Commit Graph

3426 Commits

Author SHA1 Message Date
Paul Spooren
a5d030a54f curl: move package to packages.git
curl is replaced by uclient-fetch within the OpenWrt build system and we
can therefore move curl to packages.git. This is based on the Hamburg
2019 decision that non essential packages should move outside base.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-08-27 21:18:21 +02:00
Hauke Mehrtens
bc19481826 hostapd: Fix compile errors after wolfssl update
This fixes the following compile errors after the wolfssl 4.5.0 update:
  LD  wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
    type = GEN_EMAIL;
           ^~~~~~~~~
           ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
    type = GEN_DNS;
           ^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
    type = GEN_URI;
           ^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
   if (gen->type != GEN_EMAIL &&
                    ^~~~~~~~~
                    ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
       gen->type != GEN_DNS &&
                    ^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
       gen->type != GEN_URI)
                    ^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed

Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-27 12:11:47 +02:00
Hauke Mehrtens
2745f6afe6 curl: Use wolfssl by default
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 21:00:43 +02:00
Hauke Mehrtens
b5191f3366 curl: Fix build with wolfssl
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.

checking size of time_t... configure: error: cannot determine a size for time_t

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 21:00:42 +02:00
Hauke Mehrtens
a69949a13f firewall: Fix PKG_MIRROR_HASH
Fixes: 6c57fb7aa9 ("firewall: bump to version 2020-07-05")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-24 18:54:00 +02:00
Josef Schlehofer
e742a31f07 ipset: update to version 7.6
Changelog:
https://ipset.netfilter.org/changelog.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-08-24 18:53:59 +02:00
Hans Dedecker
4358373e69 curl: disable zstd support
Fixes package libcurl build issue :

Package libcurl is missing dependencies for the following libraries:
libzstd.so.1

Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-23 11:03:40 +02:00
Josef Schlehofer
17d16e093f curl: update to version 7.72.0
Changes in this version can be found here:
https://curl.haxx.se/changes.html#7_72_0

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-08-21 21:25:56 +02:00
David Bauer
aa403a440a dnsmasq: abort dhcp_check on interface state
Abort the dhcp-check based on the interface instead of the carrier
state. In cases where the interface is up but the carrier is down,
netifd won't cause a dnsmasq reload, thus dhcp won't become active
on this interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-08-20 23:45:26 +02:00
Remi NGUYEN VAN
bcf0704bd2 map: rename type to maptype (FS#3287)
"type" is already used as a common option for all protocols types, so
using the same option name for the map type makes the configuration
ambiguous. Luci in particular adds controls for both options and sees
errors when reading the resulting configuration.

Use "maptype" instead, but still fallback to "type" if "maptype" is not
set. This allows configurations to migrate without breaking old
configurations.

This addresses FS#3287.

Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-08-19 21:14:00 +02:00
Adrian Schmutzler
18ab496c32 ltq-dsl-base: remove useless echos in lantiq_dsl.sh
The is no reason to catch the output by $() and then echo it again.

Remove the useless echos.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-17 23:25:41 +02:00
Remi NGUYEN VAN
1e696c6ced map: add a legacymap option
The legacy map version based on the IPv6 Interface Identifier in
draft-ietf-softwire-map-03 was typically used by uncommenting the LEGACY
variable in the map.sh file, which is not ideal. A proper configuration
option is needed instead.

The IPv6 Interface Identifier format described in the draft was
eventually changed in RFC7597, but is still used by some major ISPs,
including in Japan.

Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-08-15 20:37:02 +02:00
Rui Salvaterra
763ce13b0b dropbear: allow disabling support for scp
If not needed, disabling scp allows for a nice size reduction.

Dropbear executable size comparison:

153621 bytes (baseline)
133077 bytes (without scp)

In other words, we trim a total of 20544 bytes.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-15 20:25:08 +02:00
Daniel Golle
0709f6e798 iproute2: disable SELinux for now
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:03:07 +01:00
Rui Salvaterra
e5eeb34a8c dropbear: fix ssh alternative when dbclient isn't built
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-12 21:57:37 +02:00
Hans Dedecker
5e512cc9c1 ppp: update to latest git HEAD
677aa53 Fix -W option for pppoe-discovery utility (#157)
115c419 Accept Malformed Windows Success Message (#156)
5bdb148 pppd: Add documentation of stop-bits option to pppd man page (#154)
2a7981f Add ipv6cp-accept-remote option
0678d3b pppd: Fix the default value for ipv6cp-accept-local to false

Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-11 21:27:07 +02:00
Jo-Philipp Wich
bc1c9fdc20 hostapd: recognize option "key" as alias for "auth_secret"
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.

Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.

Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:19:29 +02:00
Jo-Philipp Wich
321503dbf3 hostapd: make "key" option optional if "wpa_psk_file" is provided
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.

While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.

Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:04:02 +02:00
Petr Štetiar
c487cf8e94 hostapd: add wpad-basic-wolfssl variant
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-07 12:02:19 +02:00
Yousong Zhou
064dc1e81b dnsmasq: abort when dnssec requested but not available
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis

  # dnsmasq --dnssec; echo $?
  dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
  1

DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature.  Better be explicit.  With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)

So this is just being proactive.  on/off choices with uci option
"dnssec" are still available like before

Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-08-07 15:56:30 +08:00
Jo-Philipp Wich
11ea7ba698 Revert "dsaconfig: introduce package for UCI configuration of VLAN filter rules"
This reverts commit 96b87196b0.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:43 +02:00
Jo-Philipp Wich
f85bc0d77d Revert "add vfconfig"
This reverts commit 34553e8cc9.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:21 +02:00
Jo-Philipp Wich
b92f54b919 openvpn: fix arguments passing to wrapped up and down scripts
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.

Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.

Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:31 +02:00
Jo-Philipp Wich
34553e8cc9 add vfconfig
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Jo-Philipp Wich
96b87196b0 dsaconfig: introduce package for UCI configuration of VLAN filter rules
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections  of `/etc/config/network` into appropriate
bridge vlan filter rules.

The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Rafał Miłecki
3d167ed805 uhttpd: update to the latest master
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-08-05 15:49:03 +02:00
Jason A. Donenfeld
80a6d3d4a2 wireguard: bump to 1.0.20200729
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta

This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.

* compat: allow override of depmod basedir

When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.

* compat: add missing headers for ip_tunnel_parse_protocol

This fixes compilation with some unusual configurations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-08-03 23:14:24 +02:00
Adrian Schmutzler
50413e1ec8 package: replace remaining occurrences of ifconfig with ip
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-03 10:42:35 +02:00
Magnus Kroken
48a9d99a21 openvpn: revise sample configuration
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-08-01 14:54:39 +01:00
Rui Salvaterra
f2af32c20c wireguard-tools: allow compiling with MIPS16 instructions
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.

wg sizes for both modes:

MIPS32: 64309 bytes
MIPS16: 42501 bytes

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-01 14:54:39 +01:00
David Bauer
8b3e170526 hostapd: fix incorrect service name
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:

netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process  path (/proc/exe)

Fixing the service name retrieves the correct PID and therefore the
warning won't occur.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-31 19:51:51 +02:00
Adrian Schmutzler
c4dd7fc23b hostapd: reorganize config selection hierarchy for WPA3
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-31 11:40:15 +02:00
Adrian Schmutzler
917980fd8a hostapd: improve TITLE for packages
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-30 16:27:44 +01:00
Daniel Golle
34705946e2 hostapd: update mesh DFS patches and add mesh HE support
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.

This is only compile tested and needs some real-life testing.

Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 16:27:44 +01:00
Yousong Zhou
6c57fb7aa9 firewall: bump to version 2020-07-05
Changes since last source version

  e9b90df zones: apply tcp mss clamping also on ingress path
  050816a redirects: fix segmentation fault
  f62a52b treewide: replace unsafe string functions
  23cc543 improve reload logic
  9d7f49d redurects: add support to define multiple zones for dnat reflection rules
  f87d0b0 firewall3: defaults: fix uci flow_offloading option
  fe9602c rules: fix typo
  7cc2a84 defaults: robustify flow table detection.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-07-26 18:10:52 +08:00
Hauke Mehrtens
ed2015c386 mac80211: Update to version 5.8-rc2-1
The following patches:
* 972-ath10k_fix-crash-due-to-wrong-handling-of-peer_bw_rxnss_override-parameter.patch
* 973-ath10k_fix-band_center_freq-handling-for-VHT160-in-recent-firmwares.patch
are replaced by this commit in the upstream kernel:
* 3db24065c2c8 ("ath10k: enable VHT160 and VHT80+80 modes")

The following patches were applied upstream:
* 001-rt2800-enable-MFP-support-unconditionally.patch
* 090-wireless-Use-linux-stddef.h-instead-of-stddef.h.patch

The rtw88 driver is now split into multiple kernel modules, just put it
all into one OpenWrt kernel package.

rtl8812au-ct was patched to compile against the mac80211 from kernel
5.8, but not runtime tested.

Add a patch which fixes ath10k on IPQ40XX, this patch was send upstream
and fixes a crash when loading ath10k on this SoC.

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-23 23:39:56 +02:00
Michal Hrusecky
cdb25bcef3 openvpn: Allow override of interface name
If using a configuration file for OpenVPN, allow overriding name of the
interface. The reason is that then people could use configuration file
provided by VPN provider directly and override the name of the interface
to include it in correct firewall zone without need to alter the
configuration file.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
2020-07-23 13:10:09 +02:00
Michal Hrusecky
8483bf3126 openpvn: Split out config parsing code for reuse
Split out code that parses openvpn configuration file into separate file
that can be later included in various scripts and reused.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
2020-07-23 13:10:09 +02:00
Kevin Darbyshire-Bryant
017cd5bfb0 umdns: fix compiling using gcc 10
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-22 15:59:54 +01:00
David Bauer
93bbd998aa hostapd: enter DFS state if no available channel is found
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.

Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-20 15:08:19 +02:00
Johannes Kimmel
65e9de3c33 vxlan: add capability for multiple fdb entries
Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.

While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)

Field names are taken direclty from the bridge command.

Example with all supported parameters, since this hasn't been documented so
far:

  config interface 'vx0'
      option proto     'vxlan6'      # use vxlan over ipv6

      # main options
      option ip6addr   '2001:db8::1' # listen address
      option tunlink   'wan6'        # optional if listen address given
      option peer6addr '2001:db8::2' # now optional
      option port      '8472'        # this is the standard port under linux
      option vid       '42'          # VXLAN Network Identifier to use
      option mtu       '1430'        # vxlan6 has 70 bytes overhead

      # extra options
      option rxcsum  '0'  # allow receiving packets without checksum
      option txcsum  '0'  # send packets without checksum
      option ttl     '16' # specifies the TTL value for outgoing packets
      option tos     '0'  # specifies the TOS value for outgoing packets
      option macaddr '11:22:33:44:55:66' # optional, manually specify mac
                                         # default is a random address

Single peer with head-end replication. Corresponds to the following call
to bridge:

  $ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3

  config vxlan_peer
      option vxlan 'vx0'
      option dst '2001:db8::3' # always required

For multiple peers, this section can be repeated for each dst address.

It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:

  config vxlan_peer
      option vxlan 'vx0'
      option dst 'ff02::1337' # multicast group to join.
                              # all bum traffic will be send there
      option via 'eth1'       # for multicast, an outgoing interface needs
                              # to be specified

All available peer options for completeness:

  config vxlan_peer
      option vxlan   'vx0'               # the interface to configure
      option lladdr  'aa:bb:cc:dd:ee:ff' # specific mac,
      option dst     '2001:db8::4'       # connected to this peer
      option via     'eth0.1'            # use this interface only
      option port    '4789'              # use different port for this peer
      option vni     '23'                # override vni for this peer
      option src_vni '123'               # see man 3 bridge

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-07-20 13:43:36 +02:00
Johannes Kimmel
5222aadbf3 vxlan: remove mandatory peeraddr
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.

Fixes: FS#2743

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-07-20 13:43:36 +02:00
Kevin Darbyshire-Bryant
a197fa093c dnsmasq: bump to 2.82
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-20 10:38:35 +01:00
Martin Schiller
6299c1760a ltq-*dsl-app: dsl_control: remove unneeded check for lantiq_dsl.sh
This file is always present because it is part of the ltq-dsl-base
package on which these packages depend.

This check would not have been necessary in the past, because the script
was part of the TARGET_LANTIQ on which these packages also depend.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2020-07-17 12:14:32 +02:00
Martin Schiller
4d8552c265 lantiq: move dsl related base-files into own package
It does not make sense to install this components on lantiq systems
where the dsl subsystem is not needed/used.

This also makes it possible to use the files also on other targets.
(hopefully ipq401x / FritzBox 7530 in the near future)

Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
2020-07-17 12:14:32 +02:00
Adrian Schmutzler
9c170cb92f package: drop PKG_VERSION for purely local packages
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.

For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".

This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.

Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.

During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.

A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:

1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
   In this case, the resulting version string does not change, it's
   just the value of the variable put in the file. Consequently, we
   do not bump the number in these cases so nobody is tempted to
   install the same package again.

2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
   In this case, the resulting version string has been "version-release",
   e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
   need to be higher than the previous PKG_VERSION.
   For the cases where PKG_VERSION has always sticked to "1", and
   PKG_RELEASE has been incremented, we take the most recent value of
   PKG_RELEASE.

Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.

Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Adrian Schmutzler
b29d620ed2 vxlan: bump and change to PKG_RELEASE
Bumping package version has been overlooked in a previous commit.

While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)

Fixes: 0453c3866f ("vxlan: fix udp checksum control")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Johannes Kimmel
0453c3866f vxlan: fix udp checksum control
So far, passing "rxcsum" and "txcsum" had no effect.

Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 00:23:38 +02:00
Tony Ambardar
e89a7d72a5 iproute2: tc: fix missing em_ipset module
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.

- backport patch:
  * 002-configure-support-ipset-v7.patch:
    650591a7a70c configure: support ipset version 7 with kernel version 5

Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Tony Ambardar
9852104c71 iproute2: tc: fix dynamic symbol table size optimization
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.

Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Jason A. Donenfeld
ad81e2da08 wireguard: bump to 1.0.20200712
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.

* receive: account for napi_gro_receive never returning GRO_DROP

The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.

* device: implement header_ops->parse_protocol for AF_PACKET

WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:

    packet_sendmsg -> packet_snd -> packet_parse_headers ->
      dev_parse_header_protocol -> parse_protocol

Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.

* queueing: make use of ip_tunnel_parse_protocol

Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.

* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops

These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-13 08:02:02 +02:00
Adrian Schmutzler
b837216345 wireguard-tools: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-11 12:52:01 +02:00
Kirill Lukonin
667fbb8151 comgt: add new script to send ussd request and get the answer
New script for comgt. Should help to fetch balance or any additional information with USSD.
This script uses the standard AT command which should be supported by all modems.

Run-tested on: Mikrotik wAP LTE KIT

Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
[fixed from/sob]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Hans Dedecker
2b479512bc curl: bump to 7.71.1
For changes in 7.71.1; see https://curl.haxx.se/changes.html#7_71_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-07 22:16:47 +02:00
Petr Štetiar
4e57fd5ada dropbear: make rsa-sha2-256 pubkeys usable again
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.

Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-07 19:47:24 +02:00
Hans Dedecker
9858a8c582 odhcpd: bump to latest git HEAD
5da5299 odhcpd: fix compilation with GCC10

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-02 22:28:06 +02:00
Hans Dedecker
cbb66f9edb curl: bump to 7.71.0
For changes in 7.71.0; see https://curl.haxx.se/changes.html#7_71_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-01 22:19:50 +02:00
Hans Dedecker
d4c80f5b17 dropbear: bump to 2020.80
- drop patches (applied upstream)
 * 001-backport_GNU_SOURCE-for-random.patch
 * 002-backport-move-GNU_SOURCE-earlier.patch
 * 010-backport-disable-toom-and-karatsuba.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-30 22:13:46 +02:00
Rui Salvaterra
69ca308673 dropbear: init: replace backticks with $()
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-30 19:01:18 +02:00
Sukru Senli
c856f7adfb netifd: replace timesvr with timesrv
/lib/netifd/dhcp.script:
         Keep support for 'timesvr' while also supporting 'timesrv'
         Add log message indicating deprecation of 'timesvr'

Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
2020-06-27 00:19:13 +02:00
Hans Dedecker
751e6ab8e6 dropbear: fix compilation for uClibc
Backport patches which fix compile issue for uClibc-ng :

dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
        ^~~~~~~~~
        genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
                                    ^~~~~~~~~~~~~
                                    SOCK_NONBLOCK

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-24 22:36:21 +02:00
Jason A. Donenfeld
ea5192e6c5 wireguard: bump to 1.0.20200623
* compat: drop centos 8.1 support as 8.2 is now out

Of note, as well, is that we now have both RHEL7 and RHEL8 in our CI at
<https://www.wireguard.com/build-status/>.

* Kbuild: remove -fvisibility=hidden from cflags

This fixes an issue when compiling wireguard as a module for ARM kernels in
THUMB2 mode without the JUMP11 workaround.

* noise: do not assign initiation time in if condition

Style fix.

* device: avoid circular netns references

Fixes a circular reference issue with network namespaces.

* netns: workaround bad 5.2.y backport

This works around a back backport in the 5.2.y series.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-24 08:01:37 +02:00
Sven Roederer
7e67d14486 igmpproxy: remove some bashism
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
This follows up 3519bf4976

As a result, we also need to move the and/or out of the test brackets.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[squash from two patches, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-23 20:00:16 +02:00
Konstantin Demin
29e170dbaa dropbear: bump to 2020.79
- drop patches (applied upstream):
  * 010-backport-change-address-logging.patch
  * 020-backport-ed25519-support.patch
  * 021-backport-chacha20-poly1305-support.patch
- backport patches:
  * 010-backport-disable-toom-and-karatsuba.patch:
    reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
  because they are disabled in upstream too:
  * DROPBEAR_3DES
  * DROPBEAR_ENABLE_CBC_MODE
  * DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
  upstream has (accidentally) switched it to 0 in release 2019.77,
  but reverted back in release 2020.79.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-06-21 21:33:23 +02:00
Karel Kočí
a4248577a0 hostapd: fix compilation of wpa_supplicant
Ubus patch as it seems have been broken by some rebase in the past as
the location of line that adds ubus object file was in condition for
CONFIG_MACSEC. That condition was adding object files that are not
touched by ubus patch. This means ubus.o does not have to be included in
that case. When it has to be and when build fails is when CONFIG_AP is
set. All files included in wpa_supplicant that are touched by this patch
are in this condition. This means that this is for sure the original
place for it.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2020-06-18 20:08:18 +02:00
Rozhuk Ivan
ba7ddae9a9 comgt-ncm: do not attempt to connect if the control device is invalid
After a hardware reconnect, the control device might be unavailable and
attempting to interact with it will lead to hanging gcom calls, leaving
the protocol setup in an unrecoverable state.

Change the protocol handler to bail out early and notify netifd if the
control device is not defined or if the underlying device node does not
exist.

Also ensure that the "disconnect", "connect" and "setmode" commands are
actually defined before trying to invoke them.

Finally attempt to re-query the device manufacturer if it is unset in
the interface state in order to prevent UNUPPORTED_MODEM errors after
a modem hardware reconnect.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
[reword subject and commit message]
Ref: https://github.com/openwrt/openwrt/pull/2352
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 23:14:46 +02:00
Florian Eckert
8fe9940db6 openvpn: add generic hotplug mechanism
Pass a default --up and --down executable to each started OpenVPN instance
which triggers /etc/hotplug.d/openvpn/ scripts whenever an instance
goes up or down.

User-configured up and down scripts are invoked by the default shipped
01-user hotplug handler to ensure that existing setups continue to work
as before.

As a consequence of this change, the up, down and script_security OpenVPN
options are removed from the option file, since we're always passing them
via the command line, they do not need to get included into the generated
configuration.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[reword commit message, move hotplug executable to /usr/libexec]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 22:43:48 +02:00
Hans Dedecker
a241f439dc iproute2: update to 5.7.0
Update iproute2 to latest stable 5.7.0; for the changes see https://lwn.net/Articles/822152/

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-13 21:36:27 +02:00
Johann Neuhauser
c0ddb85a1d hostapd: hostapd_set_psk_file: fix defaut value for mac
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bringing up of station vlan fails if the optional mac entry isn't set.
The default mac "00:00:00:00:00:00", which should match all stations,
is mistakenly set to the non used variable "isolate". This results in
a wrong formatted .psk file which has to be "vlan_id mac key".

fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections

Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
2020-06-13 18:31:43 +02:00
Kevin Darbyshire-Bryant
46555ce5bc odhcpd: remove bogus IPKG_INSTROOT reference
IPKG_INSTROOT is only set under image builder and we won't be running
this script at build time either, so remove the reference before it gets
cargo-culted into other scripts.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-11 15:46:55 +01:00
Adrian Schmutzler
78e8360878 soloscli: fix uci-defaults file
The folder for the uci-defaults file of this package is wrong, so
the file most probably has not been executed at all for several
years at least.

Fix the folder and remove the useless shebang for the file.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-11 01:49:24 +02:00
Felix Fietkau
4baf90de8d netifd: disable receive packet steering for DSA slave devices
It is already handled on the master device. Doing it twice reduces
performance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-10 16:17:12 +02:00
Felix Fietkau
41d7a14ead hostapd: add config symbol for allowing drivers to enable 802.11ax support
Also expose a build feature for it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-10 12:56:35 +02:00
Petr Štetiar
df6a33a8d4 hostapd: update to latest Git hostap_2_9-1331-g5a8b366233f5
Bump to latest Git and refresh all patches in order to get fix for "UPnP
SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695).

 General security vulnerability in the way the callback URLs in the UPnP
 SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
 Some of the described issues may be applicable to the use of UPnP in WPS
 AP mode functionality for supporting external registrars.

Ref: https://w1.fi/security/2020-1/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-09 16:59:33 +02:00
Kevin Darbyshire-Bryant
68b94f0fb4 umdnsd: update to latest git HEAD
d13290b Fix advertised IPv6 addresses

Don't just serve link-local addresses via mdns, offer all.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-06-08 20:16:17 +01:00
Stijn Tintel
8a858363b0 hostapd: silence rm
When bringing up wifi the first time after boot, these warnings appear:

netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory

Silence them by adding the "-f" option to rm.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
2020-06-08 08:59:02 +03:00
Hans Dedecker
9e7fe7faf5 netifd: update to latest git HEAD
51e9fb8 system-linux: improve handling of device rename

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-06 20:55:53 +02:00
John Crispin
5aa2ddd0d6 hostapd: add support for wifi-station and wifi-vlan sections
This patch adds support for 2 new uci sections.

config wifi-vlan
	# iface is optional. if it is not defined the vlan will apply
	# to all interfaces
        option iface	default_radio0
        option name	guest
        option vid	100
        option network	guest

config wifi-station
	# iface is optional. if it is not defined the station will apply
	# to all interfaces
        option iface	default_radio0
        # mac is optional. if it is not defined it will be a catch all
	# for any sta using this key
	option mac	'00:11:22:33:44:55'
        # vid is optional. if it is not defined, the sta will be part of
	# the primary iface.
	option vid	100
        option key	testtest

With this patch applied it is possible to use multiple PSKs on a single BSS.

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
John Crispin
303b463394 netifd: update to latest HEAD
db275e1 interface-ip: fix build on non-linux systems
3392046 system-dummy: fix missing return
a56b457 netifd: wireless: add support for tracking wifi-station sections
4ce33ce netifd: wireless: add support for tracking wifi-vlan sections

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
Petr Štetiar
7f0fb3e5d4 iwinfo: update to version 2020-06-03
2faa20e5e9d1 iwinfo: add device id for Mikrotik R11e-5HacD miniPCIe card
d577a9d38a3b iwinfo: add device id for Marvell 88W8997 SDIO wifi card
f6b7d16d2ffa iwinfo: add device id for Atheros AR9287 PCIe wifi card

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-03 16:49:28 +02:00
Sven Roederer
2171493f7f dnsmasq: add /etc/dnsmasq.d/ to conffiles
This directory can hold configuration-snippets which should also included in the backup.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-06-03 16:49:28 +02:00
Daniel Golle
b1f26b7160 uhttpd: fix script timeout
939c281 proc: do not cancel script killing after writing headers

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-06-03 10:50:01 +01:00
Hans Dedecker
8d2c031f21 ppp: update to version 2.4.8.git-2020-05-25
ddd57c2 pppd: Add lcp-echo-adaptive option
c319558 pppd: Handle SIGINT and SIGTERM during interrupted syscalls (#148)
0bc11fb Added missing options to manual pages. (#149)
b1fcf16 Merge branch 'monotonic-time' of https://github.com/themiron/ppp
c78e312 pppd: linux: use monotonic time if possible

Remove patch 121-debian_adaptive_lcp_echo as patch is upstream accepted
Remove patch 206-compensate_time_change.patch as timewrap issues are
solved by a patch making use of monotonic time

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-31 21:13:50 +02:00
Vladislav Grishenko
f166cf9ca0 dropbear: add ed25519 and chacha20-poly1305
- add Ed25519 support (backport):
  * DROPBEAR_ED25519 option for ssh-ed25519,
  * disabled by default
- add Chacha20-Poly1305 support (backport):
  * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com,
  * enabled by default
- update feature costs in binary size

Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
2020-05-30 21:27:10 +02:00
Jo-Philipp Wich
559b338466 qos-scripts: fix interface resolving
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.

Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-29 10:34:58 +02:00
Enrique Rodríguez Valencia
6e8bb68996 hostapd: Add disable_vht when using NOHT/HT* modes
disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes.

Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
2020-05-28 14:06:55 +01:00
David Bauer
a9f7510150 hostapd: add WEP as queryable build feature
Commit 472fd98c5b ("hostapd: disable support for Wired Equivalent
Privacy by default") made support for WEP optional.

Expose the WEP support to LuCi or other userspace tools using the
existing interface. This way they are able to remove WEP from the
available ciphers if hostapd is built without WEP support.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-05-22 21:54:30 +02:00
Philip Prindeville
de8b88ce17 firewall: add rule for traceroute support
Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.

This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2020-05-21 20:23:10 +02:00
Hans Dedecker
bc55258464 netifd: ingress/egress vlan qos mapping support
74e0222 vlandev: support setting ingress/egress QoS mappings

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-21 20:21:02 +02:00
Hauke Mehrtens
289c632425 mac80211: Update to version 5.7-rc3-1
This updates the mac80211 backport.

The removed patches are already integrated in the upstream version.

The 131-Revert-mac80211-aes-cmac-switch-to-shash-CMAC-driver.patch patch
was manually adapted to the changes in kernel 5.7.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-21 14:39:34 +02:00
Hauke Mehrtens
9ca21dc7d5 mac80211: Update to version 5.5.19
This updates the mac80211 backport.

The removed patches are already integrated in the upstream version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-21 14:39:34 +02:00
Daniel Golle
017320ead3 hostapd: bring back mesh patches
Bring back 802.11s mesh features to the level previously available
before the recent hostapd version bump. This is mostly to support use
of 802.11s on DFS channels, but also making mesh forwarding
configurable which is crucial for use of 802.11s MAC with other routing
protocols, such as batman-adv, on top.
While at it, fix new compiler warning by adapting 700-wifi-reload.patch
to upstream changes, now building without any warnings again.

Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-05-21 10:21:59 +01:00
Jason A. Donenfeld
a860fe2304 wireguard: bump to 1.0.20200520
This version has the various slew of bug fixes and compat fixes and
such, but the most interesting thing from an OpenWRT perspective is that
WireGuard now plays nicely with cake and fq_codel. I'll be very
interested to hear from OpenWRT users whether this makes a measurable
difference. Usual set of full changes follows.

This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.

* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10

These enable the test suite to compile with gcc-10.

* noise: read preshared key while taking lock

Matt noticed a benign data race when porting the Linux code to OpenBSD.

* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter

WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png

* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings

The usual RHEL churn.

* compat: backport renamed/missing skb hash members

The new support for fq_codel and friends meant more backporting work.

* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4

The main motivation for releasing this now: three stable kernels were released
at the same time, with a patch that necessitated updating in our compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21 08:18:01 +02:00
Petr Štetiar
472fd98c5b hostapd: disable support for Wired Equivalent Privacy by default
Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional
build parameter") has made WEP functionality an optional build parameter
disabled as default, because WEP should not be used for anything
anymore. As a step towards removing it completely, they moved all WEP
related functionality behind CONFIG_WEP blocks and disabled it by
default.

This functionality is subject to be completely removed in a future
release.

So follow this good security advice, deprecation notice and disable WEP
by default, but still allow custom builds with WEP support via
CONFIG_WPA_ENABLE_WEP config option till upstream removes support for
WEP completely.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00
Petr Štetiar
0a3ec87a66 hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed
Bump package to latest upstream Git HEAD which is commit dd2daf0848ed
("HE: Process HE 6 GHz band capab from associating HE STA"). Since last
update there was 1238 commits done in the upstream tree with 618 files
changed, 53399 insertions, 24928 deletions.

I didn't bothered to rebase mesh patches as the changes seems not
trivial and I don't have enough knowledge of those parts to do/test that
properly, so someone else has to forward port them, ideally upstream
them so we don't need to bother anymore. I've just deleted them for now:

 004-mesh-use-setup-completion-callback-to-complete-mesh-.patch
 005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch
 006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch
 007-mesh-apply-channel-attributes-before-running-Mesh.patch
 011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
 013-mesh-do-not-allow-pri-sec-channel-switch.patch
 015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch
 016-mesh-fix-channel-switch-error-during-CAC.patch
 018-mesh-make-forwarding-configurable.patch

Refreshed all other patches, removed upstreamed patches:

 051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch
 067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch
 071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch
 090-wolfssl-fix-crypto_bignum_sum.patch
 091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
 091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
 091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
 800-usleep.patch

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00
Jason A. Donenfeld
0727c83a76 wireguard-tools: bump to 1.0.20200513
* ipc: add support for openbsd kernel implementation
* ipc: cleanup openbsd support
* wg-quick: add support for openbsd kernel implementation
* wg-quick: cleanup openbsd support

Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for
OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged
and supported WireGuard kernel support. We'll probably send our patch set up
to the list during this next week. `ifconfig wg0 create` to make an interface,
and `wg ...` like usual to configure WireGuard aspects of it, like usual.

* wg-quick: support dns search domains

If DNS= has a non-IP in it, it is now treated as a search domain in
resolv.conf.  This new feature will be rolling out across our various GUI
clients in the next week or so.

* Makefile: simplify silent cleaning
* ipc: remove extra space
* git: add gitattributes so tarball doesn't have gitignore files
* terminal: specialize color_mode to stdout only

Small cleanups.

* highlighter: insist on 256-bit keys, not 257-bit or 258-bit

The highlighter's key checker is now stricter with base64 validation.

* wg-quick: android: support application whitelist

Android users can now have an application whitelist instead of application
blacklist.

* systemd: add wg-quick.target

This enables all wg-quick at .services to be restarted or managed as a unit via
wg-quick.target.

* Makefile: remember to install all systemd units

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-20 08:14:00 +02:00
Daniel Golle
631c437a91 hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-05-16 22:28:08 +01:00
Adrian Schmutzler
4cfa63edc0 wwan: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-05-13 19:01:23 +02:00
Adrian Schmutzler
04a8d3f453 comgt: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-05-13 19:01:23 +02:00
Adrian Schmutzler
ffa3a8e9b0 netifd: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-05-13 19:01:23 +02:00
Adrian Schmutzler
d2d63cc6e0 ltq-vdsl-app: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-05-13 19:01:23 +02:00
Kevin Darbyshire-Bryant
5e0a56b8ae umdns: re-enable address-of-packed-member warning
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-05-10 20:44:59 +01:00
Kevin Darbyshire-Bryant
ed91d72eac dnsmasq: hotplug script tidyup
Hotplug scripts are sourced so the #!/bin/sh is superfluous/deceptive.
Re-arrange script to only source 'procd' if we get to the stage of
needing to signal the process, reduce hotplug processing load a little.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-05-10 20:40:30 +01:00
Daniel A. Maierhofer
128250e8fc lldpd: add management IP setting
add option to set management IP pattern

also add missing 'unconfigure system hostname'

for example pattern '!192.168.1.1' makes it possible that
WAN IP is selected instead of LAN IP

Signed-off-by: Daniel A. Maierhofer <git@damadmai.at>
[grammar and spelling fixes in commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-05-08 05:54:39 +03:00
Rosen Penev
73fa1aba94 samba36: Remove
Samba 3.6 is completely unsupported, in addition to having tons of patches

It also causes kernel panics on some platforms when sendfile is enabled.
Example:

https://github.com/gnubee-git/GnuBee_Docs/issues/45

I have reproduced on ramips as well as mvebu in the past.

Samba 4 is an alternative available in the packages repo.

cifsd is a lightweight alternative available in the packages repo. It is
also a faster alternative to both Samba versions (lower CPU usage). It
was renamed to ksmbd.

To summarize, here are the alternatives:
- ksmbd + luci-app-cifsd
- samba4 + luci-app-samba4

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[drop samba36-server from GEMINI_NAS_PACKAGES, ksmbd rename + summary]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-05-08 03:32:52 +03:00
Yangbo Lu
2b31f143f9 layerscape: update restool to LSDK-20.04
Update restool to latest LSDK-20.04.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2020-05-07 12:53:06 +02:00
Jason A. Donenfeld
4f6343ffe7 wireguard: bump to 1.0.20200506
* compat: timeconst.h is a generated artifact

Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.

* compat: use bash instead of bc for HZ-->USEC calculation

This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.

* socket: remove errant restriction on looping to self

It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.

* send: cond_resched() when processing tx ringbuffers

Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.

* selftests: initalize ipv6 members to NULL to squelch clang warning

This fixes a worthless warning from clang.

* send/receive: use explicit unlikely branch instead of implicit coalescing

Some code readibility cleanups.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-07 12:53:06 +02:00
Hauke Mehrtens
5019a06fc1 ppp: Fix mirror hash
Fixes: ae06a650d6 ("ppp: update to version 2.4.8.git-2020-03-21")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-06 21:29:08 +02:00
Hans Dedecker
0836d0dea2 odhcpd: update to latest git HEAD (FS#3056)
5ce0770 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-04 21:29:24 +02:00
Josef Schlehofer
0e522d5f4a curl: update to version 7.70.0
- Release notes:
https://curl.haxx.se/changes.html#7_70_0

- Refreshed patch

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-05-04 07:59:46 +02:00
Jason A. Donenfeld
f57230c4e6 wireguard: bump to 1.0.20200429
* compat: support latest suse 15.1 and 15.2
* compat: support RHEL 7.8's faulty siphash backport
* compat: error out if bc is missing
* compat: backport hsiphash_1u32 for tests

We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04.

* compat: include sch_generic.h header for skb_reset_tc

A fix for a compiler error on kernels with weird configs.

* compat: import latest fixes for ptr_ring
* compat: don't assume READ_ONCE barriers on old kernels
* compat: kvmalloc_array is not required anyway

ptr_ring.h from upstream was imported, with compat modifications, to our
compat layer, to receive the latest fixes.

* compat: prefix icmp[v6]_ndo_send with __compat

Some distros that backported icmp[v6]_ndo_send still try to build the compat
module in some corner case circumstances, resulting in errors.  Work around
this with the usual __compat games.

* compat: ip6_dst_lookup_flow was backported to 3.16.83
* compat: ip6_dst_lookup_flow was backported to 4.19.119

Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels,
causing breaking in our compat module, which these changes fix.

* git: add gitattributes so tarball doesn't have gitignore files

Distros won't need to clean this up manually now.

* crypto: do not export symbols

These don't do anything and only increased file size.

* queueing: cleanup ptr_ring in error path of packet_queue_init

Sultan Alsawaf reported a memory leak on an error path.

* main: mark as in-tree

Now that we're upstream, there's no need to set the taint flag.

* receive: use tunnel helpers for decapsulating ECN markings

ECN markings are now decapsulated using RFC6040 instead of the old RFC3168.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-04-30 08:00:53 +02:00
Petr Štetiar
b17a5a9bdb dnsmasq: always inform about disabled dhcp service
Init script checks for an already active DHCP server on the interface
and if such DHCP server is found, then it logs "refusing to start DHCP"
message, starts dnsmasq without DHCP service unless `option force 1` is
set and caches the DHCP server check result.

Each consecutive service start then uses this cached DHCP server check
result, but doesn't provide log feedback about disabled DHCP service
anymore.

So this patch ensures, that the log message about disabled DHCP service
on particular interface is always provided.

Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-30 00:52:04 +02:00
Antonio Quartulli
4b3b8ec81c wpad-wolfssl: fix crypto_bignum_sub()
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.

This missing fix was discovered while testing SAE over a mesh interface.

With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.

Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-28 11:45:44 +01:00
Kevin Darbyshire-Bryant
9e7d11f3e2 relayd: bump to version 2020-04-25
f4d759b dhcp.c: further improve validation

Further improve input validation for CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-26 13:00:36 +01:00
Kevin Darbyshire-Bryant
9f7c8ed078 umdns: update to version 2020-04-25
cdac046 dns.c: fix input validation fix

Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.

Improve CVE-2020-11750 fix

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-26 13:00:32 +01:00
Kevin Darbyshire-Bryant
be172e663f relayd: bump to version 2020-04-20
796da66 dhcp.c: improve input validation & length checks

Addresses CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-20 11:32:07 +01:00
Kevin Darbyshire-Bryant
533da61ac6 umdns: update to version 2020-04-20
e74a3f9 dns.c: improve input validation

Addresses CVE-2020-11750

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-20 11:32:07 +01:00
Hauke Mehrtens
ce1798e915 dante: Fix compile with glibc
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.

This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.

This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1

Fixes: aaf46a8fe2 ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-04-18 21:06:45 +02:00
Magnus Kroken
d7e98bd7c5 openvpn: update to 2.4.9
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-04-18 20:34:08 +02:00
Daniel Golle
e23de62845 netifd: clean up netns functionality
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 13:53:11 +01:00
Daniel Golle
a5a90a94ce netifd: fix jail ifdown and jails without jail_ifname
The previous commit introduced a regression for netns jails without
jail_ifname set. Fix that.

Fixes: 4e4f7c6d2d ("netifd: network namespace jail improvements")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 00:55:02 +01:00
Daniel Golle
4e4f7c6d2d netifd: network namespace jail improvements
aaaca2e interface: allocate and free memory for jail name
 d93126d interface: allow renaming interface when moving to jail netns

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 00:22:21 +01:00
Daniel Golle
f37d634236 hostapd: reduce to a single instance per service
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 00:22:21 +01:00
Rosen Penev
76d22fc24b hostapd: backport usleep patch
Optionally fixes compilation with uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-04-13 22:40:19 +02:00
Kirill Lukonin
dce97df740 wpa_supplicant: disable CONFIG_WRITE functionality
CONFIG_WRITE functionality is not used and could be removed.
Looks helpful for devices with small flash because wpad is also affected.

Little testing shows that about 6 KB could be saved.

Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
2020-04-13 22:40:06 +02:00
Kevin Darbyshire-Bryant
4f34e430ed dnsmasq: bump to v2.81
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-12 15:04:48 +01:00
Hans Dedecker
8d9e26457c iproute2: update to 5.6.0
Update iproute2 to latest stable 5.6.0; for the changes see https://lwn.net/Articles/816778/

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-04-11 21:02:26 +02:00
Norbert van Bolhuis
9aa3d5b345 linux-atm: Include linux/sockios.h for SIOCGSTAMP
Since linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
(2019-04-19) the asm-generic/sockios.h header no longer defines
SIOCGSTAMP. Instead it provides only SIOCGSTAMP_OLD.

The linux/sockios.h header now defines SIOCGSTAMP using either
SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. This linux only
header file is not included so we get a build failure.

Signed-off-by: Norbert van Bolhuis <nvbolhuis@aimvalley.nl>
2020-04-09 00:12:46 +02:00
Rosen Penev
d8bde3687a iproute2: add kmod-netlink-diag for ss
Allows proper usage of the ss tool. Otherwise, several errors and bad
data gets thrown:

Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported
Cannot open netlink socket: Protocol not supported

Originally reported here: https://github.com/openwrt/packages/issues/8232

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-04-07 20:40:03 +02:00
Hans Dedecker
ae06a650d6 ppp: update to version 2.4.8.git-2020-03-21
Use upstream latest git HEAD as it allows to remove the patches
700-radius-Prevent-buffer-overflow-in-rc_mksid,
701-pppd-Fix-bounds-check-in-EAP-code and
702-pppd-Ignore-received-EAP-messages-when-not-doing-EAP and
take in other fixes.

41a7323 pppd: Fixed spelling 'unkown' => 'unknown' (#141)
6b014be pppd: Print version information to stdout instead of stderr (#133)
cba2736 pppd: Add RFC1990 (Multilink) to the See Also section of the man page
f2f9554 pppd: Add mppe.h to the list of headers to install if MPPE is defined
ae54fcf pppd: Obfuscate password argument string
8d45443 pppd: Ignore received EAP messages when not doing EAP
8d7970b pppd: Fix bounds check in EAP code
858976b radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-04-06 20:42:45 +02:00
Kevin Darbyshire-Bryant
4540c3c3bf dnsmasq: bump to 2.81rc5
Bump to 2.81rc5 and re-work ipset-remove-old-kernel-support.

More runtime kernel version checking is done in 2.81rc5 in various parts
of the code, so expand the ipset patch' scope to inlude those new areas
and rename to something a bit more generic.:wq

Upstream changes from rc4

532246f Tweak to DNSSEC logging.
8caf3d7 Fix rare problem allocating frec for DNSSEC.
d162bee Allow overriding of ubus service name.
b43585c Fix nameserver list in auth mode.
3f60ecd Fixed resource leak on ubus_init failure.
0506a5e Handle old kernels that don't do NETLINK_NO_ENOBUFS.
e7ee1aa Extend stop-dns-rebind to reject IPv6 LL and ULA addresses. We also reject the loopback address if rebind-localhost-ok is NOT set.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-06 09:30:45 +01:00
Peter Stadler
5c1d88a83f netifd: fix 14_migrate-dhcp-release script
prepend 'uci' to 'commit network'

Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
2020-04-05 18:54:22 +02:00
Kevin Darbyshire-Bryant
82df192a01 dropbear: backport add ip address to exit without auth messages
201e359 Handle early exit when addrstring isn't set
fa4c464 Improve address logging on early exit messages (#83)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 10:56:52 +01:00
Kevin Darbyshire-Bryant
1c6143e4a0 hostapd: Move hostapd variants to WirelessAPD menu
It seemed very confusing when trying to select the different variants of
hostapd which are somewhat scattered about under the menu 'Network'.
Moving all hostapd variants under a common submenu helps avoid
confusion.

Inspired-by: Kevin Mahoney <kevin.mahoney@zenotec.net>
[Fixup badly formatted patch, change menu name]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 10:41:49 +01:00
Kevin Darbyshire-Bryant
22ae8bd50e umdns: update to the version 2020-04-05
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 09:24:22 +01:00
Kevin Darbyshire-Bryant
02640f0147 umdns: suppress address-of-packed-member warning
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:

dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]

261 |  uint16_t *swap = (uint16_t *) q;

Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-04 11:28:18 +01:00
Jason A. Donenfeld
e32eaf5896 wireguard: bump to 1.0.20200401
Recent backports to 5.5 and 5.4 broke our compat layer. This release is
to keep things running with the latest upstream stable kernels.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-04-01 22:24:58 +02:00
Jason A. Donenfeld
84025110cc wireguard: bump to 1.0.20200330
* queueing: backport skb_reset_redirect change from 5.6
* version: bump

This release has only one slight change, to put it closer to the 5.6
codebase, but its main purpose is to bump us to a 1.0.y version number.
Now that WireGuard 1.0.0 has been released for Linux 5.6 [1], we can put
the same number on the backport compat codebase.

When OpenWRT bumps to Linux 5.6, we'll be able to drop this package
entirely, which I look forward to seeing.

[1] https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-31 08:01:34 +02:00
Nick Hainke
c9c3fd1320 hostapd: add abridged flag in disassoc_imminent
If the abridged flag is set to 1 the APs that are listed in the BSS
Transition Candidate List are prioritized. If the bit is not set, the
APs have the same prioritization as the APs that are not in the list.

If you want to steer a client, you should set the flag!

The flag can be set by adding {...,'abridged': true,...} to the normal
ubus call.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2020-03-30 01:46:50 +02:00
Nick Hainke
c8ef465e10 hostapd: expose beacon reports through ubus
Subscribe to beacon reports through ubus.
Can be used for hearing map and client steering purposes.

First enable rrm:
    ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}'

Subscribe to the hostapd notifications via ubus.

Request beacon report:
    ubus call hostapd.wlan0 rrm_beacon_req
	'{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1,
	"duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}'

Signed-off-by: Nick Hainke <vincent@systemli.org>
[rework identation]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-03-30 01:46:50 +02:00
Jesus Fernandez Manzano
86440659b5 hostapd: Add 802.11r support for WPA3-Enterprise
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2020-03-30 01:46:50 +02:00
Hans Dedecker
089cddc252 odhcp6c: update to latest git HEAD
f575351 ra: fix sending router solicitations

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-29 22:24:30 +02:00
Kevin Darbyshire-Bryant
8d25c8e7f6 dnsmasq: bump to 2.81rc4
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-29 18:30:08 +01:00
Kevin Darbyshire-Bryant
94dae0f191 nftables: implement no/json variants
Replace the build time choice of json support with a package based
choice.  Users requiring a json aware version of 'nft' may now install
nftables-json.

The default choice to fulfill the 'nftables' package dependency is
'nftables-nojson'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-29 17:27:54 +01:00
DENG Qingfang
972daf7fdc curl: rebuild when libopenssl config changes
When some libopenssl options change curl will have to be rebuild to
adapt to those changes, avoiding undefined reference errors or features
disabled in curl.

Add CONFIG_OPENSSL_ENGINE, CONFIG_OPENSSL_WITH_COMPRESSION and
CONFIG_OPENSSL_WITH_NPN to PKG_CONFIG_DEPENDS so it will trigger
rebuild every time the options are changed.

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-03-29 14:31:04 +01:00
Hans Dedecker
001211a5ba netifd: fix compilation with musl 1.2.0
1e8328 system-linux: fix compilation with musl 1.2.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-26 21:58:02 +01:00
Hans Dedecker
ea69b13d84 odhcp6c: fix compilation with musl 1.2.0
49305e6 odhcp6c: fix compilation with musl 1.2.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-26 21:58:02 +01:00
Henrique de Moraes Holschuh
556b8581a1 dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-25 21:40:51 +01:00
Henrique de Moraes Holschuh
f81403c433 dnsmasq: init: get rid of test -a and test -o
Refer to shellcheck SC2166.  There are just too many caveats that are
shell-dependent on test -a and test -o to use them.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
2020-03-25 21:39:20 +01:00
Jo-Philipp Wich
052aaa7c96 uhttpd: bump to latest Git HEAD
5e9c23c client: allow keep-alive for POST requests
5fc551d tls: support specifying accepted TLS ciphers

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:22:10 +01:00
Kevin Darbyshire-Bryant
9b0290ffbd nftables: bump to 0.9.3
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-24 14:42:48 +00:00
Jordan Sokolic
27ffd5ee30 dnsmasq: add 'scriptarp' option
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.

Also enable --script-arp if has_handlers returns true.

Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-22 22:17:37 +01:00
David Bauer
46d0ce19f1 iwinfo: update to latest Git HEAD
9f5a7c4 iwinfo: add missing HT modename for HT-None
06a03c9 Revert "iwinfo: add BSS load element to scan result"
9a4bae8 iwinfo: add device id for Qualcomm Atheros QCA9990
eba5a20 iwinfo: add device id for BCM43602
a6914dc iwinfo: add BSS load element to scan result
bb21698 iwinfo: add device id for Atheros AR9287
7483398 iwinfo: add device id for MediaTek MT7615E

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-03-22 02:08:02 +01:00
Rafał Miłecki
8c33debb52 samba36: log error if getting device info failed
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-03-21 22:35:45 +01:00
Jason A. Donenfeld
2bd56595a6 wireguard: bump to 0.0.20200318
WireGuard had a brief professional security audit. The auditors didn't find
any vulnerabilities, but they did suggest one defense-in-depth suggestion to
protect against potential API misuse down the road, mentioned below. This
compat snapshot corresponds with the patches I just pushed to Dave for
5.6-rc7.

* curve25519-x86_64: avoid use of r12

This buys us 100 extra cycles, which isn't much, but it winds up being even
faster on PaX kernels, which use r12 as a RAP register.

* wireguard: queueing: account for skb->protocol==0

This is the defense-in-depth change. We deal with skb->protocol==0 just fine,
but the advice to deal explicitly with it seems like a good idea.

* receive: remove dead code from default packet type case

A default case of a particular switch statement should never be hit, so
instead of printing a pretty debug message there, we full-on WARN(), so that
we get bug reports.

* noise: error out precomputed DH during handshake rather than config

All peer keys will now be addable, even if they're low order. However, no
handshake messages will be produced successfully. This is a more consistent
behavior with other low order keys, where the handshake just won't complete if
they're being used anywhere.

* send: use normaler alignment formula from upstream

We're trying to keep a minimal delta with upstream for the compat backport.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-21 09:42:07 +01:00
Jason A. Donenfeld
858c6b17c8 wireguard-tools: bump to 1.0.20200319
* netlink: initialize mostly unused field
* curve25519: squelch warnings on clang

Code quality improvements.

* man: fix grammar in wg(8) and wg-quick(8)
* man: backlink wg-quick(8) in wg(8)
* man: add a warning to the SaveConfig description

Man page improvements. We hope to rewrite our man pages in mdocml at some
point soon.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-21 09:41:52 +01:00
Daniel Golle
50a59b3a39 hostapd: fix segfault in wpa_supplicant ubus
When introducing ubus reload support, ubus initialization was moved
to the service level instead of being carried out when adding a BSS
configuration. While this works when using wpa_supplicant in that way,
it breaks the ability to run wpa_supplicant on the command line, eg.
for debugging purposes.
Fix that by re-introducing ubus context intialization when adding
configuration.

Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-03-18 19:05:22 +01:00
Leon M. George
b78f61c336 hostapd: fix pointer cast warnings
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
Leon M. George
a8a993e64c hostapd: remove trailing whitespace
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
Hans Dedecker
3db9b83f16 curl: bump to 7.69.1
For changes in 7.69.1; see https://curl.haxx.se/changes.html#7_69_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-16 21:31:01 +01:00
Rozhuk Ivan
d890f85e59 wwan: fix hotplug event handling
Hotplug manager send: "remove" -> "add" -> "bind" events,
script interpret bind as "not add" = "remove" and mark device
as unavailable.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-16 21:03:25 +01:00
Rozhuk Ivan
4821ff064b comgt: fix hotplug event handling
Hotplug manager send: "remove" -> "add" -> "bind" events,
script interpret bind as "not add" = "remove" and mark device
as unavailable.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-16 21:02:33 +01:00
Hans Dedecker
d21f5aaa99 netifd: update to latest git HEAD
dbdef93 interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-16 20:59:12 +01:00
Mathias Kresin
1a9408281b iproute2: revert add libcap support, enabled in ip-full
This reverts commit a6da3f9ef7.

The libcap isn't as optional as the commit messages suggests. A hard
dependency to the libcap package is added, which is only available in
the external packages feed. Therefore it is impossible to package
ip-full without having the external packages feed up and running, which
is a regression to the former behaviour.

Signed-off-by: Mathias Kresin <dev@kresin.me>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-15 21:38:05 +01:00
Hans Dedecker
a5c30efeb1 odhcpd: update to latest git HEAD
6594c6b ubus: use dhcpv6 ia assignment flag
a90cc2e dhcpv6-ia: avoid setting lifetime to infinite for static assignments
bb07fa4 dhcpv4: avoid setting lifetime to infinite for static assignments

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-15 20:09:19 +01:00
Kevin Darbyshire-Bryant
d7613bd02f iptables: update to 1.8.4
Bump to iptable 1.8.4 and address packaging issue as mentioned in the
original bump/revert cycle.

"This reverts commit 10cbc896c0.
The updated iptables package does not build due to the following error
encountered on the buildbots:
    cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory

The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump."

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-15 15:55:56 +00:00
Hans Dedecker
659ae99e9b curl: bump to 7.69.0
For changes in 7.69.0; see https://curl.haxx.se/changes.html#7_69_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-10 22:15:18 +01:00
Kevin Darbyshire-Bryant
04a21c26a0 dnsmasq: bump to v2.81rc3
Bump to latest release candidate and drop 2 local patches that have been
upstreamed.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-10 12:49:07 +00:00
Kevin Darbyshire-Bryant
0b84b89251 dnsmasq: bump to 2.81rc2 + 2 local
Bump to dnsmasq 2.81rc2.  In the process discovered several compiler
warnings one with a logical error.

2 relevant patches sent upstream, added as 2 local patches for OpenWrt

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-06 15:47:56 +00:00
Kevin Darbyshire-Bryant
3251ac8f2d dnsmasq: bump to v2.81rc1
1st release candidate for v2.81 after 18 months.

Refresh patches & remove all upstreamed leaving:

110-ipset-remove-old-kernel-support.patch

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-04 20:44:23 +00:00
Alan Swanson
25cb5685c1 netifd: rename 20-smp-tune to 20-smp-packet-steering
Rename the script to be more obvious that this is for
packet steering only.

Signed-off-by: Alan Swanson <reiver@improbability.net>
2020-03-03 22:43:09 +01:00
Alan Swanson
d3868f15f8 netifd: change RPS/XPS handling to all CPUs and disable by default
The current implementation is significantly lowering lantiq
performace [1][2] by using RPS with non-irq CPUs and XPS
with alternating CPUs.

The previous netifd implementation (by default but could be
configured) simply used all CPUs and this patch essentially
reverts to this behaviour.

The only document suggesting using non-interrupt CPUs is Red
Hat [3] where if the network interrupt rate is extremely high
excluding the CPU that handles network interrupts *may* also
improve performance.

The original packet steering patches [4] advise that optimal
settings for the CPU mask seems to depend on architectures
and cache hierarcy so one size does not fit all. It also
advises that the overhead in processing for a lightly loaded
server can cause performance degradation.

