This adds snmp-utils support to facilitate testing future uses for s2nproxy
WIP/RFC for s2nproxy:
freifunk-franken/firmware#194
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The OOM killer does not make much sense on a router, because regardless
of which process is killed, most of the time some essential core
functionality is affected.
Set the panic on OOM sysctl, so every OOM leads to a kernel panic and
results in a reboot of the router, which restores a clean state.
Fixes: #131
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Previously, some interfaces in the client ifname list have been kept.
The actual reason for this is unknown, it might have been used for the
bat0 interfaces.
Filtering the interface list in this way might lead to interfaces being
retained unintentionally, especially with the diverse naming of DSA
interfaces.
As it is not required anymore, remove the retention of some interfaces
completely.
Fixes: #207
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The base network configuration has been completely migrated to
uci-defaults scripts and any existing network configuration is dropped.
Therefore, the hardcoded /etc/config/network configuration file is not
required anymore. Remove it.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With the recent rework of the network configuration, any existing
configuration is dropped in a uci-defaults script (22-network-base) and
generated from scratch. When rebasing this rather old patchset, the
packet_steering option was overlooked, so it is missing now.
Restore the removed packet_steering option by setting it using a
dedicated uci-defaults script.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With a recent patchset the initial boot process of the fff-network
package has been significantly altered. The base network configuration
is now generated by a uci-defaults script which completely drops
any existing network configuration first (22-network-base).
Reorder some uci-defaults scripts which extend the base network
configuration with layer3-specific rules, so they are executed after
22-network-base.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Most of the configuration done in configurenetwork is static and does
not change after the first boot. Move this static configuration into a
uci-defaults script, which is only executed on first boot.
Configuration which might be changed at runtime (e.g. port assignment),
is kept in the configurenetwork script.
To improve readability and speed, combine multiple uci commands into a
uci batch. Drop any existing network configuration before applying our
own configuration. This requires the network.globals section to be
created explicitly. Also, the fdff:: addresses, ETHMESHMAC and ROUTERMAC
can be set unconditionally, as the uci-defaults script is only executed
once. Other than that, the static configuration has not been altered.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The explicit restat of fff-uradvd is not necessary anymore, as
appropriate procd reload triggers have been added, and reload_config is
executed after every run of configurenetwork.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Instead of both setting values in the uci configuration and applying
them manually, only set the values in the uci configuration and do a
combined reload_config afterward.
This not only ensures that the changes to the configuration are actually
correct, but also decreases the runtime of configurenetwork.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
fff-uradvd depends on values stored in the uci network config.
Therefore, a reload is required if the uci network config is modified.
As fff-uradvd does not support reloads, and possibly changing values are
given as command parameters, do a restart on procd reload.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Bump core, packages and routing.
Remove upstreamed build patches.
Remove ath10k memory hack and use the newly added ath10k-smallbuffers
variant instead, but only for devices which actually require it
(and therefore use ath10k-ct-smallbuffers by default).
Adjust for the newly introduced band option for wireless devices, which
is now emitted by OpenWrt by default.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
COMMITCOUNT allows to have the PKG_RELEASE calculated automatically
based on the number of commits for the package folder.
AUTORELEASE will count the number of commits since the last upstream
bump. This is relevant for packages with PKG_VERSION or
PKG_SOURCE_DATE set, but will not work for us since it assumes the
use of certain identifiers in commit titles.
COMMITCOUNT works fine for most of our packages, with the following
exceptions:
* fff-nodewatcher would yield a commit count of 55, while the
current PKG_RELEASE is 61. Thus, we do not touch it for now.
* Packages that have been renamed will start counting from 1 after
the rename, since folder renames are not tracked by git. This
will result in descreasing PKG_RELEASE after the change for
these packages.
However, since moving essentially creates a new package anyway,
counting from 1 makes sense conceptually, and PKG_RELEASE is
still replaced for these packages.
* alfred-json and fff-macnock use upstream code and thus would
normally require AUTORELEASE. As discussed above, this will
not work for us, so just leave these two untouched.
Note that all this is quite irrelevant for the way we use packages
currently, as without opkg PKG_RELEASE does not matter to us anyway.
So, let's just be happy about not having to bump PKG_RELEASE
anymore, while keeping the basic functionality intact.
