We add an 'httpauth' section type that contains the options:
prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue
httpauth section names are given included as list
items to the instances to which they are to be applied.
Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
During reload, we could send invalid information to the other
side and confuse it.
That's why, during reload we'll pause execution, do the reconfig
and resume + update when reload is done.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The problem is that interfaces are specified at start as
command line arguments, making them unchange-able via reload.
That means, we have to move (since lldpd allows this) the
interfaces-match-pattern option to be in a config file and reload
the configuration.
It's either that, or do a 'restart'.
Since we're generating the lldpd.conf file, we'll have to
move the 'sysconfdir' of lldpd to /tmp, where the files will
get written ; this will prevent any unncessary flash writes.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.
Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.
Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.
This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.
Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544https://bugzilla.mozilla.org/show_bug.cgi?id=1056341https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34
Certificates created by the OpenSSL one-liner fall into that category.
Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ
That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This option, defined by RFC3442, allows a DHCP server to send static
routes to a client. But the client has to request this option
explicitely.
Static routes are useful when the gateway configured by DHCP cannot be
in the same subnet as the client. This happens, for instance, when
using DHCP to hand out addresses in /32 subnets.
A new configuration option "classlessroute" is available, allowing
users to disable this feature (the option defaults to true).
Other DHCP clients already request this option by default (dhcpcd, for
instance, and possibly Windows). If a DHCP server does not support
this option, it will simply ignore it.
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.
Update to current HEAD in order to fix this particular case.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
iperf upstream added some bugfixes to the already released 2.0.9 version
without changing the filename. This conflicts with old mirrored files
and the hash that we previously used.
To avoid conflict, use a renamed tarball from mirror2.openwrt.org
containing the new upstream changes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Adds per-host leasetime support
Various bugfixes :
-Prioritize ifname resolving via ubus
-Free interface if ifindex cannot be resolved
-...
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
Commit 8f24ee6382 ("uqmi: Add proper IPv6 support") changed the code
to fetch the IPv4 address via QMI by default instead of using DHCP to
make it consistent with the IPv6 codepath.
This breaks on at least some Sierra Wireless cards, where data exchanges
fail to work until the host has fetched a DHCP lease.
Leave v6 as it is, but always use DHCP for v4.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Quote resolveip hostname argument to avoid bad shell injections.
While at it fix pattern match logic in case multiple IPv6 addresses
are returned for a hostname as they're seperated by newline by
resolveip and not a white space
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.
uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.
Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.
This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Fix rt_names build failure when FORTIFY_SOURCE disabled.
Include limits.h which otherwise gets automatically included
by fortify headers.
Solves FS #194
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Within the Lua binding, use the same logic as the command line interface for
reporting the used WPA ciphers. Instead of printing the intersection of
pairwise and group ciphers, report both group and pairwise ciphers.
This fixes a case where a connection which uses CCMP for pairwise and TKIP
as groupwise cipher is getting reported as using the NONE cipher.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Remove an invalid local variable declaration in the tunnel update subshell
invocation. Local declarations outside of function scopes are illegal since
the Busybox update to version 1.25.0 .
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.
The config symbol is kept (for a while), as packages from feeds depend on
it.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.
config match
option networkid tag
option match 12,myhost
option force 1
list dhcp_option '3,192.168.1.1'
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.
Defaulted 'on' in all variants.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'
Based on a patch by Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain. This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.
This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'
Run time tested with & without NO_ID on Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID
dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq. Change directory
ownership to match.
dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user. Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
The iwinfo library might get compiled with different backends, depending on
the driver selection of the current target, so mark it as nonshared to avoid
broken libiwinfo support on other targets with same cpu architecture but
different wireless driver types.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down
Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Only parse interfaces that are up during init_config (as the
script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
global scope
Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.
Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
- Security: Message printout was vulnerable to format string injection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.
- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files
- Security: dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
- Security: dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
The security issues were reported by an anonymous researcher working with
Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.
Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
If option ist not set then ipv6 is still enabled on this Interface.
Check if variable is zero will fix this issue.
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
multiple invocation of dnsmasq script (e.g. by procd and hotplugd)
might cause procd to restart dnsmasq with an incomplete config file.
Config file generation might take quite a long time on larger configs
due ubus calls for each listening interface...
Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
Emits an initial event after the first link-up of a force_link
interface. This is needed for making the dnsmasq dhcp check more
reliable
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Passing the hostname is currently broken in since the shipped busybox includes this commit:
https://git.busybox.net/busybox/commit/networking/udhcp/dhcpc.c?id=2017d48c0d70bef8768efb42909e605ea8eb5a21
Before:
Sun Jan 31 18:11:32 2016 daemon.notice netifd: Interface 'wan' is now down
Sun Jan 31 18:11:32 2016 daemon.notice netifd: Interface 'wan' is setting up now
Sun Jan 31 18:11:32 2016 daemon.notice netifd: wan (18158): udhcpc: option -h NAME is deprecated, use -x hostname:NAME
Sun Jan 31 18:11:32 2016 daemon.notice netifd: wan (18158): udhcpc: malformed hex string 'WR150'
After:
Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): udhcpc (v1.23.2) started
Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Sending discover...
Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Sending select for xxx.yyy.zzz.xyz...
Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Lease of xxx.yyy.zzz.xyz obtained, lease time 600
Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
Removed socket options = TCP_NODELAY IPTOS_LOWDELAY
TCP_NODELAY (disables Nagle algorithm) is default since samba2.
IPTOS_LOWDELAY sets DSCP 0x10 coding (CS2)
The alternate IPTOS_THROUGHPUT sets DSCP 0x08 coding (CS1)
CS1 is a scavenger class, whilst CS2 is more OAM/interactive
(SNMP,SSH,syslog)
Using CS2 is definitely an abuse of DSCP classification, CS1 less so
however even if the ISP takes note of DSCP codings having a default that
sets traffic to CS2 is wrong. Better to use the default Best Effort
class.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
iftop would display portions of mac address with large ffffff prefixes.