Ideally, proper IRQ balancing is a better option with
the irqbalance daemon or manually.

The kernel does not enable packet steering by default, so
also disable in OpenWRT by default. (Though mvebu with its
hardware scheduling issues [5] might want to enable packet
steering by default.)

Change undocumented "default_ps" parameter to clearer
"packet_steering" parameter. The old parameter was only ever
set in target/linux/mediatek/base-files/etc/uci-defaults/99-net-ps
and matched the default.

[1] https://forum.openwrt.org/t/18-06-4-speed-fix-for-bt-homehub-5a
[2] https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1105
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps
[4] https://marc.info/?l=linux-netdev&m=125792239522685&w=2
[5] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=2e1f6f1682d3974d8ea52310e460f1bbe470390f

Fixes: #1852
Fixes: #2573

Signed-off-by: Alan Swanson <reiver@improbability.net>
2020-03-03 22:43:08 +01:00
Petr Štetiar
2c3c83e40b ppp: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on imx6:

 112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
 121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
 = 9198 diff

Acked-by: Alexander Couzens <lynxis@fe80.eu>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-03-01 21:35:59 +01:00
Petr Štetiar
35890514bb ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:38:43 +01:00
Jo-Philipp Wich
817e775319 Revert "ppp: backport security fixes"
This reverts commit 215598fd03 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:37:27 +01:00
John Crispin
d3b7838ebe hostapd: enhance wifi reload
Add a radio_config_id property. If the radio config changes return an error
upon receiving the reconf call.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-25 17:01:55 +01:00
Piotr Dymacz
2d113f89d2 hostapd: start hostapd/wpa_supplicant for all wiphy devices
c888e17e06 ("hostapd: manage instances via procd instead of pidfile")
added procd support for managing hostapd and wpa_supplicant daemons
but at the same time limited wiphy names to 'phy*'.

This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd:
add ubus reload") and makes procd manage daemons for any wiphy device
found in '/sys/class/ieee80211'.

CC: Felix Fietkau <nbd@nbd.name>
CC: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2020-02-24 23:27:50 +01:00
Piotr Dymacz
82679ca0b9 umbim: move package to 'WWAN' submenu
'uqmi' was moved to 'WWAN' submenu in 9abdeee0b7.
Let's be consistent and do the same with 'umbim'.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2020-02-24 23:27:50 +01:00
Hauke Mehrtens
806354ab53 linux-atm: Fix compile warning
The function trace_on_exit() is given to atexit() as a parameter, but
atexit() only takes a function pointer to a function with a void
parameter.

This problem was introduced when the on_exit() function was incompletely
replaced by atexit().

Fixes: ba6c8bd614 ("linux-atm: add portability fixes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-02-24 23:25:28 +01:00
DENG Qingfang
b9d29b78c8 iw: update to 5.4
Update iw to 5.4
This increases the ipk size of iw-tiny/full by about 400 bytes

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-02-22 16:38:41 +01:00
Adrian Schmutzler
a5b2c6f5ed rssileds: add dependencies based on LDFLAGS
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.

This was found by accidentally building rssileds on octeon, which
resulted in:

"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"

Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-02-22 14:26:01 +01:00
Stijn Tintel
a9b5473c92 lldpd: bump to 1.0.5
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-02-22 10:31:28 +02:00
Petr Štetiar
215598fd03 ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-02-20 09:12:12 +01:00
Russell Senior
731f7ea48a dnsmasq: fix uci-defaults script to exit 0 so it is cleaned up
A file, package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh,
was added in commit 6a28552120, but it
does not exit in a way that tells the uci-defaults mechanism that it
succeeded, and so it is not cleaned up after running successfully. Add
an exit 0 to the end to correct that.

Signed-off-by: Russell Senior <russell@personaltelco.net>
2020-02-19 22:02:59 +01:00
Jason A. Donenfeld
49caf9f98a wireguard: bump to 0.0.20200215
* send: cleanup skb padding calculation
* socket: remove useless synchronize_net

Sorry for the back-to-back releases. This fixes a regression spotted by Eric
Dumazet.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-02-15 08:57:49 +01:00
DENG Qingfang
5715b21f80 iproute2: update to 5.5.0, enable LTO
Update iproute2 to 5.5.0
Enable LTO to save several KB of size

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-02-13 21:35:13 +01:00
Jo-Philipp Wich
04069fde19 uhttpd: update to latest Git HEAD
2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-12 18:01:13 +01:00
Jason A. Donenfeld
cb17d7aed7 wireguard-tools: bump to 1.0.20200206
* wg-quick: android: split uids into multiple commands

Newer android's ndc implementations have limits on uid size, so we have to
break these into several lists.

* man: document dynamic debug trick for Linux

This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advice will at least help somebody. So that
you don't have to go digging into the commit, this adds this helpful tidbit
to the man page for getting debug logs on Linux:

 # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

* extract-{handshakes,keys}: rework for upstream kernel

These tools will now use the source code from the running kernel instead of
from the old monolithic repo. Essential for the functioning of Wireshark.

* netlink: remove libmnl requirement

We no longer require libmnl. It turns out that inlining the small subset of
libmnl that we actually use results in a smaller binary than the overhead of
linking to the external library. And we intend to gradually morph this code
into something domain specific as a libwg emerges. Performance has also
increased, thanks to the inliner. On all platforms, wg(8) only needs a normal
libc. Compile time on my system is still less than one second. So all in all
we have: smaller binary, zero dependencies, faster performance.

Packagers should no longer have their wireguard-tools package depend on
libmnl.

* embeddable-wg-library: use newer string_list
* netlink: don't pretend that sysconf isn't a function

Small cleanups.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-02-09 21:25:51 +01:00
Jo-Philipp Wich
766e778226 hostapd: remove erroneous $(space) redefinition
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-08 11:45:33 +01:00
Jason A. Donenfeld
71de48bd37 wireguard: bump to 0.0.20200205
* compat: support building for RHEL-8.2
* compat: remove RHEL-7.6 workaround

Bleeding edge RHEL users should be content now (which includes the actual
RedHat employees I've been talking to about getting this into the RHEL kernel
itself). Also, we remove old hacks for versions we no longer support anyway.

* allowedips: remove previously added list item when OOM fail
* noise: reject peers with low order public keys

With this now being upstream, we benefit from increased fuzzing coverage of
the code, uncovering these two bugs.

* netns: ensure non-addition of peers with failed precomputation
* netns: tie socket waiting to target pid

An added test to our test suite for the above and a small fix for high-load CI
scenarios.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-02-05 21:56:02 +01:00
Jo-Philipp Wich
5f5ec7660c Revert "iwinfo: update to latest Git HEAD"
This reverts commit 96424c143d.

The commit changed libiwinfo's internal ABI which breaks a number of
downstream projects, including LuCI and rpcd-mod-iwinfo.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-05 15:31:39 +01:00
David Bauer
96424c143d iwinfo: update to latest Git HEAD
eba5a20 iwinfo: add device id for BCM43602
a6914dc iwinfo: add BSS load element to scan result
bb21698 iwinfo: add device id for Atheros AR9287
7483398 iwinfo: add device id for MediaTek MT7615E

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-02-04 20:14:47 +01:00
John Crispin
df773ead9a bcm4xxx: fix iwinfo behaviour
Signed-off-by: John Crispin <john@phrozen.org>
2020-02-04 07:48:09 +01:00
Kevin Darbyshire-Bryant
e481df07fa iptables: set-dscpmark follow upstreamimg attempt
I'm having another attempt at trying to getting the 'store dscp into
conntrack connmark' functionality into upstream kernel, since the
restore function (act_ctinfo) has been accepted.

The syntax has changed from 'savedscp' to 'set-dscpmark' since that
conforms more closely with existing functionality.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-01-31 20:21:43 +00:00
Felix Fietkau
b3e86cbb4f hostapd: add back support for passing CSA events from sta/mesh to AP interfaces
Fixes handling CSA when using AP+STA or AP+Mesh
This change was accidentally dropped in commit 167028b75
("hostapd: Update to version 2.9 (2019-08-08)")

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-29 12:25:10 +01:00
Jason A. Donenfeld
c2859bf126 wireguard: bump to 0.0.20200128
This fixes a few small oversights for the 5.5 compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-28 22:33:40 +01:00
Felix Fietkau
03e9e4ba9e hostapd: unconditionally enable ap/mesh for wpa-cli
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-28 14:38:43 +01:00
Sven Roederer
3519bf4976 hostapd: remove some bashisms
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[remove shebang, slightly facelift commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-26 22:03:00 +01:00
Sven Roederer
bad59fd51b 6in4/6in4.sh: remove some bashism (usage of [[)
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-01-26 22:02:51 +01:00
Sven Roederer
bc357aaa2b netifd/config.sh: remove some bashism (usage of [[)
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-01-26 22:02:39 +01:00
Jason A. Donenfeld
4576a753f2 wireguard-tools: bump to 1.0.20200121
* Makefile: remove pwd from compile output
* Makefile: add standard 'all' target
* Makefile: evaluate git version lazily

Quality of life improvements for packagers.

* ipc: simplify inflatable buffer and add fuzzer
* fuzz: add generic command argument fuzzer
* fuzz: add set and setconf fuzzers

More fuzzers and a slicker string list implementation. These fuzzers now find
themselves configuring wireguard interfaces from scratch after several million
mutations, which is fun to watch.

* netlink: make sure to clear return value when trying again

Prior, if a dump was interrupted by a concurrent set operation, we'd try
again, but forget to reset an error flag, so we'd keep trying again forever.
Now we do the right thing and succeed when we succeed.

* Makefile: sort inputs to linker so that build is reproducible

Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the
linker receiving its inputs in a filesystem-dependent order. This screwed up
reproducible builds.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-24 08:21:04 +01:00
Jason A. Donenfeld
ec13b34118 wireguard: bump to 0.0.20200121
* Makefile: strip prefixed v from version.h

This fixes a mistake in dmesg output and when parsing the sysfs entry in the
filesystem.

* device: skb_list_walk_safe moved upstream

This is a 5.6 change, which we won't support here, but it does make the code
cleaner, so we make this change to keep things in sync.

* curve25519: x86_64: replace with formally verified implementation

This comes from INRIA's HACL*/Vale. It implements the same algorithm and
implementation strategy as the code it replaces, only this code has been
formally verified, sans the base point multiplication, which uses code
similar to prior, only it uses the formally verified field arithmetic
alongside reproducable ladder generation steps. This doesn't have a
pure-bmi2 version, which means haswell no longer benefits, but the
increased (doubled) code complexity is not worth it for a single
generation of chips that's already old.

Performance-wise, this is around 1% slower on older microarchitectures,
and slightly faster on newer microarchitectures, mainly 10nm ones or
backports of 10nm to 14nm. This implementation is "everest" below:

Xeon E5-2680 v4 (Broadwell)

armfazh: 133340 cycles per call
everest: 133436 cycles per call

Xeon Gold 5120 (Sky Lake Server)

armfazh: 112636 cycles per call
everest: 113906 cycles per call

Core i5-6300U (Sky Lake Client)

armfazh: 116810 cycles per call
everest: 117916 cycles per call

Core i7-7600U (Kaby Lake)

armfazh: 119523 cycles per call
everest: 119040 cycles per call

Core i7-8750H (Coffee Lake)

armfazh: 113914 cycles per call
everest: 113650 cycles per call

Core i9-9880H (Coffee Lake Refresh)

armfazh: 112616 cycles per call
everest: 114082 cycles per call

Core i3-8121U (Cannon Lake)

armfazh: 113202 cycles per call
everest: 111382 cycles per call

Core i7-8265U (Whiskey Lake)

armfazh: 127307 cycles per call
everest: 127697 cycles per call

Core i7-8550U (Kaby Lake Refresh)

armfazh: 127522 cycles per call
everest: 127083 cycles per call

Xeon Platinum 8275CL (Cascade Lake)

armfazh: 114380 cycles per call
everest: 114656 cycles per call

Achieving these kind of results with formally verified code is quite
remarkable, especialy considering that performance is favorable for
newer chips.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-24 08:21:04 +01:00
Felix Fietkau
c07f6e8659 hostapd: fix faulty WMM IE parameters with ETSI regulatory domains
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-23 14:53:13 +01:00
Jan Pavlinec
2982997f1b curl: update to version 7.68.0 (security fix)
Fixes
CVE-2019-15601

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-01-21 22:17:53 +01:00
Daniel Golle
e4ce8f59f5 netifd: add basic support for jail network namespaces
Prepare netifd for handling procd service jails having their own
network namespace.
Intefaces having the jail attribute will only be brought up inside the
jail's network namespace by procd calling the newly introduced ubus
method 'netns_updown'.
Currently proto 'static' is supported and configuration changes are
not yet being handled (ie. you'll have to restart the jailed service
for changes to take effect).

Example /etc/config/network snippet:
config device 'veth0'
    option type 'veth'
    option name 'vhost0'
    option peer_name 'virt0'

config interface 'virt'
    option type 'bridge'
    list ifname 'vhost0'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'

config interface 'virt0'
    option ifname 'virt0'
    option proto 'static'
    option ipaddr '10.0.0.2'
    option netmask '255.255.255.0'
    option gateway '10.0.0.1'
    option dns '10.0.0.1'
    option jail 'transmission'

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-21 10:25:27 +02:00
Hans Dedecker
f0c0f92ce4 odhcpd: update to version 2020-01-14
6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes
2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags
b413d8a dhcpv6-ia: cleanup prefix delegation routes
b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-01-16 21:53:17 +01:00
David Lam
a5f3648a1c hostapd: add support for system cert bundle validation
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.

Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-16 12:08:18 +01:00
Daniel Golle
702c70264b hostapd: cleanup IBSS-RSN
set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-16 10:26:21 +02:00
John Crispin
a3dd95ef63 dropbear: fix compile error
Fixes: 0da193ee69 ("dropbear: move failsafe code out of base-files")
Signed-off-by: John Crispin <john@phrozen.org>
2020-01-15 21:31:12 +01:00
Florian Eckert
7151054abd wireguard: skip peer config if public key of the peer is not defined
If a config section of a peer does not have a public key defined, the
whole interface does not start. The following log is shown

daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
daemon.notice netifd: test (21071): Configuration parsing erro

The command 'wg show' does only show the interface name.

With this change we skip the peer for this interface and emit a log
message. So the other peers get configured.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-15 21:19:01 +01:00
Florian Eckert
ee2014e680 uhttpd: add enable instance option
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-15 20:16:42 +01:00
Kyle Copperfield
0fcb4a3981 hostapd: add wpa_strict_rekey support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:49 +01:00
Kyle Copperfield
30c64825c7 hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:44 +01:00
Kyle Copperfield
0da193ee69 dropbear: move failsafe code out of base-files
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:04:06 +01:00
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
Petr Štetiar
2b28358a37 odhcpd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 odhcpd-ipv6only Installed-Size: 36821 -> 38216

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:40 +01:00
Hauke Mehrtens
a2571f3c81 uhttpd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 39% uncompressed and 21% compressed
on MIPS BE.

old:
33,189 /usr/sbin/uhttpd
23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

new:
46,212 /usr/sbin/uhttpd
27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
6b2379d048 hostapd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.

old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
dae0ac7770 dnsmasq: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 37% uncompressed and 18% compressed
on MIPS BE.

old:
146,933 /usr/sbin/dnsmasq
101,837 dnsmasq_2.80-14_mips_24kc.ipk

new:
202,020 /usr/sbin/dnsmasq
120,577 dnsmasq_2.80-14_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hans Dedecker
3446702cdb ethtool: bump to 5.4
7dc0af7 Release version 5.4.
914912e ethtool: add 0x16 and 0x1c extended compliance codes
600b779 ethtool: mark 10G Base-ER as SFF-8472 revision 10.4 onwards
696565d ethtool: correctly interpret bitrate of 255
2941970 fix unused parameter warning in e1000_get_mac_type()
5e814f2 fix unused parameter warning in fjes_dump_regs()
b1a5279 fix unused parameter warning in ixgb_dump_regs()
6608751 fix unused parameter warning in ibm_emac_dump_regs()
1c30119 fix unused parameter warning in et131x_dump_regs()
a56aba4 fix unused parameter warning in amd8111e_dump_regs()
f40d32d fix unused parameter warning in fec_dump_regs()
8b84f1a fix unused parameter warning in at76c50x_usb_dump_regs()
f725f5a fix unused parameter warning in smsc911x_dump_regs()
a12cd66 fix unused parameter warning in e1000_dump_regs()
e058656 fix unused parameter warning in igb_dump_regs()
debac02 fix unused parameter warning in de2104[01]_dump_regs()
d434eea fix unused parameter warning in e100_dump_regs()
8df12f3 fix unused parameter warning in vioc_dump_regs()
92d716b fix unused parameter warning in tg3_dump_{eeprom, regs}()
211c99e fix unused parameter warning in fec_8xx_dump_regs()
362fb8b fix unused parameter warning in ixgbevf_dump_regs()
87903c2 fix unused parameter warning in st_{mac100, gmac}_dump_regs()
c1eaddf fix unused parameter warning in vmxnet3_dump_regs()
313c9f8 fix unused parameter warning in dsa_dump_regs()
183e8a2 fix unused parameter warning in {skge, sky2}_dump_regs()
7f84c13 fix unused parameter warning in lan78xx_dump_regs()
02d0aaa fix unused parameter warning in realtek_dump_regs()
726d607 fix unused parameter warning in ixgbe_dump_regs()
967177c fix unused parameter warning in netsemi_dump_eeprom()
710a414 fix unused parameter warning in natsemi_dump_regs()
283398a fix unused parameter warning in print_simple_table()
0404267 fix unused parameter warning in sfc_dump_regs()
57c7298 fix unused parameter warning in altera_tse_dump_regs()
302e91a fix unused parameter warning in dump_eeprom()
2054a8c fix unused parameter warning in find_option()
d5432a9 fix unused parameter warnings in do_version() and show_usage()
c430e75 fix arithmetic on pointer to void is a GNU extension warning
e568431 ethtool: implement support for Energy Detect Power Down
e391f4c ethtool: sync ethtool-copy.h: adds support for EDPD

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-01-12 22:19:37 +01:00
Jason A. Donenfeld
7936cb94a9 wireguard-tools: bump to 1.0.20200102
* systemd: update documentation URL
* global: bump copyright

Usual house keeping.

* Makefile: DEBUG_TOOLS -> DEBUG and document
* Makefile: port static analysis check
* dns-hatchet: adjust path for new repo layout
* Makefile: rework automatic version.h mangling

These are some important-ish cleanups for downstream package maintainers that
should make packaging this a lot smoother.

* man: add documentation about removing explicit listen-port

Documentation improvement.

* wg-quick: linux: quote ifname for nft

This should fix issues with weirdly named ifnames and odd versions of nft(8).

* fuzz: find bugs in the config syntax parser
* fuzz: find bugs when parsing uapi input

These are two fuzzers that have been laying around without a repo for a while.
Perhaps somebody with enough compute power will find bugs with them.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Jason A. Donenfeld
62c2199bd8 wireguard: bump to 0.0.20200105
* socket: mark skbs as not on list when receiving via gro

Certain drivers will pass gro skbs to udp, at which point the udp driver
simply iterates through them and passes them off to encap_rcv, which is
where we pick up. At the moment, we're not attempting to coalesce these
into bundles, but we also don't want to wind up having cascaded lists of
skbs treated separately. The right behavior here, then, is to just mark
each incoming one as not on a list. This can be seen in practice, for
example, with Qualcomm's rmnet_perf driver. This lead to crashes on
OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear
that it could lead to issues on other drivers on weird OpenWRT routers.

This commit is upstream in net-next as:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Daniel Golle
6a28552120 dnsmasq: add uci-defaults script for config migration
When running sysupgrade from an existing configuration, UCI option
dhcp.@dnsmasq[0].resolvfile needs to be modified in case it has not
been changed from it's original value.
Accomplish that using a uci-defaults script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-09 15:37:53 +02:00
David Bauer
ab16adf80b hostapd: disable ft_psk_generate_local for non-PSK networks
Without this commit, ft_psk_generate_local is enabled for non-PSK
networks by default. This breaks 802.11r for EAP networks.

Disable ft_psk_generate_local by default for non-PSK networks resolves
this misbehavior.

Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
2020-01-09 01:01:20 +01:00
Matthias Schiffer
41c19dd542
ethtool: fix PKG_CONFIG_DEPENDS
Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:53:31 +01:00
Matthias Schiffer
9924db5b37
iperf: fix PKG_CONFIG_DEPENDS
Fix typo in PKG_CONFIG_DEPENDS and missing CONFIG_ prefix.

Fixes: e98e046f06 ("iperf: Allow enabling multicast support")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:52:23 +01:00
Daniel Golle
2e3cf4500b dnsmasq: bump PKG_RELEASE
Previous commit should have bumped PKG_RELEASE, but git add was
forgotten... Add it now.

Fixes: cd48d8d342 ("dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:44:16 +02:00
Daniel Golle
cd48d8d342 dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto
Mount-bind directory instead of resolv.conf.auto file in jail to
avoid problems when the file is deleted/replaced.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:37:22 +02:00
Daniel Golle
5e1604477a netifd: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:59 +02:00
Daniel Golle
fedc5d30ae base-files: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Having it in a directory it more friendly for mount-bind.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:03 +02:00
Hauke Mehrtens
414d054138 dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.

I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra  = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 17:44:22 +01:00
Hauke Mehrtens
8fb6be73b5 iwinfo: Update to version 2020-01-05
bf2c106 nl80211: add htmode to iwinfo_ops

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:19:37 +01:00
Andrea Dalla Costa
52f0b0913d ead: fix resource leak in tinysrp
Add call to fclose for file pointer fp in function t_openpw.
The resource leak could happen during an error handling.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-05 19:36:46 +01:00
DENG Qingfang
983605e61f pppd: update to 2.4.8
78cd384 Update README and patchlevel.h for 2.4.8 release
5d03403 pppd: Avoid use of strnlen (and strlen) in vslprintf
a1e950a pppd: Fix IPv6 default route code for Solaris
ca5e61b plugins/rp-pppoe: Make tag parsing loop condition more accurate
c10c3c7 pppd: Make sure word read from options file is null-terminated
b311e98 pppd: Limit memory accessed by string formats with max length specified
3ea9de9 pppd: Eliminate some more compiler warnings
57edb1a pppd: Include time.h header before using time_t
09f695f pppd: Don't free static string
03104ba pppd.h: Add missing headers
388597e pppd: Add defaultroute6 and related options
66ce4ba pppd: Avoid declarations within statements in main.c
5637180 pppd: Fix `ifname` option in case of multilink (#105)
d00f8a0 pppd: Fix variable reference syntax in Makefile.linux
b6b4d28 pppd: Check tdb pointer before closing

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-01-05 19:36:45 +01:00
Matt Merhar
3d7f76383f dropbear: add missing zlib dependency for dropbearconvert
If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage
due to an undeclared dependency on libz.so.1.

As is already done for the main dropbear package, conditionally add a
dependency on zlib.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2020-01-05 19:36:45 +01:00
Rosen Penev
121ad10601 lldpd: Fix compilation without fortify-headers
Upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-05 19:36:45 +01:00
Florian Fainelli
e98e046f06 iperf: Allow enabling multicast support
iperf2 is useful for testing UDP over multicast, add an option to permit
the enabling/disabling of multicast support.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2020-01-03 20:30:09 -08:00
Jo-Philipp Wich
0590d74db2 Revert "iptables: update to 1.8.4"
This reverts commit 10cbc896c0.

The updated iptables package does not build due to the following error
encountered on the buildbots:

    cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory

The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-30 23:07:29 +01:00
DENG Qingfang
10cbc896c0 iptables: update to 1.8.4
Update iptables to 1.8.4

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.4.txt

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-12-30 21:14:31 +01:00
David Bauer
3026cfe172 iwinfo: update to 2019-12-27
a6f6c05 nl80211: properly handle netdev names starting with "radio"
31dcef3 iwinfo: add several QC/A device ids

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-30 15:09:30 +01:00
Jason A. Donenfeld
ea980fb9c6 wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 16:34:27 +01:00
Eneas U de Queiroz
3018c4c02f curl: rename cyassl->wolfssl
The old name was dropped and no longer works.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-12-26 23:30:33 +01:00
Kevin Darbyshire-Bryant
9cf9f903a3 wireguard: bump to 20191219
edad0d6 version: bump snapshot
0e38a3c compat: ipv6_dst_lookup_flow was backported to 5.3 and 5.4
2e52c41 wg-quick: linux: use already configured addresses instead of in-memory
3721521 tools: adjust wg.8 syntax for consistency in COMMANDS section
21a1498 wg-quick: linux: try both iptables(8) and nft(8) on teardown

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-24 20:53:32 +00:00
Rosen Penev
fd211e1677 iperf: Fix compilation with libcxx
Avoids redefining bool.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
Jo-Philipp Wich
97af1fc979 uhttpd: reset PKG_RELEASE
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 23:03:59 +01:00
Jo-Philipp Wich
f34f9a414d uhttpd: update to latest Git HEAD
5f9ae57 client: fix invalid data access through invalid content-length values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 22:50:00 +01:00
Magnus Kroken
bf43e5bbf9 openvpn: update to 2.4.8
Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2019-12-22 10:45:09 +01:00
Petr Štetiar
98b3526bf2 iputils: move iputils tools to packages feed
iputils has moved from the master tree to the packages feed, and is
switching from the abandoned skbuff.net upstream to
github.com/iputils/iputils.

Ref: https://git.openwrt.org/556698cedf9e86a0ffe9f148d4e8e733676c26f6
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-19 22:41:57 +01:00
Kevin Darbyshire-Bryant
ca7ed1712e wireguard: bump to 0.0.20191212
1ec6ece version: bump snapshot
e13de91 main: remove unused include <linux/version.h>
72eb17c wg-quick: linux: support older nft(8)
1d8e978 global: fix up spelling
e02713e wg-quick: linux: add support for nft and prefer it
b4e3a83 compat: support building for RHEL-8.1 instead of RHEL-8.0
f29e3ac socket: convert to ipv6_dst_lookup_flow for 5.5

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-17 19:46:41 +00:00
Hans Dedecker
a15f658ed0 odhcpd: update to latest git HEAD
d60f0a6 treewide: optimize syslog priority values

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-15 20:54:25 +01:00
Daniel Golle
24b97579d2 hostapd: re-introduce process tracking
Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was
tracking hostapd/wpa_supplicant and restarting wifi in case of a
process crash. Restore this behaviour by tracking the PIDs of
hostapd and wpa_supplicant.
Also make sure hostapd and/or wpa_supplicant have been started before
emmitting ubus calls to them using ubus wait_for.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-08 19:52:39 +01:00
Felix Fietkau
c888e17e06 hostapd: manage instances via procd instead of pidfile
Allows graceful restart of crashing hostapd/wpa_supplicant instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: attempt to launch only present services]
2019-12-08 19:52:38 +01:00
Felix Fietkau
4225b83a76 hostapd: fix crash regression triggered by mesh mode
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: polish commit message]
2019-12-08 19:51:53 +01:00
David Bauer
1ccf4bb93b hostapd: enable CTRL_IFACE_MIB for hostapd-full
This enables the CTRL_IFACE_MIB symbol for wpad-full and hostapd-full.
If it is not enabled, statistic outputs such as "hostapd_cli all_sta"
are empty.

