<mangix>
philipp64: perl packages are...special. opkg is erroring on (un)installation
<mangix>
when openwrt migrates to apk, hopefully this will also go away
<philipp64>
mangix: thanks
<philipp64>
show of hands... do many people operate an IP-PBX on their firewall?
<slh>
that's one of the things I'd like to do, but don't take the chance to actually do (asterisk...)
<neggles>
highly, highly recommend keeping SIP out of your firewall/router unless you're only running a single line
<dwfreed>
why's that?
<slh>
SIP is a high risk service - and asterisk a beast with many heads
<philipp64>
Well, in my case, I only need to peer with my ISP's switch... so I can block everything else...
<neggles>
VoIP is a nightmare at the best of times
<neggles>
there is very little reason to even *have* a SIP PBX unless you only have one outside line, you have multiple SIP clients you want to attach to it, and your SIP provider won't give you multiple accounts
<neggles>
if you put a SIP PBX on your firewall, and it comes even remotely close to full CPU load, your VoIP call quality will go through the floor (if they even work at all) - especially if it has to do transcoding
<neggles>
not that most openwrt devices have the horsepower for transcoding anyway
<neggles>
a VoIP PBX needs a *lot* more processing power than most people expect - 3CX's SIP PBX (which is just asterisk underneath really) will technically run on a pi 3B+, for example, but it's a bad move and they'll only support running it on a Pi 4
<neggles>
(it's also free as in beer, though not open/free as in freedom)
<neggles>
hmm
<neggles>
is there a way to add something to FEATURES for just one device within a target? or would I need to add a new subtarget?
<slh>
if your feature is just having a specific package installed, DEVICE_PACKAGES - if not, kernel and packages are shared
<Grommish>
Is there any way to directly run Host/Install on a package? standard package/feeds/packages/xxxx/host/install doesn't work
<neggles>
slh: the feature in this case would be `ubifs` - this device stores the kernel + dtb as a FIT image in a ubivol, and rootfs/rwfs are also ubi volumes
<neggles>
the rest of 'em do not
<slh>
neggles: in that case you'll either need a subtarget or enable ubifs for all devices (the whole target)
<neggles>
slh: ok, thought so. it's ipq806x, half these devices have UbiFit images anyway, turning it on for everything would probably be fine...
<slh>
there are some devices which don't have that much space left for the kernel partition (ea8500, vr2600 are 3 MB, nbg6817 4 MB - all Netgear devices are currently on 4 MB, those could be extended, but not easily (and I'm not sure by how much))
<neggles>
slh: ah, okay
<neggles>
subtarget then... i'll deal with that once i have it working properly :P
<slh>
neggles: not necessarily, just have a look at how much of a difference it really makes (on the kernel in particular)
<hgl>
philipp64, I'm trying to compile the strongswan package 5.9.2 on the 21.20.01 SDK, the compilation succeeds, but charon gives "chunk_unmap_clear: symbol not found" for the pem plugin, I wonder if you ever encountered this, or 5.9.2 is not supported on 21.20.01?
<hgl>
philipp64, I also got a question regarding the strongswan package if you don't mind: I can't find any settings relating to pools in the init script, I wonder how a client is supposed to get a virtual IP without that setting?
<neggles>
to really take advantage of 4x4 on the AP side you'll need significant physical separation, if only to avoid co-channel interference
<neggles>
but even at 160mhz 2x2 AX is what 1800mbps half-duplex?
<PaulFertser>
I thought it's enough to not have the AP antennas colinear to get fully usable independent spatial streams.
<neggles>
depends, if both of your client devices are in the same place, they'll interfere with each other (co-channel interference, the reason why putting two APs right next to each other makes them both perform atrociously)
<neggles>
and they'll both follow the same-ish multipath paths to the AP
<neggles>
there are only two "real" chains/polarities, horizontal and vertical
<neggles>
AFAIK, 4x4 APs mostly use the extras to improve signal from clients whose antenna polarizations are not perfectly aligned with theirs (e.g. a phone that's not being held dead vertical) and to abuse multipath to talk to multiple physically-separated clients at once
<neggles>
on an unrelated note, YES! sophos APX530 boots to shell!
<Namidairo>
something something bss coloring
<neggles>
bss coloring doesn't change physics / allow two APs to magically use the same channel at the same time without interfering
<neggles>
it just makes those APs and their clients able to immediately identify interference from another AP and, if SNR/power margins etc. allow, ignore it / yell over the top
<Namidairo>
*client puts fingers in ears and starts yelling lalala i can't hear you*
<neggles>
ah worked it out, nss shenanigans
<Namidairo>
nss is great, ask the people working on 807x
<neggles>
Namidairo: nss *is* great
<neggles>
nss *drivers* not so much...
