merlin-ac68u-add-networks.sh

#!/bin/sh
#DEBUG= # uncomment/comment to enable/disable debug mode

#          name: merlin-ac68u-add-networks.sh
#       version: 2.0.1, 27-jun-2024, by eibgrad
#       purpose: add ip networks using vlans, aps/vaps, bridges, etc.
#       type(s): dnsmasq.postconf (optional), firewall-start (optional),
#                service-event-end, services-start
#          href: https://tinyurl.com/kumyymcw (version 1.x.x)
#          href: https://tinyurl.com/ycxxmw6d (version 2.x.x)
#  installation:
#    1. enable jffs custom scripts and configs (administration->system)
#    2. ssh to router and copy/paste the following command:
#         curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s hvHHic1V
#    3. use nano editor to modify script w/ your preferred options:
#         nano /jffs/configs/merlin-ac68u-add-networks.options
#    4. reboot

# compatibility checks
if [ "$(nvram get sw_mode)" != '1' ]; then
    echo 'error: script only supports a routed configuration'
    exit 1
elif ! which robocfg &>/dev/null; then
    echo 'error: script is NOT compatible w/ this firmware; requires robocfg'
    exit 1
fi

CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/merlin-ac68u-add-networks.options"

SCRIPTS_DIR='/jffs/scripts'
SCRIPT1="$SCRIPTS_DIR/merlin-ac68u-add-networks.dnsmasq"
SCRIPT2="$SCRIPTS_DIR/merlin-ac68u-add-networks.firewall"
SCRIPT3="$SCRIPTS_DIR/merlin-ac68u-add-networks.service-event-end"
SCRIPT4="$SCRIPTS_DIR/merlin-ac68u-add-networks.services-start"
SCRIPT5="$SCRIPTS_DIR/dnsmasq.postconf"
SCRIPT6="$SCRIPTS_DIR/firewall-start"
SCRIPT7="$SCRIPTS_DIR/service-event-end"
SCRIPT8="$SCRIPTS_DIR/services-start"

mkdir -p $CONFIGS_DIR $SCRIPTS_DIR

# ----------------- begin merlin-ac68u-add-networks.options ------------------ #
cat << 'EOF' > $CONFIG

# ------------------------------ BEGIN OPTIONS ------------------------------- #

# VLANS_PORTS='[<vlan-id>[/<port>...] ...]'
VLANS_PORTS='1/1/2/3 3/4'          # vlan1 ports 1 2 3, vlan3 port 4
#VLANS_PORTS='1/1/2 3/3/4'          # vlan1 ports 1 2, vlan3 ports 3 4
#VLANS_PORTS='1 10/1/2/3/4'         # vlan1 no ports, vlan10 ports 1 2 3 4
#VLANS_PORTS='1/1 10/2 11/3 12/4'   # vlan1/vlan10/vlan11/vlan12, one port each
#VLANS_PORTS='1/1/2/3/4t 3/4t'      # vlan1/vlan3 port 4 trunk

# VLANS_WL='[<vlan-id>[/<wireless-if>...] ...]'
#VLANS_WL=''                        # no wireless changes required
#VLANS_WL='3/eth1'                  # bridge vlan3 w/ 2.4ghz
VLANS_WL='3/eth2'                  # bridge vlan3 w/ 5ghz
#VLANS_WL='3/wl0.1/wl1.1'           # bridge vlan3 w/ guest 1 (2.4+5ghz)
#VLANS_WL='3/wl0.1 4/wl1.1'         # bridge vlan3/vlan4 w/ guest 1 (2.4/5ghz)
#VLANS_WL='10/wl0.1/wl1.1'          # bridge vlan10 w/ guest 1 (2.4+5ghz)
#VLANS_WL='11/wl0.2/wl1.2'          # bridge vlan11 w/ guest 2 (2.4+5ghz)
#VLANS_WL='12/wl0.3/wl1.3'          # bridge vlan12 w/ guest 3 (2.4+5ghz)
# bridge vlans 10/11/12 /w guests 1/2/3 respectively
#VLANS_WL='10/wl0.1/wl1.1 11/wl0.2/wl1.2 12/wl0.3/wl1.3'

