Dropbear supports ed25519 keys since OpenWrt 21.02.
Also, ecdsa is supported since v19.07, but disabled in our firmware.
Keep the generated ed25519 and ecdsa host key accross upgrades.
While at it, remove dss host keys, as they are not supported anymore.
5eb7864aadd5 ("dropbear: rewrite init script startup logic to handle both host key files")
8a7a93947004 ("dropbear: remove generation and configuration of DSS keys")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Because wireguard is part of the Linux kernel starting with version 5.6,
the wireguard packages have been renamed upstream.
Update our dependencies to match this.
This fixes build for the layer3 variant.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[add fix comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
OpenWrt 21.02 has switched all MT7621 devices to DSA. Since we
do not support network config in this case, disable all these
devices by commenting out their image selectors.
Note that this will still build them, and only prevent having the
images in our dedicated folder.
If support is reestablished, this patch simply needs to be
reverted.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
OpenWrt 21.02 only uses ath79, ar71xx has been dropped. However,
in ath79 the TP-Link CPE210 v1 and CPE510 v1 are implemented as
two-port devices. We currently do not support that in our firmware.
Thus, disable both devices by commenting out their image selectors.
Note that this will still build them, and only prevent having the
images in our dedicated folder.
If support is reestablished, this patch simply needs to be
reverted.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The subtarget has been renamed upstream, so let's just update our
stuff.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The Bullet M (XM) was sold with two different SoCs, AR7241 and
AR7240, which cannot be served by one DTS. This implements both
versions as done in OpenWrt.
Note that those variants may not be distinguished from the outside.
The AR7241 version appears to be the more recent and more abundant
version.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
These hacks have been removed in OpenWrt commit 1e27befe63ff ("mac80211:
remove ath10k_pci memory hacks").
However, since we still use mainline ath10k, we will need them.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
This effectively reverts upstream commit e79df3516d3e ("build: add
libustream and certs to default pkgs").
The libustream-wolfssl library conflicts with the libustream-mbedtls
we are selecting in fff-web-ui and is probably much bigger.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
In the latest release, OpenWrt provides the label MAC address for
many devices. All of our devices should be covered.
In can be retrieved by the function
get_mac_label
from /lib/functions/system.sh
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Some devices were renamed since the last stable release.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Bump core, packages and routing.
Refresh patches, remove upstreamed ones.
The patch "Add batman-adv patch to remove gw mode switch message" is
removed since batman-adv dropped the sysfs entirely. There was no
obvious replacement for the debug output, so this is dropped until
the problem is found again with a different source (which may never
happen).
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The SPDX license identifier provides a standardized way for specifying
licenses that is both human- and machine-readable. It is used upstream
both in OpenWrt and the Linux kernel.
Replace licenses in our repository by those identifiers.
The full-text licenses corresponding to these identifiers are
provided in the LICENSES folder.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
We do not use any *.tpl files anymore, so remove the routine for
installing them.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
So far, we remove the old and copy a fresh new OpenWrt directory
into the build directory on prepare. There is no need to do this,
as OpenWrt/Make is capable of detecting changes and we do properly
update the feeds and patches already.
So, just clone the OpenWrt main repo into builddir directly, and
just checkout/apply patches during prepare.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Bump main repo, packages and routing.
Refresh patches, drop patch applied to mt76.
Relevant changes are mostly security fixes for netifd and odhcp6c
and bug fixes for dnsmasq.
More information:
https://openwrt.org/releases/19.07/notes-19.07.7
This also includes two non-trivial fixes to alfred (openwrt-routing):
97e760095578 ("alfred: Fix procd process handling for disable state")
369908cb0a0e ("alfred: Start up alfred without valid interfaces")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
This adds an option 'disabled' that will allow to disable
nodewatcher when desired.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
This package is the owner of the config file, so add it to the
Makefile. This will have vanilla OpenWrt copy it during upgrade.
Since we disable this mechanism, it will not change anything for
our standard firmware. But it will improve the situation if this
package is used in vanilla OpenWrt.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
If /etc/config/nodewatcher already exists, a proper uci-defaults
script should not overwrite it. Since this package is the owner
of the config file, this change won't change anything for the
current firmware, but will allow to use this as a package, too.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The uci-defaults scripts are meant to provide defaults for a
specific package. Distributing them across several packages makes
no sense and just makes maintainance worse.
Thus, move the network part of the initialization back to the
proper package. While at it, suppress output from add commands.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With commit [1] the ipv4 firewall on wan interface was removed.
This patch adds the ssh connection limit for ipv4.
IPv6 is already limited.
[1] 52e15e072c ("fff-firewall: Remove ssh firewall on WAN interface")
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
[improve commit reference]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The dynamic completion of the variants is broken since 1946aaca87
("fff: create proper package variants instead of copying file").
This hardcodes the available variants. They won't change often.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
[add more verbose commit reference]
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Removes the firewall ebtables entry.
alfred-monitoring-proxy is only useful in layer3 variant, where no
ebtables rules are set.
With this typo the ebtables command was never active and the
resulting error was never shown.
Fixes: 9b5d3f1aeb ("fff-alfred-monitoring-proxy: add package")
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
[fix typos in message, add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In '/etc/network.ubnt,unifiac-mesh', we include a file that does
not exist on ath79 anymore. This causes the script execution to
abort and will have configurenetwork not run at all, making the
device quite inaccessible.
Remove the include as it never had any use anyway. Remove another
unused include as well, and add the proper dependency instead.
This fix was first proposed more than 2.5 years ago.
Fixes: #130 (gitea)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The "available" amount of memory is helpful for several forensic
and debugging cases. Send it via alfred.
Monitoring support has already been implemented.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Source address filtering (RFC3704) can be used to mitigate source
address spoofing. However, strict mode only works when routes are
strictly symmetric. If routes are asymmetric, it can happen that
the best route to the source address of a packet is via a different
interface.
Because there is no guarantee that routes have to be symmetric in the
Freifunk Franken backbone network, we cannot use strict mode. Because
default routes are used in the Freifunk Franken backone, loose mode
could be used, but does not make any sense. Instead, revert back to the
kernel default setting, which currently is 0 (disabled).
While this change affects both layer3 and node variant, nothing changes
for the node firmware, because it does not forward packets.
Fixes: #123
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Previously, an additional wan6 interface for SLAAC has been added, which
references the wan interface for its interface.
However, OpenWrt waits until the wan interface is completely up, until
it tries to start up interfaces that depend on it.
This not only can delay the configuration of IPv6 addresses
significantly, but also makes configuration of the wan6 interface
impossible in WAN networks with out a DHCP server.
To solve this issue, a separate interface wan4 for dhcp, which also
reference the wan interface, is created and the proto of wan is set to
none.
Fixes: #114
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Migration from ar71xx to ath79 included changes to the ethernet/switch
driver for the target. This introduced a peculiar issue where
eth0 and eth1 are swapped for several devices. Most of the relevant
cases were already covered in 1cf4d762ff ("treewide: move devices
from ar71xx to ath79").
This switch also affects the Nanostation M, where the PoE-in port
is now eth1 und the PoE-out port is eth0. However, no action was
taken in the referenced patch, as nobody was aware of it then.
Since the Nanostation M is a two-port device, which we cannot
implement properly so far, it was implemented as a one-port with
the "primary" PoE-in port so far. This was broken by the ath79
introduction and is now fixed in this patch by using the one-port
setup on eth1. That way, the PoE-in port can now be switched by
ETHMODE as usual again.
Note that custom scripts, e.g. to set up the second port, need to
be adjusted manually, as that one is eth0 now.
Fixes: 1cf4d762ff ("treewide: move devices from ar71xx to ath79")
Fixes: #109 (gitea)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
We use the one-port implementation also on two-ports like the
Nanostation M. Therefore, hard-coding eth0 in configurenetwork
will break if the port implemented for the one-port setup
(SWITCHDEV/WANDEV) is not eth0.
Just use SWITCHDEV instead, like done for the rest of the one-port
setup.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Previously, we have added a passwd function to our shell which executes
passwd and restarts uhttpd afterwards, so the WebUI password is updated.
This adds the ability to still pass command-line arguments to passwd.
The quoting of the shell variable $@ is special:
"$@" expands to "$1" "$2" .., so its use is correct here.
Fixes: #117
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Some time ago, the firmware created a directory for each target
and built OpenWrt separately there. In this situation, it made
sense to download files only once and share them between these
build directories.
However, since we nowadays only have one build directory for all
targets, this makes no sense anymore. Remove the link.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
When creating a new uci section, the safest way to refer to it is
with index '-1'. While it (probably) does not make a functional
difference for our specific case, since we expect to only have one
section anyway, let's just make sure and use the proper indexing.
While at it, suppress output from the 'add' command.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
So far, we ensure the selection of a specific variant by copying
included Make files. This not only breaks if the packages are used
as a feed, but also is against the concept of how packages are used.
In this patch, the fff package is converted into a set of variants
that allow selection via a FFF_VARIANT variable that is exported by
buildscript. If no export happens, e.g. when using packages in a
feed, no package is selected.
Since the names fff-node and fff-layer3 are not available anymore,
the packages for the variants are called (though irrelevant for
the user):
* fff-variant-layer3
* fff-variant-node
The only drawback is that we now have to specify the list of
available variants in the buildscript. However, these values are
hardcoded in several other places as well, and the former code
based on file names was not really appealing anyway.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Allow setting WAN vlan/interface from gateway config.
A configuration without explicit definition of a WAN interface is
valid at the moment and results in the default configuration from
fff-network being used.
Originally, it was intended to automatically set WAN to vlan 2, if nothing was
specified. As this would break devices, which don't use swconfig for
WAN, the already configured WAN interface is left untouched.
Fixes: #85 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Instead of exposing the CPUPORT variable to the calling script
directly, wrap it into a function which can be called there.
Fixes: #52 (gitea)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
So far, we define PORTORDER individually in each network.* file.
This creates a lot of duplications, and makes the code to parse those
values very ugly (and it's only used outside of configurenetwork
anyway).
