OpenWrt only removes uci-defaults scripts if the exit status of the
executed script is 0. Fix the exit code of the layer3-config migration
scripts so they are removed as intended.
Fixes: #313
Signed-off-by: Fabian Bläse <fabian@blaese.de>
The international variant of the Xiaomi Mi Router 4A (100m) has a
different partition layout as the chinese version and was added to
OpenWrt at a later time. Using the OpenWrt image for the international
variant saves the extra step of flashing the chinese firmware variant
via TFTP before OpenWrt itself.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Most of the entries in /etc/sysupgrade.conf are generated by a
uci-defaults script in the fff-sysupgrade package. The only entry
added in a different place is rc.local.fff_userconfig.
Consolidate all entries to be added by the uci-defaults script in
fff-sysupgrade.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Currently there is no way to persistently configure firewall rules on a
router. This might be desirable as home-use of the Freifunk network is
quite common these days.
To allow for the most flexibility while keeping maintenance efforts low,
add a persistent, user-customizable nftables hook. It is evaluated after
all firewall rules have already been configured, so it is possible to
override them.
Users of this hook are responsible for keeping up with changes to the
firmware and modify it appropriately, before updating the system.
Fixes: #314
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Introduce a workaround for an OpenWrt bug on the Xiaomi Mi 4A (Gigabit
Edition). After an update of the firmware, the wireless interfaces are
not properly created as configured.
When configuring the WiFi interfaces via uci and applying the
settings using reload_config, hostapd reports errors and no WiFi
interfaces are created.
It seems like OpenWrt tries to dynamically reload the settings instead
of restarting hostapd, but hostapd fails to properly apply them.
To work around this regression until the root cause is found, restart
the wifi interfaces manually after a firmware upgrade.
Fixes: #319
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: ArchTux <alex@tux-hausen.de>
When switching from ebtables to nftables, the --logical-in and
--logical-out selectors of some rules were missed. This might have been
caused by kmod-nft-bridge not being installed, which is required for the
ibrname and obrname selectors, so it is possible that the migration
(using ebtables-nft) did not apply these selectors.
Add the ibrname and obrname selectors and add the required kernel
module.
Fixes: #315
Fixes: 157fa4eac5 ("fff-firewall: Switch from ip/ebtables to nftables")
Reported-by: Robert Langhammer <rlanghammer@web.de>
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
Because of to the switch from swconfig to DSA, the switchport names
have to be migrated for a few devices. Due to past migrations, we
already have developed a migration script for that.
Duplicate and adjust the script for the newly migrated devices. While at
it, rename the old script to reflect the configuration version bump.
Fixes: #301
Signed-off-by: Fabian Bläse <fabian@blaese.de>
the TL-WDR4900 was migrated to a DSA driver with OpenWrt 23.05. Adjust
our network configuration accordingly.
Fixes: #302
Signed-off-by: Fabian Bläse <fabian@blaese.de>
When adjusting our configuration for the DSA migration of the FritzBox
4040, the cpuport was forgotten. The cpuport has to be removed for DSA
devices.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
With OpenWrt 23.05 a few more devices have been migrated to DSA. Bump
the config_version of layer3-config to reflect the necessary migration.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Device support is based on the patch set linked in the OpenWrt Wiki. [1][2]
The aux-loader blob is not included, as it is only required for initial
installation.
Two additional kernel patches for mvpp2 are added to allow receive
hashing to work properly in the DSA setup of the device.
[1] https://openwrt.org/toh/mikrotik/rb5009ug_s_in#installation
[2] https://paste.myconan.net/482114
Signed-off-by: Fabian Bläse <fabian@blaese.de>
- enable persistent history, save it to tmpfs (ram)
- increase history size to 1024
- enable reverse-i search
- enable watch command
- enable top SMP command
Signed-off-by: Fabian Bläse <fabian@blaese.de>
fff-extra: feature_top_smp (apply for all targets or move to dependency!)
Devices with large flash can hold more packages and tools to improve
user experience. Create an additional package which can be used to
select packages only on targets with large flash (currently >= 16 MiB).
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Babeld has been replaced with bird by default for quite some time now.
Remove babeld and all configurations scripts (fff-babeld) to reduce
image size.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Add the following option to the client config section in
`/etc/config/gateway` to enable a basic stateful firewall:
```
config client
option stateful_firewall '1'
```
The firewall will forward icmp mesages and allow any outbound client
traffic and related inbound traffic.
Acked-by: Fabian Bläse <fabian@blaese.de>
Include nftables and appropriate modules. Translate ip- and ebtables
rules to their nftables counterparts. Remove ip/ebtables and modules.
This change intentionally tries to keep structural changes at a minimum
to keep the rule translation comprehensible.
kmod-nft-bridge is not required for fff-node, because it was merged into
a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387eFixes: #252
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>
It might be desired by the user to change the channel width of the
wireless radios. Implement a layer3 option to make channel width
configurable by the user.
Fixes: #276
Signed-off-by: Fabian Bläse <fabian@blaese.de>
When reverting configured settings, it is not an error if no temporary
directory for bird babel peers has been created.
