Commit Graph

2674 Commits

Author SHA1 Message Date
Daniel Golle
ff8df2b3f9 hostapd: mesh: make forwarding configurable
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-18 22:12:18 +02:00
Daniel Engberg
ed4ac0ed65 curl: Deprecate idn(1) support and switch to xz tarball
libidn(1) is deprecated, add libidn2 support
Switch to xz tarball (smaller size)

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-04-16 22:01:09 +02:00
Hans Dedecker
20d3c118ae netifd: update to latest git HEAD (coverity fixes)
513eb27 system-linux: check ioctl return value in system_vlan()
df1625d system-linux: check ioctl return value in system_if_flags()
209c508 system-linux: fix segfault on alloc failure in system_if_check()
4a8e20e system-linux: fix segfault on error in system_add_ip6_tunnel()
36e4700 handler: fix resource leak on error in netifd_init_script_handlers()
86a0e7c system-linux: remove unnecessary open call in system_if_dump_info()
1e2cf67 system-linux: fix memory leak on error in system_add_vxlan()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-16 13:12:48 +02:00
Stijn Tintel
03774d28e1 lldpd: bump to 1.0.1
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-04-15 21:41:36 +03:00
Daniel Golle
c52ef396f9 hostapd: fix compile of -mini variants
Fixes commit d88934aa5a (hostapd: update to git snapshot of 2018-04-09)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 06:01:16 +02:00
Daniel Golle
d88934aa5a hostapd: update to git snapshot of 2018-04-09
And import patchset to allow 802.11s mesh on DFS channels, see also
http://lists.infradead.org/pipermail/hostap/2018-April/038418.html
Fix sae_password for encryption mesh (sent upstream as well).
Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 03:27:01 +02:00
Matthias Schiffer
85a35c644e
ebtables: update to latest git 2018-04-11
2e783b227766 ebt_ip: add support for matching IGMP type
b5fbb8d786c9 ebt_ip: add support for matching ICMP type and code
c5e5b784fd1a Move ICMP type handling functions from ebt_ip6 to useful_functions.c
11da52177196 include: sync linux/netfilter_bridge/ebt_ip.h with kernel

Note: the new features require at least kernel 4.17 or backported patches.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-12 07:34:57 +02:00
Matthias Schiffer
177fa14340
iptables: split physdev match out as a separate package
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-09 19:41:48 +02:00
Hans Dedecker
3612d90351 dnsmasq: remove example domains from rfc6761.conf (FS#1447)
RFC6771 does not exclude the forwarding of the example domain as it
states : "Caching DNS servers SHOULD NOT recognize example names as
special and SHOULD resolve them normally."
Example domains cannot be assigned to any user or person by DNS
registrars as they're registered in perpetuity to IANA meaning
they can be resolved; therefore let's remove the example domains
from the rfc6761.conf file.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-09 17:35:17 +02:00
Hans Dedecker
9356a6bfc7 odhcpd: update to latest git HEAD
31f217f router: improve RFC7084 compliancy

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-09 17:17:24 +02:00
Hans Dedecker
f890821fe7 odhcp6c: update to latest git HEAD
74b5a3 script: fix possible negative delay
473f248 dhcpv6: always trigger script update in case of IA updates
ea18935 ra: rework route information option handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-05 21:52:15 +02:00
Felix Fietkau
adc3f31b2c firewall: update to the latest version, adds hw flow offload support
35b3e74 defaults: add support for setting --hw on the xt_FLOWOFFLOAD rule

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-05 18:12:30 +02:00
Felix Fietkau
d073f650cd kernel: add support for enabling hardware flow offload via iptables
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-05 18:12:30 +02:00
Hauke Mehrtens
9aaa23ec8b samba36: fix some security problems
This Adds fixes for the following security problems based on debians patches:
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
CVE-2017-12163: Server memory information leak over SMB1
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should
CVE-2018-1050: Denial of Service Attack on external print server.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-03 23:26:45 +02:00
Hans Dedecker
986f80595b netifd: update to latest git HEAD
3dc8c91 interface-ip: fix memory leak in interface_ip_add_target_route()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-03 21:28:53 +02:00
Hans Dedecker
ac593d895a odhcp6c: update to latest git HEAD
5cbd305 odhcp6c: improve code readibility
eb83b7e treewide: improve error handling
b7b11cb dhcpv6: initialize ifreq struct
f0469e2 ra: handle socket fail creation
d573461 odhcp6c: fix file pointer leakage

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-31 19:31:42 +02:00
Kevin Darbyshire-Bryant
a64fae8354 Revert "iproute2: fix hidden uint to uin64_t promotion in json_print"
This reverts commit 745d0e7f4b.

It looks like upstream don't want the patch so let's revert it here too.

I hope a fix from upstream is forthcoming.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-31 09:18:31 +02:00
Hans Dedecker
479aaf6375 map: fix psidlen becoming negative (FS#1430)
Fix psidlen becomes negative in case embedded address bit lenght is smaller than
IPv4 suffix length.
While at it improve parameter checking making the code more logical and
easier to read.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-29 22:19:18 +02:00
Felix Fietkau
4bcf6acb14 Revert "ppp: make ppp-multilink provide ppp"
opkg currently has some issues with Provides and this change makes the
image builder fail because of that. Revert the change for now until opkg
is fixed

This reverts commit 092d75aa3e.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-29 11:57:40 +02:00
Daniel Golle
eba3b028e4 hostapd: update to git snapshot of 2018-03-26
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
 replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
 replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
 replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
 replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
 replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
 replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
 replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
 replaced by commit 114f2830d

Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.

For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-03-27 19:25:32 +02:00
Felix Fietkau
d290024c42 netifd: update to the latest version (fixes FS#1452)
9c8d781 netifd: return the interface for locally addressable host dependencies

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-27 11:33:51 +02:00
Hans Dedecker
287f5ebd2f dnsmasq: improve init script portability (FS#1446)
Improve portability of init script by declaring resolvfile as local
in dnsmasq_stop function.
Fixes resolvfile being set for older busybox versions in dnsmasq_start
in a multi dnsmasq instance config when doing restart; this happens when
the last instance has a resolvfile configured while the first instance
being started has noresolv set to 1.

Base on a patch by "Phil"

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-24 18:50:45 +01:00
Rosen Penev
43788a91fb ethtool: Update to 4.15.
Contains kernel 4.14 updates. Compile tested on mvebu.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-23 23:49:55 +01:00
Kevin Darbyshire-Bryant
4a788fcf63 iproute2: cake: support new overhead reporting & stats structures
Cake in kernel space now splits stats structure handling across netlink
messages to reduce stack usage issue flagged by upstream kernel checks.
Update user space (tc) qdisc handling to understand this new regime.

Cake also reports packet overheads & compensation in a different way so
add display code for this. e.g.

'tc -s qdisc show dev eth0' reports this extra detail:

 min/max transport layer size:         28 /    1500
 min/max overhead-adjusted size:       65 /    1550
 average transport hdr offset:         14

Cake also supports output in JSON format.

Patch is bulkier than before because a (slightly out of date - see above
stats) man page is included for reference. Better than nothing!

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-23 22:08:22 +01:00
Hans Dedecker
0f30f56e38 firewall: update to latest git HEAD
5cdf15e helpers.conf: add CT rtsp helper
d5923f1 Reword rule comments
c1a295a defaults: add support for xt_FLOWOFFLOAD rule
41c2ab5 ipsets: add support for specifying entries

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-22 13:29:22 +01:00
Hans Dedecker
89b8ba96b4 openvpn: remove deprecated config options
Remove deprecated config options in 2.5 as described in [0]

[0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-20 21:15:27 +01:00
Kevin Darbyshire-Bryant
745d0e7f4b iproute2: fix hidden uint to uin64_t promotion in json_print
print_int used 'int' type internally, whereas print_uint used 'uint64_t'

These helper functions eventually call vfprintf(fp, fmt, args) which is
a variable argument list function and is dependent upon 'fmt' containing
correct information about the length of the passed arguments.

Unfortunately print_int v print_uint offered no clue to the programmer
that internally passed ints to print_uint were being promoted to 64bits,
thus the format passed in 'fmt' string vs the actual passed integer
could be different lengths.  This is even more interesting on big endian
architectures where 'vfprintf' would be looking in the middle of an
int64 type.  Symptoms of this included tc qdisc showing bizarre values
for a variety of fields across a variety of qdiscs (e.g. refcnt, flows,
quantum)

print_u/int now stick with native int size.

A similar patch has been sent upstream.

Fixes FS#1425

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-19 11:40:01 +01:00
Kevin Darbyshire-Bryant
b0b5d0aebb dnsmasq: bump to 2.79 release
94b6878 Tidy crypto.c of old library compat. Now need libnettle 3.
8b96552 Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-19 11:39:13 +01:00
Rosen Penev
f4ea74abb6 curl: Update to 7.59
Compile tested on ar71xx.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-19 11:39:13 +01:00
Christian Bayer
49f3286bde openvpn: add config param verify_client_cert
Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5.
Replaced by param --verify-client-cert none|optional|require in v2.4 see
https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required

Signed-off-by: Christian Bayer <cave@cavebeat.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_	RELEASE increase]
2018-03-17 14:56:39 +01:00
Hans Dedecker
d88e928a44 dnsmasq: bump to 2.79rc2
ae29065 Fix debian/changelog syntax.
6b2b564 Enhance --synth-domain to allow names with sequential integers.
4f7bb57 Fix deletion of dhcp-options from inotify dynamic files.
56f0623 Allow trailing dot in CNAME.
f3223fb Fix nettle_hash() function to avoid ABI incompatibilities.
4c4f4c2 Debian dependency tweaking for new dnsmasq-base-lua package.
773af30 Man page typo fix.
4cc944b Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq
87e00fe Compiler warning fixes.
e7a4af8 Compiler warning fixes.
2d69d61 Add liblua-dev to Debian build-depends.
30e4a94 Debian package: add dnsmasq-base-lua binary package.
232a8f3 Merge messages for release.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-13 22:39:24 +01:00
Jo-Philipp Wich
e83bc5e3c7 6in4: support multiple additional user prefixes
Support configuration in the form...

    list ip6prefix 2001:db8:1234::/64
    list ip6prefix 2001:db8:5678::/64

... to allow specifying multiple routed IPv6 prefixes.

Implements feature request FS#1361.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-13 18:27:41 +01:00
Felix Fietkau
1cd76e2d85 netifd: update to the latest version (fixes FS#1358)
1f5a29c ip: do not add local routes for host dependencies
c06f842 device: add support for setting the isolate options for bridge ports
69aeaab interface-ip: fix route selection for host dependencies

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-13 13:35:05 +01:00
Felix Fietkau
092d75aa3e ppp: make ppp-multilink provide ppp
Fixes dependencies on ppp from other packages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-12 20:02:29 +01:00
Philip Prindeville
61e0af06d9 iperf3: update to 3.5
Get rid of patches which are already upstream.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-03-09 22:13:22 +01:00
Magnus Kroken
ffbe51b294 openvpn: update to 2.4.5
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-03-09 22:13:21 +01:00
Hans Dedecker
332b736a3e ebtables: update to latest git 2018-01-17
068ba95 Fix locking if LOCKDIR does not exist

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-08 21:16:24 +01:00
Stijn Tintel
7cc9914aae firewall: bump to git HEAD
392811a ubus: let fw3_ubus_address() return the number of resolved addresses
359adcf options: emit an empty address item when resolving networks fails
503db4a zones: disable masq when resolving of all masq_src or masq_dest items failed
f50a524 helpers: implement explicit CT helper assignment support
a3ef503 zones: allow per-table log control
8ef12cb iptables: fix possible NULL pointer access on constructing rule masks

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-03-08 02:40:30 +02:00
Jason A. Donenfeld
b562c0c91b wireguard: bump to 20180304
7c0d711 version: bump snapshot
b6a5cc0 contrib: add extract-handshakes kprobe example
37dc953 wg-quick: if resolvconf/run/iface exists, use it
1f9be19 wg-quick: if resolvconf/interface-order exists, use it
4d2d395 noise: align static_identity keys
14395d2 compat: use correct -include path
38c6d8f noise: fix function prototype
302d0c0 global: in gnu code, use un-underscored asm
ff4e06b messages: MESSAGE_TOTAL is unused
ea81962 crypto: read only after init
e35f409 Kconfig: require DST_CACHE explicitly
9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript"
6e09a46 contrib: keygen-html: rewrite in pure javascript
e0af0f4 compat: workaround netlink refcount bug
ec65415 contrib: embedded-wg-library: add key generation functions
06099b8 allowedips: fix comment style
ce04251 contrib: embedded-wg-library: add ability to add and del interfaces
7403191 queueing: skb_reset: mark as xnet

Changes:

* queueing: skb_reset: mark as xnet

This allows cgroups to classify packets.

* contrib: embedded-wg-library: add ability to add and del interfaces
* contrib: embedded-wg-library: add key generation functions

The embeddable library gains a few extra tricks, for people implementing
plugins for various network managers.

* crypto: read only after init
* allowedips: fix comment style
* messages: MESSAGE_TOTAL is unused
* global: in gnu code, use un-underscored asm
* noise: fix function prototype

Small cleanups.

* compat: workaround netlink refcount bug

An upstream refcounting bug meant that in certain situations it became
impossible to unload the module. So, we work around it in the compat code. The
problem has been fixed in 4.16.

* contrib: keygen-html: rewrite in pure javascript
* Revert "contrib: keygen-html: rewrite in pure javascript"

We nearly moved away from emscripten'ing the fiat32 code, but the resultant
floating point javascript was just too terrifying.

* Kconfig: require DST_CACHE explicitly

Required for certain frankenkernels.

* compat: use correct -include path

Fixes certain out-of-tree build systems.

* noise: align static_identity keys

Gives us better alignment of private keys.

* wg-quick: if resolvconf/interface-order exists, use it
* wg-quick: if resolvconf/run/iface exists, use it

Better compatibility with Debian's resolvconf.

* contrib: add extract-handshakes kprobe example

Small utility for extracting ephemeral key data from the kernel's memory.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
2018-03-06 08:52:13 +01:00
Hauke Mehrtens
45ae5c2de3 lantiq: Deactivate ASLR support for some applications
The lantiq components still leak some user space linker options into the
kernel space. This breaks with build when ASLR is activated, deactivate
it for now on these packages.

Fixes: FS#1391
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-03-03 12:58:55 +01:00
Hans Dedecker
694f0bb5af gre: squash grev4 and grev6 packages into gre (FS#1399)
The split-up into packages gre, grev4 and grev6 causes confusion for the
users as reported in FS#1399.
As IPv4 and IPv6 are considered now as bundled; squash the grev4 and grev6
packages into the gre package and let gre provide both grev4 and grev6.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-02 15:58:09 +01:00
Hans Dedecker
175b262328 netifd: add udhcpc link check to dhcp shell handler script
Fixes the assumption the busybox udhcpc applet is always enabled; in case
the symbolic link check fails the DHCP shell handler script will exit and
as result the DHCP protocol handler will not be registered in netifd.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-02 09:48:41 +01:00
Felix Fietkau
13224f8b73 iw: update to version 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-28 12:46:02 +01:00
Felix Fietkau
916e33fa1e netifd: update to the latest version, rewrite RPS/XPS handling
Remove RPS/XPS support from netifd core, move the logic to a hotplug
script that uses a different policy which provides better performance
and more fairness across flows

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-28 12:46:02 +01:00
Hans Dedecker
3bd2e195ec netifd: support DHCP sendopts as list options
Support config in the form of ....
	add_list sendopts=router:10.10.10.2
	add_list sendopts=nissrv:20.20.20.2
	add_list sendopts=0x7D:abba

This allows to configure sendopts having white spaces as option value

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-27 13:36:46 +01:00
Hauke Mehrtens
fc54256bc8 iptables: fix compile with kernel 3.18
This fixes a compile bug found by build bot with kernel 3.18

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-26 17:52:15 +01:00
Felix Fietkau
8f24653184 hostapd: do not register ubus objects for mesh interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-24 21:33:22 +01:00
Hans Dedecker
1a5863d6d7 odhcp6c: rework sendopts handling
Bring logic of sendopts handling in line with ip6prefix handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-24 21:04:06 +01:00
Jo-Philipp Wich
66222dd92b odhcp6c: support multiple additional user prefixes
Support configuration in the form...

    list ip6prefix 2001:db8:1234::/64
    list ip6prefix 2001:db8:5678::/64

... to allow specifying multiple additional IPv6 prefixes.

Implements feature request FS#1361.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-02-24 21:03:31 +01:00
Felix Fietkau
0f54d96d24 ethtool: import from packages, add myself as maintainer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-24 16:12:57 +01:00
Jakub Tymejczyk
316eb26a3a samba36: fix build (issue #5574)
As indicated in #5574 samba fails to build with linker error due to lack
of talloc_* functions when the packet libtalloc also gets build.

