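# if there is an existing config, our work is already done
# NOTE(review): as pasted only the probe survives and nothing acts on its
# exit status, so the "already done" case never returns early; the explicit
# exit the comment describes is restored here.
if uci get cjdns.cjdns.ipv6 >/dev/null 2>&1; then
	exit 0
fi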
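# register commit handler
# Per the comment this ties cjdns config commits to the 'cjdns' init script.
# NOTE(review): the pasted batch deletes the last ucitrack cjdns section and
# then sets an option on ucitrack.@cjdns[-1]; after the delete there may be
# no section to target, so a new one is added in between. The here-doc was
# also unterminated in the paste.
uci -q batch <<-EOF >/dev/null
	delete ucitrack.@cjdns[-1]
	add ucitrack cjdns
	set ucitrack.@cjdns[-1].init=cjdns
EOF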
# generate configuration
# Pipeline per the flag names: generate a config, pass it through
# --cleanconf, then hand the result to 'cjdrouteconf set'. The UCI file is
# created up front (presumably so the store step has a target).
# NOTE(review): the generated config presumably carries the node's
# secrets — confirm the resulting mode of /etc/config/cjdns is no wider
# than the daemon needs.
cjdns_config=/etc/config/cjdns
touch -- "$cjdns_config"
cjdroute --genconf \
	| cjdroute --cleanconf \
	| cjdrouteconf set
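# make sure config is present (might fail for any reason)
# NOTE(review): as pasted the probe's exit status is never checked, so a
# failed generation would still fall through to the network and firewall
# setup below. Abort instead, with a diagnostic on stderr.
if ! uci get cjdns.cjdns.ipv6 >/dev/null 2>&1; then
	printf '%s\n' 'cjdns: generated configuration is missing or unreadable' >&2
	exit 1
fi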
# enable auto-peering on ethernet interface lan, if existing
# Resolve the LAN interface name in order of preference: the lan 'device'
# option, then br-lan when lan is configured as a bridge, then the lan
# 'ifname' option. Lookups are by exit status, so a missing option falls
# through to the next candidate; if none resolves, ifname stays empty.
if ! ifname=$(uci -q get network.lan.device); then
	if [ "$(uci -q get network.lan.type)" = "bridge" ]; then
		ifname=br-lan
	else
		ifname=$(uci -q get network.lan.ifname)
	fi
fi
# Only register an eth_interface when a name was found; the value is
# expanded into the batch, so it comes from system config, not user input.
if [ -n "$ifname" ]; then
	uci -q batch <<-EOF >/dev/null
		add cjdns eth_interface
		set cjdns.@eth_interface[-1].beacon=2
		set cjdns.@eth_interface[-1].bind=$ifname
	EOF
fi
# set the tun interface name
# The same name is reused below when the network interface is created.
tun_device=tuncjdns
uci set "cjdns.cjdns.tun_device=$tun_device"
# create the network interface
# Bind the unmanaged (proto=none) 'cjdns' interface to the tun device.
printf '%s\n' \
	'set network.cjdns=interface' \
	'set network.cjdns.device=tuncjdns' \
	'set network.cjdns.proto=none' \
	| uci -q batch >/dev/null
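# firewall rules by @dangowrt -- thanks <3

# create the firewall zone
# NOTE(review): the pasted batch sets firewall.@zone[-1] without first
# creating a section, which would rewrite whatever zone happens to be last
# instead of adding one; 'add firewall zone' restores the intended target.
# Default policy is deny: input and forward from the zone are REJECTed and
# only the explicit rules further down open services; the zone is IPv6-only.
uci -q batch <<-EOF >/dev/null
	add firewall zone
	set firewall.@zone[-1].name=cjdns
	add_list firewall.@zone[-1].network=cjdns
	set firewall.@zone[-1].input=REJECT
	set firewall.@zone[-1].output=ACCEPT
	set firewall.@zone[-1].forward=REJECT
	set firewall.@zone[-1].conntrack=1
	set firewall.@zone[-1].family=ipv6
EOF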
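# allow ICMP from cjdns zone, e.g. ping6
# NOTE(review): the pasted batch sets firewall.@rule[-1] without creating a
# section first, which would overwrite the last existing rule; 'add
# firewall rule' restores the intended target.
# Only the listed ICMPv6 types are accepted, rate-limited to 1000/sec.
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=icmp
	add_list firewall.@rule[-1].icmp_type=echo-request
	add_list firewall.@rule[-1].icmp_type=echo-reply
	add_list firewall.@rule[-1].icmp_type=destination-unreachable
	add_list firewall.@rule[-1].icmp_type=packet-too-big
	add_list firewall.@rule[-1].icmp_type=time-exceeded
	add_list firewall.@rule[-1].icmp_type=bad-header
	add_list firewall.@rule[-1].icmp_type=unknown-header-type
	set firewall.@rule[-1].limit='1000/sec'
	set firewall.@rule[-1].family=ipv6
	set firewall.@rule[-1].target=ACCEPT
EOF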
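# allow SSH from cjdns zone, needs to be explicitly enabled
# NOTE(review): the pasted batch sets firewall.@rule[-1] without creating a
# section first, which would overwrite the last existing rule; 'add
# firewall rule' restores the intended target.
# Shipped with enabled=0: an operator has to switch it on deliberately
# before TCP/22 is reachable from the cjdns zone.
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-SSH-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=22
	set firewall.@rule[-1].target=ACCEPT
EOF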
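# allow LuCI access from cjdns zone, needs to be explicitly enabled
# NOTE(review): the pasted batch sets firewall.@rule[-1] without creating a
# section first, which would overwrite the last existing rule; 'add
# firewall rule' restores the intended target.
# Shipped with enabled=0: TCP/80 from the cjdns zone stays closed until an
# operator turns the rule on.
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-HTTP-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=80
	set firewall.@rule[-1].target=ACCEPT
EOF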
# allow UDP peering from wan zone, if it exists
# Probe only: its exit status is consumed by the 'if [ $? -eq 0 ]' that
# follows (that conditional runs past the end of this excerpt), so no other
# command may be placed between this line and that test.
uci show network.wan >/dev/null 2>&1
102 if [ $?
-eq 0 ]; then
103 peeringPort
=`uci get cjdns.@udp_interface[0].port`
104 uci
-q batch <<-EOF >/dev/null
106 set firewall.@rule[-1].name='Allow-cjdns-wan'
107 set firewall.@rule[-1].src=wan
108 set firewall.@rule[-1].proto=udp
109 set firewall.@rule[-1].dest_port=$peeringPort
110 set firewall.@rule[-1].target=ACCEPT