WolfSSL has a significant lower flash footprint. Also, issues with OWE /
SAE connections were fixed in OpenWrt a while ago.
See ddcb970274
Signed-off-by: David Bauer <mail@david-bauer.net>
Instead of using roles.wan directly as the default for roles.single,
create a copy of the table, so subsequent modifications of roles.single
don't affect roles.wan as well.
Fixes migration of Mesh-on-WAN status when no default for "single"
interfaces is set in site.conf.
luasrcdiet will not print the name of its input file when an error
occurs. To facilitate debugging, echo the name before calling it, so it
is visible with V=s or BUILD_LOG=1.
A section can be marked as preseved by setting the gluon_preserve option
to 1. In addition the following conditions must hold:
- The preserved section must not already exist after OpenWrt's and
Gluons setup scripts run. Modifying existing sections is currently
unsupported.
- Preserved sections must be named, so it can be detected whether a
section conflicts with a preexisting one.
Allow interface names to change on updates to handle hwconfig -> DSA and
similar migrations.
On devices with only a single interface, a sysconfig single_ifname is
created instead of wan_ifname or lan_ifname to allow separate
configuration in site.conf.
With the new role-based interface configuration, it would be better to
rename the wan/wan6 interfaces to uplink/uplink6, but that would cause
unnecessary churn for the firewall configuration, so it is left for a
later update.
As all interfaces with the 'uplink' role are in the br-wan bridge, it is
not possible to assign these to the 'mesh' role independently - instead,
br-wan is added as a mesh interface as soon as a single interface has
both the 'uplink' and 'mesh' roles. The UCI section for this
configuration is now called 'mesh_uplink' instead of 'mesh_wan'.
For all interfaces that have the 'mesh', but not the 'uplink' role a
second configuration 'mesh_other' is created. If there is more than one
such interface, all these interfaces are bridged as well (creating a
bridge 'br-mesh_other'). This replaces the 'mesh_lan' section with its
optional 'br-mesh_lan' bridge, but can also include interfaces that were
not considered "LAN" when interfaces roles are modified (via site.conf
or manually).
The new configuration generates sections iface_single/lan/wan in
/etc/config/gluon. These sections usually refer to a sysconfig-controlled
interface list, but adding custom sections with verbatim interfaces names
is also possible.
Each interface section contains a list of roles. The supported roles are
'client', 'uplink' and 'mesh'. Multiple roles can be configured on the
same interface (for example the old 'mesh_on_wan' setting would become
'uplink'+'mesh').
'client' is subsumed by any other role configured on the same interface
('client'+'mesh' is equivalent to 'mesh'). This property is important, as
it allows the Wired Mesh settings in gluon-web-network to simply add and
remove the mesh role without having to care what other roles are set -
so in the default setup, this would switch between 'client' and
'client'+'mesh' for the LAN interface.
By default, the WAN interface has role 'uplink' and the LAN interface
'client'; if only a single interface exists, the roles from the WAN
interface are used by default. The default for each of the three
interfaces (WAN/LAN/single) can be changed separated in site.conf,
superseding the old mesh_on_wan, mesh_on_lan and single_as_lan settings.
The stdout output of gluon-web scripts is directly sent to uhttpd,
becoming a part of the HTML output or even replacing HTTP status or
headers. The output of gluon-reconfigure is not supposed to end up
there.
While we're at it, also add an exec to avoid an unnecessary shell
process.
The OpenLayers JS/CSS download URL is dead. Update it to make the map
work again:
- Update from OpenLayers 5.2.0 to 5.3.0
- Switch from the obsolete rawgit.com URL to jsdelivr.net (rawgit.com
was only redirecting to jsdelivr.net for the last few years anyways)
- Set a fixed commit in the URL, so the URL doesn't become outdated again
THe "null" and "null@l2tp" methods are considered equivalent and always
added and removed together when the method list is "configurable".
"null@l2tp" is added before "null", so it is preferred when the peer
supports both.
As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.
Actually raise an error and turn it into an HTTP 400 return code when
something goes wrong, rather than ignoring the error.
We also improve the conditions under which errors are thrown before
pump() is called: We don't need to check for the multipart/form-data
content-type twice, and a POST without this content-type is now always
an error.
Swap the interfaces so than the PoE input port LAN0 is used for WAN and
config mode, and LAN1 becomes LAN.
To this end, the code previously used for ar71xx and removed in
commit 9fdc57c175 ("treewide: drop ar71xx platform specific code") is
reintroduced.
Fixes#2384
There wasn't really a reason to have a separate script to set a single
value.
In addition, the old script was using the identifier 'c' instead of
'uci' for the UCI cursor. Following the convention of the other scripts
is helpful so it is easy to grep for all uses of a certain config file/
option.
This copies the code from web-admin and uses it to create a neat
cli-accessible summary about a node
This could also be extended or possibly have all the data the status
page has
Co-Authored-By: Matthias Schiffer <mschiffer@universe-factory.net>
Declare the clock variable as extern in the header file.
