smecontribs/smeserver-coova-chilli
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit of file from CVS for smeserver-coova-chilli on Sat Sep 7 20:15:38 AEST 2024

Browse Source
This commit is contained in:
Trevor Batley
2024-09-07 20:15:38 +10:00
parent ee4df6cdb4
commit 2120fa2210
85 changed files with 1432 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
root/etc/e-smith/templates/etc/chilli.conf/00setup Normal file
View File

@@ -0,0 +1,3 @@
{
use NetAddr::IP;
}

1
root/etc/e-smith/templates/etc/chilli.conf/10socket Normal file
View File

@@ -0,0 +1 @@
cmdsock /var/run/chilli.sock

1
root/etc/e-smith/templates/etc/chilli.conf/15pid Normal file
View File

@@ -0,0 +1 @@
pidfile /var/run/chilli.pid

2
root/etc/e-smith/templates/etc/chilli.conf/20net Normal file
View File

@@ -0,0 +1,2 @@
net {$chilli{'net'} || '10.1.0.0/255.255.255.0';}

2
root/etc/e-smith/templates/etc/chilli.conf/22dev Normal file
View File

@@ -0,0 +1,2 @@
tundev {$chilli{'tundev'} || 'tun0';}

10
root/etc/e-smith/templates/etc/chilli.conf/25listen Normal file
View File

@@ -0,0 +1,10 @@
{
# Compute the first IP of the network
our $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
our $chillip = NetAddr::IP->new($net) + 1;
$chillip = $chillip->addr;
$OUT = "uamlisten $chillip\n";
}

2
root/etc/e-smith/templates/etc/chilli.conf/30port Normal file
View File

@@ -0,0 +1,2 @@
uamport {$chilli{'TCPPort'} || '3990';}

2
root/etc/e-smith/templates/etc/chilli.conf/35dhcpif Normal file
View File

@@ -0,0 +1,2 @@
dhcpif {$chilli{'dhcpif'} || 'eth2';}

4
root/etc/e-smith/templates/etc/chilli.conf/37dhcpRange Normal file
View File

@@ -0,0 +1,4 @@
dhcpstart {$chilli{'dhcpstart'} || '10';}
dhcpend {$chilli{'dhcpend'} || '254';}

10
root/etc/e-smith/templates/etc/chilli.conf/40uamallowed Normal file
View File

@@ -0,0 +1,10 @@
{
my @uamalloweds = split(/[;,]/, ($chilli{'uamallowed'} || ''));
$OUT = '';
# TODO: check the entry with a good regex
$OUT .= 'uamallowed '.$_."\n" foreach (@uamalloweds);
}

5
root/etc/e-smith/templates/etc/chilli.conf/45domain Normal file
View File

@@ -0,0 +1,5 @@
domain lan
dns1 {$chilli{'dns1'} || '212.73.209.226';}
dns2 {$chilli{'dns2'} || '194.206.120.1';}
dnsparanoia

14
root/etc/e-smith/templates/etc/chilli.conf/50radius Normal file
View File

@@ -0,0 +1,14 @@
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
{
use esmith::util;
$pw = esmith::util::LdapPassword;
$pw =~ s/^(.{31}).*$/$1/;
"";
}
radiussecret {$pw || 'azerty';}
radiusauthport {$radiusd{'UDPPort'} || '1812';}
radiusacctport 1813
radiusnasid localhost
radiustimeout 3

11
root/etc/e-smith/templates/etc/chilli.conf/55uamserver Normal file
View File

@@ -0,0 +1,11 @@
{
my $uamsecret = $chilli{'uamsecret'} || 'azerty';
my $uamhomepage = $chilli{'uamhomepage'} || '';
$OUT = "uamserver https://$chillip/chilli/cgi-bin/hotspotlogin.cgi\n";
$OUT .= "uamsecret $uamsecret\n";
$OUT .= "uamhomepage $uamhomepage\n" if ($uamhomepage ne '');
}

3
root/etc/e-smith/templates/etc/chilli.conf/60timeout Normal file
View File

@@ -0,0 +1,3 @@
defsessiontimeout {$chilli{'defsessiontimeout'} || '7200';}
defidletimeout {$chilli{'defidletimeout'} || '900';}

3
root/etc/e-smith/templates/etc/chilli.conf/65conscripts Normal file
View File

@@ -0,0 +1,3 @@
conup /etc/chilli/call_conup.sh
condown /etc/chilli/call_condown.sh

4
root/etc/e-smith/templates/etc/chilli.conf/70UidGid Normal file
View File

@@ -0,0 +1,4 @@
uid={getpwnam("coovachilli");}
gid={getgrnam("coovachilli");}

4
root/etc/e-smith/templates/etc/chilli.conf/75noc2c Normal file
View File

@@ -0,0 +1,4 @@
{
return '' if (($chilli{'noc2c'} || 'enabled') eq 'disabled');
$OUT .= "noc2c\n";
}

