package/gluon-core/luasrc/usr/lib/lua/gluon/sysconfig.lua

@@ -11,6 +11,10 @@ local function get(_, name)
 end
 
 local function set(_, name, val)
+	if val == get(nil, name) then
+		return
+	end
+
 	if val then
 		local f = io.open(sysconfigdir .. name, 'w+')
 		f:write(val, '\n')
@@ -20,15 +24,7 @@ local function set(_, name, val)
 	end
 end
 
-local setmetatable = setmetatable
-
-module 'gluon.sysconfig'
-
-setmetatable(_M,
-	{
+return setmetatable({}, {
 	__index = get,
 	__newindex = set,
-	}
-)
-
-return _M
+})

package/gluon-core/luasrc/usr/lib/lua/gluon/users.lua

 local util = require 'gluon.util'
 
-local os = os
-local string = string
 
+local M = {}
 
-module 'gluon.users'
-
-function remove_user(username)
+function M.remove_user(username)
 	os.execute('exec lock /var/lock/passwd')
 	util.replace_prefix('/etc/passwd', username .. ':')
 	util.replace_prefix('/etc/shadow', username .. ':')
 	os.execute('exec lock -u /var/lock/passwd')
 end
 
-function remove_group(groupname)
+function M.remove_group(groupname)
 	os.execute('exec lock /var/lock/group')
 	util.replace_prefix('/etc/group', groupname .. ':')
 	os.execute('exec lock -u /var/lock/group')
 end
+
+return M

package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua

+local bit = require 'bit32'
+local posix_fcntl = require 'posix.fcntl'
+local posix_glob = require 'posix.glob'
+local posix_syslog = require 'posix.syslog'
+local posix_unistd = require 'posix.unistd'
+local hash = require 'hash'
+local sysconfig = require 'gluon.sysconfig'
+local site = require 'gluon.site'
+local unistd = require 'posix.unistd'
+
+
+local M = {}
+
 -- Writes all lines from the file input to the file output except those starting with prefix
 -- Doesn't close the output file, but returns the file object
 local function do_filter_prefix(input, output, prefix)
@@ -13,29 +26,11 @@ local function do_filter_prefix(input, output, prefix)
 	return f
 end
 
-
-local io = io
-local os = os
-local string = string
-local tonumber = tonumber
-local ipairs = ipairs
-local pairs = pairs
-local table = table
-
-local nixio = require 'nixio'
-local hash = require 'hash'
-local sysconfig = require 'gluon.sysconfig'
-local site = require 'gluon.site'
-local fs = require 'nixio.fs'
-
-
-module 'gluon.util'
-
-function trim(str)
-	return str:gsub("^%s*(.-)%s*$", "%1")
+function M.trim(str)
+	return (str:gsub("^%s*(.-)%s*$", "%1"))
 end
 
-function contains(table, value)
+function M.contains(table, value)
 	for k, v in pairs(table) do
 		if value == v then
 			return k
@@ -44,7 +39,20 @@ function contains(table, value)
 	return false
 end
 
-function add_to_set(t, itm)
+function M.file_contains_line(path, value)
+	if not unistd.access(path) then
+		return false
+	end
+
+	for line in io.lines(path) do
+		if line == value then
+			return true
+		end
+	end
+	return false
+end
+
+function M.add_to_set(t, itm)
 	for _,v in ipairs(t) do
 		if v == itm then return false end
 	end
@@ -52,7 +60,7 @@ function add_to_set(t, itm)
 	return true
 end
 
-function remove_from_set(t, itm)
+function M.remove_from_set(t, itm)
 	local i = 1
 	local changed = false
 	while i <= #t do
@@ -67,7 +75,7 @@ function remove_from_set(t, itm)
 end
 
 -- Removes all lines starting with a prefix from a file, optionally adding a new one
-function replace_prefix(file, prefix, add)
+function M.replace_prefix(file, prefix, add)
 	local tmp = file .. '.tmp'
 	local f = do_filter_prefix(file, tmp, prefix)
 	if add then
@@ -77,29 +85,33 @@ function replace_prefix(file, prefix, add)
 	os.rename(tmp, file)
 end
 
-function readline(fd)
-	local line = fd:read('*l')
-	fd:close()
-	return line
+local function readall(f)
+	if not f then
+		return nil
+	end
+
+	local data = f:read('*a')
+	f:close()
+	return data
 end
 
-function exec(command)
-	local pp   = io.popen(command)
-	local data = pp:read("*a")
-	pp:close()
+function M.readfile(file)
+	return readall(io.open(file))
+end
 
-	return data
+function M.exec(command)
+	return readall(io.popen(command))
 end
 
-function node_id()
-	return string.gsub(sysconfig.primary_mac, ':', '')
+function M.node_id()
+	return (string.gsub(sysconfig.primary_mac, ':', ''))
 end
 
-function default_hostname()
-	return site.hostname_prefix('') .. node_id()
+function M.default_hostname()
+	return site.hostname_prefix('') .. M.node_id()
 end
 
-function domain_seed_bytes(key, length)
+function M.domain_seed_bytes(key, length)
 	local ret = ''
 	local v = ''
 	local i = 0
@@ -115,7 +127,7 @@ function domain_seed_bytes(key, length)
 	return ret:sub(0, 2*length)
 end
 
-function get_mesh_devices(uconn)
+function M.get_mesh_devices(uconn)
 	local dump = uconn:call("network.interface", "dump", {})
 	local devices = {}
 	for _, interface in ipairs(dump.interface) do
@@ -126,44 +138,39 @@ function get_mesh_devices(uconn)
 	return devices
 end
 
-local function find_phy_by_path(path)
-	for phy in fs.glob('/sys/devices/' .. path .. '/ieee80211/phy*') do
-		return phy:match('([^/]+)$')
-	end
-
-	for phy in fs.glob('/sys/devices/platform/' .. path .. '/ieee80211/phy*') do
-		return phy:match('([^/]+)$')
-	end
-end
+-- Returns a list of all interfaces with a given role
+--
+-- If exclusive is set to true, only interfaces that have no other role
+-- are returned; this is used to ensure that the client role is not active
+-- at the same time as any other role
+function M.get_role_interfaces(uci, role, exclusive)
+	local ret = {}
 
-local function find_phy_by_macaddr(macaddr)
-	local addr = macaddr:lower()
-	for file in fs.glob('/sys/class/ieee80211/*/macaddress') do
-		if trim(fs.readfile(file)) == addr then
-			return file:match('([^/]+)/macaddress$')
+	local function add(name)
+		-- Interface names with a / prefix refer to sysconfig interfaces
+		-- (lan_ifname/wan_ifname/single_ifname)
+		if string.sub(name, 1, 1) == '/' then
+			name = sysconfig[string.sub(name, 2) .. '_ifname'] or ''
 		end
+		for iface in string.gmatch(name, '%S+') do
+			M.add_to_set(ret, iface)
 		end
 	end
 
-function find_phy(config)
-	if not config or config.type ~= 'mac80211' then
-		return nil
-	elseif config.path then
-		return find_phy_by_path(config.path)
-	elseif config.macaddr then
-		return find_phy_by_macaddr(config.macaddr)
-	else
-		return nil
-	end
+	uci:foreach('gluon', 'interface', function(s)
+		local roles = s.role or {}
+		if M.contains(roles, role) and (not exclusive or #roles == 1) then
+			add(s.name)
 		end
+	end)
 
-local function get_addresses(uci, radio)
-	local phy = find_phy(radio)
-	if not phy then
-		return function() end
+	return ret
 end
 
-	return io.lines('/sys/class/ieee80211/' .. phy .. '/addresses')
+-- Safe glob: returns an empty table when the glob fails because of
+-- a non-existing path
+function M.glob(pattern)
+	return posix_glob.glob(pattern, 0) or {}
 end
 
 -- Generates a (hopefully) unique MAC address
@@ -172,13 +179,13 @@ end
 -- IDs defined so far:
 -- 0: client0; WAN
 -- 1: mesh0
--- 2: ibss0
+-- 2: owe0
 -- 3: wan_radio0 (private WLAN); batman-adv primary address
 -- 4: client1; LAN
 -- 5: mesh1
--- 6: ibss1
+-- 6: owe1
 -- 7: wan_radio1 (private WLAN); mesh VPN
-function generate_mac(i)
+function M.generate_mac(i)
 	if i > 7 or i < 0 then return nil end -- max allowed id (0b111)
 
 	local hashed = string.sub(hash.md5(sysconfig.primary_mac), 0, 12)
@@ -187,60 +194,116 @@ function generate_mac(i)
 	m1 = tonumber(m1, 16)
 	m6 = tonumber(m6, 16)
 
-	m1 = nixio.bit.bor(m1, 0x02)  -- set locally administered bit
-	m1 = nixio.bit.band(m1, 0xFE) -- unset the multicast bit
+	m1 = bit.bor(m1, 0x02)  -- set locally administered bit
+	m1 = bit.band(m1, 0xFE) -- unset the multicast bit
 
 	-- It's necessary that the first 45 bits of the MAC address don't
 	-- vary on a single hardware interface, since some chips are using
 	-- a hardware MAC filter. (e.g 'rt305x')
 
-	m6 = nixio.bit.band(m6, 0xF8) -- zero the last three bits (space needed for counting)
+	m6 = bit.band(m6, 0xF8) -- zero the last three bits (space needed for counting)
 	m6 = m6 + i                   -- add virtual interface id
 
 	return string.format('%02x:%s:%s:%s:%s:%02x', m1, m2, m3, m4, m5, m6)
 end
 
-local function get_wlan_mac_from_driver(uci, radio, vif)
-	local primary = sysconfig.primary_mac:lower()
+function M.get_uptime()
+	local uptime_file = M.readfile("/proc/uptime")
+	if uptime_file == nil then
+		-- Something went wrong reading "/proc/uptime"
+		return nil
+	end
+	return tonumber(uptime_file:match('^[^ ]+'))
+end
 
-	local i = 1
-	for addr in get_addresses(uci, radio) do
-		if addr:lower() ~= primary then
-			if i == vif then
-				return addr
+function M.log(message, verbose)
+	if verbose then
+		io.stdout:write(message .. '\n')
 	end
 
-			i = i + 1
+	posix_syslog.syslog(posix_syslog.LOG_INFO, message)
 end
+
+local function close_fds(fds)
+	for _, fd in pairs(fds) do
+		posix_unistd.close(fd)
 	end
 end
 
-function get_wlan_mac(uci, radio, index, vif)
-	local addr = get_wlan_mac_from_driver(uci, radio, vif)
-	if addr then
-		return addr
+M.subprocess = {}
+
+M.subprocess.DEVNULL = -1
+M.subprocess.PIPE = 1
+
+-- Execute a program found using command PATH search, like the shell.
+-- Return the pid, as well as the I/O streams as pipes or nil on error.
+function M.subprocess.popen(path, argt, options)
+	argt = argt or {}
+	local childfds = {}
+	local parentfds = {}
+	local stdiostreams = {stdin = 0, stdout = 1, stderr = 2}
+
+	for iostream in pairs(stdiostreams) do
+		if options[iostream] == M.subprocess.PIPE then
+			local piper, pipew = posix_unistd.pipe()
+			if iostream == "stdin" then
+				childfds[iostream] = piper
+				parentfds[iostream] = pipew
+			else
+				childfds[iostream] = pipew
+				parentfds[iostream] = piper
+			end
+		end
 	end
 
-	return generate_mac(4*(index-1) + (vif-1))
+	-- childfds: r0, w1, w2
+	-- parentfds: w0, r1, r2
+
+	local pid, errmsg, errnum = posix_unistd.fork()
+
+	if pid == nil then
+		close_fds(parentfds)
+		close_fds(childfds)
+		return nil, errmsg, errnum
+	elseif pid == 0 then
+		local null = -1
+		if M.contains(options, M.subprocess.DEVNULL) then
+			-- only open if there's anything to discard
+			null = posix_fcntl.open('/dev/null', posix_fcntl.O_RDWR)
 		end
 
--- Iterate over all radios defined in UCI calling
--- f(radio, index, site.wifiX) for each radio found while passing
---  site.wifi24 for 2.4 GHz devices and site.wifi5 for 5 GHz ones.
-function foreach_radio(uci, f)
-	local radios = {}
+		for iostream, fd in pairs(stdiostreams) do
+			local option = options[iostream]
+			if option == M.subprocess.DEVNULL then
+				posix_unistd.dup2(null, fd)
+			elseif option == M.subprocess.PIPE then
+				posix_unistd.dup2(childfds[iostream], fd)
+			end
+		end
+		close_fds(childfds)
+		close_fds(parentfds)
 
-	uci:foreach('wireless', 'wifi-device', function(radio)
-		table.insert(radios, radio)
-	end)
+		-- close potential null
+		if null > 2 then
+			posix_unistd.close(null)
+		end
+
+		posix_unistd.execp(path, argt)
+		posix_unistd._exit(127)
+	end
 
-	for index, radio in ipairs(radios) do
-		local hwmode = radio.hwmode
+	close_fds(childfds)
 
-		if hwmode == '11g' or hwmode == '11ng' then
-			f(radio, index, site.wifi24)
-		elseif hwmode == '11a' or hwmode == '11na' then
-			f(radio, index, site.wifi5)
+	return pid, parentfds
+end
+
+function M.get_mem_total()
+	for line in io.lines('/proc/meminfo') do
+		local match = line:match('^MemTotal:%s+(%d+)')
+		if match then
+			return tonumber(match)
 		end
 	end
 end
+
+return M

package/gluon-core/luasrc/usr/lib/lua/gluon/wireless.lua

+local sysconfig = require 'gluon.sysconfig'
+local site = require 'gluon.site'
+local util = require 'gluon.util'
+
+local unistd = require 'posix.unistd'
+
+local iwinfo = require 'iwinfo'
+
+local M = {}
+
+function M.find_phy(config)
+	return iwinfo.nl80211.phyname(config['.name'])
+end
+
+local function get_addresses(radio)
+	local phy = M.find_phy(radio)
+	if not phy then
+		return function() end
+	end
+
+	return io.lines('/sys/class/ieee80211/' .. phy .. '/addresses')
+end
+
+local function get_wlan_mac_from_driver(radio, vif)
+	local primary = sysconfig.primary_mac:lower()
+
+	local addresses = {}
+	for address in get_addresses(radio) do
+		if address:lower() ~= primary then
+			table.insert(addresses, address)
+		end
+	end
+
+	-- Make sure we have at least 4 addresses
+	if #addresses < 4 then
+		return nil
+	end
+
+	return addresses[vif]
+end
+
+function M.get_wlan_mac(_, radio, index, vif)
+	local addr = get_wlan_mac_from_driver(radio, vif)
+	if addr then
+		return addr
+	end
+
+	return util.generate_mac(4*(index-1) + (vif-1))
+end
+
+-- Iterate over all radios defined in UCI calling
+-- f(radio, index, site.wifiX) for each radio found while passing
+--  site.wifi24 for 2.4 GHz devices and site.wifi5 for 5 GHz ones.
+function M.foreach_radio(uci, f)
+	local radios = {}
+
+	uci:foreach('wireless', 'wifi-device', function(radio)
+		table.insert(radios, radio)
+	end)
+
+	for index, radio in ipairs(radios) do
+		local band = radio.band
+
+		if band == '2g' then
+			f(radio, index, site.wifi24)
+		elseif band == '5g' then
+			f(radio, index, site.wifi5)
+		end
+	end
+end
+
+function M.preserve_channels(uci)
+	return uci:get_bool('gluon', 'wireless', 'preserve_channels')
+end
+
+function M.device_supports_wpa3()
+	return unistd.access('/lib/gluon/features/wpa3')
+end
+
+function M.device_supports_mfp(uci)
+	local supports_mfp = true
+
+	if not M.device_supports_wpa3() then
+		return false
+	end
+
+	uci:foreach('wireless', 'wifi-device', function(radio)
+		local phy = M.find_phy(radio)
+		local phypath = '/sys/kernel/debug/ieee80211/' .. phy .. '/'
+
+		if not util.file_contains_line(phypath .. 'hwflags', 'MFP_CAPABLE') then
+			supports_mfp = false
+			return false
+		end
+	end)
+
+	return supports_mfp
+end
+
+function M.device_uses_wlan(uci)
+	local ret = false
+
+	uci:foreach('wireless', 'wifi-device', function()
+		ret = true
+		return false
+	end)
+
+	return ret
+end
+
+function M.device_uses_11a(uci)
+	local ret = false
+
+	uci:foreach('wireless', 'wifi-device', function(radio)
+		if radio.band == '5g' then
+			ret = true
+			return false
+		end
+	end)
+
+	return ret
+end
+
+return M

package/gluon-ebtables-filter-multicast/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-ebtables-filter-multicast
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
 include ../gluon.mk
 

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/355-mcast-drop

-rule ('MULTICAST_OUT -j DROP')

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp → package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp

-# Bridge loop avoidance
+-- Bridge loop avoidance
 rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:00:00:00/ff:ff:ff:fc:00:00 -j RETURN'
 rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:05:00:00/ff:ff:ff:ff:00:00 -j RETURN'
 

package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd

+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 1001 --ip6-dst ff05::2:1001 -j RETURN'

package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop

+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::15c/128 -j DROP') -- Gluon VXLAN multicast group
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
+rule ('MULTICAST_OUT -j DROP')

package/gluon-ebtables-filter-ra-dhcp/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-ebtables-filter-ra-dhcp
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
 include ../gluon.mk
 

package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4

-rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
-rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
-
-rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
-rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'