Fixes compilation of gluon-ebtables-limit-arp with OpenWrt master:
multiple definition of `clock'; /gluon/openwrt/tmp/ccuynR0G.o:(.bss+0x230): first defined here
Signed-off-by: David Bauer <mail@david-bauer.net>
The 'hwmode' setting has been replaced with 'band' in OpenWrt to add
support for newer bands outside of 2.4G and 5G. Adjust Gluon accordingly.
[Matthias Schiffer: rebased, extended commit message]
In meshes without VPN or supernodes, it may be desirable to connect a
router providing IPv4 addresses directly to a regular Gluon node. For
this to work, it was necessary to remove the gluon-ebtables-filter-ra-dhcp
package from the node, so the autoupdater also needed to be disabled.
To avoid this, make gluon-ebtables-filter-ra-dhcp disable the DHCPv4
filter rules when gw_mode is set to 'server'.
No solution is provided for RA/DHCPv6, but this seems less pressing for
local meshes, as nodes can already provide working IPv6 connectivity
by themselves through gluon-radvd.
The network.wireless status ubus call only returns the configured
channel from UCI, breaking the status page in outdoor mode, where the
configuration contains 'auto' instead of a number.
Fixes: 0d3fa6b59b ("gluon-status-page: use ubus to get radio channels")
Closes#2336
In js `return` does behave like `continue` in a forEach() iteration.
The fixed function was intended to return nothing on error and does so
now, instead of a shorter (useless) array like before.
Calling functions like recv() with a NULL buffer is not explicitly
allowed by the POSIX standard, so it must be avoided to be portable
across different libc implementations. Allocate an initial buffer before
handling requests, and also pass this buffer to the peek recv() call.
Fixes: 531937cf6f ("gluon-neighbour-info: fix broken output with large results")
This removes PKG_VERSION and PKG_RELEASE from most Makefiles, as the
value was never useful for Gluon packages; instead, PKG_VERSION is set
to 1 in gluon.mk.
It also removes two other weird definitions:
- gluon-iptables-clamp-mss-to-pmtu replicating the old PKG_VERSION logic
from gluon-core, but without the fixed PKG_BUILD_DIR to prevent
unnessary rebuilds
- gluon-hoodselector set GLUON_VERSION=3
Calling git describe directly breaks isolation between the build system
and packages. Replace this with proper .config variables, like we
already do for GLUON_RELEASE.
Also replace the PKG_VERSION hack with a static '1', as we do for other
packages - while having those version numbers in opkg was cute, it was
also entirely useless. Having a fixed PKG_VERSION allows us to remove
the PKG_BUILD_DIR override as well.
Currently a buffer with a fixed size of 8192 bytes is used. However the
result can potentially be larger, which leads to a truncated JSON
output on stdout. UDP packets, without compression and with IP
fragmentation, can be up to 64KiB large.
Instead of using a fixed size buffer on the stack ask the kernel first
about the size of the UDP data and allocate a buffer of appropriate size
on the heap before receiving the UDP data.
The issue was observed with a custom respondd provider.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The address of the vpn interface is calculated in the style of
modified EUI-64, based on a virtual mac address. This virtual mac
address consists of 0x00 as first byte and the other five bytes
are taken from the first bytes of md5sum(base64 encoded public key).
The algorithm was taken by the ffmuc, with a slight difference. ffmuc
calculated the result of md5sum(base64 encoded public key + '\n')
which was interpreted as accidential fault and therefore dropped.
Example:
- Public-Key: "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="
- Address: "fe80::02ca:b8ff:fedc:2eb3"
The following interfaces are used for wireguard:
- wg_mesh -> wireguard interface
- mesh-vpn -> vxlan iface on top of wg_mesh
If you use this new feature, make sure the NTP servers in your site
config are publicly reachable. This is necessary, since wireguard
requires correct time before the vpn connection is established.
Therefore gluon performs ntp time synchronisation via WAN before it
establishes the vpn connection. Therefore the NTP servers have to
be publicly reachable (and not only via mesh).
Before this commit, some *.po files contained the same translation
twice within the same file. While this did not led to errors in
gluon yet, it is still invalid. This commit fixes that and removes
the duplicates.
- Move site check for prefix4 and extra_prefixes6 to gluon-core, so the
rules don't need to be duplicated in several packages. This also fixes
gluon-respondd not checking extra_prefixes6 at all when
gluon-ebtables-source-filter is not installed as well.
- A redundant check for prefix6 is removed from gluon-l3roamd (this was
already checked by gluon-core)
- A separate check for prefix4 remains in gluon-client-bridge, as the
setting in mandatory there
Fixes the display of client counts, which are numbers and not strings
in the respondd data.
Fixes: 3a885a1b22 ("gluon-status-page: make "gateway nexthop" a link (#2278)")
Do not depend on the respondd-airtime module just to get the configured
channels. This removes the display of the frequency in addition to the
channel, as it is not readily available.
In addition, the translation string is improved to allow for text after
the channel number.