As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.
Actually raise an error and turn it into an HTTP 400 return code when
something goes wrong, rather than ignoring the error.
We also improve the conditions under which errors are thrown before
pump() is called: We don't need to check for the multipart/form-data
content-type twice, and a POST without this content-type is now always
an error.
Swap the interfaces so than the PoE input port LAN0 is used for WAN and
config mode, and LAN1 becomes LAN.
To this end, the code previously used for ar71xx and removed in
commit 9fdc57c175 ("treewide: drop ar71xx platform specific code") is
reintroduced.
Fixes#2384
There wasn't really a reason to have a separate script to set a single
value.
In addition, the old script was using the identifier 'c' instead of
'uci' for the UCI cursor. Following the convention of the other scripts
is helpful so it is easy to grep for all uses of a certain config file/
option.
This copies the code from web-admin and uses it to create a neat
cli-accessible summary about a node
This could also be extended or possibly have all the data the status
page has
Co-Authored-By: Matthias Schiffer <mschiffer@universe-factory.net>
Declare the clock variable as extern in the header file.
Fixes compilation of gluon-ebtables-limit-arp with OpenWrt master:
multiple definition of `clock'; /gluon/openwrt/tmp/ccuynR0G.o:(.bss+0x230): first defined here
Signed-off-by: David Bauer <mail@david-bauer.net>
The 'hwmode' setting has been replaced with 'band' in OpenWrt to add
support for newer bands outside of 2.4G and 5G. Adjust Gluon accordingly.
[Matthias Schiffer: rebased, extended commit message]
In meshes without VPN or supernodes, it may be desirable to connect a
router providing IPv4 addresses directly to a regular Gluon node. For
this to work, it was necessary to remove the gluon-ebtables-filter-ra-dhcp
package from the node, so the autoupdater also needed to be disabled.
To avoid this, make gluon-ebtables-filter-ra-dhcp disable the DHCPv4
filter rules when gw_mode is set to 'server'.
No solution is provided for RA/DHCPv6, but this seems less pressing for
local meshes, as nodes can already provide working IPv6 connectivity
by themselves through gluon-radvd.
The network.wireless status ubus call only returns the configured
channel from UCI, breaking the status page in outdoor mode, where the
configuration contains 'auto' instead of a number.
Fixes: 0d3fa6b59b ("gluon-status-page: use ubus to get radio channels")
Closes#2336
In js `return` does behave like `continue` in a forEach() iteration.
The fixed function was intended to return nothing on error and does so
now, instead of a shorter (useless) array like before.
Calling functions like recv() with a NULL buffer is not explicitly
allowed by the POSIX standard, so it must be avoided to be portable
across different libc implementations. Allocate an initial buffer before
handling requests, and also pass this buffer to the peek recv() call.
Fixes: 531937cf6f ("gluon-neighbour-info: fix broken output with large results")
This removes PKG_VERSION and PKG_RELEASE from most Makefiles, as the
value was never useful for Gluon packages; instead, PKG_VERSION is set
to 1 in gluon.mk.
It also removes two other weird definitions:
- gluon-iptables-clamp-mss-to-pmtu replicating the old PKG_VERSION logic
from gluon-core, but without the fixed PKG_BUILD_DIR to prevent
unnessary rebuilds
- gluon-hoodselector set GLUON_VERSION=3
Calling git describe directly breaks isolation between the build system
and packages. Replace this with proper .config variables, like we
already do for GLUON_RELEASE.
Also replace the PKG_VERSION hack with a static '1', as we do for other
packages - while having those version numbers in opkg was cute, it was
also entirely useless. Having a fixed PKG_VERSION allows us to remove
the PKG_BUILD_DIR override as well.
Currently a buffer with a fixed size of 8192 bytes is used. However the
result can potentially be larger, which leads to a truncated JSON
output on stdout. UDP packets, without compression and with IP
fragmentation, can be up to 64KiB large.
Instead of using a fixed size buffer on the stack ask the kernel first
about the size of the UDP data and allocate a buffer of appropriate size
on the heap before receiving the UDP data.
The issue was observed with a custom respondd provider.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The address of the vpn interface is calculated in the style of
modified EUI-64, based on a virtual mac address. This virtual mac
address consists of 0x00 as first byte and the other five bytes
are taken from the first bytes of md5sum(base64 encoded public key).
The algorithm was taken by the ffmuc, with a slight difference. ffmuc
calculated the result of md5sum(base64 encoded public key + '\n')
which was interpreted as accidential fault and therefore dropped.
Example:
- Public-Key: "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="
- Address: "fe80::02ca:b8ff:fedc:2eb3"
The following interfaces are used for wireguard:
- wg_mesh -> wireguard interface
- mesh-vpn -> vxlan iface on top of wg_mesh
If you use this new feature, make sure the NTP servers in your site
config are publicly reachable. This is necessary, since wireguard
requires correct time before the vpn connection is established.
