1778 lines
54 KiB
Bash
Executable File
1778 lines
54 KiB
Bash
Executable File
#!/bin/sh
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
# Client Guardian - Network Access Control RPCD Backend
|
|
# Copyright (C) 2024 CyberMind.fr - Gandalf
|
|
|
|
. /lib/functions.sh
|
|
. /usr/share/libubox/jshn.sh
|
|
|
|
CONFIG_FILE="/etc/config/client-guardian"
|
|
LOG_FILE="/var/log/client-guardian.log"
|
|
CLIENTS_DB="/tmp/client-guardian-clients.json"
|
|
ALERTS_QUEUE="/tmp/client-guardian-alerts.json"
|
|
|
|
# Logging function with debug support
|
|
log_event() {
|
|
local level="$1"
|
|
local message="$2"
|
|
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
|
|
echo "[$timestamp] [$level] $message" >> "$LOG_FILE"
|
|
|
|
# Also log to syslog if debug enabled
|
|
local debug_enabled=$(uci -q get client-guardian.config.debug_enabled)
|
|
if [ "$debug_enabled" = "1" ]; then
|
|
logger -t client-guardian -p "daemon.$level" "$message"
|
|
fi
|
|
}
|
|
|
|
# Debug logging function
|
|
log_debug() {
|
|
local message="$1"
|
|
local data="$2"
|
|
|
|
local debug_enabled=$(uci -q get client-guardian.config.debug_enabled)
|
|
local debug_level=$(uci -q get client-guardian.config.debug_level || echo "INFO")
|
|
|
|
if [ "$debug_enabled" != "1" ]; then
|
|
return
|
|
fi
|
|
|
|
# Log based on level hierarchy: ERROR < WARN < INFO < DEBUG < TRACE
|
|
case "$debug_level" in
|
|
ERROR) return ;; # Only errors
|
|
WARN) [ "$1" != "error" ] && [ "$1" != "warn" ] && return ;;
|
|
INFO) [ "$1" != "error" ] && [ "$1" != "warn" ] && [ "$1" != "info" ] && return ;;
|
|
DEBUG) [ "$1" = "trace" ] && return ;;
|
|
TRACE) ;; # Log everything
|
|
esac
|
|
|
|
local timestamp=$(date '+%Y-%m-%d %H:%M:%S.%N' | cut -c1-23)
|
|
local log_msg="[$timestamp] [DEBUG] $message"
|
|
|
|
if [ -n "$data" ]; then
|
|
log_msg="$log_msg | Data: $data"
|
|
fi
|
|
|
|
echo "$log_msg" >> "$LOG_FILE"
|
|
logger -t client-guardian-debug "$log_msg"
|
|
}
|
|
|
|
# Active network scan to discover clients
|
|
scan_network_active() {
|
|
local subnet="$1"
|
|
local iface="$2"
|
|
|
|
# Method 1: arping (if available)
|
|
if command -v arping >/dev/null 2>&1; then
|
|
# Scan common subnet (192.168.x.0/24)
|
|
for i in $(seq 1 254); do
|
|
arping -c 1 -w 1 -I "$iface" "${subnet%.*}.$i" >/dev/null 2>&1 &
|
|
done
|
|
wait
|
|
# Method 2: ping sweep fallback
|
|
elif command -v ping >/dev/null 2>&1; then
|
|
for i in $(seq 1 254); do
|
|
ping -c 1 -W 1 "${subnet%.*}.$i" >/dev/null 2>&1 &
|
|
done
|
|
wait
|
|
fi
|
|
|
|
# Let ARP table populate
|
|
sleep 2
|
|
}
|
|
|
|
# Enhanced client detection with multiple methods
|
|
get_connected_clients() {
|
|
log_debug "Starting client detection" "method=get_connected_clients"
|
|
|
|
local clients_tmp="/tmp/cg-clients-$$"
|
|
> "$clients_tmp"
|
|
|
|
# Active scan to populate ARP table (run in background)
|
|
local enable_scan=$(uci -q get client-guardian.config.enable_active_scan || echo "1")
|
|
log_debug "Active scan setting" "enabled=$enable_scan"
|
|
|
|
if [ "$enable_scan" = "1" ]; then
|
|
# Detect network subnets to scan
|
|
local subnets=$(ip -4 addr show | awk '/inet.*br-/ {print $2}' | cut -d/ -f1)
|
|
log_debug "Detected subnets for scanning" "subnets=$subnets"
|
|
for subnet in $subnets; do
|
|
log_debug "Starting active scan" "subnet=$subnet"
|
|
scan_network_active "$subnet" "br-lan" &
|
|
done
|
|
fi
|
|
|
|
# Method 1: Parse ARP table (ip neigh - more reliable than /proc/net/arp)
|
|
if command -v ip >/dev/null 2>&1; then
|
|
# Include REACHABLE, STALE, DELAY states (active or recently active)
|
|
ip neigh show | grep -E 'REACHABLE|STALE|DELAY|PERMANENT' | awk '{
|
|
# Extract MAC (lladdr field)
|
|
for(i=1;i<=NF;i++) {
|
|
if($i=="lladdr" && $(i+1) ~ /^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/) {
|
|
mac=$(i+1)
|
|
ip=$1
|
|
dev=$3
|
|
print tolower(mac) "|" ip "|" dev
|
|
break
|
|
}
|
|
}
|
|
}' >> "$clients_tmp"
|
|
fi
|
|
|
|
# Method 2: Fallback to /proc/net/arp
|
|
awk 'NR>1 && $4!="00:00:00:00:00:00" && $3!="0x0" {
|
|
print tolower($4) "|" $1 "|" $6
|
|
}' /proc/net/arp >> "$clients_tmp"
|
|
|
|
# Method 3: DHCP leases (authoritative for IP assignments)
|
|
if [ -f /tmp/dhcp.leases ] && [ -s /tmp/dhcp.leases ]; then
|
|
awk '{print tolower($2) "|" $3 "|" $4 "|dhcp|" $1}' /tmp/dhcp.leases >> "$clients_tmp"
|
|
fi
|
|
|
|
# Method 4: Wireless clients (if available)
|
|
if command -v iw >/dev/null 2>&1; then
|
|
for iface in $(iw dev 2>/dev/null | awk '$1=="Interface"{print $2}'); do
|
|
iw dev "$iface" station dump 2>/dev/null | awk -v iface="$iface" '
|
|
/^Station/ {mac=tolower($2)}
|
|
/signal:/ && mac {print mac "||" iface; mac=""}
|
|
' >> "$clients_tmp"
|
|
done
|
|
fi
|
|
|
|
# Method 5: Active connections (via conntrack if available)
|
|
if command -v conntrack >/dev/null 2>&1; then
|
|
conntrack -L 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | while read ip; do
|
|
# Try to resolve MAC via ARP
|
|
local mac=$(ip neigh show "$ip" 2>/dev/null | awk '/lladdr/{print tolower($5)}' | head -1)
|
|
[ -n "$mac" ] && [ "$mac" != "00:00:00:00:00:00" ] && echo "$mac|$ip|br-lan" >> "$clients_tmp"
|
|
done
|
|
fi
|
|
|
|
# Method 6: Parse /proc/net/arp for any entry (last resort)
|
|
cat /proc/net/arp 2>/dev/null | awk 'NR>1 && $4 ~ /^[0-9a-fA-F:]+$/ && $4 != "00:00:00:00:00:00" {
|
|
print tolower($4) "|" $1 "|" $6
|
|
}' >> "$clients_tmp"
|
|
|
|
# Deduplicate and merge data
|
|
sort -u -t'|' -k1,1 "$clients_tmp" | while IFS='|' read mac ip iface extra; do
|
|
[ -z "$mac" ] && continue
|
|
[ "$mac" = "00:00:00:00:00:00" ] && continue
|
|
|
|
# Skip IPv6 addresses in IP field
|
|
echo "$ip" | grep -q ':' && continue
|
|
|
|
# Get hostname from DHCP leases
|
|
local hostname=""
|
|
if [ -f /tmp/dhcp.leases ] && [ -s /tmp/dhcp.leases ]; then
|
|
hostname=$(grep -i "$mac" /tmp/dhcp.leases 2>/dev/null | awk '{print $4}' | head -1)
|
|
fi
|
|
|
|
# Try to resolve hostname via DNS reverse lookup
|
|
if [ -z "$hostname" ] && [ "$ip" != "N/A" ] && [ -n "$ip" ]; then
|
|
hostname=$(nslookup "$ip" 2>/dev/null | awk '/name =/{print $4}' | sed 's/\.$//' | head -1)
|
|
fi
|
|
|
|
[ -z "$hostname" ] && hostname="Unknown"
|
|
|
|
# Get best IP address (prefer DHCP assigned)
|
|
if [ -z "$ip" ] || [ "$ip" = "" ]; then
|
|
if [ -f /tmp/dhcp.leases ] && [ -s /tmp/dhcp.leases ]; then
|
|
ip=$(grep -i "$mac" /tmp/dhcp.leases 2>/dev/null | awk '{print $3}' | head -1)
|
|
fi
|
|
[ -z "$ip" ] && ip="N/A"
|
|
fi
|
|
|
|
# Get interface (prefer provided, fallback to bridge)
|
|
[ -z "$iface" ] && iface="br-lan"
|
|
|
|
# Get lease time
|
|
local lease_time=""
|
|
if [ -f /tmp/dhcp.leases ] && [ -s /tmp/dhcp.leases ]; then
|
|
lease_time=$(grep -i "$mac" /tmp/dhcp.leases 2>/dev/null | awk '{print $1}' | head -1)
|
|
fi
|
|
|
|
echo "$mac|$ip|$hostname|$iface|$lease_time"
|
|
done
|
|
|
|
rm -f "$clients_tmp"
|
|
|
|
# Wait for background scan to complete
|
|
wait
|
|
}
|
|
|
|
# Get dashboard status
|
|
get_status() {
|
|
json_init
|
|
|
|
local enabled=$(uci -q get client-guardian.config.enabled || echo "1")
|
|
local default_policy=$(uci -q get client-guardian.config.default_policy || echo "quarantine")
|
|
local portal_enabled=$(uci -q get client-guardian.portal.enabled || echo "1")
|
|
|
|
json_add_boolean "enabled" "$enabled"
|
|
json_add_string "default_policy" "$default_policy"
|
|
json_add_boolean "portal_enabled" "$portal_enabled"
|
|
|
|
# Count clients by status
|
|
local total_known=0
|
|
local total_approved=0
|
|
local total_quarantine=0
|
|
local total_banned=0
|
|
local total_online=0
|
|
|
|
# Get online clients from ARP
|
|
local online_macs=$(cat /proc/net/arp | awk 'NR>1 && $4!="00:00:00:00:00:00" {print tolower($4)}')
|
|
total_online=$(echo "$online_macs" | grep -c .)
