h1. Torouter

h2. Steph's notes

h3. Firewall, startup/config scripts:

Rules are generated from scripts like /lib/firewall/config.sh, core.sh, etc.  They come from OpenWRT and most people don't quite understand them.  So it's not necessary to understand, say, the mangle table to be able to replicate the rules or get them to work with Tor.  I think Tor has a couple of rules it needs which can be configured with UCI, and that's about it.  How does the TorRouter do it?

<pre>
/lib/firewall
    config.sh
    core.sh
        config -- foreach fw_load_forwarding forwarding
                       \ /
                 callback function

/etc/config/whatever
        |
        \/
    module - section - variable
                /
        config defaults

            type       name
              /          /
    config interface loopback
        not necessary to specify name,
        UCI can generate
    uci -x
    firewall.config   (ac?) 2df3
</pre>

Init scripts often have a bit that parses /etc/config/whatever into whatever's low-level config file.  For the firewall, this turns /etc/config/firewall into netfilter rules:
<pre>/etc/init.d/... calls /lib/firewall/core ---> /lib/firewall/fw.s</pre>

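An added example, not code from these notes, OpenWrt or Commotion: a small sh/awk reader that walks the package -> section -> option structure sketched above without the uci binary, which is handy on the build host for inspecting a config under staging_dir/.../root-ar71xx/etc/config. The function names, the constructed sample config and its port numbers are this example's own; unnamed sections are addressed as @type[n], the way uci show prints them.

```shell
#!/bin/sh
# Added example, not code from these notes, OpenWrt or Commotion: read a UCI
# file the way the notes lay it out (package file -> "config <type> [name]"
# sections -> option/list lines) without the uci binary, e.g. on the build
# host against staging_dir/.../root-ar71xx/etc/config/firewall. Unnamed
# sections are addressed as @type[n], n counting every section of that type.

# uci_get FILE SECTION OPTION -> prints the value(s); exit 1 if absent.
# Limitation: quoted values containing whitespace are not handled.
uci_get() {
    awk -v want="$2" -v opt="$3" '
        function unq(s) { gsub(/^["'\'']|["'\'']$/, "", s); return s }
        $1 == "config" {
            idx = count[$2]++                  # position among this type
            anon = "@" $2 "[" idx "]"          # positional name, as uci show
            name = (NF >= 3) ? unq($3) : anon
            insec = (name == want || anon == want)
            next
        }
        insec && ($1 == "option" || $1 == "list") && $2 == opt {
            print unq($3); found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample, not from a real node: two lan redirects of the kind a
# transparent Tor proxy uses (ports are this example's choice); 2nd is unnamed.
write_sample() {
    cat > "$1" <<'EOF'
config redirect 'tor_dns'
    option src 'lan'
    option src_dport '53'
    option dest_port '9053'

config redirect
    option src 'lan'
    option dest_port '9040'
EOF
}

# Stand-alone demo; the functions above are what a caller would reuse.
if [ $# -eq 3 ]; then
    uci_get "$@"
else
    f=$(mktemp); write_sample "$f"
    uci_get "$f" tor_dns dest_port          # 9053
    uci_get "$f" '@redirect[1]' dest_port   # 9040
    rm -f "$f"
fi
```
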
h3. OpenWRT's fw startup script

Has complicated Bash commands that write the firewall at runtime.  UCI also supports includes, such as a firewall ruleset.  The Bash scripts read the UCI file.

<pre>Commotion.sh
    fx: setup_interface_meshif
        env -i ACTION ... hotplug-call "iface" -> /etc/hotplug.d/iface/20firewall -> turns fw up and down when iface changes
                                                                    /olsrd
                                                                    /masq        might reconfig daemon and restart
/etc/config/network
    |
    option proto static
                 dhcp
    gets interpreted by init scripts
    looks for fx called setup_interface_name-of-protocol</pre>

h3. Adding a new user without resorting to /etc/passwd and shadow

http://wiki.openwrt.org/doc/uci/users

Made a /etc/config/user file.  But neither uci commit nor reboot caused a user to show up in /etc/passwd.  Uci commit makes sense b/c that's used to take changes stored in flash from a config change through the GUI or some programmatic change, and writes it to a config file, I think.  But the reboot is annoying.

Per Josh and Seamus, that file isn't going to work except with the Racoon-brand IPsec, as mentioned in the OpenWRT docs.  That's the only thing that has hooks for it.

Vanilla OpenWRT's passwd file is here, and does indeed contain the contents that we see on a Commotion node:
<pre>DR1/commotion-openwrt/openwrt/package/base-files/files/etc</pre>


<pre>cp -a tor-openwrt and tor-openwrt-luci oti/commotion/DR1-0403/commotion-openwrt/openwrt/package
  SECTION:=net
  CATEGORY:=Network
  SECTION:=luci
  CATEGORY:=LuCI

steph@cercis:~/per/projects/2013-projects/oti/commotion/DR1-0403/commotion-openwrt/openwrt$ make Package/tor-alpha-openwrt/install
 make[1] Package/tor-alpha-openwrt/install
make -r Package/tor-alpha-openwrt/install: build failed. Please re-run make with V=s to see what's going on
make: *** [Package/tor-alpha-openwrt/install] Error 1</pre>

The tor make process creates this file, which contains the passwd and shadow mods:
<pre>/home/steph/per/projects/2013-projects/oti/commotion/DR1-0403/commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/tor-0.2.3.19-rc/ipkg-ar71xx/tor-alpha-openwrt/CONTROL/postinst</pre>

I think it just didn't get executed.  But apparently it needs to be executed during the build process b/c it gets the value of <code>${IPKG_INSTROOT}</code> from somewhere upstream. - I think I figured out something about this...

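An added example of what such a postinst has to do, written here and not taken from the notes or the tor-openwrt package: it creates the unprivileged tor account idempotently whether opkg runs it on the device (IPKG_INSTROOT empty) or the image build runs it against the staging rootfs (IPKG_INSTROOT set), the case the notes describe as not happening. uid/gid 52, /var/lib/tor and the function names add_tor_user and count_tor_entries are this example's own assumptions.

```shell
#!/bin/sh
# Added example of a CONTROL/postinst, not the page's or the tor-openwrt
# package's own script. opkg runs postinst with IPKG_INSTROOT empty on a live
# device; the image build runs it with IPKG_INSTROOT pointing at the staging
# rootfs. Writing to "$IPKG_INSTROOT/etc/..." covers both cases, so the user
# exists in the baked image too. uid/gid 52 and /var/lib/tor are assumptions.

# add_tor_user ROOT   (ROOT = "" for the running system)
# Returns 1 if the account files are missing rather than creating a partial
# account; safe to run repeatedly (reinstall, reboot).
add_tor_user() {
    root="$1"
    passwd="$root/etc/passwd"; group="$root/etc/group"; shadow="$root/etc/shadow"
    [ -f "$passwd" ] && [ -f "$group" ] || return 1
    grep -q '^tor:' "$group"  || echo 'tor:x:52:' >> "$group"
    # no login shell: the daemon account cannot be used interactively
    grep -q '^tor:' "$passwd" || echo 'tor:x:52:52:tor:/var/lib/tor:/bin/false' >> "$passwd"
    # '*' in the password field locks the account where shadow is in use
    if [ -f "$shadow" ] && ! grep -q '^tor:' "$shadow"; then
        echo 'tor:*:0:0:99999:7:::' >> "$shadow"
    fi
    mkdir -p "$root/var/lib/tor"
    # ownership can only be set on the live system (needs root privileges)
    [ -n "$root" ] || chown 52:52 "$root/var/lib/tor"
    return 0
}

# count_tor_entries ROOT: how many passwd lines name the tor user (expect 1)
count_tor_entries() { grep -c '^tor:' "$1/etc/passwd"; }

# Only act when installed as the package's postinst, so sourcing this file
# elsewhere (e.g. for testing) never touches the host's account files.
case "${0##*/}" in
    postinst) add_tor_user "$IPKG_INSTROOT" ;;
esac
```
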
h3. Where does init.d come from?

<pre>Pare this down so it makes sense.
steph@temp:~/per/projects/2013-projects/oti/commotion/DR1-0403$ find . -name init.d
./commotion-openwrt/openwrt/staging_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/etc/init.d
./commotion-openwrt/openwrt/package/qos-scripts/files/etc/init.d
./commotion-openwrt/openwrt/package/netifd/files/etc/init.d
./commotion-openwrt/openwrt/package/broadcom-wl/files/etc/init.d
./commotion-openwrt/openwrt/package/base-files/files/etc/init.d
./commotion-openwrt/openwrt/build_dir/linux-ar71xx_generic/trelay-0.1/ipkg-ar71xx/kmod-trelay/etc/init.d
./commotion-openwrt/openwrt/build_dir/linux-ar71xx_generic/base-files/ipkg-ar71xx/base-files/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/busybox-1.19.4/ipkg-ar71xx/busybox/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/tor-0.2.3.19-rc/ipkg-ar71xx/tor-alpha-openwrt/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/freifunk-watchdog/ipkg-ar71xx/freifunk-watchdog/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/qos-scripts/ipkg-all/qos-scripts/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/ubus-2013-01-13/ipkg-ar71xx/ubusd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/netifd-2013-01-29.2/ipkg-ar71xx/netifd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/avahi/nodbus/avahi-0.6.31/ipkg-ar71xx/avahi-daemon/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/freifunk-p2pblock/ipkg-ar71xx/freifunk-p2pblock/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/root-ar71xx/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/etherwake-1.09.orig/ipkg-ar71xx/etherwake/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/serval-dna-batphone-release-0.90/ipkg-ar71xx/serval-dna/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/commotion-daemon-bundle/commotion-daemon-bundle-master/ipkg-ar71xx/commotiond/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/commotion-daemon-bundle/commotion-daemon-bundle-master/openwrt/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/tor-0.2.3.22-rc/ipkg-ar71xx/tor-alpha/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/uhttpd-2012-10-30/ipkg-ar71xx/uhttpd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/dropbear-2011.54/ipkg-ar71xx/dropbear/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/contrib/package/freifunk-common/files/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/contrib/package/freifunk-policyrouting/files/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/ipkg-ar71xx/luci-app-statistics/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/ipkg-ar71xx/luci-mod-admin-core/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/ipkg-ar71xx/luci-app-firewall/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/ipkg-ar71xx/luci-app-splash/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/modules/admin-core/dist/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/modules/admin-core/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/libs/lucid/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-firewall/dist/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-firewall/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-splash/dist/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-splash/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-statistics/dist/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-statistics/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/luci-0.11.1/applications/luci-pbx/root/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/ahcpd-0.53/ipkg-ar71xx/ahcpd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/rng-tools-3/ipkg-ar71xx/rng-tools/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/freifunk-policyrouting/ipkg-ar71xx/freifunk-policyrouting/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/dnsmasq-nodhcpv6/dnsmasq-2.62/ipkg-ar71xx/dnsmasq/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/relayd-2011-10-24/ipkg-ar71xx/relayd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/olsrd-release-0.6.5/ipkg-ar71xx/olsrd/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/firewall-2/ipkg-all/firewall/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/n2n-3875/ipkg-ar71xx/n2n/etc/init.d
./commotion-openwrt/openwrt/build_dir/target-mips_r2_uClibc-0.9.33.2/collectd-4.10.7/ipkg-ar71xx/collectd/etc/init.d
./commotion-openwrt/openwrt/feeds/commotion/packages/serval-dna/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/net/<architecture>/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/utils/wview/files/etc/init.d
./commotion-openwrt/openwrt/feeds/packages/utils/pcmciautils/files/etc/init.d
./commotion-openwrt/openwrt/feeds/luci/freifunk-common/files/etc/init.d
./commotion-openwrt/openwrt/feeds/luci/freifunk-policyrouting/files/etc/init.d
./commotion-openwrt/openwrt/target/linux/<architecture>/base-files/etc/init.d</pre>

h3. NVRAM, How Rules Get Loaded

OpenWRT changed to UCI, which minimized writes to flash memory and loads a bunch of state into /var/state (for example, cat /var/state/network).  Prior to that, NVRAM would get written to a lot, which wears out the flash storage.

h3. Hotplug

OpenWRT runs a hotplug daemon, like HAL: it accepts events from the kernel and runs commands.
    Ex: USB devices, or interfaces going up and down
    a way to asynchronously load fx's

Knowing this can avoid some confusion.  On a normal system, you'd expect certain actions to be triggered by config files that you can read.  But there are lots of instances in Commotion when it's acting a certain way, you want to find out what's causing it, and you want to tear your hair out b/c none of the config files you're reading look like they should cause the behavior.  It could be the hotplug daemon accepting kernel events.

<pre>UCI
CBI (config interface) - (is LuCI's MVC?)
    model for LuCI
    like a database.
    How LuCI interacts with UCI data on the node
    Think of it like SQL for UCI

Model             View               Controller
data              representation     accepts events and mediates b/t model and view</pre>

h3. Tor setbacks

User doesn't get created if you bake Tor into an image instead of installing it after build with opkg.  I think I solved this or got close... document the pros and cons of what Will and I talked about.

Various errors get thrown.

What you really want is not just a route from anywhere on the mesh to a transparent proxy, but rather a tunnel from any mesh node to that proxy.  That's the way that traffic from the mesh will get to the internet via that Tor node.

development_resources/experimental/tor_router_on_openwrt.txt · Last modified: 2013/11/08 20:26 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported