Index: /branches/releng-10/nanobsd/README.txt
===================================================================
--- /branches/releng-10/nanobsd/README.txt	(revision 12525)
+++ /branches/releng-10/nanobsd/README.txt	(revision 12525)
@@ -0,0 +1,14 @@
+Please find the build procedure and other supporting documents at 
+
+http://www.wirelessleiden.nl/projects/nodefactory/wiki/NanoBSD
+
+= Directory layout =
+README.txt	=	currently reading
+cfg-files	=	extension for auto populate /cfg slice in image
+cfg/kernel.*	=	kernel config files, different hosts
+cfg/nanobsd.*	=	nanobsd config files
+files		=	extension for auto populate / slice in image
+pkg		=	Packages to be installed
+tools		=	Helper scripts for use after image
+patches		=	Patches to stock FreeBSD, mostly backports from -CURRENT
+
Index: /branches/releng-10/nanobsd/cfg/kernel.wleiden
===================================================================
--- /branches/releng-10/nanobsd/cfg/kernel.wleiden	(revision 12525)
+++ /branches/releng-10/nanobsd/cfg/kernel.wleiden	(revision 12525)
@@ -0,0 +1,192 @@
+#
+# WLEIDEN -- Wireless Leiden kernel configuration file for FreeBSD/i386
+#
+# For more information on this file, please read the handbook section on
+# Kernel Configuration Files:
+#
+#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
+#
+# This config is tweaked for ALIX.2D, Soekris 4521 and Soekris 4801 with
+# Atheros Wireless Cards and meant to run an a remote location.
+#
+
+cpu		I486_CPU
+cpu		I586_CPU
+ident		WLEIDEN
+
+# Uncomment if you like to compile a debugging kernel 
+#makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
+#options 	KDB			# Kernel debugger related code
+#options 	KDB_TRACE		# Print a stack trace for a panic
+#options 	STACK			# stack(9) support
+
+
+options		CPU_ELAN
+options		CPU_SOEKRIS		# Some units are Soekris Machines.
+options		CPU_GEODE		# net4801 requirement
+options		HZ=250			# Because ofthe "ELAN" timecounter.
+
+options		DEVICE_POLLING		# Make our (old board) sis(4) faster.
+
+options		NO_SWAPPING		# Embedded Machines.
+options		SW_WATCHDOG		# Remote emergency reboots.
+
+options         ROUTETABLES=6		# Multiple routing table support
+
+# To statically compile in device wiring instead of /boot/device.hints
+#hints		"GENERIC.hints"		# Default places to look for devices.
+
+options 	SCHED_ULE		# ULE scheduler
+options 	PREEMPTION		# Enable kernel thread preemption
+options 	INET			# InterNETworking
+options 	INET6			# IPv6 communications protocols
+options 	SCTP			# Stream Control Transmission Protocol
+options 	FFS			# Berkeley Fast Filesystem
+options 	SOFTUPDATES		# Enable FFS soft updates support
+options         NFS_ROOT		# Allow NFS to be / mount (testing purposes)
+options 	NFSCLIENT		# Network Filesystem Client
+options 	PSEUDOFS		# Pseudo-filesystem framework
+options 	GEOM_LABEL		# Provides labelization
+options 	KTRACE			# ktrace(1) support
+options 	SYSVSHM			# SYSV-style shared memory
+options 	SYSVMSG			# SYSV-style message queues
+options 	SYSVSEM			# SYSV-style semaphores
+options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
+options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
+options 	INCLUDE_CONFIG_FILE     # Include this file in kernel
+
+# Bus support.
+device		eisa
+device		pci
+
+# ATA controllers
+device		ahci		# AHCI-compatible SATA controllers
+device		ata		# Legacy ATA/SATA controllers
+options 	ATA_CAM		# Handle legacy controllers with CAM
+options 	ATA_STATIC_ID	# Static device numbering
+
+# ATA/SCSI peripherals
+device		scbus		# SCSI bus (required for ATA/SCSI)
+device		da		# Direct Access (disks)
+
+# Add suspend/resume support for the i8254.
+device		pmtimer
+
+# PCCARD (PCMCIA) support
+# PCMCIA and cardbus bridge support
+device		cbb		# cardbus (yenta) bridge
+device		pccard		# PC Card (16-bit) bus
+device		cardbus		# CardBus (32-bit) bus
+
+# Serial (COM) ports
+device		uart		# Generic UART driver
+
+# PCI Ethernet NICs that use the common MII bus controller code.
+# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
+device		miibus		# MII bus support
+device		vr		# VIA Rhine, Rhine II
+device		sis		# SiS 900/SiS 7016
+
+# Wireless NIC cards
+device		wlan		# 802.11 support
+options 	IEEE80211_DEBUG	# enable debug msgs
+options 	IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
+options 	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
+device		ath		# Atheros NIC's
+device		ath_pci		# Atheros pci/cardbus glue
+device		ath_hal		# pci/cardbus chip support
+options 	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
+device		ath_rate_sample	# SampleRate tx rate control for ath
+device		ral		# Ralink Technology RT2500 wireless NICs.
+device		wi		# WaveLan/Intersil/Symbol 802.11 wireless NICs.
+
+# Pseudo devices.
+device		loop		# Network loopback
+device		random		# Entropy device
+device		ether		# Ethernet support
+device		vlan		# 802.1Q VLAN support
+device		tun		# Packet tunnel.
+device		pty		# BSD-style compatibility pseudo ttys
+device		md		# Memory "disks"
+device		gif		# IPv6 and IPv4 tunneling
+device		faith		# IPv6-to-IPv4 relaying (translation)
+device		firmware	# firmware assist module
+
+# The `bpf' device enables the Berkeley Packet Filter.
+# Be aware of the administrative consequences of enabling this!
+# Note that 'bpf' is required for DHCP.
+device		bpf		# Berkeley packet filter
+
+# USB support
+options 	USB_DEBUG	# enable debug msgs
+device          uhci            # UHCI PCI->USB interface
+device          ohci            # OHCI PCI->USB interface
+device          ehci            # EHCI PCI->USB interface (USB 2.0)
+device		xhci		# XHCI PCI->USB interface (USB 3.0)
+device          usb             # USB Bus (required)
+device		umass		# Disks/Mass storage - Requires scbus and da
+# USB Serial devices
+device		u3g		# USB-based 3G modems (Option, Huawei, Sierra)
+device		uark		# Technologies ARK3116 based serial adapters
+device		ubsa		# Belkin F5U103 and compatible serial adapters
+device		uftdi		# For FTDI usb serial adapters
+device		uipaq		# Some WinCE based devices
+device		uplcom		# Prolific PL-2303 serial adapters
+device		uslcom		# SI Labs CP2101/CP2102 serial adapters
+device		uvisor		# Visor and Palm devices
+device		uvscom		# USB serial support for DDI pocket's PHS
+# USB Ethernet, requires miibus
+device		aue		# ADMtek USB Ethernet
+device		axe		# ASIX Electronics USB Ethernet
+device		cdce		# Generic USB over Ethernet
+device		cue		# CATC USB Ethernet
+device		kue		# Kawasaki LSI USB Ethernet
+device		mos		# Mos USB Ethernet
+device		rue		# RealTek RTL8150 USB Ethernet
+device		udav		# Davicom DM9601E USB
+# USB Wireless
+device		rum		# Ralink Technology RT2501USB wireless NICs
+device		run		# Ralink Technology RT2700/RT2800/RT3000 NICs.
+device		uath		# Atheros AR5523 wireless NICs
+device		upgt		# Conexant/Intersil PrismGT wireless NICs.
+device		ural		# Ralink Technology RT2500USB wireless NICs
+device		urtw		# Realtek RTL8187B/L wireless NICs
+device		zyd		# ZyDAS zd1211/zd1211b wireless NICs
+
+#
+# Authentication, encryption and protection on network layer
+device		wlan_xauth		#802.11 external authenticator support
+device		enc			#IPsec interface
+device          crypto          	# core crypto support
+device          cryptodev       	# /dev/crypto for access to h/w
+device          pf                      #PF OpenBSD packet-filter firewall
+device          pflog                   #logging support interface for PF
+options         IPSEC                   #IP security (requires device crypto)
+options         IPSEC_FILTERTUNNEL      #filter ipsec packets from a tunnel
+
+# glxsb is a driver for the Security Block in AMD Geode LX processors.
+# Requires 'device crypto'.
+device          glxsb           # AMD Geode LX Security Block
+
+# Allow combining interfaces
+device		if_bridge
+
+# Needed for VPN and other alternative tunnels
+device          tap
+
+# In case we like to limit and play more clever with inet traffic and running
+# queues and such.
+options         ALTQ
+options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
+options         ALTQ_RED        # Random Early Detection (RED)
+options         ALTQ_RIO        # RED In/Out
+options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
+options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
+
+# Make ipfw firewall with NAT available for use, also see:
+# http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html
+options		IPFIREWALL
+options		IPFIREWALL_VERBOSE
+options		IPFIREWALL_VERBOSE_LIMIT=5
+options		IPFIREWALL_DEFAULT_TO_ACCEPT
+options		IPDIVERT
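Review bot: The `IPFIREWALL_DEFAULT_TO_ACCEPT` option near the end of the hunk makes the ipfw layer fail-open: when no rule set gets loaded (for example because rc.firewall errors out) every packet passes, and nothing in the comment block above it records that this is deliberate. I would extend the comment above `options IPFIREWALL` with `# DEFAULT_TO_ACCEPT: passes all traffic when no ipfw ruleset is loaded; pf is presumably the primary filter on these nodes`, confirming that presumption against the rc.conf shipped in files/. The `NFS_ROOT` line is still annotated "(testing purposes)" while being compiled into what the header describes as a remote-location production kernel; either drop the option or reword the comment to say it is intentionally kept. `IEEE80211_DEBUG` and `USB_DEBUG` likewise enable extra diagnostic paths on a size-constrained image and would benefit from a one-line note on why they stay in.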
Index: /branches/releng-10/nanobsd/cfg/nanobsd.wleiden
===================================================================
--- /branches/releng-10/nanobsd/cfg/nanobsd.wleiden	(revision 12525)
+++ /branches/releng-10/nanobsd/cfg/nanobsd.wleiden	(revision 12525)
@@ -0,0 +1,455 @@
+## Dit is een NanoBSD configuratie-template voor WirelessLeiden.   
+## Instellingen weergegeven binnen dit bestand gelden als 
+## standaard binnen de organisatie.
+
+# Little hack to allow proper secify of KERNL/PKG location
+if [ -n "$NANO_CFG_FILE" ]; then
+  NANO_CONF_DIR=$(cd $(dirname $NANO_CFG_FILE); pwd -P)
+else
+  NANO_CONF_DIR=$(cd $(dirname $2); pwd -P)
+fi
+
+# object naam in /usr/obj/nanobsd.{obj}
+NANO_NAME=wleiden-hybrid
+NANO_SRC=/usr/src 		# nanobsd source tree
+NANO_KERNEL=$NANO_CONF_DIR/kernel.wleiden # naam van het kernel configuratiebestand
+NANO_IMAGES=2			# aantal nanobsd code slices/installs (1/2)   
+
+NANO_CONFSIZE=8192 		# volume van de config slice, default 2048 (512bs) 
+NANO_DATASIZE=0			# volume van de data slice, 0 = not configured
+NANO_CODESIZE=819200
+NANO_RAM_TMPVARSIZE=20480
+
+NANO_DRIVE=ada0
+
+#XXX: Eeks, fixed packages, needs building a hook to allow building the package
+# of the shelfs if needed, copy to right directory, done. With only input needed
+# a list of ports in the format like net/net-snmp
+NANO_PACKAGE_DIR=$NANO_CONF_DIR/../pkg/All
+
+# Wireless Leiden ports from $WL_PORTSDIR are copied OVER $PORTSDIR
+PORTSDIR='/usr/ports'
+WL_PORTSDIR="$NANO_CONF_DIR/../ports/"
+
+# Dirty quirk to allow comments in part below
+PACKAGE_LIST=`cat <<EOF | sed -e 's/#.*$//g' | xargs
+benchmarks/iperf
+devel/py-Jinja2
+devel/py-yaml
+dns/dnsmasq
+editors/vim-lite
+ftp/curl
+lang/python
+net-mgmt/iftop
+net-mgmt/net-snmp
+net-mgmt/nrpe2
+net/mtr
+net/isc-dhcp42-server
+net/pen 
+net/sixxs-aiccu
+security/nmap
+security/openvpn
+security/sudo
+shells/bash-static
+sysutils/screen
+sysutils/pftop
+sysutils/ucspi-tcp
+www/thttpd
+www/tinyproxy
+
+# Extra WL ports
+net/lvrouted
+`
+# Package target
+PKG_MAKE_ARGS="PACKAGES=$(dirname $NANO_PACKAGE_DIR) BATCH=yes PACKAGE_BUILDING=yes"
+
+PKG_MAKE_CONF="
+# www/py-cherrypy         - include apache templating
+# net-mgmt/net-snmp       - no perl please (size)
+# net-mgmt/nagios-plugins - no threading (single CPU)
+# shells/bash-static      - logging via syslog
+# net/mtr		  - no X11 (no screen)
+OPTIONS_SET=	APACHE FPING SYSLOG
+OPTIONS_UNSET=	PERL PERL_EMBEDDED THREADS X11
+"
+
+##NANO_PACKAGE_LIST=
+
+# Warning: set to 1 to debug make build errors
+# Number of recurrent parrallel make builds
+if `grep -q 'acpi0: <PRLS PRLS_OEM> on motherboard' /var/run/dmesg.boot`; then
+  # Mac OS X Parallels virtual machine
+  NANO_PMAKE="make -B" 	
+else
+  # Default 2 times number of CPU's inside machine
+  NANO_PARALLEL_MAKE=`expr $(sysctl -n hw.ncpu) \* 2`
+  NANO_PMAKE="make -j ${NANO_PARALLEL_MAKE}" 	
+fi
+
+# Starting from soekris bios version 1.31 upwards boot0sio does not seems work
+# anymore, but boot0 does (weird)
+NANO_BOOTLOADER="boot/boot0"
+
+# Strip down to a more acceptable size
+# hints from http://people.freebsd.org/~phk/nanobsd/soekris_4x26/make.soekris_4x26.conf (46MB)
+NANO_PRUNE="$NANO_PRUNE usr/share/examples"
+NANO_PRUNE="$NANO_PRUNE usr/share/syscons"
+NANO_PRUNE="$NANO_PRUNE usr/share/calendar"
+# NB!  usr/share/misc contains termcap, vi(1) etc fails to work without it.
+# NANOBSD_PRUNE	+=	usr/share/misc
+NANO_PRUNE="$NANO_PRUNE usr/share/pcvt"
+NANO_PRUNE="$NANO_PRUNE usr/share/me"
+NANO_PRUNE="$NANO_PRUNE usr/share/doc"
+
+
+
+
+
+# Opties parsed gedurende build & install world
+# Also check man 3 src.conf for details
+# Some flags are misleading, e.g. could only be installworld (e.g.), for details:
+#     http://phk.freebsd.dk/misc/build_options/
+# For details on make options also check:
+#     /usr/src/share/mk/bsd.own.mk
+CONF_COMMON='
+# Specific enabled options
+#WITHOUT_ACPI=YES			# geen advanced configuration power interface
+#WITHOUT_BIND=YES			# geen bind tools, dns/named geinstalleerd
+#WITHOUT_CXX=YES			# Set to not build g++(1) and related libraries.
+#WITHOUT_GROFF=YES			# Set to not build groff(1).
+#WITHOUT_INET6=YES			# geen ondersteuning inet versie 6 architectuur
+#WITHOUT_INFO=YES			# geen info bestanden, readable online docs
+#WITHOUT_IPFILTER=YES			# geen ip filtering geinstalleerd
+#WITHOUT_KLDLOAD=YES			# do not allow loading of kernel modules
+#WITHOUT_MAILWRAPPER=YES 		# geen mailwrapper bij gebruik sendmail
+#WITHOUT_MAN=YES			# geen handleidingen gecompileerd
+#WITHOUT_MISC=YES			# geen misc sub directory
+#WITHOUT_MODULES=YES			# geen ondersteuning toevoegen modules
+#WITHOUT_PAM=YES			# geen ondersteuning pa modules
+#WITHOUT_PF=YES				# geen packet filtering geinstalleerd 
+#WITHOUT_SHARE=YES			# geen share sub directory 
+#WITHOUT_USB=YES			# geen ondersteuning usb modules
+# Specific disabled options
+WITHOUT_ATM=YES				# geen ondersteuning Asynchronous Transfer Mode
+WITHOUT_AUDIT=YES			# geen event auditing / audit trails	
+WITHOUT_AUTHPF=YES			# geen authenticating gateway user shell
+WITHOUT_BLUETOOTH=YES			# geen ondersteuning Bluetooth modules
+WITHOUT_CALENDAR=YES			# geen calendar reminder service gecompileerd
+WITHOUT_CDDL=YES			# Set to not build code licensed under Sun CDDL. (also ZFS)
+WITHOUT_CPP=YES				# Set to not build cpp(1).
+WITHOUT_CVS=YES				# geen cvs tools geinstalleerd
+WITHOUT_DICT=YES			# geen dictionary ondersteuning
+WITHOUT_EXAMPLES=YES			# geen voorbeeld configuratiebestanden
+WITHOUT_FORTRAN=YES			# geen ondersteuning fortran compilers
+WITHOUT_GAMES=YES			# geen games gecompileerd
+WITHOUT_GCOV=YES			# geen gcov test coverage program
+WITHOUT_GDB=YES				# geen gnu debugger gecompileerd
+WITHOUT_GPIB=YES			# geen ondersteuning gpib kaarten
+WITHOUT_HTML=YES			# geen html help bestanden gecompileerd
+WITHOUT_I4B=YES				# geen ondersteuning voor isdn
+WITHOUT_IPX=YES				# geen ondersteuning ipx protocols
+WITHOUT_KERBEROS=YES			# geen ondersteuning Kerberos authenticatie
+WITHOUT_LOCALES=YES			# geen ondersteuning lokalisatie 
+WITHOUT_LPR=YES				# geen ondersteuning print services
+WITHOUT_NIS=YES				# geen ondersteuning network information system
+WITHOUT_PROFILE=YES			# Set to avoid compiling profiled libraries.
+WITHOUT_RCMDS=YES			# geen ondersteuning rcmds,
+WITHOUT_RESCUE=YES			# geen rescue bestanden gecompileerd
+WITHOUT_SENDMAIL=YES			# geen sendmail geinstalleerd	
+WITHOUT_SHAREDOCS=YES			# geen share/docs directories
+WITHOUT_SYSCONS=YES			# geen syscon devices gecompileerd
+'
+
+CONF_BUILD="
+${CONF_COMMON}
+"
+
+CONF_INSTALL="
+${CONF_COMMON}
+WITHOUT_TOOLCHAIN=YES			# geen freebsd toolchain
+"
+
+
+# Flash disks arrived, sandisk 1g seems to match the geometry of the (blanc) cards
+#FlashDevice sandisk  1g   	# nanobsd flashdevice entry
+#FlashDevice sandisk 512mb    	# nanobsd flashdevice entry
+#FlashDevice transcend 2g 	# nanobsd flashdevice entry
+# Calculated value of PEAK hardware 1GB CF card
+# C/H/S phys 1954/16/63, logical 977/32/63    
+# Mediasize is calculated as C*H*S*512        
+
+# Using logical values reported by ALIX board
+# values for PCEngines blanc 1 GB cards
+# C/H/S phys 1966/16/63, logical 983/32/63
+NANO_MEDIASIZE=`expr 1008451584 / 512`
+NANO_HEADS=32                            
+NANO_SECTS=63                            
+
+
+# Version tagging
+cust_version_tag() (
+	VERSION_FILE="${NANO_WORLDDIR}/tools/wl-release.txt" 
+	(
+	echo "Generated by `id -un`@`hostname -f` at `date`"
+	echo ""	
+	echo "=== CONFIG specifics ==="
+	svn info ${NANO_CONF_DIR}/../ || exit 0
+	svn diff ${NANO_CONF_DIR}/../ || exit 0
+	echo "=== BEGIN CONFIG specifics ==="
+	) > $VERSION_FILE
+)
+
+# Takes a very long time (10+) minutes to generate this file on an ALIX board,
+# not practical for quick debugging and configuration.
+cust_openvpn_dhparam() (
+	DHFILE=${NANO_WORLDDIR}/etc/easy-rsa-keys/dh1024.pem
+        mkdir -p `dirname $DHFILE`
+	openssl dhparam -out $DHFILE 1024
+)
+
+
+
+# Assuming we are running a safe envirionment where snooping could occur during or after the build
+cust_set_root_password() (
+	if [ -n "${CFG_ROOT_PASSWORD}" ]; then
+		pprint 2 "Set root password using CFG_ROOT_PASSWORD variable"
+		chroot ${NANO_WORLDDIR} sh -c "echo '${CFG_ROOT_PASSWORD}' | pw usermod -h 0 -u root"
+	else
+        	pprint 2 "Root password is <blank>, no password provided at variable CFG_ROOT_PASSWORD"
+	fi
+)
+
+
+
+# EXPERIMENTAL patch like envirionment
+# Using '*-nanobsd.patch' files to only specify the bare differences between the base/default file to 
+# keep us as close as possible to the base OS
+# Patches are applied to the directory they live in
+cust_apply_nanobsd_patches() (
+	for PATCHFILE in `find ${NANO_WORLDDIR} -regex '.*-nanobsd\.patch$'`; do
+		cd `dirname ${PATCHFILE}`
+		patch -t -N -p0 -i `basename ${PATCHFILE}`
+		#XX: What to with installed patch files? Delete them for the  time beeing
+		rm -v ${PATCHFILE}
+	done
+
+
+
+)
+
+
+
+# Compile & install lvroute daemon vanuit source in svn
+cust_install_lvrouted() (
+	svn co http://svn.wirelessleiden.nl/svn/node-config/other/lvrouted/trunk/ /tmp/lvrouted 
+	cd /tmp/lvrouted && autoconf && autoheader && ./configure && make || true
+	cp src/lvrouted.opt ${NANO_WORLDDIR}/usr/local/sbin
+)
+
+
+
+# Customize ntpd
+cust_ntpd() (
+        chroot ${NANO_WORLDDIR} sh -c "ln -fs /usr/local/etc/ntp.drift /var/db/ntp.drift"	
+)
+
+
+# Enable Serial TTYs
+cust_serial_ttys() (
+        chroot ${NANO_WORLDDIR} sed -i '' -e '/ttyv[0-9]/s/on /off/' -e '/ttyu0/s/off/on/' -e '/ttyu0/s/dialup/ansi/' /etc/ttys
+)
+
+
+
+# Install files from specific relative location
+cust_install_files () (
+	cd ${NANO_CONF_DIR}/../files
+	find . -print | grep -v -e /CVS -e .svn  | cpio -dumpv ${NANO_WORLDDIR}
+)
+
+
+# pkgdb should live on persistent storage only
+cust_alternate_pkg_db () (
+	mkdir -p ${NANO_WORLDDIR}/usr/local/var/db/pkg ${NANO_WORLDDIR}/usr/local/tmp
+        touch ${NANO_WORLDDIR}/usr/local/tmp/.hack-to-avoid-pruning-directory
+        # sh profile
+	( echo 'PKG_DBDIR=/usr/local/var/db/pkg; export PKG_DBDIR'; \
+	echo 'PKG_TMPDIR=/usr/local/tmp; export PKG_TMPDIR' ) >> ${NANO_WORLDDIR}/etc/profile
+        # csh profile
+	( echo 'setenv PKG_DBDIR /usr/local/var/db/pkg'; \
+	echo 'setenv PKG_TMPDIR /usr/local/tmp' ) >> ${NANO_WORLDDIR}/etc/csh.cshrc
+
+	rmdir ${NANO_WORLDDIR}/var/db/pkg
+        ln -s /usr/local/var/db/pkg ${NANO_WORLDDIR}/var/db/pkg
+)
+
+# Make tools available for root by default
+cust_root_bin_to_tools() {
+	ln -s /tools ${NANO_WORLDDIR}/root/bin
+}
+
+# Directly stolen from /usr/src/tools/tools/nanobsd/nanobsd.sh, and make sure
+# to source /etc/profile in chroot to get PKG_* included, for alternate installs
+cust_pkg () (
+	# If the package directory doesn't exist, we're done.
+	if [ ! -d ${NANO_PACKAGE_DIR} ]; then
+		echo "DONE 0 packages"
+		return 0
+	fi
+
+	# Make sure to enable /dev as easy_install requires it for example
+	mount -t devfs devfs ${NANO_WORLDDIR}/dev
+        trap "umount ${NANO_WORLDDIR}/dev" 0
+        trap "exit 1" 1 2 3 15
+
+	# Copy packages into chroot
+	mkdir -p ${NANO_WORLDDIR}/Pkg
+	(
+		cd ${NANO_PACKAGE_DIR}
+		find ${NANO_PACKAGE_LIST} -print |
+		    cpio -Ldumpv ${NANO_WORLDDIR}/Pkg
+	)
+
+	# Count & report how many we have to install
+	todo=`ls ${NANO_WORLDDIR}/Pkg | wc -l`
+	echo "=== TODO: $todo"
+	ls ${NANO_WORLDDIR}/Pkg
+	echo "==="
+        NANO_PKG_DBDIR=${NANO_WORLDDIR}/`chroot ${NANO_WORLDDIR} sh -c '. /etc/profile; echo ${PKG_DBDIR:-/var/db/pkg}'`
+	while true
+	do
+		# Record how many we have now
+		have=`ls ${NANO_PKG_DBDIR} | wc -l`
+
+		# Attempt to install more packages
+		# ...but no more than 200 at a time due to pkg_add's internal
+		# limitations.
+		chroot ${NANO_WORLDDIR} sh -c \
+			'. /etc/profile; ls Pkg/*tbz | xargs -n 200 pkg_add -F' || true
+
+		# See what that got us
+		now=`ls ${NANO_PKG_DBDIR} | wc -l`
+		echo "=== NOW $now"
+		ls ${NANO_PKG_DBDIR}
+		echo "==="
+
+
+		if [ $now -eq $todo ] ; then
+			echo "DONE $now packages"
+			break
+		elif [ $now -eq $have ] ; then
+			echo "FAILED: Nothing happened on this pass"
+			exit 2
+		fi
+	done
+	rm -rf ${NANO_WORLDDIR}/Pkg
+
+        # Return normal trap behaviour
+        trap - 1 2 3 15 
+)
+
+
+# Prune no needed directories of image
+cust_nano_prune () (
+	cd ${NANO_WORLDDIR}
+	for ENTRY in ${NANO_PRUNE}; do
+		rm -vfR ${ENTRY}
+	done
+)
+
+# We actually do need an seperate /tmp, so undo the symlinking done in
+# setup_nanobsd()
+late_cust_unset_common_var_and_tmp() (
+	cd ${NANO_WORLDDIR}
+        rm tmp
+	mkdir -m 1777 tmp
+)
+
+
+# Fill /cfg wmth custom files, based on 'create_i386_diskimage ( )'
+last_nano_fill_cfg () (
+	# Variables to be used
+	IMG=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
+	MNT=${MAKEOBJDIRPREFIX}/_.mnt
+
+	# Mount '/cfg' slize in image
+	MD=`mdconfig -a -t vnode -f ${IMG}`
+	mount /dev/${MD}s3 ${MNT}
+
+	# Location of '/cfg' directory
+	cd ${NANO_CONF_DIR}/../cfg-files
+	find . -print | grep -v -e /CVS -e .svn  | cpio -dumpv ${MNT}
+	
+	
+	# Leave in nice end state
+	umount ${MNT}
+	mdconfig -d -u ${MD}
+) > ${MAKEOBJDIRPREFIX}/_.fc 2>&1
+
+last_nano_disk_usage () (
+	# Variables to be used
+	IMG=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
+	MNT=${MAKEOBJDIRPREFIX}/_.mnt
+
+	# Mount root slize 
+	MD=`mdconfig -a -t vnode -f ${IMG}`
+	mount /dev/${MD}s1a ${MNT}
+
+	# Show disk usage (percent free) inc header
+	pprint 2  $(df -h | head -1)
+        pprint 2 "$(df -h | grep /dev/${MD})"
+
+	# Leave in nice end state
+	umount ${MNT}
+	mdconfig -d -u ${MD}
+)
+
+last_orders () (
+	last_nano_fill_cfg
+	last_nano_disk_usage
+)
+
+# Ugly hack to 'escaping' pprint from inside a customize_cmd to output
+# instead of a file
+exec 3>/dev/stdout
+# Progress Print
+#       Print $2 at level $1 
+pprint() {
+    if [ "$1" -le $PPLEVEL ]; then
+        printf "%.${1}s %s\n" "#####" "$2" 1>&3
+    fi
+}
+
+# Cust macro`s gestart in onderstaande volgorde
+# XXX: Determine size before installing all find of additions to see how much
+# base we are actually using ## du -h -d 0
+customize_cmd cust_alternate_pkg_db
+customize_cmd cust_pkg
+customize_cmd cust_install_files
+customize_cmd cust_ntpd
+customize_cmd cust_serial_ttys
+customize_cmd cust_version_tag
+customize_cmd cust_root_bin_to_tools
+customize_cmd cust_allow_ssh_root
+customize_cmd cust_openvpn_dhparam
+customize_cmd cust_nano_prune
+customize_cmd cust_set_root_password
+customize_cmd cust_apply_nanobsd_patches
+late_customize_cmd late_cust_unset_common_var_and_tmp
+
+# Standard overwrite
+if [ -r "$NANO_CONF_DIR/nanobsd.local" ]; then
+ . $NANO_CONF_DIR/nanobsd.local
+fi
+
+# Extra config if existing is not suffient
+if [ -n "$EXTRA_NANOBSD_CONFIG" ]; then
+  for FILE in $EXTRA_NANOBSD_CONFIG; do
+    # File relative to config directory
+    if [ "`echo $FILE | cut -c1`" != "/" ]; then
+      FILE=$NANO_CONF_DIR/$FILE
+    fi
+    pprint 1 "Loading $FILE"
+    . $FILE || exit 1
+  done
+fi
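Review bot: In cust_set_root_password the line `chroot ${NANO_WORLDDIR} sh -c "echo '${CFG_ROOT_PASSWORD}' | pw usermod -h 0 -u root"` interpolates the password into a shell command string, so a value containing a single quote breaks the quoting and is interpreted by the chroot's sh, and the cleartext password is also visible in the build host's process list via the `sh -c` argument (the comment above the function only partly covers this). Pass it over stdin instead, `printf '%s\n' "${CFG_ROOT_PASSWORD}" | chroot "${NANO_WORLDDIR}" pw usermod -n root -h 0`, which also makes the quirk of `echo` interpreting leading `-n` or backslashes irrelevant. cust_openvpn_dhparam generates 1024-bit DH parameters (`openssl dhparam -out $DHFILE 1024`); if the file is still consumed by OpenVPN, the size should be raised or the comment should state that 1024 is a deliberate ALIX build-time trade-off. `customize_cmd cust_allow_ssh_root` registers a function that is not defined anywhere in this file; presumably it comes from nanobsd.local or EXTRA_NANOBSD_CONFIG, which a comment on that line should say, since an undefined name fails only at customize time. The `if \`grep -q ...\`` test at the top relies on an empty command substitution inheriting grep's status; `if grep -q '...' /var/run/dmesg.boot; then` is the intended form.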
Index: /branches/releng-10/nanobsd/files/CREDITS
===================================================================
--- /branches/releng-10/nanobsd/files/CREDITS	(revision 12525)
+++ /branches/releng-10/nanobsd/files/CREDITS	(revision 12525)
@@ -0,0 +1,4 @@
+Stichting Wireless Leiden likes to thanks their valuable contributers for
+contributions present and in the past.
+
+XXX: Make me an name listing here (or sync it from the website).
Index: /branches/releng-10/nanobsd/files/FILE_LISTING.txt
===================================================================
--- /branches/releng-10/nanobsd/files/FILE_LISTING.txt	(revision 12525)
+++ /branches/releng-10/nanobsd/files/FILE_LISTING.txt	(revision 12525)
@@ -0,0 +1,22 @@
+# File or directory and it's purpose in this build
+./boot.config				# Serial console output
+./boot/loader.conf			# Serial console output
+./etc/crontab				# Extra calls for pen & ntp
+./etc/namedb/named.conf			# Custom named configuration
+./etc/ntp.conf				# Custom ntp configuration
+./etc/rc.conf				# Highly customized rc.conf
+./etc/syslog.conf			# Remote syslogging enabing
+./root/.ssh				# Template directory for authorized_keys file
+./tools/change_password			# Allow persistent changing of root password 
+./tools/save_sshkeys			# Allow persistent saving of host ssh keys
+./tools/updatep1			# phk image on slice 1 update script
+./tools/updatep2			# phk image on slice 2 update script
+./tools/wl-config			# WL node specific configuration fetch and update script
+./tools/wl-version			# Version debug tool, gather statistics for debugging
+./usr/lib/aout/.keep_me			# Little hack to have /etc/rc.d/ldconfig stop nagging about missing (pruned) dir
+./usr/local/etc/dhcpd-snmp.conf		# dhcp-snmp cofiguration
+./usr/local/etc/dhcpd.conf		# Initial custom dhcpd.conf
+./usr/local/etc/rc.d/lvrouted.sh	# lvrouted startup script
+./usr/local/etc/rc.d/nanobsd-save-sshkeys # Allow saving ssh-keys after generation
+./usr/local/share/snmp/mibs/IEEE802dot11-MIB.txt # Draft MIB
+./usr/local/share/snmp/snmpd.conf	# Custom snmpd configuration
Index: /branches/releng-10/nanobsd/files/LICENSE
===================================================================
--- /branches/releng-10/nanobsd/files/LICENSE	(revision 12525)
+++ /branches/releng-10/nanobsd/files/LICENSE	(revision 12525)
@@ -0,0 +1,33 @@
+Copyright (c) 2002-2012 Stichting Wireless Leiden,
+	All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE STICHTING WIRELESS LEIDEN, ITS
+MEMBERS, THE SOFTWARE AUTHORS OR ITS CONTRIBUTORS BE LIABLE FOR 
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 
+IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+POSSIBILITY OF SUCH DAMAGE.
+
+======================================================================
+
+This software consists of voluntary contributions made by many
+individuals on behalf of the Stichting Wireless Leiden. For more
+information see http://www.wirelessleiden.nl/
Index: /branches/releng-10/nanobsd/files/boot.config
===================================================================
--- /branches/releng-10/nanobsd/files/boot.config	(revision 12525)
+++ /branches/releng-10/nanobsd/files/boot.config	(revision 12525)
@@ -0,0 +1,1 @@
+-h
Index: /branches/releng-10/nanobsd/files/boot/loader.conf
===================================================================
--- /branches/releng-10/nanobsd/files/boot/loader.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/boot/loader.conf	(revision 12525)
@@ -0,0 +1,21 @@
+# No funky Beasty, but boring default, and gone in 1 second to make it go quick :-(
+beastie_disable="YES"
+autoboot_delay="1"
+
+# Some apache hyper speed module, we properly this don't need this, but still
+# saves a startup warning
+accf_http_load="YES"
+
+# Named started nagging, claiming (to many) files if unable to reach master for
+# quite some time
+kern.maxfiles="5000"
+
+# The unlucky NET4801 does not properly support DMA (we don't need it anyways)
+# http://lists.soekris.com/pipermail/soekris-tech/2008-August/014788.html
+hw.ata.ata_dma="0"
+
+# Prefers stability over preformance disable Write Caching (man 4 ata) 
+hw.ata.wc="0"
+
+# Force output to run trough the comconsole, no exceptions
+console="comconsole"
Index: /branches/releng-10/nanobsd/files/etc/crontab
===================================================================
--- /branches/releng-10/nanobsd/files/etc/crontab	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/crontab	(revision 12525)
@@ -0,0 +1,41 @@
+# /etc/crontab - root's crontab for FreeBSD
+#
+# $FreeBSD: src/etc/crontab,v 1.32.32.1 2008/11/25 02:59:29 kensmith Exp $
+#
+SHELL=/bin/sh
+PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+HOME=/var/log
+#
+#minute	hour	mday	month	wday	who	command
+#
+*/5	*	*	*	*	root	/usr/libexec/atrun
+#
+# Save some entropy so that /dev/random can re-seed on boot.
+*/11	*	*	*	*	operator /usr/libexec/save-entropy
+#
+# Rotate log files every hour, if necessary.
+0	*	*	*	*	root	newsyslog
+#
+# Perform daily/weekly/monthly maintenance.
+1	3	*	*	*	root	periodic daily
+15	4	*	*	6	root	periodic weekly
+30	5	1	*	*	root	periodic monthly
+#
+# Adjust the time zone if the CMOS clock keeps local time, as opposed to
+# UTC time.  See adjkerntz(8) for details.
+1,31	0-5	*	*	*	root	adjkerntz -a
+#
+# WL NanoBSD Custom Rules
+#
+# Write updates for ntp.drift to flash
+0	12	*	*	*	root	/tools/store-ntpdrift
+#
+# Nagios checks
+*/15	*	*	*	*	root	/tools/check-inet-alive
+# Portal maintenance
+*/5	*	*	*	*	root	/usr/local/www/wlportal/index.cgi cleanup
+# Resolv optimizer
+*/15	*	*	*	*	root	/tools/nameserver-shuffle cron
+# Sync ``shadow'' routing table
+*/5	*	*	*	*	root	/tools/sync-fib-tables
+
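Review bot: The portal maintenance entry `*/5 * * * * root /usr/local/www/wlportal/index.cgi cleanup` runs a web-facing CGI script with root privileges every five minutes; if the cleanup only touches portal-owned state it could run as the web server's user instead, and otherwise the line deserves a comment recording why root is required. The other custom entries call scripts under /tools, which FILE_LISTING.txt describes as a helper-script directory; a short comment naming where those scripts are expected to come from (the files/tools tree or the /tools symlink set up in the nanobsd config) would help whoever edits this crontab without the rest of the checkout. Whether /usr/local/www/wlportal is writable by the web user cannot be told from this page, so the least-privilege point is a question to confirm rather than a defect.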
Index: /branches/releng-10/nanobsd/files/etc/dhclient-exit-hooks
===================================================================
--- /branches/releng-10/nanobsd/files/etc/dhclient-exit-hooks	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/dhclient-exit-hooks	(revision 12525)
@@ -0,0 +1,53 @@
+#!/bin/sh -
+#
+# An normal proxy should not have an defaultrouter configured, as all calls to
+# the outside world are handled via PF redirects.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+
+. /etc/rc.subr
+
+: ${service_proxy_normal="NO"}
+: ${service_proxy_ileiden="NO"}
+: ${service_accesspoint="NO"}
+
+load_rc_config 'ileiden'
+
+update_pf_conf() {
+  $LOGGER "reason: $reason"
+  if is_default_interface 2>/dev/null; then
+    $LOGGER "is_default_interface: TRUE"
+    $LOGGER "`sysctl net.my_fib`"
+    new_ext_if_gw=`route -n get default 2>/dev/null | awk '/gateway/ {print $2}'`
+    $LOGGER "prev default gateway: $ext_if_gw"
+    $LOGGER "curr default gateway: $new_ext_if_gw"
+    if [ -n "$new_ext_if_gw" -a "$new_ext_if_gw" != "$ext_if_gw" ];  then
+      $LOGGER "Syncing new default route ($new_ext_if_gw) to routing table 1"
+      { grep -v '^ext_if_gw=' $rc_conf_running; echo "ext_if_gw=$new_ext_if_gw"; } > $rc_conf_running
+      $LOGGER "`setfib 1 route -q del default 2>&1`"
+      $LOGGER "`setfib 1 route -q add default $new_ext_if_gw 2>&1`"
+    fi
+  else
+    $LOGGER "is_default_interface: FALSE"
+  fi
+
+  # Make sure not to nuke the default route on an ileiden proxy,
+  # as it will rendering it usefull
+  checkyesno "service_proxy_ileiden" && return
+
+  if [ -n "$new_ext_if_gw" ] && checkyesno "service_proxy_normal" && checkyesno "service_accesspoint"; then
+    $LOGGER "Removing default route from routing table 0 as machine is marked as service_proxy AND service_accesspoint"
+    $LOGGER "`setfib 0 route -q del default 2>&1`"
+  fi
+}
+
+reason=${reason:-${REASON:-"BOUND"}}
+case $reason in
+  BOUND|RENEW|REBIND|REBOOT)
+    update_pf_conf
+    ;;
+  TIMEOUT)
+    update_pf_conf 
+    ;;
+esac
+  
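Review bot: The line `{ grep -v '^ext_if_gw=' $rc_conf_running; echo "ext_if_gw=$new_ext_if_gw"; } > $rc_conf_running` truncates `$rc_conf_running` before grep reads it, because the shell opens the redirection target before running the group, so every other entry in rc.conf.running is lost and the file ends up containing only the new `ext_if_gw=` line. Write to a temporary file and rename it over the original instead: `tmp=$(mktemp "${rc_conf_running}.XXXXXX") || return`, `{ grep -v '^ext_if_gw=' "$rc_conf_running"; echo "ext_if_gw=$new_ext_if_gw"; } > "$tmp"`, `mv -f "$tmp" "$rc_conf_running"`. Since that file is later sourced as shell code by /etc/rc.conf, it is also worth rejecting gateway values that are not a plain address before persisting them, e.g. `case $new_ext_if_gw in *[!0-9.]*) return ;; esac` if only IPv4 gateways are expected (widen the pattern if `route -n get default` can legitimately return something else). `$LOGGER`, `$reason` and `is_default_interface` are presumably provided by the dhclient-script that sources this hook; that is not visible here.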
Index: /branches/releng-10/nanobsd/files/etc/dhclient.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/dhclient.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/dhclient.conf	(revision 12525)
@@ -0,0 +1,11 @@
+# $FreeBSD: src/etc/dhclient.conf,v 1.3.36.1.2.1 2009/10/25 01:10:29 kensmith Exp $
+#
+#	This file is required by the ISC DHCP client.
+#	See ``man 5 dhclient.conf'' for details.
+#
+#	In most cases an empty file is sufficient for most people as the
+#	defaults are usually fine.
+
+# If a proxy get his IP via DHCP it's resolv.conf should keep the relevant entries
+prepend domain-name "wleiden.net ";
+prepend domain-name-servers 127.0.0.1;
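Review bot: The trailing space inside `"wleiden.net "` on the `prepend domain-name` line looks deliberate (presumably to keep the local domain separated from whatever search domains the DHCP server supplies), but nothing says so and a later edit would likely strip it as a typo. Add a comment directly above it, e.g. `# The trailing space is intentional: it separates our domain from the server-supplied search list`.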
Index: /branches/releng-10/nanobsd/files/etc/motd
===================================================================
--- /branches/releng-10/nanobsd/files/etc/motd	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/motd	(revision 12525)
@@ -0,0 +1,3 @@
+Stiching Wireless Leiden Node
+
+WWW: http://www.wirelessleiden.nl
Index: /branches/releng-10/nanobsd/files/etc/motd.cshrc
===================================================================
--- /branches/releng-10/nanobsd/files/etc/motd.cshrc	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/motd.cshrc	(revision 12525)
@@ -0,0 +1,24 @@
+#!/bin/csh
+#
+# Display some tricks and pointers for management on login.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+echo ""
+echo "Statistics:"
+echo " - Build "`grep 'Revision:' /tools/wl-release.txt`
+echo " - Config "`grep Generated /usr/local/etc/wleiden.yaml | tr -d '#'`
+setenv cs_conn `arp -na | grep -v -e ' 00:15:6d' -e 'incomplete' -e 'permanent' -e ' 00:0d:b9' | wc -l`
+setenv cs_auth `pfctl -twlportal -Tshow | wc -l`
+echo " - $cs_conn clients and $cs_auth authenticated"
+echo " - "`uptime`
+echo ""
+echo "Active Bridges:"
+arp -na | grep -e ' 00:15:6d' | sed -e 's/^/ - /' | grep ' ' || echo " - none"
+echo ""
+echo "Active Neighbors:"
+arp -a | grep -v 'permanent' | grep ' 00:0d:b9' |\
+  sed -e 's/^/ - /' -e 's/.wleiden.net//' -e 's/expires .*$//' |\
+  grep ' ' || echo " - none"
+echo ""
+
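Review bot: The MAC prefixes ` 00:15:6d` and ` 00:0d:b9` are repeated across three `grep` calls without any explanation of what hardware they stand for, which makes the bridge/neighbour classification hard to maintain. Set them once at the top, e.g. `set bridge_oui = ' 00:15:6d'` and `set neighbor_oui = ' 00:0d:b9'`, each with a comment naming the device class they identify, and reference the variables in the greps. Separately, `pfctl -twlportal -Tshow` presumably needs access to /dev/pf, so a non-root login would see an error from this banner instead of a count; redirecting its stderr or skipping that line for non-root users would keep the output clean.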
Index: /branches/releng-10/nanobsd/files/etc/newsyslog.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/newsyslog.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/newsyslog.conf	(revision 12525)
@@ -0,0 +1,47 @@
+# configuration file for newsyslog
+# $FreeBSD: src/etc/newsyslog.conf,v 1.52.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
+#
+# Entries which do not specify the '/pid_file' field will cause the
+# syslogd process to be signalled when that log file is rotated.  This
+# action is only appropriate for log files which are written to by the
+# syslogd process (ie, files listed in /etc/syslog.conf).  If there
+# is no process which needs to be signalled when a given log file is
+# rotated, then the entry for that file should include the 'N' flag.
+#
+# The 'flags' field is one or more of the letters: BCGJNUWZ or a '-'.
+#
+# Note: some sites will want to select more restrictive protections than the
+# defaults.  In particular, it may be desirable to switch many of the 644
+# entries to 640 or 600.  For example, some sites will consider the
+# contents of maillog, messages, and lpd-errs to be confidential.  In the
+# future, these defaults may change to more conservative ones.
+#
+# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
+/var/log/all.log			600  7	   *	@T00  J
+/var/log/amd.log			644  7	   100	*     J
+/var/log/auth.log			600  7     100  *     JC
+/var/log/console.log			600  5	   100	*     J
+/var/log/cron				600  3	   100	*     JC
+/var/log/daily.log			640  7	   *	@T00  JN
+/var/log/debug.log			600  7     100  *     JC
+/var/log/kerberos.log			600  7	   100	*     J
+/var/log/lpd-errs			644  7	   100	*     JC
+/var/log/maillog			640  7	   *	@T00  JC
+/var/log/messages			644  5	   100	*     JC
+/var/log/monthly.log			640  12	   *	$M1D0 JN
+/var/log/pflog				600  3	   100	*     JB    /var/run/pflogd.pid
+/var/log/ppp.log	root:network	640  3	   100	*     JC
+/var/log/security			600  10	   100	*     JC
+/var/log/sendmail.st			640  10	   *	168   B
+/var/log/weekly.log			640  5	   1	$W6D0 JN
+/var/log/wtmp				644  3	   *	@01T05 B
+/var/log/xferlog			600  7	   100	*     JC
+#
+# WL NanoBSD Custom Log Files. As-rule-of-thumb, use syslog(4) instead custom
+# created logfile because of locking issues.
+#
+/var/log/wlportal.log			664  3     100  *     JC /var/run/wlportal.pid
+/var/log/snmpd.log                      644  3     100  *     JC
+/var/log/thttpd.log                     644  3     100  *     JC
+/var/log/openvpn.log	                644  3     100  *     JC
+/var/log/tinyproxy.log	                644  3     100  *     JC
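Review bot: `/var/log/wlportal.log` is created with mode `664`, which is group-writable, while every other entry in this file uses 600–644 and the header comment above argues for more restrictive modes, not fewer. Unless a non-root group genuinely needs to append to the portal log, use `644` (or `640`) on that line; if the portal process does run unprivileged, set an explicit `owner:group` field for it rather than opening the file to the default group. The four custom entries at the bottom also use space runs instead of the tab alignment used above, which is cosmetic but worth matching.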
Index: /branches/releng-10/nanobsd/files/etc/nsswitch.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/nsswitch.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/nsswitch.conf	(revision 12525)
@@ -0,0 +1,16 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
+# no NIS
+group: compat
+# group_compat: nis
+hosts: files dns
+networks: files
+passwd: compat
+# passwd_compat: nis
+shells: files
+services: compat
+# services_compat: nis
+protocols: files
+rpc: files
+
Index: /branches/releng-10/nanobsd/files/etc/ntp.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/ntp.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/ntp.conf	(revision 12525)
@@ -0,0 +1,21 @@
+# In case machine get hooked to internet.
+server 0.nl.pool.ntp.org iburst maxpoll 9
+server 1.nl.pool.ntp.org iburst maxpoll 9
+server 2.nl.pool.ntp.org iburst maxpoll 9
+server 3.nl.pool.ntp.org iburst maxpoll 9
+
+# Local Wireless Leiden NTP Servers.
+server 0.pool.ntp.wleiden.net iburst maxpoll 9
+server 1.pool.ntp.wleiden.net iburst maxpoll 9
+server 2.pool.ntp.wleiden.net iburst maxpoll 9
+server 3.pool.ntp.wleiden.net iburst maxpoll 9
+
+# If a server loses sync with all upstream servers, NTP clients
+# no longer follow that server. The local clock can be configured
+# to provide a time source when this happens, but it should usually
+# be configured on just one server on a network. For more details see
+# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
+# The use of Orphan Mode may be preferable.
+#
+server 127.127.1.0
+fudge 127.127.1.0 stratum 10
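Review bot: There are no `restrict` lines, so ntpd answers queries and control traffic from any peer on every interface, and the rule sets in this commit pass all traffic on the wireless-facing interfaces. Add the usual defaults ahead of the server lines, `restrict default kod nomodify notrap nopeer noquery` and `restrict 127.0.0.1`, so remote hosts can only obtain time from the node. The comment above `server 127.127.1.0` already says the local clock should normally be configured on one server per network; if this file is deployed to every node, either drop the two local-clock lines or document why each node needs them.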
Index: /branches/releng-10/nanobsd/files/etc/periodic.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/periodic.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/periodic.conf	(revision 12525)
@@ -0,0 +1,6 @@
+#
+# Disable an whole bunch of the periodic checks, done automatically. Cause they
+# cause systems to run out of memory or perform any other harm.
+#
+weekly_locate_enable="no"
+daily_clean_tmps_enable="yes"
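Review bot: The header comment says a whole bunch of periodic checks are disabled, but the body turns off only `weekly_locate_enable` and actually enables `daily_clean_tmps_enable`. Reword the comment to match what is set, e.g. `# Disable periodic jobs that exhaust memory on these boards (locate) and clean /tmp daily`, or list the other checks the comment has in mind.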
Index: /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf	(revision 12525)
@@ -0,0 +1,127 @@
+#
+# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
+#
+# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
+# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
+# 3) It protects the private MGMT network from WL requests to it's own services.
+# 4) It portects the $ext_if by only allowing an subset of services.
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 7) Optional: Exposure of WL services to the outside
+# 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain, openvpn"
+allow_ext_in_udp="domain, snmp, openvpn"
+
+allow_ext_out_tcp = "domain, http, https, openvpn"
+allow_ext_out_udp = "domain, ntp, openvpn"
+
+
+# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
+# the public accesspoint in iLeiden setup, no aliases on interfaces.
+ext_if="vr0"
+ext_ip="(vr0:0)"
+inet_if="vr0"
+inet_ip="(vr0:0)"
+captive_portal_interfaces="wlan0"
+publicnat="http,https"
+masterip="127.0.0.1"
+# For an traditional proxy setup set (no iLeiden clients!), uncomment:
+#publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
+# Always be nice, and return the fact we are blocking the packets
+set block-policy return
+
+# Table used to authorized hosts (6)
+table <wlportal> persist counters
+
+# NAT MGMT to Wireless Leiden (2)
+nat on ! $ext_if from $private to $wl_net -> $masterip
+
+# Do NOT allow NAT to the Private Network (3)
+no nat from $wl_net to $private
+
+# Nat the internet for iLeiden functionality (1)
+nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
+
+
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
+
+# Load autogenerated entries, like the remote mappings (7)
+include "/etc/pf.hybrid.conf.local"
+
+# Make the device on WL find the proper gateway back (7)
+nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip
+
+# Special allow rules for inbound piercing (7)
+pass in quick on $ext_if inet tagged SRV keep state
+
+# Localhost is considered safe (5)
+pass quick on lo0 all
+
+# By default all interfaces are open (5)
+pass all
+
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
+
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
+
+# External interface is permissive (4)
+block on $ext_if inet from any to !$wl_net
+block on $inet_if inet from any to !$wl_net
+
+# Allow internal WL traffic on alias $ext_if interfaces (5)
+pass in quick on $ext_if from $wl_net to $wl_net
+pass out quick on $ext_if from $wl_net to $wl_net
+
+# Expose some local services (4)
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
+pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
+
+# Packets from the management LAN are allowed in (2)
+pass in on $ext_if from $private to $wl_net keep state
+
+# Packets going out are the ones to the internet with an certain limit (1)
+pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+ (max-src-conn-rate 100/10, max-src-conn 10)
+
+# For proper functioning allow the local machine to initiate requests outside (4)
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
+
+# For proper functioning allow the local machine to initiate requests outside + vpn (4)
+pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
+pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
+pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }
+
+# Uncomment to UDP traceroute from this host to start
+#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
+#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state
+
+# Do not allow connections to the local MGNT LAN to start (3)
+block out on $ext_if from any to $private
+
+# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
+pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
+
+# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
+#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
+
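Review bot: The rule `pass in on $ext_if from $private to $wl_net keep state` treats any packet arriving on the external interface with an RFC1918 source as management traffic, so on that path the only protection for the WL network is whatever source-address filtering exists upstream of `$ext_if`. Narrow that rule to the actual management prefix rather than the whole `$private` set (a separate macro such as `mgmt_net` would keep the intent readable), and keep `$private` for the no-NAT and block rules where the broad definition is what you want. Two smaller documentation points: the feature list at the top jumps from 7 to 9, so either an item is missing or the number should be fixed, and the comment `# External interface is permissive (4)` sits above two `block` rules, which reads as the opposite of what they do.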
Index: /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf.local
===================================================================
--- /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf.local	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/pf.hybrid.conf.local	(revision 12525)
@@ -0,0 +1,6 @@
+#
+# This is an example file and WILL be overwritten when running /tools/wl-config
+#
+
+# Redirect some internal facing services outside (7)
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 tag SRV -> 172.16.4.46 port http
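Review bot: This file ships with a live `rdr` rule forwarding external port 8081 to `172.16.4.46`, and pf.hybrid.conf includes it unconditionally, so a node switched to the hybrid rule set before `/tools/wl-config` has regenerated this file exposes that internal host through `$ext_if`. Ship the example commented out (`#rdr on $ext_if inet proto tcp from any to $ext_if port 8081 tag SRV -> 172.16.4.46 port http`) so the include is a no-op until the generator writes real mappings; the header already states the file will be overwritten, so nothing is lost.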
Index: /branches/releng-10/nanobsd/files/etc/pf.node.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/pf.node.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/pf.node.conf	(revision 12525)
@@ -0,0 +1,44 @@
+#
+# Wireless Leiden PF firewall configuration for iLeiden Node.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
+#
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
+
+# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
+# the public accesspoint in iLeiden setup. 
+captive_portal_interfaces="ue0, wlan0"
+
+# Table used to authorized hosts (6)
+table <wlportal> persist counters
+
+# Always be nice, and return the fact we are blocking the packets
+set block-policy return
+
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+
+# Localhost is considered safe (5)
+pass quick on lo0 all
+
+# By default all interfaces are open (5)
+pass all
+
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
+
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
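Review bot: The `private` macro is defined as `{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }`, with no comma after `172.16.0.0/12` and with the WL range included, and it is not referenced by any rule in this file, while pf.hybrid.conf defines the same name with only the two non-WL prefixes. As far as I recall pfctl tolerates whitespace-separated list items so this parses, but the inconsistent definition will bite whoever next copies a rule between the two files; either drop the unused macro here or define it identically to the hybrid file (`private="{ 10.0.0.0/8, 192.168.0.0/16 }"`). The captive-portal rules here also say `port 80` where the hybrid file says `port http`; pick one spelling across the rule sets.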
Index: /branches/releng-10/nanobsd/files/etc/pf.open.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/pf.open.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/pf.open.conf	(revision 12525)
@@ -0,0 +1,5 @@
+# Localhost is considered safe
+pass quick on lo0 all
+
+# Default allow
+pass all
Index: /branches/releng-10/nanobsd/files/etc/rc.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/rc.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/rc.conf	(revision 12525)
@@ -0,0 +1,119 @@
+# Stolen from /sbin/dhclient-script using using no /usr based binaries.
+# Converts an commented list into a SEP (default space) seperated list.
+make_list() {
+  SEP=${2:-' '}
+  oldifs="$IFS"
+  IFS="
+"
+  list=""
+  for line in $1; do
+    line=${line%%[ \t#]*}
+    [ -n "$line" ] && list="$list$SEP$line"
+  done
+  IFS=${oldifs}
+  echo ${list##$SEP}
+}
+
+# No kernel dumps as we don't have a place to store them 
+dumpdev="NO"			
+
+# We are an router/gateway (wireless to be precise) running the lvrouted
+# routing daemon.
+gateway_enable="YES"
+lvrouted_enable="YES"
+lvrouted_flags="-u -s s00p3rs3kr3t -m 28"
+
+# Takes lvrouted an small while to create reachable network nodes, make sure to
+# wait on it,to saves some bootup warnings.
+netwait_enable="YES"
+netwait_timeout="20"
+netwait_ip="8.8.8.8 172.16.4.46 172.27.129.1 172.17.14.1"
+
+
+# Block the full range as smaller subnets are used for allowances, this avoids
+# traffic going out (due to the default route) to unreachable parts to the
+# 172.16.0.0/12 network. 
+static_routes="quickstop"
+route_quickstop="-net 172.16.0.0/12 127.0.0.1 -reject"
+
+# NTP server needs working config with WL network or internet on boot
+# so some warnings might pop up, but no harm
+ntpdate_enable="YES"
+ntpdate_flags="-b -s"
+ntpd_enable="YES"
+ntpd_sync_on_start="YES"
+ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
+
+# We need no running mail server
+sendmail_enable="NONE"
+
+# Don't let syslog accept input from other remote hosts
+syslogd_enable="YES"
+syslogd_flags="-s -A -c"
+
+# Remote login without DNS checking as it might not also be functionable
+# -u0 prevent sshd from making DNS requests unless the authentication mechanism
+# or configuration requires it.
+sshd_enable="YES"
+sshd_flags="-u0"
+
+# Watchdogd: avoid visits because of unit not reachable. If sshd is not running
+# for -t seconds than reboot. This is checked evert -s seconds.
+watchdogd_enable="YES"
+watchdogd_flags="-t 300 -s 60 -e '/etc/rc.d/sshd status'"
+
+# Monitoring deamons
+nrpe2_enable="YES"
+snmpd_enable="YES"
+snmpd_flags="-Ls 1"
+
+# Performance profiling
+iperf_enable="YES"
+
+# HTTP(S) proxy server
+tinyproxy_enable="NO"
+
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
+
+# low-memory footprint DHCP and non-autoritive recursive DNS resolver
+dnsmasq_enable="YES"
+
+# Explicitly disable the memory-hungry alternatives
+dhcpd_enable="NO"
+dhcpd_flags="-q"
+named_enable="NO"
+named_chrootdir=""
+named_auto_forward="YES"
+
+# WL Captive Portal and WL Web Config Overview
+thttpd_enable="YES"
+http302_enable="YES"
+
+# Hybrid setup, requires outgoing VPN Server
+openvpn_enable="NO"
+openvpn_if="tap"
+openvpn_configfile="/usr/local/etc/openvpn/client.conf"
+
+# Enable the firewall by default
+pf_enable="YES"
+pf_rules="/etc/pf.open.conf"
+pf_flags=''
+# Used with Proxy Configuration
+#pf_rules="/etc/pf.proxy.conf"
+#pf_flags="-D ext_if=vr0 -D int_if=vr1 -D publicnat={80,443}"
+# Used with Node Configuration 
+#pf_rules="/etc/pf.node.conf"
+#pf_flags="-D captive_portal_interfaces=wlan0,wlan1"
+# Used with Hybrid Configuration
+#pf_rules="/etc/pf.hybrid.conf"
+#pf_flags="-D ext_if=vr0 -D captive_portal_interfaces=wlan0 -D publicnat=80,443"
+
+
+# Autogenerated flags are used during runtime
+rc_conf_running='/etc/rc.conf.running'
+if [ -r $rc_conf_running ]; then
+  . $rc_conf_running
+else
+  : > $rc_conf_running
+fi
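Review bot: `lvrouted_flags="-u -s s00p3rs3kr3t -m 28"` embeds the routing daemon's shared secret in a file that ships in every image and passes it on the command line, where any local user can read it from `ps` output. Keep the secret out of the default rc.conf (have the config tool write it to rc.conf.running or a site-specific file), and if lvrouted can read the secret from a file or the environment, prefer that over `-s`. The trailing block sources `$rc_conf_running` as shell code, so anything that writes to it (the dhclient exit hook in this commit does) must be trusted; quote the path, `if [ -r "$rc_conf_running" ]; then`, and make sure that file stays root-owned and not writable by anyone else.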
Index: /branches/releng-10/nanobsd/files/etc/rc.d/iperf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/rc.d/iperf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/rc.d/iperf	(revision 12525)
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# PROVIDE: iperf
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following line to /etc/rc.conf to enable iperf in server mode:
+#
+# iperf_enable="YES"
+#
+. /etc/rc.subr
+
+name=iperf
+rcvar=`set_rcvar`
+
+#command=/usr/local/bin/iperf
+#command_args="-s -D"
+
+load_rc_config ${name}
+
+iperf_enable=${iperf_enable-"NO"}
+
+####
+# iperf does not generate a pid file
+# iperf_pidfile=${iperf_pidfile-"/var/run/.pid"}
+# pidfile="${iperf_pidfile}"
+
+# Quick to start iperf in deamon mode and make sure logfiles get writting in
+# parseable way
+start_cmd="sh -c 'iperf -s -D -y c 1>>/var/log/iperf.log 2>>/var/log/iperf.log'"
+
+run_rc_command "$1"
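Review bot: `start_cmd` launches `iperf -s -D` as root through an `sh -c` wrapper with no `command`, `pidfile` or `stop_cmd`, so `stop` and `status` have nothing to look up and the listener stays up until reboot. Give rc.subr something to track: set `command=/usr/local/bin/iperf` and `command_args="-s -D -y c >>/var/log/iperf.log 2>&1"` in place of the wrapper, and since iperf writes no pidfile either set `procname` so rc.subr can find the process by name or add a `stop_cmd` that terminates it explicitly (rc.subr's process lookup without a pidfile is by command name, as far as I recall). A throughput-test listener also does not need root; dropping to a dedicated account via rc.subr's `${name}_user` support is cheap once `command` is used. The `1>>log 2>>log` form in the current line should in any case be `>>/var/log/iperf.log 2>&1`.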
Index: /branches/releng-10/nanobsd/files/etc/rc.d/named
===================================================================
--- /branches/releng-10/nanobsd/files/etc/rc.d/named	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/rc.d/named	(revision 12525)
@@ -0,0 +1,303 @@
+#!/bin/sh
+#
+# $FreeBSD: release/9.0.0/etc/rc.d/named 220962 2011-04-23 04:26:31Z dougb $
+#
+
+# PROVIDE: named
+# REQUIRE: SERVERS cleanvar
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="named"
+rcvar=named_enable
+
+extra_commands="reload"
+
+start_precmd="named_prestart"
+start_postcmd="named_poststart"
+reload_cmd="named_reload"
+stop_cmd="named_stop"
+stop_postcmd="named_poststop"
+
+# If running in a chroot cage, ensure that the appropriate files
+# exist inside the cage, as well as helper symlinks into the cage
+# from outside.
+#
+# As this is called after the is_running and required_dir checks
+# are made in run_rc_command(), we can safely assume ${named_chrootdir}
+# exists and named isn't running at this point (unless forcestart
+# is used).
+#
+chroot_autoupdate()
+{
+	local file
+
+	# Create (or update) the chroot directory structure
+	#
+	if [ -r /etc/mtree/BIND.chroot.dist ]; then
+		mtree -deU -f /etc/mtree/BIND.chroot.dist \
+		    -p ${named_chrootdir}
+	else
+		warn "/etc/mtree/BIND.chroot.dist missing,"
+		warn "chroot directory structure not updated"
+	fi
+
+	# Create (or update) the configuration directory symlink
+	#
+	if [ ! -L "${named_conf%/*}" ]; then
+		if [ -d "${named_conf%/*}" ]; then
+			warn "named chroot: ${named_conf%/*} is a directory!"
+		elif [ -e "${named_conf%/*}" ]; then
+			warn "named chroot: ${named_conf%/*} exists!"
+		else
+			ln -s ${named_confdir} ${named_conf%/*}
+		fi
+	else
+		# Make sure it points to the right place.
+		ln -shf ${named_confdir} ${named_conf%/*}
+	fi
+
+	# Mount a devfs in the chroot directory if needed
+	#
+	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+		umount ${named_chrootdir}/dev 2>/dev/null
+		devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
+		devfs -m ${named_chrootdir}/dev rule apply path null unhide
+		devfs -m ${named_chrootdir}/dev rule apply path random unhide
+	else
+		if [ -c ${named_chrootdir}/dev/null -a \
+		    -c ${named_chrootdir}/dev/random ]; then
+			info "named chroot: using pre-mounted devfs."
+		else
+			err 1 "named chroot: devfs cannot be mounted from" \
+			    "within a jail. Thus a chrooted named cannot" \
+			    "be run from within a jail." \
+			    "To run named without chrooting it, set" \
+			    "named_chrootdir=\"\" in /etc/rc.conf."
+		fi
+	fi
+
+	# Copy and/or update key files to the chroot /etc
+	#
+	for file in localtime protocols services; do
+		if [ -r /etc/$file ]; then
+			cmp -s /etc/$file "${named_chrootdir}/etc/$file" ||
+			    cp -p /etc/$file "${named_chrootdir}/etc/$file"
+		fi
+	done
+}
+
+# Make symlinks to the correct pid file
+#
+make_symlinks()
+{
+	checkyesno named_symlink_enable &&
+	    ln -fs "${named_chrootdir}${pidfile}" ${pidfile}
+}
+
+named_poststart () {
+	make_symlinks
+
+	if checkyesno named_wait; then
+		until ${command%/sbin/named}/bin/host $named_wait_host >/dev/null 2>&1; do
+			echo "	Waiting for nameserver to resolve $named_wait_host"
+			sleep 1
+		done
+	fi
+}
+
+named_reload()
+{
+	${command%/named}/rndc reload
+}
+
+find_pidfile()
+{
+	if get_pidfile_from_conf pid-file $named_conf; then
+		pidfile="$_pidfile_from_conf"
+	else
+		pidfile="/var/run/named/pid"
+	fi
+}
+
+named_stop()
+{
+	find_pidfile
+
+	# This duplicates an undesirably large amount of code from the stop
+	# routine in rc.subr in order to use rndc to shut down the process,
+	# and to give it a second chance in case rndc fails.
+	rc_pid=$(check_pidfile $pidfile $command)
+	if [ -z "$rc_pid" ]; then
+		[ -n "$rc_fast" ] && return 0
+		_run_rc_notrunning
+		return 1
+	fi
+	echo 'Stopping named.'
+	if ${command%/named}/rndc stop 2>/dev/null; then
+		wait_for_pids $rc_pid
+	else
+		echo -n 'rndc failed, trying kill: '
+		kill -TERM $rc_pid
+		wait_for_pids $rc_pid
+  	fi
+}
+
+named_poststop()
+{
+	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+			umount ${named_chrootdir}/dev 2>/dev/null || true
+		else
+			warn "named chroot:" \
+			    "cannot unmount devfs from inside jail!"
+		fi
+	fi
+}
+
+create_file () {
+	if [ -e "$1" ]; then
+		unlink $1
+	fi
+	> $1
+	chown root:wheel $1
+	chmod 644 $1
+}
+
+named_prestart()
+{
+	find_pidfile
+
+	if [ -n "$named_pidfile" ]; then
+		warn 'named_pidfile: now determined from the conf file'
+	fi
+
+	command_args="-u ${named_uid:=root}"
+
+	if [ ! "$named_conf" = '/etc/namedb/named.conf' ]; then
+		case "$named_flags" in
+		-c*|*' -c'*) ;;		# No need to add it
+		*) command_args="-c $named_conf $command_args" ;;
+		esac
+	fi
+
+	local line nsip firstns
+
+	# Is the user using a sandbox?
+	#
+	if [ -n "$named_chrootdir" ]; then
+		rc_flags="$rc_flags -t $named_chrootdir"
+		checkyesno named_chroot_autoupdate && chroot_autoupdate
+	else
+		named_symlink_enable=NO
+	fi
+
+	# Create an rndc.key file for the user if none exists
+	#
+	confgen_command="${command%/named}/rndc-confgen -a -b256 -u $named_uid \
+	    -c ${named_confdir}/rndc.key"
+	if [ -s "${named_confdir}/rndc.conf" ]; then
+		unset confgen_command
+	fi
+	if [ -s "${named_confdir}/rndc.key" ]; then
+		case `stat -f%Su ${named_confdir}/rndc.key` in
+		root|$named_uid) ;;
+		*) $confgen_command ;;
+		esac
+	else
+		$confgen_command
+	fi
+
+	local checkconf
+
+	checkconf="${command%/named}/named-checkconf"
+	if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]; then
+		checkconf="$checkconf -t $named_chrootdir"
+	fi
+
+	# Create a forwarder configuration based on /etc/resolv.conf
+	if checkyesno named_auto_forward; then
+		if [ ! -s /etc/resolv.conf ]; then
+			warn "named_auto_forward enabled, but no /etc/resolv.conf"
+
+			# Empty the file in case it is included in named.conf
+			[ -s "${named_confdir}/auto_forward.conf" ] &&
+			    create_file ${named_confdir}/auto_forward.conf
+
+			$checkconf $named_conf ||
+			    err 3 'named-checkconf for $named_conf failed'
+			return
+		fi
+
+		create_file /var/run/naf-resolv.conf
+		create_file /var/run/auto_forward.conf
+
+		echo '	forwarders {' > /var/run/auto_forward.conf
+
+		while read line; do
+			case "$line" in
+			'nameserver '*|'nameserver	'*)
+				# Make sure to strip the optional trailing comment
+				line=${line%%#*}
+				nsip=${line##nameserver[         ]}
+
+				if [ -z "$firstns" ]; then
+					if [ ! "$nsip" = '127.0.0.1' ]; then
+						echo 'nameserver 127.0.0.1'
+						echo "		${nsip};" >> /var/run/auto_forward.conf
+					fi
+
+					firstns=1
+				else
+					[ "$nsip" = '127.0.0.1' ] && continue
+					echo "		${nsip};" >> /var/run/auto_forward.conf
+				fi
+				;;
+			esac
+
+			echo $line
+		done < /etc/resolv.conf > /var/run/naf-resolv.conf
+
+		echo '	};' >> /var/run/auto_forward.conf
+		echo '' >> /var/run/auto_forward.conf
+		if checkyesno named_auto_forward_only; then
+			echo "	forward only;" >> /var/run/auto_forward.conf
+		else
+			echo "	forward first;" >> /var/run/auto_forward.conf
+		fi
+
+		if cmp -s /etc/resolv.conf /var/run/naf-resolv.conf; then
+			unlink /var/run/naf-resolv.conf
+		else
+			[ -e /etc/resolv.conf ] && unlink /etc/resolv.conf
+			mv /var/run/naf-resolv.conf /etc/resolv.conf
+		fi
+
+		if cmp -s ${named_confdir}/auto_forward.conf \
+		    /var/run/auto_forward.conf; then
+			unlink /var/run/auto_forward.conf
+		else
+			[ -e "${named_confdir}/auto_forward.conf" ] &&
+			    unlink ${named_confdir}/auto_forward.conf
+			mv /var/run/auto_forward.conf \
+			    ${named_confdir}/auto_forward.conf
+		fi
+	else
+		# Empty the file in case it is included in named.conf
+		[ -s "${named_confdir}/auto_forward.conf" ] &&
+		    create_file ${named_confdir}/auto_forward.conf
+	fi
+
+	$checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
+}
+
+load_rc_config $name
+
+# Updating the following variables requires that rc.conf be loaded first
+#
+required_dirs="$named_chrootdir"	# if it is set, it must exist
+
+named_confdir="${named_chrootdir}${named_conf%/*}"
+
+run_rc_command "$1"
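Review bot: The two `err 3 'named-checkconf for $named_conf failed'` calls in named_prestart (the one under the missing-resolv.conf branch and the one at the end of the function) use single quotes, so the message prints the literal text `$named_conf` instead of the path; change both to `err 3 "named-checkconf for $named_conf failed"`. This file carries a stock `$FreeBSD:` tag but is shipped as a local override of the base-system script, and the mixed space-and-tab indentation before the closing `fi` of named_stop suggests it was hand-edited, so the header should state what differs from the base file, otherwise the next base upgrade will silently revert it.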
Index: /branches/releng-10/nanobsd/files/etc/rc.d/pf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/rc.d/pf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/rc.d/pf	(revision 12525)
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# $FreeBSD: releng/9.0/etc/rc.d/pf 222007 2011-05-17 07:40:13Z hrs $
+#
+
+# PROVIDE: pf
+# REQUIRE: FILESYSTEMS netif pflog pfsync
+# BEFORE:  routing
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pf"
+rcvar=`set_rcvar`
+load_rc_config $name
+start_cmd="pf_start"
+stop_cmd="pf_stop"
+check_cmd="pf_check"
+reload_cmd="pf_reload"
+resync_cmd="pf_resync"
+status_cmd="pf_status"
+extra_commands="check reload resync"
+required_files="$pf_rules"
+required_modules="pf"
+
+pf_start()
+{
+	check_startmsgs && echo -n 'Enabling pf'
+	$pf_program -F all > /dev/null 2>&1
+	$pf_program -f "$pf_rules" $pf_flags
+	if ! $pf_program -s info | grep -q "Enabled" ; then
+		$pf_program -eq
+	fi
+	check_startmsgs && echo '.'
+}
+
+pf_stop()
+{
+	if $pf_program -s info | grep -q "Enabled" ; then
+		echo -n 'Disabling pf'
+		$pf_program -dq
+		echo '.'
+	fi
+}
+
+pf_check()
+{
+	echo "Checking pf rules."
+	$pf_program -n -f "$pf_rules" $pf_flags
+}
+
+pf_reload()
+{
+	echo "Reloading pf rules."
+	$pf_program -n -f "$pf_rules" $pf_flags || return 1
+	# Flush everything but existing state entries that way when
+	# rules are read in, it doesn't break established connections.
+	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
+	$pf_program -f "$pf_rules" $pf_flags
+}
+
+pf_resync()
+{
+	$pf_program -f "$pf_rules" $pf_flags
+}
+
+pf_status()
+{
+	$pf_program -s info
+}
+
+run_rc_command "$1"
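Review bot: pf_start (L1754–L1757) flushes everything with `-F all`, loads `$pf_rules` without checking the exit status, and then enables pf, so a ruleset that fails to parse leaves pf enabled with an empty ruleset, which passes all traffic; pf_reload already validates with `-n` before it flushes, and pf_start should do the same: `$pf_program -n -f "$pf_rules" $pf_flags || return 1` ahead of the `-F all`. The `$FreeBSD: releng/9.0/etc/rc.d/pf` header (L1728) shows this is the 9.0 script placed in a releng-10 tree; as far as I recall rc.subr in 10.x no longer provides set_rcvar, so the set_rcvar call on L1739 should become `rcvar="pf_enable"` as in the 10.x script, otherwise the service fails to start. The same unchecked load is on L1784 and L1789, where a failed `-f` after the selective flush on L1783 also leaves a reduced ruleset in place.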
Index: /branches/releng-10/nanobsd/files/etc/rc.subr-nanobsd.patch
===================================================================
--- /branches/releng-10/nanobsd/files/etc/rc.subr-nanobsd.patch	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/rc.subr-nanobsd.patch	(revision 12525)
@@ -0,0 +1,44 @@
+#
+# Add ${name}_setfib functionality to rc.subr
+#
+--- rc.subr.orig	2012-01-03 08:26:59.000000000 +0100
++++ rc.subr		2012-05-02 23:16:44.000000000 +0200
+@@ -499,6 +499,10 @@
+ #
+ #	${name}_nice	n	Nice level to run ${command} at.
+ #
++#	${name}_setfib	n	Routing table for ${command} to use. Requires
++#				kernel with options ROUTETABLES=<nr> compiled.
++#
++#
+ #	${name}_user	n	User to run ${command} as, using su(1) if not
+ #				using ${name}_chroot.
+ #				Requires /usr to be mounted.
+@@ -675,7 +679,8 @@
+ 	fi
+ 	eval _chdir=\$${name}_chdir	_chroot=\$${name}_chroot \
+ 	    _nice=\$${name}_nice	_user=\$${name}_user \
+-	    _group=\$${name}_group	_groups=\$${name}_groups
++	    _group=\$${name}_group	_groups=\$${name}_groups \
++        _setfib=\$${name}_setfib
+ 
+ 	if [ -n "$_user" ]; then	# unset $_user if running as that user
+ 		if [ "$_user" = "$(eval $IDCMD)" ]; then
+@@ -755,6 +760,7 @@
+ 			check_startmsgs && echo "Starting ${name}."
+ 			if [ -n "$_chroot" ]; then
+ 				_doit="\
++${_setfib:+setfib -F $_setfib }\
+ ${_nice:+nice -n $_nice }\
+ chroot ${_user:+-u $_user }${_group:+-g $_group }${_groups:+-G $_groups }\
+ $_chroot $command $rc_flags $command_args"
+@@ -771,6 +777,9 @@
+ 					fi
+ 					_doit="nice -n $_nice $_doit"
+ 				fi
++                if [ -n "$_setfib" ]; then
++				    _doit="setfib -F $_setfib $_doit"
++                fi
+ 			fi
+ 
+ 					# run the full command
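Review bot: The inserted lines L1825 and L1841–L1843 are indented with spaces while the surrounding rc.subr context (L1821–L1823, L1838–L1840) uses tabs, so the patched file mixes both inside a single statement and `if` block; re-indent with tabs to match. The `_setfib` value is interpolated into `_doit` (L1833, L1842) without checking that it is numeric; it comes from rc.conf so this is an operator-error path rather than an attack surface, but a guard such as `case $_setfib in *[!0-9]*) err 1 "${name}_setfib must be a routing table number";; esac` next to the `_user` handling would fail loudly instead of handing a malformed string to setfib.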
Index: /branches/releng-10/nanobsd/files/etc/resolv.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/resolv.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/resolv.conf	(revision 12525)
@@ -0,0 +1,4 @@
+nameserver 127.0.0.1
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+search wleiden.net
Index: /branches/releng-10/nanobsd/files/etc/ssh/ssh-external-banner
===================================================================
--- /branches/releng-10/nanobsd/files/etc/ssh/ssh-external-banner	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/ssh/ssh-external-banner	(revision 12525)
@@ -0,0 +1,1 @@
+Stichting Wireless Leiden - External Access (key only)
Index: /branches/releng-10/nanobsd/files/etc/ssh/ssh-internal-banner
===================================================================
--- /branches/releng-10/nanobsd/files/etc/ssh/ssh-internal-banner	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/ssh/ssh-internal-banner	(revision 12525)
@@ -0,0 +1,1 @@
+Stichting Wireless Leiden - Internal Access (password or key)
Index: /branches/releng-10/nanobsd/files/etc/ssh/ssh_config
===================================================================
--- /branches/releng-10/nanobsd/files/etc/ssh/ssh_config	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/ssh/ssh_config	(revision 12525)
@@ -0,0 +1,3 @@
+UserKnownHostsFile /etc/ssh/authorized_keys
+StrictHostKeyChecking no
+ForwardAgent yes
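Review bot: `UserKnownHostsFile /etc/ssh/authorized_keys` on L1873 points the client's known-hosts database at the very file sshd reads for public-key authentication (`AuthorizedKeysFile /etc/ssh/authorized_keys` in sshd_config), so the host key of every server this node connects to is appended to the authentication file; the root/.ssh/README in this same commit says known hosts live in /etc/ssh/ssh_known_hosts, which is what this line should read: `UserKnownHostsFile /etc/ssh/ssh_known_hosts`. Mixing the two databases also means sshd parses a growing set of non-key lines on every login and that cleaning up one set can clobber the other. With `StrictHostKeyChecking no` (L1874) new host keys are accepted silently, so the known-hosts file is the only record of what was trusted, which makes keeping it separate and reviewable more important. `ForwardAgent yes` (L1875) exposes the agent to every host reached; scoping it to the trusted hosts with a `Host` block would be the narrower default.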
Index: /branches/releng-10/nanobsd/files/etc/ssh/sshd_config
===================================================================
--- /branches/releng-10/nanobsd/files/etc/ssh/sshd_config	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/ssh/sshd_config	(revision 12525)
@@ -0,0 +1,134 @@
+#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#VersionAddendum FreeBSD-20090522
+
+#Port 22
+#Protocol 2
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+AuthorizedKeysFile /etc/ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server
+
+Banner /etc/ssh/ssh-external-banner
+PasswordAuthentication no
+Match address 172.16.0.0/12
+Banner /etc/ssh/ssh-internal-banner
+PasswordAuthentication yes
+
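Review bot: L1970 is a stray `PermitRootLogin yes` that duplicates L1928 and has replaced the last line of the UsePAM comment, so the sentence at L1969 now ends mid-phrase; drop the duplicate and restore the comment's final line from the stock file rather than leaving it cut off. The external banner promises key-only access, but `PasswordAuthentication no` (L2010) alone does not close the PAM keyboard-interactive path that the comment at L1965–L1969 itself warns about: `ChallengeResponseAuthentication` stays at its default of yes (L1953) and `UsePAM` defaults to yes here (L1974), so a password prompt is still offered to external clients. Set `ChallengeResponseAuthentication no` in the global section and re-enable the interactive method only inside the `Match address 172.16.0.0/12` block next to `PasswordAuthentication yes` (sshd_config(5) for this OpenSSH version lists which of the two keyboard-interactive keywords is permitted inside Match). `PermitRootLogin yes` globally (L1928) combined with password authentication in the Match block means root is reachable by password from the whole 172.16.0.0/12 range; if that is intended, a comment saying so would help, otherwise `PermitRootLogin without-password` globally keeps root key-only everywhere.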
Index: /branches/releng-10/nanobsd/files/etc/sysctl.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/sysctl.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/sysctl.conf	(revision 12525)
@@ -0,0 +1,5 @@
+#XXX: Might needs to be dynamic as value depends on link length
+# Turned of since it is highly unlikely that a proxy will use a wlan interface
+# dev.ath.0.acktimeout=35
+# dev.ath.1.acktimeout=35
+# dev.ath.2.acktimeout=35
Index: /branches/releng-10/nanobsd/files/etc/syslog.conf
===================================================================
--- /branches/releng-10/nanobsd/files/etc/syslog.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/etc/syslog.conf	(revision 12525)
@@ -0,0 +1,38 @@
+# $FreeBSD: src/etc/syslog.conf,v 1.28 2005/03/12 12:31:16 glebius Exp $
+#
+#	Spaces ARE valid field separators in this file. However,
+#	other *nix-like systems still insist on using tabs as field
+#	separators. If you are sharing this file between systems, you
+#	may want to use only tabs as field separators here.
+#	Consult the syslog.conf(5) manpage.
+*.err;kern.warning;auth.notice;mail.crit		/dev/console
+*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
+security.*					/var/log/security
+auth.info;authpriv.info				/var/log/auth.log
+mail.info					/var/log/maillog
+lpr.info					/var/log/lpd-errs
+ftp.info					/var/log/xferlog
+cron.*						/var/log/cron
+*.=debug					/var/log/debug.log
+*.emerg						*
+# uncomment this to log all writes to /dev/console to /var/log/console.log
+#console.info					/var/log/console.log
+# uncomment this to enable logging of all log messages to /var/log/all.log
+# touch /var/log/all.log and chmod it to mode 600 before it will work
+#*.*						/var/log/all.log
+# uncomment this to enable logging to a remote loghost named loghost
+*.*						@loghost
+# uncomment these if you're running inn
+# news.crit					/var/log/news/news.crit
+# news.err					/var/log/news/news.err
+# news.notice					/var/log/news/news.notice
+!ppp
+*.*						/var/log/ppp.log
+!thttpd
+*.*						/var/log/thttpd.log
+!openvpn
+*.*						/var/log/openvpn.log
+!tinyproxy
+*.*						/var/log/tinyproxy.log
+!snmpd
+*.*						/var/log/snmpd.log
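Review bot: The comment on L2052 still reads "uncomment this to enable logging to a remote loghost" although L2053 is active, so the remark now contradicts the line it describes; reword it to state what is configured, e.g. `# forward everything to the central loghost (name must resolve locally)`. Because the selector is `*.*`, the auth and authpriv facilities (L2040) are included in what leaves the box, so the receiving host and the network path to it become part of the trust boundary for these logs; a comment noting that is worth having next to the line.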
Index: /branches/releng-10/nanobsd/files/root/.cshrc
===================================================================
--- /branches/releng-10/nanobsd/files/root/.cshrc	(revision 12525)
+++ /branches/releng-10/nanobsd/files/root/.cshrc	(revision 12525)
@@ -0,0 +1,52 @@
+# $FreeBSD: releng/9.0/etc/root/dot.cshrc 170088 2007-05-29 06:37:58Z dougb $
+#
+# .cshrc - csh resource script, read at beginning of execution by each shell
+#
+# see also csh(1), environ(7).
+#
+
+alias h		history 25
+alias j		jobs -l
+alias la	ls -a
+alias lf	ls -FA
+alias ll	ls -lA
+
+# A righteous umask
+umask 22
+
+set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin $HOME/bin /tools)
+
+setenv	EDITOR	vim
+setenv	PAGER	more
+setenv	BLOCKSIZE	K
+
+if ($?prompt) then
+	# An interactive shell -- set some stuff up
+	set prompt = "`/bin/hostname -s`# "
+	set filec
+	set histfile = /tmp/.history
+	set history = 1000
+	set savehist = 1000
+	set mail = (/var/mail/$USER)
+	if ( $?tcsh ) then
+		bindkey "^W" backward-delete-word
+		bindkey -k up history-search-backward
+		bindkey -k down history-search-forward
+	endif
+endif
+
+# Quirck to make sure the current interactive session actually has FIB=0
+# assigned. When sshd(4) is running under FIB=1 for example, it will default to
+# FIB=1. This will make sure the shell behaviour routing wise is like an
+# normal client.
+if ($?prompt) then
+  if (`sysctl -n net.my_fibnum` != 0) then
+    echo "# WARN: Multiple routing tables use! Defaulting new shell to FIB=0"
+    setfib -0 csh 
+    logout
+  endif
+endif
+    
+if ($?prompt) then
+   [ -x /etc/motd.cshrc ] && source /etc/motd.cshrc
+endif
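Review bot: `set histfile = /tmp/.history` (L2099) together with `set savehist = 1000` (L2101) persists root's interactive history at a fixed, predictable path in the shared, world-writable /tmp; command lines (which tend to include pasted secrets) are then written to a location another local user can pre-create or redirect before root logs in, and whether the file ends up private depends on the shell's creation mode rather than on the directory. The same pattern appears in .vimrc (`n/tmp/viminfo`, L2142). If / is read-only on these images and /tmp is the only writable place, point both at a root-owned mode-0700 directory created at login, or drop `savehist` so nothing is persisted.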
Index: /branches/releng-10/nanobsd/files/root/.ssh/README
===================================================================
--- /branches/releng-10/nanobsd/files/root/.ssh/README	(revision 12525)
+++ /branches/releng-10/nanobsd/files/root/.ssh/README	(revision 12525)
@@ -0,0 +1,4 @@
+To make maintainance and control more easy, please note:
+  * authorized_keys are stored globally at /etc/ssh/authorized_keys
+  * known host entries are automatically added to /etc/ssh/ssh_known_hosts
+  * Config is stored at /etc/ssh/ssh_config
Index: /branches/releng-10/nanobsd/files/root/.vimrc
===================================================================
--- /branches/releng-10/nanobsd/files/root/.vimrc	(revision 12525)
+++ /branches/releng-10/nanobsd/files/root/.vimrc	(revision 12525)
@@ -0,0 +1,4 @@
+syntax on
+set tabstop=4
+set shiftwidth=4
+set viminfo='50,n/tmp/viminfo
Index: /branches/releng-10/nanobsd/files/tools/cfedit
===================================================================
--- /branches/releng-10/nanobsd/files/tools/cfedit	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/cfedit	(revision 12525)
@@ -0,0 +1,22 @@
+#!/bin/sh -
+#
+# Toggle writable state of the disk
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+
+mount -p | awk '{if($2 == "/"){ print $4}}' | grep -q ro && {
+    mount -uwo noatime /
+    mount -wo noatime /cfg
+    echo "# /    - write"
+    echo "# /cfg - write"
+    echo "# Run again to protect"
+  } || {
+    mount -ur /
+    umount /cfg
+    echo "# /    - read"
+    echo "# /cfg - ejected"
+    echo "# Run again to edit"
+  }
+
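Review bot: The `… && { … } || { … }` construction on L2156–L2168 is an if/else in disguise: if any command in the first group leaves a non-zero status (today its last command is an `echo`, so only by accident), the second group runs as well and immediately remounts / read-only and unmounts /cfg; `if mount -p | awk … | grep -q ro; then … else … fi` states the intent and cannot fall through. `grep -q ro` also matches `ro` as a substring anywhere in the option field; testing the option itself in awk, `awk '$2 == "/" && $4 ~ /(^|,)ro(,|$)/ { found = 1 } END { exit !found }'`, removes the grep and the ambiguity. The `mount -wo noatime /cfg` on L2158 is unchecked, so the "write" messages print even when /cfg could not be mounted.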
Index: /branches/releng-10/nanobsd/files/tools/change_password
===================================================================
--- /branches/releng-10/nanobsd/files/tools/change_password	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/change_password	(revision 12525)
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (c) 2004-2005 Poul-Henning Kamp.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/tools/tools/nanobsd/Files/root/change_password,v 1.3.6.1 2008/11/25 02:59:29 kensmith Exp $
+#
+
+set -e
+
+passwd root
+
+cfgslice=`grep '/cfg' /etc/fstab | cut -d \  -f 1`
+
+trap "umount /cfg" 1 2 15 EXIT
+mount /cfg
+cp /etc/master.passwd /etc/passwd /etc/pwd.db /etc/spwd.db /etc/group /cfg
+umount /cfg
+trap 1 2 15 EXIT
Index: /branches/releng-10/nanobsd/files/tools/check-inet-alive
===================================================================
--- /branches/releng-10/nanobsd/files/tools/check-inet-alive	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/check-inet-alive	(revision 12525)
@@ -0,0 +1,76 @@
+#!/bin/sh
+#
+# Internet Connection Wrapper From Cron
+#
+# a) Disable lvrouted if the internet is down.
+# b) Re-enable lvrouted if the internet is back up.
+#
+# XXX: Do we need build an fail-save for flapping states?
+# XXX: Do we need to manage state, like DHCP here?
+# XXX: Check if page output is actually the output expected and not some weird captive portal somewhere.
+# XXX: For effiently reasons this should be combined with the nagios check_inet check
+# 
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+TAG=`basename $0`
+logit() {
+  logger -t "$TAG" $*
+}
+
+# Check if we need to check inet at all
+. /etc/rc.subr
+
+load_rc_config "lvrouted"
+load_rc_config "tinyproxy"
+
+: ${lvouted_enable="NO"}
+: ${tinyproxy_enable="NO"}
+: ${service_ileiden="NO"}
+: ${service_proxy="NO"}
+
+control_lvrouted=false
+control_tinyproxy=false
+checkyesno service_proxy_ileiden && checkyesno lvouted_enable control_lvrouted=true
+checkyesno service_proxy_normal && checkyesno tinyproxy_enable || control_tinyproxy=false
+
+
+# Get current state of the daemons
+lvouted_status="stopped"
+tinyproxy_status="stopped"
+service lvrouted onestatus > /dev/null && lvouted_status="running"
+service tinyproxy onestatus > /dev/null && tinyproxy_status="running"
+
+check_http() {
+ fetch -o /dev/null -q $* 2>/dev/null
+}
+
+# Get connection stats for internet direct and via proxy
+inet_status=up
+proxy_status=up
+check_http http://proxy-test.wirelessleiden.nl || check_http http://ams-ix.net || inet_status=down
+export HTTP_PROXY=${HTTP_PROXY-:http://proxy.wleiden.net:3128}
+check_http http://tinyproxy.stats || check_http http://ams-ix.net || proxy_status=down
+
+# Log Network Status
+cat <<EOF > /tmp/network.status
+internet=$inet_status
+proxy=$proxy_status
+EOF
+
+# Control connections
+if $control_lvrouted; then
+  if [ $lvrouted_status = "stopped" ] && [ $inet_status = "up" ]; then
+    service lvrouted start | logit
+  elif [ $lvrouted_status = "running" ] && [ $inet_status = "down" ]; then
+    service lvrouted stop | logit
+  fi
+fi
+
+if $control_tinyproxy; then
+  if [ $tinyproxy_status = "stopped" ] && [ $inet_status = "up" ]; then
+    service tinyproxy start | logit
+  elif [ $tinyproxy_status = "running" ] && [ $inet_status = "down" ]; then
+    service tinyproxy stop | logit
+  fi
+fi
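Review bot: The control flags can never become true: L2253 lacks the `&&` before `control_lvrouted=true`, so the assignment is passed to checkyesno as an extra argument, and L2254 assigns `false` on its failure branch and never `true`; as a result neither service is ever started or stopped and the script is a no-op. Variable names also disagree — `lvouted_enable`/`lvouted_status` (L2246, L2253, L2258) versus the `lvrouted_enable` that `load_rc_config "lvrouted"` sets and the `$lvrouted_status` read at L2282/L2284, and the defaults at L2248–L2249 (`service_ileiden`, `service_proxy`) versus the checks at L2253–L2254 (`service_proxy_ileiden`, `service_proxy_normal`); with `$lvrouted_status` unset the test on L2282 becomes `[ = "stopped" ]` and errors out. `${HTTP_PROXY-:http://…}` on L2271 has the operator reversed, so the default becomes the literal `:http://proxy.wleiden.net:3128`. The corrected lines follow; the status-file and service-control parts are unchanged.
```shell
: ${lvrouted_enable="NO"}
: ${tinyproxy_enable="NO"}
# NOTE(review): use whichever spelling rc.conf actually defines; the original
# defaulted service_ileiden/service_proxy but tested service_proxy_ileiden/_normal
: ${service_proxy_ileiden="NO"}
: ${service_proxy_normal="NO"}

control_lvrouted=false
control_tinyproxy=false
checkyesno service_proxy_ileiden && checkyesno lvrouted_enable && control_lvrouted=true
checkyesno service_proxy_normal && checkyesno tinyproxy_enable && control_tinyproxy=true

# … unchanged: "Get current state of the daemons" comment …
lvrouted_status="stopped"
tinyproxy_status="stopped"
service lvrouted onestatus > /dev/null && lvrouted_status="running"
# … unchanged: tinyproxy status, check_http, direct inet probe …
export HTTP_PROXY=${HTTP_PROXY:-http://proxy.wleiden.net:3128}
# … unchanged: proxy probe, status file, service control …
```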
Index: /branches/releng-10/nanobsd/files/tools/dhcpd_snmp.sh
===================================================================
--- /branches/releng-10/nanobsd/files/tools/dhcpd_snmp.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/dhcpd_snmp.sh	(revision 12525)
@@ -0,0 +1,15 @@
+#!/bin/sh
+# Write dhcpd ranges to dhcpd-snmp.conf 
+
+DHCPD="/usr/local/etc/dhcpd.conf"
+DHSNMP="/usr/local/etc/dhcpd-snmp.conf"
+INDEX="0"
+
+DHPOOL=`cat ${DHCPD} | grep range | awk '{print $2"-"$3}' | cut -d";" -f1`
+for range in ${DHPOOL}
+do 
+   $((INDEX=INDEX+1)) 		
+   echo "`echo "pool:" $INDEX", pool"$INDEX", "$range | \
+   sed 's/^.*(//'`" >> $DHSNMP	
+done
+
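Review bot: `$((INDEX=INDEX+1))` on L2311 evaluates the expression and then tries to run its value as a command, so every iteration prints `1: not found`, `2: not found`, … on stderr (the increment still happens as a side effect, so the output looks right); the assignment form is `INDEX=$((INDEX+1))`. The `>> $DHSNMP` on L2313 appends on each run, so re-running the script duplicates every pool line; if the file is generated wholly from dhcpd.conf, truncate it once before the loop with `: > "$DHSNMP"`, otherwise a comment should say it is append-only. The `cat | grep | awk | cut` chain on L2308 can be a single awk invocation over `${DHCPD}`, and the nested echo/sed on L2312–L2313 can be one `printf` to the file.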
Index: /branches/releng-10/nanobsd/files/tools/find-nanostation
===================================================================
--- /branches/releng-10/nanobsd/files/tools/find-nanostation	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/find-nanostation	(revision 12525)
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Discover nanostation using CDPv1 packets
+# Credits: http://sidewynder.blogspot.com/2005/07/tcpdump-filter-for-capturing-only.html
+
+if [ "x$1" = "x" ]; then
+  echo "Usage: $0 <iface> [count]" 1>&2
+  echo "Find (lost) Nanostation IP using 'count' CDPv1 packet(s)"
+  echo "Normally CDPv1 packets get send every minute" 1>&2
+  echo "Interface hints: `ifconfig -l`" 1>&2
+  exit 1
+fi
+IFACE=$1
+# By default the local and remote will announce a broadcast.
+COUNT=${2-2}
+
+
+tcpdump -nn -v -i $IFACE -s 1500 -c $COUNT 'ether[18:4] == 0x000c2000'
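Review bot: The usage text is split between streams: L2327 prints to stdout while L2326, L2328 and L2329 go to stderr, so a caller capturing stdout gets one stray line; add `1>&2` to L2327. `$IFACE` and `$COUNT` on L2337 are unquoted; `-i "$IFACE" -c "$COUNT"` keeps an unexpected argument from being split into extra tcpdump options. The `[ "x$1" = "x" ]` test on L2325 can simply be `[ -z "$1" ]`.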
Index: /branches/releng-10/nanobsd/files/tools/motd
===================================================================
--- /branches/releng-10/nanobsd/files/tools/motd	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/motd	(revision 12525)
@@ -0,0 +1,8 @@
+#!/bin/csh
+#
+# Re-display MOTD and other startup messages.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+cat /etc/motd
+[ -x /etc/motd.cshrc ] && source /etc/motd.cshrc
Index: /branches/releng-10/nanobsd/files/tools/mvim
===================================================================
--- /branches/releng-10/nanobsd/files/tools/mvim	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/mvim	(revision 12525)
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# Wrapper to support file hacking on read-only file systems more easily
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+
+
+mount -uwo noatime || exit
+vim $*
+mount -uro noatime /
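Review bot: `mount -uwo noatime || exit` on L2363 omits the mount point, so mount prints its usage and fails and the wrapper always exits before vim starts; compare L2365 and cfedit's `mount -uwo noatime /`. The line should read `mount -uwo noatime / || exit 1`, and `vim $*` on L2364 should be `vim "$@"` so file names containing spaces survive. Putting the read-only remount in a trap (`trap 'mount -uro noatime /' EXIT`) would also keep an interrupted editing session from leaving / writable.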
Index: /branches/releng-10/nanobsd/files/tools/nameserver-shuffle
===================================================================
--- /branches/releng-10/nanobsd/files/tools/nameserver-shuffle	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/nameserver-shuffle	(revision 12525)
@@ -0,0 +1,67 @@
+#!/bin/sh -
+#
+# Shuffle nameservers listed based on the query times, if enabled in
+# resolv.conf. Bare in mind the special syntax.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+# ``Random'' sleep to avoid ``slamming'' on the DNS door
+verbose=true
+if [ "$1" = "cron" ]; then
+  verbose=false
+  sleep `expr $$ % 30`
+fi
+
+TAG='^# START DYNAMIC LIST - updated by /tools/nameserver-shuffle$'
+$verbose && echo "# Searching in /etc/resolv.conf for tag '$TAG'"
+
+TDIR=`mktemp -d -t $(basename $0)`
+# Cleanup before going home
+trap "rm -Rf $TDIR; exit 1" 1 2 3 15
+trap "rm -Rf $TDIR; exit 0" 0
+
+DYNLIST=$TDIR/dynlist
+RESULTLIST=$TDIR/resultlist
+NEWRESOLV=$TDIR/resolv.conf.new
+
+# Get enabled DYNAMIC LIST nameservers
+sed "1,\+$TAG+d" /etc/resolv.conf > $DYNLIST || exit 1
+NAMESERVERS=`awk '/^nameserver/ {print $2}' $DYNLIST` || exit 1
+
+# Only do something if we have dynamic nameservers
+$verbose && echo "# Processing" `echo $NAMESERVERS | wc -w` nameservers
+if [ -n "$NAMESERVERS" ]; then
+  # Find query times
+  for NAMESERVER in $NAMESERVERS; do 
+    $verbose && printf "## Testing nameserver %-16s query time: " $NAMESERVER
+    # Strict checking to avoid buggy links to return decent results.
+    QUERY_TIME=`dig +time=1 +tries=1 SOA wleiden.net @$NAMESERVER | awk '/Query time:/ {print $4}'`
+    # Failed to complete succesfully
+    [ -z "$QUERY_TIME" ] && QUERY_TIME="9999"
+    $verbose && echo "$QUERY_TIME"
+    echo "$QUERY_TIME $NAMESERVER" >> $RESULTLIST
+  done
+  
+  # Get the header part 
+  sed -n "1,\+$TAG+p" /etc/resolv.conf > $NEWRESOLV || exit 1
+  
+  # Output sorted list
+  NAMESERVERS=`sort -n $RESULTLIST | awk '{print $2}'`
+  for NAMESERVER in $NAMESERVERS; do
+    QUERY_TIME=`grep $NAMESERVER $RESULTLIST | cut -d' ' -f1`
+    [ $QUERY_TIME = "9999" ] && STATUS="Query time: down" || STATUS="Query time: $QUERY_TIME"
+    # awk magic to get maximum length of comment field (for display purposes).
+    ML=`awk '/^nameserver/ {l=length($4);if (l>ml){ml=l}}END{print ml}' $DYNLIST`
+    # awk magic allows adding or updating of status of nameserver
+    awk '/^nameserver[[:blank:]]+'"$NAMESERVER"'[[:blank:]]*/ {printf "nameserver %-16s # %-'$ML's (%s)\n", $2, $4,"'"$STATUS"'"}' $DYNLIST >> $NEWRESOLV || exit 1
+  done
+  $verbose && echo "################################"
+  $verbose && echo "## BEGIN new /etc/resolv.conf ##"
+  $verbose && echo "################################"
+  $verbose && cat $NEWRESOLV
+  $verbose && echo "################################"
+  $verbose && echo "## END new /etc/resolv.conf   ##"
+  $verbose && echo "################################"
+  cat $NEWRESOLV > /etc/resolv.conf || exit 1
+fi 
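Review bot: `grep $NAMESERVER $RESULTLIST` on L2422 uses the address as an unanchored regex, so `10.1.1.1` also matches `10.1.1.10` (and each `.` matches any character), which yields a multi-line `QUERY_TIME` that then breaks the unquoted `[ $QUERY_TIME = "9999" ]` test on L2423; match the field exactly instead: `QUERY_TIME=$(awk -v ns="$NAMESERVER" '$2 == ns {print $1; exit}' $RESULTLIST)`. The `&&`/`||` pair on L2423 also runs the `||` branch if the first assignment fails; an `if`/`else` is the safer shape. On L2427 the awk program text is assembled by interpolating `$NAMESERVER`, `$ML` and `$STATUS`; the values come from root-owned /etc/resolv.conf so this is not an injection path today, but passing them with `-v` as in the fixed line keeps awk from reinterpreting them should the source ever change.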
Index: /branches/releng-10/nanobsd/files/tools/nsdc-rebuild.sh
===================================================================
--- /branches/releng-10/nanobsd/files/tools/nsdc-rebuild.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/nsdc-rebuild.sh	(revision 12525)
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ ! -f /var/db/nsd/ixfr.db ]; then
+  nsdc rebuild
+  nsdc start
+fi
Index: /branches/releng-10/nanobsd/files/tools/openvpn-easy-rsa
===================================================================
--- /branches/releng-10/nanobsd/files/tools/openvpn-easy-rsa	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/openvpn-easy-rsa	(revision 12525)
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# Initialize the OpenVPN Easy-RSA 2.0 scripts
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA=${EASY_RSA:-"/usr/local/share/easy-rsa"}
+
+if [ ! -d "$EASY_RSA" ]; then
+  echo "# Installing easy-rsa at $EASY_RSA"
+  trap "mount -ur /; exit 1" 1 2 15 
+  mount -uwo noatime / || exit 1
+  make  -C /usr/local/share/doc/openvpn/easy-rsa/2.0 install DESTDIR=$EASY_RSA || exit 1
+  # Avoid disasters and move the vars template holder
+  mv $EASY_RSA/vars $EASY_RSA/vars.old || exit 1
+  mount -ur /
+  trap - 1 2 15
+fi 
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="${KEY_DIR:-/etc/easy-rsa-keys}"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=1024
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234
+
+# Start the local shell
+cd $EASY_RSA
+echo "#"
+echo "# Type exit when done to write changes to persistent disk"
+echo "#"
+# Primer to remember what we are doing 
+sed -n -e '/Typical/,$p'  README | sed -e 's/^/## /g' | grep -v '. ./vars'
+echo "#"
+bash || sh
+
+echo "# Writing changes to persistent storage (/cfg)"
+trap "umount /cfg; exit 1" 1 2 15 EXIT
+
+mount -ro noatime /cfg || exit 1
+CFG_KEY_DIR=/cfg/`basename $KEY_DIR`
+diff -b -B -q -r $KEY_DIR $CFG_KEY_DIR || {
+ mount -uwo noatime /cfg || exit 1
+ rm -fR $CFG_KEY_DIR || exit 1
+ cp -R $KEY_DIR $CFG_KEY_DIR || exit 1
+}
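Review bot: The `trap "umount /cfg; exit 1" 1 2 15 EXIT` on L2547 also fires on a normal exit, so the script always terminates with status 1 even after a successful copy to /cfg; split it into `trap 'umount /cfg' EXIT` and `trap 'exit 1' 1 2 15` so signals still unwind through the EXIT handler without forcing the failure status. `export KEY_SIZE=1024` (L2513) produces a 1024-bit RSA CA and keys with ten-year lifetimes (L2516, L2519); 2048 is the floor current guidance accepts, and the comment above the line already points that way. The later `KEY_EMAIL`, `PKCS11_MODULE_PATH` and `PKCS11_PIN` assignments (L2529, L2533–L2534) silently override the values set at L2505–L2506 and L2528, leaving the `changeme`/`1234` placeholders as the effective ones; keep a single assignment per variable. `bash || sh` (L2544) drops the operator into a second shell whenever bash exits non-zero (for instance after a failed last command); `if command -v bash >/dev/null 2>&1; then bash; else sh; fi` expresses the intent.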
Index: /branches/releng-10/nanobsd/files/tools/save_sshkeys
===================================================================
--- /branches/releng-10/nanobsd/files/tools/save_sshkeys	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/save_sshkeys	(revision 12525)
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (c) 2004-2005 Poul-Henning Kamp.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/tools/tools/nanobsd/Files/root/save_sshkeys,v 1.4.6.1 2008/11/25 02:59:29 kensmith Exp $
+#
+
+set -e
+
+trap "umount /cfg" 1 2 15 EXIT
+mount /cfg
+mkdir -p /cfg/ssh
+(
+cd /etc/ssh
+cp ssh_host_* /cfg/ssh
+)
+umount /cfg
+trap 1 2 15 EXIT
Index: /branches/releng-10/nanobsd/files/tools/store-ntpdrift
===================================================================
--- /branches/releng-10/nanobsd/files/tools/store-ntpdrift	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/store-ntpdrift	(revision 12525)
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Back-up ntp.drift file changes to flash. 
+
+SRC="/var/db/ntp.drift"
+DST="/cfg/local/ntp.drift"
+
+trap "umount /cfg" 1 2 15 EXIT
+
+EX_OK=0
+EX_NOINPUT=66
+EX_CANTCREAT=73
+
+mount -ro noatime /cfg
+
+# Check whether source exists
+if [ ! -r $SRC ]; then
+    echo "ERROR: '$SRC' not readable!" 1>&2
+    exit $EX_NOINPUT
+fi
+
+# Compare files, ignore white spaces, modification, etc
+diff -b -B -q ${SRC} ${DST}; RETVAL=$?
+if [ $RETVAL -ne 0 ]; then
+  # 2: DST does not yet, exists, 1: file differs
+  	mount -uwo noatime /cfg
+	mkdir -p /cfg/local
+  	cp ${SRC} ${DST}
+fi
+
+exit $EX_OK
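Review bot: `mount -ro noatime /cfg` (L2618), `mount -uwo noatime /cfg` (L2630) and `cp` (L2632) run unchecked and the script has no `set -e`, so a failed mount or copy still ends in `exit $EX_OK`, while `EX_CANTCREAT` (L2616) is defined but never used; check each step, e.g. `mount -ro noatime /cfg || exit $EX_CANTCREAT` and `cp ${SRC} ${DST} || exit $EX_CANTCREAT`. The trap on L2612 is installed before the mount, so an early exit runs `umount /cfg` on a filesystem that may not be mounted — harmless but noisy; install it right after a successful mount. Lines L2630–L2632 mix tabs and spaces while the rest of the file indents with spaces.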
Index: /branches/releng-10/nanobsd/files/tools/sync-etc-changes-to-cf
===================================================================
--- /branches/releng-10/nanobsd/files/tools/sync-etc-changes-to-cf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/sync-etc-changes-to-cf	(revision 12525)
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Quick to do sync only the /etc (most) changed entry to permanent storage.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+: ${VERBOSE=false}
+
+usage() {
+  cat <<EOF
+Usage: $0 [-v] <dryrun|sync>
+Options:
+  -v     - Verbose diffs
+Arguments:
+  dryrun - Check the pending changes [default]
+  sync   - Sync the pending changes
+EOF
+  exit ${1:-128}
+}
+
+SYNC=false
+while [ -n "$1" ]; do
+  case "$1" in
+    "-v")
+      VERBOSE=true; shift
+      ;;
+    "dryrun")
+      SYNC=false; shift
+      ;;
+    "sync")
+      SYNC=true; shift
+      ;;
+    "-h")
+      usage; exit 0;;
+    *)
+      echo "Invalid Argument -- $1"
+      usage
+      ;;
+   esac
+done
+
+# To sync we need to now the content of /cfg
+mount -r /cfg || exit 1
+
+# Leave disks in consistent state on exit
+trap "umount /cfg; mount -ur /"
+trap "exit 1" 1 2 15
+
+$SYNC && mount -uwo noatime / || exit 1
+for file in `find /conf/base/etc -type f`; do
+  live_file=${file##/conf/base}
+  conf_file=/cfg${file##/conf/base/etc}
+
+  # Do not sync files stored on the config mount
+  [ -r $conf_file ] && continue
+  
+  if ! cmp $file $live_file; then
+    $VERBOSE && diff $file $live_file
+    $SYNC && cp -v $live_file $file
+  fi
+done
+
+if ! $SYNC; then
+  echo "# Dryrun done, commit changes by calling: $0 sync"
+fi
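Review bot: The cleanup trap on L2687 is never installed: `trap "umount /cfg; mount -ur /"` carries no condition list, so the shell either takes the string as an action with no signal to bind it to or rejects it, and either way /cfg stays mounted and / stays writable on exit; it needs `trap "umount /cfg; mount -ur /" EXIT`. L2690 also breaks the default dryrun mode: with SYNC false the `$SYNC && mount ...` list fails and the `|| exit 1` fires, so the script exits 1 before comparing anything — `if $SYNC; then mount -uwo noatime / || exit 1; fi`. The find loop on L2691 word-splits filenames and the expansions on L2696–L2700 are unquoted; quoting `"$file"`, `"$live_file"` and `"$conf_file"` is the minimum.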
Index: /branches/releng-10/nanobsd/files/tools/sync-fib-tables
===================================================================
--- /branches/releng-10/nanobsd/files/tools/sync-fib-tables	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/sync-fib-tables	(revision 12525)
@@ -0,0 +1,21 @@
+#!/bin/sh -
+#
+# Clone routing table SRC into routing table DST
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+SRC=${1:-0}
+DST=${2:-1}
+
+# Flush all routes and make sure to re-apply gateway (if existed)
+gateway=`setfib $DST route -n get default | awk '/gateway:/ {print $2}'`
+setfib $DST route -qn flush
+[ -n "$gateway" ] && setfib $DST route -qn add default $gateway
+
+# Hack to sync remaining dynamic routes
+setfib $SRC netstat -nr -f inet | grep -v 'default' | awk '/UGD/ {print $1" "$2}' | while read tgt gw; do
+  setfib $DST route -qn add $tgt $gw
+done
+
+
+
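Review bot: The flush on L2723 runs before the re-add on L2724 is known to succeed, and the re-add is unchecked, so a failing `route add default` leaves table DST empty with no error reported; `[ -n "$gateway" ] && { setfib "$DST" route -qn add default "$gateway" || exit 1; }` makes that visible. SRC and DST come straight from argv (L2718–L2719) and are passed unquoted to setfib; a numeric check such as `case "$DST" in ''|*[!0-9]*) echo "usage: $0 [src-fib] [dst-fib]" >&2; exit 64;; esac` keeps stray arguments from reaching setfib and route.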
Index: /branches/releng-10/nanobsd/files/tools/update
===================================================================
--- /branches/releng-10/nanobsd/files/tools/update	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/update	(revision 12525)
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Update the non-active partition, input will stdin if no argument given else a
+# listing netcat sesion will be opened at the given port
+# Can be used in the following setups:
+# 1) Systems with CPU limits (e.g. no encryption and/or  compression):
+#   ssh -oBatchMode=yes root@node.example.org /tools/update-wrapper 3333 &
+#   cat nanobsd.image | nc node.example.org 3333
+# 2) Standard setup:
+#   cat nanobsd.image | ssh -oBatchMode=yes root@node.example.org /tools/update-wrapper
+#
+# Licence: BSD http://wirelessleiden.nl/LICENSE
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+
+. /etc/nanobsd.conf
+
+ROOT=`cd $(dirname $0); pwd -P`
+
+# Find out which partion to use
+mount | grep -q ${NANO_DRIVE}s1 && UPDATE=$ROOT/updatep2 || UPDATE=$ROOT/updatep1 
+
+if [ -z $1 ]; then
+ $UPDATE
+else
+ nc -l $1 | $UPDATE
+fi
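Review bot: In the port mode on L2763 the image is taken from whoever connects to `nc -l $1` and piped straight to the partition writer with no integrity check, unlike update-file which verifies an md5 before and after the write; a truncated or corrupted stream is only noticed by the fsck inside updatep1/updatep2. Accepting an expected checksum as a second argument and verifying the stream in a temp file before handing it to `$UPDATE` would close that gap, and binding the listener to the management address rather than all interfaces limits who can feed it. Also `[ -z $1 ]` on L2760 should be `[ -z "$1" ]`, and the header (L2744, L2747) refers to `/tools/update-wrapper` while this file is installed as `files/tools/update`.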
Index: /branches/releng-10/nanobsd/files/tools/update-file
===================================================================
--- /branches/releng-10/nanobsd/files/tools/update-file	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/update-file	(revision 12525)
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Update an single file (content via stdin) on the flash disk if the md5 does
+# not match. This script tries to be on the safe side by checking md5 at
+# various stages.
+#
+# TODO: Maybe rsync is also able to perform the mount and umount before and
+# after, this will eliminate all the hacking with md5 checks.
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+#
+
+if [ -z "$1" ]; then
+  echo "Usage: $0 <filepath> [<md5sum> [<file mode bits> [<file ownership>]]]" 1>&2
+  exit 128
+fi
+
+FILE=$1
+NEW_MD5=${2:-""}
+MODE_BITS=${3:-""}
+OWNERSHIP=${4:-""}
+
+if [ ! -f "$FILE" ]; then
+  echo "# ERROR: File $FILE does not exists" 1>&2
+  exit 1
+fi
+
+# First try to transfer file to local system
+# this restricts the filesize to the maximum size of the /tmp system
+TMPFILE=`mktemp -t $(basename $0)` || exit 1
+cat > $TMPFILE || exit 1
+TMP_MD5="`md5 -q $TMPFILE`" || exit 1
+
+# Check which md5 to use, the given one or the calculated one
+if [ -n "$NEW_MD5" ]; then
+  TARGET_MD5="$NEW_MD5"
+  if [ "$TMP_MD5" != "$TARGET_MD5" ]; then
+    echo "# ERROR: File transfer failed" 1>&2
+    exit 2
+  fi
+else
+  TARGET_MD5="$TMP_MD5"
+fi
+
+# Actually check whether we need to copy the file 
+CURRENT_MD5=`md5 -q $FILE` || exit 1
+if [ "$CURRENT_MD5" != "$TARGET_MD5" ]; then
+  echo "# INFO: Updating $FILE; old MD5 $CURRENT_MD5"
+  mount -uwo noatime / || exit 1
+  cp -f $TMPFILE $FILE
+  [ -n "$MODE_BITS" ] && chmod $MODE_BITS $FILE
+  [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $FILE
+  mount -ur /
+
+  # Make sure to recheck the md5 alter write to make sure all went ok
+  RECHECK_MD5=`md5 -q $FILE`
+  echo "# INFO: Updated $FILE; new MD5 $RECHECK_MD5"
+else
+  echo "# INFO: File $FILE already has md5 $CURRENT_MD5"
+fi
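Review bot: The "recheck" on L2825 is printed but never compared, so a short `cp` on L2819 (disk full, read-only remount race) still reports "Updated" and exits 0, contrary to the comment on L2824; the value should be compared against TARGET_MD5 and fail with a distinct exit code. TMPFILE from L2799 is also never removed, so every invocation leaves a copy of the payload in /tmp; a `trap 'rm -f "$TMPFILE"' EXIT` right after mktemp handles every exit path. Quoting `"$FILE"`, `"$TMPFILE"`, `"$MODE_BITS"` and `"$OWNERSHIP"` on L2819–L2821 is cheap and these come from argv.
```shell
TMPFILE=`mktemp -t $(basename $0)` || exit 1
trap 'rm -f "$TMPFILE"' EXIT
# … unchanged: transfer, md5 selection, compare and copy …
  RECHECK_MD5=`md5 -q $FILE`
  if [ "$RECHECK_MD5" != "$TARGET_MD5" ]; then
    echo "# ERROR: $FILE has md5 $RECHECK_MD5 after write, expected $TARGET_MD5" 1>&2
    exit 3
  fi
  echo "# INFO: Updated $FILE; new MD5 $RECHECK_MD5"
```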
Index: /branches/releng-10/nanobsd/files/tools/updatep1
===================================================================
--- /branches/releng-10/nanobsd/files/tools/updatep1	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/updatep1	(revision 12525)
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# Copyright (c) 2004-2005 Poul-Henning Kamp.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/tools/tools/nanobsd/Files/root/updatep1,v 1.2.6.1 2008/11/25 02:59:29 kensmith Exp $
+#
+# Script to update partition 1 on a NanoBSD system.
+#
+# usage:
+#	ssh somewhere cat image.s1 | sh updatep1
+#
+
+set -e
+
+. /etc/nanobsd.conf
+
+if mount | grep ${NANO_DRIVE}s1 > /dev/null ; then
+	echo "You are running partition 1 already"
+	echo "you probably want to use 'updatep2' instead"
+	exit 1
+fi
+
+# Blow away old system.
+dd if=/dev/zero of=/dev/${NANO_DRIVE}s1 bs=1m count=1 > /dev/null 2>&1
+
+# Copy in new system
+dd of=/dev/${NANO_DRIVE}s1 obs=64k
+
+# Check that it worked
+fsck_ffs -n /dev/${NANO_DRIVE}s1a
+
+gpart set -a active -i 1 ${NANO_DRIVE}
+
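Review bot: The old partition is zeroed on L2880 before a single byte of the new image has been read on L2883, so an empty pipe or a stray interactive invocation destroys the fallback partition's previous contents and only the fsck on L2886 reports it afterwards. A guard before the zeroing such as `if [ -t 0 ]; then echo "refusing to read the image from a terminal" >&2; exit 1; fi` catches the interactive case cheaply; checking that dd actually transferred data is harder in sh but worth a comment. The same ordering is in updatep2 (L2940 before L2943), and the unanchored `grep ${NANO_DRIVE}s1` on L2873 would also match an `s1x` slice name if one ever existed.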
Index: /branches/releng-10/nanobsd/files/tools/updatep2
===================================================================
--- /branches/releng-10/nanobsd/files/tools/updatep2	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/updatep2	(revision 12525)
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# Copyright (c) 2004-2005 Poul-Henning Kamp.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/tools/tools/nanobsd/Files/root/updatep2,v 1.2.6.1 2008/11/25 02:59:29 kensmith Exp $
+#
+# Script to update partition 2 on a NanoBSD system.
+#
+# usage:
+#	ssh somewhere cat image.s1 | sh updatep2
+#
+
+set -e
+
+. /etc/nanobsd.conf
+
+if mount | grep ${NANO_DRIVE}s2 > /dev/null ; then
+	echo "You are running partition 2 already"
+	echo "you probably want to use 'updatep1' instead"
+	exit 1
+fi
+
+# Blow away old system.
+dd if=/dev/zero of=/dev/${NANO_DRIVE}s2 bs=1m count=1 > /dev/null 2>&1
+
+# Copy in new system
+dd of=/dev/${NANO_DRIVE}s2 obs=64k
+
+# Check that it worked
+fsck_ffs -n /dev/${NANO_DRIVE}s2a
+
+# Update the /etc/fstab
+trap "umount /mnt" 1 2 15 EXIT
+mount /dev/${NANO_DRIVE}s2a /mnt
+sed -i "" "s/${NANO_DRIVE}s1/${NANO_DRIVE}s2/" /mnt/conf/base/etc/fstab
+sed -i "" "s/${NANO_DRIVE}s1/${NANO_DRIVE}s2/" /mnt/etc/fstab
+umount /mnt
+trap 1 2 15 EXIT
+
+gpart set -a active -i 2 ${NANO_DRIVE}
+
Index: /branches/releng-10/nanobsd/files/tools/wl-config
===================================================================
--- /branches/releng-10/nanobsd/files/tools/wl-config	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/wl-config	(revision 12525)
@@ -0,0 +1,305 @@
+#!/bin/sh
+# Wireless Leiden config-update script for FreeBSD 8.0 (nanobsd)
+# Based on the 'API' of Jasper
+# Rick van der Zwet
+# XXX: TODO, some proper error checking for fetch
+
+
+# Slow connection = no connection
+export HTTP_TIMEOUT=10
+
+
+check_access() {
+  # Direct Access - External
+  BASEURL="http://wirelessleiden.nl/config/"
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# WARN: Fetch via external $BASEURL failed"
+
+  # Direct Access - Internal IP 
+  BASEURL="http://172.16.4.46/wleiden/config/"
+  # Connectivity check
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# WARN: Fetch via internal $BASEURL failed"
+  
+  # Direct Access - External DNS
+  BASEURL="http://132.229.112.21/wleiden/config/"
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# CRIT: Fetch via external $BASEURL failed"
+
+  exit 1
+}
+check_access
+
+
+# Default config to fetch
+CONFIG=`hostname -s`
+
+# Determine it's statup and running location and some other hints
+# Skip named.conf as it not planned in current release
+FILES="authorized_keys dhcpd.conf dnsmasq.conf motd rc.conf.local resolv.conf pf.hybrid.conf.local wleiden.yaml"
+file_details() {
+  POST_CMD=""
+  FILE_HINT=""
+
+  case "$1" in 
+  'authorized_keys')
+     STARTUP_LOC="/cfg/ssh/${FILE}"
+     RUNNING_LOC="/etc/ssh/${FILE}"
+   ;;
+  'dhcpd.conf')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/usr/local/etc/${FILE}"
+     POST_CMD="service isc-dhcpd restart"
+   ;;
+  'dnsmasq.conf')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/usr/local/etc/${FILE}"
+     POST_CMD="service dnsmasq restart"
+   ;;
+   'motd')
+     STARTUP_LOC="/cfg/${FILE}"
+     RUNNING_LOC="/etc/${FILE}"
+     POST_CMD="/etc/rc.d/motd onestart"
+   ;;
+  'named.conf')
+     STARTUP_LOC="/cfg/namedb/${FILE}"
+     RUNNING_LOC="/etc/namedb/${FILE}"
+     POST_CMD="service named restart"
+   ;;
+  'rc.conf.local')
+     STARTUP_LOC="/cfg/${FILE}"
+     RUNNING_LOC="/etc/${FILE}"
+     FILE_HINT="Restart interfaces with: nohup service netif restart"
+   ;;
+   'resolv.conf')
+     STARTUP_LOC="/cfg/${FILE}"
+     RUNNING_LOC="/etc/${FILE}"
+     FILE_HINT="To get the ordering right run: nameserver-shuffle"
+   ;;
+   'pf.hybrid.conf.local')
+     STARTUP_LOC="/cfg/${FILE}"
+     RUNNING_LOC="/etc/${FILE}"
+     POST_CMD="service pf reload"
+   ;;
+   'wleiden.yaml')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/usr/local/etc/${FILE}"
+   ;;
+  esac
+}
+
+usage() {
+	(
+	echo "Usage: $0 [-bpn] [-c <config>] [-m <all|startup|testing|running>]"
+	echo "	-b          = batch mode, no user input"
+	echo "	-c <config> = default configuration to fetch"
+	echo "	-d          = do not run the POST_CMD commands [default]"
+        echo "  -p          = run the POST_CMD commands to activate the services right-away"
+	echo "	-n          = do not mount config partition"
+	echo "	-m all      = copy config files to running & config partition [default]"
+	echo "	-m startup  = copy config files to config partition"
+	echo "	-m testing  = do not copy config files"
+	echo "	-m running  = copy config files to running partition"
+	echo "	-m hack     = copy running files to config partition"
+	) 1>&2
+	exit 2
+}
+
+# Argument parsing using getopts
+USE_API=1		# Whether or not to use the webinterface
+OPT_MOUNT=1
+OPT_RUNNING=1
+OPT_STARTUP=1
+OPT_HACK=0		# Hack for people without configuration managment and testing
+OPT_BATCH=0
+OPT_POSTCMD=false
+
+parse_options() {
+  while getopts "bc:nm:dp" OPT; do
+  	case "$OPT" in
+  	b) OPT_BATCH=1;;
+  	c) CONFIG="${OPTARG}";;
+	d) OPT_POSTCMD=false;;
+  	n) OPT_MOUNT=0;;
+  	m) case "$OPTARG" in
+  	   all) true;;
+  	   live) OPT_STARTUP=0;;	
+  	   startup) OPT_RUNNING=0;;		
+  	   testing) OPT_RUNNING=0; OPT_STARTUP=0; OPT_MOUNT=0;;		
+  	   hack) OPT_RUNNING=0; OPT_STARTUP=0; OPT_HACK=1; USE_API=0;;		
+  	   *) usage;;
+  	   esac;;
+  	h) usage;;
+	p) OPT_POSTCMD=true;;
+  	\?) usage;;
+  	esac
+  done
+  # Allow to override automatic mounting, in case of external mount 'managment'
+  if [ "$1" = "-n" ]; then
+  	OPT_MOUNT=0
+  fi
+  
+  if [ "${OPT_RUNNING}" -eq 1 ]; then
+    echo "# INFO: Storing new config files in running configuration"
+  fi
+  
+  if [ "${OPT_STARTUP}" -eq 1 ]; then
+    echo "# INFO: Storing new config files in startup configuration"
+  fi
+  
+  if [ "${OPT_HACK}" -eq 1 ]; then
+    echo "# WARN: Copy running configuration to startup configuration"
+    echo "# WARN: Please do mind to document/mention this changes somewhere"
+  fi
+
+  if /bin/df / | grep -q "^/dev/md[0-9]"; then
+    OPT_MOUNT=0
+    echo "# WARN: Mount operations disabled as we are running in a md(4) image"
+  fi
+
+  # New line before the real work gets started
+  echo "" 
+}
+
+
+
+
+# test validity of input
+config_validator() {
+  INPUT="$1"
+  `grep -q "^${INPUT}\$" ${TMPDIR}/node_list.txt`
+  if [ $? -eq 0 ]; then
+    return 0
+  else 
+     echo "WARNING: Input '${INPUT}' is not valid, some hints..."
+     grep -i "${INPUT}" ${TMPDIR}/node_list.txt
+     return 1
+  fi  
+}
+
+
+
+select_node() {
+  # List of all available nodes
+  fetch -q -o ${TMPDIR}/node_list.txt ${BASEURL} || exit 1
+  
+  if [ ${OPT_BATCH} -eq 1 ]; then
+    config_validator "${CONFIG}"
+   if [ $? -eq 1 ]; then
+     echo "ERROR: Please provide valid config" 1>&2
+     exit 1
+   fi
+  else
+    # Provide Nodelist and feedback
+    cat ${TMPDIR}/node_list.txt | column
+    echo '       THIS script adds the config from GENESIS to this operating system'
+    echo '       make sure you know what you are doing, if not press control-C'
+    echo '       ENTER CONFIG NAME  ......(and press enter)'
+
+    # Have the user to select the right node
+    INVALID_CONFIG=1
+    while [ ${INVALID_CONFIG} -eq 1 ]; do
+      # Ask for node name, play around with prev option
+      echo -n "Name [${CONFIG}]: "
+      read INPUT
+      if [ -z "${INPUT}" ]; then
+        INPUT=${CONFIG}
+      else
+        CONFIG=${INPUT}
+      fi
+    
+      config_validator "${INPUT}"
+      if [ $? -eq 0 ]; then
+         INVALID_CONFIG=0
+      fi  
+    done
+  fi
+}
+
+
+
+
+# Copy file, saving some bits if no change needed
+copy_file() {
+  SOURCE=$1
+  TARGET=$2
+  diff -I '^FreeBSD ' -I '^# Generated at ' ${TARGET} ${SOURCE} 2>/dev/null
+  if [ $? -ne 0 ]; then
+    mkdir -p `dirname ${TARGET}` || exit 1
+    cp ${SOURCE} ${TARGET} || exit 1
+    return $?
+  fi
+  return 1
+}
+
+# Main function
+main() {
+  TMPDIR=`mktemp -d -t $(basename $0)`
+  # Clear out tempdir when done
+  if [ ${OPT_MOUNT} -eq 1 ]; then
+  	trap "rm -Rf ${TMPDIR}; umount /cfg; mount -ro noatime /; exit" 0 1 2 3 15
+  else
+  	trap "rm -Rf ${TMPDIR}; exit" 0 1 2 3 15
+  
+  fi
+  
+  # Mount if requested
+  if [ ${OPT_MOUNT} -eq 1 ]; then
+  	mount -uwo noatime /
+  	mount /cfg
+  fi
+
+  # Select node from web-interface
+  if [ ${USE_API} -eq 1 ]; then
+  	select_node
+  fi
+  
+  # Worker, place all files in required directory
+  for FILE in ${FILES}; do
+    if [ ${USE_API} -eq 1 ]; then
+      # Fetch needed file
+      FRESH_LOC=${TMPDIR}/${FILE}
+      fetch -q -o ${FRESH_LOC} ${BASEURL}/${CONFIG}/${FILE} || exit 1
+    fi
+  
+    # Needed file details, like locations and hints
+    file_details ${FILE}
+  
+    echo "# INFO: Working on file: '${FILE}'"
+    # Copy file boot location
+    if [ ${OPT_STARTUP} -eq 1 ]; then
+      copy_file ${FRESH_LOC} ${STARTUP_LOC}
+    fi
+  
+    # Copy file running location
+    if [ ${OPT_RUNNING} -eq 1 ]; then
+      copy_file ${FRESH_LOC} ${RUNNING_LOC}
+      if [ $? -eq 0 ]; then
+        echo "# INFO: '${FILE}' changed"  
+        if [ -n "${POST_CMD}" ]; then
+          if $OPT_POSTCMD; then
+            echo "## Running post_cmd: $POST_CMD"
+            $POST_CMD
+          else
+            echo "## To activate run the post_cmd: $POST_CMD"
+          fi
+        fi
+        if [ -n "${FILE_HINT}" ]; then
+          echo "# INFO: ${FILE_HINT}"
+          echo ""
+        fi
+      fi
+    fi
+  
+    # Direct copy
+    if [ ${OPT_HACK} -eq 1 ]; then
+      # No checking, just dumb try to copy mode
+      cp -v ${RUNNING_LOC} ${STARTUP_LOC}
+    fi
+  done
+  
+  exit 0
+}
+
+parse_options $*
+main
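Review bot: Every file in FILES, including authorized_keys and pf.hybrid.conf.local, is fetched over plain http:// (BASEURL on L2976, L2981, L2987; fetch on L3224) and installed into /etc/ssh and /etc with no integrity or origin check, so the node trusts whatever arrives on the path between it and the config server. Serving the config tree over https:// with certificate verification, or shipping a detached signature that is checked before copy_file runs, would close that. Separately, config_validator interpolates user input into a regex on L3132 and wraps the grep in backticks that execute its (empty) output; `grep -Fxq -- "${INPUT}" ${TMPDIR}/node_list.txt` does the intended exact-line match. `parse_options $*` on L3266 should be `parse_options "$@"`.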
Index: /branches/releng-10/nanobsd/files/tools/wl-version
===================================================================
--- /branches/releng-10/nanobsd/files/tools/wl-version	(revision 12525)
+++ /branches/releng-10/nanobsd/files/tools/wl-version	(revision 12525)
@@ -0,0 +1,35 @@
+#!/bin/sh
+# Get bare minimal information of node, for the use of easy debugging
+# Rick van der Zwet <info@rickvanderzwet.nl>
+
+# Trac specific code
+echo "----"
+echo "{{{"
+
+# Introduction
+echo "Generated by $USER@`hostname`"
+echo "Date: `date`"
+
+# Kernel information
+uname -a | fold
+
+# Mount information, for the use of checking which slize is usd
+mount
+
+# static iinformation, on image, like build, time, who,
+VERSION='/tools/wl-release.txt'
+cat $VERSION
+
+if [ -r /VERSION ]; then
+	cat /VERSION
+	seperator
+fi
+
+# Current ip configuration
+ifconfig -a
+
+# XXX: Configuration specifics
+
+# Trac specific code
+echo "}}}"
+echo "----"
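Review bot: `seperator` on L3297 is neither defined in this script nor a standard command, so whenever /VERSION is readable the branch prints a "not found" error to stderr instead of a divider; either define it, e.g. `seperator() { echo "----"; }` near the top, or drop the line. `cat $VERSION` on L3293 is also unchecked and will likewise emit an error on images without /tools/wl-release.txt; `[ -r "$VERSION" ] && cat "$VERSION"` keeps the report clean.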
Index: /branches/releng-10/nanobsd/files/usr/local/bin/http302
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/bin/http302	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/bin/http302	(revision 12525)
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Only purpose is to send somebody to the Captive Portal
+#
+URL=${URL:-http://172.31.255.1/wlportal}
+
+# Send information to client
+echo -e "HTTP/1.1 302 OK\r"
+echo -e "Location: $URL\r"
+echo -e "\r"
+
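Review bot: The status line on L3320 uses the reason phrase "OK" for a 302; clients ignore it, but `HTTP/1.1 302 Found` is the conventional form. Since the script never reads the request and exits immediately, adding `echo -e "Content-Length: 0\r"` and `echo -e "Connection: close\r"` before the blank line tells HTTP/1.1 clients not to wait for a body or reuse the connection. `echo -e` is a builtin extension rather than POSIX; it works in FreeBSD's /bin/sh, which is presumably the only target here.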
Index: /branches/releng-10/nanobsd/files/usr/local/bin/pen_wrapper
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/bin/pen_wrapper	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/bin/pen_wrapper	(revision 12525)
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+# Pen proxy wrapper, periodic check for best connections available.
+#
+# Stichting Wireless Leiden
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+BIND_ADDR=${1:-172.31.255.1}
+BIND_PORT=${2:-3128}
+
+
+# Internal parameters, don't touch unless you know what you are doing.
+TEST_URL="http://tinyproxy.stats/"
+TEST_INTERVAL=`expr 15 \* 60`
+PIDFILE='/var/run/pen.pid'
+PEN='/usr/local/bin/pen'
+PEN_FLAGS="-S 20 -b 30 -p ${PIDFILE} ${BIND_ADDR}:${BIND_PORT}"
+
+TAG=`basename $0`
+logit() {
+  logger -t "$TAG" $*
+}
+
+get_proxy_list() {
+  # Get (updated) proxy listing from configuration files.
+  . /etc/rc.subr
+  load_rc_config "pen_wrapper"
+  make_list "$list_normal_proxies" " "
+}
+
+
+# Return speed value, higher is better
+test_proxy() {
+  PROXY=$1
+  retstr=`HTTP_PROXY=http://$PROXY fetch -T 3 -o /dev/null ${TEST_URL} 2>&1`
+  bps=`echo "${retstr}" | awk '/Bps/ {printf $4}'`
+  echo ${bps:-"0"}
+}
+
+# Sort proxy list on highest bandwidth
+test_proxies() {
+  result=''
+  for host in $*; do
+    bps=`test_proxy $host:3128`
+    if [ "$bps" != "0" ]; then
+      result="$result $bps:$host:3128"
+    fi
+  done
+
+  echo $result | xargs -n1 | sort -t':' -k1 -n -r | cut -d: -f 2,3 | xargs
+}
+
+
+##
+# Main loop
+LIVE_PROXY_LIST=''
+while true; do
+  PROXY_LIST=`get_proxy_list`
+  if [ -z "$PROXY_LIST" ]; then
+    logit "Not starting: list_normal_proxies variable not configured"
+  else
+    NEW_PROXY_LIST=`test_proxies $PROXY_LIST`
+    if [ "${LIVE_PROXY_LIST}" != "${NEW_PROXY_LIST}" ]; then
+      logit "INFO: New listing to be configured '${NEW_PROXY_LIST}'"
+
+      # Pen should only be started if alias exists
+      ifconfig | grep -q ${BIND_ADDR} || {
+        logit "Not starting: alias $BIND_ADDR not configured!"
+      } && {
+        [ -r ${PIDFILE} ] && kill `cat ${PIDFILE}`
+        ${PEN} ${PEN_FLAGS} ${NEW_PROXY_LIST}
+        LIVE_PROXY_LIST="${NEW_PROXY_LIST}"
+      }
+    fi
+  fi
+
+  sleep ${TEST_INTERVAL}
+done
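Review bot: The `cmd || { logit } && { start }` chain on L3397–L3403 starts pen even when the alias is missing: when grep fails, the logit block runs and succeeds, and its success then triggers the `&&` block, so the "Not starting" message is logged and pen is started anyway. An explicit if/else fixes the flow, and matching `"inet ${BIND_ADDR} "` with `-F` avoids the unanchored `grep -q 172.31.255.1` also matching 172.31.255.10 or .100. The `kill \`cat ${PIDFILE}\`` on L3400 is unchecked and will signal whatever PID a stale pidfile names; at minimum its failure should be logged. `logit` on L3351 should pass `"$*"` so the message is one argument.
```shell
      # Pen should only be started if alias exists
      if ifconfig | grep -qF "inet ${BIND_ADDR} "; then
        [ -r ${PIDFILE} ] && kill `cat ${PIDFILE}`
        ${PEN} ${PEN_FLAGS} ${NEW_PROXY_LIST}
        LIVE_PROXY_LIST="${NEW_PROXY_LIST}"
      else
        logit "Not starting: alias $BIND_ADDR not configured!"
      fi
```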
Index: /branches/releng-10/nanobsd/files/usr/local/bin/ssh-copy-id
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/bin/ssh-copy-id	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/bin/ssh-copy-id	(revision 12525)
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Shell script to install your public key on a remote machine
+# Takes the remote machine name as an argument.
+# Obviously, the remote machine must accept password authentication,
+# or one of the other keys in your ssh-agent, for this to work.
+
+ID_FILE="${HOME}/.ssh/id_rsa.pub"
+
+if [ "-i" = "$1" ]; then
+  shift
+  # check if we have 2 parameters left, if so the first is the new ID file
+  if [ -n "$2" ]; then
+    if expr "$1" : ".*\.pub" >/dev/null; then
+      ID_FILE="$1"
+    else
+      ID_FILE="$1.pub"
+    fi
+    shift         # and this should leave $1 as the target name
+  fi
+else
+  if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
+    GET_ID="$GET_ID ssh-add -L"
+  fi
+fi
+
+if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
+  GET_ID="cat ${ID_FILE}"
+fi
+
+if [ -z "`eval $GET_ID`" ]; then
+  echo "$0: ERROR: No identities found" >&2
+  exit 1
+fi
+
+if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
+  exit 1
+fi
+
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
+
+cat <<EOF
+Now try logging into the machine, with "ssh '$1'", and check in:
+
+  .ssh/authorized_keys
+
+to make sure we haven't added extra keys that you weren't expecting.
+
+EOF
Index: /branches/releng-10/nanobsd/files/usr/local/etc/nrpe.cfg
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/nrpe.cfg	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/nrpe.cfg	(revision 12525)
@@ -0,0 +1,15 @@
+server_port=5666
+allowed_hosts=172.16.4.46
+nrpe_user=nagios
+nrpe_group=nagios
+command_timeout=60
+
+command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
+command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
+command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 8% -c 4% -p /
+command[check_disk2]=/usr/local/libexec/nagios/check_disk -w 20% -c 10% -p /var
+command[check_procs]=/usr/local/libexec/nagios/check_procs -w 55 -c 70
+command[check_inet]=/usr/local/libexec/nagios/check_inet
+command[check_inet2]=/usr/local/libexec/nagios/check_inet2
+command[check_lv]=/usr/local/libexec/nagios/check_lv
+
Index: /branches/releng-10/nanobsd/files/usr/local/etc/ntp.drift
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/ntp.drift	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/ntp.drift	(revision 12525)
@@ -0,0 +1,1 @@
+0.000
Index: /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/README
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/README	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/README	(revision 12525)
@@ -0,0 +1,4 @@
+Make sure to get the following files via the regular channels:
+ - ta.crt
+ - client.crt
+ - client.key
Index: /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/ca.crt
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/ca.crt	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/ca.crt	(revision 12525)
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Index: /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/client.conf
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/client.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/openvpn/client.conf	(revision 12525)
@@ -0,0 +1,134 @@
+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one.  On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+;remote my-server-1 1194
+;remote my-server-2 1194
+remote openvpn.pool.wirelessleiden.nl. 1194
+
+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+;user nobody
+;group nobody
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+ca /usr/local/etc/openvpn/ca.crt
+cert /usr/local/etc/openvpn/client.crt
+key /usr/local/etc/openvpn/client.key
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-server
+# script in the easy-rsa folder will do this.
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+tls-auth /usr/local/etc/openvpn/ta.key 1
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+;cipher x
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+# Silence repeating messages
+;mute 20
+
+# Use syslog by default
+syslog
+
+# Allow calling external scripts
+script-security 2
+
+# Make sure to keep some traffic running, to keep the Firewall (NAT) state tables in between happy.
+keepalive 2 24
+
+# Keep trying
+resolv-retry infinite
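Review bot: `tls-auth /usr/local/etc/openvpn/ta.key 1` on L3615 expects ta.key, while the README in the same directory (openvpn/README, two hunks above) tells the operator to obtain `ta.crt`; one of the two should be corrected or the client will fail to start with the files the README asks for. `ns-cert-type server` on L3611 is the legacy form; `remote-cert-tls server` performs the same server-role check against the extended key usage and is the form current OpenVPN documents. `resolv-retry infinite` appears twice (L3562 and L3643). `script-security 2` on L3637 permits external scripts, but no `up`/`down`/`route-up` directive is present in this file, so it looks unnecessary unless something is pushed from the server — worth a comment either way.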
Index: /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/http302
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/http302	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/http302	(revision 12525)
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# PROVIDE: http301
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following line to /etc/rc.conf to enable iperf in server mode:
+#
+# http302_enable="YES"
+#
+. /etc/rc.subr
+
+name=http302
+rcvar=`set_rcvar`
+
+command=/usr/local/bin/tcpserver
+command_args="-R -H -l 0 172.31.255.1 8081 /usr/local/bin/http302 &"
+
+load_rc_config ${name}
+
+http301_enable=${http301_enable-"NO"}
+
+####
+# tcpserver does not generate a pid file
+
+run_rc_command "$1"
+
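Review bot: The default is assigned to the wrong variable: `name=http302` makes `rcvar` resolve to `http302_enable`, but the script defaults `http301_enable`, so the rcvar stays unset unless rc.conf defines it and rc.subr will complain rather than start tcpserver; `# PROVIDE: http301` and the header comment about enabling iperf look like the same copy-paste slip from the iperf script. Change them to `# PROVIDE: http302`, `http302_enable=${http302_enable-"NO"}` and a header comment that names http302. The trailing `&` inside `command_args` only backgrounds tcpserver because rc.subr evals the command line, which is non-obvious and deserves a comment next to the existing "does not generate a pid file" remark. Separately, `rcvar=\`set_rcvar\`` (also in iperf, nanobsd-save-sshkeys and pen_wrapper) relies on a helper that, as far as I recall, releng-10's rc.subr no longer provides; `rcvar=${name}_enable` is the supported form, so please confirm against the target rc.subr.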
Index: /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/iperf
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/iperf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/iperf	(revision 12525)
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# PROVIDE: iperf
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following line to /etc/rc.conf to enable iperf in server mode:
+#
+# iperf_enable="YES"
+#
+. /etc/rc.subr
+
+name=iperf
+rcvar=`set_rcvar`
+
+command=/usr/local/bin/iperf
+command_args="-s -D"
+
+load_rc_config ${name}
+
+iperf_enable=${iperf_enable-"NO"}
+
+####
+# iperf does not generate a pid file
+# iperf_pidfile=${iperf_pidfile-"/var/run/.pid"}
+# pidfile="${iperf_pidfile}"
+
+run_rc_command "$1"
+
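Review bot: `command_args="-s -D"` starts an iperf server listening on every address with no access control, so any host that can reach the node can drive CPU and link load through it, whereas the tcpserver and tinyproxy services in this commit bind to or allow specific ranges. If the server is only meant for measurements from the mesh side, bind it to that address, e.g. `command_args="-s -D -B <mesh-address>"` (placeholder), or state in the header comment that the listener is intentionally open and covered by the packet filter. The header should also name the port iperf listens on (its default is 5001) so whoever writes the firewall rules does not have to look it up.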
Index: /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/nanobsd-save-sshkeys
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/nanobsd-save-sshkeys	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/nanobsd-save-sshkeys	(revision 12525)
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# $FreeBSD: ports/net/pen/files/pen.sh.in,v 1.1 2006/09/24 14:34:36 clement Exp $
+#
+
+# PROVIDE: pen
+# REQUIRE: NETWORKING SERVERS sshd
+# KEYWORD: shutdown
+
+#
+# Add the following line to /etc/rc.conf to enable nanobsd-save-sshkeys:
+#
+# nanobsd_save_sshkeys_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=nanobsd_save_sshkeys
+rcvar=`set_rcvar`
+
+nanobsd_save_sshkeys_enable=${nanobsd_save_sshkeys_enable:-"NO"}
+
+start_cmd="save_sshkeys"
+stop_cmd="save_sshkeys"
+
+save_sshkeys() {
+	MOUNTED_RW=0
+	trap "umount /cfg" 1 2 15 EXIT
+	mount -ro noatime /cfg
+        for FILE in /etc/ssh/ssh_host_*; do
+		cmp -s $FILE /cfg/ssh/`basename ${FILE}`
+		if [ $? -ne 0 ]; then
+			if [ ${MOUNTED_RW} -eq 0 ]; then
+			 	mount -uwo noatime /cfg
+				mkdir -p /cfg/ssh
+				MOUNTED_RW=1
+			fi
+			cp $FILE /cfg/ssh/`basename ${FILE}`
+		fi
+	done
+
+	umount /cfg
+	trap 1 2 15 EXIT
+}
+
+
+load_rc_config $name
+run_rc_command "$1"
+
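Review bot: `# PROVIDE: pen` was carried over from pen.sh.in, so rcorder sees this script as the provider of "pen" instead of nanobsd_save_sshkeys; it should read `# PROVIDE: nanobsd_save_sshkeys`. Inside `save_sshkeys`, the result of `mount -ro noatime /cfg` is not checked, so if the mount fails (or /cfg is already mounted elsewhere) the loop still runs and the trap/explicit `umount /cfg` may unmount a slice this script did not mount; `$FILE` and the backtick `basename` substitutions are also unquoted, and an unmatched glob would hand the literal `/etc/ssh/ssh_host_*` to cmp and cp. The private host keys land in `/cfg/ssh` with whatever mode the umask yields, so `cp -p` would make the intent of preserving the 0600 mode explicit. Suggested body below; the rest of the file is unchanged.
```shell
save_sshkeys() {
	MOUNTED_RW=0
	mount -ro noatime /cfg || return 1
	trap "umount /cfg" 1 2 15 EXIT
	for FILE in /etc/ssh/ssh_host_*; do
		[ -e "${FILE}" ] || continue
		TARGET="/cfg/ssh/${FILE##*/}"
		if ! cmp -s "${FILE}" "${TARGET}"; then
			if [ "${MOUNTED_RW}" -eq 0 ]; then
				mount -uwo noatime /cfg || return 1
				mkdir -p /cfg/ssh
				MOUNTED_RW=1
			fi
			cp -p "${FILE}" "${TARGET}"
		fi
	done
	umount /cfg
	trap - 1 2 15 EXIT
}
```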
Index: /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/pen_wrapper
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/pen_wrapper	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/rc.d/pen_wrapper	(revision 12525)
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD: ports/net/pen/files/pen.sh.in,v 1.1 2006/09/24 14:34:36 clement Exp $
+#
+
+# PROVIDE: pen_wrapper
+# REQUIRE: NETWORKING SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+
+#
+# Add the following line to /etc/rc.conf to enable pen:
+#
+# pen_wrapper_enable="YES"
+#
+
+. /etc/rc.subr
+
+pen_wrapper_cmd() {
+	${command_interpreter} ${command} &
+}
+
+name=pen_wrapper
+rcvar=`set_rcvar`
+start_cmd=${name}_cmd
+
+command_interpreter="/bin/sh"
+command=/usr/local/bin/pen_wrapper
+
+pen_wrapper_enable=${pen_wrapper_enable:-"NO"}
+pen_wrapper_flags=${pen_wrapper_flags:-""}
+
+load_rc_config $name
+run_rc_command "$1"
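Review bot: `pen_wrapper_flags` is defaulted on line `pen_wrapper_flags=${pen_wrapper_flags:-""}` but `pen_wrapper_cmd` runs `${command_interpreter} ${command} &` and never passes it (nor `$rc_flags`), so an rc.conf setting of `pen_wrapper_flags` is silently ignored; either use `${command_interpreter} ${command} ${pen_wrapper_flags} &` or drop the variable. Because the wrapper is backgrounded without a pidfile, `stop` appears to rely on rc.subr matching `$command` together with `$command_interpreter` in the process list — a one-line comment stating that would save the next reader from wondering why no `pidfile` is set. The `$FreeBSD: ports/net/pen/files/pen.sh.in` tag no longer describes this file and is misleading in a wrapper script.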
Index: /branches/releng-10/nanobsd/files/usr/local/etc/snmp/snmpd.conf
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/snmp/snmpd.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/snmp/snmpd.conf	(revision 12525)
@@ -0,0 +1,95 @@
+# snmpd.conf
+
+# First, map the community name (COMMUNITY) into a security name
+# (local and mynetwork, depending on where the request is coming
+# from):
+
+#	sec.name  source	community
+com2sec	local	  localhost	 public
+com2sec	mynetwork 172.16.0.0/12	 public
+com2sec	mynetwork 10.0.0.0/8	 public
+com2sec	mynetwork 192.168.0.0/16 public
+
+
+
+# Second, map the security names into group names:
+
+#		sec.model sec.name
+group MyRWGroup	v1	  local
+group MyRWGroup	v2c	  local
+group MyRWGroup	usm	  local
+group MyROGroup	v1	  mynetwork
+group MyROGroup	v2c	  mynetwork
+group MyROGroup	usm	  mynetwork
+
+
+# Third, create a view for us to let the groups have rights to:
+
+#	 incl/excl subtree mask
+view all included  .1	   80
+
+
+# Finally, grant the 2 groups access to the 1 view with different
+# write permissions:
+
+#		 context sec.model sec.level match read	write notif
+access MyROGroup ""	 any	   noauth    exact all	none  none
+access MyRWGroup ""	 any	   noauth    exact all	all   none
+
+
+# System contact information
+
+sysLocation "Somewhere in or near Leiden"
+sysContact "Stichting Wireless Leiden <beheer@lijst.wirelessleiden.nl> / +31 71 5139817"
+
+
+# Process checks.
+
+#    name	  max min
+proc lvrouted.opt 1   1
+proc sshd	  8   1
+proc syslogd	  1   1
+proc ntpd	  1   1
+proc snmpd	  1   1
+proc dhcpd	  1   1
+proc pen	  1   1
+proc cron	  2   1
+proc named	  1   1
+
+
+# disk checks
+
+#    path min
+#disk /    90%
+#disk /var 80%
+#disk /usr 80%
+#disk /tmp 60%
+includeAllDisks 85%
+
+
+# load average checks
+
+#    1max 5max 15max
+load 12   14   14
+
+
+# Pass through control
+
+#    miboid		  exec-command
+extend .1.3.6.1.4.1.2021.70 dhcp-users /bin/sh -c "cat /var/db/dnsmasq.leases \| awk '{ print $1,$2,$3 }'"
+extend .1.3.6.1.4.1.2021.71 portal-users /bin/sh -c "cat /var/db/clients \| awk '{ print $1,$2,$3 }'"
+extend .1.3.6.1.4.1.2021.72 arp-users /bin/sh -c "cat /var/db/connect.gone \| awk '{ print $1,$2,$3,$4,$5 }'"
+extend .1.3.6.1.4.1.2012.73 proxy-users bin/sh -c "cat /var/log/tinyproxy.log \| grep -v 2cnode \| awk '/.wleiden.net/ { print $2,$3,$11 }' \| tr -d '[]' \| sort \| uniq "
+
+extend .1.3.6.1.4.1.2021.80 etc-checksum /bin/sh -c "cat `find /etc` \| md5"
+extend .1.3.6.1.4.1.2021.81 local-list /bin/sh -c "find /usr/local/ \| wc -l"
+extend .1.3.6.1.4.1.2021.82 build-box /bin/sh -c "uname -v \| awk '{ print $10 }' \| cut -d \\: -f 1"
+extend .1.3.6.1.4.1.2021.83 freebsd-ver /bin/sh -c "uname -r"
+extend .1.3.6.1.4.1.2021.84 wl-ver /bin/sh -c "cat /tools/wl-release.txt \| awk '/Revision/ {print $2 }' "
+extend .1.3.6.1.4.1.2021.85 wl-date /bin/sh -c "cat /tools/wl-release.txt | awk '/Changed\ Date/ {print $4,$5 }'"
+
+extend .1.3.6.1.4.1.2021.90 uptime /bin/sh -c "uptime"
+extend .1.3.6.1.4.1.2021.91 vmstat /bin/sh -c "vmstat 1 2"
+extend .1.3.6.1.4.1.2021.92 uptime /bin/sh -c "uptime \| awk '{ split($5,a,\":\"); print ($3*60*24+a[1]*60+a[2]) }'"
+extend .1.3.6.1.4.1.2021.93 soa /bin/sh -c "dig +short soa wleiden.net @localhost \| awk '{ print $3 }' \| tail -1"
+extend .1.3.6.1.4.1.2021.94 physmem /bin/sh -c "sysctl -n hw.physmem"
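Review bot: The `local` security name maps to `MyRWGroup` with `access MyRWGroup "" any noauth exact all all none`, so anything on the box that can send a v1/v2c packet to localhost with the well-known community `public` (or a v3 request with no authentication, via the `usm` rows) can set every OID in view `all`; unless something on the node actually writes via SNMP, the RW group should go, and in any case the community should not be the default `public` that the three RFC1918 `com2sec` rows also accept for read access to the `extend` outputs (leases, portal clients and proxy user lists are personal data for everyone on the mesh). Concrete defects in the `extend` rows: line `extend .1.3.6.1.4.1.2012.73 proxy-users bin/sh -c ...` is missing the leading slash on `/bin/sh` and uses arc `2012` where every other row uses `2021`; `wl-date` leaves the `|` unescaped where all sibling rows write `\|`; and `.90` and `.92` are both named `uptime`, which net-snmp keys extend entries by, so one of the two is presumably rejected. The `proxy-users` row also reads `/var/log/tinyproxy.log`, while the tinyproxy.conf in this commit has `Logfile` commented out and `Syslog On`, so that file may not exist unless syslog.conf routes it there.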
Index: /branches/releng-10/nanobsd/files/usr/local/etc/thttpd.conf
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/thttpd.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/thttpd.conf	(revision 12525)
@@ -0,0 +1,5 @@
+user=root
+dir=/usr/local/www
+cgipat=**
+nochroot
+pidfile=/var/run/thttpd.pid
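Review bot: `user=root` together with `nochroot` and `cgipat=**` runs thttpd as root, outside any chroot, and treats every file under `/usr/local/www` as an executable CGI, so a single writable or mis-deployed file in the document root becomes root code execution on the node. Prefer `user=nobody` (or a dedicated portal user), drop `nochroot`, and restrict the CGI pattern to the portal's script path, e.g. `cgipat=/wlportal/*`; if the portal CGI genuinely needs privileges for firewall changes, say so in a comment and confine that step to a small helper rather than the whole web server.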
Index: /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.conf
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.conf	(revision 12525)
@@ -0,0 +1,228 @@
+##
+## tinyproxy.conf -- tinyproxy daemon configuration file
+##
+
+#
+# Name of the user the tinyproxy daemon should switch to after the port
+# has been bound.
+#
+User nobody
+Group nogroup
+
+#
+# Port to listen on.
+#
+Port 3128
+
+#
+# If you have multiple interfaces this allows you to bind to only one. If
+# this is commented out, tinyproxy will bind to all interfaces present.
+#
+#Listen 192.168.0.1
+Listen 0.0.0.0
+#
+# The Bind directive allows you to bind the outgoing connections to a
+# particular IP address.
+#
+#Bind 192.168.0.1
+
+#
+# Timeout: The number of seconds of inactivity a connection is allowed to
+# have before it closed by tinyproxy.
+#
+Timeout 600
+
+#
+# ErrorFile: Defines the HTML file to send when a given HTTP error
+# occurs.  You will probably need to customize the location to your
+# particular install.  The usual locations to check are:
+#   /usr/local/share/tinyproxy
+#   /usr/local/share/tinyproxy
+#   /etc/tinyproxy
+#
+# ErrorFile 404 "/usr/local/share/tinyproxy/404.html"
+# ErrorFile 400 "/usr/local/share/tinyproxy/400.html"
+# ErrorFile 503 "/usr/local/share/tinyproxy/503.html"
+# ErrorFile 403 "/usr/local/share/tinyproxy/403.html"
+# ErrorFile 408 "/usr/local/share/tinyproxy/408.html"
+
+# 
+# DefaultErrorFile: The HTML file that gets sent if there is no
+# HTML file defined with an ErrorFile keyword for the HTTP error
+# that has occured.
+#
+DefaultErrorFile "/usr/local/share/tinyproxy/default.html"
+
+#
+# StatFile: The HTML file that gets sent when a request is made
+# for the stathost.  If this file doesn't exist a basic page is
+# hardcoded in tinyproxy.
+#
+StatFile "/usr/local/share/tinyproxy/stats.html"
+
+#
+# Where to log the information. Either LogFile or Syslog should be set,
+# but not both.
+#
+#Logfile "/var/log/tinyproxy.log"
+Syslog On
+
+#
+# Set the logging level. Allowed settings are:
+#	Critical	(least verbose)
+#	Error
+#	Warning
+#	Notice
+#	Connect		(to log connections without Info's noise)
+#	Info		(most verbose)
+# The LogLevel logs from the set level and above. For example, if the LogLevel
+# was set to Warning, than all log messages from Warning to Critical would be
+# output, but Notice and below would be suppressed.
+#
+LogLevel Connect
+
+#
+# PidFile: Write the PID of the main tinyproxy thread to this file so it
+# can be used for signalling purposes.
+#
+PidFile "/var/run/tinyproxy.pid"
+
+#
+# Include the X-Tinyproxy header, which has the client's IP address when
+# connecting to the sites listed.
+#
+#XTinyproxy mydomain.com
+
+#
+# Turns on upstream proxy support.
+#
+# The upstream rules allow you to selectively route upstream connections
+# based on the host/domain of the site being accessed.
+#
+# For example:
+#  # connection to test domain goes through testproxy
+#  upstream testproxy:8008 ".test.domain.invalid"
+#  upstream testproxy:8008 ".our_testbed.example.com"
+#  upstream testproxy:8008 "192.168.128.0/255.255.254.0"
+#
+#  # no upstream proxy for internal websites and unqualified hosts
+#  no upstream ".internal.example.com"
+#  no upstream "www.example.com"
+#  no upstream "10.0.0.0/8"
+#  no upstream "192.168.0.0/255.255.254.0"
+#  no upstream "."
+#
+#  # connection to these boxes go through their DMZ firewalls
+#  upstream cust1_firewall:8008 "testbed_for_cust1"
+#  upstream cust2_firewall:8008 "testbed_for_cust2"
+#
+#  # default upstream is internet firewall
+#  upstream firewall.internal.example.com:80
+#
+# The LAST matching rule wins the route decision.  As you can see, you
+# can use a host, or a domain:
+#  name     matches host exactly
+#  .name    matches any host in domain "name"
+#  .        matches any host with no domain (in 'empty' domain)
+#  IP/bits  matches network/mask
+#  IP/mask  matches network/mask
+#
+#Upstream some.remote.proxy:port
+
+#
+# This is the absolute highest number of threads which will be created. In
+# other words, only MaxClients number of clients can be connected at the
+# same time.
+#
+MaxClients 100
+
+#
+# These settings set the upper and lower limit for the number of
+# spare servers which should be available. If the number of spare servers
+# falls below MinSpareServers then new ones will be created. If the number
+# of servers exceeds MaxSpareServers then the extras will be killed off.
+#
+MinSpareServers 5
+MaxSpareServers 20
+
+#
+# Number of servers to start initially.
+#
+StartServers 10
+
+#
+# MaxRequestsPerChild is the number of connections a thread will handle
+# before it is killed. In practise this should be set to 0, which disables
+# thread reaping. If you do notice problems with memory leakage, then set
+# this to something like 10000
+#
+MaxRequestsPerChild 0
+
+#
+# The following is the authorization controls. If there are any access
+# control keywords then the default action is to DENY. Otherwise, the
+# default action is ALLOW.
+#
+# Also the order of the controls are important. The incoming connections
+# are tested against the controls based on order.
+#
+Allow 127.0.0.1
+Allow 172.16.0.0/12
+
+#
+# The "Via" header is required by the HTTP RFC, but using the real host name
+# is a security concern.  If the following directive is enabled, the string
+# supplied will be used as the host name in the Via header; otherwise, the
+# server's host name will be used.
+#
+#ViaProxyName "tinyproxy"
+
+#
+# The location of the filter file.
+#
+Filter "/usr/local/etc/tinyproxy.filter"
+
+#
+# Filter based on URLs rather than domains.
+#
+#FilterURLs On
+
+#
+# Use POSIX Extended regular expressions rather than basic.
+#
+#FilterExtended On
+
+#
+# Use case sensitive regular expressions.
+#                                                                         
+#FilterCaseSensitive On     
+
+#
+# Change the default policy of the filtering system.  If this directive is
+# commented out, or is set to "No" then the default policy is to allow
+# everything which is not specifically denied by the filter file.
+#
+# However, by setting this directive to "Yes" the default policy becomes to
+# deny everything which is _not_ specifically allowed by the filter file.
+#
+FilterDefaultDeny No
+
+#
+# If an Anonymous keyword is present, then anonymous proxying is enabled.
+# The headers listed are allowed through, while all others are denied. If
+# no Anonymous keyword is present, then all header are allowed through.
+# You must include quotes around the headers.
+#
+#Anonymous "Host"
+#Anonymous "Authorization"
+
+#
+# This is a list of ports allowed by tinyproxy when the CONNECT method
+# is used.  To disable the CONNECT method altogether, set the value to 0.
+# If no ConnectPort line is found, all ports are allowed (which is not
+# very secure.)
+#
+# The following two ports are used by SSL.
+#
+ConnectPort 443
+#ConnectPort 563
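Review bot: With `FilterURLs` off, the `Filter "/usr/local/etc/tinyproxy.filter"` rules match destination host names only, so a public name that resolves to a private address, and any destination in 172.16.0.0/12 (absent from the filter file), still passes through the proxy; if the intent is to keep portal clients from reaching internal hosts via the proxy, enforce it on the proxy's outbound traffic in the packet filter and treat the filter file as a convenience. The comment above `#ViaProxyName "tinyproxy"` already states that the real host name in the `Via` header is a concern, so enable it rather than leaving the default. `Listen 0.0.0.0` is acceptable only because `Allow 127.0.0.1` and `Allow 172.16.0.0/12` gate access; a comment saying that the `Allow` list is the control worth reading would prevent a later edit from widening it casually.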
Index: /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.filter
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.filter	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/tinyproxy.filter	(revision 12525)
@@ -0,0 +1,2 @@
+192.168.*.*
+10.*.*.*
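Review bot: These two lines are unanchored basic regular expressions (tinyproxy.conf leaves `FilterExtended` and `FilterURLs` off), so `.` matches any character and `.*` matches anything; `10.*.*.*` therefore matches every host name that merely contains "10" (e.g. `cdn10.example.com`), and `192.168.*.*` matches any name containing `192x168`. Anchor and escape the dots, e.g. `^192\.168\.` and `^10\.`, and add a comment stating the file holds regexes matched against the destination host name.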
Index: /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/autologin.tmpl
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/autologin.tmpl	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/autologin.tmpl	(revision 12525)
@@ -0,0 +1,86 @@
+<html>
+  <head>
+    <title>Welkom aan Boord van %(portal_sponsor)s || Connectiviteit door Stichting Wireless Leiden</title>
+  </head>
+  <body>
+<center>
+<img src="/static/wl-logo.png">
+<img src="/static/sponsor-logo.png">
+</center>
+<h3>%(status_msg)s</h3>
+    <h1>Welkom aan Boord met %(portal_sponsor)s</h1>
+
+%(portal_sponsor)s bied u in samenwerking met Stichting Wireless Leiden op deze locatie internet aan. Twee ``huisregels'':
+<ol>
+<li>Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn
+kostenloos en u hoeft zich niet aan te melden. Maar u dient zich te houden aan
+de Nederlandse wetgeving en geen schade toe te brengen of ongemak te
+veroorzaken voor anderen.</li>
+<li>Stichting Wireless Leiden en %(portal_sponsor)s accepteren geen enkele
+aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of
+verband houdt met het gebruik van het netwerk.</li>
+</ol>
+
+<p />
+Wij wensen u nog een fijne dag,<br />
+%(portal_sponsor)s &amp; Stichting Wireless Leiden<br />
+<pre>PS: Voor de techneuten: TCP:80 (HTTP) en TCP:443 (HTTPS) zijn toegestaan</pre>
+
+
+<hr />
+<hr />
+   <h3>Internettoegang</h3> 
+   <p>U bent verbonden met het lokale Wireless Leiden network. Om te internetten moet u in uw browser een 'proxy' instellen en hieronder op 'accoord' klikken. Afhankelijk van de locatie kan het ook zonder proxy-instelling, maar de snelheid zal in het algemeen lager zijn.
+<h3>Instellen proxy in browser</h3>
+    In Firefox: ga naar Edit->Preferences->Advanced->Network->Settings.<br>
+    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
+    Gedetailleerde instructies kunt u vinden op onze <a href="http://www.wirelessleiden.nl">website</a>.
+    <p>
+N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.
+
+    <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
+    Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn kostenloos en u hoeft zich niet aan te melden. Maar u dient zich te houden aan de Nederlandse wetgeving en geen schade toe te brengen of ongemak te veroorzaken voor anderen.<br>
+    De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of verband houdt met het gebruik van het netwerk.<br>
+<b>Geef hieronder aan of u accoord gaat met deze voorwaarden:
+ <form action="http://%(portalroot)s/wlportal/" method="POST">
+<input name="action" type="hidden" value="login" />
+<input type="submit" value="OK, accoord" style="color:#000000; background: #FF3300; font-weight: bold"/>
+</form>
+
+</b>
+<hr>
+    <h1>Welcome to Wireless Leiden</h1>
+   <h3>Internet access</h3> 
+   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser.<br>
+    For instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
+    Manual proxy configuration: specify HTTP proxy: proxy.wleiden.net port 3128.<br>
+    Detailed instructions can be downloaded from our <a href="http://www.wirelessleiden.nl">website</a>.
+    </p>
+    <p>
+    Please note that you can only access the internet via your webbrowser, use of other applications like Microsoft Outlook is not possible (you have to use webmail).
+
+    <h3>Fair Use of Wireless Leiden</h3>
+    The use of the Wireless Leiden network and the internet connection are free and no registration is required. However, you should refrain from any illegal activity and not provide harm of any kind or inconvenience to other users.<br>
+    The Wireless Leiden Foundation does not accept any responsibility whatsoever for damage related to or originated from the use of the network. 
+
+<form action="http://%(portalroot)s/wlportal/" method="POST">
+<input name="action" type="hidden" value="login" />
+<input type="submit" value="OK, agreed" style="color:#000000; background: #FF3300; font-weight: bold" />
+</form>
+
+<hr>
+   <br>
+<em>
+   <a href="http://www.wirelessleiden.nl">Wireless Leiden Homepage</a>
+   <br />
+   </em>
+<h3>More options</h3>
+<form action="http://%(portalroot)s/wlportal/" method="POST">
+<input name="action" type="hidden" value="logout" />
+<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: #FF3300; font-weight: bold"/>
+</form>
+<hr /><em>Technical Details:</em><pre>
+%(tech_footer)s
+</pre>
+  </body>
+</html>
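Review bot: `%(status_msg)s`, `%(portal_sponsor)s`, `%(portalroot)s` and `%(tech_footer)s` are inserted by plain %-formatting with no HTML escaping, so if any of them carries request-derived data (the status message is the likely one; the renderer is not in this diff) the page is an injection point — escape at render time or move this template to the Jinja2 engine with autoescape that login.tmpl in this commit uses. `%(portalroot)s` is also emitted inside an `http://` form action, so the value must be a host name under the operator's control, not anything taken from the request. Minor markup issues: the `<b>` element wraps the first `<form>`, and "bied u" should read "biedt u".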
Index: /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/config.yaml.sample
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/config.yaml.sample	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/config.yaml.sample	(revision 12525)
@@ -0,0 +1,6 @@
+whitelist:
+  - 00:11:22:33:44:55
+  - 172.16.16.16
+portal_sponsor : Stichting Aalsmeer WestEinder
+portal_url     : http://www.aalsmeerwesteinder.nl
+refresh_delay  : 10
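Review bot: The `whitelist` mixes a MAC address and an IPv4 address, and both are client-chosen identifiers, so any entry here bypasses the portal for whoever presents that address; the sample should say so. Add a comment such as `# whitelist: MAC or IPv4 addresses that skip the login page; both are client-supplied, keep the list minimal` and note the unit of `refresh_delay` (presumably seconds — the consumer is not in this diff).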
Index: /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/login.tmpl
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/login.tmpl	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/etc/wlportal/login.tmpl	(revision 12525)
@@ -0,0 +1,93 @@
+<html>
+  <!-- This is an devel/py-Jinja2 template -->
+  <head>
+    <title>Welkom bij Wireless Leiden captive portal</title>
+  </head>
+  <style type='text/css'>
+.status {
+  background-color: lightgrey;
+  text-align: center;
+}
+.warning {
+  background-color: orange;
+  text-align: center;
+}
+  </style>
+  <body>
+<table width="100%"><tr>
+  <td>
+    <div class="status"><h2>{{ status_msg }}</h2></div>
+    <div class="warning">{{ warning_msg }}</div>
+  </td>
+  <td width="50px"><img src="/static/wl-logo.png"></td>
+</tr></table>
+<hr />
+   <small><i><a href="#english">For English see bottom of this page</a></i></small>
+   <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
+   <pre>
+   A) Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn
+      kostenloos en u hoeft zich niet aan te melden. 
+   B) U dient zich te houden aan de Nederlandse wetgeving en geen schade toe te
+      brengen of ongemak te veroorzaken voor anderen.
+   C) De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid
+      voor schade in welke vorm dan ook die is ontstaan door of verband houdt
+      met het gebruik van het netwerk.
+   </pre>
+
+   <h3>Internet Toegang</h3> 
+   <p>Internetten op het Wireless Leiden netwerk kan op twee manieren:<br />
+   <small>N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.</small>
+   <ol>
+   <li>In uw browser een 'proxy' instellen. (in het algemeen sneller internet).</li>
+   <li>Gebruik maken van de iLeiden service (gemakkelijk voor mobiele apparaten).</li>
+   </ol>
+
+ <form action="http://{{ portalroot }}/wlportal/" method="POST">
+<input name="action" type="hidden" value="login" />
+<input type="submit" value="I wil gebruik maken van iLeiden" style="color:#000000; background: green; font-weight: bold"/>
+</form>
+
+    <h4>Instellen proxy in browser</h4>
+    In Firefox: ga naar <em>Edit->Preferences-&gt;Advanced-&gt;Network-&gt;Settings.</em><br />
+    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
+    <p>
+    <small>N.B. Haal na gebruik de instellingen weer weg</small>
+<h4>Contact</h4>
+Vragen en opmerkingen kunt u kwijt op onze <a href="http://lijst.wirelessleiden.nl/mailman/listinfo/gebruikers">gebruikers mailing lijst</a>.
+<hr>
+<a name="english"></a>
+    <h1>Welcome to Wireless Leiden</h1>
+   <h3>Internet access</h3> 
+   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser OR click on the button bellow.<br>
+    To set the proxy for instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
+    Manual proxy configuration: specify HTTP proxy: proxy.wleiden.net port 3128.<br>
+    Detailed instructions can be downloaded from our <a href="http://www.wirelessleiden.nl">website</a>.
+    </p>
+    <p>
+    Please note that you can only access the internet via your webbrowser, use of other applications like Microsoft Outlook is not possible (you have to use webmail).
+
+    <h3>Fair Use of Wireless Leiden</h3>
+    The use of the Wireless Leiden network and the internet connection are free and no registration is required. However, you should refrain from any illegal activity and not provide harm of any kind or inconvenience to other users.<br>
+    The Wireless Leiden Foundation does not accept any responsibility whatsoever for damage related to or originated from the use of the network. 
+
+<form action="http://{{ portalroot }}/wlportal/" method="POST">
+<input name="action" type="hidden" value="login" />
+<input type="submit" value="OK, agreed" style="color:#000000; background: green; font-weight: bold" />
+</form>
+
+<hr>
+   <br>
+<em>
+   <a href="http://www.wirelessleiden.nl">Wireless Leiden Homepage</a>
+   <br />
+   </em>
+<h3>More options</h3>
+<form action="http://{{ portalroot }}/wlportal/" method="POST">
+<input name="action" type="hidden" value="logout" />
+<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: red; font-weight: bold"/>
+</form>
+<hr /><em>Technical Details:</em><pre>
+{{ tech_footer }}
+</pre>
+  </body>
+</html>
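Review bot: `{{ status_msg }}`, `{{ warning_msg }}`, `{{ portalroot }}` and `{{ tech_footer }}` are only escaped if the Jinja2 Environment that renders this file enables autoescaping, which it does not do by default; the renderer is not in this diff, so please confirm it sets `autoescape=True` or apply `|e` to the values that can carry request-derived text. The `<style>` element sits between `</head>` and `<body>`; move it inside `<head>`. Typos: "bellow" → "below", and the Dutch button label "I wil" → "Ik wil".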
Index: /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet	(revision 12525)
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+PATH=$PATH:/bin:/usr/bin
+export PATH
+
+# HTTP proxy to use
+HTTP_PROXY=http://proxy.wleiden.net:3128
+
+# Test page to query
+PROXY_TEST=http://proxy-test.wirelessleiden.nl/
+
+# Make variable global, so fetch can use it
+export HTTP_PROXY
+
+# Query the webpage
+SPEEDOUT=`fetch -o /dev/null ${PROXY_TEST} 2>&1`
+
+# What is the Exit code of fetch?
+SPEEDEXIT=$?
+
+# The speed by which the webpages was retrieved"
+SPEED=`echo ${SPEEDOUT} | awk '{ print $4 " " $5 }'`
+
+# What was the format of speed (Bps)
+TYPE=`echo ${SPEEDOUT} | awk '{ print $5 }'`
+
+# Dit the fetcommand exit happy, and was the format as we expected
+if [ ${SPEEDEXIT} -eq 0 -a "$TYPE" = "Bps" ]; then
+
+  # Let's celebrate, it was successfull
+  echo "INET OK: $SPEED"
+  exit 0
+else
+
+  # Oh no, time to get drunk, retrieval was unsuccessfull
+  echo "INET CRITICAL: $SPEEDOUT\n"
+  exit 2
+
+fi
+
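Review bot: The success test `"$TYPE" = "Bps"` only accepts a speed reported in plain `Bps`; fetch prints `kBps`/`MBps` for faster transfers, so a healthy link is likely reported as CRITICAL (exit 2) — match on the suffix, e.g. `case "$TYPE" in *Bps) ... esac`, or check `$SPEEDEXIT` alone. `echo "INET CRITICAL: $SPEEDOUT\n"` prints a literal `\n` on FreeBSD's sh, whose echo does not interpret escapes without `-e`; use `printf 'INET CRITICAL: %s\n' "$SPEEDOUT"` (the same line appears in check_inet2). `[ ... -eq 0 -a ... ]` uses the deprecated `-a`; write two tests joined by `&&`. A monitoring probe should also bound its runtime so a stalled proxy cannot block the scheduler: pass `fetch -T <seconds>` (placeholder) in the query.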
Index: /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet2
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet2	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_inet2	(revision 12525)
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+PATH=$PATH:/bin:/usr/bin
+export PATH
+
+# Test page to query
+PROXY_TEST=http://proxy-test.wirelessleiden.nl/
+
+# Query the webpage
+SPEEDOUT=`fetch -o /dev/null ${PROXY_TEST} 2>&1`
+
+# What is the Exit code of fetch?
+SPEEDEXIT=$?
+
+# The speed by which the webpages was retrieved"
+SPEED=`echo ${SPEEDOUT} | awk '/Bps/ { print $13 " " $14 }'`
+
+# Dit the fetcommand exit happy, and was the format as we expected
+if [ ${SPEEDEXIT} -eq 0 -a "$SPEED" ]; then
+
+  # Let's celebrate, it was successfull
+  printf "INET OK: $SPEED\n"
+  exit 0
+else
+
+  # Oh no, time to get drunk, retrieval was unsuccessfull
+  echo "INET CRITICAL: $SPEEDOUT\n"
+  exit 2
+
+fi
+
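Review bot: `printf "INET OK: $SPEED\n"` places data parsed from fetch's output into the printf format string; even though it is only expected to hold digits and a unit, the robust form is `printf 'INET OK: %s\n' "$SPEED"`. The condition `[ ${SPEEDEXIT} -eq 0 -a "$SPEED" ]` relies on a bare string as a test and on the deprecated `-a`; write `[ "${SPEEDEXIT}" -eq 0 ] && [ -n "$SPEED" ]`. The `$13 " " $14` field positions depend on fetch's progress line layout, so a comment showing the expected line would make the awk expression maintainable; the `echo ... \n` issue is the one already noted on check_inet.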
Index: /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_lv
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_lv	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/libexec/nagios/check_lv	(revision 12525)
@@ -0,0 +1,107 @@
+#!/usr/local/bin/python
+
+import os
+import re
+
+# Bsd config file
+config="/etc/rc.conf.local"
+
+def gettrees () :
+	ip = []
+
+	# Run through all the files in /tmp
+	for filename in os.listdir('/tmp'):
+
+		# Match lvrouted tree files and get ip address
+		# lvrouted.tree-172.16.4.9
+		match = re.match(r'lvrouted.tree-(.*)$', filename)
+		if match:
+
+			# append ip address to list
+			ip.append(match.group(1))
+
+	return ip
+
+# Get all ips in the subnet (based on ip and mask)
+def iprange (ip, mask) :
+
+        # Max number of bits in the subnetmask
+        max=32
+
+        # Make sure the mask is integer
+        mask=int(mask)
+
+        # Don't do anything with certain subnet sizes
+        if mask > 27 and mask < 32 :
+
+                # Make an ip list
+                iplist = []
+
+                # Split the ip 
+                oc = ip.split(".")
+
+                # Calculate the total subnet size
+                max = 2 ** ( max - mask )
+
+                # Make sure the last oclet of the ip is integer
+                oc[3] = int(oc[3]) 
+
+                # Calculate the lower end of the subnet
+                min = oc[3] - ( oc[3] % max ) + 1
+
+                # Calculate the upper end of the subnet
+                max = min + max - 2
+
+                # Run through all possible ip's
+                for oc3 in range(min, max):
+
+                        # Add Ip to iplist
+                        iplist.append(str(oc[0]) + "." + str(oc[1]) + "." + str(oc[2]) + "." + str(oc3))
+
+                # Return the iplist to the caller
+                return iplist
+
+# Open the config file and run through it
+file = open (config)
+treeips = gettrees()
+invalid = []
+rcips = []
+
+for line in file.readlines():
+
+        # Get variable's out of the config file and validate it
+        match = re.match(r'ipv4_addrs_(.*?)="(.*?)/([\d]{1,2})(.*)"$', line)
+        if match:
+
+                # Get info
+		iface = match.group(1)
+                ip = match.group(2)
+                mask = match.group(3)
+
+                # Call iprange, get all ip's in the subnet
+                allips = iprange(ip, mask)
+
+		# Don't iterate through empty list
+		if allips:
+
+			valid=0
+
+			# Check if one of the ip's in the lvrouted list (one must be present)
+			for rangeip in allips:
+				if rangeip in treeips:
+					valid=1
+
+			if not valid:
+				invalid.append(iface)
+
+if invalid:
+	retval = "LV ERROR:"
+	for iface in invalid:
+		retval = retval + " " + iface
+	print retval
+	exit(2)
+else:
+	print "LV OK"
+	exit(0)
+
+
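Review bot: Line `iface = match.group(1)` is indented with tabs while its neighbours use eight spaces; Python 2 accepts it because a tab expands to column 8, Python 3 rejects the block outright, so the file should be re-indented consistently before it bites. `file = open (config)` shadows the builtin and is never closed — use `with open(config) as cfg:` and iterate over `cfg`; `max`, `min` and `file` as local names shadow builtins too. `exit(2)`/`exit(0)` are the site-module helpers; `sys.exit(...)` is the right call in a script. `iprange` returns `None` for masks of 27 or lower and for 32, which the caller handles via `if allips:`, but the effect — such interfaces are never checked and count as OK — deserves a docstring on `iprange` rather than the comment "Don't do anything with certain subnet sizes".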
Index: /branches/releng-10/nanobsd/files/usr/local/sbin/fetchzone.sh
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/sbin/fetchzone.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/sbin/fetchzone.sh	(revision 12525)
@@ -0,0 +1,77 @@
+#!/bin/sh
+# $Id: fetchzone.sh 9970 2012-02-15 18:04:47Z rick $
+#
+# Wireless Leiden specific configuration to fetch DNS zones 
+# used by MaraDNS
+# 
+
+# Script is running in deamon mode to discriptors available, so make sure to
+# close them to avoid 'hanging' scripts.
+exec <&-
+exec 1>/dev/null
+exec 2>/dev/null
+
+
+# Updates of $ZONES we are going to fetch from the $SERVER every $IDLE seconds
+ZONES="wleiden.net. 16.172.in-addr.arpa. 17.172.in-addr.arpa. 
+18.172.in-addr.arpa. 19.172.in-addr.arpa. 20.172.in-addr.arpa.
+21.172.in-addr.arpa. 22.172.in-addr.arpa. 23.172.in-addr.arpa.
+24.172.in-addr.arpa. 25.172.in-addr.arpa. 26.172.in-addr.arpa.
+27.172.in-addr.arpa. 28.172.in-addr.arpa. 29.172.in-addr.arpa.
+30.172.in-addr.arpa. 31.172.in-addr.arpa."
+SERVER=172.16.4.46
+IDLE=3600
+
+LOGFILE=/var/log/fetchzone.log
+PIDFILE=/var/run/fetchzone.pid
+### END OF USER CONFIGURABLE VARIABLES ###
+
+TAGNAME=`basename $0 .sh`
+# Create logging service
+log() {
+  echo `date "+%b %e %T"`":" $* >> ${LOGFILE}
+  echo $* | logger -t "$TAGNAME"
+}
+
+# Register PID
+PID=$$
+echo ${PID} > ${PIDFILE}
+log "[INFO] Fetchzone starting with PID: $PID"
+
+# Make me a deamon script
+while [ true ]; do 
+
+  CHANGED_ZONES=""
+  # Run through multiple zones
+  for ZONE in ${ZONES}; do
+    # (re) Set some extra vars
+    TMPFILE=/tmp/dns-tmp-${ZONE}
+    REALFILE=/usr/local/etc/maradns/db.${ZONE}
+    # Execute Fetchzone
+    /usr/local/bin/fetchzone ${ZONE} ${SERVER} > ${TMPFILE}
+  
+    # Did Fetchzone exit unhappy
+    if [ $? -ne 0 ]; then
+      # Something went wrong lets log it
+      log "[ERROR] [$ZONE] Errors found in fetchzone query"
+      continue
+    fi
+
+    # Are there any changes, we need to put active?
+    cmp -s ${TMPFILE} ${REALFILE}
+    if [ $? -ne 0 ]; then
+      log "[INFO] [$ZONE] Changes found"
+      cp ${TMPFILE} ${REALFILE}
+      CHANGED_ZONES="$CHANGED_ZONES $ZONE"
+    fi
+  done
+
+  # Maradns requires a restart to load new zonefile
+  if [ -n "$CHANGED_ZONES" ]; then
+    log "[INFO] `/usr/local/etc/rc.d/maradns restart`"
+  fi
+
+  # Next run in $IDLE seconds
+  sleep ${IDLE}
+done
+
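Review bot: The per-zone scratch file `TMPFILE=/tmp/dns-tmp-${ZONE}` is a fixed, predictable path in a world-writable directory, and the script (which presumably runs as root, since it writes under /usr/local/etc/maradns and restarts the service) truncates it with `> ${TMPFILE}` and later copies it into place with `cp`; a local user who pre-creates that path as a symlink can redirect the write, and one who swaps the file between the fetch and the `cp` can plant zone data that maradns will then serve. Create the scratch file with mktemp in the destination directory and install it atomically instead: `TMPFILE=$(mktemp "/usr/local/etc/maradns/.db.${ZONE}.XXXXXX") || { log "[ERROR] [$ZONE] mktemp failed"; continue; }`, then replace `cp ${TMPFILE} ${REALFILE}` with `mv ${TMPFILE} ${REALFILE}` and add `rm -f ${TMPFILE}` on the unchanged and error branches so scratch files do not accumulate. Separately, the `$? -ne 0` test only catches a non-zero exit from fetchzone; an empty result with exit 0 would still be copied over the live zone file, so a `[ -s ${TMPFILE} ] ||` guard before the cmp is worth adding.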
Index: /branches/releng-10/nanobsd/files/usr/local/share/snmp/mibs/IEEE802dot11-MIB.txt
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/share/snmp/mibs/IEEE802dot11-MIB.txt	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/share/snmp/mibs/IEEE802dot11-MIB.txt	(revision 12525)
@@ -0,0 +1,2978 @@
+-- *****************************************************************
+-- IEEE802dot11-MIB :
+-- IEEE 802.11 Management Information Base file
+--
+-- Nov 2002, Francis Pang 
+--
+-- Copyright (c) 2002 by cisco Systems, Inc.
+-- All rights reserved.
+-- *****************************************************************
+
+-- **********************************************************************
+-- * IEEE 802.11 Management Information Base
+-- **********************************************************************
+
+IEEE802dot11-MIB DEFINITIONS ::= BEGIN
+
+    IMPORTS
+        MODULE-IDENTITY, OBJECT-TYPE, 
+        NOTIFICATION-TYPE,Integer32, Counter32,
+        Unsigned32 				FROM SNMPv2-SMI
+
+        DisplayString , MacAddress, RowStatus,
+        TruthValue                              FROM SNMPv2-TC
+
+        MODULE-COMPLIANCE, OBJECT-GROUP, 
+        NOTIFICATION-GROUP                      FROM SNMPv2-CONF 
+
+        ifIndex                                 FROM RFC1213-MIB;
+
+-- **********************************************************************
+-- *  Tree Definition
+-- **********************************************************************
+
+    member-body     OBJECT IDENTIFIER ::= { iso 2 }
+    us              OBJECT IDENTIFIER ::= { member-body 840 }
+
+-- **********************************************************************
+-- *  MODULE IDENTITY
+-- **********************************************************************
+
+ieee802dot11 MODULE-IDENTITY
+    LAST-UPDATED "0208300000Z"
+    ORGANIZATION "IEEE 802.11"
+    CONTACT-INFO 
+           "WG E-mail: stds-802-11@ieee.org
+
+                Chair: Stuart J. Kerry
+                Postal: Philips Semiconductors, Inc.
+                       1109 McKay Drive
+                       M/S 48 SJ
+                       San Jose, CA 95130-1706  USA
+                  Tel: +1 408 474 7356
+                  Fax: +1 408 474 7247
+               E-mail: stuart.kerry@philips.com
+
+               Editor: Bob O'Hara
+               Postal: Informed Technology, Inc.
+                       1750 Nantucket Circle, Suite 138
+                       Santa Clara, CA 95054 USA
+                  Tel: +1 408 986 9596
+                  Fax: +1 408 727 2654
+               E-mail: bob@informed-technology.com"
+    DESCRIPTION
+        "The MIB module for IEEE 802.11 entities.
+        iso(1).member-body(2).us(840).ieee802dot11(10036)"
+    ::= { us 10036 }
+
+-- **********************************************************************
+-- *  Major sections
+-- **********************************************************************
+
+--  Station ManagemenT (SMT) Attributes
+    --  DEFINED AS "The SMT object class provides the necessary support
+    --  at the station to manage the processes in the station such that
+    --  the station may work cooperatively as a part of an IEEE 802.11
+    --  network."
+
+    dot11smt OBJECT IDENTIFIER ::= { ieee802dot11 1 }
+
+        --  dot11smt GROUPS
+        --  dot11StationConfigTable            ::= { dot11smt 1 }
+        --  dot11AuthenticationAlgorithmsTable ::= { dot11smt 2 }
+        --  dot11WEPDefaultKeysTable           ::= { dot11smt 3 }
+        --  dot11WEPKeyMappingsTable           ::= { dot11smt 4 }
+        --  dot11PrivacyTable                  ::= { dot11smt 5 }
+        --  dot11SMTnotification               ::= { dot11smt 6 }
+        --  dot11MultiDomainCapabilityTable    ::= { dot11smt 7 }
+
+--  MAC Attributes
+    --  DEFINED AS "The MAC object class provides the necessary support
+    --  for the access control, generation, and verification of frame
+    --  check sequences (FCSs), and proper delivery of valid data to 
+    --  upper layers."
+
+    dot11mac OBJECT IDENTIFIER ::= { ieee802dot11 2 }
+
+      --  MAC GROUPS
+      --  reference IEEE Std 802.1f-1993
+         --  dot11OperationTable   	    ::= { dot11mac 1 }
+         --  dot11CountersTable    	    ::= { dot11mac 2 }
+         --  dot11GroupAddressesTable 	    ::= { dot11mac 3 }
+
+--  Resource Type ID
+    dot11res 		OBJECT IDENTIFIER 	::= { ieee802dot11 3 }
+    dot11resAttribute 	OBJECT IDENTIFIER 	::= { dot11res 1 }
+
+--  PHY Attributes
+    --  DEFINED AS "The PHY object class provides the necessary support
+    --  for required PHY operational information that may vary from PHY
+    --  to PHY and from STA to STA to be communicated to upper layers."
+
+    dot11phy OBJECT IDENTIFIER ::= { ieee802dot11 4 }
+
+    --  PHY GROUPS
+    	--  dot11PhyOperationTable    	    ::= { dot11phy 1 }
+    	--  dot11PhyAntennaTable   	    ::= { dot11phy 2 }
+    	--  dot11PhyTxPowerTable      	    ::= { dot11phy 3 }
+    	--  dot11PhyFHSSTable         	    ::= { dot11phy 4 }
+    	--  dot11PhyDSSSTable         	    ::= { dot11phy 5 }
+    	--  dot11PhyIRTable           	    ::= { dot11phy 6 }
+    	--  dot11RegDomainsSupportedTable   ::= { dot11phy 7 }
+    	--  dot11AntennasListTable          ::= { dot11phy 8 }
+    	--  dot11SupportedDataRatesTxTable  ::= { dot11phy 9 }
+    	--  dot11SupportedDataRatesRxTable  ::= { dot11phy 10 }
+    	--  dot11PhyOFDMTable               ::= { dot11phy 11 }
+    	--  dot11PhyHRDSSSTable 	    ::= { dot11phy 12 }
+	--  dot11EHCCHoppingPatternTable    ::= { dot11phy 13 }
+
+-- **********************************************************************
+-- *  Textual conventions from 802 definitions
+-- **********************************************************************
+
+    WEPKeytype ::= OCTET STRING (SIZE (5))
+
+-- **********************************************************************
+-- *  MIB attribute OBJECT-TYPE definitions follow
+-- **********************************************************************
+
+-- **********************************************************************
+-- *  SMT Station Config  Table
+-- **********************************************************************
+
+dot11StationConfigTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11StationConfigEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Station Configuration attributes.  In tablular form to
+            allow for multiple instances on an agent."
+    ::= { dot11smt 1 }
+
+dot11StationConfigEntry OBJECT-TYPE
+        SYNTAX Dot11StationConfigEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11StationConfigTable.  It is
+            possible for there to be multiple IEEE 802.11 interfaces
+            on one agent, each with its unique MAC address. The
+            relationship between an IEEE 802.11 interface and an
+            interface in the context of the Internet-standard MIB is
+            one-to-one.  As such, the value of an ifIndex object
+            instance can be directly used to identify corresponding
+            instances of the objects defined herein.  
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11StationConfigTable 1 }
+
+Dot11StationConfigEntry ::=
+        SEQUENCE { 	
+	    dot11StationID                        MacAddress,
+            dot11MediumOccupancyLimit          	  INTEGER,
+            dot11CFPollable                    	  TruthValue,
+            dot11CFPPeriod                     	  INTEGER, 
+            dot11CFPMaxDuration                	  INTEGER,
+            dot11AuthenticationResponseTimeOut 	  Unsigned32,
+            dot11PrivacyOptionImplemented      	  TruthValue,
+	    dot11PowerManagementMode	  	  INTEGER,
+	    dot11DesiredSSID		  	  OCTET STRING,
+	    dot11DesiredBSSType		  	  INTEGER,
+	    dot11OperationalRateSet		  OCTET STRING,
+	    dot11BeaconPeriod		  	  INTEGER,
+	    dot11DTIMPeriod			  INTEGER,
+	    dot11AssociationResponseTimeOut	  Unsigned32,
+            dot11DisassociateReason               INTEGER,
+            dot11DisassociateStation              MacAddress,
+            dot11DeauthenticateReason             INTEGER,
+            dot11DeauthenticateStation            MacAddress,
+            dot11AuthenticateFailStatus           INTEGER,
+            dot11AuthenticateFailStation          MacAddress,
+            dot11MultiDomainCapabilityImplemented TruthValue, 
+	    dot11MultiDomainCapabilityEnabled TruthValue, 
+	    dot11CountryString		  OCTET STRING }
+
+dot11StationID OBJECT-TYPE
+        SYNTAX MacAddress
+        MAX-ACCESS read-write
+        STATUS deprecated
+        DESCRIPTION
+            "The purpose of dot11StationID is to allow a manager to 
+            identify a station for its own purposes.  This attribute
+            provides for that eventuality while keeping the true MAC
+            address independent.  Its syntax is MAC address, and the
+            default value is the station's assigned, unique 
+            MAC address."
+    ::= { dot11StationConfigEntry 1 }
+
+dot11MediumOccupancyLimit OBJECT-TYPE
+        SYNTAX INTEGER (0..1000)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "This attribute shall indicate the maximum amount of time,
+            in TU, that a point coordinator (PC) may control the usage 
+            of the wireless medium (WM) without relinquishing control 
+            for long enough to allow at least one instance of DCF access 
+            to the medium.  The default value of this attribute shall 
+            be 100, and the maximum value shall be 1000."
+    ::= { dot11StationConfigEntry 2 }
+
+dot11CFPollable OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "When this attribute is true, it shall indicate that 
+	        the STA is able to respond to a CF-Poll with a data frame 
+	        within a SIFS time. This attribute shall be false if 
+	        the STA is not able to respond to a CF-Poll with a data 
+	        frame within a SIFS time."
+    ::= { dot11StationConfigEntry 3 }
+
+dot11CFPPeriod OBJECT-TYPE
+        SYNTAX INTEGER (0..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The attribute shall describe the number of DTIM intervals
+            between the start of CFPs.  It is modified by
+            MLME-START.request primitive."
+    ::= { dot11StationConfigEntry 4 }
+
+dot11CFPMaxDuration OBJECT-TYPE
+        SYNTAX INTEGER (0..65535)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "The attribute shall describe the maximum duration of 
+	        the CFP in TU that may be generated by the PCF. It is 
+	        modified by MLME-START.request primitive."
+    ::= { dot11StationConfigEntry 5 }
+
+dot11AuthenticationResponseTimeOut OBJECT-TYPE
+        SYNTAX Unsigned32 (1..4294967295)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "This attribute shall specify the number of time units (TUs)
+             that a responding STA should wait for the next frame in the
+            authentication sequence."
+    ::= { dot11StationConfigEntry 6 }
+
+dot11PrivacyOptionImplemented OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This attribute, when true, shall indicate that the IEEE
+            802.11 WEP option is implemented.  The default value of
+            this attribute shall be false."
+    ::= { dot11StationConfigEntry 7 }
+
+dot11PowerManagementMode OBJECT-TYPE
+		SYNTAX INTEGER { active(1), powersave(2) }
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the power management
+			mode of the STA. When set to active, it shall 
+			indicate that the station is not in power-save 
+			(PS) mode. When set to powersave, it shall indicate
+			 that the station is in power-save mode. The power 
+			management mode is transmitted in all frames 
+			according to the rules in  7.1.3.1.7."
+	::= { dot11StationConfigEntry 8 }
+
+dot11DesiredSSID OBJECT-TYPE
+		SYNTAX OCTET STRING (SIZE(0..32))
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute reflects the Service Set ID (SSID)
+			used in the DesiredSSID parameter of the most recent
+			MLME_Scan.request.  This value may be modified
+			by an external management entity and used by the
+			local SME to make decisions about the Scanning 
+			process."
+	::= { dot11StationConfigEntry 9 }
+
+dot11DesiredBSSType OBJECT-TYPE
+		SYNTAX INTEGER { infrastructure(1), independent(2), any(3) }
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the type of BSS the
+			station shall use when scanning for a BSS with 
+			which to synchronize. This value is used to filter 
+			Probe Response frames and Beacons. When set to 
+			infrastructure, the station shall only synchronize 
+			with a BSS whose Capability Information field has 
+			the ESS subfield set to 1. When set to independent, 
+			the station shall only synchronize with a BSS whose 
+			Capability Information field has the IBSS subfield 
+			set to 1. When set to any, the station may 
+			synchronize to either type of BSS."
+	::= { dot11StationConfigEntry 10 }
+
+dot11OperationalRateSet OBJECT-TYPE
+		SYNTAX OCTET STRING (SIZE(1..126))
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the set of data 
+			rates at which the station may transmit data.  
+			Each octet contains a value representing a rate.  
+			Each rate shall be within the range from 2 to 127,
+			corresponding to data rates in increments of
+			500 kbit/s from 1 Mbit/s to 63.5 Mbit/s, and shall 
+			be supported (as indicated in the supported rates
+			table) for receiving data. This value is reported in
+			transmitted Beacon, Probe Request, Probe Response,
+			Association Request, Association Response,
+			Reassociation Request, and Reassociation Response
+			frames, and is used to determine whether a BSS
+			with which the station desires to synchronize is
+			suitable. It is also used when starting a BSS,
+			as specified in  10.3."
+	::= { dot11StationConfigEntry 11 }
+
+dot11BeaconPeriod OBJECT-TYPE
+		SYNTAX INTEGER (1..65535)
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the number of TUs that 
+			a station shall use for scheduling Beacon 
+			transmissions. This value is transmitted in Beacon 
+			and Probe Response frames."
+	::= { dot11StationConfigEntry 12 }
+
+dot11DTIMPeriod OBJECT-TYPE
+		SYNTAX INTEGER(1..255)
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the number of beacon
+			intervals that shall elapse between transmission of
+			Beacons frames containing a TIM element whose DTIM
+			Count field is 0. This value is transmitted in
+			the DTIM Period field of Beacon frames."
+	::= { dot11StationConfigEntry 13 }
+
+dot11AssociationResponseTimeOut OBJECT-TYPE
+		SYNTAX Unsigned32 (1..4294967295)
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall specify the number of TU that a
+			requesting STA should wait for a response to a
+			transmitted association-request MMPDU."
+	::= { dot11StationConfigEntry 14 }
+
+dot11DisassociateReason OBJECT-TYPE
+		SYNTAX INTEGER(0..65535)
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the most recently
+			transmitted Reason Code in a Disassociation
+			frame.  If no Disassociation frame has been
+			transmitted, the value of this attribute shall
+			be 0."
+        REFERENCE "IEEE Std 802.11-2002, 7.3.1.7"
+	::= { dot11StationConfigEntry 15 }
+
+dot11DisassociateStation OBJECT-TYPE
+		SYNTAX MacAddress
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the MAC address from the
+			Address 1 field of the most recently transmitted
+			Disassociation frame.  If no Disassociation
+			frame has been transmitted, the value of this
+			attribute shall be 0."
+	::= { dot11StationConfigEntry 16 }
+
+dot11DeauthenticateReason OBJECT-TYPE
+		SYNTAX INTEGER(0..65535)
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the most recently
+			transmitted Reason Code in a Deauthentication
+			frame.  If no Deauthentication frame has been
+			transmitted, the value of this attribute shall
+			be 0."
+        REFERENCE "IEEE Std 802.11-2002, 7.3.1.7"
+	::= { dot11StationConfigEntry 17 }
+
+dot11DeauthenticateStation OBJECT-TYPE
+		SYNTAX MacAddress
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the MAC address from the
+			Address 1 field of the most recently transmitted
+			Deauthentication frame.  If no Deauthentication
+			frame has been transmitted, the value of this
+			attribute shall be 0."
+	::= { dot11StationConfigEntry 18 }
+
+dot11AuthenticateFailStatus OBJECT-TYPE
+		SYNTAX INTEGER(0..65535)
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the most recently
+			transmitted Status Code in a failed
+			Authentication frame.  If no failed
+			Authentication frame has been transmitted, the
+			value of this attribute shall be 0."
+        REFERENCE "IEEE Std 802.11-2002, 7.3.1.9"
+	::= { dot11StationConfigEntry 19 }
+
+dot11AuthenticateFailStation OBJECT-TYPE
+		SYNTAX MacAddress
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute holds the MAC address from the
+			Address 1 field of the most recently transmitted
+			failed Authentication frame.  If no failed
+			Authentication frame has been transmitted, the
+			value of this attribute shall be 0."
+	::= { dot11StationConfigEntry 20 }
+
+dot11MultiDomainCapabilityImplemented OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, when TRUE, indicates that the 
+			station implementation is capable of supporting 
+			multiple regulatory domains.  The capability is 
+			disabled, otherwise.  The default value of this 
+			attribute is FALSE."
+	::= { dot11StationConfigEntry 21 }
+
+dot11MultiDomainCapabilityEnabled OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, when TRUE, indicates that the 
+			capability of the station to operate in multiple 
+			regulatory domains is enabled.  The capability is 
+			disabled, otherwise.  The default value of this 
+			attribute is FALSE."
+	::= { dot11StationConfigEntry 22 }
+
+dot11CountryString OBJECT-TYPE
+		SYNTAX OCTET STRING (SIZE(3))
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute identifies the country in which the 
+			station is operating. The first two octets of this 
+			string is the two character country code as described 
+			in document ISO/IEC 3166-1.  The third octet shall 
+			be one of the following:
+
+			1. an ASCII space character, if the regulations under 
+			which the station is operating encompass all 
+			environments in the country,
+
+			2. an ASCII 'O' character, if the regulations under 
+			which the station is operating are for an Outdoor 
+			environment only, or
+
+			3. an ASCII 'I' character, if the regulations under 
+			which the station is operating are for an Indoor 
+			environment only."
+	::= { dot11StationConfigEntry 23 }
+
+-- **********************************************************************
+-- *    End of dot11StationConfig  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    AuthenticationAlgorithms  TABLE
+-- **********************************************************************
+
+dot11AuthenticationAlgorithmsTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11AuthenticationAlgorithmsEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "This (conceptual) table of attributes shall be a set of
+            all the authentication algorithms supported by the
+            stations.  The following are the default values and the
+            associated algorithm:
+                Value = 1: Open System
+                Value = 2: Shared Key"
+        REFERENCE "IEEE Std 802.11-2002, 7.3.1.1"
+    ::= { dot11smt 2 }
+
+dot11AuthenticationAlgorithmsEntry OBJECT-TYPE
+        SYNTAX Dot11AuthenticationAlgorithmsEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the Authentication
+            Algorithms Table.  
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex,
+                dot11AuthenticationAlgorithmsIndex }
+    ::= { dot11AuthenticationAlgorithmsTable  1 }
+
+Dot11AuthenticationAlgorithmsEntry ::= 
+        SEQUENCE {	dot11AuthenticationAlgorithmsIndex	Integer32,
+        	       	dot11AuthenticationAlgorithm      	INTEGER,
+	    	     	dot11AuthenticationAlgorithmsEnable	TruthValue }
+
+dot11AuthenticationAlgorithmsIndex OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The auxiliary variable used to identify instances
+            of the columnar objects in the Authentication Algorithms Table."
+    ::= { dot11AuthenticationAlgorithmsEntry 1 }
+
+dot11AuthenticationAlgorithm OBJECT-TYPE
+        SYNTAX INTEGER { openSystem(1), sharedKey(2) }
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This attribute shall be a set of all the authentication
+	        algorithms supported by the STAs. The following are the
+	        default values and the associated algorithm.  
+		        Value = 1: Open System 
+		        Value = 2: Shared Key"
+    ::= { dot11AuthenticationAlgorithmsEntry 2 }
+
+dot11AuthenticationAlgorithmsEnable  OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "This attribute, when true at a station, shall enable the acceptance 
+	        of the authentication algorithm described in the corresponding table 
+	        entry in authentication frames received by the station that have odd 
+	        authentication sequence numbers.  The default value of this attribute 
+	        shall be 1 for the Open System table entry and 2 for all other table 
+	        entries."
+    ::= { dot11AuthenticationAlgorithmsEntry 3 }
+
+-- **********************************************************************
+-- *    End of AuthenticationAlgorithms  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    WEPDefaultKeys  TABLE
+-- **********************************************************************
+
+dot11WEPDefaultKeysTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11WEPDefaultKeysEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Conceptual table for WEP default keys.  This table shall
+            contain the four WEP default secret key values
+            corresponding to the four possible KeyID values.  The WEP
+            default secret keys are logically WRITE-ONLY.  Attempts to
+            read the entries in this table shall return unsuccessful
+            status and values of null or zero.  The default value of
+            each WEP default key shall be null."
+        REFERENCE "IEEE Std 802.11-2002, 8.3.2"
+    ::= { dot11smt 3 }
+
+dot11WEPDefaultKeysEntry OBJECT-TYPE
+        SYNTAX Dot11WEPDefaultKeysEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the WEP Default Keys Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+       INDEX { ifIndex, 
+               dot11WEPDefaultKeyIndex}
+    ::= { dot11WEPDefaultKeysTable  1 }
+
+Dot11WEPDefaultKeysEntry ::= 
+        SEQUENCE {	dot11WEPDefaultKeyIndex     INTEGER,
+        	    	dot11WEPDefaultKeyValue     WEPKeytype }
+
+dot11WEPDefaultKeyIndex OBJECT-TYPE
+        SYNTAX INTEGER (1..4)
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The auxiliary variable used to identify instances
+            of the columnar objects in the WEP Default Keys Table.
+           The value of this variable is equal to the WEPDefaultKeyID + 1"
+    ::= { dot11WEPDefaultKeysEntry 1 }
+
+dot11WEPDefaultKeyValue OBJECT-TYPE
+        SYNTAX WEPKeytype
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "A WEP default secret key value."
+    ::= { dot11WEPDefaultKeysEntry 2 }
+
+-- **********************************************************************
+-- *    End of WEPDefaultKeys  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    WEPKeyMappings  TABLE
+-- **********************************************************************
+
+dot11WEPKeyMappingsTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11WEPKeyMappingsEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Conceptual table for WEP Key Mappings.  The MIB supports
+            the ability to share a separate WEP key for each RA/TA
+            pair.  The Key Mappings Table contains zero or one entry
+            for each MAC address and contains two fields for each
+            entry: WEPOn and the corresponding WEP key.  The WEP key
+            mappings are logically WRITE-ONLY.  Attempts to read the
+            entries in this table shall return unsuccessful status and
+            values of null or zero.  The default value for all WEPOn
+            fields is false."
+        REFERENCE "IEEE Std 802.11-2002, 8.3.2"
+    ::= { dot11smt 4 }
+
+dot11WEPKeyMappingsEntry OBJECT-TYPE
+        SYNTAX Dot11WEPKeyMappingsEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the WEP Key Mappings Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11WEPKeyMappingIndex }
+    ::= { dot11WEPKeyMappingsTable  1 }
+
+Dot11WEPKeyMappingsEntry ::= 
+        SEQUENCE {	dot11WEPKeyMappingIndex	    Integer32,
+        	    	dot11WEPKeyMappingAddress   MacAddress,
+        	    	dot11WEPKeyMappingWEPOn 	TruthValue,
+        	    	dot11WEPKeyMappingValue     WEPKeytype,
+	    			dot11WEPKeyMappingStatus	RowStatus }
+
+dot11WEPKeyMappingIndex OBJECT-TYPE
+        SYNTAX Integer32 
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The auxiliary variable used to identify instances
+            of the columnar objects in the WEP Key Mappings Table."
+    ::= { dot11WEPKeyMappingsEntry 1 }
+
+dot11WEPKeyMappingAddress OBJECT-TYPE
+        SYNTAX MacAddress
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "The MAC address of the STA for which the values from this
+            key mapping entry are to be used."
+    ::= { dot11WEPKeyMappingsEntry 2 }
+
+dot11WEPKeyMappingWEPOn OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "Boolean as to whether WEP is to be used when communicating
+            with the dot11WEPKeyMappingAddress STA."
+    ::= { dot11WEPKeyMappingsEntry 3 }
+
+dot11WEPKeyMappingValue OBJECT-TYPE
+        SYNTAX WEPKeytype
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "A WEP secret key value."
+    ::= { dot11WEPKeyMappingsEntry 4 }
+
+dot11WEPKeyMappingStatus OBJECT-TYPE
+        SYNTAX RowStatus
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "The status column used for creating, modifying, and
+            deleting instances of the columnar objects in the WEP key
+            mapping Table."
+        DEFVAL { active }
+    ::= { dot11WEPKeyMappingsEntry 5 }
+
+-- **********************************************************************
+-- *    End of WEPKeyMappings  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PrivacyTable  TABLE
+-- **********************************************************************
+
+dot11PrivacyTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PrivacyEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group containing attributes concerned with IEEE 802.11
+            Privacy.  Created as a table to allow multiple
+            instantiations on an agent."
+    ::= { dot11smt 5 }
+
+dot11PrivacyEntry OBJECT-TYPE
+        SYNTAX Dot11PrivacyEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PrivacyTable Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PrivacyTable 1 }
+
+Dot11PrivacyEntry ::= 
+        SEQUENCE {	dot11PrivacyInvoked        	TruthValue,
+        	     	dot11WEPDefaultKeyID       	INTEGER,
+        	     	dot11WEPKeyMappingLength	Unsigned32,
+        	     	dot11ExcludeUnencrypted 	TruthValue,
+            	 	dot11WEPICVErrorCount      	Counter32,
+            	 	dot11WEPExcludedCount      	Counter32 }
+
+dot11PrivacyInvoked OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "When this attribute is true, it shall indicate that the IEEE
+	        802.11 WEP mechanism is used for transmitting frames of type
+	        Data. The default value of this attribute shall be false."
+    ::= { dot11PrivacyEntry 1 }
+
+dot11WEPDefaultKeyID  OBJECT-TYPE
+        SYNTAX INTEGER (0..3)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "This attribute shall indicate the use of the first,
+            second, third, or fourth element of the WEPDefaultKeys
+            array when set to values of zero, one, two, or three.  The
+            default value of this attribute shall be 0."
+        REFERENCE "IEEE Std 802.11-2002, 8.3.2"
+    ::= { dot11PrivacyEntry 2 }
+
+dot11WEPKeyMappingLength  OBJECT-TYPE
+        SYNTAX Unsigned32 (10..4294967295)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The maximum number of tuples that dot11WEPKeyMappings can hold."
+        REFERENCE "IEEE Std 802.11-2002, 8.3.2"
+    ::= { dot11PrivacyEntry 3 }
+
+dot11ExcludeUnencrypted  OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "When this attribute is true, the STA shall not indicate at
+	        the MAC service interface received MSDUs that have the WEP
+	        subfield of the Frame Control field equal to zero. When this
+	        attribute is false, the STA may accept MSDUs that have the WEP
+	        subfield of the Frame Control field equal to zero. The default
+	        value of this attribute shall be false."
+    ::= { dot11PrivacyEntry 4 }
+
+dot11WEPICVErrorCount  OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when a frame is received with the
+            WEP subfield of the Frame Control field set to one and the value
+            of the ICV as received in the frame does not match the ICV value
+            that is calculated for the contents of the received frame."
+    ::= { dot11PrivacyEntry 5 }
+
+dot11WEPExcludedCount  OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when a frame is received with the
+            WEP subfield of the Frame Control field set to zero and the value
+            of dot11ExcludeUnencrypted causes that frame to be discarded."
+    ::= { dot11PrivacyEntry 6 }
+
+-- **********************************************************************
+-- *    End of dot11Privacy  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    SMT notification Objects
+-- **********************************************************************
+
+dot11SMTnotification OBJECT IDENTIFIER ::= { dot11smt 6 }
+
+dot11Disassociate NOTIFICATION-TYPE
+        OBJECTS { ifIndex, dot11DisassociateReason, dot11DisassociateStation }
+        STATUS current
+        DESCRIPTION
+	        "The disassociate notification shall be sent when the STA
+	        sends a Disassociation frame. The value of the notification
+	        shall include the MAC address of the MAC to which the Disassociation
+	        frame was sent and the reason for the disassociation.
+
+  	        ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+    ::= { dot11SMTnotification 0 1 }
+
+dot11Deauthenticate NOTIFICATION-TYPE
+        OBJECTS { ifIndex, dot11DeauthenticateReason, dot11DeauthenticateStation }
+        STATUS current
+        DESCRIPTION
+	        "The deauthenticate notification shall be sent when the STA
+	        sends a Deauthentication frame. The value of the notification
+	        shall include the MAC address of the MAC to which the Deauthentication
+	        frame was sent and the reason for the deauthentication.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+    ::= { dot11SMTnotification 0 2 }
+
+dot11AuthenticateFail NOTIFICATION-TYPE
+        OBJECTS { ifIndex, dot11AuthenticateFailStatus, dot11AuthenticateFailStation }
+        STATUS current
+        DESCRIPTION
+	        "The authenticate failure notification shall be sent when the STA
+	        sends an Authentication frame with a status code other than 
+	        'successful'. The value of the notification
+	        shall include the MAC address of the MAC to which the Authentication
+	        frame was sent and the reason for the authentication failure.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+    ::= { dot11SMTnotification 0 3 }
+
+
+-- **********************************************************************
+-- *    End of SMT notification Objects
+-- **********************************************************************
+
+-- ********************************************************************
+-- * dot11MultiDomainCapability TABLE
+-- ********************************************************************
+
+dot11MultiDomainCapabilityTable OBJECT-TYPE
+	    SYNTAX SEQUENCE OF Dot11MultiDomainCapabilityEntry
+	    MAX-ACCESS not-accessible
+	    STATUS current
+	    DESCRIPTION
+			"This (conceptual) table of attributes for 
+			cross-domain mobility."
+	::= { dot11smt 7 }
+
+dot11MultiDomainCapabilityEntry OBJECT-TYPE
+		SYNTAX Dot11MultiDomainCapabilityEntry
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"An entry (conceptual row) in the Multiple Domain 
+                        Capability Table.
+
+			IfIndex - Each IEEE 802.11 interface is represented 
+			by an ifEntry. Interface tables in this MIB are 
+			indexed by ifIndex."
+		INDEX { ifIndex,
+		        dot11MultiDomainCapabilityIndex }
+	::= { dot11MultiDomainCapabilityTable 1 }
+	
+Dot11MultiDomainCapabilityEntry ::=
+	SEQUENCE {	dot11MultiDomainCapabilityIndex		Integer32,
+			dot11FirstChannelNumber			Integer32,
+			dot11NumberofChannels			Integer32,
+			dot11MaximumTransmitPowerLevel		Integer32 }
+
+dot11MultiDomainCapabilityIndex OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"The auxiliary variable used to identify instances of 
+			the columnar objects in the Multi Domain Capability Table."
+	::= { dot11MultiDomainCapabilityEntry 1 }
+
+dot11FirstChannelNumber OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall indicate the value of the lowest 
+			channel number in the subband for the associated domain 
+			country string. The default value of this attribute 
+			shall be zero."
+	::= { dot11MultiDomainCapabilityEntry 2 }
+
+dot11NumberofChannels OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall indicate the value of the total 
+			number of channels allowed in the subband for the 
+			associated domain country string. The default value of 
+			this attribute shall be zero."
+	::= { dot11MultiDomainCapabilityEntry 3 }
+
+dot11MaximumTransmitPowerLevel OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall indicate the maximum transmit power, 
+			in dBm, allowed in the subband for the associated domain 
+			country string. The default value of this attribute shall 
+			be zero."
+	::= { dot11MultiDomainCapabilityEntry 4 }
+
+-- ********************************************************************
+-- * End of dot11MultiDomainCapability TABLE
+-- ********************************************************************
+
+
+-- **********************************************************************
+-- *    MAC Attribute Templates
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11OperationTable  TABLE
+-- **********************************************************************
+
+dot11OperationTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11OperationEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group contains MAC attributes pertaining to the operation
+            of the MAC.  This has been implemented as a table in order
+            to allow for multiple instantiations on an agent."
+    ::= { dot11mac 1 }
+
+dot11OperationEntry OBJECT-TYPE
+        SYNTAX Dot11OperationEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11OperationEntry Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11OperationTable 1 }
+
+Dot11OperationEntry ::= 
+        SEQUENCE {	dot11MACAddress                 MacAddress,
+            		dot11RTSThreshold               INTEGER,
+            		dot11ShortRetryLimit            INTEGER,
+            		dot11LongRetryLimit             INTEGER,
+            		dot11FragmentationThreshold     INTEGER,
+            		dot11MaxTransmitMSDULifetime    Unsigned32,
+            		dot11MaxReceiveLifetime         Unsigned32,
+            		dot11ManufacturerID             DisplayString,
+            		dot11ProductID                  DisplayString }
+
+dot11MACAddress OBJECT-TYPE
+        SYNTAX MacAddress
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+        	"Unique MAC Address assigned to the STA."
+    ::= { dot11OperationEntry 1 }
+
+dot11RTSThreshold OBJECT-TYPE
+        SYNTAX INTEGER (0..2347)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "This attribute shall indicate the number of octets in an MPDU,
+	        below which an RTS/CTS handshake shall not be performed. An
+	        RTS/CTS handshake shall be performed at the beginning of any
+	        frame exchange sequence where the MPDU is of type Data or
+	        Management, the MPDU has an individual address in the Address1
+	        field, and the length of the MPDU is greater than
+	        this threshold. (For additional details, refer to Table 21 in
+	        9.7.) Setting this attribute to be larger than the maximum
+	        MSDU size shall have the effect of turning off the RTS/CTS
+	        handshake for frames of Data or Management type transmitted by
+	        this STA. Setting this attribute to zero shall have the effect
+	        of turning on the RTS/CTS handshake for all frames of Data or
+	        Management type transmitted by this STA. The default value of
+	        this attribute shall be 2347."
+    ::= { dot11OperationEntry 2 }
+
+dot11ShortRetryLimit OBJECT-TYPE
+        SYNTAX INTEGER (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "This attribute shall indicate the maximum number of
+	        transmission attempts of a frame, the length of which is less
+	        than or equal to dot11RTSThreshold, that shall be made before a
+	        failure condition is indicated. The default value of this
+	        attribute shall be 7."
+    ::= { dot11OperationEntry 3 }
+
+dot11LongRetryLimit OBJECT-TYPE
+        SYNTAX INTEGER (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "This attribute shall indicate the maximum number of
+	        transmission attempts of a frame, the length of which is
+	        greater than dot11RTSThreshold, that shall be made before a
+	        failure condition is indicated. The default value of this
+	        attribute shall be 4."
+    ::= { dot11OperationEntry 4 }
+
+dot11FragmentationThreshold OBJECT-TYPE
+        SYNTAX INTEGER (256..2346)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "This attribute shall specify the current maximum size, in
+	        octets, of the MPDU that may be delivered to the PHY. An MSDU
+	        shall be broken into fragments if its size exceeds the value
+	        of this attribute after adding MAC headers and trailers. An MSDU
+	        or MMPDU shall be fragmented when the resulting frame has an
+	        individual address in the Address1 field, and the length of the
+	        frame is larger than this threshold. The default value for this
+	        attribute shall be the lesser of 2346 or the aMPDUMaxLength of
+	        the attached PHY and shall never exceed the lesser of 2346 or
+	        the  aMPDUMaxLength of the attached PHY. The value of this
+	        attribute shall never be less than 256. "
+    ::= { dot11OperationEntry 5 }
+
+dot11MaxTransmitMSDULifetime OBJECT-TYPE
+        SYNTAX Unsigned32 (1..4294967295)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+	        "The MaxTransmitMSDULifetime shall be the elapsed time in TU,
+	        after the initial transmission of an MSDU, after which further
+	        attempts to transmit the MSDU shall be terminated. The default
+	        value of this attribute shall be 512."
+    ::= { dot11OperationEntry 6 }
+
+dot11MaxReceiveLifetime OBJECT-TYPE
+        SYNTAX Unsigned32 (1..4294967295)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The MaxReceiveLifetime shall be the elapsed time in TU,
+            after the initial reception of a fragmented MMPDU or MSDU,
+            after which further attempts to reassemble the MMPDU or
+            MSDU shall be terminated. The default value shall be
+            512."
+    ::= { dot11OperationEntry 7 }
+
+dot11ManufacturerID OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(0..128))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The ManufacturerID shall include, at a minimum, the name
+            of the manufacturer.  It may include additional
+            information at the manufacturer's discretion.  The default
+            value of this attribute shall be null."
+    ::= { dot11OperationEntry 8 }
+
+dot11ProductID OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(0..128))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The ProductID shall include, at a minimum, an identifier
+            that is unique to the manufacturer.  It may include
+            additional information at the manufacturer's discretion.
+            The default value of this attribute shall be null."
+    ::= { dot11OperationEntry 9 }
+
+-- **********************************************************************
+-- *    End of dot11OperationEntry  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11Counters TABLE
+-- **********************************************************************
+
+dot11CountersTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11CountersEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group containing attributes that are MAC counters.
+            Implemented as a table to allow for multiple
+            instantiations on an agent."
+    ::= { dot11mac 2 }
+
+dot11CountersEntry OBJECT-TYPE
+        SYNTAX Dot11CountersEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11CountersEntry Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11CountersTable 1 }
+
+Dot11CountersEntry ::= 
+        SEQUENCE {	dot11TransmittedFragmentCount       Counter32,
+            		dot11MulticastTransmittedFrameCount Counter32,
+            		dot11FailedCount                    Counter32,
+            		dot11RetryCount                     Counter32,
+            		dot11MultipleRetryCount             Counter32,
+            		dot11FrameDuplicateCount            Counter32,
+            		dot11RTSSuccessCount                Counter32,
+            		dot11RTSFailureCount                Counter32,
+            		dot11ACKFailureCount                Counter32,
+            		dot11ReceivedFragmentCount          Counter32,
+            		dot11MulticastReceivedFrameCount    Counter32,
+            		dot11FCSErrorCount                  Counter32,
+		    		dot11TransmittedFrameCount          Counter32,
+		    		dot11WEPUndecryptableCount          Counter32 }
+
+dot11TransmittedFragmentCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall be incremented for an acknowledged MPDU
+            with an individual address in the address 1 field or an MPDU
+            with a multicast address in the address 1 field of type Data
+            or Management."
+    ::= { dot11CountersEntry 1 }
+
+dot11MulticastTransmittedFrameCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment only when the multicast bit
+            is set in the destination MAC address of a successfully
+            transmitted MSDU.  When operating as a STA in an ESS, where
+            these frames are directed to the AP, this implies having
+            received an acknowledgment to all associated MPDUs."
+    ::= { dot11CountersEntry 2 }
+
+dot11FailedCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This counter shall increment when an MSDU is not transmitted
+	        successfully due to the number of transmit attempts exceeding
+	        either the  dot11ShortRetryLimit or dot11LongRetryLimit."
+    ::= { dot11CountersEntry 3 }
+
+dot11RetryCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when an MSDU is successfully
+            transmitted after one or more retransmissions."
+    ::= { dot11CountersEntry 4 }
+
+dot11MultipleRetryCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when an MSDU is successfully
+            transmitted after more than one retransmission."
+    ::= { dot11CountersEntry 5 }
+
+dot11FrameDuplicateCount  OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when a frame is received
+            that the Sequence Control field indicates is a
+            duplicate."
+    ::= { dot11CountersEntry 6 }
+
+dot11RTSSuccessCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when a CTS is received in
+            response to an RTS."
+    ::= {  dot11CountersEntry 7 }
+
+dot11RTSFailureCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This counter shall increment when a CTS is not received in
+	        response to an RTS."
+    ::= { dot11CountersEntry 8 }
+
+dot11ACKFailureCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when an ACK is not received
+            when expected."
+    ::= {  dot11CountersEntry 9 }
+
+dot11ReceivedFragmentCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall be incremented for each successfully
+            received MPDU of type Data or Management."
+    ::= { dot11CountersEntry 10 }
+
+dot11MulticastReceivedFrameCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when a MSDU is received
+            with the multicast bit set in the destination
+            MAC address."
+    ::= { dot11CountersEntry 11 }
+
+dot11FCSErrorCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "This counter shall increment when an FCS error is
+            detected in a received MPDU."
+    ::= { dot11CountersEntry 12 }
+
+dot11TransmittedFrameCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+			"This counter shall increment for each successfully transmitted MSDU."
+    ::= { dot11CountersEntry 13 }
+
+dot11WEPUndecryptableCount OBJECT-TYPE
+        SYNTAX Counter32
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This counter shall increment when a frame is received with
+	        the WEP subfield of the Frame Control field set to one and the
+	        WEPOn value for the key mapped to the TA's MAC address
+	        indicates that the frame should not have been encrypted or
+	        that frame is discarded due to the receiving STA not
+	        implementing the privacy option."
+    ::= { dot11CountersEntry 14 }
+
+-- **********************************************************************
+-- *    End of dot11CountersEntry  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    GroupAddresses  TABLE
+-- **********************************************************************
+
+dot11GroupAddressesTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11GroupAddressesEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "A conceptual table containing a set of MAC addresses
+            identifying the multicast addresses for which this STA
+            will receive frames.  The default value of this attribute
+            shall be null."
+    ::= { dot11mac 3 }
+
+dot11GroupAddressesEntry OBJECT-TYPE
+        SYNTAX Dot11GroupAddressesEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the Group Addresses Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11GroupAddressesIndex}
+    ::= { dot11GroupAddressesTable  1 }
+
+Dot11GroupAddressesEntry ::= 
+        SEQUENCE {	dot11GroupAddressesIndex    Integer32,
+            		dot11Address                MacAddress,
+            		dot11GroupAddressesStatus   RowStatus }
+
+dot11GroupAddressesIndex OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The auxiliary variable used to identify instances
+            of the columnar objects in the Group Addresses Table."
+    ::= { dot11GroupAddressesEntry 1 }
+
+dot11Address OBJECT-TYPE
+        SYNTAX MacAddress
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "MAC address identifying a multicast addresses
+            from which this STA will receive frames."
+    ::= { dot11GroupAddressesEntry 2 }
+
+dot11GroupAddressesStatus OBJECT-TYPE
+        SYNTAX RowStatus
+        MAX-ACCESS read-create
+        STATUS current
+        DESCRIPTION
+            "The status column used for creating, modifying, and
+            deleting instances of the columnar objects in the Group
+            Addresses Table."
+        DEFVAL { active }
+    ::= { dot11GroupAddressesEntry 3 }
+
+-- **********************************************************************
+-- *    End of GroupAddress  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    Resource Type Attribute Templates
+-- **********************************************************************
+
+dot11ResourceTypeIDName OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(4))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "Contains the name of the Resource Type ID managed object.
+            The attribute is read-only and always contains the value
+            RTID.  This attribute value shall not be used as a naming
+            attribute for any other managed object class."
+        REFERENCE "IEEE Std 802.1F-1993,  A.7"
+        DEFVAL { "RTID" }
+    ::= { dot11resAttribute 1 }
+
+-- **********************************************************************
+-- *    dot11ResourceInfo  TABLE
+-- **********************************************************************
+
+dot11ResourceInfoTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11ResourceInfoEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Provides a means of indicating, in data readable from a
+            managed object, information that identifies the source of
+            the implementation."
+        REFERENCE "IEEE Std 802.1F-1993,  A.7"
+    ::= { dot11resAttribute 2 }
+
+dot11ResourceInfoEntry OBJECT-TYPE
+        SYNTAX Dot11ResourceInfoEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11ResourceInfo Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11ResourceInfoTable 1 }
+
+Dot11ResourceInfoEntry ::= 
+        SEQUENCE {	dot11manufacturerOUI             OCTET STRING,
+            		dot11manufacturerName            DisplayString,
+            		dot11manufacturerProductName     DisplayString,
+            		dot11manufacturerProductVersion  DisplayString }
+
+dot11manufacturerOUI OBJECT-TYPE
+        SYNTAX OCTET STRING (SIZE(3))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "Takes the value of an organizationally unique identifier."
+    ::= { dot11ResourceInfoEntry 1 }
+
+dot11manufacturerName OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(0..128))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "A printable string used to identify the manufacturer of the
+            resource.  Maximum string length is 128 octets."
+    ::= { dot11ResourceInfoEntry 2 }
+
+dot11manufacturerProductName OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(0..128))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "A printable string used to identify the manufacturer's product
+            name of the resource.  Maximum string length is 128 octets."
+    ::= { dot11ResourceInfoEntry 3 }
+
+dot11manufacturerProductVersion OBJECT-TYPE
+        SYNTAX DisplayString (SIZE(0..128))
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "Printable string used to identify the manufacturer's product
+            version of the resource.  Maximum string length is 128 octets."
+    ::= { dot11ResourceInfoEntry 4 }
+
+-- **********************************************************************
+-- *    End of dot11ResourceInfo  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *   PHY Attribute Templates
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyOperation  TABLE
+-- **********************************************************************
+
+dot11PhyOperationTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyOperationEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+	        "PHY level attributes concerned with
+	        operation.  Implemented as a table indexed on
+
+	        ifIndex to allow for multiple instantiations on an
+	        Agent."
+    ::= { dot11phy 1 }
+
+dot11PhyOperationEntry OBJECT-TYPE
+        SYNTAX Dot11PhyOperationEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyOperation Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyOperationTable 1 }
+
+Dot11PhyOperationEntry ::= 
+        SEQUENCE {	dot11PHYType            INTEGER,
+            		dot11CurrentRegDomain   Integer32,
+            		dot11TempType           INTEGER }
+
+dot11PHYType OBJECT-TYPE
+        SYNTAX INTEGER { fhss(1), dsss(2), irbaseband(3), ofdm(4),
+			             hrdsss(5) }
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This is an 8-bit integer value that identifies the PHY type
+	        supported by the attached PLCP and PMD. Currently defined
+	        values and their corresponding PHY types are:
+	
+	        FHSS 2.4 GHz = 01 , DSSS 2.4 GHz = 02, IR Baseband = 03,
+			OFDM 5GHz = 04, HRDSSS = 05"
+    ::= { dot11PhyOperationEntry 1 }
+
+dot11CurrentRegDomain OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current regulatory domain this instance of the PMD is
+            supporting.  This object corresponds to one of the
+            RegDomains listed in dot11RegDomainsSupported."
+    ::= { dot11PhyOperationEntry 2 }
+
+dot11TempType OBJECT-TYPE
+        SYNTAX INTEGER { tempType1(1), tempType2(2) }
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "There are different operating temperature requirements
+	        dependent on the anticipated environmental conditions. This
+	        attribute describes the current PHY's operating temperature
+	        range capability. Currently defined values and their
+	        corresponding temperature ranges are:
+
+	        Type 1 = X'01'-Commercial range of 0 to 40 degrees C,
+
+	        Type 2 = X'02'-Industrial range of -30 to 70 degrees C."
+    ::= { dot11PhyOperationEntry 3 }
+
+-- **********************************************************************
+-- *    End of dot11PhyOperation  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyAntenna  TABLE
+-- **********************************************************************
+
+dot11PhyAntennaTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyAntennaEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group of attributes for PhyAntenna.  Implemented as a
+            table indexed on ifIndex to allow for multiple instances on
+            an agent."
+    ::= { dot11phy 2}
+
+dot11PhyAntennaEntry OBJECT-TYPE
+        SYNTAX Dot11PhyAntennaEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyAntenna Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyAntennaTable 1 }
+
+Dot11PhyAntennaEntry ::= 
+        SEQUENCE {	dot11CurrentTxAntenna  Integer32,
+             		dot11DiversitySupport  INTEGER,
+	     			dot11CurrentRxAntenna  Integer32 }
+
+dot11CurrentTxAntenna OBJECT-TYPE
+        SYNTAX Integer32 (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current antenna being used to transmit.  This value
+	        is one of the values appearing in dot11SupportedTxAntenna. This 
+	        may be used by a management agent to control which antenna is 
+	        used for transmission. "
+    ::= { dot11PhyAntennaEntry 1 }
+
+dot11DiversitySupport OBJECT-TYPE
+        SYNTAX INTEGER { fixedlist(1), notsupported(2), dynamic(3) }
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+	        "This implementation's support for diversity, encoded as:
+
+	        X'01'-diversity is available and is performed over the fixed
+	            list of antennas defined in dot11DiversitySelectionRx.
+
+	        X'02'-diversity is not supported.
+
+	        X'03'-diversity is supported and control of diversity is also
+	            available, in which case the attribute 
+	            dot11DiversitySelectionRx can be dynamically modified by the
+	            LME."
+    ::= { dot11PhyAntennaEntry 2 }
+
+dot11CurrentRxAntenna OBJECT-TYPE
+        SYNTAX Integer32 (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+			"The current antenna being used to receive, if the dot11 
+			DiversitySupport indicates that diversity is not supported.  
+			The selected antenna shall be one of the antennae marked 
+			for receive in the dot11AntennasListTable."
+    ::= { dot11PhyAntennaEntry 3 }
+
+-- **********************************************************************
+-- *    End of dot11PhyAntenna  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyTxPower  TABLE
+-- **********************************************************************
+
+dot11PhyTxPowerTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyTxPowerEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group of attributes for dot11PhyTxPowerTable.  Implemented
+            as a table indexed on STA ID to allow for multiple
+            instances on an Agent."
+    ::= { dot11phy 3}
+
+dot11PhyTxPowerEntry OBJECT-TYPE
+        SYNTAX Dot11PhyTxPowerEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyTxPower Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyTxPowerTable 1 }
+
+Dot11PhyTxPowerEntry ::= 
+        SEQUENCE {	dot11NumberSupportedPowerLevels  INTEGER,
+            		dot11TxPowerLevel1               INTEGER,
+            		dot11TxPowerLevel2               INTEGER,
+            		dot11TxPowerLevel3               INTEGER,
+            		dot11TxPowerLevel4               INTEGER,
+            		dot11TxPowerLevel5               INTEGER,
+            		dot11TxPowerLevel6               INTEGER,
+            		dot11TxPowerLevel7               INTEGER,
+            		dot11TxPowerLevel8               INTEGER,
+            		dot11CurrentTxPowerLevel         INTEGER }
+
+dot11NumberSupportedPowerLevels OBJECT-TYPE
+        SYNTAX INTEGER (1..8)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The number of power levels supported by the PMD.
+            This attribute can have a value of 1 to 8."
+    ::= { dot11PhyTxPowerEntry 1 }
+
+dot11TxPowerLevel1 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL1 in mW.
+            This is also the default power level."
+    ::= { dot11PhyTxPowerEntry 2 }
+
+dot11TxPowerLevel2 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL2 in mW."
+    ::= { dot11PhyTxPowerEntry 3 }
+
+dot11TxPowerLevel3 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL3 in mW."
+    ::= { dot11PhyTxPowerEntry 4 }
+
+dot11TxPowerLevel4 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL4 in mW."
+    ::= { dot11PhyTxPowerEntry 5 }
+
+dot11TxPowerLevel5 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL5 in mW."
+    ::= { dot11PhyTxPowerEntry 6 }
+
+dot11TxPowerLevel6 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL6 in mW."
+    ::= { dot11PhyTxPowerEntry 7 }
+
+dot11TxPowerLevel7 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL7 in mW."
+    ::= { dot11PhyTxPowerEntry 8 }
+
+dot11TxPowerLevel8 OBJECT-TYPE
+        SYNTAX INTEGER (0..10000)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The transmit output power for LEVEL8 in mW."
+    ::= { dot11PhyTxPowerEntry 9 }
+
+dot11CurrentTxPowerLevel OBJECT-TYPE
+        SYNTAX INTEGER (1..8)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The TxPowerLevel N currently being used to transmit data.
+            Some PHYs also use this value to determine the receiver
+            sensitivity requirements for CCA."
+    ::= { dot11PhyTxPowerEntry 10 }
+
+-- **********************************************************************
+-- *    End of dot11PhyTxPower  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyFHSS  TABLE
+-- **********************************************************************
+
+dot11PhyFHSSTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyFHSSEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group of attributes for dot11PhyFHSSTable.  Implemented as a
+            table indexed on STA ID to allow for multiple instances on
+            an Agent."
+    ::= { dot11phy 4 }
+
+dot11PhyFHSSEntry OBJECT-TYPE
+        SYNTAX Dot11PhyFHSSEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyFHSS Table.
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyFHSSTable 1 }
+
+Dot11PhyFHSSEntry ::= 
+        SEQUENCE {	dot11HopTime   				INTEGER,
+             		dot11CurrentChannelNumber  		INTEGER,
+             		dot11MaxDwellTime  			INTEGER,
+             		dot11CurrentDwellTime  			INTEGER,
+             		dot11CurrentSet    			INTEGER,
+             		dot11CurrentPattern    			INTEGER,
+             		dot11CurrentIndex  			INTEGER,
+ 			dot11EHCCPrimeRadix			Integer32, 
+			dot11EHCCNumberofChannelsFamilyIndex	Integer32,
+			dot11EHCCCapabilityImplemented		TruthValue, 
+			dot11EHCCCapabilityEnabled		TruthValue,
+			dot11HopAlgorithmAdopted		INTEGER,
+			dot11RandomTableFlag			TruthValue,
+			dot11NumberofHoppingSets		Integer32,
+			dot11HopModulus				Integer32,
+			dot11HopOffset				Integer32 }
+
+dot11HopTime OBJECT-TYPE
+        SYNTAX INTEGER (224)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The time in microseconds for the PMD to change from
+            channel 2 to channel 80."
+    ::= { dot11PhyFHSSEntry 1 }
+
+dot11CurrentChannelNumber OBJECT-TYPE
+        SYNTAX INTEGER (0..200)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+        	"The current channel number of the frequency output by the RF
+        	synthesizer."
+    ::= { dot11PhyFHSSEntry 2 }
+
+dot11MaxDwellTime OBJECT-TYPE
+        SYNTAX INTEGER (1..65535)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The maximum time in TU that the transmitter
+            is permitted to operate on a single channel."
+    ::= { dot11PhyFHSSEntry 3 }
+
+dot11CurrentDwellTime OBJECT-TYPE
+        SYNTAX INTEGER (1..65535)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current time in TU that the transmitter shall operate
+            on a single channel, as set by the MAC.  Default is 19 TU."
+    ::= { dot11PhyFHSSEntry 4 }
+
+dot11CurrentSet OBJECT-TYPE
+        SYNTAX INTEGER (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current set of patterns the PLME 
+	    is using to determine the hopping sequence. "
+    ::= { dot11PhyFHSSEntry 5 }
+
+dot11CurrentPattern OBJECT-TYPE
+        SYNTAX INTEGER (0..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current pattern the PLME is
+            using to determine the hop sequence."
+    ::= { dot11PhyFHSSEntry 6 }
+
+dot11CurrentIndex OBJECT-TYPE
+        SYNTAX INTEGER (1..255)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current index value the PLME is using to determine
+            the CurrentChannelNumber."
+    ::= { dot11PhyFHSSEntry 7 }
+
+dot11EHCCPrimeRadix OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute indicates the value to be 
+			used as the prime radix (N) in the HCC and 
+			EHCC algorithms."
+    ::= { dot11PhyFHSSEntry 8 }
+
+dot11EHCCNumberofChannelsFamilyIndex OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute indicates the value to be 
+			used as the maximum for the family index (a) 
+			in the HCC and EHCC algorithms. The value of 
+			this field shall not be less than the prime 
+			radix minus 3 (N - 3). The valid range of 
+			allowed values is (N - 1), (N - 2), and (N - 3)."
+    ::= { dot11PhyFHSSEntry 9 }
+
+dot11EHCCCapabilityImplemented OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, when TRUE, indicates that the 
+			station implementation is capable of generating 
+			the HCC or EHCC algorithms for determining Hopping 
+			patterns.  The capability is disabled, otherwise.  
+			The default value of this attribute is FALSE."
+    ::= { dot11PhyFHSSEntry 10 }
+
+dot11EHCCCapabilityEnabled OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, when TRUE, indicates that the 
+			capability of the station to operate using the HCC 
+			or EHCC algorithms for determining Hopping Patterns 
+			is enabled.  The capability is disabled, otherwise.  
+			The default value of this attribute is FALSE."
+    ::= { dot11PhyFHSSEntry 11 }
+
+dot11HopAlgorithmAdopted OBJECT-TYPE
+		SYNTAX INTEGER { crnt(1), hopindex(2), hcc(3) }
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, indicates which of the algorithms 
+			will be used to generate the Hopping Patterns. 
+			Valid values are: 
+	
+			1 - hopping patterns as defined in clause 14 
+			2 - hop index method (with or without table)
+			3 - HCC/EHCC method"
+    ::= { dot11PhyFHSSEntry 12 }
+
+dot11RandomTableFlag OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute, indicates that a Random Table is 
+			present when the value is True. When the value is 
+			False it indicates that a Random Table is not 
+			present and that the hop index method is to be 
+			used to determine the hopping sequence. The default 
+			value of this attribute is True."
+    ::= { dot11PhyFHSSEntry 13 }
+
+dot11NumberofHoppingSets OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"The Number of Sets field indicates the total 
+			number of sets within the hopping patterns."
+    ::= { dot11PhyFHSSEntry 14 }
+
+dot11HopModulus OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"The number of allowed channels for the hopping 
+			set. This is defined by the governing regulatory 
+			agency for the country code of the country 
+			in which this device is operating."
+    ::= { dot11PhyFHSSEntry 15 }
+
+dot11HopOffset OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"The next position in the hopping set."
+    ::= { dot11PhyFHSSEntry 16 }
+
+-- **********************************************************************
+-- *    End of dot11PhyFHSS  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyDSSSEntry  TABLE
+-- **********************************************************************
+
+dot11PhyDSSSTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyDSSSEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Entry of attributes for dot11PhyDSSSEntry.  Implemented as a
+            table indexed on ifIndex allow for multiple instances on
+            an Agent."
+    ::= { dot11phy 5 }
+
+dot11PhyDSSSEntry OBJECT-TYPE
+        SYNTAX Dot11PhyDSSSEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyDSSSEntry Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyDSSSTable 1 }
+
+Dot11PhyDSSSEntry ::= 
+        SEQUENCE {	dot11CurrentChannel    INTEGER,
+             		dot11CCAModeSupported  INTEGER,
+             		dot11CurrentCCAMode    INTEGER,
+             		dot11EDThreshold       Integer32 }
+
+dot11CurrentChannel OBJECT-TYPE
+        SYNTAX INTEGER (1..14)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current operating frequency channel of the DSSS
+            PHY. Valid channel numbers are as defined in 15.4.6.2"
+    ::= { dot11PhyDSSSEntry 1 }
+
+dot11CCAModeSupported OBJECT-TYPE
+        SYNTAX INTEGER (1..7)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            	"dot11CCAModeSupported is a bit-significant value,
+	  	representing all of the CCA modes supported by the PHY.
+		Valid values are:
+
+            	   energy detect only (ED_ONLY) = 01,
+		   carrier sense only (CS_ONLY) = 02,
+		   carrier sense and energy detect (ED_and_CS)= 04
+		   or the logical sum of any of these values.  This
+		   attribute shall not be used to indicate the CCA modes
+		   supported by a higher rate extension PHY.  Rather, the
+		   dot11HRCCAModeSupported attribute shall be used to
+		   indicate the CCA modes of the higher rate extension PHY."
+    ::= { dot11PhyDSSSEntry 2 }
+
+dot11CurrentCCAMode OBJECT-TYPE
+        SYNTAX INTEGER { edonly(1), csonly(2), edandcs(4), cswithtimer(8),
+			             hrcsanded(16) }
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current CCA method in operation.   Valid values are:
+                energy detect only (edonly) = 01,
+                carrier sense only (csonly) = 02,
+                carrier sense and energy detect (edandcs)= 04
+                carrier sense with timer (cswithtimer)= 08
+                high rate carrier sense and energy detect (hrcsanded)=16."
+    ::= { dot11PhyDSSSEntry 3 }
+
+dot11EDThreshold OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The current Energy Detect Threshold being used by the DSSS PHY."
+    ::= { dot11PhyDSSSEntry 4 }
+
+-- **********************************************************************
+-- *    End of dot11PhyDSSSEntry  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11PhyIR  TABLE
+-- **********************************************************************
+
+dot11PhyIRTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyIREntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group of attributes for dot11PhyIRTable.  Implemented as a
+            table indexed on ifIndex to allow for multiple instances on
+            an Agent."
+    ::= { dot11phy 6 }
+
+dot11PhyIREntry OBJECT-TYPE
+        SYNTAX Dot11PhyIREntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyIR Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyIRTable 1 }
+
+Dot11PhyIREntry ::= 
+        SEQUENCE {	dot11CCAWatchdogTimerMax       Integer32,
+             		dot11CCAWatchdogCountMax       Integer32,
+             		dot11CCAWatchdogTimerMin       Integer32,
+             		dot11CCAWatchdogCountMin       Integer32 }
+
+dot11CCAWatchdogTimerMax OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "This parameter, together with CCAWatchdogCountMax,
+            determines when energy detected in the channel can be
+            ignored."
+    ::= { dot11PhyIREntry 1 }
+
+dot11CCAWatchdogCountMax OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "This parameter, together with CCAWatchdogTimerMax,
+            determines when energy detected in the channel can be
+            ignored."
+    ::= { dot11PhyIREntry 2 }
+
+dot11CCAWatchdogTimerMin OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The minimum value to which CCAWatchdogTimerMax can be
+            set."
+    ::= { dot11PhyIREntry 3 }
+
+dot11CCAWatchdogCountMin OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The minimum value to which CCAWatchdogCount can be set."
+    ::= { dot11PhyIREntry 4 }
+
+-- **********************************************************************
+-- *    End of dot11PhyIR  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11RegDomainsSupported  TABLE
+-- **********************************************************************
+
+dot11RegDomainsSupportedTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11RegDomainsSupportedEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "There are different operational requirements dependent on
+            the regulatory domain.  This attribute list describes the
+            regulatory domains the PLCP and PMD support in this
+            implementation.  Currently defined values and their
+            corresponding Regulatory Domains are:
+
+            FCC (USA) = X'10', DOC (Canada) = X'20', ETSI (most of
+            Europe) = X'30', Spain = X'31', France = X'32', MKK
+            (Japan) = X'40', Others = X'00' "
+    ::= { dot11phy 7}
+
+dot11RegDomainsSupportedEntry OBJECT-TYPE
+        SYNTAX Dot11RegDomainsSupportedEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11RegDomainsSupportedTable.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11RegDomainsSupportedIndex }
+    ::= { dot11RegDomainsSupportedTable 1 }
+
+Dot11RegDomainsSupportedEntry ::= 
+        SEQUENCE {	dot11RegDomainsSupportedIndex    Integer32,
+             		dot11RegDomainsSupportedValue    INTEGER }
+
+dot11RegDomainsSupportedIndex OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The auxiliary variable used to identify instances
+            of the columnar objects in the RegDomainsSupport Table."
+    ::= { dot11RegDomainsSupportedEntry 1 }
+
+dot11RegDomainsSupportedValue OBJECT-TYPE
+        SYNTAX INTEGER { fcc(16), doc(32), etsi(48), spain (49), france(50), 
+                         mkk (64) }
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "There are different operational requirements dependent on
+            the regulatory domain.  This attribute list describes the
+            regulatory domains the PLCP and PMD support in this
+            implementation.  Currently defined values and their
+            corresponding Regulatory Domains are:
+
+            FCC (USA) = X'10', DOC (Canada) = X'20', ETSI (most of
+            Europe) = X'30', Spain = X'31', France = X'32', MKK
+            (Japan) = X'40' "
+    ::= { dot11RegDomainsSupportedEntry 2 }
+
+-- **********************************************************************
+-- *    End of dot11RegDomainsSupported  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    dot11AntennasList  TABLE
+-- **********************************************************************
+
+dot11AntennasListTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11AntennasListEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+		"This table represents the list of antennae.  An antenna can be 
+		marked to be capable of transmitting, receiving, and/or for 
+		participation in receive diversity.  Each entry in this table 
+		represents a single antenna with its properties.  The maximum 
+		number of antennae that can be contained in this table is 255."
+    ::= { dot11phy 8 }
+
+dot11AntennasListEntry OBJECT-TYPE
+        SYNTAX Dot11AntennasListEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11AntennasListTable, representing the properties 
+            of a single antenna.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11AntennaListIndex }
+    ::= { dot11AntennasListTable 1 }
+
+Dot11AntennasListEntry ::= 
+        SEQUENCE {	dot11AntennaListIndex     Integer32,
+             		dot11SupportedTxAntenna   TruthValue,
+             		dot11SupportedRxAntenna   TruthValue,
+             		dot11DiversitySelectionRx TruthValue }
+
+dot11AntennaListIndex OBJECT-TYPE
+        SYNTAX Integer32 (1..255)
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The unique index of an antenna which is used to identify the columnar 
+            objects in the dot11AntennasList Table."
+    ::= { dot11AntennasListEntry 1 }
+
+dot11SupportedTxAntenna OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "When true, this object indicates that the antenna represented by 
+            dot11AntennaIndex can be used as a transmit antenna."
+    ::= { dot11AntennasListEntry 2 }
+
+dot11SupportedRxAntenna OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "When true, this object indicates that the antenna represented by the 
+            dot11AntennaIndex xan be used as a receive antenna."
+    ::= { dot11AntennasListEntry 3 }
+
+dot11DiversitySelectionRx OBJECT-TYPE
+        SYNTAX TruthValue
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "When true, this object indicates that the antenna represented by 
+            dot11AntennaIndex can be used for receive diversity.  This object 
+            may only be true if the antenna can be used as a receive antenna, 
+            as indicated by dot11SupportedRxAntenna."
+    ::= { dot11AntennasListEntry 4 }
+
+-- **********************************************************************
+-- *    End of dot11AntennasList  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    SupportedDataRatesTx  TABLE
+-- **********************************************************************
+
+dot11SupportedDataRatesTxTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11SupportedDataRatesTxEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The Transmit bit rates supported by the PLCP and PMD,
+            represented by a count from X'02-X'7f, corresponding to data
+            rates in increments of 500kbit/s from 1 Mbit/s to 63.5 Mbit/s subject
+            to limitations of each individual PHY."
+    ::= { dot11phy 9 }
+
+dot11SupportedDataRatesTxEntry OBJECT-TYPE
+        SYNTAX Dot11SupportedDataRatesTxEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the dot11SupportedDataRatesTx
+            Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11SupportedDataRatesTxIndex }
+    ::= { dot11SupportedDataRatesTxTable  1 }
+
+Dot11SupportedDataRatesTxEntry ::= 
+        SEQUENCE {	dot11SupportedDataRatesTxIndex  Integer32,
+            		dot11SupportedDataRatesTxValue  Integer32 }
+
+dot11SupportedDataRatesTxIndex OBJECT-TYPE
+        SYNTAX Integer32 (1..8)
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Index object which identifies which data rate to access.
+            Range is 1..8."
+    ::= { dot11SupportedDataRatesTxEntry 1 }
+
+dot11SupportedDataRatesTxValue OBJECT-TYPE
+        SYNTAX Integer32 (2..127)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The Transmit bit rates supported by the PLCP and PMD,
+            represented by a count from X'02-X'7f, corresponding to data
+            rates in increments of 500kbit/s from 1 Mbit/s to 63.5 Mbit/s subject
+            to limitations of each individual PHY."
+    ::= { dot11SupportedDataRatesTxEntry 2 }
+
+-- **********************************************************************
+-- *    End of dot11SupportedDataRatesTx  TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *    SupportedDataRatesRx  TABLE
+-- **********************************************************************
+
+dot11SupportedDataRatesRxTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11SupportedDataRatesRxEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "The receive bit rates supported by the PLCP and PMD,
+            represented by a count from X'002-X'7f, corresponding to data
+            rates in increments of 500kbit/s from 1 Mbit/s to 63.5 Mbit/s."
+    ::= { dot11phy 10 }
+
+dot11SupportedDataRatesRxEntry OBJECT-TYPE
+        SYNTAX Dot11SupportedDataRatesRxEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An Entry (conceptual row) in the dot11SupportedDataRatesRx Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry.  Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex, 
+                dot11SupportedDataRatesRxIndex }
+    ::= { dot11SupportedDataRatesRxTable  1 }
+
+Dot11SupportedDataRatesRxEntry ::= 
+        SEQUENCE {	dot11SupportedDataRatesRxIndex  Integer32,
+            		dot11SupportedDataRatesRxValue  Integer32 }
+
+dot11SupportedDataRatesRxIndex OBJECT-TYPE
+        SYNTAX Integer32 (1..8)
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Index object which identifies which data rate to access.
+            Range is 1..8."
+    ::= { dot11SupportedDataRatesRxEntry 1 }
+
+dot11SupportedDataRatesRxValue OBJECT-TYPE
+        SYNTAX Integer32 (2..127)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The receive bit rates supported by the PLCP and PMD,
+            represented by a count from X'02-X'7f, corresponding to data
+            rates in increments of 500kbit/s from 1 Mbit/s to 63.5 Mbit/s."
+    ::= { dot11SupportedDataRatesRxEntry 2 }
+
+-- **********************************************************************
+-- *    End of dot11SupportedDataRatesRx  TABLE
+-- **********************************************************************
+
+--**********************************************************************
+-- * dot11PhyOFDM TABLE
+--**********************************************************************
+
+dot11PhyOFDMTable OBJECT-TYPE
+        SYNTAX SEQUENCE OF Dot11PhyOFDMEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "Group of attributes for dot11PhyOFDMTable. Implemented as a
+            table indexed on ifindex to allow for multiple instances on
+            an Agent."
+    ::= { dot11phy 11 }
+
+dot11PhyOFDMEntry OBJECT-TYPE
+        SYNTAX Dot11PhyOFDMEntry
+        MAX-ACCESS not-accessible
+        STATUS current
+        DESCRIPTION
+            "An entry in the dot11PhyOFDM Table.
+
+            ifIndex - Each IEEE 802.11 interface is represented by an
+            ifEntry. Interface tables in this MIB module are indexed
+            by ifIndex."
+        INDEX { ifIndex }
+    ::= { dot11PhyOFDMTable 1 }
+
+Dot11PhyOFDMEntry ::= 
+        SEQUENCE {	dot11CurrentFrequency        INTEGER,
+            		dot11TIThreshold             Integer32,
+            		dot11FrequencyBandsSupported INTEGER }
+
+dot11CurrentFrequency OBJECT-TYPE
+        SYNTAX INTEGER (0..99)
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The number of the current operating frequency channel of the OFDM PHY."
+    ::= { dot11PhyOFDMEntry 1 }
+
+dot11TIThreshold OBJECT-TYPE
+        SYNTAX Integer32
+        MAX-ACCESS read-write
+        STATUS current
+        DESCRIPTION
+            "The Threshold being used to detect a busy medium (frequency).
+            CCA shall report a busy medium upon detecting the RSSI above 
+	    this threshold."
+    ::= { dot11PhyOFDMEntry 2 }
+
+dot11FrequencyBandsSupported OBJECT-TYPE
+        SYNTAX INTEGER (1..7)
+        MAX-ACCESS read-only
+        STATUS current
+        DESCRIPTION
+            "The capability of the OFDM PHY implementation to operate in 
+	    the three U-NII bands. Coded as an integer value of a three 
+	    bit field as follows:
+                bit 0 .. capable of operating in the lower (5.15-5.25 GHz)
+		U-NII band
+                bit 1 .. capable of operating in the middle (5.25-5.35 GHz) 
+		U-NII band
+                bit 2 .. capable of operating in the upper (5.725-5.825 GHz) 
+		U-NII band
+            For example, for an implementation capable of operating in the 
+	    lower and mid bands this attribute would take the value 3."
+    ::= { dot11PhyOFDMEntry 3 }
+
+-- **********************************************************************
+-- * End of dot11PhyOFDM TABLE
+-- **********************************************************************
+
+-- **********************************************************************
+-- *	dot11PhyHRDSSSEntry TABLE
+-- **********************************************************************
+
+dot11PhyHRDSSSTable OBJECT-TYPE
+		SYNTAX SEQUENCE OF Dot11PhyHRDSSSEntry
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"Entry of attributes for dot11PhyHRDSSSEntry.
+			Implemented as a table indexed on ifIndex to allow for
+			multiple instances on an Agent."
+    ::= { dot11phy 12 }
+
+dot11PhyHRDSSSEntry OBJECT-TYPE
+		SYNTAX Dot11PhyHRDSSSEntry
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"An entry in the dot11PhyHRDSSSEntry Table.
+
+			ifIndex - Each IEEE 802.11 interface is represented by an
+			ifEntry. Interface tables in this MIB module are indexed
+			by ifIndex."
+	INDEX { ifIndex }
+    ::= { dot11PhyHRDSSSTable 1 }
+
+Dot11PhyHRDSSSEntry ::= 
+        SEQUENCE {	dot11ShortPreambleOptionImplemented	TruthValue,
+			dot11PBCCOptionImplemented		TruthValue,
+			dot11ChannelAgilityPresent 		TruthValue,
+			dot11ChannelAgilityEnabled 		TruthValue,
+			dot11HRCCAModeSupported			INTEGER }
+
+dot11ShortPreambleOptionImplemented OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute, when true, shall indicate that the
+			short preamble option as defined in subclause 18.2.2.2
+			is implemented.  The default value of this attribute
+			shall be false."
+    ::= {dot11PhyHRDSSSEntry 1 }
+
+dot11PBCCOptionImplemented OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute, when true, shall indicate that the PBCC
+			modulation option as defined in subclause 18.4.6.6 is
+			implemented.  The default value of this attribute shall
+			be false."
+    ::= {dot11PhyHRDSSSEntry 2 }
+
+dot11ChannelAgilityPresent OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute indicates that the PHY is capable of
+			channel agility."
+    ::= { dot11PhyHRDSSSEntry 3 }
+
+dot11ChannelAgilityEnabled OBJECT-TYPE
+		SYNTAX TruthValue
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"This attribute indicates that the PHY channel agility
+			functionality is enabled."
+    ::= { dot11PhyHRDSSSEntry 4 }
+
+dot11HRCCAModeSupported OBJECT-TYPE
+		SYNTAX INTEGER (1..31)
+		MAX-ACCESS read-only
+		STATUS current
+		DESCRIPTION
+			"dot11HRCCAModeSupported is a bit-significant value,
+			representing all of the CCA modes supported by the PHY.
+			Valid values are:
+			    energy detect only (ED_ONLY) = 01,
+			    carrier sense only (CS_ONLY) = 02,
+			    carrier sense and energy detect (ED_and_CS)= 04,
+			    carrier sense with timer (CS_and_Timer)= 08,
+			    high rate carrier sense and energy detect 
+			    (HRCS_and_ED)= 16
+			    or the logical sum of any of these values.  In 
+			    the high rate extension PHY, this attribute shall 
+			    be used in preference to the dot11CCAModeSupported 
+			    attribute."
+    ::= { dot11PhyHRDSSSEntry 5 }
+
+-- **********************************************************************
+-- * End of dot11PhyHRDSSSEntry TABLE
+-- **********************************************************************
+
+-- ********************************************************************
+-- * dot11 Hopping Pattern TABLE
+-- ********************************************************************
+
+dot11HoppingPatternTable OBJECT-TYPE
+		SYNTAX SEQUENCE OF Dot11HoppingPatternEntry
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"The (conceptual) table of attributes necessary for 
+			a frequency hopping implementation to be able to 
+			create the hopping sequences necessary to operate 
+			in the subband for the associated domain country string."
+		::= { dot11phy 13 }
+
+dot11HoppingPatternEntry OBJECT-TYPE
+		SYNTAX Dot11HoppingPatternEntry
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"An entry (conceptual row) in the Hopping Pattern Table 
+			that indicates the random hopping sequence to be followed. 
+
+			IfIndex - Each IEEE 802.11 interface is represented 
+			by an ifEntry. Interface tables in this MIB are indexed 
+			by ifIndex."
+		INDEX { ifIndex,
+				dot11HoppingPatternIndex }
+    ::= { dot11HoppingPatternTable 1 }
+
+Dot11HoppingPatternEntry ::=
+		SEQUENCE {	
+			dot11HoppingPatternIndex		Integer32,
+			dot11RandomTableFieldNumber		Integer32 }
+
+dot11HoppingPatternIndex OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS not-accessible
+		STATUS current
+		DESCRIPTION
+			"The auxiliary variable used to identify instances of 
+			the columnar objects in the Hopping Pattern Table."
+    ::= { dot11HoppingPatternEntry 1}
+
+dot11RandomTableFieldNumber OBJECT-TYPE
+		SYNTAX Integer32
+		MAX-ACCESS read-write
+		STATUS current
+		DESCRIPTION
+			"This attribute shall indicate the value of the 
+			starting channel number in the hopping sequence of 
+			the subband for the associated domain country string. 
+			The default value of this attribute shall be zero."
+    ::= { dot11HoppingPatternEntry 2}
+
+-- **********************************************************************
+-- * End of dot11 Hopping Pattern TABLE 
+--**********************************************************************
+
+-- **********************************************************************
+-- * Conformance Information
+-- **********************************************************************
+
+dot11Conformance  	OBJECT IDENTIFIER ::= { ieee802dot11 5 }
+dot11Groups  		OBJECT IDENTIFIER ::= { dot11Conformance 1 }
+dot11Compliances  	OBJECT IDENTIFIER ::= { dot11Conformance 2 }
+
+-- **********************************************************************
+-- * Compliance Statements
+-- **********************************************************************
+
+dot11Compliance MODULE-COMPLIANCE
+        STATUS  current
+        DESCRIPTION
+            "The compliance statement for SNMPv2 entities
+            that implement the IEEE 802.11 MIB."
+    	MODULE  -- this module
+    	MANDATORY-GROUPS {
+		dot11SMTbase2,
+        	dot11MACbase, dot11CountersGroup,
+        	dot11SmtAuthenticationAlgorithms, 
+        	dot11ResourceTypeID, dot11PhyOperationComplianceGroup }
+
+   GROUP dot11PhyDSSSComplianceGroup
+        DESCRIPTION
+        	"Implementation of this group is required when object
+            dot11PHYType has the value of dsss.  This group is
+            mutually exclusive with the groups dot11PhyIRComplianceGroup,
+            dot11PhyFHSSComplianceGroup, dot11PhyOFDMComplianceGroup
+	        and dot11PhyHRDSSSComplianceGroup."
+
+    GROUP dot11PhyIRComplianceGroup
+        DESCRIPTION
+            "Implementation of this group is required when object
+            dot11PHYType has the value of irbaseband.  This group is
+            mutually exclusive with the groups dot11PhyDSSSComplianceGroup,
+            dot11PhyFHSSComplianceGroup, dot11PhyOFDMComplianceGroup
+	        and dot11PhyHRDSSSComplianceGroup."
+
+    GROUP dot11PhyFHSSComplianceGroup
+        DESCRIPTION
+            "Implementation of this group is required when object
+            dot11PHYType has the value of fhss.  This group is
+            mutually exclusive with the groups dot11PhyDSSSComplianceGroup,
+            dot11PhyIRComplianceGroup, dot11PhyOFDMComplianceGroup
+	        and dot11PhyHRDSSSComplianceGroup."
+
+    GROUP dot11PhyOFDMComplianceGroup
+        DESCRIPTION
+            "Implementation of this group is required when object
+            dot11PHYType has the value of ofdm. This group is
+            mutually exclusive with the groups dot11PhyDSSSComplianceGroup,
+            dot11PhyIRComplianceGroup, dot11PhyFHSSComplianceGroup
+	        and dot11PhyHRDSSSComplianceGroup."
+
+    GROUP dot11PhyHRDSSSComplianceGroup
+	    DESCRIPTION
+	    "Implementation of this group is required when object
+	    dot11PHYType has the value of hrdsss. This group is
+	    mutually exclusive with the groups
+	    dot11PhyDSSSComplianceGroup, dot11PhyIRComplianceGroup,
+	    dot11PhyFHSSComplianceGroup and dot11PhyOFDMComplianceGroup."
+
+    -- OPTIONAL-GROUPS { dot11SMTprivacy, dot11MACStatistics,
+    --    dot11PhyAntennaComplianceGroup, dot11PhyTxPowerComplianceGroup, 
+    --    dot11PhyRegDomainsSupportGroup,
+    --    dot11PhyAntennasListGroup, dot11PhyRateGroup }
+
+    ::= { dot11Compliances 1 }
+
+-- **********************************************************************
+-- *   Groups - units of conformance
+-- **********************************************************************
+
+dot11SMTbase OBJECT-GROUP
+        OBJECTS {	dot11StationID, dot11MediumOccupancyLimit, 
+             		dot11CFPollable,
+             		dot11CFPPeriod,
+             		dot11CFPMaxDuration,
+             		dot11AuthenticationResponseTimeOut,
+				 	dot11PrivacyOptionImplemented,
+			     	dot11PowerManagementMode,
+		    	 	dot11DesiredSSID, dot11DesiredBSSType,
+		     		dot11OperationalRateSet,
+		     		dot11BeaconPeriod, dot11DTIMPeriod,
+		     		dot11AssociationResponseTimeOut }
+        STATUS deprecated
+        DESCRIPTION
+        	"The SMT object class provides the necessary support at the
+         	STA to manage the processes in the STA such that the STA may
+         	work cooperatively as a part of an IEEE 802.11 network."
+    ::= { dot11Groups 1 }
+
+dot11SMTprivacy OBJECT-GROUP
+        OBJECTS { 	dot11PrivacyInvoked, 
+			dot11WEPKeyMappingLength, dot11ExcludeUnencrypted,
+			dot11WEPICVErrorCount , dot11WEPExcludedCount ,
+			dot11WEPDefaultKeyID,
+                	dot11WEPDefaultKeyValue,
+	    	        dot11WEPKeyMappingWEPOn,
+                	dot11WEPKeyMappingValue , dot11WEPKeyMappingAddress,
+ 			dot11WEPKeyMappingStatus }
+        STATUS current
+        DESCRIPTION
+            "The SMTPrivacy package is a set of attributes that shall be
+            present if WEP is implemented in the STA."
+    ::= { dot11Groups 2 }
+
+dot11MACbase OBJECT-GROUP
+        OBJECTS {	dot11MACAddress, dot11Address,
+			dot11GroupAddressesStatus,
+			dot11RTSThreshold, dot11ShortRetryLimit,
+			dot11LongRetryLimit, dot11FragmentationThreshold,
+			dot11MaxTransmitMSDULifetime,
+			dot11MaxReceiveLifetime, dot11ManufacturerID,
+			dot11ProductID }
+        STATUS current
+        DESCRIPTION
+        	"The MAC object class provides the necessary support for the
+         	access control, generation, and verification of frame check
+         	sequences (FCSs), and proper delivery of valid data to upper
+         	layers."
+    ::= { dot11Groups 3 }
+
+dot11MACStatistics OBJECT-GROUP
+        OBJECTS { 	dot11RetryCount, dot11MultipleRetryCount,
+            		dot11RTSSuccessCount, dot11RTSFailureCount,
+            		dot11ACKFailureCount, dot11FrameDuplicateCount }
+        STATUS current
+        DESCRIPTION
+            "The MACStatistics package provides extended statistical
+            information on the operation of the MAC.  This 
+            package is completely optional."
+    ::= { dot11Groups 4 }
+
+dot11ResourceTypeID OBJECT-GROUP
+        OBJECTS {	dot11ResourceTypeIDName, dot11manufacturerOUI,
+            		dot11manufacturerName, dot11manufacturerProductName,
+            		dot11manufacturerProductVersion }
+        STATUS current
+        DESCRIPTION
+        	"Attributes used to identify a STA, its manufacturer,
+            and various product names and versions."
+    ::= { dot11Groups 5 }
+
+dot11SmtAuthenticationAlgorithms OBJECT-GROUP
+        OBJECTS {	dot11AuthenticationAlgorithm,
+                 	dot11AuthenticationAlgorithmsEnable }
+        STATUS current
+        DESCRIPTION
+        	"Authentication Algorithm Table."
+    ::= { dot11Groups 6 }
+
+dot11PhyOperationComplianceGroup OBJECT-GROUP
+        OBJECTS { 	dot11PHYType, dot11CurrentRegDomain, dot11TempType }
+        STATUS current
+        DESCRIPTION
+            "PHY layer operations attributes."
+    ::= { dot11Groups 7 }
+
+dot11PhyAntennaComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11CurrentTxAntenna, dot11DiversitySupport,
+               		dot11CurrentRxAntenna }
+        STATUS current
+        DESCRIPTION
+            "Attributes for Data Rates for IEEE 802.11."
+    ::= { dot11Groups 8 }
+
+dot11PhyTxPowerComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11NumberSupportedPowerLevels, dot11TxPowerLevel1,
+            		dot11TxPowerLevel2, dot11TxPowerLevel3, dot11TxPowerLevel4,
+            		dot11TxPowerLevel5, dot11TxPowerLevel6, dot11TxPowerLevel7,
+            		dot11TxPowerLevel8, dot11CurrentTxPowerLevel }
+        STATUS current
+        DESCRIPTION
+            "Attributes for Control and Management of transmit power."
+    ::= { dot11Groups 9 }
+
+dot11PhyFHSSComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11HopTime, dot11CurrentChannelNumber, dot11MaxDwellTime,
+            		dot11CurrentDwellTime, dot11CurrentSet, dot11CurrentPattern,
+            		dot11CurrentIndex}
+        STATUS current
+        DESCRIPTION
+            "Attributes that configure the Frequency Hopping for IEEE
+            802.11."
+    ::= { dot11Groups 10 }
+
+dot11PhyDSSSComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11CurrentChannel, dot11CCAModeSupported,
+            		dot11CurrentCCAMode, dot11EDThreshold}
+        STATUS current
+        DESCRIPTION
+            "Attributes that configure the DSSS for IEEE 802.11."
+    ::= { dot11Groups 11 }
+
+dot11PhyIRComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11CCAWatchdogTimerMax, dot11CCAWatchdogCountMax,
+       			dot11CCAWatchdogTimerMin, dot11CCAWatchdogCountMin}
+        STATUS current
+        DESCRIPTION
+            "Attributes that configure the baseband IR for IEEE 802.11."
+    ::= { dot11Groups 12 }
+
+dot11PhyRegDomainsSupportGroup OBJECT-GROUP
+        OBJECTS { dot11RegDomainsSupportedValue}
+        STATUS current
+        DESCRIPTION
+            "Attributes that specify the supported Regulation Domains."
+    ::= { dot11Groups 13}
+
+dot11PhyAntennasListGroup OBJECT-GROUP
+        OBJECTS { 	dot11SupportedTxAntenna,
+             		dot11SupportedRxAntenna, dot11DiversitySelectionRx }
+        STATUS current
+        DESCRIPTION
+            "Attributes that specify the supported Regulation Domains."
+    ::= { dot11Groups 14 }
+
+dot11PhyRateGroup OBJECT-GROUP
+        OBJECTS {	dot11SupportedDataRatesTxValue,
+            		dot11SupportedDataRatesRxValue }
+        STATUS current
+        DESCRIPTION
+            "Attributes for Data Rates for IEEE 802.11."
+    ::= { dot11Groups 15 }
+
+dot11CountersGroup OBJECT-GROUP
+        OBJECTS { 	dot11TransmittedFragmentCount,
+			dot11MulticastTransmittedFrameCount,
+			dot11FailedCount, dot11ReceivedFragmentCount,
+			dot11MulticastReceivedFrameCount,
+			dot11FCSErrorCount,
+		    	dot11WEPUndecryptableCount,
+	    		dot11TransmittedFrameCount }
+        STATUS current
+        DESCRIPTION
+            "Attributes from the dot11CountersGroup that are not described
+            in the dot11MACStatistics group.  These objects are
+            mandatory."
+    ::= { dot11Groups 16 }
+
+dot11NotificationGroup NOTIFICATION-GROUP
+		NOTIFICATIONS {	dot11Disassociate, 
+				dot11Deauthenticate,
+				dot11AuthenticateFail }
+		STATUS current
+		DESCRIPTION
+			"IEEE 802.11 notifications"
+	::= { dot11Groups 17 }
+
+dot11SMTbase2 OBJECT-GROUP
+        OBJECTS { 	dot11MediumOccupancyLimit, 
+             		dot11CFPollable,
+             		dot11CFPPeriod,
+             		dot11CFPMaxDuration,
+           		dot11AuthenticationResponseTimeOut,
+			dot11PrivacyOptionImplemented,
+		     	dot11PowerManagementMode,
+		     	dot11DesiredSSID, dot11DesiredBSSType,
+		 	dot11OperationalRateSet,
+			dot11BeaconPeriod, dot11DTIMPeriod,
+		 	dot11AssociationResponseTimeOut,
+			dot11DisassociateReason,
+             		dot11DisassociateStation,
+             		dot11DeauthenticateReason,
+             		dot11DeauthenticateStation,
+             		dot11AuthenticateFailStatus,
+             		dot11AuthenticateFailStation }
+        STATUS current
+        DESCRIPTION
+         	"The SMTbase2 object class provides the necessary support at the
+         	STA to manage the processes in the STA such that the STA may
+         	work cooperatively as a part of an IEEE 802.11 network."
+    ::= { dot11Groups 18 }
+
+dot11PhyOFDMComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11CurrentFrequency,
+                  	dot11TIThreshold,
+                  	dot11FrequencyBandsSupported }
+        STATUS current
+        DESCRIPTION
+            "Attributes that configure the OFDM for IEEE 802.11."
+    ::= { dot11Groups 19 }
+
+dot11SMTbase3 OBJECT-GROUP
+        OBJECTS { 	dot11MediumOccupancyLimit, 
+             		dot11CFPollable,
+             		dot11CFPPeriod,
+             		dot11CFPMaxDuration,
+             		dot11AuthenticationResponseTimeOut,
+		     	dot11PrivacyOptionImplemented,
+		     	dot11PowerManagementMode,
+		     	dot11DesiredSSID, dot11DesiredBSSType,
+		 	dot11OperationalRateSet,
+			dot11BeaconPeriod, dot11DTIMPeriod,
+			dot11AssociationResponseTimeOut,
+			dot11DisassociateReason,
+             		dot11DisassociateStation,
+             		dot11DeauthenticateReason,
+             		dot11DeauthenticateStation,
+             		dot11AuthenticateFailStatus,
+             		dot11AuthenticateFailStation, 
+       	     		dot11MultiDomainCapabilityImplemented,
+			dot11MultiDomainCapabilityEnabled, 
+			dot11CountryString }
+        STATUS current
+        DESCRIPTION
+		"The SMTbase3 object class provides the necessary support at the
+		STA to manage the processes in the STA such that the STA may
+		work cooperatively as a part of an IEEE 802.11 network, when the STA
+		is capable of multi-domain operation. This object group should be
+		implemented when the multi-domain capability option is implemented."    
+	::= { dot11Groups 20 }
+
+dot11MultiDomainCapabilityGroup OBJECT-GROUP
+	OBJECTS {	dot11FirstChannelNumber,
+			dot11NumberofChannels,
+			dot11MaximumTransmitPowerLevel }
+		STATUS current
+		DESCRIPTION
+			"The dot11MultiDomainCapabilityGroup object class provides 
+			the objects necessary to manage the channels usable by a STA, 
+			when the multi-domain capability option is implemented."    
+		::= { dot11Groups 21 }
+    
+dot11PhyFHSSComplianceGroup2 OBJECT-GROUP
+        OBJECTS {	dot11HopTime, dot11CurrentChannelNumber, dot11MaxDwellTime,
+            		dot11CurrentDwellTime, dot11CurrentSet, dot11CurrentPattern,
+            		dot11CurrentIndex, dot11EHCCPrimeRadix, 
+            		dot11EHCCNumberofChannelsFamilyIndex,
+            		dot11EHCCCapabilityImplemented, dot11EHCCCapabilityEnabled, 
+            		dot11HopAlgorithmAdopted, dot11RandomTableFlag, 
+            		dot11NumberofHoppingSets, dot11HopModulus, 
+            		dot11HopOffset, dot11RandomTableFieldNumber }
+        STATUS current
+        DESCRIPTION
+            "Attributes that configure the Frequency Hopping for IEEE
+            802.11 when multi-domain capability option is implemented."
+    ::= { dot11Groups 22 }
+
+dot11PhyHRDSSSComplianceGroup OBJECT-GROUP
+        OBJECTS {	dot11CurrentChannel, dot11CCAModeSupported,
+                	dot11CurrentCCAMode, dot11EDThreshold,
+                	dot11ShortPreambleOptionImplemented,
+                	dot11PBCCOptionImplemented, dot11ChannelAgilityPresent,
+                	dot11ChannelAgilityEnabled, dot11HRCCAModeSupported }
+        STATUS current
+        DESCRIPTION
+        	"Attributes that configure the HRDSSS for IEEE 802.11."
+    ::= { dot11Groups 23 }
+
+-- **********************************************************************
+-- *   End of 802.11 MIB
+-- **********************************************************************
+
+END
+
Index: /branches/releng-10/nanobsd/files/usr/local/www/index.html
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/www/index.html	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/www/index.html	(revision 12525)
@@ -0,0 +1,8 @@
+<html>
+ <head>
+  <META HTTP-EQUIV="refresh" CONTENT="0;URL=/wlweb">
+ </head>
+ <body>
+  Wireless Leiden
+ </body>
+</html>
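Review bot: The page relies solely on the `META HTTP-EQUIV="refresh"` on line 3 to get visitors to /wlweb, so any client that does not honour meta refresh (text browsers, crawlers, some hardened browser profiles that disable it) is stranded on a body that reads only "Wireless Leiden" with no way forward. A plain link as the fallback costs nothing: `<a href="/wlweb">Wireless Leiden</a>` in place of the bare text in the body. If the surrounding web server configuration allows it, an HTTP-level redirect for `/` would be preferable to a client-side refresh, but that is presumably outside this file.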
Index: /branches/releng-10/nanobsd/files/usr/local/www/wlportal/index.cgi
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/www/wlportal/index.cgi	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/www/wlportal/index.cgi	(revision 12525)
@@ -0,0 +1,368 @@
+#!/usr/bin/env python
+#
+# Wrap me around tcpserver or inetd, example usage for tcpserver (debug):
+# tcpserver -HRl localhost 172.31.255.1 /root/wlportal.py
+#
+# Or put me in a CGI script in for example thttpd server:
+#
+# = Usage =
+# This is a wrapper script which does very basic HTML parsing and altering of
+# pfctl tables rules to build a basic Captive Portal, with basic sanity
+# checking. The ACL is IP based (this is a poor mans solution, layer2
+# ACL would be much better), so don't take security very seriously.
+# 
+# To get traffic by default to the portal iI requires a few special rules in
+# pfctl to work properly:
+#   no rdr on { $captive_ifs } proto tcp from <wlportal> to !$wl_net port 80
+#   rdr on { $captive_ifs } proto tcp from $wl_net to !$wl_net port 80 -> 127.0.0.1 port 8082
+# 
+# Enties older than 5 minutes not being used will be removed if the (hidden)
+# argument action=cleanup is given as GET variable. So having this in cron (would fix it):
+# */5 * * * * /usr/bin/fetch -q http://172.31.255.1/wlportal?action=cleanup
+#
+# XXX: The whitelist entries first needs to contact the wlportal.py to get
+# added to the whitelist, this may cause issues during initial setup and hence
+# it might be advised to create a block of static whitelist IP addresses which
+# get added during boot and will never disappear.
+#
+# State   : v0.6.0
+# Version : $Id$
+# Author  : Rick van der Zwet <info@rickvanderzwet.nl>
+# Licence : BSDLike http://wirelessleiden.nl/LICENSE
+
+class MultiTracebackHook:
+  """A hook to replace sys.excepthook that shows tracebacks in syslog & HTML (using cgitb)"""
+  def __init__(self, ident=None, enable=False):
+    self.ident = ident
+    if enable:
+      self.enable()
+
+  def __call__(self, etype, evalue, etb):
+    self.handle((etype, evalue, etb))
+
+  def handle(self, info=None):
+    import cgitb
+    import os
+    import sys
+    import syslog
+    import traceback
+    info = info or sys.exc_info()
+    tb = traceback.format_exception(*info)
+    if self.ident:
+      syslog.openlog(self.ident)
+    prefix = '[%i]' % os.getpid() 
+    for line in tb:
+      syslog.syslog(line)
+    cgitb.handler(info)
+
+  def enable(self):
+    import sys
+    sys.excepthook = self
+
+MultiTracebackHook(ident='wlportal', enable=True)
+
+import os
+import signal
+import subprocess
+import socket
+import sys
+import time
+import traceback
+import urlparse
+import yaml
+
+from jinja2 import Template
+
+# XXX: Make me dynamic for example put me in the conf file
+cfg = { 
+  'autologin'     : False,
+  'cmd_arp'       : '/usr/sbin/arp',
+  'pfctl'         : '/sbin/pfctl',
+  'portal_sponsor': 'Sponsor van Stichting Wireless Leiden',
+  'portal_url'    : 'http://wirelessleiden.nl/welkom?connected_to=%s' % socket.gethostname(),
+  'portalroot'    : '172.31.255.1',
+  'refresh_delay' : 3,
+  'tmpl_autologin': '/usr/local/etc/wlportal/autologin.tmpl',
+  'tmpl_login'    : '/usr/local/etc/wlportal/login.tmpl',
+  'warnlist'      : [],
+  'whitelist'     : [],
+  'blacklist'     : [],
+  'config_files'  : ['/usr/local/etc/wlportal/config.yaml','/usr/local/etc/wleiden.yaml'],
+  'expire_time'   : None,
+  'accessdb'      : '/var/db/clients',
+  'net_status'    : '/tmp/network.status',
+}
+
+
+# No failback if config does not exist, to really make sure the user knows if
+# the config file failed to parse properly or is non-existing
+for config_file in cfg['config_files']:
+ if os.path.isfile(config_file):
+   cfg.update(yaml.load(open(config_file)))
+
+internet_up = True
+if os.path.isfile(cfg['net_status']):
+  internet_up = 'internet=up' in open(cfg['net_status'], 'r').read().lower()
+
+if not internet_up:
+  cfg['warning_msg'] = "<b>Internet Problemen</b>: De laatste 15 minuten zijn er problemen met de (internet) verbinding geconstateerd, de gebruikers ervaring kan dus niet optimaal zijn. Onze excuses voor het eventuele ongemak. Bij aanhoudende problemen kunt u contact opnemen met gebruikers@lijst.wirelessleiden.nl" 
+
+def log_registered_host(remote_mac, remote_host):
+  """
+   Write statistics file, used for (nagios) monitoring purposes 
+  """
+  with open(cfg['accessdb'],"a") as fh:
+   epoch = int(time.time())
+   fh.write("%s %s %s \n" % (epoch, remote_mac, remote_host) )
+
+class MACnotFound(Exception):
+  pass
+
+def get_mac(ipaddr):
+  """ Find out the MAC for a certain IP address """
+  try:
+    # ? (172.17.32.1) at 00:12:34:45:67:90 on ue0 permanent [ethernet]
+    return subprocess.check_output(['/usr/sbin/arp', '-n' ,ipaddr], shell=False).split()[3]
+  except subprocess.CalledProcessError:
+    raise MACnotFound
+
+def get_active_MACs():
+  """ Return dictionary with active IPs as keys """
+  # ? (172.17.32.1) at 00:12:34:45:67:90 on ue0 permanent [ethernet]
+  # ? (172.17.32.2) at 00:aa:bb:cc:dd:ee on ue0 expires in 964 seconds [ethernet]
+  # ? (172.16.3.38) at (incomplete) on vr2 expired [ethernet]
+  output = subprocess.check_output(['/usr/sbin/arp', '-n' ,'-a'], shell=False)
+  db = {}
+  for line in output.strip().split('\n'):
+    i = line.split()
+    ip = i[1][1:-1]
+    mac = i[3]
+    db[ip] = mac
+  return db
+    
+
+class PacketFilterControl():
+  """ Manage an Packet Filter using pfctl and table wlportal"""
+  def add(self, ipaddr):
+    """ Add Allow Entry in Firewall"""
+    output = subprocess.Popen([cfg['pfctl'],'-t','wlportal', '-T', 'add', ipaddr], stderr=subprocess.PIPE).communicate()[1]
+    is_added = '1/1 addresses added.' in output
+    return is_added
+  def delete(self, ipaddr):
+    """ Delete one Allow Entry to Firewall"""
+    output = subprocess.Popen([cfg['pfctl'],'-t','wlportal', '-T', 'delete', ipaddr], stderr=subprocess.PIPE).communicate()[1]
+  def flush(self):
+    """ Delete all Allow Entries from Firewall"""
+    output = subprocess.Popen([cfg['pfctl'],'-t','wlportal', '-T', 'flush'], stderr=subprocess.PIPE).communicate()[1]
+    #0 addresses deleted.
+    return int(output.strip().split('\n')[-1].split()[0])
+  def cleanup(self, expire_time=None):
+    """ Delete obsolete entries and expired entries from the Firewall"""
+    deleted_entries = 0
+    # Delete entries older than certain time
+    if expire_time:
+      output = subprocess.Popen([cfg['pfctl'],'-t','wlportal', '-T', 'expire', expire_time], stdout=subprocess.PIPE).communicate()[0]
+      # 0/0 addresses expired.
+      deleted_entries += int(output.strip.split()[-1].split('/')[0])
+
+    # Delete entries which the MAC<>IP mapping does no longer hold. The
+    # ``rogue'' clients, commonly seen when DHCP scope is small and IPs get
+    # re-used frequently, are wipped and require an re-connect.
+    stored_mac = {}
+    if os.path.isfile(cfg['accessdb']):
+      for line in open(cfg['accessdb'],'r'):
+        (epoch, mac, ipaddr) = line.split()
+        stored_mac[ipaddr] = mac
+    # Live configuration
+    active_mac = get_active_MACs()
+    # Process all active ip addresses from firewall and compare changes   
+    output = subprocess.Popen([cfg['pfctl'],'-t','wlportal', '-T', 'show'], stdout=subprocess.PIPE).communicate()[0]
+    for ip in output.split():
+      if ip in cfg['whitelist']:
+        # IP is whitelisted
+        continue
+      elif active_mac.has_key(ip) and active_mac[ip] in cfg['whitelist']:
+        # MAC is whitelisted
+        continue
+      elif not active_mac.has_key(ip) and stored_mac.has_key(ip):
+        # In-active connection - Keep entry with normal expire time, as user
+        # might come back (temponary disconnect).
+        continue
+      elif active_mac.has_key(ip) and stored_mac.has_key(ip) and active_mac[ip] == stored_mac[ip]:
+        # Active connection - previous record found - Stored v.s. Active happy
+        continue
+      else:
+        self.delete(ip)
+        deleted_entries =+ 1 
+    return deleted_entries
+      
+      
+# Call from crontab
+if sys.argv[1:]:
+  if sys.argv[1] == 'cleanup':
+    fw = PacketFilterControl()
+    fw.cleanup()
+    sys.exit(0)
+
+### BEGIN STANDALONE/CGI PARSING ###
+#
+# Query String Dictionaries
+qs_post = None
+qs = None
+header = []
+if not os.environ.has_key('REQUEST_METHOD'):
+  # a) We are not wrapped around in a HTTP server, so this _is_ the
+  #    HTTP server, so act like one.
+  class TimeoutException(Exception):
+    """ Helper for alarm signal handling"""
+    pass
+  
+  def handler(signum, frame):
+    """ Helper for alarm signal handling"""
+    raise TimeoutException
+  
+  
+  # Parse the HTTP/1.1 Content-Header (partially)
+  signal.signal(signal.SIGALRM,handler)
+  us = None
+  method = None
+  hostname = None
+  content_length = None
+  remote_host = None
+  while True:
+    try:
+      signal.alarm(1)
+      line = sys.stdin.readline().strip()
+      if not line:
+        break
+      header.append(line)
+      signal.alarm(0)
+      if line.startswith('GET '):
+        us = urlparse.urlsplit(line.split()[1])
+        method = 'GET'
+      elif line.startswith('POST '):
+        method = 'POST'
+        us = urlparse.urlsplit(line.split()[1])
+      elif line.startswith('Host: '):
+        hostname = line.split()[1]
+      elif line.startswith('Content-Length: '):
+        content_length = int(line.split()[1])
+    except TimeoutException:
+      break
+  
+  # Capture Portal, make sure to redirect all to portal
+  if hostname != cfg['portalroot']:
+    print "HTTP/1.1 302 Moved Temponary\r\n",
+    print "Location: http://%(portalroot)s/\r\n" % cfg,
+    sys.exit(0)
+  
+  
+  # Handle potential POST
+  if method == 'POST' and content_length:
+    body = sys.stdin.read(content_length)
+    qs_post = urlparse.parse_qs(body)
+  
+  # Parse Query String
+  if us and us.path == "/wlportal" and us.query:
+    qs = urlparse.parse_qs(us.query)
+
+  remote_host = os.environ['REMOTEHOST']
+else:
+  # b) CGI Script: Parse the CGI Variables if present
+  if os.environ['REQUEST_METHOD'] == "POST":
+    content_length = int(os.environ['CONTENT_LENGTH'])
+    body = sys.stdin.read(content_length)
+    qs_post = urlparse.parse_qs(body)
+
+  if os.environ.has_key('QUERY_STRING'):
+    qs = urlparse.parse_qs(os.environ['QUERY_STRING'])
+
+  remote_host = os.environ['REMOTE_ADDR']
+#
+### END STANDALONE/CGI PARSING ###
+
+
+# Helpers for HTML 'templates'
+content = cfg.copy()
+content.update(extra_header='')
+
+# IP or MAC on the whitelist does not need to authenticate, used for devices
+# which need to connect to the internet, but has no 'buttons' to press OK.
+#
+# This assumes that devices will re-connect if they are not able to connect 
+# to their original host, as we do not preserve the original URI.
+remote_mac = get_mac(remote_host)
+if cfg['autologin'] or remote_host in cfg['whitelist'] or remote_mac in cfg['whitelist']:
+  qs_post = { 'action' : 'login' }
+
+if remote_mac in cfg['warnlist']:
+  connect['status_msg'] = "U veroorzaakt overlast op het WL netwerk || You are causing WL network abuse"
+
+try:
+  fw = PacketFilterControl()
+  
+  # Put authenticate use and process response
+  if qs and qs.has_key('action'):
+    if 'flush' in qs['action']:
+      retval = fw.flush()
+      content['status_msg'] += "# [INFO] Deleted %s entries\n" % retval
+    elif 'update' in qs['action']:
+      tech_footer = "# [INFO] Update timestamp of all entries\n"
+      fw.update()
+      content['status_msg'] += fw.get_log()
+    elif 'cleanup' in qs['action']:
+      retval = fw.cleanup(cfg['expire_time'])
+      content['status_msg'] += "# [INFO] Deleted %s entries\n" % retval
+  elif qs_post and qs_post.has_key('action'):
+    if 'login' in qs_post['action']:
+      if remote_mac in cfg['blacklist']:
+        content['status_msg'] = "Toegang ontzegt ipv misbruik WL netwerk || Access denied due to WL network abuse"
+      elif fw.add(remote_host):
+        content['extra_header'] = "Refresh: %(refresh_delay)s; url=%(portal_url)s\r" % content
+        content['status_msg'] = "Sucessfully Logged In! || " +\
+        """ Will redirect you in %(refresh_delay)s seconds to <a href="%(portal_url)s">%(portal_url)s</a> """ % content
+        log_registered_host(remote_mac, remote_host)
+      else:
+        content['status_msg'] = "ERROR! Already Logged On"
+    elif 'logout' in qs_post['action']:
+      fw.delete(remote_host)
+      content['status_msg'] = "Succesfully logged out!"
+
+except Exception, e:
+  content['tech_footer'] += traceback.format_exc()
+  content['status_msg'] = "<div class='error'>Internal error!<pre>%s</pre></div>" % traceback.format_exc()
+  pass
+
+  # Present Main Screen
+print """\
+HTTP/1.1 200 OK\r
+Content-Type: text/html\r
+%(extra_header)s
+""" % content
+
+try:
+  tmpl_file = cfg['tmpl_autologin'] if cfg['autologin'] else cfg['tmpl_login']
+  page = open(tmpl_file,'r').read()
+except IOError:
+  page = """
+<html><head></head><body>
+<h2>%(status_msg)s</h2>
+
+<h3>Wireless Leiden - Internet Portal</h3>
+<form action="http://%(portalroot)s/wlportal/" method="POST">
+<input name="action" type="hidden" value="login" />
+<input type="submit" value="OK, agreed" />
+</form>
+
+<h3>More options</h3>
+<form action="http://%(portalroot)s/wlportal/" method="POST">
+<input name="action" type="hidden" value="logout" />
+<input type="submit" value="Cancel and/or Logout" />
+</form>
+<hr /><em>Technical Details:</em><pre>
+%(tech_footer)s
+</pre>
+</body></html>
+"""
+
+print Template(page).render(content)
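Review bot: The `flush` and `cleanup` branches under `if qs and qs.has_key('action')` are accepted from any client's query string with no authentication, so every host behind the portal can empty the whole `wlportal` table; the header comment only calls the argument "hidden", which is not a control — gate these on the caller, e.g. `if qs and qs.has_key('action') and remote_host in ('127.0.0.1', cfg['portalroot']):` so only the node's own cron job (as documented in the header) can trigger them. Several paths in the same file cannot run as written: `output.strip.split()` in `PacketFilterControl.cleanup` is missing the call parentheses, `deleted_entries =+ 1` in the same method resets the counter to 1 instead of incrementing it, `connect['status_msg']` in the warnlist check refers to an undefined name, `content['status_msg'] +=` and `content['tech_footer'] +=` operate on keys that `cfg.copy()` never initialises (the `+=` inside the `except Exception` handler then raises a second, unhandled exception), and `fw.update()` / `fw.get_log()` do not exist on `PacketFilterControl`. `yaml.load(open(config_file))` should be `yaml.safe_load(...)` — the default loader constructs arbitrary Python objects from the config file — and the `except Exception` handler copies the full traceback into the HTML response, which discloses internal paths to the client; log it via `MultiTracebackHook.handle` and show a generic message instead. Minor: `get_mac` hard-codes `/usr/sbin/arp` instead of using `cfg['cmd_arp']`, and the fallback page in the `except IOError` branch uses `%(...)s` placeholders that `Template(page).render(content)` never substitutes, so it renders with the literal placeholders.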
Index: /branches/releng-10/nanobsd/files/usr/local/www/wlweb/index.cgi
===================================================================
--- /branches/releng-10/nanobsd/files/usr/local/www/wlweb/index.cgi	(revision 12525)
+++ /branches/releng-10/nanobsd/files/usr/local/www/wlweb/index.cgi	(revision 12525)
@@ -0,0 +1,92 @@
+#!/usr/bin/env python
+# 
+# Wireless Leiden webinterface for (embedded) nodes, printing some basic debug
+# information, for people who does not like SSH logins
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+# Richard van Mansom <richardvm@wirelessleiden.nl>, stripped the webserver
+
+class MultiTracebackHook:
+  """A hook to replace sys.excepthook that shows tracebacks in syslog & HTML (using cgitb)"""
+  def __init__(self, ident=None, enable=False):
+    self.ident = ident
+    if enable:
+      self.enable()
+
+  def __call__(self, etype, evalue, etb):
+    self.handle((etype, evalue, etb))
+
+  def handle(self, info=None):
+    import cgitb
+    import os
+    import sys
+    import syslog
+    import traceback
+    info = info or sys.exc_info()
+    tb = traceback.format_exception(*info)
+    if self.ident:
+      syslog.openlog(self.ident)
+    prefix = '[%i]' % os.getpid() 
+    for line in tb:
+      syslog.syslog(line)
+    cgitb.handler(info)
+
+  def enable(self):
+    import sys
+    sys.excepthook = self
+
+MultiTracebackHook(ident='wlweb', enable=True)
+
+from subprocess import *
+import socket
+
+def tailFile(file, lines=10):
+  return("<em>Tail (%i): %s</em><br /><pre>%s</pre>" % (lines,file,Popen(["/usr/bin/tail", '-%s' % lines, file], stdout=PIPE, shell=False).communicate()[0]))
+
+def catFile(file):
+  return("<em>File: %s</em><br /><pre>%s</pre>" % (file,Popen(["/bin/cat", file], stdout=PIPE, shell=False).communicate()[0]))
+
+def allRoutes():
+  return("<em>netstat -nr</em><br /><pre>%s</pre>" % Popen(["/usr/bin/netstat", "-n", "-r"], stdout=PIPE, shell=False).communicate()[0])
+
+def processList():
+  return("<em>ps -ax</em><br /><pre>%s</pre>" % Popen(["/bin/ps", "-a", "-x"], stdout=PIPE, shell=False).communicate()[0])
+
+def interfaceList():
+  return("<em>ifconfig -a</em><br /><pre>%s</pre>" % Popen(["/sbin/ifconfig", "-a"], stdout=PIPE, shell=False).communicate()[0])
+
+def arpList():
+  return("<em>arp -n -a</em><br /><pre>%s</pre>" % Popen(["/usr/sbin/arp", "-n", "-a"], stdout=PIPE, shell=False).communicate()[0])
+
+
+if __name__ == '__main__':
+  print "Content-Type: text/html\n\n"
+  print "<img src='/static/wl-logo.png' />"
+  print "Welcome to <a href='http://www.wirelessleiden.nl'>Stichting Wireless Leiden</a> host/node <em>%s</em>" % socket.gethostname()
+
+  items = ['motd', 'messages', 'debug.log', 'dmesg.boot', 'ps', 'ifconfig', 'arp', 'routes']  
+  print "<a name='top'><ul>"
+  for item in items:
+    print "<li><a href='#{0}'>{0}</a></li>".format(item)
+  print '</ul>'
+
+  def item_label():
+    return "<a href='#top'>Back to Top</a><a name='%s'></a><p />" % items.pop(0)
+
+  print item_label()
+  print catFile('/etc/motd')
+  print item_label()
+  print tailFile('/var/log/messages')
+  print item_label()
+  print tailFile('/var/log/debug.log')
+  print item_label()
+  print catFile('/var/run/dmesg.boot')
+  print item_label()
+  print processList() + "<p />"
+  print item_label()
+  print interfaceList() + "<p />"
+  print item_label()
+  print arpList() + "<p />" 
+  print item_label()
+  print allRoutes() + "<p />" 
+  print "<em>$Id$</em>"
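Review bot: The command and file output returned by `tailFile`, `catFile`, `allRoutes`, `processList`, `interfaceList` and `arpList` is interpolated into `<pre>` blocks without HTML escaping, so any `<` or `&` that ends up in `/var/log/messages`, a process title or an ARP/ifconfig line breaks the markup and lets untrusted content that reaches the logs inject HTML into this page; wrap each `.communicate()[0]` in `cgi.escape(...)` (`import cgi`) before formatting. The page also serves `/var/log/messages`, `/var/log/debug.log`, `ps -ax`, `ifconfig -a`, `arp -n -a` and the routing table to every HTTP client with no authentication, which is presumably intentional for a community node but deserves a header comment such as `# NOTE: served without authentication; keep the listed files free of secrets`. Minor: `print "Content-Type: text/html\n\n"` emits three newlines because `print` appends its own, and the parameter name `file` shadows the Python 2 builtin.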
Index: /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.conf
===================================================================
--- /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.conf	(revision 12525)
+++ /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.conf	(revision 12525)
@@ -0,0 +1,383 @@
+// $FreeBSD: release/9.0.0/etc/namedb/named.conf 224125 2011-07-17 06:20:47Z dougb $
+//
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/share/doc/bind9 for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works.  Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+	// All file and path names are relative to the chroot directory,
+	// if any, and should be fully qualified.
+	directory	"/etc/namedb/working";
+	pid-file	"/var/run/named/pid";
+	dump-file	"/var/dump/named_dump.db";
+	statistics-file	"/var/stats/named.stats";
+	managed-keys-directory "/etc/namedb";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+//	listen-on	{ 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver.  To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+//	listen-on-v6	{ ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below.  This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+	forwarders {
+		127.0.0.1;
+	};
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer.  Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+//	forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
+// named_auto_forward_only (the effect of which is described above).
+	include "/etc/namedb/auto_forward.conf";
+
+	/*
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
+	allow-transfer { "any"; };
+	allow-recursion { "any"; };
+};
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/etc/namedb/named.root"; };
+
+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	On the other hand, this method requires more monitoring than the
+	hints file to be sure that an unexpected failure mode has not
+	incapacitated your server.  Name servers that are serving a lot
+	of clients will benefit more from this approach than individual
+	hosts.  Use with caution.
+
+	To use this mechanism, uncomment the entries below, and comment
+	the hint zone above.
+
+	As documented at http://dns.icann.org/services/axfr/ these zones:
+	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
+	are availble for AXFR from these servers on IPv4 and IPv6:
+	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+	type slave;
+	file "/etc/namedb/slave/root.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+	};
+	notify no;
+};
+zone "arpa" {
+	type slave;
+	file "/etc/namedb/slave/arpa.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+	};
+	notify no;
+};
+*/
+
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost"	{ type master; file "/etc/namedb/master/localhost-forward.db"; };
+zone "127.in-addr.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa"	   { type master; file "/etc/namedb/master/empty.db"; };
+//zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+//zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927, 5735 and 6303)
+zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
+zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Domain Names for Documentation and Testing (BCP 32)
+zone "test" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example" { type master; file "/etc/namedb/master/empty.db"; };
+zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "241.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "242.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "243.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int"		{ type master; file "/etc/namedb/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries.  It can be convenient to become
+// a slave at least for the zone your own domain is in.  Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work.  There are sometimes
+// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-)  Use actual names
+// and addresses instead.
+
+/* An example dynamic zone
+key "exampleorgkey" {
+	algorithm hmac-md5;
+	secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+	type master;
+	allow-update {
+		key "exampleorgkey";
+	};
+	file "/etc/namedb/dynamic/example.org";
+};
+*/
+
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+	type slave;
+	file "/etc/namedb/slave/1.168.192.in-addr.arpa";
+	masters {
+		192.168.1.1;
+	};
+};
+*/
+
+zone "16.172.in-addr.arpa" { 
+  type slave; 
+  file "/etc/namedb/slave/16.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "17.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/17.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "18.172.in-addr.arpa" {
+  type slave;
+  file "/etc/namedb/slave/18.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "19.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/19.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "20.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/20.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "21.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/21.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "22.172.in-addr.arpa" {
+  type slave;
+  file "/etc/namedb/slave/22.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "23.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/23.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "24.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/24.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "25.172.in-addr.arpa" {
+  type slave;
+  file "/etc/namedb/slave/25.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "26.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/26.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "27.172.in-addr.arpa" { 
+  type slave; 
+  file "/etc/namedb/slave/27.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "28.172.in-addr.arpa" {
+  type slave;
+  file "/etc/namedb/slave/28.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "29.172.in-addr.arpa" {
+  type slave;
+  file "/etc/namedb/slave/29.172.in-addr.arpa"; 
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "30.172.in-addr.arpa" { 
+  type slave; 
+  file "/etc/namedb/slave/30.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "31.172.in-addr.arpa" { 
+  type slave;
+  file "/etc/namedb/slave/31.172.in-addr.arpa";
+  masters { 172.16.4.46;172.16.3.22 };
+};
+zone "wleiden.net" {
+  type slave;
+  file "/etc/namedb/slave/wleiden.net";
+  masters { 172.16.4.46;172.16.3.22 };
+};
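Review bot: `allow-recursion { "any"; };` in the `options` block, combined with the commented-out `listen-on`, makes the node an open recursive resolver on every interface, and `allow-transfer { "any"; };` hands the slaved `wleiden.net` and `16.172`–`31.172` reverse zones to any requester; restrict both to the node's own networks, e.g. `allow-recursion { localnets; 172.16.0.0/12; };` and `allow-transfer { localnets; };` (or `none;` if no downstream secondaries pull from this host). The `masters { 172.16.4.46;172.16.3.22 };` lists in the seventeen slave zones lack a `;` after the last address, which BIND's parser normally rejects — run `named-checkconf` on the image before shipping, and in any case write it as `masters { 172.16.4.46; 172.16.3.22; };`. The stock `include "/etc/namedb/auto_forward.conf";` is kept; worth confirming that file is present in the image, since a missing include stops `named` from starting.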
Index: /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.root
===================================================================
--- /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.root	(revision 12525)
+++ /branches/releng-10/nanobsd/files/var/named/etc/namedb/named.root	(revision 12525)
@@ -0,0 +1,88 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    Jan 3, 2013
+;       related version of root zone:   2013010300
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.	 3600000      AAAA  2001:500:2D::D
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
+; End of File
Index: /branches/releng-10/nanobsd/patches/udav-broken-phy.patch
===================================================================
--- /branches/releng-10/nanobsd/patches/udav-broken-phy.patch	(revision 12525)
+++ /branches/releng-10/nanobsd/patches/udav-broken-phy.patch	(revision 12525)
@@ -0,0 +1,70 @@
+#------------------------------------------------------------------------
+#r238466 | rpaulo | 2012-07-15 07:49:02 +0200 (Sun, 15 Jul 2012) | 4 lines
+#
+#The JP1082 device doesn't respond to the MII_BMSR command and it turns
+#out that it has an unusable PHY. It still works, although very slowly,
+#without a PHY, so I implemented non-PHY support in the udav driver.
+#
+#------------------------------------------------------------------------
+Index: sys/dev/usb/net/if_udav.c
+===================================================================
+--- sys/dev/usb/net/if_udav.c	(revision 238465)
++++ sys/dev/usb/net/if_udav.c	(revision 238466)
+@@ -169,7 +169,7 @@
+ MODULE_DEPEND(udav, miibus, 1, 1, 1);
+ MODULE_VERSION(udav, 1);
+ 
+-static const struct usb_ether_methods udav_ue_methods = {
++static struct usb_ether_methods udav_ue_methods = {
+ 	.ue_attach_post = udav_attach_post,
+ 	.ue_start = udav_start,
+ 	.ue_init = udav_init,
+@@ -206,7 +206,8 @@
+ 	{USB_VPI(USB_VENDOR_SHANTOU, USB_PRODUCT_SHANTOU_ADM8515, 0)},
+ 	/* Kontron AG USB Ethernet */
+ 	{USB_VPI(USB_VENDOR_KONTRON, USB_PRODUCT_KONTRON_DM9601, 0)},
+-	{USB_VPI(USB_VENDOR_KONTRON, USB_PRODUCT_KONTRON_JP1082, 0)},
++	{USB_VPI(USB_VENDOR_KONTRON, USB_PRODUCT_KONTRON_JP1082,
++	    UDAV_FLAG_NO_PHY)},
+ };
+ 
+ static void
+@@ -259,6 +260,16 @@
+ 		goto detach;
+ 	}
+ 
++	/*
++	 * The JP1082 has an unusable PHY and provides no link information.
++	 */
++	if (sc->sc_flags & UDAV_FLAG_NO_PHY) {
++		udav_ue_methods.ue_tick = NULL;
++		udav_ue_methods.ue_mii_upd = NULL;
++		udav_ue_methods.ue_mii_sts = NULL;
++		sc->sc_flags |= UDAV_FLAG_LINK;
++	}
++
+ 	ue->ue_sc = sc;
+ 	ue->ue_dev = dev;
+ 	ue->ue_udev = uaa->device;
+@@ -712,7 +723,8 @@
+ 	UDAV_LOCK_ASSERT(sc, MA_OWNED);
+ 
+ 	ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+-	sc->sc_flags &= ~UDAV_FLAG_LINK;
++	if (!(sc->sc_flags & UDAV_FLAG_NO_PHY))
++		sc->sc_flags &= ~UDAV_FLAG_LINK;
+ 
+ 	/*
+ 	 * stop all the transfers, if not already stopped:
+Index: sys/dev/usb/net/if_udavreg.h
+===================================================================
+--- sys/dev/usb/net/if_udavreg.h	(revision 238465)
++++ sys/dev/usb/net/if_udavreg.h	(revision 238466)
+@@ -159,6 +159,7 @@
+ 	int			sc_flags;
+ #define	UDAV_FLAG_LINK		0x0001
+ #define	UDAV_FLAG_EXT_PHY	0x0040
++#define	UDAV_FLAG_NO_PHY	0x0080
+ };
+ 
+ #define	UDAV_LOCK(_sc)			mtx_lock(&(_sc)->sc_mtx)
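Review bot: The backported change drops `const` from `udav_ue_methods` and NULLs its `ue_tick`/`ue_mii_upd`/`ue_mii_sts` entries inside the attach path, so the first JP1082 that attaches switches off MII handling for every udav instance in the system, not just the PHY-less one; the attach function itself starts outside this hunk. A per-softc copy of the method table, or a `UDAV_FLAG_NO_PHY` check inside the tick/mii callbacks, would confine the effect to the affected device. Since this is a verbatim backport of upstream r238466 the fix probably belongs upstream, but the scope of the side effect is worth recording in the patch header, e.g. `# NOTE: mutates the shared udav_ue_methods table; affects all udav devices once a JP1082 attaches`.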
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/Makefile
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/Makefile	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/Makefile	(revision 12525)
@@ -0,0 +1,78 @@
+# New ports collection makefile for:	maradns2
+# Date created:				10 Feb 2012
+# Whom:					Rick van der Zwet <info@rickvanderzwet.nl>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	maradns
+PORTVERSION=	2.0.05
+CATEGORIES=	dns
+MASTER_SITES=	http://www.maradns.org/download/2.0/${PORTVERSION}/ \
+		SF/${PORTNAME}/MaraDNS/${PORTVERSION}/
+
+MAINTAINER=	info@rickvanderzwet.nl
+COMMENT=	DNS server with focus on security and simplicity
+
+LICENSE=	BSD
+LICENSE_FILE=	${WRKSRC}/COPYING
+
+CONFLICTS=	maradns-1.?
+
+OPTIONS=	IPV6 "Enable IPv6 Support" Off
+.include <bsd.port.options.mk>
+
+.if defined(WITH_IPV6)
+CONFIGURE_ARGS+=	--ipv6
+.endif
+
+LATEST_LINK=	maradns2
+
+USE_RC_SUBR=	${PORTNAME} deadwood zoneserver
+USERS=		bind
+GROUPS=		bind
+
+MAN1=		deadwood.1 askmara.1 fetchzone.1 getzone.1
+MAN5=		csv1.5 csv2.5 csv2_txt.5 mararc.5
+MAN8=		duende.8 maradns.8 zoneserver.8
+
+post-extract:
+	${MV} ${WRKSRC}/doc/en/man/Deadwood.1 ${WRKSRC}/doc/en/man/deadwood.1
+	# The internal deadwood release seems to differ all the time, but the
+	# patches needs to stay more and less the same
+	${LN} -s ${WRKSRC}/deadwood* ${WRKSRC}/deadwood
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/deadwood-*/src/Deadwood ${PREFIX}/sbin/deadwood
+	${INSTALL_PROGRAM} ${WRKSRC}/server/maradns ${PREFIX}/sbin/maradns
+	${INSTALL_PROGRAM} ${WRKSRC}/tcp/fetchzone ${PREFIX}/bin/fetchzone
+	${INSTALL_PROGRAM} ${WRKSRC}/tcp/getzone ${PREFIX}/bin/getzone
+	${INSTALL_PROGRAM} ${WRKSRC}/tcp/zoneserver ${PREFIX}/sbin/zoneserver
+	${INSTALL_PROGRAM} ${WRKSRC}/tools/askmara ${PREFIX}/bin/askmara
+	${INSTALL_PROGRAM} ${WRKSRC}/tools/duende ${PREFIX}/bin/duende
+
+	${INSTALL_DATA} ${WRKSRC}/doc/en/examples/example_full_mararc ${PREFIX}/etc/mararc.sample
+	${INSTALL_DATA} ${WRKSRC}/deadwood-*/doc/dwood3rc ${PREFIX}/etc/dwood3rc.sample
+
+	${MKDIR} ${PREFIX}/etc/maradns ${PREFIX}/etc/deadwood
+
+.if !defined(NOPORTEXAMPLES)
+	${MKDIR} ${EXAMPLESDIR}
+	(cd ${WRKSRC}/doc/en/examples/ && ${COPYTREE_SHARE} example_\* ${EXAMPLESDIR})
+.endif
+.if !defined(NO_INSTALL_MANPAGES)
+	${INSTALL_MAN} ${WRKSRC}/doc/en/man/*.1 ${PREFIX}/man/man1/
+	${INSTALL_MAN} ${WRKSRC}/doc/en/man/*.5 ${PREFIX}/man/man5/
+	${INSTALL_MAN} ${WRKSRC}/doc/en/man/*.8 ${PREFIX}/man/man8/
+.endif
+.if !defined(NOPORTDOCS)
+	${MKDIR} ${DOCSDIR}
+	(cd ${WRKSRC}/doc/en/ && ${COPYTREE_SHARE} "misc text tutorial webpage" ${DOCSDIR})
+	(cd ${WRKSRC}/doc/en/ && ${COPYTREE_SHARE} \*.txt ${DOCSDIR})
+.endif
+#(cd ${WRKSRC}/doc/en/ && ${COPYTREE_SHARE} misc text tutorial webpage ${DOCSDIR})
+
+PORTDOCS=	misc text tutorial webpage *.txt
+PORTEXAMPLES=	example_*
+
+.include <bsd.port.mk>
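Review bot: The man pages are installed with `*.1`/`*.5`/`*.8` globs in `do-install` while `MAN1`/`MAN5`/`MAN8` enumerate fixed names, so any page in `doc/en/man` that is not in those lists gets installed but never registered, and is left behind on deinstall. Installing from the lists keeps the two in step, e.g. `.for f in ${MAN1}` / `${INSTALL_MAN} ${WRKSRC}/doc/en/man/${f} ${MANPREFIX}/man/man1/` / `.endfor` (likewise for MAN5 and MAN8). The `post-extract` symlink is created from the glob `${WRKSRC}/deadwood*`, which also matches the symlink itself on a repeated extract and makes `${LN}` fail with several sources; `do-install` then ignores that symlink and globs `deadwood-*` again, so one of the two mechanisms is redundant and the symlink would be the deterministic one to use.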
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/distinfo
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/distinfo	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/distinfo	(revision 12525)
@@ -0,0 +1,2 @@
+SHA256 (maradns-2.0.05.tar.gz) = 5649b11169d20dbbe640110639343dd68eeae718475407200213bbaa52d400ba
+SIZE (maradns-2.0.05.tar.gz) = 1525709
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/deadwood.in
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/deadwood.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/deadwood.in	(revision 12525)
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: deadwood
+# REQUIRE: SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+: ${deadwood_enable="NO"}
+: ${deadwood_conf="%%PREFIX%%/etc/dwood3rc"}
+
+name="deadwood"
+rcvar=deadwood_enable
+command="%%PREFIX%%/bin/duende"
+pidfile="/var/run/${name}.pid"
+command_args="--pid=$pidfile %%PREFIX%%/sbin/deadwood -f ${deadwood_conf}"
+
+load_rc_config $name
+
+run_rc_command "$1"
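Review bot: `deadwood_conf` defaults to `%%PREFIX%%/etc/dwood3rc`, but the port Makefile only installs `etc/dwood3rc.sample`, so on a fresh install the service is started against a missing file and the failure surfaces only in duende's syslog output. Declaring `required_files="${deadwood_conf}"` after `load_rc_config $name` lets rc.subr refuse to start with a clear message instead. The same applies to `maradns_conf` in maradns.in and zoneserver.in. Setting the `: ${deadwood_enable="NO"}` defaults before `load_rc_config` also deviates from the usual rc.d layout where they follow it; rc.conf overrides them either way, but the order is worth normalising so `required_files` can see the overridden path.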
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/maradns.in
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/maradns.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/maradns.in	(revision 12525)
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $FreeBSD: ports/dns/maradns/files/maradns.in,v 1.5 2012/01/14 08:55:38 dougb Exp $
+#
+
+# PROVIDE: maradns
+# REQUIRE: SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+: ${maradns_enable="NO"}
+: ${maradns_conf="%%PREFIX%%/etc/mararc"}
+
+name="maradns"
+rcvar=maradns_enable
+command="%%PREFIX%%/bin/duende"
+pidfile="/var/run/${name}.pid"
+command_args="--pid=$pidfile %%PREFIX%%/sbin/maradns -f ${maradns_conf}"
+
+load_rc_config $name
+
+run_rc_command "$1"
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-change-default-uid
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-change-default-uid	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-change-default-uid	(revision 12525)
@@ -0,0 +1,102 @@
+--- MaraDns.h.orig	2012-02-10 22:16:39.000000000 +0100
++++ MaraDns.h	2012-02-10 22:17:25.000000000 +0100
+@@ -77,16 +77,16 @@
+      line to point to Bash
+  */
+ 
+-#define MARADNS_DEFAULT_UID 99
++#define MARADNS_DEFAULT_UID 53
+ 
+ /* The default GID (Group ID) that MaraDNS has; see the default UID notes
+    above.  Again: CHANGE THE MARARC MAN PAGE IF YOU CHANGE THIS VALUE */
+-#define MARADNS_DEFAULT_GID 99
++#define MARADNS_DEFAULT_GID 53
+ 
+ /* The UID that the Duende logging process uses.  CHANGE THE DUENDE MAN
+    PAGE IF YOU CHANGE THIS VALUE (same general process as changing the
+    mararc man page; the source file for the duende man page is duende.ej) */
+-#define DUENDE_LOGGER_UID 66
++#define DUENDE_LOGGER_UID 65534
+ 
+ /* The directory that Duende runs in.  This directory has to exist for
+    Duende to be able to run.  Again, IF YOU CHANGE THIS, CHANGE THE
+--- doc/en/examples/example_full_mararc.orig	2011-02-06 03:21:42.000000000 +0100
++++ doc/en/examples/example_full_mararc	2012-02-11 02:13:22.000000000 +0100
+@@ -14,11 +14,11 @@
+ # "10.1.2.3,10.1.2.4,127.0.0.1"
+ ipv4_bind_addresses = "127.0.0.1"
+ # The directory with all of the zone files
+-chroot_dir = "/etc/maradns"
++chroot_dir = "/usr/local/etc/maradns"
+ # The numeric UID MaraDNS will run as
+-maradns_uid = 99
++maradns_uid = 65534
+ # The (optional) numeric GID MaraDNS will run as
+-# maradns_gid = 99
++# maradns_gid = 65534
+ 
+ # Normally, MaraDNS has some MaraDNS-specific features, such as DDIP
+ # synthesizing, a special DNS query ("erre-con-erre-cigarro.maradns.org." 
+--- doc/en/man/deadwood.1.orig	2012-02-10 22:20:19.000000000 +0100
++++ doc/en/man/deadwood.1	2012-02-10 22:22:17.000000000 +0100
+@@ -178,15 +178,14 @@
+ \fBmaradns_uid\fR
+ .PP
+ The user-id Deadwood runs as. This can be any number
+-between 10 and 65535; the default value is 99 (nobody on
+-RedHat-derived Linux distributions). This value is not
+-used on Windows systems.
++between 10 and 65535; the default value is 65534 (nobody).
++This value is not used on Windows systems.
+ .PP
+ .in -3
+ \fBmaradns_gid\fR
+ .PP
+ The group-id Deadwood runs as. This can be any
+-number between 10 and 65535; the default value is 99. This
++number between 10 and 65535; the default value is 65534 (nobody). This
+ value is not used on Windows systems.
+ .PP
+ .in -3
+--- doc/en/man/mararc.5.orig	2012-02-10 22:20:28.000000000 +0100
++++ doc/en/man/mararc.5	2012-02-10 22:21:03.000000000 +0100
+@@ -592,7 +592,7 @@
+ damage a potential attacker can cause should there be a security
+ problem with MaraDNS. This is the UID maradns becomes.
+ .PP
+-The default UID is 99.
++The default UID is 65534.
+ .PP
+ .in -3
+ \fBmaradns_gid\fR
+@@ -601,7 +601,7 @@
+ .PP
+ This accepts a single numerical value: The GID to run MaraDNS as.
+ .PP
+-The default GID is 99.
++The default GID is 65534.
+ .PP
+ .in -3
+ \fBmax_ar_chain\fR
+--- deadwood/doc/dwood3rc.orig	2011-11-01 17:25:23.000000000 +0100
++++ deadwood/doc/dwood3rc	2012-02-11 02:15:16.000000000 +0100
+@@ -6,7 +6,7 @@
+ # The following line is disabled by being commented out
+ #bind_address="::1" # We have optional IPv6 support
+ 
+-chroot_dir = "/etc/deadwood" # Directory we run program from (not used in Win32)
++chroot_dir = "/usr/local/etc/deadwood" # Directory we run program from (not used in Win32)
+ 
+ # The following upstream DNS servers are Google's newly-announced (as of
+ # December, 2009) public DNS servers.  For more information, see
+@@ -37,8 +37,8 @@
+ maxprocs = 8 # Maximum number of pending requests
+ handle_overload = 1 # Send SERVER FAIL when overloaded
+ 
+-maradns_uid = 99 # UID Deadwood runs as
+-maradns_gid = 99 # GID Deadwood runs as
++maradns_uid = 65534 # UID Deadwood runs as
++maradns_gid = 65534 # GID Deadwood runs as
+ 
+ maximum_cache_elements = 60000
+ 
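Review bot: The compiled-in defaults and the shipped documentation disagree after this patch: `MARADNS_DEFAULT_UID`/`MARADNS_DEFAULT_GID` become 53 in MaraDns.h, while `example_full_mararc`, `dwood3rc`, `mararc.5` and `deadwood.1` all state the default is 65534 (nobody), and the header's own comment asks for the man page to be changed whenever the value changes. The port Makefile creates the `bind` user and group (`USERS= bind`, `GROUPS= bind`), which on FreeBSD is uid/gid 53, so 53 looks like the intended value and the sample configs and man pages should read `maradns_uid = 53` / `maradns_gid = 53`. Running the resolver as a dedicated `bind` account rather than the shared `nobody` is also the safer choice, since maradns, deadwood and any other service using 65534 would otherwise be able to signal and ptrace each other. `DUENDE_LOGGER_UID` staying at 65534 is fine as long as the distinction is noted in the patch header.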
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-configure
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-configure	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-configure	(revision 12525)
@@ -0,0 +1,14 @@
+--- configure.orig	2012-02-10 22:32:58.000000000 +0100
++++ configure	2012-02-10 22:34:11.000000000 +0100
+@@ -92,6 +92,11 @@
+ 	echo It looks like you are using Cygwin\; this should compile fine
+ 	echo by typing in \'make\'.
+ 	EXITCODE=0
++elif echo $UNAME | grep -i FreeBSD > /dev/null ; then
++	cat $BUILDDIR/Makefile.noflock >> Makefile
++	echo It looks like you are using FreeBSD\; this should compile fine
++	echo by typing in \'make\'.
++	EXITCODE=0
+ # This is a a template for adding support to a new OS for MaraDNS.
+ # Some points: If you port MaraDNS, make sure the underlying OS has
+ # /dev/urandom support or have the default mararc have a
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-tools_duende.c
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-tools_duende.c	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/patch-tools_duende.c	(revision 12525)
@@ -0,0 +1,32 @@
+--- tools/duende.c.orig	2011-11-12 09:25:42.000000000 +0100
++++ tools/duende.c	2012-02-11 01:32:42.000000000 +0100
+@@ -35,6 +35,7 @@
+ #include <signal.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
+ #include <syslog.h>
+ #include <sys/time.h>
+ #include <sys/types.h>
+@@ -66,9 +67,20 @@
+     /* We can't use our signal handlers because fgets is blocking */
+     signal(SIGTERM,SIG_DFL);
+     signal(SIGHUP,SIG_DFL);
++    
++    /* Prefix MaraDNS syslog messages with ident of "maradns:" 
++       instead of "/usr/local/sbin/maradns:" */
++    char *needle, *ident;
++    needle = strrchr(name,'/');
++    /* needle found and not at the end of string */
++    if (needle && *(needle + 1) != '\0') {
++        ident = needle + 1;
++    } else {
++        ident = name;
++    }       
+ 
+     /* Open up the sys log */
+-    openlog(name,0,LOG_DAEMON);
++    openlog(ident,0,LOG_DAEMON);
+ 
+     /* Drop all privileges */
+     if(chdir(DUENDE_CHROOT_DIR) != 0) {
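Review bot: The added lines carry trailing whitespace (`++    ` and `++    }       `), and `char *needle, *ident;` is declared after statements, which requires C99; both are worth cleaning up before the patch is offered upstream. openlog(3) keeps the `ident` pointer rather than copying the string, so `ident` (which points into `name`) must stay valid for the lifetime of the process — presumably true if `name` is argv-derived, but the enclosing function starts outside the hunk, so a comment would help: `/* openlog() retains the pointer; name must outlive all later syslog() calls */`.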
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/files/zoneserver.in
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/files/zoneserver.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/files/zoneserver.in	(revision 12525)
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $FreeBSD: ports/dns/maradns/files/zoneserver.in,v 1.5 2012/01/14 08:55:38 dougb Exp $
+#
+
+# PROVIDE: zoneserver
+# REQUIRE: SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+: ${zoneserver_enable="NO"}
+: ${maradns_conf="%%PREFIX%%/etc/mararc"}
+
+name="zoneserver"
+rcvar=zoneserver_enable
+command="%%PREFIX%%/bin/duende"
+command_args="%%PREFIX%%/sbin/zoneserver -f ${maradns_conf}"
+pidfile="/var/run/${name}.pid"
+
+load_rc_config $name
+
+run_rc_command "$1"
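Review bot: `command_args` omits the `--pid=$pidfile` option that deadwood.in and maradns.in pass to duende, yet `pidfile` is still set to `/var/run/zoneserver.pid`, so rc.subr looks for a pid file that nothing writes and `status`/`stop` fall back to process-name matching — against `duende`, not `zoneserver`. Move the `pidfile=` line above `command_args` and use `command_args="--pid=$pidfile %%PREFIX%%/sbin/zoneserver -f ${maradns_conf}"` as the sibling scripts do. Reusing `maradns_conf` rather than a `zoneserver_conf` of its own is correct only while both daemons share a single mararc, which is worth a comment.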
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-descr
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-descr	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-descr	(revision 12525)
@@ -0,0 +1,24 @@
+MaraDNS is a package that implements the Domain Name Service (DNS), an
+essential internet service. MaraDNS has the following advantages: 
+
+o Secure. MaraDNS has a security history as good as or better than any other DNS
+  server. For example, MaraDNS has always randomized, using a secure random
+  number generator, the Query ID and source port of DNS queries; and was never
+  vulnerable to the "new" cache poisoning attack. 
+
+o Supported. MaraDNS has a long history of being maintained and updated.
+  Actively developed since 2001, MaraDNS continues to be fully supported: The
+  most recent release was done on August 4, 2009. Deadwood, the code that will
+  become part of MaraDNS 2.0, is frequently updated. 
+
+o Easy to use. A basic recursive configuration needs only a single three-line
+  configuration file. A basic authoritative configuration needs only a four-line
+  configuration file and a one-line zone file. MaraDNS is fully documented, with
+  both easy-to-follow tutorials and a complete and up-to-date reference manual. 
+
+o Small. MaraDNS is well suited for embedded applications and other environments
+  where the server must use the absolute minimum number of resources possible.
+  MaraDNS' binary is smaller than that of any other currently maintained
+  recursive DNS server. 
+
+WWW: http://www.maradns.org/
Index: /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-plist
===================================================================
--- /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-plist	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/dns/maradns2/pkg-plist	(revision 12525)
@@ -0,0 +1,13 @@
+bin/askmara
+bin/duende
+bin/fetchzone
+bin/getzone
+etc/mararc.sample
+etc/dwood3rc.sample
+sbin/deadwood
+sbin/maradns
+sbin/zoneserver
+@exec mkdir -p %D/etc/maradns
+@dirrmtry etc/maradns
+@exec mkdir -p %D/etc/deadwood
+@dirrmtry etc/deadwood
Index: /branches/releng-10/nanobsd/ports/net/lvrouted/Makefile
===================================================================
--- /branches/releng-10/nanobsd/ports/net/lvrouted/Makefile	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/lvrouted/Makefile	(revision 12525)
@@ -0,0 +1,31 @@
+# New ports collection makefile for:	lrvrouted
+# Date created:		2009-07-12
+# Whom:			Rick van der Zwet <info@rickvanderzwet.nl>
+#
+# $FreeBSD: $
+#
+
+PORTNAME=	lvrouted
+PORTVERSION=	11479
+CATEGORIES=	net
+MASTER_SITES=	http://webfolder.wirelessleiden.nl/lvrouted/ \
+		http://rickvanderzwet.nl/mirror/lvrouted/
+
+MAINTAINER=	info@rickvanderzwet.nl
+COMMENT=	Lvrouted is a very simple shortest-path routing daemon
+
+GNU_CONFIGURE=	yes
+USE_AUTOTOOLS=	autoconf autoheader
+
+BUILD_DEPENDS+=	ocamlfind:${PORTSDIR}/devel/ocaml-findlib
+
+USE_RC_SUBR=	lvrouted
+
+post-install:
+.if !defined(NOPORTDOCS)
+	${MKDIR} ${DOCSDIR}
+	${INSTALL_MAN} ${WRKSRC}/docs/lvrouted.ps ${DOCSDIR}
+	${INSTALL_MAN} ${WRKSRC}/docs/lvrouted.html ${DOCSDIR}
+.endif
+
+.include <bsd.port.mk>
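Review bot: `post-install` uses `${INSTALL_MAN}` for `lvrouted.ps` and `lvrouted.html`, which are documents rather than man pages; `${INSTALL_DATA}` is the matching macro and signals the intent to the next maintainer. The `.if !defined(NOPORTDOCS)` guard together with the `%%PORTDOCS%%` entries in pkg-plist already keeps the docs optional, so nothing else needs to change.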
Index: /branches/releng-10/nanobsd/ports/net/lvrouted/distinfo
===================================================================
--- /branches/releng-10/nanobsd/ports/net/lvrouted/distinfo	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/lvrouted/distinfo	(revision 12525)
@@ -0,0 +1,2 @@
+SHA256 (lvrouted-11479.tar.gz) = 34f51acd5e4fbe0e1b1ba39910b6e77698c5e61c36823df649b22de028fd0d58
+SIZE (lvrouted-11479.tar.gz) = 66025
Index: /branches/releng-10/nanobsd/ports/net/lvrouted/files/lvrouted.in
===================================================================
--- /branches/releng-10/nanobsd/ports/net/lvrouted/files/lvrouted.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/lvrouted/files/lvrouted.in	(revision 12525)
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Control lvrouted routing daemon status
+#
+
+# PROVIDE: lvrouted
+# REQUIRE: NETWORKING
+# BEFORE: netwait
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+: ${lvrouted_enable="NO"}
+: ${lvrouted_flags=""}
+
+name="lvrouted"
+rcvar="`set_rcvar`"
+rcvars="${name}_flags"
+load_rc_config $name
+
+command="%%PREFIX%%/sbin/${name}"
+pid_file="/var/run/${name}.pid" 
+
+start_precmd="lvrouted_flush_routes"
+
+# XXX: Needs to be a flag to disable
+# XXX: lvrouted should mark their added routed protocol specific (see: man 8 route)
+# lvrouted requires no route to exists before start as it is not able to alter
+# old routes, so make it flush all dynamic generated routes
+lvrouted_flush_routes() {
+	
+	# XXX: Does the looping bug still exists?
+	# Keep looping till we whiped _all_ dynamic generated routes
+	while true; do
+		netstat -nr -f inet | awk '{if ($3 ~ /.*D.*/) { exit 1} }'
+		if [ $? -eq 0 ]; then
+			break
+		fi
+		echo "WARNING: Flushing all existing DYNAMIC routes" 1>&2
+		netstat -nr -f inet | awk '{if ($3 ~ /.*D.*/) {print $1} }' | xargs -n 1 route delete
+	done
+} 
+
+run_rc_command "$1"
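Review bot: `pid_file` is not a variable rc.subr reads — the name is `pidfile` — so `status` and `stop` cannot use `/var/run/lvrouted.pid` and fall back to process-name matching; rename it to `pidfile="/var/run/${name}.pid"`. `rcvar="`set_rcvar`"` depends on the `set_rcvar` helper which, to my knowledge, was removed from rc.subr in FreeBSD 10, the release this branch targets; `rcvar=lvrouted_enable` is the supported form (tproxy.in and transproxy.in carry the same construct). In `lvrouted_flush_routes` the `while true` loop has no bound, so a dynamic route that `route delete` cannot remove, or one re-added by another daemon between the two netstat passes, keeps the boot stuck forever — the existing XXX comment hints at this; a retry limit that warns and gives up would be safer than an unbounded loop.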
Index: /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-descr
===================================================================
--- /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-descr	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-descr	(revision 12525)
@@ -0,0 +1,14 @@
+Lvrouted is a very simple shortest-path routing daemon, featuring:
+
+  - UDP based. no firmware-confusing multi- or broadcasts
+  - no per-node configuration
+  - spanning tree, so no count-to-infinity
+  - some specific wireless hacks, such as keeping an eye on the interface
+    association status for clients and the list of associated stations for
+    masters
+  - the ability to sign packets for some measure of security against malicious
+    packets
+  - sequence number against replay attacks. yes I know this is not
+    bulletproof.
+
+WWW:    http://svn.wirelessleiden.nl/svn/node-config/other/lvrouted/
Index: /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-plist
===================================================================
--- /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-plist	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/lvrouted/pkg-plist	(revision 12525)
@@ -0,0 +1,4 @@
+sbin/lvrouted
+%%PORTDOCS%%%%DOCSDIR%%/lvrouted.html
+%%PORTDOCS%%%%DOCSDIR%%/lvrouted.ps
+%%PORTDOCS%%@dirrm %%DOCSDIR%%
Index: /branches/releng-10/nanobsd/ports/net/tproxy/Makefile
===================================================================
--- /branches/releng-10/nanobsd/ports/net/tproxy/Makefile	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/tproxy/Makefile	(revision 12525)
@@ -0,0 +1,26 @@
+# New ports collection makefile for:	tproxy
+# Date created:		2009-07-13
+# Whom:			Rick van der Zwet <info@rickvanderzwet.nl>
+#
+# $FreeBSD: $
+#
+
+PORTNAME=		tproxy
+PORTVERSION=		2
+CATEGORIES=		net
+MASTER_SITES=		${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR=	${PORTNAME}
+
+MAINTAINER=		info@rickvanderzwet.nl
+COMMENT=		tpoxy user-space single-port unidirectional tcp proxy
+
+USE_RC_SUBR=		tproxy
+
+post-extract:
+	${MV} ${WRKDIR}/${PORTNAME} ${WRKSRC}
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/tproxy ${PREFIX}/bin
+
+.include <bsd.port.mk>
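Review bot: `post-extract` renames `${WRKDIR}/${PORTNAME}` to `${WRKSRC}` with `${MV}`; the ports framework already covers this with `WRKSRC= ${WRKDIR}/${PORTNAME}`, which avoids the extra target and the failure when the target is run a second time. `COMMENT` also misspells the program name (`tpoxy`).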
+
Index: /branches/releng-10/nanobsd/ports/net/tproxy/distinfo
===================================================================
--- /branches/releng-10/nanobsd/ports/net/tproxy/distinfo	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/tproxy/distinfo	(revision 12525)
@@ -0,0 +1,3 @@
+MD5 (tproxy-2.tar.gz) = 6ab0cb46e1eed1ecebd7a0781dfe2a6a
+SHA256 (tproxy-2.tar.gz) = 8c59a20a93eda6b57e2a4abd5645e69c13247ebfed45561778e78e16eca7d551
+SIZE (tproxy-2.tar.gz) = 12584
Index: /branches/releng-10/nanobsd/ports/net/tproxy/files/tproxy.in
===================================================================
--- /branches/releng-10/nanobsd/ports/net/tproxy/files/tproxy.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/tproxy/files/tproxy.in	(revision 12525)
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# $FreeBSD: $
+#
+
+# PROVIDE: tproxy
+# REQUIRE: NETWORKING SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+
+#
+# Add the following line to /etc/rc.conf to enable tproxy:
+#
+# tproxy_enable="YES"
+#
+
+. %%RC_SUBR%%
+
+name=tproxy
+rcvar=`set_rcvar`
+
+command=%%PREFIX%%/bin/${name}
+
+tproxy_enable=${tproxy_enable:-"NO"}
+tproxy_flags=${tproxy_flags:-""}
+
+load_rc_config $name
+run_rc_command "$1"
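Review bot: The script sources `%%RC_SUBR%%` whereas every other rc script in this commit sources `/etc/rc.subr`; `RC_SUBR` is a legacy ports-framework placeholder, and if it is no longer substituted the script dies on its first executable line. Use `. /etc/rc.subr` for consistency with the sibling scripts. The `rcvar=`set_rcvar`` construct is covered by the note on lvrouted.in.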
Index: /branches/releng-10/nanobsd/ports/net/tproxy/pkg-descr
===================================================================
--- /branches/releng-10/nanobsd/ports/net/tproxy/pkg-descr	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/tproxy/pkg-descr	(revision 12525)
@@ -0,0 +1,4 @@
+user-space single-port unidirectional tcp proxy which handles out-of-band data,
+and telnet-through firewall tunnelling.
+
+WWW:    http://sourceforge.net/projects/tproxy/
Index: /branches/releng-10/nanobsd/ports/net/tproxy/pkg-plist
===================================================================
--- /branches/releng-10/nanobsd/ports/net/tproxy/pkg-plist	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/tproxy/pkg-plist	(revision 12525)
@@ -0,0 +1,1 @@
+bin/tproxy
Index: /branches/releng-10/nanobsd/ports/net/transproxy/Makefile
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/Makefile	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/Makefile	(revision 12525)
@@ -0,0 +1,25 @@
+# New ports collection makefile for:	transproxy
+# Date created:		2009-07-15
+# Whom:			Rick van der Zwet <info@rickvanderzwet.nl>
+#
+# $FreeBSD: $
+#
+
+PORTNAME=		transproxy
+PORTVERSION=		1.6
+CATEGORIES=		net
+MASTER_SITES=		${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR=	${PORTNAME}
+EXTRACT_SUFX=		.tgz
+
+MAINTAINER=		info@rickvanderzwet.nl
+COMMENT=		Transproxy is used to transparently proxy HTTP requests
+
+USE_RC_SUBR=		transproxy
+
+MAN8=			tproxy.8
+
+post-install:
+	@${CAT} ${PKGDIR}/pkg-message
+
+.include <bsd.port.mk>
Index: /branches/releng-10/nanobsd/ports/net/transproxy/distinfo
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/distinfo	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/distinfo	(revision 12525)
@@ -0,0 +1,3 @@
+MD5 (transproxy-1.6.tgz) = 02cc1160a9db9c49a40491f890083044
+SHA256 (transproxy-1.6.tgz) = 7bc4ce5ab01648dcaca25555eb4d4c3a67aed6bbb42e1432aaa4e9b20b75dab3
+SIZE (transproxy-1.6.tgz) = 23592
Index: /branches/releng-10/nanobsd/ports/net/transproxy/files/transproxy.in
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/files/transproxy.in	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/files/transproxy.in	(revision 12525)
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD: $
+#
+
+# PROVIDE: transproxy
+# REQUIRE: NETWORKING SERVERS ipfw
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+
+#
+# Add the following line to /etc/rc.conf to enable transproxy:
+#
+# transproxy_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=transproxy
+rcvar=`set_rcvar`
+start_precmd=${name}_precmd
+stop_postcmd=${name}_postcmd
+
+command=%%PREFIX%%/sbin/tproxy
+
+transproxy_port=${transproxy_port:-8081}
+transproxy_log=${transproxy_log:-"/var/log/transproxy.log"}
+transproxy_proxyhost=${transproxy_proxyhost:-"proxy"}
+transproxy_proxyport=${transproxy_proxyport:-3128}
+transproxy_enable=${transproxy_enable:-"NO"}
+transproxy_flags="-s $transproxy_port -l $transproxy_log $transproxy_proxyhost $transproxy_proxyport $transproxy_flags"
+
+transproxy_precmd ()
+{
+
+}
+
+
+transproxy_postcmd ()
+{
+	ipfw delete 10010 10000 10001 >/dev/null
+
+}
+
+
+load_rc_config $name
+run_rc_command "$1"
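Review bot: `transproxy_precmd ()` has an empty body, which is a syntax error in sh — the whole script fails to parse, so transproxy can neither start nor stop; a lone `:` is the minimal valid body. `transproxy_flags` is composed from `transproxy_port`, `_log`, `_proxyhost` and `_proxyport` before `load_rc_config $name` has read rc.conf, so any of those variables set in rc.conf has no effect on the command line; the defaults and the composition need to follow `load_rc_config`. `transproxy_postcmd` deletes ipfw rules 10000/10001/10010 that the script never installs (they are only suggested in pkg-message), while discarding stdout but not stderr; either install the rules in the precmd or drop the delete rather than silently removing rules an administrator may have numbered the same way.

```sh
transproxy_precmd ()
{
	# nothing to do yet; an empty body is a syntax error in sh
	:
}

# … unchanged: transproxy_postcmd …

load_rc_config $name

# Defaults and the composed flags must come after load_rc_config so that
# port/log/proxy settings from rc.conf are honoured.
transproxy_enable=${transproxy_enable:-"NO"}
transproxy_port=${transproxy_port:-8081}
transproxy_log=${transproxy_log:-"/var/log/transproxy.log"}
transproxy_proxyhost=${transproxy_proxyhost:-"proxy"}
transproxy_proxyport=${transproxy_proxyport:-3128}
transproxy_flags="-s $transproxy_port -l $transproxy_log $transproxy_proxyhost $transproxy_proxyport $transproxy_flags"

run_rc_command "$1"
```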
Index: /branches/releng-10/nanobsd/ports/net/transproxy/pkg-descr
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/pkg-descr	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/pkg-descr	(revision 12525)
@@ -0,0 +1,5 @@
+Transproxy is used in conjunction with the FreeBSD (ipfw and ipnat) or Linux
+transparent proxy feature (ipfwadm, ipchains and iptables), to transparently
+proxy HTTP requests.
+
+WWW:    http://sourceforge.net/projects/transproxy/
Index: /branches/releng-10/nanobsd/ports/net/transproxy/pkg-message
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/pkg-message	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/pkg-message	(revision 12525)
@@ -0,0 +1,12 @@
+Remember to setup ipfw correctly.
+
+Sample below, uses following options:
+   Localip  172.19.152.65/26
+   Localnet 172.16.0.0/12
+   Transparant proxy enabled for all NOT localnet destinations 80
+   transproxy running at port 8081
+
+
+ipfw add 10000 allow tcp from any to localhost 80
+ipfw add 10001 allow tcp from any to me 80
+ipfw add 10010 fwd 172.19.152.65,8081 tcp from any to no 172.16.0.0/12 80
Index: /branches/releng-10/nanobsd/ports/net/transproxy/pkg-plist
===================================================================
--- /branches/releng-10/nanobsd/ports/net/transproxy/pkg-plist	(revision 12525)
+++ /branches/releng-10/nanobsd/ports/net/transproxy/pkg-plist	(revision 12525)
@@ -0,0 +1,3 @@
+sbin/tproxy
+sbin/tproxyrun
+sbin/tproxywatch
Index: /branches/releng-10/nanobsd/tools/flash-node.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/flash-node.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/flash-node.sh	(revision 12525)
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Upload image to node and flash partition
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+
+. $(dirname $0)/package-build.inc.sh
+
+if [ -z "$1" ]; then
+  echo "Usage: $0 <host1> [<host2> <host3> ..]" 1>&2
+  exit 128
+fi
+
+BASEDIR=`dirname $0`
+CFG="${BASEDIR}/../cfg/nanobsd.wleiden"
+
+# Find object directory 
+eval `grep '^NANO_NAME=' ${CFG}`
+OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+IMG=${IMG:-${OBJDIR}/_.disk.image}
+
+if [ ! -r "${IMG}" ]; then
+  p_err Source ${IMG} does not exists
+fi
+
+for HOST in $*; do
+  cat $IMG | ssh -oBatchMode=yes $HOST /tools/update-wrapper
+done
+
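Review bot: `p_err Source ${IMG} does not exists` only prints; without an `exit 1` after it the loop still runs `cat $IMG | ssh ... /tools/update-wrapper` with an empty stream, handing the remote updater nothing (what update-wrapper does with empty input is not visible here). Add `exit 1` after the `p_err` line, iterate with `for HOST in "$@"` rather than `$*`, and check each transfer: `cat "$IMG" | ssh -oBatchMode=yes "$HOST" /tools/update-wrapper || p_err "update of $HOST failed"`. The same `p_err`-without-`exit` pattern recurs in passwd-image.sh, rsync-image.sh and write-image.sh in this commit, so the fix belongs in all of them.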
Index: /branches/releng-10/nanobsd/tools/image
===================================================================
--- /branches/releng-10/nanobsd/tools/image	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/image	(revision 12525)
@@ -0,0 +1,289 @@
+#!/bin/sh
+#
+BASEDIR=`dirname $0`
+. ${BASEDIR}/package-build.inc.sh
+
+NANOBSD="$NANO_SRC/tools/tools/nanobsd/nanobsd.sh"
+
+usage() {
+cat <<EOF
+# Usage $0 <arguments>
+#
+# Wrapper around nanobsd.sh with autodetection of already processed steps to
+# provide some failsafe net, which avoids building world and/or kernel by
+# default.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+# Arguments:
+# build                         - Build NanoBSD parts which are not build yet
+# build force kernel            - Build NanoBSD and force rebuilding the kernel
+# build force world             - Build NanoBSD and force rebuilding world
+# edit				- Manually edit the image
+# config [for <node>]           - Configure image to be used for <node>
+# rebuild                       - Rebuild NanoBSD (aka force rebuilding all)
+# deploy on <node> [and reboot] - Deploy the image on node and reboot if needed
+# ports update 			- Update the packages from ports 
+# ports force rebuild		- Forcefully rebuilding all required packages
+EOF
+}
+
+
+deploy_image() {
+  # Find object directory 
+  img=${OBJDIR}/_.disk.image
+
+  if [ ! -r "$img" ]; then
+    p_err Source $img does not exists
+    exit 1
+  fi
+
+  prompt_timeout=5
+  p_warn "Going to DEPLOY $img to $host: (8.X-RELEASE and 9.X-RELEASE) to 9.X-RELEASE"
+  p_warn "You will need to type the root password at least twice, consider using a key"
+  $do_reboot && p_warn "AND will REBOOT the $host"
+
+
+  p_warn "Press CTRL+C in $prompt_timeout seconds to CANCEL"
+  # sleep $prompt_timeout
+
+  echo "# Trying to connect to $host"
+  release=`ssh $host 'uname -r'` || exit 1
+  echo "# Host has FreeBSD Release: $release, starting update"
+  if [ "$release" = "9.0-RELEASE" ]; then
+    cat $img | ssh $host /tools/update || exit 1
+  else
+    # Hack to make sure we update the fstab the right way when converting from
+    # 8.X-RELEASE to 9.X-RELEASE. ad0 naming changed to ada0, secondly an
+    # specific update script had to be called.
+    command="/tmp/update$$"
+    cat > $command <<'EOF'
+# Write new image
+echo "FreeBSD Release : `uname -r`"
+echo "Active Partition: `df -H / | tail -1`"
+if [ "`uname -r`" = "9.0-RELEASE" ]; then 
+  echo "Error not valid update cycle!"
+  exit 1
+else
+  if df / | grep -q '1a ' ; then
+    echo  "New Partition   : /dev/ad0s2a"
+    echo /tools/updatep2
+
+    # Quirck to fix partitions
+    # mount -uwo noatime /dev/ad0s2a
+    # sed -i "" "s/ada0s1/ada0s2/" /mnt/conf/base/etc/fstab /mnt/etc/fstab
+    # umount 
+  else
+    echo  "New Partition   : /dev/ad0s1a"
+    echo /tools/updatep1
+  fi
+fi
+EOF
+    cat $command | ssh $host "cat > $command" || exit 1
+    cat $img | ssh $host "sh $command" || exit 1
+  fi
+
+  if $do_reboot; then
+    echo "# Reboot requested, press CTRL+C in $prompt_timeout seconds to cancel"
+    sleep $prompt_timeout
+    ssh $host reboot || exit 1
+  fi
+}
+
+config_image() {
+  node_name=${1:+"-b -c $1"}
+
+  img=$OBJDIR/_.disk.full
+
+  mnt=`mktemp -d -t $(basename $0)`
+  md=`mdconfig -a -t vnode -f $img`
+  
+  # Clean up when done
+  trap "umount $mnt/dev; umount $mnt/cfg; umount $mnt; mdconfig -d -u $md; rm -d $mnt" 0
+  trap "exit 1" 1 2 3 15
+
+  # Root filesystem
+  mount /dev/${md}s1a $mnt || exit 1
+
+  # /dev/null in chroot
+  mount -t devfs devfs ${mnt}/dev || exit 1
+  
+  # Config files lives at /cfg  location
+  mount /dev/${md}s3 $mnt/cfg || exit 1
+  
+  # Try to fetch and store config
+  chroot $mnt /tools/wl-config -d -n -m startup $node_name || exit 1
+}
+
+edit_image() {
+  img=$OBJDIR/_.disk.full
+
+  mnt=`mktemp -d -t $(basename $0)`
+  md=`mdconfig -a -t vnode -f $img`
+  
+  # Clean up when done
+  trap "umount $mnt/dev; umount $mnt/cfg; umount $mnt; mdconfig -d -u $md; rm -d $mnt" 0
+  trap "exit 1" 1 2 3 15
+
+  # Root filesystem
+  mount /dev/${md}s1a $mnt || exit 1
+
+  # /dev/null in chroot
+  mount -t devfs devfs ${mnt}/dev || exit 1
+  
+  # Config files lives at /cfg  location
+  mount /dev/${md}s3 $mnt/cfg || exit 1
+
+  # Nasty hack to set custom prompt
+  prompt='set prompt = "image# "'
+  echo $prompt >> $mnt/root/.cshrc
+  
+  p_info "Type exit when done"
+  chroot $mnt
+  p_info "Any changes are made permanent on image $img"
+  
+  # Unset prompt again
+  sed -I '' "/^$prompt$/d" $mnt/root/.cshrc
+}
+
+
+build_image() {
+  p_info Forcefully building kernel: $FORCE_KERNEL
+  p_info Forcefully building world : $FORCE_WORLD
+  
+  NANOBSD_EXTRA=${NANOBSD_EXTRA:-''}
+  
+  if [ ! -r "${NANOBSD}" ]; then
+    p_err ${NANOBSD} does not exists
+    exit 1
+  fi
+  
+  if [ ! -x "${NANOBSD}" ]; then
+    NANOBSD="sh ${NANOBSD}"
+  fi
+  
+  # Find object directory 
+  OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+  
+  if [ -d "${OBJDIR}" ]; then
+    NANOBSD_FLAGS=""
+    
+    # Detect succesfull buildworld
+    tail -10 ${OBJDIR}/_.bw | grep 'World build completed'
+    if [ $? -eq 0 -a ${FORCE_WORLD} = "no" ]; then
+       p_info NO building of world
+       NANOBSD_FLAGS="${NANOBSD_FLAGS} -w"
+    fi  
+  
+    # Detect succesfull buildkernel
+    tail -10 ${OBJDIR}/_.bk | grep 'Kernel build for .* completed'
+    if [ $? -eq 0 -a ${FORCE_KERNEL} = "no" ]; then
+       p_info NO building of kernel
+       NANOBSD_FLAGS="${NANOBSD_FLAGS} -k"
+    fi  
+  
+  else
+    p_warn Nothing yet, starting fresh
+    NANOBSD_FLAGS=""
+  fi
+  
+  # Provide verbose output by default
+  COMMAND="${NANOBSD} ${NANOBSD_FLAGS} -c ${NANO_CFG_FILE} -v ${NANOBSD_EXTRA}"
+  f_time ${COMMAND}
+  RETVAL=$?
+  
+  # Verify on build failures
+  tail -10 ${OBJDIR}/_.bw | grep 'World build completed'
+  if [ $? -eq 1 ]; then
+    p_err Building world FAILED, check ${OBJDIR}/_.bw
+  fi
+  tail -10 ${OBJDIR}/_.bk | grep 'Kernel build for .* completed'
+  if [ $? -eq 1 ]; then
+    p_err Building kernel FAILED, check ${OBJDIR}/_.bk
+  fi  
+  if [ $RETVAL -ne 0 ]; then
+    p_err "Errors in building NanoBSD Image ($RETVAL)"
+  fi
+  p_info End time: `date`
+  exit ${RETVAL}
+}
+
+#
+# Argument parsing
+#
+FORCE_KERNEL=${FORCE_KERNEL:-"no"}
+FORCE_WORLD=${FORCE_WORLD:-"no"}
+if [ -z "$1" ]; then
+  usage; exit 1
+elif [ "$1" = "build" ]; then
+  if [ -z "$2" ]; then
+  elif [ "$2" = "force" ]; then
+    if [ "$3" = "kernel" ]; then
+      FORCE_KERNEL="yes"
+    elif [ "$3" = "world" ]; then
+      FORCE_WORLD="yes"
+    else
+      echo "Argument Error - '$3'"; exit 128
+    fi
+  else
+    echo "Argument Error - '$2'"; exit 128
+  fi
+  build_image
+elif [ "$1" = "rebuild" ]; then
+  FORCE_KERNEL="yes"
+  FORCE_WORLD="yes"
+  build_image
+elif [ "$1" = "deploy" -a "$2" = "on" ]; then
+  if [ -z "$3" ]; then
+      echo "Argument Error - '$3'"; exit 128
+  fi
+  host=$3
+  do_reboot=false
+  if [ -n "$4" -o -n "$5" ]; then
+    if [ "$4" = "and" -a "$5" = "reboot" ]; then
+      do_reboot=true
+    else
+      echo "Argument Error - '$4 $5'"; exit 128
+    fi
+  fi
+  deploy_image
+elif [ "$1" = "ports" ]; then
+  if [ "$2" = "update" ]; then
+    # Fetch the latest details and provide listing of packages to be updated
+    portsnap fetch update || exit 1
+
+    # HACK: install our own ports _inside_ the normal ports dir
+    cp -fR $WL_PORTSDIR/* $PORTSDIR || exit 1
+
+    # Make sure portmaster is present to update all ports
+    portmaster --version 1>/dev/null 2>/dev/null || make -C /usr/ports/ports-mgmt/portmaster BATCH=yes install clean || exit 1
+
+    # Update via portmaster
+    CMD="env `echo $PKG_MAKE_ARGS` portmaster --no-confirm --update-if-newer -t -y -d -G  `echo $PACKAGE_LIST`"
+    echo "# Going to run port upgrade cycle: $CMD"; $CMD || exit 1
+
+    . ${BASEDIR}/package-build.sh
+  elif [ "$2" = "force" -a "$3" = "rebuild" ]; then
+    export FORCE_REBUILD=1
+    . ${BASEDIR}/package-build.sh
+  else
+    shift 1
+    echo "Arguments Error - '$*'"; exit 128
+  fi
+elif [ "$1" = "config" ]; then
+  if [ "$2" = "for" ]; then
+    if [ -n "$3" ]; then
+      node_name=$3
+    else
+      echo "Arguments Error - '$*'"; exit 128
+    fi
+  else
+    echo "Arguments Error - '$*'"; exit 128
+  fi
+  config_image $node_name
+elif [ "$1" = "edit" ]; then
+  edit_image
+else
+  echo "Argument Error - '$1'"; exit 128
+fi
+
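Review bot: The 8.X-to-9.X branch of `deploy_image` stages its helper at the predictable path `/tmp/update$$` on the remote host (`$$` is the local shell's PID) and then runs it as root with `sh $command`, so any local user on the node who can pre-create or symlink that name chooses what gets executed; create it remotely with `command=$(ssh $host 'mktemp /tmp/update.XXXXXX') || exit 1` and remove it afterwards. That helper only `echo`s `/tools/updatep1` / `/tools/updatep2` instead of invoking them, so the image piped into `sh $command` is never consumed — if this is a deliberate dry-run leftover it needs a comment, otherwise call the tools. The warning "Press CTRL+C in $prompt_timeout seconds to CANCEL" is followed by a commented-out `sleep $prompt_timeout`, so the operator gets no cancel window before the remote update starts. Separately, `if [ -z "$2" ]; then` followed directly by `elif` is an empty compound list that /bin/sh rejects as a syntax error, which prevents the whole argument-parsing `if` from being parsed; put a `:` in that branch.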
Index: /branches/releng-10/nanobsd/tools/image-build.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/image-build.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/image-build.sh	(revision 12525)
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Wrapper around nanobsd.sh with autodetection of already processed steps
+# to provide some failsafe net
+#
+# Rick van der Zwet <info@rickvanderzwet>
+#
+
+BASEDIR=`dirname $0`
+. ${BASEDIR}/package-build.inc.sh
+
+NANOBSD="$NANO_SRC/tools/tools/nanobsd/nanobsd.sh"
+
+FORCE_KERNEL=0
+FORCE_WORLD=0
+#XXX: Proper object handling
+if [ "$1" = "-bk" ]; then
+  p_warn Forcefully building kernel
+  FORCE_KERNEL=1
+elif [ "$1" = "-bw" ]; then
+  p_warn Forcefully building world
+  FORCE_WORLD=1
+elif [ "$1" = "-f" ]; then
+  p_warn Forcefully building world and kernel
+  FORCE_KERNEL=1
+  FORCE_WORLD=1
+else
+fi
+shift
+NANOBSD_EXTRA=$*
+
+if [ ! -r "${NANOBSD}" ]; then
+  p_err ${NANOBSD} does not exists
+  exit 1
+fi
+
+if [ ! -x "${NANOBSD}" ]; then
+  NANOBSD="sh ${NANOBSD}"
+fi
+
+# Find object directory 
+OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+
+if [ -d "${OBJDIR}" ]; then
+  NANOBSD_FLAGS=""
+  
+  # Detect succesfull buildworld
+  tail -10 ${OBJDIR}/_.bw | grep 'World build completed'
+  if [ $? -eq 0 -a ${FORCE_WORLD} -eq 0 ]; then
+     p_info NO building of world, use $0 -f to force
+     NANOBSD_FLAGS="${NANOBSD_FLAGS} -w"
+  fi  
+
+  # Detect succesfull buildkernel
+  tail -10 ${OBJDIR}/_.bk | grep 'Kernel build for .* completed'
+  if [ $? -eq 0 -a ${FORCE_KERNEL} -eq 0 ]; then
+     p_info NO building of kernel, use $0 -f to force
+     NANOBSD_FLAGS="${NANOBSD_FLAGS} -k"
+  fi  
+
+else
+  p_warn Nothing yet, starting fresh
+  NANOBSD_FLAGS=""
+fi
+
+# Provide verbose output by default
+COMMAND="${NANOBSD} ${NANOBSD_FLAGS} -c ${NANO_CFG_FILE} -v ${NANOBSD_EXTRA}"
+f_time ${COMMAND}
+RETVAL=$?
+
+# Verify on build failures
+tail -10 ${OBJDIR}/_.bw | grep 'World build completed'
+if [ $? -eq 1 ]; then
+  p_err Building world FAILED, check ${OBJDIR}/_.bw
+fi
+tail -10 ${OBJDIR}/_.bk | grep 'Kernel build for .* completed'
+if [ $? -eq 1 ]; then
+  p_err Building kernel FAILED, check ${OBJDIR}/_.bk
+fi  
+if [ $RETVAL -ne 0 ]; then
+  p_err "Errors in building NanoBSD Image ($RETVAL)"
+fi
+p_info End time: `date`
+exit ${RETVAL}
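Review bot: The `else` at the end of the option chain is followed directly by `fi` with nothing in between, which /bin/sh reports as a syntax error, so the script does not run at all; drop the `else` branch or give it a `:`. The unconditional `shift` that follows also discards the first argument even when it was not one of `-bk`/`-bw`/`-f`, so any pass-through option in first position is silently lost — move `shift` into the three option branches. `f_time ${COMMAND}` re-splits the command string, so `NANOBSD_EXTRA` values containing spaces or quotes cannot be passed through intact; that is inherent to `f_time` taking `$*` and deserves a comment at the `NANOBSD_EXTRA=$*` line.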
Index: /branches/releng-10/nanobsd/tools/make-release.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/make-release.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/make-release.sh	(revision 12525)
@@ -0,0 +1,51 @@
+#!/bin/sh
+# Small tool to build nanobsd release, ready for distribution:
+
+BASEDIR="`dirname $0`/.."
+
+# Some cleaning at start
+for PORT in ${BASEDIR}/misc/ports/*/*; do 
+   (cd $PORT; make clean); 
+done
+
+# Version target
+# Either version from command line or else subversion base
+VERSION=${1-`svn info ${BASEDIR} | awk '/Revision:/ {print $2}'`}
+
+TMPDIR=`mktemp -d -t $(basename $0 .sh)`
+
+PKGDIR=wl-image-$VERSION
+WRKSRC=$TMPDIR/$PKGDIR
+mkdir $WRKSRC
+cp -R ${BASEDIR}/tools $WRKSRC
+cp -R ${BASEDIR}/cfg $WRKSRC
+cp -R ${BASEDIR}/misc $WRKSRC
+cp -R ${BASEDIR}/files $WRKSRC
+cp -R ${BASEDIR}/README.txt $WRKSRC
+
+# Present real image
+# XXX: Make path relative
+# XXX: Find some pretty options
+IMG=/usr/obj/nanobsd.wleiden/_.disk.full
+IMG_DIR=`dirname ${IMG}`
+IMG_PKGDIR=${IMG_DIR}/${PKGDIR}
+mkdir ${IMG_PKGDIR}
+ln  ${IMG} ${IMG_PKGDIR}/disk_full.img
+
+# Make pretty tar file out of it
+tar --exclude ".svn" --exclude "Makefile" \
+  --exclude "config.cache"  --exclude "config.log" --exclude "config.status" \
+  --exclude ".depend" \
+  -cjf wl-image-$VERSION.tbz \
+  -C $TMPDIR \
+  $PKGDIR/tools \
+  $PKGDIR/cfg \
+  $PKGDIR/files \
+  $PKGDIR/misc \
+  $PKGDIR/README.txt \
+  -C $IMG_DIR \
+  $PKGDIR/disk_full.img
+
+rm -fR $TMPDIR
+rm -fR $IMG_PKGDIR
+
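Review bot: `(cd $PORT; make clean)` runs `make clean` in the caller's current directory when the `cd` fails (for instance when the `misc/ports/*/*` glob matches nothing and `$PORT` is the literal pattern); use `(cd "$PORT" && make clean)`. `VERSION` is taken straight from `$1` and spliced into `mkdir ${IMG_PKGDIR}` under /usr/obj and into the tar member names, so a value containing `/` or `..` escapes those paths — reject anything not matching `^[A-Za-z0-9._-]+$` before use. Neither `mkdir $WRKSRC`, `mkdir ${IMG_PKGDIR}` nor the `ln` is checked, so a failure there still produces a tarball from whatever happened to be present; `set -e` at the top, or `|| exit 1` on each, would make the release build fail loudly instead.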
Index: /branches/releng-10/nanobsd/tools/package-build.inc.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/package-build.inc.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/package-build.inc.sh	(revision 12525)
@@ -0,0 +1,88 @@
+# Make sure to only load this file ones, even if sourced from multiple
+# locations, preventing weird and wonderfull errors of relative paths.
+if [ -n "$PACKAGE_BUILD_INC_SH" ]; then
+  return
+fi
+PACKAGE_BUILD_INC_SH=true
+
+# Used to store profile data
+TIME_FILE=$(dirname $0)/eta-times.txt
+
+p_list () {
+echo "$*" | sed -e 's/ /|## /g' -e 's/^/## /g'
+}
+
+p_info () {
+  echo "$*" | tr '|' '\n' | sed 's/^/# /'
+}
+
+p_warn () {
+  echo "$*" | tr '|' '\n' | sed 's/^/#WARN: /'
+}
+
+p_err () {
+  echo "$*" | tr '|' '\n' | sed 's/^/#ERR: /'
+}
+
+p_sleep() {
+  SLEEP=${1-5}
+  while [ "${SLEEP}" -gt 0 ]; do
+    printf '.'
+    sleep 1
+    SLEEP=`expr ${SLEEP} - 1`
+  done
+  printf '\n'
+}
+
+# Print estimation on how long it normally if going to take
+f_time() {
+  COMMAND="$*"
+  ETA_TIME=` grep "${COMMAND}$" ${TIME_FILE} 2>/dev/null | awk '{print $1}'`
+  if [ -z "${ETA_TIME}" ]; then
+    ETA_TIME="NaN"
+  fi
+  
+  p_info Last run of "'${COMMAND}'" took ${ETA_TIME}
+  p_info Start time: `date`
+  
+  # Execute command
+  START_TIME=`date "+%s"`
+  $COMMAND
+  RETVAL=$?
+  STOP_TIME=`date "+%s"`
+  
+  p_info End time: `date`
+  # Calculate time it took
+  TOTAL_TIME=`expr ${STOP_TIME} - ${START_TIME}`
+  HUMAN_FMT=`date -ur ${TOTAL_TIME} "+%H:%M:%S"`
+  
+  # Store new time if command is succesfull
+  if [ "${RETVAL}" -eq 0 ]; then
+    grep -v "${COMMAND}$" ${TIME_FILE} > ${TIME_FILE}.tmp 2>/dev/null
+    echo "${HUMAN_FMT} ${COMMAND}" >> ${TIME_FILE}.tmp
+    mv ${TIME_FILE}.tmp ${TIME_FILE}
+  fi
+  
+  # Return the command it's output
+  return ${RETVAL}
+}
+
+f_check_root() {
+  # No Root, no fun
+  if [ `id -u` -ne 0 ]; then
+  	print_err Root only
+  	exit 1
+  fi
+}
+
+# Find object directory 
+BASEDIR=`dirname $0`
+
+# Load the NanoBSD Configuration entries 
+NANO_CFG_FILE="${BASEDIR}/../cfg/nanobsd.wleiden"
+customize_cmd() { return; }
+late_customize_cmd() { return; }
+. $NANO_CFG_FILE
+
+OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+
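Review bot: `f_check_root` calls `print_err`, which is not defined anywhere in this file (the helpers here are `p_info`/`p_warn`/`p_err`), so a non-root run prints `print_err: not found` instead of "Root only" before exiting; change it to `p_err Root only`. `f_time` uses `${COMMAND}` unquoted as a grep pattern both when reading and when rewriting `${TIME_FILE}`, so a command containing `.`, `*` or `[` matches more than itself and the `grep -v` rewrite can drop other entries from the timing file — compare with a literal (e.g. `awk -v cmd="$COMMAND"` and a string comparison) instead of a regex. `. $NANO_CFG_FILE` executes the nanobsd config as shell code in every tool that sources this include; that is how NanoBSD configs work, but a one-line comment stating that the config file is trusted code would help the next reader.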
Index: /branches/releng-10/nanobsd/tools/package-build.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/package-build.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/package-build.sh	(revision 12525)
@@ -0,0 +1,159 @@
+#!/bin/sh
+# Install all required packages
+#
+# XXX: Welcome to port hell, if /usr/ports has been updated, you actually want
+# to delete all installed packages and start over again, hence why people used
+# to run this stuff in jails, etc.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+
+. `dirname $0`/package-build.inc.sh
+
+DEBUG=${DEBUG:-'0'}
+DEP_CHECK_ONLY=${DEP_CHECK_ONLY:-'0'}
+
+# make options, for package building
+LOGDIR=`mktemp -d /tmp/$(basename $0 .sh)-$(date '+%Y%m%d-%H:%M:%S')X`
+
+p_info Log directory ${LOGDIR}
+p_info Make arguments are:
+p_info `p_list ${PKG_MAKE_ARGS}`
+p_info Make configuration is:
+echo "${PKG_MAKE_CONF}" | sed 's/^/## /'
+
+# HACK: install our own ports _inside_ the normal ports dir
+cp -fR $WL_PORTSDIR/* $PORTSDIR || exit 1
+
+# Pre-req dependency fixing
+p_info Checking whether there are currently unmet dependencies
+RETVAL=0
+PKGS=`pkg_info | awk '{print $1}'`
+for PKG in ${PKGS} ; do
+  PKG_DEP_FAIL=""
+  for PKGDEP in `pkg_info -qr ${PKG} | awk '{print $2}'`; do
+    pkg_info -e ${PKGDEP} 
+    if [ $? -eq 1 ]; then
+      PKG_DEP_FAIL="${PKG_DEP_FAIL} ${PKGDEP}"
+    fi
+  done
+  if [ -n "${PKG_DEP_FAIL}" ]; then
+      p_err Unmet dependencies found at $PKG, please fix manually:
+      p_err `p_list ${PKG_DEP_FAIL}`
+      RETVAL=1
+  fi
+done
+if [ $RETVAL -eq 1 ]; then
+  exit 1
+fi
+p_info Dependecy check ok
+
+if [ ${DEP_CHECK_ONLY} -eq 1 ]; then
+  exit 0
+fi
+echo ""
+
+
+# Cleanup of old packages
+if [ -d "${NANO_PACKAGE_DIR}" ]; then
+	p_warn "Deleted all (old) packages at ${NANO_PACKAGE_DIR}"
+	rm -R ${NANO_PACKAGE_DIR}/*
+fi
+p_info Created target dir ${NANO_PACKAGE_DIR}
+mkdir -p ${NANO_PACKAGE_DIR}
+
+
+# Build required packages
+MAKE_CONF=`mktemp -t $(basename $0)`
+echo "${PKG_MAKE_CONF}" > $MAKE_CONF
+MAKE="make __MAKE_CONF=$MAKE_CONF ${PKG_MAKE_ARGS}"
+BUILD_LIST=''
+set `echo ${PACKAGE_LIST} | xargs -n1 -I% echo $PORTSDIR/%`
+while [ "$1" ]; do
+  PACKAGE=$1; shift
+  BUILD_LIST="${BUILD_LIST} ${PACKAGE}"
+
+  # Build new one
+  LOGFILE="$LOGDIR/build_`echo $PACKAGE | tr '/' '_'`.log"
+  echo ""
+  p_info Packaging $PACKAGE
+  cd $PACKAGE || exit 1
+
+  # Check for build dependencies
+  BUILDDEP_PKG=`${MAKE} build-depends-list | awk -F: '{print $2}'`
+  if [ -n "${BUILDDEP_PKG}" ]; then
+	  p_info Build dependencies needed are:
+          p_info `p_list ${BUILDDEP_PKG}`
+  fi
+
+  # Check for run dependencies
+  PKGDEP_PKGS=`${MAKE} package-depends-list | awk '{print $2}'`
+  if [ -n "${PKGDEP_PKGS}" ]; then
+	  p_info Package dependencies also packaged are:
+	  p_info `p_list ${PKGDEP_PKGS}`
+  fi
+
+  # Check if package is already installed
+  VERSION=`${MAKE} clean generate-plist check-already-installed | awk '/is already/ {print $2}'`
+   if [ -n "$FORCE_REBUILD" ]; then
+     p_warn "${PACKAGE} forcefullly rebuilding..."
+     MAKE_OPTION='deinstall reinstall'
+   elif [ "${VERSION}" = "An" ]; then
+     p_warn "${PACKAGE} outdated, please update"
+     #XXX: Better way to detect whether a package needs updating
+     # An older version of lang/python26 is already installed (python26-2.6.2)
+     #XXX: Broken updatin, please fix
+     #p_warn "re-run package-build.sh to check for unmet ones done using:"
+     #p_warn "$0"
+     #MAKE_OPTION='deinstall reinstall'
+     MAKE_OPTION=''
+   elif [ -n "${VERSION}" ]; then
+     VERSION=`echo ${VERSION} | sed 's/^.*-//g'`
+     p_info ${PACKAGE} already installed at ${VERSION}
+     MAKE_OPTION=''
+   else
+     p_info ${PACKAGE} not installed, installing...
+     MAKE_OPTION='install'
+   fi
+
+  if [ -n "${MAKE_OPTION}" ]; then
+    p_info Buildlog: $LOGFILE
+    ${MAKE} ${MAKE_OPTION} 2>>$LOGFILE 1>> $LOGFILE
+    if [ $? -ne 0 ]; then
+       p_err building ${PACKAGE} FAILED, logging at $LOGFILE
+       exit 1
+    fi
+  fi
+  ${MAKE} package-links
+  PKGNAME=`${MAKE} extract-message | awk '{print $NF}'`
+  pkg_create -b $PKGNAME ${NANO_PACKAGE_DIR}/${PKGNAME}.tbz || exit 1
+
+  p_info Checking dependencies
+  for PKG in $PKGDEP_PKGS; do
+     echo "${BUILD_LIST}" | grep -q "$PKG"
+     if [ $? -eq 0 ]; then
+       # Already packaged
+       p_info ${PKG} Already packaged
+     else
+       echo $@  | grep -q "${PKG}"
+       if [ $? -eq 0 ]; then
+          p_info ${PKG} Already planned
+       else
+          set $@ ${PKG}
+       fi
+     fi
+  done
+  p_info Packaging $PACKAGE succesfull
+done
+  
+p_info `echo ${BUILD_LIST} | wc -w` packages build succesfully
+
+if [ ${DEBUG} -eq 0 ]; then
+  rm -R ${LOGDIR}
+else
+  p_info Debugging enabled ${LOGDIR} saved
+fi
+
+# House keeping
+rm $MAKE_CONF
+
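Review bot: `cp -fR $WL_PORTSDIR/* $PORTSDIR` relies on both variables coming from the sourced nanobsd config; if either is unset the source glob becomes `/*` or the destination becomes the last matched directory, and `cp -fR` will do exactly that as root — write it as `cp -fR "${WL_PORTSDIR:?}"/* "${PORTSDIR:?}" || exit 1` so an unset variable aborts. The same guard belongs on `rm -R ${NANO_PACKAGE_DIR}/*`; the `-d` test covers the empty case but not a value such as `/`. The dependency checks test `$? -eq 1` after `pkg_info -e` and `grep`, which treats an exit status of 2 (an error rather than "not found") as "dependency present"; test `-ne 0` instead. `echo "${BUILD_LIST}" | grep -q "$PKG"` is a substring match, so a planned `foo-1.0` also satisfies a dependency on `foo-1.0.1` — `tr ' ' '\n' | grep -qxF -- "$PKG"` makes it exact.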
Index: /branches/releng-10/nanobsd/tools/passwd-image.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/passwd-image.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/passwd-image.sh	(revision 12525)
@@ -0,0 +1,52 @@
+#!/bin/sh
+# Change password if image
+#
+# XXX: Error handing
+. $(dirname $0)/package-build.inc.sh
+
+BASEDIR=`dirname $0`
+if [ -n "$1" ]; then
+  IMG=$1
+else
+  CFG="${BASEDIR}/../cfg/nanobsd.wleiden"
+  
+  # Find object directory 
+  eval `grep '^NANO_NAME=' ${CFG}`
+  OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+  IMG=${OBJDIR}/_.disk.full
+fi
+
+if [ ! -r "${IMG}" ]; then
+  p_err Source ${IMG} does not exists
+fi
+
+# Make sure we are root from this point on
+f_check_root
+
+
+MNT=`mktemp -d -t $(basename $0)`
+
+# If target nfs image is mounted somehow, bail out
+if mdconfig -l -v | grep -q "${IMG}"; then
+	MD=`mdconfig -l -v | grep "${IMG}" | cut -c -4`
+	p_err "'${IMG}' already mounted at '$MD'"
+	exit 1
+fi
+
+
+MD=`mdconfig -a -t vnode -f ${IMG}`
+mount /dev/${MD}s1a ${MNT}
+
+# Config files lives at /cfg  location
+mount /dev/${MD}s3 ${MNT}/cfg
+
+# Try to fetch and store config
+chroot ${MNT} passwd
+
+# Clean up
+umount ${MNT}/cfg
+umount ${MNT}
+mdconfig -d -u ${MD}
+rm -d ${MNT}
+
+
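Review bot: `mdconfig -a -t vnode -f ${IMG}` and the two `mount`s are unchecked, so if attaching fails `MD` is empty and the next line tries to mount `/dev/s1a`, and if a mount fails `chroot ${MNT} passwd` runs against the empty temp directory on the host rather than the image; write `MD=$(mdconfig -a -t vnode -f "${IMG}") || exit 1` and add `|| exit 1` to each mount. The `p_err Source ${IMG} does not exists` line likewise needs an `exit 1` after it. Unlike `config_image`/`edit_image` in tools/image, nothing here traps cleanup, so an interrupted `passwd` leaves the image attached and mounted; a `trap` on 0 1 2 3 15 matching those two functions would keep the tools consistent. Note that `passwd` inside the chroot rewrites the image's password database, i.e. the root credential baked into every node flashed from this image — presumably intended, but worth a comment at the chroot line.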
Index: /branches/releng-10/nanobsd/tools/prepare-nfs.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/prepare-nfs.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/prepare-nfs.sh	(revision 12525)
@@ -0,0 +1,114 @@
+#!/bin/sh
+# Get nanobsd image ready to be booted from NFS
+# NFS instructions at
+# http://www.wirelessleiden.nl/projects/nodefactory/wiki/TestingViaNFS
+
+IMAGE_BASE="/usr/obj/nanobsd.wleiden"
+IMAGE_SLICE="${IMAGE_BASE}/_.disk.image"
+IMAGE_FULL="${IMAGE_BASE}/_.disk.full"
+IMAGE_NFS="${IMAGE_SLICE}-nfs"
+# Structure: $NFSBASE 
+#	     ./cfg  = /cfg mounpoint
+#            ./base = / mountpoint
+#            ./nfs  = /nfs mountpoint
+NFSBASE='/usr/data'
+MNT="${NFSBASE}/base"
+CFG="${NFSBASE}/cfg"
+NFS="${NFSBASE}/nfs"
+
+p_err() {
+	echo "[ERROR] $*" 1>&2
+}
+
+usage() {
+	(
+	echo "Usage: $0 [-fn]"
+	echo "	-f	force umount, memory device whipes"
+	echo "	-n	do not delete/clean cfg partition"
+	echo "	-u	unload/eject procedure"
+	) 1>&2
+	exit 2
+}
+
+# No Root, no fun
+if [ `id -u` -ne 0 ]; then
+	p_err "Root only"
+	exit 1
+fi
+
+# Argument parsing using getopts
+OPT_FORCE=0
+OPT_CLEAN=1
+OPT_UNLOAD=0
+while getopts "hfnu" OPT; do
+	case "$OPT" in
+	f) OPT_FORCE=1;;
+	n) OPT_CLEAN=0;;
+	u) OPT_UNLOAD=1;;
+	h) usage;;
+	\?) usage;;
+	esac
+done
+
+
+# Eeks, we are going to be nasty, hold your horses
+if [ $OPT_FORCE -eq 1 -o $OPT_UNLOAD -eq 1 ]; then
+	umount -f $MNT	
+	for MD in `mdconfig -l -v | grep "${IMAGE_NFS}" | awk '{print $1}'`; do
+		mdconfig -d -u $MD
+	done
+fi
+
+if [ $OPT_UNLOAD -eq 1 ]; then
+	echo "All done"
+	exit 1;
+fi
+
+# If mount point is already used, bail out
+if mount | grep -q "${MNT}"; then
+	p_err "'${MNT}' already mounted"
+	exit 1
+fi
+
+# If target nfs image is mounted somehow, bail out
+if mdconfig -l -v | grep -q "${IMAGE_NFS}"; then
+	MD=`mdconfig -l -v | grep "${IMAGE_NFS}" | cut -c -4`
+	p_err "'${IMAGE_NFS}' already mounted at '$MD'"
+	exit 1
+fi
+
+
+# Prepare image for use with NFS
+cp -v ${IMAGE_SLICE} ${IMAGE_NFS}
+
+MD=`mdconfig -a -t vnode -f ${IMAGE_NFS}`
+mount /dev/${MD}a ${MNT}
+
+# Config files lives at NFS location
+echo "mount -t nfs -o ro 192.168.4.1:${CFG}" > ${MNT}/conf/default/etc/remount
+
+# Create nfs mount location
+mkdir ${MNT}/nfs
+
+# $MNT, $CFG, $NFS lives at nfs
+(
+echo "192.168.4.1:${MNT} / nfs ro 0 0" 
+echo "192.168.4.1:${CFG} /cfg nfs rw,noauto 0 0"
+echo "192.168.4.1:${NFS} /nfs nfs rw 0 0"
+) > /${MNT}/conf/base/etc/fstab
+
+if [ ${OPT_CLEAN} -eq 1 ]; then
+	echo "DELETING all files at ${CFG}, start fresh ;-)" 
+	rm -vfR ${CFG}/*
+else
+	echo "PRESERVING all files at ${CFG}"
+fi
+
+echo "DELETING all files at ${NFS}, start fresh ;-)" 
+rm -vfR ${NFS}/*
+
+# Allow build images to be used directy via NFS
+ln -f ${IMAGE_SLICE} ${NFS}/`basename ${IMAGE_SLICE}`
+ln -f ${IMAGE_FULL} ${NFS}/`basename ${IMAGE_FULL}`
+
+# XXX: Proper unmounting after all has finished
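Review bot: `mount /dev/${MD}a ${MNT}` is unchecked, so when the attach or mount fails the following `echo ... > ${MNT}/conf/default/etc/remount`, `mkdir ${MNT}/nfs` and the fstab write land in the host's own `/usr/data/base` tree instead of the image; add `|| exit 1` to the `mdconfig` assignment and to the mount. The `-u` branch prints "All done" and then `exit 1`, which makes a successful unload look like a failure to callers — use `exit 0`. `rm -vfR ${CFG}/*` and `rm -vfR ${NFS}/*` are only as safe as the hard-coded `NFSBASE`; `"${CFG:?}"/*` guards against someone later turning it into an environment override. The generated fstab mounts the node's root read-only from 192.168.4.1 over NFS with no protection beyond the export list, which is fine for a test bench but deserves a comment so this image is never deployed to a production node.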
Index: /branches/releng-10/nanobsd/tools/rsync-image.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/rsync-image.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/rsync-image.sh	(revision 12525)
@@ -0,0 +1,43 @@
+#!/bin/sh
+# Rsync minimal changes directly to live image
+
+. $(dirname $0)/package-build.inc.sh
+
+HOST=${1:-10.0.42.1}
+BASEDIR=`dirname $0`
+if [ -n "$2" ]; then
+  IMG=$2
+else
+  CFG="${BASEDIR}/../cfg/nanobsd.wleiden"
+  
+  # Find object directory 
+  eval `grep '^NANO_NAME=' ${CFG}`
+  OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+  IMG=${OBJDIR}/_.disk.image
+fi
+
+if [ ! -r "${IMG}" ]; then
+  p_err Source ${IMG} does not exists
+fi
+
+# Make sure we are root from this point on
+f_check_root
+
+
+# Prepare image as filesystem
+MNT=`mktemp -d -t $(basename $0)`
+MD=`mdconfig -a -t vnode -f ${IMG}`
+mount /dev/${MD}a ${MNT} || exit 1
+
+# On error clean up nicely 
+trap "cd /; umount ${MNT}; rmdir ${MNT}; mdconfig -d -u ${MD}" 0 1 2 3 15 
+
+#XXX: Might want to do in one fly
+# Set to write mode
+ssh $HOST mount -uwo noatime / || exit 1
+# Sync changes
+rsync -av --exclude=/dev --exclude=/etc --exclude=/var ${MNT}/ ${HOST}:/ || exit 1
+# Set to read-only mode again
+ssh $HOST mount -ur / || exit 1
+
+exit 0
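Review bot: On a failed rsync the `|| exit 1` leaves the node's root filesystem remounted read-write, because the `ssh $HOST mount -ur /` that restores it is only reached on success and the trap only cleans up the local mount; capture the status and always remount, e.g. `rsync ...; rc=$?; ssh $HOST mount -ur / || rc=1; exit $rc`, or add the remount to the trap. The trap is installed after `mount /dev/${MD}a ${MNT} || exit 1`, so if that mount fails the md device from the preceding `mdconfig -a` is never detached — set the trap right after a checked `mdconfig` instead. `HOST=${1:-10.0.42.1}` silently targets a default node when run with no arguments; since this overwrites a live root filesystem, requiring the host explicitly (or at least printing it with a cancel window as `deploy_image` intends) would be safer.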
Index: /branches/releng-10/nanobsd/tools/test-inc.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/test-inc.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/test-inc.sh	(revision 12525)
@@ -0,0 +1,5 @@
+#!/bin/sh
+. $(dirname $0)/package-build.inc.sh
+
+f_time sleep 5
+
Index: /branches/releng-10/nanobsd/tools/upload-image.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/upload-image.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/upload-image.sh	(revision 12525)
@@ -0,0 +1,57 @@
+#!/bin/sh
+#
+# Upload image to the 'distribution' server. First try WL network, 
+# else use inet as last resort. Need to have shell access to distribution server.
+#
+# XXX: Needs Type and such as well properly
+#
+# Rick van der Zwet <info@rickvanderzwet.nl>
+
+SERVERS="sunfire.wleiden.net sunfire.wirelessleiden.nl"
+TIMESTAMP=`date "+%Y%m%d-%H%M"`
+BASEDIR=`dirname $0`
+SSH_USER=${SSH_USER:-$USER}
+TYPE="$1"
+RELEASE="$2"
+
+. $BASEDIR/package-build.inc.sh
+
+if [ -z "$RELEASE" ]; then
+  echo "Usage: $0 <full|image> <release_name>"
+  exit 1
+fi
+
+# Make sure we find the right image
+if [ "$TYPE" = "full" ]; then
+  find_disk_full ""
+elif [ "$TYPE" = "image" ]; then
+  find_disk_image ""
+else
+  echo "Usage: $0 <full|image> <release_name>"
+  exit 1
+fi
+
+check_reachable() {
+  ping -c 2 -t 1 -q $1 1>/dev/null 2>/dev/null
+  return $?
+} 
+
+# XXX: Hack this should actually be done during building phase
+echo "# Compressing image '$IMG'" 
+gzip -v -k -f $IMG
+IMG="$IMG.gz"
+
+echo "# Trying to upload to server, alarm messages are normal"
+# Upload the image to the defined place
+for SERVER in $SERVERS; do
+  if check_reachable $SERVER; then
+    TARGET="$SSH_USER@$SERVER:/usr/local/www/images/$RELEASE/node-$TYPE-$TIMESTAMP.img.gz"
+    echo "# Source: $IMG"
+    echo "# Target: $TARGET"
+    echo "# To cancel, please CTRL+C within 3 seconds"
+    sleep 3
+    scp $IMG $TARGET
+    exit $?
+  fi
+done
+
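Review bot: `find_disk_full` and `find_disk_image` are called after sourcing `package-build.inc.sh`, but that file in this commit defines only the `p_*` helpers, `f_time` and `f_check_root`, so unless they exist elsewhere the calls fail with "not found", `IMG` stays empty and `gzip -v -k -f $IMG` runs with no file; define them in the include (the `eval`/`NANO_NAME` lookup duplicated in flash-node.sh, passwd-image.sh and write-image.sh is the obvious body) or at least check `[ -n "$IMG" ] || exit 1` here. `$RELEASE` comes from argv and is spliced unvalidated into the remote `/usr/local/www/images/$RELEASE/...` path, so `..` or a space changes where scp writes; restrict it to `[A-Za-z0-9._-]`. When no server passes `check_reachable` the loop falls through and the script exits 0 having uploaded nothing — end with `p_err "no distribution server reachable"; exit 1`.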
Index: /branches/releng-10/nanobsd/tools/write-image.sh
===================================================================
--- /branches/releng-10/nanobsd/tools/write-image.sh	(revision 12525)
+++ /branches/releng-10/nanobsd/tools/write-image.sh	(revision 12525)
@@ -0,0 +1,74 @@
+#!/bin/sh
+# Wrapper allowing to write image to card writer
+
+. $(dirname $0)/package-build.inc.sh
+
+BASEDIR=`dirname $0`
+if [ -n "$1" ]; then
+  IMG=$1
+else
+  CFG="${BASEDIR}/../cfg/nanobsd.wleiden"
+  
+  # Find object directory 
+  eval `grep '^NANO_NAME=' ${CFG}`
+  OBJDIR="/usr/obj/nanobsd.${NANO_NAME}"
+  IMG=${OBJDIR}/_.disk.full
+fi
+
+if [ ! -r "${IMG}" ]; then
+  p_err Source ${IMG} does not exists
+fi
+IMGSIZE=`ls -l ${IMG} | awk '{print $5 / 1024 / 1024}'`
+
+# Make sure we are root from this point on
+f_check_root
+
+# Find which daX device holds a active flash drive
+CARD_FOUND=0
+DA_LIST=`cd /dev/; echo da[0-9]`
+for DA in ${DA_LIST}; do
+ diskinfo ${DA} 1>/dev/null 2>/dev/null
+ if [ $? -eq 0 ]; then
+   CARD_FOUND=1
+   break
+ fi
+done
+
+if [ ${CARD_FOUND} -eq 0 ]; then
+  p_err Sorry no flash card found at active devices, list searched:
+  p_err $(p_list ${DA_LIST})
+  exit 1
+fi
+
+# Detect cardreader type/version
+CARDREADER=`dmesg | grep ${DA}: | awk -F'[<>]' '/Removable Direct Access/ {print $2}' | tail -1`
+
+#XXX: Issue last chance warning, prompting the user to bail out
+p_warn Going to write ${IMG} "(${IMGSIZE}MB)" to ${DA} "(${CARDREADER})"
+p_warn 5 seconds to quit using CTRL+C
+p_sleep 5
+
+TMPFILE=`mktemp -t dd`
+p_info Writing image... "(`date`)"
+# Sending INFO to dd seems to confuse it sometimes so 
+# make it EXPERIMENTAL for now
+
+if [ -n "$ENHANCED_DD" ]; then
+  dd if=${IMG} of=/dev/${DA} bs=64k 2>${TMPFILE} &
+  DD_PID=$!
+  sleep 0.5
+  while `ps ${DD_PID} >/dev/null`; do
+    kill -INFO ${DD_PID}
+    sleep 0.1 #Micro delay allow TMPFILE to populate
+    SIZE_DONE=`awk '/transferred/ {print $1}' ${TMPFILE}`
+    SIZE_DONE=`echo "${SIZE_DONE} / 1024 / 1024" | bc -l`
+    PERCENT_DONE=`echo "${SIZE_DONE} / ${IMGSIZE} * 100"  | bc -l`
+    p_info `date "+%H:%m:%S"` `printf "%.02f MB (%.01f%%)" ${SIZE_DONE} ${PERCENT_DONE}`
+    p_sleep 10
+    : > ${TMPFILE}
+  done
+else
+  dd if=${IMG} of=/dev/${DA} bs=64k
+fi
+rm ${TMPFILE}
+p_info Image writing succesfull at /dev/$DA "(`date`)"
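Review bot: dd's exit status is never examined, so the closing `p_info Image writing succesfull` line is printed even when the write failed or was cut short — the background dd in the `ENHANCED_DD` branch is never waited on and the plain `dd` in the else branch has no status check. After the `done` of the progress loop add `wait ${DD_PID} || { p_err dd failed; exit 1; }`, and make the else branch `dd if=${IMG} of=/dev/${DA} bs=64k || { p_err dd failed; exit 1; }`. The unreadable-image check near the top also lacks an `exit 1` after its `p_err`; judging by the card-not-found block further down, `p_err` (defined in package-build.inc.sh, outside this diff) does not exit by itself, so the script presently carries on to the root check and device scan with a missing image. Two smaller points: the progress timestamp uses `date "+%H:%m:%S"` where `%m` is the month, not minutes (`%M`), and the while condition on the `ps ${DD_PID}` line is wrapped in backticks and so relies on the exit status of an empty command after substitution — write it as `while ps ${DD_PID} >/dev/null; do`.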