The only package where the PKG_RELEASE is actually used for
something is fff-nodewatcher, where the version will be displayed
in the Monitoring.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[fabian@blaese.de: rebase, add new packages]
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
With this new package it is possible to do SNAT for client IPv4.
The user must set a router_ip in gateway.meta.router_ip, so an ip
address is available for peering interfaces and reachability.
Currently, no extra filtering is done, so the client interface should
only use ip ranges, which are already filtered from being announced
(e.g. 192.168.0.0/16).
Using NAT for IPv4 significantly reduces the need for big
Freifunk-global IP range allocations.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Co-authored-by: Fabian Bläse <fabian@blaese.de>
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Christian Dresel <freifunk@dresel.systems>
The removal of CIDR masks from ip addresses is changed to utilize
variable substitutions, which simplifies the expression.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The router_ip option can be a list of multiple ip addresses. It is also
possible to specify a subnet using a CIDR mask.
Only a single ip is required for peering interfaces, so select only the
first list entry and remove the CIDR mask.
Fixes: #197
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Without a vid, netifd is running in an ifup-loop.
This situation is comming up after firstboot. An existing hoodfile causes a set vid.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Openwrt v21.02.0 contains a new Batman Adv that now offers hop_penalty per hardif.
We can use this to prefer one tunnel for outgoing traffic if there are several VPNs. Eg. fastd and vxlan.
This Patch sets the hop_penalty for the fastd tunnel to 30.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package adds vxlan support to the node variant and configures the vxlan-vpn tunnels to the gateways.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
---
A vpn section for vxlan in hoodfile:
"vpn": [
{
"name": "gatewayname",
"protocol": "vxlan",
"address": "gateway.url" (or IP)
}
"name" is optional.
---
This rewrite makes vpn-select modular to easely add new vpn-protocols.
The stuff dependent on the vpn-protocol is outsourced to files in /usr/lib/vpn-select.d/ and comes in with the respective vpn package. In this way it is easy to select or deselect vpnprotocols to be build in.
vpn-stop is removed to use the protocol independent start/stop mechanism of vpn-select. Instead, a symlink is used.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
20-clamp-mss:
Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.
20-filter-ssh:
These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.
Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.
Fixes#183
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Suppresses the unhelpful "uci: Entry not found" message when running
configure-layer3 -c in case there is no `ip6addr` set on the client
interface.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The mosquitto server is not necessary for the intended use case of
fff-mqtt. It was added to this package accidentally. Remove it to
prevent from running the server unintentionally.
Fixes: #174
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
If the router_ips don't happen to be included in the client network's
subnet, the decision defaults to a main table lookup. This causes
packets to choose the wrong interface.
This patch forces packets from a router_ip to be routed via the fff table.
Fixes: #175
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Memory consumption has increased enough with OpenWrt 21.02, that
devices with 32 MB memory do not work reliably anymore.
It might be possible to work around the 4 MB flash limitation, but
reducing memory consumption is quite a bit harder. It is very likely
that this is only possible with a signifcant reduction of feature.
As we do not support any devices that have enough memory but only 4 MB
of flash, drop support for devices with less than 8/64 MB alltogether.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
OpenWrt images contain a compat_version, which is used to block upgrades
to newer versions with incompatible configuration, if the configuration
cannot be migrated.
As we maintain our own configuration and all OpenWrt configuration files
are dropped on an upgrade, this upgrade block is not required.
To simplify the upgrade process, retain the old compat_version for the
next release. The compat_version should be bumped manually on release, so
we stay compatible with OpenWrt releases.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
The port override feature of network.config is hard to maintain, since
changes to devices (e.g. port configuration updates, switch to DSA) have
to be applied to this manual override as well.
As this feature is probably hardly used anyway, remove it.
The port override migration for the Archer C7 v2 is not necessary
anymore, remove it as well.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
With this package the mqtt settings can be configured over the webui.
Each user can use its own mqtt broker or a broker from another user.
This means that the user has a free choice of where to send or get data.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package allows to publish monitoring data from alfred
to the mqtt broker.
Anyone can access this data and can build its own monitoring.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package provides mosquitto and default settings.
mosquitto is used for mqtt communication.
With mqtt we can use a distributed mqtt broker for decentralized
communication.
We can use this for monitoring data or router configuration.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
If the user did not specify a dns server, set a fallback. Since we
already have multiple servers available on an anycast address, this
address is chosen instead of as specific server. This should avoid the
issue that the default server might deprecate suddenly.