Make if_hw_addr type consistent.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Move logging command line option to uci:
option verbose [0]/1/2 - mono-syllabic/verbose/noisy
Previously handled as 'OPTIONS' in .init script however variable
was ignored so never worked.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Removed some options which are default anyway and added bind interfaces
only which causes the interfaces line to actually have an effect. Can be
verified with netstat.
Signed-off by: Rosen Penev <rosenp@gmail.com>
Commit d9b20a6f35 (SVN r48426) changed the
mac80211 phy lookup logic to strip the platform/ directory component from
the phy path specification.
Fix iwinfo to follow that logic by trying to lookup phys both with and
without "platform/" prefix.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Following fixes are included in the latest version:
-Script is launched with incorrect action
-Possible buffer overflows
-Lots of minor bugfixes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Cake AQM is experimenting with a codel/blue hybrid AQM COBALT instead
of just using codel alone. This patch updates tc to cope with some new
stats produced by COBALT.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
By default dnsmasq uses the time function; which returns the time since
Epoch; to retrieve the current time. On boards which have no realtime
clock this can lead to side effects when the time is synced via ntp
as the "time wrap" forces dhcp leases to be considered as expired.
By enabling the broken realtime clock build switch dnsmasq uses the
times utility which returns the number of clock tick.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[Jo-Philipp Wich: change symbol name, add sym to PKG_CONFIG_DEPENDS]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.
Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.
Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
With the addition of /etc/os-release patching lldpd to use
/etc/openwrt_release and to have the initscript use
/etc/openwrt_release and/or /etc/openwrt_version becomes
unnecessary.
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
The ebtables code relies on the `-nostartfiles` linker argument to execute the
extension modules' `_init()` functions automatically which is not working
reliably across all supported targets and gcc versions.
Running an ebtables executable linked this way just crashes with a segmentation
fault at runtime on program startup, e.g. on ARM architectures.
In order to fix the issue ...
- remove the use of the -nostartfiles linker flag
- rename the init procedures to a generic name without implicit semantics
- explicitely annotate those init procedures as constructors
The patch has been taken from the Alpine Linux distribution at
http://git.alpinelinux.org/cgit/aports/tree/main/ebtables/fix-extension-init.patch
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file. This saves flash device wear.
If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.
If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
dnsmasq checks dnssec timestamps
else
sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
sysntp script enabled & uci ntp enabled - look for timestamp file
sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
puts br2684ctl init after ADSL init instead of before, so that the ESI
is set at the right time, and for consistency with the PTM driver.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Add support for hostid dhcp config entry to dnsmasq. This allows
specification of dhcpv6 hostid suffix and works in the same way as
odhcpd.
Entries in auto generated dnsmasq.conf should conform to:
dhcp-host=mm:mm:mm:mm:mm:mm,IPv4addr,[::V6su:ffix],hostname
example based on sample config/dhcp entry:
config host
option name 'Kermit'
option mac 'E0:3F:49:A1:D4:AA'
option ip '192.168.235.4'
option hostid '4'
dhcp-host=E0:3F:49:A1:D4:AA,192.168.235.4,[::0:4],Kermit
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is usefull for systems behind firewalls.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).
This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.
Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add cake support to 'tc' in iproute2
- Use a patch to modify tc instead of adding a new tc-adv package.
Patch creates q_cake.c that matches commit 3314230bc4
- Do not include the other things from tc-adv (cake0, cake2, pie etc.).
V2 - KDB Small update to base on latest cake tc changes (wash option
deprecated)
V3 - KDB Move kmod-sched-cake package to kernel as is kernel related
v4 - KDB Split into individual patches, tc & kmod
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Acked-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.
Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
Instead of making assumptions about the leasefile and resolv file make sure
we use what the user configures, but fall back to defaults if no configuration
is specified
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Update to dnsmasq2.76. Refresh patches. Add new patch to fix musl
'poll.h' location warning.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
fixes:
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
- remove crypto auth compile fix
curl changelog of 7.46 states its fixed
- fix mbedtls and cyassl usability #19621 :
add path to certificate file (from Mozilla via curl) and
provide this in a new package
tested on ar71xx w. curl/mbedtls/wolfssl
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps. dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps. dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:
94588 dropbear_2015.71-3_x86_64.ipk
95316 dropbear_2016.73-1_x86_64.ipk
This is an increase of roughly 700 bytes after compression.
Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The original iperf package is unmaintained. This switches to the "iperf2"
project on sourceforge, a fork that started where the previous iperf left
off.
Version 2.0.8 fixes the issue that patch 002 handled, so that can be dropped.
Due to a faulty check in configure.ac, this version needs _GNU_SOURCE
defined to build properly against musl. Various other obsolete build
options were also removed.
Signed-off-by: Bert Vermeulen <bert@biot.com>
The option --disable-utmpx was deleted by accident in commit 7545c1d;
add it again to the CONFIGURE_ARGS list
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Remove the udhcpc -R release option as sending a DHCP release
is configurable via the uci option release.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The patch made sure the ncursesw library was not selected to save space,
but that library doesn't exist in this distribution at all.
Signed-off-by: Bert Vermeulen <bert@biot.com>
Update to latest HEAD in order to fix MARK rule generation for local traffic,
also fix a possible race condition during firewall start.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Patch Lua packet script defines SHRT_MAX which is already defined in <linux/kernel.h> and
is included indirectly by lauxlib.h. Fix the redefintion as it leads to compile failure
on systems which treat macro redefinition as an error
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Conntrack support reads the connection track mark associated with
incoming DNS queries and sets the same mark value on the upstream
forwarded DNS query. This can be usefull to track traffic generated
by dnsmasq to associate it with the clients who generate the queries,
usefull for bandwidth accouting and firewall.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Make sending a DHCP release configurable when the client exits allowing to clean up
IP/mac state info in intermediate devices.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
lua_packet_segment parameter start has type char pointer; in function lua_tg
it's assigned an uint16 value generating compiler warnings obviously indicating
posssible seg fault problems. Fix the issue by using the correct skb functions
so the parameter points to the position inside the sk_buff
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Stijn Cleynhens <stijn.cleynhens@gmail.com>
Add nonshared flag to package depending on specific targets or subtargets as
there's no guarantee otherwise that they'll be available in the shared repo.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Let DHCP client send a release when it exists so the DHCP server is
informed the IP address is released and allowing to clean up IP/mac
state info in intermediate devices.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update to latest HEAD in order to remove the faulty "prelocal" ip rule leading
to unexpected policy rule precedence.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 49252
Fixes build with /bin/sh pointing to certain versions of dash (for example
on Void Linux).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 49218
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49187
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require. From the documentation:
anonymous_identity: Anonymous identity string for EAP (to be used as the
unencrypted identity with EAP types that support different tunnelled
identity, e.g., EAP-TTLS).
This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49181
Silence warning "daemon.notice netifd: wan6 (1139): sh: write error: Invalid argument"
when an invalid MTU is received via RA as kernel refuses to accept IPv6 mtu values
which are smaller than 1280 and bigger than the device mtu.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
git-svn-id: svn+ssh://svn.openwrt.org/openwrt/trunk@49054 3c298f89-4303-0410-b956-a3cf2f4a3e73
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 48969
I do not know if this causes any problems now, but we should not set
it, because it is reserved. Some more recent versions of the Lantiq DSL
API driver and Control is checking if only valid bits are set.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48948
There are some cases where ISPs are running ATM over VDSL or PTM over
ADSL, this is not the common case, but these cases exist. Make it
possible to configure OpenWrt for such cases by adding a new config
option line_mode.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48947
The detailed annex option were only available in the danube DSL app
including the activation of G.992.2 Annex A (ADSL Lite). This is now
also added to the vdsl app for the vrx200.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48946
The adsl control app missed the activation of annex M and annex L in
the Annex A part, this now activates everything the firmware supports.
In Annex L type only the wide US (Mask1) was activated, now also the
narrow US (Mask2) version gets activated.
In addition annex J was also added.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48945
I am not calling dsl_cmd because I want to ignore the lock, quit
should also be send when someone else is accessing it. I saw that some
other call was stuck here and all following calls were stuck in the
dsl_cmd lock.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48943
Ensure that ikey and okey are sent in network byte order to the kernel.
Also don't mangle external IP addrs and routes when reconfiguring iinterfaces.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48919
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite
Default lease time is used for all hosts for which there is
no host-specific definition.
The option is added to /etc/config/dhcp for the selected hosts:
config host
option name 'Nexus'
option mac 'd8:50:66:55:59:7c'
option ip '192.168.1.245'
option leasetime '2h'
It gets appended to /var/etc/dnsmasq.conf like this:
dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 48801
Before r47933 Bit 1 (first bit) of xTSE Octet 1 (first octet) defaulted
to 1, which allowed T1.413 to operate.
Signed-off-by: Jonathan A. Kollasch <jakllsch@kollasch.net>
SVN-Revision: 48763
iptables is the only exception in the package tree, causing patch
behaviour to be inconsistent on this package.
Signed-off-by: Rick van der Zwet <rick.vanderzwet@anywi.com>
SVN-Revision: 48643
Supported syntax is inspired by ethtool. Example usages:
swconfig dev switch0 port 2 set link "duplex half speed 100"
swconfig dev switch0 port 2 set link "autoneg on"
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 48624
This fixes the following security problems:
CVE-2016-0754: remote file name path traversal in curl tool for Windows
http://curl.haxx.se/docs/adv_20160127A.html
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use
http://curl.haxx.se/docs/adv_20160127B.html
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48614
UCI paramater multicast is added which allows to toggle multicast support on gre interfaces.
By default multicast support is enabled as gre tunnels are often used in combination with
routing protocols using multicast.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Nick Podolak <nicholas.podolak@dtechlabs.com>
SVN-Revision: 48596
* Enable drop_invalid by default to catch unnatted packets (#21738)
* Fix processing of inversions for -i, -o, -s, -d and -p flags
* Remove delegate_* chain indirection but rely on xt_id to identify own rules
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48551
Commit 6a7e56b adds support for adding local hostname for own lan ula adress
but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1)
causing dnsmasq not to start up.
Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the
UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48495
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48494
Update to upstream Git HEAD to include VHT rate support and a number of
coverity scan fixes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48487
This adds IPv6 support to qos-scripts for both tc/qdisc and the
iptables classification rules. The tc/qdisc part is accomplished
by removing "protocol ip" from the tc command line, causing the
rule to be applied to all protocols. The iptables part is
accomplished by adding each rule using both iptables and ip6tables.
This patch is based on previous work by Ilkka Ollakka and
Dominique Martinet.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48452
This adds a "srciface" option that can be used on classification
rules in /etc/config/qos. This is useful to allow prioritization
based on the local network from which the traffic originates, for
example to deprioritize traffic from a guest network.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48446
Set the save-mark mask for the qos_${cg} chain to 0xff instead of
0xf0. With the old value, the nibble that was saved would be
masked during the restore, preventing ingress traffic from being
classified. Thanks to nbd for recommending the fix.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48388
The auth change appears to break the endpoint update for most users and with
my local tests the old update url works just fine.