Use rm -rf to prevent an error message and early exit of
configure-layer3 scripts.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
By default OpenWRT generates A and AAAA records for the routers
hostname. This might interferes with upstream records and breaks when
DNSSEC is utilized.
Therefore, disable this features.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
The bird2 babel implementation has proven to be the more reliable option
over babeld, especially on low-end hardware. It has been working
flawlessly on many test installations.
Use bird2 instead of babeld, if no implementation is specified via uci.
While at it, use the automatically incrementing $(COMMITCOUNT) for
PKG_RELEASE.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Many functions of configure-layer3 terminate the program after
successful execution, as they were originally only intended for
execution of configure-layer3 commands.
However, some functions are used both for command exection, but also as
helper functions. For example, revert_changes() is used as a helper
function in test_changes(). Terminating the program at the end of the
function therefore ends the exection of test_changes() prematurely. As a
result, the test mode of configure-layer3 never reloads services after
a successful configuration revert.
Replace exit commands with appropriate function return values, which can
then be evaluated by the caller where appropriate.
While at it, add a missing return to the parameter validation in
execute_subshell().
Fixes: #256
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Support for devices with two ports was originally intended for built-in
swconfig switches with only two externally exposed ethernet ports.
With the switch from ath71xx to ath79, the only device which ever made
use of this uncommon configuration (CPE210-v1) now has to dedicated
interfaces exposed to Linux. Therefore, two-port support was modified to
support two distinct interfaces instead of swconfig switch
configuration, which also simplified support for a few other devices.
However, the Web UI has not been taken into account. Due to the way the
Web UI detected a two-port device, the already implemented port selector
is not shown.
Use the TWO_PORT variable introduced with the change mentioned above to
detect two-port devices instead.
Fixes: #257
Fixes: c22032e254 ("fff-network: support native two-port devices")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Currently router ipv6 addresses imported via the direct protocol from
the lo interface are all filtered. This should fix it.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The stderr of batctl should be redirected.
In a row of pipes a redirection at the end will only redirect the output of the last command! Put it on the right place.
It's just shell grammar.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
The update notification has been botched into the web ui a long time
ago. It has not been overhauled ever since.
Make it at least a little bit less ugly.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
None of our current settings require a reboot to be applied. Only a
hood change is not done immediately. Therefore, the user is not required
to reboot the router after changing settings, so remove the reboot
request.
Fixes: #107
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
A full reboot is not required for changing the port mode. The port mode
is configured dynamically using configurenetwork, which can be launched
after the port mode has been changed.
Fixes: #107
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
A recent change (b26399283a) introduced an upper limit for the preferred
and valid lifetimes, so the statically configured addresses on the client
interface do not result in infinite lifetimes.
This upper bound is derived from the dhcp lease time. However, the
preferred lifetime is unexpectedly bound by an explicit configuration
option in recent versions of odhcpd. Due to our short dhcp leasetime,
the default value of this option is higher than the lease time, which
results preferred lifetimes longer than the valid lifetime.
As this behavior is rather unintuitive, a proper fix for it should be
done upstream (see #238). Until then, lower the preferred lifetime
option to the same value as our leasetime.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Insert the lost "&"
Fixes: #239
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Do not hide uci errors when checking if gateway config exists, so an
appropriate uci error message is displayed. This can be helpful to find
syntax errors.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
When advertising network prefixes gathered from the interface, odhcpd
sets the preferred and valid lifetime of those prefixes in the router
advertisement to the values set for those addresses on the interface.
When prefixes are configured statically (as done in our firmware), this
means that odhcp announces these prefixes for SLAAC with infinite
preferred and valid lifetimes.
While this does not seem like a problem at first, it hurts significantly
when configuration errors are made or cables are plugged into the wrong
ports, because those addresses never vanish from devices anymore, as long
as they are powered up. Also, it makes it impossible to change prefixes
without gracefully shutting down the RA server, so it can announce zero
lifetimes for previously announced prefixes.
Sadly, odhcp does not have an option to configure these lifetimes
explicitly, but it is possible to limit these lifetimes to the lease
time configured and used for the DHCP functionality of odhcpd.
Enable the appropriate 'ra_useleasetime' option to reduce impact of the
before mentioned problems.
Fixes: #142
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
*-ssl variants of mosquitto require libopenssl, which increases the
storage requirement by almost 1 MB, even when compressed with squashfs.
Because we currently do not need TLS support for fff-mqtt, switch to the
nossl variant to save space and allow building for devices with 8 MiB
flash.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Disabling vxlan via uci solves all problemes.
A reload_config does now everything we need. Bringing up vxlan if peers available and shuting down the Interface if not.
This will also remove old fdb entries and clear the batman tables immediately.
No ifup and no extra cleaning of the fdb is required.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reset vid if no peers are available.
If a router switches to a hood without vxlan, or the peers in the hoodfile disappear, the vid should be reset.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Without "uci commit" peers do not appear in /etc/config network. Use uci show instead.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>