Adding ffhl-gluon-mesh-batman-adv-brmldproxy

This is a copy of #2995 for the main Gluon repository:
-> freifunk-gluon/gluon#2995

Author: T-X

ffhl-brmldproxy/Makefile

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: MIT
+# Copyright (C) 2023 Linus Lüssing <[email protected]>
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ffhl-brmldproxy
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE:=2025-01-06
+PKG_SOURCE_URL=https://github.com/T-X/brmldproxy.git
+PKG_SOURCE_VERSION:=2b9ec1b64f7bffbbe01271894d53f1b371f48dfa
+PKG_MIRROR_HASH:=3db998649cc99ec0e64d39f7b06319a1b6e2b0f50e68e3cbb8f48023c31f0e3d
+
+PKG_MAINTAINER:=Linus Lüssing <[email protected]>
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/$(PKG_NAME)
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Bridge MLD Proxy
+  DEPENDS:=+tc
+endef
+
+define Package/$(PKG_NAME)/description
+  A userspace controlled MLD proxy implementation for a Linux bridge.
+  The bridge itself will appear as a single multicast listening host
+  to any MLD querier on a configured proxy port, acting in deputy
+  for any other multicast listener behind adjacent bridge ports.
+  This potentially reduces MLD report overhead.
+  brmldproxy further allows to filter out specific multicast groups
+  and bridge ports from its combined MLD report.
+endef
+
+define Package/$(PKG_NAME)/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/brmldproxy $(1)/usr/sbin/
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))

ffhl-brmldproxy/files/etc/config/brmldproxy

@@ -0,0 +1,20 @@
+#config brmldproxy 'lan'
+#	option disabled '1'
+#	# The bridge to apply brmldproxy to. Either the
+#	# bridge interface name or the UCI network interface
+#	# section name.
+#	option bridge 'lan'
+#	# Currently only "ipv6" is supported, optional.
+#	option family 'ipv6'
+#	# bridge port to proxy to
+#	list proxiedport 'wan0'
+#	# bridge port to proxy from
+#	list includedport 'lan0'
+#	# bridge port to exclude from proxying
+#	list excludedport 'lan1'
+#	# multicast IP address (range) to exclude from proxying
+#	list excludefilter 'ff00::/ff0e::'
+#	list excludefilter 'ff0e::/64'
+#	# multicast IP address (range) to include in proxying
+#	# (includes ff0e::123 even though ff0e::/64 was excluded above)
+#	list includefilter 'ff0e::123'

ffhl-brmldproxy/files/etc/hotplug.d/iface/50-brmldproxy

@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: MIT
+# Copyright (C) 2023 Linus Lüssing <[email protected]>
+
+. /lib/functions.sh
+
+[ -z "$INTERFACE" ] && exit 0
+[ "$ACTION" != "ifup" ] && [ "$ACTION" != "ifdown" ] && exit 0
+
+/etc/init.d/brmldproxy enabled || exit 0
+
+
+brmldproxy_handle() {
+	local cfg="$1"
+	local disabled
+	local bridge
+
+	config_get_bool disabled "$cfg" disabled 0
+	[ "$disabled" -gt 0 ] && return 0
+
+	config_get bridge "$cfg" bridge
+
+	[ -z "$bridge" ] && return 0
+	[ "$bridge" != "$INTERFACE" ] && return 0
+
+	if [ "$ACTION" = "ifup" ]; then
+		/etc/init.d/brmldproxy start "$cfg" || return 0
+	else
+		/etc/init.d/brmldproxy stop "brmldproxy.$cfg" || return 0
+	fi
+
+	# success, stop
+	return 1
+}
+
+config_load brmldproxy
+
+config_foreach brmldproxy_handle brmldproxy

ffhl-brmldproxy/files/etc/init.d/brmldproxy

@@ -0,0 +1,111 @@
+#!/bin/sh /etc/rc.common
+# SPDX-License-Identifier: MIT
+# Copyright (C) 2023 Linus Lüssing <[email protected]>
+
+USE_PROCD=1
+
+START=19
+STOP=90
+
+brmldproxy_start() {
+	local cfg="$1"
+	local namespace="$2"
+	local disabled
+
+	local ifname
+	local family
+	local bridge
+	local includedports
+	local excludedports
+	local proxiedports
+	local includefilters
+	local excludefilters
+
+	config_get_bool disabled "$cfg" disabled 0
+	[ "$disabled" -gt 0 ] && return 0
+
+	config_get bridge "$cfg" "bridge"
+	config_get family "$cfg" "family"
+	config_get includedports "$cfg" "includedport"
+	config_get excludedports "$cfg" "excludedport"
+	config_get proxiedports "$cfg" "proxiedport"
+	config_get includefilters "$cfg" "includefilter"
+	config_get excludefilters "$cfg" "excludefilter"
+
+	[ -z "$bridge" ] && {
+		echo "Error: no bridge specified for $cfg" >&2
+		return 0
+	}
+
+	. /lib/functions/network.sh
+
+	if network_get_device ifname "$bridge" && [ -n "$ifname" ]; then
+		bridge="$ifname"
+	fi
+
+	[ -n "$excludedports" ] && excludedports=$(echo "$excludedports" | sed 's/[^ ]* */-e &/g')
+	[ -n "$includedports" ] && includedports=$(echo "$includedports" | sed 's/[^ ]* */-i &/g')
+	[ -n "$proxiedports" ] && proxiedports=$(echo "$proxiedports" | sed 's/[^ ]* */-p &/g')
+	[ -n "$includefilters" ] && includefilters=$(echo "$includefilters" | sed 's/[^ ]* */-I &/g')
+	[ -n "$excludefilters" ] && excludefilters=$(echo "$excludefilters" | sed 's/[^ ]* */-E &/g')
+
+	[ -z "$namespace" ] && namespace="brmldproxy"
+
+	procd_open_instance "$namespace.$cfg"
+
+	procd_set_param command /usr/sbin/brmldproxy
+	[ "${family}" = "ipv4" ] && procd_append_param command -4
+	[ "${family}" = "ipv6" ] && procd_append_param command -6
+	procd_append_param command -b "$bridge"
+	[ -n "$excludedports" ] && procd_append_param command $excludedports
+	[ -n "$includedports" ] && procd_append_param command $includedports
+	[ -n "$proxiedports" ] && procd_append_param command $proxiedports
+	[ -n "$includefilters" ] && procd_append_param command $includefilters
+	[ -n "$excludefilters" ] && procd_append_param command $excludefilters
+
+	procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
+
+	procd_set_param stderr 1
+	procd_close_instance
+}
+
+start_service() {
+	local cfg="$1"
+	local namespace="$2"
+	local instance_found=0
+
+	. /lib/functions/network.sh
+
+	# no procd boot startup, via hotplug or manual only
+	[ $PPID -eq 1 ] && return 0
+
+	config_cb() {
+		local type="$1"
+		local name="$2"
+		if [ "$type" = "brmldproxy" ]; then
+			if [ -n "$cfg" -a "$cfg" = "$name" ]; then
+				instance_found=1
+			fi
+		fi
+	}
+
+	config_load brmldproxy
+
+	if [ -n "$cfg" ]; then
+		[ "$instance_found" -gt 0 ] || return
+		brmldproxy_start "$cfg" "$namespace"
+	else
+		config_foreach brmldproxy_start brmldproxy "$namespace"
+	fi
+}
+
+stop_service() {
+	local cfg="$1"
+	local namespace="$2"
+
+	[ -z "$namespace" ] && namespace="brmldproxy"
+}
+
+service_triggers() {
+	procd_add_reload_trigger brmldproxy
+}

