
Merge branch 'configurable-methods'

Matthias Schiffer 9 years ago
parent
commit
1e427c4e77

+ 2 - 0
docs/site-example/site.conf

@@ -89,6 +89,8 @@
   fastd_mesh_vpn = {
     -- List of crypto-methods to use.
     methods = {'salsa2012+umac'},
+    -- configurable = true,
+
     mtu = 1426,
     groups = {
       backbone = {

+ 12 - 1
docs/user/site.rst

@@ -97,11 +97,22 @@ next_node : package
 
 
 fastd_mesh_vpn
-    Remote server setup for vpn.
+    Remote server setup for the fastd-based mesh VPN.
+
+    If `configurable` is false or unset, the method list will be replaced on updates
+    with the list in the site configuration. Setting `configurable` to `true` will allow the user to
+    add the method ``null`` to the front of the method list or remove ``null`` from it,
+    and make this change survive updates. Settings configurable is necessary for the
+    package `gluon-luci-mesh-vpn-fastd`, which adds a UI for this configuration.
+
+    In any case, the ``null`` method should always be the first method in the list
+    if it is supported at all. You should only set `configurable` to `true` if the
+    configured peers support both the ``null`` method and methods with encryption.
     ::
 
       fastd_mesh_vpn = {
         methods = {'salsa2012+umac'},
+	-- configurable = true,
         mtu = 1426,
         groups = {
           backbone = {

+ 41 - 0
package/gluon-luci-mesh-vpn-fastd/Makefile

@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-luci-mesh-vpn-fastd
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(GLUONDIR)/include/package.mk
+
+PKG_CONFIG_DEPENDS += $(GLUON_I18N_CONFIG)
+
+define Package/gluon-luci-mesh-vpn-fastd
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Luci module to enable and disable encryption for the mesh VPN
+  DEPENDS:=+gluon-luci-admin +gluon-mesh-vpn-fastd
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+	$(call GluonBuildI18N,gluon-mesh-vpn-fastd,i18n)
+endef
+
+define Package/gluon-luci-mesh-vpn-fastd/install
+	$(CP) ./files/* $(1)/
+	$(call GluonInstallI18N,gluon-mesh-vpn-fastd,$(1))
+endef
+
+define Package/gluon-luci-mesh-vpn-fastd/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
+endef
+
+$(eval $(call BuildPackage,gluon-luci-mesh-vpn-fastd))
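Review bot: The catalog name passed to `GluonBuildI18N` and `GluonInstallI18N` is `gluon-mesh-vpn-fastd`, while `PKG_NAME` and the template under `i18n/` are both `gluon-luci-mesh-vpn-fastd`. If those macros use their first argument as the installed catalog's file name (their definitions are not visible in this diff), a catalog later shipped by `gluon-mesh-vpn-fastd` itself would land on the same path. Unless the shorter name is intentional, I would write `$(call GluonBuildI18N,gluon-luci-mesh-vpn-fastd,i18n)` and change the `GluonInstallI18N` call to match.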

+ 2 - 0
package/gluon-luci-mesh-vpn-fastd/check_site.lua

@@ -0,0 +1,2 @@
+assert(need_boolean('fastd_mesh_vpn.configurable') == true,
+       "site.conf error: expected `fastd_mesh_vpn.configurable' to be true")
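Review bot: This check accepts a site whose `fastd_mesh_vpn.methods` contains only `null`, and then the form's "Security mode" has no encrypted method to write. The handler in `model/cbi/admin/mesh_vpn_fastd.lua` builds security mode from the non-`null` entries of `site.fastd_mesh_vpn.methods`, so such a site would end up with an empty `method` list behind a UI that promises an encrypted tunnel. I would also assert here that the list holds at least one method other than `null`; whether `need_string_array` returns the list for that purpose is not visible in this diff. A short comment would help too, stating that the package requires `configurable` because, per the documentation change in this commit, the method list is otherwise replaced on updates.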

+ 5 - 0
package/gluon-luci-mesh-vpn-fastd/files/usr/lib/lua/luci/controller/admin/mesh_vpn_fastd.lua

@@ -0,0 +1,5 @@
+module("luci.controller.admin.mesh_vpn_fastd", package.seeall)
+
+function index()
+  entry({"admin", "mesh_vpn_fastd"}, cbi("admin/mesh_vpn_fastd"), _("Mesh VPN"), 20)
+end

+ 41 - 0
package/gluon-luci-mesh-vpn-fastd/files/usr/lib/lua/luci/model/cbi/admin/mesh_vpn_fastd.lua

@@ -0,0 +1,41 @@
+local uci = luci.model.uci.cursor()
+local util = luci.util
+
+local f = SimpleForm('mesh_vpn', translate('Mesh VPN'))
+f.template = "admin/expertmode"
+
+local s = f:section(SimpleSection)
+
+local o = s:option(Value, 'mode')
+o.template = "gluon/cbi/mesh-vpn-fastd-mode"
+
+local methods = uci:get('fastd', 'mesh_vpn', 'method')
+if util.contains(methods, 'null') then
+  o.default = 'performance'
+else
+  o.default = 'security'
+end
+
+function f.handle(self, state, data)
+  if state == FORM_VALID then
+    local site = require 'gluon.site_config'
+
+    local methods = {}
+    if data.mode == 'performance' then
+      table.insert(methods, 'null')
+    end
+
+    for _, method in ipairs(site.fastd_mesh_vpn.methods) do
+      if method ~= 'null' then
+	table.insert(methods, method)
+      end
+    end
+
+    uci:set('fastd', 'mesh_vpn', 'method', methods)
+
+    uci:save('fastd')
+    uci:commit('fastd')
+  end
+end
+
+return f
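Review bot: The result of `uci:get('fastd', 'mesh_vpn', 'method')` is passed straight to `util.contains`, which will raise if the option is absent and the call returns nil. The upgrade script in this same commit guards the identical lookup with `if old_methods then`. Writing `if methods and util.contains(methods, 'null') then` keeps the page rendering and falls back to the `security` default. Two smaller points: the `local methods` inside `f.handle` shadows the outer one, and the null-first list construction is duplicated in `400-mesh-vpn-fastd`, so a shared helper would keep the two copies from drifting apart.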

+ 32 - 0
package/gluon-luci-mesh-vpn-fastd/files/usr/lib/lua/luci/view/gluon/cbi/mesh-vpn-fastd-mode.htm

@@ -0,0 +1,32 @@
+<div class="cbi-value">
+  <div class="cbi-value-title">
+    <input class="cbi-input-radio" onclick="cbi_d_update(this.id)" onchange="cbi_d_update(this.id)" type="radio" value="security"<%= attr("id", cbid..'1') .. attr("name", cbid) .. ifattr((self:cfgvalue(section) or self.default) == "security", "checked", "checked") %> />
+  </div>
+  <div class="cbi-value-field-long">
+    <label<%= attr("for", cbid..'1') %> class="cbi-value-title"><%:Security mode%></label>
+    <br />
+    <%= translate(
+        'In security mode, the mesh VPN uses an encrypted tunnel to connect to the VPN servers. ' ..
+        'The encryption ensures that it is impossible for your internet access provider to see what ' ..
+        'data is exchanged over your node.'
+    ) %>
+    <br />
+  </div>
+  <div class="cbi-value-field-long-after"></div>
+</div>
+
+<div class="cbi-value cbi-value-last">
+  <div class="cbi-value-title">
+    <input class="cbi-input-radio" onclick="cbi_d_update(this.id)" onchange="cbi_d_update(this.id)" type="radio" value="performance"<%= attr("id", cbid..'2') .. attr("name", cbid) .. ifattr((self:cfgvalue(section) or self.default) == "performance", "checked", "checked") %> />
+  </div>
+  <div class="cbi-value-field-long">
+    <label<%= attr("for", cbid..'2') %> class="cbi-value-title"><%:Performance mode%></label>
+    <br />
+    <%= translate(
+        'In performance mode, no encryption is used. This usually allows for higher throughput, but the data exchanged over your node is not ' ..
+        'protected against eavesdroppers.'
+    ) %>
+    <br />
+  </div>
+  <div class="cbi-value-field-long-after"></div>
+</div>
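Review bot: The two mode descriptions overstate what security mode guarantees and understate what performance mode gives up. As far as I know, fastd's `null` method provides neither encryption nor authentication of data packets, so performance mode leaves traffic open to modification as well as eavesdropping. The claim that it is "impossible" for the provider to see what data is exchanged holds only for payload content, not for traffic volume, timing or the VPN endpoints. I would end the performance text with `'protected against eavesdropping or manipulation.'` and replace "impossible ... to see what data" with wording such as "cannot read the content of the data", updating the msgids under `i18n/` to match.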

+ 38 - 0
package/gluon-luci-mesh-vpn-fastd/i18n/de.po

@@ -0,0 +1,38 @@
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2015-05-03 20:39+0200\n"
+"Last-Translator:  <mschiffer@universe-factory.net>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid ""
+"In performance mode, no encryption is used. This usually allows for higher "
+"throughput, but the data exchanged over your node is not protected against "
+"eavesdroppers."
+msgstr ""
+"Im Modus &bdquo;Hohe Geschwindigkeit&ldquo; wird auf Verschlüsselung verzichtet. "
+"Dies erlaubt häufig eine höhere Bandbreite als mit Verschlüsselung, aber die "
+"Verbindung ist nicht gegen Abhören geschützt."
+
+msgid ""
+"In security mode, the mesh VPN uses an encrypted tunnel to connect to the "
+"VPN servers. The encryption ensures that it is impossible for your internet "
+"access provider to see what data is exchanged over your node."
+msgstr ""
+"Im Modus &bdquo;Hohe Sicherheit&ldquo; wird ein verschlüsselter Tunnel verwendet. "
+"Dies schließt aus, dass dein Internetzugangsprovider herausfinden kann, was für "
+"Daten über deinen Knoten übertragen werden."
+
+msgid "Mesh VPN"
+msgstr "Mesh-VPN"
+
+msgid "Performance mode"
+msgstr "Hohe Geschwindigkeit"
+
+msgid "Security mode"
+msgstr "Hohe Sicherheit"

+ 23 - 0
package/gluon-luci-mesh-vpn-fastd/i18n/gluon-luci-mesh-vpn-fastd.pot

@@ -0,0 +1,23 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid ""
+"In performance mode, no encryption is used. This usually allows for higher "
+"throughput, but the data exchanged over your node is not protected against "
+"eavesdroppers."
+msgstr ""
+
+msgid ""
+"In security mode, the mesh VPN uses an encrypted tunnel to connect to the "
+"VPN servers. The encryption ensures that it is impossible for your internet "
+"access provider to see what data is exchanged over your node."
+msgstr ""
+
+msgid "Mesh VPN"
+msgstr ""
+
+msgid "Performance mode"
+msgstr ""
+
+msgid "Security mode"
+msgstr ""

File diff suppressed because it is too large
+ 0 - 0
package/gluon-luci-theme/files/www/luci-static/gluon/cascade.css


+ 15 - 0
package/gluon-luci-theme/sass/cascade.scss

@@ -648,6 +648,21 @@ div.cbi-value-field {
   }
 }
 
+div.cbi-value-field-long {
+  flex: 10;
+  position: relative;
+
+
+  input, select, input + label {
+    position: relative;
+    top: -0.39em;
+  }
+}
+
+div.cbi-value-field-long-after {
+  flex: 2;
+}
+
 div.cbi-value-description {
   font-size: 8pt;
 }

+ 1 - 0
package/gluon-mesh-vpn-fastd/check_site.lua

@@ -1,6 +1,7 @@
 need_string_array('fastd_mesh_vpn.methods')
 need_number('fastd_mesh_vpn.mtu')
 need_boolean('fastd_mesh_vpn.enabled', false)
+need_boolean('fastd_mesh_vpn.configurable', false)
 
 
 local function check_peer(prefix)

+ 29 - 1
package/gluon-mesh-vpn-fastd/files/lib/gluon/upgrade/400-mesh-vpn-fastd

@@ -5,6 +5,7 @@ local users = require 'gluon.users'
 local util = require 'gluon.util'
 
 local uci = require('luci.model.uci').cursor()
+local lutil = require 'luci.util'
 
 
 -- The previously used user is removed, we need root privileges to use the packet_mark option
@@ -20,6 +21,33 @@ if not enabled then
 end
 
 
+local methods
+
+if site.fastd_mesh_vpn.configurable then
+  local has_null = lutil.contains(site.fastd_mesh_vpn.methods, 'null')
+
+  local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
+  if old_methods then
+    has_null = lutil.contains(old_methods, 'null')
+  end
+
+
+  methods = {}
+  if has_null then
+    table.insert(methods, 'null')
+  end
+
+  for _, method in ipairs(site.fastd_mesh_vpn.methods) do
+    if method ~= 'null' then
+      table.insert(methods, method)
+    end
+  end
+
+else
+  methods = site.fastd_mesh_vpn.methods
+end
+
+
 uci:section('fastd', 'fastd', 'mesh_vpn',
 	  {
 		  enabled = enabled,
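Review bot: The precedence in the `configurable` branch deserves a comment, because it is the security-relevant part of this hunk. Once a `method` list exists in UCI, `has_null` is taken only from the stored value, so an update never re-enables encryption on a node where the user chose `null`, even if the site list no longer contains it. A line such as `-- the user's stored choice decides whether 'null' is kept; only the non-null methods are refreshed from site.conf` above the `old_methods` lookup would make that explicit. The same block can also produce an empty `methods` table when the site list is just `{'null'}` and the stored list has no `null`; how `uci:section` treats an empty list is not visible here. The `uci:section` call continues outside this hunk.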
@@ -29,7 +57,7 @@ uci:section('fastd', 'fastd', 'mesh_vpn',
 		  mode = 'tap',
 		  mtu = site.fastd_mesh_vpn.mtu,
 		  secure_handshakes = 1,
-		  method = site.fastd_mesh_vpn.methods,
+		  method = methods,
 		  packet_mark = 1,
 		  status_socket = '/var/run/fastd.mesh_vpn.socket',
 	  }

Some files were not shown because too many files changed in this diff