LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25379 Commits
1 Branch
46 MiB
 
 
 
 
 
 
Tree: 8a6def501a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8a6def501a'
${ noResults }
openwrt-packages-dist/net/yggdrasil/files/yggdrasil.defaults

110 lines
3.5 KiB
Raw Blame History

#!/bin/sh
yggConfig="/etc/config/yggdrasil"
first_boot_genConfig()
{
. /usr/share/libubox/jshn.sh
boardcfg=$(ubus call system board)
touch ${yggConfig}
yggdrasil -genconf -json | ygguci set
json_load "$boardcfg"
json_get_var kernel kernel
json_get_var system system
json_get_var model model
json_get_var board_name board_name
nodeinfo='{"kernel": "'$kernel'", "hostname":"'OpenWrt'", "system": "'$system'", "model": "'$model'", "board_name": "'$board_name'"}'
uci set yggdrasil.yggdrasil.IfName="ygg0"
uci set yggdrasil.yggdrasil.NodeInfo="$nodeinfo"
uci commit yggdrasil
}
if [ -e /etc/yggdrasil.conf ]; then
echo "config: import config from /etc/yggdrasil.conf to /etc/config/yggdrasil" | logger -t yggdrasil
touch ${yggConfig}
cat /etc/yggdrasil.conf | ygguci set
mv /etc/yggdrasil.conf /etc/yggdrasil.conf.bak
elif [ ! -e ${yggConfig} ]; then
echo "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}" | logger -t yggdrasil
first_boot_genConfig
# create the network interface
uci -q batch <<-EOF >/dev/null
set network.yggdrasil=interface
set network.yggdrasil.device=ygg0
set network.yggdrasil.proto=none
EOF
# create the firewall zone
uci -q batch <<-EOF >/dev/null
set firewall.yggdrasil=zone
set firewall.yggdrasil.name=yggdrasil
add_list firewall.yggdrasil.network=yggdrasil
set firewall.yggdrasil.input=REJECT
set firewall.yggdrasil.output=ACCEPT
set firewall.yggdrasil.forward=REJECT
set firewall.yggdrasil.conntrack=1
EOF
# allow ICMP from yggdrasil zone, e.g. ping6
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=icmp
add_list firewall.@rule[-1].icmp_type=echo-request
add_list firewall.@rule[-1].icmp_type=echo-reply
add_list firewall.@rule[-1].icmp_type=destination-unreachable
add_list firewall.@rule[-1].icmp_type=packet-too-big
add_list firewall.@rule[-1].icmp_type=time-exceeded
add_list firewall.@rule[-1].icmp_type=bad-header
add_list firewall.@rule[-1].icmp_type=unknown-header-type
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].family=ipv6
set firewall.@rule[-1].target=ACCEPT
EOF
# allow SSH from yggdrasil zone, needs to be explicitly enabled
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=22
set firewall.@rule[-1].target=ACCEPT
EOF
# allow LuCI access from yggdrasil zone, needs to be explicitly enabled
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=80
set firewall.@rule[-1].target=ACCEPT
EOF
# allow LuCI access with SSL from yggdrasil zone, needs to be explicitly enabled
uci -q batch <<-EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTPS-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=443
set firewall.@rule[-1].target=ACCEPT
EOF
uci commit firewall
uci commit network
else
:
fi
exit 0