Set tls (with ca-bundle), wpa3 to optional to slim down firmware for 8M target

At the current rate of firmware growth, we can expect to end support for 8M firmware within a few years.

In order to extend the 8M firmware support cycle as long as possible, we should slim down and tailor the firmware.

Most of the 8M firmware devices are older, and most of them are mipsel devices.
For example, ar9331 and mt762x.

Most of these devices only support 802.11 b/g/n and ac.
And most devices only have a 10/100Mbps Ethernet port.

We would like to remove the built-in TLS (with ca-bundle) support to support these devices longer.

We should also reduce the additional storage overhead from nftables and kernel growth.

So I suggest using wpad-basic to replace wpad-basic-mbedtls,

and removing mbedtls and ca-bundle.

Trim nftables ASAP.

Drop WPA3 support by default on 8M Flash.

Users can download and install them if they want to use the new features.

There's nothing really stopping you from building a custom image right now (no TLS, WPA3, PPP, IPv6, slimmed-down kernel or busybox, etc.). There are some forum posts of people building images even for 4/32 devices. Or am I misreading something?

AFAIK, the idea behind devices being supported whatever the specs are is that they all have the same baseline feature set out of the box. If you start picking and choosing what to build for each device, it's going to be hard to figure out what a specific version of OpenWrt is without digging into that device. This is already somewhat complicated with the ongoing swconfig/DSA switch.

This is actually quite common in other distributions.

Such as Debian and Ubuntu:
they offer a standard installation and a minimal installation.

We should also make a minimum installation for these devices.

As you can see, the firmware has now grown to around 6M, an increase of 2M from 19.07.

This campaign is imminent.

At current rates, these devices will be completely abandoned in three to five years.

Anyway, there is very little firmware space available now.

You can make your own packaging in the firmware selector.
One patch could trim some from nftables:

  • permit fw4 with nftables-nojson
  • add luci to show raw ruleset ipo json reparse

Just an idea, 1/3MB worth

Yes, I know.

LuCI is often killed by OOM on 64M memory devices, even though I have read the 8/64M warnings.

In fact, these devices may not be suitable for these new features.
Is it really good to install these inappropriate features by default?

I want to hear from the community.

Up to a month ago my parents were using an 8/64 device with OpenWrt 24.10 (and all the versions since 8.09 before that, IIRC) with LuCI and WPA3. So I'm not sure about the OOM part. I guess it depends on the usage scenario. But TBH you can't expect the hardware to be supported forever by volunteers. Again, nothing is stopping you from building your own image once the upstream support ends.

1 Like

Well, you are part of the community whether you want it or not. I see WEP/TKIP gone before WPA3 is touched, though.

In fact, when you do an opkg update, it may OOM.

If you don't often open LuCI to modify settings, it really won't OOM. I think it's the same as the 8/64 warning.

My architecture is Wireless Client as WAN + AP with LAN,
with PPPoSSH and gfwlist in dnsmasq (a list of domains to query via Google over PPPoSSH instead of the ISP DNS).

Also with a China Mainland ipset (nftables).

I used htop to look at it, and all of this took up a total of 36 megabytes of memory. I forgot how much free memory was available, probably less than 10M (not including cache/buffer).

Actually, I'm not sure if this is caused by OOM, but the memory is almost full.

When I make a change in LuCI or run opkg update, the router dies (ping lost) and is automatically restarted by the watchdog.

Can I ask what router you are using? Do you need to enable packet steering (RPS)?

OK, how big is your dnsmasq getting after gfwlist?
How much is added to RAM usage by loading the geoip set? Mostly, what is the nft list header of the set (it should be policy memory, not performance)?

About 4M-5M RAM,
with 50 devices that got an IP from DHCP.

It is a 3-4x memory usage difference between nft set performance and memory.

The ipset was imported via /cgi-bin/luci/admin/network/firewall/ipsets.

What is the memory impact thereof? OpenWrt starts at ~20-25MB used, +1MB per WiFi client. You should still be very safe loading 10k entries in 2 places.
Is it CIDR (with netmasks) or ranges? (The first is better.)

CIDR
http://www.ipdeny.com/ipblocks/data/countries/cn.zone

1 Like

Run nft list ruleset | grep -A 10 -B 10 set\ (with a space at the end)
and see if a policy is defined.

Yes

It is the largest set store; it uses less memory if the type is ip saddr and the policy is memory.
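The two replies above (the grep over nft list ruleset to see whether a policy is defined, and the hint that a large set costs less RAM with policy memory) can be turned into a small check. The script below is an added example, not code from the thread or from OpenWrt; the ruleset text is constructed to show one set declared with policy memory beside one that silently falls back to the default (performance), and the function reads from stdin so the same filter can be fed by nft list ruleset on a real device.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (not captured from a real
# device). `cn_ipv4` declares `policy memory`; `geo_big` has no policy line,
# so it uses nftables' default (performance), which is the costly case for
# a large interval set on an 8/64 device.
SAMPLE_RULESET='table inet fw4 {
	set cn_ipv4 {
		type ipv4_addr
		flags interval
		policy memory
		elements = { 1.0.1.0/24, 1.0.2.0/23 }
	}

	set geo_big {
		type ipv4_addr
		flags interval
		elements = { 1.0.8.0/21, 1.0.32.0/19 }
	}

	chain input {
		type filter hook input priority filter; policy accept;
	}
}'

# Print the name of every set that has no explicit `policy memory` or
# `policy performance` line. Reads ruleset text from stdin.
# Chains are ignored: the `policy accept;` of a chain sits mid-line and the
# chain block is never entered as a set.
sets_without_policy() {
	awk '
		/^[[:space:]]*set [^ ]+ [{]/ { name = $2; has_policy = 0; in_set = 1; next }
		in_set && /^[[:space:]]*policy (memory|performance)/ { has_policy = 1 }
		in_set && /^[[:space:]]*[}]/ { if (!has_policy) print name; in_set = 0 }
	'
}

# Stand-alone run against the constructed sample; prints "geo_big".
# On a device you would instead run:  nft list ruleset | sets_without_policy
printf '%s\n' "$SAMPLE_RULESET" | sets_without_policy
```

A set reported by the filter is a candidate for adding policy memory (and, as the reply above notes, collapsing entries to CIDR intervals) before blaming OOM kills on LuCI or opkg.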

Checking for an IP in nft sets is terribly slow. Much faster is using ipsets in the raw table instead. It works in parallel with nftables, if necessary.

1 Like