6 addresses need '[]' around)
 | |
|     --hostname <name>       DNS server associate this name with this host.
 | |
|                             Use '-' to read name from /etc/hostname
 | |
|     -d                      DNS server will take into account /etc/hosts
 | |
|     -e <hosts_file>         DNS server will take into account additional 
 | |
|                             hosts file
 | |
|     
 | |
|     --mac <MAC>             Set MAC address
 | |
|     --random-mac            Use random MAC address
 | |
|  
 | |
|     --tp <port>             Transparent proxy,
 | |
|                             redirect non-LAN TCP and UDP traffic to port.
 | |
|                             (usually used with '--dns')
 | |
|     
 | |
|   Wifi hotspot options:
 | |
|     --ap <wifi interface> <SSID>
 | |
|                             Create Wifi access point
 | |
|     -p, --password <password>   
 | |
|                             Wifi password
 | |
|     --qr                    Show Wifi QR code in terminal
 | |
|     
 | |
|     --hidden                Hide access point (not broadcast SSID)
 | |
|     --no-virt               Do not create virtual interface
 | |
|                             Using this you can't use same wlan interface
 | |
|                             for both Internet and AP
 | |
|     -c <channel>            Channel number (default: 1)
 | |
|     --country <code>        Set two-letter country code for regularity
 | |
|                             (example: US)
 | |
|     --freq-band <GHz>       Set frequency band: 2.4 or 5 (default: 2.4)
 | |
|     --driver                Choose your WiFi adapter driver (default: nl80211)
 | |
|     -w <WPA version>        '2' for WPA2, '1' for WPA, '1+2' for both
 | |
|                             (default: 2)
 | |
|     --psk                   Use 64 hex digits pre-shared-key instead of
 | |
|                             passphrase
 | |
|     --mac-filter            Enable Wifi hotspot MAC address filtering
 | |
|     --mac-filter-accept     Location of Wifi hotspot MAC address filter list
 | |
|                             (defaults to /etc/hostapd/hostapd.accept)
 | |
|     --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
 | |
|     --isolate-clients       Disable wifi communication between clients
 | |
|     
 | |
|     --ieee80211n            Enable IEEE 802.11n (HT)
 | |
|     --ieee80211ac           Enable IEEE 802.11ac (VHT)
 | |
|     --ht_capab <HT>         HT capabilities (default: [HT40+])
 | |
|     --vht_capab <VHT>       VHT capabilities
 | |
|     
 | |
|     --no-haveged            Do not run haveged automatically when needed
 | |
| 
 | |
|   Instance managing:
 | |
|     --daemon                Run in background
 | |
|     -l, --list-running      Show running instances
 | |
|     --lc, --list-clients <id|interface>     
 | |
|                             List clients of an instance. Or list neighbors of
 | |
|                             an interface, even if it isn't handled by us.
 | |
|                             (passive mode)
 | |
|     --stop <id>             Stop a running instance
 | |
|         For <id> you can use PID or subnet interface name.
 | |
|         You can get them with '--list-running'
 | |
| 
 | |
|     Notice 1:   This script assume your host's default policy won't forward
 | |
|                 packets, so the script won't explictly ban forwarding in any
 | |
|                 mode. In some unexpected case may cause unwanted packets 
 | |
|                 leakage between 2 networks, which you should be aware of if you
 | |
|                 want isolated network
 | |
|                 
 | |
| Examples:
 | |
|     $PROGNAME -i eth1
 | |
|     $PROGNAME --ap wlan0 MyAccessPoint
 | |
|     $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
 | |
|     $PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
 | |
| EOF
 | |
| }
 | |
| 
 | |
| check_empty_option(){
 | |
|     if [[ "$1" == "" ]]; then
 | |
|         usage
 | |
|         exit 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| 
 | |
| define_global_variables(){
 | |
|     # user options
 | |
|     GATEWAY=  # IPv4 address for this host
 | |
|     PREFIX6=  # IPv6 LAN address prefix for this host
 | |
|     IID6=1    # IPv6 LAN ID for this host
 | |
|     IPV6=0  # enable ipv6
 | |
|     NO4=0   # no IPv4 Internet
 | |
|     BANLAN=0 # ban clients from accessing private addresses
 | |
|     DHCP_DNS=gateway  # which ipv4 DNS the DHCP gives clients
 | |
|     DHCP_DNS6=gateway # which ipv6 DNS the DHCP gives clients
 | |
|     dnsmasq_NO_DNS=0  # disable dns server
 | |
|     NO_DNSMASQ=0  # disable dnsmasq (dns and dhcp)
 | |
|     CATCH_DNS=0   # catch clients 53 port packets
 | |
|     SHOW_DNS_QUERY=0  # log dns
 | |
|     ETC_HOSTS=0
 | |
|     ADDN_HOSTS=
 | |
|     CONN_IFACE=    # which interface user choose to use to create network
 | |
|     INTERNET_IFACE= # which interface to get Internet from
 | |
|     THISHOSTNAME=   # this host's name the DNS tells clients 
 | |
|     TP_PORT=  # transparent proxy port
 | |
|     DNS=  # upstream DNS
 | |
|     MAC_USE_RANDOM=0
 | |
|     NEW_MACADDR=
 | |
|     DAEMONIZE=0
 | |
|     
 | |
|     # script variables
 | |
|     SUBNET_IFACE=  # which interface to create network
 | |
|     SHARE_METHOD=nat 
 | |
|     OLD_MACADDR=
 | |
|     
 | |
| 
 | |
|     ##### wifi hotspot
 | |
|     # user options
 | |
|     HIDDEN=0 # hidden wifi hotspot
 | |
|     WIFI_IFACE=
 | |
|     CHANNEL=default 
 | |
|     WPA_VERSION=2
 | |
|     MAC_FILTER=0
 | |
|     MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
 | |
|     IEEE80211N=0
 | |
|     IEEE80211AC=0
 | |
|     HT_CAPAB='[HT40+]'
 | |
|     VHT_CAPAB=
 | |
|     DRIVER=nl80211
 | |
|     NO_VIRT=0 # not use virtual interface
 | |
|     COUNTRY=
 | |
|     FREQ_BAND=2.4
 | |
|     NO_HAVEGED=0
 | |
|     HOSTAPD_DEBUG_ARGS=
 | |
|     USE_PSK=0
 | |
|     ISOLATE_CLIENTS=0
 | |
|     QR=0 # show wifi qr
 | |
|     
 | |
|     # script variables
 | |
|     VWIFI_IFACE=  # virtual wifi interface name, if created
 | |
|     AP_IFACE=     # can be VWIFI_IFACE or WIFI_IFACE
 | |
|     USE_IWCONFIG=0  # some device can't use iw
 | |
|     
 | |
|     #######
 | |
|     
 | |
|     #-- to deal with info of a running instance. then will exit
 | |
|     LIST_RUNNING=0
 | |
|     STOP_ID=
 | |
|     LIST_CLIENTS_ID=
 | |
| 
 | |
|     # -- variables for running
 | |
|     CONFDIR=
 | |
|     NM_RUNNING=0
 | |
|     NM_UNM_LIST=  # it's called "list" but for now one interface
 | |
| }
 | |
| 
 | |
| parse_user_options(){
 | |
|     while [[ -n "$1" ]]; do
 | |
|         case "$1" in
 | |
|             -h|--help)
 | |
|                 usage
 | |
|                 exit 0
 | |
|                 ;;
 | |
|             --version)
 | |
|                 echo "$VERSION"
 | |
|                 exit 0
 | |
|                 ;;
 | |
|             -i)
 | |
|                 shift
 | |
|                 CONN_IFACE="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -o)
 | |
|                 shift
 | |
|                 INTERNET_IFACE="$1"
 | |
|                 shift
 | |
|                 echo ""
 | |
|                 echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
 | |
|                 echo ""
 | |
|                 ;;
 | |
|             -n)
 | |
|                 shift
 | |
|                 SHARE_METHOD=none
 | |
|                 echo ""
 | |
|                 echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
 | |
|                 echo ""
 | |
|                 ;;
 | |
|             --ban-priv)
 | |
|                 shift
 | |
|                 BANLAN=1
 | |
|                 ;;
 | |
|             --tp)
 | |
|                 shift
 | |
|                 TP_PORT="$1"
 | |
|                 SHARE_METHOD=redsocks
 | |
|                 shift
 | |
|                 ;;
 | |
|                 
 | |
|                 
 | |
|             -g)
 | |
|                 shift
 | |
|                 GATEWAY="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -6)
 | |
|                 shift
 | |
|                 IPV6=1
 | |
|                 ;;
 | |
|             --no4)
 | |
|                 shift
 | |
|                 NO4=1
 | |
|                 echo ""
 | |
|                 echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
 | |
|                 echo ""
 | |
|                 ;;
 | |
|             --p6)
 | |
|                 shift
 | |
|                 PREFIX6="$1"
 | |
|                 IPV6=1
 | |
|                 shift
 | |
|                 ;;
 | |
|             --mac)
 | |
|                 shift
 | |
|                 NEW_MACADDR="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --random-mac)
 | |
|                 shift
 | |
|                 MAC_USE_RANDOM=1
 | |
|                 ;;
 | |
|                 
 | |
|             --dns)
 | |
|                 shift
 | |
|                 DNS="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --no-dns)
 | |
|                 shift
 | |
|                 dnsmasq_NO_DNS=1
 | |
|                 ;;
 | |
|             --no-dnsmasq)
 | |
|                 shift
 | |
|                 NO_DNSMASQ=1
 | |
|                 ;;
 | |
|             --dhcp-dns)
