docs/releases/v2018.2.3.rst

+Gluon 2018.2.3
+==============
+
+Added hardware support
+~~~~~~~~~~~~~~~~~~~~~~
+
+ar71xx-generic
+^^^^^^^^^^^^^^
+
+* TP-Link
+
+  - CPE210 v3
+  
+ar71xx-nand
+^^^^^^^^^^^
+
+* Aerohive
+
+  - HiveAP 121
+
+mcp85xx-p1020
+^^^^^^^^^^^^^
+
+* Aerohive
+
+  - HiveAP 330
+
+ramips-mt76x8
+^^^^^^^^^^^^^
+
+* TP-Link
+
+  - TL-MR3420 v5 [#noibss]_
+  
+.. [#noibss]
+  Device or target does not support AP+IBSS mode: This device or target will not be built
+  when *GLUON_WLAN_MESH* is set to ``ibss``.
+
+
+Bugfixes
+~~~~~~~~
+
+* Fixes passwordless SSH access when gluon-authorized-keys was used without gluon-setup-mode. (`#1777 <https://github.com/freifunk-gluon/gluon/issues/1777>`_)
+
+* Fixes ingress traffic shaping. A necessary kernel config value was not set. (`#1790 <https://github.com/freifunk-gluon/gluon/issues/1790>`_)
+
+* Fixes the generation of the bootloader image for the AVM FRITZ!Box 4040. (`#1766 <https://github.com/freifunk-gluon/gluon/issues/1766>`_)
+
+* Fixes the IBSS mesh on the GL.iNet AR750. The wrong driver/firmware package was previously selected. (`#1792 <https://github.com/freifunk-gluon/gluon/pull/1792>`_)
+
+* Fixes the primary mac selection on the TP-Link Archer C25 v1. (`#1771 <https://github.com/freifunk-gluon/gluon/issues/1771>`_)
+
+
+Other changes
+~~~~~~~~~~~~~
+
+* Linux kernel has been updated to either
+  
+  - 4.9.188 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.137 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+
+Known issues
+~~~~~~~~~~~~
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is
+  disabled (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).
+
+* Inconsistent respondd API
+  (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API
+  will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on
+  weak hardware especially in larger meshes
+  (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.

docs/releases/v2018.2.rst

@@ -81,6 +81,12 @@ ramips-mt7621 [#noibss]_
   AP+IBSS mode unsupported: This target is not built when *GLUON_WLAN_MESH* is
   set to ``ibss``.
 
+.. note::
+
+    The *ramips-mt7628* target has been renamed to *ramips-mt76x8*, and the *sunxi*
+    target has been renamed to *sunxi-cortexa7*. You might have to update your build
+    scripts accordingly.
+
 New features
 ************
 
@@ -90,10 +96,11 @@ following larger new features:
 OpenStreetMap-based map in config wizard
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-When the features *web-wizard* and *web-osm* are enabled, the configuration
-wizard will try to load an OSM-based map to allow the user to specify the node
-location. Loading the map requires a working internet connection, for example
-via WLAN (while connected to the Gluon node via Ethernet).
+When the feature *config-mode-geo-location-osm* (package
+*gluon-config-mode-geo-location-osm*) is enabled, the configuration wizard will
+try to load an OSM-based map to allow the user to specify the node location.
+Loading the map requires a working internet connection, for example via WLAN
+(while connected to the Gluon node via Ethernet).
 
 See the :ref:`config_mode <user-site-config_mode>` section for the *site.conf*
 configuration of this feature.
@@ -120,8 +127,12 @@ adding ``-gluon-ebtables-limit-arp`` to *GLUON_SITE_PACKAGES*.
 Site changes
 ************
 
-No changes need to be made to *site.conf* or *site.mk* when upgrading from
-Gluon v2018.1.x.
+If an opkg repository for ``lede`` was configured the key needs to be migrated
+to ``openwrt``. ``lede`` is ignored and without an ``openwrt`` key the default
+OpenWrt repository is used.
+
+No other changes need to be made to *site.conf* or *site.mk* when upgrading
+from Gluon v2018.1.x.
 
 Internals
 *********
@@ -141,7 +152,7 @@ Known issues
   disabled (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
 
   This may lead to issues in environments where a fixed MAC address is expected
-  (like VMware when promicious mode is disallowed).
+  (like VMware when promiscuous mode is disallowed).
 
