The amount of local wifi clients is currently counted by two different
ways:
* asking the kernel wifi layer for the number of of clients on 2.4GHz and
5GHz band
* asking batman-adv for the number of non-timed out entries in the local
translation table with WiFi flag
The number of wifi24+wifi5 and the number of TT wifi client counts are
reported via respondd to various consumers. The ffrgb meshviewer is
displaying these values as:
* 2,4 GHz: wifi24
* 5 GHz: wifi5
* other: (TT local wifi+non-wifi clients) - (wifi24 + wifi5)
But the local translation table is holding entries much longer than the
wifi layer. It can therefore easily happen that a wifi client disappears in
the kernel wifi layer and batman-adv still has the entry stored in the
local TT.
The ffrgb meshviewer would then show this count in the category "other".
This often results in confusions because "other" is usually for ethernet
clients. And nodes with a frequently disappearing larger group of clients
(near bus stations or larger intersections) often show most clients under
the group "other" even when this devices doesn't have a LAN ethernet port.
It is better for presentation to calculate the number of total wifi clients
by summing up wifi24 + wifi5. And getting the number of total clients (non
wifi + wifi) by adding the result of the previous calculation to the sum of
non-wifi client in the local batman-adv translation table.
Fixes: 89a9d8138c ("gluon-mesh-batman-adv-core: Announce client count by frequency")
Reported-by: Pascal Wettin <p.wettin@gmx.de>
Gluon has multiple ways to obtain unique MAC-addresses. They are either
provided by the WiFi driver or derived from the primary MAC-address.
Quoting the same file:
> It's necessary that the first 45 bits of the MAC address don't
> vary on a single hardware interface, since some chips are using
> a hardware MAC filter. (e.g 'rt305x')
This currently fails in case the rt35xx based chips mac address differs
from the primary MAC. In this case, the MAC address for the client0 radio
(vif 1) comes from the WiFi driver. As there is only a single
MAC-address provided by '/sys/class/ieee80211/phyX/addresses' but the
MAC-address for mesh 0 (vif 2) is derived from the Node-ID, resulting in
different first 45 bits. The WiFi won't come up altogether in this case.
This commit verifies at least 4 MAC-Addresses are provided by the WiFi
driver. If this is not the case, all MAC-addresses are derived from the
primary MAC. This way, affected radios are working correctly.
This commit distributes dualband radios evenly on 2.4 GHz and 5GHz with
2.4 GHz being prioritised higher than 5 GHz. This means in case a device
has only a single radio and this radio supports operation in both bands,
it will be set to 2.4 GHz.
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Allow odhcp6c to fork the script to handle router
advertisments in 30 seconds intervals. This is the value
that was previously used in Gluon v2018.1 / LEDE 17.01.
The default value is 3 seconds and while it is RFC compliant
it can put alot of pressure on even moderately sized devices.
Signed-off-by: Martin Weinelt <martin@darmstadt.freifunk.net>
log-file /dev/stderr is broken for babeld as it eats log messages for debug log.
This commit gets rid of the option. This allows -d N to be used as babeld command
line option.
This patch makes use of the new feature in l3roamd to gracefully
add, remove and list the mesh interfaces that are currently in use. This
helps when changing mesh interfaces often - a characteristic of the
wireguard protocol implementation as in the previous behavior all local
clients are dropped when adjusting mesh interfaces.
gluon-wan is a sudo-like exec wrapper that switches the process group to
gluon-mesh-vpn, making it use the WAN dnsmasq rather than resolving over
the mesh.
Note that this only affects DNS at the moment. Processes running under
gluon-wan will still use the regular mesh IPv6 routing table, and not the
WAN routing table. This is not a problem for IPv4, as there is only one
IPv4 routing table.
Fixes#1575
Rename to respondd.c / respondd.so, gluon.mk expects these names. This way
we can remove the install code. The installed filename is changed to
gluon-mesh-babel.so, bringing it in line with out common naming scheme.
