Age  Commit message  Author
2020-11-06  iprule: move down address rule priority  [priority-fix]  Mikael Magnusson
With this configuration it's possible to accept traffic from the LAN to the WAN address, if a rule between the network and address rules which looks up the main table is inserted by the administrator. Previously the reverse traffic was wrongly sent out on the WAN interface. This is useful when you run a service such as a VPN gateway on the router that you want to access both from the LAN and WAN.
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
2020-11-05  bridge: only overwrite implicit vlan assignment if vlans are configured  [HEAD, master]  Felix Fietkau
When VLAN filtering is enabled, but no vlans are defined, the implicit VLANs should stay, so that forwarding between ports still works. This is useful for setups where VLANs are assigned by external scripts instead of being configured via netifd.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-05  system-dummy: set present state only for simple devices  Felix Fietkau
Fixes an issue with bringing up VLANs/bridges too early.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-05  bridge: fix use-after-free bug on bridge member free  Felix Fietkau
When removing the device reference, the core might free the device. Use device_lock/unlock to keep the reference valid until it is no longer needed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-05  bridge: preserve hotplug ports on vlan update if config is unchanged  Felix Fietkau
Fixes cleanup of port state.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-10-28  bridge: show vlans in device status  Felix Fietkau
List vlans with member ports, VLAN IDs and flags.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-10-28  vlandev: add pass-through hotplug ops that pass the VLAN info to the bridge  Felix Fietkau
Only used for 802.1q devices.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-10-28  vlan: add pass-through hotplug ops that pass the VLAN info to the bridge  Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-10-28  bridge: add support for defining port member vlans via hotplug ops  Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-10-22  interface: proto_ip: order by address index first  Yousong Zhou
At the moment, the dnsmasq initscript generates dhcp-range for an interface by inspecting the first address of that interface from netifd ubus output. Ordering by address index as specified in the uci config makes netifd ubus output consistent with linux network interfaces' primary/secondary address settings. More importantly, the ubus output and dnsmasq config generation will be more predictable.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-10-22  device_addr: record address index as in the blob  Yousong Zhou
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-10-22  proto: rework parse_addr to return struct device_addr  Yousong Zhou
This is a preparation for the next commit to record address index for the returned device_addr struct.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-10-22  build: find and use libnl header dirs  Yousong Zhou
The name of the libnl .pc file is libnl-3.0.pc. This commit is mainly for testing the netifd build on usual Linux systems. The netifd Makefile in the current OpenWrt build system specifies custom cmake flags to directly point to libnl-tiny.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-10-10  system-linux: initialize ifreq struct before using it  Alin Nastac
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2020-09-12  netifd: vxlan: add aging and maxaddress options  Johannes Kimmel
For both options the values can just be passed to the kernel. All unsigned values are accepted, thus no range checking is required.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-09-12  netifd: vxlan: add most missing boolean options  Johannes Kimmel
Adds the following missing options:
- learning
- rsc
- proxy
- l2miss
- l3miss
- gbp
See ip-link(3) for their meaning.
Still missing:
- external
- gpe
I'm not sure how to handle them at the moment. It's unclear to me what IFLA_VXLAN_* value corresponds to the 'external' option and according to the manpage, gpe depends on it.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-09-12  netifd: vxlan: refactor mapping of boolean attrs  Johannes Kimmel
Add a small function to handle boolean options and make use of it to handle:
- rxcsum
- txcsum
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-09-12  netifd: vxlan: handle srcport range  Johannes Kimmel
This adds the ability to set the source port range for vxlan interfaces. By default vxlans will use a random port within the ephemeral range as source ports for packets. This is done to aid scalability within a datacenter. But with these defaults it's impossible to punch through NATs or traverse most stateful firewalls easily. One solution is to fix the srcport to the same as dstport.
If only srcportmin is specified, then srcportmax is set in a way that outgoing packets will only use srcportmin. If a range is to be specified, srcportmin and srcportmax have to be specified. srcportmax is exclusive. If only srcportmax is specified, the value is ignored and defaults are used.
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-09-08  netifd-wireless: parse 'osen' encryption  Daniel Golle
Support Hotspot 2.0 online signup with encryption, either as the only encryption type of a dedicated SSID or together with WPA-EAP for single SSID setups.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-10  interface-ip: clear host bits of the device prefix  Hans Dedecker
Clear the host bits of the device prefix in interface_ip_add_device_prefix, as interface_set_prefix_address just ORs the calculated assignment part, which would lead to an invalid IPv6 address if the host bits are not masked out.
Suggested-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-07  bridge: flush vlan list on bridge free  Felix Fietkau
Fixes a potential memory leak.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-27  device: look up full device name before traversing vlan chain  Felix Fietkau
The user may have configured a VLAN device with explicit settings and the same name by adding a config device section.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-19  config: enable bridge vlan filtering by default for bridges that define VLANs  Felix Fietkau
Only enables it if the config option is not present. It can still be disabled.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-19  bridge: add support for VLAN filtering  Felix Fietkau
VLANs can be defined using bridge-vlan sections, like the following example:

config bridge-vlan
    option device 'switch0'
    option vlan '1'
    option ports "lan1 lan2 lan3 lan4:t*"

Each member port can be configured with optional attributes after ':'
- t: member port is tagged
- *: This is the primary VLAN for the port (PVID)
VLAN member interfaces are automatically added as bridge members.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-18  bridge: add support for adding vlans to a bridge  John Crispin
Add a rtnl helper for adding vlans to a bridge interface.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-18  bridge: add support for turning on vlan_filtering  John Crispin
If we want a bridge to be vlan aware we need to be able to turn on filtering.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-18  system-dummy: fix resolving ifindex  Felix Fietkau
Fixes bringup of devices.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-18  device: do not check state from within device_init  Felix Fietkau
At this point the device is usually not fully set up yet and cannot handle state changes / bringup.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-18  vlan: initialize device ifname earlier at creation time  Felix Fietkau
Avoids attempting to add the device with an empty string as ifname.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-07-11  utils: fix check_pid_path to work with deleted file as well  Karel Kočí
check_pid_path checks if a process with the given PID and executable path is running. If this code fails, the rest of the code can be convinced that the program is no longer running and possibly spawn a new instance that can collide with the already running one. This behavior was reproduced with hostapd.
The symbolic link exe in the process subdirectory in /proc points to the original executable. The problem is that it reads as the original path plus the string ' (deleted)' if the file is removed. The process is still running but the original file is no longer available on the file system. This behavior is triggered not only when the file is removed (unlinked) but also when the file is replaced. This happens clearly on package update. In general this happens any time all references (hard links) to the file are removed from the file system.
This is not the ultimate fix, as the exe link points to any last reference on the file system, with preference for the original one. The problem is if there are multiple references and the original one is removed. This can be reproduced just by copying the executable (hard linking) and unlinking the original one. In such a case the exe link would point to the copy and not to the original deleted one.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
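The liveness check this commit describes, as an added illustration that is not netifd's own code: `exe_link_matches()` is the pure comparison step that tolerates the kernel's ` (deleted)` suffix on the `/proc/<pid>/exe` link target, and `pid_runs_exe()` wraps it around `readlink()`. Both function names are assumptions chosen here, not names from the netifd source.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Suffix the kernel appends to the /proc/<pid>/exe link target once the
 * running executable has been unlinked or replaced on disk. */
static const char DELETED_SUFFIX[] = " (deleted)";

/* Pure comparison step (hypothetical helper, not netifd's code): decide
 * whether the readlink() result of /proc/<pid>/exe names the expected
 * executable, accepting a trailing " (deleted)". Returns true on match. */
bool exe_link_matches(const char *link_target, const char *exe_path)
{
	size_t len = strlen(link_target);
	size_t plen = strlen(exe_path);
	size_t slen = sizeof(DELETED_SUFFIX) - 1;

	/* Strip the suffix only when it is actually present. */
	if (len >= slen && strcmp(link_target + len - slen, DELETED_SUFFIX) == 0)
		len -= slen;

	/* Lengths must agree exactly, so "/usr/sbin/hostapd" matches neither
	 * "/usr/sbin/hostapdx" nor a shorter prefix of the real path. */
	return len == plen && strncmp(link_target, exe_path, plen) == 0;
}

/* Hypothetical equivalent of check_pid_path(): true if the process with the
 * given PID is still running from exe_path, even if that file was replaced. */
bool pid_runs_exe(pid_t pid, const char *exe_path)
{
	char link[64];
	char target[PATH_MAX + 1];
	ssize_t n;

	snprintf(link, sizeof(link), "/proc/%d/exe", (int)pid);
	n = readlink(link, target, sizeof(target) - 1);
	if (n < 0)
		return false;	/* no such PID, or not permitted to inspect it */
	target[n] = '\0';	/* readlink() does not NUL-terminate */

	return exe_link_matches(target, exe_path);
}
```

The comparison deliberately insists on equal lengths after stripping, so a different binary whose path merely starts with the expected one is not treated as the same process. It inherits the limitation the commit message states: if another hard link to the file survives, the kernel reports that link's path instead, and the check still reports the process as gone.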
2020-06-06  system-linux: improve handling of device rename  Kristian Evensen
After an interface has been renamed on a "fast" device (for example x86_64), the interface is sometimes not handled correctly by netifd. Looking in the logs, I see the following messages when renaming fails:

Wed Mar 11 08:52:44 2020 kern.info kernel: [68383.522038] igb 0000:03:00.0 nlw_1: renamed from eth2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: __device_add_user(710): Add user for device 'nlw_1', refcount=2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(413): Claim Network device nlw_1, new active count: 2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(432): claim Network device nlw_1 failed: -1

Instrumenting netifd further reveals that there is a race between the hotplug "@move" event and ioctl(SIOCGIFINDEX). When the above error happens, the ioctl-call fails with ENODEV. Looking closer at the kernel code, it seems the hotplug-event is triggered before the renaming is completed. The easiest way to trigger the race is if an interface name with the old name is not handled by netifd and an interface with the new name is. If only the old name is handled, or both names, I was not able to provoke the race.
When the renaming is complete, a NEWLINK-message is generated. This patch modifies the logic surrounding renaming, so that we wait for the NEWLINK-message before marking an interface as present. The changes made are:
* We only handle move-events for interfaces we know, and we return after the device has been set as not present.
* When we receive a NEWLINK message for an interface managed by netifd, we call device_set_present. device_set_present is guarded by the same checks as the add hotplug-event.
After these changes, renaming works properly on both "fast" and "slow" devices. Removing a device is also handled correctly.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-04  interface-ip: fix build on non-linux systems  Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-04  system-dummy: fix missing return  Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-04  netifd: wireless: add support for tracking wifi-station sections  John Crispin
This new section allows us to assign mac specific key/vid settings to a station.
Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04  netifd: wireless: add support for tracking wifi-vlan sections  John Crispin
This new section allows us to create apvlan settings for hostapd.
Signed-off-by: John Crispin <john@phrozen.org>
2020-05-21  vlandev: support setting ingress/egress QoS mappings  Pau Espin Pedrol
It allows setting mappings for instance this way:

config device
    option name 'vlan41'
    option type '8021q'
    option vid '41'
    option ifname 'eth1'
    list ingress_qos_mapping '1:2'
    list ingress_qos_mapping '2:5'
    list egress_qos_mapping '0:3'

Signed-off-by: Pau Espin Pedrol <pespin.shar@gmail.com>
Tested-by: Pedro <pedrowrt@cas.cat>
2020-04-14  interface, system: clean up netns functionality  Daniel Golle
Using a struct device pointer as parameter instead of a bare ifname allows for some simplification and again removing the system_ifname_resolve() function introduced in commit d93126d.
Fixes: d93126d ("interface: allow renaming interface when moving to jail netns")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14  interface: fix jail ifdown and jails without jail_ifname  Daniel Golle
Fixes: d93126d ("interface: allow renaming interface when moving to jail netns")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14  interface: allow renaming interface when moving to jail netns  Daniel Golle
Introduce jail_ifname option to define the name of a Linux network interface when moved into a jail's network namespace. This is useful for containers which expect the network interface to have a specific name (eg. 'host0' in case of systemd). While at it, clean-up and fix bugs in jail interface up/down routines.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-13  interface: allocate and free memory for jail name  Daniel Golle
Memory returned by blobmsg_get_string() is volatile, hence use strdup() to have a permanent copy of the returned string and free it when no longer needed.
Fixes: 1321c1b ("add basic support for jail network namespaces")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-03-27  system-linux: fix PATH_MAX undeclared compilation error  Alin Nastac
Issue was introduced in commit 1321c1bd8fe921986c4eb39c3783ddd827b79543.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2020-03-26  system-linux: fix compilation with musl 1.2.0  Rosen Penev
Switched to the plain function instead of the now gone syscall.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-02-05  interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel  Alin Nastac
When netifd manages the prefix route directly, it will remove it the moment the prefix gets deprecated. This will make it impossible for the target to send ICMPv6 errors back to LAN devices still using the deprecated prefix, thus breaking the L-14 requirement of RFC 7084.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2020-01-18  add basic support for jail network namespaces  Daniel Golle
Prepare netifd for handling procd service jails having their own network namespace. Interfaces having the jail attribute will only be brought inside the jail's network namespace by procd calling the newly introduced ubus method 'netns_updown'. Currently proto 'static' is supported and configuration changes are not yet being handled (ie. you'll have to restart the jailed service for changes to take effect).
Example /etc/config/network snippet:

config device 'veth0'
    option type 'veth'
    option name 'vhost0'
    option peer_name 'virt0'

config interface 'virt'
    option type 'bridge'
    list ifname 'vhost0'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'

config interface 'virt0'
    option ifname 'virt0'
    option proto 'static'
    option ipaddr '10.0.0.2'
    option netmask '255.255.255.0'
    option gateway '10.0.0.1'
    option dns '10.0.0.1'
    option jail 'transmission'

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-04  move resolv.conf.auto to /tmp/resolv.conf.d/  Daniel Golle
Using /tmp/resolv.conf.d/ has the advantage that we can mount-bind it. Mount-bind'ing /tmp/resolv.conf.auto directly previously caused problems as the file is being deleted/replaced at run-time.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-04  Revert "interface: warn if ip6hint is truncated"  Jo-Philipp Wich
This reverts commit e45b1408284c05984b38a910a1f0a07d6c761397.
Reverting the commit as the submitter's Signed-off-by has been mistakenly added without the author's consent.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-29  interface: warn if ip6hint is truncated  Uwe Kleine-König
When for example a /60 is assigned to a network the last 4 bits of the ip6hint are unused. Emit a warning if any of these unused bits is set as it indicates that someone didn't understand how the hint is used. (As I did earlier today resulting in spending some time understanding the code.)
Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-12  wireless: make reconf opt-in and allow serializing configuration  John Crispin
Add option 'reconf' to make dynamic re-configuration opt-in. Also add option 'serialize' to 'wifi-device' section and if set configure interfaces of wireless devices one-by-one. Both options are disabled by default.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-10-25  wireless: add ubus method for reloading configuration  John Crispin
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-08-05  system-linux: fix resource leak  Hans Dedecker
Fix cb leak in case an invalid type is specified in system_if_clear_entries. Detected by Coverity in CID 1431183.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>