X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=package%2Fnetwork%2Fservices%2Fcjdns%2Ffiles%2Fcjdns.defaults;fp=package%2Fnetwork%2Fservices%2Fcjdns%2Ffiles%2Fcjdns.defaults;h=f2baf6d6c5b51f6ef5dc0cbd3dc95c052a865d9b;hb=9ac3ddc2fd8a02fc4b14d80ae394730e59318121;hp=0000000000000000000000000000000000000000;hpb=a28230f318a4409c59faf79554f73e98632410bb;p=librecmc%2Flibrecmc.git
diff --git a/package/network/services/cjdns/files/cjdns.defaults b/package/network/services/cjdns/files/cjdns.defaults
new file mode 100644
index 0000000000..f2baf6d6c5
--- /dev/null
+++ b/package/network/services/cjdns/files/cjdns.defaults
@@ -0,0 +1,127 @@
+#!/bin/sh
+
+# if there is an existing config, our work is already done
+uci get cjdns.cjdns.ipv6 >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+
+ # register commit handler
+ uci -q batch <<-EOF >/dev/null
+ delete ucitrack.@cjdns[-1]
+ add ucitrack cjdns
+ set ucitrack.@cjdns[-1].init=cjdns
+ commit ucitrack
+EOF
+
+ # generate configuration
+ touch /etc/config/cjdns
+ cjdroute --genconf | cjdroute --cleanconf | cjdrouteconf set
+
+ # make sure config is present (might fail for any reason)
+ uci get cjdns.cjdns.ipv6 >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ exit 1
+ fi
+
+ # enable auto-peering on ethernet interface lan, if existing
+ uci get network.lan | grep interface >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ uci get network.lan.type | grep bridge >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ # most routers will set up an ethernet bridge for the lan
+ ifname="br-lan"
+ else
+ # docker containers don't have permission to create bridges by default,
+ # so we bind to the underlying interface instead (likely eth0)
+ ifname=`uci get network.lan.ifname`
+ fi
+ uci -q batch <<-EOF >/dev/null
+ add cjdns eth_interface
+ set cjdns.@eth_interface[-1].beacon=2
+ set cjdns.@eth_interface[-1].bind=$ifname
+EOF
+ fi
+ # set the tun interface name
+ uci set cjdns.cjdns.tun_device=tuncjdns
+
+ # create the network interface
+ uci -q batch <<-EOF >/dev/null
+ set network.cjdns=interface
+ set network.cjdns.ifname=tuncjdns
+ set network.cjdns.proto=none
+EOF
+
+ # firewall rules by @dangowrt -- thanks <3
+
+ # create the firewall zone
+ uci -q batch <<-EOF >/dev/null
+ add firewall zone
+ set firewall.@zone[-1].name=cjdns
+ add_list firewall.@zone[-1].network=cjdns
+ set firewall.@zone[-1].input=REJECT
+ set firewall.@zone[-1].output=ACCEPT
+ set firewall.@zone[-1].forward=REJECT
+ set firewall.@zone[-1].conntrack=1
+ set firewall.@zone[-1].family=ipv6
+EOF
+
+ # allow ICMP from cjdns zone, e.g. ping6
+ uci -q batch <<-EOF >/dev/null
+ add firewall rule
+ set firewall.@rule[-1].name='Allow-ICMPv6-cjdns'
+ set firewall.@rule[-1].src=cjdns
+ set firewall.@rule[-1].proto=icmp
+ add_list firewall.@rule[-1].icmp_type=echo-request
+ add_list firewall.@rule[-1].icmp_type=echo-reply
+ add_list firewall.@rule[-1].icmp_type=destination-unreachable
+ add_list firewall.@rule[-1].icmp_type=packet-too-big
+ add_list firewall.@rule[-1].icmp_type=time-exceeded
+ add_list firewall.@rule[-1].icmp_type=bad-header
+ add_list firewall.@rule[-1].icmp_type=unknown-header-type
+ set firewall.@rule[-1].limit='1000/sec'
+ set firewall.@rule[-1].family=ipv6
+ set firewall.@rule[-1].target=ACCEPT
+EOF
+
+ # allow SSH from cjdns zone, needs to be explicitly enabled
+ uci -q batch <<-EOF >/dev/null
+ add firewall rule
+ set firewall.@rule[-1].enabled=0
+ set firewall.@rule[-1].name='Allow-SSH-cjdns'
+ set firewall.@rule[-1].src=cjdns
+ set firewall.@rule[-1].proto=tcp
+ set firewall.@rule[-1].dest_port=22
+ set firewall.@rule[-1].target=ACCEPT
+EOF
+
+ # allow LuCI access from cjdns zone, needs to be explicitly enabled
+ uci -q batch <<-EOF >/dev/null
+ add firewall rule
+ set firewall.@rule[-1].enabled=0
+ set firewall.@rule[-1].name='Allow-HTTP-cjdns'
+ set firewall.@rule[-1].src=cjdns
+ set firewall.@rule[-1].proto=tcp
+ set firewall.@rule[-1].dest_port=80
+ set firewall.@rule[-1].target=ACCEPT
+EOF
+
+ # allow UDP peering from wan zone, if it exists
+ uci show network.wan >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ peeringPort=`uci get cjdns.@udp_interface[0].port`
+ uci -q batch <<-EOF >/dev/null
+ add firewall rule
+ set firewall.@rule[-1].name='Allow-cjdns-wan'
+ set firewall.@rule[-1].src=wan
+ set firewall.@rule[-1].proto=udp
+ set firewall.@rule[-1].dest_port=$peeringPort
+ set firewall.@rule[-1].target=ACCEPT
+EOF
+ fi
+
+ uci commit cjdns
+ uci commit firewall
+ uci commit network
+
+fi
+
+exit 0
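Review bot: The wan peering rule at the end of the hunk takes `peeringPort` from `uci get cjdns.@udp_interface[0].port` without checking that the lookup succeeded or produced a value, so an empty result writes `dest_port=` on an ACCEPT rule for UDP from the wan zone, which would most likely match far more than the intended peering port. A guard before that batch, `[ -n "$peeringPort" ] || exit 1` (or skipping the rule when the value is empty), keeps a failed lookup from silently widening WAN exposure; the same unchecked pattern is used for `ifname` from `uci get network.lan.ifname`, where an empty value leaves `bind=` blank on the eth_interface section. As a point of style, the `cmd; if [ $? -ne 0 ]` pairs read more directly as `if ! uci get cjdns.cjdns.ipv6 >/dev/null 2>&1; then`, and `$(...)` is preferable to backticks for the two command substitutions.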