ucentral: development update

* yet another huge data model 2 update

Signed-off-by: John Crispin <john@phrozen.org>

.github/workflows/build-dev.yml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: ['cig_wf188', 'cig_wf194c', 'cig_wf160d', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'linksys_e8450-ubi', 'linksys_ea8300', 'tplink_cpe210_v3', 'tplink_cpe510_v3', 'tplink_eap225_outdoor_v1', 'tplink_ex227', 'tplink_ex447', 'zyxel_gs1900-10hp']
+        target: ['cig_wf188', 'cig_wf194c', 'cig_wf160d', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'linksys_e8450-ubi', 'linksys_ea8300', 'tplink_cpe210_v3', 'tplink_cpe510_v3', 'tplink_eap225_outdoor_v1', 'tplink_ex227', 'tplink_ex447' ]
 
     steps:
     - uses: actions/checkout@v2
@@ -38,6 +38,6 @@ jobs:
         curl -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "$TAR_NAME" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/"$TAR_NAME""
         IMG_NAME="$(date +%Y%m%d)-$LOWERCASE_TARGET-$BRANCH-$HASH-upgrade.bin";
         TIP_VERSION="$(grep DISTRIB_TIP= openwrt/tmp/openwrt_release | cut -d\' -f2)"
-        echo -e "{\n\t\"image\":\""${IMG_NAME}"\",\n\t\"revision\": \""${TIP_VERSION}"\",\n\t\"timestamp\":\""$(date +%s)"\",\n\n\t\"compatible\": \""${LOWERCASE_TARGET}"\"\n}" > latest-upgrade.json
+        echo -e "{\n\t\"image\":\""${IMG_NAME}"\",\n\t\"revision\": \""${TIP_VERSION}"\",\n\t\"timestamp\":\""$(date +%s)"\",\n\t\"compatible\": \""${LOWERCASE_TARGET}"\"\n}" > latest-upgrade.json
         [ -f openwrt/tmp/image-file ] && curl -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "openwrt/$(cat openwrt/tmp/image-file)" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/"$IMG_NAME""
         [ -f openwrt/tmp/image-file ] && curl -u $GH_BUILD_USERNAME:$GH_BUILD_PASSWORD -T "latest-upgrade.json" "https://tip.jfrog.io/artifactory/tip-wlan-ap-firmware/uCentral/$LOWERCASE_TARGET/latest-upgrade.json"

feeds/ucentral/ieee8021x/Makefile

@@ -1,30 +1,30 @@
 include $(TOPDIR)/rules.mk
 
-PKG_NAME:=wired-802.1x
+PKG_NAME:=ieee8021x
 PKG_RELEASE:=1
 
 PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 
-PKG_SOURCE_URL=https://github.com/blogic/wired-802.1x.git
+PKG_SOURCE_URL=https://github.com/blogic/ieee8021x.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-04-12
-PKG_SOURCE_VERSION:=2f394a8416d8bed2298efe9737b86bcebe69744f
+PKG_SOURCE_VERSION:=53caaa84e483cfe0fb63c024347ce71df0c707a4
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 
-define Package/wired-802.1x
+define Package/ieee8021x
   SECTION:=net
   CATEGORY:=Network
   TITLE:=Wired 802.1x
   DEPENDS:=+libubox +libubus +libuci
 endef
 
-define Package/wired-802.1x/install
+define Package/ieee8021x/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wired-802.1x $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ieee8021x $(1)/usr/sbin/
 	$(CP) ./files/* $(1)
 endef
 
-$(eval $(call BuildPackage,wired-802.1x))
+$(eval $(call BuildPackage,ieee8021x))

feeds/ucentral/ieee8021x/files/etc/config/ieee8021x

@@ -0,0 +1,6 @@
+#config network
+#	option network	'lan'
+#	list ports	'lan1'
+#	list ports	'lan2'
+#	list ports	'lan3'
+#	list ports	'lan4'

feeds/ucentral/ieee8021x/files/etc/init.d/ieee8021x

@@ -0,0 +1,24 @@
+#!/bin/sh /etc/rc.common
+
+START=80
+USE_PROCD=1
+PROG=/usr/sbin/ieee8021x
+
+reload_service() {
+	restart
+}
+
+service_triggers() {
+	procd_add_reload_trigger ieee8021x
+}
+
+start_service() {
+	procd_open_instance
+	procd_set_param command "$PROG"
+	procd_set_param respawn
+	procd_close_instance
+
+	# add a dummy user DB until we have EAP-TLS support
+	echo "\"bob\" MD5 \"hello\"" > /tmp/run/hostapd-ieee8021x.eap_user 
+	echo "\"bob\" MD5 \"hello\" [2]" >> /tmp/run/hostapd-ieee8021x.eap_user 
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/big.json

@@ -0,0 +1,189 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			},
+			"tunnel": {
+				"proto": "mesh"
+			},
+			"services": [ "lldp" ],
+			"ssids": [
+				{
+					"name": "uCentral-Mesh",
+					"wifi-bands": [
+						"5G"
+					],
+					"bss-mode": "mesh",
+					"encryption": {
+						"proto": "psk2",
+						"key": "aaaaaaaa",
+						"ieee80211w": "optional"
+					}
+				},
+				{
+					"name": "uCentral",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		},
+		{
+			"name": "WAN100",
+			"role": "upstream",
+			"vlan": {
+				"id": 100
+			},
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			},
+			"ssids": [
+				{
+					"name": "uCentral.200",
+					"wifi-bands": [
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					},
+					"rate-limit": {
+						"ingress-rate": 10,
+						"egress-rate": 10
+					}
+				}
+			]
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"services": [ "http", "lldp" ],
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.10.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			},
+			"ssids": [
+				{
+					"name": "uCentral-NAT",
+					"wifi-bands": [
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					},
+					"rate-limit": {
+						"ingress-rate": 10,
+						"egress-rate": 10
+					}
+				}
+			]
+		}
+	],
+	"services": {
+		"lldp": {
+			"describe": "uCentral",
+			"location": "universe"
+		},
+		"http": {
+			"http-port": 80
+		},
+		"ntp": {
+			"servers": [
+				"0.openwrt.pool.ntp.org",
+				"1.openwrt.pool.ntp.org"
+			],
+			"local-server": true
+		},
+		"rtty": {
+			"host": "websocket.usync.org",
+			"token": "7049cb6b7949ba06c6b356d76f0f6275"
+		}
+	},
+	"metrics": {
+		"statistics": {
+			"interval": 120,
+			"types": [ "ssids", "lldp", "clients" ]
+		},
+		"health": {
+			"interval": 120
+		},
+		"wifi-frames": {
+			"filters": [ "probe", "auth" ]
+		}
+	}
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/default.json

@@ -0,0 +1,88 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			},
+			"ssids": [
+				{
+					"name": "OpenWifi",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			}
+		}
+	],
+	"metrics": {
+		"statistics": {
+			"interval": 120,
+			"types": [ "ssids", "lldp", "clients" ]
+		},
+		"health": {
+			"interval": 120
+		}
+	}
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/gre.json

@@ -0,0 +1,89 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			}
+		},
+		{
+			"name": "GRE",
+			"role": "upstream",
+			"vlan": {
+				"id": 50
+			},
+			"tunnel": {
+				"proto": "gre",
+				"peer-address": "50.210.104.108"
+			}
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			},
+			"ssids": [
+				{
+					"name": "Maverick",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "none",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		}
+	]
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/ieee8021x.json

@@ -0,0 +1,44 @@
+{
+	"uuid": 1,
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			}
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"services": [ "ieee8021x" ],
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			}
+		}
+	],
+	"services": {
+		"ieee8021x": {
+		}
+	}
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/metrics.json

@@ -43,6 +43,9 @@
 		},
 		"health": {
 			"interval": 120
+		},
+		"wifi-frames": {
+			"filters": [ "probe", "auth" ]
 		}
 	}
 }

feeds/ucentral/ucentral-defaults/files/etc/ucentral/multi-psk.json

@@ -0,0 +1,95 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			}
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"services": [ "http" ],
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			},
+			"ssids": [
+				{
+					"name": "Maverick",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "ap",
+					"encryption": {
+						"proto": "psk2",
+						"ieee80211w": "optional",
+						"key": "OpenWifi"
+					},
+					"multi-psk": [
+						{
+							"key": "aaaaaaaa",
+							"vlan-id": 123,
+							"mac": "00:11:22:33:44:55"
+						},
+						{
+							"key": "bbbbbbbb"
+						}
+					],
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		}
+	],
+	"services": {
+		"http": {
+			"http-port": 80
+		}
+	}
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/wds-ap.yml

@@ -0,0 +1,88 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			},
+			"ssids": [
+				{
+					"name": "OpenWifi-WDS",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "wds-ap",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			}
+		}
+	],
+	"metrics": {
+		"statistics": {
+			"interval": 120,
+			"types": [ "ssids", "lldp", "clients" ]
+		},
+		"health": {
+			"interval": 120
+		}
+	}
+}