This reverts commit 99c03a88cb6fed0519efdfaac305794653a12542.
SVN-Revision: 48384
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48345
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
This was generating a conffiles list that included the binary
and CONTROL/ files.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
SVN-Revision: 48296
This adds support for configuring VTI interfaces within /etc/config/network.
VTI interfaces are used to create IPsec tunnel interfaces. These interfaces
may be used for routing and other purposes.
Example config:
config interface 'vti1'
option proto 'vti'
option mtu '1500'
option tunlink 'wan'
option peeraddr '192.168.5.16'
option zone 'VPN'
option ikey 2
option okey 2
config interface 'vti1_static'
option proto 'static'
option ifname '@vti1'
option ipaddr '192.168.7.2/24'
The options ikey and okey correspond to the fwmark value of a ipsec policy.
The may be null if you do not want fwmarks.
Also peeraddr may be 0.0.0 if you want all ESP packets go through the
interface.
Example strongswan config:
conn vti
left=%any
leftcert=peer2.test.der
leftid=@peer2.test
right=192.168.5.16
rightid=@peer3.test
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
mark=2
auto=route
Signed-off-by: André Valentin <avalentin@marcant.net>
SVN-Revision: 48274
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48244
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.
Signed-off-by: Jan Čermák <jan.cermak@nic.cz>
SVN-Revision: 48133
Source package gre was depending on kmod-ip6-gre, however the actual
kernel module package that is created is kmod-gre6. Therefore
update (source) package gre for ipv6 gre support.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 48100
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
iproute2-4.0 had connmark support added by nbd. This does not work
with 4.x kernels. iproute2-4.3 is the latest version and has his
changes mainlined. This patch updates the package to iproute2-4.3
and fixes the patches so that it compiles. This should resolve
ticket #21374.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
SVN-Revision: 48098
Add back a slightly modified version of the lowlevel settings which
where removed with r46920.
In compare to the old lowlevel settings, the B43c tone is added to
tone_adsl_b and tone_adsl_bv.
If an unsupported tone value is used, the auto probing mode is used, in
compare to the fallback to tone_adsl_av and tone_vdsl_av with the old
lowlevel settings.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48054
According to ITU-T G.997.1 Amendment 2 (04/2013) section 2.1, bit 3 of
XTSE octet 8 either allow or denies the initialization of G.993.5.
Even if the current redistributable xDSL firmware doesn't include
G.993.5 vectoring support, enable this bit by default to allow people to
get their G.993.5 line working using a custom xDSL firmware.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48053
r47933 revealed that the driver/app in combination with the chosen
firmware does a good job in selecting a working xtse.
Use this probing mode if no annex is specified.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48052
This patch adds the missing VDSL2 bits to the annex specific XTSE (like
it should be according to the comments above the XTSE bits).
Since r47933 it's mandatory to remove the annex option to switch to
VDSL2 (only) operation mode.
As shown by ticket #21436 and a few mails I received personally, even
experienced users are not aware that they have to remove the annex
option to get their VDSL2 line working and as shown by this patch it
doesn't need to be that "complicated".
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48051
MD5SUM is wrong, it was not updated during last update to v1.4.1.
Thanks to Daniel Dickinson <openwrt@daniel.thecshore.com> for reporting it.
Signed-off-by: Nicolas Thill <nico@openwrt.org>
SVN-Revision: 48017
Changed the tunnel update URL into format tunnelbrokers
example has, that made it work again. Current method gives "Username/Password
Authentication Failed." when I tried the wget line manually and logread
eventually says also "6in4: update failed". With corrected URL it works fine:
"good 111.222.333.444" or "nochg 111.222.333.444" and logread concurs with
success, and tunnel actually updates.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 48006
When using cli, print link state the same way kernel used to do it.
This will allow kernel switching PORT_LINK from SWITCH_TYPE_STRING.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47998
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47976
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 47974
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 47953
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47928
- 1.4.x has IPv6 support
- set C std explicitly due to gcc 5 changes/old code style of dante
- disable pam via configure vars since detection of without pam option
is broken (-lpam gets linked in if available)
- remove and refresh patches
only compile tested
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 47926
- CONFIG_IFX_CLI is unused, couldn't find any reference to this config variable
- use disable-feature instead of enable-feature=no
- reorder configure args to have depending args together
- remove configure args which set the default value
- group enable-model and configure args which enable or disable features that
are covered by the feature set
The config.log contains the same values as before. The vdsl_cpe_control binary
has the same checksum as before.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 47888
The typicial feature set doesn't include "DSL PM showtime counters support"
(INCLUDE_DSL_CPE_PM_SHOWTIME_COUNTERS). This feature provides the
vdsl_cpe_control command 'pmccsg', which is used by 'dsl_control status' to get
the line uptime.
The binary size increases to 103912 byte (+4256 byte) uncompressed.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 47887
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.
Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>
SVN-Revision: 47857
this error was not visible until recent bump to
busybox 1.24.1 stable which introduced a warning message
when keyword 'local' is not used with a shell-function.
this does not change behavior and is a cosmetic cleanup.
fixes the following output:
root@box:~ ifup <interface>
/sbin/ifup: local: line 362: not in a function
/sbin/ifup: local: line 362: not in a function
/sbin/ifup: local: line 1: not in a function
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 47828
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47786
Support next to the non-HT/HT channel widths like HT20 or NOHT also VHT80
channels during the mesh join
iw dev mesh0 mesh join "meshnet" freq 5180 80MHz
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47782
Fix the id of NL80211_ATTR_WIPHY_ANTENNA_GAIN for antenna_gain command when
using compat-wireless 2015-10-26.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47778
Use the 'typical' compile configuration instead of 'full', which most
notably excludes the soap support.
