project/netifd.git
3 years agobridge: tune default stp parameters
Felix Fietkau [Tue, 24 Aug 2021 15:16:05 +0000 (17:16 +0200)]
bridge: tune default stp parameters

The default forwarding delay 2 is broken and makes STP non-functional by
default. The kernel's default of 15 is rather long.
This commit changes makes the timer settings more aggressive than the
kernel's default while still being consistent and allowing proper
convergence for a network diameter up to 4

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: add support for an external STP daemon
Felix Fietkau [Sun, 22 Aug 2021 06:00:18 +0000 (08:00 +0200)]
bridge: add support for an external STP daemon

netifd notifies the stp daemon through the network.device object and sends
STP related configuration parameters. The daemon can also trigger a STP
restart in order to close the race on init

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: memset bst->config by default to avoid stale config values
Felix Fietkau [Tue, 24 Aug 2021 10:58:35 +0000 (12:58 +0200)]
bridge: memset bst->config by default to avoid stale config values

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agodevice: add support for configuring device link speed/duplex
Felix Fietkau [Mon, 2 Aug 2021 20:48:44 +0000 (22:48 +0200)]
device: add support for configuring device link speed/duplex

The 'speed' option can be set to the speed in Mbps
The 'duplex' option can be 1 or 0 for full or half duplex

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agodevice: extend device settings flags to 64 bit
Felix Fietkau [Thu, 29 Jul 2021 18:06:14 +0000 (20:06 +0200)]
device: extend device settings flags to 64 bit

The previous 32 bit limit is almost used up

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: fix regression in bringing up bridge ports
Felix Fietkau [Mon, 26 Jul 2021 18:39:17 +0000 (20:39 +0200)]
bridge: fix regression in bringing up bridge ports

Move the DEV_EVENT_LINK_UP case to avoid messing with a fallthrough
Only restart members if the vlan check returns a positive result

Fixes: 85f01c44a950 ("bridge: check bridge port vlan membership on link-up events")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agowireless: add back regular virtual interfaces on hotplug-add events as well
Felix Fietkau [Fri, 23 Jul 2021 09:37:57 +0000 (11:37 +0200)]
wireless: add back regular virtual interfaces on hotplug-add events as well

When hostapd does a DFS channel switch, it tears down all vifs except for the
primary one, which causes them got get dropped from the device configuration

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: check bridge port vlan membership on link-up events
Felix Fietkau [Fri, 23 Jul 2021 09:04:45 +0000 (11:04 +0200)]
bridge: check bridge port vlan membership on link-up events

When changing to a dfs channel, hostapd can bring down wlan interfaces and
reset their bridge membership. If that happens, the port loses its vlan
membership settings and needs to be reconfigured by netifd.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agovlan: fix device vlan alias handling
Felix Fietkau [Wed, 14 Jul 2021 13:22:09 +0000 (15:22 +0200)]
vlan: fix device vlan alias handling

A recent commit changed the vlan chain handling to not treat devices with
non-digit characters after "." as vlan devices. This broke aliases, which
rely on names after the "." component.
Fix dealing with both cases by first trying to set up a vlan regardless
of the non-digit characters, but for the first component allow falling back
to treating the first two parts as a full device name

Fixes: 013a1171e9b0 ("device: do not treat devices with non-digit characters after . as vlan devices")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: fix hotplug vlan overwrite on big-endian systems
Felix Fietkau [Tue, 13 Jul 2021 05:53:40 +0000 (07:53 +0200)]
bridge: fix hotplug vlan overwrite on big-endian systems

The avl key type for bridge vlans is uint16_t, so any lookup with a wider
type is going to fail on big-endian systems
This resulted in hotplug-added devices replacing configured member ports

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: bring up pre-existing vlans on hotplug as well
Felix Fietkau [Wed, 23 Jun 2021 08:01:41 +0000 (10:01 +0200)]
bridge: bring up pre-existing vlans on hotplug as well

When adding a member to an existing VLAN, it needs to be updated as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: fix enabling hotplug-added VLANs on the bridge port
Felix Fietkau [Tue, 22 Jun 2021 14:56:39 +0000 (16:56 +0200)]
bridge: fix enabling hotplug-added VLANs on the bridge port

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agowireless: handle WDS per-sta devices
Felix Fietkau [Sat, 19 Jun 2021 06:36:06 +0000 (08:36 +0200)]
wireless: handle WDS per-sta devices

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agodevice: do not treat devices with non-digit characters after . as vlan devices
Felix Fietkau [Sat, 19 Jun 2021 06:55:10 +0000 (08:55 +0200)]
device: do not treat devices with non-digit characters after . as vlan devices

