Commit Graph

454 Commits

Author SHA1 Message Date
210b41efc0 improve robustness of ppp readiness notification
there was a race where ip-up could write ifname and then
ip6-up could write its outputs and then test ifname and
signal ready before ip-up had written the rest of its outputs
2025-03-31 23:17:50 +01:00
53c6d506cf dhcp6c subscribe to ppp ifindex
when the peer bounces ppp, s6 will restart the ppp process but not
restart the dependent services (because the service isn't considered
to have gone down)

so the dependent services need to notice when the outputs from ppp
have changed
2025-03-31 23:15:28 +01:00
01fe2159b4 ppp: write ifindex as output
because what happens if the service is restarted but the new ppp0 is
a different interface than the old one so that services which had
bound to it with the old name are now not getting new data

(I am not 100% that this actually happens but it seems like it would
be good to avoid it if it does)
2025-03-31 23:11:30 +01:00
d7d19b5ed0 dhcp6 client: fix service dir in address and prefix acquirers
the scripts now expect the actual service dir instead of the .outputs
subdir
2025-03-31 23:06:40 +01:00
ee683f2202 firewall: fix syntax of icmp v4 rule 2025-03-31 23:03:24 +01:00
d9723aeb87 secrets subscriber: make restart-all work 2025-03-31 23:01:48 +01:00
46ed8f0199 add bandwidth as a service option for ppp (l2tp, pppoe) 2025-03-27 20:23:26 +00:00
dd44fbaec1 rate limit for v4 icmp 2025-03-27 20:21:48 +00:00
89065be6cd bandwidth is bits/second so divide by 8 2025-03-27 20:21:14 +00:00
420320e434 firewall: remove unused args/names/vars 2025-03-27 18:40:07 +00:00
1a6160bcab firewall: show how to ratelimit icmp6 to 5% of available bandwidth
it's a little klunky as yet, requires setting properties.bandwidth on
the interface service
2025-03-25 23:53:02 +00:00
e5cfd41013 add nft_limit kmodule for rate limiting in firewall 2025-03-21 21:19:48 +00:00
2b0972ed73 svc.open accepts a /nix/store folder not an outputs folder
this mostly makes things simpler
2025-03-11 00:21:44 +00:00
9ab77a7d7e remove unused function 2025-03-09 20:44:35 +00:00
c6918fec00 firewall: use extraText for zone set contents
* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines

* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears
2025-03-09 20:42:02 +00:00
d4e46dbe28 secrets/subscriber don't depend on the services we're watching
this means a watched service can stop and start without killing
the subscriber, and that we can watch for services that don't
yet exist
2025-03-09 20:35:40 +00:00
d1f87a56e0 secrets/subscriber: use correct numbers for signals to s6-svc 2025-03-09 20:34:29 +00:00
6649ebeccd firewall: use watch-outputs to track changes in zone->interface map
includes a horrible hack to work around (claimed (by me)) deficiencies
in the nftables parser
2025-02-28 00:43:20 +00:00
0c406058e9 remove acceptance of udp sport 5 on wan
this was added for replies to dns queries but isn't needed for
that purpose as connection tracking does that anyway
2025-02-12 21:54:01 +00:00
19d441333c remove duplicate rule 2025-02-10 23:50:07 +00:00
a726c09ae4 improve explanation of reverse path filtering rule
thanks RoS for the references :-)
2025-02-10 23:48:29 +00:00
7e2b0068e6 nixfmt-rfc-style
There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."

If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
3f889c7119 default firewall zones in gateway profile 2025-02-10 21:21:08 +00:00
7f17125039 firewall: update zones with interface names as they appear 2025-02-10 21:21:08 +00:00
6587813577 WIP add zones to firewall module
- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets
2025-02-10 21:21:08 +00:00
1d780de0f1 add (very basic) set support in firewallgen
and add sets for lan/wan/dmz/guest interface names to default
firewall rules
2025-02-10 21:17:43 +00:00
c92aacc6fd firewall rules: use @lan and @wan sets instead of ifnames
we don't have anything yet to create or populate the sets
2025-02-06 09:22:41 +00:00
f77da6f14c remove remaining refs to kexecboot 2025-01-05 17:22:30 +00:00
26f206d0e1 phram dtb reserved-memory needs no-map
c.f. 69429404ab

Co-authored-by: Arnout Engelen <arnout@bzzt.net>
2025-01-04 23:50:44 +00:00
13cb8d3692 sort imports 2025-01-03 15:41:22 +00:00
62b7aea8ab add btrfs.nix to outputs imports 2025-01-03 15:40:33 +00:00
92284fa9ba mtdimage can't be a default import
it adds kernel config that depend on openwrt patches,
which aren't used/needed on all devices
2025-01-03 00:19:17 +00:00
74027b44d7 extract log persistence config from s6 to new module
because it frobs kernel config, it breaks levitate
as levitate evalModules doesn't include the kernel
2025-01-02 23:56:49 +00:00
ea5370b3f4 import mtdimage in outputs 2025-01-02 23:37:07 +00:00
7377f7ceb2 implement mechanism for reverting from update.sh 2025-01-02 22:19:49 +00:00
cc94ef57fa in rc.init copy log from previous boot to place of safety 2025-01-01 18:22:45 +00:00
497307588f automate ubimage instructions a little 2025-01-01 12:38:08 +00:00
28d39cd66d provide etc/kconfig in updater output
this is for debugging/documentation purposes and isn't copied to the
device
2025-01-01 11:55:33 +00:00
f2e4e77d73 firewall: don't use oifname in input rules
because it's empty, these are input rules for the local machine
2024-12-29 23:17:31 +00:00
4d273a9469 dropbear would like /etc/shells to exist 2024-12-29 13:27:49 +00:00
40db175b41 complain if user attempting to tftpboot a ubifs 2024-12-29 13:26:45 +00:00
ab07212a7e include jffs2 module per default
it has no effect unless enabled
2024-12-29 13:26:06 +00:00
294492a176 jiggle imports 2024-12-24 13:46:19 +00:00
Arnout Engelen
f8a275d1a3 use Linux kernel sources associated with openwrt by default 2024-12-24 12:30:15 +00:00
bc20f4c6b7 rt3200 test install 2024-12-23 23:59:52 +00:00
848214d104 add ubivolume output 2024-12-23 22:37:07 +00:00
ede8f12d2b declare options.hardware.ubi unconditionally
this is so it can be defined in device modules even when
ubifs is not included in the configuration
2024-12-23 22:37:07 +00:00
6cd5b90678 outputs.rootubifs -> ubifs 2024-12-23 22:37:07 +00:00
db4f098c02 add fit bootloader
this is for the belkin rt3200, whose uboot doesn't do
extlinux but can load a fit from a ubifs. It adds the
kernel+dtb as /boot/fit
2024-12-23 11:21:58 +00:00
1347937345 rename file 2024-12-23 10:31:22 +00:00