feeds/ucentral/ucentral-defaults/files/etc/ucentral/wds-repeater.yml

@@ -0,0 +1,88 @@
+{
+	"uuid": 1,
+	"radios": [
+		{
+			"band": "6G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "5G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		},
+		{
+			"band": "2G",
+			"country": "CA",
+			"channel-mode": "HE",
+			"channel-width": 80
+		}
+	],
+
+	"interfaces": [
+		{
+			"name": "WAN",
+			"role": "upstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"WAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "dynamic"
+			},
+			"ssids": [
+				{
+					"name": "OpenWifi-WDS",
+					"wifi-bands": [
+						"5G",
+						"2G"
+					],
+					"bss-mode": "wds-repeater",
+					"encryption": {
+						"proto": "psk2",
+						"key": "OpenWifi",
+						"ieee80211w": "optional"
+					},
+					"roaming": {
+						"message-exchange": "ds",
+						"generate-psk": true
+					}
+				}
+			]
+		},
+		{
+			"name": "LAN",
+			"role": "downstream",
+			"ethernet": [
+				{
+					"select-ports": [
+						"LAN*"
+					]
+				}
+			],
+			"ipv4": {
+				"addressing": "static",
+				"subnet": "192.168.1.1/24",
+				"dhcp": {
+					"lease-first": 10,
+					"lease-count": 100,
+					"lease-time": "6h"
+				}
+			}
+		}
+	],
+	"metrics": {
+		"statistics": {
+			"interval": 120,
+			"types": [ "ssids", "lldp", "clients" ]
+		},
+		"health": {
+			"interval": 120
+		}
+	}
+}

feeds/ucentral/ucentral-event/Makefile

@@ -6,7 +6,7 @@ PKG_RELEASE:=1
 PKG_SOURCE_URL=https://github.com/blogic/ucentral-event.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-04-13
-PKG_SOURCE_VERSION:=58112ec4963d51232177df6aee5be7260dd8d8e5
+PKG_SOURCE_VERSION:=f3a32527c89cdcbecf7d8b7c0ab59677401a74d2
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
@@ -26,9 +26,10 @@ TARGET_CFLAGS += \
 	-I$(STAGING_DIR)/usr/include/libnl-tiny
 
 define Package/ucentral-event/install
-	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ucentral-event $(1)/usr/sbin/
 	$(INSTALL_BIN) ./files/ucentral-event $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/event $(1)/etc/config/
 endef
 
 $(eval $(call BuildPackage,ucentral-event))

feeds/ucentral/ucentral-event/files/event

@@ -1,2 +1,22 @@
-config event dhcp
-	option type dhcp
+#config event wifi
+#	option type 'wifi'
+#	list filter 'probe'
+#	list filter 'auth'
+#	list filter 'assoc'
+#	list filter 'disassoc'
+#	list filter 'deauth'
+#	list filter 'local-deauth'
+#	list filter 'inactive-deauth'
+#	list filter 'key-mismatch'
+#	list filter 'beacon-report'
+#	list filter 'radar-detected'
+
+#config event dhcp
+#	option type 'dhcp'
+#	list filter 'ack'
+#	list filter 'discover'
+#	list filter 'offer'
+#	list filter 'request'
+#	list filter 'solicit'
+#	list filter 'reply'
+#	list filter 'renew'

feeds/ucentral/ucentral-event/files/ucentral-event

@@ -6,7 +6,7 @@ USE_PROCD=1
 PROG=/usr/sbin/ucentral-event
 
 service_triggers() {
-	procd_add_reload_trigger ucentral
+	procd_add_reload_trigger event
 }
 
 start_service() {

feeds/ucentral/ucentral-schema/Makefile

@@ -6,7 +6,7 @@ PKG_RELEASE:=1
 PKG_SOURCE_URL=https://github.com/blogic/ucentral-schema.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2021-02-15
-PKG_SOURCE_VERSION:=c64a0eee031d24a458b2b6b112a3711b2634feac
+PKG_SOURCE_VERSION:=cac24ac6cb8b3779cf605b89cdcaca00ab1d7052
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause

feeds/ucentral/wired-802.1x/files/etc/config/wired1x

@@ -1,3 +0,0 @@
-config network
-	#option ports 'lan1 lan2 lan3'
-	#option network lan

feeds/ucentral/wired-802.1x/files/etc/init.d/wired-802.1x

@@ -1,17 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=80
-
-USE_PROCD=1
-PROG=/usr/sbin/wired-802.1x
-
-service_triggers() {
-	procd_add_reload_trigger wired1x
-}
-
-start_service() {
-	procd_open_instance
-	procd_set_param command "$PROG"
-	procd_set_param respawn
-	procd_close_instance
-}

patches/0019-lldp-add-TIP-tweaks.patch

@@ -1,13 +1,13 @@
-From 4b8fbdd73b3da67eeffd9612642218a1b9dc417d Mon Sep 17 00:00:00 2001
+From a5af4baec7cbe2a6ffe845d71fc15af00e022321 Mon Sep 17 00:00:00 2001
 From: John Crispin <john@phrozen.org>
 Date: Fri, 4 Dec 2020 16:29:35 +0100
-Subject: [PATCH 01/18] lldp: add TIP tweaks
+Subject: [PATCH 01/19] lldp: add TIP tweaks
 
