Delete all default network device sections upon first boot.
Only LAN & WAN networks are defined at this point. We are using the
legacy way of definiting bridges via the interface sections ifname
option.
The prior filtering was based upon a single device and didn't take into
consideration that DSA interface names can be named arbitrarily.
Signed-off-by: David Bauer <mail@david-bauer.net>
VoCores aren't exactly useful mesh nodes except for experimentation.
They certainly aren't worth maintaining a whole target, in particular
one that has a WLAN driver not used by any other target.
It was found that a one second timeout for nodeinfo data may be too low,
so that when a node is otherwise occupied that timeout may be reached
too often.
The nodeinfo query response is also vital to the status-page base
template, so that when it times out, the site will be turned in a broken
state, that it cannot recover from.
Fixes: #2256
A leading tab character usually marks recipe lines in Makefiles;
non-recipe lines must be indented using spaces.
The incorrect tab character doesn't seen to have caused any issues in
this case, but it should be fixed nonetheless, if only for consistency.
The file_contains_line helper function was not testing whether a file
exists or not prior attempting to read from it.
Add this check to circumvent errors on the private WiFi config in
case the hwflags file is missing.
Reported-by: Tom Herbers <freifunk@tomherbers.de>
Tested-by: Tom Herbers <freifunk@tomherbers.de>
Signed-off-by: David Bauer <mail@david-bauer.net>
The relevant entry for the primary MAC location was lost when rebasing
the patch on OpenWrt 21.02.
Fixes commit ded4b8a711 ("rockchip-armv8: add FriendlyARM NanoPi R2S")
Signed-off-by: David Bauer <mail@david-bauer.net>
Configure a radio for HE (802.11ax) operation in case it's supported by
the hardware. This can be the case for 2.4 GHz as well as 5 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
In case the limit_ingress or limit_egress options are not present in
gluon's mesh_vpn section the respondd provider compares a string literal
with a NULL pointer, crashing respondd.
Check both pointers prior to comparing them in order to mitigate this
issue.
Suggested-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
This fully abstracts VPN methods, making gluon-mesh-vpn-fastd and
gluon-mesh-vpn-tunneldigger completely self-contained.
Provide a LUA interface for generic interacting with VPN methods in
gluon-mesh-vpn-core and web packages.
This also adds the ability to install tunneldigger and fastd to the same
image, selecting the VPN method based on the selected domain.
Signed-off-by: David Bauer <mail@david-bauer.net>
Simplify the individual form providers by always running reconfigure. This
also commits all UCI packages, so we can remove all tracking of UCI
sections from the wizard code.
Instead of returning a list of packages to commit, the providers just
save their settings directly. Explicit runs of upgrade scripts are
removed, as they are now run by reconfigure.
This add support for a write() method on sections, in addition to the
value and form level write(). write() is only called when the section is
valid and visible. In addition, write() is empty by default, so it can be
overridden more easily.
Before this commit the decision whether a vxlan layer will be
introduced between the lower interface before the interface is
added to batman was inside the proto. Now the decision is moved
to the user of the proto.
Add a package for handling upgrade-scripts speific for the WAN radio
operation.
This way, the config mode interface can be removed seperately from the
core functionality to perform tasks on system upgrade. This can be
useful when the setup-mode is removed entirely for space preservation.
Allow the transmission of IPv6 multicast packets as long as they are not
flooded through the whole mesh.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Set the ifname for the WAN radio (Private WLAN) to wanX, X being the
radio index.
All other radios created by Gluon already have their ifname defined
following this pattern.
Signed-off-by: David Bauer <mail@david-bauer.net>
The rudimentary flash size determination function expects the partition
for the devices firmware to be called "linux" while it is (since quite
some time) "firmware".
Fix this error to display available flash size as well as more useful
error message in case the uploaded firmware image exceeds the flash
space.
Signed-off-by: David Bauer <mail@david-bauer.net>
With batman-adv 2020.4 and the according backports to batman-adv v2019.2
several more bugs were found and fixed regarding the batman-adv
multicast optimizations feature.
Also a "wakeup-call" feature was added to the Linux bridge IGMP/MLD
snooping code in Gluon to work around issues with Android devices.
With batman-adv now at v2019.2, multicast-to-multi-unicasts conversion
is supported, too. Which means that even if there are a few outdated nodes
these and all other recipients will be served multicast packets via unicast,
too, as long as the sum of receiving nodes does not exceed the multicast
fanout setting (default: 16). If is exceeded, then batman-adv will revert
back to broadcast flooding automatically.
