linux-router/lnxrouter

#!/bin/bash

# general dependencies:
#    bash (to run this script)
#    procps or procps-ng
#    iproute2
#    dnsmasq
#    iptables

#    hostapd
#    iw
#    iwconfig (you only need this if 'iw' can not recognize your adapter)
#    haveged (optional)


VERSION=0.5.0
PROGNAME="$(basename $0)"

# make sure that all command outputs are in english
# so we can parse them correctly
export LC_ALL=C

# all new files and directories must be readable only by root.
# in special cases we must use chmod to give any other permissions.
SCRIPT_UMASK=0077
umask $SCRIPT_UMASK

usage() {
    echo "$PROGNAME $VERSION (https://github.com/garywill/linux-router)"
    echo "$PROGNAME is a fork of create_ap(https://github.com/oblique/create_ap)"
    echo 
    echo "Usage: "$PROGNAME" [options] "
    echo
    echo "Options:"
    echo "  -h, --help              Show this help"
    echo "  --version               Print version number"
    echo

    
    #echo "  -m <method>             Method for Internet sharing."
    #echo "                          Use: 'nat' for NAT (default)"
    #echo "                               'redsocks' for transparent proxy. Usually use with --dns-proxy"
    #echo "                               'none' for no Internet sharing (equivalent to -n)"
    echo "  -n                      Disable Internet sharing"
    echo "  --tp <port>             Transparent proxy (redsocks), redirect tcp and udp traffic to port."
    echo "                          Usually use with --dns-proxy"
    echo 
    echo "  -g <gateway>            Set Gateway IPv4 address, netmask is /24 (default: 192.168.18.1)"
    echo "  --dns-proxy <port>      Redirect 53 port to DNS proxy port. dnsmasq DNS is disabled"
    echo "  --no-serve-dns          dnsmasq DNS disabled"
    echo "  --no-dnsmasq            Disable dnsmasq server completely (dhcp and dns)"
    echo "  --log-dns               Show dnsmasq DNS server query log"
    echo "  --dhcp-dns <IP1[,IP2]>|no"
    echo "                          Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS)"
    echo "  -d                      DNS server will take into account /etc/hosts"
    echo "  -e <hosts_file>         DNS server will take into account additional hosts file"
    echo 
    echo "  --mac <MAC>             Set MAC address"
    echo 
    echo " Wifi hotspot options:"
    echo "  --ap <wlan card interface> <access point name>"
    echo "                          Create Wifi access point using wlan card, and set SSID"
    echo "  --password <passphrase> Wifi password"
    echo 
    echo "  --hidden                Make the Access Point hidden (do not broadcast the SSID)"
    echo "  --no-virt               Do not create virtual interface. "
    echo "                          Using this you can't use same wlan card as Internet and AP"
    echo "  -c <channel>            Channel number (default: 1)"
    echo "  --country <code>        Set two-letter country code for regularity (example: US)"
    echo "  --freq-band <GHz>       Set frequency band. Valid inputs: 2.4, 5 (default: 2.4)"
    echo "  --driver                Choose your WiFi adapter driver (default: nl80211)"
    echo "  -w <WPA version>        Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)"
    echo "  --psk                   Use 64 hex digits pre-shared-key instead of passphrase"
    echo "  --mac-filter            Enable Wifi hotspot MAC address filtering"
    echo "  --mac-filter-accept     Location of Wifi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept)"
    echo "  --hostapd-debug <level> With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
    echo "  --isolate-clients       Disable communication between clients"
    echo "  --ieee80211n            Enable IEEE 802.11n (HT)"
    echo "  --ieee80211ac           Enable IEEE 802.11ac (VHT)"
    echo "  --ht_capab <HT>         HT capabilities (default: [HT40+])"
    echo "  --vht_capab <VHT>       VHT capabilities"
    echo "  --no-haveged            Do not run 'haveged' automatically when needed"
    echo "  --fix-unmanaged         If NetworkManager shows your interface as unmanaged after you"
    echo "                          close lnxrouter, then use this option to switch your interface"
    echo "                          back to managed"
    echo
    echo " Instance managing:"
    echo "  --daemon                Run lnxrouter in the background"
    echo "  --stop <id>             Send stop command to an already running lnxrouter. For an <id>"
    echo "                          you can put the PID of lnxrouter or interface. You can"
    echo "                          get them with --list-running"
    echo "  --list-running          Show the lnxrouter processes that are already running"
    echo "  --list-clients <id>     List the clients connected to lnxrouter instance associated with <id>."
    echo "                          For an <id> you can put the PID of lnxrouter or interface."
    echo "                          If virtual WiFi interface was created, then use that one."
    echo "                          You can get them with --list-running"

    echo
    echo
    echo "Examples:"
    echo "  "$PROGNAME" --ap wlan0 MyAccessPoint --password MyPassPhrase"
    echo "  "$PROGNAME" --ap wlan0 MyAccessPoint"
    echo "  "$PROGNAME" -n --ap wlan0 MyAccessPoint --password MyPassPhrase"
    echo "  "$PROGNAME" --driver rtl871xdrv --ap wlan0 MyAccessPoint --password MyPassPhrase"
    echo "  "$PROGNAME" --daemon --ap wlan0 MyAccessPoint --password MyPassPhrase"
    echo "  "$PROGNAME" --stop wlan0"
    echo "  "$PROGNAME" --ap wlan0 MyAccessPoint --password MyPassPhrase --tp <transparent-proxy> --dns-proxy <dns-proxy>"
}

if [[ "$1" == "" ]]; then
    usage
    exit 0
fi

GATEWAY=192.168.18.1
ROUTE_ADDRS=
DHCP_DNS=gateway
dnsmasq_NO_DNS=0
NO_DNSMASQ=0
SHOW_DNS_QUERY=0
ETC_HOSTS=0
ADDN_HOSTS=
SUBNET_IFACE=

ISOLATE_CLIENTS=0
SHARE_METHOD=nat
TP_PORT=
TP_DNS_PORT=

NEW_MACADDR=
OLD_MACADDR=
DAEMONIZE=0

HIDDEN=0
WIFI_IFACE=
VWIFI_IFACE=
AP_IFACE=
CHANNEL=default
WPA_VERSION=1+2
MAC_FILTER=0
MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
IEEE80211N=0
IEEE80211AC=0
HT_CAPAB='[HT40+]'
VHT_CAPAB=
DRIVER=nl80211
NO_VIRT=0
COUNTRY=
FREQ_BAND=2.4
NO_HAVEGED=0
HAVEGED_WATCHDOG_PID=
HOSTAPD_DEBUG_ARGS=
USE_PSK=0
FIX_UNMANAGED=0

