project/netifd.git
3 months ago  device: do not pull device present state from hotplug events
Felix Fietkau [Tue, 3 Sep 2024 08:11:26 +0000 (10:11 +0200)]
device: do not pull device present state from hotplug events

Use hotplug events as trigger for system_if_check instead.
Fixes a race condition in event processing

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 months ago  device: add more debugging code
Felix Fietkau [Mon, 2 Sep 2024 18:26:54 +0000 (20:26 +0200)]
device: add more debugging code

Helps figure out corner cases

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 months ago  interface: add support for disabling renew on topology change
Felix Fietkau [Wed, 17 Jul 2024 17:56:50 +0000 (19:56 +0200)]
interface: add support for disabling renew on topology change

In some cases this may trigger too many dhcp requests, tripping up upstream
servers, so there needs to be an option to disable this behavior.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 months ago  system-linux: re-apply ethtool on phy attachment
Daniel Golle [Fri, 5 Jul 2024 18:15:10 +0000 (19:15 +0100)]
system-linux: re-apply ethtool on phy attachment

ethtool settings applied before the interface is in IFF_UP state
are going to be lost when phylink is being used.
This is the case with many modern NICs as well as when using SFP
modules, resulting in the speed, duplex, *pause and autoneg
settings not having any effect.

Reapply ethtool settings once the PHY is attached.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 months ago  wireless: add support for defining wifi interfaces via procd service data
Felix Fietkau [Mon, 3 Jun 2024 18:29:20 +0000 (20:29 +0200)]
wireless: add support for defining wifi interfaces via procd service data

This makes it possible to dynamically define wifi interfaces from other
services without having to update the config.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 months ago  wireless: use blobmsg_parse_attr
Felix Fietkau [Mon, 3 Jun 2024 18:33:03 +0000 (20:33 +0200)]
wireless: use blobmsg_parse_attr

Simplify the code

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 months ago  proto-shell: add proto property for skipping device config
Felix Fietkau [Mon, 13 May 2024 13:58:27 +0000 (15:58 +0200)]
proto-shell: add proto property for skipping device config

This is useful for PPPoE, where settings like MTU should not be applied to
the lower device

Signed-off-by: Felix Fietkau <nbd@nbd.name>
9 months ago  CMake: bump the minimum required CMake version to 3.5
Yegor Yefremov [Fri, 12 Jan 2024 07:50:32 +0000 (08:50 +0100)]
CMake: bump the minimum required CMake version to 3.5

From: Yegor Yefremov <yegorslists@googlemail.com>

Older CMake versions are marked as deprecated and generate
the related warning:

Compatibility with CMake < 3.5 will be removed from a future
version of CMake.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
11 months ago  device: restore cleared flags on device down
Erik Karlsson [Tue, 5 Dec 2023 23:22:58 +0000 (00:22 +0100)]
device: restore cleared flags on device down

In case flags have been cleared because settings failed to apply,
restore them when the device is brought down so that they will be
re-attempted the next time the device is brought up.

Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>
11 months ago  system-linux: fix race condition in netlink socket error handling
Matthias Schiffer [Tue, 2 Jan 2024 14:58:30 +0000 (15:58 +0100)]
system-linux: fix race condition in netlink socket error handling

The error handling needed for the buffer growth logic relies on
uloop_fd's error flag, which is set based on epoll events. Doing so
without handling recvmsg's error codes is racy, as an error state may be
set between receiving epoll events and the next recvmsg, but calling
recvmsg clears the error state.

To fix this, add handling for errors returned by nl_recvmsgs_default()
and nl_recv(); checking for u->error and retrieving the error status
using getsockopt() becomes redundant.

We have observed this issue on Gluon (recent OpenWrt 23.05); on some
devices with DSA switches, the bridge interface's carrier-on event would
consistently get lost during boot due to insufficient buffer space
(see [1]).

We have bisected the issue to netifd commit 516ab774cc16 ("system-linux:
fix race condition on bringing up wireless devices"), but that commit only
uncovered the preexisting bug by switching from getting the carrier state
from sysfs to using the netlink messages in cb_rtnl_event().

I suspect that other recent issues about netifd missing a carrier state
change like [2] may have the same underlying cause.

[1] https://github.com/freifunk-gluon/gluon/issues/3130
[2] https://github.com/openwrt/openwrt/issues/13863

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
11 months ago  Revert "system-linux: set pending to 0 on ifindex found or error for if_get_master"
Felix Fietkau [Tue, 19 Dec 2023 21:32:56 +0000 (22:32 +0100)]
Revert "system-linux: set pending to 0 on ifindex found or error for if_get_master"

This reverts commit 66a7652176a7580b55076a0975b77c2bfb5bf7ce.
Users reported that netifd hangs after this commit. I suspect that the added
optimization which sets data->pending to false early might be the cause.
It might leave unprocessed netlink messages in the socket, which could mess up
the next netlink call.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
11 months ago  device: Log error message if device initialization failed
Dustin Spicuzza [Wed, 19 Apr 2023 17:44:56 +0000 (13:44 -0400)]
device: Log error message if device initialization failed

Signed-off-by: Dustin Spicuzza <dustin@virtualroadside.com>
11 months ago  netifd: fix undefined va_list value which can cause crashes
Mikael Magnusson [Fri, 15 Dec 2023 22:19:47 +0000 (23:19 +0100)]
netifd: fix undefined va_list value which can cause crashes

Reinitialize the va_list value after the call
to netifd_udebug_vprintf() in netifd_log_message().

It's needed since netifd_udebug_vprintf() invokes vsnprintf()
which in turn invokes the va_arg() macro, and after that call
the va_list value is undefined.

Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
12 months ago  system-linux: set pending to 0 on ifindex found or error for if_get_master
Christian Marangi [Sun, 17 Dec 2023 15:47:16 +0000 (16:47 +0100)]
system-linux: set pending to 0 on ifindex found or error for if_get_master

Fix Coverity Defect 1559194 reporting an Infinite loop when
data->pending is not set to 0 on finishing the callback.

While this is a false-positive report as ACK is always called, this is a
good time to optimize the code and make the callback exit early if we
find the ifindex for the DSA conduit.

Correctly set pending to 0 on ifindex found or error for if_get_master
valid netlink callback.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
12 months ago  system-linux: skip refreshing MAC on master change if custom MAC
Christian Marangi [Tue, 12 Dec 2023 00:15:55 +0000 (01:15 +0100)]
system-linux: skip refreshing MAC on master change if custom MAC

If custom MAC or a default MAC needs to be applied, skip refreshing MAC
after master change to correctly apply the custom MAC.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
12 months ago  system-linux: set master early on apply settings
Christian Marangi [Tue, 12 Dec 2023 00:14:25 +0000 (01:14 +0100)]
system-linux: set master early on apply settings

Move master setting up before anything else, as settings may get reset on
master change.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
12 months ago  bridge: rework config change pvid handling
Felix Fietkau [Tue, 5 Dec 2023 11:37:50 +0000 (12:37 +0100)]
bridge: rework config change pvid handling

Fix issues when a member port is moved from one VLAN to another

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  bridge: fix reload on bridge vlan changes
Felix Fietkau [Tue, 5 Dec 2023 10:52:44 +0000 (11:52 +0100)]
bridge: fix reload on bridge vlan changes

config_pending needs to be set even if the bridge is inactive, in order to
handle changes to the member list

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  debug: remove newline from debug messages
Felix Fietkau [Tue, 5 Dec 2023 10:28:57 +0000 (11:28 +0100)]
debug: remove newline from debug messages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  netifd: add netlink udebug ring
Felix Fietkau [Tue, 5 Dec 2023 09:35:30 +0000 (10:35 +0100)]
netifd: add netlink udebug ring

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  udebug: use helper code for ubus config handling
Felix Fietkau [Mon, 27 Nov 2023 17:40:14 +0000 (18:40 +0100)]
udebug: use helper code for ubus config handling

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  wireless: add bridge_isolate option
Felix Fietkau [Mon, 20 Nov 2023 18:03:06 +0000 (19:03 +0100)]
wireless: add bridge_isolate option

This enables the device bridge port isolate flag

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  system-linux: fix bogus debug error messages on adding bridge members
Felix Fietkau [Mon, 20 Nov 2023 17:35:49 +0000 (18:35 +0100)]
system-linux: fix bogus debug error messages on adding bridge members

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  replace DPRINTF calls with D(...)
Felix Fietkau [Mon, 20 Nov 2023 16:02:43 +0000 (17:02 +0100)]
replace DPRINTF calls with D(...)

This makes messages appear in udebug output

Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 months ago  add udebug support
Felix Fietkau [Mon, 20 Nov 2023 16:00:08 +0000 (17:00 +0100)]
add udebug support

Add internal debug messages and log messages to the ring buffer

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  interface-ip: fix IPv4 route target masking
Jo-Philipp Wich [Tue, 14 Nov 2023 13:01:44 +0000 (14:01 +0100)]
interface-ip: fix IPv4 route target masking

A previous commit that was supposed to mask out excess host bits in route
targets failed to correctly calculate the mask value, causing it to produce
improper results for certain mask lengths.

Fixes: #17
Fixes: 76eb342 ("interface-ip: mask out host bits in IPv4 route targets")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
13 months ago  system-linux: refresh MAC address on DSA port conduit change
Christian Marangi [Sat, 11 Nov 2023 22:27:11 +0000 (23:27 +0100)]
system-linux: refresh MAC address on DSA port conduit change

On changing the conduit for a DSA port, the conduit may have a different
MAC address. In the scenario where a port is part of a bridge and
is the primary port, some inconsistency may arise where the bridge has
the MAC address of the previous conduit and is never updated.
This inconsistency causes problems with packet forwarding with FDB and
other related problems.

To fix this, refresh the original MAC address after the conduit for the
DSA port is changed by polling the new MAC address for the device using
ioctl API.

Fixes: 2dc7f450f3a2 ("system-linux: add option to configure DSA conduit device")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
13 months ago  wireless: fix premature removal of hotplug devices due to down state
Felix Fietkau [Fri, 10 Nov 2023 14:34:23 +0000 (15:34 +0100)]
wireless: fix premature removal of hotplug devices due to down state

When a device is added that isn't up, status toggles can sometimes lead to a
DEV_EVENT_REMOVE event, which causes the device to be removed from an interface
or a bridge.
Fix this by toggling the dev->disabled status instead based on IFF_UP, and
adding a check to bridge/interface code to only permanently remove devices that
are actually gone.

Fixes: 516ab774cc16 ("system-linux: fix race condition on bringing up wireless devices")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  wireless: fix sign comparison warning
Felix Fietkau [Fri, 10 Nov 2023 12:53:38 +0000 (13:53 +0100)]
wireless: fix sign comparison warning

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  device: add support to configure eee
Rahul Thakur [Sat, 19 Aug 2023 03:33:46 +0000 (09:03 +0530)]
device: add support to configure eee

Add support for configurable EEE option i.e. energy efficient ethernet.

The option can be configured by adding the config for the device in the
network uci config. Example:

    config device
        option name 'eth0'
        option eee '1'

Signed-off-by: Rahul Thakur <rahul.thakur@iopsys.eu>
13 months ago  system-linux: fix compilation error if IFLA_DSA_MASTER is not supported
Christian Marangi [Thu, 9 Nov 2023 16:24:36 +0000 (17:24 +0100)]
system-linux: fix compilation error if IFLA_DSA_MASTER is not supported

Changing DSA port conduit was introduced only with kernel 6.1. Fix
compilation error by disabling support for this on unsupported kernels.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
13 months ago  system-linux: make system_if_get_master_ifindex static
Christian Marangi [Thu, 9 Nov 2023 16:19:48 +0000 (17:19 +0100)]
system-linux: make system_if_get_master_ifindex static

Make system_if_get_master_ifindex static as it was wrongly exposed and
is only used in system-linux.c.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
13 months ago  system-linux: add option to configure DSA conduit device
Christian Marangi [Thu, 2 Nov 2023 15:34:47 +0000 (16:34 +0100)]
system-linux: add option to configure DSA conduit device

A device might have multiple CPU ports with a DSA based switch, and OEM
firmware might set a specific port to one CPU port (for example WAN) to
sustain full gigabit traffic with the kernel.

To set them, the iproute2 tool is currently required.
Add support to set the DSA port conduit directly from the network config
using netlink. Example:

    config device
        option name 'lan1'
        option conduit 'eth1'

The conduit option refers to the CPU port interface. An invalid option will
simply be ignored and won't be applied, similar to what iproute2 does.

The option can also be set in board.json by setting the conduit option.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
13 months ago  system-linux: add support for configurable GRO option
Christian Marangi [Wed, 25 Oct 2023 01:27:58 +0000 (03:27 +0200)]
system-linux: add support for configurable GRO option

Add support for a configurable GRO option. Some devices don't have HW
checksum support and may suffer from a performance regression when using
GRO. Disabling GRO restores the original performance and makes the device
usable again.

The option can be configured by adding the config for the device in the
network config. Example:

    config device
        option name 'eth0'
        option gro '0'

The option can also be configured by adding the config to the
board.json.

Notice that a new "kind" of settings is introduced:
"system_if_apply_settings_after_up". Options set in this function will be
applied AFTER the interface is UP. This is needed as some options
(for example GRO) need to be applied after the interface is UP, and applying
them before results in an error from ioctl.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
13 months ago  interface-ip: allow configuring routes without explicit interface
Jo-Philipp Wich [Thu, 24 Aug 2023 12:43:31 +0000 (14:43 +0200)]
interface-ip: allow configuring routes without explicit interface

Support the configuration of network routes not bound to any specific
interface. In case such a route is configured, it will be internally
owned by the loopback interface and have a new DEVROUTE_NODEV flag
set to inhibit the RTA_OIF attribute when installing the kernel route.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
13 months ago  interface-ip: mask out host bits in IPv4 route targets
Jo-Philipp Wich [Thu, 24 Aug 2023 12:16:00 +0000 (14:16 +0200)]
interface-ip: mask out host bits in IPv4 route targets

The kernel will reject attempts to install routes with target addresses
having host bits set with an "Invalid prefix for given prefix length"
error.

A route configuration like the one below will silently fail to apply:

    config route
        option interface lan
        option target 10.40.40.1/24

Attempting to do the same with iproute2 will fail as well:

    # ip route add 10.40.40.1/24 dev br-lan
    Error: Invalid prefix for given prefix length.

However, for IPv6 route targets with set host bits are allowed:

    # ip -6 route add 3000::1/64 via fe80::1234:5678:9abcd:ef01 dev br-lan
    # ip -6 route list 3000::1/64
    3000::/64 via fe80::1234:5678:9abc:def1 dev br-lan metric 1024 pref medium

In order to stay consistent here, and to avoid unnecessary configuration
pitfalls, make netifd more lenient and simply mask out excess host bits
while parsing IPv4 route configuration.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
13 months ago  system-linux: fix race condition on bringing up wireless devices
Felix Fietkau [Tue, 7 Nov 2023 12:22:06 +0000 (13:22 +0100)]
system-linux: fix race condition on bringing up wireless devices

When wireless devices are added via hotplug before their state is set to up,
adding routes to the device can fail in the kernel.
Since the up state is managed externally, use it as input for netifd's device
present state, so that they are only brought up when ready.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  device: fix build error on 32 bit systems
Felix Fietkau [Mon, 6 Nov 2023 12:16:38 +0000 (13:16 +0100)]
device: fix build error on 32 bit systems

Increase size of the diff fields for uci_blob_diff calls, since the device
attribute list increased to >32 entries

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  bridge: add support for configuring vlans for auth=1,auth_status=false
Felix Fietkau [Fri, 3 Nov 2023 06:58:59 +0000 (07:58 +0100)]
bridge: add support for configuring vlans for auth=1,auth_status=false

This allows detecting MAC addresses via FDB learning, or snooping
unauthenticated packets on a dedicated VLAN

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  bridge: add auth-required bridge members with auth_status=0 if vlan is enabled
Felix Fietkau [Thu, 2 Nov 2023 16:45:29 +0000 (17:45 +0100)]
bridge: add auth-required bridge members with auth_status=0 if vlan is enabled

This allows auth decisions based on FDB information of the port (MAC auth)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  device: send notifications for device events via ubus
Felix Fietkau [Wed, 1 Nov 2023 08:44:26 +0000 (09:44 +0100)]
device: send notifications for device events via ubus

Send them on the network.device object

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  device/bridge: support passing extra vlans in the device_set_state call
Felix Fietkau [Wed, 1 Nov 2023 05:25:16 +0000 (06:25 +0100)]
device/bridge: support passing extra vlans in the device_set_state call

This can be used by RADIUS based 802.1x auth to dynamically define the member
vlans for the port based on its authentication status.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
13 months ago  config: fix incompatible with jshn network-device entry
Christian Marangi [Fri, 20 Oct 2023 10:40:27 +0000 (12:40 +0200)]
config: fix incompatible with jshn network-device entry

On parsing, jshn "normalizes" any non-alphanumeric char in the entry to
'_'. This resulted in the scenario where the data passed by board.json
with entry 'network-device' was converted to 'network_device', while the
system still expected data with the original 'network-device'.

To fix this, changes need to be made in multiple places. Any function in
core uci-defaults.sh that expects 'network-device' needs to be changed to
'network_device', and here in netifd core we need to switch to using
'network_device' directly to prevent any conflict with the jshn conversion.

The issue was exposed by commit 4ebba8a05d09 ("realtek: add support for
HPE 1920-8g-poe+") in openwrt core where board_config_load call from
03_gpio introduced the key normalization by jshn.

board.json is not considered stable and is not migrated on sysupgrade
but actually recreated with up to date data, hence no migration or
special handling is needed and the entry can be directly changed.

Ref: https://forum.openwrt.org/t/57875/2589
Ref: https://github.com/openwrt/openwrt/pull/13622
Reported-by: Michael 'ASAP' Weinrich <michael@a5ap.net>
Fixes: 42c48866f1c1 ("config: parse default mac address from board.json")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
14 months ago  interface: do not release device on link down
Erik Karlsson [Tue, 19 Sep 2023 11:37:59 +0000 (13:37 +0200)]
interface: do not release device on link down

On IFPEV_DOWN, do not release the main device if the interface is
intended to be brought back up again by interface_handle_config_change
and there is no configuration change. This avoids releasing the device
and then claiming it again when link is lost.

Releasing and then claiming the device can, if the driver is
configured to power the PHY down when IFF_UP is cleared, cause the PHY
to be power cycled. This can in combination with glitchy hardware
and/or drivers where it takes a few seconds for the link to stabilize
after the PHY has been powered up cause a loop where loss of link
causes netifd to power cycle the PHY and when the PHY comes back up
the link glitches and the cycle repeats.

Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>
14 months ago  wireless: update prev_config on SET_DATA notify
Felix Fietkau [Tue, 19 Sep 2023 09:44:34 +0000 (11:44 +0200)]
wireless: update prev_config on SET_DATA notify

Fixes passing phy name from setup to teardown

Signed-off-by: Felix Fietkau <nbd@nbd.name>
15 months ago  wireless: dynamically enable/disable virtual interfaces based on network interface...
Felix Fietkau [Fri, 15 Sep 2023 18:30:04 +0000 (20:30 +0200)]
wireless: dynamically enable/disable virtual interfaces based on network interface autostart

This allows disabling individual interfaces with ifup/ifdown calls

Signed-off-by: Felix Fietkau <nbd@nbd.name>
15 months ago  wireless: clean up prev_config handling
Felix Fietkau [Fri, 15 Sep 2023 18:12:04 +0000 (20:12 +0200)]
wireless: clean up prev_config handling

Always update prev_config directly after creating it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
15 months ago  wireless: rework and fix vlan/station config reload handling
Felix Fietkau [Fri, 15 Sep 2023 11:06:02 +0000 (13:06 +0200)]
wireless: rework and fix vlan/station config reload handling

The vif name of sections was not properly updated.
Rework the config structure to maintain stations/vlans in a vlist in the vif struct.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
15 months ago  make_ethtool_modes_h.sh: apply anti-bashism
Daniel Golle [Thu, 31 Aug 2023 23:56:35 +0000 (00:56 +0100)]
make_ethtool_modes_h.sh: apply anti-bashism

Use 'printf' instead of 'echo -e' and use 'sed' instead of 'cut' to be
compatible with shells other than bash and not require cut.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago  system-linux: switch to new ETHTOOL_xLINKSETTINGS API
Ruiwei Chen [Sat, 25 Mar 2023 05:44:53 +0000 (13:44 +0800)]
system-linux: switch to new ETHTOOL_xLINKSETTINGS API

ETHTOOL_GSET / ETHTOOL_SSET API is deprecated since Linux v5.2
released in 2016, see torvalds/linux@3f1ac7a700d03 ("net: ethtool: add
new ETHTOOL_xLINKSETTINGS API"). All still maintained OpenWrt versions
use kernel versions new enough to support the new API.

Hence migrate to the ETHTOOL_xLINKSETTINGS API to handle
auto-negotiation for flow-control as well as higher bandwidth like
2.5G, 5G and 10G.

Use ethtool API to switch on or off auto-negotiation of Ethernet
interfaces, and set speed and duplex accordingly in case auto-
negotiation is switched off.

Add support for flow-control settings, both manual/force mode for
RX and TX pause frames as well as advertising Pause and Asym_Pause
bits.

Instead of hard-coding the supported modes, generate a header file
describing them from <linux/ethtool.h>.

Signed-off-by: Ruiwei Chen <crwbak@gmail.com>
[generate list of link modes from toolchain headers, select by speed
and duplex, also use new API for dump function, add support for flow-
control settings]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago  scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support
Felix Fietkau [Thu, 31 Aug 2023 09:19:04 +0000 (11:19 +0200)]
scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support

Support the following values for the different WPA3 Enterprise modes:

- wpa3-mixed: WPA3 Enterprise transitional mode
This supports EAP with both SHA1 and SHA-256, with optional MFP
- wpa3: WPA3 Enterprise only mode
This supports only SHA256 with mandatory MFP
- wpa3-192: WPA3 Enterprise with mandatory 192 bit support
This uses only GCMP-256 ciphers

Disable 192 bit support and GCMP-256 ciphers for the regular "wpa3" mode.
It seems that even leaving in optional 192 bit support breaks auth on some
clients, including iOS devices.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
16 months ago  netifd: fix disabling radio via config if reconf is being used
Prasun Maiti [Thu, 17 Aug 2023 12:17:18 +0000 (17:47 +0530)]
netifd: fix disabling radio via config if reconf is being used

Do not bypass down/up reconfig codepath if the radio is being disabled,
otherwise it will be left running.

Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix commit description]
17 months ago  wireless: enable dynamic reconfiguration by default
Felix Fietkau [Mon, 17 Jul 2023 09:04:29 +0000 (11:04 +0200)]
wireless: enable dynamic reconfiguration by default

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  wireless: add support for replacing data blobs at runtime
Felix Fietkau [Mon, 17 Jul 2023 09:03:30 +0000 (11:03 +0200)]
wireless: add support for replacing data blobs at runtime

Needed for dynamic reconfiguration

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: fix config reload on 32 bit systems
Felix Fietkau [Mon, 3 Jul 2023 09:09:08 +0000 (11:09 +0200)]
bridge: fix config reload on 32 bit systems

unsigned long diff overflows and needs to be turned into an array

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  wireless: fix another reconf issue
Felix Fietkau [Thu, 29 Jun 2023 10:27:02 +0000 (12:27 +0200)]
wireless: fix another reconf issue

Defer handling wdev config updates until the entire config has been processed.
Fixes an issue where only the changes of the first modified vif would be accepted

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  wireless: fix handling config reload with reconf=1
Felix Fietkau [Wed, 28 Jun 2023 12:35:46 +0000 (14:35 +0200)]
wireless: fix handling config reload with reconf=1

If reload triggers while the wdev is up, and reconf is set to 1, run the
setup handler immediately, otherwise the change will not be applied.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  wireless: fix changing reconf/serialize options in configuration
Felix Fietkau [Wed, 28 Jun 2023 12:22:15 +0000 (14:22 +0200)]
wireless: fix changing reconf/serialize options in configuration

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: add support for configuring extra vlans for the bridge itself
Felix Fietkau [Tue, 27 Jun 2023 08:48:26 +0000 (10:48 +0200)]
bridge: add support for configuring extra vlans for the bridge itself

Can be configured in the same way as extra bridge member vlans

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: fix coverity false positive report
Christian Marangi [Sat, 24 Jun 2023 12:34:12 +0000 (14:34 +0200)]
bridge: fix coverity false positive report

Fix Coverity Defect 1532481 reporting a Resource leak when
!bm->node.avl.key is false in bridge_hotplug_add.

This is not a real issue, since bm->node.avl.key is always NULL for newly
allocated entries and guaranteed to be non-NULL for entries returned by
vlist_find.

Fixes: edf3aced9f9a ("bridge: add support for adding vlan ranges via hotplug")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: add support for adding vlan ranges via hotplug
Felix Fietkau [Fri, 23 Jun 2023 10:36:51 +0000 (12:36 +0200)]
bridge: add support for adding vlan ranges via hotplug

This simplifies using wireless devices as VLAN trunking ports

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: make hotplug-added vlans default to tagged
Felix Fietkau [Fri, 23 Jun 2023 09:48:20 +0000 (11:48 +0200)]
bridge: make hotplug-added vlans default to tagged

This simplifies adding extra vlans and ranges

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  bridge: add support for configuring extra tagged vlans on member devices
Felix Fietkau [Fri, 23 Jun 2023 08:17:45 +0000 (10:17 +0200)]
bridge: add support for configuring extra tagged vlans on member devices

This can be used to allow trunking dynamically allocated VLANs into a specific
member port. In order to use this, add a device section for the member port with
the 'vlan' array option, which can contain vlan numbers or ranges.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  wireless: add network_vlan config attribute
Felix Fietkau [Wed, 21 Jun 2023 18:47:05 +0000 (20:47 +0200)]
wireless: add network_vlan config attribute

This can be used to make a wireless interface/vlan a tagged member of extra VLANs.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
17 months ago  vlan/vlandev: pass through extra vlan information passed via hotplug
Felix Fietkau [Wed, 21 Jun 2023 18:46:24 +0000 (20:46 +0200)]
vlan/vlandev: pass through extra vlan information passed via hotplug

This adds support for adding extra tagged VLANs in addition to the primary one

Signed-off-by: Felix Fietkau <nbd@nbd.name>
18 months ago  system-linux: fix memory leak in system_bridge_vlan_check
Felix Fietkau [Sun, 4 Jun 2023 16:34:01 +0000 (18:34 +0200)]
system-linux: fix memory leak in system_bridge_vlan_check

The message passed to nl_send_auto_complete still needs to be freed
even in the normal path

Fixes: https://github.com/openwrt/netifd/issues/4
Fixes: 85f01c44a950 ("bridge: check bridge port vlan membership on link-up events")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
18 months ago  bridge: bridge_dump_info: add dumping of bridge attributes  [staging/ynezz/fixes-bridge-inspect]
Petr Štetiar [Thu, 9 Mar 2023 13:57:51 +0000 (14:57 +0100)]
bridge: bridge_dump_info: add dumping of bridge attributes

There are internal decisions being made using several bridge attributes
like for example in bridge_reload(), but those attributes are not
available for the outside inspection, thus hard to follow.

So let's make inspection easier and simply add dumping of those
bridge attributes as well.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
18 months ago  bridge: make it more clear why the config was applied
Petr Štetiar [Thu, 9 Mar 2023 08:30:19 +0000 (09:30 +0100)]
bridge: make it more clear why the config was applied

In some cases we see that the bridge configuration was applied, but it's
not exactly clear why it was done, so let's add a simple debugging output
which should provide the currently missing clue.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
18 months ago  cmake: fix build by reordering the cflags definitions
Petr Štetiar [Wed, 29 Mar 2023 07:29:54 +0000 (09:29 +0200)]
cmake: fix build by reordering the cflags definitions

I've noticed a bunch of build errors being emitted by clang-15/gcc-10:

 netifd.h:83:33: error: unused parameter 'level' [-Werror,-Wunused-parameter]

and it seems that the order of definitions matters, as -Wextra probably
enables previously disabled warnings like -Wno-unused-parameter.

So let's fix it by reordering the cflags definitions.

Fixes: 463a1207f076 ("netifd: Activate -Wextra compile warnings")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
18 months ago  treewide: fix multiple compiler warnings
Petr Štetiar [Wed, 29 Mar 2023 07:45:04 +0000 (09:45 +0200)]
treewide: fix multiple compiler warnings

Fixes a bunch of clang-15/gcc-10 compiler warnings, mostly related to
blobmsg_for_each_attr() usage:

 error: comparison of integers of different signs: 'int' and 'unsigned long' [-Werror,-Wsign-compare]
 error: comparison of integers of different signs: 'size_t' (aka 'unsigned long') and 'int' [-Werror,-Wsign-compare]
 error: format string is not a string literal [-Werror,-Wformat-nonliteral]

Signed-off-by: Petr Štetiar <ynezz@true.cz>
19 months ago bridge: remove stray newline from device status vlan port list
Felix Fietkau [Thu, 4 May 2023 13:14:59 +0000 (15:14 +0200)]
bridge: remove stray newline from device status vlan port list

Signed-off-by: Felix Fietkau <nbd@nbd.name>
20 months ago device: fix segfault when recreating devices
Felix Fietkau [Mon, 17 Apr 2023 11:11:53 +0000 (13:11 +0200)]
device: fix segfault when recreating devices

Depending on the configuration, the callback on device_release could end up
deleting the device_dep from the list. If that happens, it must not be added
back to the recreated device, since that leads to use-after-free issues.
Check dep->dev before adding it back.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
21 months ago netifd: Activate -Wextra compile warnings
Hauke Mehrtens [Sun, 12 Feb 2023 20:02:08 +0000 (21:02 +0100)]
netifd: Activate -Wextra compile warnings

This activates some more compile warnings.
-pedantic is not yet activated, since then we see too many errors which I do
not know how to mitigate.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months ago netifd: Explicitly zero initialize variables
Hauke Mehrtens [Sun, 12 Feb 2023 20:38:04 +0000 (21:38 +0100)]
netifd: Explicitly zero initialize variables

The -pedantic option was complaining about the old initialization and
prefers if it is explicitly initialized to zero.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months ago netifd: Do not return values in void function
Hauke Mehrtens [Sun, 12 Feb 2023 20:07:14 +0000 (21:07 +0100)]
netifd: Do not return values in void function

These two functions return void, do not try to return a parameter.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months ago netifd: Fix multiple -Wsign-compare warnings
Hauke Mehrtens [Sun, 12 Feb 2023 20:07:31 +0000 (21:07 +0100)]
netifd: Fix multiple -Wsign-compare warnings

This fixes warnings like this:
warning: comparison of integer expressions of different signedness: 'int' and 'long unsigned int' [-Wsign-compare]

Mostly this was an int compared to a size_t returned by ARRAY_SIZE().
The easiest fix is to count on the size_t type.

The ifindex is sometimes an unsigned int and sometimes a signed int in
the kernel interfaces. I think it normally fits into an unsigned 16 bit
value, so this should be fine. Do the one comparison where the
compiler complains as a long.

Casting the result of sizeof() to int should be safe. These values are
never out of range of int.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
21 months ago netifd: bridge: Fix format string position
Hauke Mehrtens [Sun, 12 Feb 2023 20:01:57 +0000 (21:01 +0100)]
netifd: bridge: Fix format string position

This fixes the following compile error:
error: format not a string literal, argument types not checked [-Werror=format-nonliteral]

blobmsg_printf() has the following signature:
int blobmsg_printf(struct blob_buf *buf, const char *name, const char *format, ...)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
23 months ago device: fix vlan device issues with disappearing lower devices
Felix Fietkau [Fri, 30 Dec 2022 15:38:41 +0000 (16:38 +0100)]
device: fix vlan device issues with disappearing lower devices

In some cases, if a VLAN is created on top of a bridge, a config reload
can lead to the bridge being torn down while netifd still considers the
VLAN device to be up.
In that case even a setup retry of an interface on top of the vlan does
not recreate the vlan device, because it is still claimed.
Fix this by releasing all device claims whenever a device goes away.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
23 months ago vlandev: propagate topology changes
Felix Fietkau [Fri, 30 Dec 2022 14:16:50 +0000 (15:16 +0100)]
vlandev: propagate topology changes

Same as vlan

Signed-off-by: Felix Fietkau <nbd@nbd.name>
23 months ago utils: include utils.h last
Felix Fietkau [Thu, 29 Dec 2022 18:56:08 +0000 (19:56 +0100)]
utils: include utils.h last

Fixes conflict with some system headers that use the fallthrough keyword

Signed-off-by: Felix Fietkau <nbd@nbd.name>
23 months ago system: move netdev types to system-linux.c where they are used
Felix Fietkau [Thu, 29 Dec 2022 18:55:30 +0000 (19:55 +0100)]
system: move netdev types to system-linux.c where they are used

Fixes compile error on non-linux systems (used for testing)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
23 months ago wireless: add support for disabling multicast-to-unicast per virtual interface
Felix Fietkau [Mon, 19 Dec 2022 17:15:01 +0000 (18:15 +0100)]
wireless: add support for disabling multicast-to-unicast per virtual interface

Signed-off-by: Felix Fietkau <nbd@nbd.name>
23 months ago wireless: allow set_retry ubus notify command to trigger a wdev restart
Felix Fietkau [Fri, 30 Sep 2022 12:34:44 +0000 (14:34 +0200)]
wireless: allow set_retry ubus notify command to trigger a wdev restart

This can be used to retry bringing up a wireless device after receiving a
hotplug event

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago treewide: correctly apply IFNAMSIZ limit
Jo-Philipp Wich [Thu, 17 Nov 2022 08:09:09 +0000 (09:09 +0100)]
treewide: correctly apply IFNAMSIZ limit

The `IFNAMSIZ` macro defines the required buffer size to hold a Linux
interface name including the terminating zero byte while netifd currently
uses an `IFNAMSIZ + 1` limit for interface name buffers.

This causes netifd to use overlong names (16 instead of 15 bytes) in
netlink communication with the kernel, leading to netlink failure replies
due to policy violations.

Fix this issue by applying the correct length, that is `IFNAMSIZ` directly,
to the corresponding buffers.

Ref: https://github.com/openwrt/openwrt/issues/11259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
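As an added illustration of the sizing rule this commit describes (example code, not netifd's own): a Linux interface name is valid only if it fits in IFNAMSIZ - 1 visible bytes plus the terminating zero, so an IFNAMSIZ + 1 buffer silently admits one character too many. The function names copy_ifname and copy_ifname_legacy and the sample names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <net/if.h>   /* IFNAMSIZ, 16 on Linux: 15 name bytes + NUL */

#ifndef IFNAMSIZ
#define IFNAMSIZ 16   /* fallback for non-Linux builds of this example */
#endif

/* Correct sizing (hypothetical helper): copy src into an IFNAMSIZ-sized
 * buffer. Returns 0 on success, -1 if the name is empty or would need
 * more than IFNAMSIZ - 1 bytes, the limit the kernel enforces on
 * IFLA_IFNAME and in dev_valid_name(). */
int copy_ifname(char dst[IFNAMSIZ], const char *src)
{
    size_t len = strnlen(src, IFNAMSIZ);

    if (len == 0 || len >= IFNAMSIZ)
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 <= IFNAMSIZ, NUL included */
    return 0;
}

/* Pre-fix behaviour for comparison (hypothetical helper): the same check
 * against an IFNAMSIZ + 1 buffer accepts a 16-byte name, which the kernel
 * then rejects with a netlink policy error instead of applying it. */
int copy_ifname_legacy(char dst[IFNAMSIZ + 1], const char *src)
{
    size_t len = strnlen(src, IFNAMSIZ + 1);

    if (len == 0 || len >= IFNAMSIZ + 1)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    /* constructed sample names: 15 characters fits, 16 does not */
    const char *fits = "br-guestwifi-99";
    const char *overlong = "br-guestwifi-100";
    char buf[IFNAMSIZ + 1];

    printf("%-18s correct=%d legacy=%d\n", fits,
           copy_ifname(buf, fits), copy_ifname_legacy(buf, fits));
    printf("%-18s correct=%d legacy=%d\n", overlong,
           copy_ifname(buf, overlong), copy_ifname_legacy(buf, overlong));
    return 0;
}
```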
2 years ago interface: fix use-after-free bug when rewriting resolv.conf
Felix Fietkau [Thu, 25 Aug 2022 19:09:24 +0000 (21:09 +0200)]
interface: fix use-after-free bug when rewriting resolv.conf

After the call to interface_handle_config_change, the iface pointer will no
longer be valid if the interface has been deleted from the config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago netifd: fix WPA3 enterprise ciphers
Joerg Werner [Mon, 15 Aug 2022 12:10:22 +0000 (14:10 +0200)]
netifd: fix WPA3 enterprise ciphers

WPA3 enterprise requires wpa_cipher to be GCMP-256 for good client/device
support, so if the user sets encryption to wpa3 or wpa3-mixed, then add
GCMP-256. Also allow explicit selection of GCMP-256/CCMP-256 ciphers by
adding gcmp256/ccmp256 at the end of the encryption value.

Signed-off-by: Joerg Werner <schreibubi@gmail.com>
2 years ago interface: support "zone" config option
Rafał Miłecki [Wed, 27 Jul 2022 05:34:39 +0000 (07:34 +0200)]
interface: support "zone" config option

Many protocol handlers support "zone" option independently and they pass
it in the "data". Then it's read e.g. by a firewall[34].

Add support for "zone" directly to the netifd so:
1. It works for all protocols
2. Handlers don't have to duplicate code

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2 years ago interface-ip: fix memory corruption bug when using jail network namespaces
Junnan Xu [Tue, 31 May 2022 14:31:19 +0000 (22:31 +0800)]
interface-ip: fix memory corruption bug when using jail network namespaces

Memory corruption occurs when resolv_conf is specified by the -r input parameter
and the resolv_conf length is less than that of "/tmp/resolv.conf-.d/resolv.conf.auto".

Signed-off-by: Junnan Xu <junnanx.xu@gmail.com>
2 years ago netifd: fix hwmode for 60g band
Daniel Golle [Sun, 3 Apr 2022 12:02:22 +0000 (13:02 +0100)]
netifd: fix hwmode for 60g band

hwmode should be set to 'ad' for 60g band.

Reported-by: herman@zeilsteenfilm.nl
Fixes: 62e3cb5 ("scripts/netifd-wireless.sh: add support for specifying the operating band")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years ago interface-ip: add support for excluding interfaces in host route lookup
Felix Fietkau [Thu, 19 May 2022 15:21:23 +0000 (17:21 +0200)]
interface-ip: add support for excluding interfaces in host route lookup

When adding host routes needed for an interface to communicate, it may be
necessary to skip the interface itself, in case it provides a default route.
This helps with avoiding accidental loops

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago interface-ip: unify host and proto route handling
Felix Fietkau [Thu, 19 May 2022 14:45:52 +0000 (16:45 +0200)]
interface-ip: unify host and proto route handling

Make host routes use the same update logic as regular proto routes, including
the enable/disable handling.
This avoids unnecessary remove/add cycles when adding the same host route
multiple times

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago cmake: fix usage of implicit library and include paths
Petr Štetiar [Sun, 20 Feb 2022 09:41:53 +0000 (10:41 +0100)]
cmake: fix usage of implicit library and include paths

And thus allow building in out-of-tree setups etc.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2 years ago netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Julian Squires [Fri, 30 Apr 2021 14:30:37 +0000 (12:00 -0230)]
netifd: interface-ip: don't set fib6 policies if ipv6 disabled

If IPv6 is disabled on a device, netifd still creates rules for it:

0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000002:     from all iif eth0 lookup unspec 12
4200000003:     from all iif eth1 lookup unspec 12

When logread is asked to log to a remote system, it invokes usock such
that getaddrinfo is called with AI_ADDRCONFIG in the flags; if ipv6 is
disabled on lo, musl attempts to connect to ::1 but gets EACCES from
the kernel, because of the reject policy added; this causes logread to
fail to connect:

socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 8
connect(8, {sa_family=AF_INET6, sin6_port=htons(65535), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)

See <https://www.openwall.com/lists/musl/2021/04/30/2> for a
discussion of musl's handling of this.

This change only sets up the v6 rules if ipv6 is enabled on the
device.

Signed-off-by: Julian Squires <julian@cipht.net>
2 years ago system-linux: expose hw-tc-offload ethtool feature in device status dump
Jo-Philipp Wich [Fri, 4 Feb 2022 18:06:52 +0000 (19:06 +0100)]
system-linux: expose hw-tc-offload ethtool feature in device status dump

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2 years ago system-linux: add wrapper function for creating link config messages
Felix Fietkau [Tue, 1 Feb 2022 11:53:50 +0000 (12:53 +0100)]
system-linux: add wrapper function for creating link config messages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago system-linux: delete bridge devices using netlink
Felix Fietkau [Tue, 1 Feb 2022 10:58:44 +0000 (11:58 +0100)]
system-linux: delete bridge devices using netlink

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago system-linux: create bridge devices using netlink
Felix Fietkau [Tue, 1 Feb 2022 10:56:54 +0000 (11:56 +0100)]
system-linux: create bridge devices using netlink

The legacy ioctl + sysfs configuration is deprecated, and the netlink code
is smaller and easier to read

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2 years ago iprule: add support for uidrange
Matthew Hagan [Sun, 16 Jan 2022 00:21:17 +0000 (00:21 +0000)]
iprule: add support for uidrange

Allow for per-user routing policies via the uidrange iprule option.
The option allows for a single UID or a range of UIDs.

Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2 years ago system: fix compilation with glibc 2.34
Hans Dedecker [Fri, 14 Jan 2022 20:27:39 +0000 (21:27 +0100)]
system: fix compilation with glibc 2.34

Fixes ARPHRD_PHONET/ARPHRD_PHONET_PIPE undeclared compilation error with
glibc 2.34

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2 years ago Revert "netifd: add devtype to ubus call"
Hans Dedecker [Wed, 12 Jan 2022 19:39:04 +0000 (20:39 +0100)]
Revert "netifd: add devtype to ubus call"

This reverts commit 7ccbf08570619a4d3eccf6401791075908bb1d78 as the
commit accidentally slipped into the git tree.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>