By emitting Lua code to call translate() and pcdata(), we are more
flexible than when doing this internally in the parser. The performance
penalty should be negligible.
This patch moves the prefix4 subnet route from the local-node veth
device to br-client (while keeping the next node ipv4 address on the
local node device).
This is in preparation to allow routing over the br-client interface
later.
This package adds filters to limit the amount of ARP Requests
devices are allowed to send into the mesh. The limits are 6 packets
per minute per client device, by MAC address, and 1 per second per
node in total.
A burst of up to 50 ARP Requests is allowed until the rate-limiting
takes effect (see --limit-burst in the ebtables manpage).
Furthermore, ARP Requests with a target IP already present in the
batman-adv DAT Cache are excluded from the rate-limiting,
both regarding counting and filtering, as batman-adv will respond
locally with no burden for the mesh. Therefore, this limiter
should not affect popular target IPs, like gateways.
However it should mitigate the problem of curious people or
smart devices scanning the whole IP range. Which could create
a significant amount of overhead for all participants so far.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Both gluon.sysconfig and libgluonutil already remove the trailing newline
if it exists. It's nicer to avoid files without a trailing newline, e.g.
for printing the file contents in a terminal.
This is currently only implemented in the gluon-mesh-vpn-fastd
package.
Advertising the public key may be deemed problematic when
your threat-model involves protecting the nodes privacy
from tunnel traffic correlation by onlink observers.
It can be enabled by setting site.mesh_vpn.fastd.pubkey_privacy
to `false`.
If a value is unset or optional, an empty choice is added to the selection.
This empty choice will be marked as invalid if the value is not optional.
This is properly supported for the 'select' widget only for now, and not
for 'radio'.
This package drops all incoming router advertisements except for the
default router with the best metric according to B.A.T.M.A.N. advanced.
Note that advertisements originating from the node itself (for example
via gluon-radvd) are not affected.
Also disabling TX checksums and not only allowing incoming packets without
checksum will provide another small speedup. As doing so would break wired
meshing with VXLAN-enabled nodes that require non-zero checksums, we will
wait a few days before this step.
In addition to significant internal differences in check_site_lib.lua (in
particular unifying error handling to a single place for the upcoming
multi-domain support), this changes the way fields are addressed in site
check scripts: rather than providing a string like 'next_node.ip6', the
path is passed as an array {'next_node', 'ip6'}.
Other changes in site check scripts:
* need_array and need_table now pass the full path to the sub fields to the
subcheck instead of the key and value
* Any check referring to a field inside a table implies that all higher
levels must be tables if they exist: a check for {'next_node', 'ip6'} adds
an implicit (optional) check for {'next_node'}, which allows to remove many
explicit checks for such tables
This should not convert JSON to a Lua table and back, as this loses the
distinction between arrays and objects, but as our site.conf is defined in
Lua anyways (for now), this can be fixed in a later revision.
[Matthias Schiffer: rename to gluon-show-site, rebase]
By basing the Lua gluon.site module on gluonutil_load_site_config(), the
config load implementation needs to changed only in a single place for
multi-domain support.
This enables the ebtables internal locking mechanism which
will avoid race conditions between multiple, concurrent
ebtables calls.
This is a preparation for the upcoming gluon-arp-limiter
daemon, to avoid issues if upon restarting gluon-ebtables
the gluon-arp-limiter daemon tries to modify the tables.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Interacting with batman-adv's genl interface requires some code and
definitions which could be shared between different packages. libbatadv is
trying to do this without providing any guarantee for ABI or API stability.
It is only useful in very controlled environments like gluon.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
* gluon-core, gluon-client-bridge: introduce new firewall zone: local_client
* gluon-core: put clients in local_client zone, introduce drop-zone,
set dns-rules and zones
* gluon-respondd: allow respondd on mesh
* gluon-status-page-api: allow http input on mesh and client
Filtering by MAC address won't filter out multicast packages like router
solicitations, causing uradvd to send out router advertisements with
maximum frequency (every 3 seconds) in active meshes, even when no local
client is actually interested in the advertisements.
