ci/woodpecker/push/woodpecker Pipeline was successfulDetails
Do not hide uci errors when checking if gateway config exists, so an
appropriate uci error message is displayed. This can be helpful to find
syntax errors.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
When advertising network prefixes gathered from the interface, odhcpd
sets the preferred and valid lifetime of those prefixes in the router
advertisement to the values set for those addresses on the interface.
When prefixes are configured statically (as done in our firmware), this
means that odhcp announces these prefixes for SLAAC with infinite
preferred and valid lifetimes.
While this does not seem like a problem at first, it hurts significantly
when configuration errors are made or cables are plugged into the wrong
ports, because those addresses never vanish from devices anymore, as long
as they are powered up. Also, it makes it impossible to change prefixes
without gracefully shutting down the RA server, so it can announce zero
lifetimes for previously announced prefixes.
Sadly, odhcp does not have an option to configure these lifetimes
explicitly, but it is possible to limit these lifetimes to the lease
time configured and used for the DHCP functionality of odhcpd.
Enable the appropriate 'ra_useleasetime' option to reduce impact of the
before mentioned problems.
Fixes: #142
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
Add pipeline configuration for Woodpecker CI. This tells Woodpecker how
to build our firmware, so it can automatically generate firmware images
for all commits to the master branch.
Continuous integration not only helps spotting build errors early, but
also allows non-developers to test the firmware during development.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
The x86 OpenWrt target does not have device names, as x86 images are
generic for various hardware. Therefore, removing the target and
subtarget from the image name results in an indistiguishable image name.
Keep the target name for x86 images, so the resulting images are
distinguishable.
Fixes: #229
Signed-off-by: Fabian Bläse <fabian@blaese.de>
*-ssl variants of mosquitto require libopenssl, which increases the
storage requirement by almost 1 MB, even when compressed with squashfs.
Because we currently do not need TLS support for fff-mqtt, switch to the
nossl variant to save space and allow building for devices with 8 MiB
flash.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Disabling vxlan via uci solves all problemes.
A reload_config does now everything we need. Bringing up vxlan if peers available and shuting down the Interface if not.
This will also remove old fdb entries and clear the batman tables immediately.
No ifup and no extra cleaning of the fdb is required.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reset vid if no peers are available.
If a router switches to a hood without vxlan, or the peers in the hoodfile disappear, the vid should be reset.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Without "uci commit" peers do not appear in /etc/config network. Use uci show instead.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
In a previous change all static configuration has been moved from
configurenetwork to a static uci-defaults script. As the configuration
of the switch is completely static, while port assignment for ONE and
TWO_PORT devices is dynamic, this patch slightly changed the condition
for the creation of the switch config.
Instead of only configuring the switch, if ONE_PORT and TWO_PORT is not
set, the switch is now always configured if a swconfig device is
present. However, some ONE and TWO_PORT devices have a swconfig device,
even though only a single physical port is connected to it. Those
devices require an unconfigured switch to function properly.
Therefore, introduce additional conditions, so the switch configuration
is not generated if ONE_PORT or TWO_PORT is set.
Fixes: 1c3328e64a ("Remove static configuration from dynamic script")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
ETHPORT was used to configure devices with two physical ethernet ports,
one of them being connected directly to the CPU, while the other one is
connected to the internal switch of the platform.
As the GL-AR150 has been converted to the TWO_PORT codepath and no other
devices utilizes ETHPORT, remove all leftovers.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Sebastian Beck <freifunk@beibecks.de>
The GL-AR150 has two ethernet ports. One of them is connected directly
to the CPU (labeled "WAN"), while the other one (labeled "LAN") is
connected to the internal switch of the AR9330 platform.
Previously, this device had its own codepath in configurenetwork,
utilizing the ETHPORT variable, so the single physical port of the
switch could be connected to either the CLIENT or BATMAN vlan of the
SWITCHPORT.
When adding support for TWO_PORT devices, this codepath was accidentally
removed, so the LAN-Port was not configured anymore.
Configuring the internal switch is not necessary when only a single
physical port ist connected to it. Instead, leave the switch
unconfigured, so it behaves like an unmanaged vlan-transparent switch.
As we support TWO_PORT devices now, utilize the TWO_PORT codepath
(instead of the ONE_PORT codepath, which would be equivalent to the old
behaviour) to make both ports configureable. To retain the previously
configured mode of the LAN-Port, migrate ETHPORT to LAN1MODE before
executing configurenetwork.
Fixes: #222
Fixes: c22032e254 ("fff-network: support native two-port devices")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Sebastian Beck <freifunk@beibecks.de>
Instead of tampering with the 'DEFAULT' property of meta packages on
every build in a non-portable way, use the build system as intended and
select packages using an approriate build config ('.config').
This is achived by adding the approriate variant package to the build
config before expanding it using defconfig.
By that, the fff-variant-* packages and FFF_VARIANT environment variable
can be removed. Base packages required in both variants are now included
via fff-base (formerly fff-variant/default).
Besides cleaning up the build process, this change also fixes a recent
issue with build dependencies, as they are evaluated on a per-package
basis instead of per-variant. Due to that, dependencies of all
variants are compiled, regardless of the selected variant. Combined with
a recent build issue of mosquitto (see [1]), the node variant could not
be built from a clean state.
[1] https://github.com/eclipse/mosquitto/issues/2432
Signed-off-by: Fabian Bläse <fabian@blaese.de>
fastd startup changed to procd. That's why it's broken.
Now a fastd reload can be used for all conditions.
An extra fastd stop is implemented to bring down the Interface.
fastd reload doesn't do that.
Fixes: #215
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
There are two reasons why there should be no peers.
Meshrouter without wan or no peers in hoodfile for a protocol.
With this patch there is only one condition left for vpn-start-stop.
Peers present or not. And it is less complicated to implement start/stop.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
This patch add the latency to the nodewatcher data.
The target of the ping can configure in /etc/config/fff
Example:
config latency 'latency'
option ipv4 'ff1.zbau.f3netze.de'
option ipv6 'ff1.zbau.f3netze.de'
if no target is set, no latency is send.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
Some users might want to prefer one babel implementation over another
for various reasons. Having to compile the firmware from scratch can be
quite tedious in that case.
Instead, make the babel implementation switchable at runtime.
The implementation can be switched manually using the uci option
`babelimpl.impl.impl`, which currently is not upgrade-safe.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Bird 2 has a few advantages over babeld. Especially the possiblity to
dynamically reload the configuration without restarting the daemon and
birds significant performance advantage make it an interesting
alternative to babeld for our firmware.
This adds the necessary implementation-specific fff-babel-bird2 package,
which allows to integrate bird2 into the fff firmware.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
To be able to swap out babeld for a different babel implementation in
the future, this splits all fff-specific configuration into a seperate
fff-babel package.
Implementation specific configuration is done in
/lib/functions/fff/babeldaemon, which is included with every selectable
babel implementation. It contains functions, which are called by the
fff-specific code, and therefore allows to configure the implementation
specific parts.
The babel implementation is provided by implementation-specific
fff-packages, which provide 'fff-babel-implementation'. At the moment,
only fff-babeld is supported for use as babel implementation.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
This patch adds support for the x86_64 target. Both legacy and UEFI boot
are supported.
Currently, only a single network interface is supported, which is
configured like any other ONE_PORT device. Therefore, this target is not
very useful for the node variant. However, vlan interfaces can be
configured for client, wan and peering sections in the layer3
configuation.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
If a prefix is used for a client interface utilizing snat, it shall
not be publicly reachable, so it can be reused across multiple routers.
To prevent such prefixes from leaking, create appropriate babel filters
if snat is used.
Fixes: #196
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
The default cachesize for dnsmasq is 150 entries, which results in a
poor cache hit rate.
Raise the default to 1024 to provide better cache hit rates on all
devices while still keeping memory usage in check.
Further increase the cachesize to 8192 entries for systems with enough
ram (currently more than 64MB).
The memory usage will increase roughly 100B per entry.
