norn/parahub-mesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add OTA auto-update and guest IPv6 via Yggdrasil

Browse Source 
OTA: build.sh writes version/profile to firmware, generates manifest.json
with SHA256 per device. parahub-autoupdate script runs nightly at 3am,
fetches manifest (Yggdrasil first), verifies checksum, runs sysupgrade.
sysupgrade.conf preserves /etc/parahub/, yggdrasil.conf, dropbear keys.

Guest IPv6: Yggdrasil 300::/64 subnet assigned to guest via SLAAC.
Separate yggdrasil firewall zone (5 zones total) with guest→yggdrasil
forwarding. IPv6 exempt from tc shaping — full speed to Parahub services.
IPv6 to WAN blocked. Heartbeat now reads version from file, not hardcoded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Parahub AI
2026-02-06 08:09:27 +00:00
parent 6d6cffa42c
commit c5b9229ad0
6 changed files with 260 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
files/usr/bin/parahub-speed-control
View File

@@ -25,12 +25,16 @@ case "$1" in
# tc filter: packets with mark 0x20 → paid class
tc filter add dev $IFACE parent 1: protocol ip handle 0x20 fw flowid 1:20
# Exempt ALL IPv6 from shaping — only Yggdrasil IPv6 reaches guests (firewall enforced)
tc filter add dev $IFACE parent 1: protocol ipv6 prio 1 u32 match u32 0 0 flowid 1:20
# --- Ingress shaping (client → router, i.e. upload for client) via IFB ---
ip link add ifb-guest type ifb 2>/dev/null
ip link set ifb-guest up
tc qdisc del dev $IFACE ingress 2>/dev/null
tc qdisc add dev $IFACE ingress
tc filter add dev $IFACE parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb-guest
tc filter add dev $IFACE parent ffff: protocol ipv6 u32 match u32 0 0 action mirred egress redirect dev ifb-guest
tc qdisc del dev ifb-guest root 2>/dev/null
tc qdisc add dev ifb-guest root handle 1: htb default 10
@@ -41,6 +45,9 @@ case "$1" in
tc qdisc add dev ifb-guest parent 1:20 fq_codel
tc filter add dev ifb-guest parent 1: protocol ip handle 0x20 fw flowid 1:20
# Exempt ALL IPv6 from ingress shaping
tc filter add dev ifb-guest parent 1: protocol ipv6 prio 1 u32 match u32 0 0 flowid 1:20
# --- nftables: paid_clients set + mark rules ---
nft add table inet parahub 2>/dev/null
nft flush table inet parahub 2>/dev/null