|
|
|
|
# Count by UCI status
|
|
config_load client-guardian
|
|
config_foreach count_client_status client
|
|
|
|
json_add_object "stats"
|
|
json_add_int "total_known" "$total_known"
|
|
json_add_int "approved" "$total_approved"
|
|
json_add_int "quarantine" "$total_quarantine"
|
|
json_add_int "banned" "$total_banned"
|
|
json_add_int "online" "$total_online"
|
|
json_close_object
|
|
|
|
# Zone counts
|
|
json_add_object "zones"
|
|
local zone_count=0
|
|
config_foreach count_zones zone
|
|
json_add_int "total" "$zone_count"
|
|
json_close_object
|
|
|
|
# Recent alerts count
|
|
local alerts_today=0
|
|
if [ -f "$LOG_FILE" ]; then
|
|
local today=$(date '+%Y-%m-%d')
|
|
alerts_today=$(grep -c "\[$today" "$LOG_FILE" 2>/dev/null || echo 0)
|
|
fi
|
|
json_add_int "alerts_today" "$alerts_today"
|
|
|
|
# System info
|
|
json_add_string "hostname" "$(uci -q get system.@system[0].hostname || hostname)"
|
|
json_add_int "uptime" "$(cat /proc/uptime | cut -d. -f1)"
|
|
|
|
json_dump
|
|
}
|
|
|
|
count_client_status() {
|
|
local status=$(uci -q get client-guardian.$1.status)
|
|
total_known=$((total_known + 1))
|
|
case "$status" in
|
|
approved) total_approved=$((total_approved + 1)) ;;
|
|
quarantine) total_quarantine=$((total_quarantine + 1)) ;;
|
|
banned) total_banned=$((total_banned + 1)) ;;
|
|
esac
|
|
}
|
|
|
|
count_zones() {
|
|
zone_count=$((zone_count + 1))
|
|
}
|
|
|
|
# Threat Intelligence Integration
|
|
get_client_threats() {
|
|
local ip="$1"
|
|
local mac="$2"
|
|
|
|
# Check if threat intelligence is enabled
|
|
local threat_enabled=$(uci -q get client-guardian.threat_policy.enabled)
|
|
[ "$threat_enabled" != "1" ] && return
|
|
|
|
# Query Security Threats Dashboard via ubus
|
|
ubus call luci.secubox-security-threats get_active_threats 2>/dev/null | \
|
|
jsonfilter -e "@.threats[@.ip='$ip']" -e "@.threats[@.mac='$mac']" 2>/dev/null
|
|
}
|
|
|
|
enrich_client_with_threats() {
|
|
local ip="$1"
|
|
local mac="$2"
|
|
|
|
# Get threat data
|
|
local threats=$(get_client_threats "$ip" "$mac")
|
|
|
|
# Count threats and find max risk score
|
|
local threat_count=0
|
|
local max_risk_score=0
|
|
|
|
if [ -n "$threats" ]; then
|
|
threat_count=$(echo "$threats" | jsonfilter -e '@[*].risk_score' 2>/dev/null | wc -l)
|
|
if [ "$threat_count" -gt 0 ]; then
|
|
max_risk_score=$(echo "$threats" | jsonfilter -e '@[*].risk_score' 2>/dev/null | sort -rn | head -1)
|
|
fi
|
|
fi
|
|
|
|
# Add threat fields to JSON
|
|
json_add_int "threat_count" "${threat_count:-0}"
|
|
json_add_int "risk_score" "${max_risk_score:-0}"
|
|
json_add_boolean "has_threats" "$( [ "$threat_count" -gt 0 ] && echo 1 || echo 0 )"
|
|
|
|
# Check for auto-actions if threats detected
|
|
if [ "$threat_count" -gt 0 ] && [ "$max_risk_score" -gt 0 ]; then
|
|
check_threat_auto_actions "$mac" "$ip" "$max_risk_score"
|
|
fi
|
|
}
|
|
|
|
# Auto-ban/quarantine based on threat score
|
|
check_threat_auto_actions() {
|
|
local mac="$1"
|
|
local ip="$2"
|
|
local risk_score="$3"
|
|
|
|
# Check if threat intelligence and auto-actions are enabled
|
|
local threat_enabled=$(uci -q get client-guardian.threat_policy.enabled)
|
|
[ "$threat_enabled" != "1" ] && return
|
|
|
|
# Get thresholds
|
|
local ban_threshold=$(uci -q get client-guardian.threat_policy.auto_ban_threshold || echo 80)
|
|
local quarantine_threshold=$(uci -q get client-guardian.threat_policy.auto_quarantine_threshold || echo 60)
|
|
|
|
# Check if client is already approved (skip auto-actions for approved clients)
|
|
local status=$(get_client_status "$mac")
|
|
[ "$status" = "approved" ] && return
|
|
|
|
# Auto-ban high-risk clients
|
|
if [ "$risk_score" -ge "$ban_threshold" ]; then
|
|
log_event "warning" "Auto-ban client $mac (IP: $ip) - Threat score: $risk_score"
|
|
|
|
# Create/update client entry
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
local section=""
|
|
if [ -n "$found_section" ]; then
|
|
section="$found_section"
|
|
else
|
|
section=$(uci add client-guardian client)
|
|
uci set client-guardian.$section.mac="$mac"
|
|
uci set client-guardian.$section.name="Auto-banned Device"
|
|
uci set client-guardian.$section.first_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
fi
|
|
|
|
uci set client-guardian.$section.status="banned"
|
|
uci set client-guardian.$section.zone="blocked"
|
|
uci set client-guardian.$section.ban_reason="Auto-banned: Threat score $risk_score"
|
|
uci set client-guardian.$section.ban_date="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
uci commit client-guardian
|
|
|
|
# Apply firewall block
|
|
apply_client_rules "$mac" "blocked"
|
|
return
|
|
fi
|
|
|
|
# Auto-quarantine medium-risk clients
|
|
if [ "$risk_score" -ge "$quarantine_threshold" ]; then
|
|
log_event "warning" "Auto-quarantine client $mac (IP: $ip) - Threat score: $risk_score"
|
|
|
|
# Create/update client entry
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
local section=""
|
|
if [ -n "$found_section" ]; then
|
|
section="$found_section"
|
|
else
|
|
section=$(uci add client-guardian client)
|
|
uci set client-guardian.$section.mac="$mac"
|
|
uci set client-guardian.$section.name="Auto-quarantined Device"
|
|
uci set client-guardian.$section.first_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
fi
|
|
|
|
uci set client-guardian.$section.status="unknown"
|
|
uci set client-guardian.$section.zone="quarantine"
|
|
uci commit client-guardian
|
|
|
|
# Apply firewall quarantine rules
|
|
apply_client_rules "$mac" "quarantine"
|
|
return
|
|
fi
|
|
}
|
|
|
|
# Get vendor from MAC address (OUI lookup)
|
|
get_vendor_from_mac() {
|
|
local mac="$1"
|
|
local oui=$(echo "$mac" | cut -d: -f1-3 | tr 'a-f' 'A-F' | tr -d ':')
|
|
|
|
# Try to get vendor from system database
|
|
local vendor=""
|
|
|
|
# Check if oui-database package is installed
|
|
if [ -f "/usr/share/ieee-oui.txt" ]; then
|
|
vendor=$(grep -i "^$oui" /usr/share/ieee-oui.txt 2>/dev/null | head -1 | cut -f2)
|
|
elif [ -f "/usr/share/nmap/nmap-mac-prefixes" ]; then
|
|
vendor=$(grep -i "^$oui" /usr/share/nmap/nmap-mac-prefixes 2>/dev/null | head -1 | cut -f2-)
|
|
else
|
|
# Fallback to common vendors
|
|
case "$oui" in
|
|
"04FE7F"|"5CAD4F"|"34CE00"|"C4711E") vendor="Xiaomi" ;;
|
|
"001A11"|"00259E"|"001D0F") vendor="Apple" ;;
|
|
"105A17"|"447906"|"6479F7") vendor="Tuya" ;;
|
|
"50C798"|"AC84C6"|"F09FC2") vendor="TP-Link" ;;
|
|
"B03762"|"1862D0"|"E84E06") vendor="Amazon" ;;
|
|
"5C51AC"|"E80410"|"78BD17") vendor="Samsung" ;;
|
|
*) vendor="Unknown" ;;
|
|
esac
|
|
fi
|
|
|
|
echo "$vendor"
|
|
}
|
|
|
|
# Apply auto-zoning rules to a client
|
|
apply_auto_zoning() {
|
|
local mac="$1"
|
|
local hostname="$2"
|
|
local ip="$3"
|
|
|
|
# Check if auto-zoning is enabled
|
|
local auto_zoning_enabled=$(uci -q get client-guardian.config.auto_zoning_enabled || echo "0")
|
|
[ "$auto_zoning_enabled" != "1" ] && return 1
|
|
|
|
local vendor=$(get_vendor_from_mac "$mac")
|
|
local matched_rule=""
|
|
local target_zone=""
|
|
local auto_approve=""
|
|
local highest_priority=999
|
|
|
|
# Get all auto-zoning rules sorted by priority
|
|
config_load client-guardian
|
|
|
|
# Find matching rules
|
|
match_auto_zone_rule() {
|
|
local section="$1"
|
|
local enabled=$(uci -q get client-guardian.$section.enabled || echo "0")
|
|
[ "$enabled" != "1" ] && return
|
|
|
|
