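#!/bin/sh
#
# cjdns.defaults -- OpenWrt uci-defaults script for the cjdns package.
#
# When no cjdns uci config exists yet, this script:
#   1. generates one with cjdroute and imports it via cjdrouteconf,
#   2. turns on ethernet auto-peering (beacon) on the LAN interface, if any,
#   3. wires the cjdns tun device into the network config as interface
#      "cjdns",
#   4. creates a dedicated "cjdns" firewall zone (inbound and forwarding
#      REJECTed) with a rate-limited ICMPv6 allow-list, two *disabled*
#      rules for SSH and HTTP into the router, and -- only when a usable
#      peering port is known -- a single UDP ACCEPT rule on wan.
#
# Exit status: 0 when nothing needed doing or everything was committed,
# 1 when the generated config could not be read back.
#
# Runs as POSIX sh (busybox ash on OpenWrt): no pipefail, no [[ ]], no ==.

# If there is an existing config, our work is already done.
if ! uci get cjdns.cjdns.ipv6 >/dev/null 2>&1; then

  # Generate the configuration.
  # NOTE(review): the generated config presumably carries the node's
  # private key; uci writes /etc/config/cjdns with default permissions, so
  # it is only as protected as the rest of /etc/config -- confirm.
  touch /etc/config/cjdns
  cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set

  # Make sure the config is really present. There is no pipefail under
  # /bin/sh, so a failed stage above is only caught by reading it back.
  if ! uci get cjdns.cjdns.ipv6 >/dev/null 2>&1; then
    exit 1
  fi

  # Enable auto-peering on the ethernet interface of "lan", if there is one.
  # Prefer network.lan.device, then br-lan when lan is a bridge, then the
  # older network.lan.ifname option. (POSIX test uses "=", not "==".)
  ifname=$(uci -q get network.lan.device || \
           ([ "$(uci -q get network.lan.type)" = "bridge" ] && echo br-lan) || \
           uci -q get network.lan.ifname)
  if [ -n "$ifname" ]; then
    uci -q batch <<-EOF >/dev/null
      add cjdns eth_interface
      set cjdns.@eth_interface[-1].beacon=2
      set cjdns.@eth_interface[-1].bind=$ifname
EOF
  fi

  # Set the tun interface name.
  uci set cjdns.cjdns.tun_device=tuncjdns

  # Create the network interface on top of the tun device.
  uci -q batch <<-EOF >/dev/null
    set network.cjdns=interface
    set network.cjdns.device=tuncjdns
    set network.cjdns.proto=none
EOF

  # Firewall rules by @dangowrt -- thanks <3

  # Create the firewall zone: traffic *from* the cjdns network into the
  # router and forwarding through it are REJECTed by default, outbound is
  # allowed, IPv6 only.
  uci -q batch <<-EOF >/dev/null
    add firewall zone
    set firewall.@zone[-1].name=cjdns
    add_list firewall.@zone[-1].network=cjdns
    set firewall.@zone[-1].input=REJECT
    set firewall.@zone[-1].output=ACCEPT
    set firewall.@zone[-1].forward=REJECT
    set firewall.@zone[-1].conntrack=1
    set firewall.@zone[-1].family=ipv6
EOF

  # Allow a rate-limited set of ICMPv6 types from the cjdns zone (ping6 plus
  # the error / path-MTU signalling types); everything else stays rejected.
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
    set firewall.@rule[-1].src=cjdns
    set firewall.@rule[-1].proto=icmp
    add_list firewall.@rule[-1].icmp_type=echo-request
    add_list firewall.@rule[-1].icmp_type=echo-reply
    add_list firewall.@rule[-1].icmp_type=destination-unreachable
    add_list firewall.@rule[-1].icmp_type=packet-too-big
    add_list firewall.@rule[-1].icmp_type=time-exceeded
    add_list firewall.@rule[-1].icmp_type=bad-header
    add_list firewall.@rule[-1].icmp_type=unknown-header-type
    set firewall.@rule[-1].limit='1000/sec'
    set firewall.@rule[-1].family=ipv6
    set firewall.@rule[-1].target=ACCEPT
EOF

  # Allow SSH from the cjdns zone. Shipped with enabled=0: switching it on
  # exposes the router's SSH service to every cjdns peer that can reach
  # this node, so it must be an explicit decision.
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].enabled=0
    set firewall.@rule[-1].name='Allow-SSH-cjdns'
    set firewall.@rule[-1].src=cjdns
    set firewall.@rule[-1].proto=tcp
    set firewall.@rule[-1].dest_port=22
    set firewall.@rule[-1].target=ACCEPT
EOF

  # Allow LuCI (HTTP) from the cjdns zone. Shipped with enabled=0 for the
  # same reason as the SSH rule.
  uci -q batch <<-EOF >/dev/null
    add firewall rule
    set firewall.@rule[-1].enabled=0
    set firewall.@rule[-1].name='Allow-HTTP-cjdns'
    set firewall.@rule[-1].src=cjdns
    set firewall.@rule[-1].proto=tcp
    set firewall.@rule[-1].dest_port=80
    set firewall.@rule[-1].target=ACCEPT
EOF

  # Allow inbound UDP peering from the wan zone, if a wan interface exists.
  if uci show network.wan >/dev/null 2>&1; then
    peeringPort=$(uci -q get cjdns.@udp_interface[0].port)
    case "$peeringPort" in
      ''|*[!0-9]*)
        # Refuse to write the rule without a concrete numeric port: an
        # ACCEPT rule from wan whose dest_port is empty would no longer be
        # limited to the peering port. The rest of the setup still proceeds.
        echo "cjdns: no numeric UDP peering port in config, skipping wan firewall rule" >&2
        ;;
      *)
        uci -q batch <<-EOF >/dev/null
          add firewall rule
          set firewall.@rule[-1].name='Allow-cjdns-wan'
          set firewall.@rule[-1].src=wan
          set firewall.@rule[-1].proto=udp
          set firewall.@rule[-1].dest_port=$peeringPort
          set firewall.@rule[-1].target=ACCEPT
EOF
        ;;
    esac
  fi

  uci commit cjdns
  uci commit firewall
  uci commit network

fi

exit 0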