Fixes#1230
The new gluon.site lua library will eventually replace gluon.site_config
(which is hereby deprecated, but will continue to be supported for a
while).
The new gluon.site library will wrap all values to allow traversing
non-existing tables without errors.
site = require 'gluon.site'
c = site.a.b.c -- doesn't fail even if a or a.b don't exist
The wrapped values must be unwrapped using call syntax:
site_name = site.site_name()
Using the call syntax on a non-existing value will return nil. An
alternative default value may be passed instead:
mac = site.next_node.mac('16:41:95:40:f7:dc')
The generic upgrade script is moved to run after the more specific scripts.
In addition, the script will now remove the configuration sections of
uninstalled VPN packages, so both positive and negative changes of the
default enable state can be migrated correctly.
Based-on-patch-by: Cyrus Fox <cyrus@lambdacore.de>
Fixes: #1187
When a Gluon node is used to connect to an uplink router/DHCP server (for
example in deployments without VPN tunnels), the gw_mode must be set to
server; this should be preserved on upgrades.
Fixes#1196
To reduce the number of packages that need to be listed in
GLUON_SITE_PACKAGES, this adds a new variable GLUON_FEATURES. Sets of
packages are enabled automatically based on the combination of listed
feature flags.
Site-specified package feeds can provide their own feature flag
definitions.
As PROVIDES can be used to replace real packages now, we don't need the
virtual packages as workaround anymore. This also means that the providing
packages don't need to be added to site.mk explicitly anymore when the
default provider is used.
We now create bat0 and primary0 independently of the lower mesh interfaces,
making the whole setup a lot more robust. In particular:
- we can't accidentially destroy primary0 because of concurrent setup and
teardown runs of different interfaces
- bat0 will always exist, even when no mesh interfaces are up (e.g. no link
on wired mesh)
- interfaces going down and up again will never tear down the whole of
batman-adv
- we can enable and disable bat0 independently of the lower interface
states
We always want to prefer the unique node address for outgoing traffic. Note
that this doesn't have an effect with batman-adv, as usually br-client will
be the outgoing interface, so the unique address would be chosen anyways.
macvlan interfaces never directly exchange traffic with the underlying
interface, but only with other hosts behind the interface. In consequence,
router advertisements from the uradvd running on br-client could never
reach local-node, preventing it from getting an IPv6 address without RAs
from an external radvd. Fix this be replacing the macvlan interface with
a veth pair (with the peer interface in br-client).
As a side effect, this saves about 5KB of flash, as the veth module is
simpler than macvlan.
When preparing the migration from macvlan to veth for local-node, MAC
address conflicts occurred as some ports of br-client had the same address
as local-node. Reverting the roles of both interfaces fixes this.
By default, br-client is left as an interface without addresses and
firewall rules that drop everything, so the bridge is used to connect its
ports only. gluon-mesh-batman-adv-core changes this to the usual set
of addresses and firewall rules.
The batadv debugfs requires large memory blocks to write the text debug
tables. This is inefficient for large tables like the global translation
table or the originators table.
The memory requirement can be reduced by using netlink. It copies smaller
packets in a binary format to the userspace program. The respondd module of
gluon-mesh-batman-adv-core can therefore parse larger originator tables
without causing an OOM on systems which are tight on memory.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
The batadv debugfs requires large memory blocks to write the text debug
tables. This is inefficient for large tables like the global translation
table or the originators table.
The memory requirement can be reduced by using netlink. It copies smaller
packets in a binary format to the userspace program. gluon-status-page-api
can therefore parse larger originator tables without causing an OOM on
systems which are tight on memory.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
MAC and IP addresses are switched. This makes the gluon-client-bridge
package more useful for different routing protocols that don't need a
unique address on the client bridge.
As a side effect, gluon-radvd is now using the next-node address, which had
been considered before, but was dismissed to avoid having gluon-radvd
depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful
for announcing default routes via gluon-radvd.