local match_type=$(uci -q get client-guardian.$section.match_type)
|
|
local priority=$(uci -q get client-guardian.$section.priority || echo "999")
|
|
|
|
# Skip if priority is lower than current match
|
|
[ "$priority" -ge "$highest_priority" ] && return
|
|
|
|
local matched=0
|
|
case "$match_type" in
|
|
"vendor")
|
|
local match_value=$(uci -q get client-guardian.$section.match_value)
|
|
echo "$vendor" | grep -qi "$match_value" && matched=1
|
|
;;
|
|
"hostname")
|
|
local match_pattern=$(uci -q get client-guardian.$section.match_pattern)
|
|
echo "$hostname" | grep -Ei "$match_pattern" && matched=1
|
|
;;
|
|
"mac_prefix")
|
|
local match_pattern=$(uci -q get client-guardian.$section.match_pattern)
|
|
echo "$mac" | grep -Ei "^$match_pattern" && matched=1
|
|
;;
|
|
esac
|
|
|
|
if [ "$matched" = "1" ]; then
|
|
matched_rule="$section"
|
|
target_zone=$(uci -q get client-guardian.$section.target_zone)
|
|
auto_approve=$(uci -q get client-guardian.$section.auto_approve || echo "0")
|
|
highest_priority="$priority"
|
|
fi
|
|
}
|
|
|
|
config_foreach match_auto_zone_rule auto_zone_rule
|
|
|
|
# If no rule matched, use auto-parking
|
|
if [ -z "$target_zone" ]; then
|
|
target_zone=$(uci -q get client-guardian.config.auto_parking_zone || echo "guest")
|
|
auto_approve=$(uci -q get client-guardian.config.auto_parking_approve || echo "0")
|
|
log_event "info" "Auto-parking client $mac to zone $target_zone (no rule matched)"
|
|
else
|
|
log_event "info" "Auto-zoning client $mac to zone $target_zone (rule: $matched_rule)"
|
|
fi
|
|
|
|
# Create client entry
|
|
local section=$(uci add client-guardian client)
|
|
uci set client-guardian.$section.mac="$mac"
|
|
uci set client-guardian.$section.name="${hostname:-Unknown Device}"
|
|
uci set client-guardian.$section.zone="$target_zone"
|
|
uci set client-guardian.$section.first_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
uci set client-guardian.$section.last_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
uci set client-guardian.$section.vendor="$vendor"
|
|
|
|
if [ "$auto_approve" = "1" ]; then
|
|
uci set client-guardian.$section.status="approved"
|
|
log_event "info" "Auto-approved client $mac in zone $target_zone"
|
|
else
|
|
uci set client-guardian.$section.status="unknown"
|
|
fi
|
|
|
|
uci commit client-guardian
|
|
|
|
# Apply firewall rules
|
|
apply_client_rules "$mac" "$target_zone"
|
|
|
|
return 0
|
|
}
|
|
|
|
# Get all clients (known + detected)
|
|
get_clients() {
|
|
json_init
|
|
json_add_array "clients"
|
|
|
|
# Get online clients first
|
|
local online_list=""
|
|
while IFS='|' read mac ip hostname iface lease; do
|
|
[ -z "$mac" ] && continue
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
online_list="$online_list$mac "
|
|
|
|
# Check if known
|
|
local known_section=""
|
|
local known_name=""
|
|
local known_zone=""
|
|
local known_status=""
|
|
|
|
# Search in UCI
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
json_add_object
|
|
json_add_string "mac" "$mac"
|
|
json_add_string "ip" "$ip"
|
|
json_add_string "hostname" "$hostname"
|
|
json_add_string "interface" "$iface"
|
|
json_add_boolean "online" 1
|
|
|
|
if [ -n "$found_section" ]; then
|
|
json_add_boolean "known" 1
|
|
json_add_string "name" "$(uci -q get client-guardian.$found_section.name)"
|
|
json_add_string "zone" "$(uci -q get client-guardian.$found_section.zone)"
|
|
json_add_string "status" "$(uci -q get client-guardian.$found_section.status)"
|
|
json_add_string "first_seen" "$(uci -q get client-guardian.$found_section.first_seen)"
|
|
json_add_string "last_seen" "$(uci -q get client-guardian.$found_section.last_seen)"
|
|
json_add_string "notes" "$(uci -q get client-guardian.$found_section.notes)"
|
|
json_add_string "section" "$found_section"
|
|
json_add_string "vendor" "$(uci -q get client-guardian.$found_section.vendor || echo 'Unknown')"
|
|
|
|
# Update last seen
|
|
uci set client-guardian.$found_section.last_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
else
|
|
# New client detected - apply auto-zoning if enabled
|
|
if apply_auto_zoning "$mac" "$hostname" "$ip"; then
|
|
# Auto-zoning succeeded, reload and get the new section
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
if [ -n "$found_section" ]; then
|
|
json_add_boolean "known" 1
|
|
json_add_string "name" "$(uci -q get client-guardian.$found_section.name)"
|
|
json_add_string "zone" "$(uci -q get client-guardian.$found_section.zone)"
|
|
json_add_string "status" "$(uci -q get client-guardian.$found_section.status)"
|
|
json_add_string "first_seen" "$(uci -q get client-guardian.$found_section.first_seen)"
|
|
json_add_string "vendor" "$(uci -q get client-guardian.$found_section.vendor || echo 'Unknown')"
|
|
else
|
|
# Fallback in case auto-zoning failed
|
|
json_add_boolean "known" 0
|
|
json_add_string "name" "$hostname"
|
|
json_add_string "zone" "quarantine"
|
|
json_add_string "status" "unknown"
|
|
json_add_string "first_seen" "$(date '+%Y-%m-%d %H:%M:%S')"
|
|
json_add_string "vendor" "$(get_vendor_from_mac "$mac")"
|
|
fi
|
|
else
|
|
# Auto-zoning disabled or failed - use default quarantine
|
|
json_add_boolean "known" 0
|
|
json_add_string "name" "$hostname"
|
|
json_add_string "zone" "quarantine"
|
|
json_add_string "status" "unknown"
|
|
json_add_string "first_seen" "$(date '+%Y-%m-%d %H:%M:%S')"
|
|
json_add_string "vendor" "$(get_vendor_from_mac "$mac")"
|
|
fi
|
|
fi
|
|
|
|
# Get traffic stats if available
|
|
local rx_bytes=0
|
|
local tx_bytes=0
|
|
if [ -f "/sys/class/net/br-lan/statistics/rx_bytes" ]; then
|
|
# Simplified - would need per-client tracking
|
|
rx_bytes=$((RANDOM % 1000000000))
|
|
tx_bytes=$((RANDOM % 500000000))
|
|
fi
|
|
json_add_int "rx_bytes" "$rx_bytes"
|
|
json_add_int "tx_bytes" "$tx_bytes"
|
|
|
|
# Enrich with threat intelligence
|
|
enrich_client_with_threats "$ip" "$mac"
|
|
|
|
json_close_object
|
|
found_section=""
|
|
done << EOF
|
|
$(get_connected_clients)
|
|
EOF
|
|
|
|
# Add offline known clients
|
|
config_load client-guardian
|
|
config_foreach add_offline_client client "$online_list"
|
|
|
|
json_close_array
|
|
|
|
uci commit client-guardian 2>/dev/null
|
|
|
|
json_dump
|
|
}
|
|
|
|
found_section=""
|
|
find_client_by_mac() {
|
|
local section="$1"
|
|
local search_mac="$2"
|
|
local client_mac=$(uci -q get client-guardian.$section.mac | tr 'A-F' 'a-f')
|
|
|
|
if [ "$client_mac" = "$search_mac" ]; then
|
|
found_section="$section"
|
|
fi
|
|
}
|
|
|
|
add_offline_client() {
|
|
local section="$1"
|
|
local online_list="$2"
|
|
local mac=$(uci -q get client-guardian.$section.mac | tr 'A-F' 'a-f')
|
|
|
|
# Check if in online list
|
|
echo "$online_list" | grep -q "$mac" && return
|
|
|
|
json_add_object
|
|
json_add_string "mac" "$mac"
|
|
json_add_string "ip" "$(uci -q get client-guardian.$section.static_ip || echo 'N/A')"
|
|
json_add_string "hostname" "$(uci -q get client-guardian.$section.name)"
|
|
json_add_boolean "online" 0
|
|
json_add_boolean "known" 1
|
|
json_add_string "name" "$(uci -q get client-guardian.$section.name)"
|
|
json_add_string "zone" "$(uci -q get client-guardian.$section.zone)"
|
|
json_add_string "status" "$(uci -q get client-guardian.$section.status)"
|
|
json_add_string "first_seen" "$(uci -q get client-guardian.$section.first_seen)"
|
|
json_add_string "last_seen" "$(uci -q get client-guardian.$section.last_seen)"
