testing something

gluon-info: Add domain to gluon-info

.ecrc

@@ -0,0 +1,3 @@
+{
+  "Exclude": ["docs/_build"]
+}

.editorconfig

@@ -0,0 +1,67 @@
+# Top-most EditorConfig file
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = tab
+charset = utf-8
+
+[Dockerfile]
+indent_style = space
+indent_size = 4
+
+[/patches/**]
+indent_style = unset
+indent_size = unset
+
+[*.c]
+
+[*.css]
+
+[*.dia]
+indent_style = space
+indent_size = 2
+
+[*.h]
+
+[*.html]
+
+[*.js]
+
+[*{.json,.ecrc}]
+indent_style = space
+indent_size = 2
+
+[*.lua]
+
+[{Makefile,*.mk}]
+indent_style = unset
+
+[*.md]
+indent_style = space
+indent_size = 4
+
+[*.pl]
+
+[*.py]
+indent_style = space
+indent_size = 4
+
+[*.rst]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+
+[*.yml]
+indent_style = space
+indent_size = 2
+
+[CMakeLists.txt]
+indent_style = space
+indent_size = 2
+
+[{docs,contrib/ci}/*site*/**/*.conf]
+indent_style = space
+indent_size = 2

.github/ISSUE_TEMPLATE/bug_report.md

@@ -6,7 +6,7 @@ label: bug
 
 <!--
 
-Please carefully fill out the questionaire below to help improve the
+Please carefully fill out the questionnaire below to help improve the
 timely triaging of issues. Walk through the questions below and use
 them as an inspiration for what information you can provide.
 

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# Docs: <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates>
+
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule: {interval: monthly}
+
+  - package-ecosystem: pip
+    directory: /docs/
+    schedule: {interval: monthly}

.github/filters.yml

@@ -0,0 +1,237 @@
+{
+  "ath79-generic": [
+    "targets/ath79-generic",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ath79-nand": [
+    "targets/ath79-nand",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ath79-mikrotik": [
+    "targets/ath79-mikrotik",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/mikrotik.inc"
+  ],
+  "bcm27xx-bcm2708": [
+    "targets/bcm27xx-bcm2708",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/bcm27xx.inc"
+  ],
+  "bcm27xx-bcm2709": [
+    "targets/bcm27xx-bcm2709",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/bcm27xx.inc"
+  ],
+  "ipq40xx-generic": [
+    "targets/ipq40xx-generic",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ipq40xx-mikrotik": [
+    "targets/ipq40xx-mikrotik",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/mikrotik.inc"
+  ],
+  "ipq806x-generic": [
+    "targets/ipq806x-generic",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "lantiq-xrx200": [
+    "targets/lantiq-xrx200",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "lantiq-xway": [
+    "targets/lantiq-xway",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "mediatek-mt7622": [
+    "targets/mediatek-mt7622",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "mpc85xx-p1010": [
+    "targets/mpc85xx-p1010",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "mpc85xx-p1020": [
+    "targets/mpc85xx-p1020",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ramips-mt7620": [
+    "targets/ramips-mt7620",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ramips-mt7621": [
+    "targets/ramips-mt7621",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "ramips-mt76x8": [
+    "targets/ramips-mt76x8",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "realtek-rtl838x": [
+    "targets/realtek-rtl838x",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "rockchip-armv8": [
+    "targets/rockchip-armv8",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "sunxi-cortexa7": [
+    "targets/sunxi-cortexa7",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "x86-generic": [
+    "targets/x86-generic",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/x86.inc"
+  ],
+  "x86-geode": [
+    "targets/x86-geode",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ],
+  "x86-legacy": [
+    "targets/x86-legacy",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/x86.inc"
+  ],
+  "x86-64": [
+    "targets/x86-64",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/x86.inc",
+    "contrib/ci/minimal-site/**",
+    "package/**"
+  ],
+  "bcm27xx-bcm2710": [
+    "targets/bcm27xx-bcm2710",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+    "targets/bcm27xx.inc"
+  ],
+  "mvebu-cortexa9": [
+    "targets/mvebu-cortexa9",
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk"
+  ]
+}

.github/labeler.yml

@@ -0,0 +1,59 @@
+---
+"3. topic: babel":
+  - package/gluon-l3roamd/**
+  - package/gluon-mesh-babel/**
+  - package/gluon-mmfd/**
+"3. topic: batman-adv":
+  - docs/package/gluon-mesh-batman-adv*
+  - package/gluon-alfred/**
+  - package/gluon-cient-bridge/**
+  - package/gluon-mesh-batman-adv/**
+  - package/libbatadv/**
+"3. topic: build":
+  - Makefile
+  - scripts/**
+"3. topic: config-mode":
+  - docs/dev/web/config-mode.rst
+  - docs/package/gluon-config-mode-*
+  - packge/gluon-config-mode-*/**
+  - package/gluon-web*/**
+"3. topic: continous integration":
+  - .github/workflows/*
+  - contrib/actions/**
+  - contrib/ci/**
+"3. topic: docs":
+  - docs/**
+"3. topic: fastd":
+  - docs/features/fastd*
+  - package/gluon-mesh-vpn-fastd/**
+"3. topic: firewall":
+  - package/**/*-firewall
+  - package/gluon-ebtables-*/**
+"3. topic: hardware":
+  - package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac
+  - package/gluon-core/luasrc/usr/lib/lua/gluon/platform.lua
+  - targets/*
+"3. topic: multidomain":
+  - docs/features/multidomain*
+  - docs/multidomain-site-example/**
+  - package/gluon-config-mode-domain-select/**
+  - package/gluon-scheduled-domain-switch/**
+"3. topic: package":
+  - package/**
+"3. topic: respondd":
+  - package/**/*respondd*
+  - package/gluon-respondd/**
+"3. topic: status-page":
+  - package/gluon-status-page/**
+"3. topic: tests":
+  - tests/**
+"3. topic: tunneldigger":
+  - package/gluon-mesh-vpn-tunneldigger/**
+"3. topic: wireguard":
+  - package/gluon-mesh-vpn-wireguard/**
+"3. topic: wireless":
+  - package/gluon-mesh-wireless-sae/**
+  - package/gluon-private-wifi/**
+  - package/gluon-web-private-wifi/**
+  - package/gluon-web-wifi-config/**
+  - package/gluon-wireless-encryption/**

.github/workflows/backport.yml

@@ -0,0 +1,20 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+permissions:
+  contents: write # so it can comment
+  pull-requests: write # so it can create pull requests
+jobs:
+  backport:
+    name: Backport Pull Request
+    if: github.repository_owner == 'freifunk-gluon' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Create backport PRs
+        uses: korthout/backport-action@v1.2.0
+        with:
+          # Config README: https://github.com/korthout/backport-action#backport-action
+          pull_description: |-
+            Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/build-docs.yml

@@ -0,0 +1,29 @@
+name: Build Documentation
+on:
+  push:
+    paths:
+      - 'docs/**'
+      - '.github/workflows/build-docs.yml'
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'docs**/'
+      - '.github/workflows/build-docs.yml'
+permissions:
+  contents: read
+
+jobs:
+  build-documentation:
+    name: docs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: sudo pip3 install sphinx-rtd-theme
+      - name: Build documentation
+        run: make -C docs html
+      - name: Archive build output
+        uses: actions/upload-artifact@v3
+        with:
+          name: docs_output
+          path: docs/_build/html

.github/workflows/build-gluon.yml

@@ -0,0 +1,61 @@
+name: Build Gluon
+on:
+  push:
+    branches:
+      - master
+      - next*
+      - v20*
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+jobs:
+  changed:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.filter.outputs.changes }}
+    steps:
+      - uses: actions/checkout@v3
+
+      # Filter targets based on changed files
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: .github/filters.yml
+
+  build_firmware:
+    needs: changed
+    if: ${{ needs.changed.outputs.targets != '[]' && needs.changed.outputs.targets != '' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        # Read back changed targets to create build matrix
+        target: ${{ fromJSON(needs.changed.outputs.targets) }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Dependencies
+        run: sudo contrib/actions/install-dependencies.sh
+
+      - name: Build
+        run: contrib/actions/run-build.sh ${{ matrix.target }}
+
+      - name: Archive build logs
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.target }}_logs
+          path: openwrt/logs
+
+      - name: Archive build output
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.target }}_output
+          path: output
+

.github/workflows/check-patches.yml

@@ -0,0 +1,30 @@
+---
+name: Check patches
+on:
+  push:
+    paths:
+      - 'modules'
+      - 'patches/**'
+      - '.github/workflows/check-patches.yml'
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'modules'
+      - 'patches/**'
+      - '.github/workflows/check-patches.yml'
+permissions:
+  contents: read
+
+jobs:
+  check-patches:
+    name: Check patches
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Refresh patches
+        run: make refresh-patches GLUON_SITEDIR="contrib/ci/minimal-site"
+      - name: Show diff
+        run: git status; git diff
+      - name: Patch status
+        run: git diff-files --quiet
+

.github/workflows/labels.yml

@@ -0,0 +1,21 @@
+name: "Label PRs"
+
+on:
+  # only execute base branch actions
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'freifunk-gluon'
+    steps:
+    - uses: actions/labeler@v4
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true

.github/workflows/lint.yml

@@ -0,0 +1,54 @@
+name: Lint
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
+permissions:
+  contents: read
+
+jobs:
+  lua:
+    name: Lua
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: sudo apt-get -y update && sudo apt-get -y install lua-check
+      - name: Install example site
+        run: ln -s ./docs/site-example ./site
+      - name: Lint Lua code
+        run: make lint-lua
+
+  sh:
+    name: Shell
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: sudo apt-get -y update && sudo apt-get -y install shellcheck
+      - name: Install example site
+        run: ln -s ./docs/site-example ./site
+      - name: Lint shell code
+        run: make lint-sh
+
+  editorconfig:
+    name: Editorconfig
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: sudo apt install curl tar
+      - name: Install editorconfig-checker
+        env:
+          VERSION: 2.7.0
+          OS: linux
+          ARCH: amd64
+        run: |
+          curl -O -L -C - https://github.com/editorconfig-checker/editorconfig-checker/releases/download/$VERSION/ec-$OS-$ARCH.tar.gz
+          tar xzf ec-$OS-$ARCH.tar.gz
+          sudo mv ./bin/ec-$OS-$ARCH /usr/bin/editorconfig-checker
+          sudo chmod +x /usr/bin/editorconfig-checker
+      - name: Install example site
+        run: ln -s ./docs/site-example ./site
+      - name: Lint editorconfig
+        run: make lint-editorconfig

.gitignore

@@ -4,3 +4,7 @@
 /site
 /tmp
 /packages
+.bash_history
+.subversion
+.wget-hsts
+/.scmversion

.luacheckrc

@@ -12,6 +12,7 @@ include_files = {
 	"**/*.lua",
 	"package/**/luasrc/**/*",
 	"targets/*",
+	"package/features",
 }
 
 exclude_files = {
@@ -24,14 +25,17 @@ files["package/**/check_site.lua"] = {
 		"extend",
 		"in_domain",
 		"in_site",
+		"value",
 		"need",
 		"need_alphanumeric_key",
 		"need_array",
+		"need_array_elements_exclusive",
 		"need_array_of",
 		"need_boolean",
 		"need_chanlist",
 		"need_domain_name",
 		"need_number",
+		"need_number_range",
 		"need_one_of",
 		"need_string",
 		"need_string_array",
@@ -47,6 +51,7 @@ files["package/**/check_site.lua"] = {
 
 files["package/**/luasrc/lib/gluon/config-mode/*"] = {
 	globals = {
+		"MultiListValue",
 		"DynamicList",
 		"Flag",
 		"Form",
@@ -60,6 +65,7 @@ files["package/**/luasrc/lib/gluon/config-mode/*"] = {
 		"translate",
 		"translatef",
 		"Value",
+		"Element",
 	},
 }
 
@@ -85,20 +91,29 @@ files["package/**/luasrc/lib/gluon/ebtables/*"] = {
 
 files["targets/*"] = {
 	read_globals = {
+		"class",
 		"config",
 		"defaults",
 		"device",
 		"env",
-		"envtrue",
 		"exec",
 		"exec_capture",
 		"exec_capture_raw",
 		"exec_raw",
 		"factory_image",
 		"include",
+		"istrue",
 		"no_opkg",
 		"packages",
 		"sysupgrade_image",
 		"try_config",
 	},
 }
+
+files["package/features"] = {
+	read_globals = {
+		"_",
+		"feature",
+		"when",
+	},
+}

.readthedocs.yml

@@ -0,0 +1,20 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+  configuration: docs/conf.py
+
+# Optionally set the version of Python and requirements required to build your docs
+python:
+   install:
+   - requirements: docs/requirements.txt
+
+build:
+    os: ubuntu-22.04
+    tools:
+        python: "3.8"

.woodpecker.yml

@@ -0,0 +1,30 @@
+workspace:
+  base: /build
+
+#clone:
+# git:
+#   image: woodpeckerci/plugin-git
+#   settings:
+#     recursive: true
+
+pipeline:
+  build-${TARGET}:
+    image: "ubuntu:latest"
+    pull: true
+    environment:
+      - input_version=v2022.1.4
+      - GLUON_SITEDIR=../site
+      - FORCE_UNSAFE_CONFIGURE=1
+      - GLUON_TARGET=${TARGET}
+      - GLUON_DEPRECATED=1
+    commands:
+      - echo ${TARGET}
+      # - git config --global init.defaultBranch main
+      # - sed -i 's/install/install file/' contrib/actions/install-dependencies.sh
+      # - sh contrib/actions/install-dependencies.sh
+      # - sh contrib/actions/run-build.sh ${TARGET}
+
+matrix:
+  TARGET:
+    - ath79-generic
+    - x86-64

CONTRIBUTING.md

@@ -23,8 +23,8 @@ using other parts or why the proposed change breaks other parts of the system.
 They might even refuse the idea altogether - after all, they have to sleep well
 after merging the changes, too.
 
-The preferred way to discuss in the IRC channel ([#gluon] on irc.hackint.org)
+The preferred way to discuss is in the IRC channel ([#gluon] on irc.hackint.org)
-or on the [mailing list], however, you can also open a new issue on Github to
+or on the [mailing list], however, you can also open a new issue on GitHub to
 discuss there. We maintain a [list of rejected features] and we'd like to
 kindly ask you to review it first. In general, looking for duplicates may save
 you some time.

LICENSE

@@ -1,7 +1,7 @@
 The code of Project Gluon may be distributed under the following terms, unless
 noted otherwise in individual files or subtrees.
 
-Copyright (c) 2013-2018, Project Gluon
+Copyright (c) Project Gluon
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -4,31 +4,45 @@ LC_ALL:=C
 LANG:=C
 export LC_ALL LANG
 
+.SHELLFLAGS = -ec
+
 # check for spaces & resolve possibly relative paths
 define mkabspath
- ifneq (1,$(words [$($(1))]))
+   ifneq (1,$(words [$($(1))]))
-  $$(error $(1) must not contain spaces)
+     $$(error $(1) must not contain spaces)
- endif
+   endif
- override $(1) := $(abspath $($(1)))
+   override $(1) := $(abspath $($(1)))
 endef
 
+escape = '$(subst ','\'',$(1))'
+
 GLUON_SITEDIR ?= site
 $(eval $(call mkabspath,GLUON_SITEDIR))
 
-$(GLUON_SITEDIR)/site.mk:
+ifeq ($(realpath $(GLUON_SITEDIR)/site.mk),)
-	$(error No site configuration was found. Please check out a site configuration to $(GLUON_SITEDIR))
+$(error No site configuration was found. Please check out a site configuration to $(GLUON_SITEDIR))
+endif
 
 include $(GLUON_SITEDIR)/site.mk
 
 GLUON_RELEASE ?= $(error GLUON_RELEASE not set. GLUON_RELEASE can be set in site.mk or on the command line)
 
-GLUON_DEPRECATED ?= $(error GLUON_DEPRECATED not set. Please consult the documentation)
+GLUON_DEPRECATED ?= 0
+
+ifneq ($(GLUON_BRANCH),)
+  $(warning *** Warning: GLUON_BRANCH has been deprecated, please set GLUON_AUTOUPDATER_BRANCH and GLUON_AUTOUPDATER_ENABLED instead.)
+  GLUON_AUTOUPDATER_BRANCH ?= $(GLUON_BRANCH)
+  GLUON_AUTOUPDATER_ENABLED ?= 1
+endif
+
+GLUON_AUTOUPDATER_ENABLED ?= 0
 
 # initialize (possibly already user set) directory variables
 GLUON_TMPDIR ?= tmp
 GLUON_OUTPUTDIR ?= output
 GLUON_IMAGEDIR ?= $(GLUON_OUTPUTDIR)/images
 GLUON_PACKAGEDIR ?= $(GLUON_OUTPUTDIR)/packages
+GLUON_DEBUGDIR ?= $(GLUON_OUTPUTDIR)/debug
 GLUON_TARGETSDIR ?= targets
 GLUON_PATCHESDIR ?= patches
 
@@ -39,30 +53,63 @@ $(eval $(call mkabspath,GLUON_PACKAGEDIR))
 $(eval $(call mkabspath,GLUON_TARGETSDIR))
 $(eval $(call mkabspath,GLUON_PATCHESDIR))
 
-GLUON_MULTIDOMAIN ?= 0
+GLUON_VERSION := $(shell scripts/getversion.sh '.')
-GLUON_WLAN_MESH ?= 11s
+GLUON_SITE_VERSION := $(shell scripts/getversion.sh '$(GLUON_SITEDIR)')
-GLUON_DEBUG ?= 0
 
-export GLUON_RELEASE GLUON_REGION GLUON_MULTIDOMAIN GLUON_WLAN_MESH GLUON_DEBUG GLUON_DEPRECATED GLUON_DEVICES \
+GLUON_MULTIDOMAIN ?= 0
-	 GLUON_TARGETSDIR GLUON_PATCHESDIR GLUON_TMPDIR GLUON_IMAGEDIR GLUON_PACKAGEDIR
+GLUON_AUTOREMOVE ?= 0
+GLUON_DEBUG ?= 0
+GLUON_MINIFY ?= 1
+
+# Can be overridden via environment/command line/... to use the Gluon
+# build system for non-Gluon builds
+define GLUON_BASE_FEEDS ?=
+src-link gluon_base ../../package
+endef
+
+GLUON_VARS = \
+	GLUON_VERSION GLUON_SITE_VERSION \
+	GLUON_RELEASE GLUON_REGION GLUON_MULTIDOMAIN GLUON_AUTOREMOVE GLUON_DEBUG GLUON_MINIFY GLUON_DEPRECATED \
+	GLUON_DEVICES GLUON_TARGETSDIR GLUON_PATCHESDIR GLUON_TMPDIR GLUON_IMAGEDIR GLUON_PACKAGEDIR GLUON_DEBUGDIR \
+	GLUON_SITEDIR GLUON_AUTOUPDATER_BRANCH GLUON_AUTOUPDATER_ENABLED GLUON_LANGS GLUON_BASE_FEEDS \
+	GLUON_TARGET BOARD SUBTARGET
+
+unexport $(GLUON_VARS)
+GLUON_ENV = $(foreach var,$(GLUON_VARS),$(var)=$(call escape,$($(var))))
 
 show-release:
 	@echo '$(GLUON_RELEASE)'
 
 
 update: FORCE
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/update.sh
+	@
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/patch.sh
+	export $(GLUON_ENV)
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/feeds.sh
+	scripts/update.sh
+	scripts/patch.sh
+	scripts/feeds.sh
 
 update-patches: FORCE
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/update.sh
+	@
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/update-patches.sh
+	export $(GLUON_ENV)
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/patch.sh
+	scripts/update.sh
+	scripts/update-patches.sh
+	scripts/patch.sh
+
+refresh-patches: FORCE
+	@
+	export $(GLUON_ENV)
+	scripts/update.sh
+	scripts/patch.sh
+	scripts/update-patches.sh
 
 update-feeds: FORCE
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' scripts/feeds.sh
+	@$(GLUON_ENV) scripts/feeds.sh
 
+update-modules: FORCE
+	@scripts/update-modules.sh
+
+update-ci: FORCE
+	@$(GLUON_ENV) scripts/update-ci.sh
 
 GLUON_TARGETS :=
 
@@ -81,105 +128,109 @@ OPENWRTMAKE = $(MAKE) -C openwrt
 BOARD := $(GLUON_TARGET_$(GLUON_TARGET)_BOARD)
 SUBTARGET := $(GLUON_TARGET_$(GLUON_TARGET)_SUBTARGET)
 
-GLUON_CONFIG_VARS := \
-	GLUON_SITEDIR='$(GLUON_SITEDIR)' \
-	GLUON_RELEASE='$(GLUON_RELEASE)' \
-	GLUON_BRANCH='$(GLUON_BRANCH)' \
-	GLUON_LANGS='$(GLUON_LANGS)' \
-	BOARD='$(BOARD)' \
-	SUBTARGET='$(SUBTARGET)'
 
-
+define CheckTarget
-CheckTarget := [ '$(BOARD)' ] \
+	if [ -z '$(BOARD)' ]; then
-	|| (echo 'Please set GLUON_TARGET to a valid target. Gluon supports the following targets:'; $(foreach target,$(GLUON_TARGETS),echo ' * $(target)';) false)
+		echo 'Please set GLUON_TARGET to a valid target. Gluon supports the following targets:'
-
+		for target in $(GLUON_TARGETS); do
-CheckExternal := test -d openwrt || (echo 'You don'"'"'t seem to have obtained the external repositories needed by Gluon; please call `make update` first!'; false)
+			echo " * $$target"
+		done
+		exit 1
+	fi
+endef
 
 define CheckSite
-	@GLUON_SITEDIR='$(GLUON_SITEDIR)' GLUON_SITE_CONFIG='$(1).conf' $(LUA) -e 'assert(dofile("scripts/site_config.lua")(os.getenv("GLUON_SITE_CONFIG")))' \
+	if ! GLUON_SITEDIR='$(GLUON_SITEDIR)' GLUON_SITE_CONFIG='$(1).conf' $(LUA) -e 'assert(dofile("scripts/site_config.lua")(os.getenv("GLUON_SITE_CONFIG")))'; then
-		|| (echo 'Your site configuration ($(1).conf) did not pass validation.'; false)
+		echo 'Your site configuration ($(1).conf) did not pass validation'
-
+		exit 1
+	fi
 endef
 
 list-targets: FORCE
-	@$(foreach target,$(GLUON_TARGETS),echo '$(target)';)
+	@for target in $(GLUON_TARGETS); do
+		echo "$$target"
+	done
 
+lint: lint-editorconfig lint-lua lint-sh
 
-GLUON_DEFAULT_PACKAGES := hostapd-mini
+lint-editorconfig: FORCE
+	@scripts/lint-editorconfig.sh
 
-GLUON_FEATURE_PACKAGES := $(shell scripts/features.sh '$(GLUON_FEATURES)' || echo '__ERROR__')
+lint-lua: FORCE
-ifneq ($(filter __ERROR__,$(GLUON_FEATURE_PACKAGES)),)
+	@scripts/lint-lua.sh
-$(error Error while evaluating GLUON_FEATURES)
-endif
 
-
+lint-sh: FORCE
-GLUON_PACKAGES :=
+	@scripts/lint-sh.sh
-define merge_packages
-  $(foreach pkg,$(1),
-    GLUON_PACKAGES := $$(strip $$(filter-out -$$(patsubst -%,%,$(pkg)) $$(patsubst -%,%,$(pkg)),$$(GLUON_PACKAGES)) $(pkg))
-  )
-endef
-$(eval $(call merge_packages,$(GLUON_DEFAULT_PACKAGES) $(GLUON_FEATURE_PACKAGES) $(GLUON_SITE_PACKAGES)))
 
 
 LUA := openwrt/staging_dir/hostpkg/bin/lua
 
 $(LUA):
-	@$(CheckExternal)
+	+@
 
-	+@[ -e openwrt/.config ] || $(OPENWRTMAKE) defconfig
+	scripts/module_check.sh
-	+@$(OPENWRTMAKE) tools/install
+
-	+@$(OPENWRTMAKE) package/lua/host/compile
+	[ -e openwrt/.config ] || $(OPENWRTMAKE) defconfig
+	$(OPENWRTMAKE) tools/install
+	$(OPENWRTMAKE) package/lua/host/compile
 
 
 config: $(LUA) FORCE
-	@$(CheckExternal)
+	+@
-	@$(CheckTarget)
-	$(foreach conf,site $(patsubst $(GLUON_SITEDIR)/%.conf,%,$(wildcard $(GLUON_SITEDIR)/domains/*.conf)),$(call CheckSite,$(conf)))
 
-	@$(GLUON_CONFIG_VARS) \
+	scripts/module_check.sh
-		$(LUA) scripts/target_config.lua '$(GLUON_TARGET)' '$(GLUON_PACKAGES)' \
+	$(CheckTarget)
-		> openwrt/.config
+	$(foreach conf,site $(patsubst $(GLUON_SITEDIR)/%.conf,%,$(wildcard $(GLUON_SITEDIR)/domains/*.conf)),\
-	+@$(OPENWRTMAKE) defconfig
+		$(call CheckSite,$(conf)); \
+	)
 
