20-clamp-mss:
Clamping is done in other parts of the network and to a very low static
value. This rules is very likely doing nothing at the moment.
20-filter-ssh:
These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.
Removing both rules would enable us to unload the conntrack module all
together, potentially improving overall performance.
Fixes#183
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Suppresses the unhelpful "uci: Entry not found" message when running
configure-layer3 -c in case there is no `ip6addr` set on the client
interface.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Some OpenWrt targets do not have subtargets. The filename only contains
the chipset in that case. Split the removal of chipset and subtarget
into multiple expressions, so the removal of the chipset works on
targets without subtargets as well.
Fixes: #187
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
This reverts commit de9d4abf44.
As the compat_version has been bumped with the last release, this hack
can be removed, because the compat_version now is in sync with upstream.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Some devices use .tar or .img for their firmware images. Our buildscript
currently only generates checksums for .bin files. Therefore, generate
checksums for .tar and .img files as well.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-By: Johannes Kimmel <fff@bareminimum.eu>
Our last firmware release has a very specific edge case failure, where
only the edgerouter-x using the node-variant images is unable to boot.
The root cause of this issue could not be identified, but using a
slightly newer or slightly older kernel release than the 5.4.154
included with openwrt-21.02.1 fixes this issue.
Therefore, cherry pick the kernel bumps to 5.4.163 from the
openwrt-21.02 branch until the next OpenWrt release to fix this issue.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-By: Johannes Kimmel <fff@bareminimum.eu>
The mosquitto server is not necessary for the intended use case of
fff-mqtt. It was added to this package accidentally. Remove it to
prevent from running the server unintentionally.
Fixes: #174
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Add the missing subtarget variable, so the resulting binary is copied
from the correct location inside the OpenWrt build dir.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
If the router_ips don't happen to be included in the client network's
subnet, the decision defaults to a main table lookup. This causes
packets to choose the wrong interface.
This patch forces packets from a router_ip to be routed via the fff table.
Fixes: #175
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Memory consumption has increased enough with OpenWrt 21.02, that
devices with 32 MB memory do not work reliably anymore.
It might be possible to work around the 4 MB flash limitation, but
reducing memory consumption is quite a bit harder. It is very likely
that this is only possible with a signifcant reduction of feature.
As we do not support any devices that have enough memory but only 4 MB
of flash, drop support for devices with less than 8/64 MB alltogether.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
OpenWrt images contain a compat_version, which is used to block upgrades
to newer versions with incompatible configuration, if the configuration
cannot be migrated.
As we maintain our own configuration and all OpenWrt configuration files
are dropped on an upgrade, this upgrade block is not required.
To simplify the upgrade process, retain the old compat_version for the
next release. The compat_version should be bumped manually on release, so
we stay compatible with OpenWrt releases.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
The port override feature of network.config is hard to maintain, since
changes to devices (e.g. port configuration updates, switch to DSA) have
to be applied to this manual override as well.
As this feature is probably hardly used anyway, remove it.
The port override migration for the Archer C7 v2 is not necessary
anymore, remove it as well.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
With this package the mqtt settings can be configured over the webui.
Each user can use its own mqtt broker or a broker from another user.
This means that the user has a free choice of where to send or get data.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package allows to publish monitoring data from alfred
to the mqtt broker.
Anyone can access this data and can build its own monitoring.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
This package provides mosquitto and default settings.
mosquitto is used for mqtt communication.
With mqtt we can use a distributed mqtt broker for decentralized
communication.
We can use this for monitoring data or router configuration.
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
If the user did not specify a dns server, set a fallback. Since we
already have multiple servers available on an anycast address, this
address is chosen instead of as specific server. This should avoid the
issue that the default server might deprecate suddenly.
A warning is still displayed to remind the user to conscientiously
choose a server and not rely on defaults.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
These entries are overwritten by any call to `configuregateway`.
Since they never get used, they should be removed.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
With this patch all installed tables are flushed.
We no longer have to worry about the modules
installed or not. (nat, mangle ...)
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
If the bridge created for DSA devices is configured without any members,
a single netifd reload is currently not sufficient to correctly apply
network settings. This is due to a bug in netifd (FS#4104).
Temporarily add a simple workaround by always configuring the bridge,
even if it does not have any member ports.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Due to the switch from swconfig to DSA, the switchport names have to be
migrated for some devices. Add a script to translate the switchport
names to their DSA equivalents, where applicable.
Fixes: #156
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
This patch fixes the forwarding behavior of bridge in bridge
configurations with DSA.
Without it, the configuration of the upper bridge might overwrite
settings of the lower bridge. For example, a vlan-aware bridge
with DSA interfaces in it might be offloaded to the DSA hardware. If the
bridge interface itself gets slave of a different bridge without vlan
filtering, the vlan filtering setting of the lower bridge is overwritten
by the upper bridge, which results in an incorrect hardware
configuration.
This was backported from kernel 5.7.
Ref: https://github.com/openwrt/openwrt/pull/4493
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Since the ipq40xx ethernet driver has built-in handling for a few vlan
ids, this target requires a driver patch that disables this
functionality, so all vlan ids can be handled by the linux kernel.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
For some purposes (e.g. SNAT, vxlan) it might be necessary to have an
additional address just for the router which is not attached to any
interfaces. Addresses like this are typically added to the loopback
interface.
The new options "router_ip" and "router_ip6" are added to the gateway
config to allow the user to configure such addresses. It is possible to
both specify the address with or without a subnet size.
The default configuration contains the IPv4 loopback address
(127.0.0.1/8) explicitly, but this is not necessary. These addresses are
configured automatically, even if they are not present in the
configuration, so they can safely be removed, if present.
