Commit Graph

1485 Commits

Author SHA1 Message Date
c6918fec00 firewall: use extraText for zone set contents
* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines

* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears
2025-03-09 20:42:02 +00:00
d4e46dbe28 secrets/subscriber don't depend on the services we're watching
this means a watched service can stop and start without killing
the subscriber, and that we can watch for services that don't
yet exist
2025-03-09 20:35:40 +00:00
d1f87a56e0 secrets/subscriber: use correct numbers for signals to s6-svc 2025-03-09 20:34:29 +00:00
8c39b47cae output-template: allow splicing statements instead of expression
if the text inside the delimiters begins with ; (a semicolon) then
the rest of it is expected to be one or more Lua statements. It needs
to say `return "foo"` to interpolate anything, as there is no
implicit return of the value of the last statement
2025-03-05 22:38:48 +00:00
2c7a16d792 firewallgen: add extraText param to set
anything in here is added verbatim to the set definition
2025-03-05 22:36:35 +00:00
d6b06abb63 delete second copy of output-template 2025-03-02 21:34:02 +00:00
6b32aa569e think 2025-03-02 21:21:45 +00:00
234d1bd87e basic unit tests for output-template 2025-03-02 21:14:46 +00:00
c38f180fb7 output-template expose table module 2025-03-02 21:14:16 +00:00
9a8b22997c output-template: pass the tests 2025-03-02 21:09:32 +00:00
c32d09bd83 output-template: run the tests 2025-03-02 21:09:11 +00:00
6649ebeccd firewall: use watch-outputs to track changes in zone->interface map
includes a horrible hack to work around (claimed (by me)) deficiencies
in the nftables parser
2025-02-28 00:43:20 +00:00
929226ed9e delete commented code 2025-02-27 20:55:30 +00:00
a98f026210 think 2025-02-27 20:54:44 +00:00
f4dc001b71 check firewall zones in pppoe test 2025-02-25 23:32:05 +00:00
024c018262 run the output-template test 2025-02-22 00:10:19 +00:00
e1293e3778 think 2025-02-21 23:22:39 +00:00
0c406058e9 remove acceptance of udp sport 5 on wan
this was added for replies to dns queries but isn't needed for
that purpose as connection tracking does that anyway
2025-02-12 21:54:01 +00:00
19d441333c remove duplicate rule 2025-02-10 23:50:07 +00:00
a726c09ae4 improve explanation of reverse path filtering rule
thanks RoS for the references :-)
2025-02-10 23:48:29 +00:00
7e2b0068e6 nixfmt-rfc-style
There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."

If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00
dan
13cc5a8992 Merge pull request 'support firewall zones: don't hardcode interface names in rules' (#16) from firescape into main
Reviewed-on: #16
2025-02-10 21:23:15 +00:00
3f889c7119 default firewall zones in gateway profile 2025-02-10 21:21:08 +00:00
7f17125039 firewall: update zones with interface names as they appear 2025-02-10 21:21:08 +00:00
4bb081ffcf export anoia.svc:fileno so it can be used with event loops 2025-02-10 21:21:08 +00:00
6587813577 WIP add zones to firewall module
- zones are an attrset of name -> [interface-service]

- the firewall will create empty "ifname" sets for each zone name
in each address family (ip, ip6)

- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear

This commit only adds the empty sets
2025-02-10 21:21:08 +00:00
1d780de0f1 add (very basic) set support in firewallgen
and add sets for lan/wan/dmz/guest interface names to default
firewall rules
2025-02-10 21:17:43 +00:00
8cf602da91 think 2025-02-10 21:17:43 +00:00
c92aacc6fd firewall rules: use @lan and @wan sets instead of ifnames
we don't have anything yet to create or populate the sets
2025-02-06 09:22:41 +00:00
eff255fe12 boot.expect: sleep more, for gl-ar750
the bootloader on gl-ar750 loses characters if we shovel them too fast
2025-02-05 20:35:04 +00:00
453baede61 rt3200: add installer compatibility note 2025-02-05 20:35:04 +00:00
dan
2295ed3110 Merge pull request 'OpenWrt One device support' (#13) from raboof/liminix:openwrt-one into main
Reviewed-on: #13
2025-01-08 13:57:39 +00:00
Arnout Engelen
e71d92eb3d OpenWrt One support
https://openwrt.org/toh/openwrt/one
2025-01-07 16:10:04 +01:00
f77da6f14c remove remaining refs to kexecboot 2025-01-05 17:22:30 +00:00
61eaaa82eb drivel 2025-01-05 17:17:44 +00:00
95dd1a1fab add missing code-block 2025-01-05 15:45:04 +00:00
2f9b0f12f9 switch uid 2025-01-05 12:57:51 +00:00
9fd9b8b878 rt3200 kconfig for 6.6.x
* DMA stuff needed for wired ethernet

* DSA MDIO _probably_ (based on guessing from openwrt dmesg) needed
for wired ethernet

* some or all of NVMEM so that wireless drivers can read their eeprom
2025-01-05 00:16:03 +00:00
26f206d0e1 phram dtb reserved-memory needs no-map
c.f. 69429404ab

Co-authored-by: Arnout Engelen <arnout@bzzt.net>
2025-01-04 23:50:44 +00:00
8cd068ea68 belkin rt3200: set tftp loadAddress to match u-boot
the old value of 0x4007ff28 was originally copied from something
upstreamy but I have no record of what. 0x48000000 is $loadaddr
in u-boot so let's use that instead
2025-01-04 23:48:19 +00:00
350ddde260 add pkgs.openwrt_24_10
is needed by Belkin RT3200 and might also be handy for OpenWrt One?

this is very copy-pastey, will tidy it up after it
stops being a moving target
2025-01-03 23:52:08 +00:00
13cb8d3692 sort imports 2025-01-03 15:41:22 +00:00
62b7aea8ab add btrfs.nix to outputs imports 2025-01-03 15:40:33 +00:00
76e3fd9a55 add rt3200 to CI 2025-01-03 15:39:08 +00:00
92284fa9ba mtdimage can't be a default import
it adds kernel config that depend on openwrt patches,
which aren't used/needed on all devices
2025-01-03 00:19:17 +00:00
a2bb55e885 oops fix syntax error 2025-01-03 00:07:00 +00:00
74027b44d7 extract log persistence config from s6 to new module
because it frobs kernel config, it breaks levitate
as levitate evalModules doesn't include the kernel
2025-01-02 23:56:49 +00:00
ea5370b3f4 import mtdimage in outputs 2025-01-02 23:37:07 +00:00
55ed365920 turris omnia: default rootfs and bootloader settings 2025-01-02 23:36:15 +00:00
aa2160dd05 logtap: fix indentation
spaces not tabs
2025-01-02 22:45:00 +00:00