packages/fff: drop redundant PKG_BUILD_DIR

PKG_BUILD_DIR has the following default values set in include/package.mk,
in case no BUILD_VARIANT is set:

With PKG_VERSION set: $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
Without PKG_VERSION:  $(BUILD_DIR)/$(PKG_NAME)

Consequently, all PKG_BUILD_DIR definitions in our packages are
redundant. Remove them.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>

README.md

@@ -8,7 +8,7 @@ Weitere Informationen gibt es auf <https://freifunk.net/> und auf <https://wiki.
 
 # Firmware selbst kompilieren
 ## Voraussetzungen
-* `apt-get install zlib1g-dev lua5.2 build-essential unzip libncurses-dev gawk git subversion realpath libssl-dev` (Sicherlich müssen noch mehr Abhängigkeiten installiert werden, diese Liste wird sich hoffentlich nach und nach füllen. Ein erster Ansatzpunkt sind die Abhängigkeiten von OpenWrt selbst)
+* `apt-get install zlib1g-dev lua5.2 build-essential unzip libncurses-dev gawk git subversion libssl-dev` (Sicherlich müssen noch mehr Abhängigkeiten installiert werden, diese Liste wird sich hoffentlich nach und nach füllen. Ein erster Ansatzpunkt sind die Abhängigkeiten von OpenWrt selbst)
 * `git clone https://git.freifunk-franken.de/freifunk-franken/firmware.git`
 * `cd firmware`
 

bsp/default/root_file_system/etc/profile

@@ -13,6 +13,9 @@ export HOME=${HOME:-/root}
 [ -x /usr/bin/arp ] || arp() { cat /proc/net/arp; }
 [ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }
 
+# update uhttpd passwd on passwd-change
+[ -e /etc/rc.d/S50uhttpd ] && passwd() { /bin/passwd && /etc/init.d/uhttpd restart; }
+
 # I'm lazy, let's add some aliases
 alias ..='cd ..'
 alias ...='cd ../..'
@@ -22,4 +25,4 @@ alias ll='ls -alF'
 alias ls='ls --color=auto'
 
 # and color my prompt
-export PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+export PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

build_patches/openwrt/0006-vxlan-add-extra-config-options.patch

@@ -0,0 +1,90 @@
+From: Hans Dedecker <dedeckeh@gmail.com>
+Date: Mon, 14 Sep 2020 21:55:01 +0200
+Subject: vxlan: add extra config options
+
+Add config options:
+  srcportmin/srcportmax : range of port numbers to use as  UDP source ports
+                          to communicate to the remote VXLAN tunnel endpoint
+  ageing                : lifetime in seconds of FDB entries learnt by the kernel
+  maxaddress            : maximum number of FDB entries
+  learning              : enable/disable entering unknown source link layer addresses
+                          and IP addresses into the VXLAN device FDB.
+  rsc                   : enable/disable route short circuit
+  proxy                 : enable/disable ARP proxy
+  l2miss                : enable/disable netlink LLADDR miss notifications
+  l3miss                : enable/disable netlink IP ADDR miss notifications
+  gbp                   : enable/disable the Group Policy extension
+
+Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
+(cherry picked from commit 036221ce5a899eb99ef1c1623fc9460af00a69e7)
+
+diff --git a/package/network/config/vxlan/Makefile b/package/network/config/vxlan/Makefile
+index 7232f71b45e6f72f2c62a245ad44cb9ade144f52..eb053bf1118dd300db549906bfd474a19f5e3752 100644
+--- a/package/network/config/vxlan/Makefile
++++ b/package/network/config/vxlan/Makefile
+@@ -1,7 +1,7 @@
+ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=vxlan
+-PKG_RELEASE:=4
++PKG_RELEASE:=5
+ PKG_LICENSE:=GPL-2.0
+ 
+ include $(INCLUDE_DIR)/package.mk
+diff --git a/package/network/config/vxlan/files/vxlan.sh b/package/network/config/vxlan/files/vxlan.sh
+index d063c47d47d0f4e339b21e97f4e25f55a33c0497..8b3a0a53d47c675fcf89981061a250b5f526df3e 100755
+--- a/package/network/config/vxlan/files/vxlan.sh
++++ b/package/network/config/vxlan/files/vxlan.sh
+@@ -59,8 +59,8 @@ vxlan_generic_setup() {
+ 
+ 	local link="$cfg"
+ 
+-	local port vid ttl tos mtu macaddr zone rxcsum txcsum
+-	json_get_vars port vid ttl tos mtu macaddr zone rxcsum txcsum
++	local port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning proxy l2miss l3miss gbp
++	json_get_vars port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning proxy l2miss l3miss gbp
+ 
+ 	proto_init_update "$link" 1
+ 
+@@ -78,9 +78,20 @@ vxlan_generic_setup() {
+ 	json_add_object 'data'
+ 	[ -n "$port" ] && json_add_int port "$port"
+ 	[ -n "$vid" ] && json_add_int id "$vid"
++	[ -n "$srcportmin" ] && json_add_int srcportmin "$srcportmin"
++	[ -n "$srcportmax" ] && json_add_int srcportmax "$srcportmax"
++	[ -n "$ageing" ] && json_add_int ageing "$ageing"
++	[ -n "$maxaddress" ] && json_add_int maxaddress "$maxaddress"
+ 	[ -n "$macaddr" ] && json_add_string macaddr "$macaddr"
+ 	[ -n "$rxcsum" ] && json_add_boolean rxcsum "$rxcsum"
+ 	[ -n "$txcsum" ] && json_add_boolean txcsum "$txcsum"
++	[ -n "$learning" ] && json_add_boolean learning "$learning"
++	[ -n "$rsc" ] && json_add_boolean rsc "$rsc"
++	[ -n "$proxy" ] && json_add_boolean proxy "$proxy"
++	[ -n "$l2miss" ] && json_add_boolean l2miss "$l2miss"
++	[ -n "$l3miss" ] && json_add_boolean l3miss "$l3miss"
++	[ -n "$gbp" ] && json_add_boolean gbp "$gbp"
++
+ 	json_close_object
+ 
+ 	proto_close_tunnel
+@@ -163,9 +174,20 @@ vxlan_generic_init_config() {
+ 	proto_config_add_int "ttl"
+ 	proto_config_add_int "tos"
+ 	proto_config_add_int "mtu"
++	proto_config_add_int "srcportmin"
++	proto_config_add_int "srcportmax"
++	proto_config_add_int "ageing"
++	proto_config_add_int "maxaddress"
+ 	proto_config_add_boolean "rxcsum"
+ 	proto_config_add_boolean "txcsum"
++	proto_config_add_boolean "learning"
++	proto_config_add_boolean "rsc"
++	proto_config_add_boolean "proxy"
++	proto_config_add_boolean "l2miss"
++	proto_config_add_boolean "l3miss"
++	proto_config_add_boolean "gbp"
+ 	proto_config_add_string "macaddr"
++
+ }
+ 
+ proto_vxlan_init_config() {