-	@$(GLUON_CONFIG_VARS) \
+	$(OPENWRTMAKE) prepare-tmpinfo
-		$(LUA) scripts/target_config_check.lua '$(GLUON_TARGET)' '$(GLUON_PACKAGES)'
+	$(GLUON_ENV) $(LUA) scripts/target_config.lua > openwrt/.config
+	$(OPENWRTMAKE) defconfig
+	$(GLUON_ENV) $(LUA) scripts/target_config_check.lua
+
+
+container: FORCE
+	@scripts/container.sh
 
 
 all: config
-	@$(GLUON_CONFIG_VARS) \
+	+@
-		$(LUA) scripts/clean_output.lua
+	$(GLUON_ENV) $(LUA) scripts/clean_output.lua
-	+@$(OPENWRTMAKE)
+	$(OPENWRTMAKE)
-	@$(GLUON_CONFIG_VARS) \
+	$(GLUON_ENV) $(LUA) scripts/copy_output.lua
-		$(LUA) scripts/copy_output.lua '$(GLUON_TARGET)'
 
 clean download: config
 	+@$(OPENWRTMAKE) $@
 
 dirclean: FORCE
-	+@[ -e openwrt/.config ] || $(OPENWRTMAKE) defconfig
+	+@
-	+@$(OPENWRTMAKE) dirclean
+	[ -e openwrt/.config ] || $(OPENWRTMAKE) defconfig
-	@rm -rf $(GLUON_TMPDIR) $(GLUON_OUTPUTDIR)
+	$(OPENWRTMAKE) dirclean
+	rm -rf $(GLUON_TMPDIR) $(GLUON_OUTPUTDIR)
 
 manifest: $(LUA) FORCE
-	@[ '$(GLUON_BRANCH)' ] || (echo 'Please set GLUON_BRANCH to create a manifest.'; false)
+	@
-	@echo '$(GLUON_PRIORITY)' | grep -qE '^([0-9]*\.)?[0-9]+$$' || (echo 'Please specify a numeric value for GLUON_PRIORITY to create a manifest.'; false)
+	[ '$(GLUON_AUTOUPDATER_BRANCH)' ] || (echo 'Please set GLUON_AUTOUPDATER_BRANCH to create a manifest.'; false)
-	@$(CheckExternal)
+	echo '$(GLUON_PRIORITY)' | grep -qE '^([0-9]*\.)?[0-9]+$$' || (echo 'Please specify a numeric value for GLUON_PRIORITY to create a manifest.'; false)
+	scripts/module_check.sh
 
-	@( \
+	(
-		echo 'BRANCH=$(GLUON_BRANCH)' && \
+		export $(GLUON_ENV)
-		echo "DATE=$$($(LUA) scripts/rfc3339date.lua)" && \
+		echo 'BRANCH=$(GLUON_AUTOUPDATER_BRANCH)'
-		echo 'PRIORITY=$(GLUON_PRIORITY)' && \
+		echo "DATE=$$($(LUA) scripts/rfc3339date.lua)"
-		echo && \
+		echo 'PRIORITY=$(GLUON_PRIORITY)'
-		$(foreach GLUON_TARGET,$(GLUON_TARGETS), \
+		echo
-			GLUON_SITEDIR='$(GLUON_SITEDIR)' $(LUA) scripts/generate_manifest.lua '$(GLUON_TARGET)' && \
+		for target in $(GLUON_TARGETS); do
-		) : \
+			$(LUA) scripts/generate_manifest.lua "$$target"
-	) > 'tmp/$(GLUON_BRANCH).manifest.tmp'
+		done
+	) > 'tmp/$(GLUON_AUTOUPDATER_BRANCH).manifest.tmp'
 
-	@mkdir -p '$(GLUON_IMAGEDIR)/sysupgrade'
+	mkdir -p '$(GLUON_IMAGEDIR)/sysupgrade'
-	@mv 'tmp/$(GLUON_BRANCH).manifest.tmp' '$(GLUON_IMAGEDIR)/sysupgrade/$(GLUON_BRANCH).manifest'
+	mv 'tmp/$(GLUON_AUTOUPDATER_BRANCH).manifest.tmp' '$(GLUON_IMAGEDIR)/sysupgrade/$(GLUON_AUTOUPDATER_BRANCH).manifest'
 
 FORCE: ;
 
 .PHONY: FORCE
 .NOTPARALLEL:
+.ONESHELL:

README.md

@@ -1,12 +1,21 @@
-Documentation (incomplete at this time, contribute if you can!) may be found at
+[![Build Gluon](https://github.com/freifunk-gluon/gluon/actions/workflows/build-gluon.yml/badge.svg?branch=master)](https://github.com/freifunk-gluon/gluon/actions/workflows/build-gluon.yml)
-https://gluon.readthedocs.io/.
+[![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg)](https://opensource.org/license/bsd-2-clause/)
+[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/freifunk-gluon/gluon?sort=semver)](https://github.com/freifunk-gluon/gluon/releases/latest)
+
+# Gluon
+
+Gluon is a firmware framework to build preconfigured OpenWrt images for public mesh networks.
+
+## Getting started
+
+We have a huge amount of documentation over at https://gluon.readthedocs.io/.
 
 If you're new to Gluon and ready to get your feet wet, have a look at the
 [Getting Started Guide](https://gluon.readthedocs.io/en/latest/user/getting_started.html).
 
 Gluon's developers frequent an IRC chatroom at [#gluon](ircs://irc.hackint.org/#gluon)
 on [hackint](https://hackint.org/). There is also a [webchat](https://webirc.hackint.org/#irc://irc.hackint.org/#gluon)
-that allows for access from within your browser.
+that allows for uncomplicated access from within your browser. This channel is also available as a bridged Matrix Room at [#gluon:hackint.org](https://matrix.to/#/#gluon:hackint.org).
 
 ## Issues & Feature requests
 
@@ -21,10 +30,10 @@ the future development of Gluon.
 
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2019.1 && make update`.
+and switch to one by running `git checkout v2022.1 && make update`.
 
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
-If you upgrade using random master commits the nodes *will break* eventually.
+If you upgrade using random master commits the nodes *might break* eventually.
 
 ## Mailinglist
 

contrib/Dockerfile

@@ -1,26 +0,0 @@
-FROM debian:buster-slim
-
-RUN apt update && apt install -y --no-install-recommends \
-    ca-certificates \
-    file \
-    git \
-    subversion \
-    python \
-    build-essential \
-    gawk \
-    unzip \
-    libncurses5-dev \
-    zlib1g-dev \
-    libssl-dev \
-    libelf-dev \
-    wget \
-    time \
-    ecdsautils \
-    lua-check \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN useradd -d /gluon gluon
-USER gluon
-
-VOLUME /gluon
-WORKDIR /gluon

contrib/actions/generate-target-filters.py

@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+# Update target filters using
+#   make update-ci
+
+import re
+import os
+import sys
+import json
+
+# these changes trigger rebuilds on all targets
+common = [
+    "modules",
+    "Makefile",
+    "patches/**",
+    "scripts/**",
+    "targets/generic",
+    "targets/targets.mk",
+]
+
+# these changes are only built on x86-64
+extra = [
+    "contrib/ci/minimal-site/**",
+    "package/**"
+]
+
+_filter = dict()
+
+# INCLUDE_PATTERN matches:
+# include '...'
+# include "..."
+# include("...")
+# include('...')
+INCLUDE_PATTERN = "^\\s*include *\\(? *[\"']([^\"']+)[\"']"
+
+# construct filters map from stdin
+for target in sys.stdin:
+    target = target.strip()
+
+    _filter[target] = [
+        f"targets/{target}"
+    ] + common
+
+    target_file = os.path.join(os.environ['GLUON_TARGETSDIR'], target)
+    with open(target_file) as f:
+        includes = re.findall(INCLUDE_PATTERN, f.read(), re.MULTILINE)
+        _filter[target].extend([f"targets/{i}" for i in includes])
+
+    if target == "x86-64":
+        _filter[target].extend(extra)
+
+# print filters to stdout in json format, because json is stdlib and yaml compatible.
+print(json.dumps(_filter, indent=2))

contrib/actions/install-dependencies.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+apt-get -y update
+apt-get -y install git build-essential python3 gawk unzip libncurses5-dev zlib1g-dev libssl-dev libelf-dev wget rsync time qemu-utils
+apt-get -y clean
+rm -rf /var/lib/apt/lists/*

contrib/actions/run-build.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+export BROKEN=1
+export GLUON_AUTOREMOVE=1
+export GLUON_DEPRECATED=1
+export GLUON_SITEDIR="contrib/ci/minimal-site"
+export GLUON_TARGET="$1"
+export BUILD_LOG=1
+
+make update
+make -j2 V=s

contrib/ci/minimal-site/i18n

@@ -0,0 +1 @@
+../../../docs/site-example/i18n/

contrib/ci/minimal-site/modules

@@ -0,0 +1 @@
+../../../docs/site-example/modules

contrib/ci/minimal-site/site.conf

@@ -0,0 +1,180 @@
+-- This is an example site configuration for Gluon v2022.1
+--
+-- Take a look at the documentation located at
+-- https://gluon.readthedocs.io/ for details.
+--
+-- This configuration will not work as is. You're required to make
+-- community specific changes to it!
+{
+  -- Used for generated hostnames, e.g. freifunk-abcdef123456. (optional)
+  -- hostname_prefix = 'freifunk-',
+
+  -- Name of the community.
+  site_name = 'Continuous Integration',
+
+  -- Shorthand of the community.
+  site_code = 'ci',
+
+  -- 32 bytes of random data, encoded in hexadecimal
+  -- This data must be unique among all sites and domains!
+  -- Can be generated using: echo $(hexdump -v -n 32 -e '1/1 "%02x"' </dev/urandom)
+  domain_seed = 'e9608c4ff338b920992d629190e9ff11049de1dfc3f299eac07792dfbcda341c',
+
+  -- Prefixes used within the mesh.
+  -- prefix6 is required, prefix4 can be omitted if next_node.ip4
+  -- is not set.
+  prefix4 = '10.0.0.0/20',
+  prefix6 = 'fd::/64',
+
+  -- Timezone of your community.
+  -- See https://openwrt.org/docs/guide-user/base-system/system_configuration#time_zones
+  timezone = 'CET-1CEST,M3.5.0,M10.5.0/3',
+
+  -- List of NTP servers in your community.
+  -- Must be reachable using IPv6!
+  --  ntp_servers = {'1.ntp.services.ffxx'},
+
+  -- Wireless regulatory domain of your community.
+  regdom = 'DE',
+
+  -- Wireless configuration for 2.4 GHz interfaces.
+  wifi24 = {
+    -- Wireless channel.
+    channel = 1,
+
+    -- ESSIDs used for client network.
+    ap = {
+      ssid = 'gluon-ci-ssid',
+      -- disabled = true, -- (optional)
+
+      -- Configuration for a backward compatible OWE network below.
+      owe_ssid = 'owe.gluon-ci-ssid', -- (optional - SSID for OWE client network)
+      owe_transition_mode = true, -- (optional - enables transition-mode - requires ssid as well as owe_ssid)
+    },
+
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp', -- usually you don't want users to connect to this mesh-SSID, so use a cryptic id that no one will accidentally mistake for the client WiFi
+      mcast_rate = 12000,
+      -- disabled = true, -- (optional)
+    },
+  },
+
+  -- Wireless configuration for 5 GHz interfaces.
+  -- This should be equal to the 2.4 GHz variant, except
+  -- for channel.
+  wifi5 = {
+    channel = 44,
+    outdoor_chanlist = '100-140',
+    ap = {
+      ssid = 'gluon-ci-ssid',
+    },
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp',
+      mcast_rate = 12000,
+    },
+  },
+
+  mesh = {
+    vxlan = true,
+    batman_adv = {
+      routing_algo = 'BATMAN_IV',
+    },
+  },
+
+  -- The next node feature allows clients to always reach the node it is
+  -- connected to using a known IP address.
+  next_node = {
+    -- anycast IPs of all nodes
+    -- name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip4 = '10.0.0.1',
+    ip6 = 'fd::1',
+  },
+
+  -- Options specific to routing protocols (optional)
+  -- mesh = {
+    -- Options specific to the batman-adv routing protocol (optional)
+    -- batman_adv = {
+      -- Gateway selection class (optional)
+      -- The default class 20 is based on the link quality (TQ) only,
+      -- class 1 is calculated from both the TQ and the announced bandwidth
+      -- gw_sel_class = 1,
+    -- },
+  -- },
+
+  mesh_vpn = {
+    -- enabled = true,
+
+    fastd = {
+      -- Refer to https://fastd.readthedocs.io/en/latest/ to better understand
+      -- what these options do.
+
+      -- List of crypto-methods to use.
+      methods = {'salsa2012+umac'},
+      mtu = 1312,
+      -- configurable = true,
+      -- syslog_level = 'warn',
+
+      groups = {
+        backbone = {
+          -- Limit number of connected peers to reduce bandwidth.
+          limit = 1,
+
+          -- List of peers.
+          peers = {
+          },
+
+          -- Optional: nested peer groups
+          -- groups = {
+            -- backbone_sub = {
+              -- ...
+            -- },
+          -- ...
+          -- },
+        },
+        -- Optional: additional peer groups, possibly with other limits
+        -- backbone2 = {
+          -- ...
+        -- },
+      },
+    },
+
+    bandwidth_limit = {
+      -- The bandwidth limit can be enabled by default here.
+      enabled = false,
+
+      -- Default upload limit (kbit/s).
+      egress = 200,
+
+      -- Default download limit (kbit/s).
+      ingress = 3000,
+    },
+  },
+
+  autoupdater = {
+    -- Default branch (optional), can be overridden by setting GLUON_AUTOUPDATER_BRANCH when building.
+    -- Set GLUON_AUTOUPDATER_ENABLED to enable the autoupdater by default for newly installed nodes.
+    branch = 'stable',
+
+    -- List of branches. You may define multiple branches.
+    branches = {
+      stable = {
+        name = 'stable',
+
+        -- List of mirrors to fetch images from. IPv6 required!
+        mirrors = {'http://1.updates.services.ffhl/stable/sysupgrade'},
+
+        -- Number of good signatures required.
+        -- Have multiple maintainers sign your build and only
+        -- accept it when a sufficient number of them have
+        -- signed it.
+        good_signatures = 0,
+
+        -- List of public keys of maintainers.
+        pubkeys = {
+        },
+      },
+    },
+  },
+}

contrib/ci/minimal-site/site.mk

@@ -0,0 +1 @@
+../../../docs/site-example/site.mk

contrib/ci/olsr-site/i18n

@@ -0,0 +1 @@
+../minimal-site/i18n

contrib/ci/olsr-site/modules

@@ -0,0 +1 @@
+../minimal-site/modules

contrib/ci/olsr-site/site.conf

@@ -0,0 +1,176 @@
+-- This is an example site configuration for Gluon v2022.1
+--
+-- Take a look at the documentation located at
+-- https://gluon.readthedocs.io/ for details.
+--
+-- This configuration will not work as is. You're required to make
+-- community specific changes to it!
+{
+  -- Used for generated hostnames, e.g. freifunk-abcdef123456. (optional)
+  -- hostname_prefix = 'freifunk-',
+
+  -- Name of the community.
+  site_name = 'Continuous Integration',
+
+  -- Shorthand of the community.
+  site_code = 'ci',
+
+  -- 32 bytes of random data, encoded in hexadecimal
+  -- This data must be unique among all sites and domains!
+  -- Can be generated using: echo $(hexdump -v -n 32 -e '1/1 "%02x"' </dev/urandom)
+  domain_seed = 'e9608c4ff338b920992d629190e9ff11049de1dfc3f299eac07792dfbcda341c',
+
+  -- Prefixes used by clients within the mesh.
+  -- prefix6 is required, prefix4 can be omitted if next_node.ip4
+  -- is not set.
+  prefix6 = 'fdff:cafe:cafe:cafe::/64',
+
+  -- Prefixes used by nodes within the mesh
+  node_prefix6 = 'fdff:cafe:cafe:cafe::/64',
+
+  -- Timezone of your community.
+  -- See https://openwrt.org/docs/guide-user/base-system/system_configuration#time_zones
+  timezone = 'CET-1CEST,M3.5.0,M10.5.0/3',
+
+  -- List of NTP servers in your community.
+  -- Must be reachable using IPv6!
+  --  ntp_servers = {'1.ntp.services.ffxx'},
+
+  -- Wireless regulatory domain of your community.
+  regdom = 'DE',
+
+  -- Wireless configuration for 2.4 GHz interfaces.
+  wifi24 = {
+    -- Wireless channel.
+    channel = 1,
+
+    -- ESSIDs used for client network.
+    ap = {
+      ssid = 'gluon-ci-ssid',
+      -- disabled = true, -- (optional)
+
+      -- Configuration for a backward compatible OWE network below.
+      owe_ssid = 'owe.gluon-ci-ssid', -- (optional - SSID for OWE client network)
+      owe_transition_mode = true, -- (optional - enables transition-mode - requires ssid as well as owe_ssid)
+    },
+
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp', -- usually you don't want users to connect to this mesh-SSID, so use a cryptic id that no one will accidentally mistake for the client WiFi
+      mcast_rate = 12000,
+      -- disabled = true, -- (optional)
+    },
+  },
+
+  -- Wireless configuration for 5 GHz interfaces.
+  -- This should be equal to the 2.4 GHz variant, except
+  -- for channel.
+  wifi5 = {
+    channel = 44,
+    outdoor_chanlist = '100-140',
+    ap = {
+      ssid = 'gluon-ci-ssid',
+      -- disabled = true, -- (optional)
+
+      -- Configuration for a backward compatible OWE network below.
+      owe_ssid = 'owe.gluon-ci-ssid', -- (optional - SSID for OWE client network)
+      owe_transition_mode = true, -- (optional - enables transition-mode - requires ssid as well as owe_ssid)
+    },
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp',
+      mcast_rate = 12000,
+    },
+  },
+
+
+  -- The next node feature allows clients to always reach the node it is
+  -- connected to using a known IP address.
+  next_node = {
+    -- anycast IPs of all nodes
+    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip4 = '10.0.0.1',
+    ip6 = 'fd::1',
+  },
+
+  -- Options specific to routing protocols (optional)
+  mesh = {
+    vxlan = true,
+    olsrd = {},
+  },
+
+  mesh_vpn = {
+    -- enabled = true,
+
+    fastd = {
+      -- Refer to https://fastd.readthedocs.io/en/latest/ to better understand
+      -- what these options do.
+
+      -- List of crypto-methods to use.
+      methods = {'salsa2012+umac'},
+      mtu = 1312,
+      -- configurable = true,
+      -- syslog_level = 'warn',
+
+      groups = {
+        backbone = {
+          -- Limit number of connected peers to reduce bandwidth.
+          limit = 1,
+
+          -- List of peers.
+          peers = {
+          },
+
+          -- Optional: nested peer groups
+          -- groups = {
+            -- backbone_sub = {
+              -- ...
+            -- },
+          -- ...
+          -- },
+        },
+        -- Optional: additional peer groups, possibly with other limits
+        -- backbone2 = {
+          -- ...
+        -- },
+      },
+    },
+
+    bandwidth_limit = {
+      -- The bandwidth limit can be enabled by default here.
+      enabled = false,
+
+      -- Default upload limit (kbit/s).
+      egress = 200,
+
+      -- Default download limit (kbit/s).
+      ingress = 3000,
+    },
+  },
+
+  autoupdater = {
+    -- Default branch (optional), can be overridden by setting GLUON_AUTOUPDATER_BRANCH when building.
+    -- Set GLUON_AUTOUPDATER_ENABLED to enable the autoupdater by default for newly installed nodes.
+    branch = 'stable',
+
+    -- List of branches. You may define multiple branches.
+    branches = {
+      stable = {
+        name = 'stable',
+
+        -- List of mirrors to fetch images from. IPv6 required!
+        mirrors = {'http://1.updates.services.ffhl/stable/sysupgrade'},
+
+        -- Number of good signatures required.
+        -- Have multiple maintainers sign your build and only
+        -- accept it when a sufficient number of them have
+        -- signed it.
+        good_signatures = 0,
+
+        -- List of public keys of maintainers.
+        pubkeys = {
+        },
+      },
+    },
+  },
+}

contrib/ci/olsr-site/site.mk

@@ -0,0 +1,57 @@
+##	gluon site.mk makefile example
+
+##	GLUON_FEATURES
+#		Specify Gluon features/packages to enable;
+#		Gluon will automatically enable a set of packages
+#		depending on the combination of features listed
+
+GLUON_FEATURES := \
+	autoupdater \
+	ebtables-filter-multicast \
+	ebtables-filter-ra-dhcp \
+	ebtables-limit-arp \
+	mesh-olsrd \
+	mesh-vpn-fastd \
+	respondd \
+	status-page \
+	web-advanced \
+	web-wizard
+
+GLUON_FEATURES_standard := \
+  wireless-encryption-wpa3
+
+##	GLUON_SITE_PACKAGES
+#		Specify additional Gluon/OpenWrt packages to include here;
+#		A minus sign may be prepended to remove a packages from the
+#		selection that would be enabled by default or due to the
+#		chosen feature flags
+
+GLUON_SITE_PACKAGES := iwinfo
+
+##	DEFAULT_GLUON_RELEASE
+#		version string to use for images
+#		gluon relies on
+#			opkg compare-versions "$1" '>>' "$2"
+#		to decide if a version is newer or not.
+
+DEFAULT_GLUON_RELEASE := 0.6+exp$(shell date '+%Y%m%d')
+
+# Variables set with ?= can be overwritten from the command line
+
+##	GLUON_RELEASE
+#		call make with custom GLUON_RELEASE flag, to use your own release version scheme.
+#		e.g.:
+#			$ make images GLUON_RELEASE=23.42+5
+#		would generate images named like this:
+#			gluon-ff%site_code%-23.42+5-%router_model%.bin
+
+GLUON_RELEASE ?= $(DEFAULT_GLUON_RELEASE)
+
+# Default priority for updates.
+GLUON_PRIORITY ?= 0
+
+# Region code required for some images; supported values: us eu
+GLUON_REGION ?= eu
+
+# Languages to include
+GLUON_LANGS ?= en de

contrib/depdot.sh

@@ -5,8 +5,7 @@
 #  * Works only if directory names and package names are the same (true for all Gluon packages)
 #  * Doesn't show dependencies through virtual packages correctly
 
-
+set -e
-
 shopt -s nullglob
 
 

contrib/docker/Dockerfile

@@ -0,0 +1,36 @@
+FROM debian:bullseye-slim
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    file \
+    git \
+    python3 \
+    build-essential \
+    gawk \
+    unzip \
+    libncurses5-dev \
+    zlib1g-dev \
+    libssl-dev \
+    libelf-dev \
+    wget \
+    rsync \
+    time \
+    qemu-utils \
+    ecdsautils \
+    lua-check \
+    shellcheck \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /tmp/ec &&\
+    wget -O /tmp/ec/ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/download/2.7.0/ec-linux-amd64.tar.gz &&\
+    tar -xvzf /tmp/ec/ec-linux-amd64.tar.gz &&\
+    mv bin/ec-linux-amd64 /usr/local/bin/editorconfig-checker &&\
+    rm -rf /tmp/ec
+
+RUN useradd -d /gluon gluon
+USER gluon
+
+VOLUME /gluon
+WORKDIR /gluon

contrib/i18n-scan.pl

@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use Text::Balanced qw(extract_bracketed extract_delimited extract_tagged);
 
-@ARGV >= 1 || die "Usage: $0 <source direcory>\n";
+@ARGV >= 1 || die "Usage: $0 <source directory>\n";
 
 
 my %stringtable;
@@ -79,7 +79,7 @@ if( open F, "find @ARGV -type f '(' -name '*.html' -o -name '*.lua' ')' |" )
 				{
 					my $stag = quotemeta $1;
 					my $etag = $stag;
-					   $etag =~ s/\[/]/g;
+					$etag =~ s/\[/]/g;
 
 					( $res ) = extract_tagged($code, $stag, $etag);
 

contrib/lsupgrade.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+set -e
 # Script to list all upgrade scripts in a clear manner
 # Limitations:
 #  * Does only show scripts of packages whose `files'/`luasrc' directories represent the whole image filesystem (which are all Gluon packages)
@@ -27,7 +28,7 @@ fi
 
 pushd "$(dirname "$0")/.." >/dev/null
 
-find ./package packages -name Makefile | while read makefile; do
+find ./package packages -name Makefile | grep -v '^packages/packages/' | while read -r makefile; do
 	dir="$(dirname "$makefile")"
 
 	pushd "$dir" >/dev/null
@@ -36,13 +37,12 @@ find ./package packages -name Makefile | while read makefile; do
 	dirname="$(dirname "$dir" | cut -d/ -f 3-)"
 	package="$(basename "$dir")"
 