15
root/etc/e-smith/templates/etc/chilli.conf/95macallowed Normal file
View File

@@ -0,0 +1,15 @@
macallowlocal
{
my @macalloweds = split(/[;,]/, ($chilli{'macallowed'} || ''));
$OUT = '';
# TODO: check the entry with a good regex
foreach (@macalloweds){
$_ =~ s/:/-/g;
$OUT .= 'macallowed '.uc($_)."\n";
}
}

1
root/etc/e-smith/templates/etc/chilli/config/10dhcpif Normal file
View File

@@ -0,0 +1 @@
HS_LANIF={$chilli{'dhcpif'} || 'eth2';}

2
root/etc/e-smith/templates/etc/chilli/config/20radconf Normal file
View File

@@ -0,0 +1,2 @@
HS_RADCONF=off

31
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/98chilli Normal file
View File

@@ -0,0 +1,31 @@
{
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
if ($chilli{'status'} eq 'enabled'){
$OUT .=<<END
# Chilli config
ScriptAlias /chilli/cgi-bin /opt/chilli/cgi-bin
Alias /chilli /opt/chilli
<Directory /opt/chilli>
AllowOverride None
<FilesMatch "hotspotlogin-conf.pl">
Require all denied
</FilesMatch>
Require ip $net
</Directory>
<Directory /opt/chilli/cgi-bin>
Options ExecCGI
</Directory>
<Directory /opt/chilli/lang>
Require all denied
</Directory>
END
}
}

8
root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules31unix Normal file
View File

@@ -0,0 +1,8 @@
#Unix Auth for Chilli
unix \{
cache = yes
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
\}

4
root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate25AuthUnix Normal file
View File

@@ -0,0 +1,4 @@
{
push(@authModules, "\tunix\n");
}

29
root/etc/e-smith/templates/etc/raddb/users/40chilli Normal file
View File

@@ -0,0 +1,29 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
($chilli{'guestAccess'} || 'disabled') eq 'enabled'){
my $downlink = $chilli{'guestDownLink'} || '400';
my $uplink = $chilli{'guestUpLink'} || '64';
$downlink = $downlink * 1000;
$uplink = $uplink * 1000;
$OUT =<<"END";
guest NAS-Identifier == "localhost", Auth-Type := Local, User-Password == 'guest'
WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
END
}
if (($chilli{'status'} || 'disabled') eq 'enabled'){
$OUT .=<<END;
DEFAULT Group == "chilli", NAS-Identifier == "localhost", Auth-Type := unix
# WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
DEFAULT Group != "chilli", NAS-Identifier == "localhost", Auth-Type := Reject
Reply-Message = "Your are not member of the allowed group"
END
}
}

20
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli00setup Normal file
View File

@@ -0,0 +1,20 @@
{
# Compute the first IP of the network
our $net = ${'chilli'}{'net'} || '10.1.0.0/255.255.255.0';
my @netaddr = split(/\//,$net);
my $netaddr = $netaddr[0];
my @nums = split(/\./,$netaddr);
my $i = 0;
our $chillip = '';
foreach (@nums){
$chillip .= $_."." if ($i ne '3');
$chillip .= "1" if ($i eq '3');
$i++;
}
our $tundev = ${'chilli'}{'tundev'} || 'tun0';
our $chilliport = ${'chilli'}{'TCPPort'} || '3990';
$OUT .= '';
}

43
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli10stop Normal file
View File

@@ -0,0 +1,43 @@
{
$OUT .=<<"HERE";
# This will flush any existing rules for coova-chilli
stopChilli()\{
CHAIN='IN_FROM_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D INPUT -i $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='OUT_TO_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D OUTPUT -o $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='FORWARD_FROM_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D FORWARD -i $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='FORWARD_TO_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D FORWARD -o $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='PREROUTING_FROM_CHILLI'
STATE=\$(/sbin/iptables -t nat -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D PREROUTING -t nat -i $tundev -j \$CHAIN
/sbin/iptables -t nat -F \$CHAIN
/sbin/iptables -t nat -X \$CHAIN
fi
\}
HERE
}

46
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli20input Normal file
View File

