package/gluon-ebtables-limit-arp/src/mac.h

-/*
- * Copyright (c) 2017 Linus Lüssing <linus.luessing@c0d3.blue>
- *
- * SPDX-License-Identifier: GPL-2.0+
- * License-Filename: LICENSE
- */
+// SPDX-FileCopyrightText: 2017 Linus Lüssing <linus.luessing@c0d3.blue>
+// SPDX-License-Identifier: GPL-2.0-or-later
 
 #ifndef _MAC_H_
 #define _MAC_H_

package/gluon-ebtables-source-filter/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-ebtables-source-filter
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
 include ../gluon.mk
 

package/gluon-ebtables-source-filter/check_site.lua

-need_string_match(in_domain({'prefix4'}), '^%d+.%d+.%d+.%d+/%d+$', false)
-need_string_array_match(in_domain({'extra_prefixes6'}), '^[%x:]+/%d+$', false)

package/gluon-ebtables/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-ebtables
-PKG_VERSION:=1
-PKG_RELEASE:=1
-
-PKG_CONFIG_DEPENDS := CONFIG_GLUON_SPECIALIZE_KERNEL
 
 include ../gluon.mk
 
 define Package/gluon-ebtables
   TITLE:=Ebtables support
   DEPENDS:=+gluon-core +ebtables-tiny \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_FILTER \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_T_NAT \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_ARP \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_IP6 \
-	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables \
-	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv4 \
-	+!GLUON_SPECIALIZE_KERNEL:kmod-ebtables-ipv6
+	+kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
 endef
 
 define Package/gluon-ebtables/description

package/gluon-ebtables/files/etc/init.d/gluon-ebtables

@@ -15,11 +15,9 @@
 # Removing a specific rule file:
 # $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain
 
-
 START=19
 STOP=91
 
-
 exec_file() {
 	local file="$1"
 
@@ -37,12 +35,10 @@ exec_file() {
 }
 
 exec_all() {
-	local sort_arg="$1"
-
 	local old_ifs="$IFS"
 	IFS='
 '
-	for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
+	for file in $(find /lib/gluon/ebtables -type f | sort "$@"); do
 		exec_file "$file"
 	done
 	IFS="$old_ifs"
@@ -51,7 +47,9 @@ exec_all() {
 
 start() {
 	(
+		# shellcheck disable=SC2030,SC2031,SC2089
 		export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
+		# shellcheck disable=SC2030,SC2031,SC2089
 		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. "  -N " .. name .. " -P " .. policy'
 
 		# Contains /var/lib/ebtables/lock for '--concurrent'
@@ -59,7 +57,7 @@ start() {
 			mkdir -p /var/lib/ebtables
 
 		if [ -z "$1" ]; then
-			exec_all ''
+			exec_all
 		else
 			exec_file "$1"
 		fi
@@ -68,11 +66,13 @@ start() {
 
 stop() {
 	(
+		# shellcheck disable=SC2030,SC2031,SC2090
 		export EBTABLES_RULE='"ebtables-tiny -t " ..	table .. " -D " .. command'
+		# shellcheck disable=SC2030,SC2031,SC2090
 		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'
 
 		if [ -z "$1" ]; then
-			exec_all '-r'
+			exec_all -r
 		else
 			exec_file "$1"
 		fi

package/gluon-harden-dropbear/Makefile

+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-harden-dropbear
+
+include ../gluon.mk
+
+define Package/gluon-harden-dropbear
+  TITLE:=Reduces dropbears exposition
+  DEPENDS:=+gluon-core +gluon-lock-password
+endef
+
+define Package/gluon-harden-dropbear/description
+	This packages disables password access if root is locked and disables dropbear if no access is configured.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-harden-dropbear))

