Some drivers (mt76) don't support arbitrary MAC addresses. Use the
addresses provided by the driver (avoiding the primary address) by default,
but fall back to our has-based scheme when the driver doesn't provide
(enough) addresses.
The new MR1750v2 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
The new OM2P-HSv3 device support is only available in LEDE master. The
relevant patches have to backported to add support for them in Gluon
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Most doubles that are delivered via respondd have limited input
precision, but are converted with up to 17 digits of precision. That can
cause ugly blowups like 0.2800000000000001 in the output, which is
avoided by specifying better format strings (like "%.2f" in most cases).
The OpenMesh devices have a sticker with the eth0 mac address on the
bottom. Also all other mac addresses are calculated based on this address.
Therefore, it is better to use this as primary mac address instead of the
WiFi mac address.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.
For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.
Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).
Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.
Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.
Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.
The intend back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Don't fork reboot process before all package hooks have been handled and
rendering is complete.
Replace debug.setfenv hack to close stdout with nixio.dup.
Fixes#772
The image validation currently fails on some devices (tested OpenMesh)
because it isn't done via sysupgrade. But the checks depend partially on
the integration in sysupgrade (e.g. via loops that can be stopped via
"break statements").
Instead of hacking its own version check, it is easier and better tested to
just use 'sysupgrade -T' like it is already done by LuCI.
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Lua's tables are 1-based, so we must decrement the index by 1 to get the
desired MAC addresses. By not doing this, the second IBSS interface would
get the address with index 8, but only indices 0..7 are available.
Fixes: c73a12e0ea
There are a few devices which have more than one LAN interface (for example
some revision of the TL-WR941ND, which uses a DSA-based switch, so each
switch port has its own netdev.) On these devices we need a bridge for
mesh-on-lan (as the alternative of adding them to batman-adv individually
would need too many MAC addresses.)
While ath9k/ath10k devices can supprt VIFs with any combination of MAC addresses, there are also adapters which have a hardware MAC filter which only allows a few bits to differ. This commit changes the addresses of all VIFs to ony differ in the last 3 bits, which is required to support many Ralink/Mediatek based WLAN adapters.
Technically, the new addresses are generated by calculating an MD5 hash of the primary MAC address and using a part of this hash as a prefix for the MAC addresses.
The addresses (BSSIDs) of the AP VIFs are also reused for the LAN and WAN interfaces in mesh-on-LAN/WAN mode to reduce the number of needed addresses, and thus reduce the chance of collisions. This is not a problem as the MAC addresses of the AP VIFs are never used except as BSSID, and thus not seen by routing protocols like batman-adv.
Fixes#648
[Matthias Schiffer: rewrote commit message]
Device information can be found at:
http://www.8devices.com/products/carambola-2https://wiki.openwrt.org/toh/8devices/carambola2
I only did some minimal testing of gluon on the carambola 2 development
board:
- Config mode works
- Connects to Wifi Mesh
- Allows clients to connect
Notably, autoupgrade has not yet been tested.
Change to 010-primary-mac is necessary as the mac address printed
on the sticker is the one of eth0, not the wifi mac.
We are mostly dealing with the 2.4GHz crap-band here, so increasing the
IGMP/MLD robustness parameter to three to be able to compensate for up
to two consecutive instead of just one lost packet.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
There are some devices not acting properly to roaming events, in that
they do not timely reissue IGMP/MLD reports after reconnecting.
To compensate for that this commit reduces the query interval from 125
seconds to 20 and the query response interval from 20 seconds to 5.
This reduces a timeout to 20+5 seconds in the worst-case (12.5s average)
after a roaming event for such broken devices. This should be below the
30s "impatient user threshold" and below any connection timeout.
Until the bridge multicast snooping + querier gets re-enabled this is a
no-op.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Adopt the according modifications to the default firewall settings of
the WAN interface from OpenWRT, revision 45613.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
An IGMP/MLD domain split will prevent us from being able to track
multicast listeners on other nodes.
Therefore we need to always hand any multicast packets we received from
local clients to batman-adv. With bridge multicast snooping disabled,
the current setting in Gluon, this is already the case.
However, in preparation to enabling multicast snooping, we need to
enforce forwarding towards batman-adv by setting the bridge port
option "multicast_router" to 2.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
It is not supported by all browsers yet.
Also change load display always to display 2 decimal digits (as it is read
from the kernel with 2 decimal digits).
Fixes#606
Mobile browsers will often show or hide the address bar while scrolling.
This causes resize events which would often reset the signal graphs.
