Commit Graph

727 Commits

Author SHA1 Message Date
Matthias Schiffer
1fb7766692 gluon-mesh-batman-adv-*: add gluon_mesh protocol handlers 2016-09-09 00:21:59 +02:00
Matthias Schiffer
b4aecddd6c gluon-core: add gluon_mesh netifd proto
This new protocol will allow configuring mesh interfaces independently of
the used mesh protocol.
2016-09-09 00:21:59 +02:00
Matthias Schiffer
5dd215a38f gluon-status-page-api: hide warning in upgrade script 2016-09-09 00:21:36 +02:00
Matthias Schiffer
48b3283c3e gluon-mesh-batman-adv-core, gluon-mesh-vpn-fastd: switch MAC address assignment
Switch to:

1. WAN
2. LAN
3. Mesh VPN

As WAN and LAN are set up in gluon-mesh-batman-adv-core (and will be moved
to gluon-core), while the mesh VPN has its own package, giving WAN and LAN
the first indices is preferable.
2016-09-09 00:21:36 +02:00
Matthias Schiffer
a1f1d476ce gluon-wan-dnsmasq: add interface name to link-local addresses
Fixes #854
2016-09-09 00:21:36 +02:00
Matthias Schiffer
1ba534d306 gluon-config-mode-mesh-vpn: fix indentation 2016-09-09 00:21:36 +02:00
Matthias Schiffer
58bd1f5979 Use a "pretty" hostname where possible
Fixes #414
2016-09-09 00:21:35 +02:00
Matthias Schiffer
53be0bec2d gluon-config-mode-*, gluon-luci-*: add escaping for many user- or site-defined strings
Allows weird release numbers, models and site names, and prepares support
for pretty hostnames.
2016-09-09 00:21:35 +02:00
Matthias Schiffer
38c0cb12f7 gluon-luci-theme: add HTML and URL escaping utility functions 2016-09-09 00:21:35 +02:00
kb-light
691531de7e gluon-mesh-batman-adv-core: use need_one_of() to check for valid mcast_rate 2016-09-09 00:21:35 +02:00
kb-light
bd4368d784 gluon-core: make wifi rates configurable by site.conf
and add documentation
2016-09-09 00:21:35 +02:00
Matthias Schiffer
9dd22916fc gluon-radvd: fix init script
Fixes #862
2016-09-09 00:21:35 +02:00
Linus Lüssing
8047684be0 gluon-core: reenable multicast snooping on WAN side
Just like we enabled multicast snooping on the batman-adv client bridge
again, let's do the same for the WAN side.

With one exception: The IGMP/MLD querier is kept disabled to avoid
becoming too "bossy"/"noisy" on a foreign network. The main router on
the WAN side should perform querying and by that enable
IGMP/MLD/snooping if it considers this appropriate there.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2016-09-09 00:21:35 +02:00
Linus Lüssing
e6244cfeff gluon-mesh-batman-adv-core: reenable multicast snooping
A few issues with the bridge snooping were identified and fixed
upstream in OpenWRT:

* "firewall: Allow IGMP and MLD input on WAN" (r45613)
* "kernel: bridge: backport two snooping related patches" (r45783)
* netifd: "bridge: Fix multicast_to_unicast feature by hairpin+isolate"
  (OW: "netifd: update to the latest version, adds multicast-to-unicast fixes" (r46719))
* "kernel: bridge, multicast-to-unicast: assign src after pskb_may_pull()" (r46721)
* "kernel: bridge, multicast-to-unicast: fix echoes on STA" (46765)

These have very likely caused issues with the bridge snooping before,
which led to disabling it in the past. Let's reenable the multicast
snooping now that they were fixed for reduced multicast overhead on the
wifi.

Advantages are the following:

This mildly reduces overhead on the mesh layer. And significantly reduces
overhead on the AP interface and therefore significantly increases
available airtime (the currently most significant scalability bottleneck).

Secondly removes an easy, often accidental node-local Denial-of-Service
vector based on multicast flooding / streaming.

Thirdly, makes node-local multicast streaming feasible.

Finally should noticeably increase battery life of mobile devices.

Note: bridge querier is disabled for br-wan. We want to avoid becoming
too "bossy"/"noisy" on a foreign network.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2016-09-09 00:21:35 +02:00
T-X
0bc0199516 gluon-mesh-batman-adv-core: disable bridge port learning on bat0 (#780)
The mesh side has become fairly huge in many communities. Up to
a few thousand entries can currently be found in the forwarding
database (fdb) of a bridge for its bridge port bat0.

