feat: add nethsupport UI on port 8443 with automatic firewall rules

packages/ns-don/files/20-don.nft

@@ -1 +1 @@
-iifname "tunDON" tcp dport {981,9090,443,19999} counter accept comment ns-allow-don
+iifname "tunDON" tcp dport {981,9090,443,8443,19999} counter accept comment ns-allow-don

packages/ns-don/files/don

@@ -37,6 +37,18 @@ function cleanup
     uci -q delete rpcd.ns_don
     # commit rpcd changes
     uci commit rpcd
+    # disable nethsupport UI on port 8443
+    uci set ns-ui.config.nsui_nethsupport_enable='0'
+    uci commit ns-ui
+    /usr/sbin/ns-ui
+    # Remove network and firewall configuration
+    uci -q delete network.don
+    uci commit network
+    uci -q delete firewall.ns_don_zone
+    uci -q delete firewall.ns_don_8443
+    uci -q delete firewall.block_8443_lan
+    uci commit firewall
+    /etc/init.d/firewall reload &> /dev/null
     # destroy ubus sessions
     session=$(ubus call session list | jq -r '.ubus_rpc_session as $parent | .data.username | select(. == "nethsupport") | $parent')
     if [ "$session" != "" ]; then
@@ -175,6 +187,48 @@ EOF
     # commit rpcd changes
     uci commit rpcd
 
+    # Enable nethsupport UI on port 8443
+    uci set ns-ui.config.nsui_nethsupport_enable='1'
+    uci commit ns-ui
+    /usr/sbin/ns-ui
+
+    # Configure network and firewall for remote access
+    # Declare tunDON as a network interface
+    uci set network.don=interface
+    uci set network.don.proto='none'
+    uci set network.don.ifname='tunDON'
+    uci commit network
+
+    # Create zone for don network interface
+    uci set firewall.ns_don_zone=zone
+    uci set firewall.ns_don_zone.name='don'
+    uci set firewall.ns_don_zone.input='REJECT'
+    uci set firewall.ns_don_zone.output='ACCEPT'
+    uci set firewall.ns_don_zone.forward='ACCEPT'
+    uci del_list firewall.ns_don_zone.network 2>/dev/null || true
+    uci add_list firewall.ns_don_zone.network='don'
+
+    # Create input rule to allow port 8443 from VPN network 172.29.0.0/16
+    uci set firewall.ns_don_8443=rule
+    uci set firewall.ns_don_8443.name='Allow-Nethsupport-Port-8443'
+    uci set firewall.ns_don_8443.src='don'
+    uci set firewall.ns_don_8443.proto='tcp'
+    uci set firewall.ns_don_8443.src_ip='172.29.0.0/16'
+    uci set firewall.ns_don_8443.dest_port='8443'
+    uci set firewall.ns_don_8443.target='ACCEPT'
+
+    # Block port 8443 from LAN (only accessible from VPN)
+    # Note: WAN already rejects all input by default, so no need to block 8443 there
+    uci set firewall.block_8443_lan=rule
+    uci set firewall.block_8443_lan.name='Block-Port-8443-from-LAN'
+    uci set firewall.block_8443_lan.src='lan'
+    uci set firewall.block_8443_lan.proto='tcp'
+    uci set firewall.block_8443_lan.dest_port='8443'
+    uci set firewall.block_8443_lan.target='REJECT'
+
+    uci commit firewall
+    /etc/init.d/firewall reload &> /dev/null
+
     show_credentials
 ;;
 stop)

packages/ns-ui/files/config

@@ -4,4 +4,6 @@ config main 'config'
 	option nsui_enable '1'
 	option nsui_extra_port '9090'
 	option nsui_extra_enable '1'
+	option nsui_nethsupport_port '8443'
+	option nsui_nethsupport_enable '0'
 	option server_tokens 'on'

packages/ns-ui/files/ns-ui

@@ -27,17 +27,21 @@ else
     [ -f "$LUCI_FILE" ] && mv -f "$LUCI_FILE" "$LUCI_FILE.disabled"
 fi
 
-# Manage extra ns-ui instance on custom port
-nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
-nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
 crt=$(uci -q get nginx._lan.ssl_certificate)
 key=$(uci -q get nginx._lan.ssl_certificate_key)
 server_tokens=$(uci -q get ns-ui.config.server_tokens)
-if [[ "$nsui_extra_enable" == "1" && "$nsui_extra_port" != "" ]]; then
-    cat <<EOF > "$NSUI_EXTRA_FILE"
+
+# Function to generate extra ns-ui instances on custom ports
+generate_extra_instance() {
+    local enable=$1
+    local port=$2
+    local config_file=$3
+
+    if [[ "$enable" == "1" && "$port" != "" ]]; then
+        cat <<EOF > "$config_file"
 server {
-	listen $nsui_extra_port ssl default_server;
-	listen [::]:$nsui_extra_port ssl default_server;
+	listen $port ssl default_server;
+	listen [::]:$port ssl default_server;
 	server_name _lan;
 	ssl_certificate $crt;
 	ssl_certificate_key $key;
@@ -62,9 +66,22 @@ server {
 	}
 }
 EOF
-else
-    rm -f "$NSUI_EXTRA_FILE" ||  :
-fi
+    else
+        rm -f "$config_file" || :
+    fi
+}
+
+# Manage extra ns-ui instance on custom port (default 9090)
+nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
+nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
+NSUI_EXTRA_FILE=/etc/nginx/conf.d/ns-ui.conf
+generate_extra_instance "$nsui_extra_enable" "$nsui_extra_port" "$NSUI_EXTRA_FILE"
+
+# Manage nethsupport instance on port 8443
+nsui_nethsupport_enable=$(uci -q get ns-ui.config.nsui_nethsupport_enable)
+nsui_nethsupport_port=$(uci -q get ns-ui.config.nsui_nethsupport_port)
+NSUI_NETHSUPPORT_FILE=/etc/nginx/conf.d/ns-ui-nethsupport.conf
+generate_extra_instance "$nsui_nethsupport_enable" "$nsui_nethsupport_port" "$NSUI_NETHSUPPORT_FILE"
 
 if /usr/sbin/nginx -c /etc/nginx/uci.conf -T &> /dev/null ; then
     /etc/init.d/nginx restart