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-08 12:49:09 +01:00
Hans Dedecker
39d9010c20 iproute2: update to 5.4.0
Update iproute2 to latest stable version, see https://lwn.net/Articles/805654/
for the changes in 5.4.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-06 18:35:55 +01:00
Jason A. Donenfeld
82a8f91c89 wireguard: bump to 0.0.20191205
* wg-quick: linux: suppress error when finding unused table

This fixes a spurious warning messages seen with recent versions of iproute2
and kernels.

* wg-quick: linux: ensure postdown hooks execute
* wg-quick: linux: have remove_iptables return true
* wg-quick: linux: iptables-* -w is not widely supported

Adding in iptables had some hiccups. For the record, I'm very unhappy about
having to put any firewalling code into wg-quick(8). We'll of course need to
support nftables too at some point if this continues. I'm investigating with
upstream the possibility of adding a sysctl to patch the issue that iptables
is handling now, so hopefully at somepoint down the line we'll be able to shed
this dependency once again.

* send: use kfree_skb_list
* device: prepare skb_list_walk_safe for upstreaming
* send: avoid touching skb->{next,prev} directly

Suggestions from LKML.

* ipc: make sure userspace communication frees wgdevice

Free things properly on error paths.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 12:11:40 +01:00
Alin Nastac
416d2cc71e gre: add ipv6 parameter to gre interfaces
IPv6 protocol is enabled on all gre interfaces, but gre(v6)tap
interfaces are usually added to a bridge interface, in which case
IPv6 should be enabled only on the bridge interface.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-12-02 21:52:33 +01:00
Hans Dedecker
806339a4cc curl: bump to 7.67.0
For changes in 7.67.0; see https://curl.haxx.se/changes.html#7_67_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-02 20:50:57 +01:00
Hans Dedecker
f573e5756a netifd: update to latest git HEAD
e45b140 interface: warn if ip6hint is truncated

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-29 21:56:42 +01:00
Jason A. Donenfeld
2fedf023e4 wireguard: bump to 0.0.20191127
* messages: recalculate rekey max based on a one minute flood
* allowedips: safely dereference rcu roots
* socket: remove redundant check of new4
* allowedips: avoid double lock in selftest error case
* tools: add syncconf command

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 20:20:31 +01:00
Kevin Darbyshire-Bryant
f1ca277405 dnsmasq: correct sense & usage of dnsseccheckunsigned
dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci
option was rendered ineffectual: we checked unsigned zones no matter the
setting.

Disabling the checking of unsigned zones is now achieve with the
"--dnssec-check-unsigned=no" dnsmasq option.

Update init script to pass required option in the disabled case.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-11-23 08:29:15 +00:00
Jo-Philipp Wich
482114d3f7 firewall: update to latest Git HEAD
8174814 utils: persist effective extra_src and extra_dest options in state file
72a486f zones: fix emitting match rules for zones with only "extra" options

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-22 18:53:57 +01:00
Kevin Darbyshire-Bryant
3cee6f3f24 netifd: dhcp proto convert release to norelease
Change dhcp no/release on shutdown to 'norelease' uci option to match
existing proto dhcpv6 usage.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-20 10:52:57 +00:00
John Crispin
60fb4c92b6 hostapd: add ubus reload
Add ubus interface to hostapd and wpa_supplicant to allow dynamically
reloading wiface configuration without having to restart the hostapd
process.
As a consequence, both hostapd and wpa_supplicant are now started
persistently on boot for each wifi device in the system and then
receive ubus calls adding, modifying or removing interface
configuration.
At a later stage it would be desirable to reduce the services to one
single instance managing all radios.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:52:26 +01:00
Daniel Golle
155ede4f1f netifd: add dynamic wireless reconfiguration
7a723d0 wireless: add ubus method for reloading configuration
 e15147c wireless: make reconf opt-in and allow serializing configuration

Set new option 'reconf' in 'wifi-device' section to enable dynamic
re-configuration on that radio.
If necessary, also set option 'serialize' which forced netifd to
configure interfaces of wireless devices one-by-one.
Both options are disabled by default.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:51:36 +01:00
DENG Qingfang
2ea8cd73fe ipset: update to 7.4
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-11-09 14:33:42 +01:00
Hauke Mehrtens
e926681387 swconfig: Activate LTO compile option
This decreases the size of the swconfig application by 25% on MIPS BE.

old:
16,916 /sbin/swconfig

new:
12,565 /sbin/swconfig

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:53 +01:00
Hauke Mehrtens
6596c95eca dnsmasq: Activate LTO
This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE.

old:
202,020 /usr/sbin/dnsmasq

new:
185,676 /usr/sbin/dnsmasq

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:51 +01:00
David Bauer
3034f8c3b8 hostapd: enable PMKSA and OK caching for WPA3-Personal
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-11-04 18:46:54 +01:00
Kyle Copperfield
87f9292300 hostapd: add IEEE 802.11k support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enables radio resource management to be reported by hostapd to clients.

Ref: https://github.com/lede-project/source/pull/1430
Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2019-11-02 20:51:52 +01:00
Hauke Mehrtens
ddab758997 lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
When ASLR_PIE was activated globally these drivers failed to build
because the user space LDFLAGS leaked into the kernel build process.
This was fixed in upstream Linux kernel commit ce99d0bf312d ("kbuild:
clear LDFLAGS in the top Makefile") which went into Linux 4.17. The
lantiq target is now on Linux 4.19 only and these exceptions are not
needed any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Hauke Mehrtens
e6cadb215c mac80211: Update to version 5.4-rc2
This updates mac80211 to backports based on kernel 5.4-rc2

ath10k-ct was updated to match the API changes and iw now uses the new
nl80211.h header file.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-19 12:35:55 +02:00
Florian Eckert
c7c14aaad3 wwan: Double quote to prevent globbing and word splitting
Fix some shellcheck warnings.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:41 +02:00
Florian Eckert
a78a539afd wwan: add ec25 to database
Add ec25 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:21 +02:00
Florian Eckert
68b1b0bb39 wwan: add mc7304 to database
Add mc7304 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:47:58 +02:00
Florian Eckert
c45c7606cc wwan: check new uci bus option on proto setup event
If system has more then one and different wwan interface (modem). Then the
wwan protohandler will always take the modem which is discovered first.
The protohandler will always setup the same interface. To fix this add a
new usb "bus" option which is associated with wwan device and so will set
the specified interface up. With this change more then one interface
could be mananged by the wwan protohandler.

If the "bus" option is not set in the uci network config then the protohandler
behaves as before the change. The protohanldler will take the first
interface which he founds.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-10-18 19:46:21 +02:00
Sean Kenny
9105057cc0 6in4: add rfc1918 check function
This is a precursor to adding proper support for multiple
6in4 tunnels with the already programmed tunlink parameter.
This is an essential sanity check so as to not break existing
and working behind NAT setups.

Signed-off-by: Sean Kenny <skenny@wfap.ca>

6in4: add myip he.net api parameter logic

This is to add proper support for multiple 6in4 tunnels
with the already programmed tunlink parameter.
As it stands before this commit, if there is a multi wan setup that
consists of dynamic ips, there is no way to use the
dynamic update feature as the he.net api is implicitly using
the ip address of the caller. This will explicitly use the
ipaddr specified in the interface config OR the ip of the
tunlink interface specified in the dynamic update api call instead
ONLY if the final resolved ipaddr variable is not an rfc1918 address.

Signed-off-by: Sean Kenny <skenny@wfap.ca>
2019-10-18 19:23:07 +02:00
Kevin Darbyshire-Bryant
9d5e266cb1 wireguard: bump to latest snapshot 20191012
8eb8443 version: bump snapshot
be09cf5 wg-quick: android: use Binder for setting DNS on Android 10
4716f85 noise: recompare stamps after taking write lock
54db197 netlink: allow preventing creation of new peers when updating
f1b87d1 netns: add test for failing 5.3 FIB changes
a3539c4 qemu: bump default version

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-10-16 16:13:39 +01:00
Jo-Philipp Wich
bc61458b73 iwinfo: update to latest Git HEAD
07315b6 nl80211: handle hidden SSIDs in wpa_supplicant scan results
3ac846e lua: fix string description of mixed WPA3 modes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-16 16:48:40 +02:00
Martin Schiller
71e04091a9 lantiq: fix dsl_control status handling.
Commit 7519a36774 ("base-files,procd: add generic service status")
introduced the generic 'status' command which broke the previous
dsl_control status output. To fix this, let's rename the "old" command
to "dslstat".

Fixes: 7519a36774 ("base-files,procd: add generic service status")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-10-15 23:23:08 +02:00
Jo-Philipp Wich
57b834281b iwinfo: update to latest Git HEAD
a29b7d4 nl80211: align path to phy mapping logic with mac80211.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-15 15:52:01 +02:00
Hans Dedecker
34c4741da0 odhcpd: update to latest git HEAD
9a4531a ndp: fix endian issue

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-14 21:35:09 +02:00
Eneas U de Queiroz
ee5a3f6d60 hostapd: adjust to removal of WOLFSSL_HAS_AES_GCM
WolfSSL is always built with AES-GCM support now.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-10-12 23:43:08 +02:00
DENG Qingfang
394273c066 tcpdump: update to 4.9.3
Fixed CVEs:
	CVE-2017-16808
	CVE-2018-10103
	CVE-2018-10105
	CVE-2018-14461
	CVE-2018-14462
	CVE-2018-14463
	CVE-2018-14464
	CVE-2018-14465
	CVE-2018-14466
	CVE-2018-14467
	CVE-2018-14468
	CVE-2018-14469
	CVE-2018-14470
	CVE-2018-14879
	CVE-2018-14880
	CVE-2018-14881
	CVE-2018-14882
	CVE-2018-16227
	CVE-2018-16228
	CVE-2018-16229
	CVE-2018-16230
	CVE-2018-16300
	CVE-2018-16301
	CVE-2018-16451
	CVE-2018-16452
	CVE-2019-15166
	CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-10-12 23:37:00 +02:00
Hans Dedecker
f8b58757d0 ppp: update to version 2.4.7.git-2019-10-04
0d004db Revert "pppd: Include time.h before using time_t"
e400854 pppdump: Eliminate printf format warning by using %zd
7f2f0de pppd: Refactor setjmp/longjmp with pipe pair in event wait loop
4e71317 make: Avoid using host include for cross-compiling
3202f89 pppoe: Remove the use of cdefs
d8e8d7a pppd: Remove unused rcsid variables
486f854 pppd: Fix GLIBC version test for non-glibc toolchains
b6cd558 pppd: Include time.h before using time_t
ef8ec11 radius: Fix compiler warning
f6330ec magic: Remove K&R style of arguments
347904e Add Submitting-patches.md

Remove patches 130-no_cdefs_h.patch, 131-missing_prototype_macro.patch,
132-fix_linux_includes.patch as fixed upstream
Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-10 22:37:10 +02:00
Hans Dedecker
27bf8abe69 firewall: update to latest git HEAD
daed0cf utils: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:26 +02:00
Hans Dedecker
1ed5c1b146 odhcpd: update to latest git HEAD
e76ad06 netlink: fix potential infinite loops

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:17 +02:00
Hauke Mehrtens
9a4fb78e7c iw: Update to version 5.3
Wifi HE (ieee80211ax) parsing is currently only activated in the full
version because it increases the compressed size by 2.5KBytes.

This also activates link time optimization (LTO) again, the problem was
fixed upstream

This increases the uncompressed binary size of iw-tiny by about 1.7%

old:
34446 iw_5.0.1-1_mipsel_24kc.ipk
new:
35064 iw_5.3-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-03 17:59:19 +02:00
Hans Dedecker
6077cde98a ethtool: bump to 5.3
76c4682 Release version 5.3.
3870efc ethtool: dump nested registers
7c06fa8 gitignore: ignore vim swapfiles and patches
49d1401 ethtool: igb: dump RR2DCDELAY register

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-30 21:53:35 +02:00
Jo-Philipp Wich
f2b9181bb1 iwinfo: update to latest Git HEAD
2a95086 nl80211: recognize SAE encrypted mesh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-30 12:44:13 +02:00
Felix Fietkau
d25cc3207d iw: add patch to include local BSS rx time in survey information
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-09-29 22:16:27 +02:00
DENG Qingfang
eddbd68b6d iproute2: update to 5.3.0
Update iproute2 to 5.3.0

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-09-28 21:26:53 +02:00
Brandy Krueger
1fe1a200d9 wireguard: bump to 0.0.20190913
Changes since 0.0.20190702:

define conversion constants for ancient kernels
android: refactor and add incoming allow rules
enforce that unused bits of flags are zero
immediately rekey all peers after changing device private key
support running in OpenVZ environments
do not run bc on clean target
skip peers with invalid keys
account for upstream configuration maze changes
openbsd: fix alternate routing table syntax
account for android-4.9 backport of addr_gen_mode
don't fail down when using systemd-resolved
allow specifying kernel release
enforce named pipe ownership and use protected prefix
work around ubuntu breakage
support newer PaX
don't rewrite siphash when it's from compat
squelch warnings for stack limit on broken kernel configs
support rhel/centos 7.7

Signed-off-by: Brandy Krueger <krueger.brandy24@gmail.com>
2019-09-28 21:01:53 +02:00
Jo-Philipp Wich
ced4c0e635 iwinfo: update to latest Git HEAD
313e827 nl80211: keep awaiting wpa_supplicant scan results on busy response
a766751 nl80211: fix parsing of mixed wpa encryption in wpa_supp scan results
f096bfd utils: support parsing SAE and OWE key management suites from IEs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-22 18:58:50 +02:00
Hauke Mehrtens
49cc712b44 hostapd: Add mesh support for wpad full
This increases the size of the binary slightly:

old:
427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

new:
442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
998686364d hostapd: use getrandom syscall
hostapd will not use the getrandom() syscall and as a fallback use
/dev/random, the syscall is supported since Linux 3.17 and in the musl,
glibc and uclibc version used by OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
0d86bf518a hostapd: Remove unneeded patch
All the content of this function is proceeded by IEEE8021X_EAPOL no code
accesses the ssid variable outside of this ifdef.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
9b4a27455c hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WAR
Instead of patching the workaround away, just use the config option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
167028b750 hostapd: Update to version 2.9 (2019-08-08)
The size of the ipkgs increase a bit (between 0.7% and 1.1%):

old 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

new 2019-08-08 (2.9):
290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:38 +02:00
Hauke Mehrtens
8af79550e6 hostapd: Update to version 2.8 (2019-04-21)
This also syncs the configuration files with the default configuration
files, but no extra options are activated or deactivated.

