#!/bin/sh
# UCI config file for yggdrasil; its absence is what marks a first boot below.
yggConfig='/etc/config/yggdrasil'
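#######################################
# Create the initial yggdrasil UCI config and fill in NodeInfo.
# Runs `yggdrasil -genconf -json`, pipes the result into `ygguci set`, then
# stores the board details reported by `ubus call system board` (kernel,
# system, model, board_name plus a fixed hostname) as the NodeInfo object.
# Globals:   yggConfig (read); kernel, system, model, board_name (written
#            by json_get_var)
# Outputs:   a diagnostic to the system log on failure
# Returns:   0 on success, 1 if generating/importing the config failed
#######################################
first_boot_genConfig()
{
  . /usr/share/libubox/jshn.sh
  local boardcfg nodeinfo
  boardcfg=$(ubus call system board)
  touch "${yggConfig}"
  # Without pipefail only the status of `ygguci set` is seen here, so a
  # failing yggdrasil -genconf is only caught if ygguci rejects the input.
  if ! yggdrasil -genconf -json | ygguci set; then
    logger -t yggdrasil "first_boot: generating ${yggConfig} failed"
    return 1
  fi
  json_load "$boardcfg"
  json_get_var kernel kernel
  json_get_var system system
  json_get_var model model
  json_get_var board_name board_name
  # Build NodeInfo with jshn rather than string concatenation so that quotes
  # or backslashes in the board strings are escaped and the value is always
  # well-formed JSON.
  json_init
  json_add_string kernel "$kernel"
  json_add_string hostname "OpenWrt"
  json_add_string system "$system"
  json_add_string model "$model"
  json_add_string board_name "$board_name"
  nodeinfo=$(json_dump)
  uci set yggdrasil.yggdrasil.IfName="ygg0"
  uci set yggdrasil.yggdrasil.NodeInfo="$nodeinfo"
  uci commit yggdrasil
}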
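# Migrate or bootstrap the yggdrasil UCI config:
#  - a legacy /etc/yggdrasil.conf exists: import it into UCI, keep a .bak copy
#  - no UCI config yet (first boot): generate one and create the network
#    interface, the firewall zone and its rules
#  - otherwise: nothing to do
if [ -e /etc/yggdrasil.conf ]; then
  logger -t yggdrasil "config: import config from /etc/yggdrasil.conf to /etc/config/yggdrasil"
  touch "${yggConfig}"
  ygguci set < /etc/yggdrasil.conf
  # NOTE(review): the .bak copy keeps everything the original file held; if
  # that includes key material, check the mode of both files -- confirm.
  mv /etc/yggdrasil.conf /etc/yggdrasil.conf.bak
elif [ ! -e "${yggConfig}" ]; then
  logger -t yggdrasil "first_boot: adding system board details to NodeInfo[] in NEW config: ${yggConfig}"
  first_boot_genConfig
  # create the network interface; device ygg0 matches the IfName set above
  uci -q batch <<EOF >/dev/null
set network.yggdrasil=interface
set network.yggdrasil.device=ygg0
set network.yggdrasil.proto=none
EOF
  # create the firewall zone: input and forward are REJECT, so traffic from
  # the zone only gets in through the explicit rules below
  uci -q batch <<EOF >/dev/null
set firewall.yggdrasil=zone
set firewall.yggdrasil.name=yggdrasil
add_list firewall.yggdrasil.network=yggdrasil
set firewall.yggdrasil.input=REJECT
set firewall.yggdrasil.output=ACCEPT
set firewall.yggdrasil.forward=REJECT
set firewall.yggdrasil.conntrack=1
EOF
  # allow ICMP from yggdrasil zone, e.g. ping6 (rate limited to 1000/sec)
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].name='Allow-ICMPv6-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=icmp
add_list firewall.@rule[-1].icmp_type=echo-request
add_list firewall.@rule[-1].icmp_type=echo-reply
add_list firewall.@rule[-1].icmp_type=destination-unreachable
add_list firewall.@rule[-1].icmp_type=packet-too-big
add_list firewall.@rule[-1].icmp_type=time-exceeded
add_list firewall.@rule[-1].icmp_type=bad-header
add_list firewall.@rule[-1].icmp_type=unknown-header-type
set firewall.@rule[-1].limit='1000/sec'
set firewall.@rule[-1].family=ipv6
set firewall.@rule[-1].target=ACCEPT
EOF
  # allow SSH from yggdrasil zone; created disabled (enabled=0), needs to be
  # explicitly enabled
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-SSH-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=22
set firewall.@rule[-1].target=ACCEPT
EOF
  # allow LuCI access from yggdrasil zone; created disabled, needs to be
  # explicitly enabled
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTP-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=80
set firewall.@rule[-1].target=ACCEPT
EOF
  # allow LuCI access with SSL from yggdrasil zone; created disabled, needs
  # to be explicitly enabled
  uci -q batch <<EOF >/dev/null
add firewall rule
set firewall.@rule[-1].enabled=0
set firewall.@rule[-1].name='Allow-HTTPS-yggdrasil'
set firewall.@rule[-1].src=yggdrasil
set firewall.@rule[-1].proto=tcp
set firewall.@rule[-1].dest_port=443
set firewall.@rule[-1].target=ACCEPT
EOF
  uci commit firewall
  uci commit network
fi
exit 0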