Need help creating a netifd compatible nebula package

Following advice from @vgaetera, I've tried to make the nebula package netifd-compatible and I'm struggling to get it to work.

Here are the init script and the netifd proto script.

With those in place (and the following section in /etc/config/network), the ifup nebula1 doesn't actually call the init script to bring it up. :frowning:

config interface 'nebula1'
        option proto 'nebula'
        option config '/etc/nebula/config.yml'

Manually starting /etc/init.d/nebula works.

What do I need to change to make ifup nebula1 work? Also, how can I selectively kill a PROCD instance on ifdown?

grep -E '(proto_run_command|proto_kill_command)' /lib/netifd/proto/dhcp.sh

I think what you're really asking is when is it applicable to spawn instances from proto vs procd? &&|| what are some good examples where proto interacts with a procd "service"?

in your case... it's a lot closer to sqm||banip||mwan3... which all have varying means to achieve similar outcomes... the key being... that the procd 'service' is not the actual listener...

Thanks, the proto_run_command and proto_kill_command in DHCP proto escaped my attention! I will experiment with spawning process from proto instead. But no, not really what I'm asking -- I'd really prefer to spawn instances from PROCD because I can use the PROCD fw object there.

Your reply inspired me to do more experiments and after a reboot spawning process from either proto or procd works. I'm still in the dark on how to selectively kill just a single PROCD instance for the proto_teardown tho. :frowning:

@jow -- can I use the firewall objects somehow in the proto scripts? If not (and I end up using the PROCD to spawn process for the protocol) how can I kill just a single instance of the PROCD script?

@jow @hnyman -- with the PROCD init-scripts I can create the firewall data I need, is it possible to do something similar with the proto netifd script?

This is what I'm trying to recreate in the proto script: https://github.com/stangri/source.openwrt.melmac.net/blob/master/nebula/files/nebula.proto#L53-L71

Should I call the PROCD script rather than actual binary from the netifd script instead?

Thanks!

Yes, you can publish firewall objects from proto handlers, check the following examples:

Thanks @jow, I've made a little progress, but could use your help again.

Maybe I misunderstood what proto_config_add_string does, but when I run json_get_vars config, the $config is empty. I thought that proto_config_add_string is an equivalent of config_get to add relevant options to json to be retrieved later, but I've checked the json and there's no config option there. I have to grab it with the uci command.

Do I need to somehow reload the firewall? When I check with iptables-save I don't see the relevant rules.

Looks correct at first glance. Did you restart netifd through /etc/init.d/network restart? Otherwise updated proto settings are not picked up.

Thanks for having a look, yes I've restarted the network.

I see the interface in luci (working on the luci-proto-nebula) and ifconfig, however unlike with the init script, I don't see it affecting the firewall. In the PROCD script I needed to add:

service_started() { procd_set_config_changed firewall; }
service_stopped() { procd_set_config_changed firewall; }

Is there an equivalent of these I'm missing in the netifd script?

So usually, the firewall reload is triggered by hotplug, specifically /etc/hotplug.d/iface/20-firewall

But I think the reason why it might not be working in your case is because your nebula interface is not part of any zone, so that the condition at line 8 causes the hotplug handler to bail out:
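
A way to check the zone-membership condition described above, as an added example that is not part of the thread and is not the hotplug script itself. The function name `zones_for_iface` and the sample configuration are constructed for illustration, and only explicit `network` entries in zone sections are inspected.

```shell
#!/bin/sh
# Added example (not from the thread): list the firewall zone(s) that name a
# given netifd interface. Assumption: only explicit `option network` and
# `list network` entries inside `config zone` sections are inspected.

# zones_for_iface IFACE [FILE]   (FILE "-" reads stdin)
# Prints one zone name per line; returns 1 when no zone lists IFACE.
zones_for_iface() {
    awk -v want="$1" -v q="'" '
        function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        function emit() { if (in_zone && hit && name != "") { print name; found = 1 } }
        $1 == "config" { emit(); in_zone = (unq($2) == "zone"); name = ""; hit = 0; next }
        in_zone && $1 == "option" && $2 == "name" { name = unq($3) }
        in_zone && ($1 == "option" || $1 == "list") && $2 == "network" {
            for (i = 3; i <= NF; i++) if (unq($i) == want) hit = 1
        }
        END { emit(); exit(found ? 0 : 1) }
    ' "${2:-/etc/config/firewall}"
}

# Constructed sample of /etc/config/firewall: nebula1 exists in
# /etc/config/network but no zone lists it.
sample_firewall_config() {
    cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
EOF
}

# Demonstration on the constructed sample.
for ifc in lan wan6 nebula1; do
    z=$(sample_firewall_config | zones_for_iface "$ifc" -) \
        || z="(in no zone: the firewall hotplug reload is skipped)"
    echo "$ifc -> $z"
done
```

On a router, `zones_for_iface nebula1` reads the live /etc/config/firewall; an empty result with exit status 1 means the interface still has to be added to a zone before ifup will trigger a firewall reload.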

Thank you for your reply Jo. Is there any documentation about netifd anywhere besides browsing the code?

Even when it's working, when I tried to assign nebula as an interface for the dropbear instance config it still complains about interface not having a network device, so I can't really achieve the goal I've had when I started on the path of converting nebula to be netifd-compatible.