docs/package/gluon-ebtables-limit-arp.rst

@@ -25,5 +25,6 @@ This package is installed by default if the selected routing
 feature is *mesh-batman-adv-15*.
 It can be unselected via::
 
-    GLUON_SITE_PACKAGES := \
-      -gluon-ebtables-limit-arp
+    packages {
+      '-gluon-ebtables-limit-arp',
+    }

docs/package/gluon-harden-dropbear.rst

+gluon-harden-dropbear
+=====================
+
+This package reduces the attack surface of dropbear, the SSH server on the router.
+
+If the root account either has no password configured or is locked,
+password authorization is disabled in dropbear's settings.
+
+If furthermore no SSH key is authorized to login, the ``dropbear`` service is disabled.
+
+Changing the password or updating authorized keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Via console
+"""""""""""
+
+Upon editing */etc/dropbear/authorized_keys* or changing root's password,
+a call to *gluon-reconfigure* as well as a reboot might be needed in order to have dropbear launched conditionally upon boot.
+
+.. code-block:: bash
+
+  passwd
+  gluon-reconfigure
+  reboot
+
+
+In setup-mode
+"""""""""""""
+
+As *gluon-reconfigure* is run when rebooting from the setup-mode web interface, no further steps are required.

docs/package/gluon-hoodselector.rst

@@ -66,7 +66,7 @@ and others which contain shapes.
 
 * **default domain**
 
-The default domain doesn’t hold any shapes and represents the inverted area of
+The default domain doesn't hold any shapes and represents the inverted area of
 all other shapes held by other domains with geo coordinates. It will only be
 entered if a node could not be matched to a geo domain. A suggested approach is
 to define the "old" network as default domain and gradually migrate nodes from

docs/package/gluon-logging.rst

+gluon-logging
+=============
+
+The *gluon-logging* package allows to configure a remote syslog server that
+will receive the systems log output that is also visible when calling ``logread``
+from a terminal.
+
+It supports both IPv4 and IPv6 endpoints over UDP and TCP.
+
+Note: The syslog mechanism is incapable of providing a complete log as network
+access is required to send out log messages and ``logd`` does not buffer and resend
+older log messages even though they might be available in ``logread``.
+
+This package conflicts with ``gluon-web-logging`` as it will overwrite the
+user-given syslog server on every upgrade.
+
+site.conf
+---------
+
+syslog.ip : required
+    - Destination address of the remote syslog server
+
+syslog.port : optional
+    - Destination port of the remote syslog server
+    - Defaults to 514
+
+syslog.proto : optional
+    - Protocol to transport syslog frames in, can be either ``tcp`` or ``udp``
+    - Defaults to UDP
+
+Example::
+
+  syslog = {
+    ip = "2001:db8::1",
+    port = 514,
+    proto = "udp",
+  },

docs/package/gluon-mesh-batman-adv.rst

@@ -168,3 +168,32 @@ or to at least manually mark the port to the Gluon router as a
 Alternatively, the filtering of IGMP/MLD reports can be disabled via
 the site.conf (which is not recommended in large meshes though).
 See :ref:`site.conf mesh section <user-site-mesh>` for details.
+
+Tweaking Hop Penalty
+^^^^^^^^^^^^^^^^^^^^
+
+In general, the usage of a directly connected uplink is preferred over a faster more distant connection.
+In situations where the uplink of a device should only be used as a fallback (e.g. metered connection or slower encryption), this can be tweaked using a hop_penalty in gluon.
+Examples of this are shown below:
+
+.. code-block:: sh
+
+  # use mesh-vpn as fallback only
+  uci set gluon.mesh_vpn.batadv_hop_penalty='120'
+  # optional penalty for wired mesh
+  uci set gluon.iface_lan.batadv_hop_penalty=10
+  # optional for mesh on wan
+  uci set gluon.iface_wan.batadv_hop_penalty=10
+  # don't forget to commit changes
+  uci commit gluon
+
+To apply the changes, run the following commands:
+
+.. code-block:: sh
+
+  gluon-reconfigure
+  reboot
+
+Further documentation of the hop penalty can be found here:
+
+https://www.open-mesh.org/doc/batman-adv/Tweaking.html#hop-penalty

docs/package/gluon-mesh-wireless-sae.rst

+gluon-mesh-wireless-sae
+=======================
+
+This package adds support for SAE on 802.11s mesh connections.
+
+Enabling this package will require all 802.11s mesh connections
+to be encrypted using the SAE key agreement scheme. The security
+of SAE relies upon the authentication through a shared secret.
+
+In the context of public mesh networks a shared secret is an
+obvious oxymoron. Still, this functionality may provide an improvement
+over unencrypted mesh connections in that it protects against a
+passive attacker who did not observe the key agreement. In addition
+Management Frame Protection (802.11w) gets automatically enabled on
+wireless mesh interfaces to prevent protocol-level deauthentication attacks.
+
+If `wifi.mesh.sae` is enabled, a shared secret will automatically be
+derived from the `prefix6` variable. This is as secure as it gets
+for a public mesh network.
+
+For *private* mesh networks `wifi.mesh.sae_passphrase` should be
+set to your shared secret.
+
+site.conf
+---------
+These settings apply to all 802.11s mesh interfaces on all radios.
+
+wifi.mesh.sae \: optional
+  - ``true`` enables SAE on 802.11s mesh connections
+  - ``false`` disables SAE on 802.11s mesh connections
+  - defaults to ``false``
+
+wifi.mesh.sae_passphrase \: optional
+  - sets a shared secret used to authenticate any two mesh nodes,
+    crucial for private mesh networks
+  - should not be set, if the shared secret is shared with untrusted
+    third parties, like in a public mesh network
+  - defaults to an autogenerated value derived from ``prefix6``
+
+
+Example::
+
+  wifi = {
+    mesh = {
+      sae = true,
+      -- sae_passphrase = "<shared secret>",
+    },
+  },
+

docs/package/gluon-radv-filterd.rst

@@ -20,22 +20,25 @@ In case a router is not a batman-adv originator itself, its TQ is defined by
 the originator it is connected to. This lookup uses the batman-adv global
 translation table.
 
-Initially the router is the selected by choosing the candidate with the
-strongest TQ. When another candidate can provide a better TQ metric it is not
-picked up as the selected router until it will outperform the currently
-selected router by X metric units. The hysteresis threshold is configurable
-and prevents excessive flapping of the gateway.
+Initially the router is selected by choosing the candidate with the strongest
+TQ. When another candidate can provide a better TQ metric, that outperforms the
+currently selected router by X metric units, it will be picked as the new
+selected router. The hysteresis threshold is configurable and prevents excessive
+flapping of the gateway.
 
-"Local" routers
----------------
+Local routers
+-------------
+
+Local routers (i.e. local internet gateways connected to some nodes) that are
+connected to the client interface via cable or WLAN instead of via the mesh
+(technically: appearing in the transtable_local) are taken into account with a
+fake TQ of 512, so that they are always preferred.
 
-The package has functionality to select "local" routers, i.e. those connected
-via cable or WLAN instead of via the mesh (technically: appearing in the
-``transtable_local``), a fake TQ of 512 so that they are always preferred.
-However, if used together with the :doc:`gluon-ebtables-filter-ra-dhcp`
-package, these router advertisements are filtered anyway and reach neither the
-node nor any other client. You currently have to disable the package or insert
-custom ebtables rules in order to use local routers.
+Be aware of problems if you plan to use local routers together with the
+:doc:`gluon-ebtables-filter-ra-dhcp` package. These router advertisements are
+filtered anyway and reach neither the node nor any other client. Therefore the
+use of local routers is not possible as long as the package
+``gluon-radv-filterd`` is used.
 
