Jan Luebbe authored 6 years ago and chrissi^ committed 3 months ago

For parker we need DHCP on the client interface. Ths rule
prevents us from doing so.
In addition: make sure old rules will be deleted on upgrade.

This change removes the prefix4 and prefix6 attributes from the
site.conf. These do not make sense in the context of parker.

Packages that are usually used in parker do not use these anymore. Some
other packages do - you should not enable those :-)

With this change a ipv6 route to prefix_6 will no longer be set on
br-client. Systems that already have this route will keep it.

With this change the (not working) redirect in the http status page has
been removed. We should consider to add this later on.

Hint: Some changes were moved from this commit to:
community-packages:ffbs-mesh-vpn-parker/files/lib/gluon/upgrade/401-respondd-firewall-parker
This reverts changes done in package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall.

OpenWrt now allows to specify the ifname of the transition interface
instead of SSID and BSSID, internally automatically detecting these from
interfaces on the same PHY. Thus, these cross-VAP dependant
configuration can be omitted from UCI.

Signed-off-by: David Bauer <mail@david-bauer.net>

With the new role-based interface configuration, it would be better to
rename the wan/wan6 interfaces to uplink/uplink6, but that would cause
unnecessary churn for the firewall configuration, so it is left for a
later update.

As all interfaces with the 'uplink' role are in the br-wan bridge, it is
not possible to assign these to the 'mesh' role independently - instead,
br-wan is added as a mesh interface as soon as a single interface has
both the 'uplink' and 'mesh' roles. The UCI section for this
configuration is now called 'mesh_uplink' instead of 'mesh_wan'.

For all interfaces that have the 'mesh', but not the 'uplink' role a
second configuration 'mesh_other' is created. If there is more than one
such interface, all these interfaces are bridged as well (creating a
bridge 'br-mesh_other'). This replaces the 'mesh_lan' section with its
optional 'br-mesh_lan' bridge, but can also include interfaces that were
not considered "LAN" when interfaces roles are modified (via site.conf
or manually).

Avoid requiring gluon.wireless from gluon.platform, and requiring
gluon.platform from various other scripts.

* gluon-core: remove obsolete file 100-core-reset-sysctl

* gluon-core: remove obsolete cleanup line

* gluon-client-bridge: remove obsolete cleanup line

This renames the local_client zone to loc_client, as local_clint exceeds
the maximum zone length allowed for firewall3, which is 11 bytes.

This worked previously due to firewall3 using unsafe string operations.
Now creation of the chain fails (latest OpenWrt master).

Separate wireless-related helper methods from the util module to a
new wireless module. This keeps them separated, as the amount of
wireless helpers increased in the past, justifying a separate module.

Allow odhcp6c to fork the script to handle router
advertisments in 30 seconds intervals. This is the value
that was previously used in Gluon v2018.1 / LEDE 17.01.

The default value is 3 seconds and while it is RFC compliant
it can put alot of pressure on even moderately sized devices.

Signed-off-by: Martin Weinelt <martin@darmstadt.freifunk.net>

The commit b3762fc6 ("gluon-client-bridge: move IPv4 local subnet route
to br-client (#1312)") moves the IPv4 prefix from the local-port interface
to br-client. A client requesting an IPv4 connection to the IPv4 anycast
address of the node (the device running gluon) will create following
packets:

1. ARP packet from client to get the MAC of the mac address of the anycast
   IPv4 address
2. ARP reply from node to client with the anycast MAC address for the IPv4
   anycast address
3. IPv4 packet from client which requires reply (for example ICMP echo
   request)
4. ARP request for the client MAC address for its IPv4 address in prefix4
   (done with the mac address of br-client and transmitted over br-client)
5. IPv4 packet from node (transmitted over br-client with br-client MAC
   address) as reply for the client IPv4 packet (for example ICMP echo
   reply)

The step 4 and 5 are problematic here because packets use the node specific
MAC addresses from br-client instead of the anycast MAC address. The client
will receive the ARP packet with the node specific MAC address and change
their own neighbor IP (translation) table. This will for example break the
access to the status page to the connected device or the anycast DNS
forwarder implementation when the client roams to a different node.

This reverts commit b3762fc6 and adds an
upgrade code to remove local_node_route on on existing installations.

net.ipv6.conf.br-client.forwarding is moved from gluon-client-bridge to
gluon-mesh-batman-adv, as the setting is not useful with non-bridged
protocols.

This patch moves the prefix4 subnet route from the local-node veth
device to br-client (while keeping the next node ipv4 address on the
local node device).

This is in preparation to allow routing over the br-client interface
later.

Allows to remove some redundant UCI lookups.

The 'auto' attribute still allows enabling the interface using ifup, which
is not intended when wired mesh is disabled.

As core defines basic rules for this zone, it makes sense to create it
there.

 * gluon-core, gluon-client-bridge: introduce new firewall zone: local_client
 * gluon-core: put clients in local_client zone, introduce drop-zone,
   set dns-rules and zones
 * gluon-respondd: allow respondd on mesh
 * gluon-status-page-api: allow http input on mesh and client

Some files have received some additional refactoring.

In particular, this affects users of gluon.util.iterate_radios.

The next-node MAC address doesn't need to be unique in different
communities, so we can as well add a default value.

LEDE recently disabled multicast snooping by default:

https://git.lede-project.org/?p=project/netifd.git;a=commitdiff;h=52541140f8138e31958cdc3d7e42a4029fa6bbc9



Reenable it for Gluon as there have been no confirmed issues for
LEDE and no negative reports concerning Gluon v2016.2.x so far.

Closes #1025.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

gluon-core: gluon.util: pass UCI cursor as argument to iterate_radios() instead of using local context

We always want to prefer the unique node address for outgoing traffic. Note
that this doesn't have an effect with batman-adv, as usually br-client will
be the outgoing interface, so the unique address would be chosen anyways.

macvlan interfaces never directly exchange traffic with the underlying
interface, but only with other hosts behind the interface. In consequence,
router advertisements from the uradvd running on br-client could never
reach local-node, preventing it from getting an IPv6 address without RAs
from an external radvd. Fix this be replacing the macvlan interface with
a veth pair (with the peer interface in br-client).

As a side effect, this saves about 5KB of flash, as the veth module is
simpler than macvlan.

When preparing the migration from macvlan to veth for local-node, MAC
address conflicts occurred as some ports of br-client had the same address
as local-node. Reverting the roles of both interfaces fixes this.

By default, br-client is left as an interface without addresses and
firewall rules that drop everything, so the bridge is used to connect its
ports only. gluon-mesh-batman-adv-core changes this to the usual set
of addresses and firewall rules.

Prepare reverting the roles of br-client and local-node to their state
before 8c4403ba.

Also simplify the local_node.peerdns setting.

We also make use of the boolean support of simple-uci to make scripts
clearer.

gluon-client-bridge, gluon-mesh-batman-adv-core: switch roles of br-client and local-node interfaces

MAC and IP addresses are switched. This makes the gluon-client-bridge
package more useful for different routing protocols that don't need a
unique address on the client bridge.

As a side effect, gluon-radvd is now using the next-node address, which had
been considered before, but was dismissed to avoid having gluon-radvd
depend on gluon-next-node and gluon-mesh-batman-adv. This will be useful
for announcing default routes via gluon-radvd.

One downside is that this introduces a minor dependency on batman-adv in
gluon-respondd: the hotplug script that checked for the client interface
before will now check for local-node. This doesn't really matter: for mesh
protocols without a local-node interface, the check will do nothing (which
makes sense, as there is no interface to bind to for mesh-wide respondd).

gluon-client-bridge: add LAN interfaces to client bridge by default (instead of doing this in the batman-adv-specific scripts)

This allows to weaken the gluon-mesh-batman-adv-core dependency of
gluon-luci-portconfig to gluon-client-bridge.

Some drivers (mt76) don't support arbitrary MAC addresses. Use the
addresses provided by the driver (avoiding the primary address) by default,
but fall back to our has-based scheme when the driver doesn't provide
(enough) addresses.