According to Makefile it is compiled with "--without-libtalloc" option.
Running ./configure --help shows that there is another option connected
to libtalloc: --enable/disable-external-libtalloc.
Adding this option fixes build.

Signed-off-by: Jakub Tymejczyk <jakub@tymejczyk.pl>
2018-02-24 11:23:46 +01:00
Hauke Mehrtens
92419ab4c7 iproute2: Add support for ports in xfrm on SCTP
Remove this old patch which prevents showing the xfrm ports for SCTP

This was added in commit 60c1f0f64d ("finally move buildroot-ng to trunk")

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-24 10:29:25 +01:00
Ansuel Smith
2805402f86 iptables: update to 1.6.2
459b6932 policy: add nft translation for simple policy none/strict use case
255e55b7 tests: xlate-test: no need to require superuser privileges
6990bbc5 extensions: hashlimit: remove space before burst in translation to nft
13ecaeb0 extensions: hashlimit: Rename 'flow table' keyword to meter
c252a2b0 extensions: Add test for cluster nft translation
bda1daa4 extensions: ip6t_{S,D}NAT: add more tests
88fa4543 extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
64a0e098 extensions: libxt_cluster: Add translation to nft
6067208f extensions: add support for 'srh' match
0f387b07 extensions: hashlimit: fix incorrect burst in translations
1ffe6a74 extensions: libxt_hashlimit: Do not print default timeout and burst
27de281d extensions: Add macro _DEFAULT_SOURCE.
75364151 iptables: Remove const qualifier from struct option.
8b0da213 iptables: masquerade: add randomize-full support
e64db006 iptables: patch to correct linker flag sequence
033eac81 extensions: libxt_tcpmss: Add test case for invalid ranges.
505bfa11 iptables: xtables-eb: Remove const qualifier from struct option
a6d6821a iptables: extensions: Fix MARK target help
71de414c libxt_sctp: fix array out of range in print_chunk
1a32381a extensions: add tests for ipcomp protocol
4bd51770 tests: xlate: print output in same way as nft-test.py
d0e3d95f libxt_recent: Remove ineffective checks for info->name
23e6ed71 libxt_TOS: add tests for translation infrastructure
9564595e Update .gitignore
bebce197 iptables: iptables-compat translation for TCPMSS
dbbab0aa extensions: libxt_tcpmss: Detect invalid ranges
0e958281 iptables-translate: add test file for TCPMSS extension
de3c68b6 iptables-compat: do not allow to delete populated user define chains
f4b80ce7 iptables: change large file support handling
f5b46c2f iptables: Constify option struct
21ba5b38 ip{,6}tables-restore: Don't accept wait-interval without wait
60e0ffd3 ip{,6}tables-restore: Don't ignore missing wait-interval value
af468b6e utils: Add a man page for nfnl_osf
1773dcaa utils: nfnl_osf: Fix synopsis in help text
895ce096 extensions: libxt_bpf: fix missing __NR_bpf declaration
3c633296 xtables-compat-restore: fix translation of mangle's OUTPUT
1c32e560 netfilter: xt_hashlimit: add rate match mode
b5331f88 xtables-compat: fix memory leak when listing
91ae12e3 xtables-compat-restore: fix several memory leaks
79e1edd1 iptables-xml: Fix segfault on jump without a target
c49a93f1 xtables-translate: fix double space before comment
79fa7cc2 libip6t_icmp6: xlate: remove leftover space
8e62f572 tests: xlate: generalize owner
8d994bcf iptables: Add file output option to iptables-save
f8e5ebc5 iptables: Fix crash on malformed iptables-restore
80d8bfaa iptables: insist that the lock is held.
c29d99c8 libxtables: Display weird character warning for wildcards
1fe96cfb tests: xlate: check if it is being run as root
3f92b259 tests: xlate: remove python 3.5 dependency
d89dc47a iptables-restore/save: exit when given an unknown option
65801d02 iptables-restore.8: document -w/-W options
9cd3adbe iptables-restore/ip6tables-restore: add --version/-V argument
1ec1fb7a extensions: libxt_hashlimit: fix 64-bit printf formats
27f69f4a iptables: extensions: Remove typedef in struct.
340105fa tests: add regression tests for xtables-translate
b669e184 extensions: libxt_TOS: Add translation to nft
b2a84476 iptables: Remove unnecessary braces.
2963a8df iptables: Remove explicit static variables initalization.
1cf4ba6f iptables: Constify option struct
999eaa24 iptables-restore: support acquiring the lock.
6e2e169e iptables: remove duplicated argument parsing code
836846f0 iptables: move XT_LOCK_NAME from CFLAGS to config.h.
b91af533 iptables: set the path of the lock file via a configure option.
0e94eb2e iptables-translate: print nft iff there are more expanded rules to print
48ad179b libxtables: abolish AI_CANONNAME
9f50bbdf libxtables: remove unnecessary nesting from host_to_ip(6)addr
c6df55d6 iptables-translate: print nft command for each expand rules via dns names
82dacbb8 xtables-translate: Avoid querying the kernel
9f972f45 extensions: libxt_addrtype: Add translation to nft
2c8e251e utils: nfsynproxy: fix build with musl libc
9b8cb756 libiptc: don't set_changed() when checking rules with module jumps
eb66632d extensions: libxt_hashlimit: Add translation to nft
72bb3dbf xshared: using the blocking file lock request when we wait indefinitely
24f81746 xshared: do not lock again and again if "-w" option is not specified
fc3c3b4e libxt_hashlimit: add new unit test to catch kernel bug
516d9191 iptables: update pf.os

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-02-23 19:15:54 +01:00
Felix Fietkau
820f030998 netfilter: add a xt_FLOWOFFLOAD target for NAT/routing offload support
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.

Requires Linux 4.14

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 20:12:42 +01:00
Felix Fietkau
bc3e0f6052 nftables: update to 0.8.2, backport flowtable support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 20:12:41 +01:00
Felix Fietkau
981cca12b6 hostapd: add support for sending 802.11v disassoc imminent notifications to clients via ubus
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 19:29:09 +01:00
Felix Fietkau
01b2c0fc49 hostapd: add support for issuing 802.11k beacon measurement requests via ubus
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 19:29:04 +01:00
Felix Fietkau
21bb42fb8a hostapd: expose client 802.11k capabilities via ubus
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 19:28:59 +01:00
Nick Hainke
e2681eb06a hostapd: return with 80211 codes in handle event function
If the auth or assoc request was denied the reason
was always WLAN_STATUS_UNSPECIFIED_FAILURE.
That's why for example the wpa supplicant was always
trying to reconnect to the AP.
Now it's possible to give reasoncodes why the auth
or assoc was denied.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-02-21 19:28:56 +01:00
Lorenzo Santina
83b4fa9b3b hostapd: add IEEE 802.11v support
Add Wireless Network Management (IEEE 802.11v)
support to:
- hostapd-full
- wpa_supplicant-full

It must be enabled at runtime via UCI with:
- option ieee80211v '1'

Add UCI support for:
- time_advertisement
- time_zone
- wnm_sleep_mode
- bss_transition

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
2018-02-21 19:28:50 +01:00
Felix Fietkau
6b1816f8a3 hostapd: add support for turning on 802.11k/v features via ubus
Neighbor reports are enabled implicitly on use, beacon reports and BSS
transition management need to be enabled explicitly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 19:28:43 +01:00
Mathias Kresin
04cb1e0fd2 ppp: fix build with kernel 4.14.9+
With a9772285a724 ("linux/compiler.h: Split into compiler.h and
compiler_types.h") compiler.h was refactored and most its content was
moved to compiler_types.h. Both files are required to build ppp-mod-pppoa.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-02-20 19:25:17 +01:00
Hans Dedecker
97c27f01be odhcpd: fix interop with wide DHCPv6 client (FS#1377)
96033e9 dhcpv6-ia: don't always send reconf accept option (FS#1377)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-20 16:30:15 +01:00
Koen Vandeputte
e16cc7a8c8 uqmi: ensure CID is a numeric value before proceeding
The current implementation only checked if uqmi itself executed
correctly which is also the case when the returned value is actually
an error.

Rework this, checking that CID is a numeric value, which can only
be true if uqmi itself also executed correctly.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-20 08:33:07 +01:00
Kevin Darbyshire-Bryant
16245a5d8e dnsmasq: bump to 2.79rc1
1721453 Remove special handling of A-for-A queries.
499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262
6f1cbfd Fix debian/readme typo.
55ecde7 Inotify: Ignore backup files created by editors
6b54d69 Make failure to chown() pidfile a warning.
246a31c Change ownership of pid file, to keep systemd happy.
83e4b73 Remove confusion between --user and --script-user.
6340ca7 Tweak heuristic for initial DNSSEC memory allocation.
baf553d Default min-port to 1024 to avoid reserved ports.
486bcd5 Simplify and correct bindtodevice().
be9a74d Close Debian bug for CVE-2017-15107.
ffcbc0f Example config typo fixes.
a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS.
f178172 Add homepage to Debian control file.
cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6
c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes.
4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.
3bd4c47 Remove limit on length of command-line options.
98196c4 Typo fix.
22cd860  Allow more than one --bridge-interface option to refer to an interface.
3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.
faaf306 Spelling fixes.
c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown.
e541245 Handle duplicate RRs in DNSSEC validation.
84a01be Bump year in Debian copyright notice.
d1ced3a Update copyrights to 2018.
a6cee69 Fix exit code from dhcp_release6.
0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c
39d8550 Run Debian startup regex in "C" locale.
ef3d137 Fix infinite retries in strict-order mode.
8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC.
373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section.
74f0f9a Commment language tweaks.
ed6bdb0 Man page typos.
c88af04 Modify doc.html to mention git-over-http is now available.
ae0187d Fix trust-anchor regexp in Debian init script.
0c50e3d Bump version in Debian package.
075366a Open inotify socket only when used.
8e8b2d6 Release notes update.
087eb76 Always return a SERVFAIL response to DNS queries with RD=0.
ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104
0954a97 Remove RSA/MD5 DNSSEC algorithm.
b77efc1 Tidy DNSSEC algorithm table use.
3b0cb34 Fix manpage which said ZSK but meant KSK.
aa6f832 Add a few DNS RRs to the table.
ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm.
a6004d7 Fix caching logic for validated answers.
c366717 Tidy up add_resource_record() buffer size checks.
22dee51 Log DNS server max packet size reduction.
6fd5d79 Fix logic on EDNS0 headers.
9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS.
a49c5c2 Fix search_servers() segfault with DNSSEC.
30858e3 Spaces in CNAME options break parsing.

Refresh patches.
Remove upstreamed patches:
	250-Fix-infinite-retries-in-strict-order-mode.patch
	260-dnssec-SIGINT.patch
	270-dnssec-wildcards.patch

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-02-18 22:10:17 +01:00
Stijn Tintel
1c308bbbf5 dropbear: add option to set receive window size
The default receive window size in dropbear is hardcoded to 24576 byte
to limit memory usage. This value was chosen for 100Mbps networks, and
limits the throughput of scp on faster networks. It also severely limits
scp throughput on high-latency links.

Add an option to set the receive window size so that people can improve
performance without having to recompile dropbear.

Setting the window size to the highest value supported by dropbear
improves throughput from my build machine to an APU2 on the same LAN
from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency
from 320KB/s to 7.5MB/s.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-02-18 02:59:57 +01:00
Philip Prindeville
81ccf24c09 iperf3: update to 3.4
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-02-17 13:48:02 +01:00
Russell Senior
42b94a74e9 openvpn: fix interface with mbedtls_sha256
Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions
were deprecated in favor of functions returning an int error code.  Use
the new function mbedtls_sha256_ret().

Signed-off-by: Russell Senior <russell@personaltelco.net>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-17 12:29:33 +01:00
Russell Senior
e05a6018fc curl: fix interface with mbedtls_sha256
Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions
were deprecated in favor of functions returning an int error code.  Use
the new function mbedtls_sha256_ret().

Signed-off-by: Russell Senior <russell@personaltelco.net>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-17 12:29:23 +01:00
Hauke Mehrtens
95745516a2 nftables: update to version 0.8.2
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-15 23:31:23 +01:00
Hauke Mehrtens
e7c179326a iproute2: update to version 4.15.0
The musl compatibility patches are now included in the upstream version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-15 23:31:23 +01:00
Daniel Golle
a3b9cbafc3 iwinfo: update to latest git HEAD
223e09b add support for expected throughput

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-02-15 04:57:38 +01:00
Koen Vandeputte
f21f8376e9 uqmi: bump package release
fixes: da8990e717 ("uqmi: use built-in command for data-link verification")

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-13 10:25:30 +01:00
Koen Vandeputte
da8990e717 uqmi: use built-in command for data-link verification
uqmi contains a command for directly querying the modem if there
is a valid data connection, so let's use it.

This avoids the cases were all previous tests are succesful, but the
actual data link is not up for some reasons, leading to states were we
thought the link was up when it actually wasn't ..

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-13 10:01:53 +01:00
Koen Vandeputte
3508f8abb4 uqmi: use correct value for connection checking
Originally, the implementation only checked if uqmi command
execution succeeded properly without actually checking it's returned data.

This lead to a pass, even when the returned data was indicating an error.

Rework the verification to actually check the returned data,
which can only be correct if the uqmi command itself also executed correctly.

On command execution success, value "pdh_" is a pure numeric value.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-13 10:01:53 +01:00
Koen Vandeputte
3c5471032b uqmi: use general method for state cleaning
Debugging shows that using the general method properly cleans on each
run, while the method specifying the client-ID shows "No effect"
even while in connected state.

Fixes several connectivity issues seen on specific modems.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-02-13 10:01:53 +01:00
Kristian Evensen
2d27ebbb93 iptables: Support building connlabel module
It is currently possible to enable connlabel-support in iptables.
However, in order for connlabel to work properly, the kernel module must
also be present. This patch adds support for building the
connlabel-module, and selects it by default when connlabel-support is
enabled.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
2018-02-13 10:01:52 +01:00
Yangbo Lu
3a0fa1e7b8 layerscape: update restool to 2017-12-03
Updated restool to 2017-12-03 and removed patches
since the new version had involved them.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-02-13 10:01:49 +01:00
Hans Dedecker
787326b43e odhcp6c: fix appending of emtpy sendopt value (FS#1336)
Don't append an empty sendopts value as odhcp6c bails out
immediately on an empty -x option triggering an infinite start
loop of odhcp6c

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-08 18:29:37 +01:00
Hans Dedecker
d8acbb86a1 odhcp6c: change sendopts option into list
Commit a26045049b added support for sendopts as a string; since multiple
sendopts values can be specified it makes more sense to model it as a
list of strings.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-08 12:19:48 +01:00
Hans Dedecker
112f0469c4 netifd: update to latest git HEAD
1be329c netifd-proto: add proto_config_add_array wrapper

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-07 12:03:56 +01:00
Kevin Darbyshire-Bryant
256477f7af wireguard: bump to 20180202
Bump to latest wireguard release snapshot:

2675814 version: bump snapshot
381d703 qemu: update base versions
c3fbd9d curve25519: break more things with more test cases
93fa0d9 curve25519: replace fiat64 with faster hacl64
6177bdd curve25519: replace hacl64 with fiat64
b9bf37d curve25519: verify that specialized basepoint implementations are correct
bd3f0d8 tools: dedup secret normalization
1f87434 chacha20poly1305: better buffer alignment
78959ed chacha20poly1305: use existing rol32 function
494cdea tools: fread doesn't change errno
ab89bdc device: let udev know what kind of device we are
62e8720 qemu: disable AVX-512 in userland
6342bf7 qemu: disable PIE for compilation
e23e451 contrib: keygen-html: share curve25519 implementation with kernel
6b28fa6 tools: share curve25519 implementations with kernel
c80cbfa poly1305: add poly-specific self-tests
10a2edf curve25519-fiat32: uninline certain functions

No patch refresh required.

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-02-03 14:29:57 +01:00
Matthias Schiffer
1cb06d8907
firewall: depend on kmod-nf-conntrack6
Firewall rules don't work as intended without conntrack support. The recent
cleanup removed the kmod-nf-conntrack6 dependency from the iptables
modules; add it to the firewall package instead.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-02-02 14:00:04 +01:00
Hans Dedecker
60e07ffec5 netifd: add defaultreqopts config option
By default udhcpc asks for a default list of options; the config option
defaultreqopts allows to tweak this behavior.
When set to 0 udhcpc will not ask for any options except for the options
specified in the reqopts config option.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-01 21:44:12 +01:00
Hans Dedecker
cc7a005c1a odhcp6c: add defaultreqopts config option
By default odhcp6c asks for a default list of options; the config option
defaultreqopts allows to tweak this behavior.
When set to 0 odhcp6c will not ask for any options except for the options
specified in the reqopts config option.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-01 15:19:30 +01:00
Matthias Schiffer
bbef76f1b1
nftables: remove dependency on kmod-nf-nat
For minimal firewall setups, NAT support may be unnecessary.

It would be possible to further reduce the minimum number of installed
modules, e.g. by separating IPv4 and IPv6 support or moving conntrack
support into a separate kmod package. We go with a more complete
kmod-nft-core for now, until a concrete usecase for smaller packages
arises.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-31 13:32:40 +01:00
Hans Dedecker
1d9296dcdb curl: bump to 7.58.0
a0b5e8944 progress-bar: get screen width on windows
65ceb20df test1454: --connect-to with IPv6 address w/o IPv6 support!
eb6e3c4f6 CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
96186de1f docs: fix man page syntax to make test 1140 OK again
af32cd385 http: prevent custom Authorization headers in redirects
993dd5651 curl: progress bar refresh, get width using ioctl()
9d82cde7b RELEASE-NOTES: synced with bb0ffcc36
bb0ffcc36 libcurl-env.3: first take
ec122c4c8 TODO: two possible name resolver improvements
a5e6d6ebc http2: don't close connection when single transfer is stopped
87ddeee59 test558: fix for multissl builds
da07dbb86 examples/url2file.c: add missing curl_global_cleanup() call
ddafd45af SSH: Fix state machine for ssh-agent authentication
9e4ad1e2a openssl: fix potential memory leak in SSLKEYLOGFILE logic
ca9c93e3e openssl: fix the libressl build again
2c0c4dff0 unit1307: test many wildcards too
2a1b2b4ef curl_fnmatch: only allow 5 '*' sections in a single pattern
cb5accab9 ftp-wildcard: fix matching an empty string with "*[^a]"
25c40c9af SMB: fix numeric constant suffix and variable types
945df7410 CURLOPT_TCP_NODELAY.3: fix typo
8dd4edeb9 smtp/pop3/imap_get_message: decrease the data length too...
84fcaa2e7 openssl: enable SSLKEYLOGFILE support by default
e44ddfd47 mime: clone mime tree upon easy handle duplication.
2c821bba8 docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
a06311be2 test395: HTTP with overflow Content-Length value
67595e7d2 test394: verify abort of rubbish in Content-Length: value
ac17d7947 test393: verify --max-filesize with excessive Content-Length
f68e67271 HTTP: bail out on negative Content-Length: values
0616dfa1e configure.ac: append extra linker flags instead of prepending them.
650b9c1d6 RELEASE-NOTES: synced with 6fa10c8fa
6fa10c8fa setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
3b548ffde setopt: reintroduce non-static Curl_vsetopt() for OS400 support
fa3dbb9a1 http2: fix incorrect trailer buffer size
2a6dbb815 easy: fix connection ownership in curl_easy_pause
89f680473 system.h: Additionally check __LONG_MAX__ for defining curl_off_t
14d07be37 COPYING: it's 2018!
a8ce5efba progress: calculate transfer speed on milliseconds if possible
d4e40f069 scripts: allow all perl scripts to be run directly
e4f86025d mail-rcpt.d: fix short-text description
908a9a674 build: remove HAVE_LIMITS_H check
129390a51 openssl: fix memory leak of SSLKEYLOGFILE filename
272613df0 Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
481539e90 test1554: improve the error handling
593dcc553 test1554: add global initialization and cleanup
dc831260b curl_version_info.3: call the argument 'age'
58d7cd28a brotli: data at the end of content can be lost
a0f3eaf25 examples/cacertinmem: ignore cert-already-exists error
859ac3602 tool_getparam: Support size modifiers for --max-filesize
b399b0490 build: Fixed incorrect script termination from commit ad1dc10e61
a9b774a77 Makefile.vc: Added our standard copyright header
22fddb85a winbuild: Added support for VC15
ad1dc10e6 build: Added Visual Studio 2017 project files
d409640d6 build-wolfssl.bat: Added support for VC15
a4e88317d build-openssl.bat: Added support for VC15
c97648b55 curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
b43755789 examples/rtsp: fix error handling macros
f009bbe1f curl_easy_reset: release mime-related data.
4acc9d3d1 content_encoding: rework zlib_inflate
e639d4ca4 brotli: allow compiling with version 0.6.0.
9c6a6be88 CURLOPT_READFUNCTION.3: refer to argument with correct name
02f207a76 rand: add a clang-analyzer work-around
13ce373a5 krb5: fix a potential access of uninitialized memory
41982b6ac conncache: fix a return code [regression]
5d0ba70e1 curl: support >256 bytes warning messsages
188a43a8f libssh: fix a syntax error in configure.ac
7ef0c2d86 examples/smtp-mail.c: use separate defines for options and mail
621b24505 THANKS: added missing names
cc0cca1ba mailmap: added/clarified several names
9d7a59c8f setopt: less *or equal* than INT_MAX/1000 should be fine
2437dbbf1 vtls: replaced getenv() with curl_getenv()
ef5633d4b RELEASE-NOTES: synced with 3b9ea70ee
3b9ea70ee TODO: Expose tried IP addresses that failed
48c184a60 curl.1: mention http:// and https:// as valid proxy prefixes
76db03dd9 curl.1: documented two missing valid exit codes
63e58b8b4 CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
671f0b506 Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
4b6f3cff7 tests: mark data files as non-executable in git
98c572ed3 tests: update .gitignore for libtests
e959f16c5 multi_done: prune DNS cache
06a0a26fb mailmap: fixup two old git Author "aliases"
7ab4e7adb openssl: Disable file buffering for Win32 SSLKEYLOGFILE
b1b94305d RESOLVE: output verbose text when trying to set a duplicate name
bbea75ad6 CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
a4a56ec93 sftp: allow quoted commands to use relative paths
9fb5a943f CURLOPT_PRIVATE.3: fix grammar
179ee78e8 curl: remove __EMX__ #ifdefs
9dfb19483 openssl: improve data-pending check for https proxy
9ffad8eb1 curl: don't set CURLOPT_INTERLEAVEDATA
912324024 curl.h: remove incorrect comment about ERRORBUFFER
ebaab4d17 configure: add AX_CODE_COVERAGE only if using gcc
b5881d1fb curl: limit -# update frequency for unknown total size
546e7db78 BINDINGS: another PostgreSQL client
55e609890 CONNECT: keep close connection flag in http_connect_state struct
c103cac3c include: get netinet/in.h before linux/tcp.h
00cda0f9b openldap: fix checksrc nits
ff07f07cc openldap: add commented out debug possibilities
bb0ca2d44 examples: move threaded-shared-conn.c to the "complicated" ones
4fb85b87b RELEASE-NOTES: synced with b261c44e8
b261c44e8 URL: tolerate backslash after drive letter for FILE:
24dcd7466 tests: added netinet/in6.h includes in test servers
76ebd5417 configure: check for netinet/in6.h
0c65678e7 curl-config: add --ssl-backends
ea3a5d07d conncache: only allow multiplexing within same multi handle
415b8dff8 threaded-shared-conn.c: fixed typo in commenta
5254d8bf2 threaded-shared-conn.c: new example
07cb27c98 conncache: fix several lock issues
85f0133ea libssh: remove dead code in sftp_qoute
615edc1f7 sasl_getmesssage: make sure we have a long enough string to pass
440140946 libssh2: remove dead code from SSH_SFTP_QUOTE
6401ddad4 ssh-libssh.c: please checksrc
918530752 libssh: fixed dereference in statvfs access
8dad32bcf RESOURCES: update spec names
a08f5a77c libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
8843c0939 libssh: no need to call sftp_get_error as ssh_get_error is sufficient
3cef6f22e libssh: fix minor static code analyzer nits
10bb0b471 openssl: pkcs12 is supported by boringssl
8eff32f0b travis: use pip2 instead of pip
b7f534597 lib582: do not verify host for SFTP
a2f396680 libssh: added SFTP support
c75c9d4fb symbols-in-versions: added new symbols with 7.56.3 version
05675ab5a .travis.yml: added build --with-libssh
38aef6dc4 libssh2: return CURLE_UPLOAD_FAILED on failure to upload
75427291e libssh2: send the correct CURLE error code on scp file not found
c92d2e14c Added support for libssh SSH SCP back-end
3973ee6a6 RELEASE-NOTES: synced with af8cc7a69
af8cc7a69 curlver: towards 7.57.1
4b4142491 lib: don't export all symbols, just everything curl_*
9194a9959 SSL: Avoid magic allocation of SSL backend specific data
744ee5838 examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
270494e1a travis: add boringssl build

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-28 21:03:46 +01:00
Stephan Brunner
285791934b hostapd: add support for hostapd's radius_client_addr
Add support for hostapd's radius_client_addr in order to
force hostapd to send RADIUS packets from the correct source
interface rather than letting linux select the most appropriate.

Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
2018-01-27 16:46:45 +01:00
Yousong Zhou
e6de92cdcc iptables: make kmod-ipt-debug part of default ALL build
The iptables TRACE target is only available in raw table that's why the
dependency was moved from iptables-mod-trace into kmod-ipt-debug

Fixes FS#1219

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-26 15:29:02 +08:00
Kevin Darbyshire-Bryant
03a00eeab3 wireguard: bump to 20180118
Bump to latest wireguard release snapshot:

9a93a3d version: bump snapshot
7bc0579 contrib: keygen-html: update curve25519 implementation
ffc13a3 tools: import new curve25519 implementations
0ae7356 curve25519: wire up new impls and remove donna
f90e36b curve25519: resolve symbol clash between fe types
505bc05 curve25519: import 64-bit hacl-star implementation
8c02050 curve25519: import 32-bit fiat-crypto implementation
96157fd curve25519: modularize implementation
4830fc7 poly1305: remove indirect calls
bfd1a5e tools: plug memleak in config error path
09bf49b external-tests: add python implementation
b4d5801 wg-quick: ifnames have max len of 15
6fcd86c socket: check for null socket before fishing out sport
ddb8270 global: year bump
399d766 receive: treat packet checking as irrelevant for timers

No patch refresh required.

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-25 22:40:06 +01:00
Matthias Schiffer
95ab18e012
vxlan: add options to enable and disable UDP checksums
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-24 13:53:34 +01:00
Matthias Schiffer
4d001af7c5
netifd: update to latest git HEAD
af3cadb system-linux: VXLAN: add options to enable and disable UDP checksums

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-24 13:50:50 +01:00
Koen Vandeputte
5bdbc10b1b uqmi: silence error on pin verification
If a device only supports the 2nd verification method (uim),
the first method will fail as expected reporting an error:

"Command not supported"

Silence both separate methods and only report an error regarding
pin verification if both fail.

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-01-22 08:46:46 +01:00
Hauke Mehrtens
4336efe14b kernel: use upstream patches for musl
This replaces the current patches used to make the kernel headers
compatible with musl with the version which was accepted upstream. This
is included in upstream kernel 4.15.
This was compile tested with iproute2 build on all supported kernel
versions with musl and one one with glibc.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-01-20 22:11:33 +01:00
Philip Prindeville
a30791242b nftables: update to 0.8.1
Note this requires libnftnl-1.0.8 or higher, so that update needs
to be merged first.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-01-20 20:22:01 +01:00
Kevin Darbyshire-Bryant
adaf1cbcc8 dnsmasq: backport validation fix in dnssec security fix
A DNSSEC validation error was introduced in the fix for CVE-2017-15107

Backport the upstream fix to the fix (a simple typo)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-20 14:22:39 +01:00
Kevin Darbyshire-Bryant
a3198061f8 dnsmasq: backport dnssec security fix
CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org  and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-19 22:11:16 +01:00
Hans Dedecker
26045049ba odhcp6c: add sendopts config support and update to latest git HEAD
Add sendopts config support allowing to add options in sent DHCPv6 packets.

Options can be configured as follows :
	uci set network.wan6.sendopts="sntpservers:3001:3001::1,3001:3001::2 11:00000000000000000000006674692F 0x3e8:ABCDEF"

Based on a patch by Frank Andrieu <fandrieu@gmail.com>

See https://git.openwrt.org/?p=project/odhcp6c.git;a=commit;h=510aaf6d528210c5e8a6159f9b80b32615e88c5f
for a more detailed description.

Latest git changes :
	1f93bd4 dhcpv6: rework option passthrough logic
	a477e95 odhcp6c: rework userclass and vendorclass command handling
	510aaf6 odhcp6c: add -x opt:val support
	ab75be1 treewide: update copyrights to 2018
	f3a4609 odhcp6c: let odhcp6c_add_state return a success/failure indication

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-18 11:39:42 +01:00
Felix Fietkau
8061c62f5d authsae: remove package
It is no longer actively maintained and does not work well in many
configurations. Fully replaced by wpad-mesh

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-01-17 11:05:11 +01:00
Jo-Philipp Wich
5bbcd80e3f xtables-addons: remove from base
The package has been moved to the package feed repository to allow for
non-base dependencies such as Perl.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-16 19:40:29 +01:00
Jo-Philipp Wich
190c1c3cc8 iwinfo: update to latest git HEAD
5a5e21b nl80211: skip event notifications in wpa_supplicant scan result reply

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-16 14:10:52 +01:00
Kevin Darbyshire-Bryant
aba3b1c6a3 dnsmasq: use SIGINT for dnssec time valid
Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation
enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts
files, 5) reload resolvers/servers files.

Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug
(to indicate time is valid for dnssec) 2) odhcpd (to indicate a
new/removed host - typically DHCPv6 leases) 3) procd on interface state
changes 4) procd on system config state changes, 5) service reload.

If dnssec time validation is enabled before the system clock has been
set to a sensible time, name resolution will fail.  Because name
resolution fails, ntpd is unable to resolve time server names to
addresses, so is unable to set time.  Classic chicken/egg.

Since commits 23bba9cb33 (service reload) &
4f02285d8b (system config)  make it more
likely a SIGHUP will be sent for events other than 'ntpd has set time'
it is more likely that an errant 'name resolution is failing for
everything' situation will be encountered.

Fortunately the upstream dnsmasq people agree and have moved 'check
dnssec timestamp enable' from SIGHUP handler to SIGINT.

Backport the upstream patch to use SIGINT.
ntpd hotplug script updated to use SIGINT.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-15 22:34:51 +01:00
Koen Vandeputte
7488be7010 uqmi: fix raw-ip mode for newer lte modems
Some newer LTE modems, like the MC7455 or EC25-E do not support
"802.3" mode, and will stay in "raw-ip" regardless of the mode being
set.

In this case, the driver must be informed that it should handle all
packets in raw mode. [1]

This commit fixes connectivity issues for these devices.

Before:

[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending discover
udhcpc: sending discover

After:

[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending select for 100.66.245.226
udhcpc: lease of 100.66.245.226 obtained, lease time 7200
udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast
+
udhcpc: setting default routers: 100.66.245.225

[1] https://lists.freedesktop.org/archives/libqmi-
devel/2017-January/002064.html

Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[bumped PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-15 15:30:53 +01:00
Hans Dedecker
4e48230954 6rd: pass ipcalc as argument to eval
Instead of grepping for NETWORK after calling ipcalc.sh; pass ipcalc.sh as
argument to eval allowing to use $NETWORK to retrieve the IPv4 prefix
(ip4prefix).

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-15 09:49:26 +01:00
Matthias Schiffer
37cf77d946
treewide: fix build depends to refer to source package names
Build depends must refer to source packages rather than binary package
names.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
f73f1aee76
ebtables: update to latest git 2017-10-24
6a82659 Use flock() for --concurrent option
73c2371 ebtables: extensions: Constify option struct

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-11 11:50:50 +01:00
Hans Dedecker
377c4a68fe omcproxy: silence fw3 warnings
Silence fw3 warnings in omcproxy init script in case fw3 is not enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-10 21:38:55 +01:00
Jo-Philipp Wich
fe920d01bb treewide: replace LEDE_GIT with PROJECT_GIT
Remove LEDE_GIT references in favor to the new name-agnostic
PROJECT_GIT variable.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-10 21:27:32 +01:00
Mogula Pranay
012d20eebe netifd: update dhcp.script to handle dynamic routing
Certain DHCP servers push a gateway outside of the assigned interface subnet,
to support those situations, install a host route towards the gateway.

If Gateway and IP are served in same network, openwrt quagga cannot learn
routes (rip routes are not getting added, showing inactive) whereas
working fine when Gateway and IP are in different network.

Signed-off-by: Mogula Pranay <mogula.pranay@nxp.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-10 09:19:08 +01:00
Mathias Kresin
18f49449b0 ltq-xdsl-app: drop script for renaming the netdev
Our netdevs are named dsl by default now, the rename via scripts isn't
required anymore.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-01-10 08:08:53 +01:00
Mathias Kresin
e4936a957d ltq-xdsl-app: drop manual br2684ctl reload
br2684ctl starts automatically, set up reload triggers, which fire as soon
as a atm driver is loaded. No need to do the reload via the script.