build_patches/openwrt/0007-vxlan-fix-rsc-config-option.patch

@@ -0,0 +1,37 @@
+From: Hans Dedecker <dedeckeh@gmail.com>
+Date: Thu, 24 Sep 2020 22:04:39 +0200
+Subject: vxlan: fix rsc config option
+
+Fix route short circuit config option; fixes commit 036221ce5a899eb99ef1c1623fc9460af00a69e7
+
+Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
+(cherry picked from commit ad3044c424510668dd318c6a48c0b56bfba3c2da)
+
+diff --git a/package/network/config/vxlan/Makefile b/package/network/config/vxlan/Makefile
+index eb053bf1118dd300db549906bfd474a19f5e3752..0b4d6713f9e1cfcad9f4c94272f8dc9192b7f3b4 100644
+--- a/package/network/config/vxlan/Makefile
++++ b/package/network/config/vxlan/Makefile
+@@ -1,7 +1,7 @@
+ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=vxlan
+-PKG_RELEASE:=5
++PKG_RELEASE:=6
+ PKG_LICENSE:=GPL-2.0
+ 
+ include $(INCLUDE_DIR)/package.mk
+diff --git a/package/network/config/vxlan/files/vxlan.sh b/package/network/config/vxlan/files/vxlan.sh
+index 8b3a0a53d47c675fcf89981061a250b5f526df3e..5c1c484c47f7fb48f1cb705b200d589df77a60f6 100755
+--- a/package/network/config/vxlan/files/vxlan.sh
++++ b/package/network/config/vxlan/files/vxlan.sh
+@@ -59,8 +59,8 @@ vxlan_generic_setup() {
+ 
+ 	local link="$cfg"
+ 
+-	local port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning proxy l2miss l3miss gbp
+-	json_get_vars port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning proxy l2miss l3miss gbp
++	local port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning rsc proxy l2miss l3miss gbp
++	json_get_vars port vid ttl tos mtu macaddr zone rxcsum txcsum srcportmin srcportmax ageing maxaddress learning rsc proxy l2miss l3miss gbp
+ 
+ 	proto_init_update "$link" 1
+ 

build_patches/openwrt/0008-vxlan-allow-for-dynamic-source-ip-selection-FS-3426.patch

@@ -0,0 +1,101 @@
+From: Johannes Kimmel <fff@bareminimum.eu>
+Date: Tue, 15 Dec 2020 00:31:52 +0100
+Subject: vxlan: allow for dynamic source ip selection (FS#3426)
+
+By setting 'auto', the zero address or the empty string as source
+address (option ipaddr, option ip6addr), vxlan will choose one
+dynamically. This helps in setups where a wan ip or prefix changes.
+
+This corresponse to setting up an vxlan tunnel with:
+
+proto vxlan6:
+    # ip link add vx0 type vxlan id ID local :: ...
+proto vxlan:
+    # ip link add vx0 type vxlan id ID local 0.0.0.0 ...
+
+While it is possible to not specify a source ip at all, the kernel will
+default to setting up a ipv4 tunnel. The kernel will take any hint from
+source and peer ips to figure out, what tunnel type to use. To make sure
+we setup an ipv6 tunnel for proto vxlan6, this workaround is needed.
+
+This will not change the behaviour of currently working configurations.
+However this will allow former broken configurations, namely those not
+specifying both a source address and tunnel interface, to setup a
+tunnel interface. Previously those configurations weren't reporting an
+error and were stueck in a setup loop like in Bug FS#3426.
+
+This change lifts the currently very strict behaviour and should fix the
+following bug:
+
+Fixes: FS#3426
+Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426
+
+Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
+(cherry picked from commit 3f5619f259de42af4404e0e36d11df4adcef9f5e)
+
+diff --git a/package/network/config/vxlan/Makefile b/package/network/config/vxlan/Makefile
+index 0b4d6713f9e1cfcad9f4c94272f8dc9192b7f3b4..97972d6d85bddc56d1575088d3966ae6899f06da 100644
+--- a/package/network/config/vxlan/Makefile
++++ b/package/network/config/vxlan/Makefile
+@@ -1,7 +1,7 @@
+ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=vxlan
+-PKG_RELEASE:=6
++PKG_RELEASE:=7
+ PKG_LICENSE:=GPL-2.0
+ 
+ include $(INCLUDE_DIR)/package.mk
+diff --git a/package/network/config/vxlan/files/vxlan.sh b/package/network/config/vxlan/files/vxlan.sh
+index 5c1c484c47f7fb48f1cb705b200d589df77a60f6..a087c4a3ce2ca42a6b8d43b2254d0ea7379c0936 100755
+--- a/package/network/config/vxlan/files/vxlan.sh
++++ b/package/network/config/vxlan/files/vxlan.sh
+@@ -114,18 +114,11 @@ proto_vxlan_setup() {
+ 
+ 	( proto_add_host_dependency "$cfg" '' "$tunlink" )
+ 
+-	[ -z "$ipaddr" ] && {
+-		local wanif="$tunlink"
+-		if [ -z "$wanif" ] && ! network_find_wan wanif; then
+-			proto_notify_error "$cfg" "NO_WAN_LINK"
+-			exit
+-		fi
+-
+-		if ! network_get_ipaddr ipaddr "$wanif"; then
+-			proto_notify_error "$cfg" "NO_WAN_LINK"
+-			exit
+-		fi
+-	}
++	case "$ipaddr" in
++		"auto"|"")
++			ipaddr="0.0.0.0"
++			;;
++	esac
+ 
+ 	vxlan_generic_setup "$cfg" 'vxlan' "$ipaddr" "$peeraddr"
+ }
+@@ -138,18 +131,12 @@ proto_vxlan6_setup() {
+ 
+ 	( proto_add_host_dependency "$cfg" '' "$tunlink" )
+ 
+-	[ -z "$ip6addr" ] && {
+-		local wanif="$tunlink"
+-		if [ -z "$wanif" ] && ! network_find_wan6 wanif; then
+-			proto_notify_error "$cfg" "NO_WAN_LINK"
+-			exit
+-		fi
+-
+-		if ! network_get_ipaddr6 ip6addr "$wanif"; then
+-			proto_notify_error "$cfg" "NO_WAN_LINK"
+-			exit
+-		fi
+-	}
++	case "$ip6addr" in
++		"auto"|"")
++			# ensure tunnel via ipv6
++			ip6addr="::"
++			;;
++	esac
+ 
+ 	vxlan_generic_setup "$cfg" 'vxlan6' "$ip6addr" "$peer6addr"
+ }