The redirect and dnat target are needed for gluon-alt-esc-client to
forward frames to the selected, alternative gateways.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
This adds support for the TP-Link TL-WR902Ac v1 travel router.
The device is marked as broken due to 64MB which might be insufficient
in certain environments.
Before 7827f89, mandatory hostname field in config mode was
pre-filled with the default hostname.
This commit adds the config_mode.hostname.prefill option for
controlling the default value.
this activates the package by default when using the batman feature
while still allowing to explicitly remove it like this:
GLUON_SITE_PACKAGES := \
-gluon-ebtables-limit-arp
gluon-config-mode-geo-location-osm extends the
gluon-config-mode-geo-location with a location picker based on
OpenStreetMaps.
Based-on-patch-by: Jan-Tarek Butt <tarek@ring0.de>
The new code is shorter and uses more readable variable names. It does not
depend on specifically named input fields anymore (allowing to use multiple
maps on the same page), and only uses well-defined interfaces to trigger
revalidation of input fields.
The Map model class allows to add OSM maps to gluon-web forms.
Let gluon-respondd expose "MemAvailable" from /proc/meminfo to allow for
a more realistic memory-usage estimation.
Information on MemAvailable can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773
As already done with other config mode texts, the altitude field now has
default texts that are used when they are not set in the site i18n files.
The altitude-help text has been removed from site i18n; instead, the
geo-location-help text now overrides the whole section description
including the part that mentions the altitude.
This reverts commit b3d7011130.
with this change, DNS in batman-adv based networks is broken.
although the revert breaks babel based networks, this is not as big of a problem.
This device is a dual 5GHz device. It is recommended to manually change the
radio of the first device to the lower 5GHz channels and the second radio
to the upper 5GHz channels.
The commit b3762fc61c ("gluon-client-bridge: move IPv4 local subnet route
to br-client (#1312)") moves the IPv4 prefix from the local-port interface
to br-client. A client requesting an IPv4 connection to the IPv4 anycast
address of the node (the device running gluon) will create following
packets:
1. ARP packet from client to get the MAC of the mac address of the anycast
IPv4 address
2. ARP reply from node to client with the anycast MAC address for the IPv4
anycast address
3. IPv4 packet from client which requires reply (for example ICMP echo
request)
4. ARP request for the client MAC address for its IPv4 address in prefix4
(done with the mac address of br-client and transmitted over br-client)
5. IPv4 packet from node (transmitted over br-client with br-client MAC
address) as reply for the client IPv4 packet (for example ICMP echo
reply)
The step 4 and 5 are problematic here because packets use the node specific
MAC addresses from br-client instead of the anycast MAC address. The client
will receive the ARP packet with the node specific MAC address and change
their own neighbor IP (translation) table. This will for example break the
access to the status page to the connected device or the anycast DNS
forwarder implementation when the client roams to a different node.
This reverts commit b3762fc61c and adds an
upgrade code to remove local_node_route on on existing installations.
The commit b3762fc61c ("gluon-client-bridge: move IPv4 local subnet route
to br-client (#1312)") moves the IPv4 prefix from the local-port interface
to br-client. A client requesting an IPv4 connection to the IPv4 anycast
address of the node (the device running gluon) will create following
packets:
1. ARP packet from client to get the MAC of the mac address of the anycast
IPv4 address
2. ARP reply from node to client with the anycast MAC address for the IPv4
anycast address
3. IPv4 packet from client which requires reply (for example ICMP echo
request)
4. ARP request for the client MAC address for its IPv4 address in prefix4
(done with the mac address of br-client and transmitted over br-client)
5. IPv4 packet from node (transmitted over br-client with br-client MAC
address) as reply for the client IPv4 packet (for example ICMP echo
reply)
The step 4 is extremely problematic here. ARP replies with the anycast IPv4
address must not be submitted or received via bat0 - expecially not when it
contains an node specific MAC address as source. When it is still done then
the wrong MAC address is stored in the batadv DAT cache and ARP packet is
maybe even forwarded to clients. This latter is especially true for ARP
requests which are broadcast and will be flooded to the complete mesh.