 * Inconsistent respondd API
   (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)

docs/site-example/site.conf

--- This is an example site configuration for Gluon v2018.2
+-- This is an example site configuration for Gluon v2018.2.3
 --
 -- Take a look at the documentation located at
 -- https://gluon.readthedocs.io/ for details.

docs/user/faq.rst

 Frequently Asked Questions
 ==========================
 
+.. _faq-hardware:
+
+What hardware is supported?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A table with hardware supported by Gluon can be found on the `OpenWrt Wiki`_.
+If you want to find out if your device can potentially be supported 
+have a look at :doc:`../dev/hardware` for detailed hardware requirements.
+
+.. _OpenWrt Wiki: https://openwrt.org/toh/views/toh_gluon_supported
+
 .. _faq-dns:
 
-DNS does not work on the nodes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Why does DNS not work on the nodes?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Gluon nodes will ignore the DNS server on the WAN port for everything except
 the mesh VPN, which can lead to confusion.
@@ -18,8 +28,8 @@ in this case, the *radvd* is only used to announce the DNS server.
 
 .. _faq-mtu:
 
-What is a good MTU on the mesh-vpn
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+What is a good MTU on the mesh-vpn?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Setting the MTU on the transport interface requires careful consideration, as
 setting it too low will cause excessive fragmentation and setting it too high
@@ -30,7 +40,7 @@ Consider these key values:
 - Payload: Allow for the transport of IPv6 packets, by adhering to the minimum MTU
   of 1280 Byte specified in RFC 2460
   - and configure `MSS clamping`_ accordingly,
-  - and announce your link MTU via Router Advertisments and DHCP
+  - and announce your link MTU via Router Advertisements and DHCP
 
   .. _MSS clamping: https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html
 
@@ -48,7 +58,7 @@ For reference, the complete MTU stack looks like this:
 Minimum MTU
 -----------
 
-Calculcate the minimum transport MTU by adding the encapsulation overhead to the
+Calculate the minimum transport MTU by adding the encapsulation overhead to the
 minimum payload MTU required. This is the lowest recommended value, since going
 lower would cause unnecessary fragmentation for clients which respect the announced
 link MTU.

docs/user/getting_started.rst

@@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2018.2*. Always get Gluon using git and don't try to download it
+e.g. *v2018.2.3*. Always get Gluon using git and don't try to download it
 as a Zip archive as the archive will be missing version information.
 
 Please keep in mind that there is no "default Gluon" build; a site configuration
@@ -44,7 +44,7 @@ Building the images
 -------------------
 
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2018.2*.
+version you'd like to checkout, e.g. *v2018.2.3*.
 
 ::
 
@@ -86,11 +86,20 @@ Next go back to the top-level Gluon directory and build Gluon::
     make update                        # Get other repositories used by Gluon
     make GLUON_TARGET=ar71xx-generic   # Build Gluon
 
-In case of errors read the messages carefully and try to fix the stated issues (e.g. install tools not available yet).
+In case of errors read the messages carefully and try to fix the stated issues
+(e.g. install missing tools not available or look for Troubleshooting_ in the wiki.
+
+.. _Troubleshooting: https://github.com/freifunk-gluon/gluon/wiki/Troubleshooting
 
 ``ar71xx-generic`` is the most common target and will generate images for most of the supported hardware.
 To see a complete list of supported targets, call ``make`` without setting ``GLUON_TARGET``.
 
+To build all targets use a loop like this:
+
+    for TARGET in $(make list-targets); do
+      make GLUON_TARGET=$TARGET
+    done
+
 You should generally reserve 5GB of disk space and additionally about 10GB for each `GLUON_TARGET`.
 
 The built images can be found in the directory `output/images`. Of these, the `factory`
@@ -172,7 +181,7 @@ GLUON_PRIORITY
 GLUON_REGION
   Some devices (at the moment the TP-Link Archer C7) contain a region code that restricts
   firmware installations. Set GLUON_REGION to ``eu`` or ``us`` to make the resulting
-  images installable from the respective stock firmwares.
+  images installable from the respective stock firmware.
 
 GLUON_RELEASE
   Firmware release number: This string is displayed in the config mode, announced
@@ -186,9 +195,6 @@ GLUON_TARGET
 Special variables
 .................
 
