├── LICENSE
├── README.md
└── lnxrouter

/LICENSE:
--------------------------------------------------------------------------------
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) The modified work must itself be a software library.

b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Libraries

If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).

To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

    <one line to give the library's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

Also add information on how to contact you by electronic and paper mail.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary.
Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the
    library `Frob' (a library for tweaking knobs) written by James Random Hacker.

    <signature of Ty Coon>, 1 April 1990
    Ty Coon, President of Vice

That's all there is to it!
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Linux-router

Sets Linux up as a router in one command. It can provide Internet to an interface or create a WiFi hotspot, supports transparent proxying (redsocks), and is also useful for routing VMs/containers.

It wraps `iptables`, `dnsmasq` and similar tools. Start it with one command and restore the previous state with one command, with `control-c`, or even by closing the terminal window.

[Linux-Router News & Developer Notes 📰](https://github.com/garywill/linux-router/issues/28) | [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)

## Features

Basic features:

- Create a NATed sub-network
    - Provide Internet
    - DHCP server (and RA)
        - Specify what DNS the DHCP server assigns to clients
    - DNS server
        - Specify upstream DNS (kind of a plain DNS proxy)
    - IPv6 (behind NATed LAN, like IPv4)
- Creating WiFi hotspot:
    - Channel selecting
    - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
    - Create AP on the same interface you are getting Internet from (usually requires the same channel)
- Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets)
- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
- Detect firewalld and make sure it won't interfere with ours (by using the `trusted` zone)
- You can run many instances, to create many different networks. Has an instance management feature.

**For many other features, see below [CLI usage](#cli-usage-and-other-features)**

### Useful in these situations

```
Internet----(eth0/wlan0)-Linux-(wlanX)AP
                                  |--client
                                  |--client
```

```
                       Internet
WiFi AP(no DHCP)                      |
 |----(wlan1)-Linux-(eth0/wlan0)------
 |       (DHCP)
 |--client
 |--client
```

```
                       Internet
Switch                                |
 |---(eth1)-Linux-(eth0/wlan0)--------
 |--client
 |--client
```

```
Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
```

```
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
```

## Install

Linux-router is a single-file script, released on the [Linux-router repo on Github](https://github.com/garywill/linux-router). Just download and run the bash script (after meeting the dependencies); in this case it is used without installation.

I'm currently not packaging for any distro. If you do, open a PR and add the link (it can include a version badge) to the list here.

| Linux distro | |
| ------------ | ---------------------------------------------------------------------------------------------------------- |
| Any | download the [1-file-script](https://raw.githubusercontent.com/garywill/linux-router/master/lnxrouter) and run it without installation |

### Dependencies

- bash
- procps or procps-ng
- iproute2
- dnsmasq
- iptables (or nftables with `iptables-nft` translation linked)
- WiFi hotspot dependencies
    - hostapd
    - iw
    - iwconfig (you only need this if `iw` can not recognize your adapter)
    - haveged (optional)

## Usage

### Provide Internet to an interface

```bash
sudo lnxrouter -i eth1
```

no matter which interface (other than `eth1`) you're getting Internet from.
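To make the "NATed sub-network", "DNS server" and "Transparent DNS proxy" features concrete, here is an added example (not lnxrouter's own code) that renders, without applying anything, the `iptables` rules and the `dnsmasq` options such a setup amounts to for a given LAN interface. The interface name `lan0`, the subnet `192.168.55.0/24` and the upstream resolver are hypothetical arguments; the rule set restricts forwarding and the gateway's DHCP/DNS listeners to the LAN side, and the `bind-interfaces`/`interface=` pair keeps dnsmasq from answering on the uplink.

```shell
#!/bin/sh
# Added example: print (do not apply) the netfilter rules and dnsmasq options
# behind a NATed LAN with a local resolver and port-53 hijacking.
# All interface names, addresses and ports below are hypothetical arguments.

# nat_rules LAN_IF SUBNET_CIDR GATEWAY_IP  -> one iptables command per line
nat_rules() {
    lan_if=$1; subnet=$2; gw=$3
    # Masquerade LAN traffic leaving through any other interface.
    echo "iptables -t nat -A POSTROUTING -s $subnet ! -o $lan_if -j MASQUERADE"
    # Forward only LAN-originated flows and their replies (FORWARD policy stays DROP).
    echo "iptables -A FORWARD -i $lan_if -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -o $lan_if -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # DHCP and DNS to the gateway ($gw) are accepted from the LAN interface only.
    echo "iptables -A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -p tcp --dport 53 -j ACCEPT"
}

# dns_hijack_rules LAN_IF GATEWAY_IP DNS_PORT
# Redirect every port-53 packet arriving from the LAN to the local resolver,
# whatever destination the client configured (transparent DNS proxy).
dns_hijack_rules() {
    lan_if=$1; gw=$2; port=$3
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $gw:$port"
    done
}

# dnsmasq_conf LAN_IF GATEWAY_IP DHCP_START DHCP_END UPSTREAM_DNS -> dnsmasq.conf text
dnsmasq_conf() {
    lan_if=$1; gw=$2; start=$3; end=$4; upstream=$5
    cat <<EOF
interface=$lan_if
bind-interfaces
listen-address=$gw
no-resolv
server=$upstream
dhcp-range=$start,$end,12h
dhcp-option=option:router,$gw
dhcp-option=option:dns-server,$gw
EOF
}

# Stand-alone run: review the generated material for a constructed LAN.
nat_rules lan0 192.168.55.0/24 192.168.55.1
dns_hijack_rules lan0 192.168.55.1 53
dnsmasq_conf lan0 192.168.55.1 192.168.55.100 192.168.55.200 1.1.1.1
```

Reviewing output like this before running any router script is a cheap way to confirm that the resolver is not reachable from the uplink and that forwarding is scoped to the LAN subnet rather than opened globally.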
100 | 101 | ### Create WiFi hotspot 102 | 103 | ```bash 104 | sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase 105 | ``` 106 | 107 | no matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot. 108 | 109 | ### Provide an interface's Internet to another interface 110 | 111 | Clients access Internet through only `isp5` 112 | 113 |
114 | 115 | ```bash 116 | sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111] 117 | ``` 118 | 119 | > In this case of usage, it's recommended to: 120 | > 121 | > 1. Stop serving local DNS 122 | > 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example) 123 | 124 |
125 | 126 | ### Create LAN without providing Internet 127 | 128 |
129 | 130 | ```bash 131 | sudo lnxrouter -n -i eth1 132 | ``` 133 | 134 | ```bash 135 | sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase 136 | ``` 137 | 138 |
139 | 140 | ### Internet for LXC 141 | 142 |
143 | 144 | Create a bridge 145 | 146 | ```bash 147 | sudo brctl addbr lxcbr5 148 | ``` 149 | 150 | In LXC container `config` 151 | 152 | ``` 153 | lxc.network.type = veth 154 | lxc.network.flags = up 155 | lxc.network.link = lxcbr5 156 | lxc.network.hwaddr = xx:xx:xx:xx:xx:xx 157 | ``` 158 | 159 | ```bash 160 | sudo lnxrouter -i lxcbr5 161 | ``` 162 | 163 |
164 | 165 | ### Transparent proxy 166 | 167 | All clients' Internet traffic go through, for example, Tor (notice this example is NOT an anonymity use) 168 | 169 |
170 | 171 | ```bash 172 | sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7:: 173 | ``` 174 | 175 | In `torrc` 176 | 177 | ``` 178 | TransPort 192.168.55.1:9040 179 | DNSPort 192.168.55.1:9053 180 | TransPort [fd00:5:6:7::1]:9040 181 | DNSPort [fd00:5:6:7::1]:9053 182 | ``` 183 | 184 | > **Warn**: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network to LAN clients) will NOT ensure anonymity. 185 | > 186 | > Although we use Tor as example here, Linux-router does NOT ensure nor is NOT aiming at anonymity. 187 | 188 |
189 | 190 | ### Clients-in-sandbox network 191 | 192 | To not give our infomation to clients. Clients can still access Internet. 193 | 194 |
195 | 196 | ```bash 197 | sudo lnxrouter -i eth1 \ 198 | --tp 9040 --dns 9053 \ 199 | --random-mac \ 200 | --ban-priv \ 201 | --catch-dns --log-dns # optional 202 | ``` 203 | 204 |
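The sandbox recipe above relies on `--random-mac` so that clients never learn the host's real hardware address. As an added example (not part of linux-router), here is a small shell helper that classifies a MAC by the two flag bits of its first octet (0x01 = multicast, 0x02 = locally administered) and generates a random address the conventional way. Two caveats it encodes: randomized addresses are normally marked locally administered, whereas the script's own `generate_random_mac` (further down in `lnxrouter`) computes the first octet as `$RANDOM%256/4*4`, which clears both flag bits and so produces addresses that look like globally assigned OUI space; and bash's `$RANDOM` is a 15-bit PRNG, so this example draws bytes from `/dev/urandom` instead. The function names and the demo addresses are this example's own.

```shell
#!/bin/sh
# Added example, not part of linux-router. Classifies a MAC address by its
# first octet (I/G bit 0x01 = multicast, U/L bit 0x02 = locally administered)
# and generates a random unicast, locally administered address from
# /dev/urandom. Useful to sanity-check what --random-mac put on an interface.

# mac_classify <mac>: prints malformed | multicast | unicast-global | unicast-local
# exit status 0 only for unicast addresses
mac_classify() {
    local first
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' \
        || { echo malformed; return 1; }
    first=$(( 0x${1%%:*} ))          # first octet as an integer
    if [ $(( first & 1 )) -ne 0 ]; then
        echo multicast; return 1     # includes ff:ff:ff:ff:ff:ff (broadcast)
    elif [ $(( first & 2 )) -ne 0 ]; then
        echo unicast-local; return 0
    else
        echo unicast-global; return 0
    fi
}

# random_local_mac: 6 bytes from /dev/urandom, first octet forced to
# unicast (bit 0 cleared) and locally administered (bit 1 set)
random_local_mac() {
    local hex first rest
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(( (0x$(printf '%.2s' "$hex") & 0xfc) | 0x02 ))
    rest=${hex#??}
    printf '%02x%s\n' "$first" "$rest" | sed 's/../&:/g; s/:$//'
}

# demo (constructed sample addresses plus one freshly generated)
for m in 00:11:22:33:44:55 02:11:22:33:44:55 01:00:5e:00:00:01 not-a-mac "$(random_local_mac)"; do
    printf '%-18s %s\n' "$m" "$(mac_classify "$m")"
done
```

Run `mac_classify "$(cat /sys/class/net/eth1/address)"` after starting an instance with `--random-mac` to confirm the interface really carries a unicast address; whether you also want the locally administered bit set is a policy choice this helper makes visible rather than hides.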

> Linux-router comes with no warranty. Use at your own risk

### Use as transparent proxy for LXD

Create a bridge

```bash
sudo brctl addbr lxdbr5
```

Create and add a new LXD profile overriding the container's `eth0`

```bash
lxc profile create profile5
lxc profile edit profile5

### profile content ###
config: {}
description: ""
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr5
    type: nic
name: profile5

lxc profile add <container> profile5
```

```bash
sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053
```

To remove that new profile from the container

```bash
lxc profile remove <container> profile5
```

#### To not use profile

Add a new `eth0` to the container overriding the default `eth0`

```bash
lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5
```

To remove the customized `eth0` and restore the default `eth0`

```bash
lxc config device remove <container> eth0
```

### Use as transparent proxy for VirtualBox

In VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.

```bash
sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
```

### Use as transparent proxy for firejail

Create a bridge

```bash
sudo brctl addbr firejail5
```

```bash
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
```

Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign one explicitly.

nscd is the name-service cache daemon; it shouldn't be reachable from inside the jail here.

### CLI usage and other features

```
Usage: lnxrouter <options>

Options:
    -h, --help              Show this help
    --version               Print version number

    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an interface to provide Internet from.
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet
    --ban-priv              Disallow clients to access my private network

    -g <ip>                 This host's IPv4 address in subnet (mask is /24)
                            (example: '192.168.5.1' or '5' shortly)
    -6                      Enable IPv6 (NAT)
    --no4                   Disable IPv4 Internet (not forwarding IPv4).
                            Usually used with '-6'

    --p6 <prefix>           Set IPv6 LAN address prefix (length 64)
                            (example: 'fd00:0:0:5::' or '5' shortly)
                            Using this enables '-6'

    --dns <ip>|<ip:port>|<port>
                            DNS server's upstream DNS.
                            Use ',' to separate multiple servers
                            (default: use /etc/resolv.conf)
                            (Note IPv6 addresses need '[]' around)
    --no-dns                Do not serve DNS
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP)
                            whose destination port is 53 to this host
    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <ip>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
    --dhcp-dns6 <ip>|no
                            Set IPv6 DNS offered by DHCP (RA)
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
                            Using both above two will enable '--no-dns'
    --hostname <name>       DNS server associate this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
    -e <hosts_file>         DNS server will take into account additional
                            hosts file
    --dns-nocache           DNS server no cache

    --mac <MAC>             Set MAC address
    --random-mac            Use random MAC address

    --tp <port>             Transparent proxy,
                            redirect non-LAN TCP and UDP(not tested) traffic to
                            port. (usually used with '--dns')

WiFi hotspot options:
    --ap <wifi interface> <SSID>
                            Create WiFi access point
    -p, --password <passphrase>
                            WiFi password
    --qr                    Show WiFi QR code in terminal (need qrencode)

    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
                            Using this you can't use same wlan interface
                            for both Internet and AP
    --virt-name <name>      Set name of virtual interface
    -c <channel>            Specify channel (default: use current, or 1 / 36)
    --country <code>        Set two-letter country code for regulatory
                            (example: US)
    --freq-band <GHz>       Set frequency band: 2.4 or 5 (default: 2.4)
    --driver <driver>       Choose your WiFi adapter driver (default: nl80211)
    -w <WPA version>        '2' for WPA2, '1' for WPA, '1+2' for both
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
    --mac-filter            Enable WiFi hotspot MAC address filtering
    --mac-filter-accept <file>
                            Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
    --no-haveged            Do not run haveged automatically when needed
    --hs20                  Enable Hotspot 2.0

WiFi 4 (802.11n) configs:
    --wifi4                 Enable IEEE 802.11n (HT)
    --req-ht                Require station HT (High Throughput) mode
    --ht-capab <capab>      HT capabilities (default: [HT40+])

WiFi 5 (802.11ac) configs:
    --wifi5                 Enable IEEE 802.11ac (VHT)
    --req-vht               Require station VHT (Very High Throughput) mode
    --vht-capab <capab>     VHT capabilities

    --vht-ch-width <index>  Index of VHT channel width:
                                0 for 20MHz or 40MHz (default)
                                1 for 80MHz
                                2 for 160MHz
                                3 for 80+80MHz (Non-contiguous 160MHz)
    --vht-seg0-ch <channel> Channel index of VHT center frequency for primary
                            segment. Use with '--vht-ch-width'
    --vht-seg1-ch <channel> Channel index of VHT center frequency for secondary
                            (second 80MHz) segment. Use with '--vht-ch-width 3'

Instance managing:
    --daemon                Run in background
    -l, --list-running      Show running instances
    --lc, --list-clients <id>
                            List clients of an instance. Or list neighbors of
                            an interface, even if it isn't handled by us.
                            (passive mode)
    --stop <id>             Stop a running instance
                            For <id> you can use PID or subnet interface name.
                            You can get them with '--list-running'

Examples:
    lnxrouter -i eth1
    lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
    lnxrouter -i eth1 --tp <port> --dns <port>
```

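`--ban-priv` in the option list above is described only as "Disallow clients to access my private network". As an added example (not linux-router's code; the firewall rules it actually installs are not part of this excerpt), the decision behind that option is written here as a pure shell function over a dotted-quad destination, so the policy can be tested without touching iptables. It goes a little beyond RFC 1918: loopback, link-local and the CGNAT range are treated as "private" too, which is what a sandboxed client should also never reach. The range list, function names and sample destinations are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of linux-router: the classification behind
# '--ban-priv' as a pure function. Ranges treated as "my private network":
#   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16      (RFC 1918)
#   127.0.0.0/8 loopback, 169.254.0.0/16 link-local,
#   100.64.0.0/10 carrier-grade NAT (RFC 6598)

# ip4_to_int <dotted-quad>: prints the 32-bit value, exit 1 if malformed
ip4_to_int() {
    local oldifs o
    case "$1" in ''|.*|*.|*..*) return 1 ;; esac       # empty or stray dots
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|0[0-9]*) return 1 ;; esac  # non-digit, or octal-looking
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip-int> <net-int> <prefixlen>: exit 0 if ip lies inside net/prefixlen
in_cidr() {
    local mask
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $1 & mask )) -eq $(( $2 & mask )) ]
}

# is_private_ip4 <dotted-quad>: exit 0 = private/local (ban), 1 = public, 2 = malformed
is_private_ip4() {
    local ip net range
    ip=$(ip4_to_int "$1") || return 2
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
                 127.0.0.0/8 169.254.0.0/16 100.64.0.0/10; do
        net=$(ip4_to_int "${range%/*}")
        in_cidr "$ip" "$net" "${range#*/}" && return 0
    done
    return 1
}

# demo over constructed destinations: what a client behind '--ban-priv'
# should and should not be able to reach
for dst in 192.168.55.1 10.0.0.5 172.31.0.1 172.32.0.1 100.100.0.1 8.8.8.8 300.1.1.1; do
    rc=0; is_private_ip4 "$dst" || rc=$?
    case $rc in
        0) printf '%-14s private   -> banned\n'  "$dst" ;;
        1) printf '%-14s public    -> allowed\n' "$dst" ;;
        *) printf '%-14s malformed\n'            "$dst" ;;
    esac
done
```

The masking is done with 64-bit shell arithmetic (`0xffffffff << n`, then masked back to 32 bits), which every POSIX shell in current Linux distributions provides; octets with a leading zero are rejected on purpose, because `$(( 010 ))` is octal in many shells and silently accepting "010.0.0.1" would put the wrong address in a rule.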

## What changes are done to Linux system

On exit of a linux-router instance, the script **will do cleanup**, i.e. undo most changes to the system. However, **some** changes (if they were needed) will **not** be undone:

1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
2. dnsmasq in Apparmor complain mode
3. hostapd in Apparmor complain mode
4. Kernel module `nf_nat_pptp` loaded
5. The wifi device which is used to create the hotspot is `rfkill unblock`ed
6. WiFi country code, if the user assigns one

## Meet contributor(s) and become one of them

Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.

> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫码领红包并打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
>
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻

🤝 Besides, thanks to [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See the `history` branch for how I modified create_ap.) 🤝 Also thanks to those who contributed to that project.

👨‍💻 You can be a contributor, too!

- 🍃 There are some TO-DOs listed, in both the [readme TODO](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code)
- 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)
- 🙋‍♂️ Contributions are not limited to coding. There are [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer

## TODO
- WPA3
- Global IPv6

## License

linux-router is LGPL licensed

```
linux-router
Copyright (C) 2018 garywill

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
```

Upstream create_ap was BSD licensed

```
Copyright (c) 2013, oblique
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```


--------------------------------------------------------------------------------
/lnxrouter:
--------------------------------------------------------------------------------
#!/bin/bash

VERSION=0.7.6
PROGNAME="$(basename "$0")"

export LC_ALL=C

SCRIPT_UMASK=0122
umask $SCRIPT_UMASK

phead() {
    echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
}
phead2() {
    echo "Released under LGPL, with no warranty. Use on your own risk."
}
usage() {
    phead
    phead2
    cat << EOF

Usage: $PROGNAME <options>

Options:
    -h, --help              Show this help
    --version               Print version number

    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an interface to provide Internet from.
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet
    --ban-priv              Disallow clients to access my private network

    -g <ip>                 This host's IPv4 address in subnet (mask is /24)
                            (example: '192.168.5.1' or '5' shortly)
    -6                      Enable IPv6 (NAT)
    --no4                   Disable IPv4 Internet (not forwarding IPv4).
                            Usually used with '-6'

    --p6 <prefix>           Set IPv6 LAN address prefix (length 64)
                            (example: 'fd00:0:0:5::' or '5' shortly)
                            Using this enables '-6'

    --dns <ip>|<ip:port>|<port>
                            DNS server's upstream DNS.
                            Use ',' to separate multiple servers
                            (default: use /etc/resolv.conf)
                            (Note IPv6 addresses need '[]' around)
    --no-dns                Do not serve DNS
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP)
                            whose destination port is 53 to this host
    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <ip>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
    --dhcp-dns6 <ip>|no
                            Set IPv6 DNS offered by DHCP (RA)
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
                            Using both above two will enable '--no-dns'
    --hostname <name>       DNS server associate this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
    -e <hosts_file>         DNS server will take into account additional
                            hosts file
    --dns-nocache           DNS server no cache

    --mac <MAC>             Set MAC address
    --random-mac            Use random MAC address

    --tp <port>             Transparent proxy,
                            redirect non-LAN TCP and UDP(not tested) traffic to
                            port. (usually used with '--dns')

WiFi hotspot options:
    --ap <wifi interface> <SSID>
                            Create WiFi access point
    -p, --password <passphrase>
                            WiFi password
    --qr                    Show WiFi QR code in terminal (need qrencode)

    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
                            Using this you can't use same wlan interface
                            for both Internet and AP
    --virt-name <name>      Set name of virtual interface
    -c <channel>            Specify channel (default: use current, or 1 / 36)
    --country <code>        Set two-letter country code for regulatory
                            (example: US)
    --freq-band <GHz>       Set frequency band: 2.4 or 5 (default: 2.4)
    --driver <driver>       Choose your WiFi adapter driver (default: nl80211)
    -w <WPA version>        '2' for WPA2, '1' for WPA, '1+2' for both
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
    --mac-filter            Enable WiFi hotspot MAC address filtering
    --mac-filter-accept <file>
                            Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
    --no-haveged            Do not run haveged automatically when needed
    --hs20                  Enable Hotspot 2.0

WiFi 4 (802.11n) configs:
    --wifi4                 Enable IEEE 802.11n (HT)
    --req-ht                Require station HT (High Throughput) mode
    --ht-capab <capab>      HT capabilities (default: [HT40+])

WiFi 5 (802.11ac) configs:
    --wifi5                 Enable IEEE 802.11ac (VHT)
    --req-vht               Require station VHT (Very High Throughput) mode
    --vht-capab <capab>     VHT capabilities

    --vht-ch-width <index>  Index of VHT channel width:
                                0 for 20MHz or 40MHz (default)
                                1 for 80MHz
                                2 for 160MHz
                                3 for 80+80MHz (Non-contiguous 160MHz)
    --vht-seg0-ch <channel> Channel index of VHT center frequency for primary
                            segment. Use with '--vht-ch-width'
    --vht-seg1-ch <channel> Channel index of VHT center frequency for secondary
                            (second 80MHz) segment. Use with '--vht-ch-width 3'

Instance managing:
    --daemon                Run in background
    -l, --list-running      Show running instances
    --lc, --list-clients <id>
                            List clients of an instance. Or list neighbors of
                            an interface, even if it isn't handled by us.
                            (passive mode)
    --stop <id>             Stop a running instance
                            For <id> you can use PID or subnet interface name.
                            You can get them with '--list-running'

Examples:
    $PROGNAME -i eth1
    $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
    $PROGNAME -i eth1 --tp <port> --dns <port>
EOF
}

check_empty_option(){
    if [[ "$1" == "" ]]; then
        usage
        exit 0
    fi
}


define_global_variables(){
    # user options
    GATEWAY4=                 # IPv4 address for this host
    PREFIX6=                  # IPv6 LAN address prefix for this host
    IID6=1                    # IPv6 LAN ID for this host
    IPV6=0                    # enable ipv6
    NO4=0                     # no IPv4 Internet
    BANLAN=0                  # ban clients from accessing private addresses
    DHCP_DNS=gateway          # which ipv4 DNS the DHCP gives clients
    DHCP_DNS6=gateway         # which ipv6 DNS the DHCP gives clients
    dnsmasq_NO_DNS=0          # disable dns server
    NO_DNSMASQ=0              # disable dnsmasq (dns and dhcp)
    CATCH_DNS=0               # catch clients 53 port packets
    SHOW_DNS_QUERY=0          # log dns
    ETC_HOSTS=0
    ADDN_HOSTS=
    DNS_NOCACHE=
    CONN_IFACE=               # which interface user choose to use to create network
    INTERNET_IFACE=           # which interface to get Internet from
    THISHOSTNAME=             # this host's name the DNS tells clients
    TP_PORT=                  # transparent proxy port
    DNS=                      # upstream DNS
    MAC_USE_RANDOM=0
    NEW_MACADDR=
    DAEMONIZE=0

    # script variables
    SUBNET_IFACE=             # which interface to create network
    SHARE_METHOD=nat
    OLD_MACADDR=
    SUBNET_NET4=
    SUBNET_NET6=


    ##### wifi hotspot
    # user options
    HIDDEN=0                  # hidden wifi hotspot
    WIFI_IFACE=
    CHANNEL=default
    HOTSPOT20=0               # For enabling Hotspot 2.0
    WPA_VERSION=2
    MAC_FILTER=0
    MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
    IEEE80211N=0
    REQUIREHT=0
    IEEE80211AC=0
    REQUIREVHT=0
    HT_CAPAB='[HT40+]'
    VHT_CAPAB=
    VHTCHANNELWIDTH=0
    VHTSEG0CHINDEX=0
    VHTSEG1CHINDEX=0
    DRIVER=nl80211
    NO_VIRT=0                 # not use virtual interface
    COUNTRY=
    FREQ_BAND=2.4
    NO_HAVEGED=0
    HOSTAPD_DEBUG_ARGS=
    USE_PSK=0
    ISOLATE_CLIENTS=0
    QR=0                      # show wifi qr

    # script variables
    VWIFI_IFACE=              # virtual wifi interface name, if created
    VIRT_NAME=                # name to use for virtual interface if --virt-name is used
    AP_IFACE=                 # can be VWIFI_IFACE or WIFI_IFACE
    USE_IWCONFIG=0            # some device can't use iw
    #######

    #-- to deal with info of a running instance. then will exit
    LIST_RUNNING=0
    STOP_ID=
    LIST_CLIENTS_ID=

    # -- variables for running
    CONFDIR=
    IP_VERs=
    NM_UNM_LIST=              # it's called "list" but for now one interface
    NM_PID=
    FIREWALLD_PID=
    TMP_FIREWALLD_ZONE=
}

parse_user_options(){
    while [[ -n "$1" ]]; do
        case "$1" in
            -h|--help)
                usage
                exit 0
                ;;
            --version)
                echo "$VERSION"
                exit 0
                ;;
            -i)
                shift
                CONN_IFACE="$1"
                shift
                ;;
            -o)
                shift
                INTERNET_IFACE="$1"
                shift
                ;;
            -n)
                shift
                SHARE_METHOD=none
                ;;
            --ban-priv)
                shift
                BANLAN=1
                ;;
            --tp)
                shift
                TP_PORT="$1"
                SHARE_METHOD=redsocks
                shift
                ;;


            -g)
                shift
                GATEWAY4="$1"
                shift
                ;;
            -6)
                shift
                IPV6=1
                ;;
            --no4)
                shift
                NO4=1
                ;;
            --p6)
                shift
                PREFIX6="$1"
                IPV6=1
                shift
                ;;
            --mac)
                shift
                NEW_MACADDR="$1"
                shift
                ;;
            --random-mac)
                shift
                MAC_USE_RANDOM=1
                ;;

            --dns)
                shift
                DNS="$1"
                shift
                ;;
            --no-dns)
                shift
                dnsmasq_NO_DNS=1
                ;;
            --no-dnsmasq)
                shift
                NO_DNSMASQ=1
                ;;
            --dhcp-dns)
                shift
                DHCP_DNS="$1"
                shift
                ;;
            --dhcp-dns6)
                shift
                DHCP_DNS6="$1"
                shift
                ;;
            --catch-dns)
                shift
                CATCH_DNS=1
                ;;
            --log-dns)
                shift
                SHOW_DNS_QUERY=1
                ;;
            --hostname)
                shift
                THISHOSTNAME="$1"
                shift
                ;;
            -d)
                shift
                ETC_HOSTS=1
                ;;
            -e)
                shift
                ADDN_HOSTS="$1"
                shift
                ;;
            --dns-nocache)
                shift
                DNS_NOCACHE=1
                ;;

            --isolate-clients)
                shift
                ISOLATE_CLIENTS=1
                ;;

            --ap)
                shift
                WIFI_IFACE="$1"
                shift
                SSID="$1"
                shift
                ;;
            -p|--password)
                shift
                PASSPHRASE="$1"
                shift
                ;;
            --qr)
                shift
                QR=1
                ;;


            --hidden)
                shift
                HIDDEN=1
                ;;
            --mac-filter)
                shift
                MAC_FILTER=1
                ;;
            --mac-filter-accept)
                shift
                MAC_FILTER_ACCEPT="$1"
                shift
                ;;

            -c)
                shift
                CHANNEL="$1"
                shift
                ;;
            --hs20)
                shift
                HOTSPOT20=1
                ;;
            -w)
                shift
                WPA_VERSION="$1"
                [[ "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=1+2
                shift
                ;;

            --wifi4|--ieee80211n)
                shift
                IEEE80211N=1
                ;;
            --req-ht|--require-ht)
                shift
                REQUIREHT=1
                ;;
            --wifi5|--ieee80211ac)
                shift
                IEEE80211AC=1
                ;;
            --req-vht|--require-vht)
                shift
                REQUIREVHT=1
                ;;
            --ht-capab)
                shift
                HT_CAPAB="$1"
                shift
                ;;
            --vht-capab)
                shift
                VHT_CAPAB="$1"
                shift
                ;;
            --vht-ch-width|--vht-channel-width)
                shift
                VHTCHANNELWIDTH="$1"
                shift
                ;;
            --vht-seg0-ch|--vht-seg0-channel)
                shift
                VHTSEG0CHINDEX="$1"
                shift
                ;;
            --vht-seg1-ch|--vht-seg1-channel)
                shift
                VHTSEG1CHINDEX="$1"
                shift
                ;;
            --driver)
                shift
                DRIVER="$1"
                shift
                ;;
            --no-virt)
                shift
                NO_VIRT=1
                ;;
            --virt-name)
                shift
                VIRT_NAME="$1"
                shift
                ;;

            --country)
                shift
                COUNTRY="$1"
                shift
                ;;
            --freq-band)
                shift
                FREQ_BAND="$1"
                shift
                ;;
            --no-haveged)
                shift
                NO_HAVEGED=1
                ;;
            --hostapd-debug)
                shift
                if [ "$1" = "1" ]; then
                    HOSTAPD_DEBUG_ARGS="-d"
                elif [ "$1" = "2" ]; then
                    HOSTAPD_DEBUG_ARGS="-dd"
                else
                    printf "Error: argument for --hostapd-debug expected 1 or 2, got %s\n" "$1"
                    exit 1
                fi
                shift
                ;;
            --psk)
                shift
                USE_PSK=1
                ;;

            --daemon)
                shift
                DAEMONIZE=1
                ;;
            --stop)
                shift
                STOP_ID="$1"
                shift
                ;;
            -l|--list-running)
                shift
                LIST_RUNNING=1
                ;;
            --lc|--list-clients)
                shift
                LIST_CLIENTS_ID="$1"
                shift
                ;;

            *)
                echo "Invalid parameter: $1" 1>&2
                exit 1
                ;;
        esac
    done
}


# separate ip and port
sep_ip_port() {
    # usage: sep_ip_port <input> <ip_var_name> <port_var_name>
    # input can be:
    #   port         (ip is 127.0.0.1)
    #   ipv4
    #   [ipv6]
    #   ipv4:port
    #   [ipv6]:port
    local IP
    local PORT
    local INPUT
    INPUT="$1"
    if (echo "$INPUT" | grep '\.' >/dev/null 2>&1) ;then
        if (echo "$INPUT" | grep ':' >/dev/null 2>&1) ;then
            # ipv4 + port
            IP="$(echo "$INPUT" | cut -d: -f1)"
            PORT="$(echo "$INPUT" | cut -d: -f2)"
        else
            # ipv4
            IP="$INPUT"
        fi
    elif (echo "$INPUT" | grep '\]' >/dev/null 2>&1) ;then
        if (echo "$INPUT" | grep '\]\:' >/dev/null 2>&1) ;then
            # ipv6 + port
            IP="$(echo "$INPUT" | cut -d']' -f1 | cut -d'[' -f2)"
            PORT="$(echo "$INPUT" | cut -d']' -f2 |cut -d: -f2)"
        else
            # ipv6
            IP="$(echo "$INPUT" | cut -d']' -f1 | cut -d'[' -f2)"
        fi
    else
        # port
        IP='127.0.0.1'
        PORT="$INPUT"
    fi
    printf -v "$2" %s "$IP"
    printf -v "$3" %s "$PORT"
}

#=========================
is_interface() {
    [[ -z "$1" ]] && return 1
    [[ -d "/sys/class/net/${1}" ]]
}

is_vface_name_allocated(){
    is_interface "$1" || [[ -f "$COMMON_CONFDIR/vfaces/${1}" ]]
}

get_interface_phy_device() { # only for wifi interface
    local x
    for x in /sys/class/ieee80211/*; do
        [[ ! -e "$x" ]] && continue
        if [[ "${x##*/}" = "$1" ]]; then
            echo "$1"
            return 0
        elif [[ -e "$x/device/net/$1" ]]; then
            echo "${x##*/}"
            return 0
        elif [[ -e "$x/device/net:$1" ]]; then
            echo "${x##*/}"
            return 0
        fi
    done
    echo "Failed to get phy interface" >&2
    return 1
}

get_adapter_info() { # only for wifi interface
    local iPHY
    iPHY=$(get_interface_phy_device "$1")
    [[ $? -ne 0 ]] && return 1
    iw phy "$iPHY" info
}

get_adapter_kernel_module() {
    local MODULE
    MODULE=$(readlink -f "/sys/class/net/$1/device/driver/module")
    echo "${MODULE##*/}"
}

can_be_sta_and_ap() {
    # iwconfig does not provide this information, assume false
    [[ $USE_IWCONFIG -eq 1 ]] && return 1
    if [[ "$(get_adapter_kernel_module "$1")" == "brcmfmac" ]]; then
        echo "WARN: brcmfmac driver doesn't work properly with virtual interfaces and" >&2
        echo "      it can cause kernel panic. For this reason we disallow virtual" >&2
        echo "      interfaces for your adapter." >&2
        echo "      For more info: https://github.com/oblique/create_ap/issues/203" >&2
        return 1
    fi
    get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0
    get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0
    return 1
}

can_be_ap() {
    # iwconfig does not provide this information, assume true
    [[ $USE_IWCONFIG -eq 1 ]] && return 0
    get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0
    return 1
}

can_transmit_to_channel() {
    local IFACE CHANNEL_NUM CHANNEL_INFO
    IFACE=$1
    CHANNEL_NUM=$2

    if [[ $USE_IWCONFIG -eq 0 ]]; then
        CHANNEL_INFO=$(get_adapter_info "${IFACE}" | grep -E " [0-9]+(\.[0-9]+){0,1} MHz \[${CHANNEL_NUM}\]")
        [[ -z "${CHANNEL_INFO}" ]] && return 1
        [[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1
        [[ "${CHANNEL_INFO}" == *disabled* ]] && return 1
        return 0
    else
        CHANNEL_NUM=$(printf '%02d' ${CHANNEL_NUM})
        CHANNEL_INFO=$(iwlist "${IFACE}" channel | grep -E "Channel[[:blank:]]${CHANNEL_NUM}[[:blank:]]?:")
        [[ -z "${CHANNEL_INFO}" ]] && return 1
        return 0
    fi
}

# taken from iw/util.c
ieee80211_frequency_to_channel() {
    local FREQ=$1
    if [[ $FREQ -eq 2484 ]]; then
        echo 14
    elif [[ $FREQ -lt 2484 ]]; then
        echo $(( ($FREQ - 2407) / 5 ))
    elif [[ $FREQ -ge 4910 && $FREQ -le 4980 ]]; then
        echo $(( ($FREQ - 4000) / 5 ))
    elif [[ $FREQ -le 45000 ]]; then
        echo $(( ($FREQ - 5000) / 5 ))
    elif [[ $FREQ -ge 58320 && $FREQ -le 64800 ]]; then
        echo $(( ($FREQ - 56160) / 2160 ))
    else
        echo 0
    fi
}


is_interface_wifi_connected() {
    if [[ $USE_IWCONFIG -eq 0 ]]; then
        iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0
    else
        iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0
    fi
    return 1
}


is_unicast_macaddr() {
    local x
    x=$(echo "$1" | cut -d: -f1)
    x=$(printf '%d' "0x${x}")
    [[ $(expr $x % 2) -eq 0 ]]
}

get_interface_mac() {
    is_interface "$1" || return
    cat "/sys/class/net/${1}/address"
}

show_interface_pci_info() { # pci id / model / virtual
    is_interface "$1" || return

    local device_path
    local bus_id=""
    local device_type_and_bus_id="unknown"
    local driver=""
    local device_fullname=""

    device_path="$(readlink -f /sys/class/net/$1)"

    if [[ "$device_path" == "/sys/devices/pci"* ]]; then
        local pci_path

        pci_path=$device_path/../..

        if [[ -d "$pci_path/driver" ]] ; then
            driver=$(readlink -f "$pci_path/driver" | sed 's/\//\n/g' | tail -n 1)
        fi

        bus_id="$(echo "$device_path" | sed 's/\//\n/g' | tail -n 3 |sed -n 1p)"
        device_type_and_bus_id="PCI: $bus_id"

        if which lspci >/dev/null 2>&1 ; then
            device_fullname="$( lspci -D -nn -s "$bus_id" | awk '{$1="" ; print $0}' )"
        fi

    elif [[ "$device_path" == *"/virtual/"* ]]; then
        device_type_and_bus_id="virtual interface"
    fi

    echo "$device_type_and_bus_id"
    [[ -n "$driver" ]] && echo "System-already-loaded driver: $driver"
    [[ -n "$device_fullname" ]] && echo "$device_fullname"
    echo ""
    # TODO usb
}

alloc_new_vface_name() { # only for wifi
    local i=0
    local v_iface_name="$VIRT_NAME"
    if [[ -z $VIRT_NAME ]]; then
        while :; do
            v_iface_name="x$i${WIFI_IFACE}"
            i=$((i + 1))
            is_vface_name_allocated "${v_iface_name}" || break
        done
    fi
    mkdir -p "$COMMON_CONFDIR/vfaces"
    touch "$COMMON_CONFDIR/vfaces/${v_iface_name}"
    echo "${v_iface_name}"
}

dealloc_vface_name() {
    rm -f "$COMMON_CONFDIR/vfaces/$1"
}

#======

get_all_mac_in_system() {
    cat /sys/class/net/*/address
}

get_new_macaddr_according_to_existing() {
    local REALDEV OLDMAC NEWMAC LAST_BYTE i
    REALDEV=$1
    OLDMAC=$(get_interface_mac "$REALDEV")
    NEWMAC=""
    LAST_BYTE=$(printf %d 0x${OLDMAC##*:})
    for i in {10..240}; do
        NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))"
        (get_all_mac_in_system | grep "$NEWMAC" > /dev/null 2>&1) || break
    done
    echo "$NEWMAC"
}

generate_random_mac() {
    local r1 r2 r3 r4 r5 r6
    local RAND_MAC
    while :; do
        r1=$( printf "%02x" $(($RANDOM%256/4*4)) )
        r2=$( printf "%02x" $(($RANDOM%256)) )
        r3=$( printf "%02x" $(($RANDOM%256)) )
        r4=$( printf "%02x" $(($RANDOM%256)) )
        r5=$( printf "%02x" $(($RANDOM%256)) )
        r6=$( printf "%02x" $(($RANDOM%256)) )
        RAND_MAC="$r1:$r2:$r3:$r4:$r5:$r6"
        ( ! ip link | grep "link" | grep "$RAND_MAC" > /dev/null 2>&1 ) && \
        ( ! ip maddress | grep "link" | grep "$RAND_MAC" > /dev/null 2>&1 ) && \
        ( ! ip neigh | grep "lladdr $RAND_MAC" > /dev/null 2>&1 ) && \
        ( ! get_all_mac_in_system | grep "$RAND_MAC" ) && \
        break
    done
    echo "$RAND_MAC"
}


is_ip4_lan_range_available() { # checks 192.168.x.x
    ( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1
    ( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1
    ( ip -4 route get 192.168.$1.0 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \
    ( ip -4 route get 192.168.$1.255 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && return 0
    return 1
}
is_ip6_lan_range_available() { # checks fdxx::
    ( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
    ( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
    ( ip -6 route get fd$1:$2$3:$4$5:$6$7:: 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \
    ( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && return 0
    return 1
}

generate_random_ip4() {
    local random_ip4
    while :; do
        random_ip4=$(($RANDOM%256))
        is_ip4_lan_range_available $random_ip4 && break
    done
    echo "192.168.$random_ip4.1"
}
generate_random_lan_ip6_prefix() {
    local r1 r2 r3 r4 r5 r6 r7
    while :; do
        r1=$( printf "%x" $(($RANDOM%240+16)) )
        r2=$( printf "%x" $(($RANDOM%240+16)) )
        r3=$( printf "%x" $(($RANDOM%240+16)) )
        r4=$( printf "%x" $(($RANDOM%240+16)) )
        r5=$( printf "%x" $(($RANDOM%240+16)) )
        r6=$( printf "%x" $(($RANDOM%240+16)) )
        r7=$( printf "%x" $(($RANDOM%240+16)) )
        is_ip6_lan_range_available "$r1" "$r2" "$r3" "$r4" "$r5" "$r6" "$r7" && break
    done
    echo "fd$r1:$r2$r3:$r4$r5:$r6$r7::"
}



# start haveged when needed
haveged_watchdog() {
    local show_warn=1
    while :; do
        if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
            if ! which haveged > /dev/null 2>&1; then
                if [[ $show_warn -eq 1 ]]; then
                    echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2
                    show_warn=0
                fi
            elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ?
                echo "Low entropy detected, starting haveged" 1>&2
                # boost low-entropy
                haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
            fi
        fi
        sleep 2
    done
}
pid_watchdog() {
    local PID="$1"
    local SLEEP="$2"
    local ERR_MSG="$3"
    local ST
    while true
    do
        if [[ -e "/proc/$PID" ]]; then
            ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')"
            if [[ "$ST" != 'Z' ]]; then
                sleep "$SLEEP"
                continue
            fi
        fi
        die "$ERR_MSG"
    done

}
#========
get_pid_by_dbus_name() {
    local DBUS_NAME="$1"
    local pid r

    which dbus-send >/dev/null 2>&1 || return 1

    pid="$( dbus-send --system --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID string:$DBUS_NAME 2>/dev/null | grep " uint32 " | awk '{print $2}' )"
    r=$?

    echo "$pid"
    return $r
}
is_same_netns() {
    local pid2="$1"
    [[ ! -f /proc/$$/ns/net ]] && return 0 # no netns feature.
treat as same 874 | [[ "$(readlink /proc/$$/ns/net)" == "$(readlink /proc/$pid2/ns/net)" ]] && return 0 875 | return 1 876 | } 877 | #----------------- 878 | # only support NetworkManager >= 0.9.9 879 | is_nm_running() { 880 | NM_PID="$(get_pid_by_dbus_name "org.freedesktop.NetworkManager")" 881 | 882 | [[ ! -n "$NM_PID" ]] && return 1 # not running 883 | 884 | if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then 885 | if is_same_netns "$NM_PID"; then 886 | return 0 887 | fi 888 | fi 889 | 890 | NM_PID= # cancel value if treat as not running 891 | return 1 # not running 892 | } 893 | 894 | nm_knows() { 895 | (nmcli dev show "$1" | grep -E "^GENERAL.STATE:" >/dev/null 2>&1 ) && return 0 # nm sees 896 | return 1 # nm doesn't see this interface 897 | } 898 | nm_get_manage() { # get an interface's managed state 899 | local s 900 | s=$(nmcli dev show "$1" | grep -E "^GENERAL.STATE:") || return 2 # no such interface 901 | (echo "$s" | grep "unmanaged" >/dev/null 2>&1) && return 1 # unmanaged 902 | return 0 # managed 903 | } 904 | nm_set_unmanaged() { 905 | while ! nm_knows "$1" ; do # wait for virtual wifi interface seen by NM 906 | sleep 0.5 907 | done 908 | if nm_get_manage "$1" ;then 909 | echo "Set $1 unmanaged by NetworkManager" 910 | nmcli dev set "$1" managed no || die "Failed to set $1 unmanaged by NetworkManager" 911 | NM_UNM_LIST=$1 912 | sleep 1 913 | fi 914 | } 915 | 916 | nm_set_managed() { 917 | nmcli dev set "$1" managed yes 918 | NM_UNM_LIST= 919 | } 920 | nm_restore_manage() { 921 | if [[ $NM_UNM_LIST ]]; then 922 | echo "Restore $NM_UNM_LIST managed by NetworkManager" 923 | nm_set_managed "$NM_UNM_LIST" 924 | sleep 0.5 925 | fi 926 | } 927 | #------- 928 | is_firewalld_running() { 929 | FIREWALLD_PID="$(get_pid_by_dbus_name "org.fedoraproject.FirewallD1")" 930 | 931 | [[ ! 
-n "$FIREWALLD_PID" ]] && return 1 # not running 932 | 933 | if (which firewall-cmd >/dev/null 2>&1 ) && [[ "$(firewall-cmd --state 2>&1)" == "running" ]] ; then 934 | if is_same_netns "$FIREWALLD_PID"; then 935 | echo "firewalld is running ($(firewall-cmd --version))" 936 | return 0 937 | fi 938 | fi 939 | 940 | FIREWALLD_PID= # cancel value if treat as not running 941 | return 1 # not running 942 | } 943 | firewalld_add_tmpzone() { 944 | # TMP_FIREWALLD_ZONE="lrt${$}${SUBNET_IFACE}" 945 | TMP_FIREWALLD_ZONE="trusted" 946 | # firewall-cmd --new-zone=$TMP_FIREWALLD_ZONE || die "Failed creating temporary firewalld zone" 947 | echo "Adding $SUBNET_IFACE to firewalld '$TMP_FIREWALLD_ZONE' zone" 948 | firewall-cmd --zone=$TMP_FIREWALLD_ZONE --add-interface=$SUBNET_IFACE >/dev/null || die "Failed adding interface to firewalld temporary zone" 949 | } 950 | firewalld_del_tmpzone() { 951 | if [[ -n "$TMP_FIREWALLD_ZONE" ]];then 952 | echo "Removing $SUBNET_IFACE from firewalld '$TMP_FIREWALLD_ZONE' zone" 953 | firewall-cmd --zone=$TMP_FIREWALLD_ZONE --remove-interface=$SUBNET_IFACE >/dev/null 954 | # firewall-cmd --delete-zone=$TMP_FIREWALLD_ZONE 955 | fi 956 | } 957 | 958 | #========= 959 | CUSTOM_CHAINS_4_filter= 960 | CUSTOM_CHAINS_4_nat= 961 | CUSTOM_CHAINS_6_filter= 962 | CUSTOM_CHAINS_6_nat= 963 | iptb() 964 | { 965 | local FoS=$1 # 4 | 6 966 | shift 967 | local Vis=$1 # 'v' | 'n' 968 | shift 969 | local T=$1 # table 970 | shift 971 | local ACT=$1 # action: I | A | N . 
On undo: I or A -> D , N -> F+X 972 | shift 973 | local CH=$1 # chain 974 | shift 975 | 976 | [[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return 977 | 978 | local CMD_HEAD="" 979 | local MOUTH="" 980 | local NECK="" 981 | local HAND_UN_NC=0 982 | local TAIL="" 983 | 984 | local FULL="" 985 | local ADD_TO_UNDO=1 986 | 987 | local arr_name w 988 | 989 | for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat 990 | do 991 | local arr_content 992 | eval arr_content=\"\${$arr_name}\" 993 | #echo $arr_content 994 | 995 | for w in $arr_content 996 | do 997 | if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then 998 | ADD_TO_UNDO=0 999 | fi 1000 | done 1001 | done 1002 | 1003 | 1004 | [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w " 1005 | [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w " 1006 | 1007 | [[ "$Vis" == 'v' ]] && MOUTH="-v" 1008 | 1009 | NECK="-t ${T}" 1010 | 1011 | if [[ "$ACT" == "N" ]]; then 1012 | eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\" 1013 | HAND_UN_NC=1 1014 | fi 1015 | 1016 | 1017 | 1018 | [[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}" 1019 | 1020 | if [[ "$ADD_TO_UNDO" -eq 1 ]]; then 1021 | if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then 1022 | echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh 1023 | fi 1024 | 1025 | if [[ "$HAND_UN_NC" -eq 1 ]]; then 1026 | echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh 1027 | echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh 1028 | fi 1029 | fi 1030 | 1031 | 1032 | 1033 | 1034 | FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL" 1035 | #echo $FULL 1036 | $FULL 1037 | return $? 1038 | } 1039 | 1040 | disable_unwanted_forwarding() { 1041 | for iv in "${IP_VERs[@]}"; do 1042 | if [[ "$INTERNET_IFACE" ]]; then 1043 | iptb "$iv" n filter I FORWARD \ 1044 | -i "$SUBNET_IFACE" ! 
-o "$INTERNET_IFACE" \ 1045 | -j REJECT || die 1046 | iptb "$iv" n filter I FORWARD \ 1047 | ! -i "$INTERNET_IFACE" -o "$SUBNET_IFACE" \ 1048 | -j REJECT || die 1049 | fi 1050 | 1051 | if [[ "$SHARE_METHOD" == 'redsocks' || "$SHARE_METHOD" == 'none' \ 1052 | || ( "$iv" -eq "4" && "$NO4" -eq 1 ) ]];then 1053 | iptb "$iv" n filter I FORWARD -i "$SUBNET_IFACE" -j REJECT || die 1054 | iptb "$iv" n filter I FORWARD -o "$SUBNET_IFACE" -j REJECT || die 1055 | fi 1056 | done 1057 | 1058 | } 1059 | start_nat() { 1060 | local SUBNET_NET 1061 | 1062 | local iv 1063 | 1064 | echo 1065 | echo "iptables: NAT " 1066 | 1067 | for iv in "${IP_VERs[@]}"; do 1068 | [[ "$iv" -eq "4" && ! $NO4 -eq 0 ]] && continue 1069 | 1070 | [[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4" 1071 | [[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6" 1072 | 1073 | if [[ -n "$INTERNET_IFACE" ]]; then # only one Internet interface 1074 | # masquerade subnet -> internet 1075 | iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \ 1076 | -o "$INTERNET_IFACE" \ 1077 | -j MASQUERADE || die 1078 | 1079 | # forward subnet -> internet 1080 | iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \ 1081 | -o $INTERNET_IFACE \ 1082 | -j ACCEPT || die 1083 | 1084 | # forward any -> subnet 1085 | iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \ 1086 | -i "$INTERNET_IFACE" \ 1087 | -j ACCEPT || die 1088 | else # any interface can be Internet 1089 | # masquerade subnet -> any(!subnet) 1090 | iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \ 1091 | ! 
-o "$SUBNET_IFACE" \ 1092 | -j MASQUERADE || die 1093 | 1094 | # forward subnet -> any 1095 | iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \ 1096 | -j ACCEPT || die 1097 | 1098 | # forward any -> subnet 1099 | iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \ 1100 | -j ACCEPT || die 1101 | fi 1102 | done 1103 | } 1104 | 1105 | start_ban_lan() { 1106 | local arr_nets_to_protect 1107 | local ICMP_NAME 1108 | local iv s 1109 | 1110 | echo 1111 | echo "iptables: Disallow clients to access LAN" 1112 | 1113 | for iv in "${IP_VERs[@]}"; do 1114 | # ban forwarding for subnet 1115 | iptb "$iv" n filter N lrt${$}${SUBNET_IFACE}-BLF || die 1116 | # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP 1117 | if [[ "$iv" -eq "4" ]]; then 1118 | arr_nets_to_protect=("0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "255.255.255.255") 1119 | ICMP_NAME="icmp" 1120 | elif [[ "$iv" -eq "6" ]]; then 1121 | arr_nets_to_protect=("fc00::/7" "fe80::/10" "ff00::/8" "::1" "::/128" "::ffff:0:0/96" "::ffff:0:0:0/96") 1122 | ICMP_NAME="icmpv6" 1123 | fi 1124 | for s in "${arr_nets_to_protect[@]}"; do 1125 | iptb "$iv" v filter I lrt${$}${SUBNET_IFACE}-BLF -d "$s" -j REJECT || die 1126 | done 1127 | iptb "$iv" n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die 1128 | 1129 | # ban input from subnet 1130 | iptb "$iv" n filter N lrt${$}${SUBNET_IFACE}-BLI || die 1131 | iptb "$iv" v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p "$ICMP_NAME" -j REJECT || die # ipv6 need icmp to function. 
TODO: maybe we can block some unneeded icmp to improve security 1132 | iptb "$iv" n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die 1133 | done 1134 | 1135 | } 1136 | 1137 | allow_dns_port() { 1138 | local SUBNET_NET 1139 | local GATEWAY 1140 | local PROTs 1141 | local iv pt 1142 | 1143 | 1144 | echo 1145 | echo "iptables: allow DNS" 1146 | 1147 | for iv in "${IP_VERs[@]}"; do 1148 | [[ "$iv" -eq "4" ]] && GATEWAY="$GATEWAY4" 1149 | [[ "$iv" -eq "6" ]] && GATEWAY="$GATEWAY6" 1150 | 1151 | [[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4" 1152 | [[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6" 1153 | 1154 | 1155 | PROTs=("tcp" "udp") 1156 | for pt in "${PROTs[@]}"; do 1157 | iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -d "$GATEWAY" -p "$pt" -m "$pt" --dport 53 -j ACCEPT || die 1158 | done 1159 | done 1160 | } 1161 | 1162 | 1163 | start_catch_dns() { 1164 | local GATEWAY 1165 | local PROTs 1166 | local iv pt 1167 | 1168 | echo 1169 | echo "iptables: redirect DNS queries to this host" 1170 | 1171 | for iv in "${IP_VERs[@]}"; do 1172 | [[ "$iv" -eq "4" ]] && GATEWAY="$GATEWAY4" 1173 | [[ "$iv" -eq "6" ]] && GATEWAY="$GATEWAY6" 1174 | 1175 | PROTs=("tcp" "udp") 1176 | for pt in "${PROTs[@]}"; do 1177 | iptb "$iv" v nat I PREROUTING -i "$SUBNET_IFACE" ! 
-d "$GATEWAY" -p "$pt" -m "$pt" --dport 53 -j REDIRECT --to-ports 53 || die 1178 | done 1179 | done 1180 | } 1181 | 1182 | 1183 | allow_dhcp() { 1184 | echo 1185 | echo "iptables: allow dhcp" 1186 | 1187 | iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die 1188 | iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die 1189 | } 1190 | 1191 | # TODO: use 'DNAT' instead of '--to-ports' to support other IP 1192 | start_redsocks() { 1193 | local SUBNET_NET 1194 | local arr_nets_to_ignore 1195 | local s iv 1196 | 1197 | echo 1198 | echo "iptables: transparent proxy non-LAN TCP and UDP(not tested) traffic to port ${TP_PORT}" 1199 | 1200 | for iv in "${IP_VERs[@]}"; do 1201 | [[ "$iv" -eq "4" && ! $NO4 -eq 0 ]] && continue 1202 | 1203 | [[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4" 1204 | [[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6" 1205 | 1206 | 1207 | iptb "$iv" n nat N lrt${$}${SUBNET_IFACE}-TP || die 1208 | 1209 | if [[ "$iv" -eq "4" ]]; then 1210 | arr_nets_to_ignore=("0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "255.255.255.255") 1211 | elif [[ "$iv" -eq "6" ]];then 1212 | arr_nets_to_ignore=("fc00::/7" "fe80::/10" "ff00::/8" "::1" "::") 1213 | fi 1214 | 1215 | for s in "${arr_nets_to_ignore[@]}"; do 1216 | iptb "$iv" n nat A lrt${$}${SUBNET_IFACE}-TP -d "$s" -j RETURN || die 1217 | done 1218 | 1219 | iptb "$iv" v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die 1220 | iptb "$iv" v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die 1221 | 1222 | iptb "$iv" v nat I PREROUTING -i "$SUBNET_IFACE" -s "$SUBNET_NET" -j lrt${$}${SUBNET_IFACE}-TP || die 1223 | 1224 | 1225 | iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die 1226 | iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -p udp -m udp 
--dport ${TP_PORT} -j ACCEPT || die 1227 | done 1228 | } 1229 | 1230 | #--------------------------------------- 1231 | backup_ipv6_bits() { 1232 | mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status" 1233 | cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" \ 1234 | "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" \ 1235 | "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" \ 1236 | "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" \ 1237 | "$CONFDIR/sys_6_conf_iface/" || die "Failed backing up interface ipv6 bits" 1238 | 1239 | if [[ "$SHARE_METHOD" == 'redsocks' ]] ; then 1240 | cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" \ 1241 | "$CONFDIR/sys_6_conf_iface/" || die "Failed backking up interface ipv6 bits" 1242 | fi 1243 | } 1244 | set_ipv6_bits() { 1245 | if [[ $IPV6 -eq 1 ]]; then 1246 | echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" 1247 | echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" 1248 | echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" 1249 | echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" 1250 | else 1251 | echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" 1252 | fi 1253 | } 1254 | restore_ipv6_bits() { 1255 | if [[ -d "$CONFDIR/sys_6_conf_iface" ]]; then 1256 | cp -f "$CONFDIR/sys_6_conf_iface/*" "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/" 1257 | fi 1258 | } 1259 | 1260 | set_interface_mac() { 1261 | local INTERFACE 1262 | local MAC 1263 | 1264 | INTERFACE=$1 1265 | MAC=$2 1266 | 1267 | ip link set dev "${INTERFACE}" address "${MAC}" 1268 | } 1269 | 1270 | backup_interface_status() { 1271 | # virtual wifi interface will be destroyed, so no need to save status 1272 | 1273 | # backup interface up or down status 1274 | (ip link show "${SUBNET_IFACE}" |grep -q "state UP") && SUBNET_IFACE_ORIGINAL_UP_STATUS=1 1275 | 1276 | # save interface old mac 1277 | #if [[ -n "$NEW_MACADDR" ]]; then 1278 | OLD_MACADDR=$(get_interface_mac 
"$SUBNET_IFACE") 1279 | #echo "Saved ${SUBNET_IFACE} old MAC address ${OLD_MACADDR} into RAM" 1280 | #fi 1281 | 1282 | backup_ipv6_bits 1283 | 1284 | # TODO : ? backup ip and others??? 1285 | 1286 | # nm managing status is saved when nm_set_unmanaged() 1287 | } 1288 | restore_interface_status() { 1289 | # virtual wifi interface will be destroyed, so no need to restore status 1290 | # don't use [[ $VWIFI_IFACE ]] to judge, if creating virtual wifi failed, VWIFI_IFACE is empty 1291 | [[ "$WIFI_IFACE" && "$NO_VIRT" -eq 0 ]] && return 1292 | 1293 | restore_ipv6_bits 1294 | 1295 | if [[ -n "$OLD_MACADDR" && "$(get_interface_mac "$SUBNET_IFACE")" != "$OLD_MACADDR" ]] ; then 1296 | echo "Restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR} ..." 1297 | set_interface_mac "${SUBNET_IFACE}" "${OLD_MACADDR}" || echo "Failed restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR}" >&2 1298 | fi 1299 | 1300 | nm_restore_manage 1301 | 1302 | [[ $SUBNET_IFACE_ORIGINAL_UP_STATUS -eq 1 ]] && ip link set up dev "${SUBNET_IFACE}" && echo "Restore ${SUBNET_IFACE} to link up" 1303 | } 1304 | #--------------------------------------- 1305 | 1306 | kill_processes() { # for this instance 1307 | #echo "Killing processes" 1308 | local x pid 1309 | for x in $CONFDIR/*.pid; do 1310 | # even if the $CONFDIR is empty, the for loop will assign 1311 | # a value in $x. so we need to check if the value is a file 1312 | if [[ -f $x ]] && sleep 0.3 && [[ -f $x ]]; then 1313 | pid=$(cat "$x") 1314 | pn=$( ps -p "$pid" -o comm= ) 1315 | #echo "Killing $pid $pn ... 
" 1316 | pkill -P "$pid" 1317 | kill "$pid" 2>/dev/null && ( echo "Killed $(basename "$x") $pid $pn" && rm "$x" ) || echo "Failed to kill $(basename "$x") $pid $pn, it may have exited" 1318 | fi 1319 | done 1320 | } 1321 | 1322 | _cleanup() { 1323 | local x 1324 | 1325 | ip addr flush "${SUBNET_IFACE}" 1326 | 1327 | rm -rf "$CONFDIR" 1328 | 1329 | ip link set down dev "${SUBNET_IFACE}" 1330 | 1331 | firewalld_del_tmpzone 1332 | 1333 | if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed 1334 | iw dev "${VWIFI_IFACE}" del 1335 | dealloc_vface_name "$VWIFI_IFACE" 1336 | fi 1337 | 1338 | restore_interface_status 1339 | 1340 | if ! has_running_instance; then 1341 | echo "Exiting: This is the only running instance" 1342 | # kill common processes 1343 | for x in $COMMON_CONFDIR/*.pid; do 1344 | [[ -f $x ]] && kill -9 $(cat "$x") && rm "$x" 1345 | done 1346 | 1347 | rm -d "$COMMON_CONFDIR/vfaces" 1348 | rm -d "$COMMON_CONFDIR" 1349 | rm -d "$TMPDIR" 1350 | else 1351 | echo "Exiting: This is NOT the only running instance" 1352 | fi 1353 | } 1354 | 1355 | clean_iptables() { 1356 | [[ -f $CONFDIR/undo_iptables.sh ]] && bash $CONFDIR/undo_iptables.sh 1357 | 1358 | [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh 1359 | } 1360 | 1361 | cleanup() { 1362 | trap "" SIGINT SIGUSR1 SIGUSR2 EXIT SIGTERM 1363 | echo 1364 | echo 1365 | echo "Doing cleanup.. " 1366 | kill_processes 1367 | echo "Undoing iptables changes .." 1368 | clean_iptables > /dev/null 1369 | _cleanup 2> /dev/null 1370 | 1371 | #pgid=$(ps opgid= $$ |awk '{print $1}' ) 1372 | #echo "Killing PGID $pgid ..." 
1373 | #kill -15 -$pgid 1374 | #sleep 1 1375 | echo "Cleaning up done" 1376 | #kill -9 -$pgid 1377 | } 1378 | 1379 | # NOTE function die() is designed NOT to be used before init_trap() executed 1380 | die() { # SIGUSR2 1381 | echo "Error occured" 1382 | [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2 1383 | # send die signal to the main process 1384 | [[ $BASHPID -ne $$ ]] && kill -USR2 $$ || cleanup 1385 | exit 1 1386 | } 1387 | 1388 | clean_exit() { # SIGUSR1 1389 | # send clean_exit signal to the main process 1390 | [[ $BASHPID -ne $$ ]] && kill -USR1 $$ || cleanup 1391 | exit 0 1392 | } 1393 | 1394 | init_trap(){ 1395 | trap "cleanup" EXIT 1396 | trap "clean_exit" SIGINT SIGUSR1 SIGTERM 1397 | trap "die" SIGUSR2 1398 | } 1399 | init_conf_dirs() { 1400 | mkdir -p "$TMPDIR" || die "Couldn't make linux-router's temporary dir" 1401 | chmod 755 "$TMPDIR" 2>/dev/null 1402 | cd "$TMPDIR" || die "Couldn't change directory to linux-router's temporary path" 1403 | 1404 | CONFDIR="$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXXXXX)" || die "Instance couldn't make config dir" # config dir for one instance 1405 | chmod 755 "$CONFDIR" 1406 | #echo "Config dir: $CONFDIR" 1407 | echo $$ > "$CONFDIR/pid" 1408 | 1409 | COMMON_CONFDIR="$TMPDIR/lnxrouter_common.conf" # config dir for all instances 1410 | mkdir -p "$COMMON_CONFDIR" 1411 | } 1412 | 1413 | #== functions to deal with running instances 1414 | 1415 | list_running_conf() { 1416 | local x 1417 | for x in $TMPDIR/lnxrouter.*; do 1418 | if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then 1419 | echo "$x" 1420 | fi 1421 | done 1422 | } 1423 | 1424 | list_running() { 1425 | local IFACE subn_iface x 1426 | for x in $(list_running_conf); do 1427 | IFACE=${x#*.} 1428 | IFACE=${IFACE%%.*} 1429 | subn_iface=$(cat $x/subn_iface) 1430 | 1431 | if [[ "$IFACE" == "$subn_iface" ]]; then 1432 | echo $(cat $x/pid) $IFACE 1433 | else 1434 | echo $(cat $x/pid) $IFACE '('$(cat $x/subn_iface)')' 1435 | fi 1436 | done 
1437 | } 1438 | 1439 | get_subn_iface_from_pid() { 1440 | list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E "^${1} " | cut -d' ' -f2 1441 | } 1442 | 1443 | get_pid_from_subn_iface() { 1444 | list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E " ${1}$" | cut -d' ' -f1 1445 | } 1446 | 1447 | get_confdir_from_pid() { 1448 | local IFACE x 1449 | for x in $(list_running_conf); do 1450 | if [[ $(cat $x/pid) == "$1" ]]; then 1451 | echo "$x" 1452 | break 1453 | fi 1454 | done 1455 | } 1456 | 1457 | #====================================================== 1458 | 1459 | print_clients_from_leases() { # MAC|IP|HOST|lease 1460 | local LEASE_FILE="$1" 1461 | local FILEC 1462 | local line 1463 | local LEASEstr LEASEstamp 1464 | 1465 | FILEC="$(cat "$LEASE_FILE" | grep -v -E "^duid\b" | sed -r '/^\s*$/d' )" 1466 | 1467 | # TODO: duid is somewhat related to ipv6. I don't know about it. Not sure excluding it miss some info or not 1468 | echo "$FILEC" | while read -r line 1469 | do 1470 | #echo aa$line 1471 | LEASEstamp="$(echo "$line" | awk '{print $1}')" 1472 | MAC="$(echo "$line" | awk '{print $2}')" 1473 | IP="$(echo "$line" | awk '{print $3}' | sed 's/\[//g' | sed 's/\]//g')" 1474 | HOST="$(echo "$line" | awk '{print $4}' | sed 's/*/?/g' | sed 's/|/_/g' | sed 's/ /_/g' )" 1475 | 1476 | if [[ -n "$MAC" ]]; then 1477 | LEASEstr="$(date -d @${LEASEstamp} +%m-%d_%X)" 1478 | 1479 | echo "$MAC|$IP|$HOST|lease_$LEASEstr" 1480 | fi 1481 | done 1482 | 1483 | } 1484 | print_interface_neighbors_via_iproute() { # MAC|IP|_|STATUS 1485 | local IFACE=$1 1486 | 1487 | local line 1488 | 1489 | ip n | grep -E "\bdev $IFACE\b" | sed 's/ /|/g' | while read -r line 1490 | do 1491 | local MAC IP STATUS 1492 | 1493 | IP="$(echo "$line" | awk -F'|' '{print $1}')" 1494 | 1495 | if [[ "$(echo "$line" | awk -F'|' '{print $4}')" == "lladdr" ]]; then # has mac 1496 | # if has mac, $4="lladdr" and $5=macaddress and $6+=status 1497 | MAC="$(echo "$line" | awk -F'|' '{print $5}')" 
1498 | STATUS="$(echo "$line" | awk -F'|' '$1="";$2="";$3="";$4="";$5="";{print}' | awk '{$1=$1;print}'| sed 's/ /,/g')" 1499 | else # no mac 1500 | # if no mac, $4="" and $5+=status 1501 | MAC="?" 1502 | STATUS="$(echo "$line" | awk -F'|' '$1="";$2="";$3="";$4="";{print}' | awk '{$1=$1;print}' | sed 's/ /,/g')" 1503 | fi 1504 | if [[ -n "$IP" && ( "$MAC" != "?" || "$STATUS" != "FAILED" ) ]]; then 1505 | echo "$MAC|$IP|?|$STATUS" 1506 | fi 1507 | done 1508 | } 1509 | print_interface_neighbors_via_iw() { # MAC|_|_|signal 1510 | local IFACE=$1 1511 | local MAC SIGNAL 1512 | iw dev "$IFACE" station dump | awk '($1 ~ /Station$/) {print $2}' | while read -r MAC 1513 | do 1514 | if [[ -n "$MAC" ]]; then 1515 | SIGNAL="$(iw dev "$IFACE" station get "$MAC" | grep "signal:" | awk '{print $2}')" 1516 | echo "${MAC}|?|?|${SIGNAL}_dBm" 1517 | fi 1518 | done 1519 | } 1520 | 1521 | list_clients() { # passive mode. (use 'arp-scan' or 'netdiscover' if want active mode) 1522 | local IFACE pid 1523 | local CONFDIR 1524 | 1525 | local output="" 1526 | # If number (PID) is given, get the associated wifi iface 1527 | if [[ "$1" =~ ^[1-9][0-9]*$ ]]; then 1528 | pid="$1" 1529 | IFACE=$(get_subn_iface_from_pid "$pid") 1530 | if [[ -z "$IFACE" ]] ; then 1531 | echo "'$pid' is not the pid of a running $PROGNAME instance." >&2 1532 | exit 1 1533 | fi 1534 | else # non-number given 1535 | IFACE="$1" 1536 | if ( ! 
is_interface "$IFACE" ) ; then 1537 | echo "'$IFACE' is not an interface or PID" >&2 1538 | exit 1 1539 | fi 1540 | pid=$(get_pid_from_subn_iface "$IFACE") 1541 | if [[ -n "$pid" ]] ; then # if this interface is hosted by us 1542 | CONFDIR=$(get_confdir_from_pid "$pid") 1543 | output="$(print_clients_from_leases "$CONFDIR/dnsmasq.leases" )" 1544 | else # this interface NOT hosted by us 1545 | echo "Tip: '$IFACE' is not an interface hosted by $PROGNAME" >&2 1546 | fi 1547 | fi 1548 | output="$(echo "$output" ; print_interface_neighbors_via_iw "$IFACE") " 1549 | output="$(echo "$output" ; print_interface_neighbors_via_iproute "$IFACE")" 1550 | 1551 | output="$(echo "$output" | sort -k 1 -k 2 -t '|' | uniq | sed -r '/^\s*$/d')" 1552 | 1553 | echo "$IFACE ($(get_interface_mac "$IFACE")) neighbors:" 1554 | 1555 | local fmt="%-19s%-41s%-20s%s" # string length: MAC 17, ipv4 15, ipv6 39, hostname ? 1556 | printf "$fmt\n" "MAC" "IP" "HOSTNAME" "INFO" 1557 | 1558 | local line 1559 | echo "$output"| while read -r line 1560 | do 1561 | if [[ -n "$line" ]]; then 1562 | echo "$line" | awk -F'|' "{printf \"$fmt\n\",\$1,\$2,\$3,\$4}" 1563 | fi 1564 | done 1565 | # TODO : merge same mac and same ip line 1566 | } 1567 | 1568 | has_running_instance() { 1569 | local PID x 1570 | 1571 | for x in $TMPDIR/lnxrouter.*; do 1572 | if [[ -f $x/pid ]]; then 1573 | PID=$(cat $x/pid) 1574 | if [[ -d /proc/$PID ]]; then 1575 | return 0 1576 | fi 1577 | fi 1578 | done 1579 | 1580 | return 1 1581 | } 1582 | 1583 | is_running_pid() { 1584 | list_running | grep -E "^${1} " > /dev/null 2>&1 1585 | } 1586 | 1587 | send_stop() { 1588 | local x 1589 | 1590 | # send stop signal to specific pid 1591 | if is_running_pid "$1"; then 1592 | kill -USR1 "$1" 1593 | return 1594 | fi 1595 | 1596 | # send stop signal to specific interface 1597 | for x in $(list_running | grep -E " \(?${1}( |\)?\$)" | cut -f1 -d' '); do 1598 | kill -USR1 "$x" 1599 | done 1600 | } 1601 | 1602 | 1603 | ## 
======================================================== 1604 | ## ======================================================== 1605 | # decide linux-router's global temporary path for all instances 1606 | # this is different and should be before config-saving dir. The latter is for one instance 1607 | decide_tmpdir(){ 1608 | local TMPD 1609 | if [[ -d /dev/shm ]]; then 1610 | TMPD=/dev/shm 1611 | elif [[ -d /run/shm ]]; then 1612 | TMPD=/run/shm 1613 | else 1614 | TMPD=/tmp 1615 | fi 1616 | #TMPDIR=$TMPD/lnxrouter_tmp 1617 | echo "$TMPD/lnxrouter_tmp" 1618 | } 1619 | 1620 | #====== 1621 | 1622 | check_other_functions(){ 1623 | if [[ $LIST_RUNNING -eq 1 ]]; then 1624 | echo -e "List of running $PROGNAME instances:\n" 1625 | list_running 1626 | exit 0 1627 | fi 1628 | 1629 | if [[ -n "$LIST_CLIENTS_ID" ]]; then 1630 | list_clients "$LIST_CLIENTS_ID" 1631 | exit 0 1632 | fi 1633 | 1634 | ##### root test ##### NOTE above don't require root ########## 1635 | if [[ $(id -u) -ne 0 ]]; then 1636 | echo "ERROR: Need root to continue" >&2 1637 | exit 1 1638 | fi 1639 | ###### NOTE below require root ########## 1640 | 1641 | if [[ -n "$STOP_ID" ]]; then 1642 | echo "Trying to kill $PROGNAME instance associated with $STOP_ID..." 1643 | send_stop "$STOP_ID" 1644 | exit 0 1645 | fi 1646 | } 1647 | 1648 | 1649 | daemonizing_check(){ 1650 | if [[ $DAEMONIZE -eq 1 && $RUNNING_AS_DAEMON -eq 0 ]]; then 1651 | echo "Running as Daemon..." 1652 | # run a detached lnxrouter 1653 | RUNNING_AS_DAEMON=1 setsid "$0" "${ARGS[@]}" & 1654 | exit 0 1655 | fi 1656 | } 1657 | 1658 | #============================ 1659 | check_wifi_settings() { 1660 | 1661 | if ! ( which iw > /dev/null 2>&1 && iw dev "$WIFI_IFACE" info > /dev/null 2>&1 ); then 1662 | echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ... (Did you spell the interface name right?)" >&2 1663 | USE_IWCONFIG=1 1664 | fi 1665 | 1666 | if [[ $USE_IWCONFIG -eq 1 ]]; then 1667 | if ! 
(which iwconfig > /dev/null 2>&1 && iwconfig "$WIFI_IFACE" > /dev/null 2>&1); then
			echo "ERROR: Can't use 'iwconfig' to operate interface '$WIFI_IFACE'" >&2
			exit 1
		fi
	fi

	if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then
		echo "ERROR: Invalid frequency band" >&2
		exit 1
	fi

	if [[ $FREQ_BAND != 5 && $CHANNEL -gt 14 ]]; then
		echo "Channel number is greater than 14, assuming 5GHz frequency band"
		FREQ_BAND=5
	fi

	if ! can_be_ap "${WIFI_IFACE}"; then
		echo "ERROR: Your adapter does not support AP (master) mode" >&2
		exit 1
	fi

	if ! can_be_sta_and_ap "${WIFI_IFACE}"; then
		if is_interface_wifi_connected "${WIFI_IFACE}"; then
			echo "ERROR: Your adapter can not be a station (i.e. be connected) and an AP at the same time" >&2
			exit 1
		elif [[ $NO_VIRT -eq 0 ]]; then
			echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2
			NO_VIRT=1
		fi
	fi

	HOSTAPD=$(which hostapd)

	if [[ $(get_adapter_kernel_module "${WIFI_IFACE}") =~ ^(8192[cd][ue]|8723a[sue])$ ]]; then
		if ! strings "$HOSTAPD" | grep -m1 rtl871xdrv > /dev/null 2>&1; then
			echo "ERROR: You need to patch your hostapd with rtl871xdrv patches." >&2
			exit 1
		fi

		if [[ $DRIVER != "rtl871xdrv" ]]; then
			echo "WARN: Your adapter needs rtl871xdrv, enabling --driver=rtl871xdrv" >&2
			DRIVER=rtl871xdrv
		fi
	fi

	if [[ ${#SSID} -lt 1 || ${#SSID} -gt 32 ]]; then
		echo "ERROR: Invalid SSID length ${#SSID} (expected 1..32)" >&2
		exit 1
	fi

	if [[ $USE_PSK -eq 0 ]]; then
		if [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -lt 8 ]] || [[ ${#PASSPHRASE} -gt 63 ]]; then
			echo "ERROR: Invalid passphrase length ${#PASSPHRASE} (expected 8..63)" >&2
			exit 1
		fi
	elif [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -ne 64 ]]; then
		echo "ERROR: Invalid pre-shared-key length ${#PASSPHRASE} (expected 64)" >&2
		exit 1
	fi

	if [[ $(get_adapter_kernel_module "${WIFI_IFACE}") =~ ^rtl[0-9].*$ ]]; then
		if [[ $WPA_VERSION == '1' || $WPA_VERSION == '1+2' ]]; then
			echo "WARN: Realtek drivers usually have problems with WPA1, WPA2 is recommended" >&2
		fi
		echo "WARN: If AP doesn't work, read https://github.com/oblique/create_ap/blob/master/howto/realtek.md" >&2
	fi

	if [[ -z $VIRT_NAME ]]; then
		if [[ ${#WIFI_IFACE} -gt 13 ]]; then
			echo "WARN: $WIFI_IFACE has ${#WIFI_IFACE} characters which might be too long. If AP doesn't work, see --virt-name and https://github.com/garywill/linux-router/issues/44" >&2
		fi
	elif [[ ${#VIRT_NAME} -gt 15 ]]; then
		echo "WARN: option --virt-name $VIRT_NAME has ${#VIRT_NAME} characters which might be too long, consider making it shorter in case of errors" >&2
	fi

	if [[ ! -z $VIRT_NAME ]] && is_vface_name_allocated "$VIRT_NAME"; then
		echo "WARN: interface $VIRT_NAME already exists, this will cause an error"
	fi
}

check_if_new_mac_valid() {
	if ! is_unicast_macaddr "$NEW_MACADDR"; then
		echo "ERROR: The first byte of MAC address (${NEW_MACADDR}) must be even" >&2
		exit 1
	fi

	if [[ $(get_all_mac_in_system | grep -c "${NEW_MACADDR}") -ne 0 ]]; then
		echo "WARN: MAC address '${NEW_MACADDR}' already exists" >&2
	fi
}

decide_target_interface() {
	# TARGET_IFACE is an existing physical interface
	if [[ "$CONN_IFACE" ]]; then
		echo "$CONN_IFACE"
	elif [[ "$WIFI_IFACE" ]]; then
		echo "$WIFI_IFACE"
	else
		echo "No target interface specified" >&2
		return 1
	fi
}

decide_ip_addresses() {
	if [[ ! -n $GATEWAY4 ]]; then
		GATEWAY4="$(generate_random_ip4)"
		echo "Use random LAN IPv4 address $GATEWAY4"
	elif [[ ! "$GATEWAY4" =~ "." ]]; then
		# a bare number means the third octet of 192.168.x.1
		GATEWAY4="192.168.${GATEWAY4}.1"
	fi

	if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
		PREFIX6="$(generate_random_lan_ip6_prefix)"
		echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
	elif [[ ! "$PREFIX6" =~ ":" ]]; then
		PREFIX6="fd00:0:0:${PREFIX6}::"
	fi
	if [[ $IPV6 -eq 1 ]]; then
		GATEWAY6="${PREFIX6}${IID6}"
	fi

	SUBNET_NET4="${GATEWAY4%.*}.0/24"
	[[ $IPV6 -eq 1 ]] && SUBNET_NET6="${PREFIX6}/64"

}

prepare_wifi_interface() {
	if [[ $USE_IWCONFIG -eq 0 ]]; then
		iw dev "${WIFI_IFACE}" set power_save off
	fi

	if [[ $NO_VIRT -eq 0 ]]; then
		## Will generate virtual wifi interface

		# TODO move this to check_wifi_settings() ?
		if is_interface_wifi_connected "${WIFI_IFACE}"; then
			WIFI_IFACE_FREQ=$(iw dev "${WIFI_IFACE}" link | grep -i freq | awk '{print $2}' | sed 's/\.00*$//g') # NOTE we assume integer currently, which can be right, or wrong in the future
			WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel "${WIFI_IFACE_FREQ}")

			echo "${WIFI_IFACE} already working in channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)"

			if [[ $CHANNEL == default ]]; then
				echo "Use wifi adapter current channel $WIFI_IFACE_CHANNEL as target channel"
				CHANNEL=$WIFI_IFACE_CHANNEL
			fi

			if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
				echo "WARN: Wifi adapter already working in channel ${WIFI_IFACE_CHANNEL}, which is different than target channel $CHANNEL" >&2
			fi
		fi

		echo "Creating a virtual WiFi interface... "
		VWIFI_IFACE=$(alloc_new_vface_name)
		if iw dev "${WIFI_IFACE}" interface add "${VWIFI_IFACE}" type __ap; then
			# Successfully created virtual wifi interface
			# if NM running, it will give the new virtual interface a random MAC. MAC will go back after setting NM unmanaged
			sleep 2
			echo "${VWIFI_IFACE} created"
		else
			VWIFI_IFACE=
			if [[ ! -z ${VIRT_NAME} ]] && [[ ${#VIRT_NAME} -gt 15 ]]; then
				die "Failed creating virtual WiFi interface. This is likely because you have set a long name for your virtual interface using --virt-name, try making it shorter"
			elif [[ -z ${VIRT_NAME} ]] && [[ ${#WIFI_IFACE} -gt 13 ]]; then
				die "Failed creating virtual WiFi interface. This is likely because your interface name is too long. Try using '--virt-name '"
			else
				die "Failed creating virtual WiFi interface. Maybe your WiFi adapter does not fully support virtual interfaces. Try again with '--no-virt'"
			fi
		fi

		AP_IFACE=${VWIFI_IFACE}
	else # no virtual wifi interface, use wifi device interface itself
		AP_IFACE=${WIFI_IFACE}
	fi

	if [[ $CHANNEL == default ]]; then
		echo "Channel not specified, use default"
		if [[ $FREQ_BAND == 2.4 ]]; then
			CHANNEL=1
		else
			CHANNEL=36
		fi
	fi
}

decide_subnet_interface() {
	if [[ $WIFI_IFACE ]]; then
		echo "${AP_IFACE}"
	else
		echo "${TARGET_IFACE}"
	fi
}

dealwith_mac() {
	local VMAC

	if [[ -n "$NEW_MACADDR" ]] ; then # user chose to set subnet mac

		echo "Setting ${SUBNET_IFACE} new MAC address ${NEW_MACADDR} ..."
		set_interface_mac "${SUBNET_IFACE}" "${NEW_MACADDR}" || die "Failed setting new MAC address"

	elif [[ $VWIFI_IFACE ]]; then # user didn't choose to set mac, but using virtual wifi interface

		VMAC=$(get_new_macaddr_according_to_existing "${WIFI_IFACE}")
		if [[ "$VMAC" ]]; then
			echo "Assigning MAC address $VMAC to virtual interface $VWIFI_IFACE according to $WIFI_IFACE ..."
			set_interface_mac "$VWIFI_IFACE" "$VMAC"
		fi
	fi
}

write_hostapd_conf() {
	cat <<- EOF > "$CONFDIR/hostapd.conf"
	beacon_int=100
	ssid=${SSID}
	interface=${AP_IFACE}
	driver=${DRIVER}
	channel=${CHANNEL}
	ctrl_interface=$CONFDIR/hostapd_ctrl
	ctrl_interface_group=0
	ignore_broadcast_ssid=$HIDDEN
	ap_isolate=$ISOLATE_CLIENTS
	EOF

	if [[ -n "$COUNTRY" ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		country_code=${COUNTRY}
		ieee80211d=1
		EOF
	fi

	if [[ $FREQ_BAND == 2.4 ]]; then
		echo "hw_mode=g" >> "$CONFDIR/hostapd.conf"
	else
		echo "hw_mode=a" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ $MAC_FILTER -eq 1 ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		macaddr_acl=${MAC_FILTER}
		accept_mac_file=${MAC_FILTER_ACCEPT}
		EOF
	fi

	if [[ $HOTSPOT20 -eq 1 ]]; then
		echo "hs20=1" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ $IEEE80211N -eq 1 ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		ieee80211n=1
		ht_capab=${HT_CAPAB}
		EOF
	fi

	if [[ $REQUIREHT -eq 1 ]]; then
		echo "require_ht=1" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ $IEEE80211AC -eq 1 ]]; then
		echo "ieee80211ac=1" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ $REQUIREVHT -eq 1 ]]; then
		echo "require_vht=1" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ -n "$VHT_CAPAB" ]]; then
		echo "vht_capab=${VHT_CAPAB}" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ $VHTCHANNELWIDTH -gt 0 ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		vht_oper_chwidth=${VHTCHANNELWIDTH}
		EOF
	fi

	if [[ $VHTSEG0CHINDEX -gt 0 ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		vht_oper_centr_freq_seg0_idx=${VHTSEG0CHINDEX}
		EOF
	fi

	if [[ $VHTSEG1CHINDEX -gt 0 ]]; then
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		vht_oper_centr_freq_seg1_idx=${VHTSEG1CHINDEX}
		EOF
	fi

	if [[ $IEEE80211N -eq 1 ]] || [[ $IEEE80211AC -eq 1 ]]; then
		echo "wmm_enabled=1" >> "$CONFDIR/hostapd.conf"
	fi

	if [[ -n "$PASSPHRASE" ]]; then
		# hostapd's 'wpa' is a bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = both; so "1+2" maps to 3 (none of these is WPA3)
		[[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3
		if [[ $USE_PSK -eq 0 ]]; then
			WPA_KEY_TYPE=passphrase
		else
			WPA_KEY_TYPE=psk
		fi
		cat <<- EOF >> "$CONFDIR/hostapd.conf"
		wpa=${WPA_VERSION}
		wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
		wpa_key_mgmt=WPA-PSK
		wpa_pairwise=CCMP
		rsn_pairwise=CCMP
		EOF
	else
		echo "WARN: WiFi is not protected by password" >&2
	fi
	# the file holds the passphrase/PSK in clear text, keep it owner-readable only
	chmod 600 "$CONFDIR/hostapd.conf"
}

write_dnsmasq_conf() {
	local i
	if grep "^nobody:" /etc/group >/dev/null 2>&1 ; then
		NOBODY_GROUP="nobody"
	else
		NOBODY_GROUP="nogroup"
	fi

	mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"
	chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner"
	cat "$CONFDIR/dnsmasq.log" &

	cat <<- EOF > "$CONFDIR/dnsmasq.conf"
	user=nobody
	group=$NOBODY_GROUP
	bind-dynamic
	listen-address=${GATEWAY4}
	interface=$SUBNET_IFACE
	except-interface=lo
	no-dhcp-interface=lo
	dhcp-range=${GATEWAY4%.*}.10,${GATEWAY4%.*}.250,255.255.255.0
	dhcp-option-force=option:router,${GATEWAY4}
	#log-dhcp
	log-facility=$CONFDIR/dnsmasq.log
	bogus-priv
	domain-needed
	EOF
	# 'log-dhcp' (extra logging for DHCP) is too verbose.
	# if '-d' is used, 'log-facility' should be /dev/null
	if [[ $SHARE_METHOD == "none" ]]; then
		echo "no-resolv" >> "$CONFDIR/dnsmasq.conf"
		echo "no-poll" >> "$CONFDIR/dnsmasq.conf"
	fi
	if [[ "$DHCP_DNS" != "no" ]]; then
		if [[ "$DHCP_DNS" == "gateway" ]]; then
			dns_offer="$GATEWAY4"
		else
			dns_offer="$DHCP_DNS"
		fi
		echo "dhcp-option-force=option:dns-server,${dns_offer}" >> "$CONFDIR/dnsmasq.conf"
	fi

	if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then
		echo "port=0" >> "$CONFDIR/dnsmasq.conf"
	fi

	[[ -n "$MTU" ]] && echo "dhcp-option-force=option:mtu,${MTU}" >> "$CONFDIR/dnsmasq.conf"
	[[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> "$CONFDIR/dnsmasq.conf"
	[[ -n "$ADDN_HOSTS" ]] && echo "addn-hosts=${ADDN_HOSTS}" >> "$CONFDIR/dnsmasq.conf"
	if [[ "$THISHOSTNAME" ]]; then
		[[ "$THISHOSTNAME" == "-" ]] && THISHOSTNAME="$(cat /etc/hostname)"
		echo "interface-name=$THISHOSTNAME,$SUBNET_IFACE" >> "$CONFDIR/dnsmasq.conf"
	fi
	if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
		echo log-queries=extra >> "$CONFDIR/dnsmasq.conf"
	fi

	if [[ $DNS ]]; then
		DNS_count=$(echo "$DNS" | awk -F, '{print NF}')
		for (( i=1;i<=DNS_count;i++ )); do
			DNS_PORT_D="" # reset per entry, so a port given for one server is not carried over to the next
			sep_ip_port "$(echo "$DNS" | cut -d, -f$i)" DNS_IP DNS_PORT
			[[ "$DNS_PORT" ]] && DNS_PORT_D="#$DNS_PORT"
			echo "server=${DNS_IP}${DNS_PORT_D}" >> "$CONFDIR/dnsmasq.conf"
		done

		cat <<- EOF >> "$CONFDIR/dnsmasq.conf"
		no-resolv
		no-poll
		EOF
	fi
	if [[ $DNS_NOCACHE -eq 1 ]]; then
		echo "cache-size=0" >> "$CONFDIR/dnsmasq.conf"
		echo "no-negcache" >> "$CONFDIR/dnsmasq.conf"
	fi
	if [[ $IPV6 -eq 1 ]];then
		cat <<- EOF >> "$CONFDIR/dnsmasq.conf"
		listen-address=${GATEWAY6}
		enable-ra
		#quiet-ra
		dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64
		EOF
		if [[ "$DHCP_DNS6" != "no" ]]; then
			if [[ "$DHCP_DNS6" == "gateway" ]]; then
				dns_offer6="[$GATEWAY6]"
			else
				dns_offer6="$DHCP_DNS6"
			fi
			echo "dhcp-option=option6:dns-server,${dns_offer6}" >> "$CONFDIR/dnsmasq.conf"
		fi
	fi
}

run_wifi_ap_processes() {
	if [[ $NO_HAVEGED -eq 0 ]]; then
		haveged_watchdog &
		HAVEGED_WATCHDOG_PID=$!
		echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid"
		echo
		echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID"
	fi

	# start access point
	#echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
	# start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout)
	STDBUF_PATH=$(which stdbuf)
	if [ $? -eq 0 ]; then
		STDBUF_PATH=$STDBUF_PATH" -oL"
	fi
	echo
	echo "Starting hostapd"

	if COMPLAIN_CMD="$(command -v aa-complain || command -v complain)"; then
		echo "Setting hostapd to AppArmor complain mode..."
		"$COMPLAIN_CMD" hostapd
	fi

	# hostapd '-P' works only when using '-B' (run in background)
	$STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf" &
	HOSTAPD_PID=$!
	echo "$HOSTAPD_PID" > "$CONFDIR/hostapd.pid"
	echo "hostapd PID: $HOSTAPD_PID"
	#while [[ ! -f $CONFDIR/hostapd.pid ]]; do
	#	sleep 1
	#done
	#echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid
	pid_watchdog "$HOSTAPD_PID" 10 "hostapd failed. (tip: try '--hostapd-debug' to get some debug info)" &
	sleep 3
}

start_dnsmasq() {
	echo
	echo "Starting dnsmasq"

	if COMPLAIN_CMD="$(command -v aa-complain || command -v complain)"; then
		echo "Setting dnsmasq to AppArmor complain mode..."
		"$COMPLAIN_CMD" dnsmasq
	fi

	# With '-d' (no daemon) dnsmasq will not drop to 'nobody'
	# '-x' works only without '-d'
	dnsmasq -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" &
	#####DNSMASQ_PID=$! # only when with '-d'
	######echo "dnsmasq PID: $DNSMASQ_PID" # only when with '-d'
	i=0; while [[ ! -f "$CONFDIR/dnsmasq.pid" ]]; do
		sleep 1
		i=$((i + 1))
		if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi
	done
	DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )"
	echo "dnsmasq PID: $DNSMASQ_PID"
	######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child
	pid_watchdog "$DNSMASQ_PID" 9 "dnsmasq failed" &
	sleep 2
}

check_rfkill_unblock_wifi() {
	local PHY
	if which rfkill > /dev/null 2>&1 ; then
		PHY=$(get_interface_phy_device "${SUBNET_IFACE}")
		[[ -n $PHY ]] && rfkill unblock $(rfkill | grep "$PHY" | awk '{print $1}') >/dev/null 2>&1
	fi
}

#=========== Above are functions ======================
#=========== Executing begin ==============================

# if empty option, show usage and exit
check_empty_option "$@"

# TODO: are some global variables still defined in the following code?
define_global_variables

ARGS=( "$@" )

parse_user_options "$@"
# TODO: detect user option conflict


TMPDIR="$(decide_tmpdir)"

# if user chooses to deal with running instances, will output some info then exit after this
# NOTE above don't require root
check_other_functions
# NOTE below require root

# if user chooses to daemonize, will start new background process and exit this
daemonizing_check

# check if wifi will work on this system and user settings
[[ $WIFI_IFACE ]] && check_wifi_settings

[[ -n "$NEW_MACADDR" ]] && check_if_new_mac_valid # check NEW_MACADDR. will exit if not valid

# checks finished

## ===== Above don't echo anything if no warning or error====================
## ========================================================
phead
phead2
echo

echo "PID: $$"

TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac "$TARGET_IFACE")) "
show_interface_pci_info "$TARGET_IFACE"

if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then
	NEW_MACADDR="$(generate_random_mac)"
	echo "Use random MAC address $NEW_MACADDR"
fi

decide_ip_addresses # ip 4 & 6 lan addresses

# if user chooses to make DHCP tell clients to use other DNS, we don't have to serve DNS
[[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]] && dnsmasq_NO_DNS=1

#===========================================================
#==== begin to do some change on config files and system===

init_trap
# NOTE function die() is designed not to be used before init_trap() executed

init_conf_dirs # CONFDIR , COMMON_CONFDIR . make dir

[[ $WIFI_IFACE ]] && prepare_wifi_interface # this will create virtual ap interface (if needed) and set VWIFI_IFACE and AP_IFACE (if success)

SUBNET_IFACE="$(decide_subnet_interface)" # SUBNET_IFACE can be TARGET_IFACE (wired) or AP_IFACE (ap) .this is after prepare_wifi_interface()
echo "$SUBNET_IFACE" > "$CONFDIR/subn_iface"

# if virtual wifi interface, will be destroyed, so only need to save status when not
[[ -z $VWIFI_IFACE ]] && backup_interface_status

# TODO: should these 2 be before calling prepare_wifi_interface ? in check_wifi_settings() ?
# set iw country code
if [[ $WIFI_IFACE && -n "$COUNTRY" && $USE_IWCONFIG -eq 0 ]]; then
	iw reg set "$COUNTRY" || die "Failed setting country code"
fi

# judge channel availability after changing country code
if [[ $WIFI_IFACE ]] ; then
	can_transmit_to_channel "${AP_IFACE}" ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}, frequency band ${FREQ_BAND}GHz."
fi

[[ $WIFI_IFACE ]] && write_hostapd_conf
#===================================================
#===================================================

# set interface unmanaged by networkManager
if is_nm_running && nm_knows "$TARGET_IFACE"; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged()
	nm_set_unmanaged "${SUBNET_IFACE}" # will write NM_UNM_LIST
fi

[[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf
#===========================

# initialize subnet interface
# take subnet interface down first
ip link set down dev "${SUBNET_IFACE}" || die "Failed setting ${SUBNET_IFACE} down"
# flush old IPs of subnet interface
ip addr flush "${SUBNET_IFACE}" || die "Failed flushing ${SUBNET_IFACE} IP"

dealwith_mac # setting MAC should be after setting NM unmanaged

[[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi


echo
iptables --version
echo "Notice: Not showing all operations done to iptables rules"

if [[ "$IPV6" -eq 0 ]]; then
	IP_VERs=("4")
else
	IP_VERs=("4" "6")
fi

disable_unwanted_forwarding


# bring subnet interface up
ip link set up dev "${SUBNET_IFACE}" || die "Failed bringing ${SUBNET_IFACE} up"

# hostapd , haveged
[[ $WIFI_IFACE ]] && run_wifi_ap_processes

# add ipv4 address to subnet interface
ip -4 addr add ${GATEWAY4}/24 broadcast ${GATEWAY4%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address"

set_ipv6_bits

# add ipv6 address to subnet interface
if [[ $IPV6 -eq 1 ]] ; then
	ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
fi


# enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then

	echo "No Internet sharing"

	[[ "$BANLAN" -eq 1 ]] && start_ban_lan

elif [[ "$SHARE_METHOD" == "nat" ]]; then
	[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2

	start_nat

	[[ "$BANLAN" -eq 1 ]] && start_ban_lan

	echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe unneeded in '--no4' mode

	if [[ $IPV6 -eq 1 ]]; then
		echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
	fi

	# to enable clients to establish PPTP connections we must
	# load nf_nat_pptp module
	modprobe nf_nat_pptp > /dev/null 2>&1 && echo "Loaded kernel module nf_nat_pptp"

elif [[ "$SHARE_METHOD" == "redsocks" ]]; then

	if [[ $IPV6 -eq 1 ]]; then
		echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
	fi

	[[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2

	[[ "$BANLAN" -eq 1 ]] && start_ban_lan

	start_redsocks
fi

# start dhcp + dns (optional)

# allow dns port input even if we don't run dnsmasq
# user can serve their own dns server
[[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]] && allow_dns_port

[[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns

[[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )


echo ""
is_firewalld_running && firewalld_add_tmpzone


echo
echo "== Setting up completed, now linux-router should be working =="

#============================================================
#============================================================
#============================================================

show_qr() {
	local T S P H
	S="$SSID"
	if [[ -n "$PASSPHRASE" ]]; then
		T="WPA"
		P="$PASSPHRASE"
	else
		T="nopass"
	fi
	[[ "$HIDDEN" -eq 1 ]] && H="true"
	echo "Scan QR code on phone to connect to WiFi"
	qrencode -m 2 -t ANSIUTF8 "WIFI:T:${T};S:${S};P:${P};H:${H};"
	echo "Use this command to save QR code to image file:"
	echo "    qrencode -m 2 -o  \"WIFI:T:${T};S:${S};P:${P};H:${H};\""
	echo
}

[[ "$QR" -eq 1 ]] && show_qr

# need loop to keep this script running
bash -c "while :; do sleep 8000 ; done " &
KEEP_RUNNING_PID=$!
echo "$KEEP_RUNNING_PID" > "$CONFDIR/keep_running.pid"
wait "$KEEP_RUNNING_PID"

clean_exit
--------------------------------------------------------------------------------