package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog

-*/5 * * * * /usr/bin/tunneldigger-watchdog

package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger

-#!/usr/bin/lua
-
-local site = require 'gluon.site'
-local util = require 'gluon.util'
-
-local uci = require('simple-uci').cursor()
-
-
-local enabled
-
--- Delete old broker config section (remove in 2019)
-if not uci:get('tunneldigger', 'mesh_vpn') then
-	if uci:get_first('tunneldigger', 'broker', 'interface') == 'mesh-vpn' then
-		enabled = uci:get_first('tunneldigger', 'broker', 'enabled')
-	end
-
-	-- In the usual case (no migration from old tunneldigger package), the
-	-- enabled state is set in the 500-mesh-vpn script
-
-	uci:delete_all('tunneldigger', 'broker')
-end
-
-uci:section('tunneldigger', 'broker', 'mesh_vpn', {
-	enabled = enabled,
-	uuid = util.node_id(),
-	interface = 'mesh-vpn',
-	bind_interface = 'br-wan',
-	group = 'gluon-mesh-vpn',
-	broker_selection = 'usage',
-	address = site.mesh_vpn.tunneldigger.brokers(),
-})
-
-uci:save('tunneldigger')

package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog

-#!/usr/bin/lua
-
-local uci = require('simple-uci').cursor()
-
-local function restart_tunneldigger()
-	os.execute('logger -t tunneldigger-watchdog "Restarting Tunneldigger."')
-	os.execute('/etc/init.d/tunneldigger restart')
-end
-
-local function read_pid_file()
-	local pid_file = io.open('/var/run/tunneldigger.mesh-vpn.pid', 'r')
-	if not pid_file then
-		return nil
-	end
-	local pid = pid_file:read('*l')
-	pid_file:close()
-	return pid
-end
-
-local function has_mesh_vpn_neighbours()
-	local handle = io.popen('batctl o', 'r')
-	if not handle then
-		return false
-	end
-	for line in handle:lines() do
-		if line:find('mesh%-vpn') then
-			handle:close()
-			return true
-		end
-	end
-	handle:close()
-	return false
-end
-
-if uci:get_bool('tunneldigger', 'mesh_vpn', 'enabled') then
-	if io.popen('pgrep -x /usr/bin/tunneldigger'):read('*l') ~= read_pid_file() then
-		os.execute('logger -t tunneldigger-watchdog "Process-Pid does not match with pid-File."')
-		restart_tunneldigger()
-		return
-	end
-	if not has_mesh_vpn_neighbours() then
-		os.execute('logger -t tunneldigger-watchdog "No vpn-mesh neighbours found."')
-		restart_tunneldigger()
-		return
-	end
-end

package/gluon-mesh-vpn-wireguard/Makefile

+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-wireguard
+
+include ../gluon.mk
+
+define Package/gluon-mesh-vpn-wireguard
+  TITLE:=Support for connecting meshes via wireguard
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +wireguard-tools +wgpeerselector +libubox +libubus +simple-tc
+endef
+
+define Package/gluon-mesh-vpn-wireguard/install
+	$(Gluon/Build/Install)
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/gluon-hex-to-b64 $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackageGluon,gluon-mesh-vpn-wireguard))

package/gluon-mesh-vpn-wireguard/check_site.lua

+local function check_peer(k)
+	need_alphanumeric_key(k)
+
+	need_string_match(in_domain(extend(k,
+		{'public_key'})), "^" .. ("[%a%d+/]"):rep(42) .. "[AEIMQUYcgkosw480]=$")
+	need_string(in_domain(extend(k, {'endpoint'})))
+end
+
+need_table({'mesh_vpn', 'wireguard', 'peers'}, check_peer)
+need_number({'mesh_vpn', 'wireguard', 'mtu'})

package/gluon-mesh-vpn-wireguard/files/lib/gluon/mesh-vpn/wireguard_pubkey.sh

+#!/bin/sh
+
+# shellcheck disable=SC1091,SC2034
+
+INCLUDE_ONLY=1
+. /lib/netifd/proto/wireguard.sh
+
+ensure_key_is_generated wg_mesh
+uci get "network.wg_mesh.private_key" | /usr/bin/wg pubkey

package/gluon-mesh-vpn-wireguard/files/lib/netifd/proto/gluon_wireguard.sh

+#!/bin/sh
+
+# shellcheck disable=SC1091
+
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_gluon_wireguard_init_config() {
+	:
+}
+
+interface_linklocal_from_wg_public_key() {
+	# We generate a predictable v6 address
+	local macaddr
+	macaddr="$(printf "%s" "$1"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')"
+	local oldIFS="$IFS"; IFS=':';
+	# shellcheck disable=SC2086
+	set -- $macaddr; IFS="$oldIFS"
+	echo "fe80::$1$2:$3ff:fe$4:$5$6"
+}
+
+proto_gluon_wireguard_setup() {
+	local config="$1"
+	local ifname="$2"
+
+	local public_key
+	public_key="$(/lib/gluon/mesh-vpn/wireguard_pubkey.sh)"
+
+	# The wireguard proto itself can not be moved here, as the proto does not
+	# allow add_dynamic.
+
+	local wireguard_ip
+	wireguard_ip=$(interface_linklocal_from_wg_public_key "$public_key")
+
+	## Add IP
+
+	proto_add_host_dependency "$config" '' "$ifname"
+	proto_init_update "$ifname" 1
+	proto_add_data
+	json_add_string zone 'wired_mesh'
+	proto_close_data
+	proto_add_ipv6_address "$wireguard_ip" "128"
+	proto_send_update "$ifname"
+
+	## wgpeerselector
+
+	json_init
+	json_add_string name "${ifname}_peerselector"
+	json_add_string ifname "$ifname"
+	json_add_string proto 'wgpeerselector'
+	json_add_string unix_group 'gluon-mesh-vpn'
+	json_close_object
+	ubus call network add_dynamic "$(json_dump)"
+
+	## vxlan
+
+	json_init
+	json_add_string name "mesh-vpn"
+	json_add_string proto 'vxlan6'
+	json_add_string tunlink "$ifname"
+	# ip6addr (the lower interface ip6) is used by the vxlan.sh proto
+	json_add_string ip6addr "$wireguard_ip"
+	json_add_string peer6addr "fe80::1"
+	json_add_int vid "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vxlan", 3), 16))')"
+	json_add_boolean rxcsum '0'
+	json_add_boolean txcsum '0'
+	json_close_object
+	ubus call network add_dynamic "$(json_dump)"
+
+	proto_init_update "$ifname" 1
+	proto_send_update "$config"
+}
+
+proto_gluon_wireguard_teardown() {
+	local config="$1"
+
+	proto_init_update "*" 0
+	proto_send_update "$config"
+}
+
+add_protocol gluon_wireguard

package/gluon-mesh-vpn-wireguard/luasrc/lib/gluon/upgrade/400-mesh-vpn-wireguard

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local unistd = require 'posix.unistd'
+local util = require('gluon.util')
+local site = require 'gluon.site'
+local sp = util.subprocess
+local wait = require 'posix.sys.wait'
+local vpn_core = require('gluon.mesh-vpn')
+local _, active_vpn = vpn_core.get_active_provider()
+
+local wg_private_key = uci:get("network_gluon-old", 'wg_mesh', "private_key")
+
+local function valid_fastd_key(fastd_key)
+	return fastd_key and fastd_key:match(('%x'):rep(64))
+end
+
+local function valid_wireguard_key(wireguard_key)
+	return wireguard_key and wireguard_key:match("^" .. ("[%a%d+/]"):rep(42) .. "[AEIMQUYcgkosw480]=$")
+end
+
+local function migrate_from_fastd_secret(fastd_secret)
+	local options = {
+		stdin = sp.PIPE,
+		stdout = sp.PIPE,
+	}
+	local pid, pipe = sp.popen('gluon-hex-to-b64', {}, options)
+
+	if not pid then
+		return
+	end
+
+	local inw = pipe.stdin
+	local out = pipe.stdout
+
+	unistd.write(inw, string.format('%s\n', fastd_secret))
+	unistd.close(inw)
+
+	local wpid, status, code = wait.wait(pid)
+	if wpid and status == 'exited' and code == 0 then
+		local result = unistd.read(out, 44)
+		unistd.close(out)
+		return result
+	end
+end
+
+if not valid_wireguard_key(wg_private_key) then
+	local fastd_secret = uci:get('fastd', 'mesh_vpn', 'secret')
+	if valid_fastd_key(fastd_secret) then
+		wg_private_key = migrate_from_fastd_secret(fastd_secret)
+	end
+end
+
+if not valid_wireguard_key(wg_private_key) then
+	wg_private_key = "generate"
+end
+
+
+uci:section('network', 'interface', 'wg_mesh', {
+	proto = 'wireguard',
+	fwmark = 1,
+	private_key = wg_private_key,
+	-- Add 70 bytes for IPv6 VXLAN overhead
+	mtu = active_vpn.mtu() + 70,
+})
+
+uci:section('network', 'interface', 'mesh_wg_mesh', {
+	ifname = 'wg_mesh',
+	proto = 'gluon_wireguard'
+})
+
+-- Clean up previous configuration
+uci:delete_all('wgpeerselector', 'peer', function(peer)
+	return peer.preserve ~= '1'
+end)
+
+for name, peer in pairs(site.mesh_vpn.wireguard.peers()) do
+	uci:section("wgpeerselector", "peer", name, {
+		enabled = true,
+		endpoint = peer.endpoint,
+		public_key = peer.public_key,
+		allowed_ips = { "fe80::1/128" },
+		ifname = 'wg_mesh',
+	})
+end
+
+uci:save("wgpeerselector")
+uci:save("network")

package/gluon-mesh-vpn-wireguard/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/wireguard.lua

+local uci = require('simple-uci').cursor()
+
+local site = require 'gluon.site'
+local util = require 'gluon.util'
+local vpn_core = require 'gluon.mesh-vpn'
+
+local M = {}
+
+function M.public_key()
+	local key = util.trim(util.exec("/lib/gluon/mesh-vpn/wireguard_pubkey.sh"))
+
+	if key == '' then
+		key = nil
+	end
+
+	return key
+end
+
+function M.enable(val)
+	uci:set('network', 'wg_mesh', 'disabled', not val)
+	uci:save('network')
+end
+
+function M.active()
+	return site.mesh_vpn.wireguard() ~= nil
+end
+
+function M.set_limit(ingress_limit, egress_limit)
+	uci:delete('simple-tc', 'mesh_vpn')
+	if ingress_limit ~= nil and egress_limit ~= nil then
+		uci:section('simple-tc', 'interface', 'mesh_vpn', {
+			ifname = vpn_core.get_interface(),
+			enabled = true,
+			limit_egress = egress_limit,
+			limit_ingress = ingress_limit,
+		})
+	end
+
+	uci:save('simple-tc')
+end
+
+function M.mtu()
+	return site.mesh_vpn.wireguard.mtu()
+end
+
+return M

package/gluon-mesh-vpn-wireguard/src/Makefile

+all: respondd.so gluon-hex-to-b64
+
+CFLAGS += -Wall -Werror-implicit-function-declaration
+
+gluon-hex-to-b64: gluon-hex-to-b64.c
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -Wall -o $@ $^ $(LDLIBS) -lubox
+
+respondd.so: respondd.c
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -fPIC -D_GNU_SOURCE -o $@ $^ $(LDLIBS) -lgluonutil -lubus

