
  1. #!/bin/sh
  2. yggConfig="/etc/config/yggdrasil"
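#######################################
# Seed a new yggdrasil UCI config and record the board details in NodeInfo.
# Generates a default config with `yggdrasil -genconf`, loads it into UCI
# through ygguci, then stores kernel/hostname/system/model/board_name from
# `ubus call system board` as the NodeInfo JSON object.
# Globals:   yggConfig (read); kernel, hostname, system, model, board_name,
#            boardcfg, nodeinfo (written, via jshn)
# Outputs:   writes ${yggConfig} via ygguci and uci
# Returns:   status of the final `uci commit`
#######################################
first_boot_genConfig()
{
  . /usr/share/libubox/jshn.sh
  boardcfg=$(ubus call system board)
  touch "${yggConfig}"
  # Default config straight into UCI; ygguci does the UCI mapping.
  yggdrasil -genconf -json | ygguci set
  json_load "$boardcfg"
  json_get_var kernel kernel
  json_get_var hostname hostname
  json_get_var system system
  json_get_var model model
  json_get_var board_name board_name
  # Build NodeInfo with jshn instead of pasting raw values into a JSON
  # string: hostname is operator-settable and a value containing a quote or
  # backslash would otherwise produce broken JSON or add extra keys.
  # json_init resets the jshn state, so this comes after the json_get_var calls.
  json_init
  json_add_string kernel "$kernel"
  json_add_string hostname "$hostname"
  json_add_string system "$system"
  json_add_string model "$model"
  json_add_string board_name "$board_name"
  nodeinfo=$(json_dump)
  uci set yggdrasil.yggdrasil.IfName="ygg0"
  # NOTE(review): NodeInfo is, as far as I know, queryable by other mesh
  # nodes; decide whether kernel/model/board details should be published.
  uci set yggdrasil.yggdrasil.NodeInfo="$nodeinfo"
  uci commit yggdrasil
}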
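# Three cases: migrate an existing native config, seed a brand new one, or
# leave an already-provisioned system alone.
if [ -e /etc/yggdrasil.conf ]; then
  echo "config: import config from /etc/yggdrasil.conf to /etc/config/yggdrasil" | logger -t yggdrasil
  touch "${yggConfig}"
  ygguci set < /etc/yggdrasil.conf
  mv /etc/yggdrasil.conf /etc/yggdrasil.conf.bak
  # The backup keeps everything the live config held, including any key
  # material, so restrict it to root.
  chmod 600 /etc/yggdrasil.conf.bak
elif [ ! -e "${yggConfig}" ]; then
  echo "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}" | logger -t yggdrasil
  first_boot_genConfig
  # create the network interface (no protocol: yggdrasil manages the address)
  uci -q batch <<EOF >/dev/null
set network.yggdrasil=interface
set network.yggdrasil.ifname=ygg0
set network.yggdrasil.proto=none
EOF
  # create the firewall zone: nothing from or through the mesh is accepted
  # by default, only outbound traffic to peers.
  uci -q batch <<EOF >/dev/null
set firewall.yggdrasil=zone
set firewall.yggdrasil.name=yggdrasil
add_list firewall.yggdrasil.network=yggdrasil
set firewall.yggdrasil.input=REJECT
set firewall.yggdrasil.output=ACCEPT
set firewall.yggdrasil.forward=REJECT
set firewall.yggdrasil.conntrack=1
EOF
  # allow ICMP from yggdrasil zone, e.g. ping6; rate-limited so the mesh
  # cannot flood the router with ICMP
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=icmp
add_list firewall.@rule[-1].icmp_type=echo-request
add_list firewall.@rule[-1].icmp_type=echo-reply
add_list firewall.@rule[-1].icmp_type=destination-unreachable
add_list firewall.@rule[-1].icmp_type=packet-too-big
add_list firewall.@rule[-1].icmp_type=time-exceeded
add_list firewall.@rule[-1].icmp_type=bad-header
add_list firewall.@rule[-1].icmp_type=unknown-header-type
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].family=ipv6
set firewall.@rule[-1].target=ACCEPT
EOF
  # allow SSH from yggdrasil zone; created disabled (enabled=0) so the
  # admin has to opt in: enabling it exposes port 22 to every mesh peer.
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=22
set firewall.@rule[-1].target=ACCEPT
EOF
  # allow LuCI access from yggdrasil zone; likewise disabled until
  # explicitly enabled (plain HTTP on port 80).
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=80
set firewall.@rule[-1].target=ACCEPT
EOF
  uci commit firewall
  uci commit network
fi
# Always succeed: this looks like a uci-defaults script, which is removed
# after a zero exit -- TODO confirm.
exit 0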