/sbin/vdsl_cpe_control shrinks down to ~50%, from 178kb(!) to 90kb.
Signed-off-by: Andre Heider <a.heider@gmail.com>
SVN-Revision: 47769
In this upstream dsl driver app version the autoboot is deactivated activate
it again.
In addition to the update this also fixes some build warnings and makes it
use the same configure option as used in Lantiq UGW.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@lantiq.com>
SVN-Revision: 47637
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.
Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47614
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47613
Fixes compilation with Linux 4.3. Runtime tested on Ubiquiti EdgeRouter
Lite with Linux 3.18, 4.1 and 4.3.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 47470
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47439
as conntrack and conntrackd are completely independent programs,
serving a different purpose.
Also split by other distributions, as Debian and Ubuntu.
Signed-off-by: Ulrich Weber <uw@ocedo.com>
SVN-Revision: 47424
default configuration will fill up disk by
writing /var/log/conntrackd-stats.log
Introduced due init script auto start.
Signed-off-by: Ulrich Weber <uw@ocedo.com>
SVN-Revision: 47422
Seems the default one is not working as expected.
The way that reload should work is that the 'start' service
call should return 1 (if lldpd is running) and then a normal
restart would be called.
However, for lldpd a reload would mean just clearing all custom TLVs
(if they're configured) and reloading the configuration.
So, this patch adds a reload hook, which would:
- 'start' lldpd if it's not running (because we return 1 if not running)
- reload configuration if it is running (also previously
clearing custom TLVs if present)
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47367
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
Update iperf3 to point to the correct project website. Prior URL was the
old iperf2 website.
Signed-off-by: Karl Palsson <karlp@remake.is>
SVN-Revision: 47184
The two commits
5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"
and
618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"
broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.
The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.
Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47161
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 47149
Seems the match pattern was being adapted from 'eth0' to ' eth0'
because of the way I added the procd command args.
This did not seem to be a problem when there were multiple interfaces,
just on devices with single interfaces for lldpd to listen on.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47136
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 47134
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47064
There is no RFC requirement that DHCPv6 servers must reply with a link local
address and some ISP servers in the wild appear to using addresses in the ULA
range to send DHCPv6 offers.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47048
Since r46834, IPv6 support is builtin if selected. Therefor, dependencies
on kmod-ipv6 can no longer be fulfilled, since it is not a module anymore.
Signed-off-by: Arjen de Korte <arjen+openwrt@de-korte.org>
SVN-Revision: 47022
Using protocol qmi does not work since qmi.sh is not executable.
Setting option dhcp explicitely to 0 actually enables it.
This patch fixes both problems.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 47014
Our ruleset requires kernel support for conntrack state matching, therfore
depend on the require kmod. Fixes#20542.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46990
This call is no longer supported.
Maybe a come-back for it would be to use a config /etc/lldpd.conf
or /etc/lldpd.d/<some-file>.conf
Signed-off-by: Alexandru Ardelean <aa@ocedo.com>
SVN-Revision: 46966
Thanks to Sylwester Petela for testing my patch (successfully on an
ADSL connection) and for pointing out some configuration mistakes.
Others (including me) have also successfully tested this extensively
on VDSL connections.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
SVN-Revision: 46920
Move the pattern setting from netifd's service script to
/etc/sysctl.conf. Put the timestamp component '%t' just after
executable name '%e' for more natural order from output of ls command.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 46867
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851
By setting the option pdptype to IP, IPV6 or IPV4V6 the user can
choose the context type between IPv4, IPv6 and dual stack,
respectively. The default setting is dual stack, except if option
ipv6=0 is specified, in which case IPv4 context is the default.
This allows for an out-of-the-box IPv6 support with modems
utilizing NCM-like protocols.
While we are at it, also add commands for Sierra DirectIP modems
(currently untested), which will allow us to drop the separate
comgt-directip package (once tested and verified working).
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 46844
Use the new --ip-family option to start both IPv4 and IPv6 sessions
by default. Autoconnect can't be used when starting two sessions,
so revert back to using the client IDs and packet data handles for
handling the network connection.
Some modem firmwares do not implement a RA server, therefore by
default use outband IP configuration and static addressing. Some
other firmwares report bogus IP configuration with the WDS get
current settings command. In this case inband configuration with
DHCP/RA can be optionally enabled by setting option dhcp to 1.
Per 3GPP standard a /64 prefix is served to all clients, which is
extended to LAN as specified in RFC 7278.
v2: Restrict the IPv6 gateway route source address
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 46843
Seems like my second try was again whitespace broken. Sorry for the noise.
Remove src_port from firewall.config to receive dhcpv6 replies. Fixes#20295.
Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de>
SVN-Revision: 46842
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46802
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.
This fixes#20179
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
SVN-Revision: 46737
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add /etc/samba/smbpasswd to list of samba conffiles
thus preserving samba passwords across sysupgrade
by default.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 46606
Fixes a 100% cpu usage issue if using dhcp-script.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46550
Better synchronize RA & DHCPv6 events
Accumulate some events to avoid flooding
Restart softwires for address and prefix changes
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46518
otherwise it's not picked up by toolchain:
staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_musl-1.1.10/lib/gcc/mipsel-openwrt-linux-musl/4.8.3/../../../../mipsel-openwrt-linux-musl/bin/ld: cannot find -lsw
Signed-off-by: Roman Yeryomin <roman@advem.lv>
SVN-Revision: 46406
Also drop the configure (not .ac) patch part as autoreconf will
overwrite it anyway with a newly generated version.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Acked-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46385
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
odhcpd now sends unsolicited RAs also via unicast to known link-local
neighbors. This is an attempt to work-around common smartphone issues
https://code.google.com/p/android/issues/detail?id=32662
Also NDP-relay should now work more reliably now
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46357
The musl build "fix" introduced in r45108 removed all netinet/ether.h
includes, which made the prototypes of ether_aton and ether_ntoa
unavailable. As a result, the compiler assumed they return int instead
of a pointer. This currupted the pointer on 64bit targets, causing ebtables
to segfault in commands containing MAC addresses.