package/gluon-mesh-vpn-wireguard/src/gluon-hex-to-b64.c

+// SPDX-FileCopyrightText: 2022 Jan-Niklas Burfeind <gluon@aiyionpri.me>
+// SPDX-License-Identifier: BSD-2-Clause
+// SPDX-FileContributor: read_hex() by Matthias Schiffer <mschiffer@universe-factory.net>
+
+#include <libubox/utils.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/**
+ * how many blocks should be encoded at once - can be configured
+ */
+#define BLOCK_AMOUNT 32
+
+/**
+ * smallest possible block size to encode in b64 without further contex
+ * is three bytes - do not change
+ */
+#define CHUNK_SIZE (3*BLOCK_AMOUNT)
+
+/** print usage info and exit as failed */
+static void usage(void) {
+	fprintf(stderr, "Usage: gluon-hex-to-b64\n");
+	exit(1);
+}
+
+/**
+ * read a string of hexadecimal characters and return them as bytes
+ * return false in case any non-hexadecimal characters are provided
+ * return true on success
+ */
+static bool read_hex(uint8_t key[CHUNK_SIZE], const char *hexstr) {
+	if (strspn(hexstr, "0123456789abcdefABCDEF") != strlen(hexstr))
+		return false;
+
+	size_t i;
+	for (i = 0; i < CHUNK_SIZE; i++)
+		sscanf(&hexstr[2 * i], "%02hhx", &key[i]);
+
+	return true;
+}
+
+int main(int argc, char *argv[]) {
+	if (argc != 1)
+		usage();
+
+	unsigned char hex_input[CHUNK_SIZE * 2 + 1];
+	uint8_t as_bytes[CHUNK_SIZE];
+	int byte_count;
+	int b64_buflen = B64_ENCODE_LEN(CHUNK_SIZE);
+	int b64_return;
+	size_t ret;
+
+	char str[b64_buflen];
+
+	do {
+		ret = fread(hex_input, 1, sizeof(hex_input) - 1, stdin);
+		hex_input[ret] = '\0';
+
+		/* in case fread did not fill six characters */
+		if (ret != sizeof(hex_input)-1) {
+			/* drop newline by replacing it with a null character */
+			hex_input[strcspn(hex_input, "\n")] = 0;
+
+			/*
+			 * count length of resulting string and make sure it's even,
+			 * as bytes are represented using pairs of hex characters
+			 */
+			ret = strlen(hex_input);
+			if (ret % 2 == 1) {
+				fprintf(stderr, "Error: Incomplete hex representation of a byte.\n");
+				exit(EXIT_FAILURE);
+			}
+		}
+
+		byte_count = ret / 2;
+		b64_buflen = B64_ENCODE_LEN(byte_count);
+
+		/* in case read_hex fails due to invalid characters */
+		if (!read_hex(as_bytes, hex_input)) {
+			fprintf(stderr, "Error: Invalid hexadecimal input.\n");
+			exit(EXIT_FAILURE);
+		}
+
+		b64_return = b64_encode(as_bytes, byte_count, str, b64_buflen);
+
+		/* trailing '\0' is not counted by b64_encode(), so we subtract one character */
+		if (b64_buflen - 1 != b64_return) {
+			fprintf(stderr, "Error: Encoding bytes as b64 failed.\n");
+			exit(EXIT_FAILURE);
+		}
+
+		printf("%s", str);
+	/* repeat until a non full block is read */
+	} while (ret == sizeof(hex_input)-1);
+	printf("\n");
+
+	exit(EXIT_SUCCESS);
+}

package/gluon-mesh-vpn-wireguard/src/respondd.c

+/* SPDX-FileCopyrightText: 2020, Leonardo Mörlein <me@irrelefant.net> */
+/* SPDX-FileCopyrightText: 2016, Matthias Schiffer <mschiffer@universe-factory.net> */
+/* SPDX-License-Identifier: BSD-2-Clause */
+
+
+#include <respondd.h>
+
+#include <json-c/json.h>
+#include <libgluonutil.h>
+#include <uci.h>
+
+#include <ctype.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include "libubus.h"
+
+static struct json_object * stdout_read(const char *cmd, const char *skip, bool oneword) {
+	FILE *f = popen(cmd, "r");
+	if (!f)
+		return NULL;
+
+	char *line = NULL;
+	size_t len = 0;
+	size_t skiplen = strlen(skip);
+
+	ssize_t read_chars = getline(&line, &len, f);
+
+	pclose(f);
+
+	if (read_chars < 1) {
+		free(line);
+		return NULL;
+	}
+
+	if (line[read_chars-1] == '\n')
+		line[read_chars-1] = '\0';
+
+	const char *content = line;
+	if (strncmp(content, skip, skiplen) == 0)
+		content += skiplen;
+
+	if (oneword) {
+		for (int i = 0; i < len; i++) {
+			if (isspace(line[i])) {
+				line[i] = 0;
+			}
+		}
+	}
+
+	struct json_object *ret = gluonutil_wrap_string(content);
+	free(line);
+	return ret;
+}
+
+static struct json_object * get_wireguard_public_key(void) {
+	return stdout_read("exec /lib/gluon/mesh-vpn/wireguard_pubkey.sh", "", false);
+}
+
+static struct json_object * get_wireguard_version(void) {
+	return stdout_read("exec wg -v", "wireguard-tools ", true);
+}
+
+static bool wireguard_enabled(void) {
+	bool enabled = true;
+
+	struct uci_context *ctx = uci_alloc_context();
+	if (!ctx)
+		goto disabled_nofree;
+	ctx->flags &= ~UCI_FLAG_STRICT;
+
+	struct uci_package *p;
+	if (uci_load(ctx, "network", &p))
+		goto disabled;
+
+	struct uci_section *s = uci_lookup_section(ctx, p, "wg_mesh");
+	if (!s)
+		goto disabled;
+
+	const char *disabled_str = uci_lookup_option_string(ctx, s, "disabled");
+	if (!disabled_str || !strcmp(disabled_str, "1"))
+		enabled = false;
+
+disabled:
+	uci_free_context(ctx);
+
+disabled_nofree:
+	return enabled;
+}
+
+static bool get_pubkey_privacy(void) {
+	bool ret = true;
+	struct json_object *site = NULL;
+
+	site = gluonutil_load_site_config();
+	if (!site)
+		goto end;
+
+	struct json_object *mesh_vpn;
+	if (!json_object_object_get_ex(site, "mesh_vpn", &mesh_vpn))
+		goto end;
+
+	struct json_object *pubkey_privacy;
+	if (!json_object_object_get_ex(mesh_vpn, "pubkey_privacy", &pubkey_privacy))
+		goto end;
+
+	ret = json_object_get_boolean(pubkey_privacy);
+
+end:
+	json_object_put(site);
+
+	return ret;
+}
+
+static struct json_object * get_wireguard(void) {
+	bool wg_enabled = wireguard_enabled();
+
+	struct json_object *ret = json_object_new_object();
+	json_object_object_add(ret, "version", get_wireguard_version());
+	json_object_object_add(ret, "enabled", json_object_new_boolean(wg_enabled));
+	if (wg_enabled && !get_pubkey_privacy())
+		json_object_object_add(ret, "public_key", get_wireguard_public_key());
+	return ret;
+}
+
+static struct json_object * respondd_provider_nodeinfo(void) {
+	struct json_object *ret = json_object_new_object();
+
+	struct json_object *software = json_object_new_object();
+	json_object_object_add(software, "wireguard", get_wireguard());
+	json_object_object_add(ret, "software", software);
+
+	return ret;
+}
+
+static json_object *blobmsg_attr2json(struct blob_attr *attr, int type)
+{
+	int len = blobmsg_data_len(attr);
+	struct blobmsg_data *data = blobmsg_data(attr);
+	struct blob_attr *inner_attr;
+	json_object *res = NULL;
+	switch(type) {
+		case BLOBMSG_TYPE_STRING:
+			return gluonutil_wrap_string(blobmsg_get_string(attr));
+		case BLOBMSG_TYPE_BOOL:
+			return json_object_new_boolean(blobmsg_get_bool(attr));
+		case BLOBMSG_TYPE_INT16:
+			return json_object_new_double(blobmsg_get_u16(attr));
+		case BLOBMSG_TYPE_INT32:
+			return json_object_new_double(blobmsg_get_u32(attr));
+		case BLOBMSG_TYPE_INT64:
+			return json_object_new_double(blobmsg_get_u64(attr));
+		case BLOBMSG_TYPE_DOUBLE:
+			return json_object_new_double(blobmsg_get_double(attr));
+		case BLOBMSG_TYPE_TABLE:
+			res = json_object_new_object();
+			__blob_for_each_attr(inner_attr, data, len) {
+				json_object_object_add(res, blobmsg_name(inner_attr), blobmsg_attr2json(inner_attr, blobmsg_type(inner_attr)));
+			};
+			break;
+		case BLOBMSG_TYPE_ARRAY:
+			res = json_object_new_array();
+			__blob_for_each_attr(inner_attr, data, len) {
+				json_object_array_add(res, blobmsg_attr2json(inner_attr, blobmsg_type(inner_attr)));
+			}
+			break;
+	}
+
+	return res;
+}
+
+static void cb_wgpeerselector_vpn(struct ubus_request *req, int type, struct blob_attr *msg)
+{
+	json_object_object_add(req->priv, "mesh_vpn", blobmsg_attr2json(msg, type));
+}
+
+static struct json_object * respondd_provider_statistics(void) {
+	struct json_object *ret = json_object_new_object();
+	struct ubus_context *ctx = ubus_connect(NULL);
+	uint32_t ubus_path_id;
+
+	if (!ctx) {
+		fprintf(stderr, "Error in gluon-mesh-vpn-wireguard.so: Failed to connect to ubus.\n");
+		goto err;
+	}
+
+	if (ubus_lookup_id(ctx, "wgpeerselector.wg_mesh", &ubus_path_id)) {
+		goto err;
+	}
+
+	ubus_invoke(ctx, ubus_path_id, "status", NULL, cb_wgpeerselector_vpn, ret, 1000);
+
+err:
+	if (ctx)
+		ubus_free(ctx);
+	return ret;
+}
+
+
+const struct respondd_provider_info respondd_providers[] = {
+	{"nodeinfo", respondd_provider_nodeinfo},
+	{"statistics", respondd_provider_statistics},
+	{}
+};

package/gluon-mesh-wireless-sae/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-mesh-wireless-sae
-PKG_VERSION:=1
 
 include ../gluon.mk
 
 define Package/gluon-mesh-wireless-sae
   TITLE:=Encryption of 802.11s Mesh Links through SAE
-  DEPENDS:=+gluon-core +wpa-supplicant-openssl
+  DEPENDS:=+gluon-core +wpa-supplicant-mesh-mbedtls
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-wireless-sae))

package/gluon-mesh-wireless-sae/luasrc/lib/gluon/upgrade/205-wireless-mesh-sae

@@ -11,7 +11,7 @@ local function configure_sae(vif)
 	uci:set('wireless', vif, 'key', site.wifi.mesh.sae_passphrase() or hash.md5(site.prefix6()))
 end
 
-wireless.foreach_radio(uci, function(radio, _, _)
+wireless.foreach_radio(uci, function(radio)
 	local radio_name = radio['.name']
 	local vif = 'mesh_' .. radio_name
 	local enable = site.wifi.mesh.sae(false)

package/gluon-mmfd/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-mmfd
-PKG_VERSION:=1
 
 include ../gluon.mk
 

package/gluon-mmfd/files/etc/init.d/mmfd

@@ -5,12 +5,23 @@ START=50
 DAEMON=/usr/sbin/mmfd
 SOCKET=/var/run/mmfd.sock
 
+waitforsocket() {
+	while ! echo "get_neighbours" | uc $SOCKET
+	do
+		sleep 1
+		echo "waiting for successful socket connection for mmfd"
+	done
+}
+
+
 start_service() {
-	local interfaces=$(for dev in $(gluon-list-mesh-interfaces); do echo " -i $dev"; done)
+	local interfaces
+	interfaces=$(for dev in $(gluon-list-mesh-interfaces); do echo " -i $dev"; done)
 
 	procd_open_instance
-	procd_set_param command $DAEMON -s $SOCKET $interfaces
-	procd_set_param respawn ${respawn_threshold:-60} ${respawn_timeout:-1} ${respawn_retry:-0}
+	# shellcheck disable=SC2086
+	procd_set_param command "$DAEMON" -s "$SOCKET" $interfaces
+	procd_set_param respawn "${respawn_threshold:-60}" "${respawn_timeout:-1}" "${respawn_retry:-0}"
 	procd_set_param stderr 1
 	procd_set_param stdout 1
 	procd_close_instance
@@ -21,15 +32,15 @@ mmfd_get_interfaces() {
 }
 
 mmfd_has_interface() {
-	mmfd_get_interfaces | grep -q "^$1$"
+	mmfd_get_interfaces | grep -qxF "$1"
 }
 
 addif() {
-	echo "add_meshif $@" | uc $SOCKET
+	echo "add_meshif $1" | uc $SOCKET
 }
 
 delif() {
-	echo "del_meshif $@" | uc $SOCKET
+	echo "del_meshif $1" | uc $SOCKET
 }
 
 reload_service() {
@@ -37,22 +48,24 @@ reload_service() {
 
 	for i in $(ubus call network.interface dump | jsonfilter -e "@.interface[@.proto='gluon_mesh' && @.up=true].device")
 	do
-		if ! mmfd_has_interface $i; then
-			addif $i
+		if ! mmfd_has_interface "$i"; then
+			addif "$i"
 		fi
 	done
 
 	for i in $(mmfd_get_interfaces)
 	do
-		if ! ubus call network.interface dump | jsonfilter -e "@.interface[@.proto='gluon_mesh' && @.up=true].device" | grep -q "^$i$"; then
-			delif $i
+		if ! ubus call network.interface dump | jsonfilter -e "@.interface[@.proto='gluon_mesh' && @.up=true].device" | grep -qxF "$i"; then
+			delif "$i"
 		fi
 	done
 }
 
 service_triggers() {
-	local script=$(readlink "$initscript")
-	local name=$(basename "${script:-$initscript}")
+	local script name
+	# shellcheck disable=SC2154
+	script=$(readlink "$initscript")
+	name=$(basename "${script:-$initscript}")
 
 	procd_open_trigger
 	procd_add_raw_trigger "interface.*" 0 "/etc/init.d/$name" reload

package/gluon-mesh-babel/luasrc/lib/gluon/upgrade/140-gluon-mesh-babel-firewall → package/gluon-mmfd/luasrc/lib/gluon/upgrade/310-gluon-mmfd-firewall

@@ -3,15 +3,6 @@
 local uci = require('simple-uci').cursor()
 local site = require "gluon.site"
 
-uci:section('firewall', 'zone', 'l3roamd', {
-	name = 'l3roamd',
-	input = 'ACCEPT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-	device = 'l3roam+',
-	log = '1',
-})
-
 uci:section('firewall', 'zone', 'mmfd', {
 	name = 'mmfd',
 	input = 'REJECT',
@@ -21,35 +12,12 @@ uci:section('firewall', 'zone', 'mmfd', {
 	log = '1',
 })
 
--- forwardings and respective rules
-uci:section('firewall', 'forwarding', 'fcc', {
-	src = 'local_client',
-	dest = 'local_client',
-})
-
-uci:section('firewall', 'forwarding', 'fcm', {
-	src = 'local_client',
-	dest = 'mesh',
-})
-
-uci:section('firewall', 'forwarding', 'fmc', {
-	src = 'mesh',
-	dest = 'local_client',
-})
-
-uci:section('firewall', 'forwarding', 'fmm', {
+uci:section('firewall', 'rule',  'mesh_mmfd', {
 	src = 'mesh',
-	dest = 'mesh',
-})
-
-uci:section('firewall', 'forwarding', 'flc', {
-	src = 'l3roamd',
-	dest = 'local_client',
-})
-
-uci:section('firewall', 'forwarding', 'fcl', {
-	src = 'local_client',
-	dest = 'l3roamd',
+	src_ip = 'fe80::/64',
+	dest_port = '27275',
+	proto = 'udp',
+	target = 'ACCEPT',
 })
 
 uci:section('firewall', 'rule',  'mesh_respondd_mcast_ll', {
@@ -62,7 +30,7 @@ uci:section('firewall', 'rule',  'mesh_respondd_mcast_ll', {
 
 uci:section('firewall', 'rule',  'mesh_respondd_mcast2', {
 	src = 'mesh',
-	src_ip = site.node_prefix6(),
+	src_ip = site.node_prefix6() or site.prefix6(),
 	dest_port = '1001',
 	proto = 'udp',
 	target = 'ACCEPT',
@@ -78,26 +46,10 @@ uci:section('firewall', 'rule',  'mmfd_respondd_ll', {
 
 uci:section('firewall', 'rule',  'mmfd_respondd_mesh', {
 	src = 'mmfd',
-	src_ip = site.node_prefix6(),
+	src_ip = site.node_prefix6() or site.prefix6(),
 	dest_port = '1001',
 	proto = 'udp',
 	target = 'ACCEPT',
 })
 
-uci:section('firewall', 'rule',  'mesh_mmfd', {
-	src = 'mesh',
-	src_ip = 'fe80::/64',
-	dest_port = '27275',
-	proto = 'udp',
-	target = 'ACCEPT',
-})
-
-uci:section('firewall', 'rule', 'mesh_babel', {
-	src = 'mesh',
-	src_ip = 'fe80::/64',
-	dest_port = '6696',
-	proto = 'udp',
-	target = 'ACCEPT',
-})
-
 uci:save('firewall')

package/gluon-mesh-babel/luasrc/lib/gluon/upgrade/430-gluon-mesh-babel-add-mmfd-interface → package/gluon-mmfd/luasrc/lib/gluon/upgrade/430-gluon-mmfd-interface

@@ -2,10 +2,10 @@
 
 local uci = require('simple-uci').cursor()
 
-uci:delete('network', 'mmfd')
 uci:section('network', 'interface', 'mmfd', {
 	proto = 'static',
 	ifname = 'mmfd0',
 	ip6addr = 'fe80::1/64'
 })
+
 uci:save('network')

package/gluon-neighbour-info/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-neighbour-info
-PKG_VERSION:=1
-PKG_RELEASE:=1
 
 include ../gluon.mk