| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `IFNAMSIZ` macro defines the required buffer size to hold a Linux
interface name including the terminating zero byte while netifd currently
uses an `IFNAMSIZ + 1` limit for interface name buffers.
This causes netifd to use overlong names (16 instead of 15 bytes) in
netlink communication with the kernel, leading to netlink failure replies
due to policy violations.
Fix this issue by applying the correct length, that is `IFNAMSIZ` directly,
to the corresponding buffers.
Ref: https://github.com/openwrt/openwrt/issues/11259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
Instead of explicitly preventing free in specific code sections using
device_lock/device_unlock, defer all device free handling via uloop timeout
This avoids an entire class of lurking use-after-free bugs triggered
by device event processing and simplifies the code
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
| |
instead of relying on hostapd to manipulate bridge attributes (which can race
against netifd adding/removing of member ports), set the proxyarp related
attributes in netifd directly when bringing up the member port
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
| |
Regular AP/VLAN interfaces using 3-address modes should transmit any
STP packets, since devices behind them can not be part of any working bridge
topology. Enable a feature that drops any incoming or outgoing STP packets.
This does not apply to WDS AP VLAN or client mode interfaces, since they
could act as a proper bridge link
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
| |
netifd notifies the stp daemon through the network.device object and sends
STP related configuration parameters. The daemon can also trigger a STP
restart in order to close the race on init
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
The 'speed' option can be set to the speed in Mbps
The 'duplex' option can be 1 or 0 for full or half duplex
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
The previous 32 bit limit is almost used up
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
| |
When changing to a dfs channel, hostapd can bring down wlan interfaces and
reset their bridge membership. If that happens, the port loses its vlan
membership settings and needs to be reconfigured by netifd.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
Fixes corner cases related to AP WDS station interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
Preparation for dealing with wifi per-station devices
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
defer adding back changed vlans until config processing is done
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
This is useful for a dynamic VLAN setup, where extra tags need to be created
on the trunking port on demand
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
| |
This can be used to support 802.1x on wired devices.
In order to use this, the device section for each port needing authentication
needs to contain the option auth 1
When set, this option prevents devices from being added to bridges or configured
with IP settings by default, until the set_state ubus call on network.device
sets "auth_status" to true for the device.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add device options used by wpad in preparation of running hostapd and
wpa_supplicant non-root (and hence those options will need to be taken
care of by netifd as sysctl is root-only):
* drop_v4_unicast_in_l2_multicast
* drop_v6_unicast_in_l2_multicast
* drop_gratuitous_arp
* drop_unsolicited_na
* arp_accept
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
seg6_enabled - Bool
Accept or drop SR-enabled IPv6 packets on this interface.
More Information:
https://www.kernel.org/doc/html/latest/networking/seg6-sysctl.html
Now you can set as interface option
option ip6segmentrouting '1'
It is not enough to turn on "seg6_enabled" on the interface. Further,
we have to enable "/all/seg6_enabled". This means that a working config
is "interface + all".
Signed-off-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [style fixes]
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example:
{
"network-device": {
"eth0": {
"macaddr": "bc:a5:11:16:76:d7"
}
}
}
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When defining a bridge-vlan like this:
config bridge-vlan
option device 'switch0'
option vlan '1'
option ports 'lan1 lan2 lan3 lan4'
option alias 'lan'
You can use switch0.lan instead of switch0.1 to refer to the VLAN.
This ensures that the VLAN ID can be kept in a single place in the config
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
When preparing the interface for hotplug add, pass the bridge
device back to the caller, since it may not match the original device
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
VLANs can be defined using bridge-vlan sections, like the following example:
config bridge-vlan
option device 'switch0'
option vlan '1'
option ports "lan1 lan2 lan3 lan4:t*"
Each member port can be confgured with optional attributes after ':'
- t: member port is tagged
- *: This is the primary VLAN for the port (PVID)
VLAN member interfaces are automatically added as bridge members
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
Add a rtnl helper for adding vlans to a bridge interface.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
| |
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of truncating the device name when it exceeds IFNAMSIZ length;
let device_set_ifname return an error code and do not add the device
to the device list.
This avoids possible issues with device names becoming identical due the
truncation and as a result unexpected behavior.
Further let the different device types gracefully handle the error code
returned by device_init
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
| |
It is overly complex, yet does not cover common scenarios very well.
It will be replaced with a simpler shell script that provides a better
default policy
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
| |
Check if a mac address is actually present when generating an eui64 based
IPv6 address; in case of failure bail out.
At the same time make sure the active mac address is used as input for the
eui64 based IPv6 address and guarantee IPv6 prefix address generation is
based on the actual config by resetting the IPv6 prefix address in the
assignment structure when it gets deleted.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
| |
Signed-off-by: John Crispin <john@phrozen.org>
|
|
|
|
|
|
|
|
|
| |
When -1 is written in /proc/sys/net/ipv4/neigh/<iface>/locktime,
kernel disables ARP trashing protection. A value of 0 does not completely
disable this protection, a second ARP update being discarded if it
is processed during the same jiffie as the first update.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
|
|
|
|
|
|
| |
cppcheck found printf functions with signed instead of unsigned
formats. Fix those as well as some non-matching function
declarations.
Signed-off by: Rosen Penev <rosenp@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The UCI parameter neighlocktime allows to control the hardware
address to IP mapping lock time in the IPv4 neighbour table.
The IPv6 lock time was not set because it is not used at all in any
kernel versions, hardware address override being controlled in this case
by the override flag present in the NA packet.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
|
|
|
|
|
|
| |
Commit abf52371db75eb449f12209ca1b7ffaa9d2baa22 adds sendredirects
device config support by defining DEV_OPT_SENDREDIRECTS. Fix definition
overlap of DEV_OPT_SENREDIRECTS with DEV_OPT_LEARNING.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting /proc/sys/net/ipv4/conf/*/send_redirects is useful if a single
layer-2 domain is shared among routed subnets.
Sending redirects will prevents traffic from taking unnessesary detours
through a gateway in cases where direct connectivity on layer 2 exists.
This is commonly the case if an existing LAN infratructure with dump
switches is used to additionally carry routing protocols like OLSR
which are supported only by some nodes on the network.
It's important to note that the default value for send_redirects
differs for interface types (it's enabled on physical ethernet
interfaces, but disabled e.g. on VLANs) due to olsrd changing
/proc/sys/net/ipv4/conf/default/send_redirects during boot, thus the
default differs also depending e.g. on the way an on-board switch is
integrated on specific boards (as eth0 exists before olsrd is started,
eth0.1 gets created by netifd later on...)
Having a way to explicitely enable or disable send_redirects is
thus desireable also to unify the default behaviour among different,
but seemingly similar devices supported.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
| |
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
| |
While at it; make device_types static if only used in the device type file
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting the multicast_fast_leave option of a bridge allows to control
the forwarding of multicast traffic when an IGMP/MLD leave is received.
In case multicast_leave_option is enabled and a leave is received the
multicast membership will immediately be dropped on the bridge port while
in the other case the multicast membership will time out in the bridge.
This could be usefull in scenarios where explicit multicast membership
host tracking is not supported in the upstream network. In this case the
multicast stream is still flowing after a leave is received resulting into
possible bandwidth saturation on the lan if a new stream is joined as
multiple multicast streams are received.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
|
| |
Device handlers now also declare if they have bridge capabilities and include
a string to prefix device names for their types.
Signed-off-by: Arne Kappen <akappen@inet.tu-berlin.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup/fixes]
|
|
|
|
|
|
|
|
| |
- remove const from device handler struct
- pass device handler type to create function
Signed-off-by: Arne Kappen <akappen@inet.tu-berlin.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the config below a dotted vlan interface stays down as get_vlan_device
does not find the device due to the aliased device stacked on top of the base
device.
As all devices; aliased devices being the exception; are in the device list
use device_find to find the device when setting the link state
config interface 'test'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config interface 'test2'
option ifname '@test.1'
option proto 'dhcp'
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
|
| |
As device name is used as key in avl list a device name change will break the avl find logic.
Function device_set_ifname offers api to set the device name and re-inserts the avl node in the list
when the avl key value is changed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
| |
The UCI parameter neighgcstaletime allows to control how much time will
STALE entries be kept in the neighbour table for both IPv4 and IPv6.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tuning these two options allows a more fine grained configuration of the
forwarding database (fdb) of a bridge.
The former allows to enable or disable the learning of the presence of
MAC addresses behind a bridge port. (default: enabled on all ports)
The latter allows to tune the behaviour in case a destination MAC address
of a frame is unknown to the fdb, like only flooding on specific ports or
not flooding on any port. (default: flood on all ports, except incoming)
This can be useful to create a dumb hub, for instance for monitoring
purposes. Or in larger layer 2 mesh networks to avoid keeping redundant
databases (e.g. with the batman-adv translation table).
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
|
|
|
|
|
|
| |
Make multicast device flag configurable by extending device attributes
with the multicast attribute
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Nick Podolak <nicholas.podolak@dtechlabs.com>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
handlers
Set link_state for all device types via the device_set_link API as all devices are registered
in the device tree list making it possible to always get the device via device_get.
The decice link state parameter will now actually reflect the corresponding kernel device
carrier state in all cases.
Before this change a vlan/macvlan device could still have link_state enabled if an interface
was brought down; this was the case when the parent vlan/macvlan device was still enabled as
the netlink link_state event would be dropped for vlan/macvlan devices due to keep_link_state
in the function cb_rtnl_event.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
|
|
|
|
|
|
| |
Fixes a regression that caused WDS stations to repeat packets back to
the AP.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The multicast_router option of a bridge allows to control the forwarding
behaviour of multicast packets independant of the listener state:
* 0: Only forward if specific listener is present
* 1 (default): Forward if specific listener or a multicast router
was detected (currently only learned via query messages, no MRD
support yet)
* 2: Always forward any multicast traffic on this port
Since MRD is not mandated you might end up with silent multicast routers
(e.g. if your link has more than one multicast router; only one can
become the selected, "noisy" querier). Here you might need a manual
configuration option like the "multicast_router" option.
Other scenarios where this can be useful are for instance:
* Segmentation of IGMP/MLD domains together with ebtables
* Dedicated bridge port for monitoring/debugging purposes
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch the multicast_to_unicast feature can be disabled for all
wireless interfaces via an according option on the uci bridge interface.
This patch also exports the setting information to wireless handler
scripts. The hostapd script will need that information to determine
whether to enable or disable ap-isolation, for instance.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All IGMP and MLD versions suffer from a specific limitation (from a
snooping switch perspective): Report suppression.
Once a listener hears an IGMPv2/3 or MLDv1 report for the same group
itself participates in then it might (if this listener is an IGMPv3 or
MLDv2 listener) or will (if this is an IGMPv1/2 or MLDv1 listener)
refrain from sending its own report.
Therefore we might currently miss such surpressing listeners as they
won't receive the multicast packet with the mangled, unicasted
destination.
Fixing this by first isolating the STAs and giving the bridge more
control over traffic forwarding. E.g. refraining to forward listener
reports to other STAs.
For broadcast and unicast traffic to an STA on the same AP, the hairpin
feature of the bridge will reflect such traffic back to the AP
interface. However, if the AP interface is actually configured to
isolate STAs, then hairpin is kept disabled.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
|
|
|
|
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
|
|
|
| |
Config option dadtransmits allows to configure the amount of
Duplicate Address Detection probes to be sent
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|