One downside is that this introduces a minor dependency on batman-adv in
gluon-respondd: the hotplug script that checked for the client interface
before will now check for local-node. This doesn't really matter: for mesh
protocols without a local-node interface, the check will do nothing (which
makes sense, as there is no interface to bind to for mesh-wide respondd).
Because we unconditionally appended `-i br-client` to the command line of
respondd, it wasn't restarted when br-client changed state. Now, we use a
jsonfilter expression on the network.interface dump data, similar to how the
other interface names are generated, and only add the interface to the argument
list if it is up.
If cookies are disabled, the Statuspage only displays an empty ("Not connected")
This checks if the localStorage API is available and working and only uses it in this case
Also allows better backwards compatibility.
Users may have defined additional mesh interfaces. Properly migrate these
to avoid subtly breaking the network config (and make them ready for new
mesh protocols).
Switch to:
1. WAN
2. LAN
3. Mesh VPN
As WAN and LAN are setup in gluon-mesh-batman-adv-core (and will be moved
to gluon-core), while the mesh VPN has its own package, giving WAN and LAN
the first indices is preferable.
Just like we enabled multicast snooping on the batman-adv client bridge
again, let's do the same for the WAN side.
With one exception: The IGMP/MLD querier is kept disabled to avoid
becoming too "bossy"/"noisy" on a foreign network. The main router on
the WAN side should perform querying and by that enable
IGMP/MLD/snooping if it considers this appropriate there.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
A few issues with the bridge snooping were identified and fixed
upstream in OpenWRT:
* "firewall: Allow IGMP and MLD input on WAN" (r45613)
* "kernel: bridge: backport two snooping related patches" (r45783)
* netifd: "bridge: Fix multicast_to_unicast feature by hairpin+isolate"
(OW: "netifd: update to the latest version, adds multicast-to-unicast fixes" (r46719))
* "kernel: bridge, multicast-to-unicast: assign src after pskb_may_pull()" (r46721)
* "kernel: bridge, multicast-to-unicast: fix echoes on STA" (46765)
These have very likely caused issues with the bridge snooping before,
which led to disabling it in the past. Let's reenable the multicast
snooping now that they were fixed for reduced multicast overhead on the
wifi.
Advantages are the following:
This mildly reduces overhead on the mesh layer. And significantly reduces
overhead on the AP interface and therefore significantly increases
available airtime (the currently most significant scalability bottleneck).
Secondly removes an easy, often accidental node-local Denial-of-Service
vector based on multicast flooding / streaming.
Thirdly, makes node-local multicast streaming feasible.
Finally should noticably increase battery life of mobile devices.
Note: bridge querier is disabled for br-wan. We want to avoid becoming
too "bossy"/"noisy" on a foreign network.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The mesh side has become fairly huge in many communities. Up to
a few thousand entries can currently be found in the forwarding
database (fdb) of a bridge for its bridge port bat0.
The bridge fdb is kind of redundant to the batman-adv global translation
table here. Therefore this patch tries to reduce memory footprint by
following an approach similar to the IGMP/MLD split patchset approach:
Make the bridge oblivious not only regarding multicast listeners towards
the mesh but with this patch unicast hosts on the mesh, too.
If the destination of an ethernet frame is known by the bridge to be a
local one, then the frame is forwarded to the according port. If it is
unknown, then the frame is forwarded to the wifi AP interface and bat0.
mac80211 and batman-adv then know whether to drop or forward a frame
further through their own book-keeping.
Note that unicast-flood is not disabled for the wifi AP bridge port, nor
is learning disabled on the wifi AP. This is mainly to keep the
configuration in UCI and according setup scripts simple ;). However, not
disalbling unicast-flood on the wifi AP interface might also give a
minor latency improvement for newly joining wifi clients.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The arguments are now provided by gluon-mesh-batman-adv-core, so
gluon-radvd can be used with other mesh protocols.
[Matthias Schiffer: removed PROVIDES dependency]
Some drivers (mt76) don't support arbitrary MAC addresses. Use the
addresses provided by the driver (avoiding the primary address) by default,
but fall back to our has-based scheme when the driver doesn't provide
(enough) addresses.