The reload is only required as soon as we can reliable switch between atm
and ptm driver and need to be implemented in a race free way.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-01-10 08:08:53 +01:00
Martin Schiller
1b1388f640 linux-atm: add br2684ctl option to specify the netdev name
Add the uci option nameprefix to specifc a target netdev name. Patch the
br2684ctl code to accept and set a netdev name via commandline parameters.

It allows to use the same netdev name for ATM and PTM lines on lantiq
xdsl hardware.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Mathis Kresin <dev@kresin.me>
2018-01-10 08:08:53 +01:00
Hauke Mehrtens
f1fb710483 lantiq: activate noise margin delta for VDSL too
Previously this was only activated for ADSL, this patch activates the
same setting also for VDSL, this feature is also support for VDSL in the
same way it works for ADSL.
I tested it with DSL FW 5.7.9.5.1.7 against a Broadcom 177.140 DSLCO
(Deutsche Telekom) and saw different data rates and Max. Attainable Data
Rates depending on the ds_snr_offset settings I choose.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-01-07 23:42:54 +01:00
Jo-Philipp Wich
6e4fa5d1a3 hostapd: bump PKG_RELEASE after 802.11w changes
Fixes: 8a57531855 "hostapd: set group_mgmt_cipher when ieee80211w is enabled"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 12:42:45 +01:00
Jo-Philipp Wich
8a57531855 hostapd: set group_mgmt_cipher when ieee80211w is enabled
In order to properly support 802.11w, hostapd needs to advertise a group
management cipher when negotiating associations.

Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which
defaults to the standard AES-128-CMAC cipher and always emit a
"group_mgmt_cipher" setting in native hostapd config when 802.11w is
enabled.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 12:33:47 +01:00
Hans Dedecker
6c76decd61 netifd: update to latest git HEAD
fd5c399 proto: allow dumping protocol handlers without config_params

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-01-04 09:49:45 +01:00
John Crispin
25302c0a08 umdns: update to latest git HEAD
7897441 umdnsd: Replace strerror(errno) with %m.

Signed-off-by: John Crispin <john@phrozen.org>
2018-01-02 14:29:12 +01:00
Hauke Mehrtens
9f626501cb nftables: fix sha256sum
The mirror was delivering a file with a different hash.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-12-31 18:46:13 +01:00
rektide de la faye
0f72690a2d iptables: fix nftables compile issue (FS#711)
Enabling IPTABLES_NFTABLES resulted in an error during build:#
*** No rule to make target '../extensions/libext.a',
needed by 'xtables-compat-multi'."

Comments from Alexander Lochmann and Fedor Konstantinov in FS#711
provided fixes for this build error, allowing iptables to compile.
https://bugs.lede-project.org/index.php?do=details&task_id=711.

This commit updates the Makefile.am xtables_compat_multi_LDFLAGS
and _LDADD, moving linking of extensions to LDFLAGS.

Signed-off-by: rektide de la faye <rektide@voodoowarez.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-29 18:06:25 +01:00
Florian Eckert
23bba9cb33 dnsmasq: send procd signal on service reload
Send a SIGHUP signal via procd to the dnsmasq service so the instance(s)
re-read(s) the /tmp/hosts/dhcp config.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2017-12-26 23:35:45 +01:00
Florian Eckert
4f02285d8b dnsmasq: rewrite config on host name modification
If the hostname in /etc/config/system is modified the dnsmasq should also
get triggered to rewrite/reload the config.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2017-12-26 23:35:34 +01:00
Kevin Darbyshire-Bryant
edf5ae2026 wireguard: bump to 20171221
7e945a8 version: bump snapshot
f2168aa compat: kernels < 3.13 modified genl_ops
52004fd crypto: compile on UML
6b69b65 wg-quick: dumber matching for default routes
aa35d9d wg-quick: add the "Table" config option
037c389 keygen-html: remove prebuilt file

No patch refresh required.

Compile-test-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-12-23 22:08:12 +01:00
Hans Dedecker
d3ba3963c1 odhcpd: update to latest git HEAD
7aa2594 odhcpd: Replace strerror(errno) with %m format
750e457 Support muliple RAs on single interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-22 18:30:33 +01:00
Hauke Mehrtens
dda2229c52 layerscape: fix package download
The git hash was changed for multiple layerscape packages without
changing the version number. The LEDE build system will not download the
packages again if the old version is already there and so some people
and the build bots are using wrong version of some packages. Use
PKG_SOURCE_DATE instead of PKG_VERSION to generate packages with the
date and the first charterers of the git hash. This will change the file
name and make the build system download them again, also if in future
the git hash is changed the file name will change and trigger a new
download.

This should fix a problem spotted by build bot.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-12-21 10:02:16 +01:00
Hauke Mehrtens
436fe56485 xtables-addons: fix compile with kernel 4.14
This fixes a compile problems seen with kernel 4.14.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-12-16 22:14:49 +01:00
Hauke Mehrtens
c0160f01ae xtables-addons: update to version 2.14
This includes a compile fix needed for kernel 4.14.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-12-16 22:10:21 +01:00
Kevin Darbyshire-Bryant
a9940ca2d7 iproute2: cake: support new operating modes
There has been recent significant activity with the cake qdisc of late
Some of that effort is related to upstreaming to kernel & iproute2
mainline but we're not quite there yet.  This commit teaches tc how to
activate and interprete the latest cake operating modes, namely:

ingress mode: Instead of only counting packets that make it past the
shaper, include packets we've decided to drop as well, since they did
arrive with us on the link and took link capacity.
This mode is more suitable for shaping the ingress of a link
(e.g. from ISP) rather than the more normal egress.

ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS.  Useful in
highly assymetric links (downstream v upstream capacity) where the
majority of upstream link capacity is occupied with ACKS for downstream
traffic.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-12-15 23:54:51 +01:00
Hans Dedecker
7f029c3924 netifd: update to latest git HEAD
4268193 interface-ip: harden eui64 IPv6 prefix address generation
81ff6d1 interface-ip: fix race condition in IPv6 prefix address generation
d3a5df0 handler: replace is_error() helper with NULL check

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-15 17:44:50 +01:00
Hans Dedecker
5d6f2a2764 uhttpd: fix PKG_CONFIG_DEPENDS (FS#1189)
Remove PACKAGE_uhttpd_debug config as this is an unused leftover
Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-15 17:44:42 +01:00
Kevin Darbyshire-Bryant
30e18c8d64 wireguard: bump to 20171211
Bump to latest WireGuard snapshot release:

44f8e4d version: bump snapshot
bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x
679e53a chacha20: avx512vl implementation
10b1232 poly1305: fix avx512f alignment bug
5fce163 chacha20poly1305: cleaner generic code
63a0031 blake2s-x86_64: fix spacing
d2e13a8 global: add SPDX tags to all files
d94f3dc chacha20-arm: fix with clang -fno-integrated-as.
3004f6b poly1305: update x86-64 kernel to AVX512F only
d452d86 tools: no need to put this on the stack
0ff098f tools: remove undocumented unused syntax
b1aa43c contrib: keygen-html for generating keys in the browser
e35e45a kernel-tree: jury rig is the more common spelling
210845c netlink: rename symbol to avoid clashes
fcf568e device: clear last handshake timer on ifdown
d698467 compat: fix 3.10 backport
5342867 device: do not clear keys during sleep on Android
88624d4 curve25519: explictly depend on AS_AVX
c45ed55 compat: support RAP in assembly
7f29cf9 curve25519: modularize dispatch

Refresh patches.

Compile-test-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-12-12 22:24:26 +01:00
Martin Schiller
65d62b5f4f dropbear: disable MD5 HMAC and switch to sha1 fingerprints
As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.

By disabling the MD5 HMAC support dropbear  will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-12-12 22:24:17 +01:00
Hans Dedecker
893a1ede2e dnsmasq: add DHCP build switch support in full variant
Add config option which allows to enable/disable DHCP support at compile
time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support
implies having DHCP support.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-10 16:42:01 +01:00
Mathias Kresin
abdf0dea3a netifd: always send DHCPv4 hostname
udhcpc doesn't send a hostname by default. Use the system hostname if
nothing else is specified, to always send a hostname.

It syncs the behaviour to odhcpc, which always sends a hostname.

Signed-off-by: Mathias Kresin <dev@kresin.me>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-08 21:00:26 +01:00
Zoltan HERPAI
2ffff58c2b merge: uhttpd: update cert generation to match system defaults
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2017-12-08 19:41:18 +01:00
Zoltan HERPAI
23f774f727 merge: packages: update branding in core packages
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2017-12-08 19:41:18 +01:00
Zoltan HERPAI
1f8585cf99 merge: ssid: update default ssid
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2017-12-08 19:41:18 +01:00
Hans Dedecker
01c5cf0b24 odhcpd: fix faulty PKG_SOURCE_DATE in 711a816
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-07 18:43:01 +01:00
Hans Dedecker
a39ddff428 dnsmasq: write atomic host file
Different invocations of the dnsmasq init script (e.g. at startup by procd)
will rewrite the dhcp host file which might result into dnsmasq reading an
empty dhcp host file as it is being rewritten by the dnsmasq init script.
Let the dnsmasq init script first write to a temp dhcp host file so it does
not overwrite the contents of the existing dhcp host file.

Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-07 10:59:03 +01:00
Timo Sigurdsson
bd45e15d0a hostapd: backport fix for wnm_sleep_mode=0
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-12-07 02:00:23 +02:00
Timo Sigurdsson
6515887ed9 hostapd: Expose the tdls_prohibit option to UCI
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.

Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.

Make this option configurable via UCI, but disabled by default.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2017-12-07 01:57:29 +02:00
Hans Dedecker
79a19e5d27 iproute2: align ip help text for tiny variant
Tiny variant supports a subset of the ip commands; align the ip help
text so it actually reflects which commands are supported in the
tiny variant.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-06 22:30:54 +01:00
Russell Senior
c3c1185d56 iproute2: update to v4.14.1
Preserves optionality of libmnl by letting configuration
script follow the HAVE_MNL environment variable.

Signed-off-by: Russell Senior <russell@personaltelco.net>
2017-12-06 22:30:00 +01:00
Hans Dedecker
711a816770 odhcpd: update to latest git HEAD
c516801 dhcpv4: notify DHCP ACK and RELEASE via ubus

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-06 19:17:44 +01:00
Hans Dedecker
347d18177e dnsmasq: backport infinite dns retries fix
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-06 14:55:12 +01:00
Felix Fietkau
aec1b6bfcb samba36: backport an upstream fix for an information leak (CVE-2017-15275)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-12-04 09:58:20 +01:00
Roman Yeryomin
b32e4c64c7 packages: dnsmasq: remove unused stamp file
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2017-12-02 09:58:04 +01:00
Hans Dedecker
b0b289ea45 curl: bump to 7.57.0 (3 CVEs)
CVE-2017-8816: NTLM buffer overflow via integer overflow
CVE-2017-8817: FTP wildcard out of bounds read
CVE-2017-8818: SSL out of buffer access

For other bugfixes and changes in 7.57.0 see https://curl.haxx.se/changes.html

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-30 09:44:17 +01:00
Borja Salazar
759785c01a dnsmasq: add interface to ubus notification
Signed-off-by: Borja Salazar <borja.salazar@fon.com>
2017-11-29 22:03:39 +01:00
Jo-Philipp Wich
fcfd5cdb59 dnsmasq: fix dhcp-host entries with empty macs
Due to improper localization of helper variables, "config host" entries
without a given mac address may inherit the mac address of a preceeding,
leading to invalid generated netive configuration.

Fix the issue by marking the "macs" and "tags" helper variables in
dhcp_host_add() local, avoiding the need for explicitely resetting them
with each invocation.

Reported-by: Russell Senior <russell@personaltelco.net>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-11-28 18:11:25 +01:00
Kevin Darbyshire-Bryant
179125d334 wireguard: bump to snapshot 20171127
== Changes ==

 * compat: support timespec64 on old kernels
 * compat: support AVX512BW+VL by lying
 * compat: fix typo and ranges
 * compat: support 4.15's netlink and barrier changes
 * poly1305-avx512: requires AVX512F+VL+BW

 Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.

 * blake2s: AVX512F+VL implementation
 * blake2s: tweak avx512 code
 * blake2s: hmac space optimization

 Another terrific submission from Samuel Neves: we now have an implementation
 of Blake2s using AVX512, which is extremely fast.

 * allowedips: optimize
 * allowedips: simplify
 * chacha20: directly assign constant and initial state

 Small performance tweaks.

 * tools: fix removing preshared keys
 * qemu: use netfilter.org https site
 * qemu: take shared lock for untarring

 Small bug fixes.

Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.

Run-tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-27 14:50:04 +01:00
Stijn Tintel
2f1c05bb80 lldpd: bump to 0.9.9
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-11-27 09:43:23 +01:00
Fushan Wen
40868e3bb6 kmod-sched-cake: update to latest git HEAD
dfb2f6c pkt_sched: make compile again
5ab7026 sch_cake: make compile again
6f28803 codel5: make more checkpatch compliant
bd426aa Fix build error on 4.12
e4a3628 Whitespace tidy up

Signed-off-by: Fushan Wen <qydwhotmail@gmail.com>
2017-11-25 19:53:37 +01:00
Hans Dedecker
f965827bfb odhcpd: update to latest git HEAD
92e205d dhcpv6: fix compile issues when CER-ID extension is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-25 18:17:43 +01:00
Hans Dedecker
99ea749d37 odhcpd: add a full and ipv6only variant (FS#1188)
Add an ipv6only variant providing server services for RA, stateful and stateless
DHCPv6, prefix delegation and relay support for DHCPv6, NDP and RA.

The full variant called odhcpd supports DHCPv4 server as before.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-25 18:17:43 +01:00
Kevin Darbyshire-Bryant
088262ac7a wireguard: bump to 20171122
Bump to latest WireGuard snapshot release:

ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-24 12:55:38 +01:00
Hans Dedecker
6aa4b97a8a odhcpd: fix gcc7 build error
0573422 ndp: add switch/case fallthrough comments

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-21 15:15:20 +01:00
Leon M. George
63462910dd hostapd: remove unused local var declaration
Signed-off-by: Leon M. George <leon@georgemail.eu>
2017-11-21 13:11:42 +01:00
Leon M. George
cc0847eda3 hostapd: don't set htmode for wpa_supplicant
no longer supported

Signed-off-by: Leon M. George <leon@georgemail.eu>
2017-11-21 13:11:42 +01:00
Hans Dedecker
a28d1d5444 odhcpd: update to latest git HEAD (make dhcpv4 support optional)
fd80621 dhcpv4: make DHCPv4 support compiletime configurable
cf29925 treewide: rework handling of netlink events
24cdc1b treewide: add netlink file
5dfb716 treewide: align function naming

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-20 21:40:03 +01:00
Emerson Pinter
bc50a97dfc dnsmasq: load instance-specific conf-file if exists
Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.

Signed-off-by: Emerson Pinter <dev@pinter.com.br>
2017-11-19 22:27:49 +01:00
Hans Dedecker
6fcf4228d8 netifd: update to latest git HEAD
c92106e interface-ip: add missing IPv6 policy rule

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-17 21:58:13 +01:00
Alexander Couzens
c61a239514
add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-17 02:24:35 +01:00
Kevin Darbyshire-Bryant
eea9d2505b wireguard: bump to 0.0.20171111
edaad55 (tag: 0.0.20171111) version: bump snapshot
7a989b3 tools: allow for NULL keys everywhere
46f8cbc curve25519: reject deriving from NULL private keys
9b43542 tools: remove ioctl cruft
f6cea8e allowedips: rename from routingtable
23f553e wg-quick: allow for tabs in keys
ab9befb netlink: make sure we reserve space for NLMSG_DONE
73405c0 compat: 4.4.0 has strange ECN function
868be0c wg-quick: stat the correct enclosing folder of config file
ceb11ba qemu: bump kernel version
0a8e173 receive: hoist fpu outside of receive loop
bee188a qemu: more debugging
f1fdd8d device: wait for all peers to be freed before destroying
2188248 qemu: check for memory leaks
c77a34e netlink: plug memory leak
0ac8efd device: please lockdep
a51e196 global: revert checkpatch.pl changes
65c49d7 Kconfig: remove trailing whitespace

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-16 22:35:36 +01:00
Felix Fietkau
d91494eedf hostapd: rework frequency/ht/vht selection for ibss/mesh
- Remove obsolete patch chunks regarding fixed_freq
- Instead of patching in custom HT40+/- parameters, use the standard
config syntax as much as possible.
- Use fixed_freq for mesh
- Fix issues with disabling obss scan when using fixed_freq on mesh

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-15 18:49:12 +01:00
Sven Eckelmann
772afef61d hostapd: explicitly set beacon interval for wpa_supplicant
The beacon_int is currently set explicitly for hostapd and when LEDE uses
iw to join and IBSS/mesh. But it was not done when wpa_supplicant was used
to join an encrypted IBSS or mesh.

