From b573148aa787ce650408e46aa24bda8a3807cd97 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 16:08:21 +0100
Subject: [PATCH 1/9] feat: add nethsupport UI on port 8443 with automatic firewall rules
- Add support for netlsupport-specific nginx instance on port 8443
- Automatically activate/deactivate UI when don service starts/stops
- Configure firewall zone 'don' for tunDON interface
- Create firewall rule to allow port 8443 from VPN tunnel to LAN
- Refactor ns-ui script to support multiple custom ports via function
- Use same SSL certificate and backend API as main UI
When don start is executed:
- Enables port 8443 for nethsupport UI
- Creates firewall zone for tunDON interface
- Creates accept rule for port 8443 from don zone
When don stop is executed:
- Disables port 8443
- Removes firewall rules and zone
---
 packages/ns-don/files/don | 51 +++++++++++++++++++++++++++++++++
 packages/ns-ui/files/config | 2 ++
 packages/ns-ui/files/ns-ui | 37 +++++++++++++++++-------
 packages/ns-ui/files/ns-ui.init | 4 +++
 4 files changed, 84 insertions(+), 10 deletions(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index 000a7c085..bac86f9d6 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -37,6 +37,18 @@ function cleanup
 uci -q delete rpcd.ns_don
 # commit rpcd changes
 uci commit rpcd
+ # disable nethsupport UI on port 8443
+ uci set ns-ui.config.nsui_nethsupport_enable='0'
+ uci commit ns-ui
+ /usr/sbin/ns-ui
+ # Remove network and firewall configuration
+ uci -q delete network.don
+ uci commit network
+ uci -q delete firewall.ns_don_zone
+ uci -q delete firewall.ns_don_8443
+ uci -q delete firewall.ns_don_forward
+ uci commit firewall
+ /etc/init.d/firewall reload
 # destroy ubus sessions
 session=$(ubus call session list | jq -r '.ubus_rpc_session as $parent | .data.username | select(. == "nethsupport") | $parent')
 if [ "$session" != "" ]; then
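Review bot: `uci commit network` after `uci -q delete network.don` is not followed by a network reload, so netifd presumably keeps the `don` interface until something else reloads it; the start side in the next hunk has the mirror-image omission, where the new `network.don` is committed and `/etc/init.d/firewall reload` runs before netifd has loaded the interface, and since fw4 resolves a zone's `network` list through netifd the `don` zone may bind to no device on first start — confirm on a device. Adding `ubus call network reload` (or `/etc/init.d/network reload`) right after each `uci commit network` would make both paths deterministic. `cleanup` continues outside this hunk.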
@@ -175,6 +187,45 @@ EOF
 # commit rpcd changes
 uci commit rpcd
+ # Enable nethsupport UI on port 8443
+ uci set ns-ui.config.nsui_nethsupport_enable='1'
+ uci commit ns-ui
+ /usr/sbin/ns-ui
+
+ # Configure network and firewall for remote access
+ # Declare tunDON as a network interface
+ uci set network.don=interface
+ uci set network.don.proto='none'
+ uci set network.don.ifname='tunDON'
+ uci commit network
+
+ # Create zone for don network interface
+ uci set firewall.ns_don_zone=zone
+ uci set firewall.ns_don_zone.name='don'
+ uci set firewall.ns_don_zone.input='ACCEPT'
+ uci set firewall.ns_don_zone.output='ACCEPT'
+ uci set firewall.ns_don_zone.forward='ACCEPT'
+ uci del_list firewall.ns_don_zone.network 2>/dev/null || true
+ uci add_list firewall.ns_don_zone.network='don'
+
+ # Create rule to allow port 8443 from VPN network 172.29.0.0/16
+ uci set firewall.ns_don_8443=rule
+ uci set firewall.ns_don_8443.name='Allow-Nethsupport-Port-8443'
+ uci set firewall.ns_don_8443.src='don'
+ uci set firewall.ns_don_8443.dest='lan'
+ uci set firewall.ns_don_8443.proto='tcp'
+ uci set firewall.ns_don_8443.src_ip='172.29.0.0/16'
+ uci set firewall.ns_don_8443.dest_port='8443'
+ uci set firewall.ns_don_8443.target='ACCEPT'
+
+ # Create forward rule from don to lan
+ uci set firewall.ns_don_forward=forwarding
+ uci set firewall.ns_don_forward.src='don'
+ uci set firewall.ns_don_forward.dest='lan'
+
+ uci commit firewall
+ /etc/init.d/firewall reload
+
 show_credentials
 ;;
 stop)
diff --git a/packages/ns-ui/files/config b/packages/ns-ui/files/config
index e1604c8a7..948d4832d 100644
--- a/packages/ns-ui/files/config
+++ b/packages/ns-ui/files/config
@@ -4,4 +4,6 @@ config main 'config'
 option nsui_enable '1'
 option nsui_extra_port '9090'
 option nsui_extra_enable '1'
+ option nsui_nethsupport_port '8443'
+ option nsui_nethsupport_enable '0'
 option server_tokens 'on'
diff --git a/packages/ns-ui/files/ns-ui b/packages/ns-ui/files/ns-ui
index e5838e8aa..b3b6f457b 100755
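Review bot: The nethsupport listener is brought up first (`uci set ns-ui.config.nsui_nethsupport_enable='1'`, `uci commit ns-ui`, `/usr/sbin/ns-ui` restarts nginx with `listen $port ssl default_server;` on every address) while the firewall is committed and reloaded only at the end of the hunk, so port 8443 is reachable before any rule about it exists; the LAN reject rule added in patch 6 inherits the same window. Moving those three ns-ui lines to just after `/etc/init.d/firewall reload` closes it. `uci set network.don.ifname='tunDON'` uses the pre-21.02 option name; current OpenWrt releases expect `option device` on interface sections and honour `ifname` only through a legacy path, so `uci set network.don.device='tunDON'` is the safer spelling if this targets a recent base — confirm against the release used here.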
--- a/packages/ns-ui/files/ns-ui
+++ b/packages/ns-ui/files/ns-ui
@@ -27,17 +27,21 @@ else
 [ -f "$LUCI_FILE" ] && mv -f "$LUCI_FILE" "$LUCI_FILE.disabled"
 fi
-# Manage extra ns-ui instance on custom port
-nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
-nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
 crt=$(uci -q get nginx._lan.ssl_certificate)
 key=$(uci -q get nginx._lan.ssl_certificate_key)
 server_tokens=$(uci -q get ns-ui.config.server_tokens)
-if [[ "$nsui_extra_enable" == "1" && "$nsui_extra_port" != "" ]]; then
- cat < "$NSUI_EXTRA_FILE"
+
+# Function to generate extra ns-ui instances on custom ports
+generate_extra_instance() {
+ local enable=$1
+ local port=$2
+ local config_file=$3
+
+ if [[ "$enable" == "1" && "$port" != "" ]]; then
+ cat < "$config_file"
 server {
- listen $nsui_extra_port ssl default_server;
- listen [::]:$nsui_extra_port ssl default_server;
+ listen $port ssl default_server;
+ listen [::]:$port ssl default_server;
 server_name _lan;
 ssl_certificate $crt;
 ssl_certificate_key $key;
@@ -62,9 +66,22 @@ server {
 }
 }
 EOF
-else
- rm -f "$NSUI_EXTRA_FILE" || :
-fi
+ else
+ rm -f "$config_file" || :
+ fi
+}
+
+# Manage extra ns-ui instance on custom port (default 9090)
+nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
+nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
+NSUI_EXTRA_FILE=/etc/nginx/conf.d/ns-ui.conf
+generate_extra_instance "$nsui_extra_enable" "$nsui_extra_port" "$NSUI_EXTRA_FILE"
+
+# Manage nethsupport instance on port 8443
+nsui_nethsupport_enable=$(uci -q get ns-ui.config.nsui_nethsupport_enable)
+nsui_nethsupport_port=$(uci -q get ns-ui.config.nsui_nethsupport_port)
+NSUI_NETHSUPPORT_FILE=/etc/nginx/conf.d/ns-ui-nethsupport.conf
+generate_extra_instance "$nsui_nethsupport_enable" "$nsui_nethsupport_port" "$NSUI_NETHSUPPORT_FILE"
 if /usr/sbin/nginx -c /etc/nginx/uci.conf -T &> /dev/null ; then
 /etc/init.d/nginx restart
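Review bot: `generate_extra_instance` only checks that `port` is non-empty before interpolating it into the two `listen` directives, so a malformed `nsui_nethsupport_port` or `nsui_extra_port` value produces a config that fails the `nginx -T` check in the second hunk and, as far as that hunk shows, skips the restart for every instance at once. Tightening the guard to `if [[ "$enable" == "1" && "$port" =~ ^[0-9]+$ ]]; then` keeps one bad value from taking the other listeners with it. Both generated files also carry `server_name _lan;` and `default_server`, which is fine on distinct ports but deserves a comment saying the instances are meant to be identical apart from the port. The `cat <` on the added line reads as a mangled heredoc redirection in this rendering; the function body continues into the second hunk.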
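Review bot: `NSUI_EXTRA_FILE=/etc/nginx/conf.d/ns-ui.conf` is assigned here although the removed line `- cat < "$NSUI_EXTRA_FILE"` in the first hunk used that variable without defining it, which points to an earlier definition above line 27 that this hunk now duplicates; if so, keep only one so the path cannot drift. Nothing in this file shows who flips `nsui_nethsupport_enable`, so a one-line comment above the nethsupport block, `# toggled by don start/stop; when disabled the config file is removed and nginx stops listening on the port`, would spare the next reader a search across packages.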
diff --git a/packages/ns-ui/files/ns-ui.init b/packages/ns-ui/files/ns-ui.init
index 309012698..702b91841 100644
--- a/packages/ns-ui/files/ns-ui.init
+++ b/packages/ns-ui/files/ns-ui.init
@@ -17,6 +17,10 @@ start_service() {
 procd_close_instance
 }
+reload_service() {
+ /usr/sbin/ns-ui
+}
+
 service_triggers() {
 procd_add_reload_trigger ns-ui
From 417318ae6bedf3557e4e6ac009ca0543e4e12f39 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 16:34:28 +0100
Subject: [PATCH 2/9] refactor: remove reload_service from ns-ui init script
Since we now call /usr/sbin/ns-ui directly in the don script, we no longer need the reload_service() function in the init script. This simplifies the code and avoids an unnecessary layer of indirection.
---
 packages/ns-ui/files/ns-ui.init | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/packages/ns-ui/files/ns-ui.init b/packages/ns-ui/files/ns-ui.init
index 702b91841..309012698 100644
--- a/packages/ns-ui/files/ns-ui.init
+++ b/packages/ns-ui/files/ns-ui.init
@@ -17,10 +17,6 @@ start_service() {
 procd_close_instance
 }
-reload_service() {
- /usr/sbin/ns-ui
-}
-
 service_triggers() {
 procd_add_reload_trigger ns-ui
From 28be044d32ef57f1d928e6d3df3032e1064c09f9 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 16:58:24 +0100
Subject: [PATCH 3/9] fix: add port 8443 to don nftables input rule
---
 packages/ns-don/files/20-don.nft | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/ns-don/files/20-don.nft b/packages/ns-don/files/20-don.nft
index 3d39b8a7d..51f2d87c7 100644
--- a/packages/ns-don/files/20-don.nft
+++ b/packages/ns-don/files/20-don.nft
@@ -1 +1 @@
-iifname "tunDON" tcp dport {981,9090,443,19999} counter accept comment ns-allow-don
+iifname "tunDON" tcp dport {981,9090,443,8443,19999} counter accept comment ns-allow-don
From 34f946defe489ba825206ea4559f1eebaac5a5e0 Mon Sep 17 00:00:00 2001
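Review bot: With 8443 added to this set, `20-don.nft` accepts the port from `tunDON` with no source-address condition, while the UCI rule `ns_don_8443` from the first patch (narrowed in patches 4 and 5) accepts it only from `172.29.0.0/16`; whichever chain is evaluated first decides, and if this include runs ahead of the zone rules the `src_ip` restriction is presumably never consulted. Express the policy in one place — either drop 8443 from this set and rely on the UCI rule, or keep this line and delete `ns_don_8443` — and add a comment in the other file naming which one is authoritative, e.g. `# 8443 for tunDON is governed by 20-don.nft, not by the don zone`. It is also worth checking whether the `input='REJECT'` policy on the `don` zone from patch 5 is ever reached for 981, 9090, 443 and 19999 given this unconditional accept.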
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:06:04 +0100
Subject: [PATCH 4/9] fix: update firewall rules to allow input on port 8443 from VPN network
---
 packages/ns-don/files/don | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index bac86f9d6..af28e86bd 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -208,17 +208,16 @@ EOF
 uci del_list firewall.ns_don_zone.network 2>/dev/null || true
 uci add_list firewall.ns_don_zone.network='don'
- # Create rule to allow port 8443 from VPN network 172.29.0.0/16
+ # Create input rule to allow port 8443 from VPN network 172.29.0.0/16
 uci set firewall.ns_don_8443=rule
 uci set firewall.ns_don_8443.name='Allow-Nethsupport-Port-8443'
 uci set firewall.ns_don_8443.src='don'
- uci set firewall.ns_don_8443.dest='lan'
 uci set firewall.ns_don_8443.proto='tcp'
 uci set firewall.ns_don_8443.src_ip='172.29.0.0/16'
 uci set firewall.ns_don_8443.dest_port='8443'
 uci set firewall.ns_don_8443.target='ACCEPT'
- # Create forward rule from don to lan
+ # Create forward rule from don to lan (for general traffic)
 uci set firewall.ns_don_forward=forwarding
 uci set firewall.ns_don_forward.src='don'
 uci set firewall.ns_don_forward.dest='lan'
From eda4027ae756844e28338638cf13e5fe2ca506cc Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:14:39 +0100
Subject: [PATCH 5/9] fix: restrict firewall zone input to REJECT by default, only allow 8443 from VPN
---
 packages/ns-don/files/don | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index af28e86bd..04f4a75fc 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -202,7 +202,7 @@ EOF
 # Create zone for don network interface
 uci set firewall.ns_don_zone=zone
 uci set firewall.ns_don_zone.name='don'
- uci set firewall.ns_don_zone.input='ACCEPT'
+ uci set firewall.ns_don_zone.input='REJECT'
 uci set firewall.ns_don_zone.output='ACCEPT'
 uci set firewall.ns_don_zone.forward='ACCEPT'
 uci del_list firewall.ns_don_zone.network 2>/dev/null || true
From 0c1cdae3e63e1328dcfd0e2d83a47a69f06ea5b7 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:19:57 +0100
Subject: [PATCH 6/9] fix: block access to port 8443 from LAN and WAN, allowing only VPN access
---
 packages/ns-don/files/don | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index 04f4a75fc..ddaabe5c2 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -46,6 +46,8 @@ function cleanup
 uci commit network
 uci -q delete firewall.ns_don_zone
 uci -q delete firewall.ns_don_8443
+ uci -q delete firewall.block_8443_lan
+ uci -q delete firewall.block_8443_wan
 uci -q delete firewall.ns_don_forward
 uci commit firewall
 /etc/init.d/firewall reload
@@ -217,6 +219,22 @@ EOF
 uci set firewall.ns_don_8443.dest_port='8443'
 uci set firewall.ns_don_8443.target='ACCEPT'
+ # Block port 8443 from LAN (only accessible from VPN)
+ uci set firewall.block_8443_lan=rule
+ uci set firewall.block_8443_lan.name='Block-Port-8443-from-LAN'
+ uci set firewall.block_8443_lan.src='lan'
+ uci set firewall.block_8443_lan.proto='tcp'
+ uci set firewall.block_8443_lan.dest_port='8443'
+ uci set firewall.block_8443_lan.target='REJECT'
+
+ # Block port 8443 from WAN (only accessible from VPN)
+ uci set firewall.block_8443_wan=rule
+ uci set firewall.block_8443_wan.name='Block-Port-8443-from-WAN'
+ uci set firewall.block_8443_wan.src='wan'
+ uci set firewall.block_8443_wan.proto='tcp'
+ uci set firewall.block_8443_wan.dest_port='8443'
+ uci set firewall.block_8443_wan.target='REJECT'
+
 # Create forward rule from don to lan (for general traffic)
 uci set firewall.ns_don_forward=forwarding
 uci set firewall.ns_don_forward.src='don'
From 99300f87c7bafe1de90bf81ea2104fde305873ae Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:27:21 +0100
Subject: [PATCH 7/9] fix: remove redundant WAN block for port 8443, only block from LAN
---
 packages/ns-don/files/don | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index ddaabe5c2..e25cfb6c2 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -47,7 +47,6 @@ function cleanup
 uci -q delete firewall.ns_don_zone
 uci -q delete firewall.ns_don_8443
 uci -q delete firewall.block_8443_lan
- uci -q delete firewall.block_8443_wan
 uci -q delete firewall.ns_don_forward
 uci commit firewall
 /etc/init.d/firewall reload
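Review bot: `block_8443_lan` rejects the port only for `src='lan'`, so any other zone whose input policy is ACCEPT (a guest zone, another VPN zone, whatever this firewall happens to define) still reaches the listener; the comment added in patch 7, `# Note: WAN already rejects all input by default`, rests on the same zone-by-zone assumption. A restriction that does not depend on enumerating zones would be more robust — the nethsupport server block in `ns-ui` could carry `allow 172.29.0.0/16; deny all;` so the policy travels with the listener, which would mean giving `generate_extra_instance` an optional allowed-source argument. If the base firewall already defaults every non-lan zone to REJECT, stating that in a comment here makes the assumption reviewable. The `start` branch continues outside this hunk.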
@@ -220,6 +219,7 @@ EOF
 uci set firewall.ns_don_8443.target='ACCEPT'
 # Block port 8443 from LAN (only accessible from VPN)
+ # Note: WAN already rejects all input by default, so no need to block 8443 there
 uci set firewall.block_8443_lan=rule
 uci set firewall.block_8443_lan.name='Block-Port-8443-from-LAN'
 uci set firewall.block_8443_lan.src='lan'
@@ -227,14 +227,6 @@ EOF
 uci set firewall.block_8443_lan.dest_port='8443'
 uci set firewall.block_8443_lan.target='REJECT'
- # Block port 8443 from WAN (only accessible from VPN)
- uci set firewall.block_8443_wan=rule
- uci set firewall.block_8443_wan.name='Block-Port-8443-from-WAN'
- uci set firewall.block_8443_wan.src='wan'
- uci set firewall.block_8443_wan.proto='tcp'
- uci set firewall.block_8443_wan.dest_port='8443'
- uci set firewall.block_8443_wan.target='REJECT'
-
 # Create forward rule from don to lan (for general traffic)
 uci set firewall.ns_don_forward=forwarding
 uci set firewall.ns_don_forward.src='don'
From a2c2e53e1619bb2bd466c2ed9eedd55fd4baa561 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:35:28 +0100
Subject: [PATCH 8/9] refactor: remove forward rule, restrict access to port 8443 only
---
 packages/ns-don/files/don | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index e25cfb6c2..117ff8220 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -47,7 +47,6 @@ function cleanup
 uci -q delete firewall.ns_don_zone
 uci -q delete firewall.ns_don_8443
 uci -q delete firewall.block_8443_lan
- uci -q delete firewall.ns_don_forward
 uci commit firewall
 /etc/init.d/firewall reload
 # destroy ubus sessions
@@ -227,11 +226,6 @@ EOF
 uci set firewall.block_8443_lan.dest_port='8443'
 uci set firewall.block_8443_lan.target='REJECT'
- # Create forward rule from don to lan (for general traffic)
- uci set firewall.ns_don_forward=forwarding
- uci set firewall.ns_don_forward.src='don'
- uci set firewall.ns_don_forward.dest='lan'
-
 uci commit firewall
 /etc/init.d/firewall reload
From 7fb5f2e6caf00abe9f68837de3627ec1872ed142 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 9 Mar 2026 17:48:52 +0100
Subject: [PATCH 9/9] fix: suppress firewall reload output in cleanup and configuration functions
---
 packages/ns-don/files/don | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index 117ff8220..324184e65 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -48,7 +48,7 @@ function cleanup
 uci -q delete firewall.ns_don_8443
 uci -q delete firewall.block_8443_lan
 uci commit firewall
- /etc/init.d/firewall reload
+ /etc/init.d/firewall reload &> /dev/null
 # destroy ubus sessions
 session=$(ubus call session list | jq -r '.ubus_rpc_session as $parent | .data.username | select(. == "nethsupport") | $parent')
 if [ "$session" != "" ]; then
@@ -227,7 +227,7 @@ EOF
 uci set firewall.block_8443_lan.target='REJECT'
 uci commit firewall
- /etc/init.d/firewall reload
+ /etc/init.d/firewall reload &> /dev/null
 show_credentials
 ;;
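Review bot: `&> /dev/null` on `/etc/init.d/firewall reload` discards stderr along with stdout, so a reload that fails (fw4 refusing the generated ruleset, for instance) presumably leaves the previous ruleset in place with no trace, and on the start side that means 8443 is already listening while `block_8443_lan` was never applied; the second hunk makes the identical change. Keep stdout quiet but surface failure, e.g. `/etc/init.d/firewall reload > /dev/null || logger -t don "firewall reload failed"`, or route the output through `2>&1 | logger -t don` so it lands in the system log instead of vanishing. `&>` is a bashism, which is consistent with the `function cleanup` syntax already in the file, so no portability concern there.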