-GLUON_BUILDDIR
-  Working directory during build. Defaults to ``build``.
-
 GLUON_IMAGEDIR
   Path where images will be stored. Defaults to ``$(GLUON_OUTPUTDIR)/images``.
 

docs/user/site.rst

@@ -24,7 +24,7 @@ site_code
 domain_seed
     32 bytes of random data, encoded in hexadecimal, used to seed other random
     values specific to the mesh domain. It must be the same for all nodes of one
-    mesh, but should be different for firmwares that are not supposed to mesh with
+    mesh, but should be different for firmware that is not supposed to mesh with
     each other.
 
     The recommended way to generate a value for a new site is:
@@ -69,7 +69,7 @@ timezone
       -- Europe/Berlin
       timezone = 'CET-1CEST,M3.5.0,M10.5.0/3'
 
-ntp_server
+ntp_servers
     List of NTP servers available in your community or used by your community, e.g.:
     ::
 
@@ -152,7 +152,7 @@ wifi24 \: optional
     don't want users to connect to this mesh-SSID, so use a cryptic id that no
     one will accidentally mistake for the client WiFi.
 
-    ``ibss`` requires two parametersr: ``ssid`` (a string) and ``bssid`` (a MAC).
+    ``ibss`` requires two parameters: ``ssid`` (a string) and ``bssid`` (a MAC).
     An optional parameter ``vlan`` (integer) is supported.
 
     Both ``mesh`` and ``ibss`` accept an optional ``mcast_rate`` (kbit/s) parameter for
@@ -247,7 +247,7 @@ mesh
       throughput is at least 1500 kbit/s faster than the throughput of the
       currently selected gateway. 
 
-    For details on determining the threshhold, when to switch to a new gateway,
+    For details on determining the threshold, when to switch to a new gateway,
     see `batctl manpage`_, section "gw_mode".
     
     .. _batctl manpage: https://www.open-mesh.org/projects/batman-adv/wiki/Gateways
@@ -661,7 +661,7 @@ Site modules
 The file ``modules`` in the site repository is completely optional and can be used
 to supply additional package feeds from which packages are built. The git repositories
 specified here are retrieved in addition to the default feeds when ``make update``
-it called.
+is called.
 
 This file's format is very similar to the toplevel ``modules`` file of the Gluon
 tree, with the important different that the list of feeds must be assigned to

docs/user/x86.rst

@@ -19,8 +19,8 @@ The following targets for x86 images exist:
     * `virtualbox` (VDI image)
     * `vmware` (VMDK image)
 
-    These images only differ in the image file format, the content is the same. Therefore there is
-    only a single `x86-generic` sysupgrade image instead of three.
+    These images differ in the image file format, the content is the same. Therefore
+    a single `x86-generic` sysupgrade image is provided, only.
 
 `x86-geode`
     x86 image for Geode CPUs.

modules

@@ -2,19 +2,20 @@ GLUON_FEEDS='packages routing luci gluon'
 
 OPENWRT_REPO=https://git.openwrt.org/openwrt/openwrt.git
 OPENWRT_BRANCH=openwrt-18.06
-OPENWRT_COMMIT=eef6bd3393f406f73187a670fa34d5e6a228f9e8
+OPENWRT_COMMIT=89808e211cd5ef5989bd0becb8cd45f9340610ff
 
 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
 PACKAGES_PACKAGES_BRANCH=openwrt-18.06
-PACKAGES_PACKAGES_COMMIT=d05b98c6c86da58db5cbda3c945007be09583609
+PACKAGES_PACKAGES_COMMIT=5d3cb594e49132158ca7b41f4246421078e8f92a
 
 PACKAGES_ROUTING_REPO=https://github.com/openwrt-routing/packages.git
 PACKAGES_ROUTING_BRANCH=openwrt-18.06
-PACKAGES_ROUTING_COMMIT=bc6e7f6903c8237c77131aedfc92dba40e1bc6ac
+PACKAGES_ROUTING_COMMIT=7589804a56baac804421b492c93004c28a627abb
 
 PACKAGES_LUCI_REPO=https://github.com/openwrt/luci.git
 PACKAGES_LUCI_BRANCH=openwrt-18.06
 PACKAGES_LUCI_COMMIT=4ba85e3d82b684262c570e38a72d2dc3bb712a13
 
 PACKAGES_GLUON_REPO=https://github.com/freifunk-gluon/packages.git
-PACKAGES_GLUON_COMMIT=a52d5ced54acfe399b3ac36b33d53034f341f06b
+PACKAGES_GLUON_BRANCH=v2018.2.x
+PACKAGES_GLUON_COMMIT=a0ab6d6e712f9cc736e834ef3a8a5d2b4fc2a708

package/gluon-authorized-keys/Makefile

@@ -7,7 +7,7 @@ include ../gluon.mk
 
 define Package/gluon-authorized-keys
   TITLE:=Fill /etc/dropbear/authorized_keys from site.conf
-  DEPENDS:=+gluon-core
+  DEPENDS:=+gluon-core +gluon-lock-password
 endef
 
 $(eval $(call BuildPackageGluon,gluon-authorized-keys))

package/gluon-config-mode-geo-location/luasrc/lib/gluon/config-mode/wizard/0400-geo-location.lua

@@ -15,7 +15,7 @@ return function(form, uci)
 	if not text then
 		text = pkg_i18n.translate(
 			'If you want the location of your node to ' ..
-			'be displayed on the map, you can enter its coordinates here.'
+			'be displayed on public maps, you can enter its coordinates here.'
 		)
 		if osm then
 			text = text .. ' ' .. osm.help(i18n)

package/gluon-config-mode-mesh-vpn/luasrc/lib/gluon/config-mode/wizard/0300-mesh-vpn.lua

@@ -24,51 +24,39 @@ return function(form, uci)
 	local o
 
 	local meshvpn = s:option(Flag, "meshvpn", pkg_i18n.translate("Use internet connection (mesh VPN)"))
-	meshvpn.default = uci:get_bool("fastd", "mesh_vpn", "enabled") or uci:get_bool("tunneldigger", "mesh_vpn", "enabled")
+	meshvpn.default = uci:get_bool("gluon", "mesh_vpn", "enabled")
 	function meshvpn:write(data)
-		if has_fastd then
-			uci:set("fastd", "mesh_vpn", "enabled", data)
-		end
-		if has_tunneldigger then
-			uci:set("tunneldigger", "mesh_vpn", "enabled", data)
-		end
+		uci:set("gluon", "mesh_vpn", "enabled", data)
 	end
 
 	local limit = s:option(Flag, "limit_enabled", pkg_i18n.translate("Limit bandwidth"))
 	limit:depends(meshvpn, true)
-	limit.default = uci:get_bool("simple-tc", "mesh_vpn", "enabled")
+	limit.default = uci:get_bool("gluon", "mesh_vpn", "limit_enabled")
 	function limit:write(data)
-		uci:set("simple-tc", "mesh_vpn", "interface")
-		uci:set("simple-tc", "mesh_vpn", "enabled", data)
-		uci:set("simple-tc", "mesh_vpn", "ifname", "mesh-vpn")
-		if not data and has_tunneldigger then
-			uci:delete("tunneldigger", "mesh_vpn", "limit_bw_down")
-		end
+		uci:set("gluon", "mesh_vpn", "limit_enabled", data)
 	end
 
 	o = s:option(Value, "limit_ingress", pkg_i18n.translate("Downstream (kbit/s)"))
 	o:depends(limit, true)
-	if has_tunneldigger then
-		o.default = uci:get("tunneldigger", "mesh_vpn", "limit_bw_down")
-	else
-		o.default = uci:get("simple-tc", "mesh_vpn", "limit_ingress")
-	end
+	o.default = uci:get("gluon", "mesh_vpn", "limit_ingress")
 	o.datatype = "uinteger"
 	function o:write(data)
-		if has_tunneldigger then
-			uci:set("tunneldigger", "mesh_vpn", "limit_bw_down", data)
-		else
-			uci:set("simple-tc", "mesh_vpn", "limit_ingress", data)
-		end
+		uci:set("gluon", "mesh_vpn", "limit_ingress", data)
 	end
 
 	o = s:option(Value, "limit_egress", pkg_i18n.translate("Upstream (kbit/s)"))
 	o:depends(limit, true)
-	o.default = uci:get("simple-tc", "mesh_vpn", "limit_egress")
+	o.default = uci:get("gluon", "mesh_vpn", "limit_egress")
 	o.datatype = "uinteger"
 	function o:write(data)
-		uci:set("simple-tc", "mesh_vpn", "limit_egress", data)
+		uci:set("gluon", "mesh_vpn", "limit_egress", data)
+	end
+
+	function s:handle()
+		Section.handle(s)
+		uci:save('gluon')
+		os.execute('exec /lib/gluon/mesh-vpn/update-config')
 	end
 
-	return {'fastd', 'tunneldigger', 'simple-tc'}
+	return {'gluon', 'fastd', 'tunneldigger', 'simple-tc'}
 end

package/gluon-core/Config.in

@@ -50,6 +50,10 @@ config KERNEL_NET_CLS_ACT
 	bool
 	select KERNEL_NET_CLS
 
+config KERNEL_NET_ACT_POLICE
+	bool
+	select KERNEL_NET_CLS_ACT
+
 config KERNEL_NET_CLS_BASIC
 	bool
 	select KERNEL_NET_CLS

package/gluon-core/check_site.lua

@@ -3,15 +3,6 @@ need_string(in_site({'site_name'}))
 
 -- this_domain() returns nil when multidomain support is disabled
 if this_domain() then
-	function need_domain_name(path)
-		need_string(path)
-		need(path, function(default_domain)
-			local f = io.open(os.getenv('IPKG_INSTROOT') .. '/lib/gluon/domains/' .. default_domain .. '.json')
-			if not f then return false end
-			f:close()
-			return true
-		end, nil, 'be a valid domain name')
-	end
 	need_domain_name(in_site({'default_domain'}))
 
 	need_table(in_domain({'domain_names'}), function(domain)

package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac

@@ -26,10 +26,11 @@ end
 if platform.match('ar71xx', 'generic', {'tl-wdr3600', 'tl-wdr4300',
                                         'tl-wr902ac-v1'}) then
   table.insert(try_files, 1, '/sys/class/ieee80211/phy1/macaddress')
-elseif platform.match('ramips', 'mt7621', {'dir-860l-b1'}) then
-  table.insert(try_files, 1, '/sys/class/ieee80211/phy1/macaddress')
-elseif platform.match('ar71xx', 'generic', {'unifi-outdoor-plus', 'carambola2',
-                                            'a40', 'a60', 'koala',
+elseif platform.match('ar71xx', 'generic', {'a40', 'a60',
+                                            'archer-c25-v1',
+                                            'archer-c7-v4', 'archer-c7-v5',
+                                            'carambola2',
+                                            'koala',
                                             'mr600', 'mr600v2',
                                             'mr900', 'mr900v2',
                                             'mr1750', 'mr1750v2',
@@ -39,15 +40,22 @@ elseif platform.match('ar71xx', 'generic', {'unifi-outdoor-plus', 'carambola2',
                                             'om2p-lc',
                                             'om5p', 'om5p-an',
                                             'om5p-ac', 'om5p-acv2',
-                                            'archer-c7-v4', 'archer-c7-v5'}) then
+                                            'unifi-outdoor-plus',
+                                            'unifiac-lite', 'unifiac-pro'}) then
   table.insert(try_files, 1, '/sys/class/net/eth0/address')
 elseif platform.match('ar71xx', 'generic', {'archer-c5', 'archer-c58-v1',
                                             'archer-c59-v1', 'archer-c60-v1',
                                             'archer-c7'}) then
   table.insert(try_files, 1, '/sys/class/net/eth1/address')
+elseif platform.match('ar71xx', 'nand', {'hiveap-121'}) then
+  table.insert(try_files, 1, '/sys/class/net/eth0/address')
 elseif platform.match('ipq40xx', nil, {'avm,fritzbox-4040',
                                        'openmesh,a42', 'openmesh,a62'}) then
   table.insert(try_files, 1, '/sys/class/net/eth0/address')
+elseif platform.match('mpc85xx', 'p1020', {'aerohive,hiveap-330'}) then
+  table.insert(try_files, 1, '/sys/class/net/eth0/address')
+elseif platform.match('ramips', 'mt7621', {'dir-860l-b1'}) then
+  table.insert(try_files, 1, '/sys/class/ieee80211/phy1/macaddress')
 end
 
 

package/gluon-core/luasrc/lib/gluon/upgrade/200-wireless

@@ -10,6 +10,43 @@ local uci = require('simple-uci').cursor()
 -- Initial
 if not sysconfig.gluon_version then
 	uci:delete_all('wireless', 'wifi-iface')
+
+	-- First count all radios with a fixed frequency band.
+	-- This is needed to distribute devices which have radios
+	-- capable of operating in the 2.4 GHz and 5 GHz band need
+	-- to be distributed evenly.
+	local radio_band_count = {band24=0, band5=0}
+	util.foreach_radio(uci, function(radio, index, config)
+		local hwmodes = iwinfo.nl80211.hwmodelist(util.find_phy(radio))
+		if (hwmodes.a or hwmodes.ac) and hwmodes.g then
+			-- Dualband - do nothing in this step
+		elseif hwmodes.g then
+			-- 2.4 GHz
+			radio_band_count["band24"] = radio_band_count["band24"] + 1
+		elseif hwmodes.a or hwmodes.ac then
+			-- 5 GHz
+			radio_band_count["band5"] = radio_band_count["band5"] + 1
+		end
+	end)
+
+	-- Use the number of all fixed 2.4G GHz and 5 GHz radios to
+	-- distribute dualband radios in this step.
+	util.foreach_radio(uci, function(radio, index, config)
+		local radio_name = radio['.name']
+		local hwmodes = iwinfo.nl80211.hwmodelist(util.find_phy(radio))
+		if (hwmodes.a or hwmodes.ac) and hwmodes.g then
+			-- Dualband radio
+			if radio_band_count["band24"] <= radio_band_count["band5"] then
+				-- Assign radio to 2.4GHz band
+				radio_band_count["band24"] = radio_band_count["band24"] + 1
+				uci:set('wireless', radio_name, 'hwmode', '11g')
+			else
+				-- Assign radio to 5GHz band
+				radio_band_count["band5"] = radio_band_count["band5"] + 1
+				uci:set('wireless', radio_name, 'hwmode', '11a')
+			end
+		end
+	end)
 end
 
 local function get_channel(radio, config)

package/gluon-core/luasrc/usr/lib/lua/gluon/util.lua

@@ -253,3 +253,12 @@ function foreach_radio(uci, f)
 		end
 	end
 end
+
+function get_uptime()
+	local uptime_file = readfile("/proc/uptime")
+	if uptime_file == nil then
+		-- Something went wrong reading "/proc/uptime"
+		return nil
+	end
+	return tonumber(uptime_file:match('^[^ ]+'))
+end

package/gluon-mesh-batman-adv/files/lib/gluon/ebtables/250-next-node

@@ -7,6 +7,9 @@ local macaddr = client_bridge.next_node_macaddr()
 rule('FORWARD --logical-out br-client -i bat0 -o local-port -j DROP')
 rule('FORWARD --logical-out br-client -i local-port -o bat0 -j DROP')
 
+rule('PREROUTING --logical-in br-client -i bat0 -s ' .. macaddr .. ' -j DROP', 'nat')
+rule('PREROUTING --logical-in br-client -i bat0 -d ' .. macaddr .. ' -j DROP', 'nat')
+
 rule('FORWARD --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
 rule('OUTPUT --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
 rule('FORWARD --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP')

package/gluon-mesh-batman-adv/src/respondd.c

@@ -26,6 +26,7 @@
 
 #include <respondd.h>
 
+#include <ifaddrs.h>
 #include <iwinfo.h>
 #include <json-c/json.h>
 #include <libgluonutil.h>
@@ -43,12 +44,16 @@
 #include <net/if.h>
 #include <netinet/in.h>
 
+#include <netlink/netlink.h>
+#include <netlink/genl/genl.h>
+
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 
 #include <linux/ethtool.h>
 #include <linux/if_addr.h>
+#include <linux/rtnetlink.h>
 #include <linux/sockios.h>
 
 #include <batadv-genl.h>
@@ -71,55 +76,73 @@ struct gw_netlink_opts {
 };
 
 struct clients_netlink_opts {
-	size_t total;
-	size_t wifi;
+	size_t non_wifi;
 	struct batadv_nlquery_opts query_opts;
 };
 
+struct ip_address_information {
+	unsigned int ifindex;
+	struct json_object *addresses;
+};
 
-static struct json_object * get_addresses(void) {
-	FILE *f = fopen("/proc/net/if_inet6", "r");
-	if (!f)
-		return NULL;
+static int get_addresses_cb(struct nl_msg *msg, void *arg) {
+	struct ip_address_information *info = (struct ip_address_information*) arg;
 
-	char *line = NULL;
-	size_t len = 0;
-
-	struct json_object *ret = json_object_new_array();
-
-	while (getline(&line, &len, f) >= 0) {
-		/* IF_NAMESIZE would be enough, but adding 1 here is simpler than subtracting 1 in the format string */
-		char ifname[IF_NAMESIZE+1];
-		unsigned int flags;
-		struct in6_addr addr;
-		char buf[INET6_ADDRSTRLEN];
-
-		if (sscanf(line,
-			   "%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8
-			   "%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8"%2"SCNx8
-			   "  %*x %*x %*x %x %"STRINGIFY(IF_NAMESIZE)"s",
-			   &addr.s6_addr[0], &addr.s6_addr[1], &addr.s6_addr[2], &addr.s6_addr[3],
-			   &addr.s6_addr[4], &addr.s6_addr[5], &addr.s6_addr[6], &addr.s6_addr[7],
-			   &addr.s6_addr[8], &addr.s6_addr[9], &addr.s6_addr[10], &addr.s6_addr[11],
-			   &addr.s6_addr[12], &addr.s6_addr[13], &addr.s6_addr[14], &addr.s6_addr[15],
-			   &flags, ifname) != 18)
-			continue;
+	struct nlmsghdr *nlh = nlmsg_hdr(msg);
+	struct ifaddrmsg *msg_content = NLMSG_DATA(nlh);
+	int remaining = nlh->nlmsg_len - NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+	struct rtattr *hdr;
 
-		if (strcmp(ifname, "br-client"))
-			continue;
+	for (hdr = IFA_RTA(msg_content); RTA_OK(hdr, remaining); hdr = RTA_NEXT(hdr, remaining)) {
+		char addr_str_buf[INET6_ADDRSTRLEN];
 
-		if (flags & (IFA_F_TENTATIVE|IFA_F_DEPRECATED))
+		/* We are only interested in IP-addresses of br-client */
+		if (hdr->rta_type != IFA_ADDRESS ||
+			msg_content->ifa_index != info->ifindex ||
+			msg_content->ifa_flags & (IFA_F_TENTATIVE|IFA_F_DEPRECATED)) {
 			continue;
+		}
+
+		if (inet_ntop(AF_INET6, (struct in6_addr *) RTA_DATA(hdr), addr_str_buf, INET6_ADDRSTRLEN)) {
+			json_object_array_add(info->addresses, json_object_new_string(addr_str_buf));
+		}
+	}
 
-		inet_ntop(AF_INET6, &addr, buf, sizeof(buf));
+	return NL_OK;
+}
 
-		json_object_array_add(ret, json_object_new_string(buf));
+static struct json_object *get_addresses(void) {
+	struct ip_address_information info = {
+		.ifindex = if_nametoindex("br-client"),
+		.addresses = json_object_new_array(),
+	};
+	int err;
+
+	/* Open socket */
+	struct nl_sock *socket = nl_socket_alloc();
+	if (!socket) {
+		return info.addresses;
 	}
 
-	fclose(f);
-	free(line);
+	err = nl_connect(socket, NETLINK_ROUTE);
+	if (err < 0) {
+		goto out_free;
+	}
 
-	return ret;
+	/* Send message */
+	struct ifaddrmsg rt_hdr = { .ifa_family = AF_INET6, };
+	err = nl_send_simple(socket, RTM_GETADDR, NLM_F_REQUEST | NLM_F_ROOT, &rt_hdr, sizeof(struct ifaddrmsg));
+	if (err < 0) {
+		goto out_free;
+	}
+
+	/* Retrieve answer. Message is handled by get_addresses_cb */
+	nl_socket_modify_cb(socket, NL_CB_VALID, NL_CB_CUSTOM, get_addresses_cb, &info);
+	nl_recvmsgs_default(socket);
+
+out_free:
+	nl_socket_free(socket);
+	return info.addresses;
 }
 
 static void add_if_not_empty(struct json_object *obj, const char *key, struct json_object *val) {
@@ -529,26 +552,24 @@ static int parse_clients_list_netlink_cb(struct nl_msg *msg, void *arg)
 
 	flags = nla_get_u32(attrs[BATADV_ATTR_TT_FLAGS]);
 
-	if (flags & BATADV_TT_CLIENT_NOPURGE)
+	if (flags & (BATADV_TT_CLIENT_NOPURGE | BATADV_TT_CLIENT_WIFI))
 		return NL_OK;
 
 	lastseen = nla_get_u32(attrs[BATADV_ATTR_LAST_SEEN_MSECS]);
 	if (lastseen > MAX_INACTIVITY)
 		return NL_OK;
 
-	if (flags & BATADV_TT_CLIENT_WIFI)
-		opts->wifi++;
-
-	opts->total++;
+	opts->non_wifi++;
 
 	return NL_OK;
 }
 
 static struct json_object * get_clients(void) {
 	size_t wifi24 = 0, wifi5 = 0;
+	size_t total;
+	size_t wifi;
 	struct clients_netlink_opts opts = {
-		.total = 0,
-		.wifi = 0,
+		.non_wifi = 0,
 		.query_opts = {
 			.err = 0,
 		},
@@ -559,10 +580,12 @@ static struct json_object * get_clients(void) {
 			  &opts.query_opts);
 
 	count_stations(&wifi24, &wifi5);
+	wifi = wifi24 + wifi5;
+	total = wifi + opts.non_wifi;
 
 	struct json_object *ret = json_object_new_object();
-	json_object_object_add(ret, "total", json_object_new_int(opts.total));
-	json_object_object_add(ret, "wifi", json_object_new_int(opts.wifi));
+	json_object_object_add(ret, "total", json_object_new_int(total));
+	json_object_object_add(ret, "wifi", json_object_new_int(wifi));
 	json_object_object_add(ret, "wifi24", json_object_new_int(wifi24));
 	json_object_object_add(ret, "wifi5", json_object_new_int(wifi5));
 	return ret;

package/gluon-mesh-vpn-core/Makefile

@@ -13,6 +13,7 @@ define Package/gluon-mesh-vpn-core
 	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_PKTTYPE \
 	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_QUOTA \
 	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_CLS_BASIC \
+	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_ACT_POLICE \
 	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_TBF \
 	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_INGRESS
   USERID:=:gluon-mesh-vpn=800

package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local unistd = require 'posix.unistd'
+
+local vpn
+if unistd.access('/lib/gluon/mesh-vpn/fastd') then
+	vpn = 'fastd'
+elseif unistd.access('/lib/gluon/mesh-vpn/tunneldigger') then
+	vpn = 'tunneldigger'
+end
+
+local vpn_config = {
+	enabled = uci:get_bool('gluon', 'mesh_vpn', 'enabled'),
+	limit_enabled = uci:get_bool('gluon', 'mesh_vpn', 'limit_enabled'),
+	limit_egress = uci:get('gluon', 'mesh_vpn', 'limit_egress'),
+	limit_ingress = uci:get('gluon', 'mesh_vpn', 'limit_ingress'),
+}
+
+uci:delete('simple-tc', 'mesh_vpn')
+uci:section('simple-tc', 'interface', 'mesh_vpn', {
+	ifname = 'mesh-vpn',
+	enabled = vpn_config.limit_enabled,
+	limit_egress = vpn_config.limit_egress,
+})
+
+if vpn == 'fastd' then
+	uci:set('fastd', 'mesh_vpn', 'enabled', vpn_config.enabled)
+	uci:set('simple-tc', 'mesh_vpn', 'limit_ingress', vpn_config.limit_ingress)
+else
+	uci:set('fastd', 'mesh_vpn', 'enabled', false)
+end
+uci:save('fastd')
+
+if vpn == 'tunneldigger' then
+	uci:set('tunneldigger', 'mesh_vpn', 'enabled', vpn_config.enabled)
+
+	if vpn_config.limit_enabled then
+		uci:set('tunneldigger', 'mesh_vpn', 'limit_bw_down', vpn_config.limit_ingress)
+	else
+		uci:delete('tunneldigger', 'mesh_vpn', 'limit_bw_down')
+	end
+else
+	uci:set('tunneldigger', 'mesh_vpn', 'enabled', false)
+end
+uci:save('tunneldigger')
+
+uci:save('simple-tc')