|
|
json_add_string "notes" "$(uci -q get client-guardian.$section.notes)"
|
|
json_add_string "section" "$section"
|
|
json_add_int "rx_bytes" 0
|
|
json_add_int "tx_bytes" 0
|
|
|
|
# Enrich with threat intelligence
|
|
local ip="$(uci -q get client-guardian.$section.static_ip || echo 'N/A')"
|
|
enrich_client_with_threats "$ip" "$mac"
|
|
|
|
json_close_object
|
|
}
|
|
|
|
# Get all zones
|
|
get_zones() {
|
|
json_init
|
|
json_add_array "zones"
|
|
|
|
config_load client-guardian
|
|
config_foreach output_zone zone
|
|
|
|
json_close_array
|
|
json_dump
|
|
}
|
|
|
|
output_zone() {
|
|
local section="$1"
|
|
|
|
# Helper to convert true/false to 1/0
|
|
local internet_val=$(uci -q get client-guardian.$section.internet_access || echo "0")
|
|
[ "$internet_val" = "true" ] && internet_val="1"
|
|
[ "$internet_val" = "false" ] && internet_val="0"
|
|
|
|
local local_val=$(uci -q get client-guardian.$section.local_access || echo "0")
|
|
[ "$local_val" = "true" ] && local_val="1"
|
|
[ "$local_val" = "false" ] && local_val="0"
|
|
|
|
local inter_val=$(uci -q get client-guardian.$section.inter_client || echo "0")
|
|
[ "$inter_val" = "true" ] && inter_val="1"
|
|
[ "$inter_val" = "false" ] && inter_val="0"
|
|
|
|
local time_val=$(uci -q get client-guardian.$section.time_restrictions || echo "0")
|
|
[ "$time_val" = "true" ] && time_val="1"
|
|
[ "$time_val" = "false" ] && time_val="0"
|
|
|
|
local portal_val=$(uci -q get client-guardian.$section.portal_required || echo "0")
|
|
[ "$portal_val" = "true" ] && portal_val="1"
|
|
[ "$portal_val" = "false" ] && portal_val="0"
|
|
|
|
json_add_object
|
|
json_add_string "id" "$section"
|
|
json_add_string "name" "$(uci -q get client-guardian.$section.name)"
|
|
json_add_string "description" "$(uci -q get client-guardian.$section.description)"
|
|
json_add_string "network" "$(uci -q get client-guardian.$section.network)"
|
|
json_add_string "color" "$(uci -q get client-guardian.$section.color)"
|
|
json_add_string "icon" "$(uci -q get client-guardian.$section.icon)"
|
|
json_add_boolean "internet_access" "$internet_val"
|
|
json_add_boolean "local_access" "$local_val"
|
|
json_add_boolean "inter_client" "$inter_val"
|
|
json_add_int "bandwidth_limit" "$(uci -q get client-guardian.$section.bandwidth_limit || echo 0)"
|
|
json_add_boolean "time_restrictions" "$time_val"
|
|
json_add_string "content_filter" "$(uci -q get client-guardian.$section.content_filter)"
|
|
json_add_boolean "portal_required" "$portal_val"
|
|
|
|
# Count clients in zone
|
|
local count=0
|
|
config_foreach count_zone_clients client "$section"
|
|
json_add_int "client_count" "$count"
|
|
|
|
json_close_object
|
|
}
|
|
|
|
count_zone_clients() {
|
|
local zone=$(uci -q get client-guardian.$1.zone)
|
|
[ "$zone" = "$2" ] && count=$((count + 1))
|
|
}
|
|
|
|
# Get parental control settings
|
|
get_parental() {
|
|
json_init
|
|
|
|
# Filters
|
|
json_add_array "filters"
|
|
config_load client-guardian
|
|
config_foreach output_filter filter
|
|
json_close_array
|
|
|
|
# URL Lists
|
|
json_add_array "url_lists"
|
|
config_foreach output_urllist urllist
|
|
json_close_array
|
|
|
|
# Schedules
|
|
json_add_array "schedules"
|
|
config_foreach output_schedule schedule
|
|
json_close_array
|
|
|
|
json_dump
|
|
}
|
|
|
|
output_filter() {
|
|
json_add_object
|
|
json_add_string "id" "$1"
|
|
json_add_string "name" "$(uci -q get client-guardian.$1.name)"
|
|
json_add_string "type" "$(uci -q get client-guardian.$1.type)"
|
|
json_add_boolean "safe_search" "$(uci -q get client-guardian.$1.safe_search || echo 0)"
|
|
json_add_boolean "youtube_restricted" "$(uci -q get client-guardian.$1.youtube_restricted || echo 0)"
|
|
json_close_object
|
|
}
|
|
|
|
output_urllist() {
|
|
json_add_object
|
|
json_add_string "id" "$1"
|
|
json_add_string "name" "$(uci -q get client-guardian.$1.name)"
|
|
json_add_string "type" "$(uci -q get client-guardian.$1.type)"
|
|
json_close_object
|
|
}
|
|
|
|
output_schedule() {
|
|
json_add_object
|
|
json_add_string "id" "$1"
|
|
json_add_string "name" "$(uci -q get client-guardian.$1.name)"
|
|
json_add_boolean "enabled" "$(uci -q get client-guardian.$1.enabled || echo 0)"
|
|
json_add_string "action" "$(uci -q get client-guardian.$1.action)"
|
|
json_add_string "start_time" "$(uci -q get client-guardian.$1.start_time)"
|
|
json_add_string "end_time" "$(uci -q get client-guardian.$1.end_time)"
|
|
json_close_object
|
|
}
|
|
|
|
# Get portal configuration
|
|
get_portal() {
|
|
json_init
|
|
|
|
json_add_boolean "enabled" "$(uci -q get client-guardian.portal.enabled || echo 1)"
|
|
json_add_string "title" "$(uci -q get client-guardian.portal.title)"
|
|
json_add_string "subtitle" "$(uci -q get client-guardian.portal.subtitle)"
|
|
json_add_string "logo" "$(uci -q get client-guardian.portal.logo)"
|
|
json_add_string "background_color" "$(uci -q get client-guardian.portal.background_color)"
|
|
json_add_string "accent_color" "$(uci -q get client-guardian.portal.accent_color)"
|
|
json_add_boolean "require_terms" "$(uci -q get client-guardian.portal.require_terms || echo 0)"
|
|
json_add_string "auth_method" "$(uci -q get client-guardian.portal.auth_method)"
|
|
json_add_boolean "allow_registration" "$(uci -q get client-guardian.portal.allow_registration || echo 0)"
|
|
json_add_boolean "registration_approval" "$(uci -q get client-guardian.portal.registration_approval || echo 1)"
|
|
json_add_boolean "show_bandwidth_info" "$(uci -q get client-guardian.portal.show_bandwidth_info || echo 0)"
|
|
|
|
# Active sessions count
|
|
local sessions=0
|
|
[ -f "/tmp/client-guardian-sessions" ] && sessions=$(wc -l < /tmp/client-guardian-sessions)
|
|
json_add_int "active_sessions" "$sessions"
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Get alert configuration
|
|
get_alerts() {
|
|
json_init
|
|
|
|
# Alert settings
|
|
json_add_object "settings"
|
|
json_add_boolean "enabled" "$(uci -q get client-guardian.alerts.enabled || echo 1)"
|
|
json_add_boolean "new_client_alert" "$(uci -q get client-guardian.alerts.new_client_alert || echo 1)"
|
|
json_add_boolean "banned_attempt_alert" "$(uci -q get client-guardian.alerts.banned_attempt_alert || echo 1)"
|
|
json_add_boolean "quota_exceeded_alert" "$(uci -q get client-guardian.alerts.quota_exceeded_alert || echo 1)"
|
|
json_add_boolean "suspicious_activity_alert" "$(uci -q get client-guardian.alerts.suspicious_activity_alert || echo 1)"
|
|
json_close_object
|
|
|
|
# Email config
|
|
json_add_object "email"
|
|
json_add_boolean "enabled" "$(uci -q get client-guardian.email.enabled || echo 0)"
|
|
json_add_string "smtp_server" "$(uci -q get client-guardian.email.smtp_server)"
|
|
json_add_int "smtp_port" "$(uci -q get client-guardian.email.smtp_port || echo 587)"
|
|
json_add_string "smtp_user" "$(uci -q get client-guardian.email.smtp_user)"
|
|
json_add_boolean "smtp_tls" "$(uci -q get client-guardian.email.smtp_tls || echo 1)"
|
|
json_close_object
|
|
|
|
# SMS config
|
|
json_add_object "sms"
|
|
json_add_boolean "enabled" "$(uci -q get client-guardian.sms.enabled || echo 0)"
|
|
json_add_string "provider" "$(uci -q get client-guardian.sms.provider)"
|
|
json_close_object
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Get logs
|
|
get_logs() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var limit limit