LIST_RUNNING=0
STOP_ID=
LIST_CLIENTS_ID=
CONFDIR=

ARGS=( "$@" )

while [[ -n "$1" ]]; do
    case "$1" in
        -h|--help)
            usage
            exit 0
            ;;
        --version)
            echo $VERSION
            exit 0
            ;;
        -n)
            shift
            SHARE_METHOD=none
            ;;
        --tp)
            shift
            TP_PORT="$1"
            shift
            ;;
            
            
        -g)
            shift
            GATEWAY="$1"
            shift
            ;;
        --mac)
            shift
            NEW_MACADDR="$1"
            shift
            ;;
            
        --dns-proxy)
            shift
            TP_DNS_PORT="$1"
            shift
            ;;
        --no-serve-dns)
            shift
            dnsmasq_NO_DNS=1
            ;;
        --no-dnsmasq)
            shift
            NO_DNSMASQ=1
            ;;
        --dhcp-dns)
            shift
            DHCP_DNS="$1"
            shift
            ;;
        --log-dns)
            shift
            SHOW_DNS_QUERY=1
            ;;
        -d)
            shift
            ETC_HOSTS=1
            ;;
        -e)
            shift
            ADDN_HOSTS="$1"
            shift
            ;;
        
        --isolate-clients)
            shift
            ISOLATE_CLIENTS=1
            ;;
            
        --ap)
            shift
            WIFI_IFACE="$1"
            shift
            SSID="$1"
            shift
            ;;
        --password)
            shift
            PASSPHRASE="$1"
            shift
            ;;
            
            
        --hidden)
            shift
            HIDDEN=1
            ;;
        --mac-filter)
            shift
            MAC_FILTER=1
            ;;
        --mac-filter-accept)
            shift
            MAC_FILTER_ACCEPT="$1"
            shift
            ;;

        -c)
            shift
            CHANNEL="$1"
            shift
            ;;
        -w)
            shift
            WPA_VERSION="$1"
            [[ "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=1+2
            shift
            ;;



        --ieee80211n)
            shift
            IEEE80211N=1
            ;;
        --ieee80211ac)
            shift
            IEEE80211AC=1
            ;;
        --ht_capab)
            shift
            HT_CAPAB="$1"
            shift
            ;;
        --vht_capab)
            shift
            VHT_CAPAB="$1"
            shift
            ;;
        --driver)
            shift
            DRIVER="$1"
            shift
            ;;
        --no-virt)
            shift
            NO_VIRT=1
            ;;
        --fix-unmanaged)
            shift
            FIX_UNMANAGED=1
            ;;
        --country)
            shift
            COUNTRY="$1"
            shift
            ;;
        --freq-band)
            shift
            FREQ_BAND="$1"
            shift
            ;;
        --no-haveged)
            shift
            NO_HAVEGED=1
            ;;
        --hostapd-debug)
            shift
            if [ "x$1" = "x1" ]; then
                HOSTAPD_DEBUG_ARGS="-d"
            elif [ "x$1" = "x2" ]; then
                HOSTAPD_DEBUG_ARGS="-dd"
            else
                printf "Error: argument for --hostapd-debug expected 1 or 2, got %s\n" "$1"
                exit 1
            fi
            shift
            ;;
        --psk)
            shift
            USE_PSK=1
            ;;

        --daemon)
            shift
            DAEMONIZE=1
            ;;
        --stop)
            shift
            STOP_ID="$1"
            shift
            ;;
        --list-running)
            shift
            LIST_RUNNING=1
            ;;
        --list-clients)
            shift
            LIST_CLIENTS_ID="$1"
            shift
            ;;



        *)
            echo  "Invalid parameter: $1" 1>&2
            exit 1
            ;;
    esac
done


# on success it echos a non-zero unused FD
# on error it echos 0
get_avail_fd() {
    local x
    for x in $(seq 1 $(ulimit -n)); do
        if [[ ! -a "/proc/$BASHPID/fd/$x" ]]; then
            echo $x
            return
        fi
    done
    echo 0
}

# lock file for the mutex counter
COUNTER_LOCK_FILE=/tmp/lnxrouter.$$.lock

cleanup_lock() {
    rm -f $COUNTER_LOCK_FILE
}

init_lock() {
    local LOCK_FILE=/tmp/lnxrouter.all.lock

    # we initialize only once
    [[ $LOCK_FD -ne 0 ]] && return 0

    LOCK_FD=$(get_avail_fd)
    [[ $LOCK_FD -eq 0 ]] && return 1

    # open/create lock file with write access for all users
    # otherwise normal users will not be able to use it.
    # to avoid race conditions on creation, we need to
    # use umask to set the permissions.
    umask 0555
    eval "exec $LOCK_FD>$LOCK_FILE" > /dev/null 2>&1 || return 1
    umask $SCRIPT_UMASK

    # there is a case where lock file was created from a normal
    # user. change the owner to root as soon as we can.
    [[ $(id -u) -eq 0 ]] && chown 0:0 $LOCK_FILE

    # create mutex counter lock file
    echo 0 > $COUNTER_LOCK_FILE

    return $?
}

# recursive mutex lock for all lnxrouter processes
mutex_lock() {
    local counter_mutex_fd
    local counter

    # lock local mutex and read counter
    counter_mutex_fd=$(get_avail_fd)
    if [[ $counter_mutex_fd -ne 0 ]]; then
        eval "exec $counter_mutex_fd<>$COUNTER_LOCK_FILE"
        flock $counter_mutex_fd
        read -u $counter_mutex_fd counter
    else
        echo "Failed to lock mutex counter" >&2
        return 1
    fi

    # lock global mutex and increase counter
    [[ $counter -eq 0 ]] && flock $LOCK_FD
    counter=$(( $counter + 1 ))

    # write counter and unlock local mutex
    echo $counter > /proc/$BASHPID/fd/$counter_mutex_fd
    eval "exec ${counter_mutex_fd}<&-"
    return 0
}

# recursive mutex unlock for all lnxrouter processes
mutex_unlock() {
    local counter_mutex_fd
    local counter

    # lock local mutex and read counter
    counter_mutex_fd=$(get_avail_fd)
    if [[ $counter_mutex_fd -ne 0 ]]; then
        eval "exec $counter_mutex_fd<>$COUNTER_LOCK_FILE"
        flock $counter_mutex_fd
        read -u $counter_mutex_fd counter
    else
        echo "Failed to lock mutex counter" >&2
        return 1
    fi

    # decrease counter and unlock global mutex
    if [[ $counter -gt 0 ]]; then
        counter=$(( $counter - 1 ))
        [[ $counter -eq 0 ]] && flock -u $LOCK_FD
    fi