 | |
|                 shift
 | |
|                 DHCP_DNS="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --dhcp-dns6)
 | |
|                 shift
 | |
|                 DHCP_DNS6="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --catch-dns)
 | |
|                 shift
 | |
|                 CATCH_DNS=1
 | |
|                 ;;    
 | |
|             --log-dns)
 | |
|                 shift
 | |
|                 SHOW_DNS_QUERY=1
 | |
|                 ;;
 | |
|             --hostname)
 | |
|                 shift
 | |
|                 THISHOSTNAME="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -d)
 | |
|                 shift
 | |
|                 ETC_HOSTS=1
 | |
|                 ;;
 | |
|             -e)
 | |
|                 shift
 | |
|                 ADDN_HOSTS="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             
 | |
|             --isolate-clients)
 | |
|                 shift
 | |
|                 ISOLATE_CLIENTS=1
 | |
|                 ;;
 | |
|                 
 | |
|             --ap)
 | |
|                 shift
 | |
|                 WIFI_IFACE="$1"
 | |
|                 shift
 | |
|                 SSID="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -p|--password)
 | |
|                 shift
 | |
|                 PASSPHRASE="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --qr)
 | |
|                 shift
 | |
|                 QR=1
 | |
|                 ;;
 | |
|                 
 | |
|                 
 | |
|             --hidden)
 | |
|                 shift
 | |
|                 HIDDEN=1
 | |
|                 ;;
 | |
|             --mac-filter)
 | |
|                 shift
 | |
|                 MAC_FILTER=1
 | |
|                 ;;
 | |
|             --mac-filter-accept)
 | |
|                 shift
 | |
|                 MAC_FILTER_ACCEPT="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
| 
 | |
|             -c)
 | |
|                 shift
 | |
|                 CHANNEL="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -w)
 | |
|                 shift
 | |
|                 WPA_VERSION="$1"
 | |
|                 [[ "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=1+2
 | |
|                 shift
 | |
|                 ;;
 | |
| 
 | |
|             --ieee80211n)
 | |
|                 shift
 | |
|                 IEEE80211N=1
 | |
|                 ;;
 | |
|             --ieee80211ac)
 | |
|                 shift
 | |
|                 IEEE80211AC=1
 | |
|                 ;;
 | |
|             --ht_capab)
 | |
|                 shift
 | |
|                 HT_CAPAB="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --vht_capab)
 | |
|                 shift
 | |
|                 VHT_CAPAB="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --driver)
 | |
|                 shift
 | |
|                 DRIVER="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --no-virt)
 | |
|                 shift
 | |
|                 NO_VIRT=1
 | |
|                 ;;
 | |
| 
 | |
|             --country)
 | |
|                 shift
 | |
|                 COUNTRY="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --freq-band)
 | |
|                 shift
 | |
|                 FREQ_BAND="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             --no-haveged)
 | |
|                 shift
 | |
|                 NO_HAVEGED=1
 | |
|                 ;;
 | |
|             --hostapd-debug)
 | |
|                 shift
 | |
|                 if [ "x$1" = "x1" ]; then
 | |
|                     HOSTAPD_DEBUG_ARGS="-d"
 | |
|                 elif [ "x$1" = "x2" ]; then
 | |
|                     HOSTAPD_DEBUG_ARGS="-dd"
 | |
|                 else
 | |
|                     printf "Error: argument for --hostapd-debug expected 1 or 2, got %s\n" "$1"
 | |
|                     exit 1
 | |
|                 fi
 | |
|                 shift
 | |
|                 ;;
 | |
|             --psk)
 | |
|                 shift
 | |
|                 USE_PSK=1
 | |
|                 ;;
 | |
| 
 | |
|             --daemon)
 | |
|                 shift
 | |
|                 DAEMONIZE=1
 | |
|                 ;;
 | |
|             --stop)
 | |
|                 shift
 | |
|                 STOP_ID="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
|             -l|--list-running)
 | |
|                 shift
 | |
|                 LIST_RUNNING=1
 | |
|                 ;;
 | |
|             --lc|--list-clients)
 | |
|                 shift
 | |
|                 LIST_CLIENTS_ID="$1"
 | |
|                 shift
 | |
|                 ;;
 | |
| 
 | |
|             *)
 | |
|                 echo  "Invalid parameter: $1" 1>&2
 | |
|                 exit 1
 | |
|                 ;;
 | |
|         esac
 | |
|     done
 | |
| }
 | |
| 
 | |
| 
 | |
| # seperate ip and port
 | |
| sep_ip_port() {
 | |
|     # usage: sep_ip_port <ip:port> <var for ip> <var for port>
 | |
|     # input <ip:port> can be:
 | |
|     #   port (ip is 127.0.0.1)
 | |
|     #   ipv4
 | |
|     #   [ipv6]
 | |
|     #   ipv4:port
 | |
|     #   [ipv6]:port
 | |
|     local IP
 | |
|     local PORT
 | |
|     local INPUT
 | |
|     INPUT="$1"
 | |
|     if (echo "$INPUT" | grep '\.' >/dev/null 2>&1) ;then  
 | |
|         if (echo "$INPUT" | grep ':' >/dev/null 2>&1) ;then
 | |
|             # ipv4 + port
 | |
|             IP="$(echo $INPUT | cut -d: -f1)"
 | |
|             PORT="$(echo $INPUT | cut -d: -f2)"
 | |
|         else
 | |
|             # ipv4
 | |
|             IP="$INPUT"
 | |
|         fi
 | |
|     elif (echo "$INPUT" | grep '\]' >/dev/null 2>&1) ;then 
 | |
|         if (echo "$INPUT" | grep '\]\:' >/dev/null 2>&1) ;then
 | |
|             # ipv6 + port
 | |
|             IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)"
 | |
|             PORT="$(echo $INPUT | cut -d']' -f2 |cut -d: -f2)"
 | |
|         else
 | |
|             # ipv6
 | |
|             IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)"
 | |
|         fi
 | |
|     else 
 | |
|         # port
 | |
|         IP='127.0.0.1'
 | |
|         PORT="$INPUT"
 | |
|     fi
 | |
|     printf -v "$2" %s "$IP"
 | |
|     printf -v "$3" %s "$PORT"
 | |
| }
 | |
| 
 | |
| #=========================
 | |
| is_interface() {
 | |
|     [[ -z "$1" ]] && return 1
 | |
|     [[ -d "/sys/class/net/${1}" ]]
 | |
| }
 | |
| 
 | |
| get_interface_phy_device() { # only for wifi interface
 | |
|     local x
 | |
|     for x in /sys/class/ieee80211/*; do
 | |
|         [[ ! -e "$x" ]] && continue
 | |
|         if [[ "${x##*/}" = "$1" ]]; then
 | |
|             echo "$1"
 | |
|             return 0
 | |
|         elif [[ -e "$x/device/net/$1" ]]; then
 | |
|             echo ${x##*/}
 | |
|             return 0
 | |
|         elif [[ -e "$x/device/net:$1" ]]; then
 | |
|             echo ${x##*/}
 | |
|             return 0
 | |
|         fi
 | |
|     done
 | |
|     echo "Failed to get phy interface" >&2
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| get_adapter_info() { # only for wifi interface
 | |
|     local iPHY
 | |
|     iPHY=$(get_interface_phy_device "$1")
 | |
|     [[ $? -ne 0 ]] && return 1
 | |
|     iw phy $iPHY info
 | |
| }
 | |
| 
 | |
| get_adapter_kernel_module() {
 | |
|     local MODULE
 | |
|     MODULE=$(readlink -f "/sys/class/net/$1/device/driver/module")
 | |
|     echo ${MODULE##*/}
 | |
| }
 | |
| 
 | |
| can_be_sta_and_ap() {
 | |
|     # iwconfig does not provide this information, assume false
 | |
|     [[ $USE_IWCONFIG -eq 1 ]] && return 1
 | |
|     if [[ "$(get_adapter_kernel_module "$1")" == "brcmfmac" ]]; then
 | |
|         echo "WARN: brmfmac driver doesn't work properly with virtual interfaces and" >&2
 | |
|         echo "      it can cause kernel panic. For this reason we disallow virtual" >&2
 | |
|         echo "      interfaces for your adapter." >&2
 | |
|         echo "      For more info: https://github.com/oblique/create_ap/issues/203" >&2
 | |
|         return 1
 | |
|     fi
 | |
|     get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0
 | |
|     get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| can_be_ap() {
 | |
|     # iwconfig does not provide this information, assume true
 | |
|     [[ $USE_IWCONFIG -eq 1 ]] && return 0
 | |
|     get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| can_transmit_to_channel() {
 | |
|     local IFACE CHANNEL_NUM CHANNEL_INFO
 | |
|     IFACE=$1
 | |
|     CHANNEL_NUM=$2
 | |
| 
 | |
|     if [[ $USE_IWCONFIG -eq 0 ]]; then
 | |
|         if [[ $FREQ_BAND == 2.4 ]]; then
 | |
|             CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " 24[0-9][0-9] MHz \[${CHANNEL_NUM}\]")
 | |
|         else
 | |
|             CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " \(49[0-9][0-9]\|5[0-9]\{3\}\) MHz \[${CHANNEL_NUM}\]")
 | |
|         fi
 | |
|         [[ -z "${CHANNEL_INFO}" ]] && return 1
 | |
|         [[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1
 | |
|         [[ "${CHANNEL_INFO}" == *disabled* ]] && return 1
 | |
|         return 0
 | |
|     else
 | |
|         CHANNEL_NUM=$(printf '%02d' ${CHANNEL_NUM})
 | |
|         CHANNEL_INFO=$(iwlist ${IFACE} channel | grep -E "Channel[[:blank:]]${CHANNEL_NUM}[[:blank:]]?:")
 | |
|         [[ -z "${CHANNEL_INFO}" ]] && return 1
 | |
|         return 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| # taken from iw/util.c
 | |
| ieee80211_frequency_to_channel() {
 | |
|     local FREQ=$1
 | |
|     if [[ $FREQ -eq 2484 ]]; then
 | |
|         echo 14
 | |
|     elif [[ $FREQ -lt 2484 ]]; then
 | |
|         echo $(( ($FREQ - 2407) / 5 ))
 | |
|     elif [[ $FREQ -ge 4910 && $FREQ -le 4980 ]]; then
 | |
|         echo $(( ($FREQ - 4000) / 5 ))
 | |
|     elif [[ $FREQ -le 45000 ]]; then
 | |
|         echo $(( ($FREQ - 5000) / 5 ))
 | |
|     elif [[ $FREQ -ge 58320 && $FREQ -le 64800 ]]; then
 | |
|         echo $(( ($FREQ - 56160) / 2160 ))
 | |
|     else
 | |
|         echo 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| is_5ghz_frequency() {
 | |
|     [[ $1 =~ ^(49[0-9]{2})|(5[0-9]{3})$ ]]
 | |
| }
 | |
| 
 | |
| is_interface_wifi_connected() {
 | |
|     if [[ $USE_IWCONFIG -eq 0 ]]; then
 | |
|         iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0
 | |
|     else
 | |
|         iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0
 | |
|     fi
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| 
 | |
| is_unicast_macaddr() {
 | |
|     local x
 | |
|     x=$(echo "$1" | cut -d: -f1)
 | |
|     x=$(printf '%d' "0x${x}")
 | |
|     [[ $(expr $x % 2) -eq 0 ]]
 | |
| }
 | |
| 
 | |
| get_interface_mac() {
 | |
|     is_interface "$1" || return
 | |
|     cat "/sys/class/net/${1}/address"
 | |
| }
 | |
| 
 | |
| alloc_new_vface_name() { # only for wifi
 | |
|     local i=0
 | |
|     local v_iface_name=
 | |
|     while :; do
 | |
|         v_iface_name="x$i${WIFI_IFACE}"
 | |
|         if ! is_interface ${v_iface_name} && [[ ! -f $COMMON_CONFDIR/vfaces/${v_iface_name} ]]; then
 | |
|             mkdir -p $COMMON_CONFDIR/vfaces
 | |
|             touch $COMMON_CONFDIR/vfaces/${v_iface_name}
 | |
|             echo "${v_iface_name}"
 | |
|             return
 | |
|         fi
 | |
|         i=$((i + 1))
 | |
|     done
 | |
| }
 | |
| 
 | |
| dealloc_vface_name() {
 | |
|     rm -f $COMMON_CONFDIR/vfaces/$1
 | |
| }
 | |
| 
 | |
| #======
 | |
| 
 | |
| get_all_mac_in_system() {
 | |
|     cat /sys/class/net/*/address
 | |
| }
 | |
| 
 | |
| get_new_macaddr_according_to_existing() {
 | |
|     local REALDEV OLDMAC NEWMAC LAST_BYTE i
 | |
|     REALDEV=$1
 | |
|     OLDMAC=$(get_interface_mac "$REALDEV")
 | |
|     NEWMAC=""
 | |
|     LAST_BYTE=$(printf %d 0x${OLDMAC##*:})
 | |
|     for i in {10..240}; do
 | |
|         NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))"
 | |
|         (get_all_mac_in_system | grep "$NEWMAC" > /dev/null 2>&1) || break
 | |
|     done
 | |
|     echo "$NEWMAC"
 | |
| }
 | |
| 
 | |
| generate_random_mac() {
 | |
|     local r1 r2 r3 r4 r5 r6 
 | |
|     local RAND_MAC
 | |
|     while :; do
 | |
|         r1=$( printf "%02x" $(($RANDOM%256/4*4)) )
 | |
|         r2=$( printf "%02x" $(($RANDOM%256)) )
 | |
|         r3=$( printf "%02x" $(($RANDOM%256)) )
 | |
|         r4=$( printf "%02x" $(($RANDOM%256)) )
 | |
|         r5=$( printf "%02x" $(($RANDOM%256)) )
 | |
|         r6=$( printf "%02x" $(($RANDOM%256)) )
 | |
|         RAND_MAC="$r1:$r2:$r3:$r4:$r5:$r6"
 | |
|         ( ! ip link | grep "link" | grep $RAND_MAC > /dev/null 2>&1 ) && \
 | |
|         ( ! ip maddress | grep "link" | grep $RAND_MAC > /dev/null 2>&1 ) && \
 | |
|         ( ! ip neigh | grep "lladdr $RAND_MAC" > /dev/null 2>&1 ) && \
 | |
|         ( ! get_all_mac_in_system | grep $RAND_MAC ) && \
 | |
|         break
 | |
|     done
 | |
|     echo "$RAND_MAC"
 | |
| }
 | |
| 
 | |
| 
 | |
| is_ip4_lan_range_available() { # checks 192.168.x.x
 | |
|     ( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1
 | |
|     ( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1
 | |
|     ( ip -4 route get 192.168.$1.0 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \
 | |
|     ( ip -4 route get 192.168.$1.255 2>&1 | grep  -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 )  && return 0
 | |
|     return 1
 | |
| }
 | |
| is_ip6_lan_range_available() {  # checks fdxx::
 | |
|     ( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
 | |
|     ( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
 | |
|     ( ip -6 route get fd$1:$2$3:$4$5:$6$7:: 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \
 | |
|     ( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 )  && return 0
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| generate_random_ip4() {
 | |
|     local random_ip4
 | |
|     while :; do
 | |
|         random_ip4=$(($RANDOM%256))
 | |
|         is_ip4_lan_range_available $random_ip4 && break
 | |
|     done
 | |
|     echo "192.168.$random_ip4.1"
 | |
| }
 | |
| generate_random_lan_ip6_prefix() {
 | |
|     local r1 r2 r3 r4 r5 r6 r7
 | |
|     while :; do
 | |
|         r1=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r2=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r3=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r4=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r5=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r6=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         r7=$( printf "%x" $(($RANDOM%240+16)) )
 | |
|         is_ip6_lan_range_available $r1 $r2 $r3 $r4 $r5 $r6 $r7 && break
 | |
|     done
 | |
|     echo "fd$r1:$r2$r3:$r4$r5:$r6$r7::"
 | |
| }
 | |
| 
 | |
| 
 | |
| 
 | |
| # start haveged when needed
 | |
| haveged_watchdog() {
 | |
|     local show_warn=1
 | |
|     while :; do
 | |
|         if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
 | |
|             if ! which haveged > /dev/null 2>&1; then
 | |
|                 if [[ $show_warn -eq 1 ]]; then
 | |
|                     echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2
 | |
|                     show_warn=0
 | |
|                 fi
 | |
|             elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ?
 | |
|                 echo "Low entropy detected, starting haveged" 1>&2
 | |
|                 # boost low-entropy
 | |
|                 haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
 | |
|             fi
 | |
|         fi
 | |
|         sleep 2
 | |
|     done
 | |
| }
 | |
| pid_watchdog() {
 | |
|     local PID="$1"
 | |
|     local SLEEP="$2"
 | |
|     local ERR_MSG="$3"
 | |
|     local ST
 | |
|     while true
 | |
|     do 
 | |
|         if [[ -e "/proc/$PID" ]]; then
 | |
|             ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')"
 | |
|             if [[ "$ST" != 'Z' ]]; then
 | |
|                 sleep $SLEEP
 | |
|                 continue
 | |
|             fi
 | |
|         fi
 | |
|         die "$ERR_MSG"
 | |
|     done
 | |
|     
 | |
| }
 | |
| #========
 | |
| 
 | |
| 
 | |
| # only support NetworkManager >= 0.9.9
 | |
| is_nm_running() {
 | |
|     if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then
 | |
|         echo 1
 | |
|     else
 | |
|         echo 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| nm_knows() {
 | |
|     (nmcli dev show $1 | grep -E "^GENERAL.STATE:" >/dev/null 2>&1 ) && return 0 # nm sees
 | |
|     return 1 # nm doesn't see this interface
 | |
| }
 | |
| nm_get_manage() { # get an interface's managed state
 | |
|     local s
 | |
|     s=$(nmcli dev show $1 | grep -E "^GENERAL.STATE:") || return 2 # no such interface
 | |
|     (echo $s | grep "unmanaged" >/dev/null 2>&1) && return 1 # unmanaged
 | |
|     return 0 # managed
 | |
| }
 | |
| nm_set_unmanaged() {
 | |
|     while ! nm_knows $1 ; do # wait for virtual wifi interface seen by NM
 | |
|         sleep 0.5
 | |
|     done
 | |
|     if nm_get_manage $1 ;then
 | |
|         echo "Set $1 unmanaged by NetworkManager"
 | |
|         nmcli dev set $1 managed no || die "Failed to set $1 unmanaged by NetworkManager"
 | |
|         NM_UNM_LIST=$1
 | |
|         sleep 1
 | |
|     fi
 | |
| }
 | |
| 
 | |
| nm_set_managed() {
 | |
|     nmcli dev set $1 managed yes
 | |
|     NM_UNM_LIST=
 | |
| }
 | |
| nm_restore_manage() {
 | |
|     if [[ $NM_UNM_LIST ]]; then
 | |
|         echo "Restore $NM_UNM_LIST managed by NetworkManager"
 | |
|         nm_set_managed $NM_UNM_LIST
 | |
|         sleep 0.5
 | |
|     fi
 | |
| }
 | |
| #=========
 | |
| check_iptables()
 | |
| {
 | |
|     echo
 | |
|     iptables --version
 | |
|     
 | |
|     if which firewall-cmd > /dev/null 2>&1; then
 | |
|         if [[ "$(firewall-cmd --state)" == "running" ]]; then
 | |
|             echo "firewalld is running ($(firewall-cmd --version))"
 | |
|             #echo "firewalld version "
 | |
|         fi
 | |
|     fi
 | |
| }
 | |
| iptables_()
 | |
| {
 | |
|     # NETFILTER_XT_MATCH_COMMENT would be a env variable if user wants to disable '-m comment'
 | |
|     if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
 | |
|         iptables -w $@ 
 | |
|     else
 | |
|         iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
 | |
|     fi
 | |
|     return $?
 | |
| }
 | |
| ip6tables_()
 | |
| {
 | |
|     if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
 | |
|         ip6tables -w $@
 | |
|     else
 | |
|         ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
 | |
|     fi
 | |
|     return $?
