Commit Graph

3740 Commits

Author SHA1 Message Date
Rui Salvaterra
cb9a69807e firewall3: bump to latest git HEAD
4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry-picked from commit 435d7a052b)
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-07-19 21:30:56 +02:00
Stijn Tintel
1edf306b31 firewall4: bump to git HEAD
11f5c7b fw4.uc: fix zone helper assignment
  b9d35ff fw4.uc: don't skip zone for unavailable helper
  e35e26b tests: add test for zone helpers
  a063317 ruleset: fix conntrack helpers
  e1cb763 ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
  11410b8 ruleset: reorder declarations & output tweaks
  880dd31 fw4: fix skipping invalid IPv6 ipset entries
  5994466 fw4: simplify `is_loopback_dev()`
  53886e5 fw4: fix crash in parse_cthelper() if no helpers are present
  11256ff fw4: add support for configurable includes
  3b5a033 tests: add test coverage for firewall includes
  d79911c fw4: support sets with timeout capability but without default expiry
  15c3831 fw4: add support for `option log` in rule and redirect sections

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit e8433fb433)
2022-07-01 13:45:18 +03:00
Etienne Champetier
fb3b927643 iptables: default to ip(6)tables-nft
OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.

When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.

We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 35fec487e3)
2022-06-29 22:39:56 +02:00
Konstantin Demin
d8d8b82c59 dropbear: cherry-pick upstream commit 544f28a0
Resolves #10081

Reported-By: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit f98bb1ffe5)
2022-06-27 22:34:07 +02:00
Alin Nastac
d8f8c78d96 464xlat: delete SNATed conntracks on interface teardown
Existing conntracks will continue to be SNATed to 192.0.0.1 even after
464xlat interface gets teared down. To prevent this, matching
conntracks must be killed.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 289c46869b)
2022-06-27 19:54:13 +02:00
David Bauer
f393581f66 hostapd: add owe_transition_ifname
Add the owe_transition_ifname config option to wifi-ifaces.

This allows to configure OWE transition VAPs without adding SSID / BSSID
to the uci conifg but instead autodiscovering these parameters from
other networks on the same PHY.

The following configuration creates a OWE transition mode network
constellation.

config wifi-iface 'open0'
	option device 'radio0'
	option ifname 'open0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FreeNet'
	option encryption 'none'
	option owe_transition_ifname 'owe0'

config wifi-iface 'owe0'
	option device 'radio0'
	option ifname 'owe0'
	option network 'lan'
	option mode 'ap'
	option ssid 'owe_tm.FreeNet'
	option encryption 'owe'
	option hidden '1'
	option owe_transition_ifname 'open0'

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 574539ee2c)
2022-06-16 11:08:02 +02:00
Jan Hoffmann
9c0f94e955 ltq-vdsl-app: disconnect when service is stopped
Stop the connection when the control daemon is terminated. The code is
a modified version of the termination routine in version 4.23.1 of the
daemon (which doesn't support VR9 modems anymore).

This could also be implemented by calling the acos and acs commands via
dsl_cpe_pipe.sh in the init script. However, doing it in the daemon
itself has the advantage of also working if it is terminated in another
way (for example during sysupgrade).

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
(cherry picked from commit 1daaef31b3)
2022-06-07 21:36:58 +02:00
Jan Hoffmann
d0397abd9d ltq-vdsl-app: set MAC address for vectoring error reports
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.

It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).

Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
(cherry picked from commit b35d33c8b8)
2022-06-07 21:36:58 +02:00
Daniel Golle
76b4b50bbe
netifd: update to git HEAD
2e1fcf4 netifd: fix hwmode for 60g band
 39ef9fe interface-ip: fix memory corruption bug when using jail network namespaces

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7eb83b2015)
2022-06-05 11:37:57 +01:00
Felix Fietkau
2ca8bccb00
netifd: update to the latest version
4b4849cf5e5a interface-ip: unify host and proto route handling
507c0513d176 interface-ip: add support for excluding interfaces in host route lookup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 24cc341fdc)
2022-06-05 11:37:47 +01:00
Daniel Golle
002e05bf9f
uqmi: update to git HEAD
56cb2d4 nas: add decoding of cell_id
 9a9019a uqmi: wms - added storage to read text messages

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 51c442c265)
2022-06-05 11:35:37 +01:00
Jo-Philipp Wich
dbd4c345fb firewall4: update to latest Git HEAD
210991d fw4: prefer /dev/stdin if available
4e5e322 fw4: make `fw4 restart` behavior more robust
221040e ruleset: emit time ranges when both start and stop times are specified
30a7d47 fw4: fix datetime parsing
fb9a6b2 ruleset: correct mangle_output chain type
6dd2617 fw4: fix logic flaw in testing hw flow offloading support
c7c9c84 fw4: ensure that negative bitcounts are properly translated
c4a78ed fw4: fix typo in emitted set types

Fixes: #9764, #9923, #9927, #9935, #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a7ddef6ef1)
2022-06-01 13:51:19 +02:00
Jo-Philipp Wich
80baa60259 firewall4: update to latest Git HEAD
c22eeef fw4: support negative CIDR bit notation
628d791 hotplug: reliably handle interfaces with ubus zone hints
d005293 fw4: store zone associations from ubus in statefile as well
b268225 fw4: filter non hw-offload capable devices when resolving lower devices
57984e0 fw4: always resolve lower flowtable devices
7782017 tests: fix mocked `fd.read("line")` api
72b196d config: remove restictions on DHCPv6 allow rule
f0cc317 fw4: refactor family selection for forwarding rules
b0b8122 treewide: use modern syntax
05995f1 fw4: fix emitting device jump rules for family restricted zones
b479815 fw4: fix family auto-selection for config nat rules
2816a82 ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
2379c3d tests: add test coverage for zone family selection logic

Fixes: #5066, #9611, #9765, #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 2df17604a4)
2022-05-20 20:08:24 +02:00
Tiago Gaspar
5ff900e0ad firewall: config: remove restictions on DHCPv6 allow rule
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.

Fixes: #5066

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 65258f5d60)
2022-05-04 15:28:41 +02:00
Daniel Golle
946f60aaeb dnsmasq: add logfacility file to jail mounts
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.

Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 2b5fa44f60)
2022-05-01 13:23:12 +02:00
David Bauer
832e3ad71a iwinfo: update to latest HEAD
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f757a8a098)
2022-04-27 00:55:07 +02:00
Jo-Philipp Wich
0481a5a35a firewall4: update to latest Git HEAD
fc83d46 ruleset: set auto-merge directive for interval sets
9bce873 fw4: fix skipping invalid ipset entries
425ea8a fw4: fix applying zone flags for source bound rules
a378883 fw4: fix emitting family specific redirect rules without any addrs
11feddf fw4: bracketize IPv6 addresses in dnat addr:port notation
9972f7d fw4: ensure to capitalize weekday names
fde8070 treewide: forward compatibility changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commits 1a35ac9990 and
 af02a12d7c)
2022-04-25 09:55:23 +02:00
David Bauer
dbe8d4fa2e iwinfo: update to latest HEAD
a479b9b devices: remove whitespace
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-24 23:13:04 +02:00
Cezary Jackiewicz
0a5f3b0126 comgt: support ZTE MF286R modem
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit e02fb42c53)
2022-04-17 21:31:02 +02:00
Lech Perczak
83003b6c06 comgt: ncm: try to detect interface for ttyACM ports
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.

Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit ed7957810c)
2022-04-17 21:31:02 +02:00
Lech Perczak
839cb17e3a comgt: ncm: select first available network interface for device
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit b2940bb8b2)
2022-04-17 21:31:02 +02:00
Lech Perczak
c138cb80e9 comgt: ncm: allow specification of interface name
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit a67629bbe2)
2022-04-17 21:31:02 +02:00
David Bauer
75b83e94a3 hostapd: add ubus link-measurements notifications
Notify external ubus subscribers of received link-measurement reports.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f6445cfa1a)
2022-04-17 01:16:58 +02:00
David Bauer
fd20720c71 hostapd: add ubus method for requesting link measurements
Add a ubus method to request link-measurements from connected STAs.

In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 965aa33a18)
2022-04-17 01:16:44 +02:00
David Bauer
04bc07ab84 hostapd: add support for enabling link measurements
Allow external processes to enable advertisement of link-measurement RRM
capability.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2ca5c3da04)
2022-04-17 01:16:37 +02:00
Daniel Golle
7ea412ef5a
netifd: relax check in dhcp proto handler
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit c5f113c43f)
2022-04-15 14:12:09 +01:00
Eneas U de Queiroz
fb597a9d4c nftables: add CONFLICT between versions
Have nftables-json conflict with nftables-nojson.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 1135b75d1f)
2022-04-11 22:45:16 +02:00
Konstantin Demin
d118e57b35 dropbear: bump to 2022.82
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit 65256aee23)
2022-04-10 16:26:01 +01:00
Valentyn Datsko
660923cd74 dnsmasq: add procd interface index tracking
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.

Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 76f55e3c3f)
2022-04-10 16:26:01 +01:00
Daniel Golle
d7354297bb uqmi: fix acquiring PIN status
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.

Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ee7cb5e885)
2022-03-27 16:14:00 +01:00
Felix Fietkau
68b008756f qosify: update to the latest version
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions
57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit af434e0da2)
2022-03-22 10:29:18 +01:00
Etienne Champetier
30c15d06e8 iptables: bump PKG_RELEASE
Following {arp,eb}tables-nft addition, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
66bb6dde36 iptables: add {arp,eb}tables-nft
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
c913be1da1 iptables: add xtables-nft package
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
afb6824a2c iptables: add xtables-legacy package
This allows to install ip6tables-legacy without iptables-legacy

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
905b49920f ebtables: rename to ebtables-legacy
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
2f5088ef5f arptables: rename package to arptables-legacy
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Josef Schlehofer
013b043564 iwinfo: update to latest Git head
Changelog:
90bfbb9 devices: Add Cypress CYW43455
234075b devices: fix AMD RZ608 format
0e2a318 devices: add AMD RZ608 device-id

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-19 16:13:58 +01:00
Felix Fietkau
54aab4e719 bpftools: fix library path on 64 bit systems
drop the use of LIB_SUFFIX

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 13:29:15 +01:00
Felix Fietkau
00cbf6f6ab bpftools: update to standalone bpftools + libbpf, use the latest version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 07:30:06 +01:00
Etienne Champetier
e9c99e0f7f iptables: backport missing init_extensions6() calls
This fixes ip6tables-nft no being able to use built-in
extensions like icmp6.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-13 19:24:13 +01:00
Florian Eckert
e5440ec871 ipset: add backport patch for IPv6 nftables ipset-translation
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.

Until this upsream is included in a new release, this patch should be
used in Openwrt.

https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-13 19:24:13 +01:00
Daniel Golle
2a801ee562
uqmi: update to git HEAD
44dd095 uqmi: corrected too short received SMS

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-12 11:07:27 +00:00
Lech Perczak
c8a88118af uqmi: set CID during 'query-data-status' operation
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-03-12 10:38:11 +00:00
Yousong Zhou
289fbc5102 iptables: add iptables-mod-socket
Previously libxt_socket.so was included in iptables-mod-tproxy.  It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages

Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-03-10 10:43:32 +08:00
Josef Schlehofer
d71928c1e3 nftables: update to version 1.0.2
Changelog:
https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/

Patches:

removed:
- 001-parser-allow-quoted-string-in-flowtable_expr_member:
it is now part of upstream release [1]

added:
- 001-examples-compile-with-make-check.patch:
backported from [2], it fixes:

nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
    3 | #include <nftables/libnftables.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

[1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
[2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-07 21:44:53 +01:00
Felix Fietkau
759149977e qosify: update to the latest version
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-06 23:01:24 +01:00
Hauke Mehrtens
921392e216 iproute2: Remove libxtables from some tc variants
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.

This allows to use tc without libxtables.

The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x    1 root     root        282453 Mar  1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x    1 root     root        282533 Mar  1 21:55 /usr/libexec/tc-full
-rwxr-xr-x    1 root     root        266037 Mar  1 21:55 /usr/libexec/tc-tiny

They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
        /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
        /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
        /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
        libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)

This is based on a patch from Tiago Gaspar.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-05 21:06:35 +01:00
Stijn Tintel
c2d7896a65 qosify: bump to git HEAD
interface: disable autorate-ingress by default

Also change the example config to reflect this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-04 20:37:05 +02:00
Stijn Tintel
1848b25cdd qosify: add PKG_RELEASE
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
2022-03-04 20:25:05 +02:00
Florian Eckert
ba6a48366f ipset: update to 7.15
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-01 21:17:30 +01:00
Paul Spooren
038d5bdab1 layerscape: use semantic versions for LSDK
PKG_VERSION should not contain the package name but the version only.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-03-01 00:01:18 +01:00
Etienne Champetier
d95b74f7c9 iptables: bump PKG_RELEASE
Following dependencies rework, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
39d50a2008 iptables: move libiptext* to their own packages
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
795e7155cb iptables: rename to ip(6)tables-legacy, add PROVIDES
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
316c406e62 iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtables
Those 2 configs are not specific to iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
d35a573004 iptables: make mod depend on libxtables
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
50d3271966 iptables: fix libnftnl/IPTABLES_NFTABLES dependency
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy

Also libxtables-nft depends on IPTABLES_NFTABLES

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Felix Fietkau
cbfce92367 qosify: update to the latest version
65b42032063f interface: add missing autorate-ingress options

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-20 18:13:14 +01:00
Petr Štetiar
d8bf730fe0 netifd: bump to version 2022-02-20
Contains following changes:

 136006b88826 cmake: fix usage of implicit library and include paths
 bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-20 10:52:55 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
David Bauer
6f78723977 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:45 +01:00
Hauke Mehrtens
8f5875c4e2 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-12 23:22:05 +01:00
Jo-Philipp Wich
0d1220acdf firewall4: update to latest Git HEAD
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-12 20:51:22 +01:00
Felix Fietkau
8072bf3322 qosify: update to the latest version
e230e71e0a12 map: fix copy-paste error in codepoints map
580d2ccf89f3 bpf: declare tcp_ports/udp_ports without typedef
8d6c19a81f3f ubus: fix a use-after-free bug

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-10 21:08:09 +01:00
Leonardo Mörlein
5406684087 wireguard-tools: allow generating private_key
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
2022-02-08 12:52:14 +01:00
David Bauer
04ed224543 hostapd: refresh patches
Refresh patches after updating to hostapd v2.10.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-08 00:21:41 +01:00
David Bauer
adb8c09a83 hostapd: update to v2.10
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-08 00:21:27 +01:00
Jo-Philipp Wich
ae75541594 firewall4: update to latest Git HEAD
a0518b6 fw4: gracefully handle unsupported hardware offloading
ac99eba init: fix boot action in init script

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 23:36:06 +01:00
Felix Fietkau
46e0eeb760 hostapd: automatically calculate channel center freq on chan_switch
Simplifies switching to different channels when on >= VHT80

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-07 17:01:18 +01:00
Jo-Philipp Wich
881a059977 uhttpd: update to latest Git HEAD
2f8b136 main: fix leaking -p/-s argument values
881fd3b ucode: adjust to latest ucode api
8b2868e file: specify UTF-8 as charset for dirlists, add option to override
3a5bd84 main: add ucode options to help text
16aa142 examples: add ucode handler example
3ceccd0 ucode: add ucode plugin support
f0f1406 examples: add example Lua handler script
9e87095 listen: avoid invalid memory access

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
2dd6777f15 firewall4: update to latest Git HEAD
b54f462 fw4: parse traffic rules before forwarding rules
4d5af8b fw4: consolidate helper code
300c737 fw4: fix applying zone family restrictions to forwardings
eb9c25a tests: implement fs.opendir() mock interface
d30ff48 tests: fix mocked fs.popen() trace log
52831a0 fw4: improve flowtable handling
7cb10c8 fw4: disable "flow_offloading_hw" option for now
b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
3b1692c463 netifd: update to latest Git HEAD
fd4c9e1 system-linux: expose hw-tc-offload ethtool feature in device status dump
3d76f2e system-linux: add wrapper function for creating link config messages
88af2f1 system-linux: delete bridge devices using netlink
85c3548 system-linux: create bridge devices using netlink

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Felix Fietkau
03ea0405a6 mac80211: backport MBSSID/EMA support patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Etienne Champetier
0e32c6baf3 iptables: add ip{,6}tables-legacy{,-restore,-save} symlinks
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
3a5df36cf6 iptables: use ALTERNATIVES for ip(6)tables(-nft)
As nftables is now the default, ip(6)tables-nft gets higher priority

The removed symlinks ("$(CP)" line) will now be installed by the
ALTERNATIVES mechanism

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
b0bd6599e8 iptables: rework ip(6)tables-nft dependencies
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."

This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.

To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)

When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies

This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency

The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
	}
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
4e7ad15904 iptables: fix ip6tables-nft description
ip6tables-nft packages ip6tables* utils not iptables*

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Etienne Champetier
a5c8811c04 iptables: fix ip6tables-extra description
The define was referencing ip6tables-mod-extra instead of ip6tables-extra

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Daniel Golle
4367d4f869
uqmi: update to git HEAD
f254fc5 uqmi: add support for get operating mode

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-02 02:37:21 +00:00
Hauke Mehrtens
cec4614df8 ethtool: Update to version 5.16
795f420 cmis: Rename CMIS parsing functions
369b43a cmis: Initialize CMIS memory map
da16288 cmis: Use memory map during parsing
6acaeb9 cmis: Consolidate code between IOCTL and netlink paths
d7d15f7 sff-8636: Rename SFF-8636 parsing functions
4230597 sff-8636: Initialize SFF-8636 memory map
b74c040 sff-8636: Use memory map during parsing
799572f sff-8636: Consolidate code between IOCTL and netlink paths
9fdf45c sff-8079: Split SFF-8079 parsing function
2ccda25 netlink: eeprom: Export a function to request an EEPROM page
86792db cmis: Request specific pages for parsing in netlink path
6e2b32a sff-8636: Request specific pages for parsing in netlink path
c2170d4 sff-8079: Request specific pages for parsing in netlink path
9538f38 netlink: eeprom: Defer page requests to individual parsers
664586e Merge branch 'review/next/module-mem-map' into master
50fdaec ethtool: Set mask correctly for dumping advertised FEC modes
c5e7133 cable-test: Fix premature process termination
73091cd sff-8636: Use an SFF-8636 specific define for maximum number of channels
837c166 sff-common: Move OFFSET_TO_U16_PTR() to common header file
8658852 cmis: Initialize Page 02h in memory map
27b42a9 cmis: Initialize Banked Page 11h in memory map
340d88e cmis: Parse and print diagnostic information
eae6a99 cmis: Print Module State and Fault Cause
82012f2 cmis: Print Module-Level Controls
d7b1007 sff-8636: Print Power set and Power override bits
429f2fc Merge branch 'review/cmis-diag' into master
32457a9 monitor: do not show duplicate options in help text
c01963e Release version 5.16.

The sizes of the ipk changed on MIPS 24Kc like this:
34317 ethtool_5.15-1_mips_24kc.ipk
34311 ethtool_5.16-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Jo-Philipp Wich
edb41fea66 firewall4: update to latest Git HEAD
16a1070 fw4.uc: handle zone masq6 option
5f61dbf ruleset: fix chain selection for mark and dscp targets
0bc844b ruleset: properly deal with wildcards in zone device selectors
101988d fw4: fix family comparisons
127dbc0 ruleset: emit AF specific rules for DSCP matches
d63cb89 fw4: fix parsing inverted numeric DSCP values
8c8a867 fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
f85bb2d ruleset: consolidate zone matches for raw_prerouting and raw_output chains
5669bc7 fw4: consolidate device grouping logic
94f03e0 ruleset: properly render redirect targets without port
fff9779 fw4: fix family selection logic for redirect rules
ca88fcd tests: update interface dump mock data
e60bb4b ruleset: support non-contiguous address masks
8fec51a fw4: fix potential crashes when parsing invalid redirect sections
c08eb44 fw4: fix redirect destination zone resolving
0df6ba0 fw4: fix address selection logic for DNAT reflection rules
60a2518 tests: add test coverage for redirect rules
e479eff fw4: add RFC-8622 'Least Effort' (LE) DSCP mark
ac8a737 ruleset: remove redundant syn check
bd5dc4b tests: run testcases in strict mode
3ee6a5c ruleset: fix undeclared variable access uncovered by strict mode

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-28 19:13:37 +01:00
Hans Dedecker
7edd10f9df netifd: update to git HEAD
ed71876 iprule: add support for uidrange

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-23 18:54:16 +01:00
Matthew Hagan
46ce629fe0 ipip: add 'nohostroute' option
Add the nohostroute option as available for gre and wg tunnels to
allow the user to prevent explicit creation of a route to the peer
address.

Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
2022-01-19 20:57:59 +01:00
David Bauer
2a31e9ca97 hostapd: add op-class to get_status output
Include the current operation class to hostapd get_status interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-01-14 22:12:44 +01:00
Hans Dedecker
d9064c31ca netifd: update to git HEAD
3043206 system: fix compilation with glibc 2.34

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-14 21:46:29 +01:00
Paul Spooren
0637093e8c iptables: enable nftable support by default
OpenWrt plans to move over to firewall4 which uses nftables under the
hood. To allow a smooth migration the package `iptables-nft` offer a
transparent wrapper to apply iptables rules to nftables.

