initial commit of file from CVS for smeserver-coova-chilli on Sat Sep 7 20:15:38 AEST 2024

Trevor Batley 2024-09-07 20:15:38 +10:00
parent ee4df6cdb4
commit 2120fa2210
85 changed files with 1432 additions and 2 deletions

4
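--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.xz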

21
Makefile Normal file

@ -0,0 +1,21 @@
# Makefile for source rpm: smeserver-coova-chilli
# $Id: Makefile,v 1.1 2020/12/21 16:38:33 brianr Exp $
NAME := smeserver-coova-chilli
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)
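Review bot: In `find-makefile-common` the writability test is written `-w $$/Makefile.common`, which reaches the shell as `$/Makefile.common` rather than the file in the directory being probed, so the `cvs -Q update` branch is guarded by a test on the wrong path. It should read `-w $$d/Makefile.common`. In `checkout-makefile-common`, `exit -1` is not a portable exit status; `exit 1` expresses the same failure.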


@ -1,3 +1,15 @@
# smeserver-coova-chilli # <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-coova-chilli
SMEServer Koozali developed git repo for smeserver-coova-chilli smecontribs SMEServer Koozali developed git repo for smeserver-coova-chilli smecontribs
## Wiki
<br />https://wiki.koozali.org/
## Bugzilla
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-coova-chilli&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />

1
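--- a/contriborbase
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10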

27
createlinks Normal file

@ -0,0 +1,27 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
safe_symlink("restart", "root/etc/e-smith/events/chilli-update/services2adjust/chilli");
safe_symlink("adjust", "root/etc/e-smith/events/chilli-update/services2adjust/masq");
safe_symlink("sigusr1", "root/etc/e-smith/events/chilli-update/services2adjust/httpd-e-smith");
safe_symlink("restart", "root/etc/e-smith/events/chilli-update/services2adjust/squid");
safe_symlink("sigterm", "root/etc/e-smith/events/chilli-update/services2adjust/radiusd");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/sudoers");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/chilli.conf");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/chilli/config");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/raddb/radiusd.conf");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/raddb/clients.conf");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/httpd/conf/httpd.conf");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/squid/squid.conf");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/etc/rc.d/init.d/masq");
safe_touch("root/etc/e-smith/events/chilli-update/templates2expand/opt/chilli/hotspotlogin-conf.pl");
service_link_enhanced("chilli", "S80", "7");
service_link_enhanced("chilli", "K25", "6");
service_link_enhanced("chilli", "K25", "0");
#safe_symlink("../../../functions/chilli", "root/etc/e-smith/web/panels/manager/cgi-bin/chilli");


@ -0,0 +1,5 @@
#!/bin/bash
exec /usr/bin/sudo /etc/chilli/condown.sh $ADDR $FRAMED_IP_ADDRESS
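Review bot: `$ADDR` and `$FRAMED_IP_ADDRESS` are expanded unquoted on the `exec /usr/bin/sudo` line, so an empty value or one containing whitespace shifts or adds arguments to a script that runs as root. Quoting both keeps the two positions fixed: `exec /usr/bin/sudo /etc/chilli/condown.sh "$ADDR" "$FRAMED_IP_ADDRESS"`. The conup wrapper in the next section has the same line and needs the same change. Where the two variables are set is not visible here; presumably chilli exports them per session, so they should be treated as external input.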


@ -0,0 +1,4 @@
#!/bin/bash
exec /usr/bin/sudo /etc/chilli/conup.sh $ADDR $FRAMED_IP_ADDRESS


@ -0,0 +1,13 @@
#!/bin/bash
SQUID_STATUS=$(/sbin/e-smith/db configuration getprop squid status)
WEB_REQ=$(/sbin/e-smith/db configuration getprop chilli WebRequests)
if [[ $SQUID_STATUS == 'enabled' && $WEB_REQ == 'squid' ]]; then
SQUID_PORT=$(/sbin/e-smith/db configuration getprop squid TransparentPort)
/sbin/iptables -D IN_FROM_CHILLI -s $2 \
-p tcp --dport $SQUID_PORT --syn -j ACCEPT
/sbin/iptables -t nat -D PREROUTING_FROM_CHILLI -s $2 \
-p tcp --dport 80 -j DNAT --to $1:$SQUID_PORT
fi
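Review bot: `$1` and `$2` are passed to the `/sbin/iptables -D` commands unquoted and unchecked, and the sudoers fragments later in this commit let the `coovachilli` user run this script and conup.sh as root with any arguments. Assuming both are meant to be IPv4 addresses, as the `-s` and `--to` usage suggests, a guard at the top such as `[[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && $2 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || exit 1` would reject anything else. The expansions should also be quoted, `-s "$2"` and `--to "$1:$SQUID_PORT"`. conup.sh in the next section uses the same two parameters in the same way.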

16
root/etc/chilli/conup.sh Normal file

@ -0,0 +1,16 @@
#!/bin/bash
SQUID_STATUS=$(/sbin/e-smith/db configuration getprop squid status)
WEB_REQ=$(/sbin/e-smith/db configuration getprop chilli WebRequests)
if [[ $SQUID_STATUS == 'enabled' && $WEB_REQ == 'squid' ]]; then
SQUID_PORT=$(/sbin/e-smith/db configuration getprop squid TransparentPort)
# We need to insert rules just before the accept, so we'll have to compute this position
POSITION=$(LANG=C iptables -t nat -L PREROUTING_FROM_CHILLI -n | \
egrep -v '(Chain|target)' | grep -n ACCEPT | cut -d':' -f1)
/sbin/iptables -t nat -I PREROUTING_FROM_CHILLI $POSITION -s $2 \
-p tcp --dport 80 -j DNAT --to $1:$SQUID_PORT
/sbin/iptables -I IN_FROM_CHILLI 7 -s $2 \
-p tcp --dport $SQUID_PORT --syn -j ACCEPT
fi
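Review bot: `POSITION` is used unquoted as the rule number in `iptables -t nat -I PREROUTING_FROM_CHILLI $POSITION`, but the pipeline that computes it prints nothing when the chain has no ACCEPT rule and several lines when it has more than one, and in both cases the insert command no longer means what the comment describes. Taking the first match and stopping on an empty result makes the failure explicit: end the pipeline with `| grep -n ACCEPT | head -n1 | cut -d: -f1` and follow it with `[ -n "$POSITION" ] || exit 1`. The fixed position `7` in `-I IN_FROM_CHILLI 7` is tied to the number of rules the inFromChilli template emits before the per-service rules, which deserves a comment in both places. The `iptables` call inside the pipeline also lacks the `/sbin/` prefix used everywhere else in the script.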


@ -0,0 +1 @@
tcp:any:443


@ -0,0 +1 @@
3990


@ -0,0 +1 @@
direct


@ -0,0 +1 @@
private


@ -0,0 +1 @@
900


@ -0,0 +1 @@
7200


@ -0,0 +1 @@
254


@ -0,0 +1 @@
eth2


@ -0,0 +1 @@
10


@ -0,0 +1 @@
8.8.8.8


@ -0,0 +1 @@
8.8.4.4


@ -0,0 +1 @@
disabled


@ -0,0 +1 @@
400


@ -0,0 +1 @@
64


@ -0,0 +1 @@
10.1.0.0/255.255.255.0


@ -0,0 +1 @@
enabled


@ -0,0 +1 @@
disabled


@ -0,0 +1 @@
tun0


@ -0,0 +1 @@
service


@ -0,0 +1 @@


@ -0,0 +1,16 @@
{
my $chilliconf = $DB->get('chilli') || $DB->new_record('chilli', {type => 'service'});
my $uamsecret = $chilliconf->prop('uamsecret') || '';
if ($uamsecret eq ''){
$pass=`/usr/bin/openssl rand -base64 60 | tr -c -d '[:graph:]'`;
$chilliconf->set_prop('uamsecret',$pass);
}
# change default dns server as they are not available anymore
# new default is google
my $dns1 = $chilliconf->prop('dns1') || '212.73.209.226';
my $dns2 = $chilliconf->prop('dns2') || '194.206.120.1';
$chilliconf->set_prop('dns1','8.8.8.8') if $dns1 eq '212.73.209.226';
$chilliconf->set_prop('dns2','8.8.4.4') if $dns2 eq '194.206.120.1';
}
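Review bot: The output of the `openssl rand` backtick call is stored with `set_prop('uamsecret',$pass)` without checking that it is non-empty, so a failed command leaves an empty secret, and the templates later in this commit then fall back to the fixed string 'azerty'. Storing it only when something was generated avoids that: `$chilliconf->set_prop('uamsecret',$pass) if length $pass;`. `$pass` is also assigned without `my`, unlike the other variables in the block, which makes it a package global.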


@ -0,0 +1,3 @@
PERMS=0750
UID="root"
GID="www"


@ -0,0 +1,3 @@
{
use NetAddr::IP;
}


@ -0,0 +1 @@
cmdsock /var/run/chilli.sock


@ -0,0 +1 @@
pidfile /var/run/chilli.pid


@ -0,0 +1,2 @@
net {$chilli{'net'} || '10.1.0.0/255.255.255.0';}


@ -0,0 +1,2 @@
tundev {$chilli{'tundev'} || 'tun0';}


@ -0,0 +1,10 @@
{
# Compute the first IP of the network
our $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
our $chillip = NetAddr::IP->new($net) + 1;
$chillip = $chillip->addr;
$OUT = "uamlisten $chillip\n";
}


@ -0,0 +1,2 @@
uamport {$chilli{'TCPPort'} || '3990';}


@ -0,0 +1,2 @@
dhcpif {$chilli{'dhcpif'} || 'eth2';}


@ -0,0 +1,4 @@
dhcpstart {$chilli{'dhcpstart'} || '10';}
dhcpend {$chilli{'dhcpend'} || '254';}


@ -0,0 +1,10 @@
{
my @uamalloweds = split(/[;,]/, ($chilli{'uamallowed'} || ''));
$OUT = '';
# TODO: check the entry with a good regex
$OUT .= 'uamallowed '.$_."\n" foreach (@uamalloweds);
}
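Review bot: Each `uamallowed` entry is written to the configuration as-is, as the TODO admits, so whitespace inside the database value ends up as extra tokens on a `uamallowed` line. Until a full pattern is agreed, the loop could at least trim each entry and skip any that is empty or still contains whitespace, which needs the postfix `foreach` turned into a block with `s/^\s+|\s+$//g; next if $_ eq '' || /\s/;` at its top. The firewall template in this commit already checks the same property against an address pattern, so the two places currently accept different sets of values. The `macallowed` fragment further down carries the same TODO.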


@ -0,0 +1,5 @@
domain lan
dns1 {$chilli{'dns1'} || '212.73.209.226';}
dns2 {$chilli{'dns2'} || '194.206.120.1';}
dnsparanoia


@ -0,0 +1,14 @@
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
{
use esmith::util;
$pw = esmith::util::LdapPassword;
$pw =~ s/^(.{31}).*$/$1/;
"";
}
radiussecret {$pw || 'azerty';}
radiusauthport {$radiusd{'UDPPort'} || '1812';}
radiusacctport 1813
radiusnasid localhost
radiustimeout 3
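Review bot: `radiussecret {$pw || 'azerty';}` falls back to a fixed, guessable shared secret whenever `esmith::util::LdapPassword` returns nothing, and the same literal is the fallback for `uamsecret` in the uamserver fragment and in the hotspotlogin-conf.pl template. Failing the expansion is safer than writing a default, for example `die "no RADIUS secret available\n" unless $pw;` inside the block. The block also reuses the LDAP password, cut to 31 characters, as the RADIUS secret, so chilli.conf becomes another file from which that credential can be read; a dedicated secret generated the way `uamsecret` is would keep the two apart.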


@ -0,0 +1,11 @@
{
my $uamsecret = $chilli{'uamsecret'} || 'azerty';
my $uamhomepage = $chilli{'uamhomepage'} || '';
$OUT = "uamserver https://$chillip/chilli/cgi-bin/hotspotlogin.cgi\n";
$OUT .= "uamsecret $uamsecret\n";
$OUT .= "uamhomepage $uamhomepage\n" if ($uamhomepage ne '');
}


@ -0,0 +1,3 @@
defsessiontimeout {$chilli{'defsessiontimeout'} || '7200';}
defidletimeout {$chilli{'defidletimeout'} || '900';}


@ -0,0 +1,3 @@
conup /etc/chilli/call_conup.sh
condown /etc/chilli/call_condown.sh


@ -0,0 +1,4 @@
uid={getpwnam("coovachilli");}
gid={getgrnam("coovachilli");}


@ -0,0 +1,4 @@
{
return '' if (($chilli{'noc2c'} || 'enabled') eq 'disabled');
$OUT .= "noc2c\n";
}


@ -0,0 +1,15 @@
macallowlocal
{
my @macalloweds = split(/[;,]/, ($chilli{'macallowed'} || ''));
$OUT = '';
# TODO: check the entry with a good regex
foreach (@macalloweds){
$_ =~ s/:/-/g;
$OUT .= 'macallowed '.uc($_)."\n";
}
}


@ -0,0 +1 @@
HS_LANIF={$chilli{'dhcpif'} || 'eth2';}


@ -0,0 +1,2 @@
HS_RADCONF=off


@ -0,0 +1,31 @@
{
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
if ($chilli{'status'} eq 'enabled'){
$OUT .=<<END
# Chilli config
ScriptAlias /chilli/cgi-bin /opt/chilli/cgi-bin
Alias /chilli /opt/chilli
<Directory /opt/chilli>
AllowOverride None
<FilesMatch "hotspotlogin-conf.pl">
Require all denied
</FilesMatch>
Require ip $net
</Directory>
<Directory /opt/chilli/cgi-bin>
Options ExecCGI
</Directory>
<Directory /opt/chilli/lang>
Require all denied
</Directory>
END
}
}


@ -0,0 +1,8 @@
#Unix Auth for Chilli
unix \{
cache = yes
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
\}


@ -0,0 +1,4 @@
{
push(@authModules, "\tunix\n");
}


@ -0,0 +1,29 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
($chilli{'guestAccess'} || 'disabled') eq 'enabled'){
my $downlink = $chilli{'guestDownLink'} || '400';
my $uplink = $chilli{'guestUpLink'} || '64';
$downlink = $downlink * 1000;
$uplink = $uplink * 1000;
$OUT =<<"END";
guest NAS-Identifier == "localhost", Auth-Type := Local, User-Password == 'guest'
WISPr-Bandwidth-Max-Down = $downlink, WISPr-Bandwidth-Max-Up = $uplink
END
}
if (($chilli{'status'} || 'disabled') eq 'enabled'){
$OUT .=<<END;
DEFAULT Group == "chilli", NAS-Identifier == "localhost", Auth-Type := unix
# WISPr-Bandwidth-Max-Down = 512000, WISPr-Bandwidth-Max-Up = 128000
DEFAULT Group != "chilli", NAS-Identifier == "localhost", Auth-Type := Reject
Reply-Message = "Your are not member of the allowed group"
END
}
}
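Review bot: The guest entry hard-codes `User-Password == 'guest'` with no comment explaining that this account is deliberately public and limited only by the two WISPr bandwidth attributes. A line such as `# Shared guest login, enabled by guestAccess; credentials are public by design` above the first heredoc would stop a later reader treating it as a leftover. The reject message reads "Your are not member of the allowed group"; `Reply-Message = "You are not a member of the allowed group"` is the intended wording. The second heredoc is opened with a bare `<<END`, which interpolates like the first; quoting it as `<<'END'` would make clear that nothing in it is meant to be expanded.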


@ -0,0 +1,20 @@
{
# Compute the first IP of the network
our $net = ${'chilli'}{'net'} || '10.1.0.0/255.255.255.0';
my @netaddr = split(/\//,$net);
my $netaddr = $netaddr[0];
my @nums = split(/\./,$netaddr);
my $i = 0;
our $chillip = '';
foreach (@nums){
$chillip .= $_."." if ($i ne '3');
$chillip .= "1" if ($i eq '3');
$i++;
}
our $tundev = ${'chilli'}{'tundev'} || 'tun0';
our $chilliport = ${'chilli'}{'TCPPort'} || '3990';
$OUT .= '';
}
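Review bot: This fragment derives `$chillip` by replacing the last octet of the network address with 1, while the `uamlisten` fragment for chilli.conf and the squid `http_port` fragment compute it as `NetAddr::IP->new($net) + 1`. The two agree for the default `10.1.0.0/255.255.255.0` but, judging from the arithmetic, differ for a network whose address does not end in `.0`, and then the DNAT target in preroutingFromChilli would not be the address chilli listens on. Using the same expression here, `our $chillip = (NetAddr::IP->new($net) + 1)->addr;`, keeps the three in step. The loop also compares the counter with `ne '3'` and `eq '3'`, where `!=` and `==` are the numeric operators.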


@ -0,0 +1,43 @@
{
$OUT .=<<"HERE";
# This will flush any existing rules for coova-chilli
stopChilli()\{
CHAIN='IN_FROM_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D INPUT -i $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='OUT_TO_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D OUTPUT -o $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='FORWARD_FROM_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D FORWARD -i $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='FORWARD_TO_CHILLI'
STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D FORWARD -o $tundev -j \$CHAIN
/sbin/iptables -F \$CHAIN
/sbin/iptables -X \$CHAIN
fi
CHAIN='PREROUTING_FROM_CHILLI'
STATE=\$(/sbin/iptables -t nat -L -n | grep -c \$CHAIN)
if [ \$STATE -ge 1 ]; then
/sbin/iptables -D PREROUTING -t nat -i $tundev -j \$CHAIN
/sbin/iptables -t nat -F \$CHAIN
/sbin/iptables -t nat -X \$CHAIN
fi
\}
HERE
}


@ -0,0 +1,46 @@
{
$OUT .=<<"HERE";
# Input (from the wireless client to the server)
inFromChilli()\{
/sbin/iptables -N IN_FROM_CHILLI
/sbin/iptables -A IN_FROM_CHILLI -j state_chk
# DHCP requests are allowed
/sbin/iptables -A IN_FROM_CHILLI -p udp --dport 67:68 --sport 67:68 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI ! -s $net -j denylog
# Allow wireless clients to ping the server
/sbin/iptables -A IN_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Mandatory services for chilli (https, coova-chill)
# /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'httpd-e-smith'}{'TCPPort'} --syn -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'modSSL'}{'TCPPort'} --syn -j ACCEPT
/sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $chilliport --syn -j ACCEPT
HERE
foreach (split(/[;,]/, ${'chilli'}{'AllowedServices'} || '')){
my $service = $_;
next if ((${"$service"}{'status'} || 'disabled') ne 'enabled');
my @tcpports = split(/[;,]/, (${"$service"}{'TCPPort'} || '').",".(${"$service"}{'TCPPorts'} || ''));
my @udpports = split(/[;,]/, (${"$service"}{'UDPPort'} || '').",".(${"$service"}{'UDPPorts'} || ''));
if (@tcpports > 0){
foreach(@tcpports){
$OUT .= " # Acces to $service is allowed:\n" .
" /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $_ --syn -j ACCEPT\n" if ($_ ne '');
}
}
if (@udpports > 0){
foreach(@udpports){
$OUT .= " # Acces to $service is allowed:\n" .
" /sbin/iptables -A IN_FROM_CHILLI -p udp --dport $_ -j ACCEPT\n" if ($_ ne '');
}
}
# Special case for pptp, which uses GRE proto
if ($service eq 'pptpd'){
$OUT .= " /sbin/iptables -A IN_FROM_CHILLI -p 47 -j gre-in\n";
$OUT .= " /sbin/iptables -I gre-in -s $net -j ACCEPT\n";
}
}
$OUT .= " /sbin/iptables -A IN_FROM_CHILLI -j denylog\n\}\n";
}
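Review bot: Port values read from each service's `TCPPort`, `TCPPorts`, `UDPPort` and `UDPPorts` properties are interpolated into `/sbin/iptables ... --dport $_` lines with only an empty-string check, and the output is a shell script that runs as root. Anything other than a port or a port range in those properties would become part of a command line. Adding `next unless /^\d{1,5}(:\d{1,5})?$/;` as the first statement of both inner loops restricts the values to ports and ranges. `${"$service"}` is a symbolic reference keyed by the `AllowedServices` value, so `next unless $service =~ /^[\w-]+$/;` before its first use would be prudent as well.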


@ -0,0 +1,14 @@
{
$OUT .=<<"HERE";
# Output (from the server to the wireless clients)
outToChilli()\{
/sbin/iptables -N OUT_TO_CHILLI
/sbin/iptables -A OUT_TO_CHILLI -j state_chk
/sbin/iptables -A OUT_TO_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUT_TO_CHILLI -j denylog
\}
HERE
}


@ -0,0 +1,69 @@
{
$OUT .=<<"HERE";
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
/sbin/iptables -N FORWARD_FROM_CHILLI
/sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
/sbin/iptables -A FORWARD_FROM_CHILLI ! -s $net -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI ! -o \$OUTERIF -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Allow http for un-authenticated clients so uamallowed works
# Https need to be allowed in AllowedOutgoing
/sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT
HERE
my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)|any|ANY|\*};
my $RePort = qr/\d{1,4}|[0-6]\d{4}|any|ANY|\*/;
# Allow services specidied in AllowedOutgoing
foreach (split(/[;,]/, ${'chilli'}{'AllowedOutgoing'} || '')){
# Check the rules has the form proto:remote_host:remote_port
next unless /^(tcp|TCP|udp|UDP):${ReIpAddr}:${RePort}$/;
my @params = split(/:/, $_);
my $proto = $params[0];
my $host = $params[1];
my $dport = $params[2];
$OUT .= " # $_ is allowed:\n";
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI ";
$OUT .= "-p $proto ";
$OUT .= "-d $host " if ($host !~ /(any|\*)/i);
$OUT .= "--dport $dport " if ($dport !~ /(any|\*)/i);
$OUT .= "--syn " if ($proto =~ /tcp/i);
$OUT .= "-j ACCEPT\n"
}
foreach (split(/[;,]/, ${'chilli'}{'uamallowed'} || '')){
# Check the rules has the form proto:remote_host:remote_port
# Or host:port or protocol:host
next unless /^((tcp|TCP|udp|UDP):)?(${ReIpAddr})(:${RePort})?$/;
my @param = split(/:/, $_);
my $proto = $param[0];
my $host = $param[1];
my $dport = $param[2];
$OUT .= " # $_ is allowed:\n";
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI ";
$OUT .= "-p $proto " if (($proto) && ($proto ne ''));
$OUT .= "-d $host ";
$OUT .= "--dport $dport " if (($dport) && ($dport ne ''));
$OUT .= "--syn " if ($proto =~ /tcp/i);
$OUT .= "-j ACCEPT\n"
}
# Allow the two dns servers specified
$OUT .= " # Allow dns requests to ${'chilli'}{'dns1'}\n" .
" /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns1'} -j ACCEPT\n"
if ((${'chilli'}{'dns1'} || '') ne '');
$OUT .= " # Allow dns requests to ${'chilli'}{'dns2'}\n" .
" /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns2'} -j ACCEPT\n"
if ((${'chilli'}{'dns2'} || '') ne '');
$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI -j denylog\n\}\n";
}
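Review bot: In the `uamallowed` loop the pattern makes the protocol and the port optional, but the fields are then taken by position from `split(/:/, $_)`, so an entry without a protocol puts the address in `$proto` and leaves `$host` undefined, and the emitted rule is malformed. Taking the fields from named captures, as below, keeps each value in its own variable whichever parts are present. The `-d $host` line in this loop also lacks the `any|*` exclusion that the AllowedOutgoing loop applies, so an `any` entry would be written as a destination. `dns1` and `dns2` are interpolated into the last two rules without the `$ReIpAddr` check used for the other values.

```perl
foreach (split(/[;,]/, ${'chilli'}{'uamallowed'} || '')){
    # Fields come from the match, so a missing protocol or port stays empty
    next unless /^(?:(?<proto>tcp|TCP|udp|UDP):)?(?<host>${ReIpAddr})(?::(?<dport>${RePort}))?$/;
    my $proto = defined $+{proto} ? $+{proto} : '';
    my $host  = $+{host};
    my $dport = defined $+{dport} ? $+{dport} : '';
    # … unchanged: rule assembly from $proto, $host and $dport …
```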


@ -0,0 +1,14 @@
{
$OUT .=<<"HERE";
# Forward to (from the local network or the internet to the wireless clients)
forwardToChilli()\{
/sbin/iptables -N FORWARD_TO_CHILLI
/sbin/iptables -A FORWARD_TO_CHILLI -j state_chk
/sbin/iptables -A FORWARD_TO_CHILLI -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A FORWARD_TO_CHILLI -j denylog
\}
HERE
}


@ -0,0 +1,29 @@
{
$OUT .=<<"HERE";
# Prerouting from chilli (before the server routes paquets from wireless clients)
preroutingFromChilli()\{
/sbin/iptables -N PREROUTING_FROM_CHILLI -t nat
/sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $LocalIP -j DNAT --to $chillip
HERE
$OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ExternalIP -j DNAT --to $chillip\n" if $ExternalIP;
# Redirect also addresses specified in RedirectToChilli
foreach my $ip (split(/[;,]/,(${'chilli'}{'RedirectToChilli'} || ''))){
my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)};
# Check the $ip is a valid ip address
next unless $ip =~ /^${ReIpAddr}$/;
$OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ip -j DNAT --to $chillip\n";
}
# Accept other connexions in order to skip other pre-routing rules. Note that packets will be filtered
# in the FORWARD_FROM_CHILLI chain
$OUT .=" /sbin/iptables -t nat -A PREROUTING_FROM_CHILLI -j ACCEPT\n";
$OUT .= "\}\n";
}


@ -0,0 +1,20 @@
{
$OUT .=<<"HERE";
# Send the paquets from and to chilli to the correct chains
startChilli()\{
inFromChilli
outToChilli
preroutingFromChilli
forwardFromChilli
forwardToChilli
/sbin/iptables -I INPUT -i $tundev -j IN_FROM_CHILLI
/sbin/iptables -I OUTPUT -o $tundev -j OUT_TO_CHILLI
/sbin/iptables -I FORWARD -o $tundev -j FORWARD_TO_CHILLI
/sbin/iptables -I FORWARD -i $tundev -j FORWARD_FROM_CHILLI
/sbin/iptables -I PREROUTING -t nat -i $tundev -j PREROUTING_FROM_CHILLI
\}
HERE
}


@ -0,0 +1,11 @@
# First, remove hotspot rules
stopChilli
# Then, insert it if chilli is enabled
status=$(/sbin/e-smith/config getprop chilli status)
if [ $status = "enabled" ]
then
startChilli
fi
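Review bot: `[ $status = "enabled" ]` expands `$status` unquoted, so when the `chilli` record has no `status` property the test becomes `[ = "enabled" ]` and fails with a syntax error instead of evaluating false. `if [ "$status" = "enabled" ]` handles the empty case cleanly.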


@ -0,0 +1,18 @@
{
use NetAddr::IP;
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
$net = NetAddr::IP->new($net) + 1;
my $chillip = $net->addr;
my $transparent = ' transparent';
my $squid = `rpm -q --qf %{VERSION} squid`;
$transparent = '' if ($squid =~ /^2\.5/);
$OUT ='';
if ($chilli{'status'} eq 'enabled'){
my $squidport = $squid{'TCPPort'} || '3128';
$OUT = "http_port $chillip:$squidport$transparent\n";
}
}
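Review bot: The `http_port` line is emitted whenever `chilli` status is `enabled`, whereas the two squid ACL fragments in this commit also require `WebRequests` to be `squid`; with `WebRequests` left at `direct`, squid would listen on the hotspot address without the matching `chillisrc` ACL. If that is not intended, the condition should match theirs: `if ((($chilli{'status'} || 'disabled') eq 'enabled') && (($chilli{'WebRequests'} || 'direct') eq 'squid')){`. The `|| 'disabled'` default also avoids comparing an undefined `status`, which the current `$chilli{'status'} eq 'enabled'` does.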


@ -0,0 +1,14 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
(($chilli{'WebRequests'} || 'direct') eq 'squid')){
my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
$OUT .=<<END
acl chillisrc src $net
acl chillidst dst $net
END
}
}


@ -0,0 +1,6 @@
{
if ((($chilli{'status'} || 'disabled') eq 'enabled') &&
(($chilli{'WebRequests'} || 'direct') eq 'squid')){
$OUT = "http_access allow chillisrc\n";
}
}


@ -0,0 +1,3 @@
Cmnd_Alias CHILLI = /etc/chilli/conup.sh, /etc/chilli/condown.sh


@ -0,0 +1,3 @@
coovachilli ALL=(root) NOPASSWD: CHILLI


@ -0,0 +1,7 @@
$conf\{domain\} = "{"$DomainName";}";
$conf\{contactinfo\} = "admin\@{"$DomainName";}";
$conf\{uamsecret\} = "{($chilli{'uamsecret'} || 'azerty');}";
$conf\{userpassword\} = 1;
$conf\{guestaccess\} = {($chilli{'guestAccess'} || 'disabled') eq 'enabled' ? '1':'0';};
1
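Review bot: `uamsecret` is written inside a double-quoted Perl string in the generated file, so a secret containing `"`, `$`, `@` or a backslash would change or break the configuration that the CGI script loads with `require`. Values generated by the migrate fragment come from base64 output and are unaffected, but a value set by hand in the database is not restricted. Emitting the value single-quoted, with `\` and `'` escaped in the template expression, removes the interpolation. The `'azerty'` fallback on the same line means a missing property silently yields a known secret; the template should fail instead.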


@ -0,0 +1,485 @@
#!/usr/bin/perl -w
# chilli - ChilliSpot.org. A Wireless LAN Access Point Controller
# Copyright (C) 2003, 2004 Mondru AB.
#
# The contents of this file may be used under the terms of the GNU
# General Public License Version 2, provided that the above copyright
# notice and this permission notice is included in all copies or
# substantial portions of the software.
# Adapted for SME Server by Daniel B. <daniel@firewall-services.com>
use Digest::MD5 qw(md5 md5_hex md5_base64);
# Import the config
require ('../hotspotlogin-conf.pl');
# detect browser language
$language = $ENV{'HTTP_ACCEPT_LANGUAGE'};
@array = split(',',$language);
foreach $var ( @array )
{
$var = substr($var,0,2);
if($var =~ /^fr$/) { $language = "fr"; last; }
if($var =~ /^en$/) { $language = "en"; last; }
}
if(-e "../lang/hotspotlogin.$language.pl"){
require("../lang/hotspotlogin.$language.pl");
}
else{
require('../lang/hotspotlogin.en.pl');
}
# Login page need https
if (!($ENV{HTTPS} =~ /^on$/)) {
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>$conf{domain}/title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<link rel=\"stylesheet\" type=\"text/css\" href=\"/chilli/css/sme.css\" />
</head>
<body>
<p>&nbsp;</p><p>&nbsp;</p>
<h2>$lang{loginfailed}</H2><br>
$lang{neddencrypted}</body></html>";
exit(0);
}
$loginpath = $ENV{'SCRIPT_NAME'};
# Make sure that the form parameters are clean
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$_ = (<STDIN> || '');
s/[^$OK_CHARS]/_/go;
$input = $_;
# Make sure that the get query parameters are clean
$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$_ = $query=$ENV{QUERY_STRING};
s/[^$OK_CHARS]/_/go;
$query = $_;
#Read form parameters which we care about
@array = split('&',$input);
$replyencoded = '';
$username = '';
$password = '';
$challenge = '';
$button = '';
$res = '';
$uamip = '';
$uamport = '';
$userurl = '';
$timeleft = '';
$redirurl = '';
$mac = '';
foreach $var ( @array )
{
@array2 = split('=',$var);
if ($array2[0] =~ /^UserName$/) { $username = $array2[1]; }
if ($array2[0] =~ /^Password$/) { $password = $array2[1]; }
if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; }
if ($array2[0] =~ /^button$/) { $button = $array2[1]; }
if ($array2[0] =~ /^res$/) { $res = $array2[1]; }
if ($array2[0] =~ /^uamip$/) { $uamip = $array2[1]; }
if ($array2[0] =~ /^uamport$/) { $uamport = $array2[1]; }
if ($array2[0] =~ /^userurl$/) { $userurl = $array2[1]; }
if ($array2[0] =~ /^timeleft$/) { $timeleft = $array2[1]; }
if ($array2[0] =~ /^redirurl$/) { $redirurl = $array2[1]; }
if ($array2[0] =~ /^mac$/) { $mac = $array2[1]; }
# This should be added to 'standard' cgi script also
if ($array2[0] =~ /^reply$/) { $replyencoded = $array2[1]; }
}
#Read query parameters which we care about
@array = split('&',$query);
foreach $var ( @array )
{
@array2 = split('=',$var);
if ($array2[0] =~ /^res$/) { $res = $array2[1]; }
if ($array2[0] =~ /^challenge$/) { $challenge = $array2[1]; }
if ($array2[0] =~ /^uamip$/) { $uamip = $array2[1]; }
if ($array2[0] =~ /^uamport$/) { $uamport = $array2[1]; }
# This should be changed in 'standard' cgi script also
if ($array2[0] =~ /^reply$/) { $replyencoded = $array2[1]; }
if ($array2[0] =~ /^userurl$/) { $userurl = $array2[1]; }
if ($array2[0] =~ /^timeleft$/) { $timeleft = $array2[1]; }
if ($array2[0] =~ /^redirurl$/) { $redirurl = $array2[1]; }
if ($array2[0] =~ /^mac$/) { $mac = $array2[1]; }
}
# This should be added to 'standard' cgi script also
$reply = $replyencoded;
$reply =~ s/\+/ /g;
$reply =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;
$button =~ s/\+/ /g;
$button =~ s/\_/ /g;
$userurldecode = $userurl;
$userurldecode =~ s/\+/ /g;
$userurldecode =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;
$redirurldecode = $redirurl;
$redirurldecode =~ s/\+/ /g;
$redirurldecode =~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;
# Tim added these two lines:
$username =~ s/\+/ /g;
$username =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;
$password =~ s/\+/ /g;
$password =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/seg;
# If attempt to login
if (($button =~ $lang{login} || $button =~ $lang{guestbutton})) {
$hexchal = pack "H32", $challenge;
if (defined $conf{uamsecret}) {
$newchal = md5($hexchal, $conf{uamsecret});
}
else {
$newchal = $hexchal;
}
$response = md5_hex("\0", $password, $newchal);
$pappassword = unpack "H32", ($password ^ $newchal);
print "Content-type: text/html\n\n";
print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>$conf{domain}</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">";
if ( (defined $conf{uamsecret}) && (defined $conf{userpassword})) {
print "<meta http-equiv=\"refresh\" content=\"0;url=http://$uamip:$uamport/logon?username=$username&password=$pappassword&userurl=$userurl\">";
}
else {
print "<meta http-equiv=\"refresh\" content=\"0;url=http://$uamip:$uamport/logon?username=$username&response=$response&userurl=$userurl\">";
}
print "<link rel=\"stylesheet\" type=\"text/css\" href=\"/chilli/css/sme.css\" />
</head><body>
<center>";
print "<p>&nbsp;</p><p>&nbsp;</p>
<h3>$lang{longgingin}</H3><br>$lang{wait}</center></body></html>";
exit(0);
}
# Default: It was not a form request
$result = 0;
# If login successful
if ($res =~ /^success$/) { $result = 1; }
# If login failed
if ($res =~ /^failed$/) { $result = 2; }
# If logout successful
if ($res =~ /^logoff$/) { $result = 3; }
# If tried to login while already logged in
if ($res =~ /^already$/) { $result = 4; }
# If not logged in yet
if ($res =~ /^notyet$/) { $result = 5; }
# If login from smart client
if ($res =~ /^smartclient$/) { $result = 6; }
# If requested a logging in pop up window
if ($res =~ /^popup1$/) { $result = 11; }
# If requested a success pop up window
if ($res =~ /^popup2$/) { $result = 12; }
# If requested a logout pop up window
if ($res =~ /^popup3$/) { $result = 13; }
# Otherwise it was not a form request
# Send out an error message
if ($result == 0) {
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>$conf{domain}</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<link rel=\"stylesheet\" type=\"text/css\" href=\"/chilli/css/sme.css\" />
</head>
<body>
<center>
<p>&nbsp;</p><p>&nbsp;</p>
<h3>$lang{loginfailed}</h3><br>
$lang{chillierror}</center></body></html>";
exit(0);
}
#Generate the output
print "Content-type: text/html\n\n
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">
<html>
<head>
<title>$conf{domain}</title>
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<SCRIPT LANGUAGE=\"JavaScript\">
var blur = 0;
var starttime = new Date();
var startclock = starttime.getTime();
var mytimeleft = 0;
var user = \"\";
var password = \"\";
function getCookie(c_name)
{
if (document.cookie.length>0)
{
c_start=document.cookie.indexOf(c_name + \"=\");
if(c_start!=-1)
{
c_start=c_start + c_name.length+1;
c_end=document.cookie.indexOf(\";\",c_start);
if (c_end==-1) c_end=document.cookie.length;
return unescape(document.cookie.substring(c_start,c_end));
}
}
return \"\";
}
function setCookie(c_name,value,expiredays)
{
var exdate=new Date();
exdate.setDate(exdate.getDate()+expiredays);
document.cookie=c_name+ \"=\" +escape(value)+((expiredays==null) ? \"\" : \";expires=\"+exdate.toGMTString());
}
function getCookies()
{
user=getCookie('user');
if(user!=null && user!=\"\")
{
document.form1.UserName.value = user;
document.form1.saveusrpass.checked = true;
}
password=getCookie('password');
if(password!=null && password!=\"\")
{
document.form1.Password.value = password;
}
}
function setCookies()
{
if(!document.form1.saveusrpass.checked)
{
setCookie('user',\"\",365);
setCookie('password',\"\",365);
return;
}
user = document.form1.UserName.value;
password = document.form1.Password.value;
if(user!=null && user!=\"\")
{
if(password!=null && password!=\"\")
{
setCookie('user',user,365);
setCookie('password',password,365);
}
}
}
function doTime() {
window.setTimeout( \"doTime()\", 1000 );
t = new Date();
time = Math.round((t.getTime() - starttime.getTime())/1000);
if (mytimeleft) {
time = mytimeleft - time;
if (time <= 0) {
window.location = \"$loginpath?res=popup3&uamip=$uamip&uamport=$uamport\";
}
}
if (time < 0) time = 0;
hours = (time - (time % 3600)) / 3600;
time = time - (hours * 3600);
mins = (time - (time % 60)) / 60;
secs = time - (mins * 60);
if (hours < 10) hours = \"0\" + hours;
if (mins < 10) mins = \"0\" + mins;
if (secs < 10) secs = \"0\" + secs;
title = \"$lang{onlinetime}: \" + hours + \":\" + mins + \":\" + secs;
if (mytimeleft) {
title = \"$lang{remainingtime}: \" + hours + \":\" + mins + \":\" + secs;
}
if(document.all || document.getElementById){
document.title = title;
}
else {
self.status = title;
}
}
function popUp(URL) {
if (self.name != \"chillispot_popup\") {
chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=310');
}
}
function doOnLoad(result, URL, userurl, redirurl, timeleft) {
if (timeleft) {
mytimeleft = timeleft;
}
if ((result == 1) && (self.name == \"chillispot_popup\")) {
doTime();
}
if ((result == 1) && (self.name != \"chillispot_popup\")) {
chillispot_popup = window.open(URL, 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300');
}
if ((result == 2) || result == 5) {
getCookies();
document.form1.UserName.focus()
}
if ((result == 2) && (self.name != \"chillispot_popup\")) {
chillispot_popup = window.open('', 'chillispot_popup', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=400,height=200');
chillispot_popup.close();
}
if ((result == 12) && (self.name == \"chillispot_popup\")) {
doTime();
if (redirurl) {
window.opener.top.location.href = redirurl;
}
else if (userurl) {
window.opener.top.location.href = userurl;
}
else if (opener.home) {
window.opener.top.location.href.home();
}
else {
window.opener.top.location.href = \"about:home\";
}
self.focus();
blur = 0;
}
if ((result == 13) && (self.name == \"chillispot_popup\")) {
self.focus();
blur = 1;
}
}
function doOnBlur(result) {
if ((result == 12) && (self.name == \"chillispot_popup\")) {
if (blur == 0) {
blur = 1;
self.focus();
}
}
}
function doOnBeforeUnLoad(result) {
if ((result==12) && (self.name=='chillispot_popup')) {
document.location.href=('http://$uamip:$uamport/logoff');
window.close();
}
}
function fillGuestAccess() {
form1.UserName.value = 'guest';
form1.Password.value = 'guest';
}
</script>
<link rel=\"stylesheet\" type=\"text/css\" href=\"/chilli/css/sme.css\" />
</head>
<body onLoad=\"javascript:doOnLoad($result, '$loginpath?res=popup2&uamip=$uamip&uamport=$uamport&userurl=$userurl&redirurl=$redirurl&timeleft=$timeleft&reply=$replyencoded','$userurldecode', '$redirurldecode', '$timeleft')\" onBlur = \"javascript:doOnBlur($result)\" onBeforeUnLoad = \"doOnBeforeUnLoad($result)\"><center>";
# In body onLoad above, after $timeleft, add '&reply=$replyencoded to 'standard' cgi script
if ($result == 2){
print "<p>&nbsp;</p><p>&nbsp;</p><h3>$lang{loginfailed}</h3>";
if ($reply) { print "$reply<br>"; }
}
if ($result == 2 || $result == 5){
print "<p>&nbsp;</p><p>&nbsp;</p>
<form name=\"form1\" method=\"post\" action=\"$loginpath\"\" onSubmit=\"setCookies()\">
<INPUT TYPE=\"hidden\" NAME=\"challenge\" VALUE=\"$challenge\">
<INPUT TYPE=\"hidden\" NAME=\"uamip\" VALUE=\"$uamip\">
<INPUT TYPE=\"hidden\" NAME=\"uamport\" VALUE=\"$uamport\">
<INPUT TYPE=\"hidden\" NAME=\"userurl\" VALUE=\"$userurldecode\">
<INPUT TYPE=\"hidden\" NAME=\"mac\" VALUE=\"$mac\">
<table style=\"width: 570px;\">
<tr>
<td align=\"right\">$lang{username}:</td>
<td><input type=\"text\" name=\"UserName\" size=\"14\" maxlength=\"128\"></td>
</tr>
<tr>
<td align=\"right\">$lang{password}:</td>
<td><input type=\"password\" name=\"Password\" size=\"14\" maxlength=\"128\"></td>
</tr>
<tr>
<td align=\"center\" colspan=\"2\" height=\"23\"><input type=\"submit\" name=\"button\" value=\"$lang{login}\" onClick=\"javascript:popUp('$loginpath?res=popup1&uamip=$uamip&uamport=$uamport&mac=$mac')\"></td></tr>
<tr>
<td align=\"center\" colspan=\"2\">
<input type=\"checkbox\" name=\"saveusrpass\"> $lang{saveuser}";
if($conf{guestaccess}){
print "<tr><td align=\"center\" colspan=\"2\" height=\"23\">$lang{guestdesc}</td></tr><tr><td align=\"center\" colspan=\"2\" height=\"23\"><input type=\"button\" name=\"button_guest\" value=\"$lang{guestbutton}\" onClick=\"javascript:fillGuestAccess()\"></td></tr>";
}
print " </table></form>";
if($lang{loginstring}) { print "<div style=\"width: 90%; height:330px; overflow:auto; padding-right : 12px; align:center;\"><table><td>$lang{loginstring}</td></table></div>"; }
print "</center></body></html>";
}
if ($result == 1){
print "<p>&nbsp;</p><p>&nbsp;</p><h3>$lang{loggedin}</h3><br>";
if ($lang{loggedinstring}) { print "$lang{loggedinstring}<br><br>"; }
if ($reply) { print "$reply</BR></BR>"; }
print "<a href=\"javascript:doOnBeforeUnLoad(12);\">$lang{logout}</a></center></body></html>";
}
if (($result == 4) || ($result == 12)){
print "<p>&nbsp;</p><p>&nbsp;</p><h3>$lang{loggedin}</h3><br>";
if ($lang{loggedinstring}) { print "$lang{loggedinstring}<br><br>"; }
if ($reply) { print "$reply</BR></BR>"; }
print "<a href=\"javascript:doOnBeforeUnLoad(12);\">$lang{logout}</a><br></center></body></html>";
}
if ($result == 11){
print "<p>&nbsp;</p><p>&nbsp;</p><h3>$lang{longgingin}</h3><br>";
print "<br>$lang{wait}</center></body></html>";
}
if (($result == 3) || ($result == 13)){
print "<p>&nbsp;</p><p>&nbsp;</p><h3>$lang{loggedout}</h3><br>";
if ($lang{loggedoutstring}) { print "$lang{loggedoutstring}<br><br>"; }
print "<a href=\"http://$uamip:$uamport/prelogin\">$lang{login}</a></center></body></html>";
}
exit(0);


@ -0,0 +1,33 @@
/* mod_auth_tkt example css */
BODY {background-image: url(/chilli/images/smeserver_logo.jpg);
background-repeat: no-repeat;
background-position: 400px 40px;
background-position: top;
font-family: arial, helvetica, sans-serif;
font-size: small;
}
P, TH, TD {
font-family: arial, helvetica, sans-serif;
font-size: small;
}
H1, H2, H3, H4, H5, H6 { color: #006; }
H1 { font-size: x-large; }
H2 { font-size: large; }
H3 { font-size: medium; }
.warning { color: #c00; font-size: medium; font-weight: bold; }
TABLE {
background-color: #eee;
color: #666;
border: 1px solid #ccc;
padding: 20px;
}
/* arch-tag: ac35e093-c2c0-4994-bc18-2d25715b1192 */
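Review bot: In the `BODY` rule `background-position` is declared twice, first `400px 40px` and then `top`, so the later `top` wins and the first declaration is dead; keep only the one that is intended. The header comment `/* mod_auth_tkt example css */` names a different component than the hotspot login page, which links `/chilli/css/sme.css` (presumably this sheet), so I would replace it with `/* Coova-Chilli hotspot login page styles */`.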

Binary file not shown.


@ -0,0 +1,21 @@
$lang{chillierror} = "You can only login while connected to the hotspot.";
$lang{login} = "Login";
$lang{guestdesc} = "You can click here to have a limited guest access";
$lang{guestbutton} = "Guest access";
$lang{logout} = "Logout";
$lang{loginfailed} = "Login failed";
$lang{loggingin} = "Logging in";
$lang{loggedin} = "Logged in";
$lang{loggedout} = "Logged out";
$lang{username} = "User";
$lang{password} = "Password";
$lang{wait} = "Please wait ...";
$lang{onlinetime} = "Online time";
$lang{remainingtime} = "Remaining time";
$lang{needencrypted} = "Login must use encrypted connection (https)";
$lang{saveuser} = "Remember user/password";
# Custom resource vars
$lang{loginstring} = "If you have any question, please contact <a href=mailto:$conf{contactinfo}>$conf{contactinfo}</a>";
$lang{loggedinstring} = "Welcome!<br>Closing this windows will disconnect you..";
$lang{loggedoutstring} = "Thanks for using $conf{domain} hotspot service";
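Review bot: The key `loggingin` defined here is not the one the login CGI reads: its `$result == 11` branch prints `$lang{longgingin}`, so the "Logging in" heading renders empty, and the French file in the next section defines the same `loggingin` key and is affected the same way. The fix belongs in the CGI lookup, `$lang{loggingin}`, rather than in a renamed key here. Separately, `loginstring` interpolates `$conf{contactinfo}` into an unquoted `href=mailto:` attribute; quoting the attribute (`<a href=\"mailto:$conf{contactinfo}\">`) and HTML-escaping the value where it is set would keep a contact value containing spaces or markup from breaking out of the tag. `%conf` is populated outside this file, so how trusted that value is cannot be seen from here.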


@ -0,0 +1,22 @@
$lang{chillierror} = "L'identification doit se faire &agrave; travers le d&eacute;mon Coova-Chilli";
$lang{login} = "Identification";
$lang{guestdesc} = "Si vous n'avez pas d'identifiants, cliquez sur ce boutton pour obtenir un acc&egrave;s limit&eacute;";
$lang{guestbutton} = "Acc&egrave;s invit&eacute;";
$lang{logout} = "Se d&eacute;connecter";
$lang{loginfailed} = "L'identification a &eacute;chou&eacute;";
$lang{loggingin} = "Identification en cours";
$lang{loggedin} = "Authentifi&eacute;";
$lang{loggedout} = "D&eacute;connec&eacute;";
$lang{username} = "Utilisateur";
$lang{password} = "Mot de passe";
$lang{wait} = "Veuillez patienter ...";
$lang{onlinetime} = "Dur&eacute;e de la session";
$lang{remainingtime} = "Temps restant";
$lang{needencrypted} = "L'identification doit utiliser une connexion s&eacute;curis&eacute; (https)";
$lang{saveuser} = "Se souvenir de mes identifiants";
# Custom resource vars
$lang{loginstring} = "Pour toute question relative au fonctionnement de cet acc&egrave;s, vous pouvez contacter le responsable <a href=mailto:$conf{contactinfo}>$conf{contactinfo}</a>";
$lang{loggedinstring} = "Bienvenue!<br>La fermeture de cette fen&ecirc;tre terminera votre session.";
$lang{loggedoutstring} = "$conf{domain} vous remercie";

239
smeserver-coova-chilli.spec Normal file

@ -0,0 +1,239 @@
# $Id: smeserver-coova-chilli.spec,v 1.4 2022/07/29 05:25:17 jpp Exp $
# Authority: vip-ire
# Name: Daniel Berteaud
Summary: Coova-Chilli, a captive portal based on ChilliSpot configured for SME server
%define name smeserver-coova-chilli
Name: %{name}
%define version 0.3
%define release 7
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Remote access
Source: %{name}-%{version}.tar.xz
URL: https://contribs.org
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
Requires: e-smith-apache >= 2.6.0-19
Requires: e-smith-release >= 10.0
Requires: openssl
Requires: coova-chilli >= 1.0.13
Requires: e-smith-radiusd >= 1.0.0-18
Requires: perl(NetAddr::IP)
Requires: smeserver-remoteuseraccess
%description
This package allow you to configure a third interface
(eth2). Just plug a WiFi AP on it, and you'll have
a secured captive portal. Users will be redirected
on a logon page and they'll have to enter credentials
(sme accounts) before the server allows them. By default,
they'll only have web access if they are members of the group "chilli"
This contrib will only work in server&gateway mode
%changelog
* Sat Sep 07 2024 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.3-7.sme
- Roll up patches and move to git repo [SME: 12338]
* Sat Sep 07 2024 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
* Fri Jul 29 2022 Jean-Philippe Pialasse <tests@pialasse.com> 0.3-6.sme
- update access syntax for httpd 2.4 [SME: 12041]
* Mon Dec 21 2020 Brian Read <brianr@bjsystems.co.uk> 0.3-5.sme
- Initial Import in SME10 [SME: 11289]
* Tue Jul 05 2016 Jean-Philipe Pialasse <tests@pialasse.com> 0.3-4.sme
- fix old dns default are not available [SME: 9514]
* Tue Jul 05 2016 Jean-Philipe Pialasse <tests@pialasse.com> 0.3-3.sme
- fix format for logout screen [SME: 9514]
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
Thu Sep 03 2008 --> Thu Aug 28 2008 or Wed Sep 03 2008 or Thu Sep 04 2008 or ....
Sun Mar 07 2009 --> Sun Mar 01 2009 or Sat Mar 07 2009 or Sun Mar 08 2009 or ....
Wed Mar 13 2009 --> Wed Mar 11 2009 or Fri Mar 13 2009 or Wed Mar 18 2009 or ....
* Thu May 26 2016 Jean-Philipe Pialasse <tests@pialasse.com> 0.3-2.sme
- fix iptables syntax exclamation mark misplaced [SME: 9514]
- smeserver-coova-chilli-0.3-MasqUpdate.patch
* Fri May 13 2016 Daniel Berteaud <daniel@firewall-services.com> 0.3-1
- Roll new stream for sme9
* Mon Mar 28 2011 Daniel B. <daniel@firewall-services.com> 0.2-20
- Fix uamhomepage setting
* Wed Oct 20 2010 Daniel B. <daniel@firewall-services.com> 0.2-19
- Drop all the trafic not going through the external interface
* Thu Jul 29 2010 Daniel B. <daniel@firewall-services.com> 0.2-18
- cleanup CGI login script
- remove obsolete php templates
- add macallowed DB key to bypass auth for some mac addresses
- add uamhomepage DB key
* Mon Jul 19 2010 Daniel B. <daniel@firewall-services.com> 0.2-17
- Fixes sudo env (bug only in SME8)
- Uses TCPPort squid key instead of TransparentPort so coova can
work with dansguardian
- insert NAT rule just before the ACCEPT (PREROUTING_FROM_CHILLI)
- add transparent directive to squid (required for squid => 2.6)
* Wed Apr 14 2010 Daniel B. <daniel@firewall-services.com> 0.2-16
- Fixe a bug in conup.sh and condown.sh
* Thu Jun 11 2009 Daniel B. <daniel@firewall-services.com> 0.2-15
- Fixe a bug in masq template for uamallowed entries
* Thu May 28 2009 Daniel B. <daniel@firewall-services.com> 0.2-14
- Remove space in hotspot-config.pl template
* Tue May 26 2009 Daniel B. <daniel@firewall-services.com> 0.2-13
- Add noc2c key (allow to disable the option, but default to enabled)
* Thu Apr 30 2009 Daniel B. <daniel@firewall-services.com> 0.2-12
- Create a new user coovachilli
- Add support of new options uid and gid to drop privileges
- Enabled noc2c (prevent client to client communication)
- Use sudo to call conup/condown script (as chilli runs under un
unprivileged account now)
- Add smeserver-remoteuseraccess as a dependency (for sudoers metadata templates)
- move templates2expand in creatlinks script
* Fri Mar 13 2009 Daniel B. <daniel@firewall-services.com> 0.2-11
Wed Mar 13 2009 --> Wed Mar 11 2009 or Fri Mar 13 2009 or Wed Mar 18 2009 or ....
- Automatically allow uamallowed entries in the firewall (no need to
explicitly allow it agin in AllowOutgoing)
* Thu Mar 12 2009 Daniel B. <daniel@firewall-services.com> 0.2-10
- Small typo correction
* Tue Mar 10 2009 Daniel B. <daniel@firewall-services.com> 0.2-9
- Use allready defined localhost NAS to fixe PPTP problem [SME: 4996]
(thanks John K Pruder)
- fix a typo in squid template
* Sat Mar 07 2009 Daniel B. <daniel@firewall-services.com> 0.2-8
- Add dhcpstart and dhcpstop db parameters (thanks John K Pruder)
* Sat Mar 07 2009 Daniel B. <daniel@firewall-services.com> 0.2-7
- Fix tundev template [SME: 5054]
* Thu Sep 18 2008 Daniel B. <daniel@firewall-services.com> 0.2-6
- Remove warning in httpd.conf file (httpd -t)
* Mon Sep 15 2008 Daniel B. <daniel@firewall-services.com> 0.2-5
- Fix Syntax Error in /etc/chilli.conf template (25listen) [SME: 4559]
* Mon Sep 08 2008 Daniel B. <daniel@firewall-services.com> 0.2-4
- Requires perl(NetAddr::IP)
* Fri Sep 5 2008 Daniel B. <daniel@firewall-services.com> 0.2-3
- Chilli IP computed with NetAddr::IP
- Radius timeout set to 3 sec
- syntax error in radius users template fixed (for guest access)
* Wed Sep 03 2008 Daniel B. <daniel@firewall-services.com> 0.2-2
Thu Sep 03 2008 --> Thu Aug 28 2008 or Wed Sep 03 2008 or Thu Sep 04 2008 or ....
- Bug fix for guest access
* Tue Sep 2 2008 Daniel B. <daniel@firewall-services.com> 0.2-1
- uplink and downlink for guest account are configurable via db keys
* Tue Sep 2 2008 Daniel B. <daniel@firewall-services.com> 0.2-0
- Login page is a CGI, with a server-manager login page look
- Guest Access can be enabled with guestAccess key (enabled/disabled)
- merge patchs in main package
* Mon Sep 01 2008 Daniel B. <daniel@firewall-services.com> 0.1-8
- Fix uamallowed not working (since bypass_auth_with_squid_fix patch)
- Add WebRequests key (use of squid or direct connexions, default to direct)
- disable radconf in /etc/chilli/config
- possible to disable https (enabled by default in AllowedOutgoing)
- add tcp:static.sourceforge.net:80 in uamallowed so daloradius homepage is displayed correctly
- add radiustimeout directive so authentication errors display the standard message quickly
* Thu Aug 28 2008 Jonathan Martens <smeserver-contribs@snetram.nl> 0.1-7
- Reverted moving of default db entries to SPEC file since common practice is to store them in files
* Thu Aug 28 2008 Daniel B. <daniel@firewall-services.com> 0.1-6
- split uamallowed (one per line)
- Add dnsparanoia directive
- correct cmdsock directive
- initialise default configuration db in the spec file
* Thu Aug 28 2008 Jonathan Martens <smeserver-contribs@snetram.nl> 0.1-5
- Remove the reset of $OUT from the template
* Thu Aug 28 2008 Daniel B. <daniel@firewall-services.com> 0.1-4
- Add template to enable auth module unix (replace the template-custom)
- Copy images to /opt/chilli/template before removing .rpmnew directory
- Correct dependency (e-smith-radiusd not esmith-radiusd)
* Wed Aug 27 2008 Jonathan Martens <smeserver-contribs@snetram.nl> 0.1-3
- Split requirements to one per line
- Removed .rpmnew directory from package
- Removed the need for templates-custom as package now requires e-smith-radiusd >= 1.0.0-18
* Tue Aug 26 2008 Daniel B. <daniel@firewall-services.com>
- [0.1-2]
- Most firewall customizations (for incomming and forwarded traffic from
chilli network only) can be set through db commands (Patch3)
- Outgoing DNS is allowed only for the two DNS servers configured
- Clean spec file, and put php files in /opt/chilli (Patch4)
* Tue Apr 15 2008 Daniel Berteaud <daniel@firewall-services.com>
- [0.1-1]
- security fixe: auth bypass with squid (patch1)
- masq template not expanded (patch2)
* Fri Apr 04 2008 Daniel Berteaud <daniel@firewall-services.com>
- [0.1]
- initiale release
%prep
%setup
%build
/usr/bin/perl createlinks
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--file /etc/chilli/conup.sh 'attr(755,root,root)' \
--file /etc/chilli/condown.sh 'attr(750,root,root)' \
--file /etc/chilli/call_conup.sh 'attr(755,root,root)' \
--file /etc/chilli/call_condown.sh 'attr(755,root,root)' \
--file /opt/chilli/cgi-bin/hotspotlogin.cgi 'attr(0750,root,www) %config(noreplace)' \
--file /opt/chilli/lang/hotspotlogin.fr.pl 'config(noreplace)' \
--file /opt/chilli/lang/hotspotlogin.en.pl 'config(noreplace)' \
--file /opt/chilli/css/sme.css 'config(noreplace)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%pre
if ! /usr/bin/id coovachilli &>/dev/null; then
/usr/sbin/useradd -c 'Coova Chilli User' -s /sbin/nologin -r -d /etc/chilli coovachilli &>/dev/null || \
%logmsg "Unexpected error adding user \"coovachilli\". Abort installation."
fi
%preun
if [ $1 == 0 ]; then
/sbin/e-smith/db configuration setprop chilli status disabled
/etc/rc.d/init.d/chilli stop >& /dev/null || :
fi
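Review bot: `/opt/chilli/cgi-bin/hotspotlogin.cgi` is packaged as `%config(noreplace)` in the `genfilelist` call, so on any system where the script was edited locally an upgrade keeps the old executable CGI and writes the new one as `.rpmnew`; fixes to the login handler then never reach those installs. Since this script handles the portal credentials, I would ship it as a plain file (`'attr(0750,root,www)'`) and keep `noreplace` for the language and CSS files only. In `%pre`, the `useradd` failure path only emits "Abort installation." through `%logmsg`; if that macro returns success the scriptlet exits 0 and the install continues without the `coovachilli` user, so add `exit 1` after the message if aborting is what is meant. The modes of `conup.sh` (755) and `condown.sh` (750) also differ with no visible reason, and a one-line comment stating the intended mode would help.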