-	for file in "${SUFFIX1}"/*; do
+	for file in "${SUFFIX1}"/* "${SUFFIX2}"/*; do
-		echo "${GREEN}$(basename "${file}")${RESET}" "(${BLUE}${repo}${RESET}/${dirname}${dirname:+/}${RED}${package}${RESET}/${SUFFIX1})"
+		basename="$(basename "${file}")"
-	done
+		suffix="$(dirname "${file}")"
-	for file in "${SUFFIX2}"/*; do
+		printf "%s\t%s\n" "${basename}" "${BLUE}${repo}${RESET}/${dirname}${dirname:+/}${RED}${package}${RESET}/${suffix}/${GREEN}${basename}${RESET}"
-		echo "${GREEN}$(basename "${file}")${RESET}" "(${BLUE}${repo}${RESET}/${dirname}${dirname:+/}${RED}${package}${RESET}/${SUFFIX2})"
 	done
 	popd >/dev/null
-done | sort
+done | sort | cut -f2-
 
 popd >/dev/null

contrib/push_pkg.sh

@@ -0,0 +1,149 @@
+#!/bin/sh
+
+set -e
+
+topdir="$(realpath "$(dirname "${0}")/../openwrt")"
+
+# defaults to qemu run script
+ssh_host=localhost
+build_only=0
+preserve_config=1
+
+print_help() {
+	echo "$0 [OPTIONS] PACAKGE_DIR [PACKAGE_DIR] ..."
+	echo ""
+	echo " -h          print this help"
+	echo " -r HOST     use a remote machine as target machine. By default if this"
+	echo "             option is not given, push_pkg.sh will use a locally"
+	echo "             running qemu instance started by run_qemu.sh."
+	echo " -p PORT     use PORT as ssh port (default is 22)"
+	echo " -b          build only, do not push"
+	echo " -P          do not preserve /etc/config. By default, if a package"
+	echo "             defines a config file in /etc/config, this config file"
+	echo "             will be preserved. If you specify this flag, the package"
+	echo "             default will be installed instead."
+	echo ""
+	echo ' To change gluon variables, run e.g. "make config GLUON_MINIFY=0"'
+	echo ' because then the gluon logic will be triggered, and openwrt/.config'
+	echo ' will be regenerated. The variables from openwrt/.config are already'
+	echo ' automatically used for this script.'
+	echo
+}
+
+while getopts "p:r:hbP" opt
+do
+	case $opt in
+		P) preserve_config=0;;
+		p) ssh_port="${OPTARG}";;
+		r) ssh_host="${OPTARG}"; [ -z "$ssh_port" ] && ssh_port=22;;
+		b) build_only=1;;
+		h) print_help; exit 0;;
+		*) ;;
+	esac
+done
+shift $(( OPTIND - 1 ))
+
+[ -z "$ssh_port" ] && ssh_port=2223
+
+if [ "$build_only" -eq 0 ]; then
+	remote_info=$(ssh -p "${ssh_port}" "root@${ssh_host}" '
+		source /etc/os-release
+		printf "%s\\t%s\\n" "$OPENWRT_BOARD" "$OPENWRT_ARCH"
+	')
+	REMOTE_OPENWRT_BOARD="$(echo "$remote_info" | cut -f 1)"
+	REMOTE_OPENWRT_ARCH="$(echo "$remote_info" | cut -f 2)"
+
+	# check target
+	if ! grep -q "CONFIG_TARGET_ARCH_PACKAGES=\"${REMOTE_OPENWRT_ARCH}\"" "${topdir}/.config"; then
+		echo "Configured OpenWrt Target is not matching with the target machine!" 1>&2
+		echo
+		printf "%s" "    Configured architecture: " 1>&2
+		grep "CONFIG_TARGET_ARCH_PACKAGES" "${topdir}/.config" 1>&2
+		echo "Target machine architecture: ${REMOTE_OPENWRT_ARCH}" 1>&2
+		echo 1>&2
+		echo "To switch the local with the run with the corresponding GLUON_TARGET:"  1>&2
+		echo "  make GLUON_TARGET=... config" 1>&2
+		exit 1
+	fi
+fi
+
+if [ $# -lt 1 ]; then
+	echo ERROR: Please specify a PACKAGE_DIR. For example:
+	echo
+	echo " \$ $0 package/gluon-core"
+	exit 1
+fi
+
+while [ $# -gt 0 ]; do
+
+	pkgdir="$1"; shift
+	echo "Package: ${pkgdir}"
+
+	if ! [ -f "${pkgdir}/Makefile" ]; then
+		echo "ERROR: ${pkgdir} does not contain a Makefile"
+		exit 1
+	fi
+
+	if ! grep -q BuildPackage "${pkgdir}/Makefile"; then
+		echo "ERROR: ${pkgdir}/Makefile does not contain a BuildPackage command"
+		exit 1
+	fi
+
+	opkg_packages="$(make TOPDIR="${topdir}" -C "${pkgdir}" DUMP=1 | awk '/^Package: / { print $2 }')"
+
+	search_package() {
+		find "$2" -name "$1_*.ipk" -printf '%f\n'
+	}
+
+	make TOPDIR="${topdir}" -C "${pkgdir}" clean
+	make TOPDIR="${topdir}" -C "${pkgdir}" compile
+
+	if [ "$build_only" -eq 1 ]; then
+		continue
+	fi
+
+	# IPv6 addresses need brackets around the ${ssh_host} for scp!
+	if echo "${ssh_host}" | grep -q :; then
+		BL=[
+		BR=]
+	fi
+
+	for pkg in ${opkg_packages}; do
+
+		for feed in "${topdir}/bin/packages/${REMOTE_OPENWRT_ARCH}/"*/ "${topdir}/bin/targets/${REMOTE_OPENWRT_BOARD}/packages/"; do
+			printf "%s" "searching ${pkg} in ${feed}: "
+			filename=$(search_package "${pkg}" "${feed}")
+			if [ -n "${filename}" ]; then
+				echo found!
+				break
+			else
+				echo not found
+			fi
+		done
+
+		if [ "$preserve_config" -eq 0 ]; then
+			opkg_flags=" --force-maintainer"
+		fi
+
+		# shellcheck disable=SC2029
+		if [ -n "$filename" ]; then
+			scp -O -P "${ssh_port}" "$feed/$filename" "root@${BL}${ssh_host}${BR}:/tmp/${filename}"
+			ssh -p "${ssh_port}" "root@${ssh_host}" "
+				set -e
+				echo Running opkg:
+				opkg install --force-reinstall ${opkg_flags} '/tmp/${filename}'
+				rm '/tmp/${filename}'
+				gluon-reconfigure
+			"
+		else
+			# Some packages (e.g. procd-seccomp) seem to contain BuildPackage commands
+			# which do not generate *.ipk files. Till this point, I am not aware why
+			# this is happening. However, dropping a warning if the corresponding
+			# *.ipk is not found (maybe due to other reasons as well), seems to
+			# be more reasonable than aborting. Before this commit, the command
+			# has failed.
+			echo "Warning: ${pkg}*.ipk not found! Ignoring." 1>&2
+		fi
+
+	done
+done

contrib/run_qemu.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Note: You can exit the qemu instance by first pressing "CTRL + a" then "c".
+#       Then you enter the command mode of qemu and can exit by typing "quit".
+
+qemu-system-x86_64 \
+	-d 'cpu_reset' \
+	-enable-kvm \
+	-gdb tcp::1234 \
+	-nographic \
+	-netdev user,id=wan,hostfwd=tcp::2223-10.0.2.15:22 \
+	-device virtio-net-pci,netdev=wan,addr=0x06,id=nic1 \
+	-netdev user,id=lan,hostfwd=tcp::6080-192.168.1.1:80,hostfwd=tcp::2222-192.168.1.1:22,net=192.168.1.100/24 \
+	-device virtio-net-pci,netdev=lan,addr=0x05,id=nic2 \
+	"$@"

contrib/sign.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-if [ $# -ne 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o ! -r "$2" ]; then
+if [ $# -ne 2 ] || [ "-h" = "$1" ] || [ "--help" = "$1" ] || [ ! -r "$1" ] || [ ! -r "$2" ]; then
 	cat <<EOHELP
 Usage: $0 <secret> <manifest>
 
@@ -29,11 +29,22 @@ lower="$(mktemp)"
 
 trap 'rm -f "$upper" "$lower"' EXIT
 
-awk 'BEGIN    { sep=0 }
+awk 'BEGIN    {
-     /^---$/ { sep=1; next }
+	sep = 0
-              { if(sep==0) print > "'"$upper"'";
+}
-                else       print > "'"$lower"'"}' \
+
-    "$manifest"
+/^---$/ {
+	sep = 1;
+	next
+}
+
+{
+	if(sep == 0) {
+		print > "'"$upper"'"
+	} else {
+		print > "'"$lower"'"
+	}
+}' "$manifest"
 
 ecdsasign "$upper" < "$SECRET" >> "$lower"
 

contrib/sigtest.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-if [ $# -eq 0 -o "-h" = "$1" -o "-help" = "$1" -o "--help" = "$1" ]; then
+if [ $# -eq 0 ] || [ "-h" = "$1" ] || [ "-help" = "$1" ] || [ "--help" = "$1" ]; then
-    cat <<EOHELP
+	cat <<EOHELP
 Usage: $0 <public> <signed manifest>
 
 sigtest.sh checks if a manifest is signed by the public key <public>. There is
@@ -12,7 +12,7 @@ See also:
  * https://gluon.readthedocs.io/en/latest/features/autoupdater.html
 
 EOHELP
-    exit 1
+	exit 1
 fi
 
 public="$1"
@@ -21,18 +21,29 @@ upper="$(mktemp)"
 lower="$(mktemp)"
 ret=1
 
-awk "BEGIN    { sep=0 }
+awk 'BEGIN    {
-    /^---\$/ { sep=1; next }
+	sep = 0
-              { if(sep==0) print > \"$upper\";
+}
-                else       print > \"$lower\"}" \
-    "$manifest"
 
-while read line
+/^---$/ {
+	sep = 1;
+	next
+}
+
+{
+	if(sep == 0) {
+		print > "'"$upper"'"
+	} else {
+		print > "'"$lower"'"
+	}
+}' "$manifest"
+
+while read -r line
 do
-    if ecdsaverify -s "$line" -p "$public" "$upper"; then
+	if ecdsaverify -s "$line" -p "$public" "$upper"; then
-        ret=0
+		ret=0
-        break
+		break
-    fi
+	fi
 done < "$lower"
 
 rm -f "$upper" "$lower"

docs/_static/css/custom.css

@@ -0,0 +1,10 @@
+/*
+	This fixes the vertical position of list markers when the first
+	element in the <li> is a <pre> block
+
+	Scrolling inside the <pre> block is still working as expected
+*/
+.rst-content pre.literal-block,
+.rst-content div[class^='highlight'] pre {
+	overflow: visible;
+}

docs/conf.py

@@ -20,11 +20,11 @@
 # -- Project information -----------------------------------------------------
 
 project = 'Gluon'
-copyright = '2015-2019, Project Gluon'
+copyright = 'Project Gluon'
 author = 'Project Gluon'
 
 # The short X.Y version
-version = '2018.2+'
+version = '2022.1'
 # The full version, including alpha/beta/rc tags
 release = version
 
@@ -58,7 +58,7 @@ master_doc = 'index'
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -71,6 +71,13 @@ pygments_style = None
 # Don't highlight code blocks unless requested explicitly
 highlight_language = 'none'
 
+# Ignore links to the config mode, as well as anchors on on hackint, which are
+# used to mark channel names and do not exist. Regular links are not effected.
+linkcheck_ignore = [
+    'http://192.168.1.1',
+    'https://webirc.hackint.org/#'
+]
+
 
 # -- Options for HTML output -------------------------------------------------
 
@@ -89,7 +96,7 @@ html_theme = 'sphinx_rtd_theme'
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
 #
-# html_static_path = ['_static']
+html_static_path = ['_static']
 
 # Custom sidebar templates, must be a dictionary that maps document names
 # to template names.
@@ -101,6 +108,10 @@ html_theme = 'sphinx_rtd_theme'
 #
 # html_sidebars = {}
 
+# These paths are either relative to html_static_path
+# or fully qualified paths (eg. https://...)
+html_css_files = ['css/custom.css']
+
 
 # -- Options for HTMLHelp output ---------------------------------------------
 
@@ -133,7 +144,7 @@ latex_elements = {
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
     (master_doc, 'Gluon.tex', 'Gluon Documentation',
-     'Project Gluon', 'manual'),
+    'Project Gluon', 'manual'),
 ]
 
 
@@ -143,7 +154,7 @@ latex_documents = [
 # (source start file, name, description, authors, manual section).
 man_pages = [
     (master_doc, 'gluon', 'Gluon Documentation',
-     [author], 1)
+    [author], 1)
 ]
 
 
@@ -154,8 +165,8 @@ man_pages = [
 #  dir menu entry, description, category)
 texinfo_documents = [
     (master_doc, 'Gluon', 'Gluon Documentation',
-     author, 'Gluon', 'One line description of project.',
+    author, 'Gluon', 'One line description of project.',
-     'Miscellaneous'),
+    'Miscellaneous'),
 ]
 
 

docs/dev/basics.rst

@@ -23,6 +23,7 @@ webbrowser. You're welcome to join us!
 .. _hackint: https://hackint.org/
 .. _webchat: https://webirc.hackint.org/#irc://irc.hackint.org/#gluon
 
+.. _working-with-repositories:
 
 Working with repositories
 -------------------------
@@ -32,7 +33,7 @@ rerun
 
 ::
 
-	make update
+  make update
 
 `make update` also applies the patches that can be found in the directories found in
 `patches`; the resulting branch will be called `patched`, while the commit specified in `modules`
@@ -44,7 +45,7 @@ using
 
 ::
 
-	make update-patches
+  make update-patches
 
 If applying a patch fails because you have changed the base commit, the repository will be reset to the old `patched` branch
 and you can try rebasing it onto the new `base` branch yourself and after that call `make update-patches` to fix the problem.
@@ -52,6 +53,14 @@ and you can try rebasing it onto the new `base` branch yourself and after that c
 Always call `make update-patches` after making changes to a module repository as `make update` will overwrite your
 commits, making `git reflog` the only way to recover them!
 
+::
+
+  make refresh-patches
+
+In order to refresh patches when updating feeds or the OpenWrt base, `make refresh-patches` applies and updates all of their patches without installing feed packages to the OpenWrt build system.
+
+This command speeds up the maintenance of updating OpenWrt and feeds.
+
 Development Guidelines
 ----------------------
 Lua should be used instead of sh whenever sensible. The following criteria
@@ -67,5 +76,10 @@ apply:
 
 - use tabs instead of spaces
 - trailing whitespaces must be eliminated
+- files need to end with a final newline
+- newlines need to have Unix line endings (lf)
+
+To that end we provide a ``.editorconfig`` configuration, which is supported by most
+of the editors out there.
 
 If you add Lua scripts to gluon, check formatting with ``luacheck``.

docs/dev/build.rst

@@ -0,0 +1,104 @@
+Build system
+============
+
+This page explains internals of the Gluon build system. It is currently very
+incomplete; please contribute if you can!
+
+Feed management
+---------------
+
+Rather that relying on the *feed.conf* mechanism of OpenWrt directly, Gluon
+manages its feeds (*"modules"*) using a collection of scripts. This solution was
+selected for multiple reasons:
+
+- Feeds lists from Gluon base and the site repository are combined
+- Patchsets are applied to downloaded feed repositories automatically
+
+The following variables specifically affect the feed management:
+
+GLUON_FEEDS
+    List of base feeds; defined in file *modules* in Gluon base
+
+GLUON_SITE_FEED
+    List of site feeds; defined in file *modules* in site config
+
+\*_REPO, \*_BRANCH, \*_COMMIT
+    Git repository URL, branch and
+    commit ID of the feeds to use. The branch name may be omitted; the default
+    branch will be used in this case.
+
+GLUON_BASE_FEEDS
+    Additional feed definitions to be added to *feeds.conf*
+    verbatim. By default, this contains a reference to the Gluon base packages;
+    when using the Gluon build system to build a non-Gluon system, the variable
+    can be set to the empty string.
+
+Helper scripts
+--------------
+
+Several tasks of the build process have been separated from the Makefile into
+external scripts, which are stored in the *scripts* directory. This was done to
+ease maintenance of these scripts and the Makefile, by avoiding a lot of escaping.
+These scripts are either bash or Lua scripts that run on the build system.
+
+default_feeds.sh
+    Defines the constant ``DEFAULT_FEEDS`` with the names of all feeds listed in
+    *openwrt/feeds.conf.default*. This script is only used as an include by other
+    scripts.
+
+feeds.sh
+    Creates the *openwrt/feeds.conf* file from ``FEEDS`` and ``DEFAULT_FEEDS``. The
+    feeds from ``FEEDS`` are linked to the matching subfolder of *packages/* and not
+    explicitly defined feeds of ``DEFAULT_FEEDS`` are setup as dummy (src-dummy).
+    This *openwrt/feeds.conf* is used to reinstall all packages of all feeds with
+    the *openwrt/scripts/feeds* tool.
+
+modules.sh
+    Defines the constants ``GLUON_MODULES`` and ``FEEDS`` by reading the *modules*
+    files of the Gluon repository root and the site configuration. The returned
+    variables look like:
+
+    - ``FEEDS``: "*feedA feedB ...*"
+    - ``GLUON_MODULES``: "*openwrt packages/feedA packages/feedB ...*"
+
+    This script is only used as an include by other scripts.
+
+patch.sh
+    (Re-)applies the patches from the *patches* directory to all ``GLUON_MODULES``
+    and checks out the files to the filesystem.
+    This is done for each repo by:
+
+    - creating a temporary clone of the repo to patch
+      - only branch *base* is used
+    - applying all patches via *git am* on top of this temporary *base* branch
+      - this branch is named *patched*
+    - copying the temporary clone to the *openwrt* (for OpenWrt Base) or
+      *packages* (for feeds) folder
+      - *git fetch* is used with the temporary clone as source
+      - *git checkout* is called to update the filesystem
+    - updating all git submodules
+
+    This solution with a temporary clone ensures that the timestamps of checked
+    out files are not changed by any intermediate patch steps, but only when
+    updating the checkout with the final result. This avoids triggering unnecessary
+    rebuilds.
+
+update.sh
+    Sets up a working clone of the ``GLUON_MODULES`` (external repos) from the external
+    source and installs it into *packages/* directory. It simply tries to set the *base*
+    branch of the cloned repo to the correct commit. If this fails it fetches the
+    upstream branch and tries again to set the local *base* branch.
+
+getversion.sh
+    Used to determine the version numbers of the repositories of Gluon and the
+    site configuration, to be included in the built firmware images as
+    */lib/gluon/gluon-version* and */lib/gluon/site-version*.
+
+    By default, this uses ``git describe`` to generate a version number based
+    on the last git tag. This can be overridden by putting a file called
+    *.scmversion* into the root of the respective repositories.
+
+    A command like ``rm -f .scmversion; echo "$(./scripts/getversion.sh .)" > .scmversion``
+    can be used before applying local patches to ensure that the reported
+    version numbers refer to an upstream commit ID rather than an arbitrary
+    local one after ``git am``.

docs/dev/debugging.rst

@@ -0,0 +1,51 @@
+Debugging
+=========
+
+
+.. _dev-debugging-kernel-oops:
+
+Kernel Oops
+-----------
+
+Sometimes a running Linux kernel detects an error during runtime that can't
+be corrected.
+This usually generates a stack trace that points to the location in the code
+that caused the oops.
+
+Linux kernels in Gluon (and OpenWrt) are stripped.
+That means they do not contain any debug symbols.
+On one hand this leads to a smaller binary and faster loading times on the
+target.
+On the other hand this means that in a case of a stack trace the unwinder
+can only print memory locations and no further debugging information.
+
+Gluon stores a compressed kernel with debug symbols for every target
+in the directory `output/debug/`.
+These kernels should be kept along with the images as long as the images
+are in use.
+This allows the developer to analyse a stack trace later.
+
+Decoding Stacktraces
+....................
+
+The tooling is contained in the kernel source tree in the file
+`decode_stacktrace.sh <https://github.com/torvalds/linux/blob/master/scripts/decode_stacktrace.sh>`__.
+This file and the needed source tree are available in the directory: ::
+
+  openwrt/build_dir/target-<architecture>/linux-<architecture>/linux-<version>/
+
+.. note::
+  Make sure to use a kernel tree that matches the version and patches
+  that was used to build the kernel.
+  If in doubt just re-build the images for the target.
+
+Some more information on how to use this tool can be found at
+`LWN <https://lwn.net/Articles/592724/>`__.
+
+Obtaining Stacktraces
+.....................
+
+On many targets stack traces can be read from the following
+location after reboot: ::
+
+  /sys/kernel/debug/crashlog

docs/dev/hardware.rst

@@ -1,144 +1,238 @@
-Adding support for new hardware
+Adding hardware support
-===============================
+=======================
 This page will give a short overview on how to add support
 for new hardware to Gluon.
 
 Hardware requirements
 ---------------------
-Having an ath9k (or ath10k) based WLAN adapter is highly recommended,
+Having an ath9k, ath10k or mt76 based WLAN adapter is highly recommended,
 although other chipsets may also work. VAP (multiple SSID) support
-is a requirement.
+with simultaneous AP + Mesh Point (802.11s) operation is required.
 
+Device checklist
+----------------
+The description of pull requests adding device support must include the
+`device integration checklist
+<https://github.com/freifunk-gluon/gluon/wiki/Device-Integration-checklist>`_.
+The checklist ensures that core functionality of Gluon is well supported on the
+device.
 
-.. _hardware-adding-profiles:
+.. _device-class-definition:
 
-Adding profiles
+Device classes
----------------
+--------------
-The vast majority of devices with ath9k WLAN is based on the ar71xx target of OpenWrt.
+All supported hardware is categorized into "device classes". This allows to
-If the hardware you want to add support for is ar71xx, adding a new profile
+adjust the feature set of Gluon to the different hardware's capabilities via
-is sufficient.
+``site.mk`` without having to list individual devices.
 
-Profiles are defined in ``targets/*`` in a shell-based DSL (so common shell
+There are currently two devices classes defined: "standard" and "tiny". The
-command syntax like ``if`` can be used).
+"tiny" class contains all devices that do not meet the following requirements:
 
-The ``device`` command is used to define an image build for a device. It takes
+- At least 7 MiB of usable firmware space
-two or three parameters.
+- At least 64 MiB of RAM (128MiB for devices with ath10k radio)
 
-The first parameter defines the Gluon profile name, which is used to refer to the
+Target configuration
-device and is part of the generated image name. The profile name must be same as
+--------------------
-the output of the following command (on the target device), so the autoupdater
+Gluon's hardware support is based on OpenWrt's. For each supported target,
-can work::
+a configuration file exists at ``targets/<target>-<subtarget>`` (or just
+``target/<target>`` for targets without subtargets) that contains all
+Gluon-specific settings for the target. The generic configuration
+``targets/generic`` contains settings that affect all targets.
 
-    lua -e 'print(require("platform_info").get_image_name())'
+All targets must be listed in ``target/targets.mk``.
 
-While porting Gluon to a new device, it might happen that the profile name is
+The target configuration language is based on Lua, so Lua's syntax for variables
-unknown. Best practise is to generate an image first by using an arbitrary value
+and control structures can be used.
-and then executing the lua command on the device and use its output from then on.
 
-The second parameter defines the name of the image files generated by OpenWrt. Usually,
+Device definitions
-it is also the OpenWrt profile name; for devices that still use the old image build
+~~~~~~~~~~~~~~~~~~
-code, a third parameter with the OpenWrt profile name can be passed. The profile names
+To configure a device to be built for Gluon, the ``device`` function is used.
-can be found in the image Makefiles in ``openwrt/target/linux/<target>/image/Makefile``.
+In the simplest case, only two arguments are passed, for example:
 
-Examples::
+.. code-block:: lua
 
-    device tp-link-tl-wr1043n-nd-v1 tl-wr1043nd-v1
+  device('tp-link-tl-wdr3600-v1', 'tplink_tl-wdr3600-v1')
-    device alfa-network-hornet-ub hornet-ub HORNETUB
+
+The first argument is the device name in Gluon, which is part of the output
+image filename, and must correspond to the model string looked up by the
+autoupdater. The second argument is the corresponding device profile name in
+OpenWrt, as found in ``openwrt/target/linux/<target>/image/*``.
+
+A table of additional settings can be passed as a third argument:
+
+.. code-block:: lua
+
+  device('ubiquiti-edgerouter-x', 'ubnt_edgerouter-x', {
+    factory = false,
+    packages = {'-hostapd-mini'},
+    manifest_aliases = {
+      'ubnt-erx',
+    },
+  })
+
+The supported additional settings are described in the following sections.
 
