personal_interest_mirrors/linux-router
1
0
Fork 0
mirror of https://github.com/garywill/linux-router.git synced 2025-12-30 10:48:28 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: personal_interest_mirrors:0.6.0
Branches Tags
personal_interest_mirrors:master personal_interest_mirrors:workaround-31 personal_interest_mirrors:dev-12 personal_interest_mirrors:history
personal_interest_mirrors:0.8.1 personal_interest_mirrors:0.7.6 personal_interest_mirrors:0.7.3 personal_interest_mirrors:0.7.1 personal_interest_mirrors:0.7.1b personal_interest_mirrors:0.6.7 personal_interest_mirrors:0.6.6 personal_interest_mirrors:0.6.5 personal_interest_mirrors:0.6.2 personal_interest_mirrors:0.6.0
..
compare: personal_interest_mirrors:0.6.5
Branches Tags
personal_interest_mirrors:master personal_interest_mirrors:workaround-31 personal_interest_mirrors:dev-12 personal_interest_mirrors:history
personal_interest_mirrors:0.8.1 personal_interest_mirrors:0.7.6 personal_interest_mirrors:0.7.3 personal_interest_mirrors:0.7.1 personal_interest_mirrors:0.7.1b personal_interest_mirrors:0.6.7 personal_interest_mirrors:0.6.6 personal_interest_mirrors:0.6.5 personal_interest_mirrors:0.6.2 personal_interest_mirrors:0.6.0

9 Commits
0.6.0 ... 0.6.5

Author SHA1 Message Date
garywill
7c6113f1d2 0.6.5 2021-11-07 10:29:12 +08:00
garywill
0ccdcf647a correct description about '--dhcp-dns(6)' 2021-11-07 10:28:36 +08:00
garywill
61a5af2202 more text 2021-10-23 10:56:51 +08:00
garywill
d2bc2d9460 readme fold 2021-10-23 10:16:12 +08:00
garywill
2468b5a415 Version 0.6.3. Tested nftables 
Stop judging xt_comment by lsmod, which wasn't reliable
Users who want to disable iptables comment should set env var
 2021-08-29 10:27:17 +08:00
garywill
3b71515e07 hostapd in apparmor complain mode 
to solve problem that openSUSE users meet
 2021-08-29 10:24:50 +08:00
garywill
c2b21bb391 0.6.2 2021-08-22 09:27:49 +08:00
garywill
e5fc9efe48 support short gateway ip expression 
fix dnsmasq pid not get
watchdog zombie judgement
iptables nft and comment judgement
use fifo for dnsmasq log
 2021-04-17 12:29:53 +08:00
garywill
1e3c5004c3 some improvements 
add '-l'

change MAC addr backking up and restoring judgement to OLD_MACADDR ==
now

filter --lc STATUS==FAILED line

fix iw and iwconfig availability not checked

not use die() before trap
 2021-02-22 09:20:41 +08:00
3 changed files with 315 additions and 141 deletions
Expand all files Collapse all files

42
NOTICE
View File

@@ -1,42 +0,0 @@
Copyright (c) 2013, oblique
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================================================
linux-router
Copyright (C) 2018 garywill
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

226
README.md
View File

@@ -4,7 +4,7 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) :) [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## Features ## Features
@@ -12,15 +12,16 @@ Basic features:
- Create a NATed sub-network - Create a NATed sub-network
- Provide Internet - Provide Internet
- DHCP server and RA - DHCP server (and RA) + DNS server
- DNS server - Configuring what DNS the DHCP server offers to clients
- Configuring upstream DNS for local DNS server (kind of a DNS proxy)
- IPv6 (behind NATed LAN, like IPv4) - IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot: - Creating Wifi hotspot:
- Channel selecting - Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (require same channel) - Create AP on the same interface you are getting Internet (usually require same channel)
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- DNS proxy - Transparent DNS proxy (hijack port 53 packets)
- Compatible with NetworkManager (automatically set interface as unmanaged) - Compatible with NetworkManager (automatically set interface as unmanaged)
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@@ -66,12 +67,7 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
sudo lnxrouter -i eth1 sudo lnxrouter -i eth1
``` ```
### Provide an interface's Internet to another interface no matter which interface (other than `eth1`) you're getting Internet from.