The new MR1750v2 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
The new OM2P-HSv3 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Most doubles that are delivered via respondd have limited input
precision, but are converted with up to 17 digits of precision. That can
cause ugly blowups like 0.2800000000000001 in the output, which is
avoided by specifying better format strings (like "%.2f" in most cases).
The OpenMesh devices have a sticker with the eth0 mac address on the
bottom. Also all other mac addresses are calculated based on this address.
Therefore, it is better to use this as primary mac address instead of the
WiFi mac address.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.
For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.
Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).
Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.
Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.
Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.
The intend back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Don't fork reboot process before all package hooks have been handled and
rendering is complete.
Replace debug.setfenv hack to close stdout with nixio.dup.
Fixes#772
The image validation currently fails on some devices (tested OpenMesh)
because it isn't done via sysupgrade. But the checks depend partially on
the integration in sysupgrade (e.g. via loops that can be stopped via
"break statements").
Instead of hacking its own version check, it is easier and better tested to
just use 'sysupgrade -T' like it is already done by LuCI.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Lua's tables are 1-based, so we must decrement the index by 1 to get the
desired MAC addresses. By not doing this, the second IBSS interface would
get the address with index 8, but only indices 0..7 are available.
Fixes: c73a12e0ea
There are a few devices which have more than one LAN interface (for example
some revision of the TL-WR941ND, which uses a DSA-based switch, so each
switch port has its own netdev.) On these devices we need a bridge for
mesh-on-lan (as the alternative of adding them to batman-adv individually
would need too many MAC addresses.)
While ath9k/ath10k devices can supprt VIFs with any combination of MAC addresses, there are also adapters which have a hardware MAC filter which only allows a few bits to differ. This commit changes the addresses of all VIFs to ony differ in the last 3 bits, which is required to support many Ralink/Mediatek based WLAN adapters.
Technically, the new addresses are generated by calculating an MD5 hash of the primary MAC address and using a part of this hash as a prefix for the MAC addresses.
The addresses (BSSIDs) of the AP VIFs are also reused for the LAN and WAN interfaces in mesh-on-LAN/WAN mode to reduce the number of needed addresses, and thus reduce the chance of collisions. This is not a problem as the MAC addresses of the AP VIFs are never used except as BSSID, and thus not seen by routing protocols like batman-adv.
Fixes#648
[Matthias Schiffer: rewrote commit message]
Device information can be found at:
http://www.8devices.com/products/carambola-2https://wiki.openwrt.org/toh/8devices/carambola2
I only did some minimal testing of gluon on the carambola 2 development
board:
- Config mode works
- Connects to Wifi Mesh
- Allows clients to connect
Notably, autoupgrade has not yet been tested.
Change to 010-primary-mac is necessary as the mac address printed
on the sticker is the one of eth0, not the wifi mac.
We are mostly dealing with the 2.4GHz crap-band here, so increasing the
IGMP/MLD robustness parameter to three to be able to compensate for up
to two consecutive instead of just one lost packet.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
There are some devices not acting properly to roaming events, in that
they do not timely reissue IGMP/MLD reports after reconnecting.
To compensate for that this commit reduces the query interval from 125
seconds to 20 and the query response interval from 20 seconds to 5.
This reduces a timeout to 20+5 seconds in the worst-case (12.5s average)
after a roaming event for such broken devices. This should be below the
30s "impatient user threshold" and below any connection timeout.
Until the bridge multicast snooping + querier gets re-enabled this is a
no-op.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Adopt the according modifications to the default firewall settings of
the WAN interface from OpenWRT, revision 45613.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
An IGMP/MLD domain split will prevent us from being able to track
multicast listeners on other nodes.
Therefore we need to always hand any multicast packets we received from
local clients to batman-adv. With bridge multicast snooping disabled,
the current setting in Gluon, this is already the case.
However, in preparation to enabling multicast snooping, we need to
enforce forwarding towards batman-adv by setting the bridge port
option "multicast_router" to 2.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
It is not supported by all browsers yet.
