gluon
OLSRDv2 Support: Initial Meshing
This just includes basic olsr2 meshing to make it easier to review
MMFD firewall rule split is in #2553 for separate review
Thanks! This goes in the right direction. But maybe we could avoid even more duplicate definitions?
Maybe we could get it in a shape where the gluon-mesh-babel package, via 310-gluon-mesh-babel-firewall, only needs to add the following firewall rule:
```lua
uci:section('firewall', 'rule', 'mesh_babel', {
	src = 'mesh',
	src_ip = 'fe80::/64',
	dest_port = '6696',
	proto = 'udp',
	target = 'ACCEPT',
})
```
And gluon-mesh-olsrd, via 310-gluon-mesh-olsrd-firewall only adds this?
```lua
uci:section('firewall', 'rule', 'mesh_olsrd', {
	src = 'mesh',
	src_ip = 'fe80::/64',
	dest_port = '269',
	proto = 'udp',
	target = 'ACCEPT',
})
```
And move all the other rules like this maybe:
- fcc, fcm, fmc, fmm
  - to a common package, like gluon-mesh-layer3-common, make gluon-mesh-{olsrd,babeld} depend on it
- flc, fcl
  - -> gluon-l3roamd package
- mesh_respondd_mcast_ll, mesh_respondd_mcast2, mmfd_respondd_ll, mmfd_respondd_mesh
  - -> to gluon-mmfd
(@NeoRaider would that make sense to you, too, or any alternative suggestions?)
Btw. do you have some more insights on the firewall "HACK" comment in 360-gluon-mesh-olsrd-setup-intf, why would you need to add it there instead of in 310-gluon-mesh-babel-firewall? And would olsrd2 be fine with src_ip = fe80::/64 instead of "*"? (Or is there a bug, a regression that was added at some point, to BABEL, too?)
Also gluon-mesh-babel/luasrc/lib/gluon/upgrade/430-gluon-mesh-babel-add-mmfd-interface looks like it should be moved to the gluon-mmfd package, to be able to reuse it for olsrd, too?
Also, I don't see where you configure the site.node_prefix6() in /etc/config/network at the moment. Am I missing something? Or should package/gluon-mesh-babel/luasrc/lib/gluon/upgrade/300-gluon-mesh-babel-ip6 be moved to a gluon-mesh-layer3-common package, too?
> Btw. do you have some more insights on the firewall "HACK" comment in 360-gluon-mesh-olsrd-setup-intf, why would you need to add it there instead of in 310-gluon-mesh-babel-firewall? And would olsrd2 be fine with src_ip = fe80::/64 instead of "*"?
That was from back when gluon_mesh wasn't used and we were hacking ip4 in with static. Now there's a patch on graz branch to have ip4 with gluon_mesh.
Maybe it'll just work.
As for fe80:: : OLSR just uses the first IP it finds. Currently the rule is to simply allow anything from mesh zone, as that just works. Plus this makes patching in ip4 less of a PITA for me.
Another thing: Do I need any rules for wired_mesh? Or is the actual mesh interface always in mesh zone?
I've rebased the pull request against master, it should be much smaller now. This is now ready for review. I will fixup the commit messages after review.
Shouldn't 310-gluon-mesh-olsrd-firewall be removed, too?
@T-X fixed
Meshing with role uplink+mesh set on a single interface and vxlan not set fails. The workaround for this would be macvlan, but that was rejected. But it's better that it's broken, otherwise mesh traffic could end up leaking for real and no one wants that mess.
This PR is now done from my side and everything's tested. Note that clientap is not included, neither are any respondd modules or anything, that'll come later. Depends #2404 #2739
#2404 is now merged and https://github.com/freifunk-gluon/gluon/pull/2739 is not relevant as a dependency without graz modules installed
Tested with the change, node runs and meshes over ethernet. ssh to/from other nodes works.
Merging this, as we agreed yesterday in the meetup.