fff-layer-config: move fff to gateway

With this patch, the layer3 config is summearized in one place on /etc/config/gateway Signed-off-by: Christian Dresel <freifunk@dresel.systems>
treewide: set PKG_RELEASE automatically
2022-02-28 08:11:59 +01:00 · 2022-01-09 22:03:09 +01:00 · 2022-01-09 21:58:30 +01:00 · 2022-01-06 01:07:17 +01:00 · 2022-01-06 01:07:15 +01:00 · 2022-01-05 22:18:20 +01:00
48 changed files with 256 additions and 128 deletions
--- a/build_patches/openwrt/0020-mt7621-retain-old-compat_version.patch
+++ b/build_patches/openwrt/0020-mt7621-retain-old-compat_version.patch
@ -1,19 +0,0 @@
-From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
-Date: Sat, 23 Oct 2021 23:34:07 +0200
-Subject: [PATCH] mt7621: retain old compat_version
-
-diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk
-index a3bc14d59d..99887e8192 100644
--- a/target/linux/ramips/image/mt7621.mk
-+++ b/target/linux/ramips/image/mt7621.mk
-@@ -91,8 +91,7 @@ define Build/zytrx-header
- endef
- 
- define Device/dsa-migration
-  DEVICE_COMPAT_VERSION := 1.1
-  DEVICE_COMPAT_MESSAGE := Config cannot be migrated from swconfig to DSA
-+  DEVICE_COMPAT_VERSION := 1.0
- endef
- 
- define Device/adslr_g7
-
--- a/3
+++ b/3
@ -290,7 +290,8 @@ cp_firmware() {
            filename_build=${f##*/}
            filename_build=${filename_build//openwrt/fff-${version}}
            filename_build=${filename_build//squashfs-/}
-            filename_build=${filename_build//${chipset}-${subtarget}-/}
+            filename_build=${filename_build//${chipset}-/}
+            filename_build=${filename_build//${subtarget}-/}
            cp "$f" "$imagedestpath/$filename_build"
        done
    done
--- a/src/packages/fff/fff-alfred-monitoring-proxy/Makefile
+++ b/src/packages/fff/fff-alfred-monitoring-proxy/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-alfred-monitoring-proxy
-PKG_RELEASE:=5
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-alfred/Makefile
+++ b/src/packages/fff/fff-alfred/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-alfred
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-babeld/Makefile
+++ b/src/packages/fff/fff-babeld/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-babeld
-PKG_RELEASE:=8
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
+++ b/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
@ -38,10 +38,18 @@ babel_add_peeraddr() {
 		uci add_list "$option"="$peer_ip"
 	elif router_ip=$(uci -q get gateway.meta.router_ip); then
 		# use router_ip if no peer_ip is set
-		uci add_list "$option"="$router_ip"
+		ip=$router_ip
+
+		# use only first ip
+		ip=${ip%% *}
+
+		# remove CIDR mask
+		ip=${ip%%/*}
+
+		uci add_list "$option"="$ip"
 	elif ipaddr=$(uci -q get gateway.@client[0].ipaddr); then
 		# use client interface address (without subnet) if no router_ip is set
-		uci add_list "$option"=$(echo $ipaddr | cut -d / -f1)
+		uci add_list "$option"=${ipaddr%%/*}
 	else
 		echo "WARNING: No peer_ip, router_ip or client interface ipaddr set! IPv4 routing is not possible."
 		return 1
--- a/src/packages/fff/fff-batman-adv/Makefile
+++ b/src/packages/fff/fff-batman-adv/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-batman-adv
-PKG_RELEASE:=4
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-boardname/Makefile
+++ b/src/packages/fff/fff-boardname/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-boardname
-PKG_RELEASE:=8
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-config/Makefile
+++ b/src/packages/fff/fff-config/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-config
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-dhcp/Makefile
+++ b/src/packages/fff/fff-dhcp/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-dhcp
-PKG_RELEASE:=6
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-fastd/Makefile
+++ b/src/packages/fff/fff-fastd/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-fastd
-PKG_RELEASE:=3
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
+++ b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
@ -29,6 +29,7 @@ ln -s /tmp/fastd_fff_peers /etc/fastd/fff/peers
 echo "#!/bin/sh" > /etc/fastd/fff/up.sh
 echo "ip link set up dev fffVPN" >> /etc/fastd/fff/up.sh
 echo "batctl if add fffVPN" >> /etc/fastd/fff/up.sh
+echo "batctl hardif fffVPN hop_penalty 30" >> /etc/fastd/fff/up.sh
 chmod +x /etc/fastd/fff/up.sh

 exit 0
--- a/src/packages/fff/fff-fastd/files/usr/lib/vpn-select.d/fastd
+++ b/src/packages/fff/fff-fastd/files/usr/lib/vpn-select.d/fastd
@ -0,0 +1,34 @@
+protocol=fastd
+
+fastd_clear() {
+	rm /tmp/fastd_fff_peers/*
+}
+
+fastd_addpeer() {
+	[ -d /tmp/fastd_fff_peers ] || mkdir /tmp/fastd_fff_peers
+
+	# write fastd-config
+	json_get_var servername name
+	filename="/etc/fastd/fff/peers/$servername"
+	echo "#name \"${servername}\";" > "$filename"
+	json_get_var key key
+	echo "key \"${key}\";" >> "$filename"
+	json_get_var address address
+	json_get_var port port
+	echo "remote \"${address}\" port ${port};" >> "$filename"
+	echo "" >> "$filename"
+	echo "float yes;" >> "$filename"
+}
+
+fastd_start_stop() {
+	/etc/init.d/fastd reload # does nothing if fastd was not running
+
+	# fastd start/stop for various situations
+	# this is needed for first start and if fastd comes up or disappears in hoodfile
+	pidfile="/tmp/run/fastd.fff.pid"
+	if [ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ]; then
+		([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ]) || /etc/init.d/fastd start
+	else
+		([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ]) && /etc/init.d/fastd stop
+	fi
+}
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-firewall
-PKG_RELEASE:=8
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-clamp-mss
@ -1,2 +0,0 @@
-#solves MTU problem with bad ISPs
-iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@ -1,5 +0,0 @@
-# Limit ssh to 6 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
-/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
--- a/src/packages/fff/fff-hoods/Makefile
+++ b/src/packages/fff/fff-hoods/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-hoods
-PKG_RELEASE:=19
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-hoodutils/Makefile
+++ b/src/packages/fff/fff-hoodutils/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-hoodutils
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-layer3-config/Makefile
+++ b/src/packages/fff/fff-layer3-config/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-layer3-config
-PKG_RELEASE:=9
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-layer3-config/files/etc/layer3.d/10-meta
+++ b/src/packages/fff/fff-layer3-config/files/etc/layer3.d/10-meta
@ -1,36 +1,27 @@
 configure() {
 	## set hostname
-	if name=$(uci -q get fff.system.hostname); then
+	if name=$(uci -q get gateway.meta.hostname); then
 		uci -q set system.@system[0].hostname="$name"
 	else
 		echo "WARNING: No hostname set!"
 	fi

 	## set contact
-	if ! contact=$(uci -q get fff.system.contact); then
+	if ! contact=$(uci -q get gateway.meta.contact); then
 		echo "WARNING: No contact set!"
 	fi