    # write counter and unlock local mutex
    echo $counter > /proc/$BASHPID/fd/$counter_mutex_fd
    eval "exec ${counter_mutex_fd}<&-"
    return 0
}

# it takes 2 arguments
# returns:
#  0 if v1 (1st argument) and v2 (2nd argument) are the same
#  1 if v1 is less than v2
#  2 if v1 is greater than v2
version_cmp() {
    local V1 V2 VN x
    [[ ! $1 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"
    [[ ! $2 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"

    V1=( $(echo $1 | tr '.' ' ') )
    V2=( $(echo $2 | tr '.' ' ') )
    VN=${#V1[@]}
    [[ $VN -lt ${#V2[@]} ]] && VN=${#V2[@]}

    for ((x = 0; x < $VN; x++)); do
        [[ ${V1[x]} -lt ${V2[x]} ]] && return 1
        [[ ${V1[x]} -gt ${V2[x]} ]] && return 2
    done

    return 0
}

USE_IWCONFIG=0

is_interface() {
    [[ -z "$1" ]] && return 1
    [[ -d "/sys/class/net/${1}" ]]
}

is_wifi_interface() {
    which iw > /dev/null 2>&1 && iw dev $1 info > /dev/null 2>&1 && return 0
    if which iwconfig > /dev/null 2>&1 && iwconfig $1 > /dev/null 2>&1; then
        USE_IWCONFIG=1
        return 0
    fi
    return 1
}



get_phy_device() {
    local x
    for x in /sys/class/ieee80211/*; do
        [[ ! -e "$x" ]] && continue
        if [[ "${x##*/}" = "$1" ]]; then
            echo $1
            return 0
        elif [[ -e "$x/device/net/$1" ]]; then
            echo ${x##*/}
            return 0
        elif [[ -e "$x/device/net:$1" ]]; then
            echo ${x##*/}
            return 0
        fi
    done
    echo "Failed to get phy interface" >&2
    return 1
}

get_adapter_info() {
    local PHY
    PHY=$(get_phy_device "$1")
    [[ $? -ne 0 ]] && return 1
    iw phy $PHY info
}

get_adapter_kernel_module() {
    local MODULE
    MODULE=$(readlink -f "/sys/class/net/$1/device/driver/module")
    echo ${MODULE##*/}
}

can_be_sta_and_ap() {
    # iwconfig does not provide this information, assume false
    [[ $USE_IWCONFIG -eq 1 ]] && return 1
    if [[ "$(get_adapter_kernel_module "$1")" == "brcmfmac" ]]; then
        echo "WARN: brmfmac driver doesn't work properly with virtual interfaces and" >&2
        echo "      it can cause kernel panic. For this reason we disallow virtual" >&2
        echo "      interfaces for your adapter." >&2
        echo "      For more info: https://github.com/oblique/create_ap/issues/203" >&2
        return 1
    fi
    get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0
    get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0
    return 1
}

can_be_ap() {
    # iwconfig does not provide this information, assume true
    [[ $USE_IWCONFIG -eq 1 ]] && return 0
    get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0
    return 1
}

can_transmit_to_channel() {
    local IFACE CHANNEL_NUM CHANNEL_INFO
    IFACE=$1
    CHANNEL_NUM=$2

    if [[ $USE_IWCONFIG -eq 0 ]]; then
        if [[ $FREQ_BAND == 2.4 ]]; then
            CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " 24[0-9][0-9] MHz \[${CHANNEL_NUM}\]")
        else
            CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " \(49[0-9][0-9]\|5[0-9]\{3\}\) MHz \[${CHANNEL_NUM}\]")
        fi
        [[ -z "${CHANNEL_INFO}" ]] && return 1
        [[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1
        [[ "${CHANNEL_INFO}" == *disabled* ]] && return 1
        return 0
    else
        CHANNEL_NUM=$(printf '%02d' ${CHANNEL_NUM})
        CHANNEL_INFO=$(iwlist ${IFACE} channel | grep -E "Channel[[:blank:]]${CHANNEL_NUM}[[:blank:]]?:")
        [[ -z "${CHANNEL_INFO}" ]] && return 1
        return 0
    fi
}

# taken from iw/util.c
ieee80211_frequency_to_channel() {
    local FREQ=$1
    if [[ $FREQ -eq 2484 ]]; then
        echo 14
    elif [[ $FREQ -lt 2484 ]]; then
        echo $(( ($FREQ - 2407) / 5 ))
    elif [[ $FREQ -ge 4910 && $FREQ -le 4980 ]]; then
        echo $(( ($FREQ - 4000) / 5 ))
    elif [[ $FREQ -le 45000 ]]; then
        echo $(( ($FREQ - 5000) / 5 ))
    elif [[ $FREQ -ge 58320 && $FREQ -le 64800 ]]; then
        echo $(( ($FREQ - 56160) / 2160 ))
    else
        echo 0
    fi
}

is_5ghz_frequency() {
    [[ $1 =~ ^(49[0-9]{2})|(5[0-9]{3})$ ]]
}

is_wifi_connected() {
    if [[ $USE_IWCONFIG -eq 0 ]]; then
        iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0
    else
        iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0
    fi
    return 1
}

is_macaddr() {
    echo "$1" | grep -E "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$" > /dev/null 2>&1
}

is_unicast_macaddr() {
    local x
    is_macaddr "$1" || return 1
    x=$(echo "$1" | cut -d: -f1)
    x=$(printf '%d' "0x${x}")
    [[ $(expr $x % 2) -eq 0 ]]
}

get_macaddr() {
    is_interface "$1" || return
    cat "/sys/class/net/${1}/address"
}


alloc_new_iface() {
    local i=0
    local v_iface_name=
    mutex_lock
    while :; do
        v_iface_name="x$i${WIFI_IFACE}"
        if ! is_interface ${v_iface_name} && [[ ! -f $COMMON_CONFDIR/ifaces/${v_iface_name} ]]; then
            mkdir -p $COMMON_CONFDIR/ifaces
            touch $COMMON_CONFDIR/ifaces/${v_iface_name}
            echo ${v_iface_name}
            mutex_unlock
            return
        fi
        i=$((i + 1))
    done
    mutex_unlock
}

dealloc_iface() {
    rm -f $COMMON_CONFDIR/ifaces/$1
}

get_all_macaddrs() {
    cat /sys/class/net/*/address
}

get_new_macaddr() {
    local OLDMAC NEWMAC LAST_BYTE i
    OLDMAC=$(get_macaddr "$1")
    LAST_BYTE=$(printf %d 0x${OLDMAC##*:})
    mutex_lock
    for i in {1..255}; do
        NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))"
        (get_all_macaddrs | grep "$NEWMAC" > /dev/null 2>&1) || break
    done
    mutex_unlock
    echo $NEWMAC
}