<rsalvaterra>
neggles: Is it, though? How flexible is the NSS? Can it run arbitrary qdiscs (e.g. cake)? :/
<neggles>
rsalvaterra: I honestly have no idea, but I don't think there's any reason it *couldn't* - most of the acceleration/queueing stuff is programmed
<neggles>
you'd probably need to be able to write your own firmware for it though and I doubt QCA will hand over the tools for that anytime soon
<rsalvaterra>
Hand over the firmware source? Hah! xD
<rsalvaterra>
Or even the toolchain…
<neggles>
it does have support for quite a few different qdiscs already
<Habbie>
it reads a namespace from uci, and creates it (but at the wrong time), it does not move interfaces into them yet
<Habbie>
note that there's a hack you can do (i did not try it but somebody in here agreed) - run a fake process via procd (like sleep 1000000000) and stick it in a namespace with a few interfaces
<jow>
the system-linux.c integration will look completely different
<jow>
since we're not issuing ethtool ioctls but netlink messages
<nick[m]1234>
@jow I think it makes a difference to change the namespace of a device, since it always remembers where it came from? However, maybe I am wrong.
<jow>
nick[m]1234: but I mean there's a difference in netifd between creating a new interface (e.g. a macvlan device, a bridge device or a vlan device)
<jow>
and applying settings upon an existing device (e.g. eth0)
<jow>
not sure offhand if and how you need to handle it
<Habbie>
you'll also have to add namespace support to the wireguard bits
<Habbie>
because those actually create the wg interface
<jow>
maybe you can always assume the device exists at the point where the settings are applied and you can unconditionally do RTM_SETLINK w/ NETNSA_NSID
<Habbie>
but that's a shell script so that's easy
<jow>
Habbie: actually no, once a new netdev appears (e.g. externally created by scripts or programs), netifd will claim it and apply its configured settings on it
<jow>
so wireguard would not actually need to be netns aware if netifd gains support for imposing netns on arbitrary devices
<jow>
wireguard as in the proto handler script for wireguard
<jow>
of course it could be extended to create the device in the correct netns from the get-go to eliminate the short window of the device being in the default ns
<Habbie>
except a wg interface may want to have two netnses applied
<Habbie>
one inside, one outside
<Habbie>
i don't know if we can fix that without touching the handler
<jow>
ah right, like a veth pair
<Habbie>
but, touching the handler is not a problem either
<Habbie>
yes, i've been assuming some other "virtual" devices have similar needs
<jow>
but having two netns endpoints on wireguard sounds like it is replacing the functionality of veth then?
<jow>
what's the usecase, encrypted tunnel between namespaces?
<Habbie>
my usecase is that i want to run wg over the internet to some endpoint
<Habbie>
but have the IP sitting on wg0 live in a non-internet namespace
<Habbie>
packets go into wg0 from ns B
<Habbie>
wg wraps them up
<Habbie>
sends them out to the internet which is in ns A
<jow>
simply "ip link set dev wg0 netns xxx" isn't enough?
<jow>
where does the second netns come into play?
<Habbie>
this replaces my current setup (on openbsd, but that doesn't really matter) where openvpn runs in the 'internet' namespaces (rtable) but tun0 does not
<Habbie>
jow, with wg, there's the netns it was created in, and the netns it was moved into
<Habbie>
one netns carries the encrypted packets
<Habbie>
the other carries plain packets
<nick[m]1234>
Habbie: is it okay, if I build up on your codebase and try finishing your work? how should I reference you?
<jow>
ah right, so basically "outer" netns and "inner" netns
<Habbie>
nick[m]1234, of course! Peter van Dijk or @Habbie
<Habbie>
jow, yes
<Habbie>
nick[m]1234, also do let me know if you have questions, get stuck, or want me to test something :)
<nick[m]1234>
however, not sure if I'm capable of finishing it, but I will have a look! :)
<Habbie>
we'll see
<Habbie>
otherwise i'll likely have time to continue the work later this month
<Habbie>
i got stuck on figuring out where to put the rest - like the _merge_ function jow mentioned
<nick[m]1234>
Habbie: cool thanks
<nick[m]1234>
since you all talk about your use cases, mine is to add a (dhcp,static) interface in a new namespace. on that I want to use "ip ..." to also add there the wg, and move it via ip to the normal network namespace.
<f00b4r0>
Habbie: dunno if that's similar but I use netns on a server that acts as a "wg hub", interconnecting several endpoints and their networks, but without them ever seeing the server's own network or the server's software being aware of the existence of the wg networks (except for the ones I actually run within that namespace). Very convenient :)
<Habbie>
f00b4r0, neat :)
<f00b4r0>
also, nice article you wrote :)
<Habbie>
thanks!