Since r46161 made it possible to include both the kernel and the libc
if_ether.h as long as the libc version is included first, this patch
changes the fix to remove the linux/if_ether.h from the ebtables source
(so the fixed version from the kernel is used) and ensures netinet/ether.h
is included early.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46292
When enabled the dnsmasq DHCP server allocates the IP addresses sequentially
starting from the lowest available IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 46211
This brings curl to version 7.43.0 and contains fixes for the following
security vulnerabilities:
CVE-2015-3236: lingering HTTP credentials in connection re-use
http://curl.haxx.se/docs/adv_20150617A.html
CVE-2015-3237: SMB send off unrelated memory contents
http://curl.haxx.se/docs/adv_20150617B.html
The 100-check_long_long patch is not needed any more, because the
upstream autoconf script already checks for long long when cyassl is
selected.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46169
This is for security precautions. As persist_tun and persist_key are
already there, this should not cause compatibility issue.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 45961
- fix iconv detection because it adds host paths
- disable python detection (host python-config is found)
iconv issue is reported by buildbot config.log + replicated locally
see config.log in logs.tar.gz
python issue observed locally on Arch Linux
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 45953
Adds PPP unnumbered support via the parameter unnumbered which points to a logical OpenWRT interface.
The PPP proto shell handler will "borrow" an IP address from the unnumbered interface (if multiple
IP addresses are present the longest prefix different from 32 will be "borrowed") for which a host
interface dependency will be created. Due to the host interface dependency the PPP unnumbered interface
will only "borrow" an IP address from an interface which is up.
The borrowed IP address will be shared as local IP address by the PPP daemon and no other local IP
will be accepted from the peer in the IPCP negotiation.
A typical use case is the usage of a public IP subnet on the Lan interface which will be shared
by the PPP interface as local IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45948
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45940
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45939
This prevents auto-detection of libxml2 and thus the error:
Package lldpd is missing dependencies for the following libraries:
libxml2.so.2
Preventing a dependency to libxml2 is preferred, since libxml2
would be a out-of-(core-)tree dependency.
Reported-by: Buildbot
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 45859
* Rework hostapd and wpa_supplicant status parsing code
* Add support for querying available HT rates
* Relax definition of restricted channels
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45766
Use shared libipt{,4,6}ext.so libraries instead of statically linking
the userspace matches into the fw3 executable.
As a side effect the match initialization is extremely simplified
compared to the weak function pointer juggling performed before.
This also fixes the initialization of the multiport match.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45764
* drop unused lenient restore patch
* instead of statically linking core extensions, build shared libraries
for reuse in fw3
* strip outdated match revisions and aliases to trim down library size
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45758
If the first resolveip call will fail, peeraddr will be now empty, and
the subsequent resolveip call will try to resolve an empty string.
Fix this by storing the result in a temporary variable.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 45712
Bump dnsmasq to v2.73rc8
Important - fixes remotely exploitable buffer overflow introduced in all v2.73 test/release candidates.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 45693
hand over parameters to user-script e.g. $1=deconfig
Signed-off-by: Leon George <leon@georgemail.de>
Signed-off-by: Christian Mehlis <christian@m3hlis.de>
SVN-Revision: 45626
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.
RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 45613
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.
The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.
Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.
References:
* https://dev.openwrt.org/ticket/19101
* https://community.openvpn.net/openvpn/ticket/524
* https://github.com/ARMmbed/mbedtls/pull/185
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45602
The most significant change from the previous version is the trimming of
the 300-ip_tiny.patch to lib/utils.c where a section previously patched
had vanished. That section of the patch was removed.
Built and lightly tested on ar71xx against uClibc and musl.
Signed-off-by: Russell Senior <russell@personaltelco.net>
SVN-Revision: 45512
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh
The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.
Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.
root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf
/var/run/hostapd:
wlan0 wlan1
The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/
The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
[-G<ping interval>] [command..]
...
-p<path> path to find control sockets (default: /var/run/hostapd)
...
-i<ifname> Interface to listen on (default: first interface found in the
socket path)
Below is a run with the default script and with my proposed solution.
Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
for dir in /var/run/hostapd*; do
[ -d "$dir" ] || continue
logger "WPS activated for: $dir"
hostapd_cli -p "$dir" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd
wlan0 got WPS activated, while wlan1 remained inactive.
I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.
Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
cd /var/run/hostapd
for dir in *; do
[ -S "$socket" ] || continue
logger "WPS activated for: $socket"
hostapd_cli -i "$socket" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1
Both radios got their WPS activated properly.
I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.
The modified script has been in a slightly different format in my community
build since r42420 in September 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45492
Two errors "netifd: radio0: sh: bad number" have recently surfaced in system
log in trunk when wifi interfaces come up. I tracked the errors to checking
numerical values of some config options without ensuring that the option has
any value.
The errors I see have apparently been introduced by r45051 (ieee80211r in
hostapd) and r45326 (start_disabled in mac80211). My patches fix two
instances of "bad number", but there may be a third one, as the original
report in bug 19345 pre-dates r45326 and already has two "bad number" errors
for radio0.
https://dev.openwrt.org/ticket/19345
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45380
r45270 removed ieee80211n=%d from the format string but didn't remove
the parameter itself. Though this probably doesn't cause any harm, it's
quite confusing and unneeded.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45351
it causes problems with newer iptables when ipv6 is disabled as iptc uncoditionally links ip6tc
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 45350
This patch adds the wpan-tools (iwpan) utility to OpenWRT
build system. This utility required to manage IEE-802.15.4
devices.