 Signed-off-by: John Crispin <john@phrozen.org>
 ---
  .../network/services/lldpd/files/lldpd.config    | 16 ----------------
- package/network/services/lldpd/files/lldpd.init  |  6 +++++-
- 2 files changed, 5 insertions(+), 17 deletions(-)
+ package/network/services/lldpd/files/lldpd.init  | 11 ++++++++++-
+ 2 files changed, 10 insertions(+), 17 deletions(-)
 
 diff --git a/package/network/services/lldpd/files/lldpd.config b/package/network/services/lldpd/files/lldpd.config
 index 5e7c51ba7e..b37dda87bf 100644
@@ -35,7 +35,7 @@ index 5e7c51ba7e..b37dda87bf 100644
 -	list interface "loopback"
 -	list interface "lan"
 diff --git a/package/network/services/lldpd/files/lldpd.init b/package/network/services/lldpd/files/lldpd.init
-index 7a5b25e016..4f613ec664 100644
+index 7a5b25e016..8d855a1856 100644
 --- a/package/network/services/lldpd/files/lldpd.init
 +++ b/package/network/services/lldpd/files/lldpd.init
 @@ -10,6 +10,10 @@ LLDPSOCKET=/var/run/lldpd.socket
@@ -58,6 +58,25 @@ index 7a5b25e016..4f613ec664 100644
  			append ifnames "${ifname:-$iface}" ","
  		fi
  	done
+@@ -58,6 +62,7 @@ write_lldpd_conf()
+ 
+ start_service() {
+ 
++	local enable
+ 	local enable_cdp
+ 	local enable_fdp
+ 	local enable_sonmp
+@@ -68,6 +73,10 @@ start_service() {
+ 	local agentxsocket
+ 
+ 	config_load 'lldpd'
++	config_get_bool enable 'config' 'enable' 0
++
++	[ "$enable" -eq 1 ] || return
++
+ 	config_get_bool enable_cdp 'config' 'enable_cdp' 0
+ 	config_get_bool enable_fdp 'config' 'enable_fdp' 0
+ 	config_get_bool enable_sonmp 'config' 'enable_sonmp' 0
 -- 
 2.25.1
 

