Allows reconfigurtion of remote syslog from within site.conf.
Conflicts with the gluon-web-logging package as user made changes
will be overwritten, because this package will reconfigure the syslog
destination on every upgrade.
Resolves#1845
This package adds support for SAE on 802.11s mesh connections.
Enabling this package will require all 802.11s mesh connections
to be encrypted using the SAE key agreement scheme. The security
of SAE relies upon the authentication through a shared secret.
In the context of public mesh networks a shared secret is an
obvious oxymoron. Still this functionality provides an improvement
over unencrypted mesh connections in that it protects against a
passive attacker who did not observe the key agreement. In addition
Management Frame Protection (802.11w) gets automatically enabled on
mesh interfaces to prevent protocol-level deauthentication attacks.
If `wifi.mesh.sae` is enabled a shared secret will automatically be
derived from the `prefix6` variable. This is as secure as it gets
for a public mesh network.
For *private* mesh networks `wifi.mesh.sae_passphrase` should be
set to your shared secret.
Fixes#1636
This adds a warning that entprise switches with an IGMP/MLD snooping
feature are not supported yet with IGMP/MLD filtering enabled.
For this to work, firstly the Linux bridge on the Gluon node needs to
support Multicast Router Discovery (RFC4286). But this feature was only
added to the Linux kernel recently, in 5.1.
Secondly, a Gluon node would need to periodically send "Multicast Router
Advertisment" (RFC4286) messages, to "announce" the multicast router
port setting on bridge port bat0.
Thirdly, the IGMP/MLD snooping switches would need to implement
RFC4286.
This adds documentation for the gluon-mesh-batman-adv package and
elaborates on its build and configuration options, as well as
the implemented multicast architecture.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
At the moment, we don't have a good guideline for package-specific
configuration, but it seems like a good idea not to split configuration
into too many tiny pages, especially for packages that aren't commonly
selected explicitly.
Some uncommon configuration is dropped from the example site.conf to remove
clutter.
We must ensure that each node becomes IGMP/MLD querier for its local
clients; having only a single querier for the whole mesh is generally
unreliable, leading to frequent "IGMP/MLD querier appeared/disappeared"
messages from batman-adv and unreliable snooping.
In smaller meshes it might be interesting only segment querier domains, but
allow membership reports to pass through the mesh, in order to support
snooping switches outside the mesh without special configuration. A
site.conf switch is provided to control this behaviour.
Fixes#1320
This package drops all incoming router advertisements except for the
default router with the best metric according to B.A.T.M.A.N. advanced.
Note that advertisements originating from the node itself (for example
via gluon-radvd) are not affected.
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.
For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.
Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).
Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.
Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.
Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
gluon-radio-config contained only a single file. The code has been adjusted
to allow creating a Gluon configuration without WLAN support by removing
the wifi24 and wifi5 sections from site.conf.
Split basic radio configuration from gluon-mesh-batman-adv as this will
be required for virtually any wireless mesh protocol.
This package takes care of setting:
- wireless channel,
- htmode and
- regulatory domain
gluon-mesh-batman-adv-core depends on this package.
Matthias Schiffer