Also change load display always to display 2 decimal digits (as it is read
from the kernel with 2 decimal digits).
Fixes#606
Mobile browsers will often show or hide the address bar while scrolling.
This causes resize events which would often reset the signal graphs.
Fixes#662
Ethernet links provide transitive connectivity in all but very unusual
setup, enable mesh_no_rebroadcast to reduce load for devices on links with
many nodes.
Fixes#652
This new feature introduces the new uci section 'gluon-core.wireless' with a preserve_channels option:
* preserve_channels (boolean)
By setting this option to 1 (true) wifi channels will be preserved during upgrades.
Instead of starting gluon-respondd from a hotplug handler, add a proper
init script. The new init script has a restart_if_running argument which
is now used by the hotplug handler.
introduce function to recurse down to the lowest layer-2 interface
corresponding to a given interface.
also re-introduce some of the previously removed input validation plus
some more to protect against glob and path based exploits.
The timeout was calculated incorrectly (in each iteration the span between
the start time and the current time was substracted from the timeout
again), and would often become negative, causing warnings in the kernel
log.
On the status page statistics section counters for transmitted and received traffic were mixed up. Transmitted traffic was shown as received while received traffic was shown as being transmitted.
Fixes#586
Is makes sense to always look for both ibss_radio* and mesh_radio* sections
to determine if the meshing should be enabled when regenerating these
sections. Doing this, the disabled state will survive updates changing the
section name (either updating from pre-2015.2 while keeping IBSS, or
changing from IBSS to 11s or vice-versa).
If both ibss_radio* and mesh_radio* sections exist, the disabled state will
be kept correctly for each section, the behaviour is changed only when
creating a section that didn't exist before.
Fixes#549
PKG_FILE_DEPENDS caused the whole site repo to be hashed to determine if
gluon-site needed rebuilding. While this is normally no problem,
alternative build setups sometimes put the Gluon repo inside the site repo,
causing long build times and parallel build failures.
in a layer 2 mesh network, multicast pings cause a lot of traffic in the
network, significantly increasing the 'backgroudn noise' (= Grundrauschen)
and stressing nodes in the network.
this commit blacklists all icmpv4 multicast traffic as well as multicast
icmpv6 echo-requests and node iformation queries. as no application
depending on these types of multicast traffic is known, blacklisting is safe.
gluon-radio-config contained only a single file. The code has been adjusted
to allow creating a Gluon configuration without WLAN support by removing
the wifi24 and wifi5 sections from site.conf.
The file promotes the probably unnecessary re-execution of the announce
scripts. Instead, gluon-announced should be queried using
gluon-neighbour-info -d ::1 -p 1001 -t0 -r nodeinfo
if both gluon-announced and gluon-neighbour-info are present. But to not
depend on any of those, no script for this one-liner is provided.
Now that the status page api has been rewritten in C CPU load and memory
usage is much lower. Also, nodes with both ibss and 11s mesh and dual
band wifi may require up to 9 connections for a single client, thus the
previous limit of 12 seemed a little low.
Convert option ifname in br-client to use a list instead. This
simplifies adding and remove interfaces:
uci:add_to_set("network", "client", "ifname", "eth0")
uci:remove_from_set("network", "client", "ifname", "eth0")
An option ifname will be automatically converted to a list when
performing an upgrade.
Packages affected: gluon-mesh-batman-adv-core, gluon-luci-portconfig
When rebooting the node in config mode, currently the fastd key is
forcefully displayed in a fixed format. This is confusing in communities
where fastd accepts all keys and no key submission is needed.
Furthermore, some communities might want to personalize the display of
the key (see #387).
This patch moves the displaying <div> from the package's lua file to the
translation files of the sample site configuration and mentiones the
change in the release notes.
Apart from replacing a patch for the former by two patches for latter,
this involved minimal adaptations of the lua scripts in the following
packages:
* gluon-announce
* gluon-announced
* gluon-mesh-batman-adv-core
* gluon-status-page