build_patches/openwrt/0009-netifd-backport-vxlan-patches.patch

@@ -0,0 +1,324 @@
+From: Johannes Kimmel <fff@bareminimum.eu>
+Date: Fri, 1 Jan 2021 09:55:25 +0100
+Subject: netifd: backport vxlan patches
+
+Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
+[refresh patches]
+Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
+
+diff --git a/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch b/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..0b803aca8bebe33ad47f7e441bc9aa36d42b0aea
+--- /dev/null
++++ b/package/network/config/netifd/patches/0001-netifd-vxlan-handle-srcport-range.patch
+@@ -0,0 +1,89 @@
++From a3c033e2afc289672e0ed4b8d8a835d509715af8 Mon Sep 17 00:00:00 2001
++From: Johannes Kimmel <fff@bareminimum.eu>
++Date: Fri, 4 Sep 2020 04:59:40 +0200
++Subject: [PATCH 1/4] netifd: vxlan: handle srcport range
++
++This adds adds the ability to set the source port range for vxlan
++interfaces.
++
++By default vxlans will use a random port within the ephermal range as
++source ports for packets. This is done to aid scaleability within a
++datacenter.
++
++But with these defaults it's impossible to punch through NATs or
++traverese most stateful firewalls easily. One solution is to fix the
++srcport to the same as dstport.
++
++If only srcportmin is specified, then srcportmax is set in a way that
++outgoing packets will only use srcportmin.
++
++If a range is to be specified, srcportmin and srcportmax have to be
++specified. srcportmax is exclusive.
++
++If only srcportmax is specified, the value is ignored and defaults are
++used.
++
++Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
++---
++ system-linux.c | 26 ++++++++++++++++++++++++++
++ system.c       |  2 ++
++ system.h       |  2 ++
++ 3 files changed, 30 insertions(+)
++
++--- a/system-linux.c
+++++ b/system-linux.c
++@@ -3062,6 +3062,32 @@ static int system_add_vxlan(const char *
++ 	}
++ 	nla_put_u16(msg, IFLA_VXLAN_PORT, htons(port));
++ 
+++	if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMIN])) {
+++		struct ifla_vxlan_port_range srcports = {0,0};
+++
+++		uint32_t low = blobmsg_get_u32(cur);
+++		if (low < 1 || low > 65535 - 1) {
+++			ret = -EINVAL;
+++			goto failure;
+++		}
+++
+++		srcports.low = htons((uint16_t) low);
+++		srcports.high = htons((uint16_t) (low+1));
+++
+++		if ((cur = tb_data[VXLAN_DATA_ATTR_SRCPORTMAX])) {
+++			uint32_t high = blobmsg_get_u32(cur);
+++			if (high < 1 || high > 65535) {
+++				ret = -EINVAL;
+++				goto failure;
+++			}
+++
+++			if (high > low)
+++				srcports.high = htons((uint16_t) high);
+++		}
+++
+++		nla_put(msg, IFLA_VXLAN_PORT_RANGE, sizeof(srcports), &srcports);
+++	}
+++
++ 	if ((cur = tb_data[VXLAN_DATA_ATTR_RXCSUM])) {
++ 		bool rxcsum = blobmsg_get_bool(cur);
++ 		nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, !rxcsum);
++--- a/system.c
+++++ b/system.c
++@@ -38,6 +38,8 @@ static const struct blobmsg_policy vxlan
++ 	[VXLAN_DATA_ATTR_MACADDR] = { .name = "macaddr", .type = BLOBMSG_TYPE_STRING },
++ 	[VXLAN_DATA_ATTR_RXCSUM] = { .name = "rxcsum", .type = BLOBMSG_TYPE_BOOL },
++ 	[VXLAN_DATA_ATTR_TXCSUM] = { .name = "txcsum", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_SRCPORTMIN] = { .name = "srcportmin", .type = BLOBMSG_TYPE_INT32 },
+++	[VXLAN_DATA_ATTR_SRCPORTMAX] = { .name = "srcportmax", .type = BLOBMSG_TYPE_INT32 },
++ };
++ 
++ const struct uci_blob_param_list vxlan_data_attr_list = {
++--- a/system.h
+++++ b/system.h
++@@ -43,6 +43,8 @@ enum vxlan_data {
++ 	VXLAN_DATA_ATTR_MACADDR,
++ 	VXLAN_DATA_ATTR_RXCSUM,
++ 	VXLAN_DATA_ATTR_TXCSUM,
+++	VXLAN_DATA_ATTR_SRCPORTMIN,
+++	VXLAN_DATA_ATTR_SRCPORTMAX,
++ 	__VXLAN_DATA_ATTR_MAX
++ };
++ 
+diff --git a/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch b/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..3c60665354a52159566826bbedf59964077205d5
+--- /dev/null
++++ b/package/network/config/netifd/patches/0002-netifd-vxlan-refactor-mapping-of-boolean-attrs.patch
+@@ -0,0 +1,54 @@
++From 226566b967dc4ef4d83ed7844b8ad746f4306f8d Mon Sep 17 00:00:00 2001
++From: Johannes Kimmel <fff@bareminimum.eu>
++Date: Fri, 4 Sep 2020 04:59:41 +0200
++Subject: [PATCH 2/4] netifd: vxlan: refactor mapping of boolean attrs
++
++Add a small function to handle boolean options and make use of it to handle:
++  - rxcsum
++  - txcsum
++
++Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
++---
++ system-linux.c | 24 ++++++++++++++----------
++ 1 file changed, 14 insertions(+), 10 deletions(-)
++
++--- a/system-linux.c
+++++ b/system-linux.c
++@@ -2951,6 +2951,17 @@ failure:
++ #endif
++ 
++ #ifdef IFLA_VXLAN_MAX
+++static void system_vxlan_map_bool_attr(struct nl_msg *msg, struct blob_attr **tb_data, int attrtype, int vxlandatatype, bool invert) {
+++	struct blob_attr *cur;
+++	if ((cur = tb_data[vxlandatatype])) {
+++		bool val = blobmsg_get_bool(cur);
+++		if (invert) {
+++			val = !val;
+++		}
+++		nla_put_u8(msg, attrtype, val);
+++	}
+++}
+++
++ static int system_add_vxlan(const char *name, const unsigned int link, struct blob_attr **tb, bool v6)
++ {
++ 	struct blob_attr *tb_data[__VXLAN_DATA_ATTR_MAX];
++@@ -3088,16 +3099,9 @@ static int system_add_vxlan(const char *
++ 		nla_put(msg, IFLA_VXLAN_PORT_RANGE, sizeof(srcports), &srcports);
++ 	}
++ 
++-	if ((cur = tb_data[VXLAN_DATA_ATTR_RXCSUM])) {
++-		bool rxcsum = blobmsg_get_bool(cur);
++-		nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, !rxcsum);
++-	}
++-
++-	if ((cur = tb_data[VXLAN_DATA_ATTR_TXCSUM])) {
++-		bool txcsum = blobmsg_get_bool(cur);
++-		nla_put_u8(msg, IFLA_VXLAN_UDP_CSUM, txcsum);
++-		nla_put_u8(msg, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, !txcsum);
++-	}
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_CSUM, VXLAN_DATA_ATTR_TXCSUM, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, VXLAN_DATA_ATTR_RXCSUM, true);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, VXLAN_DATA_ATTR_TXCSUM, true);
++ 
++ 	if ((cur = tb[TUNNEL_ATTR_TOS])) {
++ 		char *str = blobmsg_get_string(cur);
+diff --git a/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch b/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..693e92b9f6b50f20d8fd220c196440d7bf894eb9
+--- /dev/null
++++ b/package/network/config/netifd/patches/0003-netifd-vxlan-add-most-missing-boolean-options.patch
+@@ -0,0 +1,93 @@
++From 11223f5550f7dd8faefb85441065b682be16e61f Mon Sep 17 00:00:00 2001
++From: Johannes Kimmel <fff@bareminimum.eu>
++Date: Fri, 4 Sep 2020 04:59:42 +0200
++Subject: [PATCH 3/4] netifd: vxlan: add most missing boolean options
++
++adds the folloing missing options:
++  - learning
++  - rsc
++  - proxy
++  - l2miss
++  - l3miss
++  - gbp
++
++See ip-link(3) for their meaning.
++
++still missing:
++  - external
++  - gpe
++
++I'm not sure how to handle them at the moment. It's unclear to me what
++IFLA_VXLAN_* value corresponds to the 'external' option and according to
++the manpage, gpe depends on it.
++
++Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
++---
++ system-linux.c | 16 +++++++++++++---
++ system.c       |  6 ++++++
++ system.h       |  6 ++++++
++ 3 files changed, 25 insertions(+), 3 deletions(-)
++
++--- a/system-linux.c
+++++ b/system-linux.c
++@@ -2955,10 +2955,14 @@ static void system_vxlan_map_bool_attr(s
++ 	struct blob_attr *cur;
++ 	if ((cur = tb_data[vxlandatatype])) {
++ 		bool val = blobmsg_get_bool(cur);
++-		if (invert) {
+++		if (invert)
++ 			val = !val;
++-		}
++-		nla_put_u8(msg, attrtype, val);
+++
+++		if ((attrtype == IFLA_VXLAN_GBP) && val)
+++			nla_put_flag(msg, attrtype);
+++		else 
+++			nla_put_u8(msg, attrtype, val);
+++
++ 	}
++ }
++ 
++@@ -3102,6 +3106,12 @@ static int system_add_vxlan(const char *
++ 	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_CSUM, VXLAN_DATA_ATTR_TXCSUM, false);
++ 	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_RX, VXLAN_DATA_ATTR_RXCSUM, true);
++ 	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_UDP_ZERO_CSUM6_TX, VXLAN_DATA_ATTR_TXCSUM, true);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_LEARNING, VXLAN_DATA_ATTR_LEARNING, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_RSC , VXLAN_DATA_ATTR_RSC, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_PROXY , VXLAN_DATA_ATTR_PROXY, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L2MISS , VXLAN_DATA_ATTR_L2MISS, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L3MISS , VXLAN_DATA_ATTR_L3MISS, false);
+++	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_GBP , VXLAN_DATA_ATTR_GBP, false);
++ 
++ 	if ((cur = tb[TUNNEL_ATTR_TOS])) {
++ 		char *str = blobmsg_get_string(cur);
++--- a/system.c
+++++ b/system.c
++@@ -40,6 +40,12 @@ static const struct blobmsg_policy vxlan
++ 	[VXLAN_DATA_ATTR_TXCSUM] = { .name = "txcsum", .type = BLOBMSG_TYPE_BOOL },
++ 	[VXLAN_DATA_ATTR_SRCPORTMIN] = { .name = "srcportmin", .type = BLOBMSG_TYPE_INT32 },
++ 	[VXLAN_DATA_ATTR_SRCPORTMAX] = { .name = "srcportmax", .type = BLOBMSG_TYPE_INT32 },
+++	[VXLAN_DATA_ATTR_LEARNING] = { .name = "learning", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_RSC] = { .name = "rsc", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_PROXY] = { .name = "proxy", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_L2MISS] = { .name = "l2miss", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_L3MISS] = { .name = "l3miss", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_GBP] = { .name = "gbp", .type = BLOBMSG_TYPE_BOOL },
++ };
++ 
++ const struct uci_blob_param_list vxlan_data_attr_list = {
++--- a/system.h
+++++ b/system.h
++@@ -45,6 +45,12 @@ enum vxlan_data {
++ 	VXLAN_DATA_ATTR_TXCSUM,
++ 	VXLAN_DATA_ATTR_SRCPORTMIN,
++ 	VXLAN_DATA_ATTR_SRCPORTMAX,
+++	VXLAN_DATA_ATTR_LEARNING,
+++	VXLAN_DATA_ATTR_RSC,
+++	VXLAN_DATA_ATTR_PROXY,
+++	VXLAN_DATA_ATTR_L2MISS,
+++	VXLAN_DATA_ATTR_L3MISS,
+++	VXLAN_DATA_ATTR_GBP,
++ 	__VXLAN_DATA_ATTR_MAX
++ };
++ 
+diff --git a/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch b/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..8a2b4424fe282492ecf64522ecf3d1b3ba106bbb
+--- /dev/null
++++ b/package/network/config/netifd/patches/0004-netifd-vxlan-add-aging-and-maxaddress-options.patch
+@@ -0,0 +1,56 @@
++From 55a7b6b7f2f773c06a79cb7359ffdab54ba32450 Mon Sep 17 00:00:00 2001
++From: Johannes Kimmel <fff@bareminimum.eu>
++Date: Fri, 4 Sep 2020 04:59:43 +0200
++Subject: [PATCH 4/4] netifd: vxlan: add aging and maxaddress options
++
++For both options the values can just be passed to the kernel. All
++unsigned values are accepted, thus no range checking required.
++
++Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
++---
++ system-linux.c | 10 ++++++++++
++ system.c       |  2 ++
++ system.h       |  2 ++
++ 3 files changed, 14 insertions(+)
++
++--- a/system-linux.c
+++++ b/system-linux.c
++@@ -3113,6 +3113,16 @@ static int system_add_vxlan(const char *
++ 	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_L3MISS , VXLAN_DATA_ATTR_L3MISS, false);
++ 	system_vxlan_map_bool_attr(msg, tb_data, IFLA_VXLAN_GBP , VXLAN_DATA_ATTR_GBP, false);
++ 
+++	if ((cur = tb_data[VXLAN_DATA_ATTR_AGEING])) {
+++		uint32_t ageing = blobmsg_get_u32(cur);
+++		nla_put_u32(msg, IFLA_VXLAN_AGEING, ageing);
+++	}
+++
+++	if ((cur = tb_data[VXLAN_DATA_ATTR_LIMIT])) {
+++		uint32_t maxaddress = blobmsg_get_u32(cur);
+++		nla_put_u32(msg, IFLA_VXLAN_LIMIT, maxaddress);
+++	}
+++
++ 	if ((cur = tb[TUNNEL_ATTR_TOS])) {
++ 		char *str = blobmsg_get_string(cur);
++ 		unsigned tos = 1;
++--- a/system.c
+++++ b/system.c
++@@ -46,6 +46,8 @@ static const struct blobmsg_policy vxlan
++ 	[VXLAN_DATA_ATTR_L2MISS] = { .name = "l2miss", .type = BLOBMSG_TYPE_BOOL },
++ 	[VXLAN_DATA_ATTR_L3MISS] = { .name = "l3miss", .type = BLOBMSG_TYPE_BOOL },
++ 	[VXLAN_DATA_ATTR_GBP] = { .name = "gbp", .type = BLOBMSG_TYPE_BOOL },
+++	[VXLAN_DATA_ATTR_AGEING] = { .name = "ageing", .type = BLOBMSG_TYPE_INT32 },
+++	[VXLAN_DATA_ATTR_LIMIT] = { .name = "maxaddress", .type = BLOBMSG_TYPE_INT32 },
++ };
++ 
++ const struct uci_blob_param_list vxlan_data_attr_list = {
++--- a/system.h
+++++ b/system.h
++@@ -51,6 +51,8 @@ enum vxlan_data {
++ 	VXLAN_DATA_ATTR_L2MISS,
++ 	VXLAN_DATA_ATTR_L3MISS,
++ 	VXLAN_DATA_ATTR_GBP,
+++	VXLAN_DATA_ATTR_AGEING,
+++	VXLAN_DATA_ATTR_LIMIT,
++ 	__VXLAN_DATA_ATTR_MAX
++ };
++ 

