This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.
For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.
Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).
Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.
Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.
Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.
The intend back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Don't fork reboot process before all package hooks have been handled and
rendering is complete.
Replace debug.setfenv hack to close stdout with nixio.dup.
Fixes#772
The image validation currently fails on some devices (tested OpenMesh)
because it isn't done via sysupgrade. But the checks depend partially on
the integration in sysupgrade (e.g. via loops that can be stopped via
"break statements").
Instead of hacking its own version check, it is easier and better tested to
just use 'sysupgrade -T' like it is already done by LuCI.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Lua's tables are 1-based, so we must decrement the index by 1 to get the
desired MAC addresses. By not doing this, the second IBSS interface would
get the address with index 8, but only indices 0..7 are available.
Fixes: c73a12e0ea
There are a few devices which have more than one LAN interface (for example
some revision of the TL-WR941ND, which uses a DSA-based switch, so each
switch port has its own netdev.) On these devices we need a bridge for
mesh-on-lan (as the alternative of adding them to batman-adv individually
would need too many MAC addresses.)
While ath9k/ath10k devices can supprt VIFs with any combination of MAC addresses, there are also adapters which have a hardware MAC filter which only allows a few bits to differ. This commit changes the addresses of all VIFs to ony differ in the last 3 bits, which is required to support many Ralink/Mediatek based WLAN adapters.
Technically, the new addresses are generated by calculating an MD5 hash of the primary MAC address and using a part of this hash as a prefix for the MAC addresses.
The addresses (BSSIDs) of the AP VIFs are also reused for the LAN and WAN interfaces in mesh-on-LAN/WAN mode to reduce the number of needed addresses, and thus reduce the chance of collisions. This is not a problem as the MAC addresses of the AP VIFs are never used except as BSSID, and thus not seen by routing protocols like batman-adv.
Fixes#648
[Matthias Schiffer: rewrote commit message]
Device information can be found at:
http://www.8devices.com/products/carambola-2https://wiki.openwrt.org/toh/8devices/carambola2
I only did some minimal testing of gluon on the carambola 2 development
board:
- Config mode works
- Connects to Wifi Mesh
- Allows clients to connect
Notably, autoupgrade has not yet been tested.
Change to 010-primary-mac is necessary as the mac address printed
on the sticker is the one of eth0, not the wifi mac.
We are mostly dealing with the 2.4GHz crap-band here, so increasing the
IGMP/MLD robustness parameter to three to be able to compensate for up
to two consecutive instead of just one lost packet.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
There are some devices not acting properly to roaming events, in that
they do not timely reissue IGMP/MLD reports after reconnecting.
To compensate for that this commit reduces the query interval from 125
seconds to 20 and the query response interval from 20 seconds to 5.
This reduces a timeout to 20+5 seconds in the worst-case (12.5s average)
after a roaming event for such broken devices. This should be below the
30s "impatient user threshold" and below any connection timeout.
Until the bridge multicast snooping + querier gets re-enabled this is a
no-op.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Adopt the according modifications to the default firewall settings of
the WAN interface from OpenWRT, revision 45613.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
An IGMP/MLD domain split will prevent us from being able to track
multicast listeners on other nodes.
Therefore we need to always hand any multicast packets we received from
local clients to batman-adv. With bridge multicast snooping disabled,
the current setting in Gluon, this is already the case.
However, in preparation to enabling multicast snooping, we need to
enforce forwarding towards batman-adv by setting the bridge port
option "multicast_router" to 2.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
It is not supported by all browsers yet.
Also change load display always to display 2 decimal digits (as it is read
from the kernel with 2 decimal digits).
Fixes#606
Mobile browsers will often show or hide the address bar while scrolling.
This causes resize events which would often reset the signal graphs.
Fixes#662
Ethernet links provide transitive connectivity in all but very unusual
setup, enable mesh_no_rebroadcast to reduce load for devices on links with
many nodes.
Fixes#652
This new feature introduces the new uci section 'gluon-core.wireless' with a preserve_channels option:
* preserve_channels (boolean)
By setting this option to 1 (true) wifi channels will be preserved during upgrades.
Instead of starting gluon-respondd from a hotplug handler, add a proper
init script. The new init script has a restart_if_running argument which
is now used by the hotplug handler.
