tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

UDM v1.11.0 #45

Closed mcpat-it closed 2 years ago

mcpat-it commented 2 years ago

Added new base for UDM v1.11.0

Build also:

  1. ip6table_raw-4.19.152-al-linux-v10.2.0-v1.11.0.3921-f2e3fac.ko
  2. iptable_raw-4.19.152-al-linux-v10.2.0-v1.11.0.3921-f2e3fac.ko
  3. all kernel modules for NFS and CIFS support

peacey commented 2 years ago

Hi @pwallner,

Thanks for this PR. This PR is using the kernel base from 1.10.0-12, but the kernel has changed substantially in 1.11.0 that you can't just use the same kernel base as 1.10.0-12 to compile modules for 1.11.0. We need the 1.11.0 kernel sources from Ubiquiti.

As a proof of concept, I used your PR to compile the wireguard module for 1.11.0. The module loaded successfully, but gives an "Address already in use" error when you try to bring the tunnel up.

# wg-quick up ./wg1-r.conf
Warning: `/mnt/data/wg-local/wg1-r.conf' is world accessible
[#] ip link add wg1-r type wireguard
[#] wg setconf wg1-r /dev/fd/63
[#] ip -4 address add 10.67.1.2/32 dev wg1-r
[#] ip link set mtu 1420 up dev wg1-r
RTNETLINK answers: Address already in use
[#] ip link delete dev wg1-r

So this module built with the 1.10.0-12 sources is not compatible with 1.11.0.

mcpat-it commented 2 years ago

What did you do? It seems you already have a tunnel running.

For me the tunnel is working... I compiled it only for raw iptables; the wireguard.ko is not needed because it is already in the kernel. I used the new .config from 1.11.0 and modified it for raw iptables and also for NFS and CIFS support. For me everything is working (also NFS and CIFS mount and share).

# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.200.200.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

See here my build files; extract to /lib/modules: 4.19.152-al-linux-v10.2.0-v1.11.0.3921-f2e3fac.tar.zip

Then try modprobe nfsd, for example; you can see in dmesg that nfsd is working...

peacey commented 2 years ago

@pwallner I did not have any tunnel up. This was after a fresh restart and loading the wireguard module compiled with this PR.

I know 1.11.0 has an older version of the wireguard module built in, but the point of this project is to compile wireguard modules. If we are adding a new base, it must be able to compile the WireGuard module for that base. And the 1.10.0-12 base does not create compatible wireguard modules for 1.11.0. We need the kernel sources for 1.11.0.

Parts of the kernel in 1.11.0 have changed, and it's just coincidental that the NFS and CIFS modules are not affected. But kernel structures have changed in memory and things moved around, so the module can crash at any moment for whatever reason if they end up calling a structure or function that was changed in the kernel (like the wireguard module does, which is why it doesn't work). So it's very risky to use the 1.10.0-12 base to compile other modules like NFS and CIFS since we do not know what was changed.

I suggest you try to compile the WireGuard module with your PR and see for yourself the module does not work.

mcpat-it commented 2 years ago

@peacey As you know, 1.11.0 has an older version of the wireguard module built in, so I think we can never load a second (newer) instance of wireguard into the kernel?! The point of this project should be, imho, to support wireguard as much as possible, so for now at least to have the missing raw iptables, because wireguard is already in the kernel.

Are you sure that parts of the kernel in 1.11.0 have changed in such a way that we can't just use the new .config? I am not that much of a Linux expert...

How can we get the new files? I just wrote an email to the ubiquiti support, we will see what I receive as an answer...

peacey commented 2 years ago

You can unload the pre-built module before you load the newly built one. It's just that the new module doesn't work. There were probably changes in how the kernel handles IP addresses or changes to structures that offset memory locations which screwed up the function calling.

We can't use the 1.10.0-12 sources to compile the iptables raw module either. The module can crash at any moment because it's not even calling functions or structures at the correct memory locations for the new kernel. It is very unsafe to do that. So even if it seems to be working, we should not use it.

And the point of this project is indeed to get wireguard working, but we have to do it properly. We usually ask Ubiquiti for kernel sources, but since they included wireguard in 1.11.0, we didn't bother asking them yet since it's low priority. And the iptables raw module isn't really needed if you use the workaround for now (just don't use 0.0.0.0/0 as an AllowedIPs - you can still use 0.0.0.0/1,128.0.0.0/1 to cover that universal subnet instead). So really it's not that big of a deal.

Of course it would be great if we got a hold of the 1.11.0 kernel sources. Then we could compile the new version of the wireguard module and the iptables raw module for 1.11.0. Usually @tusc asks the Ubiquiti for these sources, but if you do get them we can definitely use them to compile the modules for 1.11.0.
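The AllowedIPs workaround described above, as an added example that is not part of this project's code: wg-quick installs its iptables raw-table rules only when a peer's AllowedIPs contains a catch-all /0 route, so splitting that route into two /1 halves keeps the same coverage without needing the raw module. The config below is a constructed sample with placeholder keys and endpoint.

```python
import ipaddress
import re
from typing import List

# Constructed sample wg-quick config using the catch-all route that makes
# wg-quick install its iptables raw-table rules on the UDM.
SAMPLE_CONF = """[Interface]
PrivateKey = <placeholder>
Address = 10.200.200.2/24

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
"""

# Both routes that wg-quick treats as "default route" and handles specially.
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def split_catch_all(cidr: str) -> List[str]:
    """Return the two /1 halves of a catch-all route, or the route unchanged."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net in CATCH_ALL:
        # 0.0.0.0/0 -> 0.0.0.0/1 + 128.0.0.0/1 ; ::/0 -> ::/1 + 8000::/1
        return [str(half) for half in net.subnets(prefixlen_diff=1)]
    return [str(net)]


def rewrite_allowed_ips(conf: str) -> str:
    """Rewrite every AllowedIPs line so no peer carries 0.0.0.0/0 or ::/0."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"^(\s*AllowedIPs\s*=\s*)(.+)$", line)
        if m:
            routes = []
            for cidr in m.group(2).split(","):
                routes.extend(split_catch_all(cidr))
            line = m.group(1) + ", ".join(routes)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite_allowed_ips(SAMPLE_CONF))
```

Routes other than the two catch-alls are passed through unchanged, so the same function can be run over an existing config without touching split-tunnel peers.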

mcpat-it commented 2 years ago

@peacey Sounds perfect, and thanks for explaining.

I'll come back to you if I get the files; otherwise I will use it from you for NFS and CIFS support. I am now preparing everything for "optware" and will distribute it soon.

mcpat-it commented 2 years ago

@peacey @tusc 1.11.0

here we go...

mcpat-it commented 2 years ago

It works...

#rmmod wireguard
#opt-modprobe wireguard
# ./15-wireguard.sh start
Starting wireguard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.200.200.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

dmesg output:

[715717.345073] wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
[715717.345078] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

peacey commented 2 years ago

Hey @pwallner!

Thanks for getting the 1.11.0 sources! That is very helpful. I'll have a look at this later tonight and merge it since we've met the requirements now.

mcpat-it commented 2 years ago

Last question: How do you determine that a new kernel base is used and required? Because e.g. 1.10.0-12 was valid for "-v1.10.0-12.3672-bace201,-v1.10.0-13.3677-0ebe4e7,-v1.10.0-14.3682-1195971,-v1.10.0-15.3686-a2edd0c,-v1.10.0.3686-a2edd0c,-v1.10.4.3702-91ba352".

But not valid for "-v1.10.0-8.3636-d7f66e0,-v1.10.0-9.3648-8ab9f61,-v1.10.0-11.3661-7092871".

peacey commented 2 years ago

@pwallner In the case of 1.10.0-12, the release notes mentioned they changed some handling in the kernel code. And compiling the WireGuard kernel using -11 kernel didn't result in a working module for -12. But usually, if we compile the WireGuard module and it doesn't work, we assume they must have changed something in the kernel. This isn't always 100% because they could have changed something WireGuard doesn't use and we wouldn't know since WireGuard would still be working. But so far, we have been figuring it out when they do change.

peacey commented 2 years ago

For this pull request, can we remove the CIFS/NFS kernel config changes and only keep the iptables raw modules? It's just that this project is only for WireGuard, not for CIFS/NFS, so I don't want to add anything that's not necessary for WireGuard.

You're welcome to compile NFS/CIFS for yourself and distribute them with your own project. But for this project, I think it's better if we keep it minimal changes to support WireGuard only.

mcpat-it commented 2 years ago

Sure, I agree. I am just building my own project based on your code, if you agree. But I will mention the origin of the code. In parallel I am building "optware", if you know it. Then people can start apt-get in the console (not unifi-is shell!).

peacey commented 2 years ago

Thanks @pwallner. I've merged this now. Of course you're welcome to use this code to do whatever you want.

mcpat-it commented 2 years ago

Thanks a lot. Without your project it would not have been possible; I got many ideas on how to do it.