gluon/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network

#!/usr/bin/lua

local sysconfig = require 'gluon.sysconfig'
local util = require 'gluon.util'

local uci = require('simple-uci').cursor()


local interfaces = util.get_role_interfaces(uci, 'client', true)
util.add_to_set(interfaces, 'local-port')

uci:section('network', 'interface', 'client', {
	type = 'bridge',
	ifname = interfaces,
	proto = 'none',
	auto = true,
	ipv6 = false,
	macaddr = sysconfig.primary_mac,
	igmp_snooping = true,
	multicast_querier = true,
	ra_holdoff = 30,
})

uci:save('network')

uci:section('firewall', 'zone', 'drop', {
	name = 'drop',
	network = {'client'},
	input = 'DROP',
	output = 'DROP',
	forward = 'DROP',
})

local networks = uci:get_list('firewall', 'loc_client', 'network')
util.add_to_set(networks, 'local_node')
uci:set_list('firewall', 'loc_client', 'network', networks)


local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
uci:set('dhcp', dnsmasq, 'boguspriv', false)
uci:set('dhcp', dnsmasq, 'localise_queries', false)
uci:set('dhcp', dnsmasq, 'rebind_protection', false)

uci:section('dhcp', 'dhcp', 'local_client', {
	interface = 'client',
	ignore = true,
})

uci:save('dhcp')
uci:save('firewall')
gluon-client-bridge: basic br-client config and wireless AP This package provides br-client and sets up a wireless AP interface for clients. 2015-08-17 22:53:40 +00:00			`#!/usr/bin/lua`

			`local sysconfig = require 'gluon.sysconfig'`
package: refactor add_to_set/remove_to_set to get rid of last LuCI patch 2017-01-17 22:57:39 +00:00			`local util = require 'gluon.util'`
gluon-client-bridge: add LAN interfaces to client bridge by default (instead of doing this in the batman-adv-specific scripts) This allows to weaken the gluon-mesh-batman-adv-core dependency of gluon-luci-portconfig to gluon-client-bridge. 2016-05-01 12:21:20 +00:00
treewide: replace normal uses of luci.model.uci with simple-uci to reduce LuCI dependencies We also make use of the boolean support of simple-uci to make scripts clearer. 2017-01-19 11:51:04 +00:00			`local uci = require('simple-uci').cursor()`
gluon-client-bridge: basic br-client config and wireless AP This package provides br-client and sets up a wireless AP interface for clients. 2015-08-17 22:53:40 +00:00