patches/0024-netifd-libubox-update-to-latest-HEAD.patch

@@ -0,0 +1,476 @@
+From 5171503cfa4387370fd4c33bbcf0d8c4b6ec86e4 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Tue, 18 May 2021 10:46:43 +0200
+Subject: [PATCH] netifd/libubox: update to latest HEAD
+
+* required for wired ieee8021x
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ package/libs/libubox/Makefile                 |   4 +-
+ package/network/config/netifd/Makefile        |   4 +-
+ .../config/netifd/patches/100-8021x.patch     | 421 ++++++++++++++++++
+ 3 files changed, 425 insertions(+), 4 deletions(-)
+ create mode 100644 package/network/config/netifd/patches/100-8021x.patch
+
+diff --git a/package/libs/libubox/Makefile b/package/libs/libubox/Makefile
+index 4d582eacfd..8644764d59 100644
+--- a/package/libs/libubox/Makefile
++++ b/package/libs/libubox/Makefile
+@@ -5,9 +5,9 @@ PKG_RELEASE=1
+ 
+ PKG_SOURCE_PROTO:=git
+ PKG_SOURCE_URL=$(PROJECT_GIT)/project/libubox.git
+-PKG_MIRROR_HASH:=97dc4eba01cf2c5d6a6d0db3747e0cdc0d95cb87e51b3115272e7d3e69a8b255
++#PKG_MIRROR_HASH:=97dc4eba01cf2c5d6a6d0db3747e0cdc0d95cb87e51b3115272e7d3e69a8b255
+ PKG_SOURCE_DATE:=2020-12-12
+-PKG_SOURCE_VERSION:=357877693ca363b12e6e7e14d345639b2440cd07
++PKG_SOURCE_VERSION:=b14c4688612c05c78ce984d7bde633bce8703b1e
+ PKG_ABI_VERSION:=$(call abi_version_str,$(PKG_SOURCE_DATE))
+ CMAKE_INSTALL:=1
+ 
+diff --git a/package/network/config/netifd/Makefile b/package/network/config/netifd/Makefile
+index 7061456b08..03e3c3ca2a 100644
+--- a/package/network/config/netifd/Makefile
++++ b/package/network/config/netifd/Makefile
+@@ -6,8 +6,8 @@ PKG_RELEASE:=1
+ PKG_SOURCE_PROTO:=git
+ PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git
+ PKG_SOURCE_DATE:=2021-01-09
+-PKG_SOURCE_VERSION:=c00c8335d6188daa326ecfe5a62da15a9b9987e1
+-PKG_MIRROR_HASH:=c740e51e0cec13eec336ba1c7a643db3b64a9a2235f8c1b73a566cb89e841190
++PKG_SOURCE_VERSION:=3052f2f67686f3d540d4d941e4664730de530741
++#PKG_MIRROR_HASH:=c740e51e0cec13eec336ba1c7a643db3b64a9a2235f8c1b73a566cb89e841190
+ PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+ 
+ PKG_LICENSE:=GPL-2.0
+diff --git a/package/network/config/netifd/patches/100-8021x.patch b/package/network/config/netifd/patches/100-8021x.patch
+new file mode 100644
+index 0000000000..eb8eaaa6fb
+--- /dev/null
++++ b/package/network/config/netifd/patches/100-8021x.patch
+@@ -0,0 +1,421 @@
++Return-path: <nbd@nbd.name>
++X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on ds12
++X-Spam-Level: 
++X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
++Envelope-to: john@phrozen.org
++Delivery-date: Mon, 17 May 2021 11:23:58 +0200
++Received: from p54ae9ff2.dip0.t-ipconnect.de ([84.174.159.242] helo=localhost.localdomain)
++	by ds12 with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
++	(Exim 4.89)
++	(envelope-from <nbd@nbd.name>)
++	id 1liZTi-0007JJ-8s
++	for john@phrozen.org; Mon, 17 May 2021 11:23:58 +0200
++From: Felix Fietkau <nbd@nbd.name>
++To: john@phrozen.org
++Subject: [PATCH netifd] device: add support for configuring devices with external auth handler
++Date: Mon, 17 May 2021 11:23:56 +0200
++Message-Id: <20210517092356.85402-1-nbd@nbd.name>
++X-Mailer: git-send-email 2.30.1
++MIME-Version: 1.0
++Content-Transfer-Encoding: 8bit
++
++This can be used to support 802.1x on wired devices.
++In order to use this, the device section for each port needing authentication
++needs to contain the option auth 1
++When set, this option prevents devices from being added to bridges or configured
++with IP settings by default, until the set_state ubus call on network.device
++sets "auth_status" to true for the device.
++
++Signed-off-by: Felix Fietkau <nbd@nbd.name>
++---
++ bridge.c    | 58 +++++++++++++++++++++++++++++++++++++----------------
++ device.c    | 34 +++++++++++++++++++++++++++++++
++ device.h    | 17 +++++++++++++++-
++ interface.c | 21 ++++++++++++++-----
++ ubus.c      |  6 ++++++
++ 5 files changed, 113 insertions(+), 23 deletions(-)
