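#!/bin/sh
#
# uci-defaults script for the cjdns package.
#
# Runs once at first boot (or after the package is installed) and creates the
# initial cjdns configuration together with the matching network interface and
# firewall zone/rules. When a cjdns config already exists nothing is touched.
#
# Exit status: 0 when cjdns is (now) configured, 1 when the generated config
# could not be read back from uci.

# Print a diagnostic on stderr, prefixed with the script name.
warn() {
	printf 'cjdns.defaults: %s\n' "$*" >&2
}

# True when a cjdns uci config is present and readable.
have_cjdns_config() {
	uci -q get cjdns.cjdns.ipv6 >/dev/null 2>&1
}

# Register the cjdns init script with ucitrack so that committing changes to
# the cjdns config reloads the service.
register_commit_handler() {
	uci -q batch <<-EOF >/dev/null
	delete ucitrack.@cjdns[-1]
	add ucitrack cjdns
	set ucitrack.@cjdns[-1].init=cjdns
	commit ucitrack
	EOF
}

# Generate a fresh cjdroute configuration and import it into uci.
generate_config() {
	# the uci config file must exist before cjdrouteconf can write into it
	touch /etc/config/cjdns
	cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set
}

# Enable auto-peering (beacons) on the LAN ethernet interface.
configure_eth_interface() {
	local ifname
	if uci -q show network.lan 2>/dev/null | grep -q bridge; then
		# most routers will set up an ethernet bridge for the lan
		ifname="br-lan"
	else
		# docker containers don't have permission to create bridges by default,
		# so we bind to the underlying interface instead (likely eth0)
		ifname=$(uci -q get network.lan.ifname)
	fi
	if [ -z "$ifname" ]; then
		# an empty bind= would leave an unusable eth_interface section behind
		warn "cannot determine the lan interface, skipping ethernet auto-peering"
		return 0
	fi
	uci -q batch <<-EOF >/dev/null
	add cjdns eth_interface
	set cjdns.@eth_interface[-1].beacon=2
	set cjdns.@eth_interface[-1].bind=$ifname
	EOF
}

# Name the tun device and create the matching network interface (no protocol:
# cjdroute manages the addresses itself).
configure_network_interface() {
	uci set cjdns.cjdns.tun_device=tuncjdns
	uci -q batch <<-EOF >/dev/null
	set network.cjdns=interface
	set network.cjdns.ifname=tuncjdns
	set network.cjdns.proto=none
	EOF
}

# firewall rules by @dangowrt -- thanks <3

# Create an IPv6-only zone for the cjdns interface: outbound allowed, inbound
# and forwarding rejected unless a rule below opens them.
configure_firewall_zone() {
	uci -q batch <<-EOF >/dev/null
	add firewall zone
	set firewall.@zone[-1].name=cjdns
	add_list firewall.@zone[-1].network=cjdns
	set firewall.@zone[-1].input=REJECT
	set firewall.@zone[-1].output=ACCEPT
	set firewall.@zone[-1].forward=REJECT
	set firewall.@zone[-1].conntrack=1
	set firewall.@zone[-1].family=ipv6
	EOF
}

# Rules for traffic arriving from the cjdns zone. ICMPv6 is allowed (rate
# limited); SSH and LuCI access are created disabled and must be enabled
# explicitly by the administrator.
configure_firewall_rules() {
	# allow ICMP from cjdns zone, e.g. ping6
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=icmp
	add_list firewall.@rule[-1].icmp_type=echo-request
	add_list firewall.@rule[-1].icmp_type=echo-reply
	add_list firewall.@rule[-1].icmp_type=destination-unreachable
	add_list firewall.@rule[-1].icmp_type=packet-too-big
	add_list firewall.@rule[-1].icmp_type=time-exceeded
	add_list firewall.@rule[-1].icmp_type=bad-header
	add_list firewall.@rule[-1].icmp_type=unknown-header-type
	set firewall.@rule[-1].limit='1000/sec'
	set firewall.@rule[-1].family=ipv6
	set firewall.@rule[-1].target=ACCEPT
	EOF

	# allow SSH from cjdns zone, needs to be explicitly enabled
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-SSH-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=22
	set firewall.@rule[-1].target=ACCEPT
	EOF

	# allow LuCI access from cjdns zone, needs to be explicitly enabled
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-HTTP-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=80
	set firewall.@rule[-1].target=ACCEPT
	EOF
}

# Allow inbound UDP peering from the wan zone, if such a zone exists. The rule
# is only written when the generated config carries a udp_interface port: with
# an empty dest_port the rule would accept *all* UDP from wan.
configure_wan_peering_rule() {
	local peering_port
	uci -q show network.wan >/dev/null 2>&1 || return 0
	# quoted: an unquoted [0] is a glob pattern in sh
	peering_port=$(uci -q get 'cjdns.@udp_interface[0].port')
	if [ -z "$peering_port" ]; then
		warn "no udp_interface port in the generated config, not opening a wan peering port"
		return 0
	fi
	uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-cjdns-wan'
	set firewall.@rule[-1].src=wan
	set firewall.@rule[-1].proto=udp
	set firewall.@rule[-1].dest_port=$peering_port
	set firewall.@rule[-1].target=ACCEPT
	EOF
}

main() {
	# if there is an existing config, our work is already done
	if have_cjdns_config; then
		return 0
	fi

	register_commit_handler
	generate_config

	# make sure config is present (might fail for any reason); no pipefail in
	# sh, so the generate pipeline's status cannot be trusted directly
	if ! have_cjdns_config; then
		warn "cjdroute --genconf did not produce a usable config"
		return 1
	fi

	configure_eth_interface
	configure_network_interface
	configure_firewall_zone
	configure_firewall_rules
	configure_wan_peering_rule

	uci commit cjdns
	uci commit firewall
	uci commit network
	return 0
}

main "$@" || exit 1
exit 0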