Clients will see these ARP packets and change their own neighbor IP
(translation) table. They will then try to submit the packets for IPv4
anycast addresses to the complete wrong device in the mesh. This will for
example break the access to the status page to the connected device or the
anycast DNS forwarder implementation. Especially the latter causes extreme
latency when clients try to connect to server using a domain name or even
breaks the connection setup process completely. Both are caused by the
unanswered DNS requests which at first glance look like packet loss.
An node must therefore take care of:
* not transmitting ARP packets related to the anycast IPv4 address over
bat0
* drop ARP packets related to the anycast IPv4 when they are received on
bat0 from a still broken node
* don't accept ARP packets related to the anycast IPv4 replies on local
node when it comes from bat0
Fixes: b3762fc61c ("gluon-client-bridge: move IPv4 local subnet route to br-client (#1312)")
optional = true does not make sense without a datatype. When no datatype is
set, the empty string will be a valid value, so data is never unset in the
write function. Restore the minlength(1) datatype so the contact setting is
deleted as intended when no value is provided.
* do not allow to obligatorily require contact information
* add remark that the data is provided voluntarily
* mention how to delete the data
* be very clear about the fact that the data being entered is public and
can be downloaded and processed by anyone.
This commit adds information about:
- how cpu time is spent since boot in jiffies (1/100*sek) (cpu)
- the value is summed for all cores, so in 10 seconds the
summed values will increase by 4000, if the cpu has
4 cores
- context switches since boot (ctxt)
- interrupt counters since boot (intr, softirq)
- forks since boot (processes)
{ "stat": {
"cpu": {
"user": 219403,
"nice": 1714,
"system": 75159,
"idle": 2727739,
"iowait": 2943,
"irq": 0,
"softirq": 571
},
"intr": 8426340,
"ctxt": 50992590,
"processes": 10549,
"softirq": 5161884
} }
In multidomain setups, VXLAN is enabled by default, but can be disabled in
domain configs using the mesh/vxlan option. In single domain setups, the
mesh/vxlan option is mandatory.
The UCI option for legacy mode is removed.
Fixes#1364
dnsmasq's caching is severly broken and does not handle all answer records
equally. In particular, its cached answers are missing DNSKEY and DS
records, breaking DNSSEC validation on clients.
Remove the cache for now. It may return if dnsmasq is fixed or we switch to
a different resolver.
net.ipv6.conf.br-client.forwarding is moved from gluon-client-bridge to
gluon-mesh-batman-adv, as the setting is not useful with non-bridged
protocols.
With the batman-adv multicast support compiled back in again we end up
with multicast addresses in the batman-adv translation table.
Currently we wrongly interpret multicast addresses returned by TT as a
unique host, too, which adds them with a source address filter to
ebtables as well. However, the source address of an ethernet frames is
never supposed to be a multicat one.
This leads to unnecessary entries in ebtables. Fixing this by ignoring
those MAC addreses returned by TT which have the multicast bit set.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
This setting allows to enforce manually setting a hostname.
In the initial configuration, the hostname field is now left empty; when
setting the hostname is not enforced, the default hostname is shown as the
field placeholder.
Fixes#1139
Our VXLAN setup was changed to accept VXLAN packets without checksum almost
2 months ago, so we can disable sending the checksums now as well. Slightly
improves performance.
The RFC standard multicast querier interval is 120s. Our querier uses in
interval of 20s for better support of roaming clients, but our robustness
setting of 3 leads to external queriers using the standard interval to be
timeout after only 60s, leading to frequent "querier appeared/disappeared"
messages. Increase robustness so that external queriers with any interval
<180s are supported.
We must ensure that each node becomes IGMP/MLD querier for its local
clients; having only a single querier for the whole mesh is generally
unreliable, leading to frequent "IGMP/MLD querier appeared/disappeared"
messages from batman-adv and unreliable snooping.
In smaller meshes it might be interesting only segment querier domains, but
allow membership reports to pass through the mesh, in order to support
snooping switches outside the mesh without special configuration. A
site.conf switch is provided to control this behaviour.
Fixes#1320
A downside of this behaviour is that the page does not work for IPv4-only
clients, as the redirect will always point at an IPv6 address.
Still, it seems like a good idea to enforce the redirect even from the IPv4
next-node address, as switching nodes while being connected to the status
page would lead to unexpected behaviour.
All Access-Control-Allow-Origin are removed to improve users' privacy. As
the status page API is thus not useful without the status page anymore,
merge them back into a single package.
The status-page-api respondd provider is removed as well.
Fixes#1194
This new status page is significantly smaller than the old one. It always
loads its resources from the same host as the page itself, not requiring
cross-origin requests anymore.
It also uses the common i18n infrastructure of gluon-web.
Fixes#914
- CGI script and index.html are moved from gluon-web to
gluon-config-mode-core, the script is renamed to 'config'
- gluon-web and gluon-web-model base views and i18n files are symlinked
into the new path
- gluon-web-theme is renamed to gluon-config-mode-theme and installs
directly into the new path
- all gluon-web-* models, controllers and views are moved into the new
path
By emitting Lua code to call translate() and pcdata(), we are more
flexible than when doing this internally in the parser. The performance
penalty should be negligible.
This patch moves the prefix4 subnet route from the local-node veth
device to br-client (while keeping the next node ipv4 address on the
local node device).
This is in preparation to allow routing over the br-client interface
later.
This package adds filters to limit the amount of ARP Requests
devices are allowed to send into the mesh. The limits are 6 packets
per minute per client device, by MAC address, and 1 per second per
node in total.
A burst of up to 50 ARP Requests is allowed until the rate-limiting
takes effect (see --limit-burst in the ebtables manpage).
Furthermore, ARP Requests with a target IP already present in the
batman-adv DAT Cache are excluded from the rate-limiting,
both regarding counting and filtering, as batman-adv will respond
locally with no burden for the mesh. Therefore, this limiter
should not affect popular target IPs, like gateways.
However it should mitigate the problem of curious people or
smart devices scanning the whole IP range. Which could create
a significant amount of overhead for all participants so far.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Both gluon.sysconfig and libgluonutil already remove the trailing newline
if it exists. It's nicer to avoid files without a trailing newline, e.g.
for printing the file contents in a terminal.
This is currently only implemented in the gluon-mesh-vpn-fastd
package.
Advertising the public key may be deemed problematic when
your threat-model involves protecting the nodes privacy
from tunnel traffic correlation by onlink observers.
It can be enabled by setting site.mesh_vpn.fastd.pubkey_privacy
to `false`.
If a value is unset or optional, an empty choice is added to the selection.
This empty choice will be marked as invalid if the value is not optional.
This is properly supported for the 'select' widget only for now, and not
for 'radio'.
This package drops all incoming router advertisements except for the
default router with the best metric according to B.A.T.M.A.N. advanced.
Note that advertisements originating from the node itself (for example
via gluon-radvd) are not affected.
Also disabling TX checksums and not only allowing incoming packets without
checksum will provide another small speedup. As doing so would break wired
meshing with VXLAN-enabled nodes that require non-zero checksums, we will
wait a few days before this step.
In addition to significant internal differences in check_site_lib.lua (in
particular unifying error handling to a single place for the upcoming
multi-domain support), this changes the way fields are addressed in site
check scripts: rather than providing a string like 'next_node.ip6', the
path is passed as an array {'next_node', 'ip6'}.
Other changes in site check scripts:
* need_array and need_table now pass the full path to the sub fields to the
subcheck instead of the key and value
* Any check referring to a field inside a table implies that all higher
levels must be tables if they exist: a check for {'next_node', 'ip6'} adds
an implicit (optional) check for {'next_node'}, which allows to remove many
explicit checks for such tables
This should not convert JSON to a Lua table and back, as this loses the
distinction between arrays and objects, but as our site.conf is defined in
Lua anyways (for now), this can be fixed in a later revision.
[Matthias Schiffer: rename to gluon-show-site, rebase]
By basing the Lua gluon.site module on gluonutil_load_site_config(), the
config load implementation needs to changed only in a single place for
multi-domain support.
This enables the ebtables internal locking mechanism which
will avoid race conditions between multiple, concurrent
ebtables calls.
This is a preparation for the upcoming gluon-arp-limiter
daemon, to avoid issues if upon restarting gluon-ebtables
the gluon-arp-limiter daemon tries to modify the tables.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Interacting with batman-adv's genl interface requires some code and
definitions which could be shared between different packages. libbatadv is
trying to do this without providing any guarantee for ABI or API stability.
It is only useful in very controlled environments like gluon.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
* gluon-core, gluon-client-bridge: introduce new firewall zone: local_client
* gluon-core: put clients in local_client zone, introduce drop-zone,
set dns-rules and zones
* gluon-respondd: allow respondd on mesh
* gluon-status-page-api: allow http input on mesh and client
Filtering by MAC address won't filter out multicast packages like router
solicitations, causing uradvd to send out router advertisements with
maximum frequency (every 3 seconds) in active meshes, even when no local
client is actually interested in the advertisements.
Fixes#1230
The new gluon.site lua library will eventually replace gluon.site_config
(which is hereby deprecated, but will continue to be supported for a
while).
The new gluon.site library will wrap all values to allow traversing
non-existing tables without errors.
site = require 'gluon.site'
c = site.a.b.c -- doesn't fail even if a or a.b don't exist
The wrapped values must be unwrapped using call syntax:
site_name = site.site_name()
Using the call syntax on a non-existing value will return nil. An
alternative default value may be passed instead:
mac = site.next_node.mac('16:41:95:40:f7:dc')
The generic upgrade script is moved to run after the more specific scripts.
In addition, the script will now remove the configuration sections of
uninstalled VPN packages, so both positive and negative changes of the
default enable state can be migrated correctly.
Based-on-patch-by: Cyrus Fox <cyrus@lambdacore.de>
Fixes: #1187
When a Gluon node is used to connect to an uplink router/DHCP server (for
example in deployments without VPN tunnels), the gw_mode must be set to
server; this should be preserved on upgrades.
Fixes#1196
To reduce the number of packages that need to be listed in
GLUON_SITE_PACKAGES, this adds a new variable GLUON_FEATURES. Sets of
packages are enabled automatically based on the combination of listed
feature flags.
Site-specified package feeds can provide their own feature flag
definitions.
As PROVIDES can be used to replace real packages now, we don't need the
virtual packages as workaround anymore. This also means that the providing
packages don't need to be added to site.mk explicitly anymore when the
default provider is used.
We now create bat0 and primary0 independently of the lower mesh interfaces,
making the whole setup a lot more robust. In particular:
- we can't accidentially destroy primary0 because of concurrent setup and
teardown runs of different interfaces
- bat0 will always exist, even when no mesh interfaces are up (e.g. no link
on wired mesh)
- interfaces going down and up again will never tear down the whole of
batman-adv
- we can enable and disable bat0 independently of the lower interface
states
We always want to prefer the unique node address for outgoing traffic. Note
that this doesn't have an effect with batman-adv, as usually br-client will
be the outgoing interface, so the unique address would be chosen anyways.
macvlan interfaces never directly exchange traffic with the underlying
interface, but only with other hosts behind the interface. In consequence,
router advertisements from the uradvd running on br-client could never
reach local-node, preventing it from getting an IPv6 address without RAs
from an external radvd. Fix this be replacing the macvlan interface with
a veth pair (with the peer interface in br-client).
As a side effect, this saves about 5KB of flash, as the veth module is
simpler than macvlan.
When preparing the migration from macvlan to veth for local-node, MAC
address conflicts occurred as some ports of br-client had the same address
as local-node. Reverting the roles of both interfaces fixes this.
By default, br-client is left as an interface without addresses and
firewall rules that drop everything, so the bridge is used to connect its
ports only. gluon-mesh-batman-adv-core changes this to the usual set
of addresses and firewall rules.