Conversation
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Add firewall address-sets: named sets of IP addresses and networks, usable as zone sources for per-IP access control, issue #1189. Static entries are part of the configuration; dynamic entries are managed at runtime with new add/remove/flush actions, from the CLI or over NETCONF/RESTCONF. Dynamic entries survive firewall configuration changes but are not saved to the configuration. Sets with a timeout expire their entries automatically. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Resetting a zone's services (or interfaces) wiped the entire zone:
action, interfaces, address-sets, everything but the name.
The keyed zone GET decodes into a wrapper expecting the node bare, but
the server nests it under the full parent path:
{"infix-firewall:firewall": {"zone": [ ... ]}}
The decode silently matched nothing, so the reset handler rebuilt the
zone from an empty struct and PUT only the zone name. The same
mismatch also broke network preservation when saving a zone.
Clear leaf-lists by deleting each instance instead of rebuilding the
zone with PUT, so a reset cannot touch anything else. Fix the wrapper
shape, document the nesting convention on the RESTCONF client Get, and
log a warning when a non-empty response decodes to a zero-valued
wrapper. When saving zones, omit empty leaf-lists and a defaulted
action. Refresh the firewall page after resets and update the handler
tests to mock the real response shape.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Three more RESTCONF wrappers assume the response to a keyed GET is the bare node, when the server nests it under the full parent path: the container resource-usage stats always read zero, the WireGuard listen port never populated, and resetting advertised link modes silently re-enabled auto-negotiation on links where it was forced off. Same class of bug as the firewall zone reset fix: the decode matches nothing and the zero value is used as if valid. Model the full nesting in all three wrappers, reusing the existing container list wrapper. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
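Both commit messages above describe the same defect: a keyed RESTCONF GET is decoded into a wrapper that expects the bare node, the server nests it under the full parent path, `encoding/json` matches nothing and silently leaves the wrapper zero-valued, and the caller then treats that zero value as real data (rebuilding a zone with only its name, or reading a listen port of 0). The following is an added Go example, not the project's code, that reproduces the mismatch on a constructed zone response, models the nested shape correctly, flags a non-empty body that decodes to a zero-valued wrapper, and contrasts the old "PUT the rebuilt zone" reset with per-instance DELETEs. The `Zone` fields, the RESTCONF paths and the `ErrZeroDecode` sentinel are assumptions; the real commit only logs a warning, whereas this version also returns an error so the caller can refuse to act on the zero value.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"reflect"
)

// Zone mirrors a subset of one firewall zone entry (constructed; field names
// are assumptions, not the project's YANG model).
type Zone struct {
	Name        string   `json:"name"`
	Action      string   `json:"action,omitempty"`
	Interfaces  []string `json:"interface,omitempty"`
	AddressSets []string `json:"address-set,omitempty"`
}

// bareZones is the buggy wrapper shape: it expects the list at the top level.
type bareZones struct {
	Zone []Zone `json:"zone"`
}

// nestedZones models the full parent path the server actually returns.
type nestedZones struct {
	Firewall struct {
		Zone []Zone `json:"zone"`
	} `json:"infix-firewall:firewall"`
}

// sampleResponse is a constructed reply to a keyed zone GET, nested under the
// full parent path exactly as the commit message shows.
const sampleResponse = `{"infix-firewall:firewall": {"zone": [
  {"name": "lan", "action": "accept", "interface": ["eth0", "eth1"], "address-set": ["admins"]}
]}}`

// ErrZeroDecode is returned when a non-empty body produced a zero-valued wrapper.
var ErrZeroDecode = errors.New("non-empty response decoded to zero-valued wrapper")

// isZero reports whether the value behind a pointer is its type's zero value.
func isZero(v any) bool {
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Ptr {
		rv = rv.Elem()
	}
	return rv.IsZero()
}

// decodeInto unmarshals body into out and, when a body with actual content
// matched nothing in the wrapper, logs a warning and returns ErrZeroDecode.
func decodeInto(body []byte, out any) error {
	if err := json.Unmarshal(body, out); err != nil {
		return err
	}
	trimmed := bytes.TrimSpace(body)
	if len(trimmed) > 2 && isZero(out) { // longer than "{}" yet nothing matched
		log.Printf("warning: non-empty response decoded to zero-valued %T; wrapper shape mismatch?", out)
		return ErrZeroDecode
	}
	return nil
}

// DecodeZonesBare reproduces the bug: the nested body matches no field.
func DecodeZonesBare(body []byte) ([]Zone, error) {
	var w bareZones
	if err := decodeInto(body, &w); err != nil {
		return nil, err
	}
	return w.Zone, nil
}

// DecodeZonesNested is the fixed shape, modelling the full nesting.
func DecodeZonesNested(body []byte) ([]Zone, error) {
	var w nestedZones
	if err := decodeInto(body, &w); err != nil {
		return nil, err
	}
	return w.Firewall.Zone, nil
}

// RebuildPutBody shows what the old reset handler effectively sent: the zone
// rebuilt from whatever was decoded, with the reset leaf-list cleared. With a
// failed decode that is just the name, wiping action and address-sets.
func RebuildPutBody(name string, decoded []Zone) ([]byte, error) {
	z := Zone{Name: name}
	for _, d := range decoded {
		if d.Name == name {
			z = d
			break
		}
	}
	z.Interfaces = nil
	return json.Marshal(z)
}

// ResetRequests is the safe alternative: one DELETE per leaf-list instance
// (assumed RESTCONF path), so the reset cannot touch anything else in the zone.
func ResetRequests(z Zone) []string {
	reqs := make([]string, 0, len(z.Interfaces))
	for _, ifname := range z.Interfaces {
		reqs = append(reqs, fmt.Sprintf(
			"DELETE /restconf/data/infix-firewall:firewall/zone=%s/interface=%s", z.Name, ifname))
	}
	return reqs
}

func main() {
	body := []byte(sampleResponse)
	if _, err := DecodeZonesBare(body); err != nil {
		fmt.Println("bare wrapper:", err)
	}
	zones, _ := DecodeZonesNested(body)
	fmt.Println("nested wrapper:", zones)
	bad, _ := RebuildPutBody("lan", nil)
	fmt.Println("old reset would PUT:", string(bad))
	for _, r := range ResetRequests(zones[0]) {
		fmt.Println("safe reset issues:", r)
	}
}
```

The zero-value check is the cheap general guard for this bug class: any wrapper whose tags drift from the server's path shape fails loudly instead of feeding a zero port, zero stats or an empty zone into the next write.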
Closes #985 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Developer builds report the bare upstream U-Boot version, e.g. 2025.01, and are easily mistaken for release builds. Nothing stamps a local version on non-release builds to tell them apart. Write a .scmversion of -DEVEL from a pre-build hook when INFIX_RELEASE is unset, so developer builds report 2025.01-DEVEL. Release builds are left untouched. Closes #919 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Services could not bind to addresses not yet present on an interface, e.g. floating VIPs managed by a routing daemon, since nonlocal bind was left at the kernel default of disabled. Enable net.ipv4.ip_nonlocal_bind and net.ipv6.ip_nonlocal_bind among the router defaults in /etc/sysctl.d. Closes #1022 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Releases exposed the RAUC upgrade bundle only inside the per-arch tarball, and shipped no ready-to-flash Raspberry Pi image; users had to unpack the tarball or assemble an image from a separate bootloader. Upload output/images/*.pkg as its own artifact, and build an rpi64 SD card image in the aarch64 release leg before rootfs.squashfs is stripped from the tarball, combining it with the rpi64 bootloader from the latest-boot release. Publish both as release assets; the tarball still carries the .pkg too. Closes #1084 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Infix defines its own Kconfig options with unprefixed names (IMAGE_*, QEMU_*, TRUSTED_KEYS*) and an INFIX_ prefix. Unprefixed names risk clashing with Buildroot and with other br2-externals/spins that source our tree. Rename all 86 options to a common IX_ prefix, collapsing the existing INFIX_ ones, e.g. INFIX_IMAGE_ID becomes IX_IMAGE_ID. The os-release INFIX_DESC field is a runtime interface, not a Kconfig option, and is kept; the qemu Config.in generator's @arch@ symbol is updated to match. Closes #1305 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Description
Add support for firewall address-set (ipset) ACLs, with YANG actions to add/remove/flush dynamic entries on demand at runtime.
Also, some WebUI fixes to the firewall, and sibling wrappers.
We also introduce an optional download mirror mechanism, and a mirror sync script for setting up a local file server. This PR also enables the mirror in all local runners: build, build-boot, and release.
During the setup of the file server it was discovered that Arm and RISC-V builds did not use the pre-built Go toolchain, so a fix for that is also included.
There are a few other fixes as well, just to make sure it's a pure "misc" branch 😅
Checklist
Tick relevant boxes, this PR is-a or has-a: