t38modem.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262

#!/usr/bin/bash

set -e
set -u

g_opt_F='t38fax' # function to run
g_opt_T='ttyT'
while getopts 'F:T:' opt; do
  case "${opt}" in
  F)g_opt_F="${OPTARG}";;
  T)g_opt_T="${OPTARG}";;
  esac
done
shift "$((OPTIND-1))"
unset opt OPTARG OPTIND

if [ "$(awk '{print int($1)}' '/proc/uptime')" -le 120 ]; then
  sleep 30
fi

g_lan_ip=''             # 0.0.0.0 if not multi homing. Else the default outgoing interface to prevent multiple registrations. Wihout a port mapping you get error: Call cleared due to loss of media flow.
g_pub_ip=''
case "${g_opt_T}" in
'ttyT')
  g_opt_Tx=''
  g_udid=''           # Usually an 10 or 11 digit phone number
  g_pw=''
  g_pub_port='5090'              # Always even number. Need router port mapping for this and RTP ports
  g_lan_ip+=":${g_pub_port}"
  g_sip_ip='sip.t38fax.com:5080' # port 5060,5090 returns SIP registration of sip:<dn>@sip.t38fax.com failed (513 Message Too Large)
# https://community.fortinet.com/t5/FortiGate/Technical-Tip-Session-timeout-settings/ta-p/191228
# https://community.fortinet.com/t5/FortiGate/Technical-Tip-Change-session-ttl-on-firewall-policy/ta-p/195971?externalID=FD35176
# https://www.hex64.net/blog/how-to-change-session-ttl-for-a-firewall-policy-in-fortigate/
# https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VIP-responds-to-telnet-on-port-5060-and/ta-p/195354
# Remove ALG and other SIP trash until nmap shows that the Fortiate ALG is no longer listening on ports 5060,2000
# Debug SIP registration problems with WireShark or tcpdump -v
  g_sip_ping="${g_sip_ip%%:*}"
  g_sip_expires='300'            # need router TTL adjustment to +60 seconds, 423 Interval Too Brief: find this value with tcpdump -v
  g_ctty=1
  ;;
'ttyAC')
  #g_pub_port='5082'
  #g_ctty=1
  #g_udid=''           # Usually an 10 or 11 digit phone number
  #g_pw=''
  g_pub_port='5104'
  g_ctty=6
  g_udid=''           # Usually an 10 or 11 digit phone number
  g_pw=''

  g_opt_Tx="${g_opt_T}"
  g_sip_ip='sip.example.com:5060'
  g_sip_ping="${g_sip_ip%%:*}"
  g_sip_expires='3600'
  g_lan_ip+=":${g_pub_port}"
  ;;
*) printf '%s not supported by %s\n' "${g_opt_T}" "$0"; exit 1;;
esac

g_dnsa=('api.ipify.org' 'ifconfig.me' 'icanhazip.com' 'ipinfo.io/ip' 'ident.me' 'ipecho.net/plain') # https://opensource.com/article/18/5/how-find-ip-address-linux
# https://stackoverflow.com/questions/5533569/simple-method-to-shuffle-the-elements-of-an-array-in-bash-shell
shuffle() {
  local i tmp size max rand

  # $RANDOM % (i+1) is biased because of the limited range of $RANDOM
  # Compensate by using a range which is a multiple of the array size.
  size="${#g_dnsa[*]}"
  max="$(( 32768 / size * size ))"

  for ((i=size-1; i>0; i--)); do
    while (( (rand="$RANDOM") >= max )); do :; done
    rand="$(( rand % (i+1) ))"
    tmp="${g_dnsa[i]}" g_dnsa[i]="${g_dnsa[rand]}" g_dnsa[rand]="${tmp}"
  done
}

_fn_dnstest() {
  local pub_ip2
  for dns in "${g_dnsa[@]}"; do
    set +e
    pub_ip2="$(curl -4 -s "${dns}")"
    set -e
    if [[ "${pub_ip2}" =~ ^[0-9.]{8,15}$ ]]; then
      printf 'Success: %s %s\n' "${pub_ip2}" "${dns}"
    else
      printf 'Fail: %s\n' "${dns}"
    fi
  done
}

g_tmp='/tmp/devt38modem'
# https://unix.stackexchange.com/questions/7738/how-can-i-use-variable-in-a-shell-brace-expansion-of-a-sequence
test "${g_ctty}" -gt 0
for (( idx = 0; idx < "${g_ctty}"; idx++ )); do
  g_ptty+=("${g_opt_T}${idx}")
done
unset idx
g_uid='uucp'
g_gid='uucp'
g_watchdog="${g_tmp}/t38modem.watchdog.${g_opt_T}.txt"
g_restarts='Assertion fail|Call failed security check|has no compatible listener|failed .403'

# 0 - create shadow symlinks in g_tmp. Use this when systemd sets User=uucp Group=uucp
# 1 - no shadow links. Use with 0005-privileges-uucp.patch or if running as root
_opt_ShadowTMP=0

_fn_cleantty() {
  if [ "${EUID}" -eq 0 ]; then
    if [ "${_opt_ShadowTMP}" -eq 0 ]; then
      rm -f "${g_ptty[@]/#/${g_tmp}/}"
    fi
    rm -f "${g_ptty[@]/#//dev/}"
  fi
}

mvwatchdog() {
  local wn="${g_watchdog##*/}"
  wn="${wn%.txt}-$(date +'%+4Y-%m-%d_%H-%M-%S').log"
  mv "${g_watchdog}" "/var/log/t38modem/${wn}"
}

_fn_watchdog() {
  if [ "${EUID}" -eq 0 ]; then
    if [ -s "${g_watchdog}" ]; then
      if ping -w '2' -q -n -c '1' "${g_sip_ping}" > /dev/null; then
        local wd='t38modem'
        if [ ! -z "${g_opt_Tx}" ]; then
          wd+="@${g_opt_Tx}"
        fi
        systemctl stop "${wd}.service"
        mvwatchdog
        printf 'Restarting %s due to crash' "${wd}"
        systemctl start "${wd}.service"
        local pt
        for pt in "${g_ptty[@]}"; do
          pt="faxgetty@${pt}.service"
          if systemctl -q 'is-enabled' "${pg}"; then
            systemctl restart "${pt}"
          fi
        done
      fi
    elif ! pgrep -f -c -u "root,${g_uid}" "t38modem .+/${g_opt_T}" > /dev/null; then
      _fn_cleantty
    fi
  fi
}

# I tried to get Hylafax+ to run faxgetty with full paths. It just didn't work.
_fn_prep() {
  if [ "${EUID}" -eq 0 ]; then
    #chown "root:${g_gid}" "$0"
    chown "${g_uid}:root" "$0"
    chmod 700 "$0"
    umask 007
    mkdir -p "${g_tmp}"
    chown -R "${g_uid}:${g_gid}" "${g_tmp}"
    chmod 750 "${g_tmp}"
    if [ "${_opt_ShadowTMP}" -eq 0 ]; then
      cd '/dev'
      local p
      for p in "${g_ptty[@]}"; do
        ln -sf "${g_tmp}/${p}"
      done
    fi
  fi
}

_fn_t38fax() {
  local pwfile="${g_tmp}/t38modem.pw.${g_opt_T}.txt"
  umask 077
  printf '%s' "${g_pw}" > "${pwfile}"
  umask 022
  local topts=()
  topts+=(
    # A registration is sent for every found interface so only enable the used interfaces.
    # No ipv6,tls,ws,wss listener unless used by the fax service.
    # Only a single ip on multi homing systems.
    --sip-listen='udp$'"${g_lan_ip}" # few services support tcp. some services won't allow multiple contact fields
    #--udp-base "$((g_pub_port+1))"
    #--udp-max  "$((g_pub_port+1))"
    #--portbase "$((g_pub_port))"
    #--portmax "$((g_pub_port+2+g_ctty*2))"
    --rtp-base "$((g_pub_port+2))"
    --rtp-max  "$((g_pub_port+2+g_ctty*2))" # 2 RTP ports per line
    --Use-ECM
    #--sip-proxy "${g_udid}:${g_pw}@${g_sip_ip}" # supported but not necessary
    --route={fax:,t38:,modem:}$'.*\t'".*=sip:<dn>@${g_sip_ip}"
    #--route={fax:,t38:,modem:}".*=sip:<dn>@${g_sip_ip}"
    --route='sip:.*\t.*=modem:<dn>'                  # Receive fax routes to Hylafax receive.
    --jitter   '80,80'
    --ssl-ca   '/etc/ssl/certs/ca-certificates.crt'
    --ssl-cert "${g_tmp}/t38modem_opal_certificate-${g_opt_T}.pem"
    --ssl-key  "${g_tmp}/t38modem_opal_private_key-${g_opt_T}.pem"
    #--sip-register "${g_udid}@${g_sip_ip},${g_pw},,,,${g_sip_expires},public"
    --sip-register "${g_udid}@${g_sip_ip},@@@${pwfile},,,,${g_sip_expires},public"
    #-u "${g_udid}"
    #-p "${g_pw}"
  )
  if [ "${_opt_ShadowTMP}" -eq 0 ]; then
    topts+=("${g_ptty[@]/#/--ptty=+${g_tmp}/}")
  else
    topts+=("${g_ptty[@]/#/--ptty=+/dev/}")
  fi

  # Without one of these NAT handlers return connections fail and you get error: Call cleared due to loss of media flow.
  if :; then
    local dns
    shuffle # g_dnsa
    for dns in "${g_dnsa[@]}"; do
      local pub_ip2="$(curl -4 -s "${dns}")"
      if [[ "${pub_ip2}" =~ ^[0-9.]{8,15}$ ]]; then
        printf '%s %s\n' "${pub_ip2}" "${dns}"
        break
      fi
      pub_ip2=''
    done
    if [ -z "${pub_ip2}" ]; then
      pub_ip2="${g_pub_ip}"
      printf '%s %s\n' "${pub_ip2}" '(default)'
    fi
    topts+=(--translate "${pub_ip2}")
  elif :; then
    topts+=(--stun 'stun.ekiga.net')
  fi

  local g_opt_Tx=''
  if [ "${EUID}" -eq "$(id -u "${g_uid}")" ]; then
    # topts+=(-t -o "/var/log/t38modem/t38modem-trace-${g_opt_T}-$(date +'%+4Y-%m-%d_%H-%M-%S').log")
    # Run with systemd
    if [ -s "${g_watchdog}"} ]; then
      mvwatchdog
    fi
    rm -f "${g_watchdog}"
    umask 077
    local pwfake="$(printf '%*s' "${#g_pw}" '')"
    pwfake="${pwfake// /A}"
    local seds=(
      #-e '/^Open / d' -e '/^Close / d'
      #-e 's/Password: .*$/Password: /g'
      #-e "s:${g_pw}:${pwfake}:g"
      #-e "/^Call/! w ${g_watchdog}"
      #-e "/${g_restarts//|/\\|}/I w ${g_watchdog}"
      -E -e "/${g_restarts}/I w ${g_watchdog}"
    )
    g_pw=''
    exec "t38modem${g_opt_Tx}" "${topts[@]}" 2>&1 | sed --unbuffered "${seds[@]}"
  elif pgrep -c -u "root,${g_uid}" "t38modem${g_opt_Tx}$" > /dev/null; then
    printf "t38modem${g_opt_Tx} is already running" 1>&2
  else
    if :; then
      if [ -s "trace-${g_opt_T}.log" ]; then
        mv "trace-${g_opt_T}.log" "trace-${g_opt_T}-$(date -r 'trace.log' +'%+4Y-%m-%d_%H-%M-%S').log"
      fi
    fi
    topts+=(-t -o "trace-${g_opt_T}.log")
    _fn_cleantty
    _fn_prep
    sudo nice -n '-10' "t38modem${g_opt_Tx}" "${topts[@]}"
    _fn_cleantty
  fi
}
_fn_${g_opt_F}