 | |
| }
 | |
| 
 | |
| start_nat() {
 | |
|     if [[ $INTERNET_IFACE ]]; then
 | |
|         IPTABLES_NAT_OUT="-o ${INTERNET_IFACE}"
 | |
|         IPTABLES_NAT_IN="-i ${INTERNET_IFACE}"
 | |
|         MASQUERADE_NOTOUT=""
 | |
|     else
 | |
|         MASQUERADE_NOTOUT="! -o ${SUBNET_IFACE}"
 | |
|     fi
 | |
|     echo
 | |
|     echo "iptables: NAT "
 | |
|     if [[ $NO4 -eq 0 ]]; then
 | |
|         iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
 | |
|         iptables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
 | |
|         iptables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE || die
 | |
|         ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
 | |
|         ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN   -d ${PREFIX6}/64 -j ACCEPT || die
 | |
|     fi
 | |
| }
 | |
| stop_nat() {
 | |
|     echo "iptables: stop NAT"
 | |
|     if [[ $NO4 -eq 0 ]]; then
 | |
|         iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE
 | |
|         iptables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT
 | |
|         iptables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE
 | |
|         ip6tables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT
 | |
|         ip6tables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${PREFIX6}/64 -j ACCEPT
 | |
|     fi
 | |
| }
 | |
| 
 | |
| start_ban_lan() {
 | |
|     echo
 | |
|     echo "iptables: Disallow clients to access LAN"
 | |
|     iptables_ -N BANLAN-f-${SUBNET_IFACE}  || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 169.254.0.0/16 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 172.16.0.0/12 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 192.168.0.0/16 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 224.0.0.0/4 -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 255.255.255.255 -j REJECT || die
 | |
|     
 | |
|     iptables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
 | |
|     
 | |
|     iptables_ -N BANLAN-i-${SUBNET_IFACE}
 | |
|     #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
 | |
|     iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
 | |
|     # TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security
 | |
|     
 | |
|     iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
 | |
|     
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -N BANLAN-f-${SUBNET_IFACE}  || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fc00::/7 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fe80::/10 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ff00::/8 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::1 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::/128 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0/96 -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0:0/96 -j REJECT || die
 | |
| 
 | |
|         ip6tables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
 | |
|         
 | |
|         ip6tables_ -N BANLAN-i-${SUBNET_IFACE}  || die
 | |
|         #ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
 | |
|         ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
 | |
| 
 | |
|         ip6tables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
 | |
|     fi
 | |
| }
 | |
| stop_ban_lan() {
 | |
|     echo "iptables: Unban clients' LAN access"
 | |
|     
 | |
|     iptables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
 | |
|     
 | |
|     iptables_ -F BANLAN-f-${SUBNET_IFACE}
 | |
|     iptables_ -X BANLAN-f-${SUBNET_IFACE}
 | |
|     
 | |
|     iptables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
 | |
|     
 | |
|     iptables_ -F BANLAN-i-${SUBNET_IFACE}
 | |
|     iptables_ -X BANLAN-i-${SUBNET_IFACE}
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
 | |
|     
 | |
|         ip6tables_ -F BANLAN-f-${SUBNET_IFACE}
 | |
|         ip6tables_ -X BANLAN-f-${SUBNET_IFACE} 
 | |
|         
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
 | |
|         
 | |
|         ip6tables_ -F BANLAN-i-${SUBNET_IFACE}
 | |
|         ip6tables_ -X BANLAN-i-${SUBNET_IFACE} 
 | |
|     fi
 | |
| }
 | |
| 
 | |
| allow_dns_port() {
 | |
|     echo
 | |
|     echo "iptables: allow DNS"
 | |
|     iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
 | |
|     iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
 | |
|         ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
 | |
|     fi
 | |
| }
 | |
| unallow_dns_port() {
 | |
|     echo "iptables: unallow DNS"
 | |
|     iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
 | |
|     iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY}  -p udp -m udp --dport 53 -j ACCEPT
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
 | |
|     fi
 | |
| }
 | |
| 
 | |
| start_catch_dns() {
 | |
|     echo
 | |
|     echo "iptables: redirect all TCP/UDP packet that destination port is 53"
 | |
|     iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
 | |
|     iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
 | |
|         ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
 | |
|     fi
 | |
| }
 | |
| stop_catch_dns() {
 | |
|     echo "iptables: stop redirecting DNS queries"
 | |
|     iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
 | |
|     iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
 | |
|         ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
 | |
|     fi
 | |
| }
 | |
| 
 | |
| allow_dhcp() {
 | |
|     echo 
 | |
|     echo "iptables: allow dhcp"
 | |
|     iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
 | |
|     fi
 | |
| }
 | |
| unallow_dhcp() {
 | |
|     echo "iptables: unallow dhcp"
 | |
|     iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
 | |
|     fi
 | |
| }
 | |
| 
 | |
| # TODO: use 'DNAT' instead of '--to-ports' to support other IP
 | |
| start_redsocks() {
 | |
|     echo
 | |
|     echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
 | |
|     if [[ $NO4 -eq 0 ]]; then
 | |
|         iptables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 100.64.0.0/10  -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
 | |
|         iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 255.255.255.255 -j RETURN || die
 | |
|         
 | |
|         iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
 | |
|         iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
 | |
| 
 | |
|         iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die
 | |
| 
 | |
|         iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
 | |
|         iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
 | |
|         ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
 | |
|         ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
 | |
|         ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
 | |
|         ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
 | |
|         ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
 | |
| 
 | |
|         ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
 | |
|         ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
 | |
| 
 | |
|         ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die
 | |
| 
 | |
|         ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
 | |
|         ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die   
 | |
|     fi
 | |
| }
 | |
| stop_redsocks() {
 | |
|     echo "iptables: stop transparent proxy"
 | |
|     if [[ $NO4 -eq 0 ]]; then
 | |
|         iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24  -j REDSOCKS-${SUBNET_IFACE}
 | |
|         iptables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
 | |
|         iptables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
 | |
|         
 | |
|         iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
 | |
|         iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64  -j REDSOCKS-${SUBNET_IFACE}
 | |
|         ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
 | |
|         ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
 | |
|         
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
 | |
|         ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
 | |
|     fi
 | |
| }
 | |
| #---------------------------------------
 | |
| backup_ipv6_bits() {
 | |
|     mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status"
 | |
|     cp  "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" \
 | |
|         "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra"     \
 | |
|         "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr"  \
 | |
|         "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" \
 | |
|             "$CONFDIR/sys_6_conf_iface/" || die "Failed backing up interface ipv6 bits"
 | |
|             
 | |
|     if [[ "$SHARE_METHOD" == 'redsocks' ]] ; then
 | |
|         cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" \
 | |
|             "$CONFDIR/sys_6_conf_iface/" || die "Failed backking up interface ipv6 bits"
 | |
|     fi
 | |
| }
 | |
| set_ipv6_bits() {
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6"
 | |
|         echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra"
 | |
|         echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr"
 | |
|         echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode"
 | |
|     else
 | |
|         echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6"
 | |
|     fi
 | |
| }
 | |
| restore_ipv6_bits() {
 | |
|     if [[ -d "$CONFDIR/sys_6_conf_iface" ]]; then
 | |
|         cp -f "$CONFDIR/sys_6_conf_iface/*" "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/"
 | |
|     fi
 | |
| }
 | |
| 
 | |
| set_interface_mac() {
 | |
|     local INTERFACE
 | |
|     local MAC
 | |
|     
 | |
|     INTERFACE=$1
 | |
|     MAC=$2
 | |
|     
 | |
|     ip link set dev ${INTERFACE} address ${MAC} 
 | |
| }
 | |
| 
 | |
| backup_interface_status() {
 | |
|     # virtual wifi interface will be destroyed, so no need to save status
 | |
|     
 | |
|     # backup interface up or down status
 | |
|     (ip link show ${SUBNET_IFACE} |grep -q "state UP") && SUBNET_IFACE_ORIGINAL_UP_STATUS=1
 | |
|     
 | |
|     # save interface old mac 
 | |
|     #if [[ -n "$NEW_MACADDR" ]]; then 
 | |
|         OLD_MACADDR=$(get_interface_mac $SUBNET_IFACE)
 | |
|         #echo "Saved ${SUBNET_IFACE} old MAC address ${OLD_MACADDR} into RAM"
 | |
|     #fi
 | |
|     
 | |
|     backup_ipv6_bits
 | |
|     
 | |
|     # TODO : backup ip and others
 | |
|     
 | |
|     # nm managing status is saved when nm_set_unmanaged()
 | |
| }
 | |
| restore_interface_status() {
 | |
|     # virtual wifi interface will be destroyed, so no need to restore status
 | |
|     # don't use [[ $VWIFI_IFACE ]] to judge, if creating virtual wifi failed, VWIFI_IFACE is empty
 | |
|     [[ "$WIFI_IFACE" && "$NO_VIRT" -eq 0 ]] && return
 | |
|     
 | |
|     restore_ipv6_bits
 | |
| 
 | |
|     if [[ -n "$OLD_MACADDR" && "$(get_interface_mac $SUBNET_IFACE)" != "$OLD_MACADDR" ]] ; then
 | |
|         echo "Restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR} ..."
 | |
|         set_interface_mac ${SUBNET_IFACE} ${OLD_MACADDR} || echo "Failed restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR}" >&2
 | |
|     fi
 | |
|     
 | |
|     nm_restore_manage
 | |
|     
 | |
|     [[ $SUBNET_IFACE_ORIGINAL_UP_STATUS -eq 1 ]] && ip link set up dev ${SUBNET_IFACE} && echo "Restore ${SUBNET_IFACE} to link up"
 | |
| }
 | |
| #---------------------------------------
 | |
| 
 | |
| kill_processes() { # for this instance
 | |
|     #echo "Killing processes"
 | |
|     local x  pid
 | |
|     for x in $CONFDIR/*.pid; do
 | |
|         # even if the $CONFDIR is empty, the for loop will assign
 | |
|         # a value in $x. so we need to check if the value is a file
 | |
|         if [[ -f $x ]] &&  sleep 0.3  && [[ -f $x ]]; then
 | |
|             pid=$(cat $x)
 | |
|             pn=$( ps -p $pid -o comm= ) 
 | |
|             #echo "Killing $pid $pn ... "
 | |
|             pkill -P $pid
 | |
|             kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited"
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| 
 | |
| _cleanup() {
 | |
|     local x
 | |
| 
 | |
|     ip addr flush ${SUBNET_IFACE}
 | |
|     
 | |
|     rm -rf $CONFDIR
 | |
|     
 | |
|     ip link set down dev ${SUBNET_IFACE}
 | |
|     
 | |
|     if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed
 | |
|         iw dev ${VWIFI_IFACE} del
 | |
|         dealloc_vface_name $VWIFI_IFACE
 | |
|     fi
 | |
|     
 | |
|     restore_interface_status
 | |
|     
 | |
|     if ! has_running_instance; then
 | |
|         echo "Exiting: This is the only running instance"
 | |
|         # kill common processes
 | |
|         for x in $COMMON_CONFDIR/*.pid; do
 | |
|             [[ -f $x ]] && kill -9 $(cat $x) && rm $x
 | |
|         done
 | |
|         
 | |
|         rm -d $COMMON_CONFDIR/vfaces
 | |
|         rm -d $COMMON_CONFDIR
 | |
|         rm -d $TMPDIR
 | |
|     else
 | |
|         echo "Exiting: This is NOT the only running instance"
 | |
|     fi
 | |
| }
 | |
| 
 | |
| clean_iptables() {
 | |
| 
 | |
|     if [[ "$SHARE_METHOD" == "nat" ]]; then
 | |
|         stop_nat
 | |
|     elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
 | |
|         stop_redsocks
 | |
|     fi
 | |
|     
 | |
|     if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
 | |
|         unallow_dns_port
 | |
|     fi
 | |
|     
 | |
|     [[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns
 | |
|     
 | |
|     
 | |
|     if [[ $NO_DNSMASQ -eq 0 ]]; then
 | |
|         unallow_dhcp
 | |
|     fi
 | |
|     
 | |
|     [[ "$BANLAN" -eq 1 ]] && stop_ban_lan
 | |
| }
 | |
| 
 | |
| cleanup() {
 | |
|     trap "" SIGINT SIGUSR1 SIGUSR2 EXIT SIGTERM
 | |
|     echo
 | |
|     echo
 | |
|     echo "Doing cleanup.. "
 | |
|     kill_processes
 | |
|     clean_iptables  2> /dev/null
 | |
|     _cleanup 2> /dev/null
 | |
|     
 | |
|     pgid=$(ps opgid= $$ |awk '{print $1}' )
 | |
|     kill -15 -$pgid
 | |
|     sleep 1 
 | |
|     echo "Cleaning up done"
 | |
|     #kill -9 -$pgid
 | |
| }
 | |
| 
 | |
| # NOTE function die() is designed not to be used before init_trap() executed
 | |
| die() { # SIGUSR2
 | |
|     echo "Error occured"
 | |
|     [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2
 | |
|     # send die signal to the main process
 | |
|     [[ $BASHPID -ne $$ ]] && kill -USR2 $$ || cleanup
 | |
|     exit 1
 | |
| }
 | |
| 
 | |
| clean_exit() { # SIGUSR1
 | |
|     # send clean_exit signal to the main process
 | |
|     [[ $BASHPID -ne $$ ]] && kill -USR1 $$ || cleanup
 | |
|     exit 0
 | |
| }
 | |
| 
 | |
| init_trap(){
 | |
|     trap "cleanup" EXIT
 | |
|     trap "clean_exit" SIGINT SIGUSR1 SIGTERM
 | |
|     trap "die" SIGUSR2
 | |
| }
 | |
| init_conf_dirs() {
 | |
|     mkdir -p "$TMPDIR" || die "Couldn't make linux-router's temporary dir"
 | |
|     chmod 755 "$TMPDIR" 2>/dev/null
 | |
|     cd "$TMPDIR" || die "Couldn't change directory to linux-router's temporary path"
 | |
| 
 | |
|     CONFDIR="$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXXXXX)" || die "Instance couldn't make config dir" # config dir for one instance
 | |
|     chmod 755 "$CONFDIR"
 | |
|     #echo "Config dir: $CONFDIR"
 | |
|     echo $$ > "$CONFDIR/pid"
 | |
| 
 | |
|     COMMON_CONFDIR="$TMPDIR/lnxrouter_common.conf" # config dir for all instances
 | |
|     mkdir -p "$COMMON_CONFDIR"
 | |
| }
 | |
| 
 | |
| #== functions to deal with running instances
 | |
| 
 | |
| list_running_conf() {
 | |
|     local x
 | |
|     for x in $TMPDIR/lnxrouter.*; do
 | |
|         if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then
 | |
|             echo "$x"
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| 
 | |
| list_running() {
 | |
|     local IFACE subn_iface x
 | |
|     for x in $(list_running_conf); do
 | |
|         IFACE=${x#*.}
 | |
|         IFACE=${IFACE%%.*}
 | |
|         subn_iface=$(cat $x/subn_iface)
 | |
| 
 | |
|         if [[ $IFACE == $subn_iface ]]; then
 | |
|             echo $(cat $x/pid) $IFACE
 | |
|         else
 | |
|             echo $(cat $x/pid) $IFACE '('$(cat $x/subn_iface)')'
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| 
 | |
| get_subn_iface_from_pid() {
 | |
|     list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E "^${1} " | cut -d' ' -f2
 | |
| }
 | |
| 
 | |
| get_pid_from_subn_iface() {
 | |
|     list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E " ${1}$" | cut -d' ' -f1
 | |
| }
 | |
| 
 | |
| get_confdir_from_pid() {
 | |
|     local IFACE x
 | |
|     for x in $(list_running_conf); do
 | |
|         if [[ $(cat $x/pid) == "$1" ]]; then
 | |
|             echo "$x"
 | |
|             break
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| 
 | |
| #======================================================
 | |
| 
 | |
| print_clients_from_leases() {  # MAC|IP|HOST|lease
 | |
|     local LEASE_FILE="$1"
 | |
|     local FILEC
 | |
|     local line
 | |
|     local LEASEstr LEASEstamp
 | |
|     
 | |
|     FILEC="$(cat "$LEASE_FILE" | grep -v -E "^duid\b" | sed -r '/^\s*$/d' )"
 | |
| 
 | |
|     # TODO: duid is somewhat related to ipv6. I don't know about it. Not sure excluding it miss some info or not
 | |
|     echo "$FILEC" | while read line
 | |
|     do
 | |
|         #echo aa$line
 | |
|         LEASEstamp="$(echo "$line" | awk '{print $1}')"
 | |
|         MAC="$(echo "$line" | awk '{print $2}')"
 | |
|         IP="$(echo "$line" | awk '{print $3}'  | sed 's/\[//g' | sed 's/\]//g')"
 | |
|         HOST="$(echo "$line" | awk '{print $4}' | sed 's/*/?/g' | sed 's/|/_/g' | sed 's/ /_/g' )"
 | |
|         
 | |
|         if [[ -n "$MAC" ]]; then
 | |
|             LEASEstr="$(date -d @${LEASEstamp} +%m-%d_%X)"
 | |
|             
 | |
|             echo "$MAC|$IP|$HOST|lease_$LEASEstr"
 | |
|         fi
 | |
|     done
 | |
|     
 | |
| }
 | |
| print_interface_neighbors_via_iproute() {  # MAC|IP|_|STATUS 
 | |
|     local IFACE=$1
 | |
|     
 | |
|     local line
 | |
|     
 | |
|     ip n | grep -E "\bdev $IFACE\b" | sed 's/ /|/g' | while read line
 | |
|     do
 | |
|         local MAC IP STATUS
 | |
|         
 | |
|         IP="$(echo $line | awk -F'|' '{print $1}')"
 | |
|         
 | |
|         if [[ "$(echo $line | awk -F'|' '{print $4}')" == "lladdr" ]]; then # has mac
 | |
|             # if has mac, $4="lladdr" and $5=macaddress and $6+=status
 | |
|             MAC="$(echo $line | awk -F'|' '{print $5}')"
 | |
|             STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";$5="";{print}' | awk '{$1=$1;print}'| sed 's/ /,/g')"
 | |
|         else # no mac 
 | |
|             # if no mac, $4="" and $5+=status
 | |
|             MAC="?"
 | |
|             STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";{print}' | awk '{$1=$1;print}' | sed 's/ /,/g')"
 | |
|         fi
 | |
|         if [[ -n "$IP" && ( "$MAC" != "?" || "$STATUS" != "FAILED" ) ]]; then
 | |
|             echo "$MAC|$IP|?|$STATUS"
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| print_interface_neighbors_via_iw() {  # MAC|_|_|signal  
 | |
|     local IFACE=$1
 | |
|     local MAC SIGNAL
 | |
|     iw dev $IFACE station dump | awk '($1 ~ /Station$/) {print $2}' | while read MAC
 | |
|     do
 | |
|         if [[ -n "$MAC" ]]; then
 | |
|             SIGNAL="$(iw dev $IFACE station get $MAC | grep "signal:" | awk '{print $2}')"
 | |
|             echo "${MAC}|?|?|${SIGNAL}_dBm"
 | |
|         fi
 | |
|     done
 | |
| }
 | |
| 
 | |
| list_clients() { # passive mode. (use 'arp-scan' or 'netdiscover' if want active mode)
 | |
|     local IFACE pid
 | |
|     local CONFDIR
 | |
|     
 | |
|     local output=""
 | |
|     # If number (PID) is given, get the associated wifi iface
 | |
|     if [[ "$1" =~ ^[1-9][0-9]*$ ]]; then
 | |
|         pid="$1"
 | |
|         IFACE=$(get_subn_iface_from_pid "$pid")
 | |
|         if [[ -z "$IFACE" ]] ; then
 | |
|             echo "'$pid' is not the pid of a running $PROGNAME instance." >&2 
 | |
|             exit 1
 | |
|         fi
 | |
|     else # non-number given
 | |
|         IFACE="$1"
 | |
|         if ( ! is_interface $IFACE ) ; then
 | |
|             echo "'$IFACE' is not an interface or PID" >&2
 | |
|             exit 1
 | |
|         fi
 | |
|         pid=$(get_pid_from_subn_iface "$IFACE")
 | |
|         if [[ -n "$pid" ]] ; then  # if this interface is hosted by us
 | |
|             CONFDIR=$(get_confdir_from_pid "$pid")
 | |
|             output="$(print_clients_from_leases "$CONFDIR/dnsmasq.leases" )"
 | |
|         else    # this interface NOT hosted by us
 | |
|             echo "Tip: '$IFACE' is not an interface hosted by $PROGNAME" >&2
 | |
|         fi
 | |
|     fi
 | |
|     output="$(echo "$output" ; print_interface_neighbors_via_iw $IFACE) "
 | |
|     output="$(echo "$output" ; print_interface_neighbors_via_iproute $IFACE)"
 | |
|     
 | |
|     output="$(echo "$output" | sort -k 1 -k 2 -t '|' | uniq | sed -r '/^\s*$/d')"
 | |
| 
 | |
|     echo "$IFACE ($(get_interface_mac $IFACE)) neighbors:"
 | |
|     
 | |
|     local fmt="%-19s%-41s%-20s%s" # string length: MAC 17, ipv4 15, ipv6 39, hostname ?