 	## set location
-	if ! lat=$(uci -q get fff.system.latitude) || ! long=$(uci -q get fff.system.longitude); then
+	if ! lat=$(uci -q get gateway.meta.latitude) || ! long=$(uci -q get gateway.meta.longitude); then
 		echo "WARNING: No location set!"
 	fi
-
-	## hoodname
-	if hood=$(uci -q get fff.system.hoodname); then
-		uci -q set "system.@system[0].hood=$hood"
-	else
-		echo "WARNING: No hoodname set!"
-	fi
 }

 apply() {
 	uci commit system
-	uci commit fff
 	echo "$(uci get "system.@system[0].hostname")" > /proc/sys/kernel/hostname
 }

 revert() {
 	uci revert system
-	uci revert fff
 }
--- a/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client
+++ b/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client
@ -20,7 +20,7 @@ configure() {

 	# ip6addr
 	#remove old ip6addr
-	for ip in $(uci get network.client.ip6addr); do
+	for ip in $(uci -q get network.client.ip6addr); do
 		if echo "$ip" | grep -v -e "fdff:" -e "fe80::1/64" > /dev/null; then
 			uci del_list network.client.ip6addr="$ip"
 		fi
--- a/src/packages/fff/fff-layer3-snat/Makefile
+++ b/src/packages/fff/fff-layer3-snat/Makefile
@ -0,0 +1,31 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=$(COMMITCOUNT)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken layer3 configuration with SNAT
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+fff-firewall \
+		+fff-layer3-config \
+		+kmod-ipt-nat
+endef
+
+define Package/fff-layer3-snat/description
+	With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-layer3-snat/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))
--- a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
+++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
@ -0,0 +1,34 @@
+configure() {
+	# first we delete the snat config
+	uci -q del network.client.fff_snat
+	uci -q del network.client.fff_snat_sourceip
+	if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+		# first check the config is plausible
+		if ! routerip=$(uci -q get gateway.meta.router_ip); then
+			echo "ERROR: No router_ip set, which is required for SNAT!"
+			return 1
+		fi
+		if ! uci -q get gateway.@client[0].ipaddr >/dev/null; then
+			echo "ERROR: No ipaddr set, which is required for SNAT!"
+			return 1
+		fi
+
+		# keep only the first IP
+		routerip=${routerip%% *}
+		# keep only the IP without the CIDR
+		routerip=${routerip%%/*}
+
+		# We set the snat config
+		uci set network.client.fff_snat=1
+		uci set network.client.fff_snat_sourceip=$routerip
+	fi
+}
+
+apply() {
+	uci commit network
+}
+
+revert() {
+	uci revert network
+}
--- a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
+++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
@ -0,0 +1,4 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+	iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
+	iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-layer3
-PKG_RELEASE:=9
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

@ -15,6 +15,7 @@ define Package/fff-layer3
 	         +fff-boardname \
 	         +fff-dhcp \
 	         +fff-layer3-config \
+	         +fff-layer3-snat \
 	         +fff-mqtt-monitoring \
 	         +fff-network \
 	         +fff-ra \
--- a/src/packages/fff/fff-mqtt-monitoring/Makefile
+++ b/src/packages/fff/fff-mqtt-monitoring/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-mqtt-monitoring
-PKG_RELEASE:=1
+PKG_RELEASE:=$(COMMITCOUNT)

 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-mqtt-monitoring

--- a/src/packages/fff/fff-mqtt/Makefile
+++ b/src/packages/fff/fff-mqtt/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-mqtt
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-mqtt

--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-network
-PKG_RELEASE:=50
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-node/Makefile
+++ b/src/packages/fff/fff-node/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-node
-PKG_RELEASE:=3
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

@ -12,6 +12,7 @@ define Package/fff-node
 	URL:=https://www.freifunk-franken.de
 	DEPENDS:=+fff-batman-adv \
 	         +fff-fastd \
+	         +fff-vxlan-node-vpn \
 	         +fff-firewall \
 	         +fff-hoods \
 	         +fff-uradvd
--- a/src/packages/fff/fff-ra/Makefile
+++ b/src/packages/fff/fff-ra/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-ra
-PKG_RELEASE:=3
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-random/Makefile
+++ b/src/packages/fff/fff-random/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-random
-PKG_RELEASE:=3
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-simple-tc/Makefile
+++ b/src/packages/fff/fff-simple-tc/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-simple-tc
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-support/Makefile
+++ b/src/packages/fff/fff-support/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-support
-PKG_RELEASE:=9
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-sysupgrade/Makefile
+++ b/src/packages/fff/fff-sysupgrade/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-sysupgrade
-PKG_RELEASE:=13
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-timeserver/Makefile
+++ b/src/packages/fff/fff-timeserver/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-timeserver
-PKG_RELEASE:=3
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-uradvd/Makefile
+++ b/src/packages/fff/fff-uradvd/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-uradvd
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-vpn-select/Makefile
+++ b/src/packages/fff/fff-vpn-select/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-vpn-select
-PKG_RELEASE:=5
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
+++ b/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-select
@ -1,65 +1,45 @@
 #!/bin/sh

 # Usage: vpn-select <path-to-hood-file>
+# To add a new protocol, put a file with three functions to /usr/lib/vpn-select.d/ .
+# The file must start with protocol=name. It is most important to use the same name here and in hoodfile.
+# The old config can be cleared in function ${protocol}_clear(). It is called first once per installed protocol.
+# The function ${protocol}_addpeer() is called for every selected peer in hoodfile.
+# The function ${protocol}_start_stop() is called at the end once per installed protocol.

 . /usr/share/libubox/jshn.sh

 hoodfile="$1"

-make_config() {
-	# remove old config
-	rm /tmp/fastd_fff_peers/*
+# source functions
+for file in /usr/lib/vpn-select.d/*; do
+	[ -f $file ] && . "$file"
+	supported_protocols="$supported_protocols $protocol"
+done

