Divested-WRT: No-nonsense hardened builds for Linksys WRT series

What unset Kconfig are you running into, I'm not seeing any.

@SkewedZeppelin
Thanks for the prompt response.
I got these when I ran 'make nconfig'

nn@m142 openwrt]$ make nconfig
tmp/.config-package.in:127845:error: recursive dependency detected!
tmp/.config-package.in:127845:	symbol PACKAGE_ethtool-full depends on PACKAGE_ethtool
tmp/.config-package.in:127832:	symbol PACKAGE_ethtool is selected by PACKAGE_ethtool-full
For a resolution refer to Documentation/kbuild/kconfig-language.rst
subsection "Kconfig recursive dependency limitations"

I ignore this and run 'make -j9' then I get

[nn@m142 openwrt]$ make -j9
make[2]: Entering directory '/home/nn/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/nn/openwrt/scripts/config'
time: target/linux/prereq#0.29#0.07#0.37
 make[1] world
 make[2] package/cleanup
 make[2] target/compile
 make[3] -C target/linux compile
    ERROR: target/linux failed to build.
make -r world: build failed. Please re-run make with -j1 V=s or V=sc for a higher verbosity level to see what's going on
make: *** [/home/nn/openwrt/include/toplevel.mk:230: world] Error 1
[nn@m142 openwrt]$ 

I think i has something to do with interactive questions that @adworacz mentioned in his post, because when I run make with -j1 and V=s and press ENTER a few times and the build went OK.

press ENTER a few times and the build went OK.

If you are using an old copy of my patches, you should update them.

Likely this: https://github.com/divestedcg/Divested-WRT/blame/master/patches/0003-kernel-generic-5.10-config-hardening.patch#L37

Also relevant: PureFusion - wrt3200acm, wrt32x, wrt1200ac, wrt1900acs, wrt1900acV1, wrt1900acV2 Builds - #80 by RaZi3L

If you pick my patches, do check them for updates :wink:

1 Like

@adworacz
Thanks! I will try 'make -j9 V=s'

@SkewedZeppelin
That must be it. I just followed the instructions to update the build and did not re-apply the patches. I will try it now.

Thanks again!

I'll have to check again but I've run into this every time I make a new build of late, even with a make clean/git pull/make nconfig

Ahhh gotcha, I did a cursory glance, but maybe this was my problem, my patches were older than your 8/10 update.

@SkewedZeppelin
What is the best way to use your updated patches when trying to update my own build?

I have replaced the patches in the patches/ directory with the new ones.
TIA

@nn5

If you have no additional patches applied on top, something like:

cd ..
git clone https://github.com/divestedcg/divested-wrt.git
cd openwrt
git add -A && git reset --hard origin/master
git am ../divested-wrt/patches/*.patch
1 Like

I use make -j $(nproc) - never had a hiccup unless I messed up.

1 Like

@batkung,

Interested in your experience since I also have the WRT1900ACS(v2).

Do you have any Android devices on the router? We're entirely android here so the disconnect issue would hurt. I thought I saw some reports that advanced reboot was broken here too, but that doesn't look consistent. I'd want the reboot options so I could bounce back and forth as I bring up the new config.

I have a lot of work for the DSA conversion. My VLAN setup isn't crazy, and I wipe router settings on each upgrade. I have UCI scripts that reapply all my configs, and it took a while to get all the syntax correct but then it was golden for years.

There is a fair amount of change with all the interface/device renaming etc. Probably a fair amount of rescripting for me here.

tbh all I have done is install r17246 from the factory img with no settings preserved, then I restored my config files from an earlier build where I was having issues rebooting (it wouldn't reboot even if I tried from inside ssh) and then installed openvpn and the luci front end for it

I have an nvidia shield and an android TV and have no issues (although they are setup with wired connections)..the only wifi devices in my apartment are apple based.

if you are going from a david build to divested I would go the factory img route (although I actually reverted my router back to linksys firmware first (cos I had previously bricked the david build while messing with the vlan settings and had to restore via a serial cable to the PCB) and then went straight to divested.

I did have an issue with openvpn but that was due to me having multiple .conf files in the /etc/openvpn folder (the documentation for openvpn doesn't mention that this is not a good thing to have cos the openvpn will try to start all of the conf settings in that folder)

there was a fix I saw mentioned that had the wifi lease time set to a larger number, but I never implemented it and I'm running fine here.

good luck if you decide to go through with changing over to divested, it wasn't as painful as I thought it was going to be and it feels much safer knowing I'm running a build that is still supported.

@SkewedZeppelin Just wanted to let you know - refreshing your patches did the trick with my builds ("press enter a few times"). I can now successfully build with no input from me.

Thanks for letting me know what I was doing wrong.

Hi All,

Bit of a lurker here. I've been using the Divested builds coming from David's builds which worked very well on my WRT3200ACM. I think the Divested-WRT SNAPSHOT r17319+10-1c9a9f7c7a build was working well. Before that I had all the same issues as many of you particularly with Apple devices having a wireless connection, but not being able to get to the internet or even connect to the router using the IP address. I recently updated the Divested build however and have started having issues again. I'm not sure exactly what is happening, but thought I'd add this comment as a data point. Thanks

5 Likes

If we can confirm that build works by checking out the commit in question and rebuilding, we might be able to bisect and figure out the issue. I’ll look into doing something like this soon.

It looks like the kernel log menu item on Luci web interface disappears in the latest master branch build. Does anyone know how to get it back? TIA.

It is there for me under the first drop down.

Weird! I only see 'System Log' but no 'Kernel Log' with my newest build (r17467):

Yep it has been moved:

1 Like

Hi!
David's thread got closed so I will hijack this thread now :open_mouth:

Regarding this patch:
700-mvneta-tx-queue-workaround.patch
That forces all tx interrupt to CPU 0.
(there is also a generic function to do this dev_pick_tx_zero.
There is also dev_pick_tx_cpu_id which makes XPS actually work.)

// edit
No need for the dev_pick_tx_cpu_id generic function to make xps work.
Just remove the 700-mvneta-tx-queue-workaround.patch
Set rxq_number and txq_number to 2
Disable packet steering in OpenWRT
This will map 1 RX and 1 TX to each CPU.
But RPS is disabled by default so all interrupts for rxq land on CPU0
The TX queues get automatically spread over CPU0 and CPU1.

I always wondered why not just set the tx queues to 1 at the driver level.
But that doesn't work.
Changing txq_number in mvneta.c to 1 breaks the Ethernet functionality.
However removing (@line ~1475 and 4186, not sure if both are needed):

if (txq_number == 1)
	txq_map = (cpu == pp->rxq_def) ?
		MVNETA_CPU_TXQ_ACCESS(1) : 0;

Does make it work.
(Why is this MVNETA_CPU_TXQ_ACCESS(1) and not MVNETA_CPU_TXQ_ACCESS(0) ?)

// edit
Yes this must be MVNETA_CPU_TXQ_ACCESS(0) then it is possible to use txq_number 1.

 tc -s -d qdisc show dev eth0
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 12730627944 bytes 11558733 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

And gets rid off the mq multiqeue.

So why does the if statement break the functionality?
// edit
See Above

The entire "rx/tx give cpu access" function iterates over all CPUs / tx/rx queues and sets the CPU queue access map with the help of modulo. (Is modulo 0 standardized ? What is the expected return value? 0?)

So...

  • iterate over CPUs,
  • iterate over the queues (rx/tx) decide with the help of modulo if CPU gets access
  • Update txq/rxq_map every time with helper functions MVNETA_CPU_T/RXQ_ACCESS
  • Write the CPU Map to register.

I guess setting tx/rx map to 0 removes all access?

When the loop hits if (txq_number == 1) ...
Check if the current CPU equals rxq_def
(rxq_def defines the default receive queue?
Where is this set?)
If Yes give the CPU access to tx queue 1 other set it 0 and remove all access.

So why does this not work?

There is was a commit for 3700.
3700 can only serve interrupts on CPU 0.
Why is the access map set to access all CPUs? When 3700 can only serve interrupts on CPU0?
(MVNETA_CPU_T/RXQ_ACCESS_ALL_MASK)

Anyway current setup is now:
My current setup:
2 RX Queues (1 for each CPU)
1 TX Queue

And replaced the eth0 qdisc with a simple low overhead one, pfifo/pfifo_fast
sqm on wan interface.
Obviously, this breaks hotplug (but doesn't work anyway).

I think Intel nics do the same? (on windows at least?).
For example my Intel NIC here comes with 4 receive queues but has itself assigned 5 msi-x vectors. That is 4 rx queues + 1 tx queue?

//edit
I think this is even better
1 RX Queue
1 TX Queue
RX mapped to CPU0
TX mapped to CPU1

cat /proc/interrupts
           CPU0       CPU1
..........
 45:       4366       9656      MPIC   8 Level     eth0
..........