treewide: use interface roles as basis for network configuration With the new role-based interface configuration, it would be better to rename the wan/wan6 interfaces to uplink/uplink6, but that would cause unnecessary churn for the firewall configuration, so it is left for a later update. As all interfaces with the 'uplink' role are in the br-wan bridge, it is not possible to assign these to the 'mesh' role independently - instead, br-wan is added as a mesh interface as soon as a single interface has both the 'uplink' and 'mesh' roles. The UCI section for this configuration is now called 'mesh_uplink' instead of 'mesh_wan'. For all interfaces that have the 'mesh', but not the 'uplink' role a second configuration 'mesh_other' is created. If there is more than one such interface, all these interfaces are bridged as well (creating a bridge 'br-mesh_other'). This replaces the 'mesh_lan' section with its optional 'br-mesh_lan' bridge, but can also include interfaces that were not considered "LAN" when interfaces roles are modified (via site.conf or manually). 2022-01-23 13:43:35 +00:00			`local interfaces = util.get_role_interfaces(uci, 'client', true)`
			`util.add_to_set(interfaces, 'local-port')`
gluon-client-bridge: add LAN interfaces to client bridge by default (instead of doing this in the batman-adv-specific scripts) This allows to weaken the gluon-mesh-batman-adv-core dependency of gluon-luci-portconfig to gluon-client-bridge. 2016-05-01 12:21:20 +00:00
Switch back roles of br-client and local-node interfaces When preparing the migration from macvlan to veth for local-node, MAC address conflicts occurred as some ports of br-client had the same address as local-node. Reverting the roles of both interfaces fixes this. By default, br-client is left as an interface without addresses and firewall rules that drop everything, so the bridge is used to connect its ports only. gluon-mesh-batman-adv-core changes this to the usual set of addresses and firewall rules. 2017-02-10 08:32:39 +00:00			`uci:section('network', 'interface', 'client', {`
			`type = 'bridge',`
			`ifname = interfaces,`
			`proto = 'none',`
			`auto = true,`
			`ipv6 = false,`
			`macaddr = sysconfig.primary_mac,`
gluon-client-bridge: reenable multicast snooping for client zone LEDE recently disabled multicast snooping by default: https://git.lede-project.org/?p=project/netifd.git;a=commitdiff;h=52541140f8138e31958cdc3d7e42a4029fa6bbc9 Reenable it for Gluon as there have been no confirmed issues for LEDE and no negative reports concerning Gluon v2016.2.x so far. Closes #1025. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> 2017-04-13 20:22:34 +00:00			`igmp_snooping = true,`
			`multicast_querier = true,`
gluon-client-bridge: set ra_holdoff interval to 30 seconds (#1597) Allow odhcp6c to fork the script to handle router advertisments in 30 seconds intervals. This is the value that was previously used in Gluon v2018.1 / LEDE 17.01. The default value is 3 seconds and while it is RFC compliant it can put alot of pressure on even moderately sized devices. Signed-off-by: Martin Weinelt <martin@darmstadt.freifunk.net> 2018-12-07 20:40:13 +00:00			`ra_holdoff = 30,`
Switch back roles of br-client and local-node interfaces When preparing the migration from macvlan to veth for local-node, MAC address conflicts occurred as some ports of br-client had the same address as local-node. Reverting the roles of both interfaces fixes this. By default, br-client is left as an interface without addresses and firewall rules that drop everything, so the bridge is used to connect its ports only. gluon-mesh-batman-adv-core changes this to the usual set of addresses and firewall rules. 2017-02-10 08:32:39 +00:00			`})`
package: refactor add_to_set/remove_to_set to get rid of last LuCI patch 2017-01-17 22:57:39 +00:00
gluon-client-bridge, gluon-mesh-batman-adv-core: switch roles of br-client and local-node interfaces MAC and IP addresses are switched. This makes the gluon-client-bridge package more useful for different routing protocols that don't need a unique address on the client bridge. As a side effect, gluon-radvd is now using the next-node address, which had been considered before, but was dismissed to avoid having gluon-radvd depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful for announcing default routes via gluon-radvd. One downside is that this introduces a minor dependency on batman-adv in gluon-respondd: the hotplug script that checked for the client interface before will now check for local-node. This doesn't really matter: for mesh protocols without a local-node interface, the check will do nothing (which makes sense, as there is no interface to bind to for mesh-wide respondd). 2016-11-30 19:29:25 +00:00			`uci:save('network')`
gluon-client-bridge: add LAN interfaces to client bridge by default (instead of doing this in the batman-adv-specific scripts) This allows to weaken the gluon-mesh-batman-adv-core dependency of gluon-luci-portconfig to gluon-client-bridge. 2016-05-01 12:21:20 +00:00
gluon-core: firewall rework, make base policy more restrictive * gluon-core, gluon-client-bridge: introduce new firewall zone: local_client * gluon-core: put clients in local_client zone, introduce drop-zone, set dns-rules and zones * gluon-respondd: allow respondd on mesh * gluon-status-page-api: allow http input on mesh and client 2017-06-14 17:40:08 +00:00			`uci:section('firewall', 'zone', 'drop', {`
			`name = 'drop',`
Switch back roles of br-client and local-node interfaces When preparing the migration from macvlan to veth for local-node, MAC address conflicts occurred as some ports of br-client had the same address as local-node. Reverting the roles of both interfaces fixes this. By default, br-client is left as an interface without addresses and firewall rules that drop everything, so the bridge is used to connect its ports only. gluon-mesh-batman-adv-core changes this to the usual set of addresses and firewall rules. 2017-02-10 08:32:39 +00:00			`network = {'client'},`
			`input = 'DROP',`
			`output = 'DROP',`
			`forward = 'DROP',`
			`})`

treewide: rename local_client zone (#2115) This renames the local_client zone to loc_client, as local_clint exceeds the maximum zone length allowed for firewall3, which is 11 bytes. This worked previously due to firewall3 using unsafe string operations. Now creation of the chain fails (latest OpenWrt master). 2020-09-13 03:24:33 +00:00			`local networks = uci:get_list('firewall', 'loc_client', 'network')`
gluon-core, gluon-client-bridge: create local_client zone in core As core defines basic rules for this zone, it makes sense to create it there. 2017-12-26 22:15:57 +00:00			`util.add_to_set(networks, 'local_node')`
treewide: rename local_client zone (#2115) This renames the local_client zone to loc_client, as local_clint exceeds the maximum zone length allowed for firewall3, which is 11 bytes. This worked previously due to firewall3 using unsafe string operations. Now creation of the chain fails (latest OpenWrt master). 2020-09-13 03:24:33 +00:00			`uci:set_list('firewall', 'loc_client', 'network', networks)`
Switch back roles of br-client and local-node interfaces When preparing the migration from macvlan to veth for local-node, MAC address conflicts occurred as some ports of br-client had the same address as local-node. Reverting the roles of both interfaces fixes this. By default, br-client is left as an interface without addresses and firewall rules that drop everything, so the bridge is used to connect its ports only. gluon-mesh-batman-adv-core changes this to the usual set of addresses and firewall rules. 2017-02-10 08:32:39 +00:00