The bridge fdb is kind of redundant to the batman-adv global translation
table here. Therefore this patch tries to reduce memory footprint by
following an approach similar to the IGMP/MLD split patchset approach:

Make the bridge oblivious not only regarding multicast listeners towards
the mesh but with this patch unicast hosts on the mesh, too.

If the destination of an ethernet frame is known by the bridge to be a
local one, then the frame is forwarded to the according port. If it is
unknown, then the frame is forwarded to the wifi AP interface and bat0.

mac80211 and batman-adv then know whether to drop or forward a frame
further through their own book-keeping.

Note that unicast-flood is not disabled for the wifi AP bridge port, nor
is learning disabled on the wifi AP. This is mainly to keep the
configuration in UCI and according setup scripts simple ;). However, not
disabling unicast-flood on the wifi AP interface might also give a
minor latency improvement for newly joining wifi clients.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2016-09-09 00:21:35 +02:00
kb-light
4ad4217716 gluon-luci-private-wifi: limit ssid to 32 characters (#848)
Fixes #845
2016-09-09 00:21:34 +02:00
Jan-Philipp Litza
b2eeaf6565 gluon-radvd: Use procd in init script
The main advantage is that procd is capable of logging stderr to logd,
making errors easier to debug.
2016-09-09 00:21:34 +02:00
Matthias Schiffer
d309814be9 gluon-luci-portconfig: add setting for PoE passthrough
Fixes #328
2016-09-09 00:21:33 +02:00
Matthias Schiffer
04ed2ecea7 gluon-core: allow setting PoE passthrough default setting from site.conf 2016-09-09 00:21:33 +02:00
Matthias Schiffer
f3e171a2dc gluon-luci-private-wifi: set MAC address if the driver provides one 2016-09-09 00:21:33 +02:00
Matthias Schiffer
4fcf5e73dd gluon-core: split get_wlan_mac_from_driver() out of get_wlan_mac() 2016-09-09 00:21:33 +02:00
Matthias Schiffer
53a494d25f gluon-client-bridge, gluon-mesh-batman-adv-core: make macaddr variable local in upgrade script 2016-09-09 00:21:33 +02:00
Matthias Schiffer
ca8bff68d6 gluon-luci-admin: rename "Expert Mode" to "Advanced settings"
Use the common term; the "Expert Mode" never was a distinct mode of
operation anyways.
2016-09-09 00:21:32 +02:00
Matthias Schiffer
5a3d7268dd gluon-luci-admin: regenerate fr.po 2016-09-09 00:21:32 +02:00
Christof Schulze
5bf7a7eea5 gluon-radvd: externalize arguments
The arguments are now provided by gluon-mesh-batman-adv-core, so
gluon-radvd can be used with other mesh protocols.

[Matthias Schiffer: removed PROVIDES dependency]
2016-09-09 00:21:32 +02:00
Matthias Schiffer
412d9df0c3 gluon-setup-mode: remove unneeded require 2016-09-09 00:20:37 +02:00
lemoer
4d18a4e611 gluon-neighbour-info: improve verbosity on wrong cli parameters (#829)
gluon-neighbour-info: improve verbosity on wrong cli parameters
2016-09-09 00:20:37 +02:00
Matthias Schiffer
3595c8eb57 Use MAC addresses provided by WLAN drivers by default
Some drivers (mt76) don't support arbitrary MAC addresses. Use the
addresses provided by the driver (avoiding the primary address) by default,
but fall back to our hash-based scheme when the driver doesn't provide
(enough) addresses.
2016-09-09 00:20:37 +02:00
Matthias Schiffer
ca1b03b29e gluon-core: unify indentation in gluon/util.lua 2016-09-09 00:20:37 +02:00
Matthias Schiffer
f321af9889 gluon-client-bridge, gluon-mesh-batman-adv-core: simplify VIF config functions 2016-09-09 00:20:37 +02:00
Matthias Schiffer
d82b207b16 gluon-mesh-batman-adv-core: add sleep to autoupdater network stop script
Accidentally forgot to commit this. The sleep is necessary so netifd can
actually stop the WLAN interfaces after `wifi down`.
2016-09-09 00:20:36 +02:00
Jan-Tarek Butt
45ae67bb4c gluon-mesh-batman-adv-core: stop WLAN and batman-adv before autoupdater upgrades
[Matthias Schiffer:
  - improve commit message
  - add pidof check
  - also call `wifi down`
]
2016-09-09 00:20:36 +02:00
Jan-Tarek Butt
13286d3768 Minify all Lua code 2016-09-09 00:20:36 +02:00
Matthias Schiffer
debf8fd013 ramips-mt7621: use phy1 MAC address as primary on DIR-860L B1 2016-09-09 00:20:36 +02:00
Matthias Schiffer
c4f21cdfe0 gluon-luci-wifi-config: fix to work with legacy configs using macaddr instead of path to identify radios 2016-09-09 00:20:36 +02:00
Matthias Schiffer
bfb0002bb5 Add target ar71xx-mikrotik
Fixes #121

