--- /dev/null
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nodogsplash
+PKG_FIXUP:=autoreconf
+PKG_VERSION:=3.2.0
+PKG_RELEASE:=0
+
+PKG_SOURCE_URL:=https://codeload.github.com/nodogsplash/nodogsplash/tar.gz/v$(PKG_VERSION)?
+PKG_SOURCE:=nodogsplash-$(PKG_VERSION).tar.gz
+PKG_HASH:=c9712c21c2cc88724a8104fa63edd4f69d31af24db0fad84db6105fae2d65809
+PKG_BUILD_DIR:=$(BUILD_DIR)/nodogsplash-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Moritz Warning <moritzwarning@web.de>
+PKG_BUILD_PARALLEL:=1
+PKG_LICENSE:=GPL-2.0+
+
+include $(INCLUDE_DIR)/package.mk
+
+
+define Package/nodogsplash
+ SUBMENU:=Captive Portals
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libpthread +iptables-mod-ipopt +libmicrohttpd-no-ssl
+ TITLE:=Open public network gateway daemon
+ URL:=https://github.com/nodogsplash/nodogsplash
+ CONFLICTS:=nodogsplash2
+endef
+
+define Package/nodogsplash/description
+ Nodogsplash is a Captive Portal that offers a simple way to
+ provide restricted access to the Internet by showing a splash
+ page to the user before Internet access is granted.
+ It also incorporates an API that allows the creation of
+ sophisticated authentication applications.
+endef
+
+define Package/nodogsplash/install
+ $(CP) ./files/* $(1)/
+
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/nodogsplash $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/ndsctl $(1)/usr/bin/
+
+ $(INSTALL_DIR) $(1)/etc/nodogsplash/htdocs/images
+ $(CP) $(PKG_BUILD_DIR)/resources/splash.html $(1)/etc/nodogsplash/htdocs/
+ $(CP) $(PKG_BUILD_DIR)/resources/status.html $(1)/etc/nodogsplash/htdocs/
+ $(CP) $(PKG_BUILD_DIR)/resources/splash.jpg $(1)/etc/nodogsplash/htdocs/images/
+endef
+
+define Package/nodogsplash/postrm
+#!/bin/sh
+uci delete firewall.nodogsplash
+uci commit firewall
+endef
+
+define Package/nodogsplash/conffiles
+/etc/config/nodogsplash
+endef
+
+$(eval $(call BuildPackage,nodogsplash))
--- /dev/null
+
+# The options available here are an adaptation of the settings used in nodogsplash.conf.
+# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
+
+config nodogsplash
+ # Set to 0 to disable nodogsplash
+ option enabled 1
+
+ # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
+ # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
+ option fwhook_enabled '1'
+
+ # Serve the file splash.html from this directory
+ option webroot '/etc/nodogsplash/htdocs'
+
+ # Use plain configuration file
+ #option config '/etc/nodogsplash/nodogsplash.conf'
+
+ # Use this option to set the device nogogsplash will bind to.
+ # The value may be an interface section in /etc/config/network or a device name such as br-lan.
+ option gatewayinterface 'br-lan'
+
+ option gatewayname 'OpenWrt Nodogsplash'
+ option maxclients '250'
+
+ # Enables debug output (0-7)
+ #option debuglevel '7'
+
+ # Client timeouts in minutes
+ option preauthidletimeout '10'
+ option authidletimeout '120'
+
+ # Enable BinAuth Support.
+ # If set, a program is called with several parameters on authentication (request) and deauthentication.
+ # Request for authentication:
+ # $<BinAuth> auth_client <client_mac> '<username>' '<password>'
+ #
+ # The username and password values may be empty strings and are URL encoded.
+ # The program is expected to output the number of seconds the client
+ # is to be authenticated. Zero or negative seconds will cause the authentification request
+ # to be rejected. The same goes for an exit code that is not 0.
+ # The output may contain a user specific download and upload limit in KBit/s:
+ # <seconds> <upload> <download>
+ #
+ # Called on authentication or deauthentication:
+ # $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
+ #
+ # "client_auth": Client authenticated via this script.
+ # "client_deauth": Client deauthenticated by the client via splash page.
+ # "idle_deauth": Client was deauthenticated because of inactivity.
+ # "timeout_deauth": Client was deauthenticated because the session timed out.
+ # "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
+ # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
+ # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
+ #
+ # Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
+ #
+ #option binauth '/bin/myauth.sh'
+
+ # Enable Forwarding Authentication Service (FAS)
+ # If set redirection is changed from splash.html to a FAS (provided by the system administrator)
+ # The value is the IP port number of the FAS
+ #option fasport '80'
+
+ # Option: fasremoteip
+ # Default: GatewayAddress (the IP of NDS)
+ # If set, this is the remote ip address of the FAS.
+ #option fasremoteip '46.32.240.41'
+
+ # Option: faspath
+ # Default: /
+ # This is the path from the FAS Web Root to the FAS login page
+ # (not the file system root).