 Suffixes and extensions
-'''''''''''''''''''''''
+~~~~~~~~~~~~~~~~~~~~~~~
+For many targets, OpenWrt generates images with the suffixes
+``-squashfs-factory.bin`` and ``-squashfs-sysupgrade.bin``. For devices with
+different image names, is it possible to override the suffixes and extensions
+using the settings ``factory``, ``factory_ext``, ``sysupgrade`` and
+``sysupgrade_ext``, for example:
 
-By default, image files are expected to have the extension ``.bin``. In addition,
+.. code-block:: lua
-the images generated by OpenWrt have a suffix before the extension that defaults to
-``-squashfs-factory`` and ``-squashfs-sysupgrade``.
 
-This can be changed using the ``factory`` and ``sysupgrade`` commands, either at
+  {
-the top of the file to set the defaults for all images, or for a single image. There
+    factory = '-squashfs-combined',
-are three forms with 0 to 2 arguments (all work with ``sysupgrade`` as well)::
+    factory_ext = '.img.gz',
+    sysupgrade = '-squashfs-combined',
+    sysupgrade_ext = '.img.gz',
+  }
 
-    factory SUFFIX .EXT
+Only settings that differ from the defaults need to be passed. ``factory`` and
-    factory .EXT
+``sysupgrade`` can be set to ``false`` when no such images exist.
-    factory
 
-When only an extension is given, the default suffix is retained. When no arguments
+For some device types, there are multiple factory images with different
-are given, this signals that no factory (or sysupgrade) image exists.
+extensions. ``factory_ext`` can be set to a table of strings to account for this
+case:
 
-Aliases
+.. code-block:: lua
-'''''''
 
-Sometimes multiple models use the same OpenWrt images. In this case, the ``alias``
+  {
-command can be used to create symlinks and additional entries in the autoupdater
+    factory_ext = {'.img.gz', '.vmdk', '.vdi'},
-manifest for the alternative models.
+  }
 
-Standalone images
+TODO: Extra images
-'''''''''''''''''
 
-On targets without *per-device rootfs* support in OpenWrt, the commands described above
+Aliases and manifest aliases
-can't be used. Instead, ``factory_image`` and ``sysupgrade_image`` are used::
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Sometimes multiple devices exist that use the same OpenWrt images. To make it
+easier to find these images, the ``aliases`` setting can be used to define
+additional device names. Gluon will create symlinks for these names in the
+image output directory.
 
-    factory_image PROFILE IMAGE .EXT
+.. code-block:: lua
-    sysupgrade_image PROFILE IMAGE .EXT
 
-Again, the profile name must match the value printed by the aforementioned Lua
+  device('aruba-ap-303', 'aruba_ap-303', {
-command. The image name must match the part between the target name and the extension
+    factory = false,
-as generated by OpenWrt and is to be omitted when no such part exists.
+    aliases = {'aruba-instant-on-ap11'},
+  })
 
-Packages
+The aliased name will also be added to the autoupdate manifest, allowing upgrade
-''''''''
+images to be found under the different name on targets that perform model name
+detection at runtime.
 
-The ``packages`` command takes an arbitrary number of arguments. Each argument
+It is also possible to add alternative names to the autoupdater manifest without
-defines an additional package to include in the images in addition to the default
+creating a symlink by using ``manifest_aliases`` instead of ``aliases``, which
-package sets defined by OpenWrt. When a package name is prefixed by a minus sign, the
+should be done when the alternative name does not refer to a separate device.
-packages are excluded instead.
+This is particularly useful to allow the autoupdater to work when the model name
+changed between Gluon versions.
 
-The ``packages`` command may be used at the top of a target definition to modify
+Package lists
-the default package list for all images, or just for a single device (when the
+~~~~~~~~~~~~~
-target supports *per-default rootfs*).
+Gluon generates lists of packages that are installed in all images based on a
+default list and the features and packages specified in the site configuration.
 
+In addition, OpenWrt defines additional per-device package lists. These lists
+may be modified in Gluon's device definitions, for example to include additional
+drivers and firmware, or to remove unneeded software. Packages to remove are
+prefixed with a ``-`` character.
 
-Configuration
+For many ath10k-based devices, this is used to replace the "CT" variant of
-'''''''''''''
+ath10k with the mainline-based version:
 
-The ``config`` command allows to add arbitrary target-specific OpenWrt configuration
+.. code-block:: lua
-to be emitted to ``.config``.
 
-Notes
+  local ATH10K_PACKAGES_QCA9880 = {
-'''''
+    'kmod-ath10k',
+    '-kmod-ath10k-ct',
+    '-kmod-ath10k-ct-smallbuffers',
+    'ath10k-firmware-qca988x',
+    '-ath10k-firmware-qca988x-ct',
+  }
+  device('openmesh-a40', 'openmesh_a40', {
+    packages = ATH10K_PACKAGES_QCA9880,
+    factory = false,
+  })
 
-On devices with multiple WLAN adapters, care must also be taken that the primary MAC address is
+This example also shows how to define a local variable, allowing the package
-configured correctly. ``/lib/gluon/core/sysconfig/primary_mac`` should contain the MAC address which
+list to be reused for multiple devices.
-can be found on a label on most hardware; if it does not, ``/lib/gluon/upgrade/010-primary-mac``
-in ``gluon-core`` might need a fix. (There have also been cases in which the address was incorrect
-even on devices with only one WLAN adapter, in these cases a OpenWrt bug was the cause).
 
+Device flags
+~~~~~~~~~~~~
 
-Adding support for new hardware targets
+The settings ``class``, ``deprecated`` or ``broken`` should be set according to
----------------------------------------
+the device support status. The default values are as follows:
 
-Adding a new target is much more complex than adding a new profile. There are two basic steps
+.. code-block:: lua
-required for adding a new target:
 
-Package adjustments
+  {
-'''''''''''''''''''
+    class = 'standard',
+    deprecated = false,
+    broken = false,
+  }
 
-One package that may need adjustments for new targets is ``libplatforminfo`` (to be found in
+- Device classes are described in :ref:`device-class-definition`
-`packages/gluon/libs/libplatforminfo <https://github.com/freifunk-gluon/packages/tree/master/libs/libplatforminfo>`_).
+- Broken devices are untested or do not meet our requirements as given by the
-If the new platform works fine with the definitions found in ``default.c``, nothing needs to be done. Otherwise,
+  device checklist
-create a definition for the added target or subtarget, either by symlinking one of the files in the ``templates``
+- Deprecated devices are slated for removal in a future Gluon version due to
-directory, or adding a new source file.
+  hardware constraints
 
-On many targets, Gluon's network setup scripts (mainly in the package ``gluon-core``)
+Global settings
-won't run correctly without some adjustments, so better double check that everything is fine there (and the files
+~~~~~~~~~~~~~~~
-``primary_mac``, ``lan_ifname`` and ``wan_ifname`` in ``/lib/gluon/core/sysconfig/`` contain sensible values).
+There is a number of directives that can be used outside of a ``device()``
+definition:
 
-Build system support
+- ``include('filename')``: Include another file with global settings
-''''''''''''''''''''
+- ``config(key, value)``: Set a config symbol in OpenWrt's ``.config``. Value
+  may be a string, number, boolean, or nil. Booleans and nil are used for
+  tristate symbols, where nil sets the symbol to ``m``.
+- ``try_config(key, value)``: Like ``config()``, but do not fail if setting
+  the symbol is not possible (usually because its dependencies are not met)
+- ``packages { 'package1', '-package2', ... }``: Define a list of packages to
+  add or remove for all devices of a target. Package lists passed to multiple
+  calls of ``packages`` will be aggregated.
+- ``defaults { key = value, ... }``: Set default values for any of the
+  additional settings that can be passed to ``device()``.
 
-A definition for the new target must be created under ``targets``, and it must be added
+Helper functions
-to ``targets/targets.mk``. The ``GluonTarget`` macro takes one to three arguments:
+~~~~~~~~~~~~~~~~
-the target name, the Gluon subtarget name (if the target has subtargets), and the
+The following helpers can be used in the target configuration:
-OpenWrt subtarget name (if it differs from the Gluon subtarget). The third argument
-can be used to define multiple Gluon targets with different configuration for the
-same OpenWrt target, like it is done for the ``ar71xx-tiny`` target.
 
-After this, is should be sufficient to call ``make GLUON_TARGET=<target>`` to build the images for the new target.
+- ``env.KEY`` allows to access environment variables
+- ``istrue(value)`` returns true if the passed string is a positive number
+  (often used with ``env``, for example ``if istrue(env.GLUON_DEBUG) then ...``)
+
+Hardware support in packages
+----------------------------
+In addition to the target configuration files, some device-specific changes may
+be required in packages.
+
+gluon-core
+~~~~~~~~~~
+- ``/lib/gluon/upgrade/010-primary-mac``: Override primary MAC address selection
+
+  Usually, the primary (label) MAC address is defined in OpenWrt's Device Trees.
+  For devices or targets where this is not the case, it is possible to specify
+  what interface to take the primary MAC address from in ``010-primary-mac``.
+
+- ``/lib/gluon/upgrade/020-interfaces``: Override LAN/WAN interface assignment
+
+  On PoE-powered devices, the PoE input port should be "WAN".
+
+- ``/usr/lib/lua/gluon/platform.lua``: Contains a list of outdoor devices
+
+gluon-setup-mode
+~~~~~~~~~~~~~~~~
+- ``/lib/gluon/upgrade/320-setup-ifname``: Contains a list of devices that use
+  the WAN port for the config mode
+
+  On PoE-powered devices, the PoE input port should be used for the config
+  mode. This is handled correctly by default for outdoor devices listed in
+  ``platform.lua``.
+
+libplatforminfo
+~~~~~~~~~~~~~~~
+When adding support for a new target to Gluon, it may be necessary to adjust
+libplatforminfo to define how autoupdater image names are derived from the
+model name.

docs/dev/mac_addresses.rst

@@ -10,9 +10,9 @@ Gluon tries to solve this issue by using a hash of the primary MAC address as a
 
 * 0: client0; WAN
 * 1: mesh0
-* 2: ibss0
+* 2: owe0
 * 3: wan_radio0 (private WLAN); batman-adv primary address
 * 4: client1; LAN
 * 5: mesh1
-* 6: ibss1
+* 6: owe1
 * 7: wan_radio1 (private WLAN); mesh VPN

docs/dev/packages.rst

@@ -3,6 +3,88 @@ Package development
 
 Gluon packages are OpenWrt packages and follow the same rules described at https://openwrt.org/docs/guide-developer/packages.
 
+Development workflow
+====================
+
+When you are developing packages, it often happens that you iteratively want to deploy
+and verify the state your development. There are two ways to verify your changes:
+
+1)
+  One way is to rebuild the complete firmware, flash it, configure it and verify your
+  development then. This usually takes at least a few minutes to get your changes
+  working so you can test them. Especially if you iterate a lot, this becomes tedious.
+
+2)
+  Another way is to rebuild only the package you are currently working on and
+  to deploy this package to your test system. Here not even a reboot is required.
+  This makes iterating relatively fast. Your test system could be real hardware or
+  even a qemu in most cases.
+
+Gluon provides scripts to enhance workflow 2). Here is an example illustrating
+the workflow using these scripts:
+
+.. code-block:: shell
+
+  # start a local qemu instance
+  contrib/run_qemu.sh output/images/factory/[...]-x86-64.img
+
+  # apply changes to the desired package
+  vi package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+
+  # rebuild and push the package to the qemu instance
+  contrib/push_pkg.sh package/gluon-ebtables/
+
+  # test your changes
+  ...
+
+  # do more changes
+  ...
+
+  # rebuild and push the package to the qemu instance
+  contrib/push_pkg.sh package/gluon-ebtables/
+
+  # test your changes
+  ...
+
+  (and so on...)
+
+  # see help of the script for more information
+  contrib/push_pkg.sh -h
+  ...
+
+Features of ``push_pkg.sh``:
+
+* Works with compiled and non-compiled packages.
+
+  * This means it can be used in the development of C-code, Lua-Code and mostly any other code.
+
+* Works with native OpenWrt and Gluon packages.
+* Pushes to remote machines or local qemu instances.
+* Pushes multiple packages in in one call if desired.
+* Performs site.conf checks.
+
+Implementation details of ``push_pkg.sh``:
+
+* First, the script builds an opkg package using the OpenWrt build system.
+* This package is pushed to a *target machine* using scp:
+
+  * By default the *target machine* is a locally running x86 qemu started using ``run_qemu.sh``.
+  * The *target machine* can also be remote machine. (See the cli switch ``-r``)
+  * Remote machines are not limited to a specific architecture. All architectures supported by gluon can be used as remote machines.
+
+* Finally opkg is used to install/update the packages in the target machine.
+
+  * While doing this, it will not override ``/etc/config`` with package defaults by default. (See the cli switch ``-P``).
+  * While doing this, opkg calls the ``check_site.lua`` from the package as post_install script to validate the ``site.conf``. This means that the ``site.conf`` of the target machine is used for this validation.
+
+Note that:
+
+* ``push_pkg.sh`` does neither build nor push dependencies of the packages automatically. If you want to update dependencies, you must explicitly specify them to be pushed.
+* If you add new packages, you must run ``make update config GLUON_TARGET=...``.
+* You can change the gluon target of the target machine via ``make config GLUON_TARGET=...``.
+* If you want to update the ``site.conf`` of the target machine, use ``push_pkg.sh package/gluon-site/``.
+* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-ebtables/clean; make package/gluon-ebtables/compile; cd ..``.
+* You can exit qemu by pressing ``CTRL + a`` and ``c`` afterwards.
 
 Gluon package makefiles
 =======================
@@ -71,44 +153,62 @@ Feature flags
 =============
 
 Feature flags provide a convenient way to define package selections without
-making it necessary to list each package explicitly.
+making it necessary to list each package explicitly. The list of features to
+enable for a Gluon build is set by the *GLUON_FEATURES* variable in *site.mk*.
 
 The main feature flag definition file is ``package/features``, but each package
 feed can provide additional definitions in a file called ``features`` at the root
 of the feed repository.
 
-Each flag *$flag* without any explicit definition will simply include the package
+Each flag *$flag* will include the package the name *gluon-$flag* by default.
-with the name *gluon-$flag* by default. The feature definition file can modify
+The feature definition file can modify the package selection by adding or removing
-the package selection in two ways:
+packages when certain combinations of flags are set.
 
-* The *nodefault* function suppresses default of including the *gluon-$flag*
+Feature definitions use Lua syntax. Two basic functions are defined:
-  package
+
-* The *packages* function adds a list of packages (or removes, when package
+* *feature(name, pkgs)*: Defines a new feature. *feature()* expects a feature
-  names are prepended with minus signs) when a given logical expression
+  (flag) name and a list of packages to add or remove when the feature is
-  is satisfied
+  enabled.
+
+  * Defining a feature using *feature* replaces the default definition of
+    just including *gluon-$flag*.
+  * A package is removed when the package name is prefixed with a ``-`` (after
+    the opening quotation mark).
+
+* *when(expr, pkgs)*: Adds or removes packages when a given logical expression
+  of feature flags is satisfied.
+
+  * *expr* is a logical expression composed of feature flag names (each prefixed
+    with an underscore before the opening quotation mark), logical operators
+    (*and*, *or*, *not*) and parentheses.
+  * Referencing a feature flag in *expr* has no effect on the default handling
+    of the flag. When no *feature()* entry for a flag exists, it will still
+    add *gluon-$flag* by default.
+  * *pkgs* is handled as for *feature()*.
 
 Example::
 
-    nodefault 'web-wizard'
+    feature('web-wizard', {
+      'gluon-config-mode-hostname',
+      'gluon-config-mode-geo-location',
+      'gluon-config-mode-contact-info',
+      'gluon-config-mode-outdoor',
+    })
 
-    packages 'web-wizard' \
+    when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger'), {
-      'gluon-config-mode-hostname' \
+      'gluon-config-mode-mesh-vpn',
-      'gluon-config-mode-geo-location' \
+    })
-      'gluon-config-mode-contact-info'
+
+    feature('no-radvd', {
+      '-gluon-radvd',
+    })
 
-    packages 'web-wizard & (mesh-vpn-fastd | mesh-vpn-tunneldigger)' \
-      'gluon-config-mode-mesh-vpn'
 
 This will
 
-* disable the inclusion of a (non-existent) package called *gluon-web-wizard*
+* disable the inclusion of the (non-existent) packages *gluon-web-wizard* and *gluon-no-radvd* when their
-* enable three config mode packages when the *web-wizard* feature is enabled
+  corresponding feature flags appear in *GLUON_FEATURES*
+* enable four additional config mode packages when the *web-wizard* feature is enabled
 * enable *gluon-config-mode-mesh-vpn* when both *web-wizard* and one
   of *mesh-vpn-fastd* and *mesh-vpn-tunneldigger* are enabled
-
+* disable the *gluon-radvd* package when *gluon-no-radvd* is enabled
-Supported syntax elements of logical expressions are:
-
-* \& (and)
-* \| (or)
-* \! (not)
-* parentheses

docs/dev/uplink.rst

@@ -1,5 +1,5 @@
-WAN support
+Uplink support
-===========
+==============
 
 As the WAN port of a node will be connected to a user's private network, it
 is essential that the node only uses the WAN when it is absolutely necessary.
@@ -11,6 +11,12 @@ There are two cases in which the WAN port is used:
 After the VPN connection has been established, the node should be able to reach
 the mesh's DNS servers and use these for all other name resolution.
 
+If a device has only a single Ethernet port (or group of ports), it will be
+used as an uplink port even when it is not labelled as "WAN" by default. This
+behavior can be controlled using the ``interfaces.single.default_roles``
+site.conf option. It is also possible to alter the interface assignment after
+installation by modifying ``/etc/config/gluon`` and running
+``gluon-reconfigure``.
 
 Routing tables
 ~~~~~~~~~~~~~~

docs/dev/web/controller.rst

@@ -74,8 +74,7 @@ Useful functions:
   - *header* (*key*, *value*): Adds an HTTP header to the reply to be sent to
     the client. Has no effect when non-header data has already been written.
   - *prepare_content* (*mime*): Sets the *Content-Type* header to the given MIME
-    type, potentially setting additional headers or modifying the MIME type to
+    type
-    accommodate browser quirks
   - *write* (*data*, ...): Sends the given data to the client. If headers have not
     been sent, it will be done before the data is written.
 

docs/features/autoupdater.rst

@@ -7,8 +7,11 @@ Building Images
 ---------------
 
 By default, the autoupdater is disabled (as it is usually not helpful to have unexpected updates
-during development), but it can be enabled by setting the variable GLUON_BRANCH when building
+during development), but it can be enabled by setting the variable ``GLUON_AUTOUPDATER_ENABLED`` to ``1`` when building.
-to override the default branch set in the site configuration.
+It is also possible to override the default branch during build using the variable ``GLUON_AUTOUPDATER_BRANCH``.
+
+If a default branch is set neither in *site.conf* nor via ``GLUON_AUTOUPDATER_BRANCH``, the default branch is
+implementation-defined. Currently, the branch with the first name in alphabetical order is chosen.
 
 A manifest file for the updater can be generated with `make manifest`. A signing script (using
 ``ecdsautils``) can be found in the `contrib` directory. When creating the manifest, the
@@ -27,20 +30,42 @@ in ``site.mk``, care must be taken to pass the same ``GLUON_RELEASE`` to ``make
 as otherwise the generated manifest will be incomplete.
 
 
+Manifest format
+------------------------
+
+The manifest starts with a short header, followed by the list of firmwares and signatures.
+The header contains the following information:
+
+.. code-block:: sh
+
+    BRANCH=stable
+    DATE=2020-10-07 00:00:00+02:00
+    PRIORITY=7
+
+- ``BRANCH`` is the autoupdater branch name that needs to match the nodes configuration.
+- ``DATE`` specifies when the time period for the update begins. Nodes will do their regular update during a random minute
+  between 4:00 and 4:59 am. Nodes might not always have a reliable NTP synchronization, which is why a fallback mechanism
+  exists, that checks for an update, and will execute if ``DATE`` is at least 24h in the past.
+- ``PRIORITY`` can be configured as ``GLUON_PRIORITY`` when generating the manifest or in ``site.mk``, and defines
+  the number of days over which the update should be stretched out after ``DATE``. Nodes will calculate a probability
+  based on the time left to determine when to update.
+
+
 Automated nightly builds
 ------------------------
 
 A fully automated nightly build could use the following commands:
 
-::
+.. code-block:: sh
 
     git pull
-    (git -C site pull)
+    # git -C site pull
     make update
-    make clean GLUON_TARGET=ar71xx-generic
+    make clean GLUON_TARGET=ath79-generic
     NUM_CORES_PLUS_ONE=$(expr $(nproc) + 1)
-    make -j$NUM_CORES_PLUS_ONE GLUON_TARGET=ar71xx-generic GLUON_BRANCH=experimental GLUON_RELEASE=$GLUON_RELEASE
+    make -j$NUM_CORES_PLUS_ONE GLUON_TARGET=ath79-generic GLUON_RELEASE=$GLUON_RELEASE \
-    make manifest GLUON_BRANCH=experimental GLUON_RELEASE=$GLUON_RELEASE
+        GLUON_AUTOUPDATER_BRANCH=experimental GLUON_AUTOUPDATER_ENABLED=1
+    make manifest GLUON_RELEASE=$GLUON_RELEASE GLUON_AUTOUPDATER_BRANCH=experimental
     contrib/sign.sh $SECRETKEY output/images/sysupgrade/experimental.manifest
 
     rm -rf /where/to/put/this/experimental
@@ -74,16 +99,16 @@ These commands can be used on a node:
 
 ::
 
-   # Update with some probability
+  # Update with some probability
-   autoupdater
+  autoupdater
 
 ::
 
-   # Force update check, even when the updater is disabled
+  # Force update check, even when the updater is disabled
-   autoupdater -f
+  autoupdater -f
 
 ::
 
-   # If fallback is true the updater will perform an update only if the timespan
+  # If fallback is true the updater will perform an update only if the timespan
-   # PRIORITY days (as defined in the manifest) and another 24h have passed
+  # PRIORITY days (as defined in the manifest) and another 24h have passed
-   autoupdater --fallback
+  autoupdater --fallback

docs/features/configmode.rst

@@ -14,10 +14,13 @@ Activating Config Mode
 ----------------------
 
 Config Mode is automatically entered at the first boot. You can re-enter
-Config Mode by pressing and holding the RESET/WPS button for about three
+Config Mode by pressing and holding the RESET/WPS/DECT button for about three
 seconds. The device should reboot (all LEDs will turn off briefly) and
 Config Mode will be available.
 
+If you have access to the console of the node, there is the
+``gluon-enter-setup-mode`` command, which reboots a node into Config Mode.
+
 
 Port Configuration
 ------------------

docs/features/dns-cache.rst

@@ -0,0 +1,51 @@
+DNS caching
+===========
+
+User experience may be greatly improved when dns is accelerated. Also, it
+seems like a good idea to keep the number of packages being exchanged
+between node and gateway as small as possible. In order to do this, a
+DNS cache may be used on a node. The dnsmasq instance listening on port
+53 on the node will be reconfigured to answer requests, use a list of
+upstream servers and a specific cache size if the options listed below are
+added to site.conf. Upstream servers are the DNS servers which are normally
+used by the nodes to resolve hostnames (e.g. gateways/supernodes).
+
+There are the following settings:
+    servers
+    cacheentries
+
+To use the node's DNS server, both options should be set. The node will cache at
+most 'cacheentries' many DNS records in RAM. The 'servers' list will be used to
+resolve the received DNS queries if the request cannot be answered from
+cache. Gateways should announce the "next node" address via DHCP and RDNSS (if
+any). Note that not setting 'servers' here will lead to DNS not working: Once
+the gateways all announce the "next node" address for DNS, there is no way for
+nodes to automatically determine DNS servers. They have to be baked into the
+firmware.
+
+If these settings do not exist, the cache is not initialized and RAM usage will
+not increase.
+
+When next_node.name is set, an A record and an AAAA record for the
+next-node IP address are placed in the dnsmasq configuration. This means that
+the content of next_node.name may be resolved even without upstream connectivity.
+It is suggested to use the same name as the DNS server provides:
+e.g. nextnode.location.community.example.org (This way the name also works if a
+client uses static DNS Servers). Hint: If next_node.name does not contain a dot
+some browsers would open the searchpage instead.
+
+::
+
+  dns = {
+    cacheentries = 5000,
+    servers = { '2001:db8::1', },
+  },
+
+  next_node = {
+    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip6 = '2001:db8:8::1',
+    ip4 = '198.51.100.1',
+  }
+
+
+Each cache entry will occupy about 90 bytes of RAM.

docs/features/dns-forwarder.rst

@@ -1,26 +0,0 @@
-DNS forwarder
-=============
-
-A Gluon node can be configured to act as a DNS forwarder. Requests for the
-next-node hostname(s) can be answered locally, without querying the upstream
-resolver.
-
-**Note:** While this reduces answer time and allows to use the next-node
-hostname without upstream connectivity, this feature should not be used for
-next-node hostnames that are FQDN when the zone uses DNSSEC.
-
-One or more upstream resolvers can be configured in the *dns.servers* setting.
-When *next_node.name* is set, A and/or AAAA records for the next-node IP
-addresses are placed in the dnsmasq configuration.
-
-::
-
-  dns = {
-    servers = { '2001:db8::1', },
-  },
-
-  next_node = {
-    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
-    ip6 = '2001:db8:8::1',
-    ip4 = '198.51.100.1',
-  }

docs/features/monitoring.rst

@@ -47,7 +47,7 @@ installed. Please note that at least one alfred daemon is required to run as
 
 .. _alfred-json: https://github.com/ffnord/alfred-json
 
-The following datatypes are used:
+The following data types are used:
 
 * `nodeinfo`: 158
 * `statistics`: 159

docs/features/multidomain.rst

@@ -21,18 +21,18 @@ Overview
 Multidomain support allows to build a single firmware with multiple,
 switchable domain configurations. The nomenclature is as follows:
 
--  ``site``: an aggregate over multiple domains
+- ``site``: an aggregate over multiple domains
--  ``domain``: mesh network with connectivity parameters that prevent
+- ``domain``: mesh network with connectivity parameters that prevent
-   accidental bridging with other domains
+  accidental bridging with other domains
--  ``domain code``: unique domain identifier
+- ``domain code``: unique domain identifier
--  ``domain name``: pretty name for a domain code
+- ``domain name``: pretty name for a domain code
 
 By default Gluon builds firmware with a single domain embedded into
 ``site.conf``. To use multiple domains, enable it in ``site.mk``:
 
 ::
 
-    GLUON_MULTIDOMAIN=1
+  GLUON_MULTIDOMAIN=1
 
 In the site repository, create the ``domains/`` directory, which will
 hold your domain configurations. Each domain configuration file is named
@@ -41,26 +41,26 @@ supported.
 
 ::
 
-    site/
+  site/
-    |-- site.conf
+  |-- site.conf
-    |-- site.mk
+  |-- site.mk
-    |-- i18n/
+  |-- i18n/
-    |-- domains/
+  |-- domains/
-      |-- alpha_centauri.conf
+    |-- alpha_centauri.conf
-      |-- beta_centauri.conf
+    |-- beta_centauri.conf
-      |-- gamma_centauri.conf
+    |-- gamma_centauri.conf
 
 The domain configuration ``alpha_centauri.conf`` could look like this.
 
 ::
 
-    {
+  {
-      domain_names = {
+    domain_names = {
-        alpha_centauri = 'Alpha Centauri'
+      alpha_centauri = 'Alpha Centauri'
-      },
+    },
 
-      -- more domain specific config follows below
+    -- more domain specific config follows below
-    }
+  }
 
 In this example “Alpha Centauri” is the user-visible ``domain_name`` for the
 domain_code ``alpha_centauri``. Also note that the domain code
@@ -88,18 +88,25 @@ domain of a router, if and only if one of the above conditions matches.
 Switching the domain
 --------------------
 
-**via commandline**:
+Via commandline
+^^^^^^^^^^^^^^^
 
 ::
 
-    uci set gluon.core.domain="newdomaincode"
+  gluon-switch-domain 'newdomaincode'
-    gluon-reconfigure
-    reboot
 
-**via config mode:**
+When the node is not in config mode, ``gluon-switch-domain`` will automatically
+reboot the node by default. This can be suppressed by passing ``--no-reboot``::
 
-To allow switching the domain via config mode, ``config-mode-domain-select``
+  gluon-switch-domain --no-reboot 'newdomaincode'
-has to be added to GLUON_FEATURES in the site.mk.
+
+Switching the domain without reboot is currently **experimental**.
+
+Via config mode
+^^^^^^^^^^^^^^^
+
+To allow switching the domain via config mode, add ``config-mode-domain-select``
+to GLUON_FEATURES in site.mk.
 
 |image0|
 
@@ -116,117 +123,113 @@ site or domain context.
 site.conf only variables
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
--  Used in as initial default values, when the firmware was just flashed
+- Used in as initial default values, when the firmware was just flashed
-   and/or the config mode is skipped, so they do not make sense in a
+  and/or the config mode is skipped, so they do not make sense in a
-   domain specific way:
+  domain specific way:
 
-   -  authorized_keys
+  - authorized_keys
-   -  default_domain
+  - default_domain
-   -  poe_passthrough
+  - poe_passthrough
-   -  mesh_on_wan
+  - interfaces.*.default_roles
-   -  mesh_on_lan
+  - setup_mode.skip
-   -  single_as_lan
+  - autoupdater.branch
-   -  setup_mode.skip
+  - mesh_vpn.enabled
-   -  autoupdater.branch
+  - mesh_vpn.pubkey_privacy
-   -  mesh_vpn.enabled
+  - mesh_vpn.bandwidth_limit
-   -  mesh_vpn.pubkey_privacy
+  - mesh_vpn.bandwidth_limit.enabled
-   -  mesh_vpn.bandwidth_limit
+  - mesh_vpn.bandwidth_limit.ingress
-   -  mesh_vpn.bandwidth_limit.enabled
+  - mesh_vpn.bandwidth_limit.egress
-   -  mesh_vpn.bandwidth_limit.ingress
-   -  mesh_vpn.bandwidth_limit.egress
 
--  Variables that influence the appearance of the config mode,
+- Variables that influence the appearance of the config mode,
-   domain-independent because they are relevant before a domain was selected.
+  domain-independent because they are relevant before a domain was selected.
 
-   -  config_mode.geo_location.show_altitude
+  - config_mode.geo_location.show_altitude
-   -  config_mode.hostname.optional
+  - config_mode.hostname.optional
-   -  config_mode.remote_login
+  - config_mode.remote_login
-   -  config_mode.remote_login.show_password_form
+  - config_mode.remote_login.show_password_form
-   -  config_mode.remote_login.min_password_length
+  - config_mode.remote_login.min_password_length
-   -  hostname_prefix
+  - hostname_prefix
-   -  mesh_vpn.fastd.configurable
+  - mesh_vpn.fastd.configurable
-   -  roles.default
+  - roles.default
-   -  roles.list
+  - roles.list
 
--  Specific to a firmware build itself:
+- Specific to a firmware build itself:
 
-   -  site_code
+  - site_code
-   -  site_name
+  - site_name
-   -  autoupdater.branches.*.name
+  - autoupdater.branches.*.name
-   -  autoupdater.branches.*.good_signatures
+  - autoupdater.branches.*.good_signatures
-   -  autoupdater.branches.*.pubkeys
+  - autoupdater.branches.*.pubkeys
 
--  We simply do not see any reason, why these variables could be helpful
+- We simply do not see any reason, why these variables could be helpful
-   in a domain specific way:
+  in a domain specific way:
 
-   -  mesh_vpn.fastd.syslog_level
+  - mesh_vpn.fastd.syslog_level
-   -  timezone
+  - timezone
-   -  regdom
+  - regdom
 
 domain.conf only variables
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
--  Obviously:
+- Obviously:
 
-   -  domain_names
+  - domain_names
 
-      -  a table of domain codes to domain names
+    - a table of domain codes to domain names
-         ``domain_names = { foo = 'Foo Domain', bar = 'Bar Domain', baz = 'Baz Domain' }``
+      ``domain_names = { foo = 'Foo Domain', bar = 'Bar Domain', baz = 'Baz Domain' }``
 
-   -  hide_domain
+  - hide_domain
 
-      -  prevents a domain name(s) from appearing in config mode, either
+    - prevents a domain name(s) from appearing in config mode, either
-         boolean or array of domain codes
+      boolean or array of domain codes
 
-         -  ``true``, ``false``
+      - ``true``, ``false``
-         -  ``{ 'foo', 'bar' }``
+      - ``{ 'foo', 'bar' }``
 
--  Because each domain is considered as an own layer 2 network, these
+- Because each domain is considered a separate layer 2 network, these
-   values should be different in each domain:
+  values should be different in each domain:
 
-   -  next_node.ip4
+  - next_node.ip4
-   -  next_node.ip6
+  - next_node.ip6
-   -  next_node.name
+  - next_node.name
-   -  prefix6
+  - prefix6
-   -  prefix4
+  - prefix4
-   -  extra_prefixes6
+  - extra_prefixes6
 
--  To prevent accidental bridging of different domains, all meshing
+- To prevent accidental bridging of different domains, all meshing
-   technologies should be separated:
+  technologies should be separated:
 
-   -  domain_seed (wired mesh)
+  - domain_seed (wired mesh)
 
-      -  must be a random value used to derive the vxlan id for wired meshing
+    - must be a random value used to derive the vxlan id for wired meshing
 
-   -  wifi*.ibss.ssid
+  - wifi*.mesh.id
-   -  wifi*.ibss.bssid
+  - mesh_vpn.fastd.groups.*.peers.remotes
-   -  wifi*.mesh.id
+  - mesh_vpn.fastd.groups.*.peers.key
-   -  mesh_vpn.fastd.groups.*.peers.remotes
+  - mesh_vpn.tunneldigger.brokers
-   -  mesh_vpn.fastd.groups.*.peers.key
-   -  mesh_vpn.tunneldigger.brokers
 
--  Clients consider WiFi networks sharing the same ESSID as if they were
+- Clients consider WiFi networks sharing the same ESSID as if they were
-   the same L2 network and try to reconfirm and reuse previous
+  the same L2 network and try to reconfirm and reuse previous
-   addressing. If multiple neighbouring domains shared the same ESSID,
+  addressing. If multiple neighbouring domains shared the same ESSID,
-   the roaming experience of clients would degrade.
+  the roaming experience of clients would degrade.
 
-   -  wifi*.ap.ssid
+  - wifi*.ap.ssid
 
--  Some values should be only set in legacy domains and not in new domains.
+- Some values should be only set in legacy domains and not in new domains.
 
-   -  mesh.vxlan
+  - mesh.vxlan
 
-      -  By default, this value is `true`. It should be only set to `false`
+    - By default, this value is `true`. It should be only set to `false`
-         for one legacy domain, since vxlan prevents accidental wired
+      for one legacy domain, since vxlan prevents accidental wired
-         merges of domains. For old domains this value is still available
+      merges of domains. For old domains this value is still available
-         to keep compatibility between all nodes in one domain.
+      to keep compatibility between all nodes in one domain.
 
-   -  next_node.mac
+  - next_node.mac
 
-      -  For new domains, the default value should be used, since there is
+    - For new domains, the default value should be used, since there is
-         no need for a special mac (or domain specific mac). For old domains
+      no need for a special mac (or domain specific mac). For old domains
-         this value is still available to keep compatibility between all
+      this value is still available to keep compatibility between all
-         nodes in one domain.
+      nodes in one domain.
 
 Example config
 --------------

docs/features/private-wlan.rst

@@ -1,8 +1,16 @@
 Private WLAN
 ============
 
-It is possible to set up a private WLAN that bridges the WAN port and is separated from the mesh network.
+It is possible to set up a private WLAN that bridges the uplink port and is separated from the mesh network.
-Please note that you should not enable ``mesh_on_wan`` simultaneously.
+Please note that you should not enable Wired Mesh on the uplink port at the same time.
+
+The private WLAN is encrypted using WPA2 by default. On devices with enough flash and a supported radio,
+WPA3 or WPA2/WPA3 mixed-mode can be used instead of WPA2. For this to work, the ``wireless-encryption-wpa3``
+feature has to be added to ``GLUON_FEATURES``.
+
+It is recommended to enable IEEE 802.11w management frame protection for WPA2/WPA3 networks, however this
+can lead to connectivity problems for older clients. In this case, management frame protection can be
+made optional or completely disabled in the advanced settings tab.
 
 The private WLAN can be enabled through the config mode if the package ``gluon-web-private-wifi`` is installed.
 You may also enable a private WLAN using the command line::

docs/features/roles.rst

@@ -2,8 +2,8 @@ Roles
 =====
 
 It is possible to define a set of roles you want to distinguish at backend side. One node can own one
-role which it will announce via alfred inside the mesh. This will make it easier to differentiate
+role which it will announce via respondd/announced inside the mesh. This will make it easier to differentiate
-nodes when parsing alfred data. E.g to count only **normal** nodes and not the gateways
+nodes when parsing respondd data. E.g to count only **normal** nodes and not the gateways
 or servers (nodemap). A lot of things are possible.
 
 For this the section ``roles`` in ``site.conf`` is needed::
@@ -28,7 +28,7 @@ If you want node owners to change the defined roles via config-mode you can add
 
 The role is saved in ``gluon-node-info.system.role``. To change the role using command line do::
 
-  uci set gluon-node-info.system.role="$ROLE"
+  uci set gluon-node-info.@system[0].role="$ROLE"
   uci commit
 
 Please replace ``$ROLE`` by the role you want the node to own.

docs/features/vpn.rst

@@ -1,57 +1,212 @@
-Mesh-VPN
+Mesh VPN
 ========
 
-Gluon integrates several OSI-Layer 2 tunneling protocols to
+Gluon integrates several layer 2 tunneling protocols to
-enable interconnects between local meshes and provide
+allow connections between local meshes through the internet.
-internetwork access. Available protocols currently are:
 
-- fastd
+Protocol handlers
-- L2TPv3 (via tunneldigger)
+^^^^^^^^^^^^^^^^^
 
-fastd is a lightweight userspace tunneling daemon, that
+There are currently three protocol handlers which can be selected
+via ``GLUON_FEATURES`` in ``site.mk``:
+
+mesh-vpn-fastd
+""""""""""""""
+
+fastd is a lightweight userspace tunneling daemon that
 implements cipher suites that are specifically designed
 to work well on embedded devices. It offers encryption
-and authentication. Its primary drawback are the necessary
+and authentication.
-context-switches when forwarding packets.
+The primary drawback of fastd's encrypted connection modes
+is the necessary context switches when forwarding packets.
+A kernel-supported L2TPv3 offloading option is available to
+work around the context-switching bottleneck, but it comes
+at the cost of losing the ability to protect tunnel connections
+against eavesdropping or manipulation.
 
-L2TPv3 is an in-kernel tunneling protocol that performs well,
+mesh-vpn-tunneldigger
-but offers no security properties by itself.
+"""""""""""""""""""""
-The brokering of the tunnel happens through tunneldigger,
+
-its primary drawback being the lack of IPv6 support.
+Tunneldigger always uses L2TPv3, generally achieving the same
+performance as fastd with the ``null@l2tp`` method, but offering
+no security.
+Tunneldigger's primary drawback is the lack of IPv6 support.
+It also provides less configurability than fastd.
+
+mesh-vpn-wireguard
+""""""""""""""""""
+
+WireGuard is an encrypted in-kernel tunneling protocol that
+provides encrypted transmission and at the same time offers
+high throughput.
 
 fastd
------
+^^^^^
 
-Configurable Cipher
+.. _VPN fastd methods:
-^^^^^^^^^^^^^^^^^^^
+
+Methods
+"""""""
+
+fastd offers various different connection "methods" with different
+security properties that can be configured in the site configuration.
+
+The following methods are currently recommended:
+
+- ``salsa2012+umac``: Encrypted + authenticated
+- ``null+salsa2012+umac``: Unencrypted, authenticated
+- ``null@l2tp``: Unencrypted, unauthenticated
+
+Multiple methods can be listed in ``site.conf``. The first listed method
+supported by both the node and its peer will be used.
+
+The use of the ``null@l2tp`` method with offloading enabled can provide a
+considerable performance gain, especially on weaker embedded hardware.
+For L2TP offloading, the ``mesh-vpn-fastd-l2tp`` feature needs to be enabled in
+``site.mk``.
 
 
-From the site configuration fastd can be allowed to offer
+.. _vpn-gateway-configuration:
+
+Gateway / Supernode Configuration
+"""""""""""""""""""""""""""""""""
+
+When only using the ``null`` or ``null@l2tp`` methods without offloading,
+simply add these methods to the front of the method list. ``null@l2tp``
+should always appear before ``null`` in the configuration when both are enabled.
+fastd v22 or newer is needed for the ``null@l2tp`` method.
+
+It is often not necessary to enable L2TP offloading on supernodes for
+performance reasons. Nodes using offloading can communicate with supernodes that
+don't use offloading as long as both use the ``null@l2tp`` method.
+
+
+.. _vpn-gateway-configuration-offloading:
+
+Offloading on Gateways / Supernodes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To enable L2TP offloading on the supornodes, it is recommended to study the
+fastd documentation section pertaining to the `offload configuration option
+<https://fastd.readthedocs.io/en/stable/manual/config.html#option-offload>`_.
+
+However, the important changes to the fastd config on your Supernode are:
+
+    - | Set ``mode multitap;``
+      | Every peer gets their own interface.
+
+    - | Replace ``interface "foo":`` with ``interface "peer-%k";``
+      | ``%k`` is substituted for a portion of the peers public key.
+
+    - | Set ``offload l2tp yes;``
+      | This tells fastd to use the l2tp kernel module.
+
+    - | Set ``persist interface no;``
+      | This tells fastd to only keep interfaces around while the connection is active.
+
+Note that in ``multitap`` mode, which is required when using L2TP offloading,
+fastd will create one interface per peer on the supernode's. This allows
+offloading the L2TP forwarding into the kernel space. But this also means added
+complexity with regards to handling those interfaces.
+
+There are two main options on how you can handle this:
+
+    -  create ``on up`` and ``on down`` hooks
+
+        - to handle interface setup and destruction
+        - preferably using the async keyword, so hooks are not blocking fastd
+
+    - use a daemon like systemd-networkd
+
+Examples for both options can be found in the
+`Wiki <https://github.com/freifunk-gluon/gluon/wiki/fastd-l2tp-offloading-on-supernodes>`_.
+
+Configurable Method
+"""""""""""""""""""
+
+From the site configuration, fastd can be allowed to offer
 toggleable encryption in the config mode with the intent to
-increase throughput, although in practice the gain is minimal.
+increase throughput.
 
-**Site configuration:**
+There is also an older unprotected method ``null``. Use of the newer
+``null@l2tp`` method is generally recommended over ``null``, as the
+performance gains provided by the latter (compared to the encrypted
+and authenticated methods) are very small.
 
-1) Add the feature ``web-mesh-vpn-fastd`` in ``site.mk``
+Site configuration
-2) Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf``
+~~~~~~~~~~~~~~~~~~
-3) Optionally add ``null`` to the ``mesh_vpn.fastd.methods`` table if you want "Performance mode" as default (not recommended)
 
-**Gateway configuration:**
+1)
+  Add the feature ``web-mesh-vpn-fastd`` in ``site.mk``
+2)
+  Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf``
+3)
+  Optionally, add ``null@l2tp`` to the ``mesh_vpn.fastd.methods`` table if you want
+  "Performance mode" as default (not recommended)
 
-1) Prepend the ``null`` cipher in fastd's method list
+Config Mode
+~~~~~~~~~~~
 
-
-**Config Mode:**
 The resulting firmware will allow users to choose between secure (encrypted) and fast (unencrypted) transport.
 
 .. image:: fastd_mode.gif
 
-**Unix socket:**
+To confirm whether the correct cipher is being used, the log output
-To confirm whether the correct cipher is being used, fastds unix
+of fastd can be checked using ``logread``.
-socket can be interrogated, after installing for example `socat`.
 
-::
+WireGuard
+^^^^^^^^^
 
-       opkg update
+In order to support WireGuard in Gluon, a few technologies are glued together.
-       opkg install socat
+
-       socat - UNIX-CONNECT:/var/run/fastd.mesh_vpn.socket
+**VXLAN:** As Gluon typically relies on batman-adv, the Mesh VPN has to provide
+OSI Layer 2 transport. But WireGuard is an OSI Layer 3 tunneling protocol, so
+additional technology is necessary here. For this, we use VXLAN. In short, VXLAN
+is a well-known technology to encapsulate ethernet packages into IP packages.
+You can think of it as kind of similar to VLAN, but on a different layer. Here,
+we use VXLAN to transport batman-adv traffic over WireGuard.
+
+**wgpeerselector**: To connect all gluon nodes to each other, it is common to
+create a topology where each gluon node is connected to one of the available
+gateways via Mesh VPN respectively. To achieve this, the gluon node should be
+able to select a random gateway to connect to. But such "random selection of a
+peer" is not implemented in WireGuard by default. WireGuard only knows static
+peers. Therefore the *wgpeerselector* has been developed. It randomly selects a
+gateway, tries to establish a connection, and if it fails, tries to connect
+to the next gateway. This approach has several advantages, such as load
+balancing VPN connection attempts and avoiding problems with offline gateways.
+More information about the wgpeerselector and its algorithm can be found
+`here <https://github.com/freifunk-gluon/packages/blob/master/net/wgpeerselector/README.md>`__.
+
+On the gluon node both VXLAN and the wgpeerselector are well integrated and no
+explicit configuration of those tools is necessary, once the general WireGuard
+support has been configured.
+
+Attention must by paid to time synchronization. As WireGuard
+performs checks on timestamps in order to avoid replay attacks, time must
+be synchronized before the Mesh VPN connection is established. This means that
+the NTP servers specified in your site.conf must be publicly available (and not
+only through the mesh). Be aware that if you fail this, you may not directly see
+negative effects. Only when a previously connected node reboots the effect
+comes into play, as the gateway still knows about the old timestamp of the gluon
+node.
+
+gluon-mesh-vpn-key-translate
+""""""""""""""""""""""""""""
+
+Many communities already possess a collection of active fastd-keys when they
+plan migrating their community to WireGuard.
+These public keys known on the server-side can be derived into their WireGuard
+equivalent using `gluon-mesh-vpn-key-translate <https://github.com/AiyionPrime/gluon-mesh-vpn-key-translate>`__.
+The routers do the necessary reencoding of the private key seamlessly
+when updating firmware from fastd to the WireGuard variant.
+
+Gateway / Supernode Configuration
+"""""""""""""""""""""""""""""""""
+
+On the gateway side, a software called *wireguard-vxlan-glue* is necessary. It
+is a small daemon that dynamically adds and removes forwarding rules for VXLAN
+interfaces, so traffic is sent correctly into the WireGuard interface. Thereby
+the forwarding rules are only installed if a client is connected, so
+unnecessary traffic in the kernel is avoided. The source can be found
+`here <https://github.com/freifunkh/wireguard-vxlan-glue/>`__.

docs/features/wired-mesh.rst

@@ -50,38 +50,84 @@ Configuration
 Both Mesh-on-WAN and Mesh-on-LAN can be configured on the "Network" page
 of the *Advanced settings* (if the package ``gluon-web-network`` is installed).
 
-It is also possible to enable Mesh-on-WAN and Mesh-on-LAN by default by
+It is also possible to enable Mesh-on-WAN and Mesh-on-LAN by default by adding
-adding ``mesh_on_wan = true`` and ``mesh_on_lan = true`` to ``site.conf``.
+the ``mesh`` role to the ``interfaces.*.default_roles`` options in your
+:ref:`site.conf<user-site-interfaces>`.
+
+
+.. _wired-mesh-commandline:
 
 Commandline
 ===========
 
+Starting with release 2022.1, the wired network configuration is rebuilt from ``/etc/config/gluon``
+upon each ``gluon-reconfigure``.
+Therefore the network configuration is overwritten at least with every firmware upgrade.
+
+Every interface has a list of roles assigned to it which can be ``client``, ``mesh`` or ``uplink``.
+
+When the client role is assigned to an interface in combination with other roles
+(like 'client', 'mesh' in the Mesh-on-LAN example below), the other roles take
+precedence, enabling mesh but not client in the previous example.
+
+The setup/config-mode interface is every interface with the role ``client`` which makes removing
+it from interfaces not only unnecessary, but generally unrecommended.
+
+In order to make persistent changes to the router's configuration it's necessary to:
+
+* change the sections in ``/etc/config/gluon`` e.g. using uci (see examples below)
+* call ``gluon-reconfigure`` to re-generate ``/etc/config/network``
+* apply the networking changes, either through executing ``service network restart`` or by performing a ``reboot``
+
 Enable Mesh-on-WAN::
 
-  uci set network.mesh_wan.disabled=0
+  uci add_list gluon.iface_wan.role='mesh'
-  uci commit network
+  uci commit gluon
 
 Disable Mesh-on-WAN::
 
-  uci set network.mesh_wan.disabled=1
+  uci del_list gluon.iface_wan.role='mesh'
-  uci commit network
+  uci commit gluon
 
 Enable Mesh-on-LAN::
 
-  uci set network.mesh_lan.disabled=0
+  uci add_list gluon.iface_lan.role='mesh'
-  for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
+  uci commit gluon
-    uci del_list network.client.ifname=$ifname
-  done
-  uci commit network
 
 Disable Mesh-on-LAN::
 
-  uci set network.mesh_lan.disabled=1
+  uci del_list gluon.iface_lan.role='mesh'
-  for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
+  uci commit gluon
-    uci add_list network.client.ifname=$ifname
-  done
-  uci commit network
 
-Please note that this configuration has changed in Gluon 2016.1. Using
+For devices with a single interface, instead of `iface_lan` and `iface_wan` configuration is
-the old commands on 2016.1 and later will break the corresponding options
+done with `iface_single`.
+
+Enable Mesh-on-Single::
+
+  uci add_list gluon.iface_single.role='mesh'
+  uci commit gluon
+
+Disable Mesh-on-Single::
+
+  uci del_list gluon.iface_single.role='mesh'
+  uci commit gluon
+
+Furthermore it is possible to make use of 802.1Q VLAN.
+The following statements would create a VLAN with id 8 on ``eth0`` and join the mesh network with it::
+
+  uci set gluon.iface_lan_vlan8=interface
+  uci set gluon.iface_lan_vlan8.name='eth0.8'
+  uci add_list gluon.iface_lan_vlan8.role='mesh'
+  uci commit gluon
+
+Other VLAN-interfaces could be configured on the same parent interface in order to have
+all three roles available on ``eth0`` without having them interfere with each other.
+This feature comes in especially handy for the persistent configuration of virtual machines
+as offloader for bigger installations.
+
+A ``reboot`` is not sufficient to apply an altered configuration; calling ``gluon-reconfigure`` before is
+mandatory in order for changes to take effect.
+
+Please note that this configuration has changed in Gluon 2022.1. Using
+the old commands on 2022.1 and later will break the corresponding options
 in the *Advanced settings*.

docs/features/wlan-configuration.rst

@@ -2,10 +2,9 @@ WLAN configuration
 ==================
 
 Gluon allows to configure 2.4GHz and 5GHz radios independently. The configuration
-may include any or all of the three networks "client" (AP mode), "mesh" (802.11s
+may include one or both of the two networks "client" (AP mode) and "mesh" (802.11s
-mode) and "ibss" (adhoc mode), which can be used simultaneously (using "mesh" and
+mode), which can be used simultaneously. See :doc:`../user/site` for details on the
-"ibss" at same time should be avoided though as weaker hardware usually can't handle the additional
+configuration.
-load). See :doc:`../user/site` for details on the configuration.
 
 Upgrade behaviour
 -----------------
@@ -16,19 +15,12 @@ on upgrades the existing setting is always retained (as this setting may have be
 by the user). This means that it is not possible to enable or disable an existing network
 configurations during upgrades.
 
-For the "mesh" and "ibss" networks, the default setting only has an effect if none
-of the two has existed before. If a new configuration has been added for "mesh" or "ibss",
-while the other of the two has already existed before, the enabled/disabled state of the
-existing configuration will also be set for the new configuration.
-
-This allows upgrades to change from IBSS to 11s and vice-versa while retaining the
-"wireless meshing is enabled/disabled" property configured by the user regardless
-of the used mode.
-
 During upgrades the wifi channel of the 2.4GHz and 5GHz radio will be restored to the channel
-configured in the site.conf. If you need to preserve a user defined wifi channel during upgrades
+configured in the site.conf. The channel width will be reset to Gluon's default. If you need to preserve
-you can configure this via the uci section ``gluon-core.wireless``::
+these settings during upgrades you can configure this via the uci section ``gluon-core.wireless``::
 
-  uci set gluon-core.@wireless[0].preserve_channels='1'
+  uci set gluon.wireless.preserve_channels='1'
 
+When channels should be preserved, toggling the outdoor mode will have no effect on the channel settings.
+Therefore, the Outdoor mode settings won't be displayed in config mode.
 Keep in mind that nodes running wifi interfaces on custom channels can't mesh with default nodes anymore!

docs/index.rst

@@ -6,114 +6,80 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
 
 
 .. toctree::
-   :caption: User Documentation
+  :caption: User Documentation
-   :maxdepth: 2
+  :maxdepth: 2
 
-   user/getting_started
+  user/getting_started
-   user/site
+  user/site
-   user/supported_devices
+  user/supported_devices
-   user/x86
+  user/x86
-   user/faq
+  user/faq
+  user/mtu
 
 .. toctree::
-   :caption: Features
+  :caption: Features
-   :maxdepth: 2
+  :maxdepth: 2
 
-   features/configmode
+  features/configmode
-   features/autoupdater
+  features/autoupdater
-   features/wlan-configuration
+  features/wlan-configuration
-   features/private-wlan
+  features/private-wlan
-   features/wired-mesh
+  features/wired-mesh
-   features/dns-forwarder
+  features/dns-cache
-   features/monitoring
+  features/monitoring
-   features/multidomain
+  features/multidomain
-   features/authorized-keys
+  features/authorized-keys
-   features/roles
+  features/roles
-   features/vpn
+  features/vpn
 
 .. toctree::
-   :caption: Developer Documentation
+  :caption: Developer Documentation
-   :maxdepth: 2
+  :maxdepth: 2
 
-   dev/basics
+  dev/basics
-   dev/hardware
+  dev/hardware
-   dev/packages
+  dev/packages
-   dev/upgrade
+  dev/upgrade
-   dev/wan
+  dev/uplink
-   dev/mac_addresses
+  dev/mac_addresses
-   dev/site_library
+  dev/site_library
+  dev/build
+  dev/debugging
 
 .. toctree::
-   :caption: gluon-web Reference
+  :caption: gluon-web Reference
-   :maxdepth: 1
+  :maxdepth: 1
 
-   dev/web/controller
+  dev/web/controller
-   dev/web/model
+  dev/web/model
-   dev/web/view
+  dev/web/view
-   dev/web/i18n
+  dev/web/i18n
-   dev/web/config-mode
+  dev/web/config-mode
 
 .. toctree::
-   :caption: Packages
+  :caption: Packages
-   :maxdepth: 1
+  :maxdepth: 1
 
-   package/gluon-client-bridge
+  package/gluon-client-bridge
-   package/gluon-config-mode-domain-select
+  package/gluon-config-mode-domain-select
-   package/gluon-ebtables-filter-multicast
+  package/gluon-ebtables-filter-multicast
-   package/gluon-ebtables-filter-ra-dhcp
+  package/gluon-ebtables-filter-ra-dhcp
-   package/gluon-ebtables-limit-arp
+  package/gluon-ebtables-limit-arp
-   package/gluon-ebtables-source-filter
+  package/gluon-ebtables-source-filter
-   package/gluon-hoodselector
+  package/gluon-hoodselector
-   package/gluon-mesh-batman-adv
+  package/gluon-logging
-   package/gluon-radv-filterd
+  package/gluon-mesh-batman-adv
-   package/gluon-scheduled-domain-switch
+  package/gluon-mesh-wireless-sae
-   package/gluon-web-admin
+  package/gluon-radv-filterd
-   package/gluon-web-logging
+  package/gluon-scheduled-domain-switch
+  package/gluon-web-admin
+  package/gluon-web-logging
 
 .. toctree::
-   :caption: Releases
+  :caption: Releases
-   :maxdepth: 1
+  :maxdepth: 1
 
-   releases/v2019.1
+  releases/index
-   releases/v2018.2.3
-   releases/v2018.2.2
-   releases/v2018.2.1
-   releases/v2018.2
-   releases/v2018.1.4
-   releases/v2018.1.3
-   releases/v2018.1.2
-   releases/v2018.1.1
-   releases/v2018.1
-   releases/v2017.1.8
-   releases/v2017.1.7
-   releases/v2017.1.6
-   releases/v2017.1.5
-   releases/v2017.1.4
-   releases/v2017.1.3
-   releases/v2017.1.2
-   releases/v2017.1.1
-   releases/v2017.1
-   releases/v2016.2.7
-   releases/v2016.2.6
-   releases/v2016.2.5
-   releases/v2016.2.4
-   releases/v2016.2.3
-   releases/v2016.2.2
-   releases/v2016.2.1
-   releases/v2016.2
-   releases/v2016.1.6
-   releases/v2016.1.5
-   releases/v2016.1.4
-   releases/v2016.1.3
-   releases/v2016.1.2
-   releases/v2016.1.1
-   releases/v2016.1
-   releases/v2015.1.2
-   releases/v2015.1.1
-   releases/v2015.1
-   releases/v2014.4
-   releases/v2014.3.1
-   releases/v2014.3
 
 License
 -------

docs/multidomain-site-example/site.conf

@@ -20,10 +20,10 @@
   },
 
   mesh_vpn = {
-    mtu = 1312,
 
     fastd = {
       methods = {'salsa2012+umac'},
+      mtu = 1312,
     },
 
     bandwidth_limit = {

docs/multidomain-site-example/site.mk

@@ -29,7 +29,7 @@ GLUON_MULTIDOMAIN=1
 #		chosen feature flags
 
 
-GLUON_SITE_PACKAGES := haveged iwinfo
+GLUON_SITE_PACKAGES := iwinfo
 
 ##	DEFAULT_GLUON_RELEASE
 #		version string to use for images
@@ -58,6 +58,3 @@ GLUON_REGION ?= eu
 
 # Languages to include
 GLUON_LANGS ?= en de
-
-# Do not build images for deprecated devices
-GLUON_DEPRECATED ?= 0

docs/package/gluon-ebtables-limit-arp.rst

@@ -21,8 +21,8 @@ However it mitigates the impact on the mesh when a larger range of
 its IPv4 subnet is being scanned, which would otherwise result in
 a significant amount of ARP chatter, even for unused IP addresses.
 
-This package is selected by default if the installed routing
+This package is installed by default if the selected routing
-package is gluon-mesh-batman-adv-14 or gluon-mesh-batman-adv-15.
+feature is *mesh-batman-adv-15*.
 It can be unselected via::
 
     GLUON_SITE_PACKAGES := \

docs/package/gluon-hoodselector.rst

@@ -36,7 +36,7 @@ example of a regional domain:
 Behaviour
 ------------------
 
-The following is an abstract state diagramm which gives an overview
+The following is an abstract state diagram which gives an overview
 of the process:
 
 .. image:: ./gluon-hoodselector.svg
@@ -61,12 +61,12 @@ It provides a fallback to the default domain.
 Domain shapes
 -------------
 
-There are two types of domains: the unique dehault one without a defined shape
+There are two types of domains: the unique default one without a defined shape
 and others which contain shapes.
 
 * **default domain**
 
-The default domain doesn’t hold any shapes and represents the inverted area of
+The default domain doesn't hold any shapes and represents the inverted area of
 all other shapes held by other domains with geo coordinates. It will only be
 entered if a node could not be matched to a geo domain. A suggested approach is
 to define the "old" network as default domain and gradually migrate nodes from

docs/package/gluon-logging.rst

@@ -0,0 +1,37 @@
+gluon-logging
+=============
+
+The *gluon-logging* package allows to configure a remote syslog server that
+will receive the systems log output that is also visible when calling ``logread``
+from a terminal.
+
+It supports both IPv4 and IPv6 endpoints over UDP and TCP.
+
+Note: The syslog mechanism is incapable of providing a complete log as network
+access is required to send out log messages and ``logd`` does not buffer and resend
+older log messages even though they might be available in ``logread``.
+
+This package conflicts with ``gluon-web-logging`` as it will overwrite the
+user-given syslog server on every upgrade.
+
+site.conf
+---------
+
+syslog.ip : required
+    - Destination address of the remote syslog server
+
+syslog.port : optional
+    - Destination port of the remote syslog server
+    - Defaults to 514
+
+syslog.proto : optional
+    - Protocol to transport syslog frames in, can be either ``tcp`` or ``udp``
+    - Defaults to UDP
+
+Example::
+
+  syslog = {
+    ip = "2001:db8::1",
+    port = 514,
+    proto = "udp",
+  },

docs/package/gluon-mesh-batman-adv.rst

@@ -2,7 +2,7 @@ gluon-mesh-batman-adv
 =====================
 
 .. image:: gluon-mesh-batman-adv-logo.svg
-   :width: 300 px
+  :width: 300 px
 
 B.A.T.M.A.N. Advanced (often referenced as batman-adv) is an implementation of
 the B.A.T.M.A.N. routing protocol in form of a linux kernel module operating on layer 2.
@@ -20,49 +20,11 @@ B.A.T.M.A.N. Advanced project homepage:
 
 * https://www.open-mesh.org/projects/batman-adv/wiki/Wiki
 
-Flavours
---------
-
-Gluon currently supports two main build flavours of batman-adv:
-
-gluon-mesh-batman-adv-15
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-This is the recommended batman-adv flavour to use.
-
-It follows recent, upstream batman-adv releases and is flexible to new feature additions.
-
-gluon-mesh-batman-adv-14 (`batman-adv-legacy`)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-`gluon-mesh-batman-adv-14`, also known as `batman-adv-legacy` or batman-adv v2013.4
-is the last batman-adv release with the batman-adv compatibility version 14, which
-was released in October 2013.
-
-With batman-adv v2014.0.0 a compat breakage became necessary for the introduction
-of new features. However, one of these features was the addition of TVLV support
-(type-version-length-value fields) which from then on allowed adding features
-without breaking packet format compatibility. This made it possible to stay with
-compatibility version 15 so far.
-
-For new installations `gluon-mesh-batman-adv-14` is **not recommended**. It misses
-a lot of bugfixes and is currently only available for existing communities
-until they have migrated. This package will soon be deprecated and removed.
-
-Also see:
-
-* https://www.open-mesh.org/projects/batman-adv/wiki/Compatversion
-* https://www.open-mesh.org/news/56
-* https://github.com/freifunk-gluon/batman-adv-legacy/
-
-
 B.A.T.M.A.N. Routing Algorithms
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-For the `gluon-mesh-batman-adv-15` package two routing algorithms are selectable
+Two routing algorithms are selectable via
-via :ref:`site.conf mesh section <user-site-mesh>`: BATMAN_IV and BATMAN_V.
+:ref:`site.conf mesh section <user-site-mesh>`: BATMAN_IV and BATMAN_V.
-
-For the `gluon-mesh-batman-adv-14` package, BATMAN_IV_LEGACY needs to be selected.
 
 BATMAN_IV - stable
 """"""""""""""""""
@@ -85,21 +47,21 @@ Multicast Architecture
 ----------------------
 
 .. image:: gluon-mesh-batman-adv-multicast.svg
-   :width: 300 px
+  :width: 300 px
 
 While generally broadcast capability is a nice feature of a layer 2
 mesh protocol, it quickly reaches its limit.
 
 For meshes with about **50 nodes / 100 clients, or more** it is therefore highly
 recommended to add the :doc:`gluon-ebtables-filter-multicast`
-package. Also, with gluon-mesh-batman-adv-15 or gluon-mesh-batman-adv-14
+package. Also, with the *mesh-batman-adv-15* feature,
-installed :doc:`gluon-ebtables-limit-arp` is selected by default.
+:doc:`gluon-ebtables-limit-arp` is selected by default.
 
 Furthermore, by default IGMP and MLD messages are filtered. See
 :ref:`site.conf mesh section <user-site-mesh>` and
 :ref:`igmp-mld-domain-segmentation` for details.
 
-To achieve some level of scalabilty for multicast, multicast group
+To achieve some level of scalability for multicast, multicast group
 awareness is implemented and utilized in the following ways:
 
 Node-Local Multicast Handling

docs/package/gluon-mesh-wireless-sae.rst

@@ -0,0 +1,49 @@
+gluon-mesh-wireless-sae
+=======================
+
+This package adds support for SAE on 802.11s mesh connections.
+
+Enabling this package will require all 802.11s mesh connections
+to be encrypted using the SAE key agreement scheme. The security
+of SAE relies upon the authentication through a shared secret.
+
+In the context of public mesh networks a shared secret is an
+obvious oxymoron. Still, this functionality may provide an improvement
+over unencrypted mesh connections in that it protects against a
+passive attacker who did not observe the key agreement. In addition
+Management Frame Protection (802.11w) gets automatically enabled on
+wireless mesh interfaces to prevent protocol-level deauthentication attacks.
+
+If `wifi.mesh.sae` is enabled, a shared secret will automatically be
+derived from the `prefix6` variable. This is as secure as it gets
+for a public mesh network.
+
+For *private* mesh networks `wifi.mesh.sae_passphrase` should be
+set to your shared secret.
+
+site.conf
+---------
+These settings apply to all 802.11s mesh interfaces on all radios.
+
+wifi.mesh.sae \: optional
+  - ``true`` enables SAE on 802.11s mesh connections
+  - ``false`` disables SAE on 802.11s mesh connections
+  - defaults to ``false``
+
+wifi.mesh.sae_passphrase \: optional
+  - sets a shared secret used to authenticate any two mesh nodes,
+    crucial for private mesh networks
+  - should not be set, if the shared secret is shared with untrusted
+    third parties, like in a publish mesh network
+  - defaults to an autogenerated value derived from ``prefix6``
+
+
+Example::
+
+  wifi = {
+    mesh = {
+      sae = true,
+      -- sae_passphrase = "<shared secret>",
+    },
+  },
+

docs/package/gluon-radv-filterd.rst

@@ -13,29 +13,32 @@ Selected router
 The router selection mechanism is independent from the batman-adv gateway mode.
 In contrast, the device originating the router advertisement could be any router
 or client connected to the mesh, as radv-filterd captures all router
-advertisements originating  from it. All nodes announcing router advertisement
+advertisements originating from it. All nodes announcing router advertisement
 **with** a default lifetime greater than 0 are being considered as candidates.
 
 In case a router is not a batman-adv originator itself, its TQ is defined by
 the originator it is connected to. This lookup uses the batman-adv global
 translation table.
 
-Initially the router is the selected by choosing the candidate with the
+Initially the router is selected by choosing the candidate with the strongest
-strongest TQ. When another candidate can provide a better TQ metric it is not
+TQ. When another candidate can provide a better TQ metric, that outperforms the
-picked up as the selected router until it will outperform the currently
+currently selected router by X metric units, it will be picked as the new
-selected router by X metric units. The hysteresis threshold is configurable
+selected router. The hysteresis threshold is configurable and prevents excessive
-and prevents excessive flapping of the gateway.
+flapping of the gateway.
 
-"Local" routers
+Local routers
----------------
+-------------
 
-The package has functionality to select "local" routers, i.e. those connected
+Local routers (i.e. local internet gateways connected to some nodes) that are
-via cable or WLAN instead of via the mesh (technically: appearing in the
+connected to the client interface via cable or WLAN instead of via the mesh
-``transtable_local``), a fake TQ of 512 so that they are always preferred.
+(technically: appearing in the transtable_local) are taken into account with a
-However, if used together with the :doc:`gluon-ebtables-filter-ra-dhcp`
+fake TQ of 512, so that they are always preferred.
-package, these router advertisements are filtered anyway and reach neither the
+
-node nor any other client. You currently have to disable the package or insert
+Be aware of problems if you plan to use local routers together with the
-custom ebtables rules in order to use local routers.
+:doc:`gluon-ebtables-filter-ra-dhcp` package. These router advertisements are
+filtered anyway and reach neither the node nor any other client. Therefore the
+use of local routers is not possible as long as the package
+``gluon-radv-filterd`` is used.
 
 respondd module
 ---------------

docs/package/gluon-scheduled-domain-switch.rst

@@ -3,7 +3,7 @@ gluon-scheduled-domain-switch
 
 This package allows to switch a routers domain at a given point
 in time. This is needed for switching between incompatible transport
-protocols (e.g. 802.11s and IBSS or VXLAN).
+protocols (e.g. wired meshing with and without VXLAN).
 
 Nodes will switch when the defined *switch-time* has passed. In case the node was
 powered off while this was supposed to happen, it might not be able to acquire the
@@ -15,15 +15,15 @@ site.conf
 All those settings have to be defined exclusively in the domain, not the site.
 
 domain_switch : optional (needed for domains to switch)
-    target_domain :
+  target_domain :
-        - target domain to switch to
+    - target domain to switch to
-    switch_after_offline_mins :
+  switch_after_offline_mins :
-        - amount of time without reachable gateway to switch unconditionally
+    - amount of time without reachable gateway to switch unconditionally
-    switch_time :
+  switch_time :
-        - UNIX epoch after which domain will be switched
+    - UNIX epoch after which domain will be switched
-    connection_check_targets :
+  connection_check_targets :
-        - array of IPv6 addresses which are probed to determine if the node is
+    - array of IPv6 addresses which are probed to determine if the node is
-	  connected to the mesh
+      connected to the mesh
 
 Example::
 

docs/releases/index.rst

@@ -0,0 +1,129 @@
+Release Notes
+=============
+
+.. toctree::
+  :caption: Gluon 2022.1
+  :maxdepth: 2
+
+  v2022.1.4
+  v2022.1.3
+  v2022.1.2
+  v2022.1.1
+  v2022.1
+
+.. toctree::
+  :caption: Gluon 2021.1
+  :maxdepth: 2
+
+  v2021.1.2
+  v2021.1.1
+  v2021.1
+
+.. toctree::
+  :caption: Gluon 2020.2
+  :maxdepth: 2
+
+  v2020.2.3
+  v2020.2.2
+  v2020.2.1
+  v2020.2
+
+.. toctree::
+  :caption: Gluon 2020.1
+  :maxdepth: 2
+
+  v2020.1.4
+  v2020.1.3
+  v2020.1.2
+  v2020.1.1
+  v2020.1
+
+.. toctree::
+  :caption: Gluon 2019.1
+  :maxdepth: 2
+
+  v2019.1.3
+  v2019.1.2
+  v2019.1.1
+  v2019.1
+
+.. toctree::
+  :caption: Gluon 2018.2
+  :maxdepth: 2
+
+  v2018.2.4
+  v2018.2.3
+  v2018.2.2
+  v2018.2.1
+  v2018.2
+
+.. toctree::
+  :caption: Gluon 2018.1
+  :maxdepth: 2
+
+  v2018.1.4
+  v2018.1.3
+  v2018.1.2
+  v2018.1.1
+  v2018.1
+
+.. toctree::
+  :caption: Gluon 2017.1
+  :maxdepth: 2
+
+  v2017.1.8
+  v2017.1.7
+  v2017.1.6
+  v2017.1.5
+  v2017.1.4
+  v2017.1.3
+  v2017.1.2
+  v2017.1.1
+  v2017.1
+
+.. toctree::
+  :caption: Gluon 2016.2
+  :maxdepth: 2
+
+  v2016.2.7
+  v2016.2.6
+  v2016.2.5
+  v2016.2.4
+  v2016.2.3
+  v2016.2.2
+  v2016.2.1
+  v2016.2
+
+.. toctree::
+  :caption: Gluon 2016.1
+  :maxdepth: 2
+
+  v2016.1.6
+  v2016.1.5
+  v2016.1.4
+  v2016.1.3
+  v2016.1.2
+  v2016.1.1
+  v2016.1
+
+.. toctree::
+  :caption: Gluon 2015.1
+  :maxdepth: 2
+
+  v2015.1.2
+  v2015.1.1
+  v2015.1
+
+.. toctree::
+  :caption: Gluon 2014.4
+  :maxdepth: 2
+
+  v2014.4
+
+.. toctree::
+  :caption: Gluon 2014.3
+  :maxdepth: 2
+
+  v2014.3.1
+  v2014.3
+

docs/releases/v2015.1.rst

@@ -19,7 +19,7 @@ ar71xx-generic
 
   - DIR-615 (C1)
 
-* GL-Inet
+* GL.iNet
 
   - 6408A (v1)
   - 6416A (v1)
@@ -170,16 +170,16 @@ Site changes
     for example::
 
       fastd_mesh_vpn = {
-          methods = {'salsa2012+umac'},
+        methods = {'salsa2012+umac'},
-          mtu = 1426,
+        mtu = 1426,
-          groups = {
+        groups = {
-              backbone = {
+          backbone = {
-                  limit = 2,
+            limit = 2,
-                  peers = {
+            peers = {
-                      -- ...
+              -- ...
-                  }
+            }
-              }
           }
+        }
       }
 
   - ``config_mode``: The config mode messages aren't configured in ``site.conf`` anymore. Instead, they are
@@ -190,11 +190,11 @@ Site changes
     in the site i18n files. The ``site.conf`` section becomes::
 
       roles = {
-          default = 'foo',
+        default = 'foo',
-          list = {
+        list = {
-              'foo',
+          'foo',
-              'bar',
+          'bar',
-          }
+        }
       }
 
     The display string use i18n message IDs like ``gluon-luci-node-role:role:foo`` and ``gluon-luci-node-role:role:bar``.

docs/releases/v2016.1.5.rst

@@ -9,21 +9,21 @@ ar71xx-generic
 
 * OpenMesh
 
- - MR600 (v1, v2)
+  - MR600 (v1, v2)
- - MR900 (v1, v2)
+  - MR900 (v1, v2)
- - OM2P (v1, v2)
+  - OM2P (v1, v2)
- - OM2P-HS (v1, v2)
+  - OM2P-HS (v1, v2)
- - OM2P-LC
+  - OM2P-LC
- - OM5P
+  - OM5P
- - OM5P-AN
+  - OM5P-AN
 
 * Ubiquiti
 
- - Rocket M XW
+  - Rocket M XW
 
 * TP-LINK
 
- - TL-WR841N/ND v11
+  - TL-WR841N/ND v11
 
 Bugfixes
 ~~~~~~~~

docs/releases/v2017.1.rst

@@ -88,6 +88,8 @@ New features
 * Add support for making nodes a DNS cache for clients
   (`#1000 <https://github.com/freifunk-gluon/gluon/pull/1000>`_)
 
+  See also: :doc:`../features/dns-cache`
+
 * Add L2TP via tunneldigger as an alternative VPN system
   (`#978 <https://github.com/freifunk-gluon/gluon/pull/978>`_)
 

docs/releases/v2018.1.2.rst

@@ -28,7 +28,7 @@ Bugfixes
   As the path to both config mode and status page were changed between versions
   users could be affected by a redirect to a no more valid URL. 
 
-* batman-adv has received two bugfixes, which were `backported <https://github.com/openwrt-routing/packages/commit/7bf62cc8b556b5046f9bbd37687376fe9ea175bb>`_ from v2018.4
+* batman-adv has received two bugfixes, which were `backported <https://github.com/openwrt/routing/commit/7bf62cc8b556b5046f9bbd37687376fe9ea175bb>`_ from v2018.4
 
 Other changes
 ~~~~~~~~~~~~~

docs/releases/v2018.2.1.rst

@@ -21,7 +21,7 @@ ramips-mt7620
 ramips-mt76x8
 ^^^^^^^^^^^^^
 
-* Gl.iNet
+* GL.iNet
 
   - MT300N (v2) [#noibss]_
 

docs/releases/v2018.2.4.rst

@@ -0,0 +1,53 @@
+Gluon 2018.2.4
+==============
+
+End of life
+~~~~~~~~~~~~~~
+
+This will be the final release of the v2018.2.x series. Updating to the v2019.1.x release series is the recommended course of action, which should be fairly easy.
+
+Bugfixes
+~~~~~~~~
+
+* Fixes device alias for Ubiquiti UniFi AC LR. (`#1834 <https://github.com/freifunk-gluon/gluon/issues/1834>`_)
+  Autoupdates on this model were impossible before, since we were missing the proper device alias.
+
+* Add correct ath10k firmware package for OCEDO Koala. (`#1838 <https://github.com/freifunk-gluon/gluon/pull/1838>`_)
+
+* Fixes various batman-adv bugs with backports from 2019.4 and 2019.5 by updating the openwrt-routing packages feed
+
+Other changes
+~~~~~~~~~~~~~
+
+* Linux kernel has been updated to either
+  
+  - 4.9.207 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.160 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+~~~~~~~~~~~~
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is
+  disabled (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).
+
+* Inconsistent respondd API
+  (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API
+  will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on
+  weak hardware especially in larger meshes
+  (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.

docs/releases/v2019.1.1.rst

@@ -0,0 +1,64 @@
+Gluon 2019.1.1
+##############
+
+Bugfixes
+********
+
+* Fixes device alias for Ubiquiti UniFi AC LR. (`#1834 <https://github.com/freifunk-gluon/gluon/issues/1834>`_)
+  Autoupdates on this model were impossible before, since we were missing the proper device alias.
+
+* Add correct ath10k firmware package for OCEDO Koala. (`#1838 <https://github.com/freifunk-gluon/gluon/pull/1838>`_)
+
+* Fixes various batman-adv bugs with backports from 2019.4 and 2019.5 by updating the openwrt-routing packages feed.
+
+* Fixes node role list.  (`#1851 <https://github.com/freifunk-gluon/gluon/issues/1851>`_)
+  With Gluon v2019.1 it became impossible to change the role of a node via the config mode.
+
+Other Changes
+*************
+
+* Linux kernel has been updated to either
+
+  - 4.9.207 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.160 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+************
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.2.rst

@@ -0,0 +1,60 @@
+Gluon 2019.1.2
+##############
+
+Bugfixes
+********
+
+* Fixes a buffer-overflow vulnerability in libubox, a core component of OpenWrt
+  (CVE-2020-7248)
+
+* Fixes a vulnerability in the OpenWrt package manager (opkg). By using this vulnerability,
+  an attacker could bypass the integrity check of the package artifacts. (CVE-2020-7982)
+
+Other Changes
+*************
+
+* Linux kernel has been updated to either
+
+  - 4.9.211 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.167 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+************
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.3.rst

@@ -0,0 +1,70 @@
+Gluon 2019.1.3
+==============
+
+Bugfixes
+--------
+
+- Fixes a bug in the tunneldigger watchdog where the watchdog would incorrectly find itself while looking up the running tunneldigger process. It then went on and assumed a PID mismatch between the tunneldigger service and its PID file and therefore caused an unnecessary restart of the tunnel. (`#1952 <https://github.com/freifunk-gluon/gluon/issues/1952>`_)
+
+- Fixes an oversight in the firewalling of the respondd service where queries from prefix listed in ``extra_prefixes6`` would be dropped. (`#1941 <https://github.com/freifunk-gluon/gluon/issues/1941>`_)
+
+- Fixes a bug in ``gluon-web`` where forms would not correctly update their field visibility on reset. This affected, for example, the private wifi page in the config mode. (`#1970 <https://github.com/freifunk-gluon/gluon/pull/1970>`_)
+
+- Fixes RX buffer sizing in the ath10k driver to allow for frames larger than 1528 Bytes. (`#1992 <https://github.com/freifunk-gluon/gluon/pull/1992>`_)
+
+- Fixed handling of mesh interfaces together with outdoor mode, site.conf defaults and config mode (`#2049 <https://github.com/freifunk-gluon/gluon/pull/2049>`_) (`#2054 <https://github.com/freifunk-gluon/gluon/pull/2054>`_)
+
+- Fixes a bug with perl when building Gluon v2019.1.x with GCC10
+
+- Fixes a buffer leak in fastd when receiving invalid packets
+
+Other Changes
+-------------
+
+- Linux kernel has been updated to either
+
+  - 4.9.237 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.199 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.rst

@@ -15,6 +15,7 @@ possible.
 With Gluon v2019.1, nodes will not answer respondd queries on ``[ff02::2:1001]:1001`` anymore. Respondd
 querier setups still using this address must be updated to the new address ``[ff05::2:1001]:1001``
 (supported since Gluon v2017.1). This change was required due to cross-domain leakage of respondd data.
+If you are using hopglass-server to query respondd data, you need to update it to at least commit f0e2c0a5.
 
 If you are upgrading from a version prior to v2018.1, please note that the flash layout on some
 devices (TP-Link CPE/WBS 210/510) was changed. To avoid upgrade failures, make sure to upgrade
@@ -72,8 +73,8 @@ ramips-mt7621
 
 .. note::
 
-    The ``ipq806x`` target has been flagged as broken, as none of its devices are fully supported in this OpenWrt
+  The ``ipq806x`` target has been flagged as broken, as none of its devices are fully supported in this OpenWrt
-    release yet. You might have to update your build scripts accordingly.
+  release yet. You might have to update your build scripts accordingly.
 
 
 
@@ -91,7 +92,7 @@ to decide which module gets loaded and the scheduled domain switching functional
 the two versions.
 
 Note that if you were using ``gluon-mesh-batman-adv-14`` ("batman-adv-legacy") before you will need to update the
-``mesh.batman_adv.routing_algo`` setting from from ``BATMAN_IV`` to ``BATMAN_IV_LEGACY`` if you want to
+``mesh.batman_adv.routing_algo`` setting from ``BATMAN_IV`` to ``BATMAN_IV_LEGACY`` if you want to
 stay on v14 compat.
 
 See the :ref:`mesh <user-site-mesh>` section for the *site.conf* configuration of this feature.
@@ -108,20 +109,20 @@ have outdoor mode automatically enabled during their initial setup, specifically
 
 * Ubiquiti
 
-    - Bullet M
+  - Bullet M
-    - Litebeam M5
+  - Litebeam M5
-    - Nanostation M5
+  - Nanostation M5
-    - Nanostation M5 Loco
+  - Nanostation M5 Loco
-    - Rocket M5
+  - Rocket M5
-    - Rocket M5 TI
+  - Rocket M5 TI
-    - Unifi AC Mesh
+  - Unifi AC Mesh
-    - Unifi AC Mesh Pro
+  - Unifi AC Mesh Pro
-    - Unifi Outdoor
+  - Unifi Outdoor
 
 * TP-Link
 
-    - CPE510
+  - CPE510
-    - WBS510
+  - WBS510
 
 See the :ref:`wifi5 <user-site-wifi5>` section for the *site.conf* configuration of this feature.
 
@@ -157,7 +158,7 @@ Bugfixes
   (`#1777 <https://github.com/freifunk-gluon/gluon/issues/1777>`_)
 
 * Fixes cross-domain leakage of respondd data by not joining the link-local multicast group on br-client. Nodes will
-  not be answering respondd queries on  ``[ff02::2:1001]:1001`` anymore. Respondd queries using that adresss must be
+  not be answering respondd queries on  ``[ff02::2:1001]:1001`` anymore. Respondd queries using that address must be
   updated to the new address ``[ff05::2:1001]:1001``. (`#1701 <https://github.com/freifunk-gluon/gluon/issues/1701>`_)
 
 
@@ -252,13 +253,15 @@ Known issues
 
 * The integration of the BATMAN_V routing algorithm is incomplete.
 
-   - | Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
-     | Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
-     | metric.
 
-   - | Throughput values are not correctly acquired for different interface types.
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
-     | (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    metric.
-     | This affects virtual interface types like bridges and VXLAN.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
 
 * Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
   (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)

docs/releases/v2020.1.1.rst

@@ -0,0 +1,61 @@
+Gluon 2020.1.1
+==============
+
+This is the first service release for the Gluon 2020.1.x line, fixing regressions reported by
+the community.
+
+Bugfixes
+--------
+
+- Fixed non-working LEDs on TP-Link Archer C5 v1 and Archer C7 v2 after an upgrade to Gluon 2020.1.
+
+- Fixed an issue which leads to AVM FRITZ!WLAN Repeater 450E devices being stuck in failsafe mode
+  after an upgrade to Gluon 2020.1.
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.171
+
+Known issues
+------------
+
+- Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+- The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+- Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+- The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+- Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+- Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+
+- High chance of ending in a soft-bricked state for Ubiquiti EdgeRouter-X. Workaround is to
+  repeat initial installation using the serial console. (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)

docs/releases/v2020.1.2.rst

@@ -0,0 +1,84 @@
+Gluon 2020.1.2
+==============
+
+Removed hardware support
+------------------------
+
+lantiq-xway
+~~~~~~~~~~~
+
+- AVM FRITZ!Box 7320 [#switchports_not_working]_
+- AVM FRITZ!Box 7330 [#switchports_not_working]_
+- AVM FRITZ!Box 7330 SL [#switchports_not_working]_
+
+.. [#switchports_not_working]
+  The switchports on these devices are not working properly (`#1943 <https://github.com/freifunk-gluon/gluon/issues/1943>`_)
+
+Bugfixes
+--------
+
+- Fixes a bug in the tunneldigger watchdog where the watchdog would incorrectly find itself while looking up the running tunneldigger process. It then went on and assumed a PID mismatch between the tunneldigger service and its PID file and therefore caused an unnecessary restart of the tunnel. (`#1952 <https://github.com/freifunk-gluon/gluon/issues/1952>`_)
+
+- Fixes an oversight in the firewalling of the respondd service where queries from prefix listed in ``extra_prefixes6`` would be dropped. (`#1941 <https://github.com/freifunk-gluon/gluon/issues/1941>`_)
+
+- Fixes a bug in ``gluon-web`` where forms would not correctly update their field visibility on reset. This affected, for example, the private wifi page in the config mode. (`#1970 <https://github.com/freifunk-gluon/gluon/pull/1970>`_)
+
+- Fixes RX buffer sizing in the ath10k driver to allow for frames larger than 1528 Bytes. (`#1992 <https://github.com/freifunk-gluon/gluon/pull/1992>`_)
+
+- Fixes a regression in the v4.14 kernel where spurious data bus errors on ar71xx devices would cause a reboot. (`#1994 <https://github.com/freifunk-gluon/gluon/pull/1994>`_)
+
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.176
+
+
+Internals
+---------
+
+- OpenWrt 19.07 introduced the urngd entropy daemon that serves the same function as the haveged service, which we have been recommending. To not have two redundant entropy daemons in this release we remove urngd in favor of haveged in the v2020.1 release series.
+
+Known issues
+------------
+
+- High chance of ending in a soft-bricked state for Ubiquiti EdgeRouter-X. Workaround is to
+  repeat initial installation using the serial console. (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+- Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+- The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+- Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+- The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+- Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+- Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2020.1.3.rst

@@ -0,0 +1,57 @@
+Gluon 2020.1.3
+==============
+
+Bugfixes
+--------
+
+- Fixes a bug in musl which can lead to spurious crashes in fastd and other programs, which alternate between single-
+  and multi-threaded operation. (`#2029 <https://github.com/freifunk-gluon/gluon/issues/2029>`_)
+
+- Fixes a regression which led to around 2.5 MiB higher memory usage for ar71xx-tiny and ramips-rt305x targets.
+  While this decreases the memory usage, the image will become around 64KiB larger. (`#2032 <https://github.com/freifunk-gluon/gluon/issues/2032>`_)
+
+- Fixes a bug which can cause the TP-Link TL-MR3020 v1 to become stuck in failsafe mode.
+
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.180
+
+
+Known issues
+------------
+
+- High chance of ending in a soft-bricked state for Ubiquiti EdgeRouter-X. Workaround is to
+  repeat initial installation using the serial console. (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+- Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+- The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+- Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+- The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+- Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+

docs/releases/v2020.1.4.rst

@@ -0,0 +1,47 @@
+Gluon 2020.1.4
+==============
+
+Added hardware support
+----------------------
+
+- Added support for TP-Link CPE210 3.20 (`#2080 <https://github.com/freifunk-gluon/gluon/issues/2080>`_)
+
+Bugfixes
+--------
+
+- Fixed a rare race-condition during mesh interface teardown (`#2057 <https://github.com/freifunk-gluon/gluon/pull/2057>`_)
+
+- Fixed handling of mesh interfaces together with outdoor mode, site.conf defaults and config mode (`#2049 <https://github.com/freifunk-gluon/gluon/pull/2049>`_) (`#2054 <https://github.com/freifunk-gluon/gluon/pull/2054>`_)
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.193
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.1.rst

@@ -0,0 +1,240 @@
+Gluon 2020.1
+============
+
+This is the first release of Gluon in 2020, based on OpenWrt 19.07. It
+introduces the ath79 target, which will replace ar71xx in the short
+term.
+
+Added hardware support
+----------------------
+
+ath79-generic
+~~~~~~~~~~~~~
+
+- devolo WiFi pro 1200e
+- devolo WiFi pro 1200i
+- devolo WiFi pro 1750c
+- devolo WiFi pro 1750e
+- devolo WiFi pro 1750i
+- devolo WiFi pro 1750x
+- GL.iNet GL-AR300M-Lite
+- OCEDO Raccoon
+- TP-Link Archer C6 v2
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+- Aruba AP-303
+- Aruba Instant On AP11
+- AVM FRITZ!Repeater 1200
+
+ipq806x-generic
+~~~~~~~~~~~~~~~
+
+- Netgear R7800
+
+lantiq-xway
+~~~~~~~~~~~
+
+- AVM FRITZ!Box 7312
+- AVM FRITZ!Box 7320
+- AVM FRITZ!Box 7330
+- AVM FRITZ!Box 7330 SL
+
+lantiq-xrx200
+~~~~~~~~~~~~~
+
+- AVM FRITZ!Box 7360 (v1, v2)
+- AVM FRITZ!Box 7360 SL
+- AVM FRITZ!Box 7362 SL
+- AVM FRITZ!Box 7412
+
+mpc85xx-p1020
+~~~~~~~~~~~~~
+
+- Enterasys WS-AP3710i
+- OCEDO Panda
+
+ramips-mt7620
+~~~~~~~~~~~~~
+
+- TP-Link Archer C2 (v1)
+- TP-Link Archer C20 (v1)
+- TP-Link Archer C20i
+- TP-Link Archer C50 (v1)
+- Xiaomi MiWifi Mini
+
+ramips-mt7621
+~~~~~~~~~~~~~
+
+- Netgear EX6150 (v1)
+- Netgear R6220
+
+ramips-mt76x8
+~~~~~~~~~~~~~
+
+- GL.iNet VIXMINI
+- TP-Link TL-MR3020 (v3)
+- TP-Link TL-WA801ND (v5)
+- TP-Link TL-WR902AC (v3)
+
+Removed hardware support
+------------------------
+
+- ALFA Network Hornet-UB [#kernelpartition_too_small]_
+- ALFA Network Tube2H [#kernelpartition_too_small]_
+- ALFA Network N2 [#kernelpartition_too_small]_
+- ALFA Network N5 [#kernelpartition_too_small]_
+
+.. [#kernelpartition_too_small]
+  The kernel partition on this device is too small to build a working image.
+
+Major changes
+-------------
+
+OpenWrt 19.07
+~~~~~~~~~~~~~
+
+Gluon v2020.1 is the first release to use OpenWrt 19.07. All targets
+therefore use Linux 4.14.166.
+
+batman-adv compat v14 removal
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Support for the long deprecated compat 14 version of batman-adv has been
+dropped. Communities still using this version should migrate to batman-adv
+using the scheduled domain switch.
+
+IBSS wireless mesh removal
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Support for the IBSS wireless protocol has been dropped. Communities
+still using IBSS are suggested to migrate to 802.11s using the scheduled
+domain switch.
+
+Performance enhancements
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+We install zram-swap by default on ``ar71xx`` devices with 8MB of flash
+and 32MB of RAM.
+
+Renamed targets
+~~~~~~~~~~~~~~~
+
+- The ``ipq40xx`` target was renamed to ``ipq40xx-generic``.
+- The ``ipq806x`` target was renamed to ``ipq806x-generic``.
+
+Status Page
+~~~~~~~~~~~
+
+- Gateway nexthop information has been added to the status page when batman-adv
+  is used. This includes its MAC address and prettyname as well as the interface
+  name towards the selected gateway.
+- The site name has been added to the status page. If the node is in a multidomain
+  setup it will also show the domain name.
+
+DECT button to enter config mode
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Many AVM devices don't feature a separate RESET/WPS button, therefore
+starting this release we support entering the config mode via DECT buttons.
+
+X86 partition size
+~~~~~~~~~~~~~~~~~~
+
+The x86 partition size has been reduced to fit on disks with a capacity of 128 MB.
+
+Bugfixes
+--------
+
+Autoupdater aliases
+~~~~~~~~~~~~~~~~~~~
+
+We have added several new aliases for autoupdater compatibility on
+the following devices:
+
+- Ubiquiti UniFi AC LR
+- Raspberry Pi
+
+Site changes
+------------
+
+site.mk
+~~~~~~~
+
+- The ``GLUON_WLAN_MESH`` variable can be dropped, as 802.11s is
+  the only supported wireless transport from now on.
+
+Internals
+---------
+
+Linting Targets
+~~~~~~~~~~~~~~~
+
+Support for linter make targets was added.
+
+- ``make lint``
+- ``make lint-sh`` to only check shell scripts
+- ``make lint-lua`` to only check lua scripts
+
+These require the shellcheck and luacheck tools. The docker image has
+been updated accordingly.
+
+Continuous integration
+~~~~~~~~~~~~~~~~~~~~~~
+
+We have implemented continuous integration testing using Jenkins and thereby
+ensure that all lua and shell scripts are linted, that the documentation
+still builds and warnings are highlighted, and that Gluon still
+compiles, by testing a build on the ``x86_64`` target. We expect this to
+significantly improve the feedback cycle and quality of contributions.
+
+Known issues
+************
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* LEDs on TP-Link Archer C5 v1 and Archer C7 v2 are not working after Upgrade to v2020.1
+  (`#1941 <https://github.com/freifunk-gluon/gluon/issues/1941>`_)
+
+* AVM FRITZ!WLAN Repeater 450E is stuck in failsafe mode. (`#1940 <https://github.com/freifunk-gluon/gluon/issues/1940>`_)
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2020.2.1.rst

@@ -0,0 +1,47 @@
+Gluon 2020.2.1
+==============
+
+Added hardware support
+----------------------
+
+- Added support for TP-Link CPE210 3.20 (`#2080 <https://github.com/freifunk-gluon/gluon/issues/2080>`_)
+
+Bugfixes
+--------
+
+- Fixed handling of *mesh_on_lan* enabled in site configuration (`#2090 <https://github.com/freifunk-gluon/gluon/issues/2090>`_)
+
+- Fixed build issues with lantiq-xrx200 target by removing unsupported DSL modem packages (`#2087 <https://github.com/freifunk-gluon/gluon/pull/2087>`_)
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.193
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.2.2.rst

@@ -0,0 +1,42 @@
+Gluon 2020.2.2
+==============
+
+Bugfixes
+--------
+
+- Fixed unstable WiFi on some units of the TP-Link Archer C50 v4 (`#2133 <https://github.com/freifunk-gluon/gluon/pull/2133>`_)
+
+- Fixed CVE-2020-27638 in fastd
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.206
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.2.3.rst

@@ -0,0 +1,49 @@
+Gluon 2020.2.3
+==============
+
+Bugfixes
+--------
+
+- LEDs on the ASUS RT-AC51 are now fully functional.
+
+- Netgear EX6150v1 randomly booting into failsafe mode has been fixed.
+  This happened dependent on the state of the mode setting switch.
+
+- Dnsmasq has been patched against multiple security issues in its DNS response validation.
+  See the OpenWrt advisory at https://openwrt.org/advisory/2021-01-19-1
+
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.224
+- batman-adv fixes were backported from its 2021.0 release
+- OpenSSL has been updated to 1.1.1k
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+

docs/releases/v2020.2.rst

@@ -0,0 +1,198 @@
+Gluon 2020.2
+============
+
+Added hardware support
+----------------------
+
+ath79-generic
+~~~~~~~~~~~~~
+
+* GL.iNet
+
+  - GL-AR750S
+
+* TP-Link
+
+  - CPE220 (v3)
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+* EnGenius
+
+  - ENS620EXT [#outdoor]_
+
+* Linksys
+
+  - EA6350 (v3)
+
+lantiq-xrx200
+~~~~~~~~~~~~~
+
+* TP-Link
+
+  - TD-W8970
+
+lantiq-xway
+~~~~~~~~~~~
+
+* NETGEAR
+
+  - DGN3500B
+
+ramips-mt76x8
+~~~~~~~~~~~~~
+* Cudy
+
+  - WR1000
+
+
+x86-legacy [#newtarget]_
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Devices older than the Pentium 4
+
+
+.. [#newtarget]
+  This is a new target.
+
+.. [#outdoor]
+  This device is supposed to be set up outdoors and will therefore have its outdoor mode flag automatically enabled.
+
+
+Major changes
+-------------
+
+Device Classes
+~~~~~~~~~~~~~~
+
+Devices are now categorized into device classes. This device class can determine which features
+as well as packages are installed on the device when building images.
+
+Currently there are two classes used in Gluon, *tiny* and *standard*. All devices with less than 64M of RAM or
+less than 7M of usable firmware space are assigned to the tiny class.
+
+WPA3 support for Private WLAN
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The private WLAN now supports WPA3-SAE key exchange as well as management frame protection (802.11w).
+For this to work, the firmware needs to be built with the *wireless-encryption-wpa3* feature.
+
+OWE on Client Network
+~~~~~~~~~~~~~~~~~~~~~
+
+Gluon now allows to configure a VAP for the client network which supports opportunistic encryption on the
+client network for devices which support the OWE security type (also known as Enhanced Open).
+
+This encrypted VAP can be the only available access point or be configured in addition to an unencrypted VAP.
+In the latter case, the transition mode can be enabled, which enables compatible devices to automatically
+connect to the encrypted VAP while legacy devices continue to use the unencrypted connection.
+
+There are issues with some devices running Android 9 when connecting to a transition mode enabled network. See the site documentation for more information.
+
+SAE Encrypted Mesh Links
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mesh links can now be operated in an encrypted mode using SAE authentication. For this to work, a common shared secret
+has to be distributed to all participating nodes using the site.conf.
+
+Responsive status page
+~~~~~~~~~~~~~~~~~~~~~~
+
+The status page design is now responsive and reflows better on mobile devices.
+
+Primary domain code
+~~~~~~~~~~~~~~~~~~~
+
+The primary domain code is now visible on the node status page as well as in the respondd information
+emitted by the node.
+
+Logging
+~~~~~~~
+
+The new *gluon-logging* package allows to configure a remote syslog server using the site.conf.
+This package can only be included when *gluon-web-logging* is excluded.
+
+Peer cleanup in fastd
+~~~~~~~~~~~~~~~~~~~~~
+
+fastd peers and groups are now removed on update in case they do not exist in the new site configuration.
+To preserve a custom peer across updates, add the *preserve* key to the peer's UCI configuration and set it to ``1``.
+
+
+Bugfixes
+--------
+
+- The WAN MAC address now matches the one defined in OpenWrt if VXLAN is enabled for the selected domain.
+
+- *gluon-reload* now reloads all relevant services.
+
+- Disabling outdoor mode and enabling meshing in the config mode can now be performed in a single step.
+
+- Fixed section visibility with enabled outdoor mode in config mode.
+
+
+Site changes
+------------
+
+site.mk
+~~~~~~~
+
+Starting with version 19.07 OpenWrt ships the urngd entropy daemon by default.
+It replaces the haveged daemon, for which we removed the support in Gluon. Remove ``haveged`` from your package selection.
+
+
+Internal
+--------
+
+Editorconfig
+~~~~~~~~~~~~
+
+Gluon now ships a *editorconfig* file to allow compatible editors to automatically apply key aspects of Gluon's code style.
+
+Continuous Integration
+~~~~~~~~~~~~~~~~~~~~~~
+
+* Jenkins
+
+  - The CI now has a test stage to verify Gluons runtime functionality.
+
+* GitHub Actions
+
+  - GitHub actions is now enabled for the Gluon project, build-testing all available targets.
+
+Build system
+~~~~~~~~~~~~
+
+- Source code minification can now be skipped by enabling the GLUON_MINIFY flag.
+
+- Enabling the GLUON_AUTOREMOVE flag will remove package build directories after they are built.
+  This reduces space consumption at the expense of subsequent builds being slower.
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2021.1.1.rst

@@ -0,0 +1,63 @@
+Gluon 2021.1.1
+==============
+
+Important notes
+---------------
+
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2 and later. This is due to migrations that have been removed to simplify maintenance.
+
+
+Added hardware support
+----------------------
+
+
+ath79-generic
+~~~~~~~~~~~~~
+
+* Joy-IT
+
+    - JT-OR750i
+
+
+ramips-mt76x8
+~~~~~~~~~~~~~
+
+* Xiaomi
+
+    - Mi Router 4A (100M Edition)
+
+
+Bugfixes
+--------
+
+- Missing bandwidth limit settings resulted in a respondd crash for v2021.1.
+
+- The Tunneldigger VPN provider was not registered with the Gluon VPN backend, resulting in broken Tunneldigger configurations.
+
+- Disabling Radio interfaces in v2021.1 could lead to null pointer dereferences in the respondd airtime module, as the survey returns no data in this case.
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2021.1.2.rst

@@ -0,0 +1,131 @@
+Gluon 2021.1.2
+==============
+
+Important notes
+---------------
+
+This release fixes a **critical security vulnerability** in Gluon's
+autoupdater.
+
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2
+and later. Migration code for upgrades from older versions has been removed to
+simplify maintenance.
+
+
+Updates
+-------
+
+- The Linux kernel was updated to version 4.14.275
+- The mac80211 wireless driver stack was updated to a version based on kernel
+  4.19.237
+
+Various minor package updates are not listed here and can be found in the commit
+log.
+
+
+Bugfixes
+--------
+
+* **[SECURITY]** Autoupdater: Fix signature verification
+
+  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
+  allows forgery of cryptographic signatures. This vulnerability can be
+  exploited to create a manifest accepted by the autoupdater without knowledge
+  of the signers' private keys. By intercepting nodes' connections to the update
+  server, such a manifest allows to distribute malicious firmware updates.
+
+  This is a **critical** vulnerability. All nodes with autoupdater must be
+  updated. Requiring multiple signatures for an update does *not* mitigate the
+  issue.
+
+  As a temporary workaround, the issue can be mitigated on individual nodes by
+  disabling the autoupdater via config mode or using the following commands::
+
+    uci set autoupdater.settings.enabled=0
+    uci commit autoupdater
+
+  A fixed firmware should be installed manually before enabling the autoupdater
+  again.
+
+  See security advisory `GHSA-qhcg-9ffp-78pw
+  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
+  for further information on this vulnerability.
+
+* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
+
+  The Config Mode was not validating the *Origin* header of POST requests.
+  This allowed arbitrary websites to modify   configuration (including SSH keys)
+  on a Gluon node in Config Mode reachable from a user's browser by sending POST
+  requests with form data to 192.168.1.1.
+
+  The impact of this issue is considered low, as nodes are only vulnerable while
+  in Config Mode.
+
+* Config Mode: Fix occasionally hanging page load after submitting the
+  configuration wizard causing the reboot message and VPN key not to be
+  displayed
+
+* Config Mode (OSM): Update default OpenLayers source URL
+
+  The OSM feature of the Config Mode was broken when the default source URL was
+  used for OpenLayers, as the old URL has become unavailable. The default was
+  updated to a URL that should not become unavailable again.
+
+* Config Mode (OSM): Fix error when using ``"`` character in attribution text
+
+* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
+  interfaces
+
+  Several improvements were made to the error handling of the
+  *respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
+  2021.1) was removed again.
+
+* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
+
+* Fix occasional build failure in "perl" package with high number of threads
+  (``-j32`` or higher)
+
+
+Other improvements
+------------------
+
+* Several improvements were made to the status page:
+
+  - WLAN channel display does not require the *respondd-module-airtime* package
+    anymore
+  - The "gateway nexthop" label now links to the status page of the nexthop node
+  - The timeout to retrieve information from neighbour nodes was increased,
+    making the display of the name
+    of overloaded, slow or otherwise badly reachable nodes more likely to
+    succeed
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
+  soft-bricked state due to bad blocks on the NAND flash which the NAND driver
+  before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page.
+    (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
+    account for the new throughput metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is
+  modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).

docs/releases/v2021.1.rst

@@ -0,0 +1,141 @@
+Gluon 2021.1
+============
+
+Important notes
+---------------
+
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2 and later. This is due to migrations that have been removed to simplify maintenance.
+
+
+Added hardware support
+----------------------
+
+
+ath79-generic
+~~~~~~~~~~~~~
+
+* Plasma Cloud
+
+    - PA300 [#outdoor]_
+    - PA300E [#outdoor]_
+
+* TP-Link
+
+    - Archer C2 v3
+    - Archer D50 v1
+
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+* AVM
+
+    - FRITZ!Box 7530
+
+* Plasma Cloud
+
+    - PA1200 [#outdoor]_
+    - PA2200
+
+
+ramips-mt7620
+~~~~~~~~~~~~~
+
+* Netgear
+
+    - EX3700
+    - EX3800
+
+
+.. [#outdoor]
+  This device is supposed to be set up outdoors and will therefore have its outdoor mode flag automatically enabled.
+
+
+Major changes
+-------------
+
+Multicast optimizations (batman-adv)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In this release, we reenable the multicast optimizations, that have gone through another round of bug squashing upstream. With this feature batman-adv will distribute IPv6 link-local multicast packets via individual unicast packets instead of flooding them through the whole mesh as long as the number of subscribed nodes does not exceed 16. This reduces layer 2 overhead, especially for IPv6 Neighbor Discovery.
+
+We also relaxed the firewall for IPv6 multicast packets: Instead of always dropping non-essential multicast packets we now allow all IPv6 link-local multicast packets to pass when the destination group has up to 16 subscribers
+
+Status page
+~~~~~~~~~~~
+
+The status page has received much attention in this release and now exposes many more details that help to understand a node's setup remotely.
+
+Among other things, we now expose wireless client count per radio, the mac80211 identifiers, the frequencies radios are tuned to, as well as information about the VPN provider and details on the mesh protocol stack.
+
+
+gluon-switch-domain utility
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``gluon-switch-domain`` utility has been introduced to allow for a standard way to encapsulate the steps required for safely switching between domains. Existing packages like the hoodselector and the scheduled-domain-switch have been tied in with gluon-switch-domain.
+
+It has an experimental ``--no-reboot`` flag that requires further testing, to ensure it doesn't accidentally bridge separate domains.
+
+
+Other changes
+-------------
+
+- The private WLAN interface is now assigned the interface name `wan_radioX` where X is the phy index.
+- Linux kernel has been updated to 4.14.235
+- The kernel's mac80211 stack has been updated to 4.19.193-test1 to mitigate the `FragAttacks <https://www.fragattacks.com/>`_ vulnerabilities
+- OpenSSL has been updated to 1.1.1k, fixing CVE-2021-3449 and CVE-2021-3450
+- Dropbear has been patched against mishandling of special filenames in its scp component (CVE-2020-36524)
+
+Bugfixes
+--------
+
+- The firmware partition lookup in gluon-web-admin's firmware update page was using an old partition label and therefore failed to look up the available flash size. This resulted in misleading error messages in case the uploaded firmware file exceeds the flash size.
+
+- Android 9 and higher do not properly wake up to renew their MLD subscriptions, therefore dropping out of the Neighbor Discovery MLD group, which leads to broken IPv6 connectivity after the device has slept for a while. A workaround has been deployed to wake these devices up in regular intervals to prevent this regression.
+
+
+Internal
+--------
+
+Mesh-VPN Abstraction Layer
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In preparation for the introduction of new tunneling protocols, the gluon-mesh-vpn framework has been modularized. This allows for providers to use a standard interface and keep their implementation details in a dedicated package.
+
+
+Continuous Integration
+~~~~~~~~~~~~~~~~~~~~~~
+
+* GitHub Actions
+
+  - GitHub actions is now enabled for the Gluon project, build-testing all available targets.
+
+  - CI jobs are now run based on which paths have been modified.
+
+  - Linters for lua and shell scripts have been integrated.
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2022.1.1.rst

@@ -0,0 +1,85 @@
+Gluon 2022.1.1
+==============
+
+Important notes
+---------------
+
+This release mitigates multiple flaws in the Linux wireless stack fixing RCE and DoS vulnerabilities.
+
+
+Added hardware support
+----------------------
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+- GL.iNet
+
+  - GL-AP1300
+
+mpc85xx-p1010
+~~~~~~~~~~~~~
+
+- TP-Link
+
+  - TL-WDR4900 (v1)
+
+ramips-mt7621
+~~~~~~~~~~~~~
+
+- ZyXEL
+
+  - NWA50AX
+
+rockchip-armv8
+~~~~~~~~~~~~~~
+
+- FriendlyElec
+
+  - NanoPi R4S (4GB LPDDR4)
+
+Bugfixes
+--------
+
+ * Multiple mitigations for (`critical vulnerabilities <https://seclists.org/oss-sec/2022/q4/20>`_) in the Linux kernel WLAN stack. This only concerns Gluon v2022.1, older Gluon versions are unaffected.
+
+   * CVE-2022-41674
+   * CVE-2022-42719
+   * CVE-2022-42720
+   * CVE-2022-42721
+   * CVE-2022-42722
+ * Fixes `security issues in WolfSSL <https://openwrt.org/releases/22.03/notes-22.03.1#security_fixes>`_. People who have installed additional, non-Gluon packages which rely on WolfSSL's TLS 1.3 implementation might be affected. Firmwares using either gluon-mesh-wireless-sae or gluon-wireless-encryption-wpa3 are unaffected by these issues, since only WPA-Enterprise relies on the affected TLS functionality.
+
+   * CVE-2022-38152
+   * CVE-2022-39173
+
+ * Fixes the update path for GL-AR300M and NanoStation Loco M2/M5 (XW) devices.
+
+Known issues
+------------
+
+* A workaround for Android devices not waking up to their MLD subscriptions was removed,
+  potentially breaking IPv6 connectivity for these devices after extended sleep periods.
+  (`#2672 <https://github.com/freifunk-gluon/gluon/issues/2672>`_)
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2022.1.2.rst

@@ -0,0 +1,37 @@
+Gluon 2022.1.2
+==============
+
+Bugfixes
+--------
+
+ * Various build-errors which sporadically occur when building with a large thread-count have been fixed
+
+ * Android devices do not lose their IPv6 connectivity after extended idle-time
+
+ * The 802.11s mesh network is now using 802.11ax HE-modes when supported by hardware
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2022.1.3.rst

@@ -0,0 +1,40 @@
+Gluon 2022.1.3
+==============
+
+Bugfixes
+--------
+
+* Ipq40xx Wave2 devices temporarily use non-ct firmware again to work around 802.11s unicast package loss in ath10k-ct
+  (`#2692 <https://github.com/freifunk-gluon/gluon/issues/2692>`_)
+
+* Modify kernel builds slightly to work around a boot hang on various devices based on the QCA9563 SoC - especially the Unifi AC-* devices
+  (`#2784 <https://github.com/freifunk-gluon/gluon/issues/2784>`_)
+
+* Work around an issue with wifi setup timing by waiting a bit while device initialisation is ongoing
+  (`#2779 <https://github.com/freifunk-gluon/gluon/issues/2779>`_)
+
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/releases/v2022.1.4.rst

@@ -0,0 +1,136 @@
+Gluon 2022.1.4
+==============
+
+Added hardware support
+----------------------
+
+ath79-generic
+~~~~~~~~~~~~~
+
+- LibreRouter
+
+  - LibreRouter (v1)
+
+- Teltonika
+
+  - RUT230 (v1)
+
+
+ath79-nand
+~~~~~~~~~~
+
+- Aerohive
+
+  - HiveAP 121
+
+- NETGEAR
+
+  - WNDR4300 (v1)
+  
+
+lantiq-xrx200
+~~~~~~~~~~~~~
+
+- Arcadyan
+
+  - o2 Box 6431
+
+
+ramips-mt7621
+~~~~~~~~~~~~~
+
+- Cudy
+
+  - X6 (v1, v2)
+
+- D-Link
+
+  - DAP-X1860 (A1)
+
+- GL.iNet
+
+  - GL-MT1300
+  
+- Mercusys
+
+  - MR70X (v1)
+
+- Xiaomi
+
+  - Mi Router 3G
+  
+  
+ramips-mt76x8
+~~~~~~~~~~~~~
+
+- TP-Link
+
+  - RE200 (v3)
+  
+
+realtek-rtl838x
+~~~~~~~~~~~~~~~
+
+- D-Link
+
+  - DGS-1210-10P
+  
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+- AVM
+
+  - FRITZBox 7520
+  
+  
+ipq40xx-mikrotik
+~~~~~~~~~~~~~~~~
+
+- Mikrotik
+
+  - hAP ac2
+
+
+Bugfixes
+--------
+
+* Enterasys WS-AP3705i now uses the correct image-name for use with the autoupdater
+  (`#2819 <https://github.com/freifunk-gluon/gluon/issues/2819>`_)
+
+* Reduce memory Usage for ath10k on ZyXEL WRE6606 devices
+  (`#2842 <https://github.com/freifunk-gluon/gluon/issues/2842>`_)
+
+* Replace the Workaround for failed boots on ath79 with a proper fix.
+  (`#2784 <https://github.com/freifunk-gluon/gluon/issues/2784#issuecomment-1452126501>`_)
+
+* AVM FRITZ!Box 7360 v2 flashed with the incorrect image for v1 will automatically update to the correct image.
+
+* Revert OOM inducing switch of ath79 Wave2 firmware back to -ct
+  (`#2879 <https://github.com/freifunk-gluon/gluon/pull/2879>`_)
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).
+

docs/releases/v2022.1.rst

@@ -0,0 +1,417 @@
+Gluon 2022.1
+============
+
+Important notes
+---------------
+
+Upgrades to v2022.1 and later releases are only supported from releases v2020.1 and later. This is due to migrations that have been removed to simplify maintenance.
+
+
+Added hardware support
+----------------------
+
+ath79-generic
+~~~~~~~~~~~~~
+
+- D-Link
+
+  - DAP-2660 A1
+
+- Enterasys
+
+  - WS-AP3705i
+
+- Siemens
+
+  - WS-AP3610
+
+- TP-Link
+
+  - Archer A7 v5
+  - CPE510 v2
+  - CPE510 v3
+  - CPE710 v1
+  - EAP225-Outdoor v1
+  - WBS210 v2
+
+ath79-mikrotik
+~~~~~~~~~~~~~~
+
+- Mikrotik
+
+  - RB951Ui-2nD
+
+ipq40xx-generic
+~~~~~~~~~~~~~~~
+
+- Aruba Networks
+
+  - AP-303H
+  - AP-365
+  - InstantOn AP11D
+  - InstantOn AP17
+
+ipq40xx-mikrotik
+~~~~~~~~~~~~~~~~
+
+- Mikrotik
+
+  - SXTsq-5-AC
+
+ramips-mt7620
+~~~~~~~~~~~~~
+
+- Xiaomi
+
+  - Mi Router 3G (v2)
+
+ramips-mt7621
+~~~~~~~~~~~~~
+
+- Cudy
+
+  - WR2100
+
+- Netgear
+
+  - R6260
+  - WAC104
+  - WAX202
+
+- TP-Link
+
+  - RE500
+  - RE650 v1
+
+- Ubiquiti
+
+  - UniFi 6 Lite
+
+- Xiaomi
+
+  - Mi Router 4A (Gigabit Edition)
+
+ramips-mt7622
+~~~~~~~~~~~~~
+
+- Linksys
+
+  - E8450
+
+- Xiaomi
+
+  - AX3200
+
+- Ubiquiti
+
+  - UniFi 6 LR
+
+ramips-mt76x8
+~~~~~~~~~~~~~
+
+- GL.iNet
+
+  - microuter-N300
+
+- Netgear
+
+  - R6020
+
+- RAVPower
+
+  - RP-WD009
+
+- TP-Link
+
+  - Archer C20 v4
+  - Archer C20 v5
+  - RE200 v2
+  - RE305 v1
+
+- Xiaomi
+
+  - Mi Router 4C
+  - Mi Router 4A (100M Edition)
+
+rockchip-armv8
+~~~~~~~~~~~~~~
+
+- FriendlyElec
+
+  - NanoPi R2S
+
+mpc85xx-p1010
+~~~~~~~~~~~~~
+
+- Sophos
+
+  - RED 15w rev. 1
+
+mpc85xx-p1020
+~~~~~~~~~~~~~
+
+- Extreme Networks
+
+  - WS-AP3825i
+
+Removed Devices
+---------------
+
+This list contains devices which do not have enough memory or flash to
+be operated with this Gluon release.
+
+- D-Link
+
+  - DIR-615 (C1, D1, D2, D3, D4, H1)
+
+- Linksys
+
+  - WRT160NL
+
+- TP-Link
+
+  - TL-MR13U (v1)
+  - TL-MR3020 (v1)
+  - TL-MR3040 (v1, v2)
+  - TL-MR3220 (v1, v2)
+  - TL-MR3420 (v1, v2)
+  - TL-WA701N/ND (v1, v2)
+  - TL-WA730RE (v1)
+  - TL-WA750RE (v1)
+  - TL-WA801N/ND (v1, v2, v3)
+  - TL-WA830RE (v1, v2)
+  - TL-WA850RE (v1)
+  - TL-WA860RE (v1)
+  - TL-WA901N/ND (v1, v2, v3, v4, v5)
+  - TL-WA7210N (v2)
+  - TL-WA7510N (v1)
+  - TL-WR703N (v1)
+  - TL-WR710N (v1, v2)
+  - TL-WR740N (v1, v3, v4, v5)
+  - TL-WR741N/ND (v1, v2, v4, v5)
+  - TL-WR743N/ND (v1, v2)
+  - TL-WR840N (v2)
+  - TL-WR841N/ND (v3, v5, v7, v8, v9, v10, v11, v12)
+  - TL-WR841N/ND (v1, v2)
+  - TL-WR843N/ND (v1)
+  - TL-WR940N (v1, v2, v3, v4, v5, v6)
+  - TL-WR941ND (v2, v3, v4, v5, v6)
+  - TL-WR1043N/ND (v1)
+  - WDR4900
+
+- Ubiquiti
+
+  - AirGateway
+  - AirGateway Pro
+  - AirRouter
+  - Bullet
+  - LS-SR71
+  - Nanostation XM
+  - Nanostation Loco XM
+  - Picostation
+
+- Unknown
+
+  - A5-V11
+
+- VoCore
+
+  - VoCore (8M, 16M)
+
+Atheros target migration
+------------------------
+
+All Atheros MIPS devices built with the ``ar71xx-generic``,
+``ar71xx-nand`` as well as ``ar71xx-tiny`` were deprecated upstream and
+are therefore not available with Gluon anymore.
+
+Many devices previously built with ``ar71xx-generic`` and
+``ar71xx-nand`` are now available with the ``ath79-generic`` as well as
+``ath79-nand`` target respectively.
+
+Missing devices
+~~~~~~~~~~~~~~~
+
+The following devices have not yet been integrated into Gluons ath79
+targets.
+
+- 8Devices
+
+  - Carambola 2
+
+- Aerohive
+
+  - HiveAP 121
+
+- Allnet
+
+  - ALL0315
+
+- Buffalo
+
+  - WZR-HP-G300NH2
+  - WZR-HP-G450H
+
+- GL.iNet
+
+  - 6408A v1
+
+- NETGEAR
+
+  - WNDR4300
+  - WNDRMAC
+  -  WNDRMAC v2
+
+- TP-Link
+
+  - WR2543
+
+- Ubiquiti
+
+  - Rocket
+
+- WD
+
+  - MyNet N600
+  - MyNet N750
+
+- ZyXEL
+
+  - NB6616
+  - NB6716
+
+Features
+--------
+
+WireGuard
+~~~~~~~~~
+
+Gluon got WireGuard support. This allows offloading **encrypted**
+connections into kernel space, increasing performance by forwarding
+packets without the need for context switches between user and kernel
+space.
+
+In order to reuse existing (already verified) fastd-keypairs for
+WireGuard, a key derivation procedure is `currently being
+developed <https://github.com/freifunk-gluon/gluon/pull/2601>`__. This
+should ease migration from fastd to WireGuard in case whitelisting VPN
+keys is desired.
+
+fastd L2TP
+~~~~~~~~~~
+
+fastd can now act as a connection broker for unencrypted L2TP-based
+tunneling within Gluons mesh-vpn framework. This new ``null@l2tp``
+connection method allows for increased performance within existing
+fastd setups.
+
+In addition to a sufficiently
+:ref:`configured fastd-based VPN server<vpn-gateway-configuration>`,
+this requires further modifications to a sites :ref:`VPN fastd methods<VPN fastd methods>`.
+
+Major changes
+-------------
+
+OpenWrt
+~~~~~~~
+
+This release is based on the newest OpenWrt 22.03 release branch.
+It ships with Linux kernel 5.10 as well as wireless-backports 5.15.
+
+
+Network changes (DSA / Upgrade-Behavior)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``ramips-mt7621`` and ``lantiq-xrx200`` targets now use the upstream DSA
+subsystem instead of OpenWrt swconfig for managing ethernet switches.
+
+Gluon detects the existing user-intent and automatically applies it over
+to DSA syntax. See the section about network reconfiguration for more
+details.
+
+System reconfiguration
+~~~~~~~~~~~~~~~~~~~~~~
+
+The network and system-LED configurations are now re-generated after
+each update / invocation of ``gluon-reconfigure``.
+
+The user-intent is preserved within Gluon’s implemented functionality
+(Wired-Mesh / Client access / WAN).
+
+As an additional feature, Gluon now supports assigning roles to
+interfaces. This behavior is explained
+:ref:`here<wired-mesh-commandline>`.
+
+Site changes
+------------
+
+VPN provider MTU
+~~~~~~~~~~~~~~~~
+
+To account for multiple VPN methods available for a site, the MTU used
+for the VPN tunnel connection is now moved to the specific VPN provider
+configuration. For fastd this means that ``mesh_vpn.mtu`` needs to be
+moved to ``mesh_vpn.fastd.mtu``. (`#2352 <https://github.com/freifunk-gluon/gluon/pull/2352>`__)
+
+Preconfigured Interfaces Roles
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Instead of ``mesh_on_wan`` and ``mesh_on_lan`` there is now an
+``interfaces`` block to configure the default behavior of network
+interfaces. Details can be found in the 
+:ref:`documentation<user-site-interfaces>`.
+
+Minor changes
+-------------
+
+- The ``brcm2708-bcm2708`` ``brcm2708-bcm2709`` ``brcm2708-bcm2710``
+  targets were renamed to ``bcm27xx-bcm2708`` ``bcm27xx-bcm2709`` and
+  ``bcm27xx-bcm2710``
+- The GL.iNet GL-AR750S was moved to the ``ath79-nand`` subtarget
+- Gluon now ships the ath10k-ct firmware derivation for
+  QCA9886 / QCA9888 / QCA9896 / QCA9898 / QCA9984 /
+  QCA9994 / IPQ4018 / IPQ4028 / IPQ4019 / IPQ4029
+  radios (`#2541 <https://github.com/freifunk-gluon/gluon/pull/2541>`__)
+- WolfSSL instead of OpenSSL is now used when built with WPA3 support
+- The option to configure the wireless-channel independent from the
+  site-selected channel was moved from
+  ``gluon-core.wireless.preserve_channels`` to
+  ``gluon.wireless.preserve_channels``
+- ``gluon-info`` is a new command that provides information about the
+  current node
+- ``GLUON_DEPRECATED`` is now set to 0 by default
+- To reboot a running gluon-node into setup-mode, Gluon now offers the
+  ``gluon-enter-setup-mode`` command
+- Devices without WLAN do not show the private-wifi configuration
+  anymore
+- The Autoupdater now uses the site default branch in case it is
+  configured to use a non-existent / invalid branch
+
+Known issues
+------------
+
+* A workaround for Android devices not waking up to their MLD subscriptions was removed,
+  potentially breaking IPv6 connectivity for these devices after extended sleep periods.
+  (`#2672 <https://github.com/freifunk-gluon/gluon/issues/2672>`_)
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed).

docs/requirements.txt

@@ -0,0 +1 @@
+sphinx-rtd-theme==1.2.0