Fixes corner cases related to AP WDS station interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agoexamples: make dummy wireless vif names shorter
Felix Fietkau [Sat, 19 Jun 2021 07:08:17 +0000 (09:08 +0200)]
examples: make dummy wireless vif names shorter

avoids running into ifname size limits

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agoubus: add a dummy mode ubus call to simulate hotplug events
Felix Fietkau [Sat, 19 Jun 2021 06:19:02 +0000 (08:19 +0200)]
ubus: add a dummy mode ubus call to simulate hotplug events

Can be used to test the device hotplug handling

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agodevice: move hotplug handling logic from system-linux.c to device.c
Felix Fietkau [Sat, 19 Jun 2021 06:11:21 +0000 (08:11 +0200)]
device: move hotplug handling logic from system-linux.c to device.c

Preparation for dealing with wifi per-station devices

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: fix setting pvid for updated vlans
Felix Fietkau [Thu, 17 Jun 2021 08:39:26 +0000 (10:39 +0200)]
bridge: fix setting pvid for updated vlans

defer adding back changed vlans until config processing is done

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agowireless: add some comments to functions
Alexander Couzens [Thu, 7 Jan 2021 01:59:33 +0000 (02:59 +0100)]
wireless: add some comments to functions

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
3 years agobridge: allow adding/removing VLANs to configured member ports via hotplug
Felix Fietkau [Fri, 4 Jun 2021 07:05:31 +0000 (09:05 +0200)]
bridge: allow adding/removing VLANs to configured member ports via hotplug

This is useful for a dynamic VLAN setup, where extra tags need to be created
on the trunking port on demand

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agowireless: pass the real network ifname to the setup script
Felix Fietkau [Fri, 4 Jun 2021 06:41:34 +0000 (08:41 +0200)]
wireless: pass the real network ifname to the setup script

If the network ifname is a VLAN on top of a VLAN-filtering bridge, hostapd
needs to know the VLAN ifname to communicate with other APs, if 802.11r is enabled.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: fix dynamic delete of hotplug vlans
Felix Fietkau [Wed, 2 Jun 2021 16:23:40 +0000 (18:23 +0200)]
bridge: fix dynamic delete of hotplug vlans

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: dynamically create vlans for hotplug members
Felix Fietkau [Wed, 2 Jun 2021 15:59:03 +0000 (17:59 +0200)]
bridge: dynamically create vlans for hotplug members

This makes it possible to use dynamic tags without changing the configuration

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agointerface: support "device" attribute and deprecate "ifname"
Rafał Miłecki [Tue, 25 May 2021 15:17:26 +0000 (17:17 +0200)]
interface: support "device" attribute and deprecate "ifname"

Interfaces need to be assigned to devices. For that purpose a "device"
option should be more accurate than "ifname" one.

For backward compatibility old option remains supported too.

Config example:

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'

config interface 'lan'
option device 'br-lan'
option proto 'static'

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
3 years agoscripts/netifd-wireless.sh: add support for specifying the operating band
Felix Fietkau [Mon, 24 May 2021 10:37:55 +0000 (12:37 +0200)]
scripts/netifd-wireless.sh: add support for specifying the operating band

Add the new 'band' option, which supports the following values: 2g, 5g, 6g, 60g

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agoconfig: fix ifname->ports compat rename
Felix Fietkau [Thu, 20 May 2021 08:57:52 +0000 (10:57 +0200)]
config: fix ifname->ports compat rename

Instead of looking it up as a string, use uci_rename.
That way it works both on list and string options

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agobridge: rename "ifname" attribute to "ports"
Rafał Miłecki [Fri, 14 May 2021 13:20:28 +0000 (15:20 +0200)]
bridge: rename "ifname" attribute to "ports"

Bridge aggregates multiple ports so use a more accurate name ("ports").
For backward compatibility add a temporary config translation.

Config example:

config interface 'lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
3 years agowireless: fix memory corruption bug when using vlans/station entries in the config
Felix Fietkau [Tue, 18 May 2021 04:20:00 +0000 (06:20 +0200)]
wireless: fix memory corruption bug when using vlans/station entries in the config

On config reload, any vif entries in the config added to the vlist will be
matched against existing ones, and the old entries preserved.
This means that the vif pointer is no longer valid after vlist_add.
Look up the vif again before using it for vlan/station entries.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agodevice: add support for configuring devices with external auth handler
Felix Fietkau [Mon, 17 May 2021 09:20:09 +0000 (11:20 +0200)]
device: add support for configuring devices with external auth handler

This can be used to support 802.1x on wired devices.
In order to use this, the device section for each port needing authentication
needs to contain the option auth 1
When set, this option prevents devices from being added to bridges or configured
with IP settings by default, until the set_state ubus call on network.device
sets "auth_status" to true for the device.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agoextdev: remove unused function
Felix Fietkau [Sun, 16 May 2021 16:06:48 +0000 (18:06 +0200)]
extdev: remove unused function

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agofix unannotated fall-through warnings
Felix Fietkau [Sun, 16 May 2021 16:04:18 +0000 (18:04 +0200)]
fix unannotated fall-through warnings

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agonetifd: add possibility to switch off route config
Florian Eckert [Tue, 24 Nov 2020 07:18:00 +0000 (08:18 +0100)]
netifd: add possibility to switch off route config

This change adds the new configuration option `disabled` for the route
section, which can be used to temporarily disable the section so that
the route is not set. The advantage is that we do not have to delete
this route configuration section to achieve this.

config route
  option disabled '1

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
3 years agonetifd: bridge: set default value for igmp_snoop
Zheng Qian [Tue, 2 Mar 2021 01:36:51 +0000 (09:36 +0800)]
netifd: bridge: set default value for igmp_snoop

When unchecked the igmp snoop option for a bridge by luci, it
just delete the igmp_snooping key from the config file.
So netifd can't change /sys/devices/virtual/net/br-lan/bridge/multicast_snooping from "1" to "0".

Option multicast_querier seems no input entry in luci, but it's
an related option.

This patch will set a default value to false for the bridge
option to fix this bug.

Signed-off-by: Zheng Qian <sotux82@gmail.com>
3 years agosystem-linux: add device options used by wpad
Daniel Golle [Sat, 12 Dec 2020 21:13:24 +0000 (21:13 +0000)]
system-linux: add device options used by wpad

Add device options used by wpad in preparation of running hostapd and
wpa_supplicant non-root (and hence those options will need to be taken
care of by netifd as sysctl is root-only):
 * drop_v4_unicast_in_l2_multicast
 * drop_v6_unicast_in_l2_multicast
 * drop_gratuitous_arp
 * drop_unsolicited_na
 * arp_accept

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem-linux: reorder sysctl functions
Daniel Golle [Sat, 12 Dec 2020 17:16:11 +0000 (17:16 +0000)]
system-linux: reorder sysctl functions

Move system_set_sendredirects up to the other non-bridge-related sysctl
functions.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoextdev: add support for external device handlers
Arne Kappen [Wed, 9 Dec 2020 15:01:24 +0000 (16:01 +0100)]
extdev: add support for external device handlers

This allows to integrate external daemons that configure network devices with
netifd. At startup, netifd generates device handler stubs from descriptions in
/lib/netifd/extdev-config via the mechanism in handler.c. These are then added
to the list of device handlers. Device handlers stubs act as relays forwarding
calls against the device handler interface to the external daemon.

Signed-off-by: Arne Kappen <arne.kappen@hhi.fraunhofer.de>
3 years agohandler: add mechanism to generate external device handler stubs
Arne Kappen [Wed, 9 Dec 2020 15:01:23 +0000 (16:01 +0100)]
handler: add mechanism to generate external device handler stubs

Parse JSON files in a given directory and pass the information on to a callback
function for creation of an external device handler stub.
The description contains:
 - 'name': the name of the device type,
 - 'ubus_name': the name of the external device handler daemon on ubus,
 - 'bridge': a flag indicating whether the devices are bridge-like,
 - optionally 'br_prefix': a prefix for created devices
   (only for bridge-like, defaults to type name),
 - 'config': the UCI config options for devices of this type, and
 - optionally 'info' and 'stats': the format of calls to info() and dump().

Signed-off-by: Arne Kappen <arne.kappen@hhi.fraunhofer.de>
3 years agodevice: remove left-over comment
Arne Kappen [Wed, 9 Dec 2020 15:01:22 +0000 (16:01 +0100)]
device: remove left-over comment

Signed-off-by: Arne Kappen <arne.kappen@hhi.fraunhofer.de>
3 years agointerface-ip: add unreachable route if address is offlink
Hans Dedecker [Sat, 9 Jan 2021 20:18:45 +0000 (21:18 +0100)]
interface-ip: add unreachable route if address is offlink

In order to avoid a routing loop add an unreachable route for the
address prefix is the offlink flag is set for an address.
This fixes a routing loop which is currently present on point-to-point
links (e.g PPP) when the wan interface is assigned a globally unique
prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked
and installed on the wan interface
(e.g. 2001:db8:1:0:5054:ff:feab:d87c/64)