A warning is still displayed to remind the user to conscientiously
choose a server and not rely on defaults.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
These entries are overwritten by any call to `configuregateway`.
Since they never get used, they should be removed.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
With this patch all installed tables are flushed.
We no longer have to worry about the modules
installed or not. (nat, mangle ...)
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
If the bridge created for DSA devices is configured without any members,
a single netifd reload is currently not sufficient to correctly apply
network settings. This is due to a bug in netifd (FS#4104).
Temporarily add a simple workaround by always configuring the bridge,
even if it does not have any member ports.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Due to the switch from swconfig to DSA, the switchport names have to be
migrated for some devices. Add a script to translate the switchport
names to their DSA equivalents, where applicable.
Fixes: #156
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
Since the ipq40xx ethernet driver has built-in handling for a few vlan
ids, this target requires a driver patch that disables this
functionality, so all vlan ids can be handled by the linux kernel.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
For some purposes (e.g. SNAT, vxlan) it might be necessary to have an
additional address just for the router which is not attached to any
interfaces. Addresses like this are typically added to the loopback
interface.
The new options "router_ip" and "router_ip6" are added to the gateway
config to allow the user to configure such addresses. It is possible to
both specify the address with or without a subnet size.
The default configuration contains the IPv4 loopback address
(127.0.0.1/8) explicitly, but this is not necessary. These addresses are
configured automatically, even if they are not present in the
configuration, so they can safely be removed, if present.
The filters of our routing daemon babeld are adjusted accordingly, so
the newly added addresses are announced correctly.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
This currently includes a patch to add the label-mac alias in the
devices DTS file, which is also submitted upstream.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
The SIGHUP signal is sent to a process if a hangup is detected on the
controlling terminal. This might happen if the ssh session, from which
the test mode was started, is disconnected.
Because ssh session disconnects might happen due to network
reconfiguration, aborting the test mode without restoring the old
settings might make the device unreachable.
Instead, disable the SIGHUP signal when test mode is activated, so
the script is either killed by the user (after successful configuration)
or the timer expires and the old settings are restored.
Fixes: #141
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The IPv4 source routing features was removed from babeld with version
1.10. Therefore, the first_table_number option is not needed anymore and
its existance stops babeld from starting up.
As babeld 1.10 is included with OpenWrt 21.02, which is currently used
for our firmware, this option is removed.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
The OpenWrt function get_mac_label resides in /lib/functions/system.sh,
so it has to be included, if we want to use this function.
This include was missing in the fff-wireguard layer3 configuration
script, so it is added here.
Fixes: 68c7d75a1b ("treewide: exploit label MAC address from OpenWrt")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Receive packet steering (RPS) is a linux feature to improve forwarding
performance by distributing the forwarding of packets across multiple
cpus. This is necessary for network devices which have less queues than
cpu cores.
OpenWrt allows to enable RPS easily by setting the global option
'packet_steering' in the network configuration. With earlier OpenWrt
versions this option was enabled by default. However, the default value
was changed with OpenWrt 21.02.
Enable this option agian to improve forwarding performance on routers
with multiple cpu cores.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Some devices had to be disabled starting with OpenWrt 21.02 due to their
new DSA switch drivers.
As support for DSA configuration has since been added to fff-network,
this makes use of this configuration for devices with DSA drivers.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Starting with OpenWrt 21.02 some devices now use upstream kernel drivers
for the built-in switch instead of relying on OpenWrt's swconfig driver.
The upstream kernel drivers use the Distributed Switch Architecture
(DSA) for configuration of the switch. Instead of explicitly configuring
the hardware switch, all ports appear as distinct interfaces and linux
bridges are offloaded to the hardware switch if possible.
To keep changes small, this patch adds support for DSA devices by
setting up a linux bridge, which is then treated just like the
cpuport-interface of the swconfig driver.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
To make it clear why the set sysctls are necessary, add appropriate
comments to them. Also reorder them for improved readability.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Many of the set sysctls are either unnecessary, are already default in
the kernel or in OpenWrts defaults, or the reason for them being
explicitly set is unknown.
Remove all those sysctls from fff-network, as unfounded deviations from
default values will cause hard-to-debug problems in the future.
The original motivation for this patch is the netdev_max_backlog sysctl,
which was set to a very low value without any reason or comment.
This hurt forwarding performance on mt7621 with DSA significantly and
took quite a while to discover.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>