gluon-client-bridge, gluon-mesh-batman-adv-core: switch roles of br-client and local-node interfaces MAC and IP addresses are switched. This makes the gluon-client-bridge package more useful for different routing protocols that don't need a unique address on the client bridge. As a side effect, gluon-radvd is now using the next-node address, which had been considered before, but was dismissed to avoid having gluon-radvd depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful for announcing default routes via gluon-radvd. One downside is that this introduces a minor dependency on batman-adv in gluon-respondd: the hotplug script that checked for the client interface before will now check for local-node. This doesn't really matter: for mesh protocols without a local-node interface, the check will do nothing (which makes sense, as there is no interface to bind to for mesh-wide respondd). 2016-11-30 19:29:25 +00:00			`local dnsmasq = uci:get_first('dhcp', 'dnsmasq')`
treewide: replace normal uses of luci.model.uci with simple-uci to reduce LuCI dependencies We also make use of the boolean support of simple-uci to make scripts clearer. 2017-01-19 11:51:04 +00:00			`uci:set('dhcp', dnsmasq, 'boguspriv', false)`
			`uci:set('dhcp', dnsmasq, 'localise_queries', false)`
			`uci:set('dhcp', dnsmasq, 'rebind_protection', false)`
gluon-client-bridge, gluon-mesh-batman-adv-core: switch roles of br-client and local-node interfaces MAC and IP addresses are switched. This makes the gluon-client-bridge package more useful for different routing protocols that don't need a unique address on the client bridge. As a side effect, gluon-radvd is now using the next-node address, which had been considered before, but was dismissed to avoid having gluon-radvd depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful for announcing default routes via gluon-radvd. One downside is that this introduces a minor dependency on batman-adv in gluon-respondd: the hotplug script that checked for the client interface before will now check for local-node. This doesn't really matter: for mesh protocols without a local-node interface, the check will do nothing (which makes sense, as there is no interface to bind to for mesh-wide respondd). 2016-11-30 19:29:25 +00:00
gluon-core: firewall rework, make base policy more restrictive * gluon-core, gluon-client-bridge: introduce new firewall zone: local_client * gluon-core: put clients in local_client zone, introduce drop-zone, set dns-rules and zones * gluon-respondd: allow respondd on mesh * gluon-status-page-api: allow http input on mesh and client 2017-06-14 17:40:08 +00:00			`uci:section('dhcp', 'dhcp', 'local_client', {`
gluon-client-bridge, gluon-mesh-batman-adv-core: nicer indentation of uci:section calls Also simplify the local_node.peerdns setting. 2017-02-10 07:16:27 +00:00			`interface = 'client',`
			`ignore = true,`
			`})`
gluon-client-bridge, gluon-mesh-batman-adv-core: switch roles of br-client and local-node interfaces MAC and IP addresses are switched. This makes the gluon-client-bridge package more useful for different routing protocols that don't need a unique address on the client bridge. As a side effect, gluon-radvd is now using the next-node address, which had been considered before, but was dismissed to avoid having gluon-radvd depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful for announcing default routes via gluon-radvd. One downside is that this introduces a minor dependency on batman-adv in gluon-respondd: the hotplug script that checked for the client interface before will now check for local-node. This doesn't really matter: for mesh protocols without a local-node interface, the check will do nothing (which makes sense, as there is no interface to bind to for mesh-wide respondd). 2016-11-30 19:29:25 +00:00
			`uci:save('dhcp')`
gluon-core: firewall rework, make base policy more restrictive * gluon-core, gluon-client-bridge: introduce new firewall zone: local_client * gluon-core: put clients in local_client zone, introduce drop-zone, set dns-rules and zones * gluon-respondd: allow respondd on mesh * gluon-status-page-api: allow http input on mesh and client 2017-06-14 17:40:08 +00:00			`uci:save('firewall')`