Update 99-custom.sh

7edc9f73 · wukongdaily · GitHub · bda1187e · 7edc9f73
Unverified Commit 7edc9f73 authored Jul 07, 2025 by wukongdaily Committed by GitHub Jul 07, 2025
Show whitespace changes
Inline Side-by-side

Showing with 113 additions and 87 deletions

files/etc/uci-defaults/99-custom.sh files/etc/uci-defaults/99-custom.sh +113 -87

No files found.
--- a/files/etc/uci-defaults/99-custom.sh
+++ b/files/etc/uci-defaults/99-custom.sh
@@ -2,7 +2,7 @@
 # 99-custom.sh 就是immortalwrt固件首次启动时运行的脚本 位于固件内的/etc/uci-defaults/99-custom.sh
 # Log file for debugging
 LOGFILE="/tmp/uci-defaults-log.txt"
-echo "Starting 99-custom.sh at $(date)" >> $LOGFILE
+echo "Starting 99-custom.sh at $(date)" >>$LOGFILE
 # 设置默认防火墙规则，方便虚拟机首次访问 WebUI
 uci set firewall.@zone[1].input='ACCEPT'
@@ -14,7 +14,7 @@ uci set "dhcp.@domain[-1].ip=203.107.6.88"
 # 检查配置文件pppoe-settings是否存在 该文件由build.sh动态生成
 SETTINGS_FILE="/etc/config/pppoe-settings"
 if [ ! -f "$SETTINGS_FILE" ]; then
-    echo "PPPoE settings file not found. Skipping." >> $LOGFILE
+    echo "PPPoE settings file not found. Skipping." >>$LOGFILE
 else
    # 读取pppoe信息($enable_pppoe、$pppoe_account、$pppoe_password)
    . "$SETTINGS_FILE"
@@ -57,7 +57,7 @@ elif [ "$count" -gt 1 ]; then
    # 查找对应设备的section名称
    section=$(uci show network | awk -F '[.=]' '/\.@?device\[\d+\]\.name=.br-lan.$/ {print $2; exit}')
    if [ -z "$section" ]; then
-      echo "error：cannot find device 'br-lan'." >> $LOGFILE
+        echo "error：cannot find device 'br-lan'." >>$LOGFILE
    else
        # 删除原来的ports列表
        uci -q delete "network.$section.ports"
@@ -65,7 +65,7 @@ elif [ "$count" -gt 1 ]; then
        for port in $lan_ifnames; do
            uci add_list "network.$section.ports"="$port"
        done
-      echo "ports of device 'br-lan' are update." >> $LOGFILE
+        echo "ports of device 'br-lan' are update." >>$LOGFILE
    fi
    # LAN口设置静态IP
    uci set network.lan.proto='static'
@@ -75,11 +75,11 @@ elif [ "$count" -gt 1 ]; then
    # 情况二旁路由如果是多网口设备，也应当用网关访问网页后，在自行在web网页里设置。总之大家不能直接在代码里修改旁路网关。千万不要徒增bug啦。
    uci set network.lan.ipaddr='192.168.100.1'
    uci set network.lan.netmask='255.255.255.0'
-   echo "set 192.168.100.1 at $(date)" >> $LOGFILE
+    echo "set 192.168.100.1 at $(date)" >>$LOGFILE
    # 判断是否启用 PPPoE
-   echo "print enable_pppoe value=== $enable_pppoe" >> $LOGFILE
+    echo "print enable_pppoe value=== $enable_pppoe" >>$LOGFILE
    if [ "$enable_pppoe" = "yes" ]; then
-      echo "PPPoE is enabled at $(date)" >> $LOGFILE
+        echo "PPPoE is enabled at $(date)" >>$LOGFILE
        # 设置ipv4宽带拨号信息
        uci set network.wan.proto='pppoe'
        uci set network.wan.username=$pppoe_account
@@ -88,34 +88,60 @@ elif [ "$count" -gt 1 ]; then
        uci set network.wan.auto='1'
        # 设置ipv6 默认不配置协议
        uci set network.wan6.proto='none'
-      echo "PPPoE configuration completed successfully." >> $LOGFILE
+        echo "PPPoE configuration completed successfully." >>$LOGFILE
    else
-      echo "PPPoE is not enabled. Skipping configuration." >> $LOGFILE
+        echo "PPPoE is not enabled. Skipping configuration." >>$LOGFILE
    fi
 fi
-# 添加docker zone
+# 若安装了dockerd 则设置docker的防火墙规则
-uci add firewall zone
+# 扩大docker涵盖的子网范围 '172.16.0.0/12'
-uci set firewall.@zone[-1].name='docker'
+# 方便各类docker容器的端口顺利通过防火墙 
-uci set firewall.@zone[-1].input='ACCEPT'
+if command -v dockerd >/dev/null 2>&1; then
-uci set firewall.@zone[-1].output='ACCEPT'
+    echo "检测到 Docker，正在配置防火墙规则..."
-uci set firewall.@zone[-1].forward='ACCEPT'
+    FW_FILE="/etc/config/firewall"
-uci set firewall.@zone[-1].device='docker0'
+    # 删除所有名为 docker 的 zone
-# 添加 forwarding docker -> lan
+    uci delete firewall.docker
-uci add firewall forwarding
-uci set firewall.@forwarding[-1].src='docker'
+    # 先获取所有 forwarding 索引，倒序排列删除
-uci set firewall.@forwarding[-1].dest='lan'
+    for idx in $(uci show firewall | grep "=forwarding" | cut -d[ -f2 | cut -d] -f1 | sort -rn); do
+        src=$(uci get firewall.@forwarding[$idx].src 2>/dev/null)
-# 添加 forwarding docker -> wan
+        dest=$(uci get firewall.@forwarding[$idx].dest 2>/dev/null)
-uci add firewall forwarding
+        echo "Checking forwarding index $idx: src=$src dest=$dest"
-uci set firewall.@forwarding[-1].src='docker'
+        if [ "$src" = "docker" ] || [ "$dest" = "docker" ]; then
-uci set firewall.@forwarding[-1].dest='wan'
+            echo "Deleting forwarding @forwarding[$idx]"
+            uci delete firewall.@forwarding[$idx]
-# 添加 forwarding lan -> docker
+        fi
-uci add firewall forwarding
+    done
-uci set firewall.@forwarding[-1].src='lan'
+    # 提交删除
-uci set firewall.@forwarding[-1].dest='docker'
+    uci commit firewall
+    # 追加新的 zone + forwarding 配置
+    cat <<EOF >>"$FW_FILE"
+config zone 'docker'
+  option input 'ACCEPT'
+  option output 'ACCEPT'
+  option forward 'ACCEPT'
+  option name 'docker'
+  list subnet '172.16.0.0/12'
+config forwarding
+  option src 'docker'
+  option dest 'lan'
+config forwarding
+  option src 'docker'
+  option dest 'wan'
+config forwarding
+  option src 'lan'
+  option dest 'docker'
+EOF
+else
+    echo "未检测到 Docker，跳过防火墙配置。"
+fi
 # 设置所有网口可访问网页终端
 uci delete ttyd.@ttyd[0].interface