buildscript

@@ -13,31 +13,36 @@
 
 builddir=./build
 
-OPENWRTREV="v19.07.5"
-OPENWRTURL="https://git.openwrt.org/openwrt/openwrt.git"
-PACKAGEREV="2974079d3db786fe5da00c10f1d80e79b0112093" # openwrt-19.07.5
-PACKAGEURL="https://git.openwrt.org/feed/packages.git"
+# OpenWrt: openwrt-19.07.5
+OPENWRTREV="v19.07.6"
+PACKAGEREV="ce5a4eaea218111350e05ea86de8171344a70ce4"
+ROUTINGREV="02b4dbfcb7b8f8b566940847d22d5a6f229d2e66"
 
-## Feed definition [0]: name aka directory, [1]: url, [2]: revision, [3..n]: patches
+# Gluon packages: master from 2020-02-04
+GLUONREV="12e41d0ff07ec54bbd67a31ab50d12ca04f2238c"
+
+OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl micrond mtr bmon"
+ROUTING_PKGS="kmod-batman-adv batctl alfred babeld"
+GLUON_PKGS="simple-tc uradvd"
+
+OPENWRTURL="https://git.openwrt.org/openwrt/openwrt.git"
+
+## Feed definition [0]: name aka directory, [1]: url, [2]: revision
 
 #official openwrt packages
 OPENWRT=(openwrt
-         $PACKAGEURL
+         https://git.openwrt.org/feed/packages.git
          $PACKAGEREV)
-OPENWRT_PKGS="gpioctl-sysfs libugpio fastd haserl micrond mtr bmon"
 
-## Be careful: FFF uses COMPAT_VERSION 15 as default at the moment.
-## See http://www.open-mesh.org/projects/batman-adv/wiki/Compatversion
+#gluon packages
 GLUON=(gluon
-            https://github.com/freifunk-gluon/packages.git
-            12e41d0ff07ec54bbd67a31ab50d12ca04f2238c) # 2020-02-04
-GLUON_PKGS="simple-tc uradvd"
+       https://github.com/freifunk-gluon/packages.git
+       $GLUONREV)
 
 #official openwrt routing packages
 ROUTING=(routing
          https://git.openwrt.org/feed/routing.git
-         02b4dbfcb7b8f8b566940847d22d5a6f229d2e66) # openwrt-19.07.5
-ROUTING_PKGS="kmod-batman-adv batctl alfred babeld"
+         $ROUTINGREV)
 
 FFF=(fff)
 FFF_PKGS="-a"
@@ -230,7 +235,7 @@ build() {
 
     opath=$(pwd)
     cd "$builddir"
-    cpus=$(grep -c processor /proc/cpuinfo)
+    cpus=$(nproc)
 
     case "$1" in
         "debug")

src/packages/fff/fff-alfred-monitoring-proxy/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-alfred-monitoring-proxy
 PKG_RELEASE:=4
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-alfred-monitoring-proxy
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/fff-alfred-monitoring-proxy

src/packages/fff/fff-alfred/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-alfred
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-babeld/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-babeld
-PKG_RELEASE:=5
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-babeld
+PKG_RELEASE:=6
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-babeld/files/lib/functions/fff/babel

@@ -40,7 +40,7 @@ babel_add_peeraddr() {
 		# use ipaddr (without subnet) if no peer_ip set
 		uci add_list "$option"=$(echo $ipaddr | cut -d / -f1)
 	else
-		echo "FATAL: Neither peer_ip nor ipaddr set! No peering ipv4 set!"
+		echo "WARNING: Neither peer_ip nor ipaddr set! IPv4 routing is not possible."
 		return 1
 	fi
 

src/packages/fff/fff-batman-adv/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-batman-adv
 PKG_RELEASE:=4
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-boardname/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-boardname
 PKG_RELEASE:=8
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-config/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-config
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-dhcp/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-dhcp
 PKG_RELEASE:=4
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/fff-dhcp

src/packages/fff/fff-fastd/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-fastd
 PKG_RELEASE:=3
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-firewall/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=5
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_RELEASE:=6
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-firewall/files/etc/init.d/fff-firewall

@@ -4,14 +4,11 @@ START=50
 
 USE_PROCD=1
 
-SERVICE_WRITE_PID=1
-SERVICE_DAEMONIZE=1
-
 FIREWALL_DIR=/usr/lib/firewall.d
 
 service_triggers()
 {
-    procd_add_reload_trigger "fff-firewall"
+    procd_add_reload_trigger "fff-firewall" "network"
 }
 
 start_service()