The prefix route 2001:db8:1::/64 would be present in the routing table
which will route any packet with as destination 2001:db8:1::/64 to the wan
interface and would be routed back by the upstream router due to the
wan interface due to the assigned global unique prefix.
Besides not installing the prefix route 2001:db8:1::/64 on point-to-point links
adding an unreachable route is required to avoid the routing loop.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
3 years agointerface-ip: coding style fixes
Hans Dedecker [Sat, 9 Jan 2021 20:12:05 +0000 (21:12 +0100)]
interface-ip: coding style fixes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
3 years agonetifd: wireless: default to GCMP WPA cipher on 802.11ad
Daniel Golle [Tue, 5 Jan 2021 01:11:21 +0000 (01:11 +0000)]
netifd: wireless: default to GCMP WPA cipher on 802.11ad

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agowireless: add support for not killing processes on teardown
Felix Fietkau [Mon, 28 Dec 2020 13:42:30 +0000 (14:42 +0100)]
wireless: add support for not killing processes on teardown

When using a global hostapd/wpa_supplicant instance, it should not be killed
if a single radio is torn down

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agonetifd: fix a typo in vlandev hotplug support
Felix Fietkau [Mon, 14 Dec 2020 11:59:32 +0000 (12:59 +0100)]
netifd: fix a typo in vlandev hotplug support

Need to check the type of the vlan device, not the underlying device

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years agonetifd: add segment routing support
Nick Hainke [Sat, 12 Dec 2020 20:50:53 +0000 (21:50 +0100)]
netifd: add segment routing support

seg6_enabled - Bool
  Accept or drop SR-enabled IPv6 packets on this interface.

More Information:
https://www.kernel.org/doc/html/latest/networking/seg6-sysctl.html

Now you can set as interface option
  option ip6segmentrouting '1'

It is not enough to turn on "seg6_enabled" on the interface. Further,
we have to enable "/all/seg6_enabled". This means that a working config
is "interface + all".

Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [style fixes]
4 years agoconfig: parse default mac address from board.json
Felix Fietkau [Mon, 30 Nov 2020 11:34:13 +0000 (12:34 +0100)]
config: parse default mac address from board.json

Example:
{
"network-device": {
"eth0": {
"macaddr": "bc:a5:11:16:76:d7"
}
}
}

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-linux: move device settings handling to device.c
Felix Fietkau [Mon, 30 Nov 2020 11:08:32 +0000 (12:08 +0100)]
system-linux: move device settings handling to device.c

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-linux: simplify mask check in system_if_apply_settings
Felix Fietkau [Mon, 30 Nov 2020 10:52:22 +0000 (11:52 +0100)]
system-linux: simplify mask check in system_if_apply_settings

Mask flags against apply_mask only once instead of once per field

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-dummy: print configured mac address
Felix Fietkau [Mon, 30 Nov 2020 09:55:05 +0000 (10:55 +0100)]
system-dummy: print configured mac address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agovlandev: support bridge-vlan aliases in the vid config parameter
Felix Fietkau [Thu, 26 Nov 2020 09:23:01 +0000 (10:23 +0100)]
vlandev: support bridge-vlan aliases in the vid config parameter

This can be used to generate default network configurations that define
the lan/wan interfaces as vlandevs with custom names and specify the actual
VLAN ID only in the bridge-vlan section without repeating it elsewhere

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agovlandev: dump vlan id in device status
Felix Fietkau [Thu, 26 Nov 2020 09:20:11 +0000 (10:20 +0100)]
vlandev: dump vlan id in device status

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-linux: add retry for adding member devices to a bridge
Felix Fietkau [Mon, 23 Nov 2020 11:42:36 +0000 (12:42 +0100)]
system-linux: add retry for adding member devices to a bridge

When netifd tries to add bridge members brought up by hostapd asynchronously
(e.g. after an autochannel run), the first try often fails with EBUSY or
EAGAIN, since it's racing against hostapd's own setup.
Add retry logic, which includes checking if the device was added to the
bridge in the meantime to deal with this issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-linux: implement full device present state management for force-external devices
Felix Fietkau [Mon, 23 Nov 2020 11:11:42 +0000 (12:11 +0100)]
system-linux: implement full device present state management for force-external devices

We need to detect when devices are present, because they can be created
asynchronously by hostapd after they have already been added by the wifi
setup script

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge-vlan: add support for defining aliases for vlan ids
Felix Fietkau [Fri, 20 Nov 2020 17:58:10 +0000 (18:58 +0100)]
bridge-vlan: add support for defining aliases for vlan ids

When defining a bridge-vlan like this:

config bridge-vlan
option device 'switch0'
option vlan '1'
option ports 'lan1 lan2 lan3 lan4'
option alias 'lan'

You can use switch0.lan instead of switch0.1 to refer to the VLAN.
This ensures that the VLAN ID can be kept in a single place in the config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agointerface: do not force link-ext hotplug interfaces to present by default
Felix Fietkau [Fri, 20 Nov 2020 12:49:00 +0000 (13:49 +0100)]
interface: do not force link-ext hotplug interfaces to present by default

