cjdns: upgrade uci-defaults for ucitrack handling to use json
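#!/bin/sh
# uci-defaults script for cjdns (OpenWrt): generate an initial cjdns
# configuration and wire it into the network and firewall config.
#
# Exits 0 when a config already exists or was created successfully.
# Exits 1 when generation failed, so the defaults script is not treated
# as applied and gets another chance on the next boot.

# if there is an existing config, our work is already done
if uci -q get cjdns.cjdns.ipv6 >/dev/null; then
	exit 0
fi

# generate configuration
touch /etc/config/cjdns
cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set

# make sure config is present (generation might fail for any reason).
# plain sh has no pipefail, so re-reading the uci entry is the only
# reliable signal that the pipeline above actually produced a config.
if ! uci -q get cjdns.cjdns.ipv6 >/dev/null; then
	exit 1
fi

# enable auto-peering on ethernet interface lan, if existing:
# prefer the 'device' option, fall back to the bridge name when lan is
# a bridge, then to the legacy 'ifname' option (POSIX sh: use '=' in test)
ifname=$(uci -q get network.lan.device \
	|| { [ "$(uci -q get network.lan.type)" = "bridge" ] && echo br-lan; } \
	|| uci -q get network.lan.ifname)
if [ -n "$ifname" ]; then
uci -q batch <<EOF >/dev/null
add cjdns eth_interface
set cjdns.@eth_interface[-1].beacon=2
set cjdns.@eth_interface[-1].bind=$ifname
EOF
fi

# set the tun interface name
uci set cjdns.cjdns.tun_device=tuncjdns

# create the network interface
uci -q batch <<EOF >/dev/null
set network.cjdns=interface
set network.cjdns.device=tuncjdns
set network.cjdns.proto=none
EOF

# firewall rules by @dangowrt -- thanks <3

# create the firewall zone: traffic from the cjdns overlay is rejected by
# default (input/forward), only the explicit rules below open anything
uci -q batch <<EOF >/dev/null
add firewall zone
set firewall.@zone[-1].name=cjdns
add_list firewall.@zone[-1].network=cjdns
set firewall.@zone[-1].input=REJECT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
set firewall.@zone[-1].conntrack=1
set firewall.@zone[-1].family=ipv6
EOF

# allow ICMP from cjdns zone, e.g. ping6 (rate limited)
uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
set firewall.@rule[-1].src=cjdns
set firewall.@rule[-1].proto=icmp
add_list firewall.@rule[-1].icmp_type=echo-request
add_list firewall.@rule[-1].icmp_type=echo-reply
add_list firewall.@rule[-1].icmp_type=destination-unreachable
add_list firewall.@rule[-1].icmp_type=packet-too-big
add_list firewall.@rule[-1].icmp_type=time-exceeded
add_list firewall.@rule[-1].icmp_type=bad-header
add_list firewall.@rule[-1].icmp_type=unknown-header-type
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].family=ipv6
set firewall.@rule[-1].target=ACCEPT
EOF

# allow SSH from cjdns zone, needs to be explicitly enabled (enabled=0)
uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-SSH-cjdns'
set firewall.@rule[-1].src=cjdns
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=22
set firewall.@rule[-1].target=ACCEPT
EOF

# allow LuCI access from cjdns zone, needs to be explicitly enabled (enabled=0)
uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTP-cjdns'
set firewall.@rule[-1].src=cjdns
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=80
set firewall.@rule[-1].target=ACCEPT
EOF

# allow UDP peering from wan zone, if it exists
if uci -q show network.wan >/dev/null; then
	peeringPort=$(uci -q get cjdns.@udp_interface[0].port)
	# an empty dest_port would turn this rule into "accept all UDP from
	# wan"; only add it when the generated config actually has a port
	if [ -n "$peeringPort" ]; then
uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-cjdns-wan'
set firewall.@rule[-1].src=wan
set firewall.@rule[-1].proto=udp
set firewall.@rule[-1].dest_port=$peeringPort
set firewall.@rule[-1].target=ACCEPT
EOF
	else
		echo "cjdns: no UDP peering port in config, not adding wan firewall rule" >&2
	fi
fi

uci commit cjdns
uci commit firewall
uci commit network

exit 0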