-	# prepare
-	Index=1
+# clear old config
+for protocol in $supported_protocols; do
+	"${protocol}_clear"
+done
+
+# configure vpn
+
+if [ -n "$hoodfile" ] && [ -s "$hoodfile" ] ; then
 	json_load "$(cat "$hoodfile")"
+	json_select hood
+	json_get_var id id
+	json_select ".."
 	json_select vpn
-
-	# get fastd peers
-	while json_select "$Index" > /dev/null
-	do
+	json_get_keys vpn_keys
+	for key in $vpn_keys; do
+		json_select $key
 		json_get_var protocol protocol
-		if [ "$protocol" = "fastd" ]; then
-			# set up fastd
-			json_get_var servername name
-			filename="/etc/fastd/fff/peers/$servername"
-			echo "#name \"${servername}\";" > "$filename"
-			json_get_var key key
-			echo "key \"${key}\";" >> "$filename"
-			json_get_var address address
-			json_get_var port port
-			echo "remote \"${address}\" port ${port};" >> "$filename"
-			echo "" >> "$filename"
-			echo "float yes;" >> "$filename"
-		fi
+		"${protocol}_addpeer"
 		json_select ".." # back to vpn
-		Index=$(( Index + 1 ))
 	done
-	json_select ".." # back to root
-}
-
-# Only do something if file is there and not empty; otherwise exit 1
-if [ -s "$hoodfile" ]; then
-	if [ ! -d /tmp/fastd_fff_peers ]; then
-		# first run after reboot
-		mkdir /tmp/fastd_fff_peers
-		make_config
-		# start fastd only if there are some peers
-		[ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ] && /etc/init.d/fastd start
-	else
-		make_config
-		/etc/init.d/fastd reload
-
-		# fastd start/stop for various situations
-		pidfile="/tmp/run/fastd.fff.pid"
-		if [ "$(ls /etc/fastd/fff/peers/* 2>/dev/null)" ]; then
-			([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ]) || /etc/init.d/fastd start
-		else
-			([ -s "$pidfile" ] && [ -d "/proc/$(cat "$pidfile")" ]) && /etc/init.d/fastd stop
-		fi
-	fi
-	exit 0
-else
-	echo "vpn-select: Hood file not found or empty!"
-	exit 1
 fi
+
+# start/restart/stop vpnservices
+for protocol in $supported_protocols; do
+	"${protocol}_start_stop"
+done
--- a/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-stop
+++ b/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-stop
@ -1,5 +0,0 @@
-#!/bin/sh
-
-rm /tmp/fastd_fff_peers/*
-/etc/init.d/fastd stop
-
--- a/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-stop
+++ b/src/packages/fff/fff-vpn-select/files/usr/sbin/vpn-stop
@ -0,0 +1 @@
+vpn-select
--- a/src/packages/fff/fff-vxlan-node-vpn/Makefile
+++ b/src/packages/fff/fff-vxlan-node-vpn/Makefile
@ -0,0 +1,29 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-vxlan-node-vpn
+PKG_RELEASE:=$(COMMITCOUNT)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/$(PKG_NAME)
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken vxlan-node
+	URL:=http://www.freifunk-franken.de
+	DEPENDS:=+vxlan
+endef
+
+define Package/$(PKG_NAME)/description
+	This is the vxlan-node-vpn package for the Freifunk Franken Firmware
+	This will configure and set up the VPN via vxlan
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/$(PKG_NAME)/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))
--- a/src/packages/fff/fff-vxlan-node-vpn/files/etc/uci-defaults/53-vxlan-node
+++ b/src/packages/fff/fff-vxlan-node-vpn/files/etc/uci-defaults/53-vxlan-node
@ -0,0 +1,16 @@
+uci batch <<EOF
+ set network.vxlan0=interface
+ set network.vxlan0.proto=vxlan6
+ set network.vxlan0.port=8472
+ set network.vxlan0.ip6addr=auto
+ set network.vxlan0.srcportmin=8472
+ set network.vxlan0.srcportmax=8473
+ set network.vxlan0.ageing=30
+ set network.vxlan0.mtu=1422
+ set network.vxlan0.vid=0
+
+ set network.vxbat=interface
+ set network.vxbat.proto=batadv_hardif
+ set network.vxbat.master=bat0
+ set network.vxbat.ifname=vxlan0
+EOF
--- a/src/packages/fff/fff-vxlan-node-vpn/files/usr/lib/vpn-select.d/vxlan
+++ b/src/packages/fff/fff-vxlan-node-vpn/files/usr/lib/vpn-select.d/vxlan
@ -0,0 +1,27 @@
+protocol=vxlan
+
+vxlan_clear() {
+	while uci -q delete network.@vxlan_peer[0]; do :; done
+}
+
+vxlan_addpeer() {
+	uci set network.vxlan0.vid="$id"
+	json_get_var address address
+	address=$(ping6 -w1 -c1 "$address" | awk '/from/ {print substr($4, 1, length($4)-1); exit}')
+	[ -z $address ] && return ## address not reachable
+	uci add network vxlan_peer
+	uci set network.@vxlan_peer[-1].vxlan="vxlan0"
+	uci set network.@vxlan_peer[-1].dst="$address"
+}
+
+vxlan_start_stop() {
+	uci commit network
+	# reload_config will not add new peers. A ifup is needed
+	ifup vxlan0
+
+	# this workaround is cleaning up old fdb entries
+	# and can be removed if someday netifd will do that
+	bridge fdb show dev vxlan0 state permanent | while read mac dst ip rest ; do
+		grep -q "$ip" /etc/config/network || bridge fdb del $mac dev vxlan0 dst $ip
+	done
+}
--- a/src/packages/fff/fff-web-hood/Makefile
+++ b/src/packages/fff/fff-web-hood/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-web-hood
-PKG_RELEASE:=2
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-web-mqtt/Makefile
+++ b/src/packages/fff/fff-web-mqtt/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-web-mqtt
-PKG_RELEASE:=1
+PKG_RELEASE:=$(COMMITCOUNT)

