kissbac
/
packages


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196
							#!/bin/sh /etc/rc.common

SERVICE_USE_PID=1

START=50

setup_firewall() {
	local port fw
	config_get port		$1 port
	test -z "$port" && return

	config_get fwport		$1 "fwport"
	test "$fwport" = "$port" && return

	#can we remove the old rule?
	uci add firewall rule
	uci set firewall.@rule[-1].src=wan
	uci set firewall.@rule[-1].target=ACCEPT
	uci set firewall.@rule[-1].proto=tcpudp
	uci set firewall.@rule[-1].dest_port=$port
	uci commit firewall
	/etc/init.d/firewall restart

	uci set ocserv.config.fwport="$port"
	uci commit ocserv
}

clear_firewall() {
	iptables-save | grep -v ocserv-rule | iptables-restore
}

setup_config() {
	config_get port         $1 port "4443"
	config_get max_clients  $1 max_clients "8"
	config_get max_same     $1 max_same "2"
	config_get dpd          $1 dpd "120"
	config_get predictable_ips  $1 predictable_ips "1"
	config_get udp          $1 udp "1"
	config_get auth         $1 auth "plain"
	config_get cisco_compat $1 cisco_compat "1"
	config_get ipaddr       $1 ipaddr "192.168.100.0"
	config_get netmask      $1 netmask "255.255.255.0"
	config_get ip6addr      $1 ip6addr ""

	test $predictable_ips = "0" && predictable_ips="false"
	test $predictable_ips = "1" && predictable_ips="true"
	test $cisco_compat = "0" && cisco_compat="false"
	test $cisco_compat = "1" && cisco_compat="true"
	test $udp = "0" && udp="#"
	test $udp = "1" && udp=""
	test -z $ip6addr && enable_ipv6="#"

	ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
	ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`

	test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"

	mkdir -p /var/etc
	sed -e "s/|PORT|/$port/g" \
	    -e "s/|MAX_CLIENTS|/$max_clients/g" \
	    -e "s/|MAX_SAME|/$max_same/g" \
	    -e "s/|DPD|/$dpd/g" \
	    -e "s#|AUTH|#$auth$authsuffix#g" \
	    -e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
	    -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
	    -e "s/|UDP|/$udp/g" \
	    -e "s/|IPV4ADDR|/$ipaddr/g" \
	    -e "s/|NETMASK|/$netmask/g" \
	    -e "s/|IPV6ADDR|/$ipv6_addr/g" \
	    -e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
	    -e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
	    /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
}

setup_users() {
	local name
	local group
	local password

	config_get name $1 name
	config_get group $1 group
	config_get password $1 password

	[ -z "$group" ] && group='*'
	[ -z "$name" -o -z "$password" ] && return

	echo "$name:$group:$password" >> /var/etc/ocpasswd
}

setup_routes() {
	local routes

	config_get ip $1 ip
	config_get netmask $1 netmask

	[ -z "$ip" -o -z "$netmask" ] && return

	echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
}

setup_dns() {
	local routes

	config_get ip $1 ip

	[ -z "$ip" ] && return

	echo "dns = $ip" >> /var/etc/ocserv.conf
}

start() {
	local hostname iface

	user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
	group_exists ocserv 72 || group_add ocserv 72

	hostname=`uci get ddns.myddns.domain`
	[ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`

	[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
		logger -t ocserv "Generating CA certificate..."
		mkdir -p /etc/ocserv/pki/
		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
		echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
		echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
		echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
		echo "ca" >>/etc/ocserv/pki/ca.tmpl
		echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl

		certtool --template /etc/ocserv/pki/ca.tmpl \
			--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
			--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
	}

	#generate server certificate/key
	[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
		logger -t ocserv "Generating server certificate..."
		mkdir -p /etc/ocserv/pki/
		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
		echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
		echo "serial=2" >>/etc/ocserv/pki/server.tmpl
		echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
		echo "signing_key" >>/etc/ocserv/pki/server.tmpl
		echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
		certtool --template /etc/ocserv/pki/server.tmpl \
			--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
			--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
			/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
	}

	[ -f /var/run/ocserv.pid ] || {
		touch /var/run/ocserv.pid
		chown ocserv:ocserv /var/run/ocserv.pid
	}
	[ -d /var/lib/ocserv ] || {
		mkdir -m 0755 -p /var/lib/ocserv
		chmod 0700 /var/lib/ocserv
		chown ocserv:ocserv /var/lib/ocserv
	}

	config_load "ocserv"

	rm -f /var/etc/ocserv.conf
	touch /var/etc/ocserv.conf
	setup_config config
	config_foreach setup_routes routes
	config_foreach setup_dns dns

	rm -f /var/etc/ocpasswd
	touch /var/etc/ocpasswd
	chmod 600 /var/etc/ocpasswd
	config_foreach setup_users ocservusers

	setup_firewall config

	service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
}

stop() {
	service_stop /usr/sbin/ocserv
	clear_firewall
}
       
reload() {
	rm -f /var/etc/ocpasswd
	touch /var/etc/ocpasswd
	chmod 600 /var/etc/ocpasswd
	config_foreach setup_users ocservusers

	/usr/bin/occtl show status >/dev/null 2>&1
	if test $? != 0;then
		start
	else
		/usr/bin/occtl reload
	fi
}