
Refactor common parts of gluon-mesh-vpn-fastd into a gluon-mesh-vpn-core package

The fastd_mesh_vpn site.conf section is renamed to mesh_vpn.fastd.
Matthias Schiffer 7 years ago
parent
commit
be88eba07f

+ 39 - 37
docs/site-example/site.conf

@@ -95,48 +95,50 @@
     -- },
   -- },
 
-  -- Refer to http://fastd.readthedocs.org/en/latest/ to better understand
-  -- what these options do.
-  fastd_mesh_vpn = {
-    -- List of crypto-methods to use.
-    methods = {'salsa2012+umac'},
-    -- enabled = true,
-    -- configurable = true,
-    -- syslog_level = 'warn',
-
-    mtu = 1280,
-    groups = {
-      backbone = {
-        -- Limit number of connected peers to reduce bandwidth.
-        limit = 1,
-
-        -- List of peers.
-        peers = {
-          peer1 = {
-            key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
-
-            -- This is a list, so you might add multiple entries.
-            remotes = {'ipv4 "xxx.somehost.invalid" port xxxxxx'},
+  mesh_vpn = {
+    -- Refer to http://fastd.readthedocs.org/en/latest/ to better understand
+    -- what these options do.
+    fastd = {
+      -- List of crypto-methods to use.
+      methods = {'salsa2012+umac'},
+      -- enabled = true,
+      -- configurable = true,
+      -- syslog_level = 'warn',
+
+      mtu = 1280,
+      groups = {
+        backbone = {
+          -- Limit number of connected peers to reduce bandwidth.
+          limit = 1,
+
+          -- List of peers.
+          peers = {
+            peer1 = {
+              key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+
+              -- This is a list, so you might add multiple entries.
+              remotes = {'ipv4 "xxx.somehost.invalid" port xxxxxx'},
+            },
+            peer2 = {
+              key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+              -- You can also omit the ipv4 to allow both connection via ipv4 and ipv6
+              remotes = {'"xxx.somehost2.invalid" port xxxxx'},
+            },
           },
-          peer2 = {
-            key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
-            -- You can also omit the ipv4 to allow both connection via ipv4 and ipv6
-            remotes = {'"xxx.somehost2.invalid" port xxxxx'},
-          },
-        },
 
-        -- Optional: nested peer groups
-        -- groups = {
-        --   backbone_sub = {
-        --     ...
-        --   },
+          -- Optional: nested peer groups
+          -- groups = {
+          --   backbone_sub = {
+          --     ...
+          --   },
+          --   ...
+          -- },
+        },
+        -- Optional: additional peer groups, possibly with other limits
+        -- backbone2 = {
         --   ...
         -- },
       },
-      -- Optional: additional peer groups, possibly with other limits
-      -- backbone2 = {
-      --   ...
-      -- },
     },
 
     bandwidth_limit = {

+ 43 - 36
docs/user/site.rst

@@ -169,14 +169,18 @@ mesh \: optional
        mesh = {
          batman_adv = {
            gw_sel_class = 1,
-	 },
+         },
        }
 
 
-fastd_mesh_vpn
-    Remote server setup for the fastd-based mesh VPN.
+mesh_vpn
+    Remote server setup for the mesh VPN.
+
+    The `enabled` option can be set to true to enable the VPN by default. `mtu`
+    defines the MTU of the VPN interface.
 
-    The `enabled` option can be set to true to enable the VPN by default.
+    The `fastd` section configures settings specific to the *fastd* VPN
+    implementation.
 
     If `configurable` is set to `false` or unset, the method list will be replaced on updates
     with the list from the site configuration. Setting `configurable` to `true` will allow the user to
@@ -191,44 +195,47 @@ fastd_mesh_vpn
     You can set syslog_level from verbose (default) to warn to reduce syslog output.
     ::
 
-      fastd_mesh_vpn = {
-        methods = {'salsa2012+umac'},
-      	-- enabled = true,
-      	-- configurable = true,
-	-- syslog_level = 'warn',
+      mesh_vpn = {
+        -- enabled = true,
         mtu = 1280,
-        groups = {
-          backbone = {
-            -- Limit number of connected peers from this group
-            limit = 1,
-            peers = {
-              peer1 = {
-                key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
-                -- Having multiple domains prevents SPOF in freifunk.net
-                remotes = {
-                  'ipv4 "vpn1.alpha-centauri.freifunk.net" port 10000',
-                  'ipv4 "vpn1.alpha-centauri-freifunk.de" port 10000',
+
+        fastd = {
+          methods = {'salsa2012+umac'},
+          -- configurable = true,
+          -- syslog_level = 'warn',
+          groups = {
+            backbone = {
+              -- Limit number of connected peers from this group
+              limit = 1,
+              peers = {
+                peer1 = {
+                  key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
+                  -- Having multiple domains prevents SPOF in freifunk.net
+                  remotes = {
+                    'ipv4 "vpn1.alpha-centauri.freifunk.net" port 10000',
+                    'ipv4 "vpn1.alpha-centauri-freifunk.de" port 10000',
+                  },
+                },
+                peer2 = {
+                  key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
+                  -- You can also omit the ipv4 to allow both connection via ipv4 and ipv6
+                  remotes = {'"vpn2.alpha-centauri.freifunk.net" port 10000'},
                 },
               },
-              peer2 = {
-                key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
-                -- You can also omit the ipv4 to allow both connection via ipv4 and ipv6
-                remotes = {'"vpn2.alpha-centauri.freifunk.net" port 10000'},
-              },
+              -- Optional: nested peer groups
+              -- groups = {
+              --   lowend_backbone = {
+              --     limit = 1,
+              --     peers = ...
+              --   },
+              -- },
             },
-            -- Optional: nested peer groups
-            -- groups = {
-            --   lowend_backbone = {
-            --     limit = 1,
-            --     peers = ...
-            --   },
+            -- Optional: additional peer groups, possibly with other limits
+            -- peertopeer = {
+            --   limit = 10,
+            --   peers = { ... },
             -- },
           },
-          -- Optional: additional peer groups, possibly with other limits
-          -- peertopeer = {
-          --   limit = 10,
-          --   peers = { ... },
-          -- },
         },
 
         bandwidth_limit = {

+ 35 - 0
package/gluon-mesh-vpn-core/Makefile

@@ -0,0 +1,35 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-core
+PKG_VERSION:=1
+
+
+include ../gluon.mk
+
+
+define Package/gluon-mesh-vpn-core
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Basic support for connecting meshes via VPN tunnels
+  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Compile
+	$(call GluonSrcDiet,./luasrc,$(PKG_BUILD_DIR)/luadest/)
+endef
+
+define Package/gluon-mesh-vpn-core/install
+	$(CP) ./files/* $(1)/
+	$(CP) $(PKG_BUILD_DIR)/luadest/* $(1)/
+endef
+
+define Package/gluon-mesh-vpn-core/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
+endef
+
+$(eval $(call BuildPackage,gluon-mesh-vpn-core))

+ 8 - 0
package/gluon-mesh-vpn-core/check_site.lua

@@ -0,0 +1,8 @@
+need_boolean('mesh_vpn.enabled', false)
+need_number('mesh_vpn.mtu')
+
+if need_table('mesh_vpn.bandwidth_limit', nil, false) then
+	need_boolean('mesh_vpn.bandwidth_limit.enabled', false)
+	need_number('mesh_vpn.bandwidth_limit.ingress', false)
+	need_number('mesh_vpn.bandwidth_limit.egress', false)
+end

+ 3 - 0
package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules

@@ -0,0 +1,3 @@
+*nat
+-I OUTPUT -m owner --gid-owner gluon-mesh-vpn -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
+COMMIT

+ 60 - 0
package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/400-mesh-vpn

@@ -0,0 +1,60 @@
+#!/usr/bin/lua
+
+local site = require 'gluon.site_config'
+local users = require 'gluon.users'
+local util = require 'gluon.util'
+local fs = require 'nixio.fs'
+
+local uci = require('simple-uci').cursor()
+
+
+uci:section('network', 'interface', 'mesh_vpn', {
+	ifname = 'mesh-vpn',
+	proto = 'gluon_mesh',
+	transitive = true,
+	fixed_mtu = true,
+	macaddr = util.generate_mac(7),
+	mtu = site.mesh_vpn.mtu,
+})
+
+uci:save('network')
+
+
+if fs.access('/etc/config/gluon-simple-tc') then
+	os.rename('/etc/config/gluon-simple-tc', '/etc/config/simple-tc')
+end
+
+if not uci:get('simple-tc', 'mesh_vpn') then
+	local config = {
+		ifname = 'mesh-vpn',
+		enabled = false,
+	}
+
+
+	if site.mesh_vpn.bandwidth_limit then
+		if site.mesh_vpn.bandwidth_limit.enabled then
+			config.enabled = true
+		end
+
+		config.limit_ingress = site.mesh_vpn.bandwidth_limit.ingress
+		config.limit_egress = site.mesh_vpn.bandwidth_limit.egress
+	end
+
+	uci:section('simple-tc', 'interface', 'mesh_vpn', config)
+	uci:save('simple-tc')
+end
+
+
+-- The previously used user and group are removed, we now have a generic group
+users.remove_user('gluon-fastd')
+users.remove_group('gluon-fastd')
+
+users.add_group('gluon-mesh-vpn', 800)
+
+uci:section('firewall', 'include', 'mesh_vpn_dns', {
+	type = 'restore',
+	path = '/lib/gluon/mesh-vpn/iptables.rules',
+	family = 'ipv4',
+})
+
+uci:save('firewall')
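Review bot: The group created by `users.add_group('gluon-mesh-vpn', 800)` and the `mesh_vpn` network interface written at the top of this script are consumed by `400-mesh-vpn-fastd` (its fastd section sets `group = 'gluon-mesh-vpn'` and no longer writes the network section itself), so that script now depends on this one having run first; as far as I can tell from the file names alone, the ordering only holds because `400-mesh-vpn` sorts before `400-mesh-vpn-fastd` under the shared `400` prefix. I would make that explicit in a header comment, e.g. `-- Must run before the VPN implementation scripts (400-mesh-vpn-fastd): they rely on the gluon-mesh-vpn group and the mesh_vpn network section created here`. The new group also reuses gid 800 from the removed `gluon-fastd` group; if `users.remove_group` is best-effort on a system where the old group lingers, the subsequent add could collide, which is worth confirming against the gluon.users implementation (not part of this diff).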

+ 2 - 2
package/gluon-mesh-vpn-fastd/Makefile

@@ -12,8 +12,8 @@ include ../gluon.mk
 define Package/gluon-mesh-vpn-fastd
   SECTION:=gluon
   CATEGORY:=Gluon
-  TITLE:=Support for connecting batman-adv meshes via fastd
-  DEPENDS:=+gluon-core +libgluonutil +gluon-wan-dnsmasq +fastd +iptables +iptables-mod-extra +simple-tc
+  TITLE:=Support for connecting meshes via fastd
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd
 endef
 
 define Build/Prepare

+ 17 - 26
package/gluon-mesh-vpn-fastd/check_site.lua

@@ -1,39 +1,30 @@
 local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
-need_array_of('fastd_mesh_vpn.methods', fastd_methods)
-need_number('fastd_mesh_vpn.mtu')
-need_boolean('fastd_mesh_vpn.enabled', false)
-need_boolean('fastd_mesh_vpn.configurable', false)
+need_array_of('mesh_vpn.fastd.methods', fastd_methods)
+need_boolean('mesh_vpn.fastd.configurable', false)
 
-need_one_of('fastd_mesh_vpn.syslog_level', {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false)
+need_one_of('mesh_vpn.fastd.syslog_level', {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false)
 
 local function check_peer(prefix)
-  return function(k, _)
-    assert_uci_name(k)
+	return function(k, _)
+		assert_uci_name(k)
 
-    local table = string.format('%s[%q].', prefix, k)
+		local table = string.format('%s[%q].', prefix, k)
 
-    need_string_match(table .. 'key', '^%x+$')
-    need_string_array(table .. 'remotes')
-  end
+		need_string_match(table .. 'key', '^%x+$')
+		need_string_array(table .. 'remotes')
+	end
 end
 
 local function check_group(prefix)
-  return function(k, _)
-    assert_uci_name(k)
+	return function(k, _)
+		assert_uci_name(k)
 
-    local table = string.format('%s[%q].', prefix, k)
+		local table = string.format('%s[%q].', prefix, k)
 
-    need_number(table .. 'limit', false)
-    need_table(table .. 'peers', check_peer(table .. 'peers'), false)
-    need_table(table .. 'groups', check_group(table .. 'groups'), false)
-  end
+		need_number(table .. 'limit', false)
+		need_table(table .. 'peers', check_peer(table .. 'peers'), false)
+		need_table(table .. 'groups', check_group(table .. 'groups'), false)
+	end
 end
 
-need_table('fastd_mesh_vpn.groups', check_group('fastd_mesh_vpn.groups'))
-
-
-if need_table('fastd_mesh_vpn.bandwidth_limit', nil, false) then
-  need_boolean('fastd_mesh_vpn.bandwidth_limit.enabled', false)
-  need_number('fastd_mesh_vpn.bandwidth_limit.ingress', false)
-  need_number('fastd_mesh_vpn.bandwidth_limit.egress', false)
-end
+need_table('mesh_vpn.fastd.groups', check_group('mesh_vpn.fastd.groups'))
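Review bot: Both closures declare `local table = string.format('%s[%q].', prefix, k)`, which shadows the standard `table` library for the rest of the function body; nothing in these bodies calls `table.*`, so it is harmless today, but luacheck will flag it and it will bite the first person who adds a `table.insert` there. I would rename it in both check_peer and check_group, e.g. `local path = string.format('%s[%q].', prefix, k)` with the following `need_*` calls using `path ..`. Separately, `need_string_match(table .. 'key', '^%x+$')` accepts a hex string of any length, while the site examples in this commit use 64-digit keys; if the project's fastd keys are always 64 hex digits, a stricter pattern such as `'^' .. string.rep('%x', 64) .. '$'` would reject truncated or mis-pasted keys at site-check time rather than when fastd starts.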

+ 0 - 3
package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/iptables.rules

@@ -1,3 +0,0 @@
-*nat
--I OUTPUT -m owner --gid-owner gluon-fastd -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
-COMMIT

+ 0 - 0
package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd


+ 63 - 103
package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd

@@ -1,144 +1,104 @@
 #!/usr/bin/lua
 
 local site = require 'gluon.site_config'
-local users = require 'gluon.users'
 local util = require 'gluon.util'
 
 local uci = require('simple-uci').cursor()
 
 
--- The previously used user is removed, we need root privileges to use the packet_mark option
-users.remove_user('gluon-fastd')
-
--- Group for iptables rule
-users.add_group('gluon-fastd', 800)
-
-
 local enabled = uci:get('fastd', 'mesh_vpn', 'enabled')
-if not enabled then
-  enabled = site.fastd_mesh_vpn.enabled or false
+if enabled == nil then
+	enabled = site.mesh_vpn.enabled or false
 end
 
 local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose'
 
 local methods
 
-if site.fastd_mesh_vpn.configurable then
-  local has_null = util.contains(site.fastd_mesh_vpn.methods, 'null')
+if site.mesh_vpn.fastd.configurable then
+	local has_null = util.contains(site.mesh_vpn.fastd.methods, 'null')
 
-  local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
-  if old_methods then
-    has_null = util.contains(old_methods, 'null')
-  end
+	local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
+	if old_methods then
+		has_null = util.contains(old_methods, 'null')
+	end
 
-  methods = {}
-  if has_null then
-    table.insert(methods, 'null')
-  end
+	methods = {}
+	if has_null then
+		table.insert(methods, 'null')
+	end
 
-  for _, method in ipairs(site.fastd_mesh_vpn.methods) do
-    if method ~= 'null' then
-      table.insert(methods, method)
-    end
-  end
+	for _, method in ipairs(site.mesh_vpn.fastd.methods) do
+		if method ~= 'null' then
+			table.insert(methods, method)
+		end
+	end
 
 else
-  methods = site.fastd_mesh_vpn.methods
+	methods = site.mesh_vpn.fastd.methods
 end
 
 
-uci:section('fastd', 'fastd', 'mesh_vpn',
-	  {
-		  enabled = enabled,
-		  group = 'gluon-fastd',
-		  syslog_level = syslog_level,
-		  interface = 'mesh-vpn',
-		  mode = 'tap',
-		  mtu = site.fastd_mesh_vpn.mtu,
-		  secure_handshakes = true,
-		  method = methods,
-		  packet_mark = 1,
-		  status_socket = '/var/run/fastd.mesh_vpn.socket',
-	  }
-)
+uci:section('fastd', 'fastd', 'mesh_vpn', {
+	enabled = enabled,
+	group = 'gluon-mesh-vpn',
+	syslog_level = syslog_level,
+	interface = 'mesh-vpn',
+	mode = 'tap',
+	mtu = site.mesh_vpn.mtu,
+	secure_handshakes = true,
+	method = methods,
+	packet_mark = 1,
+	status_socket = '/var/run/fastd.mesh_vpn.socket',
+})
 uci:delete('fastd', 'mesh_vpn', 'user')
 
 
 local add_groups
 
 local function add_peer(group, name, config)
-  uci:section('fastd', 'peer', group .. '_peer_' .. name,
-    {
-      enabled = true,
-      net = 'mesh_vpn',
-      group = group,
-      key = config.key,
-      remote = config.remotes,
-    }
-  )
+	uci:section('fastd', 'peer', group .. '_peer_' .. name, {
+		enabled = true,
+		net = 'mesh_vpn',
+		group = group,
+		key = config.key,
+		remote = config.remotes,
+	})
 end
 
 local function add_group(name, config, parent)
-  uci:delete('fastd', name)
-  uci:delete_all('fastd', 'peer',
-    function(peer)
-      return (peer.net == 'mesh_vpn' and peer.group == name)
-    end
-  )
-
-
-  uci:section('fastd', 'peer_group', name,
-    {
-      enabled = true,
-      net = 'mesh_vpn',
-      parent = parent,
-      peer_limit = config.limit,
-    }
-  )
-
-  if config.peers then
-    for peername, peerconfig in pairs(config.peers) do
-      add_peer(name, peername, peerconfig)
-    end
-  end
-
-  add_groups(name, config.groups, name)
+	uci:delete('fastd', name)
+	uci:delete_all('fastd', 'peer',	function(peer)
+		return (peer.net == 'mesh_vpn' and peer.group == name)
+	end)
+
+
+	uci:section('fastd', 'peer_group', name, {
+		enabled = true,
+		net = 'mesh_vpn',
+		parent = parent,
+		peer_limit = config.limit,
+	})
+
+	if config.peers then
+		for peername, peerconfig in pairs(config.peers) do
+			add_peer(name, peername, peerconfig)
+		end
+	end
+
+	add_groups(name, config.groups, name)
 end
 
 -- declared local above
 function add_groups(prefix, groups, parent)
-  if groups then
-    for name, group in pairs(groups) do
-      add_group(prefix .. '_' .. name, group, parent)
-    end
-  end
+	if groups then
+		for name, group in pairs(groups) do
+			add_group(prefix .. '_' .. name, group, parent)
+		end
+	end
 end
 
-add_groups('mesh_vpn', site.fastd_mesh_vpn.groups)
+add_groups('mesh_vpn', site.mesh_vpn.fastd.groups)
 
 
 uci:save('fastd')
-
-
-uci:section('network', 'interface', 'mesh_vpn',
-  {
-    ifname = 'mesh-vpn',
-    proto = 'gluon_mesh',
-    transitive = true,
-    fixed_mtu = true,
-    macaddr = util.generate_mac(7),
-  }
-)
-
-uci:save('network')
-
-
-uci:section('firewall', 'include', 'mesh_vpn_dns',
-	  {
-	    type = 'restore',
-	    path = '/lib/gluon/mesh-vpn-fastd/iptables.rules',
-	    family = 'ipv4',
-	  }
-)
-
-uci:save('firewall')
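Review bot: `uci:delete_all('fastd', 'peer',	function(peer)` in add_group has a tab between the comma and `function`, where the rest of the re-indented file uses a single space after commas; it should read `uci:delete_all('fastd', 'peer', function(peer)`. The `group = 'gluon-mesh-vpn'` value in the fastd section now refers to a group this file no longer creates, so a short comment beside it, e.g. `-- group is created by 400-mesh-vpn`, would save the next reader a search.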

+ 0 - 31
package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/420-mesh-vpn-fastd-simple-tc

@@ -1,31 +0,0 @@
-#!/usr/bin/lua
-
-local site = require 'gluon.site_config'
-local uci = require('simple-uci').cursor()
-local fs = require 'nixio.fs'
-
-
-if fs.access('/etc/config/gluon-simple-tc') then
-  os.rename('/etc/config/gluon-simple-tc', '/etc/config/simple-tc')
-end
-
-
-if not uci:get('simple-tc', 'mesh_vpn') then
-  local config = {
-    ifname = 'mesh-vpn',
-    enabled = false,
-  }
-
-
-  if site.fastd_mesh_vpn.bandwidth_limit then
-    if site.fastd_mesh_vpn.bandwidth_limit.enabled then
-      config.enabled = true
-    end
-
-    config.limit_ingress = site.fastd_mesh_vpn.bandwidth_limit.ingress
-    config.limit_egress = site.fastd_mesh_vpn.bandwidth_limit.egress
-  end
-
-  uci:section('simple-tc', 'interface', 'mesh_vpn', config)
-  uci:save('simple-tc')
-end

+ 2 - 2
package/gluon-web-mesh-vpn-fastd/check_site.lua

@@ -1,2 +1,2 @@
-assert(need_boolean('fastd_mesh_vpn.configurable') == true,
-       "site.conf error: expected `fastd_mesh_vpn.configurable' to be true")
+assert(need_boolean('mesh_vpn.fastd.configurable') == true,
+       "site.conf error: expected `mesh_vpn.fastd.configurable' to be true")

+ 1 - 1
package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/web/model/admin/mesh_vpn_fastd.lua

@@ -23,7 +23,7 @@ function mode:write(data)
 		table.insert(methods, 'null')
 	end
 
-	for _, method in ipairs(site.fastd_mesh_vpn.methods) do
+	for _, method in ipairs(site.mesh_vpn.fastd.methods) do
 		if method ~= 'null' then
 			table.insert(methods, method)
 		end