<nick[m]1234>
dangole already added some namespace support as part of jailing
<Habbie>
yep
<Habbie>
so moving interfaces is 80% there for us
<Habbie>
this is the trick i mentioned earlier
<Habbie>
except i forgot to use the word 'jail' :)
<philipp64>
neggles: in my case, I have 3 lines, including a fax machine attached to a Sipura ATA2. The handsets are a mix of SPA504G and SPA942. I also do find-me/follow-me to my cell phone with hairpinning. my firewall is a 4-core AMD GX-412TC at 600MHz with 4GB DRAM... and every call comes in as uLaw, so no transcoding required... but even if it did, I've got ample CPU.
<philipp64>
hgl: I mostly do island-to-island configs (i.e. multiple hubs)... I've not tested much in the way of road-warrior configs. file a feature request and I or Thermi will look at it.
<dangole>
nick[m]1234, Habbie: i have improved jail netns support since and netns-enabled jails/containers now got their own ubus and netifd instances.
<dangole>
Habbie: containers/jails having their own netns are a bit of a different use-case, but it'd be nice if we find a unified approach towards network namespaces in netifd
<dangole>
stintel: even nicer, because then it's probably getting even better in case CPU was the bottleneck now (which it probably would be if both bgn and ax is maxed out)
<dangole>
stintel: and i do know how to irc, was just out for the day
<stintel>
:P
<dangole>
stintel: sysupgrade slowness is due to 4k sectors which are needed due to the partition layout not being aligned with the rather large erase block size btw...
<dangole>
stintel: haven't fixed that in ubootmod yet because we'd have to relocate 'factory' and 'eeprom' there as well then :/
<stintel>
I'm not using ubootmod ;)
<dangole>
stintel: i thought that, just telling that it wouldn't make it any better at this point
<dangole>
stintel: jffs2 format takes like 10 minutes, that's really annoying when using sysupgrade and keeping configuration...
<dangole>
stintel: and it probably also isn't really nice for the flash to be used in that way (?)
<rsalvaterra>
I guess WED is an MT7915+ thing, since it's poking some magic MT_WED_* registers… no luck for our MT7615 chips, I guess. :/
<dangole>
rsalvaterra: U6LR comes with MT7915
<rsalvaterra>
I know, but my Redmi AC2100 comes with MT7615. :P
<Habbie>
dangole, understood - my plan (i don't know what nick's plan is) was to start with the main netifd managing them, as there are no processes involved, but a netifd per ns might also make sense
<mattytap_>
stintel: I've worked on the dts for the marvell switch common to the WatchGuard qoriq/m300/m200 and mpc85xx/t30 and probably more... IMHO they can be identical.
<dangole>
Habbie: it's kinda handy to clone() or fork() at some point, but i reckon avoiding it (ie. using setns() when possible) would be even nicer. :)
<mattytap_>
your m300 dts is the most complete of the dts I've looked at and they all follow the linux.org marvell.txt spec
<mattytap_>
so I'm wondering about creating a dtsi stub just for this marvell switch to go in the fsl folder.
<mattytap_>
but how do we make this available for multiple targets mpc85xx and qoriq
<dangole>
Habbie: initially I had netifd clone()ing itself, nbd advised to better move the responsibility to launch the per-netns instance to procd-ujail, and so i did, so to avoid duplicating open filehandlers and all that. if we can handle everything in a single instance of netifd, that would of course be even nicer
<stintel>
mattytap_: target/linux/generic/files/
<stintel>
mattytap_: did you work on the ppc asm by chance?
<mattytap_>
Not yet sorry, but will do soon. I just needed to clear my head of the dts stuff first.
<stintel>
no worries, just checking
<stintel>
I might pick it up myself when I'm finished with firewall4
<blocktrron1>
hmm, does the ipq501x feature a NPU?
<Habbie>
dangole, nick[m]1234, here's an entirely unfinished thought i had while i was outside - netifd already has a concept of names for netnses. We 'just' need to export those names so that ip netns can also see them, and add a flag so the jails/netnses can live with zero processes in them?
<dangole>
Habbie: Yes that sounds like it can work. You can actually already do that by using 'sleep' or some other dummy as jailed process :)
<Habbie>
yes! i mentioned that to nick[m]1234 earlier
<Habbie>
but then it's hard to access
<Habbie>
also! making it visible to ip netns means persisting it with a mount anyway
<Habbie>
so unless i'm missing something (and i most likely are), this might actually be quite simple
<Habbie>
*am
<aparcar>
Does busybox create the symlinks automatically or do we somehow take care of that?
<nick[m]1234>
dangole, Habbie I am not really sure if I understand you correctly. I just wanted to follow the way @habbie implemented netns already, because that looked straightforward. Maybe it is not a good idea, that I should implement this. xD
<Habbie>
i only have rough ideas
<Habbie>
you are typing code
<Habbie>
don't stop because i typed words :)
<Habbie>
and perhaps i might also type code at some point, and we might see that we both had some great ideas, and combine them, etc.