On wireless interfaces, hostapd can sometimes defer the bringup of secondary
virtual interfaces until autochannel or coex scan completes.
Do not force the present state in that case in order to avoid attempting
to bring up the device before it is ready

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agoconfig: initialize bridge and bridge vlans before other devices
Felix Fietkau [Wed, 18 Nov 2020 14:15:01 +0000 (15:15 +0100)]
config: initialize bridge and bridge vlans before other devices

This allows vlan devices to access bridge vlan data safely, regardless
of the order in which sections appear in the config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agowireless: fix passing bridge name for vlan hotplug pass-through
Felix Fietkau [Wed, 18 Nov 2020 12:38:17 +0000 (13:38 +0100)]
wireless: fix passing bridge name for vlan hotplug pass-through

When preparing the interface for hotplug add, pass the bridge
device back to the caller, since it may not match the original device

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-linux: only overwrite dev->present state on check_state for simple devices
Felix Fietkau [Fri, 13 Nov 2020 11:44:56 +0000 (12:44 +0100)]
system-linux: only overwrite dev->present state on check_state for simple devices

After settting config_pending for vlan devices, a check_state call from
device_init_pending was leading to the vlan device present state being
overwritten because the linux device didn't exist yet, even though the
vlan code had already indicated its present state based on the lower dev.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: only overwrite implicit vlan assignment if vlans are configured
Felix Fietkau [Thu, 5 Nov 2020 11:00:12 +0000 (12:00 +0100)]
bridge: only overwrite implicit vlan assignment if vlans are configured

When VLAN filtering is enabled, but no vlans are defined, the implicit
VLANs should stay, so that forwarding between ports still works.
This is useful for setups where VLANs are assigned by external scripts
instead of being configured via netifd

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-dummy: set present state only for simple devices
Felix Fietkau [Thu, 5 Nov 2020 10:58:40 +0000 (11:58 +0100)]
system-dummy: set present state only for simple devices

Fixes an issue with bringing up VLANs/bridges too early

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: fix use-after-free bug on bridge member free
Felix Fietkau [Wed, 4 Nov 2020 15:20:14 +0000 (16:20 +0100)]
bridge: fix use-after-free bug on bridge member free

When removing the device reference, the core might free the device.
Use device_lock/unlock to keep the reference valid until it is no longer needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: preserve hotplug ports on vlan update if config is unchanged
Felix Fietkau [Wed, 4 Nov 2020 11:19:20 +0000 (12:19 +0100)]
bridge: preserve hotplug ports on vlan update if config is unchanged

Fixes cleanup of port state

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: show vlans in device status
Felix Fietkau [Wed, 28 Oct 2020 17:54:39 +0000 (18:54 +0100)]
bridge: show vlans in device status

List vlans with member ports, VLAN IDs and flags

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agovlandev: add pass-through hotplug ops that pass the VLAN info to the bridge
Felix Fietkau [Fri, 7 Aug 2020 12:33:33 +0000 (14:33 +0200)]
vlandev: add pass-through hotplug ops that pass the VLAN info to the bridge

Only used for 802.1q devices

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agovlan: add pass-through hotplug ops that pass the VLAN info to the bridge
Felix Fietkau [Fri, 7 Aug 2020 12:26:33 +0000 (14:26 +0200)]
vlan: add pass-through hotplug ops that pass the VLAN info to the bridge

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: add support for defining port member vlans via hotplug ops
Felix Fietkau [Fri, 7 Aug 2020 12:19:06 +0000 (14:19 +0200)]
bridge: add support for defining port member vlans via hotplug ops

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agointerface: proto_ip: order by address index first
Yousong Zhou [Tue, 20 Oct 2020 02:49:18 +0000 (10:49 +0800)]
interface: proto_ip: order by address index first

At the moment, dnsmasq initscript generates dhcp-range for an interface
by inspecting first address of that interface from netifd ubus output.

Order by address index as specified in the uci config makes netifd ubus
output consistent with linux network interfaces' primary/secondary
address settings.  More importantly, the ubus output and dnsmasq config
generation will be more predictable.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agodevice_addr: record address index as in the blob
Yousong Zhou [Wed, 21 Oct 2020 02:50:54 +0000 (10:50 +0800)]
device_addr: record address index as in the blob

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agoproto: rework parse_addr to return struct device_addr
Yousong Zhou [Wed, 14 Oct 2020 06:37:13 +0000 (14:37 +0800)]
proto: rework parse_addr to return struct device_addr

This is a preparation for the next commit to record address index for
the returned device_addr struct

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agobuild: find and use libnl header dirs
Yousong Zhou [Wed, 14 Oct 2020 08:04:01 +0000 (16:04 +0800)]
build: find and use libnl header dirs

