authorJonathan Bennett <JBennett@incomsystems.biz>2015-05-08 23:30:02 -0500
committerJonathan Bennett <JBennett@incomsystems.biz>2015-05-12 21:10:00 -0500
commitfd130d0ce7f52480ccc8bd600fb66de1b36fdbb9 (patch)
tree2567c81a1158f40f2163b748a9521485dd8d5120
parentcc99288242be3e0fe60b61b83bebe272222560c5 (diff)
Add initial luci-app-fwknopd - a way to control the firewall knock daemon from luci
Signed-off-by: Jonathan Bennett <jbennett@incomsystems.biz>
-rw-r--r--applications/luci-app-fwknopd/Makefile17
-rw-r--r--applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua15
-rw-r--r--applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua49
-rw-r--r--applications/luci-app-fwknopd/po/en/en.po103
-rw-r--r--applications/luci-app-fwknopd/po/templates/fwknopd.pot75
-rw-r--r--applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd19
6 files changed, 278 insertions, 0 deletions
diff --git a/applications/luci-app-fwknopd/Makefile b/applications/luci-app-fwknopd/Makefile
new file mode 100644
index 000000000..a24b56285
--- /dev/null
+++ b/applications/luci-app-fwknopd/Makefile
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2015 The LuCI Team <luci@lists.subsignal.org>
+#
+# This is free software, licensed under the GNU General Public License v2.
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=Fwknopd config - web config for the firewall knock daemon
+LUCI_DEPENDS:=+fwknopd
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+PKG_LICENSE:=GPLv2
+PKG_MAINTAINER:=Jonathan Bennett <JBennett@incomsystems.biz>
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
new file mode 100644
index 000000000..069a77ea3
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/controller/fwknopd.lua
@@ -0,0 +1,15 @@
+-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+-- Licensed to the public under the GNU General Public License v2.
+
+module("luci.controller.fwknopd", package.seeall)
+
+function index()
+ if not nixio.fs.access("/etc/config/fwknopd") then
+ return
+ end
+
+ local page
+
+ page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))
+ page.dependent = true
+end
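Review bot: `index()` calls `nixio.fs.access(...)` without requiring `nixio.fs` anywhere in this file, so the controller relies on the global `nixio` table having been populated by whichever module loaded it earlier (in practice the LuCI dispatcher appears to, but that is an implicit dependency). A `local fs = require "nixio.fs"` at the top with `fs.access("/etc/config/fwknopd")` in the guard makes the dependency explicit and matches the style of other LuCI controllers of this vintage. As a minor style point, `local page` followed by a separate assignment can be a single `local page = entry({"admin", "services", "fwknopd"}, cbi("fwknopd"), _("Firewall Knock Daemon"))`.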
diff --git a/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
new file mode 100644
index 000000000..8a454dd58
--- /dev/null
+++ b/applications/luci-app-fwknopd/luasrc/model/cbi/fwknopd.lua
@@ -0,0 +1,49 @@
+-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+-- Licensed to the public under the GNU General Public License v2.
+
+m = Map("fwknopd", translate("Firewall Knock Operator"))
+
+s = m:section(TypedSection, "global", translate("Enable Uci/Luci control")) -- Set uci control on or off
+s.anonymous=true
+s:option(Flag, "uci_enabled", translate("Enable config overwrite"), translate("When unchecked, the config files in /etc/fwknopd will be used as is, ignoring any settings here."))
+
+s = m:section(TypedSection, "access", translate("access.conf stanzas")) -- set the access.conf settings
+s.anonymous=true
+s.addremove=true
+s.dynamic=true
+s:option(Value, "SOURCE", "SOURCE", translate("Use ANY for any source ip"))
+k1 = s:option(Value, "KEY", "KEY", translate("Define the symmetric key used for decrypting an incoming SPA packet that is encrypted by the fwknop client with Rijndael."))
+k1:depends("keytype", translate("Normal Key"))
+k2 = s:option(Value, "KEY_BASE64", "KEY_BASE64", translate("Define the symmetric key used for decrypting an incoming SPA \
+ packet that is encrypted by the fwknop client with Rijndael."))
+k2:depends("keytype", translate("Base 64 key"))
+l1 = s:option(ListValue, "keytype", "Key type")
+l1:value("Normal Key", "Normal Key")
+l1:value("Base 64 key", "Base 64 key")
+k3 = s:option(Value, "HMAC_KEY", "HMAC_KEY", "The hmac key")
+k3:depends("hkeytype", "Normal Key")
+k4 = s:option(Value, "HMAC_KEY_BASE64", "HMAC_KEY_BASE64", translate("The base64 hmac key"))
+k4:depends("hkeytype", "Base 64 key")
+l2 = s:option(ListValue, "hkeytype", "HMAC Key type")
+l2:value("Normal Key", "Normal Key")
+l2:value("Base 64 key", "Base 64 key")
+s:option(Value, "OPEN_PORTS", "OPEN_PORTS", translate("Define a set of ports and protocols (tcp or udp) that will be opened if a valid knock sequence is seen. \
+ If this entry is not set, fwknopd will attempt to honor any proto/port request specified in the SPA data \
+ (unless of it matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."))
+s:option(Value, "FW_ACCESS_TIMEOUT", "FW_ACCESS_TIMEOUT", translate("Define the length of time access will be granted by fwknopd through the firewall after a \
+ valid knock sequence from a source IP address. If “FW_ACCESS_TIMEOUT” is not set then the default \
+ timeout of 30 seconds will automatically be set."))
+s:option(Value, "REQUIRE_SOURCE_ADDRESS", "REQUIRE_SOURCE_ADDRESS", translate("Force all SPA packets to contain a real IP address within the encrypted data. \
+ This makes it impossible to use the -s command line argument on the fwknop client command line, so either -R \
+ has to be used to automatically resolve the external address (if the client behind a NAT) or the client must \
+ know the external IP and set it via the -a argument."))
+s:option(DummyValue, "note1", translate("Enter custom access.conf variables below:"))
+
+s = m:section(TypedSection, "config", translate("fwknopd.conf config options"))
+s.anonymous=true
+s.dynamic=true
+s:option(Value, "MAX_SPA_PACKET_AGE", "MAX_SPA_PACKET_AGE", translate("Maximum age in seconds that an SPA packet will be accepted. defaults to 120 seconds"))
+s:option(DummyValue, "note2", translate("Enter custom fwknopd.conf variables below:"))
+
+return m
+
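Review bot: `k1:depends("keytype", translate("Normal Key"))` and `k2:depends("keytype", translate("Base 64 key"))` compare the stored `keytype` value against a translated label, while `l1:value(...)` stores the untranslated strings and the HMAC counterparts `k3`/`k4` already compare against raw values; under any locale that translates those labels the KEY and KEY_BASE64 fields would never be shown. Drop the `translate()` in the two `depends` calls so both pairs agree. Separately, the four key options are plain `Value` fields, so the SPA decryption and HMAC secrets are rendered in clear in the form and in the page source; setting `password = true` on them has CBI render masked inputs instead. Finally, the `\` line continuations inside the `translate("...")` strings for KEY_BASE64, OPEN_PORTS, FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS embed a newline plus the indentation into the lookup key, which does not match the single-spaced msgids in the accompanying .po unless the translator normalizes whitespace — worth checking, or joining the literals with `..`.
```lua
-- … unchanged: k1 = s:option(Value, "KEY", …) …
k1.password = true
k1:depends("keytype", "Normal Key")
-- … unchanged: k2 = s:option(Value, "KEY_BASE64", …) …
k2.password = true
k2:depends("keytype", "Base 64 key")
-- … unchanged: keytype ListValue …
-- … unchanged: k3 = s:option(Value, "HMAC_KEY", …) …
k3.password = true
-- … unchanged: k3:depends("hkeytype", "Normal Key") …
-- … unchanged: k4 = s:option(Value, "HMAC_KEY_BASE64", …) …
k4.password = true
-- … unchanged: k4:depends, hkeytype ListValue, remaining options …
```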
diff --git a/applications/luci-app-fwknopd/po/en/en.po b/applications/luci-app-fwknopd/po/en/en.po
new file mode 100644
index 000000000..1abc6a8f9
--- /dev/null
+++ b/applications/luci-app-fwknopd/po/en/en.po
@@ -0,0 +1,103 @@
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2015-05-12 21:03-0500\n"
+"Last-Translator: Jonathan Bennett <JBennett@incomsystems.biz>\n"
+"Language-Team: English\n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid "Base 64 key"
+msgstr "Base 64 key"
+
+msgid ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+msgstr ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+
+msgid ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+msgstr ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+
+msgid ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+msgstr ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+
+msgid "Enable Uci/Luci control"
+msgstr "Enable Uci/Luci control"
+
+msgid "Enable config overwrite"
+msgstr "Enable config overwrite"
+
+msgid "Enter custom access.conf variables below:"
+msgstr "Enter custom access.conf variables below:"
+
+msgid "Enter custom fwknopd.conf variables below:"
+msgstr "Enter custom fwknopd.conf variables below:"
+
+msgid "Firewall Knock Daemon"
+msgstr "Firewall Knock Daemon"
+
+msgid "Firewall Knock Operator"
+msgstr "Firewall Knock Operator"
+
+msgid ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+msgstr ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+
+msgid ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+msgstr ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+
+msgid "Normal Key"
+msgstr "Normal Key"
+
+msgid "The base64 hmac key"
+msgstr "The base64 hmac key"
+
+msgid "Use ANY for any source ip"
+msgstr "Use ANY for any source ip"
+
+msgid ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+msgstr ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+
+msgid "access.conf stanzas"
+msgstr "access.conf stanzas"
+
+msgid "fwknopd.conf config options"
+msgstr "fwknopd.conf config options"
diff --git a/applications/luci-app-fwknopd/po/templates/fwknopd.pot b/applications/luci-app-fwknopd/po/templates/fwknopd.pot
new file mode 100644
index 000000000..ec1550462
--- /dev/null
+++ b/applications/luci-app-fwknopd/po/templates/fwknopd.pot
@@ -0,0 +1,75 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid "Base 64 key"
+msgstr ""
+
+msgid ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+msgstr ""
+
+msgid ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+msgstr ""
+
+msgid ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+msgstr ""
+
+msgid "Enable Uci/Luci control"
+msgstr ""
+
+msgid "Enable config overwrite"
+msgstr ""
+
+msgid "Enter custom access.conf variables below:"
+msgstr ""
+
+msgid "Enter custom fwknopd.conf variables below:"
+msgstr ""
+
+msgid "Firewall Knock Daemon"
+msgstr ""
+
+msgid "Firewall Knock Operator"
+msgstr ""
+
+msgid ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+msgstr ""
+
+msgid ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+msgstr ""
+
+msgid "Normal Key"
+msgstr ""
+
+msgid "The base64 hmac key"
+msgstr ""
+
+msgid "Use ANY for any source ip"
+msgstr ""
+
+msgid ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+msgstr ""
+
+msgid "access.conf stanzas"
+msgstr ""
+
+msgid "fwknopd.conf config options"
+msgstr ""
diff --git a/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd b/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd
new file mode 100644
index 000000000..a7c433f2b
--- /dev/null
+++ b/applications/luci-app-fwknopd/root/etc/uci-defaults/luci-fwknopd
@@ -0,0 +1,19 @@
+#!/bin/sh
+#-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
+#-- Licensed to the public under the GNU General Public License v2.
+
+uci batch <<EOF
+ add ucitrack fwknopd
+ set ucitrack.@fwknopd[-1].init=fwknopd
+ commit ucitrack
+EOF
+
+if [ -f /usr/bin/fwknop ]; then
+ uci set fwknopd.@access[0].keytype='Base 64 key'
+ uci set fwknopd.@access[0].hkeytype='Base 64 key'
+ uci set fwknopd.@access[0].KEY_BASE64=`fwknop --key-gen | awk '/^KEY/ {print $2;}'`
+ uci set fwknopd.@access[0].HMAC_KEY_BASE64=`fwknop --key-gen | awk '/^HMAC/ {print $2;}'`
+ uci commit fwknopd
+fi
+rm -f /tmp/luci-indexcache
+exit 0
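Review bot: The block under `if [ -f /usr/bin/fwknop ]` unconditionally overwrites `KEY_BASE64` and `HMAC_KEY_BASE64` in the first access stanza every time this uci-defaults script runs, so a reinstall or upgrade of the package would silently replace keys that clients have already been provisioned with and lock them out. Guard generation on the key being absent, e.g. `if [ -f /usr/bin/fwknop ] && [ -z "$(uci -q get fwknopd.@access[0].KEY_BASE64)" ]; then`. Note also that the Makefile depends only on `+fwknopd` while `--key-gen` is provided by the `fwknop` client binary; if that ships in a separate package the `-f` test turns key generation into a silent no-op and the daemon is left with no keys configured — verify the packaging. The generated secrets are additionally passed to `uci set` as command-line arguments, which briefly exposes them in the process list; feeding them through a `uci batch` heredoc on stdin, as the ucitrack block above already does, avoids that.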