feat: Upgrade OpenWrt to 24.10.5, migrate to nftables/fw4, update arc… #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

abewartech wants to merge 1 commit into oofnikj:master from abewartech:master

.gitlab-ci.yml

-Original file line number
+Diff line change
@@ -1,6 +1,6 @@
     variables:
       CI_IMAGE: $DOCKER_HUB_USER/openwrt
-      RELEASE: "19.07.7"
+      RELEASE: "24.10.5"
     .build:
       image: docker:latest
@@ Expand Down @@

Dockerfile

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -7,15 +7,22 @@ RUN opkg remove --force-depends \
  
          iw* && \

        opkg update && \

        opkg install luci \

          wpad-wolfssl \

          iw-full \

          wpad-basic-mbedtls \

          iw \

          ip-full \

          kmod-mac80211 \

          dnsmasq-full \

          iptables-mod-checksum

          luci-mod-rpc \

          luci-lib-ipkg \

          luci-compat \

          luasocket \

          irqbalance \

          zram-swap \

          kmod-nft-offload

    RUN opkg list-upgradable | awk '{print $1}' | xargs opkg upgrade || true

    RUN echo "iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill" >> /etc/firewall.user

    RUN mkdir -p /etc/nftables.d && \

        echo 'chain postrouting_mangle { type filter hook postrouting priority mangle; policy accept; udp dport 68 checksum fill; }' > /etc/nftables.d/10-checksum-fill.nft

    RUN sed -i '/^exit 0/i cat \/tmp\/resolv.conf > \/etc\/resolv.conf' /etc/rc.local

    ARG ts

build.sh

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -11,12 +11,12 @@ download_rootfs() {
  
    				version="https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2708/version.buildinfo"

    				gen_rootfs_from_img

    				return

    			elif [ "$ARCH" = "armvirt-32" ] ; then

    				rootfs_url="https://downloads.openwrt.org/snapshots/targets/armvirt/32/openwrt-armvirt-32-default-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/snapshots/targets/armvirt/32/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-64" ] ; then

    				rootfs_url="https://downloads.openwrt.org/snapshots/targets/armvirt/64/openwrt-armvirt-64-default-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/snapshots/targets/armvirt/64/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-32" ] || [ "$ARCH" = "armsr-armv7" ] ; then

    				rootfs_url="https://downloads.openwrt.org/snapshots/targets/armsr/armv7/openwrt-armsr-armv7-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/snapshots/targets/armsr/armv7/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-64" ] || [ "$ARCH" = "armsr-armv8" ] ; then

    				rootfs_url="https://downloads.openwrt.org/snapshots/targets/armsr/armv8/openwrt-armsr-armv8-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/snapshots/targets/armsr/armv8/version.buildinfo"

    			elif [ "$ARCH" = "x86-64" ] ; then

    				rootfs_url="https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/snapshots/targets/x86/64/version.buildinfo"

    @@ -27,18 +27,23 @@ download_rootfs() {
  
    		;;

    		*)

    			if [ "$ARCH" = "bcm2708" ] ; then

    				img_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/brcm2708/bcm2708/openwrt-${OPENWRT_SOURCE_VER}-brcm2708-bcm2708-rpi-squashfs-factory.img.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/brcm2708/bcm2708/version.buildinfo"

    				img_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/bcm27xx/bcm2708/openwrt-${OPENWRT_SOURCE_VER}-bcm27xx-bcm2708-rpi-squashfs-factory.img.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/bcm27xx/bcm2708/version.buildinfo"

    				gen_rootfs_from_img

    				return

    			elif [ "$ARCH" = "armvirt-32" ] ; then

    				rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/32/openwrt-${OPENWRT_SOURCE_VER}-armvirt-32-default-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/32/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-64" ] ; then

    				rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/64/openwrt-${OPENWRT_SOURCE_VER}-armvirt-64-default-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armvirt/64/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-32" ] || [ "$ARCH" = "armsr-armv7" ] ; then

    				rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv7/openwrt-${OPENWRT_SOURCE_VER}-armsr-armv7-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv7/version.buildinfo"

    			elif [ "$ARCH" = "armvirt-64" ] || [ "$ARCH" = "armsr-armv8" ] ; then

    				rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv8/openwrt-${OPENWRT_SOURCE_VER}-armsr-armv8-rootfs.tar.gz"

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/armsr/armv8/version.buildinfo"

    			elif [ "$ARCH" = "x86-64" ] ; then

    				rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-generic-rootfs.tar.gz"