# start haveged when needed
haveged_watchdog() {
    local show_warn=1
    while :; do
        mutex_lock
        if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
            if ! which haveged > /dev/null 2>&1; then
                if [[ $show_warn -eq 1 ]]; then
                    echo "WARN: Low entropy detected. We recommend you to install \`haveged'"
                    show_warn=0
                fi
            elif ! pidof haveged > /dev/null 2>&1; then
                echo "Low entropy detected, starting haveged"
                # boost low-entropy
                haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
            fi
        fi
        mutex_unlock
        sleep 2
    done
}

NETWORKMANAGER_CONF=/etc/NetworkManager/NetworkManager.conf
NM_OLDER_VERSION=1

networkmanager_exists() {
    local NM_VER
    which nmcli > /dev/null 2>&1 || return 1
    NM_VER=$(nmcli -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
    version_cmp $NM_VER 0.9.9
    if [[ $? -eq 1 ]]; then
        NM_OLDER_VERSION=1
    else
        NM_OLDER_VERSION=0
    fi
    return 0
}

networkmanager_is_running() {
    local NMCLI_OUT
    networkmanager_exists || return 1
    if [[ $NM_OLDER_VERSION -eq 1 ]]; then
        NMCLI_OUT=$(nmcli -t -f RUNNING nm 2>&1 | grep -E '^running$')
    else
        NMCLI_OUT=$(nmcli -t -f RUNNING g 2>&1 | grep -E '^running$')
    fi
    [[ -n "$NMCLI_OUT" ]]
}

networkmanager_iface_is_unmanaged() {
    is_interface "$1" || return 2
    (nmcli -t -f DEVICE,STATE d 2>&1 | grep -E "^$1:unmanaged$" > /dev/null 2>&1) || return 1
}

ADDED_UNMANAGED=

networkmanager_add_unmanaged() {
    local MAC UNMANAGED WAS_EMPTY x
    networkmanager_exists || return 1

    [[ -d ${NETWORKMANAGER_CONF%/*} ]] || mkdir -p ${NETWORKMANAGER_CONF%/*}
    [[ -f ${NETWORKMANAGER_CONF} ]] || touch ${NETWORKMANAGER_CONF}

    if [[ $NM_OLDER_VERSION -eq 1 ]]; then
        if [[ -z "$2" ]]; then
            MAC=$(get_macaddr "$1")
        else
            MAC="$2"
        fi
        [[ -z "$MAC" ]] && return 1
    fi

    mutex_lock
    UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf)

    WAS_EMPTY=0
    [[ -z "$UNMANAGED" ]] && WAS_EMPTY=1
    UNMANAGED=$(echo "$UNMANAGED" | sed 's/unmanaged-devices=//' | tr ';,' ' ')

    # if it exists, do nothing
    for x in $UNMANAGED; do
        if [[ $x == "mac:${MAC}" ]] ||
               [[ $NM_OLDER_VERSION -eq 0 && $x == "interface-name:${1}" ]]; then
            mutex_unlock
            return 2
        fi
    done

    if [[ $NM_OLDER_VERSION -eq 1 ]]; then
        UNMANAGED="${UNMANAGED} mac:${MAC}"
    else
        UNMANAGED="${UNMANAGED} interface-name:${1}"
    fi

    UNMANAGED=$(echo $UNMANAGED | sed -e 's/^ //')
    UNMANAGED="${UNMANAGED// /;}"
    UNMANAGED="unmanaged-devices=${UNMANAGED}"

    if ! grep -E '^\[keyfile\]' ${NETWORKMANAGER_CONF} > /dev/null 2>&1; then
        echo -e "\n\n[keyfile]\n${UNMANAGED}" >> ${NETWORKMANAGER_CONF}
    elif [[ $WAS_EMPTY -eq 1 ]]; then
        sed -e "s/^\(\[keyfile\].*\)$/\1\n${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
    else
        sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
    fi

    ADDED_UNMANAGED="${ADDED_UNMANAGED} ${1} "
    mutex_unlock

    local nm_pid=$(pidof NetworkManager)
    [[ -n "$nm_pid" ]] && kill -HUP $nm_pid

    return 0
}

networkmanager_rm_unmanaged() {
    local MAC UNMANAGED
    networkmanager_exists || return 1
    [[ ! -f ${NETWORKMANAGER_CONF} ]] && return 1

    if [[ $NM_OLDER_VERSION -eq 1 ]]; then
        if [[ -z "$2" ]]; then
            MAC=$(get_macaddr "$1")
        else
            MAC="$2"
        fi
        [[ -z "$MAC" ]] && return 1
    fi

    mutex_lock
    UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf | sed 's/unmanaged-devices=//' | tr ';,' ' ')

    if [[ -z "$UNMANAGED" ]]; then
        mutex_unlock
        return 1
    fi

    [[ -n "$MAC" ]] && UNMANAGED=$(echo $UNMANAGED | sed -e "s/mac:${MAC}\( \|$\)//g")
    UNMANAGED=$(echo $UNMANAGED | sed -e "s/interface-name:${1}\( \|$\)//g")
    UNMANAGED=$(echo $UNMANAGED | sed -e 's/ $//')

    if [[ -z "$UNMANAGED" ]]; then
        sed -e "/^unmanaged-devices=.*/d" -i ${NETWORKMANAGER_CONF}
    else
        UNMANAGED="${UNMANAGED// /;}"
        UNMANAGED="unmanaged-devices=${UNMANAGED}"
        sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
    fi

    ADDED_UNMANAGED="${ADDED_UNMANAGED/ ${1} /}"
    mutex_unlock

    local nm_pid=$(pidof NetworkManager)
    [[ -n "$nm_pid" ]] && kill -HUP $nm_pid

    return 0
}

networkmanager_fix_unmanaged() {
    [[ -f ${NETWORKMANAGER_CONF} ]] || return

    mutex_lock
    sed -e "/^unmanaged-devices=.*/d" -i ${NETWORKMANAGER_CONF}
    mutex_unlock

    local nm_pid=$(pidof NetworkManager)
    [[ -n "$nm_pid" ]] && kill -HUP $nm_pid
}

networkmanager_rm_unmanaged_if_needed() {
    [[ $ADDED_UNMANAGED =~ .*\ ${1}\ .* ]] && networkmanager_rm_unmanaged $1 $2
}

networkmanager_wait_until_unmanaged() {
    local RES
    networkmanager_is_running || return 1
    while :; do
        networkmanager_iface_is_unmanaged "$1"
        RES=$?
        [[ $RES -eq 0 ]] && break
        [[ $RES -eq 2 ]] && die "Interface '${1}' does not exist.
       It's probably renamed by a udev rule.
       use   iwconfig   to see devices.
       use   iw dev <dev name> del   to delete uneeded device"
        sleep 1
    done
    sleep 2
    return 0
}




start_nat() {
    echo Setting iptables rules to NAT 
    iptables -w -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24  -j MASQUERADE || die
    iptables -w -v -I FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
    iptables -w -v -I FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
}
stop_nat() {
    iptables -w -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24  -j MASQUERADE
    iptables -w -D FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT
    iptables -w -D FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT
}

allow_dns_port() {
    echo Setting iptables rules to allow DNS port access
    iptables -w -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
    iptables -w -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
}
unallow_dns_port() {
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY}  -p udp -m udp --dport 53 -j ACCEPT
}

start_dhcp() {
    echo Setting iptables rules to allow DHCP port access
    iptables -w -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
}
stop_dhcp() {
    iptables -w -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
}

redirect_dns() {
    echo "Redirect port 53 to ${TP_DNS_PORT}"
    # allow input to  dns proxy port
    iptables -w -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
    iptables -w -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
    # redirect 53 to dns proxy
    iptables -w -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
    iptables -w -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
}
unredirect_dns() {
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT

    iptables -w -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
    iptables -w -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
}

start_redsocks() {
    echo "Redirect all TCP and UDP traffic to transparent proxy port ${TP_PORT}"
    iptables -w -t nat -N REDSOCKS-${SUBNET_IFACE} || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
    iptables -w -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
    iptables -v -w -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
    iptables -v -w -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die

    iptables -v -w -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die

    iptables -v -w -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
    iptables -v -w -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
}
stop_redsocks() {
    iptables -w -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24  -j REDSOCKS-${SUBNET_IFACE}
    iptables -w -t nat -F REDSOCKS-${SUBNET_IFACE}
    iptables -w -t nat -X REDSOCKS-${SUBNET_IFACE}
    
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
    iptables -w -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
}

_cleanup() {
    local PID x

    trap "" SIGINT SIGUSR1 SIGUSR2 EXIT
    mutex_lock
    disown -a

    # kill haveged_watchdog
    [[ -n "$HAVEGED_WATCHDOG_PID" ]] && kill $HAVEGED_WATCHDOG_PID

    # kill processes
    for x in $CONFDIR/*.pid; do
        # even if the $CONFDIR is empty, the for loop will assign
        # a value in $x. so we need to check if the value is a file
        [[ -f $x ]] && kill -9 $(cat $x)
    done

    rm -rf $CONFDIR


    # if we are the last lnxrouter instance then set back the common values
    if ! has_running_instance; then
        echo "Exiting: This is the only running instance"
        # kill common processes
        for x in $COMMON_CONFDIR/*.pid; do
            [[ -f $x ]] && kill -9 $(cat $x)
        done

        # set old ip_forward
        if [[ -f $COMMON_CONFDIR/ip_forward ]]; then
            echo Set to old value: /proc/sys/net/ipv4/ip_forward=$(cat $COMMON_CONFDIR/ip_forward)
            cp -f $COMMON_CONFDIR/ip_forward /proc/sys/net/ipv4
            rm -f $COMMON_CONFDIR/ip_forward
        fi


        rm -rf $COMMON_CONFDIR
    else
        echo "Exiting: This is NOT the only running instance"
    fi
    
    ip link set down dev ${AP_IFACE}
    ip addr flush ${AP_IFACE}
    if [[ $NO_VIRT -eq 0 ]]; then
        networkmanager_rm_unmanaged_if_needed ${VWIFI_IFACE} ${OLD_MACADDR}
        iw dev ${VWIFI_IFACE} del
        dealloc_iface $VWIFI_IFACE
    else
        if [[ -n "$NEW_MACADDR" ]]; then
            ip link set dev ${WIFI_IFACE} address ${OLD_MACADDR}
        fi
        networkmanager_rm_unmanaged_if_needed ${WIFI_IFACE} ${OLD_MACADDR}
    fi

    mutex_unlock
    cleanup_lock
}

clean_iptables() {

    if [[ "$SHARE_METHOD" == "nat" ]]; then
        stop_nat
    elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
        stop_redsocks
    fi


    
    if [[ "$DHCP_DNS" == "gateway" ]]; then
        unallow_dns_port
    fi
    
    if [[ "$TP_DNS_PORT" ]]; then
        unredirect_dns
    fi
    
    if [[ $NO_DNSMASQ -eq 0 ]]; then
        stop_dhcp
    fi
}

cleanup() {
    echo
    echo -n "Doing cleanup.. "
    clean_iptables
    _cleanup 2> /dev/null
    echo "done"
}

die() {
    [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2
    # send die signal to the main process
    [[ $BASHPID -ne $$ ]] && kill -USR2 $$
    # we don't need to call cleanup because it's traped on EXIT
    exit 1
}

clean_exit() {
    # send clean_exit signal to the main process
    [[ $BASHPID -ne $$ ]] && kill -USR1 $$
    # we don't need to call cleanup because it's traped on EXIT
    exit 0
}

list_running_conf() {
    local x
    mutex_lock
    for x in /tmp/lnxrouter.*; do
        if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then
            echo $x
        fi
    done
    mutex_unlock
}

list_running() {
    local IFACE subn_iface x
    mutex_lock
    for x in $(list_running_conf); do
        IFACE=${x#*.}
        IFACE=${IFACE%%.*}
        subn_iface=$(cat $x/subn_iface)

        if [[ $IFACE == $subn_iface ]]; then
            echo $(cat $x/pid) $IFACE
        else
            echo $(cat $x/pid) $IFACE '('$(cat $x/subn_iface)')'
        fi
    done
    mutex_unlock
}

get_subn_iface_from_pid() {
    list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E "^${1} " | cut -d' ' -f2
}

get_pid_from_subn_iface() {
    list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E " ${1}$" | cut -d' ' -f1
}

get_confdir_from_pid() {
    local IFACE x
    mutex_lock
    for x in $(list_running_conf); do
        if [[ $(cat $x/pid) == "$1" ]]; then
            echo $x
            break
        fi
    done
    mutex_unlock
}

print_client_by_mac() {
    local line ipaddr hostname
    local mac="$1"

    if [[ -f $CONFDIR/dnsmasq.leases ]]; then
        line=$(grep " $mac " $CONFDIR/dnsmasq.leases | tail -n 1)
        ipaddr=$(echo $line | cut -d' ' -f3)
        hostname=$(echo $line | cut -d' ' -f4)
    fi