 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)

--- a/src/packages/fff/fff-web-ui/Makefile
+++ b/src/packages/fff/fff-web-ui/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-web-ui
-PKG_RELEASE:=18
+PKG_RELEASE:=$(shell echo -n $$(( $(COMMITCOUNT) + 20 )))

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-wireguard/Makefile
+++ b/src/packages/fff/fff-wireguard/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-wireguard
-PKG_RELEASE:=8
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff-wireless/Makefile
+++ b/src/packages/fff/fff-wireless/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff-wireless
-PKG_RELEASE:=20
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk

--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=fff
-PKG_RELEASE:=9
+PKG_RELEASE:=$(COMMITCOUNT)

 include $(INCLUDE_DIR)/package.mk
Author	SHA1	Message	Date
Christian Dresel	18ba1e00fa	fff-layer-config: move fff to gateway With this patch, the layer3 config is summearized in one place on /etc/config/gateway Signed-off-by: Christian Dresel <freifunk@dresel.systems>	2022-02-28 08:11:59 +01:00
Adrian Schmutzler	27baecaf37	treewide: set PKG_RELEASE automatically COMMITCOUNT allows to have the PKG_RELEASE calculated automatically based on the number of commits for the package folder. AUTORELEASE will count the number of commits since the last upstream bump. This is relevant for packages with PKG_VERSION or PKG_SOURCE_DATE set, but will not work for us since it assumes the use of certain identifiers in commit titles. COMMITCOUNT works fine for most of our packages, with the following exceptions: * fff-nodewatcher would yield a commit count of 55, while the current PKG_RELEASE is 61. Thus, we do not touch it for now. * Packages that have been renamed will start counting from 1 after the rename, since folder renames are not tracked by git. This will result in descreasing PKG_RELEASE after the change for these packages. However, since moving essentially creates a new package anyway, counting from 1 makes sense conceptually, and PKG_RELEASE is still replaced for these packages. * alfred-json and fff-macnock use upstream code and thus would normally require AUTORELEASE. As discussed above, this will not work for us, so just leave these two untouched. Note that all this is quite irrelevant for the way we use packages currently, as without opkg PKG_RELEASE does not matter to us anyway. So, let's just be happy about not having to bump PKG_RELEASE anymore, while keeping the basic functionality intact. The only package where the PKG_RELEASE is actually used for something is fff-nodewatcher, where the version will be displayed in the Monitoring. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> [fabian@blaese.de: rebase, add new packages] Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de> Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>	2022-01-09 22:03:09 +01:00
Christian Dresel	825d760bd8	Add package fff-layer3-snat With this new package it is possible to do SNAT for client IPv4. The user must set a router_ip in gateway.meta.router_ip, so an ip address is available for peering interfaces and reachability. Currently, no extra filtering is done, so the client interface should only use ip ranges, which are already filtered from being announced (e.g. 192.168.0.0/16). Using NAT for IPv4 significantly reduces the need for big Freifunk-global IP range allocations. Signed-off-by: Christian Dresel <freifunk@dresel.systems> Co-authored-by: Fabian Bläse <fabian@blaese.de> Signed-off-by: Fabian Bläse <fabian@blaese.de> Tested-by: Christian Dresel <freifunk@dresel.systems>	2022-01-09 21:58:30 +01:00
Fabian Bläse	51ec3648cf	fff-babeld: Simplify CIDR mask removal The removal of CIDR masks from ip addresses is changed to utilize variable substitutions, which simplifies the expression. Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>	2022-01-06 01:07:17 +01:00