package/gluon-harden-dropbear/files/lib/gluon/upgrade/105-harden-dropbear

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local util = require('gluon.util')
+
+local function is_root_pw_unlocked()
+	for line in io.lines("/etc/shadow") do
+		if line:match("^root:!") then
+			return false
+		end
+	end
+	return true
+end
+
+local function has_authorized_keys()
+	local file = io.open("/etc/dropbear/authorized_keys", "r")
+	if not file then
+		return false
+	end
+	for line in file:lines() do
+		-- if the line is neither comments nor solely whitespaces
+		if not (line:match("^%s*#") or line:match("^%s*$")) then
+			file:close()
+			return true
+		end
+	end
+	file:close()
+	return false
+end
+
+local root_pw_is_unlocked = is_root_pw_unlocked()
+
+local password_auth = 'off'
+if root_pw_is_unlocked then
+	password_auth = 'on'
+end
+
+-- disable dropbear alltogether, if no access is configured
+local enable_dropbear = has_authorized_keys() or root_pw_is_unlocked
+
+uci:foreach('dropbear', 'dropbear', function(s)
+	uci:tset('dropbear', s['.name'], {
+		enable = enable_dropbear,
+		PasswordAuth = password_auth,
+		RootPasswordAuth = password_auth}
+	)
+end)
+
+uci:save('dropbear')

package/gluon-hoodselector/Makefile

@@ -2,14 +2,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-hoodselector
 
-GLUON_VERSION:=3
-PKG_VERSION:=2
-
 include ../gluon.mk
 
 define Package/gluon-hoodselector
   TITLE:=Automatically migrate nodes between domains.
-  DEPENDS:=+luaposix +libgluonutil +lua-math-polygon +libjson-c +gluon-site +micrond +luabitop @GLUON_MULTIDOMAIN
+  DEPENDS:=+luaposix +libgluonutil +lua-math-polygon +libjson-c +gluon-site +micrond +lua-bit32 @GLUON_MULTIDOMAIN
   CONFLICTS:=+gluon-config-mode-domain-select
 endef
 

package/gluon-hoodselector/luasrc/usr/lib/lua/hoodselector/util.lua

@@ -3,14 +3,8 @@ local math_polygon = require('math-polygon')
 local json = require ('jsonc')
 local uci = require('simple-uci').cursor()
 local site = require ('gluon.site')
-local logger = require('posix.syslog')
 local M = {}
 
-function M.log(msg)
-	io.stdout:write(msg..'\n')
-	logger.openlog(msg, logger.LOG_PID)
-end
-
 function M.get_domains()
 	local list = {}
 	for _, domain_path in ipairs(util.glob('/lib/gluon/domains/*.json')) do
@@ -67,10 +61,8 @@ end
 
 function M.set_domain_config(domain)
 	if uci:get('gluon', 'core', 'domain') ~= domain.domain_code then
-		uci:set('gluon', 'core', 'domain', domain.domain_code)
-		uci:commit('gluon')
-		os.execute('gluon-reconfigure')
-		M.log('Set domain "'..domain.domain.domain_names[domain.domain_code]..'"')
+		os.execute(string.format("exec gluon-switch-domain --no-reboot '%s'", domain.domain_code))
+		util.log('Set domain "' .. domain.domain.domain_names[domain.domain_code] .. '"', true)
 		return true
 	end
 	return false

package/gluon-hoodselector/luasrc/usr/sbin/hoodselector

 #!/usr/bin/lua
 
-local bit = require('bit')
+local bit = require('bit32')
+local util = require ('gluon.util')
 local unistd = require('posix.unistd')
 local fcntl = require('posix.fcntl')
 local hoodutil = require('hoodselector.util')
@@ -10,7 +11,7 @@ local lockfile = '/var/lock/hoodselector.lock'
 local lockfd, err = fcntl.open(lockfile, bit.bor(fcntl.O_WRONLY, fcntl.O_CREAT), 384) -- mode 0600
 
 if not lockfd then
-	hoodutil.log(err, '\n')
+	util.log(err, true)
 	os.exit(1)
 end
 
@@ -40,8 +41,7 @@ if geo.lat ~= nil and geo.lon ~= nil then
 	local geo_base_domain = hoodutil.get_domain_by_geo(jdomains, geo)
 	if geo_base_domain ~= nil then
 		if hoodutil.set_domain_config(geo_base_domain) then
-			os.execute("gluon-reload")
-			hoodutil.log('Domain set by geolocation mode.\n')
+			util.log('Domain set by geolocation mode.', true)
 		end
 		return
 	end
@@ -51,6 +51,4 @@ else
 end
 