The size was chosen empirically. Higher values don't seem to increase
cache hit rate a lot.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
This adds snmp-utils support to facilitate testing future uses for s2nproxy
WIP/RFC for s2nproxy:
#194
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
The OOM killer does not make much sense on a router, because regardless
of which process is killed, most of the time some essential core
functionality is affected.
Set the panic on OOM sysctl, so every OOM leads to a kernel panic and
results in a reboot of the router, which restores a clean state.
Fixes: #131
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Previously, some interfaces in the client ifname list have been kept.
The actual reason for this is unknown, it might have been used for the
bat0 interfaces.
Filtering the interface list in this way might lead to interfaces being
retained unintentionally, especially with the diverse naming of DSA
interfaces.
As it is not required anymore, remove the retention of some interfaces
completely.
Fixes: #207
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Currently we are utilizing stacked bridges to keep configuration of DSA
devices as close as possible to swconfig devices. The lower bridge is
for configuration of the DSA hardware and is vlan-aware, while the upper
bridge is used to connect wireless interfaces to the client interface.
A packet arriving from the switch might have the offload_fwd_mark flag
set in the skb to prevent it from being sent to DSA ports, as this has
already been done in hardware.
However, this flag is not cleared before the skb is processed by the
upper bridge, which prevents it from being sent to any other ports of
that bridge. Therefore, communication is not possible between different
ports of that bridge, while communication with the bridge interface
itself is possible.
This issue affects both the layer3 and node variant, but due to the
layer 2 architecture of the node firmware, it is far more noticeable in
the node firmware, as it prevents ethernet clients from sending packets
to the gateway.
Work around this issue by clearing the offload_fwd_mark flag before
passing the skb up.
Fixes: #205
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The base network configuration has been completely migrated to
uci-defaults scripts and any existing network configuration is dropped.
Therefore, the hardcoded /etc/config/network configuration file is not
required anymore. Remove it.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With the recent rework of the network configuration, any existing
configuration is dropped in a uci-defaults script (22-network-base) and
generated from scratch. When rebasing this rather old patchset, the
packet_steering option was overlooked, so it is missing now.
Restore the removed packet_steering option by setting it using a
dedicated uci-defaults script.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
With a recent patchset the initial boot process of the fff-network
package has been significantly altered. The base network configuration
is now generated by a uci-defaults script which completely drops
any existing network configuration first (22-network-base).
Reorder some uci-defaults scripts which extend the base network
configuration with layer3-specific rules, so they are executed after
22-network-base.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Most of the configuration done in configurenetwork is static and does
not change after the first boot. Move this static configuration into a
uci-defaults script, which is only executed on first boot.
Configuration which might be changed at runtime (e.g. port assignment),
is kept in the configurenetwork script.
To improve readability and speed, combine multiple uci commands into a
uci batch. Drop any existing network configuration before applying our
own configuration. This requires the network.globals section to be
created explicitly. Also, the fdff:: addresses, ETHMESHMAC and ROUTERMAC
can be set unconditionally, as the uci-defaults script is only executed
once. Other than that, the static configuration has not been altered.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
The explicit restat of fff-uradvd is not necessary anymore, as
appropriate procd reload triggers have been added, and reload_config is
executed after every run of configurenetwork.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Instead of both setting values in the uci configuration and applying
them manually, only set the values in the uci configuration and do a
combined reload_config afterward.
This not only ensures that the changes to the configuration are actually
correct, but also decreases the runtime of configurenetwork.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
fff-uradvd depends on values stored in the uci network config.
Therefore, a reload is required if the uci network config is modified.
As fff-uradvd does not support reloads, and possibly changing values are
given as command parameters, do a restart on procd reload.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Bump core, packages and routing.
Remove upstreamed build patches.
Remove ath10k memory hack and use the newly added ath10k-smallbuffers
variant instead, but only for devices which actually require it
(and therefore use ath10k-ct-smallbuffers by default).
Adjust for the newly introduced band option for wireless devices, which
is now emitted by OpenWrt by default.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
COMMITCOUNT allows to have the PKG_RELEASE calculated automatically
based on the number of commits for the package folder.
