
h1. Torouter

h2. Steph's notes

h3. Firewall, startup/config scripts:

Rules are generated from scripts like the ones in /lib/firewall/, etc. They come from OpenWRT and most people don't quite understand them. So it's not necessary to understand, say, the mangle table to be able to replicate the rules or get them to work with Tor. I think Tor has a couple of rules it needs which can be configured with UCI, and that's about it. How does the TorRouter do it?

<pre>/lib/firewall

config_foreach  fw_load_forwarding  forwarding
                       \            /
                        \          /
                       callback function


/etc/config/whatever

    module  -  section  -  variable

    config defaults
       type       name
        /          /
    config interface loopback
                    not necessary to specify name,
                    UCI can generate one
                    uci -x
                    firewall.config   (ac?) 2df3
</pre>


Init scripts often have a bit that parses /etc/config/whatever into whatever's low-level config file. For the firewall, this turns /etc/config/firewall → netfilter:

<pre>/etc/init.d/… calls /lib/firewall/core —> /lib/firewall/fw.s</pre>
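The config_foreach → callback flow sketched above, as an added example (not OpenWRT's /lib/firewall code): a small POSIX sh re-implementation of the UCI load/foreach idiom run over a constructed /etc/config/firewall fragment. uci_parse, the global FW_CONFIG and the cfgN section naming are simplifications assumed here; real UCI hashes anonymous section names and config_foreach reads state loaded by config_load.

```shell
#!/bin/sh
# Minimal re-implementation of the config_load/config_foreach idiom used by
# OpenWRT's /lib/firewall scripts (added example, not OpenWRT's own code).
# The /etc/config/firewall text below is CONSTRUCTED, not read from a node.
FW_CONFIG='
config defaults
	option input ACCEPT

config forwarding
	option src lan
	option dest wan

config forwarding
	option src mesh
	option dest wan
'

# uci_parse TEXT: one line per section, "<type> <name> key=val key=val ...".
# Anonymous sections get generated names (cfg1, cfg2, ...); real UCI uses
# hashed names like cfg0a1b2c, but the idea is the same.
uci_parse() {
	printf '%s\n' "$1" | awk '
	function flush() { if (type != "") print type, name, opts }
	$1 == "config" { flush(); type = $2; n++
	                 name = ($3 != "") ? $3 : ("cfg" n); opts = "" }
	$1 == "option" { opts = (opts == "" ? "" : opts " ") $2 "=" $3 }
	END { flush() }'
}

# config_foreach CALLBACK TYPE: run CALLBACK once per section of TYPE with
# the section name and its options, just as fw_load_forwarding is invoked
# once per "config forwarding" section.
config_foreach() {
	cb=$1; want=$2
	uci_parse "$FW_CONFIG" | while read -r type name opts; do
		if [ "$type" = "$want" ]; then "$cb" "$name" $opts; fi
	done
}

# Callback: turn a forwarding section into the netfilter rule an init script
# would emit (printed, not executed). eval is fine on this constructed input
# but would be unsafe on a config an untrusted user can write.
fw_load_forwarding() {
	name=$1; shift
	for kv in "$@"; do eval "${kv%%=*}=\"${kv#*=}\""; done
	echo "iptables -A forward -i $src -o $dest -j ACCEPT  # from section $name"
}
```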

h3. OpenWRT's fw startup script

Has complicated bash commands that write the firewall at runtime. UCI also supports includes, such as a firewall ruleset. The bash scripts read the UCI file.

<pre>fx: setup_interface_meshif

env -i ACTION … hotplug-call "iface" → /etc/hotplug.d/iface/20firewall
    → turns fw up and down when iface changes
      (might reconfig daemon and restart)

/etc/config/network

option proto static
    gets interpreted by init scripts,
    which look for a fx called setup_interface_<name-of-protocol></pre>

h3. Adding a new user without resorting to /etc/passwd and shadow

Made a /etc/config/user file. But neither uci commit nor reboot caused a user to show up in /etc/passwd. Uci commit makes sense b/c that's used to take changes stored in flash from a config change through the gui or some programmatic change, and writes it to a config file, I think. But the reboot is annoying.

Per Josh and Seamus, that file isn't going to work except with the Racoon-brand ipsec, as mentioned in the OpenWRT docs. That's the only thing that has hooks for it.

Vanilla openwrt's passwd file is here, and does indeed contain the contents that we see on a commotion node: <pre>DR1/commotion-openwrt/openwrt/package/base-files/files/etc</pre>

<pre>cp -a tor-openwrt and tor-openwrt-luci oti/commotion/DR1-0403/commotion-openwrt/openwrt/package

steph@cercis:~/per/projects/2013-projects/oti/commotion/DR1-0403/commotion-openwrt/openwrt$ make Package/tor-alpha-openwrt/install
make[1] Package/tor-alpha-openwrt/install
make -r Package/tor-alpha-openwrt/install: build failed. Please re-run make with V=s to see what's going on
make: *** [Package/tor-alpha-openwrt/install] Error 1</pre>

The tor make process creates this file, which contains the passwd and shadow mods: <pre>/home/steph/per/projects/2013-projects/oti/commotion/DR1-0403/commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-</pre>

I think it just didn't get executed. But apparently it needs to be executed during the build process b/c it gets the value of


from somewhere upstream. -I think I figured out something about this…

h3. Where does init.d come from?

<pre>Pare this down so it makes sense.

steph@temp:~/per/projects/2013-projects/oti/commotion/DR1-0403$ find . -name init.d
./commotion-openwrt/openwrt/staging_dir/target-mips_r2_uClibc-
./commotion-openwrt/openwrt/package/qos-scripts/files/etc/init.d
./commotion-openwrt/openwrt/package/netifd/files/etc/init.d
./commotion-openwrt/openwrt/package/broadcom-wl/files/etc/init.d
./commotion-openwrt/openwrt/package/base-files/files/etc/init.d
./commotion-openwrt/openwrt/build_dir/linux-ar71xx_generic/trelay-0.1/ipkg-ar71xx/kmod-trelay/etc/init.d
./commotion-openwrt/openwrt/build_dir/linux-ar71xx_generic/base-files/ipkg-ar71xx/base-files/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-
./commotion-openwrt/openwrt/feeds/commotion/packages/serval-dna/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/net/<architecture>/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/utils/wview/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/utils/pcmciautils/files/etc/init.d
./commotion-openwrt/openwrt/feeds/luci/freifunk-common/files/etc/init.d
./commotion-openwrt/openwrt/feeds/luci/freifunk-policyrouting/files/etc/init.d
./commotion-openwrt/openwrt/target/linux/<architecture>/base-files/etc/init.d</pre>

h3. NVRAM, How Rules Get Loaded

OpenWRT changed to UCI, which minimizes writes to flash memory and keeps a lot of runtime state in /var/state (for example, cat /var/state/network). Prior to that, NVRAM would get written to a lot, which wears out the flash storage.

h3. Hotplug

OpenWRT runs a hotplug daemon (like HAL) that accepts events from the kernel and runs commands.

Examples: USB devices, or interfaces going up and down. It's a way to asynchronously load fx's.

Knowing this can avoid some confusion. On a normal system, you'd expect certain actions to be triggered by config files that you can read. But there are lots of instances in Commotion when it's acting a certain way, you want to find out what's causing it, and you want to tear your hair out b/c none of the config files you're reading look like they should cause the behavior. It could be the hotplug daemon accepting kernel events.
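Both mechanisms described above (the setup_interface_&lt;proto&gt; lookup in the /etc/config/network notes and the hotplug daemon firing scripts out of /etc/hotplug.d) as one added example, not OpenWRT's or Commotion's own code: the handler functions, the throwaway hotplug.d directory and its two scripts are constructed for the demo, and /bin/sh stands in for the real hotplug-call binary.

```shell
#!/bin/sh
# Added example (not OpenWRT's code): how "option proto X" in
# /etc/config/network becomes a call to setup_interface_X, and how a hotplug
# event runs the scripts in a subsystem directory. Names here are constructed.

# One handler per protocol; the init script never branches on the proto
# name itself, it just resolves setup_interface_<proto> as a function.
setup_interface_static() { echo "static: ifconfig $1 ${2:-0.0.0.0}"; }
setup_interface_dhcp()   { echo "dhcp: udhcpc -i $1"; }

# setup_interface IFACE PROTO [ARGS...]: look the handler up by name.
# An unknown proto is reported rather than silently skipped.
setup_interface() {
	iface=$1; handler="setup_interface_$2"; shift 2
	if command -v "$handler" >/dev/null 2>&1; then
		"$handler" "$iface" "$@"
	else
		echo "no handler for proto '${handler#setup_interface_}'" >&2
		return 1
	fi
}

# hotplug_call DIR ACTION IFACE: the spirit of
# `env -i ACTION=ifup INTERFACE=lan hotplug-call iface`: every script in DIR
# runs in name order with a clean environment, so 20firewall always runs
# after 10log no matter which package installed it first.
hotplug_call() {
	for script in "$1"/*; do
		[ -f "$script" ] || continue
		env -i ACTION="$2" INTERFACE="$3" /bin/sh "$script"
	done
}

# demo_hotplug: build a throwaway hotplug.d/iface with two constructed
# scripts, fire an ifup for "mesh", and return their output in run order.
demo_hotplug() {
	d=$(mktemp -d)
	printf 'echo "10log: $ACTION $INTERFACE"\n' > "$d/10log"
	printf 'echo "20firewall: reload fw because $INTERFACE went $ACTION"\n' > "$d/20firewall"
	hotplug_call "$d" ifup mesh
	rm -rf "$d"
}
```

This is why a behaviour can have no visible cause in /etc/config: the trigger is a kernel event delivered to a script under /etc/hotplug.d, not a config option.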

<pre>UCI CBI (config interface) - (is LuCI's MVC?)

model for LuCI
like a database.
How LuCI interacts with UCI data on the node
Think of it like SQL for UCI

  Model        View        Controller
    |                          |
   data                accepts events and mediates b/t model and view</pre>

h3. Tor setbacks

User doesn't get created if you bake Tor into an image instead of installing it after build with opkg. I think I solved this or got close…document the pros and cons of what Will and I talked about

Various errors get thrown

What you really want is not just a route from anywhere on the mesh to a transparent proxy, but rather a tunnel from any mesh node to that proxy. That's the way that traffic from the mesh will get to the internet via that Tor node.

development_resources/experimental/tor_router_on_openwrt.txt · Last modified: 2013/11/08 20:26 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported