This can happen if the bridge or a stacked vlan device gets recreated.
Ensure that hostapd sees the change and handles it gracefully.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
fbaca4b cache: improve update call by doing a full refresh probe
93c9036 dns: reply to A/AAAA questions for additional hostnames
Signed-off-by: John Crispin <john@phrozen.org>
In file included from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/ubus.h:11,
from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/hostapd.h:21,
from main.c:26:
hostapd-2024.03.09~695277a5/src/ap/sta_info.h: In function 'ap_sta_is_mld':
hostapd-2024.03.09~695277a5/src/ap/sta_info.h:425:20: error: invalid use of undefined type 'struct hostapd_data'
425 | return hapd->conf->mld_ap && sta && sta->mld_info.mld_sta;
| ^~
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Ipv6 delegate option is not respected by proto of ppp/pptp/pppoe/pppoa
this add support for them.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15508
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
If the `intval` obtained from `info` is indeed 0, it cannot be set to `conf`.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15495
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Remove upstreamed from 2.11 release:
060-nl80211-fix-crash-when-adding-an-interface-fails.patch
Rebase all other patches
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Release 2.11 has been quite a few new features and fixes since the 2.10
release. The following ChangeLog entries highlight some of the main
changes:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
...and many more
Remove upstreamed patches:
023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
040-mesh-allow-processing-authentication-frames-in-block.patch
181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
210-build-de-duplicate-_DIRS-before-calling-mkdir.patch
253-qos_map_set_without_interworking.patch
751-qos_map_ignore_when_unsupported.patch
800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
Other patches has been updated.
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Include hotfix suggested by Sebastian Gottschall to fix bug introduced
with APuP patchset
Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: 0c3001a69e
Link: https://github.com/openwrt/openwrt/pull/16298
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Forward client mac address and subnet on dns queries. Pi-hole and Adguard use this feature to send the originators ip address/subnet so it can be logged and not just the nat address of the router. This feature has been added since version 2.56 of dnsmasq and would be nice to expose this feature in openwrt.
Signed-off-by: Carsten Schuette <schuettecarsten@googlemail.com>
Link: https://github.com/openwrt/openwrt/pull/15965
Signed-off-by: Robert Marko <robimarko@gmail.com>
Fixes#16075
When the SSL certificate used by uhttpd has been changed, calling
`/etc/init.d/uhttpd reload` will now have the effect of restarting the
daemon to make the change effective.
Signed-off-by: Sylvain Monné <sylvain@monne.contact>
Link: https://github.com/openwrt/openwrt/pull/16076
Signed-off-by: Robert Marko <robimarko@gmail.com>
The recommended maximum validity period is currently 397 days
and some browsers throw warning with longer periods.
Reference to
https://cabforum.org/working-groups/server/baseline-requirements/
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020
SHOULD NOT have a Validity Period greater than 397 days and
MUST NOT have a Validity Period greater than 398 days.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
The introduction of MacOS Catalina includes new requirements for self-signed certificates.
See: https://support.apple.com/en-us/HT210176
These new requirements include the addition of two TLS server certificate extensions.
- extendedKeyUsage
- subjectAltName
The extendedKeyUsage must be set to serverAuth.
The subjectAltName must be set to the DNS name of the server.
In the absense of these new extensions, when the LUCI web interface is configured to use HTTPS and
self-signed certs, MacOS user running Google Chrome browsers will not be able to access the LUCI web enterface.
If you are generating self-signed certs which do not include that extension, Chrome will
report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can click through to
ignore the latter, but not the former.
This change updates the uhttpd init script to generate self-signed cert that meets the new requirements.
Signed-off-by: Pat Fruth <pat@patfruth.com>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
Don't install /usr/lib/opkg/info in package install as it doesn't make
sense and conflicts with APK installations.
Fixes: a377aa9ab5 ("add dropkey ssh keys and config files to the conffiles section (#2014)")
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
don't mention SHA1 in order to not confuse users - SHA1 support is already disabled (except RSA-SHA1 signagures).
ref: https://github.com/openwrt/openwrt/issues/15281
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- update dropbear to latest stable 2024.85;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
99dd990690bc treewide: refactor pref(erred) to preferred_lt (lifetime)
4c2b51eab368 treewide: refactor valid to valid_lt (lifetime)
3b4e06055900 router: inherit user-assigned preferred_lifetime
e164414aa184 router: limit prefix preferred_lt to valid_lt in accordance with RFC4861
a2176af7bdeb treewide: spell-fixes and new comments for extra clarification
4590efd3a2b3 treewide: normalize spaces to tabs
2edc60cb7c7a router: rename minvalid to lowest_found_lifetime
7ee72ee17bfa router: disambiguate and clarify 'no route' messages
a29882318a4c config: set RFC defaults for preferred lifetime
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The DropBear's dropbearkey supports limited set of arguments of
OpenSSH ssh-keygen: -t, -q -N -Y
After the change you can generate a key with the same command.
Still many features of the original OpenSSH ssh-keygen are absent in
the dropbearkey.
If it's needed then users should install openssh-keygen package that
will replace the /usr/bin/ssh-keygen with the full version.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14174
[ wrap commit description to 80 columns ]
Link: https://github.com/openwrt/openwrt/pull/14174
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Because these capability advertisements default to on in lldpd, they
became absent at reload, and not restart, due to how the reload logic
works ( keep daemon running, send unconfigured and then the new config
via socket ), and it was not evident unless you happened to be looking
for it (e.g. via pcap or tcpdump). It was also not evident from the
manpage ( have now sent patches upstream ).
At reload time, the unconfigure logic disabled them unless they were
explicitly enabled (compare with other settings where 'unconfigure' just
resets them). Now they default to on/enabled at init time, and are
explicitly 'unconfigure'd at startup if the user disables them via:
lldp_mgmt_addr_advertisements=0
lldp_capability_advertisements=0
In other words: explicit is necessary to disable the advertisements.
The same applies to 'configure system capabilities enabled'. Technically
'unconfigure'd is the default but now it is explicit at reload.
Tested on: 23.05.3
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
ec8c620fd5f4 split bridge-local disable into rx and tx
40b1c5b6be4e flow: do not attempt to offload bridge-local flows
Signed-off-by: Felix Fietkau <nbd@nbd.name>
For interface type parameters, the man page documents patterns:
```
*,!eth*,!!eth1
uses all interfaces, except interfaces starting with "eth",
but including "eth1".
```
* Renamed `_ifname` to `_l2dev`.
* get the l2dev via network_get_physdev (and not l3dev)
* Glob pattern `*` is also valid - use noglob for this
The net result is that now interface 'names' including globs '*' and '!'
inversions are included in the generated lldpd configs.
Temporarily `set -o noglob` and then `set +o noglob` to disable & enable
globbing respectively, because when we pass `*` as an interface choice,
other file and pathnames get sucked in from where the init script runs,
and the `*` never makes it to lldpd.
Tested extensively on: 22.03.6, 23.05.3
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
[ squash with commit bumping release version ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
3159bbe0a2eb improve isolation when selecting a fixed output port
c77a7a1ff74d nl: fix getting flow offload stats
a08e51e679dd add support for disabling bridge-local flows via config
Signed-off-by: Felix Fietkau <nbd@nbd.name>
only available from >= 1.0.15
Comments are useful. Apparently this config parameter was committed when
openwrt used an older version of lldpd which did not yet support it.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>