++
++diff --git a/bridge.c b/bridge.c
++index 099dfe4d24ef..397ac979daaf 100644
++--- a/bridge.c
+++++ b/bridge.c
++@@ -122,6 +122,7 @@ struct bridge_member {
++ 	struct device_user dev;
++ 	uint16_t pvid;
++ 	bool present;
+++	bool active;
++ 	char name[];
++ };
++ 
++@@ -299,19 +300,21 @@ bridge_set_vlan_state(struct bridge_state *bst, struct bridge_vlan *vlan, bool a
++ }
++ 
++ static int
++-bridge_disable_member(struct bridge_member *bm)
+++bridge_disable_member(struct bridge_member *bm, bool keep_dev)
++ {
++ 	struct bridge_state *bst = bm->bst;
++ 	struct bridge_vlan *vlan;
++ 
++-	if (!bm->present)
+++	if (!bm->present || !bm->active)
++ 		return 0;
++ 
+++	bm->active = false;
++ 	vlist_for_each_element(&bst->dev.vlans, vlan, node)
++ 		bridge_set_member_vlan(bm, vlan, false);
++ 
++ 	system_bridge_delif(&bst->dev, bm->dev.dev);
++-	device_release(&bm->dev);
+++	if (!keep_dev)
+++		device_release(&bm->dev);
++ 
++ 	device_broadcast_event(&bst->dev, DEV_EVENT_TOPO_CHANGE);
++ 
++@@ -356,6 +359,7 @@ bridge_enable_member(struct bridge_member *bm)
++ {
++ 	struct bridge_state *bst = bm->bst;
++ 	struct bridge_vlan *vlan;
+++	struct device *dev;
++ 	int ret;
++ 
++ 	if (!bm->present)
++@@ -375,12 +379,20 @@ bridge_enable_member(struct bridge_member *bm)
++ 	if (ret < 0)
++ 		goto error;
++ 
+++	dev = bm->dev.dev;
+++	if (dev->settings.auth && !dev->auth_status)
+++		return -1;
+++
+++	if (bm->active)
+++		return 0;
+++
++ 	ret = system_bridge_addif(&bst->dev, bm->dev.dev);
++ 	if (ret < 0) {
++ 		D(DEVICE, "Bridge device %s could not be added\n", bm->dev.dev->ifname);
++ 		goto error;
++ 	}
++ 
+++	bm->active = true;
++ 	if (bst->has_vlans) {
++ 		/* delete default VLAN 1 */
++ 		system_bridge_vlan(bm->dev.dev->ifname, 1, false, 0);
++@@ -412,7 +424,7 @@ bridge_remove_member(struct bridge_member *bm)
++ 		return;
++ 
++ 	if (bst->dev.active)
++-		bridge_disable_member(bm);
+++		bridge_disable_member(bm, false);
++ 
++ 	bm->present = false;
++ 	bm->bst->n_present--;
++@@ -481,10 +493,11 @@ bridge_check_retry(struct bridge_state *bst)
++ }
++ 
++ static void
++-bridge_member_cb(struct device_user *dev, enum device_event ev)
+++bridge_member_cb(struct device_user *dep, enum device_event ev)
++ {
++-	struct bridge_member *bm = container_of(dev, struct bridge_member, dev);
+++	struct bridge_member *bm = container_of(dep, struct bridge_member, dev);
++ 	struct bridge_state *bst = bm->bst;
+++	struct device *dev = dep->dev;
++ 
++ 	switch (ev) {
++ 	case DEV_EVENT_ADD:
++@@ -495,19 +508,30 @@ bridge_member_cb(struct device_user *dev, enum device_event ev)
++ 
++ 		if (bst->n_present == 1)
++ 			device_set_present(&bst->dev, true);
++-		if (bst->dev.active && !bridge_enable_member(bm)) {
++-			/*
++-			 * Adding a bridge member can overwrite the bridge mtu
++-			 * in the kernel, apply the bridge settings in case the
++-			 * bridge mtu is set
++-			 */
++-			system_if_apply_settings(&bst->dev, &bst->dev.settings,
++-						 DEV_OPT_MTU | DEV_OPT_MTU6);
++-		}
+++		fallthrough;
+++	case DEV_EVENT_AUTH_UP:
+++		if (!bst->dev.active)
+++			break;
+++
+++		if (bridge_enable_member(bm))
+++			break;
+++
+++		/*
+++		 * Adding a bridge member can overwrite the bridge mtu
+++		 * in the kernel, apply the bridge settings in case the
+++		 * bridge mtu is set
+++		 */
+++		system_if_apply_settings(&bst->dev, &bst->dev.settings,
+++					 DEV_OPT_MTU | DEV_OPT_MTU6);
+++		break;
+++	case DEV_EVENT_LINK_DOWN:
+++		if (!dev->settings.auth)
+++			break;
++ 
+++		bridge_disable_member(bm, true);
++ 		break;
++ 	case DEV_EVENT_REMOVE:
++-		if (dev->hotplug) {
+++		if (dep->hotplug) {
++ 			vlist_delete(&bst->members, &bm->node);
++ 			return;
++ 		}
++@@ -529,7 +553,7 @@ bridge_set_down(struct bridge_state *bst)
++ 	bst->set_state(&bst->dev, false);
++ 
++ 	vlist_for_each_element(&bst->members, bm, node)
++-		bridge_disable_member(bm);
+++		bridge_disable_member(bm, false);
++ 
++ 	bridge_disable_interface(bst);
++ 
