LMS-MGC is "magical" configuration file generator. With some efforts, you can create virtually any configuration file using it (ie. zone definition file for BIND) LMS-MGC has its own configuration file: lms-mgc.ini. You should install script by moving it to /usr/sbin directory. LMS-MGC should be used in two either ways: scheduled from cron (eg. hourly) 0 * * * * /usr/sbin/lms-mgc 1 > /dev/null or called from LMS 'Reload' menu. Second setup requires sudo to be used. Unfortunately this method requires you to add user to sudo, and set in configuration section [phpui] reload_type = exec reload_execcmd = sudo /usr/sbin/lms-mgc LMS-MGC has following command line options: -C, --config-file=/path/lms-mgc.ini alternative configuration file (default: /etc/lms/lms-mgc.ini); -i, --instances=name instance name (number) to launch, without reading lms-mgc.ini configuration, ie. -i "name1 name2" -h, --help shows help; -v, --version shows version number; -q, --quiet shows only errors during execution; -d, --debug verbose information for each IP; Configuration of LMS-MGC is held in lms-mgc.ini file. type Database type. Currently only 'mysql' is 100% supported, however there seems to be no significant problems with 'postgres'. Default: mysql Example: type = mysql host Database host. Usually localhost, but you can set it to anything (IP, domain, path to socket in 'localhost:/path/to/socket' format). Default: localhost Example: host = localhost user Database user. In most cases (if you followed this documentation) it should be 'lms'. If you want to use privileged account, you should enter 'root' (MySQL on *nices), 'mysql' (on PLD) or 'postgres' (PostgreSQL). Default: root Example: user = mysql password Database password. Default: empty. Example: password = secret_password database Database name. Default: lms. Example: database = lms Significant parts of configuration are placed in section [mgc] and its derivative sections. In [mgc] alone you can use the following parameter: instances List of instances (separated by spaces). Example: instances = dhcp firewall squid You can also place instances variable in any derivative instance section. See below. Each instance has its name and its configuration is created by creating derivative section of name [mgc:name], eg. [mgc:mydaemon] All of those sections may include following configuration options: instances This variable allows you to group a list of other instances (eg. instances = ins1 ins2 ins3), and then call your mgc with 'lms-mgc -i mydaemon' instead of 'lms-mgc -i "ins1 ins2 ins3"'. If you use this variable all other settings in this section will be ignored. Example: instances = dns1 dns2 dns3 outfile Output file, where instance structured dump will be saved (instance will quit instantly if this variable is not set). Example: outfile = /etc/somefile append It allows you to define to not overwrite outfile, but append to its end instead. Example: append = 1 outfile_perm Permissions for output file. Default: 600 (-rw-------) Example: outfile_perm = 700 outfile_owner UID of output file owner. Default: 0 Example: outfile_owner = 0 You have to provide numerical UID, not username! outfile_group GID of output file owner. Default: 0 Example: outfile_group = 0 You have to provide numerical GID, not group name! header_file Filename, that should be prepended at beginning of output file. Default: unset Example: header_file = /etc/lms/myservice_header header String, which should be put at beginning of output file. Default: unset Example: header = option1 = blah\noption2 = blab-la You should use \n as line separator. You may omit line separator at the end of last line. customergroups >List of (space separated) groups of customers, that should be considered while creating configuration file. If unset, configuration will include all groups. Example: customergroups = group1 group2 excluded_customergroups >List of (space separated) groups of customers, that should be ommited while creating configuration file. Example: excluded_customergroups = group3 group4 networks >List of (space separated) networks, that should be considered while creating configuration file. If unset, configuration will include all networks. Example: networks = cust1-publ cust2-publ cust3-priv excluded_networks >List of (space separated) networks, that should be ommited while creating configuration file. Example: excluded_networks = cust4-publ cust5-publ Mgc script now loops for each network and performs the following tasks: network_header String, which should be put at beginning of network section. Default: empty Example: network_header = network %ADDR/%MASK { # Config section for %NAME dst_networks List of destination network names, for which dst_network_header variable (see below) will be used. Default: all Example: dst_networks = main coalloc dst_network_header Lets you to set destination networks header. Example: dst_network_header = \tallow to %DADDR/%DMASK; network_body This parameter is parsed after network headers and before IP addresses loop. Example: network_body = \tnodes { Mgc script now loops into below rules for each IP address for given range. It takes each IP address and checks if a rule is defined for this address, if yes - it executes first rule that matches. Matches are being parsed in specific order, as described below: ignore Lets you setup list of addresses (in address/prefix or address/netmask form, space separated) which should be skipped. Example: ignore = 192.168.0.100/32 node(IP) Allows you to add line for given IP address. IP address should be provided in parenthesis. Each section may have unlimited number of such options. Example: node(192.168.0.20) = ?? allnodes Adds line for each non-ignored IP address. Example: allnodes = ?? allexistnodes Adds line for each IP address that is 'owner' by a computer in database. Example: allexistnodes = ?? netdevnode Adds line for each IP address of network device. Example: netdevnode = ?? grantednode_priv Adds line for each IP address with 'connected' status in database (parsed only for private address pools). Example: grantednode_priv = \t\tnode %NAME (%IP/%MAC) unique %ID; grantednode_publ Adds line for each IP address with 'connected' status in database (parsed only for public address pools). Example: grantednode_publ = \t\tnode %NAME (%IP/%MAC) unique %ID; deniednode_priv Adds line for each IP address with 'disconnected' status in database (parsed only for private address pools). Example: deniednode_priv = node %NAME (%IP/%MAC) unique %ID deny; deniednode_publ Adds line for each IP address with 'disconnected' status in database (parsed only for public address pools). Example: deniednode_publ = node %NAME (%IP/%MAC) unique %ID deny; dhcpnode_priv Adds line for each IP address within DHCP dynamic range (parsed only for private address pools). Example: dhcpnode_priv = node unknown (%IP) reject; dhcpnode_publ Adds line for each IP address within DHCP dynamic range (parsed only for public address pools). Example: dhcpnode_publ = node unknown (%IP) reject; freeip_priv Adds line for each IP address that is not occupied by any computer in database (parsed only for private address pools). Example: freeip_priv = node unknown (%IP) lock_as_unused; freeip_publ Adds line for each IP address that is not occupied by any computer in database (parsed only for public address pools). Example: freeip_publ = node unknown (%IP) lock_as_unused; default_priv Default line, which is inserted when none of grantednode or deniednode matches for given IP address (parsed only for private address pools) Example: default_priv = node unknown (%IP) lock_as_intruder; Mgc automatically detects if given address belongs to private or public network. default_publ Default line, which is inserted when none of grantednode or deniednode matches for given IP address (parsed only for public address pools) Example: default_publ = node unknown (%IP) lock_as_intruder; Mgc now is ready to append final part of the file and execute system command. network_footer Adds line for currently processed network. Example: network_footer = ?? footer_file Filename, that should be appended at the end of output file. Default: unset Example: footer_file = /etc/lms/myservice_footer footer String, which should be put at the end of output file. Default: unset Example: footer = # End. post_exec System command that should be executed after saving output file. Example: post_exec = killall -HUP mydaemon You can use the following templates in your configuration variables. They all will be substituted with appropriate data from LMS database. Computer templates: %IP - IP address %PUBIP - second (public) IP address %PIN - PIN of customer who owns node %ID - ID of computer %MAC - MAC address %SMAC - MAC address in lowercase and without colon separators %CMAC - MAC address in CISCO format (FFFF.FFFF.FFFF) %OWNER - owner's ID %CUSTOMER - owner's lastname and name %NAME - computer name, in uppercase %name - computer name, in lowercase %INFO - computer description %PASSWD - node password %PORT - device's port, to which node is connected %UPRATE - guaranteed upload rate %NUPRATE - guaranteed upload rate (for night hours) %DOWNRATE - guaranteed download rate %NDOWNRATE - guaranteed download rate (for night hours) %UPCEIL - maximum upload rate %NUPCEIL - maximum upload rate (for night hours) %DOWNCEIL - maximum download rate %NDOWNCEIL - maximum download rate (for night hours) %CLIMIT - limit of concurrent connections %NCLIMIT - limit of concurrent connections (for night hours) %PLIMIT - maximum number of packets per second %NPLIMIT - maximum number of packets per second (for night hours) %1 %2 %3 %4 - consecutive (left to right) decimal octets of IP address %NID - network ID where computer belongs %NNAME - network name, in uppercase %nname - network name, in lowercase %NADDR - network address %NIFACE - network interface %NMASK - network mask %NGATE - network gateway IP address %NDNS - primary DNS server IP address %NDNS2 - secondary DNS server IP address %NDOMAIN - domain name of the network %NWINS - WINS server IP address %NDHCPS - first IP address of dynamic DHCP range %NDHCPE - last IP address of dynamic DHCP range Network templates (for sections relevant to networks only): %ID - network ID %NAME - network name, in uppercase %name - network name, in lowercase %ADDR - network IP address %IFACE - network interface %MASK - network IP mask %GATE - network gateway IP address %DNS - primary DNS server IP address %DNS2 - secondary DNS server IP address %DOMAIN - domain name of the network %WINS - WINS server IP address for the network %DHCPS - first IP address of dynamic DHCP range for the network %DHCPE - last IP address of dynamic DHCP range for the network Additionally, dst_network_header variable may include above templates prepended with D (ie. %DADDR, %dname) to get data relevant to destination networks. Templates which can be used everywhere: %DATE - date in YYYYMMDD format; %TIME - time in HHMM format; %TIMES - time in HHMMSS format; %UTIME - time in unix timestamp format; Configuration and implementation of lms-mgc might seem quite complex, so we provide small example. Below you can find rules to create and execute quite simple ipchains firewall. You should start with creating new mgc section in lms-mgc.ini, with relevant name ('ipchains') and put a simple masquerade rules, per IP, inside: [mgc:ipchains] outfile = /etc/rc.d/rc.masq outfile_perm = 700 header = #!/bin/sh\n/sbin/ipchains -F\n/sbin/ipchains -X\n/sbin/ipchains -P forward DENY grantednode_priv = /sbin/ipchains -A forward -s %IP -j MASQ post_exec = /etc/rc.d/rc.masq You can also add your ipchains subsection to main mgc section, so that it executes it by default: [mgc] instances = ipchains If you run lms-mgc now, without any arguments, you should have simple script /etc/rc.d/rc.masq generated and already executed.