@@ -0,0 +1,46 @@
{
$OUT .=<<"HERE";
# Input (from the wireless client to the server)
inFromChilli()\{
/sbin/iptables -N IN_FROM_CHILLI
/sbin/iptables -A IN_FROM_CHILLI -j state_chk
# DHCP requests are allowed
/sbin/iptables -A IN_FROM_CHILLI -p udp --dport 67:68 --sport 67:68 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI ! -s $net -j denylog
# Allow wireless clients to ping the server
/sbin/iptables -A IN_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Mandatory services for chilli (https, coova-chill)
# /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'httpd-e-smith'}{'TCPPort'} --syn -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'modSSL'}{'TCPPort'} --syn -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $chilliport --syn -j ACCEPT
HERE
foreach (split(/[;,]/, ${'chilli'}{'AllowedServices'} || '')){
my $service = $_;
next if ((${"$service"}{'status'} || 'disabled') ne 'enabled');
my @tcpports = split(/[;,]/, (${"$service"}{'TCPPort'} || '').",".(${"$service"}{'TCPPorts'} || ''));
my @udpports = split(/[;,]/, (${"$service"}{'UDPPort'} || '').",".(${"$service"}{'UDPPorts'} || ''));
if (@tcpports > 0){
foreach(@tcpports){
$OUT .= " # Acces to $service is allowed:\n" .
" /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $_ --syn -j ACCEPT\n" if ($_ ne '');
}
}
if (@udpports > 0){
foreach(@udpports){
$OUT .= " # Acces to $service is allowed:\n" .
" /sbin/iptables -A IN_FROM_CHILLI -p udp --dport $_ -j ACCEPT\n" if ($_ ne '');
}
}
# Special case for pptp, which uses GRE proto
if ($service eq 'pptpd'){
$OUT .= " /sbin/iptables -A IN_FROM_CHILLI -p 47 -j gre-in\n";
$OUT .= " /sbin/iptables -I gre-in -s $net -j ACCEPT\n";
}
}
$OUT .= " /sbin/iptables -A IN_FROM_CHILLI -j denylog\n\}\n";
}

14
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli30output Normal file
View File

@@ -0,0 +1,14 @@
{
$OUT .=<<"HERE";
# Output (from the server to the wireless clients)
outToChilli()\{
/sbin/iptables -N OUT_TO_CHILLI
/sbin/iptables -A OUT_TO_CHILLI -j state_chk
/sbin/iptables -A OUT_TO_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUT_TO_CHILLI -j denylog
\}
HERE
}

69
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom Normal file
View File

@@ -0,0 +1,69 @@
{
$OUT .=<<"HERE";
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
/sbin/iptables -N FORWARD_FROM_CHILLI
/sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
/sbin/iptables -A FORWARD_FROM_CHILLI ! -s $net -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI ! -o \$OUTERIF -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Allow http for un-authenticated clients so uamallowed works
# Https need to be allowed in AllowedOutgoing
/sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT
HERE
my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)|any|ANY|\*};
my $RePort = qr/\d{1,4}|[0-6]\d{4}|any|ANY|\*/;
# Allow services specidied in AllowedOutgoing
foreach (split(/[;,]/, ${'chilli'}{'AllowedOutgoing'} || '')){
# Check the rules has the form proto:remote_host:remote_port
next unless /^(tcp|TCP|udp|UDP):${ReIpAddr}:${RePort}$/;
my @params = split(/:/, $_);
my $proto = $params[0];
my $host = $params[1];
my $dport = $params[2];
$OUT .= " # $_ is allowed:\n";
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI ";
$OUT .= "-p $proto ";
$OUT .= "-d $host " if ($host !~ /(any|\*)/i);
$OUT .= "--dport $dport " if ($dport !~ /(any|\*)/i);
$OUT .= "--syn " if ($proto =~ /tcp/i);
$OUT .= "-j ACCEPT\n"
}
foreach (split(/[;,]/, ${'chilli'}{'uamallowed'} || '')){
# Check the rules has the form proto:remote_host:remote_port
# Or host:port or protocol:host
next unless /^((tcp|TCP|udp|UDP):)?(${ReIpAddr})(:${RePort})?$/;
my @param = split(/:/, $_);
my $proto = $param[0];
my $host = $param[1];
my $dport = $param[2];
$OUT .= " # $_ is allowed:\n";
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI ";
$OUT .= "-p $proto " if (($proto) && ($proto ne ''));
$OUT .= "-d $host ";
$OUT .= "--dport $dport " if (($dport) && ($dport ne ''));
$OUT .= "--syn " if ($proto =~ /tcp/i);
$OUT .= "-j ACCEPT\n"
}
# Allow the two dns servers specified
$OUT .= " # Allow dns requests to ${'chilli'}{'dns1'}\n" .
" /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns1'} -j ACCEPT\n"
if ((${'chilli'}{'dns1'} || '') ne '');
$OUT .= " # Allow dns requests to ${'chilli'}{'dns2'}\n" .
" /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns2'} -j ACCEPT\n"
if ((${'chilli'}{'dns2'} || '') ne '');
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI -j denylog\n\}\n";
}

14
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli45forwardTo Normal file
View File