#VLANS_PORTS=''; VLANS_WL=''        # for cleanup purposes only

# ip network prefix (default is based on private network (e.g., 192.168.))
#IP_PFX='10.99.' # first two dotted octets only

# uncomment/comment to include/exclude pre-defined dnsmasq directives
#   warning: any change requires reinstallation w/ this script!
INCLUDE_DNSMASQ=

# uncomment/comment to use specified/default dns server(s)
DNS_SERVERS='8.8.8.8,8.8.4.4' # comma-separated

# uncomment/comment to include/exclude pre-defined firewall rules
#   warning: any change requires reinstallation w/ this script!
INCLUDE_FIREWALL=

# uncomment/comment to allow/deny access from private network to new networks
#ALLOW_PRIVATE_TO_ANY=

# uncomment/comment to allow/deny access to/from openvpn clients/servers
#ALLOW_OVPN_ACCESS=

# these are just examples; uncomment and modify as you see fit
DNSMASQ_ADDITIONS='
# static leases (hostname and lease time optional)
#dhcp-host=br3,47:b5:1d:54:5c:fb,192.168.3.100,desktop,24h
#dhcp-host=br3,64:67:16:cd:c7:c0,59:21:2d:99:28:70,192.168.3.101
# per-network static leases for device w/ multiple network adapters
#dhcp-host=br0,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.1.99,laptop
#dhcp-host=br10,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.10.99,laptop
#dhcp-host=br11,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.11.99,laptop
#dhcp-host=br12,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.12.99,laptop
# hostnames (dynamic leases only)
#dhcp-host=a3:fa:ca:ba:07:2c,somehostname1
#dhcp-host=43:f3:52:dd:67:d9,somehostname2
'
# function firewall_additions( vlan-id )
firewall_additions() {

local brx=br${1} # generalize reference to current bridge under examination

# useful constants
local WAN_IF="$WAN_IF"
local LAN_IP="$(nvram get lan_ipaddr)" # (e.g., 192.168.1.1)
local LAN_NET="$LAN_IP/$(nvram get lan_netmask)" # (e.g., 192.168.1.0/24)
local LAN_PFX="$(echo $LAN_IP | grep -o '^.*\.')" # (e.g., 192.168.1.)

case "$1" in

# these are just examples; uncomment and modify as you see fit

3) ### vlan3/br3 rules go here ###
# allow access to printer hosted on router
#iptables -I INPUT -p tcp -i $brx --dport 9100 -j ACCEPT
:;; # DO NOT DISTURB

4) ### vlan4/br4 rules go here ###
# deny routing to internet based on source ip range
#iptables -I FORWARD -i $brx -o $WAN_IF -m iprange \
#    --src-range "${IP_PFX}${1}.110-${IP_PFX}${1}.119" -j REJECT
# deny routing to internet based on source mac address
#iptables -I FORWARD -i $brx -o $WAN_IF -m mac --mac-source \
#    0a:32:13:75:7d:95 -j REJECT
:;; # DO NOT DISTURB

5) ### vlan5/br5 rules go here ###
# deny routing from 10:00PM to 6:00AM, Sunday->Friday (student schedule)
#iptables -I FORWARD -i $brx -m time --timestart 22:00 --timestop 00:00 \
#    --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
#iptables -I FORWARD -i $brx -m time --timestart 00:00 --timestop 06:00 \
#    --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT
:;; # DO NOT DISTURB

# repeat as necessary for additional vlans/bridges

*) ### rules that apply across all vlans/bridges (br+) go here ###
# allow access to printer hosted on private network (other than router)
#iptables -I FORWARD -p tcp -i $brx -o br0 -d "${LAN_PFX}100" \
#    --dport 9100 -j ACCEPT
:;; # DO NOT DISTURB

esac
}

# ------------------------------- END OPTIONS -------------------------------- #

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# shared/global functions and constants (do NOT touch!)

debug_enabled() { set -o | grep -Eq '^xtrace\s+on$'; }

BASENAME="$(basename $0)"
NOW="$(date +'%Y-%m-%d-%H%M%S')"
LOG="$(debug_enabled && echo /tmp/${BASENAME}_${NOW}_$$.log || echo /dev/null)"
MIN_VID=3 MAX_VID=255 MIN_PORT=1 MAX_PORT=4
[ "$IP_PFX" ] || IP_PFX="$(nvram get lan_ipaddr | grep -Eo '^(.{1,3}\.){2}')"

EOF
echo "installed: $CONFIG"
# ------------------ end merlin-ac68u-add-networks.options ------------------- #

# ----------------- begin merlin-ac68u-add-networks.dnsmasq ------------------ #
if grep -q '^INCLUDE_DNSMASQ=' $CONFIG; then
cat << 'EOF' > $SCRIPT1
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
. $CONFIG
{
. /usr/sbin/helper.sh

DNSMASQ_CONFIG="$1"

# function write( string )
write() { pc_append "$1" $DNSMASQ_CONFIG; }

# function validate_vlan_id( vlan-id )
validate_vlan_id() {
    local vlan_id=$1

    if ! echo $vlan_id | grep -Eq '^[0-9]+$'; then
        return 1
    elif [[ $vlan_id -lt $MIN_VID || $vlan_id -gt $MAX_VID ]]; then
        return 1
    fi

    return 0
}

# function add_dhcp_server( bridge-index )
add_dhcp_server() {
    write "interface=br${1}"
    write "dhcp-range=br${1},${IP_PFX}${1}.100,${IP_PFX}${1}.254,255.255.255.0,24h"
    write "dhcp-option=br${1},3,${IP_PFX}${1}.1"
    [ "$DNS_SERVERS" ] && write "dhcp-option=br${1},6,$DNS_SERVERS"
}

write "# --- begin additions by $BASENAME --- #"

# add dhcp server configuration for each new bridge
for vp in $VLANS_PORTS; do
    vlan_id="$(echo $vp | cut -d/ -f1)"

    # ignore bad/missing input
    [ $vlan_id ] || continue

    # validate and add dhcp server for this vlan-id
    validate_vlan_id $vlan_id && add_dhcp_server $vlan_id
done

# add user-defined directives
OIFS="$IFS"; IFS=$'\n'
for line in $DNSMASQ_ADDITIONS; do
    echo $line | grep -Eq '^[[:space:]]*(#|$)' || write "$line"
done
IFS="$OIFS"

write "# ---- end additions by $BASENAME ---- #"

exit 0
} 2>&1 | tee $LOG | logger -t $BASENAME[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT1
sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT1
chmod +x $SCRIPT1
echo "installed: $SCRIPT1"
fi
# ------------------ end merlin-ac68u-add-networks.dnsmasq ------------------- #

# ----------------- begin merlin-ac68u-add-networks.firewall ----------------- #
if grep -q '^INCLUDE_FIREWALL=' $CONFIG; then
cat << 'EOF' > $SCRIPT2
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
. $CONFIG
{
WAN_IF="$([ $1 ] && echo $1 || echo $(nvram get wan0_ifname))"

# function validate_vlan_id( vlan-id )
validate_vlan_id() {
    local vlan_id=$1

    if ! echo $vlan_id | grep -Eq '^[0-9]+$'; then
        return 1
    elif [[ $vlan_id -lt $MIN_VID || $vlan_id -gt $MAX_VID ]]; then
        return 1
    fi

    return 0
}

# function add_rules( bridge-index )
add_rules() {
    # limit new bridge to essential router services (dhcp, dns, ping)
    iptables -I INPUT -i br${1} -j REJECT
    iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p icmp -j ACCEPT
    if [ ! "$DNS_SERVERS" ]; then
        iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p tcp --dport 53 -j ACCEPT
        iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p udp --dport 53 -j ACCEPT
    fi
    iptables -I INPUT -i br${1} -p udp --dport 67 -j ACCEPT

    # define routing limits of new bridge (default is internet only)
    iptables -I FORWARD -i br${1} -j REJECT
    if [ ! ${ALLOW_PRIVATE_TO_ANY+x} ]; then
        iptables -I FORWARD -i br0 -o br${1} -j REJECT
    fi
    if [ ${ALLOW_OVPN_ACCESS+x} ]; then
        iptables -I FORWARD -i tun2+  -o br${1} -j ACCEPT
        iptables -I FORWARD -i br${1} -o tun1+  -j ACCEPT
    fi
    iptables -I FORWARD -i br${1} -m conntrack --ctstate DNAT -j ACCEPT
    iptables -I FORWARD -i br${1} -o $WAN_IF -j ACCEPT
}

# add firewall rules for each new bridge
for vp in $VLANS_PORTS; do
    vlan_id="$(echo $vp | cut -d/ -f1)"

    # ignore bad/missing input
    [ $vlan_id ] || continue

    validate_vlan_id $vlan_id || continue

    # add rules for this vlan-id
    add_rules $vlan_id

    # add user-defined rules (if any) for this vlan-id
    firewall_additions $vlan_id
done

# add user-defined rules that apply across all bridges (br+)
firewall_additions '+'

exit 0
} 2>&1 | tee $LOG | logger -t $BASENAME[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT2
sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT2
chmod +x $SCRIPT2
echo "installed: $SCRIPT2"
fi
# ------------------ end merlin-ac68u-add-networks.firewall ------------------ #

# -------------- begin merlin-ac68u-add-networks.services-start -------------- #
cat << 'EOF' > $SCRIPT3
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
. $CONFIG
{
CPU_PORT="$(robocfg show | awk '/vlan1:/{print $NF}')"

# function validate_vlan_id( vlan-id )
validate_vlan_id() {
    local vlan_id=$1

    if [ $vlan_id != '1' ]; then
        if [ $vlan_id == '2' ]; then
            echo "error: changes to vlan2 (wan) NOT supported"
            return 1
        elif ! echo $vlan_id | grep -Eq '^[0-9]+$'; then
            echo "error: vlan-id ${vlan_id} not numeric"
            return 1
        elif [[ $vlan_id -lt $MIN_VID || $vlan_id -gt $MAX_VID ]]; then
            echo "error: vlan${vlan_id} out of range ($MIN_VID-$MAX_VID)"
            return 1
        fi
    fi

    return 0
}

# function add_vlan_and_bridge( vlan-id ports )
add_vlan_and_bridge() {
    local vlan_id=$1
    local ports="$2"

    # create new vlan w/ specified port(s)
    robocfg vlan $vlan_id ports "$ports"

    # add new vlan to eth0 (cpu) network interface
    vconfig add eth0 $vlan_id

    # bring up new vlan
    ifconfig vlan${vlan_id} up

    # create new bridge and add new vlan
    brctl addbr br${vlan_id}
    brctl addif br${vlan_id} vlan${vlan_id}

    # configure new bridge w/ preferred settings
    stp=$([ "$(nvram get lan_stp)" == '1' ] && echo 'on' || echo 'off')
    brctl stp br${vlan_id} $stp # stp to prevent bridge loops
    brctl setfd br${vlan_id} 2  # stp forward delay (2 secs)

    # config ip on new bridge and bring up network
    ifconfig br${vlan_id} ${IP_PFX}${vlan_id}.1 netmask 255.255.255.0 up
}

# respond to *all* wireless events (start/restart/stop)
[ "$2" == 'wireless' ] || exit 0

# cleanup any previous vlan/bridge configurations
n=$MIN_VID
while [ "$(nvram get br${n}_ifname)" ]; do
    br="$(nvram get br${n}_ifname)"
    vl="$(nvram get br${n}_ifnames | cut -d' ' -f1)"

    ifconfig $br down 2>/dev/null && brctl delbr $br && vconfig rem $vl

    nvram unset  br${n}_ifname
    nvram unset  br${n}_ifnames
    nvram unset lan${n}_ifname
    nvram unset lan${n}_ifnames

    [ $((++n)) -le $MAX_VID ] || break
done

# commit changes from cleanup if no other actions requested/required
[[ $((n)) -gt $MIN_VID && ! "$VLANS_PORTS" && ! "$VLANS_WL" ]] && nvram commit

# assign ports to vlans
for vp in $VLANS_PORTS; do
    vlan_id="$(echo $vp | cut -d/ -f1)"

    # ignore bad/missing input
    [ $vlan_id ] || continue

    validate_vlan_id $vlan_id || continue

    # isolate ports from vlan-id
    vlan_ports="$(echo $vp | awk -F/ '{$1=""; print $0}')"

    # validate ports
    for p in $vlan_ports; do
        if ! echo $p | grep -Eq '^[0-9]+[tu*]{0,1}$'; then
            echo "error: port $p specification not valid"
            continue 2
        fi
        _p="$(echo $p | grep -Eo '^[0-9]*')"
        if [[ $_p -lt $MIN_PORT || $_p -gt $MAX_PORT ]]; then
            echo "error: port $p out of range ($MIN_PORT-$MAX_PORT)"
            continue 2
        fi
    done

    # add cpu port to ports
    vlan_ports="$(echo $vlan_ports $CPU_PORT)"

    if [ $vlan_id == '1' ]; then
        robocfg vlan 1 ports "$vlan_ports"
        continue
    fi

    add_vlan_and_bridge $vlan_id "$vlan_ports"

    # determine next available bridge/lan index
    #n=$vlan_id # doesn't work; must be assigned sequentially
    n=$MIN_VID; while [ "$(nvram get lan${n}_ifname)" ]; do let n++; done

    # add and initialize network interface names
    nvram set  br${n}_ifname=br${vlan_id}
    nvram set  br${n}_ifnames=vlan${vlan_id}
    nvram set lan${n}_ifname=br${vlan_id}
    nvram set lan${n}_ifnames=vlan${vlan_id}
done

# bridge wireless to vlans
for vw in $VLANS_WL; do
    vlan_id="$(echo $vw | cut -d/ -f1)"

    # ignore bad/missing input
    [ $vlan_id ] || continue

    validate_vlan_id $vlan_id || continue

    # validate vlan-id usage
    if ! ifconfig vlan${vlan_id} &>/dev/null; then
        echo "error: vlan${vlan_id} not found"
        continue
    fi

    # isolate wireless network interfaces from vlan-id
    vlan_wl="$(echo $(echo $vw | awk -F/ '{$1=""; print $0}'))"

    # move wireless network interfaces to new bridge
    for wl in $vlan_wl; do
        # validate wireless network interface
        case $wl in
            'eth1'|'eth2'|'wl0.1'|'wl1.1'|'wl0.2'|'wl1.2'|'wl0.3'|'wl1.3') :;;
          *) echo "error: unknown wireless network interface: ${wl}"; continue 2;;
        esac

        # wireless network interface must be up and running
        if ! ifconfig $wl &>/dev/null; then
            echo "error: wireless network interface not available: ${wl}"
            continue 2
        fi

        # delete wireless network interface from current bridge
        n=0
        if brctl show | grep -q "\s${wl}\$"; then
            while ! brctl delif br${n} $wl 2>/dev/null; do
                if [ $((++n)) -gt $MAX_VID ]; then
                    echo "program error: wireless network interface not found: ${wl}"
                    break
                fi
            done
        fi

        # add wireless network interface to new bridge
        brctl addif br${vlan_id} $wl
    done

    # find bridge/lan index for this vlan
    n=$MIN_VID
    while ! nvram get br${n}_ifnames | grep -Eq "^vlan${vlan_id}( |$)"; do
        if [ $((++n)) -gt $MAX_VID ]; then
            echo "program error: bridge/lan index not found: ($n)"
            continue 2
        fi
    done

    # add wireless network interface names to corresponding bridge/lan
    nvram set  br${n}_ifnames="$(nvram get  br${n}_ifnames) $vlan_wl"
    nvram set lan${n}_ifnames="$(nvram get lan${n}_ifnames) $vlan_wl"