    [[ -z "$ipaddr" ]] && ipaddr="*"
    [[ -z "$hostname" ]] && hostname="*"

    printf "%-20s %-18s %s\n" "$mac" "$ipaddr" "$hostname"
}

print_clients_in_leases() {
    local line ipaddr hostname
    local mac

    if [[ -f $CONFDIR/dnsmasq.leases ]]; then
        while read line
        do
            mac=$(echo $line | cut -d' ' -f2)
            ipaddr=$(echo $line | cut -d' ' -f3)
            hostname=$(echo $line | cut -d' ' -f4)
            
            printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname"
            printf "%-20s %-18s %s\n" "$mac" "$ipaddr" "$hostname"
        done < $CONFDIR/dnsmasq.leases
    fi
}

list_clients() {
    local subn_iface pid

    # If PID is given, get the associated wifi iface
    if [[ "$1" =~ ^[1-9][0-9]*$ ]]; then
        pid="$1"
        subn_iface=$(get_subn_iface_from_pid "$pid")
        [[ -z "$subn_iface" ]] && die "'$pid' is not the pid of a running $PROGNAME instance."
    fi

    [[ -z "$subn_iface" ]] && subn_iface="$1"

    [[ -z "$pid" ]] && pid=$(get_pid_from_subn_iface "$subn_iface")
    [[ -z "$pid" ]] && die "'$subn_iface' is not used from $PROGNAME instance.\n\
       Maybe you need to pass the virtual interface instead.\n\
       Use --list-running to find it out."
    [[ -z "$CONFDIR" ]] && CONFDIR=$(get_confdir_from_pid "$pid")

    if [[ -f $CONFDIR/hostapd.conf  && $USE_IWCONFIG -eq 0 ]]; then
        local awk_cmd='($1 ~ /Station$/) {print $2}'
        local client_list=$(iw dev "$subn_iface" station dump | awk "$awk_cmd")

        if [[ -z "$client_list" ]]; then
            echo "No clients connected"
            return
        fi

        printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname"

        local mac
        for mac in $client_list; do
            print_client_by_mac $mac
        done
    else
        echo "Listing clients via DNS lease file. non-DHCPed clients won't be showed"
        print_clients_in_leases
    fi 
}

has_running_instance() {
    local PID x

    mutex_lock
    for x in /tmp/lnxrouter.*; do
        if [[ -f $x/pid ]]; then
            PID=$(cat $x/pid)
            if [[ -d /proc/$PID ]]; then
                mutex_unlock
                return 0
            fi
        fi
    done
    mutex_lock

    return 1
}

is_running_pid() {
    list_running | grep -E "^${1} " > /dev/null 2>&1
}

send_stop() {
    local x

    mutex_lock
    # send stop signal to specific pid
    if is_running_pid $1; then
        kill -USR1 $1
        mutex_unlock
        return
    fi

    # send stop signal to specific interface
    for x in $(list_running | grep -E " \(?${1}( |\)?\$)" | cut -f1 -d' '); do
        kill -USR1 $x
    done
    mutex_unlock
}


trap "cleanup_lock" EXIT

if ! init_lock; then
    echo "ERROR: Failed to initialize lock" >&2
    exit 1
fi

# if the user press ctrl+c or we get USR1 signal
# then run clean_exit()
trap "clean_exit" SIGINT SIGUSR1
# if we get USR2 signal then run die().
trap "die" SIGUSR2

if [[ $TP_PORT ]]; then
    SHARE_METHOD=redsocks
fi

if [[ $TP_DNS_PORT ]]; then
    dnsmasq_NO_DNS=1
fi

if [[ $SHARE_METHOD == 'none' ]]; then
    dnsmasq_NO_DNS=1
fi

if [[ $LIST_RUNNING -eq 1 ]]; then
    echo -e "List of running $PROGNAME instances:\n"
    list_running
    exit 0
fi

if [[ -n "$LIST_CLIENTS_ID" ]]; then
    list_clients "$LIST_CLIENTS_ID"
    exit 0
fi

if [[ $(id -u) -ne 0 ]]; then
    echo "You must run it as root." >&2
    exit 1
fi

if [[ -n "$STOP_ID" ]]; then
    echo "Trying to kill $PROGNAME instance associated with $STOP_ID..."
    send_stop "$STOP_ID"
    exit 0
fi

if [[ $FIX_UNMANAGED -eq 1 ]]; then
    echo "Trying to fix unmanaged status in NetworkManager..."
    networkmanager_fix_unmanaged
    exit 0
fi

if [[ $DAEMONIZE -eq 1 && $RUNNING_AS_DAEMON -eq 0 ]]; then
    echo "Running as Daemon..."
    # run a detached lnxrouter
    RUNNING_AS_DAEMON=1 setsid "$0" "${ARGS[@]}" &
    exit 0
fi

if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then
    echo "ERROR: Invalid frequency band" >&2
    exit 1
fi

if [[ $CHANNEL == default ]]; then
    if [[ $FREQ_BAND == 2.4 ]]; then
        CHANNEL=1
    else
        CHANNEL=36
    fi
fi

if [[ $FREQ_BAND != 5 && $CHANNEL -gt 14 ]]; then
    echo "Channel number is greater than 14, assuming 5GHz frequency band"
    FREQ_BAND=5
fi


if ! is_wifi_interface ${WIFI_IFACE}; then
    echo "ERROR: '${WIFI_IFACE}' is not a WiFi interface" >&2
    exit 1
fi

if ! can_be_ap ${WIFI_IFACE}; then
    echo "ERROR: Your adapter does not support AP (master) mode" >&2
    exit 1
fi

if ! can_be_sta_and_ap ${WIFI_IFACE}; then
    if is_wifi_connected ${WIFI_IFACE}; then
        echo "ERROR: Your adapter can not be a station (i.e. be connected) and an AP at the same time" >&2
        exit 1
    elif [[ $NO_VIRT -eq 0 ]]; then
        echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2
        NO_VIRT=1
    fi
fi

HOSTAPD=$(which hostapd)

if [[ ! -x "$HOSTAPD" ]]; then
    echo "ERROR: hostapd not found." >&2
    exit 1
fi

if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^(8192[cd][ue]|8723a[sue])$ ]]; then
    if ! strings "$HOSTAPD" | grep -m1 rtl871xdrv > /dev/null 2>&1; then
        echo "ERROR: You need to patch your hostapd with rtl871xdrv patches." >&2
        exit 1
    fi

    if [[ $DRIVER != "rtl871xdrv" ]]; then
        echo "WARN: Your adapter needs rtl871xdrv, enabling --driver=rtl871xdrv" >&2
        DRIVER=rtl871xdrv
    fi
fi


if [[ -n "$NEW_MACADDR" ]]; then
    if ! is_macaddr "$NEW_MACADDR"; then
        echo "ERROR: '${NEW_MACADDR}' is not a valid MAC address" >&2
        exit 1
    fi

    if ! is_unicast_macaddr "$NEW_MACADDR"; then
        echo "ERROR: The first byte of MAC address (${NEW_MACADDR}) must be even" >&2
        exit 1
    fi

    if [[ $(get_all_macaddrs | grep -c ${NEW_MACADDR}) -ne 0 ]]; then
        echo "WARN: MAC address '${NEW_MACADDR}' already exists. Because of this, you may encounter some problems" >&2
    fi
fi



if [[ ${#SSID} -lt 1 || ${#SSID} -gt 32 ]]; then
    echo "ERROR: Invalid SSID length ${#SSID} (expected 1..32)" >&2
    exit 1
fi

if [[ $USE_PSK -eq 0 ]]; then
    if [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -lt 8 ]] || [[ ${#PASSPHRASE} -gt 63 ]]; then
        echo "ERROR: Invalid passphrase length ${#PASSPHRASE} (expected 8..63)" >&2
        exit 1
    fi
elif [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -ne 64 ]]; then
    echo "ERROR: Invalid pre-shared-key length ${#PASSPHRASE} (expected 64)" >&2
    exit 1
fi

if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^rtl[0-9].*$ ]]; then
    if [[ -n "$PASSPHRASE" ]]; then
        echo "WARN: Realtek drivers usually have problems with WPA1, enabling -w 2" >&2
        WPA_VERSION=2
    fi
    echo "WARN: If AP doesn't work, please read: howto/realtek.md" >&2
fi


mutex_lock
trap "cleanup" EXIT
CONFDIR=$(mktemp -d /tmp/lnxrouter.${WIFI_IFACE}.conf.XXXXXXXX)
echo "Config dir: $CONFDIR"
echo "PID: $$"
echo $$ > $CONFDIR/pid

# to make --list-running work from any user, we must give read
# permissions to $CONFDIR and $CONFDIR/pid
chmod 755 $CONFDIR
chmod 444 $CONFDIR/pid

COMMON_CONFDIR=/tmp/lnxrouter.common.conf
mkdir -p $COMMON_CONFDIR

cp -n /proc/sys/net/ipv4/ip_forward $COMMON_CONFDIR

mutex_unlock



if [[ $USE_IWCONFIG -eq 0 ]]; then
    iw dev ${WIFI_IFACE} set power_save off
fi

if [[ $NO_VIRT -eq 0 ]]; then
    VWIFI_IFACE=$(alloc_new_iface)

    # in NetworkManager 0.9.9 and above we can set the interface as unmanaged without
    # the need of MAC address, so we set it before we create the virtual interface.
    if networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]]; then
        echo -n "Network Manager found, set ${VWIFI_IFACE} as unmanaged device... "
        networkmanager_add_unmanaged ${VWIFI_IFACE}
        # do not call networkmanager_wait_until_unmanaged because interface does not
        # exist yet
        echo "DONE"
    fi

    if is_wifi_connected ${WIFI_IFACE}; then
        WIFI_IFACE_FREQ=$(iw dev ${WIFI_IFACE} link | grep -i freq | awk '{print $2}')
        WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel ${WIFI_IFACE_FREQ})
        echo -n "${WIFI_IFACE} is already associated with channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)"
        if is_5ghz_frequency $WIFI_IFACE_FREQ; then
            FREQ_BAND=5
        else
            FREQ_BAND=2.4
        fi
        if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
            echo ", fallback to channel ${WIFI_IFACE_CHANNEL}"
            CHANNEL=$WIFI_IFACE_CHANNEL
        else
            echo
        fi
    fi

    VIRTDIEMSG="Maybe your WiFi adapter does not fully support virtual interfaces.
       Try again with --no-virt."
    echo -n "Creating a virtual WiFi interface... "

    if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
        # now we can call networkmanager_wait_until_unmanaged
        networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]] && networkmanager_wait_until_unmanaged ${VWIFI_IFACE}
        echo "${VWIFI_IFACE} created."
    else
        VWIFI_IFACE=
        die "$VIRTDIEMSG"
    fi
    OLD_MACADDR=$(get_macaddr ${VWIFI_IFACE})
    if [[ -z "$NEW_MACADDR" && $(get_all_macaddrs | grep -c ${OLD_MACADDR}) -ne 1 ]]; then
        NEW_MACADDR=$(get_new_macaddr ${VWIFI_IFACE})
    fi
    AP_IFACE=${VWIFI_IFACE}
else
    OLD_MACADDR=$(get_macaddr ${WIFI_IFACE})
    AP_IFACE=${WIFI_IFACE}
fi

mutex_lock
echo $AP_IFACE > $CONFDIR/subn_iface
chmod 444 $CONFDIR/subn_iface
mutex_unlock

if [[ -n "$COUNTRY" && $USE_IWCONFIG -eq 0 ]]; then
    iw reg set "$COUNTRY"
fi

can_transmit_to_channel ${AP_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}, frequency band ${FREQ_BAND}GHz."

if networkmanager_exists && ! networkmanager_iface_is_unmanaged ${AP_IFACE}; then
    echo -n "Network Manager found, set ${AP_IFACE} as unmanaged device... "
    networkmanager_add_unmanaged ${AP_IFACE}

    if networkmanager_is_running; then
        networkmanager_wait_until_unmanaged ${AP_IFACE}
    fi

    echo "DONE"
fi

[[ $HIDDEN -eq 1 ]] && echo "Access Point's SSID is hidden!"

[[ $MAC_FILTER -eq 1 ]] && echo "MAC address filtering is enabled!"

[[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!"