@@ -0,0 +1,14 @@
{
$OUT .=<<"HERE";
# Forward to (from the local network or the internet to the wireless clients)
forwardToChilli()\{
/sbin/iptables -N FORWARD_TO_CHILLI
/sbin/iptables -A FORWARD_TO_CHILLI -j state_chk
/sbin/iptables -A FORWARD_TO_CHILLI -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A FORWARD_TO_CHILLI -j denylog
\}
HERE
}

29
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli50prerouting Normal file
View File

@@ -0,0 +1,29 @@
{
$OUT .=<<"HERE";
# Prerouting from chilli (before the server routes paquets from wireless clients)
preroutingFromChilli()\{
/sbin/iptables -N PREROUTING_FROM_CHILLI -t nat
/sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $LocalIP -j DNAT --to $chillip
HERE
$OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ExternalIP -j DNAT --to $chillip\n" if $ExternalIP;
# Redirect also addresses specified in RedirectToChilli
foreach my $ip (split(/[;,]/,(${'chilli'}{'RedirectToChilli'} || ''))){
my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)};
# Check the $ip is a valid ip address
next unless $ip =~ /^${ReIpAddr}$/;
$OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ip -j DNAT --to $chillip\n";
}
# Accept other connexions in order to skip other pre-routing rules. Note that packets will be filtered
# in the FORWARD_FROM_CHILLI chain
$OUT .=" /sbin/iptables -t nat -A PREROUTING_FROM_CHILLI -j ACCEPT\n";
$OUT .= "\}\n";
}

20
root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli60start Normal file
View File

@@ -0,0 +1,20 @@
{
$OUT .=<<"HERE";
# Send the paquets from and to chilli to the correct chains
startChilli()\{
inFromChilli
outToChilli
preroutingFromChilli
forwardFromChilli
forwardToChilli
/sbin/iptables -I INPUT -i $tundev -j IN_FROM_CHILLI
/sbin/iptables -I OUTPUT -o $tundev -j OUT_TO_CHILLI
/sbin/iptables -I FORWARD -o $tundev -j FORWARD_TO_CHILLI
/sbin/iptables -I FORWARD -i $tundev -j FORWARD_FROM_CHILLI
/sbin/iptables -I PREROUTING -t nat -i $tundev -j PREROUTING_FROM_CHILLI
\}
HERE
}

11
root/etc/e-smith/templates/etc/rc.d/init.d/masq/91restartChilli Normal file
View File

@@ -0,0 +1,11 @@
# First, remove hotspot rules
stopChilli
# Then, insert it if chilli is enabled
status=$(/sbin/e-smith/config getprop chilli status)
if [ $status = "enabled" ]
then
startChilli
fi

18
root/etc/e-smith/templates/etc/squid/squid.conf/15HTTPPortChilli Normal file
View File

@@ -0,0 +1,18 @@
{
use NetAddr::IP;
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
$net = NetAddr::IP->new($net) + 1;
my $chillip = $net->addr;
my $transparent = ' transparent';
my $squid = `rpm -q --qf %{VERSION} squid`;
$transparent = '' if ($squid =~ /^2\.5/);
$OUT ='';
if ($chilli{'status'} eq 'enabled'){
my $squidport = $squid{'TCPPort'} || '3128';
$OUT = "http_port $chillip:$squidport$transparent\n";
}
}

14
root/etc/e-smith/templates/etc/squid/squid.conf/20ACL10chilli Normal file
View File

@@ -0,0 +1,14 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
(($chilli{'WebRequests'} || 'direct') eq 'squid')){
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
$OUT .=<<END
acl chillisrc src $net
acl chillidst dst $net
END
}
}

6
root/etc/e-smith/templates/etc/squid/squid.conf/40http_access76AllowChilli Normal file
View File

@@ -0,0 +1,6 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
(($chilli{'WebRequests'} || 'direct') eq 'squid')){
$OUT = "http_access allow chillisrc\n";
}
}

3
root/etc/e-smith/templates/etc/sudoers/00ChilliAlias Normal file
View File

@@ -0,0 +1,3 @@
Cmnd_Alias CHILLI = /etc/chilli/conup.sh, /etc/chilli/condown.sh

3
root/etc/e-smith/templates/etc/sudoers/30Chilli Normal file
View File

@@ -0,0 +1,3 @@
coovachilli ALL=(root) NOPASSWD: CHILLI

7
root/etc/e-smith/templates/opt/chilli/hotspotlogin-conf.pl/all Normal file
View File

@@ -0,0 +1,7 @@
$conf\{domain\} = "{"$DomainName";}";
$conf\{contactinfo\} = "admin\@{"$DomainName";}";
$conf\{uamsecret\} = "{($chilli{'uamsecret'} || 'azerty');}";
$conf\{userpassword\} = 1;
$conf\{guestaccess\} = {($chilli{'guestAccess'} || 'disabled') eq 'enabled' ? '1':'0';};
1