OpenWrt only removes uci-defaults scripts if the exit status of the
executed script is 0. Fix the exit code of the layer3-config migration
scripts so they are removed as intended.
Fixes: #313
Signed-off-by: Fabian Bläse <fabian@blaese.de>
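Added illustration, not part of the commit or the project's code: a constructed simulation of the removal rule described above. `apply_defaults` is a hypothetical stand-in for OpenWrt's boot-time loop, both migration scripts are invented, and the cause shown (a script whose last command is a false test) is an assumption about how such a script can end with a non-zero status.

```shell
#!/bin/sh
# Constructed simulation: a uci-defaults script is deleted only when it
# exits with status 0. All names and file contents here are made up.

apply_defaults() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Source the script in a subshell; remove it only on success.
        ( . "$f" ) >/dev/null 2>&1 && rm -f "$f"
    done
    # Whatever is still listed would be executed again on the next boot.
    ls "$dir"
}

demo() {
    dir=$(mktemp -d)

    # The last command is a test that evaluates to false, so the script's
    # exit status is 1 even though nothing went wrong.
    cat > "$dir/20-migrate-bad" <<'EOF'
CONFIG_VERSION=2
[ "$CONFIG_VERSION" -lt 2 ] && echo "migrating"
EOF

    # Same logic, but the script reports success explicitly.
    cat > "$dir/21-migrate-good" <<'EOF'
CONFIG_VERSION=2
[ "$CONFIG_VERSION" -lt 2 ] && echo "migrating"
exit 0
EOF

    left=$(apply_defaults "$dir")
    rm -rf "$dir"
    echo "$left"
}

# Prints the name of the script that was not removed.
demo
```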
The international variant of the Xiaomi Mi Router 4A (100m) has a
different partition layout than the Chinese version and was added to
OpenWrt at a later time. Using the OpenWrt image for the international
variant saves the extra step of flashing the Chinese firmware variant
via TFTP before OpenWrt itself.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Most of the entries in /etc/sysupgrade.conf are generated by a
uci-defaults script in the fff-sysupgrade package. The only entry
added in a different place is rc.local.fff_userconfig.
Consolidate all entries to be added by the uci-defaults script in
fff-sysupgrade.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Currently there is no way to persistently configure firewall rules on a
router. This might be desirable as home-use of the Freifunk network is
quite common these days.
To allow for the most flexibility while keeping maintenance efforts low,
add a persistent, user-customizable nftables hook. It is evaluated after
all firewall rules have already been configured, so it is possible to
override them.
Users of this hook are responsible for keeping up with changes to the
firmware and modifying it appropriately before updating the system.
Fixes: #314
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Introduce a workaround for an OpenWrt bug on the Xiaomi Mi 4A (Gigabit
Edition). After an update of the firmware, the wireless interfaces are
not properly created as configured.
When configuring the WiFi interfaces via uci and applying the
settings using reload_config, hostapd reports errors and no WiFi
interfaces are created.
It seems like OpenWrt tries to dynamically reload the settings instead
of restarting hostapd, but hostapd fails to properly apply them.
To work around this regression until the root cause is found, restart
the wifi interfaces manually after a firmware upgrade.
Fixes: #319
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: ArchTux <alex@tux-hausen.de>
When switching from ebtables to nftables, the --logical-in and
--logical-out selectors of some rules were missed. This might have been
caused by kmod-nft-bridge not being installed, which is required for the
ibrname and obrname selectors, so it is possible that the migration
(using ebtables-nft) did not apply these selectors.
Add the ibrname and obrname selectors and add the required kernel
module.
Fixes: #315
Fixes: 157fa4eac5 ("fff-firewall: Switch from ip/ebtables to nftables")
Reported-by: Robert Langhammer <rlanghammer@web.de>
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
OpenWrt v23.05 releases up to and including v23.05.2 contain a bug
which causes some SPI flashes to be partially or fully unwriteable [1].
A workaround for this bug has already been added to the v23.05 branch,
but no new version has been released since.
Bump OpenWrt and corresponding feeds to the most recent commit
on the v23.05 branch.
[1] https://github.com/openwrt/openwrt/pull/14361
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Because of the switch from swconfig to DSA, the switchport names
have to be migrated for a few devices. Due to past migrations, we
already have developed a migration script for that.
Duplicate and adjust the script for the newly migrated devices. While at
it, rename the old script to reflect the configuration version bump.
Fixes: #301
Signed-off-by: Fabian Bläse <fabian@blaese.de>
OpenWrt images contain a compat_version, which is used to block upgrades
to newer versions with incompatible configuration, if the configuration
cannot be migrated.
As we maintain our own configuration and all OpenWrt configuration files
are dropped on an upgrade, this upgrade block is not required.
To simplify the upgrade process, retain the old compat_version for the
next sysupgrade release. The compat_version will then be bumped
automatically by the `05_compat-version` board.d script.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
The TL-WDR4900 was migrated to a DSA driver with OpenWrt 23.05. Adjust
our network configuration accordingly.
Fixes: #302
Signed-off-by: Fabian Bläse <fabian@blaese.de>
When adjusting our configuration for the DSA migration of the FritzBox
4040, the cpuport was forgotten. The cpuport has to be removed for DSA
devices.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
With OpenWrt 23.05 a few more devices have been migrated to DSA. Bump
the config_version of layer3-config to reflect the necessary migration.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
All of our devices are routers. Because they all serve the same purpose,
it is quite common that the first part of the hostname is the same for
multiple devices, and the location of the device is only included in
subsequent parts of the hostname.
Include the full hostname in the shell prompt, so it is easier to
determine the device's location.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
The packages rsync and python3-distutils are required for a successful
build, but missing in the prerequisites of the README. Add them.
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Use color output when the `tput` command is available.
`tput` handles terminal-dependent capabilities, so the script should
remain portable.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
This reverts commit 3e27bff731.
Removing these busybox features breaks wireless configuration in various
confusing ways. Revert this change until further analysis.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Device support is based on the patch set linked in the OpenWrt Wiki. [1][2]
The aux-loader blob is not included, as it is only required for initial
installation.
Two additional kernel patches for mvpp2 are added to allow receive
hashing to work properly in the DSA setup of the device.
[1] https://openwrt.org/toh/mikrotik/rb5009ug_s_in#installation
[2] https://paste.myconan.net/482114
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Building htop with lm-sensors support currently breaks x86_64 image
building. Disable lm-sensors support for all platforms for now, because
we are currently not including lm-sensors anyway.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
- enable persistent history, save it to tmpfs (ram)
- increase history size to 1024
- enable reverse-i search
- enable watch command
- enable top SMP command
Signed-off-by: Fabian Bläse <fabian@blaese.de>
fff-extra: feature_top_smp (apply for all targets or move to dependency!)
A bigger squashfs block size improves compression ratio. The improved
compression ratio is necessary for the Archer C60 devices (v1 + v2)
because they include large wifi drivers.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
On a typical Freifunk router, only a small subset of bird protocols
is in use. Disable unused bird protocols to save disk space.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Devices with large flash can hold more packages and tools to improve
user experience. Create an additional package which can be used to
select packages only on targets with large flash (currently >= 16 MiB).
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Babeld has been replaced with bird by default for quite some time now.
Remove babeld and all configuration scripts (fff-babeld) to reduce
image size.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Instead of fetching the complete git repositories, only download
reachable commits and trees. Anything missing will be automatically
fetched on-demand.
The blobless prepare step is about 10% faster and uses 300M less
disk space.
Additionally the following repository options are disabled:
gc.auto:
The checkouts are short lived, garbage collection is likely never
useful
advice.detachedHead:
Disable the repeating warning message that the repositories are in a
detached state for cleaner logs.
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Add the following option to the client config section in
`/etc/config/gateway` to enable a basic stateful firewall:
```
config client
option stateful_firewall '1'
```
The firewall will forward ICMP messages and allow any outbound client
traffic and related inbound traffic.
Acked-by: Fabian Bläse <fabian@blaese.de>
Include nftables and appropriate modules. Translate ip- and ebtables
rules to their nftables counterparts. Remove ip/ebtables and modules.
This change intentionally tries to keep structural changes at a minimum
to keep the rule translation comprehensible.
kmod-nft-bridge is not required for fff-node, because it was merged into
a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387e
Fixes: #252
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>
OpenWrt 22.03 introduced a generic subtarget for the octeon platform and
moved all targets without a subtarget into it. Adjust our BSP and config
to accommodate this change.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
It might be desired by the user to change the channel width of the
wireless radios. Implement a layer3 option to make channel width
configurable by the user.
Fixes: #276
Signed-off-by: Fabian Bläse <fabian@blaese.de>
When reverting configured settings, it is not an error if no temporary
directory for bird babel peers has been created.
Use rm -rf to prevent an error message and early exit of
configure-layer3 scripts.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The flash of some devices is too small to accommodate the additional
wolfssl library, which is included by default on OpenWrt 22.03.
In the future, the currently included mbedtls library should be replaced
with wolfssl, so WPA3, OWE and 802.11s encryption can be used.
Signed-off-by: Fabian Bläse <fabian@blaese.de>