Name of the libnl .pc file is libnl-3.0.pc

This commit is mainly for testing netifd build on usual Linux systems.

netifd Makefile in current OpenWrt build system specifies custom cmake
flags to directly point to libnl-tiny

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
4 years agosystem-linux: initialize ifreq struct before using it
Alin Nastac [Thu, 8 Oct 2020 11:31:37 +0000 (13:31 +0200)]
system-linux: initialize ifreq struct before using it

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
4 years agonetifd: vxlan: add aging and maxaddress options
Johannes Kimmel [Fri, 4 Sep 2020 02:59:43 +0000 (04:59 +0200)]
netifd: vxlan: add aging and maxaddress options

For both options the values can just be passed to the kernel. All
unsigned values are accepted, thus no range checking required.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
4 years agonetifd: vxlan: add most missing boolean options
Johannes Kimmel [Fri, 4 Sep 2020 02:59:42 +0000 (04:59 +0200)]
netifd: vxlan: add most missing boolean options

adds the folloing missing options:
  - learning
  - rsc
  - proxy
  - l2miss
  - l3miss
  - gbp

See ip-link(3) for their meaning.

still missing:
  - external
  - gpe

I'm not sure how to handle them at the moment. It's unclear to me what
IFLA_VXLAN_* value corresponds to the 'external' option and according to
the manpage, gpe depends on it.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
4 years agonetifd: vxlan: refactor mapping of boolean attrs
Johannes Kimmel [Fri, 4 Sep 2020 02:59:41 +0000 (04:59 +0200)]
netifd: vxlan: refactor mapping of boolean attrs

Add a small function to handle boolean options and make use of it to handle:
  - rxcsum
  - txcsum

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
4 years agonetifd: vxlan: handle srcport range
Johannes Kimmel [Fri, 4 Sep 2020 02:59:40 +0000 (04:59 +0200)]
netifd: vxlan: handle srcport range

This adds adds the ability to set the source port range for vxlan
interfaces.

By default vxlans will use a random port within the ephermal range as
source ports for packets. This is done to aid scaleability within a
datacenter.

But with these defaults it's impossible to punch through NATs or
traverese most stateful firewalls easily. One solution is to fix the
srcport to the same as dstport.

If only srcportmin is specified, then srcportmax is set in a way that
outgoing packets will only use srcportmin.

If a range is to be specified, srcportmin and srcportmax have to be
specified. srcportmax is exclusive.

If only srcportmax is specified, the value is ignored and defaults are
used.

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
4 years agonetifd-wireless: parse 'osen' encryption
Daniel Golle [Tue, 8 Sep 2020 16:33:29 +0000 (17:33 +0100)]
netifd-wireless: parse 'osen' encryption

Support Hotspot 2.0 online signup with encryption, either as only
encryption type of a dedicated SSID or together with WPA-EAP for
single SSID setups.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agointerface-ip: clear host bits of the device prefix
Hans Dedecker [Sun, 9 Aug 2020 20:46:54 +0000 (22:46 +0200)]
interface-ip: clear host bits of the device prefix

Clear the host bits of the device prefix in
interface_ip_add_device_prefix as interface_set_prefix_address just ORs
the calculated assignment part which would lead to an invalid IPv6
address if the host bits are not masked out

Suggested-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agobridge: flush vlan list on bridge free
Felix Fietkau [Fri, 7 Aug 2020 10:07:53 +0000 (12:07 +0200)]
bridge: flush vlan list on bridge free

Fixes a potential memory leak

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agodevice: look up full device name before traversing vlan chain
Felix Fietkau [Mon, 27 Jul 2020 11:27:52 +0000 (13:27 +0200)]
device: look up full device name before traversing vlan chain

The user may have configured a VLAN device with explicit settings and the same
name by adding a config device section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agoconfig: enable bridge vlan filtering by default for bridges that define VLANs
Felix Fietkau [Sat, 18 Jul 2020 10:01:23 +0000 (12:01 +0200)]
config: enable bridge vlan filtering by default for bridges that define VLANs

Only enables it if the config option is not present. It can still be disabled.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: add support for VLAN filtering
Felix Fietkau [Wed, 15 Jul 2020 15:18:20 +0000 (17:18 +0200)]
bridge: add support for VLAN filtering

VLANs can be defined using bridge-vlan sections, like the following example:

config bridge-vlan
option device 'switch0'
option vlan '1'
option ports "lan1 lan2 lan3 lan4:t*"

Each member port can be confgured with optional attributes after ':'
 - t: member port is tagged
 - *: This is the primary VLAN for the port (PVID)

