Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add initial luci-app-fwknopd - a way to control the firewall knock daemon from luci

Browse source 
Signed-off-by: Jonathan Bennett <jbennett@incomsystems.biz>
This commit is contained in:
Jonathan Bennett 2015-05-08 23:30:02 -05:00
parent 7a54785ea6
commit d009a73bd1
6 changed files with 278 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
applications/luci-app-fwknopd/Makefile Normal file
View file

@ -0,0 +1,17 @@
#
# Copyright (C) 2015 The LuCI Team <luci@lists.subsignal.org>
#
# This is free software, licensed under the GNU General Public License v2.
#
include $(TOPDIR)/rules.mk
LUCI_TITLE:=Fwknopd config - web config for the firewall knock daemon
LUCI_DEPENDS:=+fwknopd
PKG_VERSION:=1.0
PKG_RELEASE:=1
PKG_LICENSE:=GPLv2
PKG_MAINTAINER:=Jonathan Bennett <JBennett@incomsystems.biz>
include ../../luci.mk
# call BuildPackage - OpenWrt buildroot signature

15
applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua Normal file
View file

@ -0,0 +1,15 @@
-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
-- Licensed to the public under the GNU General Public License v2.
module("luci.controller.fwknopd", package.seeall)
function index()
if not nixio.fs.access("/etc/config/fwknopd") then
return
end
local page
page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))
page.dependent = true
end

49
applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua Normal file
View file

@ -0,0 +1,49 @@
-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
-- Licensed to the public under the GNU General Public License v2.
m = Map("fwknopd", translate("Firewall Knock Operator"))
s = m:section(TypedSection, "global", translate("Enable Uci/Luci control")) -- Set uci control on or off
s.anonymous=true
s:option(Flag, "uci_enabled", translate("Enable config overwrite"), translate("When unchecked, the config files in /etc/fwknopd will be used as is, ignoring any settings here."))
s = m:section(TypedSection, "access", translate("access.conf stanzas")) -- set the access.conf settings
s.anonymous=true
s.addremove=true
s.dynamic=true
s:option(Value, "SOURCE", "SOURCE", translate("Use ANY for any source ip"))
k1 = s:option(Value, "KEY", "KEY", translate("Define the symmetric key used for decrypting an incoming SPA packet that is encrypted by the fwknop client with Rijndael."))
k1:depends("keytype", translate("Normal Key"))
k2 = s:option(Value, "KEY_BASE64", "KEY_BASE64", translate("Define the symmetric key used for decrypting an incoming SPA \
packet that is encrypted by the fwknop client with Rijndael."))
k2:depends("keytype", translate("Base 64 key"))
l1 = s:option(ListValue, "keytype", "Key type")
l1:value("Normal Key", "Normal Key")
l1:value("Base 64 key", "Base 64 key")
k3 = s:option(Value, "HMAC_KEY", "HMAC_KEY", "The hmac key")
k3:depends("hkeytype", "Normal Key")
k4 = s:option(Value, "HMAC_KEY_BASE64", "HMAC_KEY_BASE64", translate("The base64 hmac key"))
k4:depends("hkeytype", "Base 64 key")
l2 = s:option(ListValue, "hkeytype", "HMAC Key type")
l2:value("Normal Key", "Normal Key")
l2:value("Base 64 key", "Base 64 key")
s:option(Value, "OPEN_PORTS", "OPEN_PORTS", translate("Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen. \
If this entry is not set, fwknopd will attempt to honor any proto/port request specified in the SPA data \
(unless of it matches any RESTRICT_PORTS entries). Multiple entries are comma-separated."))
s:option(Value, "FW_ACCESS_TIMEOUT", "FW_ACCESS_TIMEOUT", translate("Define the length of time access will be granted by fwknopd through the firewall after a \
valid knock sequence from a source IP address. If FW_ACCESS_TIMEOUT is not set then the default \
timeout of 30 seconds will automatically be set."))
s:option(Value, "REQUIRE_SOURCE_ADDRESS", "REQUIRE_SOURCE_ADDRESS", translate("Force all SPA packets to contain a real IP address within the encrypted data. \
This makes it impossible to use the -s command line argument on the fwknop client command line, so either -R \
has to be used to automatically resolve the external address (if the client behind a NAT) or the client must \
know the external IP and set it via the -a argument."))
s:option(DummyValue, "note1", translate("Enter custom access.conf variables below:"))
s = m:section(TypedSection, "config", translate("fwknopd.conf config options"))
s.anonymous=true
s.dynamic=true
s:option(Value, "MAX_SPA_PACKET_AGE", "MAX_SPA_PACKET_AGE", translate("Maximum age in seconds that an SPA packet will be accepted. defaults to 120 seconds"))
s:option(DummyValue, "note2", translate("Enter custom fwknopd.conf variables below:"))
return m

103
applications/luci-app-fwknopd/po/en/en.po Normal file
View file

@ -0,0 +1,103 @@
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Project-Id-Version: PACKAGE VERSION\n"
"PO-Revision-Date: 2015-05-12 21:03-0500\n"
"Last-Translator: Jonathan Bennett <JBennett@incomsystems.biz>\n"
"Language-Team: English\n"
"Language: en\n"
"MIME-Version: 1.0\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
msgid "Base 64 key"
msgstr "Base 64 key"
msgid ""
"Define a set of ports and protocols (tcp or udp) that will be opened if a "
"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
"to honor any proto/port request specified in the SPA data (unless of it "
"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
msgstr ""
"Define a set of ports and protocols (tcp or udp) that will be opened if a "
"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
"to honor any proto/port request specified in the SPA data (unless of it "
"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
msgid ""
"Define the length of time access will be granted by fwknopd through the "
"firewall after a valid knock sequence from a source IP address. If "
"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
"automatically be set."
msgstr ""
"Define the length of time access will be granted by fwknopd through the "
"firewall after a valid knock sequence from a source IP address. If "
"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
"automatically be set."
msgid ""
"Define the symmetric key used for decrypting an incoming SPA packet that is "
"encrypted by the fwknop client with Rijndael."
msgstr ""
"Define the symmetric key used for decrypting an incoming SPA packet that is "
"encrypted by the fwknop client with Rijndael."
msgid "Enable Uci/Luci control"
msgstr "Enable Uci/Luci control"
msgid "Enable config overwrite"
msgstr "Enable config overwrite"
msgid "Enter custom access.conf variables below:"
msgstr "Enter custom access.conf variables below:"
msgid "Enter custom fwknopd.conf variables below:"
msgstr "Enter custom fwknopd.conf variables below:"
msgid "Firewall Knock Daemon"
msgstr "Firewall Knock Daemon"
msgid "Firewall Knock Operator"
msgstr "Firewall Knock Operator"
msgid ""
"Force all SPA packets to contain a real IP address within the encrypted "
"data. This makes it impossible to use the -s command line argument on the "
"fwknop client command line, so either -R has to be used to automatically "
"resolve the external address (if the client behind a NAT) or the client must "
"know the external IP and set it via the -a argument."
msgstr ""
"Force all SPA packets to contain a real IP address within the encrypted "
"data. This makes it impossible to use the -s command line argument on the "
"fwknop client command line, so either -R has to be used to automatically "
"resolve the external address (if the client behind a NAT) or the client must "
"know the external IP and set it via the -a argument."
msgid ""
"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
"seconds"
msgstr ""
"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
"seconds"
msgid "Normal Key"
msgstr "Normal Key"
msgid "The base64 hmac key"
msgstr "The base64 hmac key"
msgid "Use ANY for any source ip"
msgstr "Use ANY for any source ip"
msgid ""
"When unchecked, the config files in /etc/fwknopd will be used as is, "
"ignoring any settings here."
msgstr ""
"When unchecked, the config files in /etc/fwknopd will be used as is, "
"ignoring any settings here."
msgid "access.conf stanzas"
msgstr "access.conf stanzas"
msgid "fwknopd.conf config options"
msgstr "fwknopd.conf config options"

75
applications/luci-app-fwknopd/po/templates/fwknopd.pot Normal file
View file

@ -0,0 +1,75 @@
msgid ""
msgstr "Content-Type: text/plain; charset=UTF-8"
msgid "Base 64 key"
msgstr ""
msgid ""
"Define a set of ports and protocols (tcp or udp) that will be opened if a "
"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
"to honor any proto/port request specified in the SPA data (unless of it "
"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
msgstr ""
msgid ""
"Define the length of time access will be granted by fwknopd through the "
"firewall after a valid knock sequence from a source IP address. If "
"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
"automatically be set."
msgstr ""
msgid ""
"Define the symmetric key used for decrypting an incoming SPA packet that is "
"encrypted by the fwknop client with Rijndael."
msgstr ""
msgid "Enable Uci/Luci control"
msgstr ""
msgid "Enable config overwrite"
msgstr ""
msgid "Enter custom access.conf variables below:"
msgstr ""
msgid "Enter custom fwknopd.conf variables below:"
msgstr ""
msgid "Firewall Knock Daemon"
msgstr ""
msgid "Firewall Knock Operator"
msgstr ""
msgid ""
"Force all SPA packets to contain a real IP address within the encrypted "
"data. This makes it impossible to use the -s command line argument on the "
"fwknop client command line, so either -R has to be used to automatically "
"resolve the external address (if the client behind a NAT) or the client must "
"know the external IP and set it via the -a argument."
msgstr ""
msgid ""
"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
"seconds"
msgstr ""
msgid "Normal Key"
msgstr ""
msgid "The base64 hmac key"
msgstr ""
msgid "Use ANY for any source ip"
msgstr ""
msgid ""
"When unchecked, the config files in /etc/fwknopd will be used as is, "
"ignoring any settings here."
msgstr ""
msgid "access.conf stanzas"
msgstr ""
msgid "fwknopd.conf config options"
msgstr ""

19
applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd Normal file
View file

@ -0,0 +1,19 @@
#!/bin/sh
#-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
#-- Licensed to the public under the GNU General Public License v2.
uci batch <<EOF
add ucitrack fwknopd
set ucitrack.@fwknopd[-1].init=fwknopd
commit ucitrack
EOF
if [ -f /usr/bin/fwknop ]; then
uci set fwknopd.@access[0].keytype='Base 64 key'
uci set fwknopd.@access[0].hkeytype='Base 64 key'
uci set fwknopd.@access[0].KEY_BASE64=`fwknop --key-gen | awk '/^KEY/ {print $2;}'`
uci set fwknopd.@access[0].HMAC_KEY_BASE64=`fwknop --key-gen | awk '/^HMAC/ {print $2;}'`
uci commit fwknopd
fi
rm -f /tmp/luci-indexcache
exit 0