Therefore, move the assignment to a library file, and wrap it into
a function for tidyness. This gives us more overview and nicer
implementation of the retrieval.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With 8d66bdf the port configuration of TP-Link Archer C7 has been
changed to a single-interface configuration.
This had unforseen side effects on upgraded devices. Because WANDEV
is evaluated from the updated network.* file, the port configuration
of the switch is evaluated from the update-safe network.config, which
is now incompatible with the updated interface configuration.
Therefore, a migration script has to be added, which updates the port
configuration in network.config to the new single-interface network
configuration.
Fixes: #60 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
In earlier firmware versions the prefix had to be written
in an incorrect syntax (missing a trailing colon).
To make hoodfiles with this old incorrect syntax work with
newer firmware versions like this one, we have to fix the
incorrect syntax. Both the old, incorrect and the correct
syntax work with this fix, so in the far away future, the
correct syntax can be used in hoodfiles.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This reverts commit e5da228cb1.
With the patch there can be situations with just "*" in traceroute,
breaking MTU in wireguard. If R1 with IPv6 address from provider P1
is connected to Freifunk via wireguard, and another R2 with address
from provider P2 is behind it, then R1 won't answer to traceroutes
sent from R2.
Revert the patch for now.
Fixes: #66 (gitea)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
PKG_BUILD_DIR has the following default values set in include/package.mk,
in case no BUILD_VARIANT is set:
With PKG_VERSION set: $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
Without PKG_VERSION: $(BUILD_DIR)/$(PKG_NAME)
Consequently, all PKG_BUILD_DIR definitions in our packages are
redundant. Remove them.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
We do not use the IPv4 functionality of odhcpd, but use dnsmasq
for that. Use odhcpd-ipv6only instead.
This is also the default for OpenWrt.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Other than atoi, strtol allows to detect parsing errors.
Therefore atoi is replaced with strtol and appropriate error
checks are added.
Fixes: #33 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
If the password is changed via SSH, the web UI still
used the old password until uhttpd is restart.
Fix it by forcing uhttpd restart when passwd is called.
Fixes: #11 (gitea)
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
[add commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The owipcalc tool provides an "add" algorithm which can be used
to concateneted IPv6 addresses from prefix and suffix.
Since it's available upstream and our string manipulation is ugly,
let's replace our IP concatenation with that tool. The package
consists of a single .c file with about 1000 lines resulting in
about 4 kB for the ipk package.
This patch does _not_ introduce any conceptual changes yet. Thus,
the "wrong" IPv6 prefix from KeyXchange will be expected in the
same format, it is just healed for the new code for now.
The change allows to get rid of some bloat, i.e. some quite trivial
custom functions on the way. This also drops the ipTidyColon()
function, as owipcalc seems to return the collapsed version by default.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The variables SERVICE_WRITE_PID and SERVICE_DAEMONIZE are not used by
procd, so they are removed.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The configuration of our firewall depends on the network configuration.
Most importantly, the firewall has to be restarted, if the WAN-interface
is changed.
Therefore, a procd reload trigger is added to the init-script, so our
firewall is automatically restarted, when the network configuration is
changed.
Fixes: #46 (gitea)
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
[fabian@blaese.de: Remove unrelated changes]
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Some sysctls currently are completely useless, as they only exist if
specific kernel configurations are enabled, which we have not.
To hide the error message and prevent them from interfering
unintentionally, if new kernel configurations are activated in the
future, they are removed.
Fixes: #42 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
The net.ipv4.netfilter.ip* sysctls have been moved to
net.netfilter.nf* a long time ago, so they have been useless in our
firmware for quite a while.
It probably originally has been added because it was included in the
OpenWrt defaults and in earlier versions of our firmware the OpenWrt
defaults file got overwritten by our own one.
Because there does not seem to be any obvious reason to keep them (they
have been added without a comment in the commit or file) and they have
been inactive ever since they were moved in the kernel, they are removed
completely instead of using the correct path.
Fixes: #42 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Bump main repo and packages. (No changes for routing.)
Refresh patches (no diff returned).
This is a small release containing mostly kernel and package updates
and security fixes.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
vxlan support in 19.07.5 is very limited.
This set of patches adds
- more flexible source ip selection
- control over most options
- multiple remote endpoint configuration
List of patches backported:
- 5222aadbf3 vxlan: remove mandatory peeraddr
- 65e9de3c33 vxlan: add capability for multiple fdb entries
- 036221ce5a vxlan: add extra config options
- ad3044c424 vxlan: fix rsc config option
- 3f5619f259 vxlan: allow for dynamic source ip selection (FS#3426)
- a3c033e2af netifd: vxlan: handle srcport range
- 226566b967 netifd: vxlan: refactor mapping of boolean attrs
- 11223f5550 netifd: vxlan: add most missing boolean options
- 55a7b6b7f2 netifd: vxlan: add aging and maxaddress options
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[refresh patches and remove some bloat]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Fabian Bläse
Adrian Schmutzler
Robert Langhammer
Johannes Kimmel