    				# Filename pattern changed for x86-64 in newer releases (no more -generic)

    				if [ "$(echo ${OPENWRT_SOURCE_VER} | cut -d. -f1)" -ge 21 ]; then

    					rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-rootfs.tar.gz"

    				else

    					rootfs_url="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/openwrt-${OPENWRT_SOURCE_VER}-x86-64-generic-rootfs.tar.gz"

    				fi

    				version="https://downloads.openwrt.org/releases/${OPENWRT_SOURCE_VER}/targets/x86/64/version.buildinfo"

    			else

    				echo "Unsupported architecture!"

etc/config/firewall.tpl

-Original file line number
+Diff line change
@@ -0,0 +1,28 @@
+    config defaults
+    	option syn_flood '1'
+    	option input 'ACCEPT'
+    	option output 'ACCEPT'
+    	option forward 'REJECT'
+    	option flow_offloading '1'
+    	option flow_offloading_hw '0'
+    config zone
+    	option name 'lan'
+    	list network 'lan'
+    	option input 'ACCEPT'
+    	option output 'ACCEPT'
+    	option forward 'ACCEPT'
+    config zone
+    	option name 'wan'
+    	list network 'wan'
+    	list network 'wan6'
+    	option input 'REJECT'
+    	option output 'ACCEPT'
+    	option forward 'REJECT'
+    	option masq '1'
+    	option mtu_fix '1'
+    config forwarding
+    	option src 'lan'
+    	option dest 'wan'

openwrt.conf.example

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -2,16 +2,16 @@
  
    ## General

    # OpenWrt version. Set to 'snapshot' to build from latest snapshot

    OPENWRT_SOURCE_VER=19.07.7

    # Architecture: one of x86-64, armvirt-32 (Raspberry Pi 2 / 3 / 4),

    # armvirt-64 (Raspberry Pi 3 / 4 running 64-bit OS, ODroid-C2 or similar),

    OPENWRT_SOURCE_VER=24.10.5

    # Architecture: one of x86-64, armsr-armv7 (Raspberry Pi 2 / 3 / 4 / 5),

    # armsr-armv8 (Raspberry Pi 3 / 4 / 5 running 64-bit OS),

    # or bcm2708 (Raspberry Pi Zero)

    ARCH=x86-64

    # Image & tag for pre-built Docker image, or if building locally

    IMAGE=oofnik/openwrt

    TAG=latest

    # container name

    CONTAINER=openwrt_1

    CONTAINER=openwrt_24

    # optional additional Docker create args, e.g. for PPPoE "--device /dev/ppp"

    ADDITIONAL_DOCKER_CREATE_ARGS=""

run.sh

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -122,6 +122,12 @@ _create_or_start_container() {
  
    			--sysctl net.netfilter.nf_conntrack_acct=1 \

    			--sysctl net.ipv6.conf.all.disable_ipv6=0 \

    			--sysctl net.ipv6.conf.all.forwarding=1 \

    			--sysctl net.core.rmem_max=16777216 \

    			--sysctl net.core.wmem_max=16777216 \

    			--sysctl net.ipv4.tcp_rmem="4096 87380 16777216" \

    			--sysctl net.ipv4.tcp_wmem="4096 65536 16777216" \

    			--sysctl net.core.netdev_max_backlog=5000 \

    			--sysctl net.core.somaxconn=1024 \

    			${ADDITIONAL_DOCKER_CREATE_ARGS} --name $CONTAINER $IMAGE:$TAG >/dev/null

    		docker network connect $WAN_NAME $CONTAINER

    @@ -133,12 +139,17 @@ _create_or_start_container() {
  
    _reload_fw() {

    	echo "* reloading firewall rules"

    	docker exec -i $CONTAINER sh -c '

    		for iptables in iptables ip6tables; do

    			for table in filter nat mangle; do

    				$iptables -t $table -F

    		if command -v fw4 >/dev/null; then

    			nft flush ruleset

    			/sbin/fw4 -q restart

    		else

    			for iptables in iptables ip6tables; do

    				for table in filter nat mangle; do

    					$iptables -t $table -F

    				done

    			done

    		done

    		/sbin/fw3 -q restart'

    			/sbin/fw3 -q restart

    		fi'

    }

    _prepare_wifi() {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Upgrade OpenWrt to 24.10.5, migrate to nftables/fw4, update arc… #40

Uh oh!

Diff view

Diff view

There are no files selected for viewing

feat: Upgrade OpenWrt to 24.10.5, migrate to nftables/fw4, update arc… #40

Are you sure you want to change the base?

Uh oh!

feat: Upgrade OpenWrt to 24.10.5, migrate to nftables/fw4, update arc… #40

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing