cjdns: fix uci-defaults (#714)
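#!/bin/sh
#
# uci-defaults script for cjdns (runs once on first boot).
#
# Generates a node configuration with cjdroute, registers a ucitrack commit
# handler, enables auto-peering on the lan device when one can be found,
# creates the tuncjdns network interface and a dedicated, default-deny
# firewall zone with a small set of rules.
#
# Exit status: 0 when nothing is left to do or everything was committed,
# 1 when config generation failed (uci-defaults will then retry on the next
# boot, as no cjdns/firewall/network change has been committed at that point).

# if there is an existing config, our work is already done
if uci -q get cjdns.cjdns.ipv6 >/dev/null 2>&1; then
	exit 0
fi

# register commit handler
uci -q batch <<-EOF >/dev/null
	delete ucitrack.@cjdns[-1]
	add ucitrack cjdns
	set ucitrack.@cjdns[-1].init=cjdns
	commit ucitrack
EOF

# generate configuration
# NOTE(review): the generated file presumably holds node secrets (keys,
# admin password) -- TODO confirm and consider restricting its permissions;
# uci commit may rewrite the file, so check the resulting mode after commit.
touch /etc/config/cjdns
cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set

# make sure config is present (might fail for any reason)
if ! uci -q get cjdns.cjdns.ipv6 >/dev/null 2>&1; then
	exit 1
fi

# enable auto-peering on ethernet interface lan, if existing
# Preference order: network.lan.device (DSA/new style), br-lan for a
# bridge-type lan, then the legacy network.lan.ifname.
ifname=$(uci -q get network.lan.device || \
	([ "$(uci -q get network.lan.type)" = "bridge" ] && echo br-lan) || \
	uci -q get network.lan.ifname)
if [ -n "$ifname" ]; then
	uci -q batch <<-EOF >/dev/null
		add cjdns eth_interface
		set cjdns.@eth_interface[-1].beacon=2
		set cjdns.@eth_interface[-1].bind=$ifname
	EOF
fi

# set the tun interface name
uci set cjdns.cjdns.tun_device=tuncjdns

# create the network interface
uci -q batch <<-EOF >/dev/null
	set network.cjdns=interface
	set network.cjdns.device=tuncjdns
	set network.cjdns.proto=none
EOF

# firewall rules by @dangowrt -- thanks <3

# create the firewall zone: default-deny for input and forward, traffic
# originating from the router is allowed out
uci -q batch <<-EOF >/dev/null
	add firewall zone
	set firewall.@zone[-1].name=cjdns
	add_list firewall.@zone[-1].network=cjdns
	set firewall.@zone[-1].input=REJECT
	set firewall.@zone[-1].output=ACCEPT
	set firewall.@zone[-1].forward=REJECT
	set firewall.@zone[-1].conntrack=1
	set firewall.@zone[-1].family=ipv6
EOF

# allow ICMP from cjdns zone, e.g. ping6 (rate limited)
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=icmp
	add_list firewall.@rule[-1].icmp_type=echo-request
	add_list firewall.@rule[-1].icmp_type=echo-reply
	add_list firewall.@rule[-1].icmp_type=destination-unreachable
	add_list firewall.@rule[-1].icmp_type=packet-too-big
	add_list firewall.@rule[-1].icmp_type=time-exceeded
	add_list firewall.@rule[-1].icmp_type=bad-header
	add_list firewall.@rule[-1].icmp_type=unknown-header-type
	set firewall.@rule[-1].limit='1000/sec'
	set firewall.@rule[-1].family=ipv6
	set firewall.@rule[-1].target=ACCEPT
EOF

# allow SSH from cjdns zone, needs to be explicitly enabled (created disabled)
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-SSH-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=22
	set firewall.@rule[-1].target=ACCEPT
EOF

# allow LuCI access from cjdns zone, needs to be explicitly enabled (created disabled)
uci -q batch <<-EOF >/dev/null
	add firewall rule
	set firewall.@rule[-1].enabled=0
	set firewall.@rule[-1].name='Allow-HTTP-cjdns'
	set firewall.@rule[-1].src=cjdns
	set firewall.@rule[-1].proto=tcp
	set firewall.@rule[-1].dest_port=80
	set firewall.@rule[-1].target=ACCEPT
EOF

# allow UDP peering from wan zone, if it exists
if uci -q show network.wan >/dev/null 2>&1; then
	peeringPort=$(uci -q get cjdns.@udp_interface[0].port)
	# Only create the rule when a numeric port was actually found. If the
	# lookup failed, dest_port would be empty and the ACCEPT rule from wan
	# would carry no port restriction at all.
	case "$peeringPort" in
		''|*[!0-9]*)
			;;
		*)
			uci -q batch <<-EOF >/dev/null
				add firewall rule
				set firewall.@rule[-1].name='Allow-cjdns-wan'
				set firewall.@rule[-1].src=wan
				set firewall.@rule[-1].proto=udp
				set firewall.@rule[-1].dest_port=$peeringPort
				set firewall.@rule[-1].target=ACCEPT
			EOF
			;;
	esac
fi

uci commit cjdns
uci commit firewall
uci commit network

exit 0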