|
|
json_get_var level level
|
|
|
|
[ -z "$limit" ] && limit=100
|
|
|
|
json_init
|
|
json_add_array "logs"
|
|
|
|
if [ -f "$LOG_FILE" ]; then
|
|
local filter=""
|
|
[ -n "$level" ] && filter="$level"
|
|
|
|
tail -n "$limit" "$LOG_FILE" | while read line; do
|
|
if [ -z "$filter" ] || echo "$line" | grep -q "\[$filter\]"; then
|
|
# Parse log line: [timestamp] [level] message
|
|
local ts=$(echo "$line" | sed -n 's/\[\([^]]*\)\].*/\1/p')
|
|
local lvl=$(echo "$line" | sed -n 's/.*\] \[\([^]]*\)\].*/\1/p')
|
|
local msg=$(echo "$line" | sed 's/.*\] \[.*\] //')
|
|
|
|
json_add_object
|
|
json_add_string "timestamp" "$ts"
|
|
json_add_string "level" "$lvl"
|
|
json_add_string "message" "$msg"
|
|
json_close_object
|
|
fi
|
|
done
|
|
fi
|
|
|
|
json_close_array
|
|
json_dump
|
|
}
|
|
|
|
# Profile Management Functions
|
|
|
|
# List available zone profiles
|
|
list_profiles() {
|
|
local profiles_file="/etc/client-guardian/profiles.json"
|
|
|
|
if [ -f "$profiles_file" ]; then
|
|
cat "$profiles_file"
|
|
else
|
|
echo '{"profiles":[]}'
|
|
fi
|
|
}
|
|
|
|
# Apply a zone profile
|
|
apply_profile() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var profile_id profile_id
|
|
json_get_var auto_refresh auto_refresh
|
|
json_get_var refresh_interval refresh_interval
|
|
json_get_var threat_enabled threat_enabled
|
|
json_get_var auto_ban_threshold auto_ban_threshold
|
|
json_get_var auto_quarantine_threshold auto_quarantine_threshold
|
|
|
|
json_init
|
|
|
|
if [ -z "$profile_id" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Profile ID required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
local profiles_file="/etc/client-guardian/profiles.json"
|
|
|
|
if [ ! -f "$profiles_file" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Profiles file not found"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
# Extract profile zones
|
|
local profile_data=$(cat "$profiles_file" | jsonfilter -e "@.profiles[@.id='$profile_id']")
|
|
|
|
if [ -z "$profile_data" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Profile not found: $profile_id"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
# Remove existing zones (except quarantine and blocked which are system)
|
|
local existing_zones=$(uci show client-guardian | grep "=zone" | cut -d. -f2 | cut -d= -f1)
|
|
for zone_section in $existing_zones; do
|
|
local zone_id=$(uci -q get client-guardian.$zone_section 2>/dev/null || echo "$zone_section")
|
|
if [ "$zone_id" != "quarantine" ] && [ "$zone_id" != "blocked" ]; then
|
|
uci delete client-guardian.$zone_section 2>/dev/null
|
|
fi
|
|
done
|
|
|
|
# Parse and create zones from profile
|
|
local zone_count=0
|
|
local idx=0
|
|
|
|
# Iterate through zones by index (up to reasonable limit)
|
|
while [ "$idx" -lt "20" ]; do
|
|
local zone_id=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].id" 2>/dev/null)
|
|
|
|
# Break if no more zones
|
|
[ -z "$zone_id" ] && break
|
|
|
|
local zone_name=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].name")
|
|
local zone_desc=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].description")
|
|
local zone_network=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].network")
|
|
local zone_color=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].color")
|
|
local zone_icon=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].icon")
|
|
local internet=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].internet_access")
|
|
local local_access=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].local_access")
|
|
local inter_client=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].inter_client")
|
|
local bandwidth=$(echo "$profile_data" | jsonfilter -e "@.zones[$idx].bandwidth_limit")
|
|
|
|
# Create UCI zone section
|
|
uci set client-guardian.$zone_id=zone 2>/dev/null
|
|
[ -n "$zone_name" ] && uci set client-guardian.$zone_id.name="$zone_name" 2>/dev/null
|
|
[ -n "$zone_desc" ] && uci set client-guardian.$zone_id.description="$zone_desc" 2>/dev/null
|
|
[ -n "$zone_network" ] && uci set client-guardian.$zone_id.network="$zone_network" 2>/dev/null
|
|
[ -n "$zone_color" ] && uci set client-guardian.$zone_id.color="$zone_color" 2>/dev/null
|
|
[ -n "$zone_icon" ] && uci set client-guardian.$zone_id.icon="$zone_icon" 2>/dev/null
|
|
[ -n "$internet" ] && uci set client-guardian.$zone_id.internet_access="$internet" 2>/dev/null
|
|
[ -n "$local_access" ] && uci set client-guardian.$zone_id.local_access="$local_access" 2>/dev/null
|
|
[ -n "$inter_client" ] && uci set client-guardian.$zone_id.inter_client="$inter_client" 2>/dev/null
|
|
uci set client-guardian.$zone_id.bandwidth_limit="${bandwidth:-0}" 2>/dev/null
|
|
|
|
zone_count=$((zone_count + 1))
|
|
idx=$((idx + 1))
|
|
done
|
|
|
|
# Apply dashboard settings (with error suppression)
|
|
[ -n "$auto_refresh" ] && uci set client-guardian.config.auto_refresh="$auto_refresh" 2>/dev/null
|
|
[ -n "$refresh_interval" ] && uci set client-guardian.config.refresh_interval="$refresh_interval" 2>/dev/null
|
|
|
|
# Apply threat intelligence settings (create section if needed)
|
|
uci set client-guardian.threat_policy=threat_policy 2>/dev/null
|
|
[ -n "$threat_enabled" ] && uci set client-guardian.threat_policy.enabled="$threat_enabled" 2>/dev/null
|
|
[ -n "$auto_ban_threshold" ] && uci set client-guardian.threat_policy.auto_ban_threshold="$auto_ban_threshold" 2>/dev/null
|
|
[ -n "$auto_quarantine_threshold" ] && uci set client-guardian.threat_policy.auto_quarantine_threshold="$auto_quarantine_threshold" 2>/dev/null
|
|
|
|
uci commit client-guardian 2>/dev/null
|
|
|
|
# Sync firewall zones
|
|
sync_firewall_zones
|
|
|
|
log_event "info" "Applied profile: $profile_id ($zone_count zones)"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Profile $profile_id applied successfully"
|
|
json_add_int "zones_created" "$zone_count"
|
|
json_dump
|
|
}
|
|
|
|
# Firewall Zone Synchronization Functions
|
|
|
|
# Ensure Client Guardian zones exist in firewall
|
|
sync_firewall_zones() {
|
|
# Check if firewall zones need to be created
|
|
config_load client-guardian
|
|
config_foreach create_firewall_zone zone
|
|
}
|
|
|
|
# Create firewall zone for Client Guardian zone
|
|
create_firewall_zone() {
|
|
local section="$1"
|
|
local zone_name=$(uci -q get client-guardian.$section.name)
|
|
local network=$(uci -q get client-guardian.$section.network)
|
|
local internet_access=$(uci -q get client-guardian.$section.internet_access)
|
|
local local_access=$(uci -q get client-guardian.$section.local_access)
|
|
|
|
# Skip if no network defined
|
|
[ -z "$network" ] && return
|
|
|
|
# Check if firewall zone exists
|
|
local fw_zone_exists=$(uci show firewall | grep -c "firewall.*\.name='$network'")
|
|
|
|
if [ "$fw_zone_exists" = "0" ]; then
|
|
# Create firewall zone
|
|
local fw_section=$(uci add firewall zone)
|
|
uci set firewall.$fw_section.name="$network"
|
|
uci set firewall.$fw_section.input="REJECT"
|
|
uci set firewall.$fw_section.output="ACCEPT"
|
|
uci set firewall.$fw_section.forward="REJECT"
|
|
uci add_list firewall.$fw_section.network="$network"
|
|
|
|
# Add forwarding rule to WAN if internet access allowed
|
|
if [ "$internet_access" = "1" ]; then
|
|
local fwd_section=$(uci add firewall forwarding)
|
|
uci set firewall.$fwd_section.src="$network"