 -- default domain mode
-if hoodutil.set_domain_config(hoodutil.get_default_domain(hoodutil.get_domains())) then
-	os.execute("gluon-reload")
-end
+hoodutil.set_domain_config(hoodutil.get_default_domain(hoodutil.get_domains()))

package/gluon-iptables-clamp-mss-to-pmtu/Makefile

@@ -2,14 +2,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-iptables-clamp-mss-to-pmtu
 
-GLUON_VERSION = $(shell git describe --always --dirty=+ 2>/dev/null || echo unknown)
-PKG_VERSION:=$(if $(DUMP),x,$(GLUON_VERSION))
-
 include ../gluon.mk
 
 define Package/$(PKG_NAME)
   TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96
-  DEPENDS:= +ip6tables
+  DEPENDS:= +ip6tables-zz-legacy
 endef
 
 define Package/$(PKG_NAME)/description

package/gluon-l3roamd/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-l3roamd
-PKG_VERSION:=1
 
 include ../gluon.mk
 
 define Package/gluon-l3roamd
-  TITLE:=Configure l3roamd for babel
-  DEPENDS:=+gluon-core +l3roamd +uc
+  TITLE:=Configure l3roamd for l3-mesh
+  DEPENDS:=+gluon-core +gluon-mesh-layer3-common +l3roamd +uc
 endef
 
 $(eval $(call BuildPackageGluon,gluon-l3roamd))

package/gluon-l3roamd/check_site.lua

-need_string_match(in_domain({'prefix6'}), '^[%x:]+/64$', true)
-need_string_match(in_domain({'node_client_prefix6'}), '^[%x:]+/64$', false)
-need_string_match(in_domain({'prefix4'}), '^%d+.%d+.%d+.%d+/%d+$', false)

package/gluon-l3roamd/files/etc/init.d/gluon-l3roamd

@@ -27,7 +27,7 @@ reload_service() {
 
 	for i in $(echotol3roamd "get_meshifs"| jsonfilter -e "@.mesh_interfaces[@]")
 	do
-		if ! ubus call network.interface dump | jsonfilter -e "@.interface[@.proto='gluon_mesh' && @.up=true].device"|grep -q $i
+		if ! ubus call network.interface dump | jsonfilter -e "@.interface[@.proto='gluon_mesh' && @.up=true].device" | grep -qxF "$i"
 		then
 			echotol3roamd "del_meshif $i"
 		fi
@@ -35,15 +35,17 @@ reload_service() {
 }
 
 start_service () {
-	local interfaces=$(
+	local interfaces prefix4 prefix6 localip roamingprefix
+
+	interfaces=$(
 		for dev in $(gluon-list-mesh-interfaces); do echo " -m $dev"; done
 		[ "$(ifstatus local_node | jsonfilter -e '@.up')" = 'true' ] && echo ' -i local-node'
 	)
 
-	local prefix4="$(lua -e 'prefix4 = require("gluon.site").prefix4() if prefix4 then print(" -p " .. prefix4) end')"
-	local prefix6="$(lua -e 'print(" -p " .. require("gluon.site").prefix6())')"
-	local localip="$(uci get network.loopback.ip6addr | cut -d/ -f1)"
-	local roamingprefix="$(lua -e 'roamingprefix = require("gluon.site").node_client_prefix6() if roamingprefix then print(" -P " .. roamingprefix) end')"
+	prefix4="$(lua -e 'prefix4 = require("gluon.site").prefix4() if prefix4 then print(" -p " .. prefix4) end')"
+	prefix6="$(lua -e 'print(" -p " .. require("gluon.site").prefix6())')"
+	localip="$(uci get network.loopback.ip6addr | cut -d/ -f1)"
+	roamingprefix="$(lua -e 'print(" -P " .. require("gluon.l3").node_client_prefix6())')"
 
 	/sbin/sysctl -w net.ipv6.neigh.default.gc_thresh1=2
 	/sbin/sysctl -w net.ipv4.neigh.default.gc_thresh1=2
@@ -51,14 +53,17 @@ start_service () {
 	procd_open_instance
 	procd_set_param stdout 1
 	procd_set_param stderr 1
-	procd_set_param respawn ${respawn_threshold:-3660} ${respawn_timeout:-5} ${respawn_retry:-0}
-	procd_set_param command "$PROG" -s /var/run/l3roamd.sock $prefix4 $prefix6 $interfaces -t 254 -a $localip -b br-client $roamingprefix
+	procd_set_param respawn "${respawn_threshold:-3660}" "${respawn_timeout:-5}" "${respawn_retry:-0}"
+	# shellcheck disable=SC2086
+	procd_set_param command "$PROG" -s /var/run/l3roamd.sock $prefix4 $prefix6 $interfaces -t 254 -a "$localip" -b br-client "$roamingprefix"
 	procd_close_instance
 }
 
 service_triggers() {
-	local script=$(readlink "$initscript")
-	local name=$(basename "${script:-$initscript}")
+	local script name
+	# shellcheck disable=SC2154
+	script=$(readlink "$initscript")
+	name=$(basename "${script:-$initscript}")
 
 	procd_open_trigger
 	procd_add_raw_trigger 'interface.*' 0 "/etc/init.d/$name" reload

package/gluon-l3roamd/luasrc/lib/gluon/upgrade/150-firewall-l3roamd → package/gluon-l3roamd/luasrc/lib/gluon/upgrade/320-firewall-l3roamd

 #!/usr/bin/lua
+
 local uci = require('simple-uci').cursor()
 
+uci:section('firewall', 'zone', 'l3roamd', {
+	name = 'l3roamd',
+	input = 'ACCEPT',
+	output = 'ACCEPT',
+	forward = 'REJECT',
+	device = 'l3roam+',
+	log = '1',
+})
+
+uci:section('firewall', 'forwarding', 'flc', {
+	src = 'l3roamd',
+	dest = 'loc_client',
+})
+
+uci:section('firewall', 'forwarding', 'fcl', {
+	src = 'loc_client',
+	dest = 'l3roamd',
+})
+
 uci:section('firewall', 'rule',  'mesh_l3roamd', {
 	name = 'mesh_l3roamd',
 	src = 'mesh',

package/gluon-l3roamd/luasrc/lib/gluon/upgrade/380-gluon-l3roamd-route

-#!/usr/bin/lua
-local uci = require('simple-uci').cursor()
-
-uci:delete('network', 'l3roam')
-uci:delete('network', 'l3roamd_client')
-
-uci:save('network')

package/gluon-lock-password/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-lock-password
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
 include ../gluon.mk
 

package/gluon-logging/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-logging
-PKG_VERSION:=1
 
 include ../gluon.mk
 

package/gluon-mesh-babel/Makefile

-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-mesh-babel
-PKG_VERSION:=1
-
-PKG_BUILD_DEPENDS := libbabelhelper
-PKG_BUILD_DEPENDS += libjson-c
-
-include ../gluon.mk
-
-define Package/gluon-mesh-babel
-  TITLE:=Babel mesh
-  DEPENDS:=+gluon-core +babeld +gluon-mmfd +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
-  PROVIDES:=gluon-mesh-provider
-endef
-
-define Package/gluon-mesh-babel/install
-	$(Gluon/Build/Install)
-
-	$(INSTALL_DIR) $(1)/lib/gluon/status-page/providers
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/neighbours-babel $(1)/lib/gluon/status-page/providers/
-endef
-
-$(eval $(call BuildPackageGluon,gluon-mesh-babel))

package/gluon-mesh-babel/check_site.lua

-need_string_match(in_domain({'node_prefix6'}), '^[%x:]+/64$')
-need_string_match(in_domain({'node_client_prefix6'}), '^[%x:]+/64$')
-
-need_string_match(in_domain({'next_node', 'ip6'}), '^[%x:]+$', false)
-need_string_match(in_domain({'next_node', 'ip4'}), '^%d+.%d+.%d+.%d+$', false)
-
-need_string_match(in_domain({'next_node', 'mac'}), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false)