This configuration is required when an AP interface is configured together
with an mesh interface. The beacon_int= line must therefore be re-added to
the wpa_supplicant config. The value is retrieved from the the global
variable.

Fixes: 1a16cb9c67 ("mac80211, hostapd: always explicitly set beacon interval")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [rebase]
2017-11-15 18:49:12 +01:00
Sven Eckelmann
43f66943d0 hostapd: set mcast_rate in mesh mode
The wpa_supplicant code for IBSS allows to set the mcast rate. It is
recommended to increase this value from 1 or 6 Mbit/s to something higher
when using a mesh protocol on top which uses the multicast packet loss as
indicator for the link quality.

This setting was unfortunately not applied for mesh mode. But it would be
beneficial when wpa_supplicant would behave similar to IBSS mode and set
this argument during mesh join like authsae already does. At least it is
helpful for companies/projects which are currently switching to 802.11s
(without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
because newer drivers seem to support 802.11s but not IBSS anymore.

Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh]
2017-11-15 18:49:06 +01:00
Felix Fietkau
46e875a0b0 hostapd: refresh ubus patch
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-15 18:46:50 +01:00
Hans Dedecker
31ebbe34cc igmpproxy: remove firewall rules when service is stopped
Remove multicast routing firewall rules when the igmpproxy is stopped by
triggering a firewall config change.
Keeping the firewall open from the wan for igmp and udp multicast is not
desired when the igmpproxy service is inactive.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-14 22:01:44 +01:00
Jaroslav Safka
17a4eacd0c dnsmasq: fix swapped ubus args mac and ip
Fix swapped arguments "mac" and "ip" when calling function
"ubus_event_bcast".

Signed-off-by: Jaroslav Safka <devel@safka.org>
2017-11-13 23:30:33 +01:00
Martin Schiller
e2f25e607d openvpn: add support to start/stop single instances
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-11-13 21:37:24 +01:00
Felix Fietkau
12f9305c12 wireguard: fix portability issue
Check if the compiler defines __linux__, instead of assuming that the
host OS is the same as the target OS.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-11 13:20:39 +01:00
Felix Fietkau
f7186599ce wireguard: move to kernel build directory
It builds a kernel module, so its build dir should be target specific

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-11 13:20:39 +01:00
Yangbo Lu
23c1504059 layerscape: add restool package
restool is a user space application providing the
ability to dynamically create and manage Layerscape
DPAA2 containers and objects from Linux.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2017-11-10 23:00:47 +01:00
Hans Dedecker
1928fc93ce firewall: update to latest git HEAD
c430937 ubus: parse the firewall data within the service itself

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-07 22:35:46 +01:00
Jo-Philipp Wich
05a4200d56 uhttpd: fix query string handling
Update to latest Git in order to fix potential memory corruption and invalid
memory access when handling query strings in conjunction with active basic
authentication.

a235636 2017-11-04 file: fix query string handling

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-11-07 12:02:06 +01:00
Daniel Golle
ebdf5ed50b netifd: fix PKG_MIRROR_HASH
commit fbde9ac718 set an incorrect sha256sum which doesn't match the
file http://sources.lede-project.org/netifd-2017-10-31-0f96606b.tar.xz
or a locally packaged checkout (which resulted in a file identical with
the one referenced by the URL above).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-11-07 00:21:02 +01:00
Yury Shvedov
09f90b7829 hostapd: remove default r1_key_holder generation
By default, hostapd assumes r1_key_holder equal to bssid. If LEDE
configures the same static r1 key holder ID on two different APs (BSSes) the
RRB exchanges fails behind them.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
2017-11-06 16:39:41 +01:00
Denis Osvald
ee791fa4ab netfilter, iptables: add optional CHECKSUM module
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
2017-11-06 16:39:41 +01:00
Arjun AK
63d7c45886 iwinfo: add "PKG_MIRROR_HASH" to the Makefile
Defining it will let the build tool download the tarball file from
a buildbot server, avoiding a clone of the source repo.

Signed-off-by: Arjun AK <lede@arjunak.com>
2017-11-06 16:39:41 +01:00
Philip Prindeville
e03dcf494e iperf3: update to 3.3 and refresh patches
Taking the same patchset I've submitted upstream for inclusion.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2017-10-31 14:19:51 -06:00
Koen Vandeputte
06d5d01e8a uqmi: replace legacy command invoke with newer type
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-10-24 16:20:22 +02:00
Koen Vandeputte
09582d6b4d uqmi: also try newer pin verification
Newer devices tend to only support the newer version of the pin
verification command, so also try that one.

Fixes PIN issues with modems like the Sierra Wireless MC7455

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-10-24 16:20:21 +02:00
Kevin Darbyshire-Bryant
e0bd225269 wireguard: version bump to 0.0.20171101
Update wireguard to latest snapshot:

9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-04 18:10:21 +01:00
Tero Jänkä
82a4b8dd6a netifd: fix dns and domain variables pollution in dhcp.script
Unmodified dns and domain variables could be needed in user script (/etc/udhcpc.user).

Signed-off-by: Tero Jänkä <tero.janka@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cleanup)
2017-11-02 18:20:55 +01:00
Hans Dedecker
b00cf0e58e curl: bump to 7.56.1
Refresh patches
Remove 320-curl-confopts.m4-fix-disable-threaded-resolver.patch as
integrated upstream

See https://curl.haxx.se/changes.html for the bugfixes in 7.56.0 and
7.56.1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-29 23:07:43 +01:00
Karl Vogel
76378c6b9f build: use KERNEL_MAKE_FLAGS for kernel file compilations
The build system already defines KERNEL_CROSS which defaults to TARGET_CROSS.
Make use of this variable for kernel makefiles.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-10-29 16:17:05 +01:00
Jo-Philipp Wich
75021e9411 Revert "wpa_supplicant: log to syslog instead of stdout"
This reverts commit e7373e489d.

Support of "-s" depends on the CONFIG_DEBUG_SYSLOG compile time flag which
is not enabled for all build variants.

Revert the change for now until we can properly examine the size impact of
CONFIG_DEBUG_SYSLOG.

Fixes FS#1117.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-10-27 11:43:59 +02:00
Martin Wetterwald
378e1a4858 iptables: Fix target TRACE issue
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.

The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.

But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.

I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!

https://dev.openwrt.org/ticket/16694
https://dev.openwrt.org/ticket/19661

Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
                  and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
2017-10-27 02:31:33 +02:00
John Crispin
21e59ee3a2 hostapd: fix up ubus support
Signed-off-by: John Crispin <john@phrozen.org>
2017-10-25 21:45:31 +02:00
Kevin Darbyshire-Bryant
240d4b1b6e ltq-xdsl-app: script style nit
Fix missing space style nit.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-10-25 18:48:51 +02:00
Mathias Kresin
dacf6db2ee ltq-adsl-app: add more script notifications
Backport HANDSHAKE and TRAINING notification from ltq-vdsl-app. It
unifies the dsl led blinking pattern accross all subtargets and allows
to get the current line status from the dsl led.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:05 +02:00
Mathias Kresin
b02b7004f8 lantiq: xway: rename nas0/ptm0 to dsl0
This change makes it possible to configure the wan/dsl ppp interface
settings independantly from the used TC-Layer (ATM/PTM).

By using dsl0 as interface name as for the xrx200 we can get rid of a
few conditionals which were introduced because of the different default
TC-Layer in xway and xrx200.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:05 +02:00
Mathias Kresin
1470c79ceb ltq-adsl-app: use notification based ATM/PTM driver load
This patch removes the fixed atm/ptm driver loading and
switches to notification based driver loading.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:05 +02:00
Mathias Kresin
d456a888d0 ltq-adsl-app: convert init script to procd
Use the procd features for the init script.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:05 +02:00
Hans Dedecker
fbde9ac718 netifd: bump to git HEAD version (FS#1037)
0f96606 proto: add point-to-point IPv4 address config support (FS#1037)
1ee788d ubus: display the point-to-point IPv4 address

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-19 21:48:49 +02:00
Stijn Tintel
060e37567e hostapd: bump PKG_RELEASE
The previous commit did not adjust PKG_RELEASE, therefore the
hostapd/wpad/wpa_supplicant packages containing the AP-side workaround
for KRACK do not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 13:02:12 +03:00
Jason A. Donenfeld
f6c4a9c045 wireguard: version bump to 0.0.20171017
This is a simple version bump. Changes:

  * noise: handshake constants can be read-only after init
  * noise: no need to take the RCU lock if we're not dereferencing
  * send: improve dead packet control flow
  * receive: improve control flow
  * socket: eliminate dead code
  * device: our use of queues means this check is worthless
  * device: no need to take lock for integer comparison
  * blake2s: modernize API and have faster _final
  * compat: support READ_ONCE
  * compat: just make ro_after_init read_mostly

  Assorted cleanups to the module, including nice things like marking our
  precomputations as const.

  * Makefile: even prettier output
  * Makefile: do not clean before cloc
  * selftest: better test index for rate limiter
  * netns: disable accept_dad for all interfaces

  Fixes in our testing and build infrastructure. Now works on the 4.14 rc
  series.

  * qemu: add build-only target
  * qemu: work on ubuntu toolchain
  * qemu: add more debugging options to main makefile
  * qemu: simplify shutdown
  * qemu: open /dev/console if we're started early
  * qemu: phase out bitbanging
  * qemu: always create directory before untarring
  * qemu: newer packages
  * qemu: put hvc directive into configuration

  This is the beginning of working out a cross building test suite, so we do
  several tricks to be less platform independent.

  * tools: encoding: be more paranoid
  * tools: retry resolution except when fatal
  * tools: don't insist on having a private key
  * tools: add pass example to wg-quick man page
  * tools: style
  * tools: newline after warning
  * tools: account for padding being in zero attribute

  Several important tools fixes, one of which suppresses a needless warning.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:43:06 +02:00
Stijn Tintel
c5f97c9372 hostapd: add wpa_disable_eapol_key_retries option
Commit 2127425434 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.

Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 17:25:05 +03:00
Stijn Tintel
2127425434 hostapd: backport extra changes related to KRACK
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 17:24:47 +03:00
Stijn Tintel
5fff2f44d5 hostapd: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefore the
fixed hostapd/wpad/wpa_supplicant packages do not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 02:13:34 +03:00
Hauke Mehrtens
a29848c671 ppp: make the patches apply correctly again
This fixes a compile problem recently introduced by me.

Fixes: f40fd43ab2 ("ppp: fix compile warning")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-10-16 20:08:56 +02:00
Jason A. Donenfeld
699c6fcc31 wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to base a package.

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 14:01:21 +03:00
Felix Fietkau
bbda81ce30 hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:01:57 +02:00
Hauke Mehrtens
f40fd43ab2 ppp: fix compile warning
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-10-15 14:19:49 +02:00
Martin Schiller
2dc9c8206b lantiq: xrx200: rename nas0/ptm0 to dsl0
This change makes it possible to configure the wan/dsl ppp interface
settings independantly from the used TC-Layer (ATM/PTM).

Now you can move a device from an ADSL/ATM port to an VDSL/PTM port
without any configuration changes for example.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[use the dsl0 interface name for the default netdev trigger in 01_led,
add ip dependency]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-15 11:11:29 +02:00
Daniel Engberg
e4b6900fd6 libs/libnl: Update to 3.3.0
Update libnl to 3.3.0
Import patches to fix compilation
Source: https://git.busybox.net/buildroot/tree/package/libnl
Source: https://gitweb.gentoo.org/proj/musl.git/diff/dev-libs/libnl/files/libnl-3.3.0_rc1-musl.patch?id=48d2a287
Use more automatic toolchain logic

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-10-15 00:24:22 +02:00
Yunhui Fu
0f061af98e wpan-tools: add the wpan-ping to test the 6LoWPAN network
This patch adds the help tool wpan-ping to test the 6LoWPAN
network to help the user debug network problem.

Signed-off-by: Yunhui Fu <yhfudev@gmail.com>
2017-10-15 00:24:22 +02:00
Hans Dedecker
db18cee2d7 iproute2: bump to 4.13
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-13 21:48:44 +02:00
Christian Lamparter
7ffb707576 dnsmasq: add listen_address parameter
This patch adds a parser for the uci representation of
dnsmasq's "-a | --listen-address" option.

In summary, this option forces dnsmasq to listen on the
given IP address(es). Both interface and listen-address
options may be given, in which case the set of both
interfaces and addresses is used.

Note that if no interface option is given, but listen_address is,
dnsmasq will not automatically listen on the loopback interface.
To achieve this, the loopback IP addresses, 127.0.0.1 and/or ::1
must be explicitly added.

This option is useful for ujailed dnsmasq instances, that would
otherwise fail to work properly, because listening to the
"This host on this network" address (aka 0.0.0.0 see rfc1700 page 4)
may not be allowed.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-10-13 16:54:58 +02:00
Alexandru Ardelean
a5d016f361 net: uqmi: fix blocking in endless loops when unplugging device
If you unplug a QMI device, the /dev/cdc-wdmX device
disappears but uqmi will continue to poll it endlessly.

Then, when you plug it back, you have 2 uqmi processes,
and that's bad, because 2 processes talking QMI to the
same device [and the same time] doesn't seem to work well.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-10-09 16:07:42 +02:00
Stijn Tintel
f8595a51d9 conntrack-tools: switch to git
There have been a number of interesting fixes in conntrack-tools since
the current latest release. Most notable is that this fixes IPv6
conntrack table syncing when cross-compiling conntrack-tools.

7e7748d src/main: refresh help message
fe32043 conntrackd.8: refresh file
47a4dda conntrackd.8: add reference to systemd
0cfe7ff doc/manual: include some bits about init systems
74a418b conntrackd: cthelper: ftp: Set match offset/len for PORT mangling
d833bed conntrackd: cthelper: ftp: Fix debug print
dd4b5a1 conntrackd: cthelper: Add new mdns helper
498d698 Link nfct and helper modules with `-z lazy`
9e94e85 sync-mode: print errno message on failure
ab81c35 log: print messages to stdout/sderr if running in console mode
631d92b log: introduce a mechanism to know if log was initialized
ccb1c8b conntrackd: replace error reporting in the config parser with dlog()
bee121e conntrackd: replace fprintf calls with dlog()
5a51b04 conntrack-tools: update Arturo Borrero Gonzalez email address
abb9984 helper: remove copy and paste from uapi kernel header
a91a004 src: add log message when resync is requested by other node
c2d8be1 systemd: fix missing log.h include
f6ca216 config: drop old/obsolete/deprecated conntrackd.conf config options
8b83771 conntrack: send mark filter to kernel iff set
1ba5e76 conntrackd: cthelper: Don't leak nat_tuple
832166d conntrackd: cthelper: Free pktb after use
ff843bc conntrackd: config: Do not strdup() tokens
b61c454 conntrackd: cthelper: ssdp: Track UPnP eventing
8ea394e conntrackd: Remove obsolete rule to catch ambiguous Checksum option
39398cd conntrackd: CommitTimeout breaks DisableExternalCache set On
29b390a conntrack: Support IPv6 NAT
381827a conntrackd: factorice tx_queue functions
131df89 conntrackd: factorize resync operations
d31bacc conntrackd: consolidate more code to use resync_send()
3d98496 conntrackd: request resync at startup
ef410bf conntrackd: remove use of HAVE_INET_PTON_IPV6
9d38445 conntrackd: evaluate configuration earlier
6feded7 conntrackd: cleanup if failed forking
dbfdea7 conntrackd: deprecate unix backlog configuration
210f542 conntrackd: make the daemon run in RT mode by default
37cc7f0 conntrackd: remove warning for -S
d2849d1 conntrack: Show multiple CPUs stats from proc
bc0b49a conntrackd: cthelper: ssdp: fix build with musl
0c77a25 tests: don't fail on modprobe since the driver might be built-in
eefe649 conntrack.8: refresh manpage

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-09 16:15:14 +03:00
Stijn Tintel
9e9696afc8 treewide: switch git.netfilter.org to HTTPS
As git.netfilter.org seems to support HTTPS, use that instead of HTTP
which is insecure, or GIT which is blocked on many corporate networks.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-08 21:10:36 +03:00
Stijn Tintel
6b533fd4bc ipset-dns: bump to git HEAD
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-08 20:51:03 +03:00
Hans Dedecker
778970735b curl: add nghttp2 support
Add config option support for nghttp2

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-07 19:17:44 +02:00
Stijn Tintel
c088203535 hostapd: escape double quoutes in wpad CFLAGS
A recent commit in hostapd added a build option to specify the default
TLS ciphers. This build option is passed via CFLAGS. Due to the way
CFLAGS are handled when building wpad, the compiler tries to recursively
expand TLS_DEFAULT_CIPHERS, resulting in the following error:

../src/crypto/tls_openssl.c: In function 'tls_init':
<command-line>:0:21: error: 'DEFAULT' undeclared (first use in this function)
../src/crypto/tls_openssl.c:1028:13: note: in expansion of macro 'TLS_DEFAULT_CIPHERS'
   ciphers = TLS_DEFAULT_CIPHERS;
             ^

Escape double quotes in the .cflags file to avoid this.