<nick[m]1234>
actually, I just added the netns, to the ubus output, compiled the netns version, and tried if it works so far. xD so I am not so far.
<Habbie>
ubus? nice
<nick[m]1234>
so everything is set up correctly so far
<nick[m]1234>
now I wanted to find out how I can move the interface to the created network namespace, and looked at the function that is already existing, so the system_link_netns_move
<Habbie>
right, which wants an fd, which I -think- you can get by opening /var/run/netns/foo ?
<nick[m]1234>
yes, 1 second I can send you the function for that
<Habbie>
but i am currently not sure of many things
<Habbie>
oh! my browser did not scroll all the way to the anchor
<Habbie>
rewind
<Habbie>
nick[m]1234, yes, that's the one :)
<dangole>
nick[m]1234, Habbie: you can access the ubus (and network.* objects) belonging to a jail/netns-container via `ubus -s /var/containers/ubus-${jail_name}/ubus`
<Habbie>
so kinda like how ip netns does things too - like a per-namespace resolv.conf
<rsalvaterra>
aparcar: The busybox build takes care of creating each applet's symlink.
<blocktrron1>
slh: the u-boot GPL does not include a PPE driver / uses a synopsys MAC IP driver contrary to ipq60xx and ipq807x which utilize edma
<blocktrron1>
the wiki was the only source I've found, but it looks copy-paste.
<slh>
I haven't actually played with ipq50xx so far (only ipq8074, ipq8074a, ipq8071a and ipq6018)
<blocktrron1>
me neither.
<rsalvaterra>
The sad thing with IPQ SoCs is almost always being paired with QCA Wi-Fi. :P
<slh>
lots of untapped potential, but a long road ahead...
<blocktrron1>
rsalvaterra: +1
<blocktrron1>
ipq50xx sounded interesting, as from the GPL code it looks like it does not require the proprietary Ubicom-NSS they've found in atheros basement
<blocktrron1>
hence my question
<slh>
blocktrron1: miwifi_ra72_firmware_98605_1.0.55.bin/squashfs-root/lib/firmware/qca-nss0-retail.bin looks a lot like the same old story
<robimarko>
You don't actually need it on any of the SoC-s for wired
<robimarko>
In theory if you had the datasheet for the PPE inside of IPQ60xx or IPQ807x you wouldn't need it at all
<blocktrron1>
is it required for wireless?
<robimarko>
No
<robimarko>
It's just for offloading networking and various crypto
<robimarko>
As the second UBI32 core has EIP IP
<robimarko>
Which has its own 4 binary blobs
<robimarko>
But note that the NSS-DP drivers implementation of plain HW networking is crap
<robimarko>
It looks like they quite literally did it just so you have networking even without NSS
<robimarko>
As they just utilize single set of IRQ-s so under load it will just hammer one CPU core
<robimarko>
And you can't IRQ balance it
<blocktrron1>
So it's a downgrade compared to ipq40xx in that regard?
<robimarko>
The ethernet controller is updated EDMA, the switch also got much needed updates
<robimarko>
But they copy/pasted the 1GB switch
<robimarko>
But the performance without NSS could be way better if there was a proper driver
<robimarko>
Cause their crap is designed to always be used with NSS FW and the whole deal
<blocktrron1>
Hmm okay
<robimarko>
At worst the performance is at IPQ40xx level
<rsalvaterra>
Everyone is so eager to ship fw4 by default in the next release, but mwan3 is pretty much a vital component for lots of people (myself included) and only works with iptables…
<rsalvaterra>
… feckert, are you planning on coding an mwan4? :)
<blocktrron1>
robimarko: how is cnss2 related? is it a separate piece of software running on the ubicom core or just a name for a kernel-interface?
<blocktrron1>
I'm just trying to catch up with what QCA has done, after living happily with MTK for the past year
<robimarko>
It's their kernel/userspace helper
<robimarko>
You don't actually need it
<robimarko>
ath11k doesn't use it at all
<robimarko>
With their proprietary driver it handles caldata, BDF-s, regdata and other maintenance stuff
<svlobanov>
hi. does anyone know how to compile musl bits/stat.h with clang? https://github.com/bminor/musl/blob/master/arch/aarch64/bits/stat.h . clang doesn't want to compile it with the error: In file included from /Volumes/OpenWrt2/openwrt6/staging_dir/toolchain-aarch64_cortex-a53_gcc-11.2.0_musl/include/sys/stat.h:23: /Volumes/OpenWrt2/openwrt6/staging_dir/toolchain-aarch64_cortex-a53_gcc-11.2.0_musl/include/bits/stat.h:1
<svlobanov>
7:19: error: expected member name or ';' after declaration specifiers unsigned __unused[2]; https://pastebin.com/s5gYWfp8
<svlobanov>
looks like some more flags required to accept code like 'unsigned __unused[2];'