    # convert wireless network interface names to sed search mask
    mask=''; for wl in $vlan_wl; do mask="${mask}${wl}(\s|\$)|"; done

    # remove wireless network interface names from system bridges/lans
    for i in 0 1 2; do
        [ "$(nvram get  br${i}_ifnames)" ] && \
             nvram set  br${i}_ifnames="$(echo $(nvram get  br${i}_ifnames | \
                 sed -r s/$mask//g))"
        [ "$i" == '0' ] && j='' || j="$i"
        [ "$(nvram get lan${j}_ifnames)" ] && \
             nvram set lan${j}_ifnames="$(echo $(nvram get lan${j}_ifnames | \
                 sed -r s/$mask//g))"
    done
done

# force system to recognize any changes
eapd

exit 0
} 2>&1 | tee $LOG | logger -t $BASENAME[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT3
sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT3
chmod +x $SCRIPT3
echo "installed: $SCRIPT3"
# --------------- end merlin-ac68u-add-networks.services-start --------------- #

# ------------ begin merlin-ac68u-add-networks.service-event-end ------------- #
cat << 'EOF' > $SCRIPT4
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
. $CONFIG
{
# on bootup, the router does NOT generate a service-event-end event for the
# wireless service (bug?), so we have to generate our own after all services
# have been started
/jffs/scripts/service-event-end 'start' 'wireless'

exit 0
} 2>&1 | tee $LOG | logger -t $BASENAME[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT4
sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT4
chmod +x $SCRIPT4
echo "installed: $SCRIPT4"
# ------------- end merlin-ac68u-add-networks.service-event-end -------------- #

# -------------------------- begin dnsmasq.postconf -------------------------- #
if grep -q '^INCLUDE_DNSMASQ=' $CONFIG; then
create_script() {
cat << 'EOF' > $SCRIPT5
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT1 "$1"
} 2>&1 | logger -t $(basename $0)[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT5
sed "s:\$SCRIPT1:$SCRIPT1:g" -i $SCRIPT5
chmod +x $SCRIPT5
}

if [ -f $SCRIPT5 ]; then
    echo "error: $SCRIPT5 already exists; requires manual installation"
else
    create_script
    echo "installed: $SCRIPT5"
fi
fi
# ------------------------ end begin dnsmasq.postconf ------------------------ #

# --------------------------- begin firewall-start --------------------------- #
if grep -q '^INCLUDE_FIREWALL=' $CONFIG; then
create_script() {
cat << 'EOF' > $SCRIPT6
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT2 "$1"
} 2>&1 | logger -t $(basename $0)[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT6
sed "s:\$SCRIPT2:$SCRIPT2:g" -i $SCRIPT6
chmod +x $SCRIPT6
}

if [ -f $SCRIPT6 ]; then
    echo "error: $SCRIPT6 already exists; requires manual installation"
else
    create_script
    echo "installed: $SCRIPT6"
fi
fi
# ---------------------------- end firewall-start ---------------------------- #

# ------------------------- begin service-event-end -------------------------- #
create_script() {
cat << 'EOF' > $SCRIPT7
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT3 "$1" "$2"
} 2>&1 | logger -t $(basename $0)[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT7
sed "s:\$SCRIPT3:$SCRIPT3:g" -i $SCRIPT7
chmod +x $SCRIPT7
}

if [ -f $SCRIPT7 ]; then
    echo "error: $SCRIPT7 already exists; requires manual installation"
else
    create_script
    echo "installed: $SCRIPT7"
fi
# -------------------------- end service-event-end --------------------------- #

# --------------------------- begin services-start --------------------------- #
create_script() {
cat << 'EOF' > $SCRIPT8
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
$SCRIPT4
} 2>&1 | logger -t $(basename $0)[$$]
EOF
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT8
sed "s:\$SCRIPT4:$SCRIPT4:g" -i $SCRIPT8
chmod +x $SCRIPT8
}

if [ -f $SCRIPT8 ]; then
    echo "error: $SCRIPT8 already exists; requires manual installation"
else
    create_script
    echo "installed: $SCRIPT8"
fi
# ---------------------------- end services-start ---------------------------- #