Commit Graph

571 Commits

Author SHA1 Message Date
Fabian Bläse a43b37e9f6 fff-babel: Make implementation runtime switchable
Some users might want to prefer one babel implementation over another
for various reasons. Having to compile the firmware from scratch can be
quite tedious in that case.

Instead, make the babel implementation switchable at runtime.

The implementation can be switched manually using the uci option
`babelimpl.impl.impl`, which currently is not upgrade-safe.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
2022-03-23 19:47:02 +01:00
Fabian Bläse 803e2746df Add bird2 as selectable babel implementation
Bird 2 has a few advantages over babeld. Especially the possibility to
dynamically reload the configuration without restarting the daemon and
bird's significant performance advantage make it an interesting
alternative to babeld for our firmware.

This adds the necessary implementation-specific fff-babel-bird2 package,
which allows to integrate bird2 into the fff firmware.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
2022-03-23 19:46:58 +01:00
Fabian Bläse 71d137d4f1 Add support for different babel implementations
To be able to swap out babeld for a different babel implementation in
the future, this splits all fff-specific configuration into a separate
fff-babel package.

Implementation specific configuration is done in
/lib/functions/fff/babeldaemon, which is included with every selectable
babel implementation. It contains functions, which are called by the
fff-specific code, and therefore allows to configure the implementation
specific parts.

The babel implementation is provided by implementation-specific
fff-packages, which provide 'fff-babel-implementation'. At the moment,
only fff-babeld is supported for use as babel implementation.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
2022-03-23 19:46:30 +01:00
Fabian Bläse 128a748626 Add support for x86_64
This patch adds support for the x86_64 target. Both legacy and UEFI boot
are supported.

Currently, only a single network interface is supported, which is
configured like any other ONE_PORT device. Therefore, this target is not
very useful for the node variant. However, vlan interfaces can be
configured for client, wan and peering sections in the layer3
configuration.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-11 12:34:59 +01:00
Fabian Bläse 9a3b499cae fff-babeld: create filter for prefixes used with snat
If a prefix is used for a client interface utilizing snat, it shall
not be publicly reachable, so it can be reused across multiple routers.

To prevent such prefixes from leaking, create appropriate babel filters
if snat is used.

Fixes: #196

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2022-03-11 12:34:32 +01:00
Johannes Kimmel 87d923c1ef fff-dhcp: increase dns cachesize
The default cachesize for dnsmasq is 150 entries, which results in a
poor cache hit rate.

Raise the default to 1024 to provide better cache hit rates on all
devices while still keeping memory usage in check.

Further increase the cachesize to 8192 entries for systems with enough
ram (currently more than 64MB).

The memory usage will increase roughly 100B per entry.

The size was chosen empirically. Higher values don't seem to increase
cache hit rate a lot.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2022-03-05 19:31:00 +01:00
Christian Dresel 0e8c32a363 fff-layer3: add snmp-utils package
This adds snmp-utils support to facilitate testing future uses for s2nproxy

WIP/RFC for s2nproxy:
freifunk-franken/firmware#194

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2022-03-05 18:19:20 +01:00
Fabian Bläse a5ad4a9b00 fff-config: Set panic on OOM
The OOM killer does not make much sense on a router, because regardless
of which process is killed, most of the time some essential core
functionality is affected.

Set the panic on OOM sysctl, so every OOM leads to a kernel panic and
results in a reboot of the router, which restores a clean state.

Fixes: #131

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-03-05 18:19:13 +01:00
Fabian Bläse 17bc1a7e62 fff-layer3-config: Always clear client interface list completely
Previously, some interfaces in the client ifname list have been kept.
The actual reason for this is unknown, it might have been used for the
bat0 interfaces.

Filtering the interface list in this way might lead to interfaces being
retained unintentionally, especially with the diverse naming of DSA
interfaces.

As it is not required anymore, remove the retention of some interfaces
completely.

Fixes: #207

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-03-05 18:19:02 +01:00
Fabian Bläse 5b23824344 fff-network: Remove hardcoded network config
The base network configuration has been completely migrated to
uci-defaults scripts and any existing network configuration is dropped.

Therefore, the hardcoded /etc/config/network configuration file is not
required anymore. Remove it.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:18:47 +01:00
Fabian Bläse 5424eb728c fff-network: restore accidentally removed packet_steering option
With the recent rework of the network configuration, any existing
configuration is dropped in a uci-defaults script (22-network-base) and
generated from scratch. When rebasing this rather old patchset, the
packet_steering option was overlooked, so it is missing now.

Restore the removed packet_steering option by setting it using a
dedicated uci-defaults script.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:18:21 +01:00
Fabian Bläse 209c9debbf treewide: reorder layer3-specific uci-default scripts
With a recent patchset the initial boot process of the fff-network
package has been significantly altered. The base network configuration
is now generated by a uci-defaults script which completely drops
any existing network configuration first (22-network-base).

Reorder some uci-defaults scripts which extend the base network
configuration with layer3-specific rules, so they are executed after
22-network-base.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:18:02 +01:00
Fabian Bläse 1c3328e64a Remove static configuration from dynamic script
Most of the configuration done in configurenetwork is static and does
not change after the first boot. Move this static configuration into a
uci-defaults script, which is only executed on first boot.

Configuration which might be changed at runtime (e.g. port assignment),
is kept in the configurenetwork script.

To improve readability and speed, combine multiple uci commands into a
uci batch. Drop any existing network configuration before applying our
own configuration. This requires the network.globals section to be
created explicitly. Also, the fdff:: addresses, ETHMESHMAC and ROUTERMAC
can be set unconditionally, as the uci-defaults script is only executed
once. Other than that, the static configuration has not been altered.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:18:00 +01:00
Fabian Bläse a8ce8e1ad6 fff-network: Remove unnecessary restart of fff-uradvd
The explicit restart of fff-uradvd is not necessary anymore, as
appropriate procd reload triggers have been added, and reload_config is
executed after every run of configurenetwork.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:17:59 +01:00
Fabian Bläse 3f765e4ba7 fff-network: Replace runtime configuration with reload_config
Instead of both setting values in the uci configuration and applying
them manually, only set the values in the uci configuration and do a
combined reload_config afterward.

This not only ensures that the changes to the configuration are actually
correct, but also decreases the runtime of configurenetwork.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:17:58 +01:00
Fabian Bläse 1917c8a1df fff-uradvd: Add reload trigger for network
fff-uradvd depends on values stored in the uci network config.
Therefore, a reload is required if the uci network config is modified.

As fff-uradvd does not support reloads, and possibly changing values are
given as command parameters, do a restart on procd reload.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2022-03-05 18:17:25 +01:00
Fabian Bläse c2f80c9999 OpenWrt: bump to v21.02.2
Bump core, packages and routing.

Remove upstreamed build patches.

Remove ath10k memory hack and use the newly added ath10k-smallbuffers
variant instead, but only for devices which actually require it
(and therefore use ath10k-ct-smallbuffers by default).

Adjust for the newly introduced band option for wireless devices, which
is now emitted by OpenWrt by default.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-03-05 18:09:49 +01:00
Adrian Schmutzler 27baecaf37 treewide: set PKG_RELEASE automatically
COMMITCOUNT allows to have the PKG_RELEASE calculated automatically
based on the number of commits for the package folder.

AUTORELEASE will count the number of commits since the last upstream
bump. This is relevant for packages with PKG_VERSION or
PKG_SOURCE_DATE set, but will not work for us since it assumes the
use of certain identifiers in commit titles.

COMMITCOUNT works fine for most of our packages, with the following
exceptions:

 * fff-nodewatcher would yield a commit count of 55, while the
   current PKG_RELEASE is 61. Thus, we do not touch it for now.

 * Packages that have been renamed will start counting from 1 after
   the rename, since folder renames are not tracked by git. This
   will result in decreasing PKG_RELEASE after the change for
   these packages.
   However, since moving essentially creates a new package anyway,
   counting from 1 makes sense conceptually, and PKG_RELEASE is
   still replaced for these packages.

 * alfred-json and fff-macnock use upstream code and thus would
   normally require AUTORELEASE. As discussed above, this will
   not work for us, so just leave these two untouched.

Note that all this is quite irrelevant for the way we use packages
currently, as without opkg PKG_RELEASE does not matter to us anyway.
So, let's just be happy about not having to bump PKG_RELEASE
anymore, while keeping the basic functionality intact.

The only package where the PKG_RELEASE is actually used for
something is fff-nodewatcher, where the version will be displayed
in the Monitoring.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[fabian@blaese.de: rebase, add new packages]
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-01-09 22:03:09 +01:00
Christian Dresel 825d760bd8 Add package fff-layer3-snat
With this new package it is possible to do SNAT for client IPv4.

The user must set a router_ip in gateway.meta.router_ip, so an ip
address is available for peering interfaces and reachability.

Currently, no extra filtering is done, so the client interface should
only use ip ranges, which are already filtered from being announced
(e.g. 192.168.0.0/16).

Using NAT for IPv4 significantly reduces the need for big
Freifunk-global IP range allocations.

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Co-authored-by: Fabian Bläse <fabian@blaese.de>
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Christian Dresel <freifunk@dresel.systems>
2022-01-09 21:58:30 +01:00
Fabian Bläse 51ec3648cf fff-babeld: Simplify CIDR mask removal
The removal of CIDR masks from ip addresses is changed to utilize
variable substitutions, which simplifies the expression.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-01-06 01:07:17 +01:00
Fabian Bläse 8ef6dba5a1 fff-babeld: Only select first list entry from router_ip
The router_ip option can be a list of multiple ip addresses. It is also
possible to specify a subnet using a CIDR mask.

Only a single ip is required for peering interfaces, so select only the
first list entry and remove the CIDR mask.

Fixes: #197

Signed-off-by: Fabian Bläse <fabian@blaese.de>
2022-01-06 01:07:15 +01:00
Robert Langhammer a6b90f1a83 vxlan-node-vpn: add initial vid
Without a vid, netifd is running in an ifup-loop.
This situation is coming up after firstboot. An existing hoodfile causes a set vid.

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2022-01-05 22:18:20 +01:00
Robert Langhammer 085dbb64fe fff-fastd: Add batman hardif hop_penalty
OpenWrt v21.02.0 contains a new Batman Adv that now offers hop_penalty per hardif.
We can use this to prefer one tunnel for outgoing traffic if there are several VPNs, e.g. fastd and vxlan.

This Patch sets the hop_penalty for the fastd tunnel to 30.

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
2021-12-30 16:21:47 +01:00
Robert Langhammer 12f60419cd fff-node: Add package fff-vxlan-node-vpn
This package adds vxlan support to the node variant and configures the vxlan-vpn tunnels to the gateways.

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Fabian Bläse <fabian@blaese.de>

---
A vpn section for vxlan in hoodfile:

    "vpn": [
       {
        "name": "gatewayname",
        "protocol": "vxlan",
        "address": "gateway.url" (or IP)
       }

"name" is optional.
---
2021-12-30 16:21:37 +01:00
Robert Langhammer 1febd2a9b2 fff-vpn-select: Make vpn-select modular
This rewrite makes vpn-select modular to easily add new vpn-protocols.

The stuff dependent on the vpn-protocol is outsourced to files in /usr/lib/vpn-select.d/ and comes in with the respective vpn package. In this way it is easy to select or deselect vpn-protocols to be built in.

vpn-stop is removed to use the protocol independent start/stop mechanism of vpn-select. Instead, a symlink is used.

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-12-30 16:21:29 +01:00
Johannes Kimmel feeead6c43 fff-firewall: remove obsolete rules
20-clamp-mss:

Clamping is done in other parts of the network and to a very low static
value. This rule is very likely doing nothing at the moment.

20-filter-ssh:

These rules make use of the conntrack module to ratelimit incoming
connections. Using conntrack comes with a performance penalty for all
traffic. As an alternative, dropbear could be run behind an inetd(-like)
service that does the ratelimit, should removing this rule result in an
actual attack vector.

Removing both rules would enable us to unload the conntrack module
altogether, potentially improving overall performance.

Fixes #183

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-12-30 16:02:02 +01:00
Johannes Kimmel 9d745d0d5c fff-layer3-config: add missing -q option for uci get
Suppresses the unhelpful "uci: Entry not found" message when running
configure-layer3 -c in case there is no `ip6addr` set on the client
interface.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-12-30 16:01:44 +01:00
Fabian Bläse 6bf01bb070 fff-mqtt: Remove unnecessary mosquitto server
The mosquitto server is not necessary for the intended use case of
fff-mqtt. It was added to this package accidentally. Remove it to
prevent from running the server unintentionally.

Fixes: #174

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-12-20 18:51:50 +01:00
Johannes Kimmel 450312e237 fff-layer3-config: add rules for router_ip
If the router_ips don't happen to be included in the client network's
subnet, the decision defaults to a main table lookup. This causes
packets to choose the wrong interface.

This patch forces packets from a router_ip to be routed via the fff table.

Fixes: #175

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-12-01 00:06:08 +01:00
Fabian Bläse 5e7bdc0548 Drop support for devices with less than 8/64 MB flash/memory
Memory consumption has increased enough with OpenWrt 21.02, that
devices with 32 MB memory do not work reliably anymore.

It might be possible to work around the 4 MB flash limitation, but
reducing memory consumption is quite a bit harder. It is very likely
that this is only possible with a significant reduction of features.

As we do not support any devices that have enough memory but only 4 MB
of flash, drop support for devices with less than 8/64 MB altogether.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
2021-11-28 15:09:42 +01:00
Fabian Bläse de9d4abf44 Retain old compat_version for sysupgrade compatibility
OpenWrt images contain a compat_version, which is used to block upgrades
to newer versions with incompatible configuration, if the configuration
cannot be migrated.

As we maintain our own configuration and all OpenWrt configuration files
are dropped on an upgrade, this upgrade block is not required.

To simplify the upgrade process, retain the old compat_version for the
next release. The compat_version should be bumped manually on release, so
we stay compatible with OpenWrt releases.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed by: Robert Langhammer <rlanghammer@web.de>
2021-11-28 15:09:42 +01:00
Fabian Bläse a72874f86f fff-network: Remove port override features of network.config
The port override feature of network.config is hard to maintain, since
changes to devices (e.g. port configuration updates, switch to DSA) have
to be applied to this manual override as well.

As this feature is probably hardly used anyway, remove it.
The port override migration for the Archer C7 v2 is not necessary
anymore, remove it as well.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-11-28 15:09:42 +01:00
Christian Dresel a2400a6e67 packages/fff: Add package fff-web-mqtt
With this package the mqtt settings can be configured over the webui.

Each user can use its own mqtt broker or a broker from another user.
This means that the user has a free choice of where to send or get data.

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Christian Dresel 9090702580 packages/fff: Add package fff-mqtt-monitoring
This package allows to publish monitoring data from alfred
to the mqtt broker.

Anyone can access this data and can build its own monitoring.

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Christian Dresel 7afe5fd767 packages/fff: Add package fff-mqtt
This package provides mosquitto and default settings.

mosquitto is used for mqtt communication.
With mqtt we can use a distributed mqtt broker for decentralized
communication.

We can use this for monitoring data or router configuration.

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Acked-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Johannes Kimmel eb4dcf6585 fff-dhcp: PKG_RELEASE bump
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2021-11-10 13:42:14 +01:00
Johannes Kimmel 7afe817f7d fff-dhcp: add fallback dns server
If the user did not specify a dns server, set a fallback.  Since we
already have multiple servers available on an anycast address, this
address is chosen instead of a specific server.  This should avoid the
issue that the default server might deprecate suddenly.

A warning is still displayed to remind the user to conscientiously
choose a server and not rely on defaults.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Johannes Kimmel 7fd6b40225 fff-dhcp: remove unused dns server entries
These entries are overwritten by any call to `configuregateway`.
Since they never get used, they should be removed.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Robert Langhammer f8645e494f fff-firewall: Flush all installed tables.
With this patch all installed tables are flushed.
We no longer have to worry about the modules
installed or not. (nat, mangle ...)

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:42:14 +01:00
Fabian Bläse 09450bc4b5 Unify package URL in fff-packages
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-11-10 13:42:03 +01:00
Fabian Bläse 98898659ce fff-network: Add temporary workaround for dsa bridge configuration
If the bridge created for DSA devices is configured without any members,
a single netifd reload is currently not sufficient to correctly apply
network settings. This is due to a bug in netifd (FS#4104).

Temporarily add a simple workaround by always configuring the bridge,
even if it does not have any member ports.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-11-10 13:29:14 +01:00
Fabian Bläse 984e334adb layer3-config: Add dsa migration script
Due to the switch from swconfig to DSA, the switchport names have to be
migrated for some devices. Add a script to translate the switchport
names to their DSA equivalents, where applicable.

Fixes: #156

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:28:50 +01:00
Fabian Bläse 341d215cf2 layer3-config: Bump required config_version
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-11-10 13:28:05 +01:00
Fabian Bläse cf0290ad82 Add support for AVM FritzBox 4040
Since the ipq40xx ethernet driver has built-in handling for a few vlan
ids, this target requires a driver patch that disables this
functionality, so all vlan ids can be handled by the linux kernel.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-09-02 17:08:17 +02:00
Fabian Bläse e07f6121cc fff-layer3-config: add router_ip option
For some purposes (e.g. SNAT, vxlan) it might be necessary to have an
additional address just for the router which is not attached to any
interfaces. Addresses like this are typically added to the loopback
interface.

The new options "router_ip" and "router_ip6" are added to the gateway
config to allow the user to configure such addresses. It is possible to
both specify the address with or without a subnet size.

The default configuration contains the IPv4 loopback address
(127.0.0.1/8) explicitly, but this is not necessary. These addresses are
configured automatically, even if they are not present in the
configuration, so they can safely be removed, if present.

The filters of our routing daemon babeld are adjusted accordingly, so
the newly added addresses are announced correctly.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-09-02 17:05:32 +02:00
Fabian Bläse 5509ae287e Add support for Xiaomi Mi Router 4A (100m)
This currently includes a patch to add the label-mac alias in the
device's DTS file, which is also submitted upstream.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-09-02 17:04:49 +02:00
Fabian Bläse 256ac6a6c6 Add support for Xiaomi Mi Router 4A (Gigabit Edition)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-09-02 17:04:35 +02:00
Fabian Bläse ffd00a93a7 fff-layer3-config: Disable SIGHUP during test mode
The SIGHUP signal is sent to a process if a hangup is detected on the
controlling terminal. This might happen if the ssh session, from which
the test mode was started, is disconnected.

Because ssh session disconnects might happen due to network
reconfiguration, aborting the test mode without restoring the old
settings might make the device unreachable.

Instead, disable the SIGHUP signal when test mode is activated, so
the script is either killed by the user (after successful configuration)
or the timer expires and the old settings are restored.

Fixes: #141

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-09-02 17:04:02 +02:00
Fabian Bläse ec94095599 fff-babeld: remove obsolete first_table_number
The IPv4 source routing feature was removed from babeld with version
1.10. Therefore, the first_table_number option is not needed anymore and
its existence stops babeld from starting up.

As babeld 1.10 is included with OpenWrt 21.02, which is currently used
for our firmware, this option is removed.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-09-02 17:03:42 +02:00
Fabian Bläse 5dd9d6cea8 fff-wireguard: Add missing include for get_mac_label
The OpenWrt function get_mac_label resides in /lib/functions/system.sh,
so it has to be included, if we want to use this function.

This include was missing in the fff-wireguard layer3 configuration
script, so it is added here.

Fixes: 68c7d75a1b ("treewide: exploit label MAC address from OpenWrt")

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-09-02 17:03:20 +02:00
Fabian Bläse 44c3328eb4 fff-network: add packet_steering option to enable RPS
Receive packet steering (RPS) is a linux feature to improve forwarding
performance by distributing the forwarding of packets across multiple
cpus. This is necessary for network devices which have less queues than
cpu cores.

OpenWrt allows to enable RPS easily by setting the global option
'packet_steering' in the network configuration. With earlier OpenWrt
versions this option was enabled by default. However, the default value
was changed with OpenWrt 21.02.

Enable this option again to improve forwarding performance on routers
with multiple cpu cores.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-09-02 17:02:59 +02:00
Fabian Bläse f880ba5e5b Add support for Ubiquiti EdgeRouter 4
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-09-02 17:02:18 +02:00
Fabian Bläse 55d03264d0 fff-network: use DSA network configuration for devices with DSA drivers
Some devices had to be disabled starting with OpenWrt 21.02 due to their
new DSA switch drivers.

As support for DSA configuration has since been added to fff-network,
this makes use of this configuration for devices with DSA drivers.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-08-05 17:49:44 +02:00
Fabian Bläse 15d259b98a fff-network: add support for DSA switch configuration
Starting with OpenWrt 21.02 some devices now use upstream kernel drivers
for the built-in switch instead of relying on OpenWrt's swconfig driver.

The upstream kernel drivers use the Distributed Switch Architecture
(DSA) for configuration of the switch. Instead of explicitly configuring
the hardware switch, all ports appear as distinct interfaces and linux
bridges are offloaded to the hardware switch if possible.

To keep changes small, this patch adds support for DSA devices by
setting up a linux bridge, which is then treated just like the
cpuport-interface of the swconfig driver.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-08-05 17:49:39 +02:00
Fabian Bläse d252d5110a fff-network: Add comments to set sysctls
To make it clear why the set sysctls are necessary, add appropriate
comments to them. Also reorder them for improved readability.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:17:17 +02:00
Fabian Bläse 5d5eb29518 fff-network: Remove obsolete and unnecessary sysctls
Many of the set sysctls are either unnecessary, are already default in
the kernel or in OpenWrt's defaults, or the reason for them being
explicitly set is unknown.

Remove all those sysctls from fff-network, as unfounded deviations from
default values will cause hard-to-debug problems in the future.

The original motivation for this patch is the netdev_max_backlog sysctl,
which was set to a very low value without any reason or comment.
This hurt forwarding performance on mt7621 with DSA significantly and
took quite a while to discover.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:16:55 +02:00
Adrian Schmutzler e39e986a59 fff-network: adapt support for TP-Link CPE210/510 v1
This migrates the support for the TP-Link CPE210 v1 and CPE510 v1
so they are recognized by the new two-port setup code.

Assignment of ports should be consistent to the ar71xx implementation,
i.e. primary port (PoE in) assigned to WAN and secondary port (PoE out)
assigned to CLIENT by default.
Note that this is the exact opposite of the default configuration of
what OpenWrt does (but both have been consistent in behavior).

Since they work again, also re-enable image transfer.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:04:12 +02:00
Adrian Schmutzler 950dcd1f1c fff-network: improve "-n" vs. "-z" test in configurenetwork
Simplify a single test.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:04:11 +02:00
Adrian Schmutzler c22032e254 fff-network: support native two-port devices
Support native two-port devices by adding TWO_PORT variable and
exploiting the LAN0PORT and LAN1PORT variables designed for the
TP-Link CPE devices. Since the latter have been converted to
real two-port devices, we can now repurpose these variables for
the new setup.

This exploits the existing WANDEV and SWITCHDEV variables to
define the primary and secondary interfaces.

Note that by default this takes the initial values from network.mode,
so if initial WAN/CLIENT should be swapped, this has to be added to
the relevant network.* file of the devices.

No device-specific changes are done in this patch.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:04:10 +02:00
Adrian Schmutzler 47db8d31be fff-network: fix code flow for one-port devices in configurenetwork
So far, all one-port devices also triggered the switch-based setup
in configurenetwork, as the one-port condition was not checked
there. While the relevant parts are overwritten by the one-port
config which comes later in the script, it still creates a lot
of useless/broken switch/vlan setup entries in /etc/config/network.

Properly check for one-port vs. non-one-port in the file, without
touching anything else.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-07-09 10:04:07 +02:00
Fabian Bläse 8702fdd823 fff-sysupgrade: Keep ed25519 and ecdsa host key on system upgrade
Dropbear supports ed25519 keys since OpenWrt 21.02.
Also, ecdsa is supported since v19.07, but disabled in our firmware.

Keep the generated ed25519 and ecdsa host key across upgrades.

While at it, remove dss host keys, as they are not supported anymore.

5eb7864aadd5 ("dropbear: rewrite init script startup logic to handle both host key files")
8a7a93947004 ("dropbear: remove generation and configuration of DSS keys")

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-20 20:23:58 +02:00
Fabian Bläse 649886223f fff-wireguard: Adapt for renamed OpenWrt wireguard packages
Because wireguard is part of the Linux kernel starting with version 5.6,
the wireguard packages have been renamed upstream.

Update our dependencies to match this.

This fixes build for the layer3 variant.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[add fix comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-20 20:01:18 +02:00
Adrian Schmutzler a79bdf7594 ath79: implement both versions of ubnt,bullet-m
The Bullet M (XM) was sold with two different SoCs, AR7241 and
AR7240, which cannot be served by one DTS. This implements both
versions as done in OpenWrt.

Note that those variants may not be distinguished from the outside.
The AR7241 version appears to be the more recent and more abundant
version.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-06-08 20:15:30 +02:00
Adrian Schmutzler 68c7d75a1b treewide: exploit label MAC address from OpenWrt
In the latest release, OpenWrt provides the label MAC address for
many devices. All of our devices should be covered.

It can be retrieved by the function

  get_mac_label

from /lib/functions/system.sh

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-06-08 20:08:20 +02:00
Adrian Schmutzler e850e221db treewide: update names for OpenWrt 20.xx
Some devices were renamed since the last stable release.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-06-08 20:01:54 +02:00
Adrian Schmutzler 858930547b treewide: use SPDX license identifiers
The SPDX license identifier provides a standardized way for specifying
licenses that is both human- and machine-readable. It is used upstream
both in OpenWrt and the Linux kernel.

Replace licenses in our repository by those identifiers.

The full-text licenses corresponding to these identifiers are
provided in the LICENSES folder.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Fabian Bläse <fabian@blaese.de>
2021-03-06 18:53:26 +01:00
Adrian Schmutzler 934ddab8e5 fff-nodewatcher: add config option to disable nodewatcher
This adds an option 'disabled' that will allow to disable
nodewatcher when desired.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-27 16:13:56 +01:00
Adrian Schmutzler cdf444651f fff-nodewatcher: specify config file as config file
This package is the owner of the config file, so add it to the
Makefile. This will have vanilla OpenWrt copy it during upgrade.

Since we disable this mechanism, it will not change anything for
our standard firmware. But it will improve the situation if this
package is used in vanilla OpenWrt.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-27 16:12:02 +01:00
Adrian Schmutzler 0475fe01f0 fff-nodewatcher: only run uci-defaults once
If /etc/config/nodewatcher already exists, a proper uci-defaults
script should not overwrite it. Since this package is the owner
of the config file, this change won't change anything for the
current firmware, but will allow to use this as a package, too.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-27 16:10:26 +01:00
Adrian Schmutzler 40f26d74a7 fff-nodewatcher: consolidate uci-defaults scripts
The uci-defaults scripts are meant to provide defaults for a
specific package. Distributing them across several packages makes
no sense and just makes maintenance worse.

Thus, move the network part of the initialization back to the
proper package. While at it, suppress output from add commands.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-27 16:09:22 +01:00
Robert Langhammer 811fdac32d fff-firewall: Add ipv4 ssh connection limit
With commit [1] the ipv4 firewall on wan interface was removed.
This patch adds the ssh connection limit for ipv4.
IPv6 is already limited.

[1] 52e15e072c ("fff-firewall: Remove ssh firewall on WAN interface")

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
[improve commit reference]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-27 14:48:10 +01:00
Robert Langhammer 990862419c fff-alfred-monitoring-proxy: remove ebtables entry
Removes the firewall ebtables entry.
alfred-monitoring-proxy is only useful in layer3 variant, where no
ebtables rules are set.
With this typo the ebtables command was never active and the
resulting error was never shown.

Fixes: 9b5d3f1aeb ("fff-alfred-monitoring-proxy: add package")

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
[fix typos in message, add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-27 14:29:50 +01:00
Adrian Schmutzler 51d3858ed4 fff-network: remove broken include for Ubiquiti UniFi AC Mesh
In '/etc/network.ubnt,unifiac-mesh', we include a file that does
not exist on ath79 anymore. This causes the script execution to
abort and will have configurenetwork not run at all, making the
device quite inaccessible.

Remove the include as it never had any use anyway. Remove another
unused include as well, and add the proper dependency instead.

This fix was first proposed more than 2.5 years ago.

Fixes: #130 (gitea)

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-02-26 20:48:22 +01:00
Adrian Schmutzler 1158e0bb24 fff-nodewatcher: add available memory to data
The "available" amount of memory is helpful for several forensic
and debugging cases. Send it via alfred.

Monitoring support has already been implemented.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-02-26 20:48:05 +01:00
Fabian Bläse 3147a33c52 fff-network: Disable source address filtering
Source address filtering (RFC3704) can be used to mitigate source
address spoofing. However, strict mode only works when routes are
strictly symmetric. If routes are asymmetric, it can happen that
the best route to the source address of a packet is via a different
interface.

Because there is no guarantee that routes have to be symmetric in the
Freifunk Franken backbone network, we cannot use strict mode. Because
default routes are used in the Freifunk Franken backbone, loose mode
could be used, but does not make any sense. Instead, revert back to the
kernel default setting, which currently is 0 (disabled).

While this change affects both layer3 and node variant, nothing changes
for the node firmware, because it does not forward packets.

Fixes: #123

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-02-18 23:20:30 +01:00
Fabian Bläse 764556b980 fff-network: Create separate interface for wan dhcp
Previously, an additional wan6 interface for SLAAC has been added, which
references the wan interface for its interface.
However, OpenWrt waits until the wan interface is completely up, until
it tries to start up interfaces that depend on it.

This not only can delay the configuration of IPv6 addresses
significantly, but also makes configuration of the wan6 interface
impossible in WAN networks without a DHCP server.

To solve this issue, a separate interface wan4 for dhcp, which also
references the wan interface, is created and the proto of wan is set to
none.

Fixes: #114
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-18 23:19:27 +01:00
Adrian Schmutzler 539406d96b fff-network: fix primary port for Nanostation M
Migration from ar71xx to ath79 included changes to the ethernet/switch
driver for the target. This introduced a peculiar issue where
eth0 and eth1 are swapped for several devices. Most of the relevant
cases were already covered in 1cf4d762ff ("treewide: move devices
from ar71xx to ath79").

This switch also affects the Nanostation M, where the PoE-in port
is now eth1 and the PoE-out port is eth0. However, no action was
taken in the referenced patch, as nobody was aware of it then.

Since the Nanostation M is a two-port device, which we cannot
implement properly so far, it was implemented as a one-port with
the "primary" PoE-in port so far. This was broken by the ath79
introduction and is now fixed in this patch by using the one-port
setup on eth1. That way, the PoE-in port can now be switched by
ETHMODE as usual again.

Note that custom scripts, e.g. to set up the second port, need to
be adjusted manually, as that one is eth0 now.

Fixes: 1cf4d762ff ("treewide: move devices from ar71xx to ath79")
Fixes: #109 (gitea)

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-02-18 01:19:24 +01:00
Adrian Schmutzler bd15c7e178 fff-network: don't hardcode eth0 for one-ports in configurenetwork
We use the one-port implementation also on two-ports like the
Nanostation M. Therefore, hard-coding eth0 in configurenetwork
will break if the port implemented for the one-port setup
(SWITCHDEV/WANDEV) is not eth0.

Just use SWITCHDEV instead, like done for the rest of the one-port
setup.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Tested-by: Fabian Bläse <fabian@blaese.de>
2021-02-18 01:19:06 +01:00
Adrian Schmutzler 597ecdc244 fff-dhcp: fix indexing and output in uci-defaults
When creating a new uci section, the safest way to refer to it is
with index '-1'. While it (probably) does not make a functional
difference for our specific case, since we expect to only have one
section anyway, let's just make sure and use the proper indexing.

While at it, suppress output from the 'add' command.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-09 22:59:18 +01:00
Adrian Schmutzler 1946aaca87 fff: create proper package variants instead of copying file
So far, we ensure the selection of a specific variant by copying
included Make files. This not only breaks if the packages are used
as a feed, but also is against the concept of how packages are used.

In this patch, the fff package is converted into a set of variants
that allow selection via a FFF_VARIANT variable that is exported by
buildscript. If no export happens, e.g. when using packages in a
feed, no package is selected.

Since the names fff-node and fff-layer3 are not available anymore,
the packages for the variants are called (though irrelevant for
the user):

  * fff-variant-layer3
  * fff-variant-node

The only drawback is that we now have to specify the list of
available variants in the buildscript. However, these values are
hardcoded in several other places as well, and the former code
based on file names was not really appealing anyway.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-09 22:54:05 +01:00
Fabian Bläse 31866435a1 fff-layer3-config: Add script to set wan vlan/interface
Allow setting WAN vlan/interface from gateway config.
A configuration without explicit definition of a WAN interface is
valid at the moment and results in the default configuration from
fff-network being used.

Originally, it was intended to automatically set WAN to vlan 2, if nothing was
specified. As this would break devices, which don't use swconfig for
WAN, the already configured WAN interface is left untouched.

Fixes: #85 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-09 22:46:58 +01:00
Adrian Schmutzler 6ff350fcf9 fff-network: wrap CPUPORT into a function
Instead of exposing the CPUPORT variable to the calling script
directly, wrap it into a function which can be called there.

Fixes: #52 (gitea)

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-09 22:38:55 +01:00
Adrian Schmutzler cb4bce7cc2 fff-network: move PORTORDER to function/library
So far, we define PORTORDER individually in each network.* file.
This creates a lot of duplications, and makes the code to parse those
values very ugly (and it's only used outside of configurenetwork
anyway).

Therefore, move the assignment to a library file, and wrap it into
a function for tidiness. This gives us more overview and nicer
implementation of the retrieval.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-02-09 22:37:20 +01:00
Fabian Bläse 37695a1cfc fff-network: Add migration for Archer C7 WAN ports
With 8d66bdf the port configuration of TP-Link Archer C7 has been
changed to a single-interface configuration.

This had unforeseen side effects on upgraded devices. Because WANDEV
is evaluated from the updated network.* file, the port configuration
of the switch is evaluated from the update-safe network.config, which
is now incompatible with the updated interface configuration.

Therefore, a migration script has to be added, which updates the port
configuration in network.config to the new single-interface network
configuration.

Fixes: #60 (gitea)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-01-31 14:11:14 +01:00
Fabian Bläse afe633e874 fff-hoods: Allow correct ula_prefix syntax in hoodfiles
In earlier firmware versions the prefix had to be written
in an incorrect syntax (missing a trailing colon).
To make hoodfiles with this old incorrect syntax work with
newer firmware versions like this one, we have to fix the
incorrect syntax. Both the old, incorrect and the correct
syntax work with this fix, so in the far away future, the
correct syntax can be used in hoodfiles.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-31 14:08:09 +01:00
Adrian Schmutzler ae1ed11cd9 Revert "fff-babeld: Add rule to lookup in fff table for everything except wireguard"
This reverts commit e5da228cb1.

With the patch there can be situations with just "*" in traceroute,
breaking MTU in wireguard. If R1 with IPv6 address from provider P1
is connected to Freifunk via wireguard, and another R2 with address
from provider P2 is behind it, then R1 won't answer to traceroutes
sent from R2.

Revert the patch for now.

Fixes: #66 (gitea)

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-01-31 14:05:26 +01:00
Adrian Schmutzler e3954fddf5 packages/fff: drop redundant PKG_BUILD_DIR
PKG_BUILD_DIR has the following default values set in include/package.mk,
in case no BUILD_VARIANT is set:

With PKG_VERSION set: $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
Without PKG_VERSION:  $(BUILD_DIR)/$(PKG_NAME)

Consequently, all PKG_BUILD_DIR definitions in our packages are
redundant. Remove them.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-01-27 20:22:02 +01:00
Adrian Schmutzler 95c8ee78b7 fff-ra: remove IPv4 support of odhcpd
We do not use the IPv4 functionality of odhcpd, but use dnsmasq
for that. Use odhcpd-ipv6only instead.

This is also the default for OpenWrt.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-01-27 19:58:07 +01:00
Fabian Bläse a79b453de1 fff-random: Use strtol to parse numbers
Other than atoi, strtol allows to detect parsing errors.
Therefore atoi is replaced with strtol and appropriate error
checks are added.

Fixes: #33 (gitea)

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
2021-01-27 19:55:00 +01:00
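Added example (not part of the commit or of the fff-random source): the strtol error checks this commit message refers to, shown next to what atoi returns for the same input. The helper name parse_int_strict and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical helper, not taken from fff-random.
 * Parses a base-10 integer and rejects everything atoi() silently accepts.
 * Returns 0 and stores the value in *out on success, -1 on any error.
 */
int parse_int_strict(const char *s, int *out)
{
    char *end = NULL;
    long v;

    if (s == NULL || out == NULL)
        return -1;

    errno = 0;                       /* strtol only sets errno, never clears it */
    v = strtol(s, &end, 10);

    if (end == s)                    /* no digits consumed: "" or "abc" */
        return -1;
    if (*end != '\0')                /* trailing characters: "12abc" */
        return -1;
    if (errno == ERANGE)             /* value does not fit into a long */
        return -1;
    if (v < INT_MIN || v > INT_MAX)  /* fits a long but not an int */
        return -1;

    *out = (int)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; overflow cases are not passed to atoi(),
     * because its behaviour on out-of-range input is undefined. */
    const char *samples[] = { "42", "-7", "abc", "12abc", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int v = 0;
        int rc = parse_int_strict(samples[i], &v);

        if (rc == 0)
            printf("\"%s\": strtol ok (%d), atoi gives %d\n",
                   samples[i], v, atoi(samples[i]));
        else
            printf("\"%s\": strtol rejects, atoi gives %d\n",
                   samples[i], atoi(samples[i]));
    }
    return 0;
}
```

With atoi, "abc" and a literal "0" are indistinguishable and "12abc" is accepted as 12; the strict variant reports both as errors so the caller can refuse the input.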
Adrian Schmutzler 0092713196 treewide: replace IP string manipulation by owipcalc tool
The owipcalc tool provides an "add" algorithm which can be used
to concatenate IPv6 addresses from prefix and suffix.

Since it's available upstream and our string manipulation is ugly,
let's replace our IP concatenation with that tool. The package
consists of a single .c file with about 1000 lines resulting in
about 4 kB for the ipk package.

This patch does _not_ introduce any conceptual changes yet. Thus,
the "wrong" IPv6 prefix from KeyXchange will be expected in the
same format, it is just healed for the new code for now.

The change allows to get rid of some bloat, i.e. some quite trivial
custom functions on the way. This also drops the ipTidyColon()
function, as owipcalc seems to return the collapsed version by default.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Fabian Bläse <fabian@blaese.de>
2021-01-27 19:44:07 +01:00
Fabian Bläse f8b93325f2 fff-firewall: Remove variables not used by procd
The variables SERVICE_WRITE_PID and SERVICE_DAEMONIZE are not used by
procd, so they are removed.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-27 19:36:51 +01:00
Robert Langhammer 3eb744e491 fff-firewall: Restart when network configuration changes
The configuration of our firewall depends on the network configuration.
Most importantly, the firewall has to be restarted, if the WAN-interface
is changed.

Therefore, a procd reload trigger is added to the init-script, so our
firewall is automatically restarted, when the network configuration is
changed.

Fixes: #46 (gitea)

Signed-off-by: Robert Langhammer <rlanghammer@web.de>
[fabian@blaese.de: Remove unrelated changes]
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-27 19:31:55 +01:00
Fabian Bläse aea773a2a9 fff-web-ui: Allow ampersand (&) in passwords
Fixes: #51 (gitea)

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
2021-01-27 19:26:11 +01:00
Fabian Bläse 30cdaf6e54 fff-network: Remove sysctls that depend on disabled kernel features
Some sysctls currently are completely useless, as they only exist if
specific kernel configurations are enabled, which we have not.

To hide the error message and prevent them from interfering
unintentionally, if new kernel configurations are activated in the
future, they are removed.

Fixes: #42 (gitea)

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-01-27 19:21:55 +01:00
Fabian Bläse 39df9ba501 fff-network: Remove relocated netfilter sysctls
The net.ipv4.netfilter.ip* sysctls have been moved to
net.netfilter.nf* a long time ago, so they have been useless in our
firmware for quite a while.

It probably originally has been added because it was included in the
OpenWrt defaults and in earlier versions of our firmware the OpenWrt
defaults file got overwritten by our own one.

Because there does not seem to be any obvious reason to keep them (they
have been added without a comment in the commit or file) and they have
been inactive ever since they were moved in the kernel, they are removed
completely instead of using the correct path.

Fixes: #42 (gitea)

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-01-27 19:21:46 +01:00
Fabian Bläse be4c1fe689 fff-layer3: Add cake scheduler kernel module
The cake scheduler is a popular fair queuing scheduler, which is also
capable of shaping traffic. Due to its sensible defaults it is very
easy to set up.

When tunnel traffic exceeds the capability of the transport connection,
firmware users might want to shape traffic, so meaningful queueing can be done
before tunnel packets are dropped. As this is typically combined with a fair
scheduler, cake provides a simple yet very powerful solution for both problems.

Therefore the cake kernel module is now included in the layer3 variant.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
2021-01-13 22:05:12 +01:00
Fabian Bläse 33d65836fe fff-babeld: Clarify warning about missing ipv4 peering address
When neither peer_ip nor ipaddr are set, no ipv4 address for peering
interfaces is available. Therefore, no IPv4 routes can be advertised.

Other than that, a configuration like this is perfectly valid and
configuration is already continued. Therefore, the "FATAL" message might
be misleading so it is replaced with "WARNING" and clarified slightly.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Johannes Kimmel <fff@bareminimum.eu>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-13 22:05:00 +01:00
Christian Dresel 5469399112 fff-layer3-config: Make it easier to keep the settings in testmode
On call -t we write the pid to /tmp/configure-layer3-pid.
If the script exits from user we use trap to run the new function keep_changes().
If the connection to the router is lost, the user can run configure-layer3 -k after
reconnect to keep changes manually.

Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
[wrap and rephrase exit comment, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-28 17:42:15 +01:00
Fabian Bläse 6fe053bcf7 fff-layer3-config: Autoconfigure layer3 router after update
This adds a script to init.d to automatically call
the appropriate configure-layer3 commands after an upgrade,
so the configuration of the device is restored.

The changes are applied if configure-layer3 is successful.
Otherwise, they are reverted. Due to this, no additional checks for
the configuration are necessary: The configure-layer3 script
will fail if the config version is wrong or no configuration exists at all.

After executing, the script destroys itself. With START=99,
the execution happens _after_ uci-defaults and configurenetwork,
and no interference is expected.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
[convert to init.d, extend commit message, rebase]
Signed-off-by: Christian Dresel <freifunk@dresel.systems>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-28 17:34:03 +01:00
Adrian Schmutzler 4f76367b5a fff-web-hood: create directory /www/hood via Makefile
Creating a directory via a .keep subfile is not really nice.

Use the OpenWrt mechanism for this instead.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Acked-by: Christian Dresel <freifunk@dresel.systems>
2020-12-22 14:11:10 +01:00