Based-on-patch-by: Tobias Hachmer <tobias@hachmer.de>
2016-09-09 00:20:35 +02:00
Matthias Schiffer
5bfb8e4ef6 gluon-core: make gluon.platform.match() match all boards when no boards are given 2016-09-09 00:20:35 +02:00
Sven Eckelmann
2b46abac1c ar71xx-generic: Add support for OpenMesh MR1750v2
The new MR1750v2 device support is only available in LEDE master. The
relevant patches have to be backported to add support for them in Gluon

Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2016-09-09 00:20:34 +02:00
Sven Eckelmann
ef932b1825 ar71xx-generic: Add support for OpenMesh OM2P-HSv3
The new OM2P-HSv3 device support is only available in LEDE master. The
relevant patches have to be backported to add support for them in Gluon

Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2016-09-09 00:20:34 +02:00
Thomas Weißschuh
529233e2b4 gluon-batman-adv-core: respondd: add gateway_nexthop field 2016-09-09 00:20:34 +02:00
Jan-Philipp Litza
8546c3b8bd gluon-node-info: simplify respondd module code a bit 2016-09-09 00:20:32 +02:00
Jan-Philipp Litza
94d2fb6d22 respondd modules: Use proper formatting of doubles
Most doubles that are delivered via respondd have limited input
precision, but are converted with up to 17 digits of precision. That can
cause ugly blowups like 0.2800000000000001 in the output, which is
avoided by specifying better format strings (like "%.2f" in most cases).
2016-09-09 00:20:32 +02:00
Sven Eckelmann
bdf5adc76c ar71xx-generic: Use eth0 as OpenMesh primary mac address
The OpenMesh devices have a sticker with the eth0 mac address on the
bottom. Also all other mac addresses are calculated based on this address.
Therefore, it is better to use this as primary mac address instead of the
WiFi mac address.

Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2016-09-09 00:20:32 +02:00
Linus Lüssing
0cd6f95e9f ebtables-segment-mld: Segment IGMP/MLD domain
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.

For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.

Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).

Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.

Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.

Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2016-09-09 00:20:32 +02:00
Linus Lüssing
460e795f93 ebtables-filter-mcast: Remove redundant allow-filter for hop-by-hop
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.

The intent back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2016-09-09 00:20:32 +02:00
Matthias Schiffer
fe00c4ea53 gluon-config-mode-core: clean up reboot handling
Don't fork reboot process before all package hooks have been handled and
rendering is complete.

Replace debug.setfenv hack to close stdout with nixio.dup.

Fixes #772
2016-09-09 00:20:31 +02:00
Matthias Schiffer
bbd86a8ae9 gluon-mesh-vpn-fastd: add missing iptables dependency confusing Kconfig
This was causing "recursive dependency" errors and potentially broken
configurations.
2016-09-09 00:20:31 +02:00
Sven Eckelmann
1159957dfc gluon-luci-admin: Fix uploaded image validation
The image validation currently fails on some devices (tested OpenMesh)
because it isn't done via sysupgrade. But the checks depend partially on
the integration in sysupgrade (e.g. via loops that can be stopped via
"break statements").

Instead of hacking its own version check, it is easier and better tested to
just use 'sysupgrade -T' like it is already done by LuCI.

Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
2016-09-09 00:20:31 +02:00
Matthias Schiffer
c6bdd68553 ar71xx-generic: switch default WAN/LAN assignment on Ubiquiti UAP Pro
Fixes #764
2016-09-09 00:20:31 +02:00
Matthias Schiffer
7c0f77b566 ar71xx-generic: add support for UniFi AC PRO/LITE (LITE untested)
Also backport some patches improving QCA956x support.
2016-09-09 00:20:31 +02:00