```
sudo lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
```
> Read _Notice 1_
### Create Wifi hotspot ### Create Wifi hotspot
@@ -79,8 +75,31 @@ sudo lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
``` ```
no matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot.
### Provide an interface's Internet to another interface
Clients access Internet through only `isp5`
<details>
```
sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
```
> In this case of usage, it's recommended to:
>
> 1. Stop serving local DNS
> 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
> Also, read *Notice 1*
</details>
### LAN without Internet ### LAN without Internet
<details>
``` ```
sudo lnxrouter -n -i eth1 sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
@@ -88,9 +107,12 @@ sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
> Read _Notice 1_ > Read _Notice 1_
</details>
### Internet for LXC ### Internet for LXC
<details>
Create a bridge Create a bridge
``` ```
@@ -110,10 +132,16 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
sudo lnxrouter -i lxcbr5 sudo lnxrouter -i lxcbr5
``` ```
### Transparent proxy with Tor </details>
### Transparent proxy
All clients' Internet traffic go through, for example, Tor
<details>
``` ```
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7:: sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::
``` ```
In `torrc` In `torrc`
@@ -125,9 +153,13 @@ TransPort [fd00:5:6:7::1]:9040
DNSPort [fd00:5:6:7::1]:9053 DNSPort [fd00:5:6:7::1]:9053
``` ```
</details>
### Clients-in-sandbox network ### Clients-in-sandbox network
To not give our infomation to clients: To not give our infomation to clients. Clients can still access Internet.
<details>
``` ```
sudo lnxrouter -i eth1 \ sudo lnxrouter -i eth1 \
@@ -137,11 +169,14 @@ sudo lnxrouter -i eth1 \
--catch-dns --log-dns # optional --catch-dns --log-dns # optional
``` ```
> This script comes with no warrenty, use on your own risk </details>
> This script comes with no warrenty. Use on your own risk
### Use as transparent proxy for LXD ### Use as transparent proxy for LXD
<details>
Create a bridge Create a bridge
``` ```
@@ -192,16 +227,24 @@ To remove the customized `eth0` to restore default `eth0`
lxc config device remove <container> eth0 lxc config device remove <container> eth0
``` ```
</details>
### Use as transparent proxy for VirtualBox ### Use as transparent proxy for VirtualBox
<details>
In VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled. In VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.
``` ```
sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053 sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
``` ```
</details>
### Use as transparent proxy for firejail ### Use as transparent proxy for firejail
<details>
Create a bridge Create a bridge
``` ```
@@ -210,11 +253,15 @@ sudo brctl addbr firejail5
``` ```
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd # nscd is cache service, which shouldn't be accessed in jail here
``` ```
</details>
### CLI usage and other features ### CLI usage and other features
<details>
``` ```
Usage: lnxrouter <options> Usage: lnxrouter <options>
@@ -226,19 +273,22 @@ Options:
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create Wifi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet (See Notice 1)
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6' (See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6' (example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
Use ',' to seperate multiple servers Use ',' to seperate multiple servers
@@ -248,33 +298,34 @@ Options:
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
whose destination port is 53 to this host whose destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log (dnsmasq)
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host) Set IPv4 DNS offered by DHCP (default: this host).
--dhcp-dns6 <IP1[,IP2]>|no --dhcp-dns6 <IP1[,IP2]>|no
Set IPv6 DNS offered by DHCP (RA) Set IPv6 DNS offered by DHCP (RA)
(default: this host) (default: this host)
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
Using both above two will enable '--no-dns'
--hostname <name> DNS server associate this name with this host. --hostname <name> DNS server associate this name with this host.