Without the config option for nftables the package isn't installed and
therefore can't be tested. This commit enabled it and therefore provides
the wrapper.

The size of the iptables package increases from 25436 to 26500 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-01-14 00:42:28 +01:00
Hans Dedecker
7f2052ef22 netifd: update to git HEAD
96902e8 Revert "netifd: add devtype to ubus call"
29e6acf netifd: add devtype to ubus call
7ccbf08 netifd: add devtype to ubus call

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-12 21:14:29 +01:00
Kevin Darbyshire-Bryant
e955a08340 firewall: update to latest HEAD
0f16ea5 options.c: add DSCP code LE Least Effort
24ba465 firewall3: remove redundant syn check
df1306a firewall3: fix locking issue
3624c37 firewall3: support table load on access on Linux 5.15+

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-01-10 11:45:15 +00:00
Stijn Tintel
0f50d3daff firewall4: bump to git HEAD
9a509d4 ruleset.uc: consolidate ip and ip6 offload
 21f311d ruleset.uc: don't trim newline before comment sign
 f121383 tests: enable flow offloading in tests
 550df40 tests: add test for unknown defaults option
 47c5a5b tests: add test for deprecated rule option
 69a89d6 tests: add test for unknown rule option
 07579df fw4.uc: handle interface zone option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-09 17:38:18 +02:00
Andre Heider
5ee1e04517 ltq-vdsl: move to the default device name /dev/dsl_cpe_api/0
This makes patching it for ltq-vdsl-app unnecessary and paves the way
for VRX518 support.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-01-08 00:49:59 +01:00
Stijn Tintel
4d1f133561 firewall4: bump to git HEAD
main.uc: fix device gathering

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-06 21:30:14 +02:00
Jo-Philipp Wich
7881dce7d8 firewall4: fix syntax error in dependency spec
Fixes: ae60af8572 ("firewall4: order DEPENDS alphabetically")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 16:58:06 +01:00
Stijn Tintel
53b87a7a28 firewall/firewall4: provide uci-firewall
Provide uci-firewall via PROVIDES in both firewall and firewall4. This
will allow us to change the dependency of luci-app-firewall to
uci-firewall, making it possible to use it with either implementation.

Move CONFLICTS from firewall4 to firewall, to solve this recursive
dependency problem:

tmp/.config-package.in:307:error: recursive dependency detected!
tmp/.config-package.in:307:     symbol PACKAGE_firewall is selected by PACKAGE_firewall4
tmp/.config-package.in:328:     symbol PACKAGE_firewall4 depends on PACKAGE_firewall

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:50 +02:00
Stijn Tintel
3ec25a657d firewall4: bump to git HEAD
4ead2a6 treewide: move executables to /sbin
 9ebc2f4 fw4.uc: filter duplicates in fw4.set
 85b74f3 treewide: support flow offloading
 be3b4e6 treewide: support hardware flow offloading
 38889b7 treewide: support set timeout
 31c7550 fw4.uc: do not skip defaults with invalid option
 334a127 fw4.uc: introduce DEPRECATED flag
 7a0d38f fw4.uc: add _name as deprecated option
 5e7ad3b fw4.uc: don't fail on unknown options
 be5f4e3 fw4.uc: allow use of cidr in ipsets

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:43 +02:00
Stijn Tintel
ae60af8572 firewall4: order DEPENDS alphabetically
Add some line breaks while at at, to improve readability.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:06 +02:00
Stijn Tintel
3d4acc34bb firewall4: drop kmod-ipt-nat from CONFLICTS
The limitation of not being able to use iptables and nft nat at the same
time exists only in kernels before 4.18.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:53:47 +02:00
Nick Hainke
f61816fdff hostapd: refresh patchset
Recently the hostapd has undergone many changes. The patches were not refreshed.
Refreshed with
    make package/hostapd/{clean,refresh}

Refreshed:
    - 380-disable_ctrl_iface_mib.patch
    - 600-ubus_support.patch
    - 700-wifi-reload.patch
    - 720-iface_max_num_sta.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-12-31 12:11:59 +01:00
Stijn Tintel
9ba6ee4e25 nftables: allow quoted string in flowtable_expr_member
This is required to be able to use flow offloading on devices with
ifnames that start with a digit, like 6in4-wan6.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-31 02:07:13 +02:00