spr-networks / super Goto Github PK

QR codes should have a margin / quiet zone (in this case a white border) around them to assist readers. Though I didn't have any trouble scanning it with iOS.

The differences between docker-compose-prebuilt.yml and docker-compose-src.yml appear to be whether they specify image or build sections. These could probably be merged (along with run_{prebuilt,docker_compose}.sh) because it is valid to specify both, and the behavior is documented:

Without any explicit user directives, Compose implementation with Build support MUST first try to pull Image, then build from source if image was not found on registry.

The command docker-compose build can explicitly force a build of images locally, and docker-compose pull can explicitly force a pull of all images, which would simplify or obviate the need for pull_containers.sh.

The run_monitor.sh script can apparently be removed, since it references the non-existent file monitor-services-compose.yml.

Docker-compose from ubuntu's branch has a pull which appears to have stopped working -- it conflicts with the build and does nothing. its unclear when this behavior started. as a workaround users can still use docker pull or use docker ce's latest and greatest

we could use docker's repository for the installers to use a more up to date docker stack for people, and provide a pull.sh script as a workraound

the base network should be validated to be a network address, ie 192.168.2.0 vs 192.168.2.1

I got a password that contained the substring 1l, which are hard to differentiate when displayed in a proportional font (e.g., if sent over a messaging app).

It would be good to consider password ergonomics generally. E.g., the uavpxq-ehthib-estutw-tlniyx-qzsizv style is easier to type on a phone keyboard, requiring few switches to the numeric/symbol keys. On the other hand with something like a printer this might be more tedious.

To ease setup of devices that share an iCloud Keychain or similar syncing mechanism, I'd like to be able to clone the password from an existing device, without having to go looking for what the donor device's password is.

it was observed that theres a size mismatch in the coredhcp_client , netlink needs an update

Usually dragging on empty space will switch tabs smoothly. Occasionally though it gets into a glitchy state where it will snap suddenly if the mouse is dragged at all. In the video, it starts out working OK, but after I interact with the Frequency Band popup, the smoothness is replaced but sudden tab switches.

I've previously seen it where it interpreted interacting with the popups or buttons as drags instead of clicks, which is why I was clicking randomly.

I think the dragging behavior should be disabled for mouse events since it is more of a touch-based gesture.

The cursor position jumps while entering a value into the "Wifi Name" field on the web interface when doing first-time setup on Safari. I could not reproduce on Chrome. Also Safari tries to autocomplete a name from my contacts which might be related.

@lts-po

attempting to add a tempest weather station on a 2.4ghz radio fails with WPA mismatch

Need to ensure that an ubuntu update does not break how interfaces are named.

Can roll this into superd or another service.

When clicking the update / check buttons on both the webui or iOS app, there's no feedback from the UI to tell the user that something is happening. This is confusing and probably leads to user clicking it multiple times until something happens.

I am getting errors doing the virtual setup on Ubuntu 22.04 droplet.
Same errors using local PC running dedicated Ubuntu 22.04 or Windows WSL2 version.
Running as root on the droplet, sudo user on local machines.
...
[+] num peers already configured: 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12 100 10 100 2 533 106 --:--:-- --:--:-- --:--:-- 666
parse error: Invalid numeric literal at line 1, column 4
wg: Key is not the correct length or format
parse error: Invalid numeric literal at line 1, column 4
parse error: Invalid numeric literal at line 1, column 4
parse error: Invalid numeric literal at line 1, column 4
parse error: Invalid numeric literal at line 1, column 4
Invalid device identity

When a device successfully connect to the AP, the iOS SPR app sends a successful notification but this one only embeds the MAC address of the client. It'd be nice to also includes the associated name if possible.

As discussed on Discord, I was trying to build the Docker container images on a VM with 4 GB, and consistently encountered issues trying to build the dns image. When I edited all the Dockerfiles to remove the tmpfs mount, builds succeeded. Therefore I assume it's something to do with running out of RAM, which manifested itself in an unusual way (failing to making a TCP connection to proxy.golang.org).

On iOS, there's no good way (AFAIK) to display the list of connected devices; the connected devices are highlighted like they are in the Web UI.

in safari, text inputs lose focus while typing

I can only have one device in "pending" state (where the MAC address is unassigned until the device connects) at a time. If I try to add another one, it silently replaces the first.

It should be possible to have multiple pending devices because they will connect with different passwords and therefore can be differentiated.

Then boot the drive on the Pi. Setup will complete on device and reboot. You should be able to navigate to the device on port 80 and see a setup screen

I'm unclear on how I'm supposed to navigate to the device. Over what interface? The USB-Ethernet dongle is listed as optional. In that case does it vend an initial Wi-Fi network, and if so, what are the details? What is the default IP address for reaching the router?