Use '-' to read name from /etc/hostname Use '-' to read name from /etc/hostname
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
-e <hosts_file> DNS server will take into account additional -e <hosts_file> DNS server will take into account additional
hosts file hosts file
--mac <MAC> Set MAC address --mac <MAC> Set MAC address
--random-mac Use random MAC address --random-mac Use random MAC address
--tp <port> Transparent proxy, --tp <port> Transparent proxy,
redirect non-LAN TCP and UDP traffic to port. redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns') (usually used with '--dns')
Wifi hotspot options: Wifi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create Wifi access point
-p, --password <password> -p, --password <password>
Wifi password Wifi password
--qr Show Wifi QR code in terminal --qr Show Wifi QR code in terminal
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
Using this you can't use same wlan interface Using this you can't use same wlan interface
@@ -293,24 +344,33 @@ Options:
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
--ieee80211n Enable IEEE 802.11n (HT) --ieee80211n Enable IEEE 802.11n (HT)
--ieee80211ac Enable IEEE 802.11ac (VHT) --ieee80211ac Enable IEEE 802.11ac (VHT)
--ht_capab <HT> HT capabilities (default: [HT40+]) --ht_capab <HT> HT capabilities (default: [HT40+])
--vht_capab <VHT> VHT capabilities --vht_capab <VHT> VHT capabilities
--no-haveged Do not run haveged automatically when needed --no-haveged Do not run haveged automatically when needed
Instance managing: Instance managing:
--daemon Run in background --daemon Run in background
--list-running Show running instances -l, --list-running Show running instances
--lc, --list-clients <id> --lc, --list-clients <id|interface>
List clients of an instance. Or list neighbors of List clients of an instance. Or list neighbors of
any interface, even if it isn't handled by us an interface, even if it isn't handled by us.
(passive mode)
--stop <id> Stop a running instance --stop <id> Stop a running instance
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
```
</details>
## Notice
<details>
```
Notice 1: This script assume your host's default policy won't forward Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets mode. In some unexpected case may cause unwanted packets
@@ -318,13 +378,18 @@ Options:
want isolated network want isolated network
``` ```
> These changes to system will not be restored by script's cleanup: </details>
> 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
> 1. dnsmasq in Apparmor complain mode
> 1. Kernel module `nf_nat_pptp` loaded
> 1. The wifi device which is used to create hotspot is `rfkill unblock`ed
> 1. Wifi country code, if user specified
## What changes are done to Linux system
On exit of a linux-router instance, script **will do cleanup**, i.e. undo most changes to system. Though, **some** changes will **not** be undone, which are:
1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
2. dnsmasq (if used) in Apparmor complain mode
3. hostapd (if used) in Apparmor complain mode
4. Kernel module `nf_nat_pptp` loaded
5. The wifi device which is used to create hotspot is `rfkill unblock`ed
6. Wifi country code, if user specified
## Dependencies ## Dependencies
@@ -332,31 +397,92 @@ Options:
- procps or procps-ng - procps or procps-ng
- iproute2 - iproute2
- dnsmasq - dnsmasq
- iptables - iptables (or nftables with `iptables-nft` translation linked)
- WiFi hotspot dependencies - WiFi hotspot dependencies
- hostapd - hostapd
- iw - iw
- iwconfig (you only need this if 'iw' can not recognize your adapter) - iwconfig (you only need this if 'iw' can not recognize your adapter)
- haveged (optional) - haveged (optional)
- qrencode (opional) - qrencode (optional)
## TODO ## TODO
<details>
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed
- Bring bridging method back - Bring bridging method back
## Donate </details>
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ## License
^\_^o自自o^_^ linux-router is LGPL licensed
No? Okay, or just give me a star! <details>
## For developers ```
linux-router
Copyright (C) 2018 garywill
**Many thanks to project [create_ap](https://github.com/oblique/create_ap)**. This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap) This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
```
</details>
Upstream create_ap was BSD licensed
<details>
```
Copyright (c) 2013, oblique
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```
</details>
## Meet developer(s) and become one of them
Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
>
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻
🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here!

188
lnxrouter Executable file → Normal file
View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=0.6.0 VERSION=0.6.5
PROGNAME="$(basename $0)" PROGNAME="$(basename $0)"
export LC_ALL=C export LC_ALL=C
@@ -8,10 +8,16 @@ export LC_ALL=C
SCRIPT_UMASK=0122 SCRIPT_UMASK=0122
umask $SCRIPT_UMASK umask $SCRIPT_UMASK
phead() {
echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
}
phead2() {
echo "Released under LGPL, with no warranty. Use on your own risk."
}
usage() { usage() {
phead
phead2
cat << EOF cat << EOF
linux-router $VERSION (https://github.com/garywill/linux-router)
Released under LGPL, with no warranty. Use on your own risk.
Usage: $PROGNAME <options> Usage: $PROGNAME <options>
@@ -23,18 +29,21 @@ Options:
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create Wifi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet (See Notice 1)
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6' (See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6' (example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
@@ -45,13 +54,14 @@ Options:
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
whose destination port is 53 to this host whose destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log (dnsmasq)
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host) Set IPv4 DNS offered by DHCP (default: this host).
--dhcp-dns6 <IP1[,IP2]>|no --dhcp-dns6 <IP1[,IP2]>|no
Set IPv6 DNS offered by DHCP (RA) Set IPv6 DNS offered by DHCP (RA)
(default: this host) (default: this host)
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
Using both above two will enable '--no-dns'
--hostname <name> DNS server associate this name with this host. --hostname <name> DNS server associate this name with this host.
Use '-' to read name from /etc/hostname Use '-' to read name from /etc/hostname
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
@@ -100,10 +110,11 @@ Options:
Instance managing: Instance managing:
--daemon Run in background --daemon Run in background
--list-running Show running instances -l, --list-running Show running instances
--lc, --list-clients <id> --lc, --list-clients <id|interface>
List clients of an instance. Or list neighbors of List clients of an instance. Or list neighbors of
any interface, even if it isn't handled by us an interface, even if it isn't handled by us.
(passive mode)
--stop <id> Stop a running instance --stop <id> Stop a running instance
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
@@ -116,9 +127,7 @@ Options:
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
$PROGNAME --ap wlan0 MyAccessPoint
$PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
$PROGNAME -n --ap wlan0 MyAccessPoint -p MyPassPhrase
$PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy> $PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
EOF EOF
} }
@@ -440,7 +449,7 @@ parse_user_options(){
STOP_ID="$1" STOP_ID="$1"
shift shift
;; ;;
--list-running) -l|--list-running)
shift shift
LIST_RUNNING=1 LIST_RUNNING=1
;; ;;
@@ -735,7 +744,7 @@ haveged_watchdog() {
echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2 echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2
show_warn=0 show_warn=0
fi fi
elif ! pidof haveged > /dev/null 2>&1; then elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ?
echo "Low entropy detected, starting haveged" 1>&2 echo "Low entropy detected, starting haveged" 1>&2
# boost low-entropy # boost low-entropy
haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
@@ -744,7 +753,24 @@ haveged_watchdog() {
sleep 2 sleep 2
done done
} }
pid_watchdog() {
local PID="$1"
local SLEEP="$2"
local ERR_MSG="$3"
local ST
while true
do
if [[ -e "/proc/$PID" ]]; then
ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')"
if [[ "$ST" != 'Z' ]]; then
sleep $SLEEP
continue
fi
fi
die "$ERR_MSG"
done
}
#======== #========
@@ -791,15 +817,36 @@ nm_restore_manage() {
fi fi
} }
#========= #=========
check_iptables()
{
echo
iptables --version
if which firewall-cmd > /dev/null 2>&1; then
if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then
echo "firewalld is running ($(firewall-cmd --version))"
echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN: 2) disable firewalld\n" >&2
# TODO
fi
fi
}
iptables_() iptables_()
{ {
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" # NETFILTER_XT_MATCH_COMMENT would be a env variable if user wants to disable '-m comment'
if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
iptables -w $@
else
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
fi
return $? return $?