++diff --git a/device.c b/device.c
++index 7f011b615fbf..26254cc2eb90 100644
++--- a/device.c
+++++ b/device.c
++@@ -59,6 +59,7 @@ static const struct blobmsg_policy dev_attrs[__DEV_ATTR_MAX] = {
++ 	[DEV_ATTR_DROP_GRATUITOUS_ARP] = { .name = "drop_gratuitous_arp", .type = BLOBMSG_TYPE_BOOL },
++ 	[DEV_ATTR_DROP_UNSOLICITED_NA] = { .name = "drop_unsolicited_na", .type = BLOBMSG_TYPE_BOOL },
++ 	[DEV_ATTR_ARP_ACCEPT] = { .name = "arp_accept", .type = BLOBMSG_TYPE_BOOL },
+++	[DEV_ATTR_AUTH] = { .name = "auth", .type = BLOBMSG_TYPE_BOOL },
++ };
++ 
++ const struct uci_blob_param_list device_attr_list = {
++@@ -270,6 +271,7 @@ device_merge_settings(struct device *dev, struct device_settings *n)
++ 		s->drop_unsolicited_na : os->drop_unsolicited_na;
++ 	n->arp_accept = s->flags & DEV_OPT_ARP_ACCEPT ?
++ 		s->arp_accept : os->arp_accept;
+++	n->auth = s->flags & DEV_OPT_AUTH ? s->auth : os->auth;
++ 	n->flags = s->flags | os->flags | os->valid_flags;
++ }
++ 
++@@ -439,6 +441,11 @@ device_init_settings(struct device *dev, struct blob_attr **tb)
++ 		s->flags |= DEV_OPT_ARP_ACCEPT;
++ 	}
++ 
+++	if ((cur = tb[DEV_ATTR_AUTH])) {
+++		s->auth = blobmsg_get_bool(cur);
+++		s->flags |= DEV_OPT_AUTH;
+++	}
+++
++ 	device_set_disabled(dev, disabled);
++ }
++ 
++@@ -716,6 +723,28 @@ device_refresh_present(struct device *dev)
++ 	__device_set_present(dev, state);
++ }
++ 
+++void
+++device_set_auth_status(struct device *dev, bool value)
+++{
+++	if (dev->auth_status == value)
+++		return;
+++
+++	dev->auth_status = value;
+++	if (!dev->present)
+++		return;
+++
+++	if (dev->auth_status) {
+++		device_broadcast_event(dev, DEV_EVENT_AUTH_UP);
+++		return;
+++	}
+++
+++	device_broadcast_event(dev, DEV_EVENT_LINK_DOWN);
+++	if (!dev->link_active)
+++		return;
+++
+++	device_broadcast_event(dev, DEV_EVENT_LINK_UP);
+++}
+++
++ void device_set_present(struct device *dev, bool state)
++ {
++ 	if (dev->sys_present == state)
++@@ -734,6 +763,8 @@ void device_set_link(struct device *dev, bool state)
++ 	netifd_log_message(L_NOTICE, "%s '%s' link is %s\n", dev->type->name, dev->ifname, state ? "up" : "down" );
++ 
++ 	dev->link_active = state;
+++	if (!state)
+++		dev->auth_status = false;
++ 	device_broadcast_event(dev, state ? DEV_EVENT_LINK_UP : DEV_EVENT_LINK_DOWN);
++ }
++ 
++@@ -1091,6 +1122,7 @@ device_dump_status(struct blob_buf *b, struct device *dev)
++ 
++ 	blobmsg_add_u8(b, "up", !!dev->active);
++ 	blobmsg_add_u8(b, "carrier", !!dev->link_active);
+++	blobmsg_add_u8(b, "auth_status", !!dev->auth_status);
++ 
++ 	if (dev->type->dump_info)
++ 		dev->type->dump_info(dev, b);
++@@ -1157,6 +1189,8 @@ device_dump_status(struct blob_buf *b, struct device *dev)
++ 			blobmsg_add_u8(b, "drop_unsolicited_na", st.drop_unsolicited_na);
++ 		if (st.flags & DEV_OPT_ARP_ACCEPT)
++ 			blobmsg_add_u8(b, "arp_accept", st.arp_accept);
+++		if (st.flags & DEV_OPT_AUTH)
+++			blobmsg_add_u8(b, "auth", st.auth);
++ 	}
++ 
++ 	s = blobmsg_open_table(b, "statistics");
++diff --git a/device.h b/device.h
++index f6eaf275e18c..ed07791ba458 100644
++--- a/device.h
+++++ b/device.h
++@@ -59,6 +59,7 @@ enum {
++ 	DEV_ATTR_DROP_GRATUITOUS_ARP,
++ 	DEV_ATTR_DROP_UNSOLICITED_NA,
++ 	DEV_ATTR_ARP_ACCEPT,
+++	DEV_ATTR_AUTH,
++ 	__DEV_ATTR_MAX,
++ };
++ 
++@@ -100,7 +101,7 @@ enum {
++ 	DEV_OPT_MLDVERSION		= (1 << 8),
++ 	DEV_OPT_NEIGHREACHABLETIME	= (1 << 9),
++ 	DEV_OPT_DEFAULT_MACADDR		= (1 << 10),
++-	/* 1 bit hole */
+++	DEV_OPT_AUTH			= (1 << 11),
++ 	DEV_OPT_MTU6			= (1 << 12),
++ 	DEV_OPT_DADTRANSMITS		= (1 << 13),
++ 	DEV_OPT_MULTICAST_TO_UNICAST	= (1 << 14),
++@@ -134,6 +135,7 @@ enum device_event {
++ 	DEV_EVENT_UP,
++ 	DEV_EVENT_DOWN,
++ 
+++	DEV_EVENT_AUTH_UP,
++ 	DEV_EVENT_LINK_UP,
++ 	DEV_EVENT_LINK_DOWN,
++ 
++@@ -192,6 +194,7 @@ struct device_settings {
++ 	bool drop_gratuitous_arp;
++ 	bool drop_unsolicited_na;
++ 	bool arp_accept;
+++	bool auth;
++ };
++ 
++ /*
++@@ -220,6 +223,7 @@ struct device {
++ 	int active;
++ 	/* DEV_EVENT_LINK_UP */
++ 	bool link_active;