Signed-off-by: Varka Bhadram <varkab@cdac.in>
SVN-Revision: 45349
Enables last error support for the PPP protocol handlers.
In generic teardown the PPP daemon exit code is translated into
a self explaining error string which is set as interface error
by proto_notify_error in case of failure.
Signed-off-by: Johan Peeters <johan.peeters111@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45333
The arg argument is missing to the printer call in the print_option
utility when the option flag OPT_A2STRVAL is set.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45264
PPPD crashes (SEGV) when the dump or dryrun options are specified and an option
is internally defined as "o_special" with an option flag of "OPT_A2STRVAL".
As the option value is not saved when the parameter is processed, a reference
to the option will result into a crash (e.g. when printing).
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45263
User might have modified/extended template direct or by LuCI application.
So do not overwrite on update/upgrade.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
SVN-Revision: 45258
This patch backports the option --tftp-no-fail to dnsmasq and prevents the
service from aborting if the specified TFTP root directory is not available;
this might be the case if TFTP files are located on external media that might
occasionally not be present at startup.
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 45213
To enable 802.11r, wpa_key_mgmt should contain FT-EAP or FT-PSK. Allow
multiple key management algorithms to make this possible.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45050
The 802.11r implementation in hostapd uses nas_identifier as PMK-R0 Key
Holder identifier. As 802.11r can also be used with WPA Personal, nasid
should be appended to the hostapd config for all WPA types.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45049
'hostapd-common' is needed by all of the variants for wifi to function
correctly (a number of the target profiles simply select 'wpad-mini').
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
SVN-Revision: 45048
These new variants include support for mesh mode and SAE crypto.
They always depend on openssl as EC operations are not provided by
the internal crypto implementation.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45047
madwifi was dropped upstream, can't find it anywhere in OpenWrt
either, thus finally burrying madwifi.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45045
Helpful to disable when debugging lldpd crashes (when working on it).
When privilege separation is on, some crashes are stack-traced to
some privilege separation code.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 44967
from Erik Tews <erik@datenzone.de>
This patch has two effects. First, the quickleave feature/behaviour is
disabled for all groups that are used on more than one interface. The
idea of quickleave is to leave a group fast and later figure out whether
there is still somebody interested in that group. For groups used on
more than one interface, it is already known that there is still
somebody interested in that group.
Second, when a leave is received for a group that is used on more than
one interface, igmpproxy sends queries on all interface to discover
remeining listeners for that group. Previously these queries were only
send on the interface the leave was received on, so that listeners on
the other interfaces were not discovered and the group might be left on
the upstream router incorrectly.
This patch can be improved by sending the queries only on the interface
the leave was received on and adapting the algorithm in
internAgeRoute(...) in rttable.c in a way that only one interface is
actually processed and all other interfaces of the route are silently
assumed to be still active.
Signed-off-by: Erik Tews <erik@datenzone.de>
SVN-Revision: 44859
Certain DHCP servers push a gateway outside of the assigned interface subnet,
to support those situations install a host route towards the gateway.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44789
DNSMASQ has the ability to provide a menu to a pxeboot system, using
the --pxe-prompt and --pxe-service configuration options. The current
init.d script converting the "dhcp" file to "dnsmasq.conf" does not
find these options, but they are supported. This patch thus enables
the options.
Signed-off-by: Derek LaHousse <dlahouss@mtu.edu>
SVN-Revision: 44747
The --dhcp-boot option of dnsmasq does not require servername and serveraddress
arguments if the builtin tftp server is used.
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44744
The names for the config options were taken from lldpd's
configure.ac file.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 44743
Below you'll find a patch to add ipmark module support to ipset.
Changeset 44671 already bumped ipset to version 6.24, but it's still
compiled without ipmark support. This is a requirement for mwan3 v1.6.
Signed-off-by: Jeroen Louwes <jeroen.louwes@gmail.com>
SVN-Revision: 44742
Included you'll find a patch to bump ipset to version 6.24. This
version supports the ip,fwmark set, which is needed for mwan3 1.6.
Signed-off-by: Jeroen Louwes <jeroen.louwes@gmail.com>
SVN-Revision: 44671
The wwan package holds the hotplug script to set mobile broadband
interfaces (un)available. Add it as a dependency to comgt-ncm,
uqmi and umbim.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44631
Interface should not be set unavailable in all error cases,
returning 1 is enough.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44630
Adds ncm proto to the list of checked protocols, sets interfaces
unavailable on device removal and removes the unnecessary ifup
command.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44629
USB modem data files should be a part of the wwan package, which
actually uses them unlike comgt.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44628
In a dual-WAN setup, it's useful to specify an interface over which to
have PPTP.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
SVN-Revision: 44507
When passing struct termios to ioctl TCGETS and TCSETS should be
used instead of TCGETA and TCSETA, which are meant for the older
struct termio. Should fix https://dev.openwrt.org/ticket/19012
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44506
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':
config wifi-iface
option device 'radio2'
option network 'uplink'
option mode 'sta'
option ssid 'MyNetwork'
option encryption 'none'
list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'
This change consists of the following cherry-picked upstream commits:
b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)
0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44438
The recent rework of the 6in4 endpoint update broke the retry mechanism.
Rework the timeout handling and make the update status more verbose.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44327
Align init behaviour with other distros by starting an OpenVPN instance
for each config file found in /etc/openvpn/. This removes the additional
requirement to "register" the configs with uci and thus simplifies the
setup.