ffhl-gluon-mesh-batman-adv-brmldproxy/Makefile

@@ -0,0 +1,36 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ffhl-gluon-mesh-batman-adv-brmldproxy
+
+include $(TOPDIR)/../package/gluon.mk
+
+define Package/$(PKG_NAME)
+  TITLE:=Bridge MLD Proxy for Gluon
+  DEPENDS:=+tc +kmod-sched +ffhl-brmldproxy +ip-bridge gluon-mesh-batman-adv
+endef
+
+define Package/$(PKG_NAME)/description
+	Gluon community wifi mesh firmware framework: Configuration to
+	enable brmldproxy in Gluon with batman-adv.
+
+	If filter_membership_reports is false in the site.conf
+	then no multicast listener is filtered, but the node will
+	respond on behalf of any of its local listeners, potentially
+	reducing duplicate MLD report overhead.
+
+	If filter_membership_reports is true in the site.conf
+	or absent then brmldproxy is additionally configured to
+	only send MLD reports for routeable IPv6 multicast addresses
+	and only to detected IPv6 multicast routers. If no such
+	router is detected or no local listeners for routeable
+	IPv6 multicast addresses exists then no MLD report is send
+	into the mesh. Which greatly reduces MLD overhead while
+	still allowing the usage of layer 3 IPv6 multicast routers.
+	This is the recommended setting especially in larger meshes.
+endef
+
+define Package/$(PKG_NAME)/conffiles
+/etc/config/brmldproxy
+endef
+
+$(eval $(call BuildPackageGluon,$(PKG_NAME)))

ffhl-gluon-mesh-batman-adv-brmldproxy/check_site.lua

@@ -0,0 +1 @@
+need_boolean({'mesh', 'filter_membership_reports'}, false)

ffhl-gluon-mesh-batman-adv-brmldproxy/files/etc/hotplug.d/iface/51-gluon-mesh-batman-adv-brmldproxy

@@ -0,0 +1,58 @@
+#!/bin/sh
+set -e
+
+if [ "$INTERFACE" != "client" ] || [ "$ACTION" != "ifup" ]; then exit 0; fi
+
+lookup_site() {
+	local path="$1" default="$2"
+	lua -e "print(require('gluon.site').$path('$default'))"
+}
+
+get_gluon_all_mc_routers_mac() {
+	local group_id="$(lua -e 'print(require("gluon.util").domain_seed_bytes("gluon-mesh-batman-adv-brmldproxy.gluon-all-mc-routers-group", 4))')"
+	group_id="$(echo "${group_id}" | sed 's/\(..\)/\1:/g;s/:$//')"
+
+	echo "33:33:${group_id}"
+}
+
+wait_for_qdisc() {
+	for i in $(seq 1 15); do
+		tc qdisc show dev bat0 handle "$1" | grep -q qdisc && break
+		sleep 1
+	done
+}
+
+add_filter() {
+	local parent="$1"
+	local prio="$2"
+	local handle="$3"
+	local rule="$4"
+
+	# shellcheck disable=SC2086 # Intended splitting of $rule
+	tc filter add dev bat0 \
+		parent "$parent" prio "$prio" handle "$handle" protocol ipv6 \
+		u32 $rule
+}
+
+if [ "$(lookup_site 'mesh.filter_membership_reports' 'true')" = "false" ]; then exit 0; fi
+
+wait_for_qdisc "fffe:"
+wait_for_qdisc "ffff:"
+
+# MLD reports, mesh outgoing:
+# 1) DNAT to 33:33:42:4e:f3:14
+# 2) Change ICMPv6 type to 100, keep original type in code field
+# => only send report to IPv6 multicast routers
+MC_MAC="$(get_gluon_all_mc_routers_mac)"
+add_filter fffe: 4221 11: "divisor 1"
+add_filter fffe: 4221 11::800 "ht 11: match u8 131 0xff at 48 match u8 0 0xff at 49 action pedit ex munge eth dst set ${MC_MAC} munge offset 0x30 u16 set 0x6483 action pipe classid 1:1"
+add_filter fffe: 4221 11::801 "ht 11: match u8 132 0xff at 48 match u8 0 0xff at 49 action pedit ex munge eth dst set ${MC_MAC} munge offset 0x30 u16 set 0x6484 action pipe classid 1:1"
+add_filter fffe: 4221 11::802 "ht 11: match u8 143 0xff at 48 match u8 0 0xff at 49 action pedit ex munge eth dst set ${MC_MAC} munge offset 0x30 u16 set 0x648f action pipe classid 1:1"
+add_filter fffe: 4221 801::800 "match mark 0x0800000 0x0800000 link 11:"
+
+# MLD reports, mesh incoming:
+# 1) undo DNAT
+# 2) Change ICMPv6 type back to MLD report
+add_filter ffff: 4223 2::231 "ht 2: match u8 100 0xff at 48 match u8 131 0xff at 49 action pedit ex munge eth dst set 33:33:00:00:00:01 munge offset 0x30 u16 set 0x8300 reclassify"
+add_filter ffff: 4223 2::232 "ht 2: match u8 100 0xff at 48 match u8 132 0xff at 49 action pedit ex munge eth dst set 33:33:00:00:00:01 munge offset 0x30 u16 set 0x8400 reclassify"
+add_filter ffff: 4223 2::243 "ht 2: match u8 100 0xff at 48 match u8 143 0xff at 49 action pedit ex munge eth dst set 33:33:00:00:00:16 munge offset 0x30 u16 set 0x8f00 reclassify"

ffhl-gluon-mesh-batman-adv-brmldproxy/files/lib/gluon/ebtables/104-mcast-allow-mld-reports-in

@@ -0,0 +1,3 @@
+rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j RETURN', 'nat') -- MLDv1 Report
+rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j RETURN', 'nat') -- MLDv1 Done
+rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j RETURN', 'nat') -- MLDv2 Report

ffhl-gluon-mesh-batman-adv-brmldproxy/files/usr/lib/micron.d/brmldproxy-router-check

@@ -0,0 +1 @@
+* * * * * /usr/sbin/gluon-brmldproxy-router-check

ffhl-gluon-mesh-batman-adv-brmldproxy/files/usr/sbin/gluon-brmldproxy-router-check

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+lookup_site() {
+	local path="$1" default="$2"
+	lua -e "print(require('gluon.site').$path('$default'))"
+}
+
+lookup_prefix6() {
+	local prefix="$(lookup_site 'prefix6')"
+	echo "${prefix%/*}"
+}
+
+lookup_prefix6_len() {
+	local prefix="$(lookup_site 'prefix6')"
+	echo "${prefix#*/}"
+}
+
+# Generates and prints an RFC3306, section 4 style network prefix based
+# multicast address from the site prefix6 with a pseudo-random group-id
+# from the domain seed.
+get_gluon_all_mc_routers_ip6() {
+	local prefix6="$(lookup_prefix6)"
+	local prefix6_len="$(lookup_prefix6_len)"
+	local group_id="$(lua -e 'print(require("gluon.util").domain_seed_bytes("gluon-mesh-batman-adv-brmldproxy.gluon-all-mc-routers-group", 4))')"
+	group_id="$(echo "${group_id}" | sed 's/\(....\)/\1:/g;s/:$//')"
+
+	echo "ff32:$(printf "%x" "${prefix6_len}"):${prefix6}${group_id}"
+}
+
+update_router_recv() {
+	local action="$1"
+	local mc_ip6="$(get_gluon_all_mc_routers_ip6)"
+
+	bridge mdb "$action" dev br-client port local-port grp "${mc_ip6}" permanent 2> /dev/null
+}
+
+if [ "$(batctl mj | jsonfilter -e "@.mcast_flags.want_no_rtr_ipv6")" = "false" ]; then
+	update_router_recv add
+	echo 1 > /sys/class/net/brmldpb0/bridge/multicast_querier
+else
+	update_router_recv del
+	echo 0 > /sys/class/net/brmldpb0/bridge/multicast_querier
+fi