+++	bool auth_status;
++ 
++ 	bool external;
++ 	bool disabled;
++@@ -324,6 +328,8 @@ struct device *get_vlan_device_chain(const char *ifname, bool create);
++ void alias_notify_device(const char *name, struct device *dev);
++ struct device *device_alias_get(const char *name);
++ 
+++void device_set_auth_status(struct device *dev, bool value);
+++
++ static inline void
++ device_set_deferred(struct device *dev, bool value)
++ {
++@@ -338,6 +344,15 @@ device_set_disabled(struct device *dev, bool value)
++ 	device_refresh_present(dev);
++ }
++ 
+++static inline bool
+++device_link_active(struct device *dev)
+++{
+++	if (dev->settings.auth && !dev->auth_status)
+++		return false;
+++
+++	return dev->link_active;
+++}
+++
++ bool device_check_ip6segmentrouting(void);
++ 
++ #endif
++diff --git a/interface.c b/interface.c
++index 2a8f604207c3..a91246a1ae03 100644
++--- a/interface.c
+++++ b/interface.c
++@@ -99,6 +99,17 @@ interface_error_flush(struct interface *iface)
++ 	}
++ }
++ 
+++static bool
+++interface_force_link(struct interface *iface)
+++{
+++	struct device *dev = iface->main_dev.dev;
+++
+++	if (dev && dev->settings.auth)
+++		return false;
+++
+++	return iface->force_link;
+++}
+++
++ static void
++ interface_clear_errors(struct interface *iface)
++ {
++@@ -344,7 +355,7 @@ __interface_set_up(struct interface *iface)
++ static void
++ interface_check_state(struct interface *iface)
++ {
++-	bool link_state = iface->link_state || iface->force_link;
+++	bool link_state = iface->link_state || interface_force_link(iface);
++ 
++ 	switch (iface->state) {
++ 	case IFS_UP:
++@@ -390,7 +401,8 @@ interface_set_link_state(struct interface *iface, bool new_state)
++ 	iface->link_state = new_state;
++ 	interface_check_state(iface);
++ 
++-	if (new_state && iface->force_link && iface->state == IFS_UP && !iface->link_up_event) {
+++	if (new_state && interface_force_link(iface) &&
+++	    iface->state == IFS_UP && !iface->link_up_event) {
++ 		interface_event(iface, IFEV_LINK_UP);
++ 		iface->link_up_event = true;
++ 	}
++@@ -424,11 +436,10 @@ interface_main_dev_cb(struct device_user *dep, enum device_event ev)
++ 	case DEV_EVENT_DOWN:
++ 		interface_set_enabled(iface, false);
++ 		break;
+++	case DEV_EVENT_AUTH_UP:
++ 	case DEV_EVENT_LINK_UP:
++-		interface_set_link_state(iface, true);
++-		break;
++ 	case DEV_EVENT_LINK_DOWN:
++-		interface_set_link_state(iface, false);
+++		interface_set_link_state(iface, device_link_active(dep->dev));
++ 		break;
++ 	case DEV_EVENT_TOPO_CHANGE:
++ 		interface_proto_event(iface->proto, PROTO_CMD_RENEW, false);
++diff --git a/ubus.c b/ubus.c
++index 9098c662cc41..be150626bc02 100644
++--- a/ubus.c
+++++ b/ubus.c
++@@ -298,12 +298,14 @@ error:
++ enum {
++ 	DEV_STATE_NAME,
++ 	DEV_STATE_DEFER,
+++	DEV_STATE_AUTH_STATUS,
++ 	__DEV_STATE_MAX,
++ };
++ 
++ static const struct blobmsg_policy dev_state_policy[__DEV_STATE_MAX] = {
++ 	[DEV_STATE_NAME] = { .name = "name", .type = BLOBMSG_TYPE_STRING },
++ 	[DEV_STATE_DEFER] = { .name = "defer", .type = BLOBMSG_TYPE_BOOL },
+++	[DEV_STATE_AUTH_STATUS] = { .name = "auth_status", .type = BLOBMSG_TYPE_BOOL },
++ };
++ 
++ static int
++@@ -329,6 +331,10 @@ netifd_handle_set_state(struct ubus_context *ctx, struct ubus_object *obj,
++ 	if (cur)
++ 		device_set_deferred(dev, !!blobmsg_get_u8(cur));
++ 
+++	cur = tb[DEV_STATE_AUTH_STATUS];
+++	if (cur)
+++		device_set_auth_status(dev, !!blobmsg_get_u8(cur));
+++
++ 	return 0;
++ }
++ 
++-- 
++2.30.1
++
+-- 
+2.25.1
+

profiles/ucentral-ap.yml

@@ -17,6 +17,7 @@ packages:
   - curl
   - dnsmasq-full
   - gre
+  - ieee8021x
   - igmpproxy
   - ip-bridge
   - lldpd
@@ -41,7 +42,6 @@ packages:
   - udevmand
   - umdns
   - vxlan
-  - wired-802.1x
   - wpad-mesh-openssl
 diffconfig: |
   CONFIG_OPENSSL_ENGINE=y

profiles/ucentral-switch.yml

@@ -8,9 +8,9 @@ include:
   - webui
 
 packages:
-  - libmosquitto-ssl
   - lldpd
   - curl
+  - ieee8021x
   - ip-bridge
   - ucentral-client
   - ucentral-schema