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare

@@ -5,5 +5,7 @@ ebtables -X
 iptables -F
 iptables -X
 
+iptables -t nat -F
+
 ip6tables -F
 ip6tables -X

src/packages/fff/fff-hoods/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-hoods
-PKG_RELEASE:=17
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_RELEASE:=18
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -22,6 +20,7 @@ define Package/$(PKG_NAME)
 		+fff-web-hood \
 		+fff-wireless \
 		+jshn \
+		+owipcalc \
 		+@BUSYBOX_CONFIG_WGET \
 		+@BUSYBOX_CONFIG_FEATURE_WGET_TIMEOUT
 endef

src/packages/fff/fff-hoods/files/usr/sbin/configurehood

@@ -189,12 +189,13 @@ if [ -s "$hoodfiletmp" ]; then
 	json_get_var prefix ula_prefix
 	# Set $prefix::MAC as IP
 	if [ -n "$prefix" ] ; then
-		prefix="$(echo "$prefix" | sed -e 's,\\,,')"
-		mac="$(cat "/sys/class/net/br-client/address")"
-		addr="$(ipMacAssemble "$prefix" "$mac")"
-		addr="$(ipTidyColon "$addr")"
-		addr_eui="$(ipEUIAssemble "$prefix" "$mac")"
-		addr_eui="$(ipTidyColon "$addr_eui")"
+		# remove escape character
+		prefix=$(echo "$prefix" | sed -e 's,\\,,')
+		# create proper prefix
+		prefix=$(echo "$prefix" | sed -e 's,/,:/,')
+		mac=$(cat "/sys/class/net/br-client/address")
+		addr=$(owipcalc "$prefix" add "::$(ipMacSuffix "$mac")")
+		addr_eui=$(owipcalc "$prefix" add "::$(ipEUISuffix "$mac")")
 		for ip in $(ip -6 addr show dev br-client | grep inet6 | grep -v -e " $addr" -e " $addr_eui" -e " fe80::" -e " fdff::" | cut -f6 -d " "); do
 			ip -6 addr del "$ip" dev br-client
 		done

src/packages/fff/fff-hoodutils/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-hoodutils
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-layer3-config/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-layer3-config
-PKG_RELEASE:=2
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-layer3-config
+PKG_RELEASE:=4
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-layer3-config/files/etc/init.d/fff-layer3-update

@@ -0,0 +1,17 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+
+boot() {
+	# Reapply gateway settings, if configuration succeeds
+	if yes | configure-layer3 -c; then
+		configure-layer3 -a
+	else
+		configure-layer3 -r
+	fi
+
+	# first we disable the init.d
+	/etc/init.d/fff-layer3-update disable
+	# we must delete the symlink manually
+	rm -f /etc/rc.d/S99fff-layer3-update
+}

src/packages/fff/fff-layer3-config/files/usr/sbin/configure-layer3

@@ -66,15 +66,35 @@ revert_changes() {
 	exit 0
 }
 
+keep_changes() {
+	if [ -f "/tmp/configure-layer3-pid" ]; then
+		echo "Keep changes"
+		kill -9 $(cat /tmp/configure-layer3-pid)
+		rm /tmp/configure-layer3-pid
+		# We need exit because trap in test_changes() will not stop
+		# the script here and revert settings otherwise
+		exit
+	else
+		echo "configure-layer3 -t is not running"
+	fi
+}
+
 test_changes() {
+	echo $$ > /tmp/configure-layer3-pid
+	trap keep_changes SIGINT SIGTERM
+
 	reload_services
 
 	sleep 5
-	echo "Configuration reloaded. Changes will be reverted in 200s."
-	echo "Kill this script to keep changes."
-	sleep 200
-	echo "Reverting changes.."
 
+	echo "Configuration reloaded. Changes will be reverted in 200s."
+	echo "Kill this script or use configure-layer3 -k to keep changes."
+
+	sleep 200
+
+	echo "Reverting changes.."
+	# on revert we must delete the pid-file
+	rm /tmp/configure-layer3-pid
 	revert_changes
 	reload_services
 }
@@ -86,6 +106,7 @@ usage() {
 	echo "Options:"
 	echo "	-c: configure. No commit, no restart!"
 	echo "	-t: test changes. Restarts services, waits up to 200s for SIGINT"
+	echo "	-k: keep changes from test mode"
 	echo "	-a: apply changes"
 	echo "	-r: revert changes"
 }
@@ -98,6 +119,7 @@ fi
 case "$1" in
 	-c) configure ;;
 	-t) test_changes ;;
+	-k) keep_changes ;;
 	-a) apply_changes ;;
 	-r) revert_changes ;;
 	*) usage; exit 1 ;;

src/packages/fff/fff-layer3-ipv4snat/Makefile

@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-ipv4snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-ipv4snat
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken layer3 configuration with SNAT
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+iptables-mod-nat-extra \
+		+fff-firewall \
+		+fff-layer3-config
+
+endef
+
+define Package/fff-layer3-ipv4snat/description
+	With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-layer3-ipv4snat/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-ipv4snat))

src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf

@@ -0,0 +1,31 @@
+configure() {
+	# first we delete the snat config
+	uci del network.client.nat
+	if [ "$(uci -q get gateway.@client[0].nat)" = '1' ]; then
+
+		# first check the config is plausible
+		if ! peer_ip=$(uci get gateway.meta.peer_ip); then
+			echo "ERROR: No peer_ip set! For SNAT use you must set a peer_ip"
+			return 1
+		fi
+		if ! ipaddr=$(uci get gateway.@client[0].ipaddr); then
+			echo "ERROR: No ipaddr set! For SNAT use you must set ipaddr"
+			return 1
+		fi
+
+		# We set the snat config
+		uci set network.client.nat=1
+	fi
+}
+
+reload() {
+	/etc/init.d/fff-firewall start
+}
+
+apply() {
+	uci commit network
+}
+
+revert() {
+	uci revert network
+}

src/packages/fff/fff-layer3-ipv4snat/files/usr/lib/firewall.d/30-SNAT

@@ -0,0 +1,7 @@
+if [ "$(uci -q get gateway.@client[0].nat)" = '1' ]; then
+	peer_ip=$(uci get gateway.meta.peer_ip)
+	ipaddr=$(uci get gateway.@client[0].ipaddr)
+	for ip in $ipaddr; do
+		iptables -t nat -A POSTROUTING -s $ip -j SNAT --to-source $peer_ip
+	done
+fi

src/packages/fff/fff-layer3/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-layer3
-PKG_RELEASE:=7
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-layer3
+PKG_RELEASE:=8
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -17,8 +15,11 @@ define Package/fff-layer3
 	         +fff-boardname \
 	         +fff-dhcp \
 	         +fff-layer3-config \
+	         +fff-mqtt-monitoring \
+                 +fff-layer3-ipv4snat \
 	         +fff-network \
 	         +fff-ra \
+	         +fff-web-mqtt \
 	         +fff-wireguard \
 	         +arptables \
 	         +bmon \
@@ -26,6 +27,7 @@ define Package/fff-layer3
 	         +ebtables-utils \
 	         +kmod-ebtables-ipv4 \
 	         +kmod-ebtables-ipv6 \
+	         +kmod-sched-cake \
 	         +gre \
 	         +@PACKAGE_grev4 \
 	         +@PACKAGE_grev6 \

src/packages/fff/fff-mqtt-monitoring/Makefile

@@ -0,0 +1,35 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-mqtt-monitoring
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-mqtt-monitoring
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-mqtt-monitoring
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken mqtt configuration
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+alfred-json \
+		+fff-mqtt \
+		+micrond \
+		+fff-alfred
+endef
+
+define Package/fff-mqtt-monitoring/description
+	This package send monitoring informations to
+	the mqtt broker
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-mqtt-monitoring/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-mqtt-monitoring))

src/packages/fff/fff-mqtt-monitoring/files/usr/lib/micron.d/fff-alfred-mqtt-proxy