Therefore gluon performs ntp time synchronisation via WAN before it
establishes the vpn connection. Therefore the NTP servers have to
be publicly reachable (and not only via mesh).
Before this commit, some *.po files contained the same translation
twice within the same file. While this did not led to errors in
gluon yet, it is still invalid. This commit fixes that and removes
the duplicates.
- Move site check for prefix4 and extra_prefixes6 to gluon-core, so the
rules don't need to be duplicated in several packages. This also fixes
gluon-respondd not checking extra_prefixes6 at all when
gluon-ebtables-source-filter is not installed as well.
- A redundant check for prefix6 is removed from gluon-l3roamd (this was
already checked by gluon-core)
- A separate check for prefix4 remains in gluon-client-bridge, as the
setting in mandatory there
Fixes the display of client counts, which are numbers and not strings
in the respondd data.
Fixes: 3a885a1b22 ("gluon-status-page: make "gateway nexthop" a link (#2278)")
Do not depend on the respondd-airtime module just to get the configured
channels. This removes the display of the frequency in addition to the
channel, as it is not readily available.
In addition, the translation string is improved to allow for text after
the channel number.
This code is usually running on an embedded CPU without FPU. In
addtition to its inefficience, the algorithm is also much harder to
understand.
Replace the logarithm formula with a simple loop.
Specify conffiles for our packages, so they aren't overwritten during
opkg updates. While this only matters during development, it is
unintended to have different behaviour for opkg update and full firmware
updates.
The PHY lookup helper "find_phy_by_path" could not lookup the PHY name
for paths from multi-phy devices.
An example for such a path would be:
'1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
The integer after the plus (+) character determines the PHY index of the
specific device in relation to the PHY with the lowest index of the
device.
For example, if the device provides phy2 and phy3, the above path would
describe phy3. In case the device provides phy0 and phy1, it would
describe phy1.
Rewrite the "find_phy_by_path" function to support those paths as well
as regular device paths in a universal manner.
Signed-off-by: David Bauer <mail@david-bauer.net>
Delete all default network device sections upon first boot.
Only LAN & WAN networks are defined at this point. We are using the
legacy way of definiting bridges via the interface sections ifname
option.
The prior filtering was based upon a single device and didn't take into
consideration that DSA interface names can be named arbitrarily.
Signed-off-by: David Bauer <mail@david-bauer.net>
VoCores aren't exactly useful mesh nodes except for experimentation.
They certainly aren't worth maintaining a whole target, in particular
one that has a WLAN driver not used by any other target.
It was found that a one second timeout for nodeinfo data may be too low,
so that when a node is otherwise occupied that timeout may be reached
too often.
The nodeinfo query response is also vital to the status-page base
template, so that when it times out, the site will be turned in a broken
state, that it cannot recover from.
Fixes: #2256
A leading tab character usually marks recipe lines in Makefiles;
non-recipe lines must be indented using spaces.
The incorrect tab character doesn't seen to have caused any issues in
this case, but it should be fixed nonetheless, if only for consistency.
The file_contains_line helper function was not testing whether a file
exists or not prior attempting to read from it.
Add this check to circumvent errors on the private WiFi config in
case the hwflags file is missing.
Reported-by: Tom Herbers <freifunk@tomherbers.de>
Tested-by: Tom Herbers <freifunk@tomherbers.de>
Signed-off-by: David Bauer <mail@david-bauer.net>
The relevant entry for the primary MAC location was lost when rebasing
the patch on OpenWrt 21.02.
Fixes commit ded4b8a711 ("rockchip-armv8: add FriendlyARM NanoPi R2S")
Signed-off-by: David Bauer <mail@david-bauer.net>
Configure a radio for HE (802.11ax) operation in case it's supported by
the hardware. This can be the case for 2.4 GHz as well as 5 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
In case the limit_ingress or limit_egress options are not present in
gluon's mesh_vpn section the respondd provider compares a string literal
with a NULL pointer, crashing respondd.
Check both pointers prior to comparing them in order to mitigate this
issue.
Suggested-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
This fully abstracts VPN methods, making gluon-mesh-vpn-fastd and
gluon-mesh-vpn-tunneldigger completely self-contained.
Provide a LUA interface for generic interacting with VPN methods in
gluon-mesh-vpn-core and web packages.
This also adds the ability to install tunneldigger and fastd to the same
image, selecting the VPN method based on the selected domain.
Signed-off-by: David Bauer <mail@david-bauer.net>
Simplify the individual form providers by always running reconfigure. This
also commits all UCI packages, so we can remove all tracking of UCI
sections from the wizard code.
Instead of returning a list of packages to commit, the providers just
save their settings directly. Explicit runs of upgrade scripts are
removed, as they are now run by reconfigure.
This add support for a write() method on sections, in addition to the
value and form level write(). write() is only called when the section is
valid and visible. In addition, write() is empty by default, so it can be
overridden more easily.
Before this commit the decision whether a vxlan layer will be
introduced between the lower interface before the interface is
added to batman was inside the proto. Now the decision is moved
to the user of the proto.
Add a package for handling upgrade-scripts speific for the WAN radio
operation.
This way, the config mode interface can be removed seperately from the
core functionality to perform tasks on system upgrade. This can be
useful when the setup-mode is removed entirely for space preservation.
Allow the transmission of IPv6 multicast packets as long as they are not
flooded through the whole mesh.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Set the ifname for the WAN radio (Private WLAN) to wanX, X being the
radio index.
All other radios created by Gluon already have their ifname defined
following this pattern.
Signed-off-by: David Bauer <mail@david-bauer.net>
The rudimentary flash size determination function expects the partition
for the devices firmware to be called "linux" while it is (since quite
some time) "firmware".
Fix this error to display available flash size as well as more useful
error message in case the uploaded firmware image exceeds the flash
space.
Signed-off-by: David Bauer <mail@david-bauer.net>
With batman-adv 2020.4 and the according backports to batman-adv v2019.2
several more bugs were found and fixed regarding the batman-adv
multicast optimizations feature.
Also a "wakeup-call" feature was added to the Linux bridge IGMP/MLD
snooping code in Gluon to work around issues with Android devices.
With batman-adv now at v2019.2, multicast-to-multi-unicasts conversion
is supported, too. Which means that even if there are a few outdated nodes
these and all other recipients will be served multicast packets via unicast,
too, as long as the sum of receiving nodes does not exceed the multicast
fanout setting (default: 16). If is exceeded, then batman-adv will revert
back to broadcast flooding automatically.
Long story short, with all these extra measures in place, let's reenable
the batman-adv multicast optimizations to reduce the layer 2 overhead
and in preparation for multicast applications in the future.
The default is enabled for this feature anyway, so removing the
"batctl multicast_mode 0" overwrite is sufficient.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
End the process after one result in case -l is not given
and destination address is unicast.
Reduces singleshot execution time from timeout seconds to around 150ms.
resolves#2184
This device is a dual 5GHz device. It is recommended to manually change the
radio of the first device to the lower 5GHz channels and the second radio
to the upper 5GHz channels
Fixes respondd on 64bit archs, as gluonutil_get_primary_domain() was
assumed to return int without the prototype.
Fixes: bcf57467dd ("libgluonutil: implement gluonutil_get_primary_domain()")
This adds the OpenWrt label-mac device selection as the most preferred
fallback.
While this is only used on OpenWrt 19.07 for backports, we can also use
the label-mac device when backporting device support. This way, we have
to deal with less device-sepcific code downstream.
Signed-off-by: David Bauer <mail@david-bauer.net>
This switches the used wireless daemons for OWE / SAE to the OpenSSL
flavors. The WolfSSL implementation currently seems to be broken.
THis switch may be reverted at a later point in time when hostapd /
wpa_supplicant implementations for WolfSSL have matured.
Specifications:
* SoC: MT7620A
* RAM: 64 MB DDR
* Flash: 8MB NOR SPI flash
* WiFi: MT7612E (5Ghz) and builtin MT7620A (2.4GHz)
* LAN: 1x100M
The -factory images can be flashed from the device's web
interface or via nmrpflash.
Both devices differ by a additional power outlet for the EX3800.
This patch has been tested on a EX3800 device.
This renames the local_client zone to loc_client, as local_clint exceeds
the maximum zone length allowed for firewall3, which is 11 bytes.
This worked previously due to firewall3 using unsafe string operations.
Now creation of the chain fails (latest OpenWrt master).
This allows running a respondd querier and map server behind a Gluon
node.
For instance at Freifunk Lübeck we now moved the map server
behind a Gluon VM and removed batman-adv and fastd from the
map server VM to reduce the maintenance work.
Increased multicast overhead should be minimal / non existent, as it is
unlikely to accidentally have respondd queriers running behind a Gluon
node.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The rewrite of the feature handling introduced multiple major bugs. One
of them was caused by the way Lua's logical operators work:
An expression of the form
_'autoupdater' and _'web-advanced'
would return 'web-advanced' rather than the boolean true when _ returned
both strings unchanged (because the features are enabled).
As entries with more than a single feature name in their expressions did
not set no_default, Gluon would then attempt to add gluon-web-advanced to
the package selection, as web-advanced is a "pure" feature.
To fix this, and get rid of the annoying nodefault, separate handling of
"pure" feature and handling of logical expressions into two separate
functions, called feature() and when(). To simplify the feature
definitions, the package list is now passed directly to these functions
rather than in a table with a single field 'packages'.
Fixes: ee5ec5afe5 ("build: rewrite features.sh in Lua")