Fixes: 2f78034c3e ("hostapd: update to version 2017-08-24")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-07 05:49:22 +03:00
Koen Vandeputte
2f78034c3e hostapd: update to version 2017-08-24
- Deleted upstreamed patches & parts
- Refreshed all

Compile tested: full-option package + tools (hostapd + wpa_supplicant)
Run-tested: hostapd wpa2 hotspot & wpa_supplicant IBSS link

Targets: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-10-07 05:46:04 +03:00
Hans Dedecker
bd27331eea netifd: update to latest git HEAD version (FS#1030)
5df3f01 config: suppress error if no wireless config present (FS#1030)
3429bd8 system-linux: add support for hotplug event 'move'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-06 22:12:33 +02:00
Hans Dedecker
834c93e00b dropbear: fix PKG_CONFIG_DEPENDS
Add CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE to PKG_CONFIG_DEPENDS

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-06 09:38:00 +02:00
Kevin Darbyshire-Bryant
67ac017fef dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-10-02 18:26:53 +02:00
Hauke Mehrtens
a8f63a0717 mac80211: update to backports-4.14-rc2
This updates mac80211 to backprots-4.14-rc2.
This was compile and runtime tested with ath9k, ath10k and b43
with multiple stations and ieee80211w and in different scenarios by many
other people.

To create the backports-4.14-rc2-1.tar.xz use this repository:
https://git.kernel.org/pub/scm/linux/kernel/git/backports/backports.git
from tag v4.14-rc2-1

Then run this:
./gentree.py --git-revision v4.14-rc2 --clean  <path to linux repo> ../backports-4.14-rc2-1

This also adapts the ath10k-ct and mt76 driver to the changed cfg80211
APIs and syncs the nl80211.h file in iw with the new version from
backports-4.14-rc2.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-10-01 12:49:11 +02:00
Stijn Tintel
c317af777b iw: fix build on musl host
The empty version.sh script causes a problem when run by make:
make[3]: /usr/bin/env bash: Shell program not found

Adding a shebang line in version.sh seems to solve it.

Fixes FS#977.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-29 14:59:06 +03:00
Felix Fietkau
79216243d7 hostapd: add support for accessing 802.11k neighbor report elements via ubus
This API can be used to distribute neighbor report entries across
multiple APs on the same LAN.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-09-28 22:46:26 +02:00
Felix Fietkau
9f5f5d250e hostapd: add support for specifying device config options directly in uci
This is useful for tuning some more exotic parameters where it doesn't
make sense to attempt to cover everything in uci directly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-09-28 22:45:59 +02:00
Marcin Jurkowski
a816e1eac7 dropbear: make ssh compression support configurable
Adds config option to enable compression support which is usefull
when using a terminal sessions over a slow link. Impact on binary
size is negligible but additional 60 kB (uncompressed) is needed for
a shared zlib library.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
2017-09-28 21:47:16 +02:00
John Crispin
00e9a7aacb umdns: update to latest git HEAD
b84fdac Add debug output for service_timeout
8f7e3bc Remove incorrect comma in http service json config
9f40133 Remove ttl==255 restriction for queries

Signed-off-by: John Crispin <john@phrozen.org>
2017-09-28 09:29:31 +02:00
Magnus Kroken
a9a37526a9 openvpn: update to 2.4.4
Fixes CVE-2017-12166: out of bounds write in key-method 1.

Remove the mirror that was temporarily added during the
2.4.3 release.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-09-28 04:05:44 +03:00
Lorenzo Santina
c14cc531e5 hostapd: update wpa_supplicant p2p config
Update the config file to the latest version.

Added CONFIG_EAP_FAST=y because it was the only
missing flag about EAP compared to full config.

Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.

Other flags are the same as before.

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-28 00:27:36 +03:00
Lorenzo Santina
1cde4395d0 hostapd: update wpa_supplicant mini config
Update the config file to the latest version.
Enabled flags are the same as before.

Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-28 00:27:26 +03:00
Lorenzo Santina
65113799d7 hostapd: update wpa_supplicant full config
Update the config file to the latest version.
Enabled flags are the same as before.

Commented CONFIG_IEEE80211W=y flag because it is
set in the Makefile, only if the driver supports it.

Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-28 00:27:14 +03:00
Lorenzo Santina
70ade53692 hostapd: update hostapd mini config
Update the config file to the latest version.
Enabled flags are the same as before.

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-28 00:27:01 +03:00
Lorenzo Santina
7865e86b0e hostapd: update hostapd full config
Update the config file to the latest version.
Enabled flags are the same as before.

Removed flag CONFIG_WPS2 because it is no more
needed due to this changelog (2014-06-04 - v2.2):
"remove WPS 1.0 only support, i.e., WSC 2.0
support is now enabled whenever CONFIG_WPS=y is set".

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-28 00:26:11 +03:00
Hans Dedecker
754659ddb5 curl: fix disable threaded resolver
Bump to 7.55.1 broke the disable threaded resolver feature as reported
in https://github.com/curl/curl/issues/1784.
As a result curl is always compiled with the threaded resolver feature
enabled which causes a dependency issue on pthread for uclibc.
Fix this issue by backporting the upstream curl commit which fixes
disable threaded resolver.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-27 17:33:48 +02:00
Stijn Tintel
456de21297 ipset: replace patch that was reverted upstream
Use the correct prefix for backports while at it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-26 18:18:44 +03:00
Stijn Tintel
b0f8b13331 samba36: add Package/samba/Default
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-25 22:53:59 +03:00
Stijn Tintel
7e58392bcb ipset: bump to 6.34
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-25 22:52:46 +03:00
Stijn Tintel
d9beae9b9e curl: bump to 7.55.1
Update 200-no_docs_tests.patch.
Refresh patches.

Fixes the following CVEs:
- CVE-2017-1000099
- CVE-2017-1000100
- CVE-2017-1000101

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-25 07:42:34 +03:00
Stijn Tintel
2ad649d134 iperf: bump to 2.0.10
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-25 07:42:34 +03:00
Adrian Panella
ab26fc6c8d uhttp: update to latest version
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
2017-09-21 23:03:46 +02:00
Sven Roederer
ce53c0e718 openvpn: add "extra-certs" option
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-09-19 20:05:57 +08:00
Lorenzo Santina
b0d2c4ac41 hostapd: ft_over_ds support
Add support for ft_over_ds flag in ieee80211r

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
2017-09-18 21:24:10 +02:00
Lorenzo Santina
70593acdd5 hostapd: ft_psk_generate_local support
Add support for ft_psk_generate_local flag in ieee80211r

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[original author]
Signed-off-by: Sergio <mailbox@sergio.spb.ru>
2017-09-18 21:23:35 +02:00
Marcin Jurkowski
feab5fa51e dnsmasq: fix dhcp "ignore" option on wwan interfaces
Init script won't append --no-dhcp-interface option if interface
protocol is one of: ncm, directip, qmi, mbim.
This is caused by IP address assigned to dynamically created netifd
interfaces. As a result there's no netmask assigned to the main
interface and dhcp_add() function returns prematurely.

By moving network subnet check we can ensure that --no-dhcp-interface is
properly generated for wwan interfaces.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase; move network checks]
2017-09-18 10:14:34 +02:00
Stijn Tintel
2375e279a7 tcpdump: noop commit to refer CVEs fixed in 4.9.2
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.

The following CVEs were fixed in 21014d9708:

CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-18 01:33:40 +03:00
Florian Fainelli
ef485bb23d dnsmasq: Pass TARGET_CPPFLAGS to Makefile
With the introduction of the ubus notifications, we would now fail building
dnsmasq with external toolchains that don't automatically search for headers.
Pass TARGET_CPPFLAGS to the Makefile to resolve that.

Fixes: 34a206bc11 ("dnsmasq: add ubus notifications for new leases")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-09-16 16:38:19 -07:00
Alexandru Ardelean
d03c23c8d4 cyassl,curl,libustream-ssl: rename every cyassl to wolfssl
This is to eliminate any ambiguity about the cyassl/wolfssl lib.

The rename happened some time ago (~3+ years).
As time goes by, people will start to forget cyassl and
start to get confused about the wolfSSL vs cyassl thing.

It's a good idea to keep up with the times (moving forward).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Alexandru Ardelean
ad510c4d62 wwan: json format in some modem definitions
Method used:
```
cd package/network/utils/wwan/files/data
sed -e 's/}}/}/g' -i *
sed -e 's/}\t"acm": 1/\t"acm": 1/g' -i *
sed -e 's/}\t"generic": 1/\t"generic": 1/g' -i *
```

Manually adjusted commas.
Validated with
```
for f in `ls` ; do echo $f ; python -m json.tool < $f || break ; done
```

Thanks to @lynxis for pointing out the commas.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-16 23:04:46 +02:00
Karl Palsson
ae57675bba odhcpd: don't enable server mode on non-static lan port
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"

This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.

Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-16 09:37:50 +02:00
Hans Dedecker
c88770c766 odhcpd: update to git HEAD version
f0bce9c dhcpv4: fix memset compile issue
0ba3278 dhcpv4: rework assignment lookup
e3b49f3 dhcpv4: cleanup dhcpv4_test usage
47fe122 dhcpv4: rework lease expire handling logic
028ab85 dhcpv4: force renew nonce authentication support
a827fca dhcpv4: avoid segfault when there's no IPv4 prefix
bea088b ndp: detect ifindex changes via interface netlink events
f66103e ubus: display accept reconf status for DHCPv6 assignments
f0e354b treewide: replace RELAYD prefix naming in macros
1a313f9 dhcpv4: fix possible segfault when lease is not created
e2d6eb4 dhcpv4: dhcpv4: move interface lease list insertion out of dhcpv4_assign

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-13 22:32:52 +02:00
Lorenzo Santina
fd84ecda7d treewide: fix shellscript syntax errors/typos
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
2017-09-13 08:07:54 +02:00
Stijn Tintel
21014d9708 tcpdump: bump to 4.9.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-11 01:56:14 +02:00
Stijn Tintel
910e3bed12 lldpd: bump to 0.9.8
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-09-11 01:56:14 +02:00
Lorenzo Santina
bd24d53ea2 hostapd: fix iapp_interface option
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option

Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
2017-09-10 08:30:32 +02:00
Kevin Darbyshire-Bryant
5629904ea8 dnsmasq: backport arcount edns0 fix
Don't return arcount=1 if EDNS0 RR won't fit in the packet.

Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 10:07:04 +02:00
Kevin Darbyshire-Bryant
9a753c49ea dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-09-07 08:09:54 +02:00
Hans Dedecker
995193ccdb odhcp6c: add workaround for broken extendprefix scenario
Extendprefix is typically used to extend an IPv6 RA prefix from a mobile
wan link to the LAN; such scenario requires correct RA prefix settings
like the on link flag not being set.
However some mobile manufacter set the RA prefix on link flag which breaks
basic IPv6 routing.
Work around this issue by filtering out the route being equal to the
extended prefix.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-05 14:46:18 +02:00
Hans Dedecker
05c3647d35 odhcp6c: add ra_holdoff config option and update to git HEAD version (FS#964)
51733a6 ra: align RA update interval with RFC4861 (FS#964)

Add ra_holdoff config option which allows to configure the RA minimum
update interval which is by default 3 seconds as stated in RFC4861.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-03 21:34:48 +02:00
John Crispin
12930fc045 Revert "dropbear: Link ssh and scp command to /bin instead of /usr/bin"
This reverts commit f7528ed0a8.

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-31 21:09:13 +02:00
Rosen Penev
f7528ed0a8 dropbear: Link ssh and scp command to /bin instead of /usr/bin
ssh and scp commands interfere with OpenSSH when installed in /usr/bin .

One use case is when installing dropbear to get root access when only OpenSSH is available (OpenSSH disallows root password logins). Once dropbear installs, it replaces OpenSSH's executables, even when removed with opkg. OpenSSH must be reinstalled to get them back.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-08-31 19:14:43 +02:00
Rosen Penev
343e3d2ba8 samba36: Remove syslog and load printers lines.
printer support is removed using 200-remove_printer_support.patch. the syslog parameter requires samba to be compiled with --with-syslog. Currently samba does not log to syslog and probably has not for a long time.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-08-30 18:12:48 +02:00
Rosen Penev
b2f60e6a72 samba36: Don't resolve interfaces.
It's redundant and also buggy. IPv6 link local addresses and ::1 are not resolved for example. Doesn't matter since lo and br-lan for example, resolve to them.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-08-30 17:05:10 +02:00
Rosen Penev
ccb79a310c samba36: Remove guest ok since LuCI configures it.
guest ok is set per share and as such, don't override it. also, fix an error introduced in the last commit.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-08-30 17:05:10 +02:00
Kevin Darbyshire-Bryant
ca79337306 dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-30 17:05:10 +02:00
Hans Dedecker
7a9410618d netifd: update to git HEAD version
7d94ede system-linux: parse map-e fmrs parameters as nested data json object

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-29 21:19:29 +02:00
Hans Dedecker
1b3ded7225 map: use nested json data object to store map-e fmrs parameters
Replace the string array containing the fmrs parameters by a nested data
json object holding an array of fmrs parameters

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-29 21:10:39 +02:00
Hans Dedecker
4b3ffecf2b map: fix boolean argument passed to blobmsg_check_attr in mapcalc
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-26 23:34:14 +02:00
Hans Dedecker
6c9e2d4a68 dnsmasq: fix indentation
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-25 14:29:19 +02:00
Kuang Rufan
1e6e37c4f6 dnsmasq: add support for multiple tags for each host.
Currently, dnsmasq support assigning multiple tags to a host record
(--dhcp-host), but we only support only 1 tag for a host. The commit
makes the following config to be valid:

  config host
      option name 'computer'
      option mac '00:11:22:33:44:55'
      option ip '192.168.1.100'
      list tag 'vendor_class'
      list tag 'vendor_id'

  config tag 'vendor_class'
      list dhcp_option 'option:vendor-class,00:...<omitted>'

  config tag 'vendor_id'
      option force '1'
      list dhcp_option 'option:vendor-id-encap,00:...<omitted>'

Signed-off-by: Kuang Rufan <kuangrufan@pset.suntec.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-25 14:28:49 +02:00
Hans Dedecker
7a8909411c map: add ealen as configurable uci parameter
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-24 20:56:07 +02:00
Koen Vandeputte
f47c41cff9 xtables-addons: update to version 2.13
Changes:

89d1b80 xt_condition: namespace support #2
c839e87 xt_geoip: check for allocation overflow
a587f95 compat_xtables: use more accurate printf format for NIPQUAD
1874fcd xt_DNETMAP: fix a buffer overflow
21ea7b7 xt_LOGMARK: resolve new gcc7 warnings
ee8da2b build: support for Linux 4.12
19a4359 xt_condition: add support for namespaces
1b37966 xt_psd: resolve compiler warning

Tested on cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-08-24 08:38:39 +02:00
John Crispin
d99c52765d Revert "iputils: switch to new upstream"
This reverts commit 77d3ac8e3e.
This reverts commit e665b3df2a.

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-24 08:09:14 +02:00
Philip Prindeville
fc48aebdc1 iperf3: add SSL variant for iperf_auth feature
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2017-08-23 20:35:16 +02:00
Philip Prindeville
d55fff4ae7 iperf3: update to 3.2
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2017-08-23 20:35:16 +02:00
John Crispin
e665b3df2a iputils: update sha256sum
Signed-off-by: John Crispin <john@phrozen.org>
2017-08-23 19:34:24 +02:00
John Crispin
77d3ac8e3e iputils: switch to new upstream
Signed-off-by: John Crispin <john@phrozen.org>
2017-08-23 16:31:35 +02:00
Ansuel Smith
f099803eb5 samba36-net: new package
Samba could also be usefull for sending commands to windows pc (like shoutdown command). This new package add the bin to include this kind of command to the samba package.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-08-23 15:08:39 +02:00
Rafał Miłecki
8de57c9746 iwinfo: update to the latest git HEAD
c1a03e8 nl80211: request split information about frequencies
5638567 nl80211: store info about freq being not available for some bandwidths
ce51cb8 Allow storing more info about each frequency
5c10efa nl80211: support receiving split frequencies
335967c nl80211: improve error handling
ab089dd nl80211: propagate netlink errors to callers
7bba117 nl80211: handle netlink errors in nl80211_wait()
d22c64c iwinfo: add device id for Ubiquiti NanoStation Loco M2

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-23 11:19:28 +02:00
John Crispin
4cac13f8e2 Revert "xtables-addons: fix nathelper-rtsp dependencies"
This reverts commit e2ef80130e.