The filters of our routing daemon babeld are adjusted accordingly, so
the newly added addresses are announced correctly.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
This currently includes a patch to add the label-mac alias in the
devices DTS file, which is also submitted upstream.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
The SIGHUP signal is sent to a process if a hangup is detected on the
controlling terminal. This might happen if the ssh session, from which
the test mode was started, is disconnected.
Because ssh session disconnects might happen due to network
reconfiguration, aborting the test mode without restoring the old
settings might make the device unreachable.
Instead, disable the SIGHUP signal when test mode is activated, so
the script is either killed by the user (after successful configuration)
or the timer expires and the old settings are restored.
Fixes: #141
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
The IPv4 source routing features was removed from babeld with version
1.10. Therefore, the first_table_number option is not needed anymore and
its existance stops babeld from starting up.
As babeld 1.10 is included with OpenWrt 21.02, which is currently used
for our firmware, this option is removed.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
The OpenWrt function get_mac_label resides in /lib/functions/system.sh,
so it has to be included, if we want to use this function.
This include was missing in the fff-wireguard layer3 configuration
script, so it is added here.
Fixes: 68c7d75a1b ("treewide: exploit label MAC address from OpenWrt")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Receive packet steering (RPS) is a linux feature to improve forwarding
performance by distributing the forwarding of packets across multiple
cpus. This is necessary for network devices which have less queues than
cpu cores.
OpenWrt allows to enable RPS easily by setting the global option
'packet_steering' in the network configuration. With earlier OpenWrt
versions this option was enabled by default. However, the default value
was changed with OpenWrt 21.02.
Enable this option agian to improve forwarding performance on routers
with multiple cpu cores.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Some devices had to be disabled starting with OpenWrt 21.02 due to their
new DSA switch drivers.
As support for DSA configuration has since been added to fff-network,
this makes use of this configuration for devices with DSA drivers.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Starting with OpenWrt 21.02 some devices now use upstream kernel drivers
for the built-in switch instead of relying on OpenWrt's swconfig driver.
The upstream kernel drivers use the Distributed Switch Architecture
(DSA) for configuration of the switch. Instead of explicitly configuring
the hardware switch, all ports appear as distinct interfaces and linux
bridges are offloaded to the hardware switch if possible.
To keep changes small, this patch adds support for DSA devices by
setting up a linux bridge, which is then treated just like the
cpuport-interface of the swconfig driver.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
With commit 1946aaca87 the variantselection has changed.
This adapts dep-tree to the new situation.
Additional:
* The variant can now passed by as an option.
* A help text is added.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
git pull combines two steps: fetch and merge. When checking out
another revision into an existing build directory, git pull tries to merge
the changes from the new revision into the current HEAD, before checking
out the new revision with git checkout. Because we apply various patches
to OpenWrt, the merge step almost certainly fails, so the new revision
is not checked out.
As the merge isn't needed anyway, use git fetch instead, which only
fetches updates from the remote without actually applying them.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
It is hard to read non colorized ip output.
This adds an alias to colorize ip by default.
Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
To make it clear why the set sysctls are necessary, add appropriate
comments to them. Also reorder them for improved readability.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Many of the set sysctls are either unnecessary, are already default in
the kernel or in OpenWrts defaults, or the reason for them being
explicitly set is unknown.
Remove all those sysctls from fff-network, as unfounded deviations from
default values will cause hard-to-debug problems in the future.
The original motivation for this patch is the netdev_max_backlog sysctl,
which was set to a very low value without any reason or comment.
This hurt forwarding performance on mt7621 with DSA significantly and
took quite a while to discover.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Use the git.freifunk-franken.de OpenWrt mirror for OpenWrt itsel and
OpenWrt feeds to reduce upstream traffic.
This is especially important since a clean build currently requires
a fresh clone of all repositories.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
Bump core, packages and routing.
Refresh patches.
This includes babeld 1.10.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
This migrates the support for the TP-Link CPE210 v1 and CPE510 v1
so they are recognized by the new two-port setup code.
Assignment of ports should be consistent to the ar71xx implementation,
i.e. primary port (PoE in) assigned to WAN and secondary port (PoE out)
assigned to CLIENT by default.
Note that this is the exact opposite of the default configuration of
what OpenWrt does (but both have been consistent in behavior).
Since they work again, also re-enable image transfer.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Support native two-port devices by adding TWO_PORT variable and
exploiting the LAN0PORT and LAN1PORT variables designed for the
TP-Link CPE devices. Since the latter have been converted to
real two-port devices, we can now repurpose these variable for
the new setup.
This exploits the existing WANDEV and SWITCHDEV variables to
define the primary and secondary interfaces.
Note that by default this takes the initial values from network.mode,
so if initial WAN/CLIENT should swapped, this has to be added to
the relevant network.* file of the devices.
No device-specific changes are done in this patch.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
So far, all one-port devices also triggered the switch-based setup
in configurenetwork, as the one-port condition was not checked
there. While the relevant parts are overwritten by the one-port
config which comes later in the script, it still creates a lot
of useless/broken switch/vlan setup entries in /etc/config/network.
Properly check for one-port vs. non-one-port in the file, without
touching anything else.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Dropbear supports ed25519 keys since OpenWrt 21.02.
Also, ecdsa is supported since v19.07, but disabled in our firmware.
Keep the generated ed25519 and ecdsa host key accross upgrades.
While at it, remove dss host keys, as they are not supported anymore.
5eb7864aadd5 ("dropbear: rewrite init script startup logic to handle both host key files")
8a7a93947004 ("dropbear: remove generation and configuration of DSS keys")
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>