Long story short, with all these extra measures in place, let's reenable
the batman-adv multicast optimizations to reduce the layer 2 overhead
and in preparation for multicast applications in the future.
The default is enabled for this feature anyway, so removing the
"batctl multicast_mode 0" overwrite is sufficient.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
End the process after one result in case -l is not given
and destination address is unicast.
Reduces singleshot execution time from timeout seconds to around 150ms.
resolves#2184
This device is a dual 5GHz device. It is recommended to manually change the
radio of the first device to the lower 5GHz channels and the second radio
to the upper 5GHz channels
Fixes respondd on 64bit archs, as gluonutil_get_primary_domain() was
assumed to return int without the prototype.
Fixes: bcf57467dd ("libgluonutil: implement gluonutil_get_primary_domain()")
This adds the OpenWrt label-mac device selection as the most preferred
fallback.
While this is only used on OpenWrt 19.07 for backports, we can also use
the label-mac device when backporting device support. This way, we have
to deal with less device-sepcific code downstream.
Signed-off-by: David Bauer <mail@david-bauer.net>
This switches the used wireless daemons for OWE / SAE to the OpenSSL
flavors. The WolfSSL implementation currently seems to be broken.
THis switch may be reverted at a later point in time when hostapd /
wpa_supplicant implementations for WolfSSL have matured.
Specifications:
* SoC: MT7620A
* RAM: 64 MB DDR
* Flash: 8MB NOR SPI flash
* WiFi: MT7612E (5Ghz) and builtin MT7620A (2.4GHz)
* LAN: 1x100M
The -factory images can be flashed from the device's web
interface or via nmrpflash.
Both devices differ by a additional power outlet for the EX3800.
This patch has been tested on a EX3800 device.
This renames the local_client zone to loc_client, as local_clint exceeds
the maximum zone length allowed for firewall3, which is 11 bytes.
This worked previously due to firewall3 using unsafe string operations.
Now creation of the chain fails (latest OpenWrt master).
This allows running a respondd querier and map server behind a Gluon
node.
For instance at Freifunk Lübeck we now moved the map server
behind a Gluon VM and removed batman-adv and fastd from the
map server VM to reduce the maintenance work.
Increased multicast overhead should be minimal / non existent, as it is
unlikely to accidentally have respondd queriers running behind a Gluon
node.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
The rewrite of the feature handling introduced multiple major bugs. One
of them was caused by the way Lua's logical operators work:
An expression of the form
_'autoupdater' and _'web-advanced'
would return 'web-advanced' rather than the boolean true when _ returned
both strings unchanged (because the features are enabled).
As entries with more than a single feature name in their expressions did
not set no_default, Gluon would then attempt to add gluon-web-advanced to
the package selection, as web-advanced is a "pure" feature.
To fix this, and get rid of the annoying nodefault, separate handling of
"pure" feature and handling of logical expressions into two separate
functions, called feature() and when(). To simplify the feature
definitions, the package list is now passed directly to these functions
rather than in a table with a single field 'packages'.
Fixes: ee5ec5afe5 ("build: rewrite features.sh in Lua")
The new options are CONFIG_GLUON_AUTOUPDATER_BRANCH and
CONFIG_GLUON_AUTOUPDATER_ENABLED and allow to control the default branch
and default enable status separately.
The `or ''` fallback in targets/generic is removed, as GLUON_ENV will
set all variables in GLUON_VARS, making previously non-existing
variables exist with an empty value.
We already have a proper message when the creation of an alias fails
because of a name conflict. Also add a message when the primary filename
of a domain config is already occupied by another domain's alias.
Also add an 'Error:' prefix to the existing message to easier to see.
Reorder scripts so that the mesh_lan interface is accounted for.
Two other firewall upgrade scripts (mesh-babel and l3roamd) are
reordered as well. While there seems to be no hard dependency at the
moment, it makes sense to run the basic setup first, also to avoid
problems with future changes.
Closes: #2090
Fixes: ed094bc68c ("gluon-core: firewall: Allow custom gluon_wired interfaces (#2041)")
This adds the wireless client count for 2.4GHz and 5 GHz radios to the
status page. Previously, only the total client count advertised by
the mesh protocol was visible.
