From ba960a0c9d71a29dea7d72bbb19512755efaef40 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sat, 13 Mar 2021 09:12:31 +0100 Subject: [PATCH 1/4] opkg: libopkg: pkg_hash: prefer original packages to satisfy dependencies --- ...nal-packages-to-satisfy-dependencies.patch | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 patches/openwrt/0023-opkg-libopkg-pkg_hash-prefer-original-packages-to-satisfy-dependencies.patch diff --git a/patches/openwrt/0023-opkg-libopkg-pkg_hash-prefer-original-packages-to-satisfy-dependencies.patch b/patches/openwrt/0023-opkg-libopkg-pkg_hash-prefer-original-packages-to-satisfy-dependencies.patch new file mode 100644 index 00000000..dc714054 --- /dev/null +++ b/patches/openwrt/0023-opkg-libopkg-pkg_hash-prefer-original-packages-to-satisfy-dependencies.patch @@ -0,0 +1,66 @@ +From: Matthias Schiffer +Date: Sat, 13 Mar 2021 09:10:31 +0100 +Subject: opkg: libopkg: pkg_hash: prefer original packages to satisfy dependencies + +Signed-off-by: Matthias Schiffer + +diff --git a/package/system/opkg/patches/0001-libopkg-pkg_hash-prefer-original-packages-to-satisfy.patch b/package/system/opkg/patches/0001-libopkg-pkg_hash-prefer-original-packages-to-satisfy.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..a06c9974ea66efb5d577a481f2fe28a8be9175fd +--- /dev/null ++++ b/package/system/opkg/patches/0001-libopkg-pkg_hash-prefer-original-packages-to-satisfy.patch +@@ -0,0 +1,54 @@ ++From 9c1e3dd3bf12684c67d7da433594bfb7e3f40f82 Mon Sep 17 00:00:00 2001 ++Message-Id: <9c1e3dd3bf12684c67d7da433594bfb7e3f40f82.1615622873.git.mschiffer@universe-factory.net> ++From: Matthias Schiffer ++Date: Sat, 13 Mar 2021 02:00:40 +0100 ++Subject: [PATCH] libopkg: pkg_hash: prefer original packages to satisfy ++ dependencies ++ ++When one package "provides" another non-virtual package, prefer to use ++the original package instead of the providing package. ++ ++Example: ++ ++Consider packages "foo" and "bar", where "foo" provides "bar". ++The current code will sort all candidates by name and use the last entry ++by default, so "foo" would be used to satisfy a dependency on "bar". ++Change the logic to prefer the actual package "bar" in this case. ++ ++Signed-off-by: Matthias Schiffer ++Reviewed-by: Daniel Golle ++--- ++ libopkg/pkg_hash.c | 14 ++++++++++++-- ++ 1 file changed, 12 insertions(+), 2 deletions(-) ++ ++--- a/libopkg/pkg_hash.c +++++ b/libopkg/pkg_hash.c ++@@ -285,6 +285,7 @@ pkg_t *pkg_hash_fetch_best_installation_ ++ int nmatching = 0; ++ int wrong_arch_found = 0; ++ int arch_priority; +++ int good_pkg_score = 0; ++ pkg_vec_t *matching_pkgs; ++ abstract_pkg_vec_t *matching_apkgs; ++ abstract_pkg_vec_t *provided_apkg_vec; ++@@ -408,9 +409,18 @@ pkg_t *pkg_hash_fetch_best_installation_ ++ for (i = 0; i < matching_pkgs->len; i++) { ++ pkg_t *matching = matching_pkgs->pkgs[i]; ++ if (constraint_fcn(matching, cdata)) { ++- opkg_msg(DEBUG, "Candidate: %s %s.\n", ++- matching->name, pkg_get_string(matching, PKG_VERSION)); +++ int score = 1; +++ if (strcmp(matching->name, apkg->name) == 0) +++ score++; +++ +++ opkg_msg(DEBUG, "Candidate: %s %s (score %d).\n", +++ matching->name, pkg_get_string(matching, PKG_VERSION), +++ score); +++ if (score < good_pkg_score) +++ continue; +++ ++ good_pkg_by_name = matching; +++ good_pkg_score = score; ++ /* It has been provided by hand, so it is what user want */ ++ if (matching->provided_by_hand == 1) ++ break; From 9a06cac09f60126c68c563d16b245edbe982eda9 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 7 Mar 2021 13:29:44 +0100 Subject: [PATCH 2/4] fastd: update and add L2TP variant This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's check_site.lua, as they are not supported anymore. --- package/gluon-mesh-vpn-fastd/check_site.lua | 2 +- .../0003-fastd-simplify-Config.in.patch | 123 ++++++++++++++++++ ...isable-GMAC-based-methods-by-default.patch | 31 +++++ ...fastd-update-to-main-branch-snapshot.patch | 61 +++++++++ .../0006-fastd-add-L2TP-variant.patch | 87 +++++++++++++ 5 files changed, 303 insertions(+), 1 deletion(-) create mode 100644 patches/packages/packages/0003-fastd-simplify-Config.in.patch create mode 100644 patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch create mode 100644 patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch create mode 100644 patches/packages/packages/0006-fastd-add-L2TP-variant.patch diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua index 70c0d079..57cc7bb1 100644 --- a/package/gluon-mesh-vpn-fastd/check_site.lua +++ b/package/gluon-mesh-vpn-fastd/check_site.lua @@ -1,4 +1,4 @@ -local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} +local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'} need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods) need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false) diff --git a/patches/packages/packages/0003-fastd-simplify-Config.in.patch b/patches/packages/packages/0003-fastd-simplify-Config.in.patch new file mode 100644 index 00000000..052d93a6 --- /dev/null +++ b/patches/packages/packages/0003-fastd-simplify-Config.in.patch @@ -0,0 +1,123 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 11:48:32 +0100 +Subject: fastd: simplify Config.in + +Signed-off-by: Matthias Schiffer + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -1,102 +1,79 @@ ++if PACKAGE_fastd ++ + menu "Configuration" +- depends on PACKAGE_fastd + + config FASTD_ENABLE_METHOD_CIPHER_TEST + bool "Enable cipher-test method provider" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_METHOD_COMPOSED_GMAC + bool "Enable composed-gmac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_GHASH + default y + + config FASTD_ENABLE_METHOD_COMPOSED_UMAC + bool "Enable composed-umac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_UHASH + default y + + config FASTD_ENABLE_METHOD_GENERIC_GMAC + bool "Enable generic-gmac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_GHASH + default y + + config FASTD_ENABLE_METHOD_GENERIC_POLY1305 + bool "Enable generic-poly1305 method provider" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_METHOD_GENERIC_UMAC + bool "Enable generic-umac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_UHASH + default y + + config FASTD_ENABLE_METHOD_NULL + bool "Enable null method" +- depends on PACKAGE_fastd + default y + + + config FASTD_ENABLE_CIPHER_NULL + bool "Enable the null cipher" +- depends on PACKAGE_fastd + default y + + config FASTD_ENABLE_CIPHER_SALSA20 + bool "Enable the Salsa20 cipher" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_CIPHER_SALSA2012 + bool "Enable the Salsa20/12 cipher" +- depends on PACKAGE_fastd + default y + + + config FASTD_ENABLE_MAC_GHASH +- bool "Enable the GHASH message authentication code" +- depends on PACKAGE_fastd +- default y ++ bool + + config FASTD_ENABLE_MAC_UHASH +- bool "Enable the UHASH message authentication code" +- depends on PACKAGE_fastd +- default y ++ bool + + + config FASTD_WITH_CAPABILITIES + bool "Enable POSIX capability support" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_USER + bool "Include support for setting user/group related options on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_LOGGING + bool "Include support for setting logging related options on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_OPERATION + bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_COMMANDS + bool "Include support for setting handler scripts (e.g. --on-up) on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_DYNAMIC_PEERS + bool "Include support for dynamic peers (using on-verify handlers)" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_STATUS_SOCKET + bool "Include support for status sockets" +- depends on PACKAGE_fastd + default y + + endmenu ++ ++endif diff --git a/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch b/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch new file mode 100644 index 00000000..730a97b1 --- /dev/null +++ b/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch @@ -0,0 +1,31 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 11:50:04 +0100 +Subject: fastd: disable GMAC-based methods by default + +The UMAC-based methods provide higher performance than GMAC and aren't +suspectible to timing attacks when implemented in software (which is +always the case on OpenWrt, as OpenSSL support is disabled). Disable +GMAC by default to save a few KiB. + +Signed-off-by: Matthias Schiffer + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST + config FASTD_ENABLE_METHOD_COMPOSED_GMAC + bool "Enable composed-gmac method provider" + select FASTD_ENABLE_MAC_GHASH +- default y + + config FASTD_ENABLE_METHOD_COMPOSED_UMAC + bool "Enable composed-umac method provider" +@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC + config FASTD_ENABLE_METHOD_GENERIC_GMAC + bool "Enable generic-gmac method provider" + select FASTD_ENABLE_MAC_GHASH +- default y + + config FASTD_ENABLE_METHOD_GENERIC_POLY1305 + bool "Enable generic-poly1305 method provider" diff --git a/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch b/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch new file mode 100644 index 00000000..a995fc8f --- /dev/null +++ b/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch @@ -0,0 +1,61 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 11:56:31 +0100 +Subject: fastd: update to main branch snapshot + +Signed-off-by: Matthias Schiffer + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL + bool "Enable null method" + default y + ++config FASTD_ENABLE_METHOD_NULL_L2TP ++ bool "Enable null@l2tp method" ++ default y ++ + + config FASTD_ENABLE_CIPHER_NULL + bool "Enable the null cipher" +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index c7ab056a9ae005a75a75911658607e64d6228aac..12c9dbc73a9a57d9518cf243674a4104cbacab5b 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -8,12 +8,14 @@ + include $(TOPDIR)/rules.mk + + PKG_NAME:=fastd +-PKG_VERSION:=21 ++PKG_VERSION:=21.37.g7dc53ab69e49 + + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +-PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION) +-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c ++PKG_SOURCE_VERSION:=7dc53ab69e494b9bfb982f729d9f2c510b3629ec ++PKG_SOURCE_PROTO:=git ++PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git ++PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90 + + PKG_LICENSE:=BSD-2-Clause + PKG_LICENSE_FILES:=COPYRIGHT +@@ -26,6 +28,7 @@ PKG_CONFIG_DEPENDS:=\ + CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \ + CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \ + CONFIG_FASTD_ENABLE_METHOD_NULL \ ++ CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \ + CONFIG_FASTD_ENABLE_CIPHER_NULL \ + CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \ + CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \ +@@ -81,7 +84,9 @@ MESON_ARGS += \ + -Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \ + -Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \ + -Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \ ++ -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \ + -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \ ++ -Doffload_l2tp=disabled \ + -Dsystemd=disabled \ + -Duse_nacl=true \ + -Db_lto=true \ diff --git a/patches/packages/packages/0006-fastd-add-L2TP-variant.patch b/patches/packages/packages/0006-fastd-add-L2TP-variant.patch new file mode 100644 index 00000000..8b8265da --- /dev/null +++ b/patches/packages/packages/0006-fastd-add-L2TP-variant.patch @@ -0,0 +1,87 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 12:05:28 +0100 +Subject: fastd: add L2TP variant + +Signed-off-by: Matthias Schiffer + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -1,4 +1,4 @@ +-if PACKAGE_fastd ++if PACKAGE_fastd || PACKAGE_fastd-l2tp + + menu "Configuration" + +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index 12c9dbc73a9a57d9518cf243674a4104cbacab5b..a9280562cb139418b21ecf72cc2c31a5893c3380 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -17,8 +17,8 @@ PKG_SOURCE_PROTO:=git + PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git + PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90 + +-PKG_LICENSE:=BSD-2-Clause +-PKG_LICENSE_FILES:=COPYRIGHT ++PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later ++PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING + + PKG_CONFIG_DEPENDS:=\ + CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \ +@@ -56,6 +56,14 @@ define Package/fastd + TITLE:=Fast and Secure Tunneling Daemon + URL:=https://github.com/NeoRaider/fastd/ + SUBMENU:=VPN ++ VARIANT:=default ++endef ++define Package/fastd-l2tp ++$(Package/fastd) ++ DEPENDS+=+kmod-l2tp +kmod-l2tp-eth ++ TITLE+=(L2TP kernel offloading) ++ VARIANT:=l2tp ++ PROVIDES:=fastd + endef + + define Package/fastd/config +@@ -87,18 +95,31 @@ MESON_ARGS += \ + -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \ + -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \ + -Doffload_l2tp=disabled \ ++ -Dlibmnl_builtin=true \ + -Dsystemd=disabled \ + -Duse_nacl=true \ + -Db_lto=true \ + -Dprefix=/usr + ++ifeq ($(BUILD_VARIANT),l2tp) ++ MESON_ARGS += \ ++ -Dmethod_null_l2tp=enabled \ ++ -Doffload_l2tp=enabled ++endif ++ + define Package/fastd/description +- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies ++Fast and secure tunneling daemon, which is optimized on small code size and few dependencies ++endef ++define Package/fastd-l2tp/description ++$(Package/fastd/description) ++ ++This variant enables L2TP kernel offloadig support. + endef + + define Package/fastd/conffiles + /etc/config/fastd + endef ++Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles) + + define Package/fastd/install + $(INSTALL_DIR) $(1)/usr/bin +@@ -112,5 +133,7 @@ define Package/fastd/install + $(INSTALL_DIR) $(1)/lib/upgrade/keep.d + $(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd + endef ++Package/fastd-l2tp/install = $(Package/fastd/install) + + $(eval $(call BuildPackage,fastd)) ++$(eval $(call BuildPackage,fastd-l2tp)) From eb290000d1dca67e3e0ab82728f73063a989fa2f Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 7 Mar 2021 20:13:41 +0100 Subject: [PATCH 3/4] gluon-{,web-}mesh-vpn-fastd: add support for null@l2tp method THe "null" and "null@l2tp" methods are considered equivalent and always added and removed together when the method list is "configurable". "null@l2tp" is added before "null", so it is preferred when the peer supports both. Offloading is not supported yet. --- package/gluon-mesh-vpn-fastd/check_site.lua | 2 +- .../luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd | 10 ++++++---- .../gluon/config-mode/model/admin/mesh_vpn_fastd.lua | 5 +++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua index 57cc7bb1..6f3c0832 100644 --- a/package/gluon-mesh-vpn-fastd/check_site.lua +++ b/package/gluon-mesh-vpn-fastd/check_site.lua @@ -1,4 +1,4 @@ -local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'} +local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null@l2tp', 'null'} need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods) need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false) diff --git a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd index 0312b29c..908c053f 100755 --- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd +++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd @@ -11,20 +11,22 @@ local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose' local methods if site.mesh_vpn.fastd.configurable(false) then - local has_null = util.contains(site.mesh_vpn.fastd.methods(), 'null') + local site_methods = site.mesh_vpn.fastd.methods() + local has_null = util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null') local old_methods = uci:get('fastd', 'mesh_vpn', 'method') if old_methods then - has_null = util.contains(old_methods, 'null') + has_null = util.contains(old_methods, 'null@l2tp') or util.contains(old_methods, 'null') end methods = {} if has_null then + table.insert(methods, 'null@l2tp') table.insert(methods, 'null') end - for _, method in ipairs(site.mesh_vpn.fastd.methods()) do - if method ~= 'null' then + for _, method in ipairs(site_methods) do + if method ~= 'null@l2tp' and method ~= 'null' then table.insert(methods, method) end end diff --git a/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua b/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua index ad890c31..9243ec92 100644 --- a/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua +++ b/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua @@ -10,7 +10,7 @@ mode.package = "gluon-web-mesh-vpn-fastd" mode.template = "mesh-vpn-fastd" local methods = uci:get('fastd', 'mesh_vpn', 'method') -if util.contains(methods, 'null') then +if util.contains(methods, 'null@l2tp') or util.contains(methods, 'null') then -- performance mode will only be used as default, if it is present in site.mesh_vpn.fastd.methods mode.default = 'performance' else @@ -24,11 +24,12 @@ function mode:write(data) -- if