Fabian Bläse	8ef6dba5a1	fff-babeld: Only select first list entry from router_ip The router_ip option can be a list of multiple ip addresses. It is also possible to specify a subnet using a CIDR mask. Only a single ip is required for peering interfaces, so select only the first list entry and remove the CIDR mask. Fixes: #197 Signed-off-by: Fabian Bläse <fabian@blaese.de>	2022-01-06 01:07:15 +01:00
Robert Langhammer	a6b90f1a83	vxlan-node-vpn: add initial vid Without a vid, netifd is running in an ifup-loop. This situation is comming up after firstboot. An existing hoodfile causes a set vid. Signed-off-by: Robert Langhammer <rlanghammer@web.de> Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>	2022-01-05 22:18:20 +01:00
Robert Langhammer	085dbb64fe	fff-fastd: Add batman hardif hop_penalty Openwrt v21.02.0 contains a new Batman Adv that now offers hop_penalty per hardif. We can use this to prefer one tunnel for outgoing traffic if there are several VPNs. Eg. fastd and vxlan. This Patch sets the hop_penalty for the fastd tunnel to 30. Signed-off-by: Robert Langhammer <rlanghammer@web.de> Acked-by: Fabian Bläse <fabian@blaese.de>	2021-12-30 16:21:47 +01:00
Robert Langhammer	12f60419cd	fff-node: Add package fff-vxlan-node-vpn This package adds vxlan support to the node variant and configures the vxlan-vpn tunnels to the gateways. Signed-off-by: Robert Langhammer <rlanghammer@web.de> Acked-by: Fabian Bläse <fabian@blaese.de> --- A vpn section for vxlan in hoodfile: "vpn": [ { "name": "gatewayname", "protocol": "vxlan", "address": "gateway.url" (or IP) } "name" is optional. ---	2021-12-30 16:21:37 +01:00
Robert Langhammer	1febd2a9b2	fff-vpn-select: Make vpn-select modular This rewrite makes vpn-select modular to easely add new vpn-protocols. The stuff dependent on the vpn-protocol is outsourced to files in /usr/lib/vpn-select.d/ and comes in with the respective vpn package. In this way it is easy to select or deselect vpnprotocols to be build in. vpn-stop is removed to use the protocol independent start/stop mechanism of vpn-select. Instead, a symlink is used. Signed-off-by: Robert Langhammer <rlanghammer@web.de> Reviewed-by: Fabian Bläse <fabian@blaese.de>	2021-12-30 16:21:29 +01:00
Johannes Kimmel	feeead6c43	fff-firewall: remove obsolete rules 20-clamp-mss: Clamping is done in other parts of the network and to a very low static value. This rules is very likely doing nothing at the moment. 20-filter-ssh: These rules make use of the conntrack module to ratelimit incoming connections. Using conntrack comes with a performance penalty for all traffic. As an alternative, dropbear could be run behind an inetd(-like) service that does the ratelimit, should removing this rule result in an actual attack vector. Removing both rules would enable us to unload the conntrack module all together, potentially improving overall performance. Fixes #183 Signed-off-by: Johannes Kimmel <fff@bareminimum.eu> Acked-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>	2021-12-30 16:02:02 +01:00
Johannes Kimmel	9d745d0d5c	fff-layer3-config: add missing -q option for uci get Suppresses the unhelpful "uci: Entry not found" message when running configure-layer3 -c in case there is no `ip6addr` set on the client interface. Signed-off-by: Johannes Kimmel <fff@bareminimum.eu> Reviewed-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>	2021-12-30 16:01:44 +01:00
Fabian Bläse	7c3f3230ff	buildscript: Split removal of chipset and subtarget Some OpenWrt targets do not have subtargets. The filename only contains the chipset in that case. Split the removal of chipset and subtarget into multiple expressions, so the removal of the chipset works on targets without subtargets as well. Fixes: #187 Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>	2021-12-30 16:01:36 +01:00
Fabian Bläse	a3d62c7fcc	Revert "Retain old compat_version for sysupgrade compatibility" This reverts commit `de9d4abf44`. As the compat_version has been bumped with the last release, this hack can be removed, because the compat_version now is in sync with upstream. Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>	2021-12-30 16:01:12 +01:00