path: root/package/network/config

Commit log (newest first); each entry lists author, date, files changed and lines removed/added.
* dsaconfig: introduce package for UCI configuration of VLAN filter rules (Jo-Philipp Wich, 2020-08-06, 4 files, -0/+364)

  This package provides the necessary files to translate `config dsa_vlan` and `config dsa_port` sections of `/etc/config/network` into appropriate bridge vlan filter rules.

  The approach of the configuration is to bridge all DSA ports into a logical bridge device, called "switch0" by default, and to set VLAN port membership, tagging state and PVID as specified by UCI on each port and on the switch bridge device itself, allowing logical interfaces to reference port VLAN groups by using "switch0.N" as ifname, where N denotes the VLAN ID.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* package: replace remaining occurrences of ifconfig with ip (Adrian Schmutzler, 2020-08-03, 2 files, -4/+4)

  ifconfig has effectively been deprecated for quite some time now. Let's replace the remaining occurrences for packages by the corresponding ip commands now.

  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firewall: bump to version 2020-07-05 (Yousong Zhou, 2020-07-26, 1 file, -3/+3)

  Changes since last source version

  e9b90df zones: apply tcp mss clamping also on ingress path
  050816a redirects: fix segmentation fault
  f62a52b treewide: replace unsafe string functions
  23cc543 improve reload logic
  9d7f49d redurects: add support to define multiple zones for dnat reflection rules
  f87d0b0 firewall3: defaults: fix uci flow_offloading option
  fe9602c rules: fix typo
  7cc2a84 defaults: robustify flow table detection.

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* vxlan: add capability for multiple fdb entries (Johannes Kimmel, 2020-07-20, 2 files, -2/+48)

  Similar to wireguard, vxlan can configure multiple peers or add specific entries to the fdb for a single mac address.

  While you can still use peeraddr/peer6addr option within the proto vxlan/vxlan6 section to not break existing configurations, this patch allows adding multiple sections that configure fdb entries via the bridge command. As such, the bridge command is now a dependency of the vxlan package. (To be honest without the bridge command available, vxlan isn't very much fun to use or debug at all)

  Field names are taken directly from the bridge command.

  Example with all supported parameters, since this hasn't been documented so far:

    config interface 'vx0'
        option proto 'vxlan6'              # use vxlan over ipv6

        # main options
        option ip6addr '2001:db8::1'       # listen address
        option tunlink 'wan6'              # optional if listen address given
        option peer6addr '2001:db8::2'     # now optional
        option port '8472'                 # this is the standard port under linux
        option vid '42'                    # VXLAN Network Identifier to use
        option mtu '1430'                  # vxlan6 has 70 bytes overhead

        # extra options
        option rxcsum '0'                  # allow receiving packets without checksum
        option txcsum '0'                  # send packets without checksum
        option ttl '16'                    # specifies the TTL value for outgoing packets
        option tos '0'                     # specifies the TOS value for outgoing packets
        option macaddr '11:22:33:44:55:66' # optional, manually specify mac
                                           # default is a random address

  Single peer with head-end replication. Corresponds to the following call to bridge:

    $ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3

    config vxlan_peer
        option vxlan 'vx0'
        option dst '2001:db8::3'           # always required

  For multiple peers, this section can be repeated for each dst address.

  It's possible to specify a multicast address as destination. Useful when multicast routing is available or within one lan segment:

    config vxlan_peer
        option vxlan 'vx0'
        option dst 'ff02::1337'            # multicast group to join.
                                           # all bum traffic will be sent there
        option via 'eth1'                  # for multicast, an outgoing interface needs
                                           # to be specified

  All available peer options for completeness:

    config vxlan_peer
        option vxlan 'vx0'                 # the interface to configure
        option lladdr 'aa:bb:cc:dd:ee:ff'  # specific mac,
        option dst '2001:db8::4'           # connected to this peer
        option via 'eth0.1'                # use this interface only
        option port '4789'                 # use different port for this peer
        option vni '23'                    # override vni for this peer
        option src_vni '123'               # see man 3 bridge

  Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
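As an added example (not code from the vxlan package or from the commit author), the POSIX sh script below parses a constructed /etc/config/network fragment holding the `config vxlan_peer` sections described in the commit above and prints the `bridge fdb append` call each one stands for. The sample config, the function names and the rule that a peer section missing `dst` is skipped with a warning are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the vxlan package: turn the `config vxlan_peer`
# sections described above into the `bridge fdb append` calls they stand for.
# Constructed /etc/config/network fragment mirroring the commit's examples.
sample_network_config() {
    cat <<'EOF'
config interface 'vx0'
    option proto 'vxlan6'
    option port '8472'        # interface-level port, not a peer option
config vxlan_peer             # head-end replication to one unicast peer
    option vxlan 'vx0'
    option dst '2001:db8::3'
config vxlan_peer             # multicast group needs an outgoing interface
    option vxlan 'vx0'
    option dst 'ff02::1337'
    option via 'eth1'
config vxlan_peer             # every supported peer option
    option vxlan 'vx0'
    option lladdr 'aa:bb:cc:dd:ee:ff'
    option dst '2001:db8::4'
    option via 'eth0.1'
    option port '4789'
    option vni '23'
    option src_vni '123'
config vxlan_peer             # broken: no dst, must be skipped with a warning
    option vxlan 'vx0'
EOF
}
# Strip one layer of single or double quotes from a UCI value.
uci_unquote() { v=$1; v=${v#\'}; v=${v%\'}; v=${v#\"}; v=${v%\"}; printf '%s' "$v"; }
reset_peer() { P_TYPE=; P_VXLAN=; P_LLADDR=; P_DST=; P_VIA=; P_PORT=; P_VNI=; P_SRC_VNI=; }
# Print the bridge command for the section collected so far, if it is a usable peer.
# An all-zero lladdr is the head-end replication entry: BUM traffic is flooded to dst.
emit_peer() {
    [ "$P_TYPE" = vxlan_peer ] || return 0
    if [ -z "$P_VXLAN" ] || [ -z "$P_DST" ]; then
        echo "vxlan_peer: 'vxlan' and 'dst' are required, section skipped" >&2
        return 0
    fi
    cmd="bridge fdb append ${P_LLADDR:-00:00:00:00:00:00} dev $P_VXLAN dst $P_DST"
    for kv in "via=$P_VIA" "port=$P_PORT" "vni=$P_VNI" "src_vni=$P_SRC_VNI"; do
        if [ -n "${kv#*=}" ]; then cmd="$cmd ${kv%%=*} ${kv#*=}"; fi
    done
    echo "$cmd"
}
# Walk the config line by line; each `config` keyword closes the previous section.
vxlan_fdb_commands() {
    sample_network_config | {
        set -f                # no globbing while splitting lines into words
        reset_peer
        while IFS= read -r line; do
            line=${line%%#*}  # drop trailing comments
            set -- $line
            [ $# -ge 2 ] || continue
            case $1 in
                config) emit_peer; reset_peer; P_TYPE=$2 ;;
                option) val=$(uci_unquote "${3-}")
                    case $2 in
                        vxlan) P_VXLAN=$val ;;   lladdr) P_LLADDR=$val ;;
                        dst) P_DST=$val ;;       via) P_VIA=$val ;;
                        port) P_PORT=$val ;;     vni) P_VNI=$val ;;
                        src_vni) P_SRC_VNI=$val ;;
                    esac ;;
            esac
        done
        emit_peer             # flush the last section
    }
}
vxlan_fdb_commands
```

The interface-level `option port` is ignored because only sections of type vxlan_peer are emitted, and the peer without `dst` produces a warning on stderr instead of a half-formed bridge command.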
* vxlan: remove mandatory peeraddr (Johannes Kimmel, 2020-07-20, 1 file, -12/+0)

  vxlan can be configured without a peer address. This is used to prepare an interface and add peers later.

  Fixes: FS#2743
  Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
  Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
* ltq-*dsl-app: dsl_control: remove unneeded check for lantiq_dsl.sh (Martin Schiller, 2020-07-17, 4 files, -4/+4)

  This file is always present because it is part of the ltq-dsl-base package on which these packages depend.

  This check would not have been necessary in the past, because the script was part of the TARGET_LANTIQ on which these packages also depend.

  Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* lantiq: move dsl related base-files into own package (Martin Schiller, 2020-07-17, 2 files, -2/+2)

  It does not make sense to install these components on lantiq systems where the dsl subsystem is not needed/used.

  This also makes it possible to use the files also on other targets. (hopefully ipq401x / FritzBox 7530 in the near future)

  Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
* package: drop PKG_VERSION for purely local packages (Adrian Schmutzler, 2020-07-15, 4 files, -4/+0)

  In the package guidelines, PKG_VERSION is supposed to be used as "The upstream version number that we're downloading", while PKG_RELEASE is referred to as "The version of this package Makefile".

  Thus, the variables in a strict interpretation provide a clear distinction between "their" (upstream) version in PKG_VERSION and "our" (local OpenWrt trunk) version in PKG_RELEASE. For local (OpenWrt-only) packages, this implies that those will only need PKG_RELEASE defined, while PKG_VERSION does not apply following a strict interpretation.

  While the majority of "our" packages actually follow that scheme, there are also some that mix both variables or have one of them defined but keep them at "1". This is misleading and confusing, which can be observed by the fact that typically either one of the variables is never bumped or the choice of the variable to increase depends on the person doing the change.

  Consequently, this patch aims at clarifying the situation by consistently using only PKG_RELEASE for "our" packages. To achieve that, PKG_VERSION is removed there, bumping PKG_RELEASE where necessary to ensure the resulting package version string is bigger than before.

  During adjustment, one has to make sure that the new resulting composite package version will not be considered "older" than the previous one. A useful tool for evaluating that is 'opkg compare-versions'. In principle, there are the following cases:

  1. Sole PKG_VERSION replaced by sole PKG_RELEASE: In this case, the resulting version string does not change, it's just the value of the variable put in the file. Consequently, we do not bump the number in these cases so nobody is tempted to install the same package again.

  2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE: In this case, the resulting version string has been "version-release", e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just need to be higher than the previous PKG_VERSION. For the cases where PKG_VERSION has always stuck to "1", and PKG_RELEASE has been incremented, we take the most recent value of PKG_RELEASE.

  Apart from that, a few packages appear to have developed their own complex versioning scheme, e.g. using x.y.z number for PKG_VERSION _and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION (adb-enablemodem, wwan). I didn't touch these few in this patch.

  Cc: Hans Dedecker <dedeckeh@gmail.com>
  Cc: Felix Fietkau <nbd@nbd.name>
  Cc: Andre Valentin <avalentin@marcant.net>
  Cc: Matthias Schiffer <mschiffer@universe-factory.net>
  Cc: Jo-Philipp Wich <jo@mein.io>
  Cc: Steven Barth <steven@midlink.org>
  Cc: Daniel Golle <dgolle@allnet.de>
  Cc: John Crispin <john@phrozen.org>
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* vxlan: bump and change to PKG_RELEASE (Adrian Schmutzler, 2020-07-15, 1 file, -1/+1)

  Bumping package version has been overlooked in a previous commit.

  While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter is meant for upstream version number only. (The effective version string for the package would be "3" in both cases, so there is no harm done for version comparison.)

  Fixes: 0453c3866feb ("vxlan: fix udp checksum control")
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* vxlan: fix udp checksum control (Johannes Kimmel, 2020-07-15, 1 file, -0/+2)

  So far, passing "rxcsum" and "txcsum" had no effect.

  Fixes: 95ab18e0124e ("vxlan: add options to enable and disable UDP checksums")
  Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
  [add Fixes:]
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* netifd: replace timesvr with timesrv (Sukru Senli, 2020-06-27, 1 file, -1/+7)

  /lib/netifd/dhcp.script:
  Keep support for 'timesvr' while also supporting 'timesrv'
  Add log message indicating deprecation of 'timesvr'

  Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
* soloscli: fix uci-defaults file (Adrian Schmutzler, 2020-06-11, 2 files, -3/+1)

  The folder for the uci-defaults file of this package is wrong, so the file most probably has not been executed at all for several years at least.

  Fix the folder and remove the useless shebang for the file.

  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* netifd: disable receive packet steering for DSA slave devices (Felix Fietkau, 2020-06-10, 1 file, -4/+9)

  It is already handled on the master device. Doing it twice reduces performance.

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: update to latest git HEAD (Hans Dedecker, 2020-06-06, 1 file, -3/+3)

  51e9fb8 system-linux: improve handling of device rename

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest HEAD (John Crispin, 2020-06-04, 1 file, -4/+4)

  db275e1 interface-ip: fix build on non-linux systems
  3392046 system-dummy: fix missing return
  a56b457 netifd: wireless: add support for tracking wifi-station sections
  4ce33ce netifd: wireless: add support for tracking wifi-vlan sections

  Signed-off-by: John Crispin <john@phrozen.org>
* qos-scripts: fix interface resolving (Jo-Philipp Wich, 2020-05-29, 2 files, -8/+14)

  Also ensure that the error message is actually printed to stderr and that the rule generation is aborted if an interface cannot be resolved.

  Ref: https://github.com/openwrt/luci/issues/3975
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: add rule for traceroute support (Philip Prindeville, 2020-05-21, 1 file, -0/+13)

  Running your firewall's "wan" zone in REJECT zone (1) exposes the presence of the router, (2) depending on the sophistication of fingerprinting tools might identify the OS and release running on the firewall which then identifies known vulnerabilities with it and (3) perhaps most importantly of all, your firewall can be used in a DDoS reflection attack with spoofed traffic generating ICMP Unreachables or TCP RSTs to overwhelm a victim or saturate his link.

  This rule, when enabled, allows traceroute to work even when the default input policy of the firewall for the wan zone has been set to DROP.

  Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* netifd: ingress/egress vlan qos mapping support (Hans Dedecker, 2020-05-21, 1 file, -3/+3)

  74e0222 vlandev: support setting ingress/egress QoS mappings

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: replace backticks by $(...) (Adrian Schmutzler, 2020-05-13, 3 files, -3/+3)

  This replaces deprecated backticks by more versatile $(...) syntax.

  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ltq-vdsl-app: replace backticks by $(...) (Adrian Schmutzler, 2020-05-13, 1 file, -1/+1)

  This replaces deprecated backticks by more versatile $(...) syntax.

  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* netifd: clean up netns functionality (Daniel Golle, 2020-04-14, 1 file, -3/+3)

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: fix jail ifdown and jails without jail_ifname (Daniel Golle, 2020-04-14, 1 file, -3/+3)

  The previous commit introduced a regression for netns jails without jail_ifname set. Fix that.

  Fixes: 4e4f7c6d2d ("netifd: network namespace jail improvements")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: network namespace jail improvements (Daniel Golle, 2020-04-14, 1 file, -3/+3)

  aaaca2e interface: allocate and free memory for jail name
  d93126d interface: allow renaming interface when moving to jail netns

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: fix 14_migrate-dhcp-release script (Peter Stadler, 2020-04-05, 1 file, -1/+1)

  prepend 'uci' to 'commit network'

  Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
* netifd: fix compilation with musl 1.2.0 (Hans Dedecker, 2020-03-26, 1 file, -3/+3)

  1e8328 system-linux: fix compilation with musl 1.2.0

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEAD (Hans Dedecker, 2020-03-16, 1 file, -3/+3)

  dbdef93 interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: rename 20-smp-tune to 20-smp-packet-steering (Alan Swanson, 2020-03-03, 1 file, -0/+0)

  Rename the script to be more obvious that this is for packet steering only.

  Signed-off-by: Alan Swanson <reiver@improbability.net>
* netifd: change RPS/XPS handling to all CPUs and disable by default (Alan Swanson, 2020-03-03, 1 file, -9/+4)

  The current implementation is significantly lowering lantiq performance [1][2] by using RPS with non-irq CPUs and XPS with alternating CPUs. The previous netifd implementation (by default but could be configured) simply used all CPUs and this patch essentially reverts to this behaviour.

  The only document suggesting using non-interrupt CPUs is Red Hat [3] where if the network interrupt rate is extremely high excluding the CPU that handles network interrupts *may* also improve performance.

  The original packet steering patches [4] advise that optimal settings for the CPU mask seems to depend on architectures and cache hierarchy so one size does not fit all. It also advises that the overhead in processing for a lightly loaded server can cause performance degradation.

  Ideally, proper IRQ balancing is a better option with the irqbalance daemon or manually.

  The kernel does not enable packet steering by default, so also disable in OpenWRT by default. (Though mvebu with its hardware scheduling issues [5] might want to enable packet steering by default.)

  Change undocumented "default_ps" parameter to clearer "packet_steering" parameter. The old parameter was only ever set in target/linux/mediatek/base-files/etc/uci-defaults/99-net-ps and matched the default.

  [1] https://forum.openwrt.org/t/18-06-4-speed-fix-for-bt-homehub-5a
  [2] https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1105
  [3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps
  [4] https://marc.info/?l=linux-netdev&m=125792239522685&w=2
  [5] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=2e1f6f1682d3974d8ea52310e460f1bbe470390f

  Fixes: #1852
  Fixes: #2573
  Signed-off-by: Alan Swanson <reiver@improbability.net>
* netifd/config.sh: remove some bashism (usage of [[) (Sven Roederer, 2020-01-26, 1 file, -1/+1)

  "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage.

  Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* netifd: add basic support for jail network namespaces (Daniel Golle, 2020-01-21, 1 file, -3/+3)

  Prepare netifd for handling procd service jails having their own network namespace. Interfaces having the jail attribute will only be brought up inside the jail's network namespace by procd calling the newly introduced ubus method 'netns_updown'.

  Currently proto 'static' is supported and configuration changes are not yet being handled (ie. you'll have to restart the jailed service for changes to take effect).

  Example /etc/config/network snippet:

    config device 'veth0'
        option type 'veth'
        option name 'vhost0'
        option peer_name 'virt0'

    config interface 'virt'
        option type 'bridge'
        list ifname 'vhost0'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

    config interface 'virt0'
        option ifname 'virt0'
        option proto 'static'
        option ipaddr '10.0.0.2'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'
        option dns '10.0.0.1'
        option jail 'transmission'

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/ (Daniel Golle, 2020-01-07, 1 file, -4/+4)

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* gre: add ipv6 parameter to gre interfaces (Alin Nastac, 2019-12-02, 2 files, -3/+5)

  IPv6 protocol is enabled on all gre interfaces, but gre(v6)tap interfaces are usually added to a bridge interface, in which case IPv6 should be enabled only on the bridge interface.

  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* netifd: update to latest git HEAD (Hans Dedecker, 2019-11-29, 1 file, -3/+3)

  e45b140 interface: warn if ip6hint is truncated

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest Git HEAD (Jo-Philipp Wich, 2019-11-22, 1 file, -3/+3)

  8174814 utils: persist effective extra_src and extra_dest options in state file
  72a486f zones: fix emitting match rules for zones with only "extra" options

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: dhcp proto convert release to norelease (Kevin Darbyshire-Bryant, 2019-11-20, 3 files, -6/+29)

  Change dhcp no/release on shutdown to 'norelease' uci option to match existing proto dhcpv6 usage.

  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
  Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: add dynamic wireless reconfiguration (Daniel Golle, 2019-11-12, 1 file, -3/+3)

  7a723d0 wireless: add ubus method for reloading configuration
  e15147c wireless: make reconf opt-in and allow serializing configuration

  Set new option 'reconf' in 'wifi-device' section to enable dynamic re-configuration on that radio. If necessary, also set option 'serialize' which forces netifd to configure interfaces of wireless devices one-by-one. Both options are disabled by default.

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* swconfig: Activate LTO compile option (Hauke Mehrtens, 2019-11-08, 1 file, -0/+3)

  This decreases the size of the swconfig application by 25% on MIPS BE.

  old: 16,916 /sbin/swconfig
  new: 12,565 /sbin/swconfig

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers (Hauke Mehrtens, 2019-11-01, 1 file, -1/+0)

  When ASLR_PIE was activated globally these drivers failed to build because the user space LDFLAGS leaked into the kernel build process. This was fixed in upstream Linux kernel commit ce99d0bf312d ("kbuild: clear LDFLAGS in the top Makefile") which went into Linux 4.17. The lantiq target is now on Linux 4.19 only and these exceptions are not needed any more.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* lantiq: fix dsl_control status handling. (Martin Schiller, 2019-10-15, 4 files, -8/+8)

  Commit 7519a36774ca ("base-files,procd: add generic service status") introduced the generic 'status' command which broke the previous dsl_control status output.

  To fix this, let's rename the "old" command to "dslstat".

  Fixes: 7519a36774ca ("base-files,procd: add generic service status")
  Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* firewall: update to latest git HEAD (Hans Dedecker, 2019-10-04, 1 file, -3/+3)

  daed0cf utils: fix resource leak

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest Git HEAD (Jo-Philipp Wich, 2019-09-18, 1 file, -3/+3)

  383eb58 ubus: do not overwrite ipset name attribute

  Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEAD (Petr Štetiar, 2019-09-15, 1 file, -3/+3)

  c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* netifd,lldpd,rpcd,log: use generic service_running (Petr Štetiar, 2019-09-15, 1 file, -5/+0)

  commit eb204d14f75c ("base-files: implement generic service_running") introduced generic service_running so it's not needed to copy&paste same 3 lines over and over again.

  I've removed service_running from netifd/network init script as well, because it was not working properly, looked quite strange and I didn't understand the intention:

    $ /etc/init.d/network stop
    $ service network running && echo "yes" || echo "nope"
    ( have to wait for 30s )
    Command failed: Request timed out
    yes

  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firewall: update to latest git HEAD (Hauke Mehrtens, 2019-09-08, 1 file, -3/+3)

  487bd0d utils: Fix string format message

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* firewall: update to latest git HEAD (Hans Dedecker, 2019-09-07, 1 file, -3/+3)

  4d0c703 firewall3: Fix some format string problems
  8c404ef iptables.c: lock the xtables.lock
  c1d3a4d utils: implement fw3_lock_path() & fw3_unlock_path()

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEAD (Kevin Darbyshire-Bryant, 2019-08-22, 1 file, -3/+3)

  bf29c1e firewall3: ipset: Handle reload_set properly

  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* firewall: improve ipset support (Kevin Darbyshire-Bryant, 2019-08-16, 1 file, -4/+4)

  Bump to latest git HEAD

  509e673 firewall3: Improve ipset support

  The enabled option did not work properly for ipsets, as it was not checked on create/destroy of a set. After this commit, sets are only created/destroyed if enabled is set to true.

  Add support for reloading, or recreating, ipsets on firewall reload. By setting "reload_set" to true, the set will be destroyed and then re-created when the firewall is reloaded.

  Add support for the counters and comment extensions. By setting "counters" or "comment" to true, then counters or comments are added to the set.

  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: update to latest git HEAD (Hans Dedecker, 2019-08-07, 1 file, -3/+3)

  5e02f94 system-linux: fix resource leak

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: update to latest git HEAD (Hans Dedecker, 2019-08-05, 1 file, -3/+3)

  de94097 utils: coverity resource leak warning

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEAD (Hans Dedecker, 2019-07-22, 1 file, -3/+3)

  899f168 system-linux: Coverity fixes

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>