With OpenWrt 23.05 a few more devices have been migrated to DSA. Bump
the config_version of layer3-config to reflect the necessary migration.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Add the following option to the client config section in
`/etc/config/gateway` to enable a basic stateful firewall:
```
config client
option stateful_firewall '1'
```
The firewall will forward icmp mesages and allow any outbound client
traffic and related inbound traffic.
Acked-by: Fabian Bläse <fabian@blaese.de>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
Do not hide uci errors when checking if gateway config exists, so an
appropriate uci error message is displayed. This can be helpful to find
syntax errors.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Previously, some interfaces in the client ifname list have been kept.
The actual reason for this is unknown, it might have been used for the
bat0 interfaces.
Filtering the interface list in this way might lead to interfaces being
retained unintentionally, especially with the diverse naming of DSA
interfaces.
As it is not required anymore, remove the retention of some interfaces
completely.
Fixes: #207
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Suppresses the unhelpful "uci: Entry not found" message when running
configure-layer3 -c in case there is no `ip6addr` set on the client
interface.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
If the router_ips don't happen to be included in the client network's
subnet, the decision defaults to a main table lookup. This causes
packets to choose the wrong interface.
This patch forces packets from a router_ip to be routed via the fff table.
Fixes: #175
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
For some purposes (e.g. SNAT, vxlan) it might be necessary to have an
additional address just for the router which is not attached to any
interfaces. Addresses like this are typically added to the loopback
interface.
The new options "router_ip" and "router_ip6" are added to the gateway
config to allow the user to configure such addresses. It is possible to
both specify the address with or without a subnet size.
The default configuration contains the IPv4 loopback address
(127.0.0.1/8) explicitly, but this is not necessary. These addresses are
configured automatically, even if they are not present in the
configuration, so they can safely be removed, if present.
The filters of our routing daemon babeld are adjusted accordingly, so
the newly added addresses are announced correctly.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Starting with OpenWrt 21.02 some devices now use upstream kernel drivers
for the built-in switch instead of relying on OpenWrt's swconfig driver.
The upstream kernel drivers use the Distributed Switch Architecture
(DSA) for configuration of the switch. Instead of explicitly configuring
the hardware switch, all ports appear as distinct interfaces and linux
bridges are offloaded to the hardware switch if possible.
To keep changes small, this patch adds support for DSA devices by
setting up a linux bridge, which is then treated just like the
cpuport-interface of the swconfig driver.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Allow setting WAN vlan/interface from gateway config.
A configuration without explicit definition of a WAN interface is
valid at the moment and results in the default configuration from
fff-network being used.
Originally, it was intended to automatically set WAN to vlan 2, if nothing was
specified. As this would break devices, which don't use swconfig for
WAN, the already configured WAN interface is left untouched.
Fixes: #85 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Instead of exposing the CPUPORT variable to the calling script
directly, wrap it into a function which can be called there.
Fixes: #52 (gitea)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The name br-mesh is actually quite misleading, since the bridge
actually includes the "client" interfaces. In order to make this
obvious, and to prevent confusion with the properly named wXmesh
interfaces, rename them to br-client.
Note that br-mesh is also particularly disturbing for the layer 3
firmware without batman-adv.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
configuregateway and it's gateway.d files represent a specific
functionality that other packages depend on. Thus, it is put into
a package of its own so dependencies can be expressed more properly.
While at, use the chance to get rid of the ambiguous term "gateway"
and rename the script to configure-layer3 and the folders to layer3.d.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>