Merge pull request #2186 from freifunk-gluon/fastd-l2tp

fastd: add L2TP offload support
David Bauer 2022-02-23 19:03:19 +01:00 committed by GitHub
commit 428b8afb92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 623 additions and 42 deletions

@ -1,57 +1,121 @@
Mesh-VPN Mesh VPN
======== ========
Gluon integrates several OSI-Layer 2 tunneling protocols to Gluon integrates several layer 2 tunneling protocols to
enable interconnects between local meshes and provide allow connections between local meshes through the internet.
internetwork access. Available protocols currently are:
- fastd Protocol handlers
- L2TPv3 (via tunneldigger) ^^^^^^^^^^^^^^^^^
fastd is a lightweight userspace tunneling daemon, that There are currently three protocol handlers which can be selected
via ``GLUON_FEATURES`` in ``site.mk``:
mesh-vpn-fastd
~~~~~~~~~~~~~~
fastd is a lightweight userspace tunneling daemon that
implements cipher suites that are specifically designed implements cipher suites that are specifically designed
to work well on embedded devices. It offers encryption to work well on embedded devices. It offers encryption
and authentication. Its primary drawback are the necessary and authentication.
context-switches when forwarding packets. The primary drawback of fastd's encrypted connection modes
is the necessary context switches when forwarding packets.
A kernel-supported L2TPv3 offloading option is available to
work around the context-switching bottleneck, but it comes
at the cost of losing the ability to protect tunnel connections
against eavesdropping or manipulation.
L2TPv3 is an in-kernel tunneling protocol that performs well, mesh-vpn-tunneldigger
but offers no security properties by itself. ~~~~~~~~~~~~~~~~~~~~~
The brokering of the tunnel happens through tunneldigger,
its primary drawback being the lack of IPv6 support. Tunneldigger always uses L2TPv3, generally achieving the same
performance as fastd with the ``null@l2tp`` method, but offering
no security.
Tunneldigger's primary drawback is the lack of IPv6 support.
It also provides less configurability than fastd.
mesh-vpn-wireguard (experimental)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wireguard is a new tunneling software that offers modern encryption
methods and is implemented in the kernel, resulting in high throughput.
It is implemented in Gluon using the *wgpeerselector* tool.
fastd fastd
----- ^^^^^
Configurable Cipher Methods
^^^^^^^^^^^^^^^^^^^ ~~~~~~~
fastd offers various different connection "methods" with different
security properties that can be configured in the site configuration.
From the site configuration fastd can be allowed to offer The following methods are currently recommended:
- ``salsa2012+umac``: Encrypted + authenticated
- ``null+salsa2012+umac``: Unencrypted, authenticated
- ``null@l2tp``: Unencrypted, unauthenticated
Multiple methods can be listed in ``site.conf``. The first listed method
supported by both the node and its peer will be used.
The use of the ``null@l2tp`` method with offloading enabled can provide a
considerable performance gain, especially on weaker embedded hardware.
For L2TP offloading, the ``mesh-vpn-fastd-l2tp`` feature needs to be enabled in
``site.mk``.
Configurable Method
~~~~~~~~~~~~~~~~~~~
From the site configuration, fastd can be allowed to offer
toggleable encryption in the config mode with the intent to toggleable encryption in the config mode with the intent to
increase throughput, although in practice the gain is minimal. increase throughput.
**Site configuration:** There is also an older unprotected method ``null``. Use of the newer
``null@l2tp`` method is generally recommended over ``null``, as the
performance gains provided by the latter (compared to the encrypted
and authenticated methods) are very small.
1) Add the feature ``web-mesh-vpn-fastd`` in ``site.mk`` Site configuration
2) Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf`` ------------------
3) Optionally add ``null`` to the ``mesh_vpn.fastd.methods`` table if you want "Performance mode" as default (not recommended)
**Gateway configuration:** 1)
Add the feature ``web-mesh-vpn-fastd`` in ``site.mk``
2)
Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf``
3)
Optionally, add ``null@l2tp`` to the ``mesh_vpn.fastd.methods`` table if you want
"Performance mode" as default (not recommended)
1) Prepend the ``null`` cipher in fastd's method list Gateway / Supernode Configuration
---------------------------------
When only using the ``null`` or ``null@l2tp`` methods without offloading,
simply add these methods to the front of the method list. ``null@l2tp``
should always appear before ``null`` in the configuration when both are enabled.
fastd v22 or newer is needed for the ``null@l2tp`` method.
It is often not necessary to enable L2TP offloading on supernodes for
performance reasons. Nodes using offloading can communicate with supornodes that
don't use offloading as long as both use the ``null@l2tp`` method.
To enable L2TP offloading on the supornodes as well, it is recommended to study
the fastd documentation section pertaining to the `offload configuration option
<https://fastd.readthedocs.io/en/stable/manual/config.html#option-offload>`_.
Note that in ``multitap`` mode, which is required when using
L2TP offloading, fastd will create one interface per peer
on the supernode's side and it is the administrator's
responsibility to ensure that these interfaces are handled correctly.
In batman-adv-based setups this involves adding the dynamically created
interfaces to an batadv interface using fastd's ``on up`` scripts or some
network configuration daemon like systemd-networkd.
Config Mode
-----------
**Config Mode:**
The resulting firmware will allow users to choose between secure (encrypted) and fast (unencrypted) transport. The resulting firmware will allow users to choose between secure (encrypted) and fast (unencrypted) transport.
.. image:: fastd_mode.gif .. image:: fastd_mode.gif
**Unix socket:** To confirm whether the correct cipher is being used, the log output
To confirm whether the correct cipher is being used, fastd's unix of fastd can be checked using ``logread``.
socket can be interrogated, after installing for example `socat`.
::
opkg update
opkg install socat
socat - UNIX-CONNECT:/var/run/fastd.mesh_vpn.socket
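Review bot: The Config Mode paragraph still describes the choice as "secure (encrypted) and fast (unencrypted) transport", while the method list added earlier in this hunk marks ``null@l2tp`` as "Unencrypted, unauthenticated". The user-facing description should state that performance mode gives up authentication as well as encryption. Two wording fixes in the new Gateway / Supernode text: "supornodes" appears twice, and "an batadv interface" should read "a batadv interface".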

@ -16,7 +16,12 @@ when(_'web-wizard' and _'autoupdater', {
'gluon-config-mode-autoupdater', 'gluon-config-mode-autoupdater',
}) })
when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger' or _'mesh-vpn-wireguard'), { when(_'web-wizard' and (
_'mesh-vpn-fastd' or
_'mesh-vpn-fastd-l2tp' or
_'mesh-vpn-tunneldigger' or
_'mesh-vpn-wireguard'
), {
'gluon-config-mode-mesh-vpn', 'gluon-config-mode-mesh-vpn',
}) })

@ -0,0 +1,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-mesh-vpn-fastd-l2tp
PKG_VERSION:=1
include ../gluon.mk
define Package/gluon-mesh-vpn-fastd-l2tp
TITLE:=Support for connecting meshes via fastd (with L2TP kernel offloading)
DEPENDS:=+gluon-core +gluon-mesh-vpn-fastd +kmod-l2tp-eth +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP
endef
$(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd-l2tp))

@ -1,4 +1,4 @@
local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null@l2tp', 'null'}
need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods) need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods)
need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false) need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false)
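Review bot: The new `fastd_methods` list drops 'salsa2012+gmac' and 'null+salsa2012+gmac', so a site.conf that still lists either of them will be rejected by `need_array_of`. If that is intended (the packages patch in this series disables the GMAC providers by default), it deserves a line in the documentation or release notes telling site maintainers to switch to the UMAC methods.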

@ -5,6 +5,7 @@ local util = require 'gluon.util'
local vpn_core = require 'gluon.mesh-vpn' local vpn_core = require 'gluon.mesh-vpn'
local uci = require('simple-uci').cursor() local uci = require('simple-uci').cursor()
local unistd = require 'posix.unistd'
local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose' local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose'
@ -17,20 +18,22 @@ end
local methods local methods
if site.mesh_vpn.fastd.configurable(false) then if site.mesh_vpn.fastd.configurable(false) then
local has_null = util.contains(site.mesh_vpn.fastd.methods(), 'null') local site_methods = site.mesh_vpn.fastd.methods()
local has_null = util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null')
local old_methods = uci:get('fastd', 'mesh_vpn', 'method') local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
if old_methods then if old_methods then
has_null = util.contains(old_methods, 'null') has_null = util.contains(old_methods, 'null@l2tp') or util.contains(old_methods, 'null')
end end
methods = {} methods = {}
if has_null then if has_null then
table.insert(methods, 'null@l2tp')
table.insert(methods, 'null') table.insert(methods, 'null')
end end
for _, method in ipairs(site.mesh_vpn.fastd.methods()) do for _, method in ipairs(site_methods) do
if method ~= 'null' then if method ~= 'null@l2tp' and method ~= 'null' then
table.insert(methods, method) table.insert(methods, method)
end end
end end
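Review bot: In the `if has_null then` block both 'null@l2tp' and 'null' are inserted whenever either one was found, so a site that lists only 'null@l2tp' ends up offering the older 'null' method as well. If that is deliberate for compatibility with peers that lack 'null@l2tp', a comment saying so would help; otherwise insert only the unprotected methods that are actually present in `site_methods`.
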
@ -50,9 +53,19 @@ uci:section('fastd', 'fastd', 'mesh_vpn', {
secure_handshakes = true, secure_handshakes = true,
method = methods, method = methods,
packet_mark = 1, packet_mark = 1,
persist_interface = true,
offload_l2tp = false,
status_socket = '/var/run/fastd.mesh_vpn.socket', status_socket = '/var/run/fastd.mesh_vpn.socket',
}) })
uci:delete('fastd', 'mesh_vpn', 'peer_limit')
-- L2TP offload support
if unistd.access('/lib/gluon/mesh-vpn/fastd/l2tp') then
uci:set('fastd', 'mesh_vpn', 'mode', 'multitap')
uci:set('fastd', 'mesh_vpn', 'persist_interface', false)
uci:set('fastd', 'mesh_vpn', 'offload_l2tp', true)
uci:set('fastd', 'mesh_vpn', 'peer_limit', 1)
end
-- Collect list of groups that have peers with 'preserve' flag -- Collect list of groups that have peers with 'preserve' flag
local preserve_groups = {} local preserve_groups = {}
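Review bot: The L2TP block forces `peer_limit` to 1 and `mode` to 'multitap' as soon as '/lib/gluon/mesh-vpn/fastd/l2tp' exists, independent of whether 'null@l2tp' is in `methods`. Please add a comment explaining why the peer limit must be 1 here, and consider whether a node that has the feature installed but only encrypted methods configured should still be switched to multitap with a single peer.
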
@ -94,6 +107,7 @@ local function add_peer(group, name, config)
enabled = true, enabled = true,
net = 'mesh_vpn', net = 'mesh_vpn',
group = group, group = group,
interface = 'mesh-vpn',
key = config.key, key = config.key,
remote = config.remotes, remote = config.remotes,
}) })
@ -123,5 +137,11 @@ end
add_groups('mesh_vpn', site.mesh_vpn.fastd.groups()) add_groups('mesh_vpn', site.mesh_vpn.fastd.groups())
-- Update preserved peers as well
uci:foreach('fastd', 'peer', function(peer)
if peer.net == 'mesh_vpn' then
uci:set('fastd', peer['.name'], 'interface', 'mesh-vpn')
end
end)
uci:save('fastd') uci:save('fastd')

@ -10,7 +10,7 @@ mode.package = "gluon-web-mesh-vpn-fastd"
mode.template = "mesh-vpn-fastd" mode.template = "mesh-vpn-fastd"
local methods = uci:get('fastd', 'mesh_vpn', 'method') local methods = uci:get('fastd', 'mesh_vpn', 'method')
if util.contains(methods, 'null') then if util.contains(methods, 'null@l2tp') or util.contains(methods, 'null') then
-- performance mode will only be used as default, if it is present in site.mesh_vpn.fastd.methods -- performance mode will only be used as default, if it is present in site.mesh_vpn.fastd.methods
mode.default = 'performance' mode.default = 'performance'
else else
@ -24,11 +24,12 @@ function mode:write(data)
-- if performance mode was selected, and the method 'null' was not present in the original table, it will be added -- if performance mode was selected, and the method 'null' was not present in the original table, it will be added
local site_methods = {} local site_methods = {}
if data == 'performance' then if data == 'performance' then
table.insert(site_methods, 'null@l2tp')
table.insert(site_methods, 'null') table.insert(site_methods, 'null')
end end
for _, method in ipairs(site.mesh_vpn.fastd.methods()) do for _, method in ipairs(site.mesh_vpn.fastd.methods()) do
if method ~= 'null' then if method ~= 'null@l2tp' and method ~= 'null' then
table.insert(site_methods, method) table.insert(site_methods, method)
end end
end end
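Review bot: The comment at the top of this `mode:write` block still says only that the method 'null' "will be added", while the code below it now inserts 'null@l2tp' first and then 'null'. Update the comment to name both methods and their order, since the order decides which one a peer negotiates.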

@ -0,0 +1,124 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 7 Mar 2021 11:48:32 +0100
Subject: fastd: simplify Config.in
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 45976ff31a9894dec35fc4a077c9652f6cb59a54)
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644
--- a/net/fastd/Config.in
+++ b/net/fastd/Config.in
@@ -1,102 +1,79 @@
+if PACKAGE_fastd
+
menu "Configuration"
- depends on PACKAGE_fastd
config FASTD_ENABLE_METHOD_CIPHER_TEST
bool "Enable cipher-test method provider"
- depends on PACKAGE_fastd
- default n
config FASTD_ENABLE_METHOD_COMPOSED_GMAC
bool "Enable composed-gmac method provider"
- depends on PACKAGE_fastd
+ select FASTD_ENABLE_MAC_GHASH
default y
config FASTD_ENABLE_METHOD_COMPOSED_UMAC
bool "Enable composed-umac method provider"
- depends on PACKAGE_fastd
+ select FASTD_ENABLE_MAC_UHASH
default y
config FASTD_ENABLE_METHOD_GENERIC_GMAC
bool "Enable generic-gmac method provider"
- depends on PACKAGE_fastd
+ select FASTD_ENABLE_MAC_GHASH
default y
config FASTD_ENABLE_METHOD_GENERIC_POLY1305
bool "Enable generic-poly1305 method provider"
- depends on PACKAGE_fastd
- default n
config FASTD_ENABLE_METHOD_GENERIC_UMAC
bool "Enable generic-umac method provider"
- depends on PACKAGE_fastd
+ select FASTD_ENABLE_MAC_UHASH
default y
config FASTD_ENABLE_METHOD_NULL
bool "Enable null method"
- depends on PACKAGE_fastd
default y
config FASTD_ENABLE_CIPHER_NULL
bool "Enable the null cipher"
- depends on PACKAGE_fastd
default y
config FASTD_ENABLE_CIPHER_SALSA20
bool "Enable the Salsa20 cipher"
- depends on PACKAGE_fastd
- default n
config FASTD_ENABLE_CIPHER_SALSA2012
bool "Enable the Salsa20/12 cipher"
- depends on PACKAGE_fastd
default y
config FASTD_ENABLE_MAC_GHASH
- bool "Enable the GHASH message authentication code"
- depends on PACKAGE_fastd
- default y
+ bool
config FASTD_ENABLE_MAC_UHASH
- bool "Enable the UHASH message authentication code"
- depends on PACKAGE_fastd
- default y
+ bool
config FASTD_WITH_CAPABILITIES
bool "Enable POSIX capability support"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_CMDLINE_USER
bool "Include support for setting user/group related options on the command line"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_CMDLINE_LOGGING
bool "Include support for setting logging related options on the command line"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_CMDLINE_OPERATION
bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_CMDLINE_COMMANDS
bool "Include support for setting handler scripts (e.g. --on-up) on the command line"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_DYNAMIC_PEERS
bool "Include support for dynamic peers (using on-verify handlers)"
- depends on PACKAGE_fastd
- default n
config FASTD_WITH_STATUS_SOCKET
bool "Include support for status sockets"
- depends on PACKAGE_fastd
default y
endmenu
+
+endif

@ -0,0 +1,32 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 7 Mar 2021 11:50:04 +0100
Subject: fastd: disable GMAC-based methods by default
The UMAC-based methods provide higher performance than GMAC and aren't
suspectible to timing attacks when implemented in software (which is
always the case on OpenWrt, as OpenSSL support is disabled). Disable
GMAC by default to save a few KiB.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 916a65781829d93856bfb82cf78ba333b8fbc973)
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644
--- a/net/fastd/Config.in
+++ b/net/fastd/Config.in
@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST
config FASTD_ENABLE_METHOD_COMPOSED_GMAC
bool "Enable composed-gmac method provider"
select FASTD_ENABLE_MAC_GHASH
- default y
config FASTD_ENABLE_METHOD_COMPOSED_UMAC
bool "Enable composed-umac method provider"
@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
config FASTD_ENABLE_METHOD_GENERIC_GMAC
bool "Enable generic-gmac method provider"
select FASTD_ENABLE_MAC_GHASH
- default y
config FASTD_ENABLE_METHOD_GENERIC_POLY1305
bool "Enable generic-poly1305 method provider"

@ -0,0 +1,59 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 27 Jun 2021 13:07:49 +0200
Subject: fastd: update to v22
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit c8ca43865dcc7be0e3193f9b7d12f40d3441c258)
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644
--- a/net/fastd/Config.in
+++ b/net/fastd/Config.in
@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL
bool "Enable null method"
default y
+config FASTD_ENABLE_METHOD_NULL_L2TP
+ bool "Enable null@l2tp method"
+ default y
+
config FASTD_ENABLE_CIPHER_NULL
bool "Enable the null cipher"
diff --git a/net/fastd/Makefile b/net/fastd/Makefile
index c7ab056a9ae005a75a75911658607e64d6228aac..d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d 100644
--- a/net/fastd/Makefile
+++ b/net/fastd/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=fastd
-PKG_VERSION:=21
+PKG_VERSION:=22
PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
+PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951
PKG_LICENSE:=BSD-2-Clause
PKG_LICENSE_FILES:=COPYRIGHT
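Review bot: `PKG_HASH` changes together with `PKG_VERSION` in this hunk, and the new value cannot be checked from the diff alone. Please confirm that it matches the fastd v22 tarball published under `PKG_SOURCE_URL`, or the hash in the upstream commit this was cherry-picked from, before merging.
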
@@ -26,6 +26,7 @@ PKG_CONFIG_DEPENDS:=\
CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \
CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \
CONFIG_FASTD_ENABLE_METHOD_NULL \
+ CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \
CONFIG_FASTD_ENABLE_CIPHER_NULL \
CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \
CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \
@@ -81,7 +82,9 @@ MESON_ARGS += \
-Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \
-Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \
-Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
+ -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
+ -Doffload_l2tp=disabled \
-Dsystemd=disabled \
-Duse_nacl=true \
-Db_lto=true \

@ -0,0 +1,88 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 27 Jun 2021 13:26:26 +0200
Subject: fastd: add L2TP variant
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 7b9c04f95b5202d5eb75e4bf1c6831a667ac3d0f)
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644
--- a/net/fastd/Config.in
+++ b/net/fastd/Config.in
@@ -1,4 +1,4 @@
-if PACKAGE_fastd
+if PACKAGE_fastd || PACKAGE_fastd-l2tp
menu "Configuration"
diff --git a/net/fastd/Makefile b/net/fastd/Makefile
index d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d..58255cb0ba1a3b00fbca7cfdd44abd3a923603f3 100644
--- a/net/fastd/Makefile
+++ b/net/fastd/Makefile
@@ -15,8 +15,8 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951
-PKG_LICENSE:=BSD-2-Clause
-PKG_LICENSE_FILES:=COPYRIGHT
+PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later
+PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING
PKG_CONFIG_DEPENDS:=\
CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \
@@ -54,6 +54,14 @@ define Package/fastd
TITLE:=Fast and Secure Tunneling Daemon
URL:=https://github.com/NeoRaider/fastd/
SUBMENU:=VPN
+ VARIANT:=default
+endef
+define Package/fastd-l2tp
+$(Package/fastd)
+ DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
+ TITLE+=(L2TP kernel offloading)
+ VARIANT:=l2tp
+ PROVIDES:=fastd
endef
define Package/fastd/config
@@ -85,18 +93,31 @@ MESON_ARGS += \
-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
-Doffload_l2tp=disabled \
+ -Dlibmnl_builtin=true \
-Dsystemd=disabled \
-Duse_nacl=true \
-Db_lto=true \
-Dprefix=/usr
+ifeq ($(BUILD_VARIANT),l2tp)
+ MESON_ARGS += \
+ -Dmethod_null_l2tp=enabled \
+ -Doffload_l2tp=enabled
+endif
+
define Package/fastd/description
- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
+Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
+endef
+define Package/fastd-l2tp/description
+$(Package/fastd/description)
+
+This variant enables L2TP kernel offloadig support.
endef
define Package/fastd/conffiles
/etc/config/fastd
endef
+Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
define Package/fastd/install
$(INSTALL_DIR) $(1)/usr/bin
@@ -110,5 +131,7 @@ define Package/fastd/install
$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
endef
+Package/fastd-l2tp/install = $(Package/fastd/install)
$(eval $(call BuildPackage,fastd))
+$(eval $(call BuildPackage,fastd-l2tp))

@ -0,0 +1,63 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 27 Jun 2021 14:48:48 +0200
Subject: fastd: fix start of non-L2TP variant
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 62742985d7cf15029b4d6027a7ccfa0e480278ca)
diff --git a/net/fastd/Makefile b/net/fastd/Makefile
index 58255cb0ba1a3b00fbca7cfdd44abd3a923603f3..6fd316374d876834995f696fc63e7fbb98fb437c 100644
--- a/net/fastd/Makefile
+++ b/net/fastd/Makefile
@@ -9,6 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=fastd
PKG_VERSION:=22
+PKG_RELEASE=2
PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
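Review bot: `PKG_RELEASE=2` uses a recursive `=` assignment while the neighbouring `PKG_NAME:=` and `PKG_VERSION:=` lines use `:=`. This mirrors the cherry-picked commit, so leave it if the patch should stay identical to its origin; otherwise `PKG_RELEASE:=2` would match the rest of the Makefile.
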
diff --git a/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2eabc95d61abf070907239b9d5d5935bd82966c
--- /dev/null
+++ b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch
@@ -0,0 +1,38 @@
+From d95ae843845760aecbbc62a734c2b93b401b1834 Mon Sep 17 00:00:00 2001
+Message-Id: <d95ae843845760aecbbc62a734c2b93b401b1834.1624798048.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 27 Jun 2021 14:45:46 +0200
+Subject: [PATCH] config: allow disabling L2TP offload when fastd doesn't
+ support it
+
+Only attempting to enable the offloading should raise an error when it
+is not supported.
+---
+ src/config.y | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/config.y b/src/config.y
+index a107d7b9fda7..7a3ec6a32649 100644
+--- a/src/config.y
++++ b/src/config.y
+@@ -282,12 +282,14 @@ offload: TOK_L2TP boolean {
+ #ifdef WITH_OFFLOAD_L2TP
+ conf.offload_l2tp = $2;
+ #else
++ if ($2) {
+ # ifdef __linux__
+- fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd");
++ fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd");
+ # else
+- fastd_config_error(&@$, state, "L2TP offload is not supported on this platform");
++ fastd_config_error(&@$, state, "L2TP offload is not supported on this platform");
+ # endif
+- YYERROR;
++ YYERROR;
++ }
+ #endif
+ }
+ ;
+--
+2.32.0
+

@ -0,0 +1,112 @@
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sun, 27 Jun 2021 16:46:38 +0200
Subject: fastd: make L2TP support a config option instead of a variant
We enable the option by default, but do not depend on the kernel modules
required for L2TP offloading to avoid wasting space when the feature is
not needed. To use offloading, kmod-l2tp-eth must be installed.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 03ff71d5ba955ad2d3f23de30e526ab6452297d4)
diff --git a/net/fastd/Config.in b/net/fastd/Config.in
index 3da5e1f183c5400cc38650efad39edf31c6f18d0..67ae7c6b1390632735c5d26bade2cb2c570a9a43 100644
--- a/net/fastd/Config.in
+++ b/net/fastd/Config.in
@@ -1,4 +1,4 @@
-if PACKAGE_fastd || PACKAGE_fastd-l2tp
+if PACKAGE_fastd
menu "Configuration"
@@ -76,6 +76,10 @@ config FASTD_WITH_STATUS_SOCKET
bool "Include support for status sockets"
default y
+config FASTD_WITH_OFFLOAD_L2TP
+ bool "Enable L2TP offloading"
+ default y
+
endmenu
endif
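Review bot: `FASTD_WITH_OFFLOAD_L2TP` is added with `default y` but no help text, and the requirement stated in the commit message (kmod-l2tp-eth must be installed for offloading to work) is not visible to someone configuring the package. A short `help` entry under the option repeating that requirement would make it discoverable.
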
diff --git a/net/fastd/Makefile b/net/fastd/Makefile
index 6fd316374d876834995f696fc63e7fbb98fb437c..9175227a5fe179bdb9d38d5e173f84908fb216ef 100644
--- a/net/fastd/Makefile
+++ b/net/fastd/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=fastd
PKG_VERSION:=22
-PKG_RELEASE=2
+PKG_RELEASE=3
PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
@@ -39,7 +39,8 @@ PKG_CONFIG_DEPENDS:=\
CONFIG_FASTD_WITH_CMDLINE_OPERATION \
CONFIG_FASTD_WITH_CMDLINE_COMMANDS \
CONFIG_FASTD_WITH_DYNAMIC_PEERS \
- CONFIG_FASTD_WITH_STATUS_SOCKET
+ CONFIG_FASTD_WITH_STATUS_SOCKET \
+ CONFIG_FASTD_WITH_OFFLOAD_L2TP
PKG_BUILD_DEPENDS:=meson/host nacl
@@ -55,14 +56,6 @@ define Package/fastd
TITLE:=Fast and Secure Tunneling Daemon
URL:=https://github.com/NeoRaider/fastd/
SUBMENU:=VPN
- VARIANT:=default
-endef
-define Package/fastd-l2tp
-$(Package/fastd)
- DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
- TITLE+=(L2TP kernel offloading)
- VARIANT:=l2tp
- PROVIDES:=fastd
endef
define Package/fastd/config
@@ -93,32 +86,20 @@ MESON_ARGS += \
-Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
- -Doffload_l2tp=disabled \
+ -Doffload_l2tp=$(call feature,WITH_OFFLOAD_L2TP) \
-Dlibmnl_builtin=true \
-Dsystemd=disabled \
-Duse_nacl=true \
-Db_lto=true \
-Dprefix=/usr
-ifeq ($(BUILD_VARIANT),l2tp)
- MESON_ARGS += \
- -Dmethod_null_l2tp=enabled \
- -Doffload_l2tp=enabled
-endif
-
define Package/fastd/description
Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
endef
-define Package/fastd-l2tp/description
-$(Package/fastd/description)
-
-This variant enables L2TP kernel offloadig support.
-endef
define Package/fastd/conffiles
/etc/config/fastd
endef
-Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
define Package/fastd/install
$(INSTALL_DIR) $(1)/usr/bin
@@ -132,7 +113,5 @@ define Package/fastd/install
$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
endef
-Package/fastd-l2tp/install = $(Package/fastd/install)
$(eval $(call BuildPackage,fastd))
-$(eval $(call BuildPackage,fastd-l2tp))