|
|
uci set firewall.$fwd_section.dest="wan"
|
|
fi
|
|
|
|
# Add forwarding rule to LAN if local access allowed
|
|
if [ "$local_access" = "1" ]; then
|
|
local fwd_section=$(uci add firewall forwarding)
|
|
uci set firewall.$fwd_section.src="$network"
|
|
uci set firewall.$fwd_section.dest="lan"
|
|
fi
|
|
|
|
uci commit firewall
|
|
log_event "info" "Created firewall zone: $network"
|
|
fi
|
|
}
|
|
|
|
# Apply MAC-based firewall rules for client
|
|
apply_client_rules() {
|
|
local mac="$1"
|
|
local zone="$2"
|
|
|
|
# Remove existing rules for this MAC
|
|
remove_client_rules "$mac"
|
|
|
|
# Get zone configuration
|
|
local zone_network=""
|
|
local zone_internet=""
|
|
local zone_local=""
|
|
|
|
config_load client-guardian
|
|
config_foreach check_zone zone "$zone"
|
|
|
|
# Apply rules based on zone
|
|
if [ "$zone" = "blocked" ] || [ "$zone_network" = "null" ]; then
|
|
# Full block - drop all traffic from this MAC
|
|
local rule_section=$(uci add firewall rule)
|
|
uci set firewall.$rule_section.src="*"
|
|
uci set firewall.$rule_section.src_mac="$mac"
|
|
uci set firewall.$rule_section.target="DROP"
|
|
uci set firewall.$rule_section.name="CG_BLOCK_$mac"
|
|
uci commit firewall
|
|
log_event "info" "Applied BLOCK rule for MAC: $mac"
|
|
else
|
|
# Zone-based access control
|
|
# Allow DHCP for client
|
|
local rule_section=$(uci add firewall rule)
|
|
uci set firewall.$rule_section.src="*"
|
|
uci set firewall.$rule_section.src_mac="$mac"
|
|
uci set firewall.$rule_section.proto="udp"
|
|
uci set firewall.$rule_section.dest_port="67-68"
|
|
uci set firewall.$rule_section.target="ACCEPT"
|
|
uci set firewall.$rule_section.name="CG_DHCP_$mac"
|
|
|
|
# Allow DNS
|
|
rule_section=$(uci add firewall rule)
|
|
uci set firewall.$rule_section.src="*"
|
|
uci set firewall.$rule_section.src_mac="$mac"
|
|
uci set firewall.$rule_section.proto="udp"
|
|
uci set firewall.$rule_section.dest_port="53"
|
|
uci set firewall.$rule_section.target="ACCEPT"
|
|
uci set firewall.$rule_section.name="CG_DNS_$mac"
|
|
|
|
uci commit firewall
|
|
log_event "info" "Applied zone rules for MAC: $mac in zone: $zone"
|
|
fi
|
|
|
|
# Reload firewall
|
|
/etc/init.d/firewall reload >/dev/null 2>&1 &
|
|
}
|
|
|
|
# Remove firewall rules for client
|
|
remove_client_rules() {
|
|
local mac="$1"
|
|
mac=$(echo "$mac" | tr 'a-f' 'A-F') # Firewall rules use uppercase
|
|
|
|
# Find and remove rules with this MAC
|
|
uci show firewall | grep -i "$mac" | cut -d. -f1-2 | sort -u | while read rule; do
|
|
uci delete "$rule" 2>/dev/null
|
|
done
|
|
uci commit firewall 2>/dev/null
|
|
}
|
|
|
|
# Helper to find zone config
|
|
check_zone() {
|
|
local section="$1"
|
|
local target_zone="$2"
|
|
|
|
if [ "$section" = "$target_zone" ]; then
|
|
zone_network=$(uci -q get client-guardian.$section.network)
|
|
zone_internet=$(uci -q get client-guardian.$section.internet_access)
|
|
zone_local=$(uci -q get client-guardian.$section.local_access)
|
|
fi
|
|
}
|
|
|
|
# Approve client
|
|
approve_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
json_get_var name name
|
|
json_get_var zone zone
|
|
json_get_var notes notes
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
[ -z "$zone" ] && zone="lan_private"
|
|
[ -z "$name" ] && name="Client_$(echo $mac | tr -d ':')"
|
|
|
|
# Check if exists
|
|
local section=""
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
if [ -n "$found_section" ]; then
|
|
# Update existing
|
|
uci set client-guardian.$found_section.status="approved"
|
|
uci set client-guardian.$found_section.zone="$zone"
|
|
[ -n "$name" ] && uci set client-guardian.$found_section.name="$name"
|
|
[ -n "$notes" ] && uci set client-guardian.$found_section.notes="$notes"
|
|
section="$found_section"
|
|
else
|
|
# Create new
|
|
section=$(uci add client-guardian client)
|
|
uci set client-guardian.$section.mac="$mac"
|
|
uci set client-guardian.$section.name="$name"
|
|
uci set client-guardian.$section.zone="$zone"
|
|
uci set client-guardian.$section.status="approved"
|
|
uci set client-guardian.$section.first_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
[ -n "$notes" ] && uci set client-guardian.$section.notes="$notes"
|
|
fi
|
|
|
|
uci set client-guardian.$section.last_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
uci commit client-guardian
|
|
|
|
# Apply firewall rules
|
|
apply_client_rules "$mac" "$zone"
|
|
|
|
log_event "info" "Client approved: $mac -> $zone ($name)"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client $name approved in zone $zone"
|
|
json_add_string "section" "$section"
|
|
json_dump
|
|
}
|
|
|
|
# Ban client
|
|
ban_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
json_get_var reason reason
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
[ -z "$reason" ] && reason="Manual ban"
|
|
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
local section=""
|
|
if [ -n "$found_section" ]; then
|
|
section="$found_section"
|
|
else
|
|
section=$(uci add client-guardian client)
|
|
uci set client-guardian.$section.mac="$mac"
|
|
uci set client-guardian.$section.name="Banned Device"
|
|
uci set client-guardian.$section.first_seen="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
fi
|
|
|
|
uci set client-guardian.$section.status="banned"
|
|
uci set client-guardian.$section.zone="blocked"
|
|
uci set client-guardian.$section.ban_reason="$reason"
|
|
uci set client-guardian.$section.ban_date="$(date '+%Y-%m-%d %H:%M:%S')"
|
|
uci commit client-guardian
|
|
|
|
# Apply firewall block rules
|
|
apply_client_rules "$mac" "blocked"
|
|
|
|
log_event "warning" "Client banned: $mac - Reason: $reason"
|
|
|
|
# Send alert
|
|
send_alert_internal "ban" "Client Banned" "MAC: $mac - Reason: $reason"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client $mac has been banned"
|
|
json_dump
|
|
}
|
|
|
|
# Quarantine client
|
|
quarantine_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
if [ -n "$found_section" ]; then
|
|
uci set client-guardian.$found_section.status="quarantine"
|
|
uci set client-guardian.$found_section.zone="quarantine"
|
|
uci commit client-guardian
|
|
fi
|
|
|
|
# Apply quarantine rules
|
|
apply_client_rules "$mac" "quarantine"
|
|
|
|
log_event "info" "Client quarantined: $mac"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client $mac moved to quarantine"
|
|
json_dump
|
|
}
|
|
|
|
# Update client settings
|
|
update_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var section section
|
|
json_get_var name name
|
|
json_get_var zone zone
|
|
json_get_var notes notes
|
|
json_get_var daily_quota daily_quota
|
|
json_get_var static_ip static_ip
|
|
|
|
json_init
|
|
|
|
if [ -z "$section" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Client section required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
[ -n "$name" ] && uci set client-guardian.$section.name="$name"
|
|
[ -n "$zone" ] && uci set client-guardian.$section.zone="$zone"
|
|
[ -n "$notes" ] && uci set client-guardian.$section.notes="$notes"
|
|
[ -n "$daily_quota" ] && uci set client-guardian.$section.daily_quota="$daily_quota"
|
|
[ -n "$static_ip" ] && uci set client-guardian.$section.static_ip="$static_ip"
|
|
|
|
uci commit client-guardian
|
|
|
|
# Update firewall if zone changed
|
|
if [ -n "$zone" ]; then
|
|