 | |
|     printf "$fmt\n"  "MAC" "IP" "HOSTNAME" "INFO"
 | |
|     
 | |
|     local line
 | |
|     echo "$output"| while read line
 | |
|     do
 | |
|         if [[ -n "$line" ]]; then
 | |
|             echo "$line" | awk -F'|' "{printf \"$fmt\n\",\$1,\$2,\$3,\$4}"
 | |
|         fi
 | |
|     done
 | |
|     # TODO : merge same mac and same ip line
 | |
| }
 | |
| 
 | |
| has_running_instance() {
 | |
|     local PID x
 | |
| 
 | |
|     for x in $TMPDIR/lnxrouter.*; do
 | |
|         if [[ -f $x/pid ]]; then
 | |
|             PID=$(cat $x/pid)
 | |
|             if [[ -d /proc/$PID ]]; then
 | |
|                 return 0
 | |
|             fi
 | |
|         fi
 | |
|     done
 | |
| 
 | |
|     return 1
 | |
| }
 | |
| 
 | |
| is_running_pid() {
 | |
|     list_running | grep -E "^${1} " > /dev/null 2>&1
 | |
| }
 | |
| 
 | |
| send_stop() {
 | |
|     local x
 | |
| 
 | |
|     # send stop signal to specific pid
 | |
|     if is_running_pid $1; then
 | |
|         kill -USR1 $1
 | |
|         return
 | |
|     fi
 | |
| 
 | |
|     # send stop signal to specific interface
 | |
|     for x in $(list_running | grep -E " \(?${1}( |\)?\$)" | cut -f1 -d' '); do
 | |
|         kill -USR1 $x
 | |
|     done
 | |
| }
 | |
| 
 | |
| 
 | |
| ## ========================================================
 | |
| ## ========================================================
 | |
| # decide linux-router's global temporary path for all instances
 | |
| # this is different and should be before config-saving dir. The latter is for one instance
 | |
| decide_tmpdir(){
 | |
|     local TMPD
 | |
|     if [[ -d /dev/shm ]]; then
 | |
|         TMPD=/dev/shm
 | |
|     elif [[ -d /run/shm ]]; then
 | |
|         TMPD=/run/shm
 | |
|     else
 | |
|         TMPD=/tmp
 | |
|     fi
 | |
|     #TMPDIR=$TMPD/lnxrouter_tmp
 | |
|     echo "$TMPD/lnxrouter_tmp"
 | |
| }
 | |
| 
 | |
| #======
 | |
| 
 | |
| check_other_functions(){
 | |
|     if [[ $LIST_RUNNING -eq 1 ]]; then
 | |
|         echo -e "List of running $PROGNAME instances:\n"
 | |
|         list_running
 | |
|         exit 0
 | |
|     fi
 | |
| 
 | |
|     if [[ -n "$LIST_CLIENTS_ID" ]]; then
 | |
|         list_clients "$LIST_CLIENTS_ID"
 | |
|         exit 0
 | |
|     fi
 | |
| 
 | |
|     ##### root test ##### NOTE above don't require root ##########
 | |
|     if [[ $(id -u) -ne 0 ]]; then
 | |
|         echo "You must run it as root." >&2
 | |
|         exit 1
 | |
|     fi
 | |
|     ###### NOTE below require root ##########
 | |
| 
 | |
|     if [[ -n "$STOP_ID" ]]; then
 | |
|         echo "Trying to kill $PROGNAME instance associated with $STOP_ID..."
 | |
|         send_stop "$STOP_ID"
 | |
|         exit 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| 
 | |
| daemonizing_check(){
 | |
|     if [[ $DAEMONIZE -eq 1 && $RUNNING_AS_DAEMON -eq 0 ]]; then
 | |
|         echo "Running as Daemon..."
 | |
|         # run a detached lnxrouter
 | |
|         RUNNING_AS_DAEMON=1 setsid "$0" "${ARGS[@]}" &
 | |
|         exit 0
 | |
|     fi
 | |
| }
 | |
| 
 | |
| #============================
 | |
| check_wifi_settings() {
 | |
| 
 | |
|     if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then
 | |
|         echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ..." >&2
 | |
|         USE_IWCONFIG=1
 | |
|     fi
 | |
|     
 | |
|     if [[ $USE_IWCONFIG -eq 1 ]]; then
 | |
|         if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then
 | |
|             echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2
 | |
|             exit 1
 | |
|         fi
 | |
|     fi
 | |
|     
 | |
|     if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then
 | |
|         echo "ERROR: Invalid frequency band" >&2
 | |
|         exit 1
 | |
|     fi
 | |
| 
 | |
|     if [[ $CHANNEL == default ]]; then
 | |
|         if [[ $FREQ_BAND == 2.4 ]]; then
 | |
|             CHANNEL=1
 | |
|         else
 | |
|             CHANNEL=36
 | |
|         fi
 | |
|     fi
 | |
| 
 | |
|     if [[ $FREQ_BAND != 5 && $CHANNEL -gt 14 ]]; then
 | |
|         echo "Channel number is greater than 14, assuming 5GHz frequency band"
 | |
|         FREQ_BAND=5
 | |
|     fi
 | |
| 
 | |
|     if ! can_be_ap ${WIFI_IFACE}; then
 | |
|         echo "ERROR: Your adapter does not support AP (master) mode" >&2
 | |
|         exit 1
 | |
|     fi
 | |
| 
 | |
|     if ! can_be_sta_and_ap ${WIFI_IFACE}; then
 | |
|         if is_interface_wifi_connected ${WIFI_IFACE}; then
 | |
|             echo "ERROR: Your adapter can not be a station (i.e. be connected) and an AP at the same time" >&2
 | |
|             exit 1
 | |
|         elif [[ $NO_VIRT -eq 0 ]]; then
 | |
|             echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2
 | |
|             NO_VIRT=1
 | |
|         fi
 | |
|     fi
 | |
| 
 | |
|     HOSTAPD=$(which hostapd)
 | |
| 
 | |
|     if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^(8192[cd][ue]|8723a[sue])$ ]]; then
 | |
|         if ! strings "$HOSTAPD" | grep -m1 rtl871xdrv > /dev/null 2>&1; then
 | |
|             echo "ERROR: You need to patch your hostapd with rtl871xdrv patches." >&2
 | |
|             exit 1
 | |
|         fi
 | |
| 
 | |
|         if [[ $DRIVER != "rtl871xdrv" ]]; then
 | |
|             echo "WARN: Your adapter needs rtl871xdrv, enabling --driver=rtl871xdrv" >&2
 | |
|             DRIVER=rtl871xdrv
 | |
|         fi
 | |
|     fi
 | |
|     
 | |
|     if [[ ${#SSID} -lt 1 || ${#SSID} -gt 32 ]]; then
 | |
|         echo "ERROR: Invalid SSID length ${#SSID} (expected 1..32)" >&2
 | |
|         exit 1
 | |
|     fi
 | |
| 
 | |
|     if [[ $USE_PSK -eq 0 ]]; then
 | |
|         if [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -lt 8 ]] || [[ ${#PASSPHRASE} -gt 63 ]]; then
 | |
|             echo "ERROR: Invalid passphrase length ${#PASSPHRASE} (expected 8..63)" >&2
 | |
|             exit 1
 | |
|         fi
 | |
|     elif [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -ne 64 ]]; then
 | |
|         echo "ERROR: Invalid pre-shared-key length ${#PASSPHRASE} (expected 64)" >&2
 | |
|         exit 1
 | |
|     fi
 | |
| 
 | |
|     if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^rtl[0-9].*$ ]]; then
 | |
|         if [[ $WPA_VERSION == '1' || $WPA_VERSION == '1+2' ]]; then
 | |
|             echo "WARN: Realtek drivers usually have problems with WPA1, WPA2 is recommended" >&2
 | |
|         fi
 | |
|         echo "WARN: If AP doesn't work, read https://github.com/oblique/create_ap/blob/master/howto/realtek.md" >&2
 | |
|     fi
 | |
| }
 | |
| 
 | |
| check_if_new_mac_valid() {
 | |
|     if ! is_unicast_macaddr "$NEW_MACADDR"; then
 | |
|         echo "ERROR: The first byte of MAC address (${NEW_MACADDR}) must be even" >&2
 | |
|         exit 1
 | |
|     fi
 | |
| 
 | |
|     if [[ $(get_all_mac_in_system | grep -c ${NEW_MACADDR}) -ne 0 ]]; then
 | |
|         echo "WARN: MAC address '${NEW_MACADDR}' already exists" >&2
 | |
|     fi
 | |
| }
 | |
| 
 | |
| decide_target_interface() {
 | |
|     # TARGET_IFACE is a existing physical interface
 | |
|     if [[ "$CONN_IFACE" ]]; then
 | |
|         echo "$CONN_IFACE"
 | |
|     elif [[ "$WIFI_IFACE" ]]; then
 | |
|         echo "$WIFI_IFACE"
 | |
|     else
 | |
|         echo "No target interface specified"  >&2
 | |
|         return 1
 | |
|     fi
 | |
| }
 | |
| 
 | |
| decide_ip_addresses() {
 | |
|     if [[ ! -n $GATEWAY ]]; then
 | |
|         GATEWAY="$(generate_random_ip4)"
 | |
|         echo "Use random LAN IPv4 address $GATEWAY"
 | |
|     elif [[ ! "$GATEWAY" =~ "." ]]; then
 | |
|         GATEWAY="192.168.${GATEWAY}.1"
 | |
|     fi
 | |
| 
 | |
|     if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
 | |
|         PREFIX6="$(generate_random_lan_ip6_prefix)"
 | |
|         echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
 | |
|     elif [[ ! "$PREFIX6" =~ ":" ]]; then
 | |
|         PREFIX6="fd00:0:0:${PREFIX6}::"
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         GATEWAY6="${PREFIX6}${IID6}"
 | |
|     fi
 | |
| }
 | |
| 
 | |
| prepare_wifi_interface() {
 | |
|     if [[ $USE_IWCONFIG -eq 0 ]]; then
 | |
|         iw dev ${WIFI_IFACE} set power_save off
 | |
|     fi
 | |
|     
 | |
|     if [[ $NO_VIRT -eq 0 ]]; then
 | |
|     ## Will generate virtual wifi interface
 | |
|         if is_interface_wifi_connected ${WIFI_IFACE}; then
 | |
|             WIFI_IFACE_FREQ=$(iw dev ${WIFI_IFACE} link | grep -i freq | awk '{print $2}')
 | |
|             WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel ${WIFI_IFACE_FREQ})
 | |
|             echo "${WIFI_IFACE} already in channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)"
 | |
|             if is_5ghz_frequency $WIFI_IFACE_FREQ; then
 | |
|                 FREQ_BAND=5
 | |
|             else
 | |
|                 FREQ_BAND=2.4
 | |
|             fi
 | |
|             if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
 | |
|                 echo "Channel fallback to ${WIFI_IFACE_CHANNEL}"
 | |
|                 CHANNEL=$WIFI_IFACE_CHANNEL
 | |
|             else
 | |
|                 echo
 | |
|             fi
 | |
|         fi
 | |
| 
 | |
|         echo "Creating a virtual WiFi interface... "
 | |
|         VWIFI_IFACE=$(alloc_new_vface_name)
 | |
|         if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
 | |
|             # Successfully created virtual wifi interface
 | |
|             # if NM running, it will give the new virtual interface a random MAC. MAC will go back after setting NM unmanaged
 | |
|             sleep 2  
 | |
|             echo "${VWIFI_IFACE} created"
 | |
|         else
 | |
|             VWIFI_IFACE=
 | |
|             die "Failed creating virtual WiFi interface. Maybe your WiFi adapter does not fully support virtual interfaces. Try again with '--no-virt'"
 | |
|         fi
 | |
|         
 | |
|         AP_IFACE=${VWIFI_IFACE}
 | |
|     else # no virtual wifi interface, use wifi device interface itself
 | |
|         AP_IFACE=${WIFI_IFACE}
 | |
|     fi
 | |
| }
 | |
| 
 | |
| decide_subnet_interface() {
 | |
|     if [[ $WIFI_IFACE ]]; then
 | |
|         echo "${AP_IFACE}"
 | |
|     else
 | |
|         echo "${TARGET_IFACE}"
 | |
|     fi
 | |
| }
 | |
| 
 | |
| dealwith_mac() {
 | |
|     local VMAC
 | |
|     
 | |
|     if [[ -n "$NEW_MACADDR" ]] ; then  # user choose to set subnet mac 
 | |
| 
 | |
|         echo "Setting ${SUBNET_IFACE} new MAC address ${NEW_MACADDR} ..."