AUTORELEASE will count the number of commits since the last upstream
bump. This is relevant for packages with PKG_VERSION or
PKG_SOURCE_DATE set, but will not work for us since it assumes the
use of certain identifiers in commit titles.
COMMITCOUNT works fine for most of our packages, with the following
exceptions:
* fff-nodewatcher would yield a commit count of 55, while the
current PKG_RELEASE is 61. Thus, we do not touch it for now.
* Packages that have been renamed will start counting from 1 after
the rename, since folder renames are not tracked by git. This
will result in descreasing PKG_RELEASE after the change for
these packages.
However, since moving essentially creates a new package anyway,
counting from 1 makes sense conceptually, and PKG_RELEASE is
still replaced for these packages.
* alfred-json and fff-macnock use upstream code and thus would
normally require AUTORELEASE. As discussed above, this will
not work for us, so just leave these two untouched.
Note that all this is quite irrelevant for the way we use packages
currently, as without opkg PKG_RELEASE does not matter to us anyway.
So, let's just be happy about not having to bump PKG_RELEASE
anymore, while keeping the basic functionality intact.
The only package where the PKG_RELEASE is actually used for
something is fff-nodewatcher, where the version will be displayed
in the Monitoring.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[fabian@blaese.de: rebase, add new packages]
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
With this new package it is possible to do SNAT for client IPv4.
The user must set a router_ip in gateway.meta.router_ip, so an ip
address is available for peering interfaces and reachability.
Currently, no extra filtering is done, so the client interface should
only use ip ranges, which are already filtered from being announced
(e.g. 192.168.0.0/16).
Using NAT for IPv4 significantly reduces the need for big
Freifunk-global IP range allocations.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Co-authored-by: Fabian Bläse <fabian@blaese.de>
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Christian Dresel <freifunk@dresel.systems>
The removal of CIDR masks from ip addresses is changed to utilize
variable substitutions, which simplifies the expression.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The router_ip option can be a list of multiple ip addresses. It is also
possible to specify a subnet using a CIDR mask.
Only a single ip is required for peering interfaces, so select only the
first list entry and remove the CIDR mask.
Fixes: #197
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Without a vid, netifd is running in an ifup-loop.
This situation is comming up after firstboot. An existing hoodfile causes a set vid.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Openwrt v21.02.0 contains a new Batman Adv that now offers hop_penalty per hardif.
We can use this to prefer one tunnel for outgoing traffic if there are several VPNs. Eg. fastd and vxlan.
This Patch sets the hop_penalty for the fastd tunnel to 30.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package adds vxlan support to the node variant and configures the vxlan-vpn tunnels to the gateways.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
---
A vpn section for vxlan in hoodfile:
"vpn": [
{
"name": "gatewayname",
"protocol": "vxlan",
"address": "gateway.url" (or IP)
}
"name" is optional.
---
This rewrite makes vpn-select modular to easely add new vpn-protocols.
The stuff dependent on the vpn-protocol is outsourced to files in /usr/lib/vpn-select.d/ and comes in with the respective vpn package. In this way it is easy to select or deselect vpnprotocols to be build in.
vpn-stop is removed to use the protocol independent start/stop mechanism of vpn-select. Instead, a symlink is used.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
20-clamp-mss:
Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.
20-filter-ssh:
These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.
Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.
Fixes#183
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Suppresses the unhelpful "uci: Entry not found" message when running
configure-layer3 -c in case there is no `ip6addr` set on the client
interface.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Some OpenWrt targets do not have subtargets. The filename only contains
the chipset in that case. Split the removal of chipset and subtarget
into multiple expressions, so the removal of the chipset works on
targets without subtargets as well.
Fixes: #187
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
This reverts commit de9d4abf44.
As the compat_version has been bumped with the last release, this hack
can be removed, because the compat_version now is in sync with upstream.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Some devices use .tar or .img for their firmware images. Our buildscript
currently only generates checksums for .bin files. Therefore, generate
checksums for .tar and .img files as well.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-By: Johannes Kimmel <fff@bareminimum.eu>
Fabian Bläse
Robert Langhammer
Christian Dresel
Johannes Kimmel
Adrian Schmutzler