+ #option faspath '/onboard-wifi.net/nodog/fas.php'
+
+ # Option: fas_secure_enabled
+ # Default: 1
+ # If set to "1", authaction and the client token are not revealed and it is the responsibility
+ # of the FAS to request the token from NDSCTL.
+ # If set to "0", the client token is sent to the FAS in clear text in the query string of the
+ # redirect along with authaction and redir.
+ #option fas_secure_enabled '0'
+
+ # Your router may have several interfaces, and you
+ # probably want to keep them private from the network/gatewayinterface.
+ # If so, you should block the entire subnets on those interfaces, e.g.:
+ #list authenticated_users 'block to 192.168.0.0/16'
+ #list authenticated_users 'block to 10.0.0.0/8'
+
+ # Typical ports you will probably want to open up.
+ #list authenticated_users 'allow tcp port 22'
+ #list authenticated_users 'allow tcp port 53'
+ #list authenticated_users 'allow udp port 53'
+ #list authenticated_users 'allow tcp port 80'
+ #list authenticated_users 'allow tcp port 443'
+ # Or for happy customers allow all
+ list authenticated_users 'allow all'
+
+ # For preauthenticated users to resolve IP addresses in their
+ # initial request not using the router itself as a DNS server,
+ # Leave commented to help prevent DNS tunnelling
+ #list preauthenticated_users 'allow tcp port 53'
+ #list preauthenticated_users 'allow udp port 53'
+
+ # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
+ list users_to_router 'allow tcp port 22'
+ list users_to_router 'allow tcp port 23'
+ list users_to_router 'allow tcp port 53'
+ list users_to_router 'allow udp port 53'
+ list users_to_router 'allow udp port 67'
+ list users_to_router 'allow tcp port 80'
+
+ # MAC addresses that are / are not allowed to access the splash page
+ # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
+ #option macmechanism 'allow'
+ #list allowedmac '00:00:C0:01:D0:0D'
+ #list allowedmac '00:00:C0:01:D0:1D'
+ #list blockedmac '00:00:C0:01:D0:2D'
+
+ # MAC addresses that do not need to authenticate
+ #list trustedmac '00:00:C0:01:D0:1D'
+
+ # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
+ # This mask can conflict with the requirements of other packages such as mwan3, sqm etc
+ # Any values set here are interpreted as in hex format.
+ #
+ # List: fw_mark_authenticated
+ # Default: 30000 (0011|0000|0000|0000|0000 binary)
+ #
+ # List: fw_mark_trusted
+ # Default: 20000 (0010|0000|0000|0000|0000 binary)
+ #
+ # List: fw_mark_blocked
+ # Default: 10000 (0001|0000|0000|0000|0000 binary)
+ #
+ #list fw_mark_authenticated '30000'
+ #list fw_mark_trusted '20000'
+ #list fw_mark_blocked '10000'
+
--- /dev/null
+#!/bin/sh /etc/rc.common
+
+#
+# Startup/shutdown script for nodogsplash captive portal
+#
+
+START=95
+STOP=95
+
+USE_PROCD=1
+
+IPT=/usr/sbin/iptables
+WD_DIR=/usr/bin
+# -s -d 5 runs in background, with level 5 (not so verbose) messages to syslog
+# -f -d 7 runs in foreground, with level 7 (verbose) debug messages to terminal
+OPTIONS="-s -f -d 5"
+CONFIG=""
+
+
+addline() {
+ append CONFIG "$1" "$N"
+}
+
+setup_mac_lists() {
+ local cfg="$1"
+ local macs=""
+ local val
+
+ append_mac() {
+ append macs "$1" ","
+ }
+
+ config_get val "$cfg" macmechanism
+ if [ -z "$val" ]; then
+ # Check if we have AllowedMACList or BlockedMACList defined they will be ignored
+ config_get val "$cfg" allowedmac
+ if [ -n "$val" ]; then
+ echo "Ignoring allowedmac - macmechanism not \"allow\"" >&2
+ fi
+
+ config_get val "$cfg" blockedmac
+ if [ -n "$val" ]; then
+ echo "Ignoring blockedmac - macmechanism not \"block\"" >&2
+ fi
+ elif [ "$val" = "allow" ]; then
+ config_list_foreach "$cfg" allowedmac append_mac
+ addline "AllowedMACList $macs"
+ elif [ "$val" = "block" ]; then
+ config_list_foreach "$cfg" blockedmac append_mac
+ addline "BlockedMACList $macs"
+ else
+ echo "Invalid macmechanism '$val' - allow or block are valid." >&2
+ exit 1
+ fi
+
+ macs=""
+ config_list_foreach "$cfg" trustedmac append_mac
+ if [ -n "$macs" ]; then
+ addline "TrustedMACList $macs"
+ fi
+}
+
+setup_firewall() {
+ local cfg="$1"
+ local uci_name
+ local val
+
+ append_firewall() {
+ addline " FirewallRule $1"
+ }
+
+ for rule in authenticated-users preauthenticated-users users-to-router trusted-users trusted-users-to-router; do
+ # uci does not allow dashes
+ uci_name=${rule//-/_}
+ addline "FirewallRuleSet $rule {"
+ config_list_foreach "$cfg" "$uci_name" append_firewall
+ addline "}"
+ config_get val "$cfg" "policy_${uci_name}"
+ if [ -n "$val" ]; then
+ addline "EmptyRuleSetPolicy $rule $val"
+ fi
+ done
+}
+
+wait_for_interface() {
+ local ifname="$1"
+ local timeout=10
+
+ for i in $(seq $timeout); do
+ if [ $(ip -4 addr show dev $ifname 2> /dev/null | grep -c inet) -ne 0 ]; then
+ break
+ fi
+ sleep 1
+ if [ $i = $timeout ]; then
+ echo "Interface $ifname not detected." >&2
+ exit 1
+ fi
+ done
+}
+
+generate_uci_config() {
+ local cfg="$1"
+ local val
+ local ifname
+ local download
+ local upload
+
+ # Init config file content
+ CONFIG="# auto-generated config file from /etc/config/nodogsplash"
+
+ config_get val "$cfg" config
+ if [ -n "$val" ]; then
+ if [ ! -f "$val" ]; then
+ echo "Configuration file '$file' doesn't exist." >&2
+ exit 1
+ fi
+ addline "$(cat $val)"
+ fi
+
+ config_get ifname "$cfg" gatewayinterface
+ if [ -z "$ifname" ]; then
+ config_get ifname "$cfg" network
+ fi
+
+ # Get device name if interface name is a section name in /etc/config/network
+ if network_get_device tmp "$ifname"; then
+ ifname="$tmp"
+ fi
+
+ if [ -z "$ifname" ]; then
+ echo "Option network or gatewayinterface missing." >&2
+ exit 1
+ fi
+
+ wait_for_interface "$ifname"
+
+ addline "GatewayInterface $ifname"
+
+ for option in binauth fasport fasremoteip faspath fas_secure_enabled \
+ daemon debuglevel maxclients gatewayname gatewayinterface gatewayiprange \
+ gatewayaddress gatewayport webroot splashpage statuspage imagesdir pagesdir \
+ redirecturl preauthidletimeout authidletimeout checkinterval setmss mssvalue \
+ trafficcontrol downloadlimit uploadlimit downloadimq uploadimq syslogfacility \
+ ndsctlsocket fw_mark_authenticated fw_mark_blocked fw_mark_trusted
+ do
+ config_get val "$cfg" "$option"
+
+ if [ -n "$val" ]; then
+ addline "$option $val"
+ fi
+ done
+
+ config_get download "$cfg" downloadlimit
+ config_get upload "$cfg" uploadlimit
+
+ if [ -n "$upload" -o -n "$download" ]; then
+ addline "TrafficControl yes"
+ fi
+
+ setup_mac_lists "$cfg"
+ setup_firewall "$cfg"
+
+ echo "$CONFIG" > "/tmp/etc/nodogsplash_$cfg.conf"
+}
+
+# setup configuration and start instance
+create_instance() {
+ local cfg="$1"
+ local val
+
+ config_get_bool val "$cfg" enabled 0
+ [ $val -gt 0 ] || return 0
+
+ generate_uci_config "$cfg"
+
+ procd_open_instance $cfg
+ procd_set_param command /usr/bin/nodogsplash -c "/tmp/etc/nodogsplash_$cfg.conf" $OPTIONS
+ procd_set_param respawn
+ procd_set_param file "/tmp/etc/nodogsplash_$cfg.conf"
+ procd_close_instance
+}
+
+start_service() {
+ # For network_get_device()
+ include /lib/functions
+
+ # For nodogsplash.conf file
+ mkdir -p /tmp/etc/
+
+ config_load nodogsplash
+ config_foreach create_instance nodogsplash
+}
+
+stop_service() {
+ # When procd terminates nodogsplash, it does not exit fast enough.
+ # Otherwise procd will restart nodogsplash twice. First time starting
+ # nodogsplash fails, second time it succeeds.
+ sleep 1
+}
--- /dev/null
+#!/bin/sh
+
+uci -q batch <<-EOF
+ delete firewall.nodogsplash
+ set firewall.nodogsplash=include
+ set firewall.nodogsplash.type=script
+ set firewall.nodogsplash.path=/usr/lib/nodogsplash/restart.sh
+ commit firewall
+EOF
--- /dev/null
+#!/bin/sh
+
+# Check if nodogsplash is running
+if ndsctl status &> /dev/null; then
+ if [ "$(uci -q get nodogsplash.@nodogsplash[0].fwhook_enabled)" = "1" ]; then
+ /etc/init.d/nodogsplash restart
+ fi
+fi
projects / feed / routing.git / commitdiff