Daniel Barlow 
							
						 
					 
					
						
						
							
						
						71aed767f2 
					 
					
						
						
							
							switch logtap to use fifo instead of af_unix
						
						
						
						
					 
					
						2025-10-08 20:10:11 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						a343e63231 
					 
					
						
						
							
							rename logshipper -> logtap  
						
						
						
						
						- it matches the executable name
- it doesn't ship anything anyway, it's just plumbing 
						
						
					 
					
						2025-10-08 20:10:11 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						cacde953cb 
					 
					
						
						
							
							don't ask chrony to drop privs, it needs libpcap  
						
						
						
						
					 
					
						2025-10-08 20:10:11 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						7e6a59631a 
					 
					
						
						
							
							firewall needs the secrets subscriber  
						
						
						
						
					 
					
						2025-08-12 20:07:39 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						f728b584a2 
					 
					
						
						
							
							add "nobody" user needed by rp-pppoe  
						
						
						
						
					 
					
						2025-04-14 21:27:44 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						210b41efc0 
					 
					
						
						
							
							improve robustness of ppp readiness notification  
						
						
						
						
						there was a race where ip-up could write ifname and then
ip6-up could write its outputs and then test ifname and
signal ready before ip-up had written the rest of its outputs 
						
						
					 
					
						2025-03-31 23:17:50 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						53c6d506cf 
					 
					
						
						
							
							dhcp6c subscribe to ppp ifindex  
						
						
						
						
						when the peer bounces ppp, s6 will restart the ppp process but not
restart the dependent services (because the service isn't considered
to have gone down)
so the dependent services need to notice when the outputs from ppp
have changed 
						
						
					 
					
						2025-03-31 23:15:28 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						01fe2159b4 
					 
					
						
						
							
							ppp: write ifindex as output  
						
						
						
						
						because what happens if the service is restarted but the new ppp0 is
a different interface than the old one so that services which had
bound to it with the old name are now not getting new data
(I am not 100% that this actually happens but it seems like it would
be good to avoid it if it does) 
						
						
					 
					
						2025-03-31 23:11:30 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						d7d19b5ed0 
					 
					
						
						
							
							dhcp6 client: fix service dir in address and prefix acquirers  
						
						
						
						
						the scripts now expect the actual service dir instead of the .outputs
subdir 
						
						
					 
					
						2025-03-31 23:06:40 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						ee683f2202 
					 
					
						
						
							
							firewall: fix syntax of icmp v4 rule  
						
						
						
						
					 
					
						2025-03-31 23:03:24 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						d9723aeb87 
					 
					
						
						
							
							secrets subscriber: make restart-all work  
						
						
						
						
					 
					
						2025-03-31 23:01:48 +01:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						46ed8f0199 
					 
					
						
						
							
							add bandwidth as a service option for ppp (l2tp, pppoe)  
						
						
						
						
					 
					
						2025-03-27 20:23:26 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						dd44fbaec1 
					 
					
						
						
							
							rate limit for v4 icmp  
						
						
						
						
					 
					
						2025-03-27 20:21:48 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						89065be6cd 
					 
					
						
						
							
							bandwidth is bits/second so divide by 8  
						
						
						
						
					 
					
						2025-03-27 20:21:14 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						420320e434 
					 
					
						
						
							
							firewall: remove unused args/names/vars  
						
						
						
						
					 
					
						2025-03-27 18:40:07 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						1a6160bcab 
					 
					
						
						
							
							firewall: show how to ratelimit icmp6 to 5% of available bandwidth
						
						
						
						
						it's a little klunky as yet, requires setting properties.bandwidth on
the interface service 
						
						
					 
					
						2025-03-25 23:53:02 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						e5cfd41013 
					 
					
						
						
							
							add nft_limit kmodule for rate limiting in firewall  
						
						
						
						
					 
					
						2025-03-21 21:19:48 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						2b0972ed73 
					 
					
						
						
							
							svc.open accepts a /nix/store folder not an outputs folder  
						
						
						
						
						this mostly makes things simpler 
						
						
					 
					
						2025-03-11 00:21:44 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						9ab77a7d7e 
					 
					
						
						
							
							remove unused function  
						
						
						
						
					 
					
						2025-03-09 20:44:35 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						c6918fec00 
					 
					
						
						
							
							firewall: use extraText for zone set contents  
						
						
						
						
						* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines
* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears 
						
						
					 
					
						2025-03-09 20:42:02 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						d4e46dbe28 
					 
					
						
						
							
							secrets/subscriber don't depend on the services we're watching  
						
						
						
						
						this means a watched service can stop and start without killing
the subscriber, and that we can watch for services that don't
yet exist 
						
						
					 
					
						2025-03-09 20:35:40 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						d1f87a56e0 
					 
					
						
						
							
							secrets/subscriber: use correct numbers for signals to s6-svc  
						
						
						
						
					 
					
						2025-03-09 20:34:29 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						6649ebeccd 
					 
					
						
						
							
							firewall: use watch-outputs to track changes in zone->interface map  
						
						
						
						
						includes a horrible hack to work around (claimed (by me)) deficiencies
in the nftables parser 
						
						
					 
					
						2025-02-28 00:43:20 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						0c406058e9 
					 
					
						
						
							
							remove acceptance of udp sport 5 on wan
						
						
						
						
						this was added for replies to dns queries but isn't needed for
that purpose as connection tracking does that anyway 
						
						
					 
					
						2025-02-12 21:54:01 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						19d441333c 
					 
					
						
						
							
							remove duplicate rule  
						
						
						
						
					 
					
						2025-02-10 23:50:07 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						a726c09ae4 
					 
					
						
						
							
							improve explanation of reverse path filtering rule
						
						
						
						
						thanks RoS for the references :-) 
						
						
					 
					
						2025-02-10 23:48:29 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						7e2b0068e6 
					 
					
						
						
							
							nixfmt-rfc-style  
						
						
						
						
						There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."
If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging 
						
						
					 
					
						2025-02-10 21:55:08 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						3f889c7119 
					 
					
						
						
							
							default firewall zones in gateway profile  
						
						
						
						
					 
					
						2025-02-10 21:21:08 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						7f17125039 
					 
					
						
						
							
							firewall: update zones with interface names as they appear  
						
						
						
						
					 
					
						2025-02-10 21:21:08 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						6587813577 
					 
					
						
						
							
							WIP add zones to firewall module  
						
						
						
						
						- zones are an attrset of name -> [interface-service]
- the firewall will create empty "ifname" sets for each zone name
 in each address family (ip, ip6)
- then watch the interface services, and add the "ifname" outputs
to the corresponding sets when they appear
This commit only adds the empty sets 
						
						
					 
					
						2025-02-10 21:21:08 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						1d780de0f1 
					 
					
						
						
							
							add (very basic) set support in firewallgen  
						
						
						
						
						and add sets for lan/wan/dmz/guest interface names to default
firewall rules 
						
						
					 
					
						2025-02-10 21:17:43 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						c92aacc6fd 
					 
					
						
						
							
							firewall rules: use @lan and @wan sets instead of ifnames  
						
						
						
						
						we don't have anything yet to create or populate the sets 
						
						
					 
					
						2025-02-06 09:22:41 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						f77da6f14c 
					 
					
						
						
							
							remove remaining refs to kexecboot  
						
						
						
						
					 
					
						2025-01-05 17:22:30 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						26f206d0e1 
					 
					
						
						
							
							phram dtb reserved-memory needs no-map  
						
						
						
						
						c.f. 69429404abarnout@bzzt.net > 
						
						
					 
					
						2025-01-04 23:50:44 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						13cb8d3692 
					 
					
						
						
							
							sort imports  
						
						
						
						
					 
					
						2025-01-03 15:41:22 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						62b7aea8ab 
					 
					
						
						
							
							add btrfs.nix to outputs imports  
						
						
						
						
					 
					
						2025-01-03 15:40:33 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						92284fa9ba 
					 
					
						
						
							
							mtdimage can't be a default import  
						
						
						
						
						it adds kernel config that depend on openwrt patches,
which aren't used/needed on all devices 
						
						
					 
					
						2025-01-03 00:19:17 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						74027b44d7 
					 
					
						
						
							
							extract log persistence config from s6 to new module  
						
						
						
						
						because it frobs kernel config, it breaks levitate
as levitate evalModules doesn't include the kernel 
						
						
					 
					
						2025-01-02 23:56:49 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						ea5370b3f4 
					 
					
						
						
							
							import mtdimage in outputs  
						
						
						
						
					 
					
						2025-01-02 23:37:07 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						7377f7ceb2 
					 
					
						
						
							
							implement mechanism for reverting from update.sh  
						
						
						
						
					 
					
						2025-01-02 22:19:49 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						cc94ef57fa 
					 
					
						
						
							
							in rc.init copy log from previous boot to place of safety  
						
						
						
						
					 
					
						2025-01-01 18:22:45 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						497307588f 
					 
					
						
						
							
							automate ubimage instructions a little  
						
						
						
						
					 
					
						2025-01-01 12:38:08 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						28d39cd66d 
					 
					
						
						
							
							provide etc/kconfig in updater output  
						
						
						
						
						this is for debugging/documentation purposes and isn't copied to the
device 
						
						
					 
					
						2025-01-01 11:55:33 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						f2e4e77d73 
					 
					
						
						
							
							firewall: don't use oifname in input rules  
						
						
						
						
						because it's empty, these are input rules for the local machine 
						
						
					 
					
						2024-12-29 23:17:31 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						4d273a9469 
					 
					
						
						
							
							dropbear would like /etc/shells to exist  
						
						
						
						
					 
					
						2024-12-29 13:27:49 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						40db175b41 
					 
					
						
						
							
							complain if user attempting to tftpboot a ubifs  
						
						
						
						
					 
					
						2024-12-29 13:26:45 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						ab07212a7e 
					 
					
						
						
							
							include jffs2 module per default  
						
						
						
						
						it has no effect unless enabled 
						
						
					 
					
						2024-12-29 13:26:06 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						294492a176 
					 
					
						
						
							
							jiggle imports  
						
						
						
						
					 
					
						2024-12-24 13:46:19 +00:00 
						 
				 
			
				
					
						
							
							
								Arnout Engelen 
							
						 
					 
					
						
						
							
						
						f8a275d1a3 
					 
					
						
						
							
							use Linux kernel sources associated with openwrt by default  
						
						
						
						
					 
					
						2024-12-24 12:30:15 +00:00 
						 
				 
			
				
					
						
							
							
								Daniel Barlow 
							
						 
					 
					
						
						
							
						
						bc20f4c6b7 
					 
					
						
						
							
							rt3200 test install  
						
						
						
						
					 
					
						2024-12-23 23:59:52 +00:00