We always want to prefer the unique node address for outgoing traffic. Note
that this doesn't have an effect with batman-adv, as usually br-client will
be the outgoing interface, so the unique address would be chosen anyways.
macvlan interfaces never directly exchange traffic with the underlying
interface, but only with other hosts behind the interface. In consequence,
router advertisements from the uradvd running on br-client could never
reach local-node, preventing it from getting an IPv6 address without RAs
from an external radvd. Fix this be replacing the macvlan interface with
a veth pair (with the peer interface in br-client).
As a side effect, this saves about 5KB of flash, as the veth module is
simpler than macvlan.
When preparing the migration from macvlan to veth for local-node, MAC
address conflicts occurred as some ports of br-client had the same address
as local-node. Reverting the roles of both interfaces fixes this.
By default, br-client is left as an interface without addresses and
firewall rules that drop everything, so the bridge is used to connect its
ports only. gluon-mesh-batman-adv-core changes this to the usual set
of addresses and firewall rules.
The batadv debugfs requires large memory blocks to write the text debug
tables. This is inefficient for large tables like the global translation
table or the originators table.
The memory requirement can be reduced by using netlink. It copies smaller
packets in a binary format to the userspace program. The respondd module of
gluon-mesh-batman-adv-core can therefore parse larger originator tables
without causing an OOM on systems which are tight on memory.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
The batadv debugfs requires large memory blocks to write the text debug
tables. This is inefficient for large tables like the global translation
table or the originators table.
The memory requirement can be reduced by using netlink. It copies smaller
packets in a binary format to the userspace program. gluon-status-page-api
can therefore parse larger originator tables without causing an OOM on
systems which are tight on memory.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
MAC and IP addresses are switched. This makes the gluon-client-bridge
package more useful for different routing protocols that don't need a
unique address on the client bridge.
As a side effect, gluon-radvd is now using the next-node address, which had
been considered before, but was dismissed to avoid having gluon-radvd
depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful
for announcing default routes via gluon-radvd.
One downside is that this introduces a minor dependency on batman-adv in
gluon-respondd: the hotplug script that checked for the client interface
before will now check for local-node. This doesn't really matter: for mesh
protocols without a local-node interface, the check will do nothing (which
makes sense, as there is no interface to bind to for mesh-wide respondd).
Because we unconditionally appended `-i br-client` to the command line of
respondd, it wasn't restarted when br-client changed state. Now, we use a
jsonfilter expression on the network.interface dump data, similar to how the
other interface names are generated, and only add the interface to the argument
list if it is up.
If cookies are disabled, the Statuspage only displays an empty ("Not connected")
This checks if the localStorage API is available and working and only uses it in this case
Also allows better backwards compatibility.
Users may have defined additional mesh interfaces. Properly migrate these
to avoid subtly breaking the network config (and make them ready for new
mesh protocols).
Switch to:
1. WAN
2. LAN
3. Mesh VPN
As WAN and LAN are setup in gluon-mesh-batman-adv-core (and will be moved
to gluon-core), while the mesh VPN has its own package, giving WAN and LAN
the first indices is preferable.
Just like we enabled multicast snooping on the batman-adv client bridge
again, let's do the same for the WAN side.
With one exception: The IGMP/MLD querier is kept disabled to avoid
becoming too "bossy"/"noisy" on a foreign network. The main router on
the WAN side should perform querying and by that enable
IGMP/MLD/snooping if it considers this appropriate there.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
A few issues with the bridge snooping were identified and fixed
upstream in OpenWRT:
* "firewall: Allow IGMP and MLD input on WAN" (r45613)
* "kernel: bridge: backport two snooping related patches" (r45783)
* netifd: "bridge: Fix multicast_to_unicast feature by hairpin+isolate"
(OW: "netifd: update to the latest version, adds multicast-to-unicast fixes" (r46719))
* "kernel: bridge, multicast-to-unicast: assign src after pskb_may_pull()" (r46721)
* "kernel: bridge, multicast-to-unicast: fix echoes on STA" (46765)
These have very likely caused issues with the bridge snooping before,
which led to disabling it in the past. Let's reenable the multicast
snooping now that they were fixed for reduced multicast overhead on the
wifi.
Advantages are the following:
This mildly reduces overhead on the mesh layer. And significantly reduces
overhead on the AP interface and therefore significantly increases
available airtime (the currently most significant scalability bottleneck).
Secondly removes an easy, often accidental node-local Denial-of-Service
vector based on multicast flooding / streaming.
Thirdly, makes node-local multicast streaming feasible.
Finally should noticably increase battery life of mobile devices.
Note: bridge querier is disabled for br-wan. We want to avoid becoming
too "bossy"/"noisy" on a foreign network.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The mesh side has become fairly huge in many communities. Up to
a few thousand entries can currently be found in the forwarding
database (fdb) of a bridge for its bridge port bat0.
The bridge fdb is kind of redundant to the batman-adv global translation
table here. Therefore this patch tries to reduce memory footprint by
following an approach similar to the IGMP/MLD split patchset approach:
Make the bridge oblivious not only regarding multicast listeners towards
the mesh but with this patch unicast hosts on the mesh, too.
If the destination of an ethernet frame is known by the bridge to be a
local one, then the frame is forwarded to the according port. If it is
unknown, then the frame is forwarded to the wifi AP interface and bat0.
mac80211 and batman-adv then know whether to drop or forward a frame
further through their own book-keeping.
Note that unicast-flood is not disabled for the wifi AP bridge port, nor
is learning disabled on the wifi AP. This is mainly to keep the
configuration in UCI and according setup scripts simple ;). However, not
disalbling unicast-flood on the wifi AP interface might also give a
minor latency improvement for newly joining wifi clients.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The arguments are now provided by gluon-mesh-batman-adv-core, so
gluon-radvd can be used with other mesh protocols.
[Matthias Schiffer: removed PROVIDES dependency]
Some drivers (mt76) don't support arbitrary MAC addresses. Use the
addresses provided by the driver (avoiding the primary address) by default,
but fall back to our has-based scheme when the driver doesn't provide
(enough) addresses.
The new MR1750v2 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
The new OM2P-HSv3 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Most doubles that are delivered via respondd have limited input
precision, but are converted with up to 17 digits of precision. That can
cause ugly blowups like 0.2800000000000001 in the output, which is
avoided by specifying better format strings (like "%.2f" in most cases).
The OpenMesh devices have a sticker with the eth0 mac address on the
bottom. Also all other mac addresses are calculated based on this address.
Therefore, it is better to use this as primary mac address instead of the
WiFi mac address.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.
For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.
Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).
Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.
Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.
Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.
The intend back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Don't fork reboot process before all package hooks have been handled and
rendering is complete.
Replace debug.setfenv hack to close stdout with nixio.dup.
Fixes#772
The image validation currently fails on some devices (tested OpenMesh)
because it isn't done via sysupgrade. But the checks depend partially on
the integration in sysupgrade (e.g. via loops that can be stopped via
"break statements").
Instead of hacking its own version check, it is easier and better tested to
just use 'sysupgrade -T' like it is already done by LuCI.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Lua's tables are 1-based, so we must decrement the index by 1 to get the
desired MAC addresses. By not doing this, the second IBSS interface would
get the address with index 8, but only indices 0..7 are available.
Fixes: c73a12e0ea