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-23 09:54:53 +02:00
Philip Prindeville
e2ef80130e xtables-addons: fix nathelper-rtsp dependencies
Both nf_conntrack and nf_nat need to be called out.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2017-08-22 21:31:39 +02:00
John Crispin
34a206bc11 dnsmasq: add ubus notifications for new leases
Signed-off-by: John Crispin <john@phrozen.org>
2017-08-22 21:31:39 +02:00
John Crispin
d18e0dc7d1 hostapd: add additional ubus notifications
Signed-off-by: John Crispin <john@phrozen.org>
2017-08-22 21:31:39 +02:00
John Crispin
e622b30730 netifd: update to latest git HEAD
b5731bf allow setting rps/xps defualt values via uci
2a29d1a system: remove unused 6rd tunnel attributes
e627542 netifd: allow negative neighlocktime values
e41382c system-linux: parse ipv6 specific tunnel settings as nested data json object

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-22 09:17:14 +02:00
Hans Dedecker
736950e947 odhcpd: update to latest git HEAD
94e65ee ndp: use IPv4 address list when comparing IPv4 addresses
ff5020d dhcpv6-ia: rework reconfigure accept logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-16 21:25:16 +02:00
Stijn Tintel
e7373e489d wpa_supplicant: log to syslog instead of stdout
While debugging an issue with a client device, wpa_supplicant did not
seem to log anything at all. Make wpa_supplicant log to syslog instead
of stdout, to make debugging easier and to be consistent with hostapd.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-08-10 16:35:53 +02:00
Hauke Mehrtens
779227d5ee nftables: remove date from version
We are using the normal 0.7 version of nftables, do not add an
additional date to the version number.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-08-09 23:20:56 +02:00
Martin Schiller
2da6c85c80 ltq-vdsl-app: add support for auto xfer_mode and auto line_mode
If xfer_mode is set to auto the vdsl_cpe_control daemon assumes that
ATM should be used for ADSL and PTM for VDSL.

xfer_mode and line_mode can be set to fixed value independantly from
each other.

The syntax for the tc_layer argument of vdsl_cpe_control is as follow:

-T<TcADSL>:<TcCfgUsADSL>:<TcCfgDsADSL>_<TcVDSL>:<TcCfgUsVDSL>:<TcCfgDsVDSL>

where TcADSL and TcVDSL can be: 1=ATM, 2=PTM/EFM, 4=Auto TC-Layer

and TcCfgUsADSL, TcCfgUsVDSL, TcCfgDsADSL, TcCfgDsVDSL can be:
1=64/65-octet encapsulation supported
2=64/65-octet encapsulation with pre-emption
3=64/65-octet encapsulation with short packets

Default: In case of no '-T' option is given, ADSL will be configured
in ATM and VDSL in PTM/EFM: -T1:0x1:0x1_2:0x1:0x1

The '-M' argument of dsl_cpe_control defines the initial DSL mode
(NextMode) for ADSL/VDSL multimode handling.

Possible Values: 0=API-default, 1=ADSL, 2=VDSL

Default: In case of no '-M' option is given, '0' (API-default) will
be selected.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-08-06 09:22:03 +02:00
Martin Schiller
f6254a215e ltq-vdsl-app: mask out ADSL bits when VDSL is requested
If the line_mode is fixed configured to vdsl, than only G.993 VDSL
should be used.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-08-06 09:22:03 +02:00
Martin Schiller
c6504327d1 ltq-vdsl-app: use notification based ATM/PTM driver load
This patch removes the fixed atm/ptm driver loading and
switches to notification based driver loading.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-08-06 09:22:03 +02:00
Mathias Kresin
a94555ce24 ltq-xdsl-app: drop esi call
The esi call was added to workaround a race condition between applying
a configured mac address to the wan interface and starting the protocol
(handler) as it was observed in a DHCP over ATM bridge configuration.

Martin Schiller, TDT GmbH was so kind to test with their local
infrastructure if the race condition still exists. The provided package
dumps captured behind the DSLAM shows that it doesn't. It was most
likely fixed with adding carrier support to the lantiq ptm/atm driver.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-08-06 09:22:03 +02:00
Hans Dedecker
fea89fa25b odhcpd: update to latest git HEAD (FS#402, FS#524)
296b4a0 dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)
f4d38e0 treewide: reflect managed mode is related to RA

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-03 21:25:32 +02:00
Daniel Engberg
911331ad0f tcpdump: Update to 4.9.1
Update tcpdump to 4.9.1

Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-07-28 23:07:00 +02:00
Rosen Penev
9dcb3fe7eb samba36: Remove legacy options
Browseable is now set through LuCI per share, so remove it. Same with
writeable (inverted synonym for read only). domain master and preferred
master seem to be legacy settings for Windows 9x. encrypt passwords
defaults to yes. Probably should not be disabled either.

Also reordered alphabetically.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[rewrap commit message, fix SoB, fix author, bump pkg revsion]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-22 16:55:01 +02:00
Stijn Tintel
97eb8abec0 netifd: update to git HEAD
d397e8c netifd: Fix printf calls + function declarations.
34afb76 system-linux: fix GRE ikey/okey endianness

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-21 22:00:37 +02:00
Alexandru Ardelean
d9f7ae6cdb ipset: split libipset as a subpackage
Intent is to link against it, and have the option to
not install the ipset utility (if needed).

One example/use-case is keepalived (from package)
feeds, where it would be nice to just depend on a
`libipset` (sub)package.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-07-21 15:12:48 +02:00
Jo-Philipp Wich
d0f6a514b1 dnsmasq: introduce config support for forced DHCP options
Introduce a new UCI list setting `list dhcp_option_force` which is available
in sections of type `dnsmasq` and `dhcp`.

The `dhcp_option_force` setting has the same semantics as `dhcp_option` but
generates `dhcp-option-force` directives instead of `dhcp-option` ones in
emitted native configuration.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-21 08:09:45 +02:00
Hans Dedecker
6f133a4402 dnsmasq: backport remove ping check of configured dhcp address
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-18 23:17:37 +02:00
Nick Brassel
eaf6f1532d nftables: Update to 0.7
Updated nftables to latest.

Signed-off-by: Nick Brassel <nick@tzarc.org>
2017-07-15 00:17:49 +02:00
Alif M. Ahmad
683e73735e
curl: bump to version 7.54.1
Upgrade the curl package to latest version. Patches refreshed.

Signed-off-by: Alif M. Ahmad <alive4ever@live.com>
2017-07-14 03:10:38 +02:00
Alin Nastac
d8748e537f netfilter: add iptables-mod-rpfilter package
Unlike /proc/sys/net/ipv4/conf/INTF/rp_filter flag, rule iptables -t raw
-I PREROUTING -m rpfilter --invert -j DROP prevents conntrack table to
become full when a packet flood with randomly selected source IP addresses
is received from the lan side.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2017-07-11 22:09:57 +02:00
Jo-Philipp Wich
a89c36b508 dnsmasq: restore ability to include/exclude raw device names
Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname"
broke the ability to specify unmanaged network device names for inclusion
and exclusion in the uci configuration.

Restore support for raw device names by falling back to the input value
when "network_get_device" yields no result.

Fixes FS#876.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-10 11:02:27 +02:00
Thomas Nixon
08cd5b769d lantiq: set up DSL front-end GPIOs if they exist
This is necessary for devices using the PSB80108/VRX220LD front-end
(currently only known on the Netgear DM200).

Signed-off-by: Thomas Nixon <tom@tomn.co.uk>
2017-07-07 07:13:24 +02:00
Hans Dedecker
e227bade26 odhcpd: update to the latest version
f0d78e7 ndp: optimize check_addr6_updates code
94afe3b ndp: fix syslog tracing for netlink neigbor and address events
18df6cc treewide: rework logic to retrieve IPv6 interface addresses
803b83e router: use enum to specify order and index of iov struct
5dad295 treewide: rework code to get rid of fixed IPv6 address arrays
3e4c8ad config: rework code to get rid of IFNAMSIZ usage
ab7813e treewide: use angle-brackets to include libubox header files

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-06 19:19:13 +02:00
DUPONCHEEL Sébastien
f3ae0f80bd dnsmasq: dnsmasq --rev-server support
This is functionally the same as --server, but provides some syntactic sugar to
make specifying address-to-name queries easier.

For example --rev-server=1.2.3.0/24,192.168.0.1 is exactly equivalent to
--server=/3.2.1.in-addr.arpa/192.168.0.1

Signed-off-by: DUPONCHEEL Sébastien <sebastien.duponcheel@corp.ovh.com>
2017-07-03 22:08:21 +02:00
Hans Dedecker
1d45ec2784 dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 09:56:19 +02:00
Hans Dedecker
7d31fe6068 dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-28 11:33:42 +02:00
Stijn Tintel
6371159b4a dropbear: add option to set max auth tries
Add a uci option to set the new max auth tries paramater in dropbear.
Set the default to 3, as 10 seems excessive.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Kevin Darbyshire-Bryant
9aaf3d3501 dropbear: server support option '-T' max auth tries
Add support for '-T n' for a run-time specification for maximum number
of authentication attempts where 'n' is between 1 and compile time
option MAX_AUTH_TRIES.

A default number of tries can be specified at compile time using
'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
backwards compatibility.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-28 02:18:20 +02:00
Yury Shvedov
37c1513b1f hostapd: configure NAS ID regardless of encryption
RADIUS protocol could be used not only for authentication but for
accounting too. Accounting could be configured for any type of networks.
However there is no way to configure NAS Identifier for non-WPA
networks without this patch.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
[cleanup commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Yury Shvedov
0e7bbcd43b hostapd: add acct_interval option
Make an ability to configure Accounting-Interim-Interval via UCI

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
[add hostapd prefix, cleanup commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Hans Dedecker
f33de80232 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-26 10:49:13 +02:00
Magnus Kroken
45f4f6649a openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:56:07 +02:00
Florian Eckert
4482063c34 treewide: add license tags
Add licence tags where missing.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2017-06-24 22:36:38 +02:00
Kevin Darbyshire-Bryant
4ed40be3e3 hostapd: add support for acs_chan_bias option
During auto channel selection we may wish to prefer certain channels
over others.

e.g. we can just squeeze 4 channels into europe so '1:0.8 5:0.8 9:0.8
13:0.8' does that.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-24 13:11:19 +02:00
Grégoire Delattre
680a5c5d3e dnsmasq: add dhcp-range tags configuration
dnsmasq can match tags in its dhcp-range configuration, this commit adds
the option to configure it in the dhcp section

uci configuration:
config dhcp 'lan'
        option interface 'lan'
        list tag 'blue'
        list tag '!red'
        option start '10'
        option limit '150'
        option leasetime '12h'

generated dnsmasq configuration:
dhcp-range=tag:blue,tag:!red,set:lan,192.168.1.10,192.168.1.159,255.255.255.0,12h

Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
2017-06-20 22:33:41 +02:00
Hans Dedecker
c885482080 netifd: update to the latest version
ef5f7a0 ubus: remove superfluous error check in netifd_add_dynamic
5a68693 iprule: coding style line up
90e2e2c iprule: Add option to suppress unspecific routing lookups

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-18 22:22:03 +02:00
Kevin Darbyshire-Bryant
8f4085e2fd dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-16 12:05:25 +02:00
Hans Dedecker
8180bbac7c Revert "dnsmasq: manage resolv.conf if when listening on 127.0.0.1#53"
This reverts commit a53f8ba677.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-14 22:51:08 +02:00
Paul Oranje
a53f8ba677 dnsmasq: manage resolv.conf if when listening on 127.0.0.1#53
With this patch the dnsmasq init script manages resolv.conf if and only if
when dnsmasq will listen on 127.0.0.1#53 (is main resolver instance).
Also, resolvfile is now set irrespective of the value of noresolv.

Fixes (partially) FS#785

Signed-off-by: Paul Oranje <por@xs4all.nl>
2017-06-12 11:08:21 +02:00
Kevin Darbyshire-Bryant
16a905b322 dnsmasq: make bind-dynamic 'non-wildcard' interfaces default
'non-wildcard' interfaces enables dnsmasq's '--bind-dynamic' mode.  This
binds to interfaces rather than wildcard addresses *and* keeps track of
interface comings/goings via a unique Linux api.

Quoting dnsmasq's author "bind-dynamic (bind individual addresses, keep
up with changes in interface config) ... On linux, there's actually no
sane reason not to use --bind-dynamic, and it's only not the default for
historical reasons."

Let's change history, well on LEDE at least, and change the default!

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-11 14:50:04 +02:00
Hans Dedecker
8b486ec2b5 dnsmasq: add dhcp-script hook conditionally
Commit b32689afd6 added support for dhcp-script hook.
Adding dhcp-script config option results into two instances of dnsmasq being run
which triggered oom issues on platforms having low memory.

The dnsmasq dhcp-script config option will now only be added if at least one of the
dhcp, tftp, neigh hotplug dirs has a regular hotplug file or if the dhcpscript uci
config option is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-09 16:44:04 +02:00
Andrea Merello
860e053b29 Lantiq: make possible to tweak DSL SRN from UCI
This patch makes possible to tweak the downstream SNR margin on
Lantiq DSL devices.

The UCI parameter 'network.dsl.ds_snr_offset' is used to set the SNR
margin offset. It accepts values in range -50 to +50 in 0.1 dB units.

The SNR margin can thus be modified in range -5.0 to +5.0 dB in 0.1 dB
steps.

Currently this should only affect ADSL (not VDSL). It should be very
easy to make this work also on VDSL lines, but since I couldn't test
on VDSL lines this patch does not do that yet.

I have also a patch for LUCI about this, that I could submit.

Tested on FB3370 (Lantiq VR9) and Telecom Italia ADSL2+ line.

Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
2017-06-03 17:48:57 +02:00
Jo-Philipp Wich
6db1d13084 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:32 +02:00
Kevin Darbyshire-Bryant
1fe41c4089 dnsmasq: bump to 2.77
Bump to the 2.77 release after quite a few test & release candidates.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-01 23:50:52 +02:00
Hans Dedecker
21f25bc4a3 ppp: propagate master firewall zone to dynamic slave interface
Assign the virtual DHCPv6 interface the firewall zone of the parent interface
so fw3 knows the zone to which the virtual DHCPv6 interface belongs.
This guarantees the firewall settings are applied correctly for the virtual
DHCPv6 interface and allows to query the zone to which the virtual DHCPv6
interface belongs via the fw3 network option.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-31 16:49:59 +02:00
Luiz Angelo Daros de Luca
b4f463d969 openvpn-easy-rsa: update to 3.0.1
easy-rsa v3 is now a single script. It expects a 'vars'
configuration file which path can be set using easy-rsa
options, environment variables or just looking in the
current directory.

The default usage would be:

 # cd /etc/easy-rsa
 # easy-rsa COMMAND [command-options]

Following upstream changes, /etc/easy-rsa/pki replaces
/etc/easy-rsa/keys directory.

The default /etc/easy-rsa/pki dir is marked to be kept during
upgrade (WARN: priv keys are saved in the system backup)
/etc/easy-rsa/openssl.1.0.cnf is now marked as config file while
index and serial got removed.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2017-05-31 00:28:26 +02:00
Kevin Darbyshire-Bryant
a4198f8c8d iproute2: bump to 4.11
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-30 14:00:31 +02:00
Jo-Philipp Wich
61eb18d3f7 firewall: fix stray continue statement
The previous commit introduced a faulty continue statement which might
lead to faulty rules not getting freed or reported.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:16:15 +02:00
Hans Dedecker
1422dab66e netifd: fix 6rd regression (FS#812)
08f1875 system-linux: fix 6rd regression

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-27 13:26:39 +02:00
Jo-Philipp Wich
6e46f6edc4 firewall: extend ubus support, exception handling, parse fixes
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()

Fixes FS#548, FS#806, FS#811.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 12:19:48 +02:00
Jo-Philipp Wich
52e36cf80a samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 12:17:40 +02:00
Filip Moc
43e4e1f4a5 Move enablemodem from ramips to new package adb-enablemodem and make it used also by TL-MR6400
Signed-off-by: Filip Moc <lede@moc6.cz>
2017-05-27 07:54:40 +02:00
Nick Brassel
b32689afd6 dnsmasq: add dhcp-script hook for other packages
Adds a script which acts as a hook for when dnsmasq creates/destroys a
lease, or completes a TFTP file transfer. The hook loops through scripts
in appropriate directories inside '/etc/hotplug.d', executing each one with
the same arguments supplied by dnsmasq.

In case dnsmasq is jailed by ujail the dhcp-script hook will not work as
expected as ujail does not yet support executing a script within a jail.