The mesh patches were partially merged into hostapd 2.8, the remaining
patches were extracted from patchwork and are now applied by OpenWrt.
The patches still have open questions which are not fixed by the author.
They were taken from this page:
https://patchwork.ozlabs.org/project/hostap/list/?series=62725&state=*

The changes in 007-mesh-apply-channel-attributes-before-running-Mesh.patch
where first applied to hostapd, but later reverted in hostapd commit
3e949655ccc5 because they caused memory leaks.

The size of the ipkgs increase a bit (between 1.3% and 2.3%):

old 2018-12-02 (2.7):
283337 wpad-basic_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
252857 wpad-mini_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
417473 wpad-openssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
415105 wpad-wolfssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk

new 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2019-09-22 17:39:26 +02:00
Hauke Mehrtens
a6981604b3 hostapd: Fix AP mode PMF disconnection protection bypass
This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-21 01:12:35 +02:00
Jo-Philipp Wich
d6bd3fd5c4 iwinfo: update to latest Git HEAD
02112f9 cli: fix reporting of mixed WPA2/WPA3 versions
7faeaea nl80211: properly detect WEP encryption in wpa_supp scan results
629b5ff nl80211: do not confuse open connections with WEP ones
3d47ddd nl80211: rework hostapd and wpa_supplicant wpa suite parsing

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:32:49 +02:00
Jo-Philipp Wich
abb4f4075e hostapd: mirror ieee80211w ap mode defaults in station mode
For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending
on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b.

Mirror the same defaults for client mode connections, in order to allow an
OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption
without the need to manually specify "option ieee80211w" on the station.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:28 +02:00
Jo-Philipp Wich
4209b28d23 hostapd: fix OWE settings in client mode
This changes fixes the generation of the wpa_supplicant client configuration
in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use
the proper key_mgmt=OWE setting instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:21 +02:00
Leon M. George
f974f8213b hostapd: declare struct wpa_bss early
wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if
CONFIG_WPS is not defined.  With the later inclusion of
600-ubus_support, the issue manifests in warnings like these:

wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration
        struct wpa_bss *bss)
               ^~~~~~~

This patch forward declares 'struct wpa_bss' regardless.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Leon M. George
a123df2758 hostapd: revert signature change in patch
The original wpa_hexdump uses a 'void *' for the payload.  With patch
410-limit_debug_messages, the signature changes and compiler warnings
occur at various places.  One such warning is:

 wpa_debug.h:106:20: note: expected 'const u8 * {aka const unsigned char *}' but argument is of type 'struct wpa_eapol_key *'

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Hans Dedecker
71cf4a272c curl: bump to 7.66.0
Refresh patches, for changes in version 7.66.0 see https://curl.haxx.se/changes.html#7_66_0

Fixes CVEs:
    CVE-2019-5481
    CVE-2019-5482

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-19 22:23:01 +02:00
Jo-Philipp Wich
5ef9e4f107 firewall: update to latest Git HEAD
383eb58 ubus: do not overwrite ipset name attribute

Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-18 10:51:24 +02:00
Petr Štetiar
2cf209ce91 firewall: update to latest git HEAD
c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:56:09 +02:00
Petr Štetiar
296e1f253c netifd,lldpd,rpcd,log: use generic service_running
commit eb204d14f75c ("base-files: implement generic service_running")
introduced generic service_running so it's not needed to copy&paste same
3 lines over and over again.

I've removed service_running from netifd/network init script as well,
because it was not working properly, looked quite strange and I didn't
understand the intention:

 $ /etc/init.d/network stop
 $ service network running && echo "yes" || echo "nope"
     ( have to wait for 30s )
 Command failed: Request timed out
 yes

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:53:01 +02:00
Hans Dedecker
a33d60c896 odhcpd: update to latest git HEAD
1d24009 netlink: rename netlink callback handlers
91a28e4 ndp: answer global-addressed NS manually
fd93e36 dhcpv6: retry failed PD assignments on addrlist change

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-15 20:43:14 +02:00
Hans Dedecker
ce6311d301 odhcpd: fix update to git HEAD
Fixes commit 7ff5b12e90

e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:37:54 +02:00
Ingo Feinerer
ca0ad9e0e9 umbim: update to latest git HEAD
184b707 umbim: add home provider query support

Signed-off-by: Ingo Feinerer <feinerer@logic.at>
2019-09-12 22:29:47 +02:00
Hans Dedecker
7ff5b12e90 odhcpd: update to latest git HEAD (FS#2019)
e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0
d111809 router: make RA flags configurable (FS#2019)

Update odhcpd defaults according to the new RA flags implementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:22:29 +02:00
David Bauer
7db2f1a71f iwinfo: update to latest Git HEAD
a88fb42 iwinfo: add device id for Qualcomm Atheros QCA9886
1b69d86 iwinfo: add device id for Qualcomm Atheros QCA9887

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-09-12 15:38:08 +02:00
Hauke Mehrtens
7bed9bf10f hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:41 +02:00
Hauke Mehrtens
9f34bf51d6 hostapd: Fix security problem
This fixes:
CVE-2019-11555 "EAP-pwd message reassembly issue with unexpected fragment"
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

This shouöld not affect OpenWrt in the default settings as we do not use
EAP-pwd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:26 +02:00
Hauke Mehrtens
359bff6052 firewall: update to latest git HEAD
487bd0d utils: Fix string format message

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-08 18:39:13 +02:00
Hans Dedecker
7db6559914 firewal: update to latest git HEAD
4d0c703 firewall3: Fix some format string problems
8c404ef iptables.c: lock the xtables.lock
c1d3a4d utils: implement fw3_lock_path() & fw3_unlock_path()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 21:23:43 +02:00
Hans Dedecker
1855c23794 odhcp6c: update to latest git HEAD
e199804 dhcpv6: sanitize oro options

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 13:11:53 +02:00
Hauke Mehrtens
6658447534 iwinfo: update to latest Git HEAD
f599a8d iwinfo: Fix rate buffer size
71ec9be iwinfo: Fix buffer size
f8ef450 iwinfo: Add support for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-01 19:48:43 +02:00
Konstantin Demin
b74f1f335a nftables: bump to version 0.9.2
- exclude Python-related stuff from build
- drop patches:
  * 010-uclibc-ng.patch, applied upstream

ipkg size decrease by 2.8%:
old:
194.851 nftables_0.9.0-2_arm_cortex-a7_neon-vfpv4.ipk
new:
189.581 nftables_0.9.2-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-09-01 18:38:04 +02:00
Eneas U de Queiroz
7f2b230b3b uhttpd: add support to generate EC keys
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-01 00:35:11 +02:00
Jo-Philipp Wich
b13f3300d5 iwinfo: update to latest Git HEAD
a9f9557 nl80211: support reading hardware id from phy directly
c586cd3 iwinfo: add device id for MediaTek MT7612E
d4382dd iwinfo: add device id for Atheros AR9390

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-28 12:09:14 +02:00
DENG Qingfang
bd098231ba iproute2: update to 5.2.0
Remove upstream patches

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-24 21:58:13 +02:00
Kevin Darbyshire-Bryant
bd01346bb4 firewall: update to latest git HEAD
bf29c1e firewall3: ipset: Handle reload_set properly

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-22 09:31:57 +01:00
Christian Lamparter
cfd0748497 iftop: update to HEAD of 2018-10-03 - 77901c
Update iftop to commit 77901c8c53e01359d83b8090aacfe62214658183

git log --pretty=oneline --abbrev-commit 949ed0f7..77901c8c

77901c8 Support scales beyond 1Gbps

Created with the help of the make-package-update-commit.sh script.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-08-18 20:56:41 +02:00
Jo-Philipp Wich
d1f207ecc9 uhttpd: update to latest Git HEAD
6b03f96 ubus: increase maximum ubus request size to 64KB

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-18 20:00:06 +02:00
Alin Nastac
a6da3f9ef7 iproute2: add libcap support, enabled in ip-full
Preserve optionality of libcap by having configuration script follow the
HAVE_CAP environment variable, used similarly to the HAVE_ELF variable.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase/refresh patches]
2019-08-18 14:44:10 +02:00
Hauke Mehrtens
928e893a11 mac80211: Update to version 5.3-rc4-1
The removed patches were applied upstream.
The type of the RT2X00_LIB_EEPROM config option was changed to bool,
because boolean is an invalid value and the new kconfig system
complained about this.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 13:41:16 +02:00
Hauke Mehrtens
1d4df52c21 hostapd: Allow CONFIG_IEEE80211W for all but mini variant
This commit will activate CONFIG_IEEE80211W for all, but the mini
variant when at least one driver supports it. This will add ieee80211w
support for the mesh variant for example.

Fixes: FS#2397
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Hauke Mehrtens
f34e825834 hostapd: Remove ROBO switch support
The driver was removed from OpenWrt a long time ago.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Kevin Darbyshire-Bryant
51ffce0694 firewall: improve ipset support
Bump to latest git HEAD

509e673 firewall3: Improve ipset support

The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.

Add support for reloading, or recreating, ipsets on firewall reload.  By
setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded.

Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-16 11:27:24 +01:00
Hans Dedecker
63ced14048 dnsmasq: use nettle ecc_curve access functions
Fixes compile issues with nettle 3.5.1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-09 21:40:13 +02:00
Vincent Wiemann
ccb4b96b8a comgt-ncm: add driver dependencies again
In the commit 623716dd43 ("comgt-ncm: Fix NCM protocol")
the dependencies to vendor NCM drivers were removed, because:

> comgt-ncm should not depend on the USB-serial-related kernel modules,
> as the cdc-wdm control device works without them. There is also no need
> to depend on kmod-huawei-cdc-ncm, since other manufacturers (like
> Ericsson and Samsung) which use other kernel modules should also be
> supported.

From a user-perspective this does not make sense, as installing comgt-ncm
(or luci-proto-ncm) should install all needed dependencies for using such
a device.

Furthermore depending on kmod-huawei-cdc-ncm does not mean that Ericsson
and Samsung devices can't be supported. By the way it seems that Ericsson
and Samsung devices never used NCM, but act as serial modems.

Thus this commit adds the dependencies again.

Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
[fixed title capitalization, formatted commit message,
renamed Sony-Ericsson to Ericsson]
Signed-off-by: David Bauer <mail@david-bauer.net>
2019-08-08 21:33:34 +02:00
Hans Dedecker
d70a35c365 netifd: update to latest git HEAD
5e02f94 system-linux: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-07 13:55:52 +02:00
Rosen Penev
1b1c47577b linux-atm: Add missing headers
This fixes compilation with -Werror=implicit-function-declaration.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-08-05 23:22:26 +02:00
Jeffery To
e545fac8d9 build: include BUILD_VARIANT in PKG_BUILD_DIR
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.

This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-08-05 23:22:26 +02:00
Hans Dedecker
018395392c ethtool: bump to 5.2
379c096 Release version 5.2.
2bce6d9 ethtool: Add 100BaseT1 and 1000BaseT1 link modes
67ffbf5 ethtool: sync ethtool-copy.h with linux-next from 30/05/2019
687152b ethtool.spec: Use standard file location macros

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 21:04:44 +02:00
Hans Dedecker
efb7b7a12a firewall: update to latest git HEAD
de94097 utils: coverity resource leak warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 14:18:27 +02:00
DENG Qingfang
edd9b39fab ipset: update to 7.3
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-05 09:42:09 +02:00
Kevin Darbyshire-Bryant
fc5d46dc62 Revert "dnsmasq: backport latest patches"
This reverts commit e9eec39aac.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:52 +01:00
Kevin Darbyshire-Bryant
a275466729 Revert "dnsmasq: improve insecure DS warning"
This reverts commit cd91f2327f.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:45 +01:00
Kevin Darbyshire-Bryant
4bc02a421f iptables: fix connmark savedscp build
Add <strings.h> for ffs() definition.

Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-29 20:23:13 +01:00
Kevin Darbyshire-Bryant
cd91f2327f dnsmasq: improve insecure DS warning
Log the failing domain in the insecure DS warning.

Patch has been sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:29:08 +01:00
Kevin Darbyshire-Bryant
e9eec39aac dnsmasq: backport latest patches
Backport upstream patches pre 2.81rc for testing purposes.

Let's see what falls out!

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:23:46 +01:00
Kevin Darbyshire-Bryant
1aad1d17ed iptables: add connmark savedscp support
iptables: connmark - add savedscp option

Naive user space front end to xt_connmark 'savedscp' option.

e.g.

iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000

Will save DSCP into the top 6 bits and OR 0x01 (ie set) the least
significant bit of most significant byte.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 10:18:23 +01:00
Hans Dedecker
11617bcb3b netifd: update to latest git HEAD
899f168 system-linux: Coverity fixes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-22 21:48:34 +02:00