@@ -0,0 +1 @@
+*/5 * * * * sleep $(/usr/bin/random 0 29); /usr/sbin/alfred-mqtt-proxy

src/packages/fff/fff-mqtt-monitoring/files/usr/sbin/alfred-mqtt-proxy

@@ -0,0 +1,8 @@
+#!/bin/sh
+MACADDR=$(cat /sys/class/net/br-client/address | /bin/sed 's/://g')
+
+fetch_id="64"
+if [ -n "$(uci -q get fff.mqtt.server)" ] ; then
+	mosquitto_pub -h "$(uci get fff.mqtt.server)" -p 1883 -t /monitoring/v1/$MACADDR -m "$(/bin/alfred-json -r "$fetch_id")"
+fi
+

src/packages/fff/fff-mqtt/Makefile

@@ -0,0 +1,34 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-mqtt
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-mqtt
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-mqtt
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken mqtt configuration
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+fff-config \
+		+libmosquitto-ssl \
+		+mosquitto-client-ssl \
+		+mosquitto-ssl 
+endef
+
+define Package/fff-mqtt/description
+	This package provides mosquitto and settings
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-mqtt/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-mqtt))

src/packages/fff/fff-mqtt/files/etc/uci-defaults/35-fff-mqtt

@@ -0,0 +1,3 @@
+uci set fff.mqtt=mqtt
+
+exit 0

src/packages/fff/fff-network/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-network
-PKG_RELEASE:=26
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_RELEASE:=28
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -12,7 +10,10 @@ define Package/$(PKG_NAME)
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken network configuration
 	URL:=http://www.freifunk-franken.de
-	DEPENDS:=+fff-boardname +fff-firewall
+	DEPENDS:= \
+		+owipcalc \
+		+fff-boardname \
+		+fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description

src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf

@@ -6,11 +6,6 @@ net.ipv4.tcp_ecn=0
 net.ipv4.tcp_fin_timeout=30
 net.ipv4.tcp_keepalive_time=120
 net.ipv4.tcp_syncookies=1
-net.ipv4.netfilter.ip_conntrack_checksum=0
-net.ipv4.netfilter.ip_conntrack_max=16384
-net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
-net.ipv4.netfilter.ip_conntrack_udp_timeout=60
-net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
 net.core.netdev_max_backlog=30
 net.netfilter.nf_conntrack_checksum=0
 
@@ -26,11 +21,6 @@ net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
 
-# disable bridge firewalling by default
-net.bridge.bridge-nf-call-arptables=0
-net.bridge.bridge-nf-call-ip6tables=0
-net.bridge.bridge-nf-call-iptables=0
-
 net.ipv6.conf.default.accept_dad=0
 net.ipv6.conf.default.accept_ra=0
 net.ipv6.conf.default.accept_redirects=0
@@ -38,14 +28,10 @@ net.ipv6.conf.all.accept_dad=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.all.accept_redirects=0
 
-# Accept Router Preference in RA?
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.all.accept_ra_rtr_pref = 0
- 
 # Learn Prefix Information in Router Advertisement
 net.ipv6.conf.default.accept_ra_pinfo = 0
 net.ipv6.conf.all.accept_ra_pinfo = 0
- 
+
 # Setting controls whether the system will accept Hop Limit settings from a router advertisement
 net.ipv6.conf.default.accept_ra_defrtr = 0
 net.ipv6.conf.all.accept_ra_defrtr = 0

src/packages/fff/fff-network/files/lib/functions/fff/network

@@ -29,62 +29,6 @@ ipEUISuffix() {
 	return 0
 }
 
-ipAssemble() {
-	# Concatenates a prefix (1st argument) and a suffix (2nd argument) to a merged IPv6 address
-	# (The prefix has to bear the subnet: fdff::/64)
-	# (The prefix must only contain the higher 64 bits (correct: 0:0:0:0: or 0:: - wrong: 0:0:0:0::)
-
-	[ $# -ne "2" ] && return 1
-
-	local prefix=$1
-	local suffix=$2
-
-	echo "$prefix" | sed -e 's,/,'$suffix'/,'
-	return 0
-}
-
-ipMacAssemble() {
-	# Concatenates a prefix (1st argument) and a MAC-based suffix (MAC address as 2nd argument) to a merged IPv6 address
-	# (Details on prefix: Check ipAssemble(), details on suffix: Check ipMacSuffix())
-
-	[ $# -ne "2" ] && return 1
-
-	local prefix=$1
-	local mac=$2
-
-	suffix="$(ipMacSuffix "$mac")"
-	ipAssemble "$prefix" "$suffix"
-	return 0
-}
-
-ipEUIAssemble() {
-	# Concatenates a prefix (1st argument) and an EUI-based suffix (MAC address as 2nd argument) to a merged IPv6 address
-	# (Details on prefix: Check ipAssemble(), details on suffix: Check ipEUISuffix())
-
-	[ $# -ne "2" ] && return 1
-
-	local prefix=$1
-	local mac=$2
-
-	suffix="$(ipEUISuffix "$mac")"
-	ipAssemble "$prefix" "$suffix"
-	return 0
-}
-
-ipTidyColon() {
-	# Collapses zeros to :: to yield short but valid IPv6 addresses
-	#
-	# Argument: IPv6 address to be shortened
-
-	[ $# -ne "1" ] && return 1
-
-	local addr=$1
-
-	echo "$addr" | grep -q "::" || addr="$(echo "$addr" | sed -e 's,:[0:]*:,::,')"
-	echo "$addr"
-	return 0
-}
-
 macFlipLocalBit() {
 	# Returns given MAC-address with locally administered bit flipped
 	#

src/packages/fff/fff-network/files/usr/sbin/configurenetwork

@@ -195,9 +195,9 @@ else
         ip -6 addr del $ip dev br-client
     done
 
-    prefix="fdff:0::/64"
+    prefix="fdff::/64"
     # Set $prefix::MAC as IP
-    addr="$(ipMacAssemble "$prefix" "$ROUTERMAC")"
+    addr=$(owipcalc "$prefix" add "::$(ipMacSuffix "$ROUTERMAC")")
     ip -6 addr add $addr dev br-client
 
     uci -q del network.globals
@@ -207,12 +207,12 @@ else
     uci -q set network.client.proto=static
 