Signed-off-by: Nick Brassel <nick@tzarc.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-26 21:28:30 +02:00
Felix Fietkau
c2dc7321d7 iptables: fix typos in 600-shared-libext.patch (FS#711)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-25 19:30:36 +02:00
Giuseppe Lippolis
4ba2f4dc63 DWR-512: adding wwan support for the dwr-512 3G modem
This PR allow the 3G modem embedded in the DWR-512 to be managed
by the wwan-ncm scripts. The modem will use the usb-option and
usb-cdc-ether drivers.
The DWR-512 DT is updated accordingly.

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
2017-05-25 19:01:08 +02:00
Felix Fietkau
60241e52db firewall: update to the latest version, fixes a gcc7 build error
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-25 19:01:07 +02:00
Stijn Tintel
423a7a6b75 lldpd: bump to 0.9.7
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-05-24 14:56:22 +02:00
Stijn Tintel
3f0d3d12da samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-05-24 14:44:03 +02:00
Hans Dedecker
43cc399871 dnsmasq: bump to 2.77rc5
Some small tweaks and improvements :

9828ab1 Fix compiler warning.
f77700a Fix compiler warning.
0fbd980 Fix compiler warning.
43cdf1c Remove automatic IDN support when building i18n.
ff19b1a Fix &/&& confusion.
2aaea18 Add .gitattributes to substitute VERSION on export.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-22 23:08:06 +02:00
Hans Dedecker
c0a9a73393 6rd: add 6rd specific settings as nested json object
Add 6rd specific settings prefix, relay-prefix as a nested data json object

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-22 21:40:19 +02:00
Hans Dedecker
5f2408dbc5 netifd: update to git HEAD version
7573880 system-linux: parse 6rd specific settings as nested json data object
a063705 system-linux: remove redundant check for strtoul() return value
e6ebe0b build: disable unknown warning option error in clang
08d8f47 interface: add new "ifup-failed" hotplug event
20a1bac bridge: reset primary only after marking the member not present
6b9c267 build: suppress format truncation warnings to avoid errors with gcc7

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-22 21:40:19 +02:00
Rafał Miłecki
aaabf47ede umdns: update to the version 2017-05-22
This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label

Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-05-22 12:04:01 +02:00
Kevin Darbyshire-Bryant
6e10fc74fd dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-21 23:56:17 +02:00
Alexandru Ardelean
ce8bfa9407 lldpd: drop specific respawn params [use system-wide]
I think I added these respawn params [a while back],
when I did the conversion to procd init script format.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-05-18 08:14:26 +02:00
Giuseppe Lippolis
db776c01e1 comgt-3g: enable modem before to setpin
some modems needs to be enabled with CFUN=1 before to set the pin

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
2017-05-18 07:07:00 +02:00
Arjen de Korte
070a46121d dnsmasq: add IPv6 nameserver configuration in server mode
When in ra server mode, configure nameservers passed in router
announcements from the dns value (which is already used by odhcpd).

This also fixes FS#677 by using the global IPv6 address of the router
instead of the link local address (if no nameservers are configured).

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2017-05-16 22:27:02 +02:00
Daniel Engberg
89807b627f network/utils/curl: Update to 7.54.0
Update curl to 7.54.0
Update and fresh patches

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-16 16:58:15 +02:00
Daniel Engberg
ea2927e1ea network/utils/ipset: Update to 6.32
Update ipset to 6.32

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-16 16:58:07 +02:00
Ansuel Smith
324ec18615 uhttpd: Enable integrated Lua by default
We enabled lua interpreter by default as it doesn't make any problem in the uhttpd config file and we modify the index page to use it.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-05-16 16:57:01 +02:00
Hans Dedecker
6d7cb5337e odhcpd: update to git HEAD version
93abe6f config: fix invalid hoplimit in RA message
2ae08d1 config: fix invalid retranstime in RA message
0005cb4 config: fix invalid reachabletime in RA message
5683dd2 config: limit ra_mtu to 65535
f8d40a5 router: fix interface mtu read error
f8f4b87 config: limit ra_retranstime to 60000
a2d8bf6 dhcpv4: display two hex digits per octet in syslog
a9e9bc4 config: make RA retransTime configurable via uci
2cb6b48 config: make RA reachableTime configurable via uci
e4504db config: make RA curHopLimit configurable via uci
9dd5316 config: make RA mtu configurable via UCI
29cb2ff config: fix dhcpv4 server being started
0ef74ec ndp.c: add switch/case fallthrough comments

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-15 22:30:39 +02:00
Matthias Schiffer
1a16cb9c67
mac80211, hostapd: always explicitly set beacon interval
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-05-13 17:12:54 +02:00
Matthias Schiffer
5e481881d7
hostapd: remove unused variable declarations in hostapd.sh
None of the variables in this "local" declaration are actually set in
wpa_supplicant_add_network().

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-05-13 16:27:22 +02:00
Kevin Darbyshire-Bryant
deef71375c dnsmasq: bump to 2.77rc3
Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-12 21:30:56 +02:00
Jo-Philipp Wich
e66f17ac1e openvpn: update to v2.4.2
Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-12 11:54:48 +02:00
Arjen de Korte
44da45a881 dnsmasq: don't propagate DUID from one host to another
If no DUID is set for a host, it should be empty, not the last one set for a previous host.

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
2017-05-11 00:53:05 +02:00
Hans Dedecker
54ea0f45c8 dnsmasq: use append_interface_name when using option --interface-name
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-09 10:01:07 +02:00
Daniel Danzberger
eb99f8912a dnsmasq: add interface-name uci list.
This patch adds the interface-name option for each dhcp config
in /etc/config/dhcp.

With the interface_name option users can define a DNS name for each dhcp section
that will be resolved by dnsmasq with the underlaying interface address.

For example:
config dhcp 'lan'
	option interface 'lan'
	...
	list interface_name 'home.lan'
	...

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2017-05-09 10:00:49 +02:00
Alberto Bursi
7296767639 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-05-04 23:10:09 +02:00
Hans Dedecker
cd5cd7c859 dnsmasq: fix dhcp_option usage warning
Don't display unnecessary dhcp_option usage warning in case
dhcp_option is empty

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-05-04 22:42:49 +02:00
Nick Lowe
ed62d91f4b hostapd: add legacy_rates option to disable 802.11b data rates.
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
2017-05-03 13:58:23 +02:00
Abhilash Tuse
41feba8c4a hostapd: fix reload frequency change patch
When sta is configured, hostapd receives 'stop' and 'update' command from
wpa_supplicant. In the update command, hostapd gets sta parameters with
which it configures ap.

Problem is, with the default wireless configuration:
mode:11g freq:2.4GHz channel:1
If sta is connected to 5GHz network, then ap does not work. Ideally with
340-reload_freq_change.patch hostapd should reload the frequency changes
and start ap in 5GHz, but ap becomes invisible in the network.

This issue can be reproduced with following /etc/config/wireless:
config wifi-device  radio0
        option type     mac80211
        option channel  1
        option hwmode   11g
        option path     'virtual/uccp420/uccwlan'
        option htmode   'none'

config wifi-iface 'ap'
        option device 'radio0'
        option encryption 'none'
        option mode 'ap'
        option network 'ap'
        option ssid 'MyTestNet'
        option encryption none

config wifi-iface 'sta'
       option device radio0
       option network sta
       option mode sta
       option ssid TestNet-5G
       option encryption psk2
       option key 12345

This change updates current_mode structure based on configured hw_mode
received from wpa_supplicant. Also prepare rates table after frequency
selection.

Signed-off-by: Abhilash Tuse <Abhilash.Tuse@imgtec.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, patch refresh]
2017-05-03 13:58:23 +02:00
Kevin Darbyshire-Bryant
b65c619d02 dnsmasq: bump to 2.77test5
A number of small tweaks & improvements on the way to a final release.
Most notable:

Improve DHCPv4 address-in-use check.
Remove the recently introduced RFC-6842 (Client-ids in DHCP replies)
support as it turns out some clients are getting upset.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-02 22:32:14 +02:00
Yousong Zhou
9b4c41524f iproute2: bump PKG_RELEASE
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-02 22:45:42 +08:00
Yousong Zhou
cfa5865187 iproute2: add ip-tiny, ip-full as alternatives of /sbin/ip
They will not be in conflict anymore ;)

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-02 22:42:36 +08:00
Hans Dedecker
c45ef702ff odhcpd: update to git HEAD version (FS#656,FS#595)
9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-28 21:59:29 +02:00
Hans Dedecker
9412fc2949 dnsmasq: support dhcp_option config as a list
Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-27 22:04:29 +02:00
Hans Dedecker
e5bbead1a8 dropbear: fix procd interface trigger install
Install procd interface triggers only for interfaces which are enabled
so dropbear instances running on (an) enabled interface(s) are not
restarted due to an interface trigger of an interface which is disabled.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-26 21:29:16 +02:00
Hans Dedecker
4b195a611f netifd: return error status in reload_service
Based on a patch by Alexandru Ardelean.
netifd ubus reload call returns the actual reload error status;
return error status as well in reload_service

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-24 18:51:10 +02:00
Hans Dedecker
8e37d5b584 netifd: update to git HEAD version
11cb9cf ubus: add interface method to trigger renew event
4375d1b system-linux: allow "throw" route type
5fbd904 netifd: propagate error code on netifd_reload()
6e0acec interface-ip: fix device name for IPv6 link-local DNS server

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-24 18:50:36 +02:00
Hans Dedecker
6fd6582014 odhcpd: update to git HEAD version
570069d ubus: rework dumping IPv6 and IPv4 leases
4e579c4 dhcpv6-ia: simplify logic to write statefile and dhcpv6 logging

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-24 18:50:25 +02:00
Ansuel Smith
e80a041348 iptables: fix wrong depends for nftables support (FS#707)
The dep for the nftables support was wrong, if someone actually enable
that option gain a compilation error. This fix this problem.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2017-04-22 21:33:46 +02:00
Bastian Bittorf
56457dbcb7 dnsmasq: fix uninitialized varname in init-script
minor/cosmetic: fixes the following misleading message:

root@box:~ /etc/init.d/dnsmasq restart
sh: out of range

Signed-off-by: Bastian Bittorf <bb@npl.de>
2017-04-17 13:10:31 +02:00
Felix Fietkau
5e2d15b4a6 iptables: set ABI_VERSION to force rebuild of dependent packages
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-12 10:51:36 +02:00
Ansuel Smith
98e43b13a7 iptables: bump to 1.6.1
Switch to git repo
Removed musl patch
Refreshed existing patch

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
2017-04-12 10:51:29 +02:00
Felix Fietkau
a7f8564b0f openvpn: add myself as maintainer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-12 09:52:59 +02:00
Daniel Engberg
210e96d4cf OpenVPN: Update to 2.4.1
Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-04-12 09:52:57 +02:00
Hans Dedecker
fc859fb44b iproute2: add libgenl.h and ll_map.h to InstallDev section
Commit f4e312ddf8 adds libnetlink to
staging dir but did not add the header files libgenl.h and ll_map.h
which define functions belonging to libnetlink lib

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-08 20:53:44 +02:00
Daniel Golle
1c42598b7d dnsmasq: peacefully coexist with ISC DHCPd
Similar to odhcpd, allow using ISC DHCPd instead of dnsmasq.
Disable DHCP and/or DHCP6 in case ISC DHCP is present and
enabled.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-04-08 17:11:54 +02:00
Hans Dedecker
20e40db524 netifd: fix fw3 warnings in dhcp script
Fix fw3 warnings in dhcp script in case fw3 is not enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-03 10:36:21 +02:00
Hans Dedecker
15ca327954 odhcpd: update to git HEAD version (FS#635)
3d9f406 rework IPv6 dns address selection (FS#635)
bc6c3ac ndp: keep an exact copy of IPv6 interface addresses
6eb1e01 ndp: code cleanup
eea7d03 rework IPv6 address dump logic
24d21c7 ndp: add syslog debug tracing

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-01 14:00:46 +02:00
Karl Vogel
5d4aecee3e dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-03-29 21:04:35 +02:00
Yousong Zhou
8fb39f1682 firewall: document rules for IPSec ESP/ISAKMP with 'name' option
These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-28 17:43:58 +08:00
Matthias Schiffer
ea1855949b
iw: enable MESH ID in scan output
Make scan output useful for 802.11s meshes. The common print_ssid function
is used, so this doesn't add any additional code.

Based-on-patch-by: Jan-Tarek Butt <tarek@ring0.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-03-25 13:46:21 +01:00
Hans Dedecker
4d5b5c82e1 odhcp6c: update to git HEAD version
0463b05 dhcpv6: rebind capability support in reconfigure message (rfc6644)
53767fc dhcpv6: respect renew end point when handling reconfigure message
dd892e2 dhcpv6: calculate T1, T2 and T3 in a more sane manner
8a6ca6e md5: use libubox md5 library as local implementation
89822de dhcpv6: don't return renew msg in case of invalid msg type in reconfigure msg
4160c0e treewide: align coding style

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-22 21:59:29 +01:00
Martin Schiller
06c49dbccf openvpn: add extra respawn parameters
This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.

When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.

With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-03-22 09:41:52 +01:00
Daniel Engberg
fd95397ee3 utils/tcpdump: Rework URLs
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-22 09:16:23 +01:00
Rafał Miłecki
106ae11edf umdns: update to the version 2017-03-21
This includes following changes:
480d7bc Fix sending unicast questions on cache expire
a0403cd Keep source sockaddr for every cached DNS record
1478293 Fix code freeing cached non-A(AAA) records too early
9f1cc22 Fix replying to "QU" questions received on unicast interface
943bedb Fix reading port of incoming packets
c725494 Use MCAST_PORT define for port 5353
ce7e9e9 Use one define for DNS-Based Service Discovery service name
e1bacef Drop entries cached for interface we're going to delete
496aeba Fix comment typo in cache_gc_timer
f89986b Fix refreshing cached A(AAA) records that expire

Previous updates made umdns work as expected on startup but there were
still many bugs. They were mostly related to runtime - cache management
and requests + responses. E.g. umdns was never able to send question on
DNS record expire. It was also ignoring all incoming unicast questions.

Since these issues are quite serious it makes sense to backport this
update to the stable branch.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-21 23:14:55 +01:00
Hans Dedecker
ebdbbb5f99 netifd: update to git HEAD version
a032166 interface-ip: set prefix indicator flag when IPv6 prefix lifetime changes
b4f8984 system-linux: parse vti specific settings as nested json data object
7e3b89a system-linux: parse gre specific settings as nested json data object

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-21 22:59:34 +01:00
Hans Dedecker
071355dd5c vti: add vti specific settings as nested json object
Add vti specific settings ikey and okey as a nested data json object

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-21 22:59:08 +01:00
Hans Dedecker
3a5bacdc7d gre: add gre specific settings as nested json object
Add gre specific settings ikey, okey, iseqno, oseqno, icsum
and ocsum as a nested data json object

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-21 22:58:43 +01:00
Daniel Engberg
17987b9fa4 iperf3: Update to 3.1.7
Update iperf3 to 3.1.7

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-20 08:25:33 +01:00
Yousong Zhou
312b9dcd65 iproute2: fix ip monitor can't work when NET_NS is not enabled
The bug appeared in v4.1.0 and was fixed since v4.8.0

Fixes FS#620

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-03-19 12:41:13 +08:00
Philip Prindeville
8e0775197a dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-03-18 17:37:24 +01:00
Stijn Tintel
b03b293079 lldpd: bump to 0.9.6
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-03-18 12:08:03 +01:00
Hans Dedecker
53b84e4e2b odhcp6c: update to git HEAD version
7e0d8b8 CMakeLists: don't enable libubox md5 implementation by default

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-03-16 21:42:15 +01:00
Daniel Engberg
902590e175 curl: Adjust URLs
Update mirror list, add main site as last resort
Source: https://github.com/curl/curl-www/blob/master/latest.pl

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-15 22:49:09 +01:00
Felix Fietkau
2f09a1e3c9 iwcap: fix handling kill signal during dump
Do not run another loop iteration before checking the stop flag

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-14 13:29:03 +01:00
Rafał Miłecki
8eac991899 umdns: update to the version 2017-03-14
This includes 3 cleanups:
fd5a160 Don't cache hosts as services
80dd246 Refresh DNS records A and AAAA directly
6515101 Access cached records (instead of services) to read list of hosts

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-14 12:00:25 +01:00
Hauke Mehrtens
c481774298 curl: update to version 7.53.1
This fixes the following security problem:
* CVE-2017-2629 SSL_VERIFYSTATUS ignored

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 21:03:07 +01:00
Felix Fietkau
055e9dfb58 xtables-addons: fix build error on ARC
The kernel unconditionally pulls in a header file that defines
'current', which conflicts with the lua extension code.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-12 15:06:50 +01:00
Rafał Miłecki
0ebc681fe2 umdns: update to the 2017-03-10 version
This fixes crash in interface_start caused by freeing interface in
interface_free without stopping a timeout.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-03-10 11:59:29 +01:00
Matthias Schiffer
452f5446b8
vxlan: add new package for netifd VXLAN proto
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-03-10 01:23:50 +01:00