 | |
|         set_interface_mac ${SUBNET_IFACE} ${NEW_MACADDR} || die "Failed setting new MAC address"
 | |
|         
 | |
|     elif [[ $VWIFI_IFACE ]]; then # user didn't choose to set mac, but using virtual wifi interface
 | |
| 
 | |
|         VMAC=$(get_new_macaddr_according_to_existing ${WIFI_IFACE})
 | |
|         if [[ "$VMAC" ]]; then
 | |
|             echo "Assigning MAC address $VMAC to virtual interface $VWIFI_IFACE according to $WIFI_IFACE ..."
 | |
|             set_interface_mac $VWIFI_IFACE $VMAC
 | |
|         fi
 | |
|     fi
 | |
| }
 | |
| 
 | |
| write_hostapd_conf() {  
 | |
|     cat <<- EOF > "$CONFDIR/hostapd.conf"
 | |
| 		beacon_int=100
 | |
| 		ssid=${SSID}
 | |
| 		interface=${AP_IFACE}
 | |
| 		driver=${DRIVER}
 | |
| 		channel=${CHANNEL}
 | |
| 		ctrl_interface=$CONFDIR/hostapd_ctrl
 | |
| 		ctrl_interface_group=0
 | |
| 		ignore_broadcast_ssid=$HIDDEN
 | |
| 		ap_isolate=$ISOLATE_CLIENTS
 | |
| 	EOF
 | |
| 
 | |
|     if [[ -n "$COUNTRY" ]]; then
 | |
|         cat <<- EOF >> "$CONFDIR/hostapd.conf"
 | |
| 			country_code=${COUNTRY}
 | |
| 			ieee80211d=1
 | |
| 		EOF
 | |
|     fi
 | |
| 
 | |
|     if [[ $FREQ_BAND == 2.4 ]]; then
 | |
|         echo "hw_mode=g" >> "$CONFDIR/hostapd.conf"
 | |
|     else
 | |
|         echo "hw_mode=a" >> "$CONFDIR/hostapd.conf"
 | |
|     fi
 | |
| 
 | |
|     if [[ $MAC_FILTER -eq 1 ]]; then
 | |
|         cat <<- EOF >> "$CONFDIR/hostapd.conf"
 | |
| 			macaddr_acl=${MAC_FILTER}
 | |
| 			accept_mac_file=${MAC_FILTER_ACCEPT}
 | |
| 		EOF
 | |
|     fi
 | |
| 
 | |
|     if [[ $IEEE80211N -eq 1 ]]; then
 | |
|         cat <<- EOF >> "$CONFDIR/hostapd.conf"
 | |
| 			ieee80211n=1
 | |
| 			ht_capab=${HT_CAPAB}
 | |
| 		EOF
 | |
|     fi
 | |
| 
 | |
|     if [[ $IEEE80211AC -eq 1 ]]; then
 | |
|         echo "ieee80211ac=1" >> "$CONFDIR/hostapd.conf"
 | |
|     fi
 | |
| 
 | |
|     if [[ -n "$VHT_CAPAB" ]]; then
 | |
|         echo "vht_capab=${VHT_CAPAB}" >> "$CONFDIR/hostapd.conf"
 | |
|     fi
 | |
| 
 | |
|     if [[ $IEEE80211N -eq 1 ]] || [[ $IEEE80211AC -eq 1 ]]; then
 | |
|         echo "wmm_enabled=1" >> "$CONFDIR/hostapd.conf"
 | |
|     fi
 | |
| 
 | |
|     if [[ -n "$PASSPHRASE" ]]; then
 | |
|         [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3
 | |
|         if [[ $USE_PSK -eq 0 ]]; then
 | |
|             WPA_KEY_TYPE=passphrase
 | |
|         else
 | |
|             WPA_KEY_TYPE=psk
 | |
|         fi
 | |
|         cat <<- EOF >> "$CONFDIR/hostapd.conf"
 | |
| 			wpa=${WPA_VERSION}
 | |
| 			wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
 | |
| 			wpa_key_mgmt=WPA-PSK
 | |
| 			wpa_pairwise=CCMP
 | |
| 			rsn_pairwise=CCMP
 | |
| 		EOF
 | |
|     else
 | |
|         echo "WARN: Wifi is not protected by password" >&2
 | |
|     fi
 | |
|     chmod 600 "$CONFDIR/hostapd.conf"
 | |
| }
 | |
| 
 | |
| write_dnsmasq_conf() {
 | |
|     if grep "^nobody:" /etc/group >/dev/null 2>&1 ; then
 | |
|         NOBODY_GROUP="nobody"
 | |
|     else
 | |
|         NOBODY_GROUP="nogroup"
 | |
|     fi
 | |
|     
 | |
|     mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"
 | |
|     chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner"
 | |
|     cat "$CONFDIR/dnsmasq.log" & 
 | |
|     
 | |
|     cat <<- EOF > "$CONFDIR/dnsmasq.conf"
 | |
| 		user=nobody
 | |
| 		group=$NOBODY_GROUP
 | |
| 		bind-dynamic
 | |
| 		listen-address=${GATEWAY}
 | |
| 		interface=$SUBNET_IFACE
 | |
| 		except-interface=lo
 | |
| 		no-dhcp-interface=lo
 | |
| 		dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
 | |
| 		dhcp-option-force=option:router,${GATEWAY}
 | |
| 		#log-dhcp
 | |
| 		log-facility=$CONFDIR/dnsmasq.log
 | |
| 		bogus-priv
 | |
| 		domain-needed
 | |
| 	EOF
 | |
|     # 'log-dhcp'(Extra logging for DHCP) shows too much logs.
 | |
|     # if use '-d', 'log-facility' should = /dev/null
 | |
|     if [[ $SHARE_METHOD == "none" ]]; then    
 | |
|         echo "no-resolv"  >> "$CONFDIR/dnsmasq.conf"
 | |
|         echo "no-poll" >> "$CONFDIR/dnsmasq.conf"
 | |
|     fi
 | |
|     if [[ "$DHCP_DNS" != "no" ]]; then
 | |
|         if [[ "$DHCP_DNS" == "gateway" ]]; then
 | |
|             dns_offer="$GATEWAY"
 | |
|         else
 | |
|             dns_offer="$DHCP_DNS"
 | |
|         fi
 | |
|         echo "dhcp-option-force=option:dns-server,${dns_offer}" >> "$CONFDIR/dnsmasq.conf"
 | |
|     fi
 | |
|     
 | |
|     if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then
 | |
|         echo "port=0"  >> "$CONFDIR/dnsmasq.conf"
 | |
|     fi
 | |
| 
 | |
|     [[ -n "$MTU" ]] && echo "dhcp-option-force=option:mtu,${MTU}" >> "$CONFDIR/dnsmasq.conf"
 | |
|     [[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> "$CONFDIR/dnsmasq.conf"
 | |
|     [[ -n "$ADDN_HOSTS" ]] && echo "addn-hosts=${ADDN_HOSTS}" >> "$CONFDIR/dnsmasq.conf"
 | |
|     if [[ "$THISHOSTNAME" ]]; then
 | |
|         [[ "$THISHOSTNAME" == "-" ]] && THISHOSTNAME="$(cat /etc/hostname)"
 | |
|         echo "interface-name=$THISHOSTNAME,$SUBNET_IFACE" >> "$CONFDIR/dnsmasq.conf"
 | |
|     fi
 | |
|     if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
 | |
|         echo log-queries=extra >> "$CONFDIR/dnsmasq.conf"
 | |
|     fi
 | |
|     
 | |
|     if [[ $DNS ]]; then
 | |
|         DNS_count=$(echo "$DNS" | awk -F, '{print NF}')
 | |
|         for (( i=1;i<=DNS_count;i++ )); do
 | |
|             sep_ip_port "$(echo $DNS | cut -d, -f$i)" DNS_IP DNS_PORT
 | |
|             [[ "$DNS_PORT" ]] && DNS_PORT_D="#$DNS_PORT"
 | |
|             echo "server=${DNS_IP}${DNS_PORT_D}" >> "$CONFDIR/dnsmasq.conf"
 | |
|         done
 | |
|         
 | |
|         cat <<- EOF >> "$CONFDIR/dnsmasq.conf"
 | |
| 			no-resolv
 | |
| 			no-poll
 | |
| 		EOF
 | |
|     fi
 | |
|     if [[ $IPV6 -eq 1 ]];then
 | |
|         cat <<- EOF  >> "$CONFDIR/dnsmasq.conf"
 | |
| 			listen-address=${GATEWAY6}
 | |
| 			enable-ra
 | |
| 			#quiet-ra
 | |
| 			dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64
 | |
| 		EOF
 | |
|         if [[ "$DHCP_DNS6" != "no" ]]; then
 | |
|             if [[ "$DHCP_DNS6" == "gateway" ]]; then
 | |
|                 dns_offer6="[$GATEWAY6]"
 | |
|             else
 | |
|                 dns_offer6="$DHCP_DNS6"
 | |
|             fi
 | |
|             echo "dhcp-option=option6:dns-server,${dns_offer6}" >> "$CONFDIR/dnsmasq.conf"
 | |
|         fi
 | |
|     fi
 | |
| }
 | |
| 
 | |
| run_wifi_ap_processes() {
 | |
|     if [[ $NO_HAVEGED -eq 0 ]]; then
 | |
|         haveged_watchdog &
 | |
|         HAVEGED_WATCHDOG_PID=$!
 | |
|         echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid"
 | |
|         echo
 | |
|         echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" 
 | |
|     fi
 | |
| 
 | |
|     # start access point
 | |
|     #echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
 | |
|     # start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout)
 | |
|     STDBUF_PATH=`which stdbuf`
 | |
|     if [ $? -eq 0 ]; then
 | |
|         STDBUF_PATH=$STDBUF_PATH" -oL"
 | |
|     fi
 | |
|     echo 
 | |
|     echo "Starting hostapd"
 | |
|     
 | |
|     if which complain > /dev/null 2>&1; then
 | |
|         complain hostapd
 | |
|     fi
 | |
|     
 | |
|     # hostapd '-P' works only when use '-B' (run in background)
 | |
|     $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf"  &
 | |
|     HOSTAPD_PID=$!
 | |
|     echo "$HOSTAPD_PID" > "$CONFDIR/hostapd.pid"
 | |
|     echo "hostapd PID: $HOSTAPD_PID"
 | |
|     #while [[ ! -f $CONFDIR/hostapd.pid ]]; do
 | |
|     #    sleep 1
 | |
|     #done
 | |
|     #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid
 | |
|     pid_watchdog $HOSTAPD_PID 10 "hostapd failed" &
 | |
|     sleep 3
 | |
| }
 | |
| 
 | |
| start_dnsmasq() {
 | |
|     echo 
 | |
|     echo "Starting dnsmasq"
 | |
|     
 | |
|     if which complain > /dev/null 2>&1; then
 | |
|         # openSUSE's apparmor does not allow dnsmasq to read files.
 | |
|         # remove restriction.
 | |
|         complain dnsmasq
 | |
|     fi
 | |
|     
 | |
|     # Using '-d'(no daemon) dnsmasq will not turn into 'nobody'
 | |
|     # '-x' works only when no '-d'
 | |
|     dnsmasq  -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" & 
 | |
|     #####DNSMASQ_PID=$!         # only when with '-d'
 | |
|     ######echo "dnsmasq PID: $DNSMASQ_PID"      # only when with '-d'
 | |
|     i=0; while [[ ! -f "$CONFDIR/dnsmasq.pid" ]]; do
 | |
|         sleep 1
 | |
|         i=$((i + 1))
 | |
|         if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi
 | |
|     done
 | |
|     DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )"
 | |
|     echo  "dnsmasq PID: $DNSMASQ_PID" 
 | |
|     ######(wait $DNSMASQ_PID ; die "dnsmasq failed") &  # wait can't deal with non-child
 | |
|     pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" &
 | |
|     sleep 2
 | |
| }
 | |
| 
 | |
| check_rfkill_unblock_wifi() {
 | |
|     local PHY
 | |
|     if which rfkill > /dev/null 2>&1 ; then
 | |
|         PHY=$(get_interface_phy_device ${SUBNET_IFACE})
 | |
|         [[ -n $PHY ]] && rfkill unblock $(rfkill | grep $PHY | awk '{print $1}') >/dev/null 2>&1
 | |
|     fi
 | |
| }
 | |
| 
 | |
| #=========== Above are functions ======================
 | |
| #=========== Executing begin ==============================
 | |
| 
 | |
| # if empty option, show usage and exit 
 | |
| check_empty_option "$@"
 | |
| 
 | |
| # TODO: are some global variables are still defined in those following code?
 | |
| define_global_variables
 | |
| 
 | |
| ARGS=( "$@" )
 | |
| 
 | |
| parse_user_options "$@"
 | |
| # TODO: detect user option conflict
 | |
| 
 | |
| # check if networkManager running
 | |
| NM_RUNNING="$(is_nm_running)"
 | |
| 
 | |
| TMPDIR="$(decide_tmpdir)"
 | |
| 
 | |
| # if user choose to deal with running instances, will output some info then exit after this 
 | |
| # NOTE above don't require root
 | |
| check_other_functions 
 | |
| # NOTE below require root
 | |
| 
 | |
| # if user choose to daemonize, will start new background process and exit this 
 | |
| daemonizing_check
 | |
| 
 | |
| # check if wifi will work on this system and user settings
 | |
| [[ $WIFI_IFACE ]] && check_wifi_settings
 | |
| 
 | |
| [[ -n "$NEW_MACADDR" ]] && check_if_new_mac_valid # check NEW_MACADDR. will exit if not valid
 | |
| 
 | |
| # checks finished
 | |
| 
 | |
| ## ===== Above don't echo anything if no warning or error====================
 | |
| ## ========================================================
 | |
| phead
 | |
| echo "PID: $$"
 | |
| 
 | |
| TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
 | |
| echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE))"
 | |
| # TODO: show interface type, device model and pci/usb id (hwdata  pci.ids), current driver
 | |
| 
 | |
| if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then
 | |
|     NEW_MACADDR="$(generate_random_mac)"
 | |
|     echo "Use random MAC address $NEW_MACADDR"
 | |
| fi
 | |
| 
 | |
| decide_ip_addresses # ip 4 & 6 lan addresses
 | |
| 
 | |
| # if user choose to make DHCP to tell clients to use other DNS, we don't have to serve DNS
 | |
| [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]] && dnsmasq_NO_DNS=1
 | |
| 
 | |
| #===========================================================
 | |
| #==== begin to do some change on config files and system===
 | |
| 
 | |
| init_trap
 | |
| # NOTE function die() is designed not to be used before init_trap() executed
 | |
| 
 | |
| init_conf_dirs #   CONFDIR  , COMMON_CONFDIR  . make dir
 | |
| 
 | |
| [[ $WIFI_IFACE ]] && prepare_wifi_interface # this will create virtual ap interface (if needed) and set VWIFI_IFACE and AP_IFACE (if success)
 | |
| 
 | |
| SUBNET_IFACE="$(decide_subnet_interface)"  # SUBNET_IFACE can be TARGET_IFACE (wired) or AP_IFACE (ap) .this is after prepare_wifi_interface()
 | |
| echo "$SUBNET_IFACE" > "$CONFDIR/subn_iface"
 | |
| 
 | |
| # if virtual wifi interface, will be destroyed, so only need to save status when not
 | |
| [[ -z $VWIFI_IFACE ]] && backup_interface_status
 | |
| 
 | |
| # TODO: should these 2 before calling prepare_wifi_interface ? in check_wifi_settings() ?
 | |
| # set iw country code
 | |
| if [[ $WIFI_IFACE && -n "$COUNTRY" && $USE_IWCONFIG -eq 0 ]]; then
 | |
|     iw reg set "$COUNTRY" || die "Failed setting country code"
 | |
| fi
 | |
| 
 | |
| # judge channel availability after changing country code
 | |
| if [[ $WIFI_IFACE ]] ; then
 | |
|     can_transmit_to_channel ${AP_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}, frequency band ${FREQ_BAND}GHz."
 | |
| fi
 | |
| 
 | |
| [[ $WIFI_IFACE ]] && write_hostapd_conf
 | |
| #===================================================
 | |
| #===================================================
 | |
| 
 | |
| # set interface unmanaged by networkManager
 | |
| if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged()
 | |
|     nm_set_unmanaged ${SUBNET_IFACE} # will write NM_UNM_LIST
 | |
| fi
 | |
| 
 | |
| [[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf
 | |
| #===========================
 | |
| 
 | |
| # initialize subnet interface
 | |
| # take subnet interface down first
 | |
| ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down"
 | |
| # flush old IPs of subnet interface
 | |
| ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP"
 | |
| 
 | |
| dealwith_mac # setting MAC should be after setting NM unmanaged
 | |
| 
 | |
| [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
 | |
| 
 | |
| # bring subnet interface up
 | |
| ip link set up dev ${SUBNET_IFACE} || die "Failed bringing ${SUBNET_IFACE} up"
 | |
| 
 | |
| # hostapd , haveged
 | |
| [[ $WIFI_IFACE ]] && run_wifi_ap_processes
 | |
| 
 | |
| # add ipv4 address to subnet interface
 | |
| ip -4 addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address"
 | |
| 
 | |
| set_ipv6_bits
 | |
| 
 | |
| # add ipv6 address to subnet interface
 | |
| if [[ $IPV6 -eq 1 ]] ; then
 | |
|     ip -6 addr add ${GATEWAY6}/64  dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
 | |
| fi
 | |
| 
 | |
| check_iptables
 | |
| 
 | |
| # enable Internet sharing
 | |
| if [[ "$SHARE_METHOD" == "none" ]]; then
 | |
| 
 | |
|     echo "No Internet sharing"
 | |
|     
 | |
|     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
 | |
|     
 | |
| elif [[ "$SHARE_METHOD" == "nat" ]]; then
 | |
| 
 | |
|     [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2
 | |
|     
 | |
|     start_nat
 | |
|     
 | |
|     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
 | |
|     
 | |
|     echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding"
 | |
|     
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding"
 | |
|     fi
 | |
|     
 | |
|     # to enable clients to establish PPTP connections we must
 | |
|     # load nf_nat_pptp module
 | |
|     modprobe nf_nat_pptp > /dev/null 2>&1 && echo "Loaded kernel module nf_nat_pptp"
 | |
|     
 | |
| elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
 | |
| 
 | |
|     if [[ $IPV6 -eq 1 ]]; then
 | |
|         echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
 | |
|     fi
 | |
|     
 | |
|     [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] &&  echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS, this may cause privacy leak !!!\n" >&2
 | |
| 
 | |
|     [[ "$BANLAN" -eq 1 ]] && start_ban_lan
 | |
|     
 | |
|     start_redsocks
 | |
| fi
 | |
| 
 | |
| # start dhcp + dns (optional)
 | |
| 
 | |
| # allow dns port input even if we don't run dnsmasq
 | |
| # user can serve their own dns server
 | |
| [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]] && allow_dns_port
 | |
| 
 | |
| [[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns
 | |
| 
 | |
| [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )
 | |
| 
 | |
| echo 
 | |
| echo "== Setting up completed, now linux-router is working =="
 | |
| 
 | |
| #============================================================
 | |
| #============================================================
 | |
| #============================================================
 | |
| 
 | |
| show_qr() {
 | |
|     local T S P H
 | |
|     S="$SSID"
 | |
|     if [[ -n "$PASSPHRASE" ]]; then
 | |
|         T="WPA"
 | |
|         P="$PASSPHRASE"
 | |
|     else
 | |
|         T="nopass"
 | |
|     fi
 | |
|     [[ "$HIDDEN" -eq 1 ]] && H="true"
 | |
|     echo "Scan QR code on phone to connect to WiFi"
 | |
|     qrencode -m 2 -t ANSIUTF8 "WIFI:T:${T};S:${S};P:${P};H:${H};"
 | |
|     echo "Use this command to save QR code to image file:"
 | |
|     echo "    qrencode -m 2 -o <file> \"WIFI:T:${T};S:${S};P:${P};H:${H};\""
 | |
|     echo
 | |
| }
 | |
| 
 | |
| [[ "$QR" -eq 1 ]] && show_qr
 | |
| 
 | |
| # need loop to keep this script running
 | |
| bash -c "while :; do sleep 8000 ; done " &
 | |
| KEEP_RUNNING_PID=$!
 | |
| echo "$KEEP_RUNNING_PID" > "$CONFDIR/keep_running.pid"
 | |
| wait $KEEP_RUNNING_PID
 | |
| 
 | |
| clean_exit
 |