Fixes#662
Ethernet links provide transitive connectivity in all but very unusual
setup, enable mesh_no_rebroadcast to reduce load for devices on links with
many nodes.
Fixes#652
This new feature introduces the new uci section 'gluon-core.wireless' with a preserve_channels option:
* preserve_channels (boolean)
By setting this option to 1 (true) wifi channels will be preserved during upgrades.
Instead of starting gluon-respondd from a hotplug handler, add a proper
init script. The new init script has a restart_if_running argument which
is now used by the hotplug handler.
introduce function to recurse down to the lowest layer-2 interface
corresponding to a given interface.
also re-introduce some of the previously removed input validation plus
some more to protect against glob and path based exploits.
The timeout was calculated incorrectly (in each iteration the span between
the start time and the current time was substracted from the timeout
again), and would often become negative, causing warnings in the kernel
log.
On the status page statistics section counters for transmitted and received traffic were mixed up. Transmitted traffic was shown as received while received traffic was shown as being transmitted.
Fixes#586
Is makes sense to always look for both ibss_radio* and mesh_radio* sections
to determine if the meshing should be enabled when regenerating these
sections. Doing this, the disabled state will survive updates changing the
section name (either updating from pre-2015.2 while keeping IBSS, or
changing from IBSS to 11s or vice-versa).
If both ibss_radio* and mesh_radio* sections exist, the disabled state will
be kept correctly for each section, the behaviour is changed only when
creating a section that didn't exist before.
Fixes#549
PKG_FILE_DEPENDS caused the whole site repo to be hashed to determine if
gluon-site needed rebuilding. While this is normally no problem,
alternative build setups sometimes put the Gluon repo inside the site repo,
causing long build times and parallel build failures.
in a layer 2 mesh network, multicast pings cause a lot of traffic in the
network, significantly increasing the 'backgroudn noise' (= Grundrauschen)
and stressing nodes in the network.
this commit blacklists all icmpv4 multicast traffic as well as multicast
icmpv6 echo-requests and node iformation queries. as no application
depending on these types of multicast traffic is known, blacklisting is safe.
gluon-radio-config contained only a single file. The code has been adjusted
to allow creating a Gluon configuration without WLAN support by removing
the wifi24 and wifi5 sections from site.conf.
The file promotes the probably unnecessary re-execution of the announce
scripts. Instead, gluon-announced should be queried using
gluon-neighbour-info -d ::1 -p 1001 -t0 -r nodeinfo
if both gluon-announced and gluon-neighbour-info are present. But to not
depend on any of those, no script for this one-liner is provided.
Now that the status page api has been rewritten in C CPU load and memory
usage is much lower. Also, nodes with both ibss and 11s mesh and dual
band wifi may require up to 9 connections for a single client, thus the
previous limit of 12 seemed a little low.
Convert option ifname in br-client to use a list instead. This
simplifies adding and remove interfaces:
uci:add_to_set("network", "client", "ifname", "eth0")
uci:remove_from_set("network", "client", "ifname", "eth0")
An option ifname will be automatically converted to a list when
performing an upgrade.
Packages affected: gluon-mesh-batman-adv-core, gluon-luci-portconfig
When rebooting the node in config mode, currently the fastd key is
forcefully displayed in a fixed format. This is confusing in communities
where fastd accepts all keys and no key submission is needed.
Furthermore, some communities might want to personalize the display of
the key (see #387).
This patch moves the displaying <div> from the package's lua file to the
translation files of the sample site configuration and mentiones the
change in the release notes.
Apart from replacing a patch for the former by two patches for latter,
this involved minimal adaptations of the lua scripts in the following
packages:
* gluon-announce
* gluon-announced
* gluon-mesh-batman-adv-core
* gluon-status-page
Split basic radio configuration from gluon-mesh-batman-adv as this will
be required for virtually any wireless mesh protocol.
This package takes care of setting:
- wireless channel,
- htmode and
- regulatory domain
gluon-mesh-batman-adv-core depends on this package.
This is a site.conf-breaking change in regard to the wireless config.
Make sure to read http://gluon.readthedocs.org/en/latest/user/site.html
and update your site.conf accordingly!
Support for 802.11s mesh interfaces has been added. Gluon now supports
three interface types: ap, ibss and mesh. All of them are now optional
and may be configured independently in site.conf.