# hostapd config
cat << EOF > $CONFDIR/hostapd.conf
beacon_int=100
ssid=${SSID}
interface=${AP_IFACE}
driver=${DRIVER}
channel=${CHANNEL}
ctrl_interface=$CONFDIR/hostapd_ctrl
ctrl_interface_group=0
ignore_broadcast_ssid=$HIDDEN
ap_isolate=$ISOLATE_CLIENTS
EOF

if [[ -n "$COUNTRY" ]]; then
    cat << EOF >> $CONFDIR/hostapd.conf
country_code=${COUNTRY}
ieee80211d=1
EOF
fi

if [[ $FREQ_BAND == 2.4 ]]; then
    echo "hw_mode=g" >> $CONFDIR/hostapd.conf
else
    echo "hw_mode=a" >> $CONFDIR/hostapd.conf
fi

if [[ $MAC_FILTER -eq 1 ]]; then
    cat << EOF >> $CONFDIR/hostapd.conf
macaddr_acl=${MAC_FILTER}
accept_mac_file=${MAC_FILTER_ACCEPT}
EOF
fi

if [[ $IEEE80211N -eq 1 ]]; then
    cat << EOF >> $CONFDIR/hostapd.conf
ieee80211n=1
ht_capab=${HT_CAPAB}
EOF
fi

if [[ $IEEE80211AC -eq 1 ]]; then
    echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf
fi

if [[ -n "$VHT_CAPAB" ]]; then
    echo "vht_capab=${VHT_CAPAB}" >> $CONFDIR/hostapd.conf
fi

if [[ $IEEE80211N -eq 1 ]] || [[ $IEEE80211AC -eq 1 ]]; then
    echo "wmm_enabled=1" >> $CONFDIR/hostapd.conf
fi

if [[ -n "$PASSPHRASE" ]]; then
    [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3
    if [[ $USE_PSK -eq 0 ]]; then
        WPA_KEY_TYPE=passphrase
    else
        WPA_KEY_TYPE=psk
    fi
    cat << EOF >> $CONFDIR/hostapd.conf
wpa=${WPA_VERSION}
wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
EOF
else
    echo "Warning: Wifi is not protected by password" >&2
fi

SUBNET_IFACE=${AP_IFACE}

if [[ $NO_DNSMASQ -eq 0 ]]; then
    # dnsmasq config (dhcp + dns)
    DNSMASQ_VER=$(dnsmasq -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
    version_cmp $DNSMASQ_VER 2.63
    if [[ $? -eq 1 ]]; then
        DNSMASQ_BIND=bind-interfaces
    else
        DNSMASQ_BIND=bind-dynamic
    fi
    
    cat << EOF > $CONFDIR/dnsmasq.conf
user=nobody
group=nobody
${DNSMASQ_BIND}
listen-address=${GATEWAY}
interface=$SUBNET_IFACE
except-interface=*
no-dhcp-interface=lo
dhcp-range=${GATEWAY%.*}.1,${GATEWAY%.*}.254,255.255.255.0,24h
dhcp-option-force=option:router,${GATEWAY}
EOF
    if [[ "$DHCP_DNS" != "no" ]]; then
        if [[ "$DHCP_DNS" == "gateway" ]]; then
            dns_offer="$GATEWAY"
        else
            dns_offer="$DHCP_DNS"
            dnsmasq_NO_DNS=1
        fi
        echo "dhcp-option-force=option:dns-server,${dns_offer}" >> $CONFDIR/dnsmasq.conf
    else
        dnsmasq_NO_DNS=1
    fi
    
    if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then
        echo "port=0"  >> $CONFDIR/dnsmasq.conf
    fi
    MTU=1280 # TODO temporary value. This used to be read from the INTERNET_IFACE
    [[ -n "$MTU" ]] && echo "dhcp-option-force=option:mtu,${MTU}" >> $CONFDIR/dnsmasq.conf
    [[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> $CONFDIR/dnsmasq.conf
    [[ -n "$ADDN_HOSTS" ]] && echo "addn-hosts=${ADDN_HOSTS}" >> $CONFDIR/dnsmasq.conf
    if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
        echo log-queries=extra >> $CONFDIR/dnsmasq.conf
        echo log-facility=/dev/null >> $CONFDIR/dnsmasq.conf
    fi
fi

# initialize WiFi interface
if [[ $NO_VIRT -eq 0 && -n "$NEW_MACADDR" ]]; then
    ip link set dev ${AP_IFACE} address ${NEW_MACADDR} || die "$VIRTDIEMSG"
fi

ip link set down dev ${AP_IFACE} || die "$VIRTDIEMSG"
ip addr flush ${AP_IFACE} || die "$VIRTDIEMSG"

if [[ $NO_VIRT -eq 1 && -n "$NEW_MACADDR" ]]; then
    ip link set dev ${AP_IFACE} address ${NEW_MACADDR} || die
fi


ip link set up dev ${AP_IFACE} || die "$VIRTDIEMSG"
ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${AP_IFACE} || die "$VIRTDIEMSG"


# enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then
    echo "No Internet sharing"
elif [[ "$SHARE_METHOD" == "nat" ]]; then
    start_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward || die
    # to enable clients to establish PPTP connections we must
    # load nf_nat_pptp module
    modprobe nf_nat_pptp > /dev/null 2>&1
elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
    if [[ "$dnsmasq_NO_DNS" -eq 0 ]]; then
        echo 
        echo "Warning: You are using transparent proxy but gateway is providing local DNS, this may cause privacy leak !!!"
        echo 
    fi
    start_redsocks
fi

# start dhcp + dns (optional)

if [[ "$DHCP_DNS" == "gateway" ]]; then
    allow_dns_port
fi

if [[ "$TP_DNS_PORT" ]]; then
    redirect_dns
fi

if [[ $NO_DNSMASQ -eq 0 ]]; then
    start_dhcp

    if which complain > /dev/null 2>&1; then
        # openSUSE's apparmor does not allow dnsmasq to read files.
        # remove restriction.
        complain dnsmasq
    fi

    umask 0033
    dnsmasq -d -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid -l $CONFDIR/dnsmasq.leases -u nobody -g nobody|| die & 
    umask $SCRIPT_UMASK
fi


# start access point
echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"

if [[ $NO_HAVEGED -eq 0 ]]; then
    haveged_watchdog &
    HAVEGED_WATCHDOG_PID=$!
fi

# start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout)
STDBUF_PATH=`which stdbuf`
if [ $? -eq 0 ]; then
    STDBUF_PATH=$STDBUF_PATH" -oL"
fi
$STDBUF_PATH $HOSTAPD $HOSTAPD_DEBUG_ARGS $CONFDIR/hostapd.conf &
HOSTAPD_PID=$!
echo $HOSTAPD_PID > $CONFDIR/hostapd.pid

if ! wait $HOSTAPD_PID; then
    echo -e "\nError: Failed to run hostapd, maybe a program is interfering." >&2
    if networkmanager_is_running; then
        echo "If an error like 'n80211: Could not configure driver mode' was thrown" >&2
        echo "try running the following before starting lnxrouter:" >&2
        if [[ $NM_OLDER_VERSION -eq 1 ]]; then
            echo "    nmcli nm wifi off" >&2
        else
            echo "    nmcli r wifi off" >&2
        fi
        echo "    rfkill unblock wlan" >&2
    fi
    die
fi

clean_exit