     # Set $prefix::1 as IP
-    addr="$(ipAssemble "$prefix" "1")"
+    addr=$(owipcalc "$prefix" add ::1)
     ip -6 addr add $addr dev br-client
     uci -q add_list network.client.ip6addr=$addr
 
     # Set $prefix::link-local as IP
-    addr="$(ipEUIAssemble "$prefix" "$ROUTERMAC")"
+    addr=$(owipcalc "$prefix" add "::$(ipEUISuffix "$ROUTERMAC")")
     ip -6 addr add $addr dev br-client
     uci -q add_list network.client.ip6addr=$addr
 

src/packages/fff/fff-node/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-node
 PKG_RELEASE:=3
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-node
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/fff-node

src/packages/fff/fff-nodewatcher/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-nodewatcher
 PKG_RELEASE:=60
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-ra/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-ra
-PKG_RELEASE:=2
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-ra
+PKG_RELEASE:=3
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -12,7 +10,7 @@ define Package/fff-ra
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken Router Advertisements
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+odhcpd
+	DEPENDS:=+odhcpd-ipv6only
 endef
 
 define Package/fff-ra/description

src/packages/fff/fff-random/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-random
-PKG_RELEASE:=2
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_RELEASE:=3
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-random/src/random.c

@@ -6,6 +6,36 @@
  */
 #include <stdio.h>
 #include <stdlib.h>
+#include <errno.h>
+
+static int parse_int(char *str) {
+        char *endptr = NULL;
+        errno = 0;
+        long val = strtol(str, &endptr, 10);
+
+        if (errno != 0) {
+                perror("strtol");
+                exit(EXIT_FAILURE);
+        }
+
+        if (endptr == str) {
+                fprintf(stderr, "No digits were found\n");
+                exit(EXIT_FAILURE);
+        }
+
+        if (*endptr != '\0') {
+                fprintf(stderr, "Further characters were found after number: \"%s\"\n", endptr);
+                exit(EXIT_FAILURE);
+        }
+
+        int retVal = (int) val;
+        if (val != retVal) {
+                fprintf(stderr, "Given number is out of range\n");
+                exit(EXIT_FAILURE);
+        }
+
+        return retVal;
+}
 
 int main(int argc, char **argv)
 {
@@ -22,8 +52,8 @@ int main(int argc, char **argv)
         }
         else if (argc == 3)
         {
-                from = atoi(argv[1]);
-                to = atoi(argv[2]);
+                from = parse_int(argv[1]);
+                to = parse_int(argv[2]);
         }
 
         diff = to - from;

src/packages/fff/fff-simple-tc/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-simple-tc
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-support/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-support
 PKG_RELEASE:=6
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-sysupgrade/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-sysupgrade
 PKG_RELEASE:=12
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-timeserver/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-timeserver
 PKG_RELEASE:=3
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-uradvd/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-uradvd
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-vpn-select/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-vpn-select
 PKG_RELEASE:=5
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff-web-hood/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-web-hood
 PKG_RELEASE:=2
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/fff-web-hood

src/packages/fff/fff-web-mqtt/Makefile

@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-web-mqtt
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-web-mqtt
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken mqtt config webui
+	URL:=http://www.freifunk-franken.de
+	DEPENDS:= \
+		+fff-mqtt \
+		+fff-web-ui
+endef
+
+define Package/fff-web-mqtt/description
+	Configure mqtt via a web UI
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-web-mqtt/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-web-mqtt))

src/packages/fff/fff-web-mqtt/files/www/menu/ssl/17-mqtt

@@ -0,0 +1 @@
+mqtt,MQTT-Einstellungen

src/packages/fff/fff-web-mqtt/files/www/ssl/cgi-bin/mqtt.html

@@ -0,0 +1,26 @@
+#!/usr/bin/haserl
+
+<%in /www/include/header %>
+<%in /www/include/helpers %>
+<% show_msg %>
+
+<%
+# write
+if [ "$REQUEST_METHOD" = "POST" ] ; then
+	uci -q set "fff.mqtt.server=${POST_server}"
+	uci commit fff
+fi
+%>
+
+<form method="post">
+
+<fieldset style="min-height: 7em;" class="smallinput"> 
+        <legend>MQTT</legend>
+	<table>
+		<tr><th>Server:</th><td><input type="text" name="server" value="<%= $(uci -q get fff.mqtt.server) %>" /></td></tr>
+	</table>
+</fieldset>
+<input type="submit" style="margin-top: 5px; margin-left: 3px;" />
+</form>
+
+<%in /www/include/footer %>

src/packages/fff/fff-web-ui/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-web-ui
-PKG_RELEASE:=16
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_RELEASE:=17
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-web-ui/files/www/ssl/cgi-bin/password.html

@@ -4,7 +4,7 @@
 # write
 if [ "$REQUEST_METHOD" = "POST" ] ; then
 	#check for special characters in password
-	regex='^[a-zA-Z0-9!#\$%\(\)\*\+,\.:;=\?@\^_-]+$'
+	regex='^[a-zA-Z0-9!#\$%\(\)\*\+,\.:;=\?@\^_&-]+$'
 	if [ "$POST_pass1" = "" ] ; then
 		MSG='<span class="red">Das Passwort darf nicht leer sein!</span>'
     elif ! echo -n "$POST_pass1" | egrep -q "$regex"; then   

src/packages/fff/fff-wireguard/Makefile

@@ -1,9 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-wireguard
-PKG_RELEASE:=4
-
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff-wireguard
+PKG_RELEASE:=5
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -12,9 +10,11 @@ define Package/fff-wireguard
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken wireguard
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+wireguard \
-			 +fff-network \
-			 +fff-babeld
+	DEPENDS:= \
+		+owipcalc \
+		+wireguard \
+		+fff-babeld \
+		+fff-network
 endef
 
 define Package/fff-wireguard/description

src/packages/fff/fff-wireguard/files/etc/layer3.d/50-wireguard

@@ -116,7 +116,7 @@ configure() {
 		uci -q del network.$prefixname.addresses
 
 		# add link local address
-		uci add_list network.$prefixname.addresses="$(ipEUIAssemble "fe80::/64" "$ROUTERMAC")"
+		uci add_list network.$prefixname.addresses="$(owipcalc "fe80::/64" add "::$(ipEUISuffix "$ROUTERMAC")")"
 
 		# add peer_ip
 		babel_add_peeraddr "network.$prefixname.addresses"

src/packages/fff/fff-wireless/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-wireless
 PKG_RELEASE:=20
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/$(PKG_NAME)

src/packages/fff/fff/Makefile

@@ -3,8 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=fff
 PKG_RELEASE:=8
 
-PKG_BUILD_DIR:=$(BUILD_DIR)/fff
-
 include $(INCLUDE_DIR)/package.mk
 
 define Package/fff-base