performance mode was selected, and the method 'null' was not present in the original table, it will be added local site_methods = {} if data == 'performance' then + table.insert(site_methods, 'null@l2tp') table.insert(site_methods, 'null') end for _, method in ipairs(site.mesh_vpn.fastd.methods()) do - if method ~= 'null' then + if method ~= 'null@l2tp' and method ~= 'null' then table.insert(site_methods, method) end end From b834df4d1274d651e8c0a84957af8d430ea8d446 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 7 Mar 2021 20:47:27 +0100 Subject: [PATCH 4/4] gluon-mesh-vpn-fastd: add L2TP offload support --- package/features | 2 +- package/gluon-mesh-vpn-fastd-l2tp/Makefile | 13 +++++++++++++ .../files/lib/gluon/mesh-vpn/fastd/l2tp} | 0 .../files/lib/gluon/mesh-vpn/fastd/.keep | 0 .../lib/gluon/upgrade/400-mesh-vpn-fastd | 19 +++++++++++++++++++ 5 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 package/gluon-mesh-vpn-fastd-l2tp/Makefile rename package/{gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd => gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp} (100%) create mode 100644 package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep diff --git a/package/features b/package/features index 72887e3a..a061dd16 100644 --- a/package/features +++ b/package/features @@ -16,7 +16,7 @@ when(_'web-wizard' and _'autoupdater', { 'gluon-config-mode-autoupdater', }) -when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger'), { +when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-fastd-l2tp' or _'mesh-vpn-tunneldigger'), { 'gluon-config-mode-mesh-vpn', }) diff --git a/package/gluon-mesh-vpn-fastd-l2tp/Makefile b/package/gluon-mesh-vpn-fastd-l2tp/Makefile new file mode 100644 index 00000000..5add4f1d --- /dev/null +++ b/package/gluon-mesh-vpn-fastd-l2tp/Makefile @@ -0,0 +1,13 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-mesh-vpn-fastd-l2tp +PKG_VERSION:=1 + +include ../gluon.mk + +define Package/gluon-mesh-vpn-fastd-l2tp + TITLE:=Support for connecting meshes via fastd (with L2TP kernel offloading) + DEPENDS:=+gluon-core +gluon-mesh-vpn-fastd +fastd-l2tp +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP +endef + +$(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd-l2tp)) diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd b/package/gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp similarity index 100% rename from package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd rename to package/gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep b/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep new file mode 100644 index 00000000..e69de29b diff --git a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd index 908c053f..668dc90b 100755 --- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd +++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd @@ -4,6 +4,7 @@ local site = require 'gluon.site' local util = require 'gluon.util' local uci = require('simple-uci').cursor() +local unistd = require 'posix.unistd' local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose' @@ -45,9 +46,20 @@ uci:section('fastd', 'fastd', 'mesh_vpn', { secure_handshakes = true, method = methods, packet_mark = 1, + persist_interface = true, + offload_l2tp = false, status_socket = '/var/run/fastd.mesh_vpn.socket', }) uci:delete('fastd', 'mesh_vpn', 'user') +uci:delete('fastd', 'mesh_vpn', 'peer_limit') + +-- L2TP offload support +if unistd.access('/lib/gluon/mesh-vpn/fastd/l2tp') then + uci:set('fastd', 'mesh_vpn', 'mode', 'multitap') + uci:set('fastd', 'mesh_vpn', 'persist_interface', false) + uci:set('fastd', 'mesh_vpn', 'offload_l2tp', true) + uci:set('fastd', 'mesh_vpn', 'peer_limit', 1) +end -- Collect list of groups that have peers with 'preserve' flag @@ -90,6 +102,7 @@ local function add_peer(group, name, config) enabled = true, net = 'mesh_vpn', group = group, + interface = 'mesh-vpn', key = config.key, remote = config.remotes, }) @@ -119,5 +132,11 @@ end add_groups('mesh_vpn', site.mesh_vpn.fastd.groups()) +-- Update preserved peers as well +uci:foreach('fastd', 'peer', function(peer) + if peer.net == 'mesh_vpn' then + uci:set('fastd', peer['.name'], 'interface', 'mesh-vpn') + end +end) uci:save('fastd')