A sample site.conf may look like this:
wifi24 = {
channel = 1,
htmode = 'HT40+',
ap = {
ssid = 'luebeck.freifunk.net',
},
ibss = {
ssid = '02:d1:11:37:fc:38',
bssid = '02:d1:11:37:fc:38',
mcast_rate = 12000,
},
mesh = {
id = 'ffhl-mesh',
mcast_rate = 12000,
},
},
The nodeinfo/network/addresses announcement included deprecated and
tentative addresses, which it clearly shouldn't as the host doesn't want
to be contacted on those addresses. They are now filtered out.
Always output empty objects or nothing at all where objects are expected, but
no elements exist.
Also remove a few unneeded "requires", a few basic modules are provided by
announce.lua by default.
By introducing a new option -a in addition to -p this patch allows
controlling the on-link flag of announcements.
A prefix specified using -a will have the on-link flag set to zero
while a prefix specified using -p will retain its behaviour (i.e.
on-link flag set).
Example:
gluon-radvd -i local-node -p 2001:db8:aaaa:/64 -a 2001:db8:bbbb::/64
This will announce 2001:db8:aaaa::/64 with the on-link flag set and
2001:db8:bbbb::/64 with the flag unset.
This adds mesh_on_lan functionality.
A new optional site.conf option, mesh_on_lan, has been added. If set to
'true', all LAN ports will be used for meshing instead of being part of
the client bridge.
This will introduce a new nodeinfo object, network.mesh.bat0.interfaces,
containing any of the the following subordinated objects:
- wireless
- tunnel
- other
Each of these objects contains a (possibly empty) list of MAC addresses
(lowercase, colon-notation) corresponding to a interface of the given
class. Combined with a batman graph it is thus possible to mark
sub-graphs as "wireless" or "vpn".
The previously used object mesh_intefaces is superseded by this new
object structure and mesh_interfaces will be removed in a future Gluon
release.
OpenWrt doesn't set the regdom unless a WLAN device is started. Explicitly set
the regdom in the setup mode to get the correct list of allowed txpower entries
in the planned LuCI module.
In Bremen it has been noted that a prefix may lead people to believe it
has to stay there and thus naming their nodes "ffhb-*", which is not
what the community wants (see FreifunkBremen/gluon-site-ffhb#1).
However, an empty prefix lead to the connecting hyphen still being
inserted. This commit thus makes the hyphen part of the configured
prefix and allows the prefix to be missing from the `site.conf`.
This adds a new announce.d datum "neighbours" (alfred 160) containing
information about mesh neighbours. It's intended to be an replacement
for batadv-vis.
In addition to the data already provided by batadv-vis it'll also
provide information about direct wifi neighbours.
Unlike batadv-vis, no data about clients is transmitted.
Sample data:
{
"wifi": {
"90:f6:52:82:06:02": {
"neighbours": {
"f8:d1:11:2c:a7:d2": {
"noise": -95,
"inactive": 0,
"signal": 0
},
"96:f6:52:ff:cd:6f": {
"noise": -95,
"inactive": 0,
"signal": -37
}
}
}
},
"batadv": {
"90:f6:52:82:06:02": {
"neighbours": {
"96:f6:52:ff:cd:6f": {
"lastseen": 2.8500000000000001,
"tq": 177
}
}
},
"90:f6:52:82:06:03": {
"neighbours": {
"f8:d1:11:2c:a7:d3": {
"lastseen": 2.3500000000000001,
"tq": 206
}
}
}
},
"node_id": "90f652820602"
}
Moving the scripts to a common directory not only vastly simplifies the
zzz-gluon-upgrade script, but also allows to define an ordering of such
scripts across packages.
add invariant script "001-node-system" to add section "system" if not exist; add invariant script "010-node-role"
to add section "system" if not exist; add invariant script "010-node-role" to set role to default value
(site.roles.default) if not exist; depends on new site.conf section
When an early reboot is triggered because an upgrade script has disabled the
config mode, we need to explicitly call /etc/init.d/done, otherwise the overlay
will not be finalized after a firstboot and we get an endless reboot loop.
the gluon-announced package installs a hotplug script
that uses announce.lua from the gluon-announce package.
So we need to include gluon-announce as dependency.
Signed-off-by: flokli <florian@darmstadt.freifunk.net>
the ports were interchanged, see the following packet flow:
client:546 --> [ff02::1:2]:547
server:547 --> client:546
therefore we need to allow outgoing multicast packets with dst-port 547
and unicast packets from bat0 to clients with dst-port 546 and 547 in the other direction
This package will run as invariant script after each upgrade and copy
all keys from site.conf's authorized_keys entry to
/etc/dropbear/authorized_keys.
Existing keys will be preserved.
The site.conf entry 'authorized_keys' is required (if this package is
selected) and must contain a list of strings, each representing a line
of the resulting file.