#!/bin/sh # if there is an existing config, our work is already done uci get cjdns.cjdns.ipv6 >/dev/null 2>&1 if [ $? -ne 0 ]; then # register commit handler uci -q batch <<-EOF >/dev/null delete ucitrack.@cjdns[-1] add ucitrack cjdns set ucitrack.@cjdns[-1].init=cjdns commit ucitrack EOF # generate configuration touch /etc/config/cjdns cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set # make sure config is present (might fail for any reason) uci get cjdns.cjdns.ipv6 >/dev/null 2>&1 if [ $? -ne 0 ]; then exit 1 fi # enable auto-peering on ethernet interface lan, if existing uci get network.lan | grep interface >/dev/null 2>&1 if [ $? -eq 0 ]; then uci get network.lan.type | grep bridge >/dev/null 2>&1 if [ $? -eq 0 ]; then # most routers will set up an ethernet bridge for the lan ifname="br-lan" else # docker containers don't have permission to create bridges by default, # so we bind to the underlying interface instead (likely eth0) ifname=`uci get network.lan.ifname` fi uci -q batch <<-EOF >/dev/null add cjdns eth_interface set cjdns.@eth_interface[-1].beacon=2 set cjdns.@eth_interface[-1].bind=$ifname EOF fi # set the tun interface name uci set cjdns.cjdns.tun_device=tuncjdns # create the network interface uci -q batch <<-EOF >/dev/null set network.cjdns=interface set network.cjdns.ifname=tuncjdns set network.cjdns.proto=none EOF # firewall rules by @dangowrt -- thanks <3 # create the firewall zone uci -q batch <<-EOF >/dev/null add firewall zone set firewall.@zone[-1].name=cjdns add_list firewall.@zone[-1].network=cjdns set firewall.@zone[-1].input=REJECT set firewall.@zone[-1].output=ACCEPT set firewall.@zone[-1].forward=REJECT set firewall.@zone[-1].conntrack=1 set firewall.@zone[-1].family=ipv6 EOF # allow ICMP from cjdns zone, e.g. ping6 uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].name='Allow-ICMPv6-cjdns' set firewall.@rule[-1].src=cjdns set firewall.@rule[-1].proto=icmp add_list firewall.@rule[-1].icmp_type=echo-request add_list firewall.@rule[-1].icmp_type=echo-reply add_list firewall.@rule[-1].icmp_type=destination-unreachable add_list firewall.@rule[-1].icmp_type=packet-too-big add_list firewall.@rule[-1].icmp_type=time-exceeded add_list firewall.@rule[-1].icmp_type=bad-header add_list firewall.@rule[-1].icmp_type=unknown-header-type set firewall.@rule[-1].limit='1000/sec' set firewall.@rule[-1].family=ipv6 set firewall.@rule[-1].target=ACCEPT EOF # allow SSH from cjdns zone, needs to be explicitly enabled uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled=0 set firewall.@rule[-1].name='Allow-SSH-cjdns' set firewall.@rule[-1].src=cjdns set firewall.@rule[-1].proto=tcp set firewall.@rule[-1].dest_port=22 set firewall.@rule[-1].target=ACCEPT EOF # allow LuCI access from cjdns zone, needs to be explicitly enabled uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].enabled=0 set firewall.@rule[-1].name='Allow-HTTP-cjdns' set firewall.@rule[-1].src=cjdns set firewall.@rule[-1].proto=tcp set firewall.@rule[-1].dest_port=80 set firewall.@rule[-1].target=ACCEPT EOF # allow UDP peering from wan zone, if it exists uci show network.wan >/dev/null 2>&1 if [ $? -eq 0 ]; then peeringPort=`uci get cjdns.@udp_interface[0].port` uci -q batch <<-EOF >/dev/null add firewall rule set firewall.@rule[-1].name='Allow-cjdns-wan' set firewall.@rule[-1].src=wan set firewall.@rule[-1].proto=udp set firewall.@rule[-1].dest_port=$peeringPort set firewall.@rule[-1].target=ACCEPT EOF fi uci commit cjdns uci commit firewall uci commit network fi exit 0