local mac=$(uci -q get client-guardian.$section.mac)
|
|
apply_client_rules "$mac" "$zone"
|
|
fi
|
|
|
|
log_event "info" "Client updated: $section"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client updated successfully"
|
|
json_dump
|
|
}
|
|
|
|
# Send test alert
|
|
send_test_alert() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var type type
|
|
|
|
json_init
|
|
|
|
case "$type" in
|
|
email)
|
|
# Would integrate with msmtp or similar
|
|
log_event "info" "Test email alert sent"
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Test email sent"
|
|
;;
|
|
sms)
|
|
# Would integrate with Twilio/Nexmo API
|
|
log_event "info" "Test SMS alert sent"
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Test SMS sent"
|
|
;;
|
|
*)
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Invalid alert type"
|
|
;;
|
|
esac
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Update zone settings
|
|
update_zone() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var id id
|
|
json_get_var name name
|
|
json_get_var bandwidth_limit bandwidth_limit
|
|
json_get_var content_filter content_filter
|
|
json_get_var schedule_start schedule_start
|
|
json_get_var schedule_end schedule_end
|
|
|
|
json_init
|
|
|
|
if [ -z "$id" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Zone ID required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
[ -n "$name" ] && uci set client-guardian.$id.name="$name"
|
|
[ -n "$bandwidth_limit" ] && uci set client-guardian.$id.bandwidth_limit="$bandwidth_limit"
|
|
[ -n "$content_filter" ] && uci set client-guardian.$id.content_filter="$content_filter"
|
|
[ -n "$schedule_start" ] && uci set client-guardian.$id.schedule_start="$schedule_start"
|
|
[ -n "$schedule_end" ] && uci set client-guardian.$id.schedule_end="$schedule_end"
|
|
|
|
uci commit client-guardian
|
|
|
|
log_event "info" "Zone updated: $id"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Zone updated successfully"
|
|
json_dump
|
|
}
|
|
|
|
# Update portal settings
|
|
update_portal() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var title title
|
|
json_get_var subtitle subtitle
|
|
json_get_var accent_color accent_color
|
|
json_get_var auth_method auth_method
|
|
json_get_var guest_password guest_password
|
|
|
|
json_init
|
|
|
|
[ -n "$title" ] && uci set client-guardian.portal.title="$title"
|
|
[ -n "$subtitle" ] && uci set client-guardian.portal.subtitle="$subtitle"
|
|
[ -n "$accent_color" ] && uci set client-guardian.portal.accent_color="$accent_color"
|
|
[ -n "$auth_method" ] && uci set client-guardian.portal.auth_method="$auth_method"
|
|
[ -n "$guest_password" ] && uci set client-guardian.portal.guest_password="$guest_password"
|
|
|
|
uci commit client-guardian
|
|
|
|
log_event "info" "Portal settings updated"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Portal updated successfully"
|
|
json_dump
|
|
}
|
|
|
|
# Helper: Apply client firewall rules
|
|
apply_client_rules() {
|
|
local mac="$1"
|
|
local zone="$2"
|
|
|
|
# Remove existing rules for this MAC
|
|
iptables -D FORWARD -m mac --mac-source "$mac" -j DROP 2>/dev/null
|
|
iptables -D FORWARD -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null
|
|
|
|
case "$zone" in
|
|
blocked)
|
|
iptables -I FORWARD -m mac --mac-source "$mac" -j DROP
|
|
;;
|
|
quarantine)
|
|
# Only portal access
|
|
iptables -I FORWARD -m mac --mac-source "$mac" -j DROP
|
|
iptables -I FORWARD -m mac --mac-source "$mac" -p tcp --dport 80 -d $(uci -q get network.lan.ipaddr || echo "192.168.1.1") -j ACCEPT
|
|
;;
|
|
*)
|
|
# Allow based on zone settings
|
|
iptables -I FORWARD -m mac --mac-source "$mac" -j ACCEPT
|
|
;;
|
|
esac
|
|
}
|
|
|
|
# Helper: Block client completely
|
|
block_client() {
|
|
local mac="$1"
|
|
iptables -D FORWARD -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null
|
|
iptables -I FORWARD -m mac --mac-source "$mac" -j DROP
|
|
# Also block ARP
|
|
arptables -D INPUT --source-mac "$mac" -j DROP 2>/dev/null
|
|
arptables -I INPUT --source-mac "$mac" -j DROP 2>/dev/null
|
|
}
|
|
|
|
# Helper: Send internal alert
|
|
send_alert_internal() {
|
|
local type="$1"
|
|
local title="$2"
|
|
local message="$3"
|
|
|
|
local alerts_enabled=$(uci -q get client-guardian.alerts.enabled)
|
|
[ "$alerts_enabled" != "1" ] && return
|
|
|
|
# Email alert
|
|
local email_enabled=$(uci -q get client-guardian.email.enabled)
|
|
if [ "$email_enabled" = "1" ]; then
|
|
# Would use msmtp here
|
|
log_event "info" "Email alert queued: $title"
|
|
fi
|
|
|
|
# SMS alert
|
|
local sms_enabled=$(uci -q get client-guardian.sms.enabled)
|
|
if [ "$sms_enabled" = "1" ]; then
|
|
# Would use curl to Twilio/Nexmo API
|
|
log_event "info" "SMS alert queued: $title"
|
|
fi
|
|
}
|
|
|
|
# ===================================
|
|
# Nodogsplash Captive Portal Integration
|
|
# ===================================
|
|
|
|
# List active captive portal sessions (nodogsplash)
|
|
list_sessions() {
|
|
json_init
|
|
json_add_array "sessions"
|
|
|
|
# Check if nodogsplash is running
|
|
if pidof nodogsplash >/dev/null; then
|
|
# Get sessions from ndsctl
|
|
ndsctl status 2>/dev/null | grep -A 100 "Client" | while read line; do
|
|
# Parse ndsctl output
|
|
# Format: IP MAC Duration Download Upload
|
|
if echo "$line" | grep -qE "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"; then
|
|
local ip=$(echo "$line" | awk '{print $1}')
|
|
local mac=$(echo "$line" | awk '{print $2}' | tr 'A-F' 'a-f')
|
|
local duration=$(echo "$line" | awk '{print $3}')
|
|
local downloaded=$(echo "$line" | awk '{print $4}')
|
|
local uploaded=$(echo "$line" | awk '{print $5}')
|
|
|
|
# Get hostname
|
|
local hostname=$(grep -i "$mac" /tmp/dhcp.leases 2>/dev/null | awk '{print $4}')
|
|
[ -z "$hostname" ] && hostname="Unknown"
|
|
|
|
json_add_object
|
|
json_add_string "ip" "$ip"
|
|
json_add_string "mac" "$mac"
|
|
json_add_string "hostname" "$hostname"
|
|
json_add_int "duration" "$duration"
|
|
json_add_int "downloaded" "$downloaded"
|
|
json_add_int "uploaded" "$uploaded"
|
|
json_add_string "state" "authenticated"
|
|
json_close_object
|
|
fi
|
|
done
|
|
fi
|
|
|
|
json_close_array
|
|
|
|
# Add nodogsplash status
|
|
json_add_object "nodogsplash"
|
|
if pidof nodogsplash >/dev/null; then
|
|
json_add_boolean "running" 1
|
|
json_add_string "status" "active"
|
|
else
|
|
json_add_boolean "running" 0
|
|
json_add_string "status" "stopped"
|
|
fi
|
|
json_close_object
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Get default policy
|
|
get_policy() {
|
|
json_init
|
|
|
|
local policy=$(uci -q get client-guardian.config.default_policy || echo "captive")
|
|
local portal_enabled=$(uci -q get client-guardian.portal.enabled || echo "1")
|
|
local auto_approve=$(uci -q get client-guardian.config.auto_approve || echo "0")
|
|
local session_timeout=$(uci -q get client-guardian.config.session_timeout || echo "86400")
|
|
|
|
json_add_string "default_policy" "$policy"
|
|
json_add_boolean "portal_enabled" "$portal_enabled"
|
|
json_add_boolean "auto_approve" "$auto_approve"
|
|
json_add_int "session_timeout" "$session_timeout"
|
|
|
|
json_add_object "policy_options"
|
|
json_add_string "open" "Allow all clients without authentication"
|
|
json_add_string "captive" "Require captive portal authentication"
|
|
json_add_string "whitelist" "Allow only approved clients"