This will hide the outdoor mode setting on compatible devices in case
the defined channels should be preserved.
Otherwise a user might be under the impression their device is compliant
with outdoor operation when in reality it still uses prohibited
channels.
* build: target_config_lib: introduce concat_list helper
* build: rewrite features.sh in Lua
The `features` file is converted to a Lua-based DSL.
A helper function `_` is used in the DSL; this will return the original
string for enabled features, and nil for disabled features. This allows
to use boolean operations on features without making the code too
verbose.
Besides having more readable and robust code, this also fixes the bug
that all files `packages/*/features` were evaluated instead of only
using the feature definitions of currently active feeds.
* build: add luacheck support for package/features
Replace the ugly arrow shown in Firefox with a custom SVG arrow. Tested
and working in Firefox, Chrome and Edge. The arrow doesn't show in IE, but
the gluon-web-model JavaScript is already severely broken in IE, so we
don't care.
When the network connectivity is bad, routers may not appear in the
translation tables, or there may be no originator with TQ >0. Such
conditions to not warrant spamming the log with error messages.
The `features` file is converted to a Lua-based DSL.
A helper function `_` is used in the DSL; this will return the original
string for enabled features, and nil for disabled features. This allows
to use boolean operations on features without making the code too
verbose.
Besides having more readable and robust code, this also fixes the bug
that all files `packages/*/features` were evaluated instead of only
using the feature definitions of currently active feeds.
This commit changes the behavior for the wan-dnsmasq to read the
interfaces to update the DNS servers on from flag-files.
This way, external custom packages which add a custom VPN WAN interface
can update the DNS server gluon is using for WAN resolving.
On lantiq, the default WAN ifname is 'dsl0' even on devices that have a
separate WAN port. At least on devices using swconfig we can override
this with the switch port labelled as 'wan'.
With very bad timing, it is possible that the teardown script of a
gluon_mesh interface runs when bat0 was just created, but primary0 is not
yet added to it. Although there is no hardif to remove in this case,
bat0 will still be deleted, because there is no hardif in bat0.
Disable the interface removal logic by passing `-M` to `batctl interface`.
There is no setting to explicitly enable mesh interfaces in the config
wizard, so we need to enable mesh interfaces by default when the outdoor
mode is disabled (unless site.conf dictates otherwise).
The simplest way to achieve this is to delete the 5GHz mesh interface
sections when outdoor mode is disabled: 200-wireless would delete and
recreate them a moment later anyways, but by deleting them earlier we
ensure that the disabled status is initialized from site.conf again.
Because is_disabled() was always returning true or false, the
first_non_nil() would never actually check the default setting from
site.conf. This was broken since v2017.1.
Fixes: 6cf03bab37 ("treewide: replace normal uses of luci.model.uci with simple-uci to reduce LuCI dependencies")
With 11a3b56617 ("gluon-web-model: add dependency support for
sections"), a "reset" function was added to all model nodes. This
conflicts with the "reset" field of the Form object, making reset
buttons show labels like "function: 0xbb8d50" and possibly breaking form
processing when packages override the reset field.
The interfaces should always exist and just be disabled when outdoor
mode is enabled. Not creating them at all leads to an issue in the
advanced wifi settings where an additional reload of the page is
necessary after enabling or disabling the ourdoor mode to make the mesh
VIF options appear or disappear.
Instead of relying on the existence of interface sections only (which is
still used for the case of interface types that are not configured at
all in the site config), add a proper dependency.
This fixes section visiblity with enabled outdoor mode after the following
fix, and gives the user immediate feedback (allowing to disable outdoor
mode and enable meshing in a single step).
200-wireless will add or remove the mesh network sections of
/etc/config/network. Commit this file, so the modified setting doesn't
get lost on reboot.
Fixes: #2048
Validation errors are mostly handled in the frontend (by displaying
invalid fields with a red background). There was some code left in the
backend for handling different kinds of errors, and returning custom
error messages from validate(), but the resulting value was not used
anywhere.
- Add a dependency array to section template
- Lift dependency handling from AbstractValue to Node
- Split resolve_depends() into a function handling dependencies of a
node itself (resolve_node_depends()), which now is used for all nodes,
and the existing recursive descent through the node tree
- When any node's dependencies are not satisfied, all descendents are
reset recursively, meaning that an option in a section that is hidden
will always be ignored, as if the option's own dependencies were
unsatisfied
Fixes: #1349
- If luasrcdiet fails for a Lua script, this is a bug that should be
noticed rather than including the unminified script
- Use .tmp suffix for temporary file rather than .o
- Replace chmod + stat + mv with simpler cp + rm to overwrite file while
preserving file mode
gluonutil_get_interface_lower() recursively determines the lower of an
interface until the base interface is found.
gluonutil_get_interface_type() tries do distinguish wired, wireless and
tunnel interfaces. For tunnel interfaces, TUN/TAP, L2TPETH and Wireguard
are supported at the moment.
- Rename obtain_if_addr() to get_linklocal_address()
- Pass buffer of size INET6_ADDRSTRLEN instead of the oversized NI_MAXHOST
- Check if an address is link-local before converting to a string
- Replace an incorrect use of strncmp() with strcmp()
- Return status to caller
- Streamline control flow
While we're at it, the function handle_neighbour(), which is one of the
callers of get_linklocal_address() is slightly cleaned up as well.
This switches hostapd variant used for SAE and OWE from hostapd-openssl
to hostapd-wolfssl.
The bug shich one broke the wolfssl implementation was resolved upstream
with commit 631c437a91c2 ("hostapd: backport wolfssl bignum fixes").
This particular commit also got backported to OpenWrt 19.07.
This allows for multiple mesh legs out of one box. Useful for offloaders
and networks using vlan for separate mesh transport.
Custom mesh interfaces in a VXLAN domain are otherwise firewalled.
This fixes#1479
This adds support for the beacon interval to be set on a per-band base.
This has the potential to reduce the amount of airtime used up for
sending beacon frames.
Separate wireless-related helper methods from the util module to a
new wireless module. This keeps them separated, as the amount of
wireless helpers increased in the past, justifying a separate module.
xt_CT was added to kmod-ipt-conntrack a while back. Update our
GLUON_SPECIALIZE_KERNEL rules accordingly.
When building xt_CT into the kernel, one of the symbols IP_NF_RAW and
IP6_NF_RAW must be enabled as well, even though there is no runtime
dependency when building as modules. The kernel grows by less than 1KB
even when both IP_NF_RAW and NETFILTER_XT_TARGET_CT are enabled, making
this change a (very slight) net win in both flash and RAM usage.
As a partial fix to #496, do not touch the MAC address of the WAN
interface when using VXLANs (as only the MAC address of the VXLAN
interface matters to batman-adv).
On PoE-powered devices, we usually want to use WAN for the setup mode.
As all outdoor devices are PoE-powered, we can reuse this function. This
switches the setup mode interface for new installations / after config
reset on a few devices that were missing in this list before.
The 'preserve' flag can be used to mark a peer so it is not removed or
modified on upgrades. In addition, groups containing preserved peers are
not removed.
Fixes: #557
The netdev() lookup is confusing to use: whenever a interface does not
exist during boot (for example VLAN) or when the address is overridden
from board.json (which is not obvious at all), it will yield either no
address, or a different address than expected.
To avoid this confusion, using board.json-based interface() is
preferable. This converts all uses of netdev() to the corresponding
lan/wan lookups, except for the final fallback for eth0.
- Replace misnamed, closure-returning sysfs() to a reusable read() function
- Rename eth() to netdev(), pass full interface name
- Rename board() to interface()
- Split reuable get_netdev_addr() out of netdev()
gsub() returns the number of matches as its second return value. This
was unintendedly passed through by the util functions trim() and
node_id(). It can be presumed that this had no effect in practice, but
it can lead to surprising output when passing values to print() for
debugging.
Allows reconfigurtion of remote syslog from within site.conf.
Conflicts with the gluon-web-logging package as user made changes
will be overwritten, because this package will reconfigure the syslog
destination on every upgrade.
Resolves#1845
Use the value of the `name` site.conf field as label (it was
accidentally unused before).
Our site.conf currently doesn't define a specific order for the branch
entries. To avoid changing branch orders, sort entries by this label.
Fixes: #1961
Register to 'reset' event on form element and make call to 'update' function
delayed in 'data-update' handler to allow the form values to update beforehand.
When using a form's 'reset' button, form field visibility was not updated.
This could lead to situations where a checkbox had to be toggled again
twice to display the detail text inputs. (Example taken from private
wifi package)
This adds a helper method, which determines if the current platform
supports WPA3 or not.
WPA3 is supported if
- the device is not in the featureset category "tiny"
- the WiFi driver supports 802.11w management frame protection
The gluon-wireless-encryption package selects a WPA3 supporting
hostapd package as a dependency and stores the information, which
encryption method is supported to the device.
This package adds support for SAE on 802.11s mesh connections.
Enabling this package will require all 802.11s mesh connections
to be encrypted using the SAE key agreement scheme. The security
of SAE relies upon the authentication through a shared secret.
In the context of public mesh networks a shared secret is an
obvious oxymoron. Still this functionality provides an improvement
over unencrypted mesh connections in that it protects against a
passive attacker who did not observe the key agreement. In addition
Management Frame Protection (802.11w) gets automatically enabled on
mesh interfaces to prevent protocol-level deauthentication attacks.
If `wifi.mesh.sae` is enabled a shared secret will automatically be
derived from the `prefix6` variable. This is as secure as it gets
for a public mesh network.
For *private* mesh networks `wifi.mesh.sae_passphrase` should be
set to your shared secret.
Fixes#1636
Remove a lot of redundant code by switching to a match table listing
the targets and boards for each candidate for the primary MAC interface.
In addition, we add some flexiblity by allow to switch out the sysfs file
data source for the MAC address.
This reverts commits
- caf2dd037b.
- 07ebac6a49
- 55eff45f96
I accidentally pushed these commits as I had them lying around on a
dirty checkout I did testing on.
In addition this PR contains:
- split of gluon-respondd provider into multiple source files
- minor additional cleanups in gluon-mesh-babel respondd provider
(untested, as the babel respondd provider already doesn't compile prior
to these changes...)
many AVM devices do not have RESET/WPS buttons. So use the otherwise unused DECT/PHONE button to boot the device into setup mode.
This patch allows to enter the setup-mode by pressing the phone button
(often labeled as DECT) in addition to WPS and reset button.
This patch is necessary to allow supporting boards without a WPS and reset
button (e.g. AVM FRITZ!Box 7312).
With this commit, the status-led is set to be the "led-running"
device-tree alias for targets which do not implement the get_status_led
method in /etc/diag.sh.
This reverts commit 9b1eb40fe7.
With the batman-adv v2019.2 upgrade reverted (c1a7733956), the batman-adv
multicast-to-multi-unicast feature is not available yet. Without that it is
going to be very unlikely of the batman-adv multicast optimizations to
take effect. E.g. some outdated nodes would disable it.
To avoid confusion and diversion with a few communities having it enabled
and most implicitly deactivated, just deactivate it for all for now
until batman-adv is updated to v2019.2 or greater again.
mac_to_ip() calculates an ipv6 address from a mac address according to
RFC 4291. For wireguard we have to use specially crafted addresses that
must be unique. This allows calculating such unique mac-based addresses
by allowing to optionally specifying the bytes to be inserted into the
address.
The new routing_algo site.conf value BATMAN_IV_LEGACY is introduced. With
these changes, the routing_algo setting becomes mandatory.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
We cannot add the same file (here: /lib/gluon/mesh-batman-adv/compat) to
two, installed packages. Therefore, instead of determining the compat
version number from this file, infer it from the batman-adv release
version number instead.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
This is a fix for the broken ingress traffic-shaping in gluon v2018.2.2
and possibly earlier.
For ingress traffic shaping the kernel option NET_ACT_POLICE is needed.
Before this patch there was no dependency to this. Neither in
gluon_core, gluon-mesh-vpn-core nor in the package.
This patch adds this dependency.
[Matthias Schiffer: move dependency from GLUON_CORE to gluon-mesh-vpn-core]
Fixes#1790
package/gluon-web-network/luasrc/lib/gluon/config-mode/model/admin/network.lua:122:16: (W431) shadowing upvalue f on line 19
Fixes: bab4af01e ("gluon-web-network: improve PoE GPIO name translation
handling")
The gluon-authorized-keys is usually installed to use SSH keys to
authenticate a user against the device. To make this useful, it is also
required to disable passwordless SSH access to the device.
This new dependency is only required when the user doesn't have
gluon-setup-mode enabled already.
Fixes: #1777
Reported-by: yanosz <github@yanosz.net>
Fixes: a753fa79e3 ("gluon-authorized-keys: add keys from site.conf")
Signed-off-by: Sven Eckelmann <sven@narfation.org>