} }
ip6tables_() ip6tables_()
{ {
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
ip6tables -w $@
else
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
fi
return $? return $?
} }
@@ -842,7 +889,8 @@ start_ban_lan() {
echo echo
echo "iptables: Disallow clients to access LAN" echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die iptables_ -N BANLAN-f-${SUBNET_IFACE} || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
@@ -857,6 +905,7 @@ start_ban_lan() {
iptables_ -N BANLAN-i-${SUBNET_IFACE} iptables_ -N BANLAN-i-${SUBNET_IFACE}
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
# ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
@@ -960,6 +1009,7 @@ unallow_dhcp() {
fi fi
} }
# TODO: use 'DNAT' instead of '--to-ports' to support other IP
start_redsocks() { start_redsocks() {
echo echo
echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}" echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
@@ -1026,7 +1076,7 @@ backup_ipv6_bits() {
"/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" \
"/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" \
"/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" \
"$CONFDIR/sys_6_conf_iface/" || die "Failed backking up interface ipv6 bits" "$CONFDIR/sys_6_conf_iface/" || die "Failed backing up interface ipv6 bits"
if [[ "$SHARE_METHOD" == 'redsocks' ]] ; then if [[ "$SHARE_METHOD" == 'redsocks' ]] ; then
cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" \ cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" \
@@ -1066,10 +1116,10 @@ backup_interface_status() {
(ip link show ${SUBNET_IFACE} |grep -q "state UP") && SUBNET_IFACE_ORIGINAL_UP_STATUS=1 (ip link show ${SUBNET_IFACE} |grep -q "state UP") && SUBNET_IFACE_ORIGINAL_UP_STATUS=1
# save interface old mac # save interface old mac
if [[ -n "$NEW_MACADDR" ]]; then #if [[ -n "$NEW_MACADDR" ]]; then
OLD_MACADDR=$(get_interface_mac $SUBNET_IFACE) OLD_MACADDR=$(get_interface_mac $SUBNET_IFACE)
echo "Saved ${SUBNET_IFACE} old MAC address ${OLD_MACADDR} into RAM" #echo "Saved ${SUBNET_IFACE} old MAC address ${OLD_MACADDR} into RAM"
fi #fi
backup_ipv6_bits backup_ipv6_bits
@@ -1084,9 +1134,9 @@ restore_interface_status() {
restore_ipv6_bits restore_ipv6_bits
if [[ -n "$OLD_MACADDR" ]] ; then if [[ -n "$OLD_MACADDR" && "$(get_interface_mac $SUBNET_IFACE)" != "$OLD_MACADDR" ]] ; then
echo "Restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR} ..." echo "Restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR} ..."
set_interface_mac ${SUBNET_IFACE} ${OLD_MACADDR} && echo "Successfully restored ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR}" set_interface_mac ${SUBNET_IFACE} ${OLD_MACADDR} || echo "Failed restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR}" >&2
fi fi
nm_restore_manage nm_restore_manage
@@ -1106,7 +1156,7 @@ kill_processes() { # for this instance
pn=$( ps -p $pid -o comm= ) pn=$( ps -p $pid -o comm= )
#echo "Killing $pid $pn ... " #echo "Killing $pid $pn ... "
pkill -P $pid pkill -P $pid
kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited" kill $pid 2>/dev/null && ( echo "Killed $(basename $x) $pid $pn" && rm $x ) || echo "Failed to kill $(basename $x) $pid $pn, it may have exited"
fi fi
done done
} }
@@ -1180,6 +1230,7 @@ cleanup() {
#kill -9 -$pgid #kill -9 -$pgid
} }
# NOTE function die() is designed not to be used before init_trap() executed
die() { # SIGUSR2 die() { # SIGUSR2
echo "Error occured" echo "Error occured"
[[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2 [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2
@@ -1204,7 +1255,7 @@ init_conf_dirs() {
chmod 755 "$TMPDIR" 2>/dev/null chmod 755 "$TMPDIR" 2>/dev/null
cd "$TMPDIR" || die "Couldn't change directory to linux-router's temporary path" cd "$TMPDIR" || die "Couldn't change directory to linux-router's temporary path"
CONFDIR="$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXX)" || die "Instance couldn't make config dir" # config dir for one instance CONFDIR="$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXXXXX)" || die "Instance couldn't make config dir" # config dir for one instance
chmod 755 "$CONFDIR" chmod 755 "$CONFDIR"
#echo "Config dir: $CONFDIR" #echo "Config dir: $CONFDIR"
echo $$ > "$CONFDIR/pid" echo $$ > "$CONFDIR/pid"
@@ -1267,18 +1318,19 @@ print_clients_from_leases() { # MAC|IP|HOST|lease
FILEC="$(cat "$LEASE_FILE" | grep -v -E "^duid\b" | sed -r '/^\s*$/d' )" FILEC="$(cat "$LEASE_FILE" | grep -v -E "^duid\b" | sed -r '/^\s*$/d' )"
# TODO: duid is somewhat related to ipv6. I don't know about it. Not sure excluding it miss some info or not
echo "$FILEC" | while read line echo "$FILEC" | while read line
do do
#echo aa$line #echo aa$line
LEASEstamp="$(echo "$line" | awk '{print $1}')" LEASEstamp="$(echo "$line" | awk '{print $1}')"
MAC="$(echo "$line" | awk '{print $2}')" MAC="$(echo "$line" | awk '{print $2}')"
IP="$(echo "$line" | awk '{print $3}' | sed 's/\[//g' | sed 's/\]//g')" IP="$(echo "$line" | awk '{print $3}' | sed 's/\[//g' | sed 's/\]//g')"
HOST="$(echo "$line" | awk '{print $4}' | sed 's/*/?/g')" HOST="$(echo "$line" | awk '{print $4}' | sed 's/*/?/g' | sed 's/|/_/g' | sed 's/ /_/g' )"
if [[ -n "$MAC" ]]; then if [[ -n "$MAC" ]]; then
LEASEstr="$(date -d @${LEASEstamp} +%m-%d_%X)" LEASEstr="$(date -d @${LEASEstamp} +%m-%d_%X)"
echo "$MAC|$IP|$HOST|$LEASEstr" echo "$MAC|$IP|$HOST|lease_$LEASEstr"
fi fi
done done
@@ -1303,7 +1355,7 @@ print_interface_neighbors_via_iproute() { # MAC|IP|_|STATUS
MAC="?" MAC="?"
STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";{print}' | awk '{$1=$1;print}' | sed 's/ /,/g')" STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";{print}' | awk '{$1=$1;print}' | sed 's/ /,/g')"
fi fi
if [[ -n "$IP" ]]; then if [[ -n "$IP" && ( "$MAC" != "?" || "$STATUS" != "FAILED" ) ]]; then
echo "$MAC|$IP|?|$STATUS" echo "$MAC|$IP|?|$STATUS"
fi fi
done done
@@ -1315,12 +1367,12 @@ print_interface_neighbors_via_iw() { # MAC|_|_|signal
do do
if [[ -n "$MAC" ]]; then if [[ -n "$MAC" ]]; then
SIGNAL="$(iw dev $IFACE station get $MAC | grep "signal:" | awk '{print $2}')" SIGNAL="$(iw dev $IFACE station get $MAC | grep "signal:" | awk '{print $2}')"
echo "${MAC}|?|?|${SIGNAL} dBm" echo "${MAC}|?|?|${SIGNAL}_dBm"
fi fi
done done
} }
list_clients() { list_clients() { # passive mode. (use 'arp-scan' or 'netdiscover' if want active mode)
local IFACE pid local IFACE pid
local CONFDIR local CONFDIR
@@ -1336,7 +1388,7 @@ list_clients() {
else # non-number given else # non-number given
IFACE="$1" IFACE="$1"
if ( ! is_interface $IFACE ) ; then if ( ! is_interface $IFACE ) ; then
echo "'$IFACE' is not an interface" >&2 echo "'$IFACE' is not an interface or PID" >&2
exit 1 exit 1
fi fi
pid=$(get_pid_from_subn_iface "$IFACE") pid=$(get_pid_from_subn_iface "$IFACE")