The instructions do not mention to configure LANIF=eth1 for the USB dongle, is that necessary?

I have wireguard disabled yet the 'Active VPN connection' panel on the main page displays '3':

It was noticed that ubuntu seems to show only one bssid / ssid in the visibile networks. its possible theres a UI glitch/state error with finding the best bssid for an ssid to connect to

here's a stackoverflow user with the same issue

https://askubuntu.com/questions/1422292/connection-to-the-wrong-access-point

Suppose theres a device X

I want devices A, B, and C to access X but not each other.

Today I would have to make group AX, BX, CX to achieve this.

Maybe we should create one-way groups for this purpose so a user doesnt have to manage multiple groups

I had a device routinely trying and failing to authenticate to the network. I waited for the auth failure popup and copied the MAC address, then used the Add Device flow to add a new entry with the same MAC address and (it turned out) the wrong password.

On the QR code screen, the connection status immediately changed to "Success" even though there was no successful attempt. And when the device did attempt to connect a moment later, I got the PSK failure alert.

seeing substantial UI lag in PFW w/ the time picker.

icloud keychain sync will interfere with unique passwords per device.

if a group of devices are enrolled in icloud keychain sync, the user should know to set the same password for each of those devices, otherwise sync will break connectivity when the password is changed

this ismaybe, sort of a flaw in icloud keychain

This is on Safari 16 on macOS 12.6. The device list extends below the bounds of the browser window. When I use the ••• menu and try to delete an entry, the menu abruptly closes as I get close to the "Delete" menu item. I have to extend the window size to get it to work.

See attached from iOS 15 on an iPhone 12 mini. I cannot scroll the menu to get to the Speed Test option. (Clip is slightly trimmed in the middle to fit on GitHub.)

Also it seems possible to scroll the page under the menu somehow (see end of clip).

it was reported that the xdp filter does not handle ip options properly, and will need to be updated for VLAN tagged traffic as well.

Background:

• The XDP filter helps enforce the zero-trust security model, where a per device password is assigned
• Wired devices currently do not have any such security guarantee against MAC spoofing until VLAN tags are supported.
• IP options could be used to have a device with one MAC address/key, create a DHCP request for a different device's MAC address

Impact:

• This would result in an arp entry and route to the wrong WiFi VLAN (to the malicious device)
• Because the MAC is used to inform wifi encryption , and ap_isolate=1 results in unique GTKs, it was previously observed (when this filter was written) that the malicious device receives encrypted traffic and can send garbaled packets but can not send/receive plaintext traffic.
• The main impact is expected to mainly be side-channel information about packets/traffic size
• Additional attacks could be possible due to logic state issues in the wifi firmware itself, falling under the category of frag attacks (https://www.fragattacks.com/)

https://github.com/spr-networks/super/blob/main/wifid/code/filter_dhcp_mismatch.c

The code should be updated. When a packet is UDP and on port 67 it should also

1. Check that h_proto in the ethernet header matches IPv4
2. Check that frag_off is 0
3. Check that ip_hl does not include any options

The input box on that UI has an annoying behavior; you can't click on it to display the various clients but have to click on the arrow on the far right of the box

I'm not quite sure if it's on purpose or not but it seems like doing an update does wipe the dns logging (successful & blocked queries); figured I'd open an issue just in case it's not on purpose :)

I added a domain override using the 'Add Domain Override' menu but the DNS name included a trailing .; like foo.com..

See attached pic:

Clicking the checkbox to disable wireguard in the VPN UI view triggers the below exception:

Uncaught TypeError: Cannot read properties of undefined (reading 'put')
    at value (Wireguard.js:28:17)
    at n.value (Wireguard.js:58:53)
    at onValueChange (index.tsx:89:26)
    at onChange (index.js:52:7)
    at Object.He (react-dom.production.min.js:52:317)
    at Ye (react-dom.production.min.js:52:471)
    at react-dom.production.min.js:53:35
    at Or (react-dom.production.min.js:100:68)
    at Er (react-dom.production.min.js:101:380)
    at react-dom.production.min.js:113:65

I'm trying to enter a device name but it won't let me hit delete/backspace because that would result in an empty field and therefore an invalid device name.

My superdns container logs have tens or hundreds of MBs of entries:

[ERROR] Recovered from panic in server: "dns://:53" runtime error: invalid memory address or nil pointer dereference

The router (Clearfog) has a working Internet connection and DNS. Clients can route traffic to the Internet but cannot resolve DNS via the router.

; <<>> DiG 9.10.6 <<>> @10.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 710
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 18 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon Jul 10 20:27:49 PDT 2023
;; MSG SIZE  rcvd: 39

Restarting the container, the full docker compose stack, or the entire router did not resolve the issue.

when adding a port to the firewall thats upstream enabled, its not available . upstream enable off is fine.

need fix and end to end test

I have a device that I added to the DNS ignore list later on, so wanted to clear the DNS history for it as well. Clicking on the delete button doesn't seem to do anything; no obvious exception either (running 0.2.7):

If I select the lan_upstream tag when adding a new device, then hit Save, the resulting device list entry does not have the requested tag.

I'm asked for an IP to add to the "Host Privacy IP List" but I'd like to be able to select a Wi-Fi client by name. Or just add a tag or something in the clients list, rather than use this interface separately?

I flashed release 0.2.16 to a USB drive and booted a Raspberry Pi off of it, following the instructions.

The file /etc/ssh/sshd_config.d/60-cloudimg-settings.conf contained the PasswordAuthentication no setting so I wasn't able to SSH into the system to do any administration. The instructions seem to indicate it should work.

This is also inconsistent with the Clearfog release.

https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing

Many of the Dockerfiles declare very similar sets of apt packages:

RUN apt-get install -y iptables nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates
RUN apt-get install -y iptables nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates curl
RUN apt-get install -y nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates
RUN apt-get install -y nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates curl
RUN apt-get install -y nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates curl hostapd systemd jq jc iw
RUN apt-get install -y nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates git curl
RUN apt-get install -y nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates git curl clang
RUN apt-get install -y --no-install-recommends ca-certificates nftables iproute2 netcat inetutils-ping net-tools nano
RUN apt-get install -y --no-install-recommends nftables iproute2 netcat inetutils-ping net-tools nano ca-certificates git curl
RUN apt-get install -y --no-install-recommends nftables iproute2 netcat inetutils-ping net-tools nano wireguard-tools

This is going to take up a lot of space and increase build time generating many different layers that are similar to one another. Consider factoring out the common group and installing them all at once as the first step.

There is also an official note on best practices when using apt-get. The recommendation is to make all package installations follow this pattern (with alphabetized packages for better diffs):

RUN apt-get update && apt-get install -y \
    aufs-tools \
    automake \
    build-essential \
    curl \
    dpkg-sig \
    libcap-dev \
    libsqlite3-dev \
    mercurial \
    reprepro \
    ruby1.9.1 \
    ruby1.9.1-dev \
    s3cmd=1.1.* \
 && rm -rf /var/lib/apt/lists/*

You may end up running multiple installations in one Dockerfile (e.g., common packages vs container-specific packages).

hostapd supports multiple BSSIDs/virtual ssids when the card supports it. for additional compatibility with random IOT devices or a lazy way to connect devices, super could support a basic bssid with a static password for all devices.

https://github.com/torvalds/linux/blob/42e66b1cc3a070671001f8a1e933a80818a192bf/net/netfilter/nfnetlink_log.c#L599

It was expected that nft log would always have a timestamp, but that may not be the case. Investigate why this doesn't always happen.

Temporary workaround by
5d685c0

Problem to solve

Container networks are currently poorly supported on SPR. As a workaround, users have to add rules to allow docker to do its thing or default to the "bridge" (docker0) network.

# Custom docker network workaround
nft insert rule inet filter FORWARD iifname "br*" accept
nft insert rule inet filter INPUT iifname "br*" accept

Feature: Support container network firewall rules & connectivity

Users can define rules for what the container should be able to access. LAN, WAN, LAN_UPSTREAM?, DNS, or specific device groups on the network.

We can listen to docker events and when a network is created or connected-to, its network is registered with SPR and managed.

Feature: Containers as a network sinks

Containers can run Tor, VPNs, and network experiments. We should make it possible to make a container a network sink similar to Site VPN forwarding, or possibly even a network relay where traffic comes back out onto the network after passing through the container.

I don't know if this is due to my broadband environment,
At some point, my internet was a little slow, so I SSH to it and saw that the htop and
Coredns was excessively using 300% of all CPU resources all the time.

I didn't see anything special in the docker logs. So i did a quick google search and found the same issue.

So I added "max_concurrent 1000" to the forward configuration and ran "docker-compose restart dns" and it calmed down.

• coredns/coredns#4544
• kubernetes-sigs/kubespray#9307

Please consider adding max_concurrent 1000 or N to the default configuration.

The setup guide implies that the USB Wi-Fi dongle will be wlan1 while the built-in interface wlan0 cannot be used:

The current setup assumes you'll be using a Raspberry Pi Model 4b with an mt76 based wireless adapter (wlan1).

Note that the built-in Raspberry PI Wireless card can not be used as an AP by default as it does not support AP/VLAN, which is a feature that SPR relies on.

However only wlan0 appears in the UI and therefore I had to proceed with setup with that interface.