 respondd module
 ---------------

docs/package/gluon-radvd.rst

+gluon-radvd
+===========
+
+This package provides service files and configuration endpoints for the IPv6
+router advertisement daemon.
+
+Arguments
+---------
+
+This package provides skeleton service files for ``uradvd``.
+It requires another package to provide the arguments ``uradvd`` is supposed to
+be launched with.
+
+:doc:`gluon-mesh-batman-adv` and ``gluon-mesh-layer3-common`` are two packages
+providing such arguments in order to announce default routes for Layer 3 meshes,
+while only announcing prefixes for Layer 2 meshes.
+
+site.conf
+---------
+
+radvd.preferred_lifetime : optional
+    - the span of time during which the address can be freely used as a source
+      and destination for traffic. Should be less or equal valid-lifetime.
+    - defaults to ``14400`` seconds => 4h
+radvd.valid_lifetime : optional
+    - the total time the prefix remains available before becoming unusable
+    - defaults to ``86400`` seconds => one day
+
+Example::
+
+  radvd = {
+    preferred_lifetime = 150,
+    valid_lifetime = 300,
+  },

docs/package/gluon-scheduled-domain-switch.rst

@@ -10,6 +10,9 @@ powered off while this was supposed to happen, it might not be able to acquire t
 correct time. In this case, the node will switch after it has not seen any gateway
 for a given period of time.
 
+In older versions ping was used against an array of endpoints to determine mesh-connectivity.
+Nowadays *gluon-state-check* is used for this and evaluates mesh-(VPN) connectivity and NTP states.
+
 site.conf
 ---------
 All those settings have to be defined exclusively in the domain, not the site.
@@ -21,9 +24,6 @@ domain_switch : optional (needed for domains to switch)
     - amount of time without reachable gateway to switch unconditionally
   switch_time :
     - UNIX epoch after which domain will be switched
-    connection_check_targets :
-        - array of IPv6 addresses which are probed to determine if the node is
-	  connected to the mesh
 
 Example::
 
@@ -31,8 +31,4 @@ Example::
     target_domain = 'new_domain',
     switch_after_offline_mins = 120,
     switch_time = 1546344000, -- 01.01.2019 - 12:00 UTC
-    connection_check_targets = {
-      '2001:4860:4860::8888',
-      '2001:4860:4860::8844',
-    },
   },

docs/package/gluon-web-cellular.rst

+.. _package-gluon-web-cellular:
+
+gluon-web-cellular
+==================
+
+This package allows to configure WWAN for capable cellular devices.
+
+This works by creating an abstraction layer into Gluon which takes common options (SIM PIN / APN) and translates it to modem-specific settings based on the specific device using. 
+Doing so limits the use-case onto specific models (no LTE sticks possible) but provides a common interface.
+
+The WWAN is assigned the WAN firewall zone and wired WAN can still be used, however without prioritization.
+The traffic path is not configured to prefer one uplink source or the other.
+
+.. image:: gluon-web-cellular.png

docs/package/gluon-web-network.rst

+gluon-web-network
+=================
+
+The package *gluon-web-network* is part of :ref:`Feature Flag <user-site-feature-flags>` web-advanced.
+It allows to configure the network interfaces roles of the gluon node in config mode through checkboxes.
+
+It is a user-friendly way to configure what otherwise would need the :ref:`wired-mesh-commandline`.
+
+.. image:: gluon-web-network.png
+
+configuration options
+---------------------
+
+The following roles can be assigned to the interfaces:
+
+* `Uplink` - interface is used for WAN connection, which is used for the VPN if `mesh-vpn` checkbox is enabled in basic config mode
+* `Mesh` - interface is used for :doc:`../features/wired-mesh`. Using this on the WAN interface is also known as "Mesh-on-WAN"
+* `Client` - interface is used as client network - connected devices to this interface should get a working internet configuration through DHCP
+
+The roles `Uplink`/`Mesh` and `Client` are mutually exclusive.

docs/releases/index.rst

+Release Notes
+=============
+
+.. toctree::
+  :caption: Gluon 2023.2
+  :maxdepth: 2
+
+  v2023.2.5
+  v2023.2.4
+  v2023.2.3
+  v2023.2.2
+  v2023.2.1
+  v2023.2
+
+.. toctree::
+  :caption: Gluon 2023.1
+  :maxdepth: 2
+
+  v2023.1.2
+  v2023.1.1
+  v2023.1
+
+.. toctree::
+  :caption: Gluon 2022.1
+  :maxdepth: 2
+
+  v2022.1.4
+  v2022.1.3
+  v2022.1.2
+  v2022.1.1
+  v2022.1
+
+.. toctree::
+  :caption: Gluon 2021.1
+  :maxdepth: 2
+
+  v2021.1.2
+  v2021.1.1
+  v2021.1
+
+.. toctree::
+  :caption: Gluon 2020.2
+  :maxdepth: 2
+
+  v2020.2.3
+  v2020.2.2
+  v2020.2.1
+  v2020.2
+
+.. toctree::
+  :caption: Gluon 2020.1
+  :maxdepth: 2
+
+  v2020.1.4
+  v2020.1.3
+  v2020.1.2
+  v2020.1.1
+  v2020.1
+
+.. toctree::
+  :caption: Gluon 2019.1
+  :maxdepth: 2
+
+  v2019.1.3
+  v2019.1.2
+  v2019.1.1
+  v2019.1
+
+.. toctree::
+  :caption: Gluon 2018.2
+  :maxdepth: 2
+
+  v2018.2.4
+  v2018.2.3
+  v2018.2.2
+  v2018.2.1
+  v2018.2
+
+.. toctree::
+  :caption: Gluon 2018.1
+  :maxdepth: 2
+
+  v2018.1.4
+  v2018.1.3
+  v2018.1.2
+  v2018.1.1
+  v2018.1
+
+.. toctree::
+  :caption: Gluon 2017.1
+  :maxdepth: 2
+
+  v2017.1.8
+  v2017.1.7
+  v2017.1.6
+  v2017.1.5
+  v2017.1.4
+  v2017.1.3
+  v2017.1.2
+  v2017.1.1
+  v2017.1
+
+.. toctree::
+  :caption: Gluon 2016.2
+  :maxdepth: 2
+
+  v2016.2.7
+  v2016.2.6
+  v2016.2.5
+  v2016.2.4
+  v2016.2.3
+  v2016.2.2
+  v2016.2.1
+  v2016.2
+
+.. toctree::
+  :caption: Gluon 2016.1
+  :maxdepth: 2
+
+  v2016.1.6
+  v2016.1.5
+  v2016.1.4
+  v2016.1.3
+  v2016.1.2
+  v2016.1.1
+  v2016.1
+
+.. toctree::
+  :caption: Gluon 2015.1
+  :maxdepth: 2
+
+  v2015.1.2
+  v2015.1.1
+  v2015.1
+
+.. toctree::
+  :caption: Gluon 2014.4
+  :maxdepth: 2
+
+  v2014.4
+
+.. toctree::
+  :caption: Gluon 2014.3
+  :maxdepth: 2
+
+  v2014.3.1
+  v2014.3
+

docs/releases/v2014.4.rst

@@ -146,7 +146,7 @@ Ignored tx-power offset on Ubiquiti AirMax devices
 
 https://github.com/freifunk-gluon/gluon/issues/94
 
-There is still no OpenWRT support for determining the transmission
+There is still no OpenWrt support for determining the transmission
 power offsets on Ubiquiti AirMax devices (Bullet M2, Picostation
 M2, Nanostation (loco) M2, ...). Use Gluon with caution on these
 devices! Manual adjustment may be required.

docs/releases/v2015.1.rst

@@ -19,7 +19,7 @@ ar71xx-generic
 
   - DIR-615 (C1)
 
-* GL-Inet
+* GL.iNet
 
   - 6408A (v1)
   - 6416A (v1)

docs/releases/v2017.1.rst

@@ -88,6 +88,8 @@ New features
 * Add support for making nodes a DNS cache for clients
   (`#1000 <https://github.com/freifunk-gluon/gluon/pull/1000>`_)
 
+  See also: :doc:`../features/dns-cache`
+
 * Add L2TP via tunneldigger as an alternative VPN system
   (`#978 <https://github.com/freifunk-gluon/gluon/pull/978>`_)