@@ -1459,6 +1511,19 @@ daemonizing_check(){
#============================ #============================
check_wifi_settings() { check_wifi_settings() {
if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then
echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ..." >&2
USE_IWCONFIG=1
fi
if [[ $USE_IWCONFIG -eq 1 ]]; then
if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then
echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2
exit 1
fi
fi
if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then
echo "ERROR: Invalid frequency band" >&2 echo "ERROR: Invalid frequency band" >&2
exit 1 exit 1
@@ -1547,8 +1612,8 @@ decide_target_interface() {
elif [[ "$WIFI_IFACE" ]]; then elif [[ "$WIFI_IFACE" ]]; then
echo "$WIFI_IFACE" echo "$WIFI_IFACE"
else else
die "No target interface specified" echo "No target interface specified" >&2
exit 1 return 1
fi fi
} }
@@ -1556,11 +1621,15 @@ decide_ip_addresses() {
if [[ ! -n $GATEWAY ]]; then if [[ ! -n $GATEWAY ]]; then
GATEWAY="$(generate_random_ip4)" GATEWAY="$(generate_random_ip4)"
echo "Use random LAN IPv4 address $GATEWAY" echo "Use random LAN IPv4 address $GATEWAY"
elif [[ ! "$GATEWAY" =~ "." ]]; then
GATEWAY="192.168.${GATEWAY}.1"
fi fi
if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
PREFIX6="$(generate_random_lan_ip6_prefix)" PREFIX6="$(generate_random_lan_ip6_prefix)"
echo "Use random LAN IPv6 address ${PREFIX6}${IID6}" echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
elif [[ ! "$PREFIX6" =~ ":" ]]; then
PREFIX6="fd00:0:0:${PREFIX6}::"
fi fi
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
GATEWAY6="${PREFIX6}${IID6}" GATEWAY6="${PREFIX6}${IID6}"
@@ -1595,8 +1664,9 @@ prepare_wifi_interface() {
VWIFI_IFACE=$(alloc_new_vface_name) VWIFI_IFACE=$(alloc_new_vface_name)
if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
# Successfully created virtual wifi interface # Successfully created virtual wifi interface
sleep 2 # wait for virtual interface MAC may change by system (but could be changed back by other programs) # if NM running, it will give the new virtual interface a random MAC. MAC will go back after setting NM unmanaged
echo "${VWIFI_IFACE} created)" sleep 2
echo "${VWIFI_IFACE} created"
else else
VWIFI_IFACE= VWIFI_IFACE=
die "Failed creating virtual WiFi interface. Maybe your WiFi adapter does not fully support virtual interfaces. Try again with '--no-virt'" die "Failed creating virtual WiFi interface. Maybe your WiFi adapter does not fully support virtual interfaces. Try again with '--no-virt'"
@@ -1712,6 +1782,11 @@ write_dnsmasq_conf() {
else else
NOBODY_GROUP="nogroup" NOBODY_GROUP="nogroup"
fi fi
mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"
chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner"
cat "$CONFDIR/dnsmasq.log" &
cat <<- EOF > "$CONFDIR/dnsmasq.conf" cat <<- EOF > "$CONFDIR/dnsmasq.conf"
user=nobody user=nobody
group=$NOBODY_GROUP group=$NOBODY_GROUP
@@ -1723,7 +1798,7 @@ write_dnsmasq_conf() {
dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
dhcp-option-force=option:router,${GATEWAY} dhcp-option-force=option:router,${GATEWAY}
#log-dhcp #log-dhcp
log-facility=/dev/stdout log-facility=$CONFDIR/dnsmasq.log
bogus-priv bogus-priv
domain-needed domain-needed
EOF EOF
@@ -1793,6 +1868,7 @@ run_wifi_ap_processes() {
haveged_watchdog & haveged_watchdog &
HAVEGED_WATCHDOG_PID=$! HAVEGED_WATCHDOG_PID=$!
echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid" echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid"
echo
echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID"
fi fi
@@ -1805,6 +1881,11 @@ run_wifi_ap_processes() {
fi fi
echo echo
echo "Starting hostapd" echo "Starting hostapd"
if which complain > /dev/null 2>&1; then
complain hostapd
fi
# hostapd '-P' works only when use '-B' (run in background) # hostapd '-P' works only when use '-B' (run in background)
$STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf" & $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf" &
HOSTAPD_PID=$! HOSTAPD_PID=$!
@@ -1814,20 +1895,20 @@ run_wifi_ap_processes() {
# sleep 1 # sleep 1
#done #done
#echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid
( while [ -e /proc/$HOSTAPD_PID ]; do sleep 10; done ; die "hostapd exited" ) & pid_watchdog $HOSTAPD_PID 10 "hostapd failed" &
sleep 3 sleep 3
} }
start_dnsmasq() { start_dnsmasq() {
echo
echo "Starting dnsmasq"
if which complain > /dev/null 2>&1; then if which complain > /dev/null 2>&1; then
# openSUSE's apparmor does not allow dnsmasq to read files. # openSUSE's apparmor does not allow dnsmasq to read files.
# remove restriction. # remove restriction.
complain dnsmasq complain dnsmasq
fi fi
echo
echo "Starting dnsmasq"
# Using '-d'(no daemon) dnsmasq will not turn into 'nobody' # Using '-d'(no daemon) dnsmasq will not turn into 'nobody'
# '-x' works only when no '-d' # '-x' works only when no '-d'
dnsmasq -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" & dnsmasq -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" &
@@ -1838,9 +1919,10 @@ start_dnsmasq() {
i=$((i + 1)) i=$((i + 1))
if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi
done done
echo -n "dnsmasq PID: " ; cat "$CONFDIR/dnsmasq.pid" DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )"
echo "dnsmasq PID: $DNSMASQ_PID"
######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child ######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child
( while [ -e "/proc/$DNSMASQ_PID" ]; do sleep 10; done ; die "dnsmasq exited" ) & pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" &
sleep 2 sleep 2
} }
@@ -1888,10 +1970,15 @@ daemonizing_check
## ===== Above don't echo anything if no warning or error==================== ## ===== Above don't echo anything if no warning or error====================
## ======================================================== ## ========================================================
phead
phead2
echo
echo "PID: $$" echo "PID: $$"
TARGET_IFACE="$(decide_target_interface)" # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE) TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
echo "Target interface is ${TARGET_IFACE}" echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE))"
# TODO: show interface type, device model and pci/usb id (hwdata pci.ids), current driver
if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then
NEW_MACADDR="$(generate_random_mac)" NEW_MACADDR="$(generate_random_mac)"
@@ -1907,6 +1994,7 @@ decide_ip_addresses # ip 4 & 6 lan addresses
#==== begin to do some change on config files and system=== #==== begin to do some change on config files and system===
init_trap init_trap
# NOTE function die() is designed not to be used before init_trap() executed
init_conf_dirs # CONFDIR , COMMON_CONFDIR . make dir init_conf_dirs # CONFDIR , COMMON_CONFDIR . make dir
@@ -1947,7 +2035,7 @@ ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down
# flush old IPs of subnet interface # flush old IPs of subnet interface
ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP" ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP"
dealwith_mac dealwith_mac # setting MAC should be after setting NM unmanaged
[[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
@@ -1967,6 +2055,8 @@ if [[ $IPV6 -eq 1 ]] ; then
ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address" ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
fi fi
check_iptables
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
@@ -1976,7 +2066,7 @@ if [[ "$SHARE_METHOD" == "none" ]]; then
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat
@@ -1998,7 +2088,7 @@ elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
fi fi
[[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS, this may cause privacy leak !!!\n" >&2 [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan