Re: [OpenWrt-Devel] [PATCH netifd 3/6] interface-ip: Remove ip loop policy rules as kernel issue is fixed

2015-09-23 Thread Kristian Evensen
Hi,

On Wed, Sep 9, 2015 at 3:45 PM, Hans Dedecker  wrote:
> Remove the ip loop policy rules, as the kernel issue they worked around (the
> kernel using an unspecified address to look up locally originating traffic)
> is fixed by
> http://lkml.iu.edu/hypermail/linux/kernel/1505.0/03094.html
>
> Signed-off-by: Hans Dedecker 

This patch breaks (at least) IPv4 on multihomed routers that keep all
default routes in other tables than main. Without these rules, traffic
originating from the router (and not bound to an interface) will not
be routed anywhere and dropped.

-Kristian
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH procd] system: fix undefined behavior in wdt offline check

2015-09-23 Thread Alexander Couzens
watchdog_fd() is returning a char* and not an int. Checking against < 0 could
lead to undefined behaviour.

Signed-off-by: Alexander Couzens 
---
 system.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system.c b/system.c
index 82c672e..fb7fbe4 100644
--- a/system.c
+++ b/system.c
@@ -282,7 +282,7 @@ static int watchdog_set(struct ubus_context *ctx, struct 
ubus_object *obj,
if (tb[WDT_STOP])
watchdog_set_stopped(blobmsg_get_bool(tb[WDT_STOP]));
 
-   if (watchdog_fd() < 0)
+   if (watchdog_fd() == NULL)
status = "offline";
else if (watchdog_get_stopped())
status = "stopped";
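Review bot: the `== NULL` test is the right fix, but the commit message undersells the bug: since watchdog_fd() returns a char*, the old `if (watchdog_fd() < 0)` compared a pointer with an integer, which compilers only warn about and which in practice is never true, so status could never become "offline" and a missing watchdog fell through to the other branches. Worth stating that in the commit message so the behaviour change (the ubus status now actually reports offline) is visible to anyone reading the log.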
-- 
2.5.3


Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Hans Dedecker
On Wed, Sep 23, 2015 at 11:52 AM, Kristian Evensen <
kristian.even...@gmail.com> wrote:

> Sorry about partial reply, clumsy fingers.
>
> On Wed, Sep 23, 2015 at 11:31 AM, Hans Dedecker 
> wrote:
> > Can you share the uci network config and ifstatus of the different
> > interfaces ?
>
> UCI config is nothing more than ... proto dhcp ... ip4/ip6table X
>
> >>
> >>
> >> I don't see any other fix than a partial revert. I guess the ADDR-rule
> can
> >> stay.
> >
> > Is the service hosted on the multihomed router or on a lan device; nat
> > involved or not ?
>
> The current service I am accessing is a router located on one of the
> external networks.
>
> > It seems odd to me if the service is hosted on the gateway the nw rule is
> > hit as the local table lookup has pref 1 while the NW policy rules start
> > from 2
>
> The route that needs to be hit is contained in main. Here is a more
> detailed description of what happens.
>
> - External router has IP 192.168.0.1 and netmask 255.255.255.0.
> - When I try to access this router, outgoing traffic is routed
> correctly as it does not match any source rules and hit the network
> rule in the main table (192.168.0.0/24 dev X src Y).
> - When the reply comes, problem occurs. Since the network rule is
> checked before the main table, we get a match on the "from
> 192.168.0.0/24"-rule and packet is routed back out on the
> 192.168.0.0/24 interface. The correct route (i.e., the route for my
> local network) is in the main table.
>
Ah ok, I see the issue; traffic coming from behind the gateway and targeted
at a directly connected device on the wan is impacted.

>
> I have a question about this patch. In what scenario is it needed? Or
> rather, will you ever use source based routing and have a default
> route in the main table? As far as I remember, these rules are only
> added when you have specified an ip4/ip6table. Or do you have one
> interface without an ipXtable value?

Indeed we're using source based routing in combination with a default route
in the main routing table; even the specific routing table(s) can contain a
default route.
Based on the addr rule the traffic is guided to a specific routing table so
it leaves on the correct interface.

Hans

>
> -Kristian
>


Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

2015-09-23 Thread Kevin Darbyshire-Bryant


On 23/09/15 03:42, Yousong Zhou wrote:
> On 23 September 2015 at 01:52, Bastian Bittorf  wrote:
>> dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
>> determining if current time is good enough to validate dnssec time
>> stamps.  By including /etc/dnsmasq.time as a time source for sysfixtime,
>> the mechanism was effectively defeated because time was set to the last
>> time that dnsmasq considered current even though that time is in
>> the past.  Since that time is out of date, dns(sec) resolution would
>> fail thus defeating any ntp based mechanisms for setting the clock
>> correctly.
>>
>> In theory the process is defeated by any files in /etc that are newer
>> than /etc/dnsmasq.time however dnsmasq now updates the file's timestamp
>> on process TERM so hopefully /etc/dnsmasq.time is the latest file
>> timestamp in /etc as part of openWrt shutdown/reboot.
>>
I'm glad there's so much interest in this topic.  I have to declare a
bias/interest in this because I was the guy who persuaded Simon
(dnsmasq) to implement the timestamp check file option.  The motivation
was to provide an easier path for users of dnsmasq to switch on dnssec
and have it 'just work', well hopefully.  The existing
--dnssec-no-timecheck has some practical difficulties and at the time I
was marginally involved in the 'tomato' project which just proved too
difficult to adapt to use '--dnssec-no-timecheck'.
> In theory, a security sensitive mechanism's dependence on a
> non-reliable timestamp file with access permission nobody:nogroup
> makes little sense to me.  How about that we do --dnssec-no-timecheck
> on dnsmasq startup time and notify it of the system time change from
> ntpd hotplug script?
If the concern is someone mangling the timestamp file then a relatively
easy solution is to create a dnsmasq user/group, have dnsmasq drop to
that user rather than nobody, create a directory solely for the
timestamp file '/etc/dnsmasq.d' (perm 600) and store the timestamp file
there out of everyone else's reach.

Manipulating the timestamp file and system time before dnsmasq start has
the following effects as I understand it:

1) system time equal or ahead of timestamp file - dnsmasq considers
system time correct (updates timestamp file) and will now check dnssec
signature timestamps.  If the system time is not actually 'internet
time' (within a tolerance of which I'm unclear) and dnsmasq is using
'dnssec-check-unsigned' then ALL dns resolution will fail (everything is
considered BOGUS) - arguably a fail safe in that it just stops!  This
becomes really problematic when trying to resolve name to ip addresses of
ntp servers ;-)  Manual workaround, stop dnsmasq, restart sysntpd, wait
10 seconds, start dnsmasq, get on with life :-)

2) system time behind timestamp file - dnsmasq considers system time
'incorrect' and doesn't check dnssec signature timestamps, yet.
dns(sec) resolution will work, though timestamps are not checked.  The
full implications of this I don't understand (at least I'm honest).
dnsmasq compares system time and filestamp time for each lookup and when
it detects system time > filestamp time starts checking dnssec signature
timestamps (see 1).

In essence dnsmasq tries to maintain a 'last known good time' timestamp
file.  Moving that timestamp file out of everyone else's reach is
probably a good idea as this removes one source of manipulation.  This
'just' leaves the problem of someone effectively manipulating system
time at boot via the 'sysfixtime' script.  They can only move the time
forward and if they go too far from internet time then name resolution
will stop (see 1 above).

--dnssec-no-timecheck on the other hand assumes time is incorrect and so
by default doesn't check signature timestamps.  Signature checking is
enabled by sending SIGHUP (which does a few other things as well)  A
problem with this approach is handling dnsmasq re-starts
(crashes)/reconfigures.  If by default dnsmasq is always started with
'--dnssec-no-timecheck' then a process restart will put it back into
'less secure' mode until something notices and sends another SIGHUP.  I
guess ntpd could be patched to create a flag that says 'time has been
set' and the dnsmasq startup process modified to include/exclude
'--dnssec-no-timecheck' as required.  Care needs to be taken to remove
this flag at reboot.

>
> Another idea would be to delegate timestamp update task to a specific
> service program like ntpd or procd and later on system startup we set
> system time from the specific file.
>
>> Either way, including /etc/dnsmasq.time as a time source for sysfixtime
>> is not helpful.
> Agree.
:-)  Including it almost guaranteed dnsmasq fell into the trap mentioned
in 1)
>
> yousong
>




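Kevin's two cases, and the way sysfixtime feeds into them, as an added example (not OpenWrt's sysfixtime script or dnsmasq's own code): it builds a throwaway /etc with constructed file times, assumes sysfixtime picks the newest file mtime under /etc when that is ahead of the clock, and models dnsmasq's stamp check as "clock at or past the stamp's mtime means the time is good". File names, times and the no-RTC boot clock are all constructed.

```python
import os
import tempfile

# Added example; not OpenWrt's sysfixtime script or dnsmasq code. It models the
# two mechanisms the thread discusses against a constructed /etc in a temporary
# directory. Assumption (consistent with the thread): sysfixtime seeds the clock
# from the newest file mtime under /etc when that is ahead of the current clock.

STAMP = "dnsmasq.time"
SHUTDOWN = 1_443_000_000   # constructed "last known good" time (Sept 2015)


def sysfixtime(etc_dir, clock, exclude=()):
    """Return the clock sysfixtime leaves behind: the newest mtime under etc_dir
    (skipping file names in `exclude`) when it is ahead of `clock`."""
    newest = clock
    for root, _dirs, files in os.walk(etc_dir):
        for name in files:
            if name not in exclude:
                newest = max(newest, int(os.stat(os.path.join(root, name)).st_mtime))
    return newest


def dnsmasq_timecheck(stamp_path, clock):
    """dnsmasq's stamp-file logic as Kevin describes it: a clock at or past the
    stamp's mtime counts as good (the stamp is refreshed and DNSSEC signature
    validity periods are enforced); an earlier clock defers those checks."""
    if clock >= int(os.stat(stamp_path).st_mtime):
        os.utime(stamp_path, (clock, clock))
        return "check-timestamps"
    return "defer-timestamps"


def boot(include_stamp, rtc_clock=0, ntp_time=None, stray_newer_file=False):
    """Simulate shutdown -> reboot -> sysfixtime -> dnsmasq start (-> NTP).
    Returns (clock after sysfixtime, list of dnsmasq modes seen)."""
    with tempfile.TemporaryDirectory() as etc:
        files = {
            # a config file edited an hour before shutdown
            "config.txt": SHUTDOWN - 3600,
            # dnsmasq touches its stamp on TERM during shutdown
            STAMP: SHUTDOWN,
        }
        if stray_newer_file:  # something in /etc written after the stamp
            files["late.txt"] = SHUTDOWN + 60
        for name, mtime in files.items():
            path = os.path.join(etc, name)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        exclude = () if include_stamp else (STAMP,)
        # a box without RTC boots with a clock far in the past (epoch here)
        clock = sysfixtime(etc, rtc_clock, exclude)
        stamp_path = os.path.join(etc, STAMP)
        modes = [dnsmasq_timecheck(stamp_path, clock)]
        if ntp_time is not None:  # sysntpd later steps the clock to real time
            modes.append(dnsmasq_timecheck(stamp_path, ntp_time))
        return clock, modes


if __name__ == "__main__":
    print("stamp included in sysfixtime :", boot(include_stamp=True))
    print("stamp excluded               :", boot(include_stamp=False))
    print("excluded, then NTP           :",
          boot(include_stamp=False, ntp_time=SHUTDOWN + 86400))
    print("excluded, newer file in /etc :",
          boot(include_stamp=False, stray_newer_file=True))
```

With dnsmasq.time included, sysfixtime hands dnsmasq exactly its own last stamp, so it starts enforcing signature validity periods on a clock that is stale by however long the box was off (Kevin's case 1); excluding the stamp keeps dnsmasq in the deferred state (case 2) until NTP steps the clock past it, and a stray newer file under /etc defeats the exclusion, as Kevin notes. Whether a stale clock actually makes every answer BOGUS depends on the RRSIG validity windows, which the model does not represent.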

Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Kristian Evensen
On Wed, Sep 23, 2015 at 1:07 PM, Hans Dedecker  wrote:
> Indeed we're using source based routing in combination with a default route
> in the main routing table; even the specific routing table(s) can contain a
> default route
> Based on the addr rule the traffic is guided to a specific routing table so
> it leaves on the correct interface

Thanks for letting me know. If you add the lo-rules, then you do
not need the default route in the main table? Or does this break something
else? Note that I am talking about v4, I don't currently have a
v6-network to test with :(

-Kristian


Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

2015-09-23 Thread Bastian Bittorf
* Kevin Darbyshire-Bryant  [23.09.2015 12:21]:

[...]

> signature timestamps.  If the system time is not actually 'internet
> time' (within a tolerance of which I'm unclear) and dnsmasq is using
> 'dnssec-check-unsigned' then ALL dns resolution will fail (everything is
> considered BOGUS) - arguably a fail safe in that it just stops!  This
> become really problematic when trying to resolve name to ip addresses of
> ntp servers ;-)

Good point. So it makes sense to start up dnsmasq without strict DNSSEC
checks and reconfigure it when NTP was successful?

It would be really helpful if ntp could mark (with a file) somehow that
time is 'good'. At least the return code indicates that:

root@box:~ /usr/sbin/ntpd -q -n -p 1.openwrt.pool.ntp.org
root@box:~ echo $?
0

(it is e.g. 143 when it fails)

So once the first time setting is done, it has to trigger dnsmasq...

bye, bastian


Re: [OpenWrt-Devel] ZyXEL NBG4615

2015-09-23 Thread Nerijus Baliunas
On Sat, 19 Sep 2015 12:11:06 +0200 John Crispin  wrote:

> rt305x has an rgmii that the switch connects to. however we don't have
> support in the driver for that rgmii port. you will need to first patch
> the driver to support the rgmii interface and then hook up the switch
> driver.

As I don't know how to hook the switch driver, I tried to copy ar8216.c and .h
to drivers/net/ethernet/ralink, added ar8216.o to Makefile, but when compiling
I get an error:
  CC  drivers/net/ethernet/ralink/ar8216.o
drivers/net/ethernet/ralink/ar8216.c: In function 'ar8216_mangle_tx':
drivers/net/ethernet/ralink/ar8216.c:482:32: error: 'struct net_device' has no 
member named 'phy_ptr'
  struct ar8xxx_priv *priv = dev->phy_ptr;

Then I plan to add ar8xxx_init(); to ralink_soc_eth.c, but it probably is a bad 
idea.
Could anyone guide me?

Regards,
Nerijus


Re: [OpenWrt-Devel] [PATCH] [SIGNED-OFF] Add WeIO Board Support

2015-09-23 Thread Drasko DRASKOVIC
A kind reminder,
please someone take a look at this patch and integrate it if it is OK.

BR,
Drasko


On Sun, Sep 20, 2015 at 7:27 PM, Drasko DRASKOVIC
 wrote:
> Add support for WeIO board (http://we-io.net).
> This board is based on the Carambola2 board from 8Devices.
>
> Signed-off-by: Drasko DRASKOVIC 
> ---
>  target/linux/ar71xx/base-files/lib/ar71xx.sh   |   3 +
>  .../ar71xx/base-files/lib/upgrade/platform.sh  |   3 +-
>  target/linux/ar71xx/config-4.1 |   1 +
>  .../linux/ar71xx/files/arch/mips/ath79/mach-weio.c | 145 
> +
>  target/linux/ar71xx/generic/profiles/weio.mk   |  17 +++
>  target/linux/ar71xx/image/Makefile |   8 ++
>  .../700-MIPS-ath79-openwrt-machines.patch  |  21 ++-
>  7 files changed, 192 insertions(+), 6 deletions(-)
>  create mode 100644 target/linux/ar71xx/files/arch/mips/ath79/mach-weio.c
>  create mode 100644 target/linux/ar71xx/generic/profiles/weio.mk
>
> diff --git a/target/linux/ar71xx/base-files/lib/ar71xx.sh 
> b/target/linux/ar71xx/base-files/lib/ar71xx.sh
> index efb3d16..ad98cfb 100755
> --- a/target/linux/ar71xx/base-files/lib/ar71xx.sh
> +++ b/target/linux/ar71xx/base-files/lib/ar71xx.sh
> @@ -850,6 +850,9 @@ ar71xx_board_detect() {
> *"UniFi AP Pro")
> name="uap-pro"
> ;;
> +   *"WeIO")
> +   name="weio"
> +   ;;
> *WHR-G301N)
> name="whr-g301n"
> ;;
> diff --git a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh 
> b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
> index cad8b43..c947b78 100755
> --- a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
> +++ b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
> @@ -252,7 +252,8 @@ platform_check_image() {
> nbg460n_550n_550nh | \
> unifi | \
> unifi-outdoor | \
> -   carambola2 )
> +   carambola2 | \
> +   weio )
> [ "$magic" != "2705" ] && {
> echo "Invalid image type."
> return 1
> diff --git a/target/linux/ar71xx/config-4.1 b/target/linux/ar71xx/config-4.1
> index 51f2f2f..50dc7b2 100644
> --- a/target/linux/ar71xx/config-4.1
> +++ b/target/linux/ar71xx/config-4.1
> @@ -143,6 +143,7 @@ CONFIG_ATH79_MACH_TL_WR941ND=y
>  CONFIG_ATH79_MACH_TUBE2H=y
>  CONFIG_ATH79_MACH_UBNT=y
>  CONFIG_ATH79_MACH_UBNT_XM=y
> +CONFIG_ATH79_MACH_WEIO=y
>  CONFIG_ATH79_MACH_WHR_HP_G300N=y
>  CONFIG_ATH79_MACH_WLAE_AG300N=y
>  CONFIG_ATH79_MACH_WLR8100=y
> diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-weio.c 
> b/target/linux/ar71xx/files/arch/mips/ath79/mach-weio.c
> new file mode 100644
> index 000..44a831b
> --- /dev/null
> +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-weio.c
> @@ -0,0 +1,145 @@
> +/**
> + * WEIO Web Of Things Platform
> + *
> + * Copyright (C) 2013 Drasko DRASKOVIC and Uros PETREVSKI
> + *
> + *  ##  ##    ###
> + *  ##  ##  ## ####  ## ##
> + *  ##  ##  ## ####  ## ##
> + *  ##  ##  ## ####  ## ##
> + *  ##  ##  ## ####  ## ##
> + *  ##  ##  ## ####  ## ##
> + *   ###  ###     ###
> + *
> + *   Web Of Things Platform
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License
> + * as published by the Free Software Foundation; either version 2
> + * of the License, or (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
> + *
> + * Authors :
> + * Drasko DRASKOVIC 
> + * Uros PETREVSKI 
> + */
> +
> +#include 
> +#include 
> +#include "common.h"
> +#include "dev-eth.h"
> +#include "dev-gpio-buttons.h"
> +#include "dev-leds-gpio.h"
> +#include "dev-m25p80.h"
> +#include "dev-spi.h"
> +#include "dev-usb.h"
> +#include "dev-wmac.h"
> +#include "machtypes.h"
> +#include "linux/i2c-gpio.h"
> +#include "linux/platform_device.h"
> +
> +#define WEIO_GPIO_LED_STA  1
> +#define WEIO_GPIO_LED_AP   16
> +
> +#define WEIO_GPIO_BTN_AP   20
> +#define WEIO_GPIO_BTN_RESET23
> +
> +#define WEIO_KEYS_POLL_INTERVAL20  /* msecs */
> +#define WEIO_KEYS_DEBOUNCE_INTERVAL(3 * WEIO_KEYS_POLL_INTERVAL)
> +
> 
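Review bot: the license header in mach-weio.c carries the old FSF postal address paragraph ("59 Temple Place - Suite 330, Boston ..."); checkpatch flags that, so drop the paragraph and keep only the GPL v2 notice. Also `#include "linux/i2c-gpio.h"` and `#include "linux/platform_device.h"` use quoted includes for kernel headers; switch them to the `<linux/...>` form and group them with the other system includes at the top of the file. The multi-line ASCII banner adds nothing a one-line description would not say, but that is taste.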

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

2015-09-23 Thread Bastian Bittorf
* Yousong Zhou  [23.09.2015 07:58]:
> In theory, a security sensitive mechanism's dependence on a
> non-reliable timestamp file with access permission nobody:nogroup
> makes little sense to me.  How about that we do --dnssec-no-timecheck
> on dnsmasq startup time and notify it of the system time change from
> ntpd hotplug script?

this sounds good to me, but will be another patch.

should we drop this patch completely or does it still
make sense to deny reading '/etc/dnsmasq.time'?

and: which hotplug script are you talking about?
find /etc/hotplug.d -name '*ntp*'
= empty

> Another idea would be to delegate timestamp update task to a specific
> service program like ntpd or procd and later on system startup we set
> system time from the specific file.

unsure if this is overkill, just for 1 service.

thanks for feedback - bye, bastian


Re: [OpenWrt-Devel] [PATCH] Configure IPv6 kernel options in config/Config-kernel.in

2015-09-23 Thread John Crispin


On 22/09/2015 22:17, Arjen de Korte wrote:
> Citeren John Crispin :
> 
>> On 22/09/2015 19:31, Arjen de Korte wrote:
>>> Revision 46834 changed IPv6 support from a module to builtin. But
>>> since the configuration of the IPv6 kernel options was left in
>>> package/kernel/linux/modules/netsupport.mk, this means that an
>>> empty kmod-ipv6 module was still being generated (not packaged).
>>>
>>> This patch moves the configuration of the IPv6 kernel options to
>>> config/Config-kernel.in to remove this last bit of the module.
>>>
>>> Note that CONFIG_IPV6_PRIVACY was dropped (enabled by default
>>> since Linux v3.13), so this option is no longer needed.
>>>
>>> See
>>> https://github.com/torvalds/linux/commit/5d9efa7ee99eed58388f186c13cf2e2a87e9ceb4
>>>
>>>
>>> Signed-off-by: Arjen de Korte 
>>> ---
>>>  config/Config-kernel.in| 23 +++
>>>  package/kernel/linux/modules/netsupport.mk | 22 --
>>>  2 files changed, 23 insertions(+), 22 deletions(-)
>>>
>>> diff --git a/config/Config-kernel.in b/config/Config-kernel.in
>>> index 2572bf4..4082e1e 100644
>>> --- a/config/Config-kernel.in
>>> +++ b/config/Config-kernel.in
>>> @@ -544,3 +544,26 @@ config KERNEL_SECCOMP
>>>  default n
>>>  help
>>>Build kernel with support for seccomp.
>>> +
>>> +#
>>> +# IPv6 configuration
>>> +#
>>> +
>>> +config KERNEL_IPV6
>>> +def_bool IPV6
>>> +
>>> +if KERNEL_IPV6
>>> +
>>> +config KERNEL_IPV6_MULTIPLE_TABLES
>>> +def_bool y
>>> +
>>> +config KERNEL_IPV6_SUBTREES
>>> +def_bool y
>>> +
>>> +config KERNEL_IPV6_MROUTE
>>> +def_bool y
>>> +
>>> +config KERNEL_IPV6_PIMSM_V2
>>> +def_bool n
>>> +
>>> +endif
>>> diff --git a/package/kernel/linux/modules/netsupport.mk
>>> b/package/kernel/linux/modules/netsupport.mk
>>> index b81d9b4..7a7ca43 100644
>>> --- a/package/kernel/linux/modules/netsupport.mk
>>> +++ b/package/kernel/linux/modules/netsupport.mk
>>> @@ -453,28 +453,6 @@ endef
>>>  $(eval $(call KernelPackage,iptunnel6))
>>>
>>>
>>> -define KernelPackage/ipv6
>>> -  SUBMENU:=$(NETWORK_SUPPORT_MENU)
>>> -  TITLE:=IPv6 support
>>> -  DEPENDS:=@IPV6
>>> -  HIDDEN:=1
>>> -  DEFAULT:=y
>>> -  KCONFIG:= \
>>> -CONFIG_IPV6=y \
>>> -CONFIG_IPV6_PRIVACY=y \
>>> -CONFIG_IPV6_MULTIPLE_TABLES=y \
>>> -CONFIG_IPV6_MROUTE=y \
>>> -CONFIG_IPV6_PIMSM_V2=n \
>>> -CONFIG_IPV6_SUBTREES=y
>>> -endef
>>> -
>>> -define KernelPackage/ipv6/description
>>> - Kernel modules for IPv6 support
>>> -endef
>>> -
>>> -$(eval $(call KernelPackage,ipv6))
>>> -
>>> -
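Review bot: removing KernelPackage/ipv6 also removes the kmod-ipv6 package name; any package Makefile that still lists `+kmod-ipv6` in its DEPENDS will fail dependency resolution once this is applied, so the same change should grep for and drop those dependencies (or keep an empty, HIDDEN kmod-ipv6 for one release). On the 3.18 concern raised in reply: the commit message's point that IPV6_PRIVACY disappeared in 3.13 per the linked kernel commit means dropping it from the KCONFIG list is safe for 3.18 targets as well.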
>>
>> this will break all targets still on v3.18
> 
> What part will be broken? I tried adm5120 with and without this patch
> and the kernel binaries had identical sizes (which leads me to believe
> they will be the same).
> 
> Arjen
> 

Had a brainfart I guess ...


Re: [OpenWrt-Devel] Automatic service reload

2015-09-23 Thread Florian Eckert
You have to call the shell script /sbin/reload_config.
On 23.09.2015 at 4:56 AM, "Lars Boegild Thomsen" <
l...@bright-things.com> wrote:

> Hi Everybody,
>
> I am struggling a bit with triggering automatic service reload based on
> configuration change.
>
> Latest trunk and all that jazz. New software package called "mqttbridge"
> which basically is meant to publish ubus method results to mqtt. Init is in
> /etc/init.d/mqttbridge, config in /etc/config/mqttbridge.
>
> In the "olden days" this was all defined in /etc/config/ucitrack -
> something along this line:
>
> config mqttbridge
>         option init mqttbridge
>
> However, according to this:
>
> http://wiki.openwrt.org/inbox/procd-init-scripts#procd_triggers_on_config_filenetwork_interface_changes
>
> It would appear that ucitrack is no longer used? I have also tried the
> service_triggers in the init script:
>
> root@pm2:/etc/config# cat /etc/init.d/mqttbridge
> #!/bin/sh /etc/rc.common
>
> START=90
>
> USE_PROCD=1
> NAME=mqttbridge
> PROG=/usr/sbin/mqttbridge
>
> start_service()
> {
>         procd_open_instance
>         procd_set_param respawn
>         procd_set_param command "$PROG"
>         procd_close_instance
> }
>
> service_triggers()
> {
>         procd_add_reload_trigger "mqttbridge"
> }
>
> The thing is - neither approach (or rather both of them) works. Manual
> "/etc/init.d/mqttbridge restart" works fine, but automatic reload is never
> triggered on configuration change.
>
> What did I miss and what is the correct approach?
>
> --
> Lars Bøgild Thomsen
> Public Key: http://bright-things.com/lars-bogild-thomsen/
>


Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Kristian Evensen
Hi,

On Wed, Sep 9, 2015 at 3:45 PM, Hans Dedecker  wrote:
> Specific IP address and network rules are now checked before the main table 
> lookup as the main table
> often holds a default route. As a result the IP address and network rules 
> pointing to s specific
> routing table will not be checked anymore; by reversing the order the 
> specific routing tables
> are checked first if the ip rule matches.

This commit breaks existing behavior in the following use case:

A multihomed router with some service available on one of the external
interfaces that should be reachable on the WAN. The destination
routing works fine, but replies are sent out on the wrong interface.
The reason is that the nw rule is checked before main, so packets are
routed back out on the WAN interface (and not to the LAN).

I don't see any other fix than a partial revert. I guess the ADDR-rule can stay.

-Kristian
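The two routing failures reported in this thread (the reply to a LAN host that patch 2/6's network rule sends back out the WAN, described step by step earlier in the thread, and the router-originated traffic that patch 3/6 leaves without a route) can be replayed with a small model of the kernel's policy routing. The code below is an added example and is neither netifd nor kernel code; the addresses, table numbers and rule priorities are hypothetical, and the router-originated lookup is assumed to run with an unspecified source and `iif lo`, which is how the "lo" rules mentioned in the thread are modelled here.

```python
import ipaddress

# Added example; not netifd or kernel code. A small model of Linux policy
# routing (ip rule selectors + per-table longest-prefix lookup) that replays
# the two failure cases reported in this thread. Table ids follow ip(8)
# (local=255, main=254); 100/101 stand for the per-interface ip4table values.
LOCAL, MAIN, WAN1, WAN2 = 255, 254, 100, 101
MAIN_PRIO = 32766  # priority of the stock "from all lookup main" rule

# Constructed topology (addresses are hypothetical):
#   lan  10.0.0.1/24     the gateway's LAN
#   wan1 192.168.0.2/24  upstream "external router" at 192.168.0.1
#   wan2 172.16.0.2/24   second uplink
# Default routes live only in the per-interface tables, not in main.
TABLES = {
    LOCAL: [("10.0.0.1/32", "local"), ("192.168.0.2/32", "local"),
            ("172.16.0.2/32", "local")],
    MAIN: [("10.0.0.0/24", "lan"), ("192.168.0.0/24", "wan1"),
           ("172.16.0.0/24", "wan2")],
    WAN1: [("192.168.0.0/24", "wan1"), ("0.0.0.0/0", "wan1")],
    WAN2: [("172.16.0.0/24", "wan2"), ("0.0.0.0/0", "wan2")],
}
IFACES = [  # (interface address, interface network, its table)
    ("192.168.0.2/32", "192.168.0.0/24", WAN1),
    ("172.16.0.2/32", "172.16.0.0/24", WAN2),
]


def lookup_table(table, dst):
    """Longest-prefix match of dst in one table; None when nothing matches."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, src, dst, iif):
    """Walk the rules in priority order; the first table holding a route
    for dst decides the egress device. A rule is (prio, selector, table),
    selector being None (from all), ("from", net) or ("iif", dev)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if sel is not None:
            kind, arg = sel
            if kind == "from" and src not in ipaddress.ip_network(arg):
                continue
            if kind == "iif" and iif != arg:
                continue
        dev = lookup_table(table, dst)
        if dev is not None:
            return dev
    return None  # no rule produced a route: the packet is dropped


def netifd_rules(nw_before_main, addr_only=False, loop_rules=False):
    """Rule set as the thread describes it. Priorities are hypothetical;
    only their order relative to the main-table rule matters."""
    base = 2 if nw_before_main else MAIN_PRIO + 1000
    rules = [(1, None, LOCAL), (MAIN_PRIO, None, MAIN)]
    for i, (addr, net, table) in enumerate(IFACES):
        rules.append((base + 3 * i, ("from", addr), table))        # ADDR rule
        if not addr_only:
            rules.append((base + 3 * i + 1, ("from", net), table))  # NW rule
        if loop_rules:  # the "lo" rules of patch 3/6, modelled as iif lo
            rules.append((base + 3 * i + 2, ("iif", "lo"), table))
    return rules


def reply_dev(rules):
    """Kristian's case: the external router (192.168.0.1) answers a LAN host
    (10.0.0.5); the gateway forwards the reply and must pick the LAN side."""
    return route(rules, "192.168.0.1", "10.0.0.5", "wan1")


def local_origin_dev(rules):
    """Patch 3/6 case: a packet the gateway itself originates, looked up
    before a source address is chosen (assumed here: src 0.0.0.0, iif lo)."""
    return route(rules, "0.0.0.0", "8.8.8.8", "lo")


if __name__ == "__main__":
    for name, rules in (("nw rules before main", netifd_rules(True)),
                        ("main before nw rules", netifd_rules(False)),
                        ("addr rule only", netifd_rules(True, addr_only=True))):
        print(f"{name:22}: reply to LAN host leaves via {reply_dev(rules)}")
    print("without lo rules      :", local_origin_dev(netifd_rules(False)))
    print("with lo rules         :",
          local_origin_dev(netifd_rules(False, loop_rules=True)))
```

Run it and the reply case comes out as `wan1` with the network rule ahead of main, and as `lan` either with main first or with only the address rule kept (Kristian's "the ADDR rule can stay"): the /32 address rule only ever matches the gateway's own source address, while the /24 network rule also catches forwarded traffic from every other host on that segment. The locally originated packet gets no route at all until the `iif lo` rules are present. The equivalent check on a real box is `ip route get 10.0.0.5 from 192.168.0.1 iif wan1`, which prints the device the kernel selected.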


[OpenWrt-Devel] compression with 'brotli' / squashfs / FYI

2015-09-23 Thread Bastian Bittorf
I did a quick test of how well 'brotli' performs at compressing
binary files versus e.g. xz/lzma. Here it is:

bytes:
10.905.600  uncompressed
 4.192.280  gzip -9
 3.362.626  brotli -11
 3.098.216  xz -9 --extreme
 3.097.691  lzma -9 --extreme

the uncompressed file is an unsquashfs'ed rootfs from
bin/ar71xx/openwrt-ar71xx-generic-root.squashfs and then
tar'ed.

So nothing to talk about for now; in particular the
decompressor is HUGE and this must be taken into account.

bye, bastian


Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

2015-09-23 Thread Kevin Darbyshire-Bryant


On 23/09/15 07:13, Bastian Bittorf wrote:
> * Yousong Zhou  [23.09.2015 07:58]:
>> In theory, a security sensitive mechanism's dependence on a
>> non-reliable timestamp file with access permission nobody:nogroup
>> makes little sense to me.  How about that we do --dnssec-no-timecheck
>> on dnsmasq startup time and notify it of the system time change from
>> ntpd hotplug script?
> this sounds good to me, but will be another patch.
>
> should we drop this patch completely or does it still
> make sense to deny reading '/etc/dnsmasq.time'?
In my humble opinion the startup efficiency improvements alone are worth
having and in the short term at least, dnsmasq should not be being fed
with its own timestamp.

There will be another email in reply to the other issues.

Cheers,

Kevin






Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

2015-09-23 Thread Steven Barth
Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
is already overloaded and might be triggered by e.g. config changes.

Btw. an ntp hotplug infrastructure exists:
https://dev.openwrt.org/changeset/43421

Please also consider that some devices have an RTC, so disabling timecheck
indiscriminately at startup might not be ideal either.



Cheers,

Steven


[OpenWrt-Devel] [PATCH][RESEND] libnl: split libnl into smaller libraries

2015-09-23 Thread Alexandru Ardelean
From: Alexandru Ardelean 

Some modules may require only libnl-genl, some
libnl-route and fewer would require libnl-nf.

This patch splits the entire libnl package into smaller
more granular libs that can be installed individually as required.

Also added libnl*.so symlinks for convenience.

Signed-off-by: Alexandru Ardelean 
---
 package/libs/libnl/Makefile | 101 ++--
 1 file changed, 88 insertions(+), 13 deletions(-)

diff --git a/package/libs/libnl/Makefile b/package/libs/libnl/Makefile
index 995fda2..857bbe2 100644
--- a/package/libs/libnl/Makefile
+++ b/package/libs/libnl/Makefile
@@ -18,16 +18,61 @@ PKG_LICENSE:=LGPL-2.1
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/libnl
+define Package/libnl/default
   SECTION:=libs
   CATEGORY:=Libraries
-  TITLE:=netlink socket library
-  DEPENDS:=+libpthread
   URL:=http://people.suug.ch/~tgr/libnl/
 endef
 
+define Package/libnl-core
+$(call Package/libnl/default)
+  TITLE:=Core Netlink Library
+  DEPENDS:=+libpthread
+endef
+
+define Package/libnl-genl
+$(call Package/libnl/default)
+  TITLE:=Generic Netlink Library
+  DEPENDS:=+libnl-core
+endef
+
+define Package/libnl-route
+$(call Package/libnl/default)
+  TITLE:=Routing Netlink Library
+  DEPENDS:=+libnl-core
+endef
+
+define Package/libnl-nf
+$(call Package/libnl/default)
+  TITLE:=Netfilter Netlink Library
+  DEPENDS:=+libnl-route
+endef
+
+define Package/libnl
+$(call Package/libnl/default)
+  TITLE:=Full Netlink Library
+  DEPENDS:=+libnl-genl +libnl-route +libnl-nf
+endef
+
+define Package/libnl-core/description
+ Common code for all netlink libraries
+endef
+
+define Package/libnl-genl/description
+ Generic Netlink Library Functions
+endef
+
+define Package/libnl-route/description
+ Routing Netlink Library Functions
+endef
+
+define Package/libnl-nf/description
+ Netfilter Netlink Library Functions
+endef
+
 define Package/libnl/description
- This package contains a library for applications dealing with netlink sockets
+ Socket handling, connection management, sending and receiving of data,
+ message construction and parsing, object caching system, etc.
 endef
 
 TARGET_CFLAGS += -ffunction-sections $(FPIC)
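Review bot: the new `Package/libnl/description` text ("Socket handling, connection management, sending and receiving of data, message construction and parsing, object caching system") describes libnl-core, while `libnl` itself has become a meta-package whose install recipe is just `:`. Move that text to `Package/libnl-core/description` and describe `libnl` as the meta-package that pulls in libnl-genl, libnl-route and libnl-nf. Minor: listing `+libnl-core` explicitly in `Package/libnl-nf` DEPENDS would make the layering visible instead of relying on the transitive dependency through libnl-route.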
@@ -40,18 +85,48 @@ define Build/Compile
 endef
 
 define Build/InstallDev
-   $(INSTALL_DIR) $(1)
-   $(CP) $(PKG_INSTALL_DIR)/* $(1)/
-   mkdir -p $(1)/usr/include/libnl
-   $(CP) $(PKG_BUILD_DIR)/include/linux $(1)/usr/include/libnl/
+   $(INSTALL_DIR) $(1)/usr/include/libnl $(1)/usr/lib/pkgconfig
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/libnl3/* $(1)/usr/include/libnl/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig
+
+   # Copy symlinks
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so $(1)/usr/lib/libnl.so
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so 
$(1)/usr/lib/libnl-genl.so
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-nf-3.so $(1)/usr/lib/libnl-nf.so
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-route-3.so 
$(1)/usr/lib/libnl-route.so
 endef
 
-define Package/libnl/install
+define Package/libnl-core/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so* $(1)/usr/lib/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so $(1)/usr/lib/libnl.so
+endef
+
+define Package/libnl-genl/install
$(INSTALL_DIR) $(1)/usr/lib
-   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-route-3.so.* $(1)/usr/lib/
-   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so.* $(1)/usr/lib/
-   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-nf-3.so.* $(1)/usr/lib/
-   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so.* $(1)/usr/lib/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so* $(1)/usr/lib/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so 
$(1)/usr/lib/libnl-genl.so
+endef
+
+define Package/libnl-route/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-route-3.so* $(1)/usr/lib/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-route-3.so 
$(1)/usr/lib/libnl-route.so
+endef
+
+define Package/libnl-nf/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-nf-3.so* $(1)/usr/lib/
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-nf-3.so $(1)/usr/lib/libnl-nf.so
+endef
+
+define Package/libnl/install
+   :
 endef
 
+$(eval $(call BuildPackage,libnl-core))
+$(eval $(call BuildPackage,libnl-genl))
+$(eval $(call BuildPackage,libnl-route))
+$(eval $(call BuildPackage,libnl-nf))
 $(eval $(call BuildPackage,libnl))
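Review bot: the Package/*/install recipes switched from `libnl-*-3.so.*` to `libnl-*-3.so*` and add `libnl.so`, `libnl-genl.so`, `libnl-route.so` and `libnl-nf.so` links, so every runtime package now carries the unversioned development symlinks that the old `.so.*` glob deliberately left out. Keep those links in Build/InstallDev only (the hunk already creates them there) and restore the `.so.*` pattern in the install recipes, unless some consumer dlopen()s the unversioned name at runtime, in which case say so in the commit message. Also, `$(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib` in Build/InstallDev already copies the pkgconfig directory, so the separate `*.pc` copy on the following line is redundant.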
-- 
2.1.4


Re: [OpenWrt-Devel] Automatic service reload

2015-09-23 Thread Lars Boegild Thomsen
Actually I think it's because the init script is called with a "reload" rather 
than a restart.  Adding this:

reload_service() {
restart
}

to the init script seems to have worked.

I am still a bit confused if /etc/config/ucitrack is still used for anything 
whatsoever.

On Wednesday 23 September 2015 08:22:42 Florian Eckert wrote:
> You have to call the shell script /sbin/reload_config.
> On 23.09.2015 at 4:56 AM, "Lars Boegild Thomsen" <
> l...@bright-things.com> wrote:
> 
> > Hi Everybody,
> >
> > I am struggling a bit with triggering automatic service reload based on
> > configuration change.
> >
> > Latest trunk and all that jazz. New software package called "mqttbridge"
> > which basically is meant to publish ubus method results to mqtt. Init is in
> > /etc/init.d/mqttbridge, config in /etc/config/mqttbridge.
> >
> > In the "olden days" this was all defined in /etc/config/ucitrack -
> > something along this line:
> >
> > config mqttbridge
> >         option init mqttbridge
> >
> > However, according to this:
> >
> > http://wiki.openwrt.org/inbox/procd-init-scripts#procd_triggers_on_config_filenetwork_interface_changes
> >
> > It would appear that ucitrack is no longer used? I have also tried the
> > service_triggers in the init script:
> >
> > root@pm2:/etc/config# cat /etc/init.d/mqttbridge
> > #!/bin/sh /etc/rc.common
> >
> > START=90
> >
> > USE_PROCD=1
> > NAME=mqttbridge
> > PROG=/usr/sbin/mqttbridge
> >
> > start_service()
> > {
> >         procd_open_instance
> >         procd_set_param respawn
> >         procd_set_param command "$PROG"
> >         procd_close_instance
> > }
> >
> > service_triggers()
> > {
> >         procd_add_reload_trigger "mqttbridge"
> > }
> >
> > The thing is - neither approach (or rather both of them) works. Manual
> > "/etc/init.d/mqttbridge restart" works fine, but automatic reload is never
> > triggered on configuration change.
> >
> > What did I miss and what is the correct approach?
> >
> > --
> > Lars Bøgild Thomsen
> > Public Key: http://bright-things.com/lars-bogild-thomsen/
> >

-- 
Lars Bøgild Thomsen
Mobile: +60 12 361 6644
Public Key: http://bright-things.com/lars-bogild-thomsen/



[OpenWrt-Devel] [PATCH 1/1] uhttpd: fix wrong header file inclusion for PRI* constant definitions

2015-09-23 Thread Andrej Krpic
Signed-off-by: Andrej Krpic 
---
 file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/file.c b/file.c
index 6072825..9a2880f 100644
--- a/file.c
+++ b/file.c
@@ -26,7 +26,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 
 #include 
 
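Review bot: the commit message is subject-only and the hunk shows a one-line include swap, so state which header was replaced and why. The PRI* format macros (PRIu64 and friends) are specified in <inttypes.h>; if that is the header being added, say so, and mention which platform or libc failed to build with the old include so the motivation is preserved in history.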
-- 
2.4.6


Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Kristian Evensen
On Wed, Sep 23, 2015 at 1:23 PM, Kristian Evensen
 wrote:
> On Wed, Sep 23, 2015 at 1:07 PM, Hans Dedecker  wrote:
>> Indeed we're using source based routing in combination with a default route
>> in the main routing table; even the specific routing table(s) can contain a
>> default route
>> Based on the addr rule the traffic is guided to a specific routing table so
>> it leaves on the correct interface

I should point out that I don't know what the "correct" behavior is and
how (if) this should be solved. But these patches do break earlier
working use-cases, so I am not sure what the OpenWRT policy on this
is.

-Kristian


[OpenWrt-Devel] [PATCH 2/2] ramips: add support for 16MB VoCore

2015-09-23 Thread Álvaro Fernández Rojas
Signed-off-by: Álvaro Fernández Rojas 
---
 target/linux/ramips/dts/VOCORE-16M.dts |  41 ++
 target/linux/ramips/dts/VOCORE-8M.dts  |  41 ++
 target/linux/ramips/dts/VOCORE.dts | 231 -
 target/linux/ramips/dts/VOCORE.dtsi| 197 
 target/linux/ramips/image/Makefile |  12 +-
 5 files changed, 290 insertions(+), 232 deletions(-)
 create mode 100644 target/linux/ramips/dts/VOCORE-16M.dts
 create mode 100644 target/linux/ramips/dts/VOCORE-8M.dts
 delete mode 100644 target/linux/ramips/dts/VOCORE.dts
 create mode 100644 target/linux/ramips/dts/VOCORE.dtsi

diff --git a/target/linux/ramips/dts/VOCORE-16M.dts 
b/target/linux/ramips/dts/VOCORE-16M.dts
new file mode 100644
index 000..464c137
--- /dev/null
+++ b/target/linux/ramips/dts/VOCORE-16M.dts
@@ -0,0 +1,41 @@
+/dts-v1/;
+
+/include/ "VOCORE.dtsi"
+
+/ {
+   palmbus@1000 {
+   spi@b00 {
+   m25p80@0 {
+   #address-cells = <1>;
+   #size-cells = <1>;
+   compatible = "w25q128";
+   reg = <0>;
+   linux,modalias = "m25p80", "w25q128";
+   spi-max-frequency = <1000>;
+
+   partition@0 {
+   label = "uboot";
+   reg = <0x0 0x3>;
+   read-only;
+   };
+
+   partition@3 {
+   label = "uboot-env";
+   reg = <0x3 0x1>;
+   read-only;
+   };
+
+   factory: partition@4 {
+   label = "factory";
+   reg = <0x4 0x1>;
+   read-only;
+   };
+
+   partition@5 {
+   label = "firmware";
+   reg = <0x5 0xfb>;
+   };
+   };
+   };
+   };
+};
diff --git a/target/linux/ramips/dts/VOCORE-8M.dts 
b/target/linux/ramips/dts/VOCORE-8M.dts
new file mode 100644
index 000..8a081ed
--- /dev/null
+++ b/target/linux/ramips/dts/VOCORE-8M.dts
@@ -0,0 +1,41 @@
+/dts-v1/;
+
+/include/ "VOCORE.dtsi"
+
+/ {
+   palmbus@1000 {
+   spi@b00 {
+   m25p80@0 {
+   #address-cells = <1>;
+   #size-cells = <1>;
+   compatible = "s25fl064k";
+   reg = <0>;
+   linux,modalias = "m25p80", "s25fl064k";
+   spi-max-frequency = <1000>;
+
+   partition@0 {
+   label = "uboot";
+   reg = <0x0 0x3>;
+   read-only;
+   };
+
+   partition@3 {
+   label = "uboot-env";
+   reg = <0x3 0x1>;
+   read-only;
+   };
+
+   factory: partition@4 {
+   label = "factory";
+   reg = <0x4 0x1>;
+   read-only;
+   };
+
+   partition@5 {
+   label = "firmware";
+   reg = <0x5 0x7b>;
+   };
+   };
+   };
+   };
+};
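Review bot: VOCORE-8M.dts repeats the whole flash node of VOCORE-16M.dts and differs only in `compatible`, `linux,modalias` and the firmware partition length (`0x7b` vs `0xfb` as shown in the hunk); consider moving the `m25p80@0` node with the uboot, uboot-env and factory partitions into VOCORE.dtsi and overriding just those three properties per board, so a later partition-layout change is not made twice. The commit message is subject-only; it should say that the existing VOCORE.dts (s25fl064k flash) becomes the 8M variant and that the 16M board uses the w25q128.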
diff --git a/target/linux/ramips/dts/VOCORE.dts 
b/target/linux/ramips/dts/VOCORE.dts
deleted file mode 100644
index 5e386e4..000
--- a/target/linux/ramips/dts/VOCORE.dts
+++ /dev/null
@@ -1,231 +0,0 @@
-/dts-v1/;
-
-/include/ "rt5350.dtsi"
-
-/ {
-   compatible = "VoCore", "ralink,rt5350-soc";
-   model = "VoCore";
-
-   palmbus@1000 {
-   gpio1: gpio@660 {
-   status = "okay";
-   };
-
-   i2c@900 {
-   status = "okay";
-   };
-
-   spi@b00 {
-   status = "okay";
-
-   m25p80@0 {
-   #address-cells = <1>;
-   #size-cells = <1>;
-   compatible = "s25fl064k";
-   reg = 

[OpenWrt-Devel] [PATCH 1/2] ramips: fix size-cells for spi nodes

2015-09-23 Thread Álvaro Fernández Rojas
Signed-off-by: Álvaro Fernández Rojas 
---
 target/linux/ramips/dts/mt7620a.dtsi  | 2 +-
 target/linux/ramips/dts/mt7620n.dtsi  | 2 +-
 target/linux/ramips/dts/mt7621.dtsi   | 2 +-
 target/linux/ramips/dts/mt7628an.dtsi | 2 +-
 target/linux/ramips/dts/rt3352.dtsi   | 2 +-
 target/linux/ramips/dts/rt5350.dtsi   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/target/linux/ramips/dts/mt7620a.dtsi 
b/target/linux/ramips/dts/mt7620a.dtsi
index 80e8977..026e745 100644
--- a/target/linux/ramips/dts/mt7620a.dtsi
+++ b/target/linux/ramips/dts/mt7620a.dtsi
@@ -210,7 +210,7 @@
reset-names = "spi";
 
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
status = "disabled";
 
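Review bot: the commit message is subject-only; add a line explaining why `#size-cells` becomes 0 on the SPI controller nodes: children of an SPI controller are addressed by chip select and carry a single-cell `reg = <n>` with no length, so `#size-cells = <1>` makes those `reg` properties malformed and dtc warns about the mismatch. The same rationale covers the five identical hunks that follow.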
diff --git a/target/linux/ramips/dts/mt7620n.dtsi 
b/target/linux/ramips/dts/mt7620n.dtsi
index e886c6f..b1586ec 100644
--- a/target/linux/ramips/dts/mt7620n.dtsi
+++ b/target/linux/ramips/dts/mt7620n.dtsi
@@ -162,7 +162,7 @@
reset-names = "spi";
 
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
status = "disabled";
 
diff --git a/target/linux/ramips/dts/mt7621.dtsi 
b/target/linux/ramips/dts/mt7621.dtsi
index bc79d39..fd2e100 100644
--- a/target/linux/ramips/dts/mt7621.dtsi
+++ b/target/linux/ramips/dts/mt7621.dtsi
@@ -94,7 +94,7 @@
reset-names = "spi";
 
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
pinctrl-names = "default";
pinctrl-0 = <_pins>;
diff --git a/target/linux/ramips/dts/mt7628an.dtsi 
b/target/linux/ramips/dts/mt7628an.dtsi
index 02f9df3..2eb96e7 100644
--- a/target/linux/ramips/dts/mt7628an.dtsi
+++ b/target/linux/ramips/dts/mt7628an.dtsi
@@ -110,7 +110,7 @@
reset-names = "spi";
 
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
pinctrl-names = "default";
pinctrl-0 = <_pins>;
diff --git a/target/linux/ramips/dts/rt3352.dtsi 
b/target/linux/ramips/dts/rt3352.dtsi
index 009277f..b04845c 100644
--- a/target/linux/ramips/dts/rt3352.dtsi
+++ b/target/linux/ramips/dts/rt3352.dtsi
@@ -144,7 +144,7 @@
compatible = "ralink,rt3352-spi", "ralink,rt2880-spi";
reg = <0xb00 0x100>;
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
resets = < 18>;
reset-names = "spi";
diff --git a/target/linux/ramips/dts/rt5350.dtsi 
b/target/linux/ramips/dts/rt5350.dtsi
index 5282e5b..8dd06c8 100644
--- a/target/linux/ramips/dts/rt5350.dtsi
+++ b/target/linux/ramips/dts/rt5350.dtsi
@@ -158,7 +158,7 @@
reset-names = "spi";
 
#address-cells = <1>;
-   #size-cells = <1>;
+   #size-cells = <0>;
 
pinctrl-names = "default";
pinctrl-0 = <_pins _cs1>;
-- 
1.9.1


Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Hans Dedecker
On Wed, Sep 23, 2015 at 9:50 AM, Kristian Evensen <
kristian.even...@gmail.com> wrote:

> Hi,
>
> On Wed, Sep 9, 2015 at 3:45 PM, Hans Dedecker  wrote:
> > Specific IP address and network rules are now checked before the main
> > table lookup as the main table
> > often holds a default route. As a result the IP address and network
> > rules pointing to a specific
> > routing table will not be checked anymore; by reversing the order the
> > specific routing tables
> > are checked first if the ip rule matches.
>
> This commit breaks existing behavior in the following use case:
>
> A multihomed router with some service available on one of the external
> interfaces that should be reachable on the WAN. The destination
> routing works fine, but replies are sent out on the wrong interface.
> The reason is that the nw rule is checked before main, so packets are
> routed back out on the WAN interface (and not to the LAN).

Can you share the uci network config and ifstatus of the different
interfaces?

>
> I don't see any other fix than a partial revert. I guess the ADDR-rule can
> stay.

Is the service hosted on the multihomed router or on a lan device; nat
involved or not?
It seems odd to me, if the service is hosted on the gateway, that the nw rule is
hit, as the local table lookup has pref 1 while the NW policy rules start
from 2.

Hans

>
> -Kristian


Re: [OpenWrt-Devel] [PATCH netifd 2/6] iprule: Insert network and address ip rules before main table lookup rule

2015-09-23 Thread Kristian Evensen
Sorry about partial reply, clumsy fingers.

On Wed, Sep 23, 2015 at 11:31 AM, Hans Dedecker  wrote:
> Can you share the uci network config and ifstatus of the different
> interfaces ?

UCI config is nothing more than ... proto dhcp ... ip4/ip6table X

>>
>>
>> I don't see any other fix than a partial revert. I guess the ADDR-rule can
>> stay.
>
> Is the service hosted on the multihomed router or on a lan device; nat
> involved or not ?

The current service I am accessing is a router located on one of the
external networks.

> It seems odd to me if the service is hosted on the gateway the nw rule is
> hit as the local table lookup has pref 1 while the NW policy rules start
> from 2

The route that needs to be hit is contained in main. Here is a more
detailed description of what happens.

- External router has IP 192.168.0.1 and netmask 255.255.255.0.
- When I try to access this router, outgoing traffic is routed
correctly as it does not match any source rules and hits the network
rule in the main table (192.168.0.0/24 dev X src Y).
- When the reply comes, the problem occurs. Since the network rule is
checked before the main table, we get a match on the "from
192.168.0.0/24" rule and the packet is routed back out on the
192.168.0.0/24 interface. The correct route (i.e., the route for my
local network) is in the main table.

I have a question about this patch. In what scenario is it needed? Or
rather, will you ever use source based routing and have a default
route in the main table? As far as I remember, these rules are only
added when you have specified an ip4/ip6table. Or do you have one
interface without an ipXtable value?

-Kristian
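The rule-ordering effect described in this thread, as an added illustration that is neither netifd code nor anything posted by the participants: a toy walk of Linux policy routing with the connected routes in main, the wan default route in a per-interface table, and the network rule either after main (pre-patch) or at pref 2 in front of it (post-patch). Interface names, addresses, table number 100 and the pre-patch rule preference 40000 are constructed assumptions.

```python
import ipaddress

# Toy model of Linux policy routing (constructed, not netifd code): rules are
# walked by preference, each selecting a table; a table with no matching route
# falls through to the next rule, which is what lets a rule in front of main
# capture a packet that main would have delivered to the LAN.

def lookup(table, dst):
    """Longest-prefix match within one routing table; None if nothing matches."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(rules, tables, src, dst):
    """Return the egress device chosen for a src->dst packet, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _pref, frm, table in sorted(rules, key=lambda r: r[0]):
        if frm is not None and src not in ipaddress.ip_network(frm):
            continue  # "from" selector does not match this packet
        dev = lookup(tables.get(table, []), dst)
        if dev is not None:
            return dev
    return None

# Constructed multihomed router: lan0 = 10.0.0.0/24, wan0 = 192.168.0.0/24
# (proto dhcp, ip4table 100). main holds connected routes and no default.
TABLES = {
    "main": [("10.0.0.0/24", "lan0"), ("192.168.0.0/24", "wan0")],
    "100": [("192.168.0.0/24", "wan0"), ("0.0.0.0/0", "wan0")],
}
# Rules as (pref, "from" selector or None, table). Pre-patch: network rule
# sits behind the main lookup (pref 40000 is an assumed value).
RULES_BEFORE_PATCH = [(1, None, "local"), (32766, None, "main"),
                      (40000, "192.168.0.0/24", "100")]
# netifd 2/6 moves the network rule in front of main, at pref 2.
RULES_AFTER_PATCH = [(1, None, "local"), (2, "192.168.0.0/24", "100"),
                     (32766, None, "main")]

def request_interface(rules):
    """Egress for the LAN host's request: 10.0.0.5 -> external router 192.168.0.1."""
    return route(rules, TABLES, "10.0.0.5", "192.168.0.1")

def reply_interface(rules):
    """Egress for the external router's reply: 192.168.0.1 -> LAN host 10.0.0.5."""
    return route(rules, TABLES, "192.168.0.1", "10.0.0.5")

if __name__ == "__main__":
    print("request:", request_interface(RULES_BEFORE_PATCH), request_interface(RULES_AFTER_PATCH))
    print("reply:  ", reply_interface(RULES_BEFORE_PATCH), reply_interface(RULES_AFTER_PATCH))
```

With the post-patch order the reply matches the "from 192.168.0.0/24" rule first, table 100's default route wins, and the packet leaves on wan0 instead of lan0.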