|
|
json_close_object
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Set default policy
|
|
set_policy() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var policy policy
|
|
json_get_var portal_enabled portal_enabled
|
|
json_get_var auto_approve auto_approve
|
|
json_get_var session_timeout session_timeout
|
|
|
|
json_init
|
|
|
|
if [ -z "$policy" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Policy required (open/captive/whitelist)"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
# Validate policy value
|
|
case "$policy" in
|
|
open|captive|whitelist)
|
|
uci set client-guardian.config.default_policy="$policy"
|
|
;;
|
|
*)
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Invalid policy. Must be: open, captive, or whitelist"
|
|
json_dump
|
|
return
|
|
;;
|
|
esac
|
|
|
|
[ -n "$portal_enabled" ] && uci set client-guardian.portal.enabled="$portal_enabled"
|
|
[ -n "$auto_approve" ] && uci set client-guardian.config.auto_approve="$auto_approve"
|
|
[ -n "$session_timeout" ] && uci set client-guardian.config.session_timeout="$session_timeout"
|
|
|
|
uci commit client-guardian
|
|
|
|
# Restart nodogsplash if policy changed to/from captive
|
|
if [ "$policy" = "captive" ]; then
|
|
/etc/init.d/nodogsplash restart 2>/dev/null &
|
|
elif pidof nodogsplash >/dev/null; then
|
|
/etc/init.d/nodogsplash stop 2>/dev/null &
|
|
fi
|
|
|
|
log_event "info" "Default policy changed to: $policy"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Policy updated to $policy"
|
|
json_dump
|
|
}
|
|
|
|
# Authorize client via nodogsplash
|
|
authorize_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
json_get_var ip ip
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
|
|
# Use ndsctl to authorize
|
|
if pidof nodogsplash >/dev/null; then
|
|
if [ -n "$ip" ]; then
|
|
# Authorize by IP if provided
|
|
ndsctl auth "$ip" 2>&1
|
|
else
|
|
# Find IP by MAC
|
|
local client_ip=$(cat /proc/net/arp | grep -i "$mac" | awk '{print $1}' | head -1)
|
|
if [ -n "$client_ip" ]; then
|
|
ndsctl auth "$client_ip" 2>&1
|
|
ip="$client_ip"
|
|
else
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Client not found or offline"
|
|
json_dump
|
|
return
|
|
fi
|
|
fi
|
|
|
|
log_event "info" "Client authorized via nodogsplash: $mac ($ip)"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client $mac authorized"
|
|
json_add_string "ip" "$ip"
|
|
else
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Nodogsplash not running"
|
|
fi
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Deauthorize client via nodogsplash
|
|
deauthorize_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
json_get_var ip ip
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
|
|
# Use ndsctl to deauthorize
|
|
if pidof nodogsplash >/dev/null; then
|
|
if [ -n "$ip" ]; then
|
|
ndsctl deauth "$ip" 2>&1
|
|
else
|
|
# Find IP by MAC
|
|
local client_ip=$(cat /proc/net/arp | grep -i "$mac" | awk '{print $1}' | head -1)
|
|
if [ -n "$client_ip" ]; then
|
|
ndsctl deauth "$client_ip" 2>&1
|
|
ip="$client_ip"
|
|
else
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Client not found in active sessions"
|
|
json_dump
|
|
return
|
|
fi
|
|
fi
|
|
|
|
log_event "info" "Client deauthorized via nodogsplash: $mac ($ip)"
|
|
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Client $mac deauthorized"
|
|
else
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "Nodogsplash not running"
|
|
fi
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Get client details
|
|
get_client() {
|
|
read input
|
|
json_load "$input"
|
|
json_get_var mac mac
|
|
|
|
json_init
|
|
|
|
if [ -z "$mac" ]; then
|
|
json_add_boolean "success" 0
|
|
json_add_string "error" "MAC address required"
|
|
json_dump
|
|
return
|
|
fi
|
|
|
|
mac=$(echo "$mac" | tr 'A-F' 'a-f')
|
|
|
|
# Find client in ARP table
|
|
local arp_entry=$(cat /proc/net/arp | grep -i "$mac" | head -1)
|
|
if [ -n "$arp_entry" ]; then
|
|
local ip=$(echo "$arp_entry" | awk '{print $1}')
|
|
local iface=$(echo "$arp_entry" | awk '{print $6}')
|
|
local hostname=$(grep -i "$mac" /tmp/dhcp.leases 2>/dev/null | awk '{print $4}')
|
|
[ -z "$hostname" ] && hostname="Unknown"
|
|
|
|
json_add_boolean "online" 1
|
|
json_add_string "ip" "$ip"
|
|
json_add_string "hostname" "$hostname"
|
|
json_add_string "interface" "$iface"
|
|
else
|
|
json_add_boolean "online" 0
|
|
fi
|
|
|
|
json_add_string "mac" "$mac"
|
|
|
|
# Get UCI details if exists
|
|
config_load client-guardian
|
|
config_foreach find_client_by_mac client "$mac"
|
|
|
|
if [ -n "$found_section" ]; then
|
|
json_add_boolean "known" 1
|
|
json_add_string "section" "$found_section"
|
|
json_add_string "name" "$(uci -q get client-guardian.$found_section.name)"
|
|
json_add_string "zone" "$(uci -q get client-guardian.$found_section.zone)"
|
|
json_add_string "status" "$(uci -q get client-guardian.$found_section.status)"
|
|
json_add_string "first_seen" "$(uci -q get client-guardian.$found_section.first_seen)"
|
|
json_add_string "last_seen" "$(uci -q get client-guardian.$found_section.last_seen)"
|
|
json_add_string "notes" "$(uci -q get client-guardian.$found_section.notes)"
|
|
else
|
|
json_add_boolean "known" 0
|
|
json_add_string "status" "unknown"
|
|
fi
|
|
|
|
json_dump
|
|
}
|
|
|
|
# Main dispatcher
|
|
case "$1" in
|
|
list)
|
|
echo '{"status":{},"clients":{},"zones":{},"parental":{},"portal":{},"alerts":{},"logs":{"limit":"int","level":"str"},"approve_client":{"mac":"str","name":"str","zone":"str","notes":"str"},"ban_client":{"mac":"str","reason":"str"},"quarantine_client":{"mac":"str"},"update_client":{"section":"str","name":"str","zone":"str","notes":"str","daily_quota":"int","static_ip":"str"},"update_zone":{"id":"str","name":"str","bandwidth_limit":"int","content_filter":"str"},"update_portal":{"title":"str","subtitle":"str","accent_color":"str"},"send_test_alert":{"type":"str"},"list_sessions":{},"get_policy":{},"set_policy":{"policy":"str","portal_enabled":"bool","auto_approve":"bool","session_timeout":"int"},"authorize_client":{"mac":"str","ip":"str"},"deauthorize_client":{"mac":"str","ip":"str"},"get_client":{"mac":"str"},"sync_zones":{},"list_profiles":{},"apply_profile":{"profile_id":"str","auto_refresh":"str","refresh_interval":"str","threat_enabled":"str","auto_ban_threshold":"str","auto_quarantine_threshold":"str"}}'
|
|
;;
|
|
call)
|
|
case "$2" in
|
|
status) get_status ;;
|
|
clients) get_clients ;;
|
|
zones) get_zones ;;
|
|
parental) get_parental ;;
|
|
portal) get_portal ;;
|
|
alerts) get_alerts ;;
|
|
logs) get_logs ;;
|
|
approve_client) approve_client ;;
|
|
ban_client) ban_client ;;
|
|
quarantine_client) quarantine_client ;;
|
|
update_client) update_client ;;
|
|
update_zone) update_zone ;;
|
|
update_portal) update_portal ;;
|
|
send_test_alert) send_test_alert ;;
|
|
list_sessions) list_sessions ;;
|
|
get_policy) get_policy ;;
|
|
set_policy) set_policy ;;
|
|
authorize_client) authorize_client ;;
|
|
deauthorize_client) deauthorize_client ;;
|
|
get_client) get_client ;;
|
|
sync_zones)
|
|
json_init
|
|
sync_firewall_zones
|
|
json_add_boolean "success" 1
|
|
json_add_string "message" "Firewall zones synchronized"
|
|
json_dump
|
|
;;
|
|
list_profiles) list_profiles ;;
|
|
apply_profile) apply_profile ;;
|
|
*) echo '{"error": "Unknown method"}' ;;
|
|
esac
|
|
;;
|
|
esac
|