VLAN member interfaces are automatically added as bridge members

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: add support for adding vlans to a bridge
John Crispin [Sun, 12 Jul 2020 16:50:19 +0000 (18:50 +0200)]
bridge: add support for adding vlans to a bridge

Add a rtnl helper for adding vlans to a bridge interface.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agobridge: add support for turning on vlan_filtering
John Crispin [Sun, 12 Jul 2020 16:50:18 +0000 (18:50 +0200)]
bridge: add support for turning on vlan_filtering

If we want a bridge to be vlan aware we need to be able to turn on
filtering.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-dummy: fix resolving ifindex
Felix Fietkau [Sat, 18 Jul 2020 14:03:18 +0000 (16:03 +0200)]
system-dummy: fix resolving ifindex

Fixes bringup of devices

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agodevice: do not check state from within device_init
Felix Fietkau [Sat, 18 Jul 2020 12:58:15 +0000 (14:58 +0200)]
device: do not check state from within device_init

At this point the device is usually not fully set up yet and cannot handle
state changes / bringup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agovlan: initialize device ifname earlier at creation time
Felix Fietkau [Sat, 18 Jul 2020 12:26:07 +0000 (14:26 +0200)]
vlan: initialize device ifname earlier at creation time

Avoids attempting to add the device with an empty string as ifname

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agoutils: fix check_pid_path to work with deleted file as well
Karel Kočí [Thu, 2 Jul 2020 10:49:56 +0000 (12:49 +0200)]
utils: fix check_pid_path to work with deleted file as well

check_pid_patch is checking if process with given PID and executable
path is running. If this code fails the rest of the code can be
convinced that program is no longer running and possibly spawns new
instance that can collide with already running one. This behavior was
reproduced with hostapd.

Symbolic link exe in process subdirectory in /proc points to original
executable. The problem is that it reads as original path plus string
' (deleted)' if file is removed. The process is still running but
original file is no longer available on files system.

This behavior is triggered not only when file is removed (unlinked) but
also when file is replaced. This happens clearly on package update. In
general this happens any time all references (hard links) to file are
removed from file system.

This is not ultimate fix as exe link points to any last reference on
file system with preference for original one. The problem is if there
are multiple references and the original one is removed. This can be
reproduced just by copying executable (hard linking) and unlinking the
original one. In such case exe link would point to copy and not to
original deleted one.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
4 years agosystem-linux: improve handling of device rename
Kristian Evensen [Wed, 11 Mar 2020 13:13:10 +0000 (14:13 +0100)]
system-linux: improve handling of device rename

After an interface has been renamed on a "fast" device (for example
x86_64), the interface is sometimes not handled correctly by netifd.
Looking in the logs, I see the following messages when renaming fails:

Wed Mar 11 08:52:44 2020 kern.info kernel: [68383.522038] igb 0000:03:00.0 nlw_1: renamed from eth2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: __device_add_user(710): Add user for device 'nlw_1', refcount=2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(413): Claim Network device nlw_1, new active count: 2
Wed Mar 11 08:52:44 2020 daemon.err netifd[2739]: device_claim(432): claim Network device nlw_1 failed: -1

Instrumenting netifd further reveals that there is a race between the hotplug
"@move" event and ioctl(SIOCGIFINDEX). When the above error happens, the
ioctl-call fails with ENODEV. Looking closer at the kernel code, it seems the
hotplug-event is triggered before the renaming is completed. The easiest way to
trigger the race, is if an interface name with the old name is not handled by
netifd and an interface with the new name is. If only the old name is handled,
or both names, I was not able to provoke the race.

When the renaming is complete, a NEWLINK-message is generated. This patch
modifies the logic surrounding renaming, so that we wait for the
NEWLINK-message before marking an interface as present. The changes made are:

* We only handle move-events for interfaces we know, and we return after
device has been set as not present.
* When we receive a NEWLINK message for an interface managed by netifd,
we call device_set_present. device_set_present is guarded by the same
checks as the add hotplug-event.

After these changes, renaming works properly on both "fast" and "slow"
devices. Removing a device is also handled correctly.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agointerface-ip: fix build on non-linux systems
Felix Fietkau [Thu, 4 Jun 2020 11:27:05 +0000 (13:27 +0200)]
interface-ip: fix build on non-linux systems

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agosystem-dummy: fix missing return
Felix Fietkau [Thu, 4 Jun 2020 11:26:46 +0000 (13:26 +0200)]
system-dummy: fix missing return

Signed-off-by: Felix Fietkau <nbd@nbd.name>
4 years agonetifd: wireless: add support for tracking wifi-station sections
John Crispin [Mon, 25 May 2020 09:49:19 +0000 (11:49 +0200)]
netifd: wireless: add support for tracking wifi-station sections

This new section allows us to assign mac specific key/vid settings to a
station.

Signed-off-by: John Crispin <john@phrozen.org>
4 years agonetifd: wireless: add support for tracking wifi-vlan sections
John Crispin [Mon, 25 May 2020 09:49:18 +0000 (11:49 +0200)]
netifd: wireless: add support for tracking wifi-vlan sections

This new section allows us to create apvlan settings for hostapd.

Signed-off-by: John Crispin <john@phrozen.org>
4 years agovlandev: support setting ingress/egress QoS mappings
Pau Espin Pedrol [Sun, 17 May 2020 18:39:44 +0000 (20:39 +0200)]
vlandev: support setting ingress/egress QoS mappings

It allows setting mappings for instance this way:
"""
config device
  option name 'vlan41'
  option type '8021q'
  option vid '41'
  option ifname 'eth1'
  list   ingress_qos_mapping '1:2'
  list   ingress_qos_mapping '2:5'
  list   egress_qos_mapping '0:3'
"""

Signed-off-by: Pau Espin Pedrol <pespin.shar@gmail.com>
Tested-by: Pedro <pedrowrt@cas.cat>
4 years agointerface, system: clean up netns functionality
Daniel Golle [Tue, 14 Apr 2020 11:51:47 +0000 (12:51 +0100)]
interface, system: clean up netns functionality

Use struct device pointer as parameter instead of bare ifname allows
for some simplication and again removing system_ifname_resolve()
function introduced in commit d93126d.

Fixes: d93126d ("interface: allow renaming interface when moving to jail netns")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agointerface: fix jail ifdown and jails without jail_ifname
Daniel Golle [Mon, 13 Apr 2020 23:36:29 +0000 (00:36 +0100)]
interface: fix jail ifdown and jails without jail_ifname

Fixes: d93126d ("interface: allow renaming interface when moving to jail netns")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agointerface: allow renaming interface when moving to jail netns
Daniel Golle [Mon, 13 Apr 2020 19:03:35 +0000 (20:03 +0100)]
interface: allow renaming interface when moving to jail netns

Introduce jail_ifname option to define the name of a Linux network
interface when moved into a jail's network namespace.
This is useful for containers which expect the network interface to
have a specific name (eg. 'host0' in case of systemd).
While at it, clean-up and fix bugs in jail interface up/down routines.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agointerface: allocate and free memory for jail name
Daniel Golle [Mon, 13 Apr 2020 15:24:25 +0000 (16:24 +0100)]
interface: allocate and free memory for jail name

Memory returned by blogmsg_get_string() is volatile, hence use strdup()
to have a permanent copy of the returned string and free it when no
longer needed.

Fixes: 1321c1b ("add basic support for jail network namespaces")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agosystem-linux: fix PATH_MAX undeclared compilation error
Alin Nastac [Fri, 27 Mar 2020 10:56:09 +0000 (11:56 +0100)]
system-linux: fix PATH_MAX undeclared compilation error

Issue was introduced in commit 1321c1bd8fe921986c4eb39c3783ddd827b79543.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
4 years agosystem-linux: fix compilation with musl 1.2.0
Rosen Penev [Wed, 25 Mar 2020 23:11:40 +0000 (16:11 -0700)]
system-linux: fix compilation with musl 1.2.0

Switched to the plain function instead of the now gone syscall.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
4 years agointerface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel
Alin Nastac [Wed, 5 Feb 2020 13:36:33 +0000 (14:36 +0100)]
interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel

When netifd manages the prefix route directly, it will remove it
the moment prefix gets deprecated. This will make it impossible
for the target to send ICMPv6 errors back to LAN devices still
using the deprecated prefix, thus breaking the L-14 requirement
of RFC 7084.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
4 years agoadd basic support for jail network namespaces
Daniel Golle [Mon, 30 Dec 2019 12:57:47 +0000 (14:57 +0200)]
add basic support for jail network namespaces

Prepare netifd for handling procd service jails having their own
network namespace.
Intefaces having the jail attribute will only be brought inside the
jail's network namespace by procd calling the newly introduced ubus
method 'netns_updown'.
Currently proto 'static' is supported and configuration changes are
not yet being handled (ie. you'll have to restart the jailed service
for changes to take effect).

Example /etc/config/network snippet:

config device 'veth0'
    option type 'veth'
    option name 'vhost0'
    option peer_name 'virt0'

config interface 'virt'
    option type 'bridge'
    list ifname 'vhost0'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'

config interface 'virt0'
    option ifname 'virt0'
    option proto 'static'
    option ipaddr '10.0.0.2'
    option netmask '255.255.255.0'
    option gateway '10.0.0.1'
    option dns '10.0.0.1'
    option jail 'transmission'

Signed-off-by: Daniel Golle <daniel@makrotopia.org>