Make sure to respect the disabled state in uci to not suddenly autostart
instances which have been previously set to disabled, also skip configs
which are already started due to uci configuration.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44310
Busybox ash does not implement /dev/stdout, therfore any wget output
is written into a file /dev/stdout instead of onto the standard output.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44301
remove obsolete configuration settings
--disable-thread
--enable-nonblocking
--without-krb4
remove SSPI support
only supported on windows
correct --with/without-ca-path handling
only supported with OpenSSL and PolarSSL
correct LDAP/LDAPS protocol
add dependency libopenldap
added SCP/SFTP protocol
default "No"
depends on libssh2
added IDN support
default "No"
depends on libidn
added SMB protocol (new in 7.40)
default "No"
require 'cryptographic authentication' and either 'GnuTLS' or 'OpenSSL' selected
added Unix sockets support (new in 7.40)
default "No"
added error verbose messages
default "No"
changes to Makefile
Increase PKG_RELEASE
PKG_CONFIG_DEPENDS and CONFIGURE_ARGS
extended for new functionality
use "autoconf_bool" for all --enable/--disable options
restructure for easier reading
changes to Config.in
extended for new functionality
implement dependencies
restructure and grouping for easier reading
build tested on XUbuntu 14.10 x86 for x86 (generic) and ar71xx (WNDR3800)
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
SVN-Revision: 44243
This patch fixes the NCM protocol by adding the missing ifname
to the netifd script and changing one unintended "send" statement to
"print" in runcommand.gcom. It also cleans up logging and makes the
manufacturer names case-insensitive. Furthermore, comgt-ncm should
not depend on the USB-serial-related kernel modules, as the cdc-wdm
control device works without them. There is also no need to depend on
kmod-huawei-cdc-ncm, since other manufacturers (like Sony-Ericsson
and Samsung) which use other kernel modules should also be supported.
I'd appreciate if someone with Samsung or Sony-Ericsson modems could
test this, I was only able to test it with Huawei E3276, E3372 and
E353.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44182
* Update to version 7.40.0
* remove non existing config options around enable/disable HTTPS protocoll
* remove --with-ca-path if ssl support disabled
* set proxy support as default like all versions before CC did
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
SVN-Revision: 44176
The previous update introducing LFS support unconditionally changed the
sprintf() pattern used to print the file modification time to use PRIx64.
Explicitely convert the st_mtime member of the stat struct to uint64_t in
order to avoid type mismatch errors when building for non-64bit targets.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44138
* Fix the ubus plugin to not make its uhttpd_plugin entry symbol
constant as uhttpd needs to modify its list_head member
* Make sure that uhttpd supports large files by using 64bit ints
where appropriate and by passing _FILE_OFFSET_BITS=64 to the build
* Plug a possible memleak in the directory listing code
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44135
The previous implementation of the "host-uniq" option used plain strings for
passing the value to pppd which made it impossible to specify binary data.
Switch the format to a hex encoded string to support binary data.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44094
Extend the DHCPv4 handler script to store additional information from the
DHCP lease in the per-interface data object.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44092
Some Huawei mobile broadband sticks utilizing the NCM protocol expose
the control channel as a cdc-wdm device node instead of a virtual TTY.
This device node does not support the terminal ioctls. This patch
adds a check whether the provided device is a TTY or not and does not
attempt to use the terminal ioctls if they are not supported.
v2: reduce diffstat by simplifying code a little
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 44054
This patch adds a simple check to silence logging of messages about
unrecognized igmp packets which originate from devices in local network.
Without this patch igmpproxy floods openwrt syslog with messages such as:
user.warn igmpproxy[19818]: The source address 192.168.1.175 for group
239.255.250.250, is not in any valid net for upstream VIF.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
SVN-Revision: 44020
The --quiet-dhcp setting increases privacy by omitting DHCP lease logs including MAC addresses.
Signed-off-by: Lars Kruse <devel@sumpfralle.de>
SVN-Revision: 44006
Introduce configuration options to build an "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
iproute2 includes "sanitized" linux kernel headers, which work fine for uClibc, however
with musl there is some header conflict, principally some ipv6 structure redefinition. This
patch removes <linux/in6.h> from include/linux/if_bridge.h to solve the problem.
Signed-off-by: Russell Senior <russell@personaltelco.net>
SVN-Revision: 43992
This patch fixes adding new stations for some specific drivers when
using more than 1 BSS.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 43951
Makes sure that the openvpn instance gets restarted in case of a crash.
Intentional stops using /etc/init.d/openvpn stop will not result in
respawning. Anything else will, e.g. killall openvpn.
Signed-off-by: Lars Gierth <larsg@systemli.org>
SVN-Revision: 43886
This patch tries to
- Let the DHCPv6 feature depend on CONFIG_IPV6.
- Conditionally select libnettle, kmod-ipv6, kmod-ipt-ipset only if the
corresponding features are enabled.
- Install `trust-anchors.conf` only if DNSSEC is selected.
- Add PKG_CONFIG_DEPENDS for the configurable options.
- Add a patch to let the Makefile of dnsmasq be aware of changes in
COPTS variable.
Big thanks goes to Frank Schäfer <fschaefer.oss@googlemail.com> for
providing necessary information on connections and dependency relations
between these CONFIGs and packages.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 43851
Target pxcab and ps3 were removed from maintaince in r34764 and r34765
respectively.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 43850
The uapsd option sets the uapsd_advertisement_enabled flag in hostapd.
The check for phy support is already implemented here in hostapd since 2011:
http://w1.fi/cgit/hostap/commit/?id=70619a5d8a3d32faa43d66bcb1b670cacf0c243e
So this can be safely set to 1 as default.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43846