92f5e18675bf interface: fix ifname present check in interface status
ef82defaae26 ubus: add active devices to bridger blacklist
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.
Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Replace the tc-full dependency with tc + libnl-tiny
1cd5e12eecdc loader/interface: attach bpf program directly using netlink
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.
Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.
It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
drop the use of LIB_SUFFIX
Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.
Until this upsream is included in a new release, this patch should be
used in Openwrt.
https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Previously libxt_socket.so was included in iptables-mod-tproxy. It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages
Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.
This allows to use tc without libxtables.
The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full
-rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny
They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
/lib/ld-musl-mips-sf.so.1 (0x77d6e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
/lib/ld-musl-mips-sf.so.1 (0x77da6000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
/lib/ld-musl-mips-sf.so.1 (0x77de8000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)
This is based on a patch from Tiago Gaspar.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy
Also libxtables-nft depends on IPTABLES_NFTABLES
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.
Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.
The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.
For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.
For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Contains following changes:
136006b88826 cmake: fix usage of implicit library and include paths
bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret". auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well. In
this case, auth_secret is empty, and the default value of the key can
be computed from the SSID alone.
Fallback to using $key when auth_secret is empty. While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.
This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
