# if there is an existing config, our work is already done: probe for the
# ipv6 option of the cjdns section and discard all output, so only the exit
# status of this command carries information.
# NOTE(review): the line that acts on that status is not visible in this
# rendering of the script.
uci get 'cjdns.cjdns.ipv6' >/dev/null 2>&1
7 # register commit handler
# ucitrack is what reacts to commits of the cjdns config (see the comment
# above); the init option names the init script tied to that config.
# NOTE(review): this batch is only partially visible in this rendering (no
# terminator, and a gap between the delete and the set) — read it against
# the real file before drawing conclusions.
8 uci
-q batch <<-EOF >/dev/null
9 delete ucitrack.@cjdns[-1]
11 set ucitrack.@cjdns[-1].init=cjdns
# generate configuration
# touch makes sure /etc/config/cjdns exists before cjdrouteconf writes to it.
# cjdroute --genconf emits a brand-new config, --cleanconf is presumably a
# normalising pass over it, and cjdrouteconf set stores the result as uci
# config.
# NOTE(review): pipefail is not set, so only the status of `cjdrouteconf set`
# is visible to the shell; a failing generator is caught by the presence check
# that follows this step.
# NOTE(review): a freshly generated cjdns config carries the node's private
# key — confirm the resulting /etc/config/cjdns is not world-readable.
touch -- /etc/config/cjdns
cjdroute --genconf \
  | cjdroute --cleanconf \
  | cjdrouteconf set
# make sure config is present (might fail for any reason): the same probe as
# at the top of the script, output discarded, exit status is the result.
# NOTE(review): the line that acts on that status is not visible in this
# rendering of the script.
uci get 'cjdns.cjdns.ipv6' >/dev/null 2>&1
# enable auto-peering on ethernet
# detect whether network.lan is a bridge: grep's exit status (match on
# "type=bridge" in the uci dump of the section) is the only thing kept.
# NOTE(review): the branch that consumes this status is not visible in this
# rendering of the script.
uci show network.lan | grep -q 'type=bridge' 2>/dev/null
28 # most routers will set up an ethernet bridge for the lan
31 # docker containers don't have permission to create bridges by default,
32 # so we bind to the underlying interface instead (likely eth0)
# NOTE(review): the control flow around these two comments (what happens in
# the bridge case) is not visible in this rendering.
33 ifname
=`uci get network.lan.ifname`
# add an eth_interface section bound to the lan interface; beacon=2 is the
# auto-peering setting referred to above.
# NOTE(review): $ifname is expanded unquoted inside the heredoc — if the
# uci get above fails it is empty and bind= is written with no value, and a
# value containing whitespace or newlines would break the batch. Worth
# checking the result before using it. The batch terminator is not visible
# in this rendering.
35 uci
-q batch <<-EOF >/dev/null
36 add cjdns eth_interface
37 set cjdns.@eth_interface[-1].beacon=2
38 set cjdns.@eth_interface[-1].bind=$ifname
# set the tun interface name
# cjdroute will create its tunnel under this name; the network interface
# section further down refers to the same device name.
uci set 'cjdns.cjdns.tun_device=tuncjdns'
44 # create the network interface
# declare a netifd interface "cjdns" on the tuncjdns device with proto=none
# (no address configuration by netifd); the firewall zone below attaches to
# this interface name.
# NOTE(review): the batch terminator is not visible in this rendering.
45 uci
-q batch <<-EOF >/dev/null
46 set network.cjdns=interface
47 set network.cjdns.ifname=tuncjdns
48 set network.cjdns.proto=none
51 # firewall rules by @dangowrt -- thanks <3
53 # create the firewall zone
# zone "cjdns" covering the cjdns interface: traffic from peers to the router
# (input) and through it (forward) is rejected by default, traffic out is
# accepted, connection tracking stays on and the zone is IPv6-only. The rules
# that follow punch explicit holes in the input=REJECT default.
# NOTE(review): part of this batch (including its terminator) is not visible
# in this rendering.
54 uci
-q batch <<-EOF >/dev/null
56 set firewall.@zone[-1].name=cjdns
57 add_list firewall.@zone[-1].network=cjdns
58 set firewall.@zone[-1].input=REJECT
59 set firewall.@zone[-1].output=ACCEPT
60 set firewall.@zone[-1].forward=REJECT
61 set firewall.@zone[-1].conntrack=1
62 set firewall.@zone[-1].family=ipv6
65 # allow ICMP from cjdns zone, e.g. ping6
# accept only the listed ICMPv6 types from the cjdns zone (echo, unreachable,
# packet-too-big, time-exceeded and header errors), rate-limited to 1000/sec,
# so ping and error/PMTU signalling work while input otherwise stays REJECT.
# NOTE(review): part of this batch (including its terminator) is not visible
# in this rendering.
66 uci
-q batch <<-EOF >/dev/null
68 set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
69 set firewall.@rule[-1].src=cjdns
70 set firewall.@rule[-1].proto=icmp
71 add_list firewall.@rule[-1].icmp_type=echo-request
72 add_list firewall.@rule[-1].icmp_type=echo-reply
73 add_list firewall.@rule[-1].icmp_type=destination-unreachable
74 add_list firewall.@rule[-1].icmp_type=packet-too-big
75 add_list firewall.@rule[-1].icmp_type=time-exceeded
76 add_list firewall.@rule[-1].icmp_type=bad-header
77 add_list firewall.@rule[-1].icmp_type=unknown-header-type
78 set firewall.@rule[-1].limit='1000/sec'
79 set firewall.@rule[-1].family=ipv6
80 set firewall.@rule[-1].target=ACCEPT
83 # allow SSH from cjdns zone, needs to be explicitly enabled
# rule is created with enabled=0: enabling it exposes tcp/22 to every host in
# the cjdns zone, so leave it off unless that is intended.
# NOTE(review): part of this batch (including its terminator) is not visible
# in this rendering.
84 uci
-q batch <<-EOF >/dev/null
86 set firewall.@rule[-1].enabled=0
87 set firewall.@rule[-1].name='Allow-SSH-cjdns'
88 set firewall.@rule[-1].src=cjdns
89 set firewall.@rule[-1].proto=tcp
90 set firewall.@rule[-1].dest_port=22
91 set firewall.@rule[-1].target=ACCEPT
94 # allow LuCI access from cjdns zone, needs to be explicitly enabled
# rule is created with enabled=0 and covers tcp/80 only: enabling it exposes
# the web UI to every host in the cjdns zone, so leave it off unless intended.
# NOTE(review): part of this batch (including its terminator) is not visible
# in this rendering.
95 uci
-q batch <<-EOF >/dev/null
97 set firewall.@rule[-1].enabled=0
98 set firewall.@rule[-1].name='Allow-HTTP-cjdns'
99 set firewall.@rule[-1].src=cjdns
100 set firewall.@rule[-1].proto=tcp
101 set firewall.@rule[-1].dest_port=80
102 set firewall.@rule[-1].target=ACCEPT
# allow UDP peering from wan zone, if it exists
# probe for a wan section in the network config; output is discarded and the
# exit status is what the conditional right after this command tests.
uci show 'network.wan' >/dev/null 2>&1
107 if [ $?
-eq 0 ]; then
108 peeringPort
=`uci get cjdns.@udp_interface[0].port`
109 uci
-q batch <<-EOF >/dev/null
111 set firewall.@rule[-1].name='Allow-cjdns-wan'
112 set firewall.@rule[-1].src=wan
113 set firewall.@rule[-1].proto=udp
114 set firewall.@rule[-1].dest_port=$peeringPort
115 set firewall.@rule[-1].target=ACCEPT