Let DHCP client send a release when it exists so the DHCP server is
informed the IP address is released and allowing to clean up IP/mac
state info in intermediate devices.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update to latest HEAD in order to remove the faulty "prelocal" ip rule leading
to unexpected policy rule precedence.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 49252
Fixes build with /bin/sh pointing to certain versions of dash (for example
on Void Linux).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 49218
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49187
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require. From the documentation:
anonymous_identity: Anonymous identity string for EAP (to be used as the
unencrypted identity with EAP types that support different tunnelled
identity, e.g., EAP-TTLS).
This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49181
Silence warning "daemon.notice netifd: wan6 (1139): sh: write error: Invalid argument"
when an invalid MTU is received via RA as kernel refuses to accept IPv6 mtu values
which are smaller than 1280 and bigger than the device mtu.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
git-svn-id: svn+ssh://svn.openwrt.org/openwrt/trunk@49054 3c298f89-4303-0410-b956-a3cf2f4a3e73
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 48969
I do not know if this causes any problems now, but we should not set
it, because it is reserved. Some more recent versions of the Lantiq DSL
API driver and Control is checking if only valid bits are set.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48948
There are some cases where ISPs are running ATM over VDSL or PTM over
ADSL, this is not the common case, but these cases exist. Make it
possible to configure OpenWrt for such cases by adding a new config
option line_mode.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48947
The detailed annex option were only available in the danube DSL app
including the activation of G.992.2 Annex A (ADSL Lite). This is now
also added to the vdsl app for the vrx200.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48946
The adsl control app missed the activation of annex M and annex L in
the Annex A part, this now activates everything the firmware supports.
In Annex L type only the wide US (Mask1) was activated, now also the
narrow US (Mask2) version gets activated.
In addition annex J was also added.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48945
I am not calling dsl_cmd because I want to ignore the lock, quit
should also be send when someone else is accessing it. I saw that some
other call was stuck here and all following calls were stuck in the
dsl_cmd lock.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48943
Ensure that ikey and okey are sent in network byte order to the kernel.
Also don't mangle external IP addrs and routes when reconfiguring iinterfaces.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48919
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite
Default lease time is used for all hosts for which there is
no host-specific definition.
The option is added to /etc/config/dhcp for the selected hosts:
config host
option name 'Nexus'
option mac 'd8:50:66:55:59:7c'
option ip '192.168.1.245'
option leasetime '2h'
It gets appended to /var/etc/dnsmasq.conf like this:
dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 48801
Before r47933 Bit 1 (first bit) of xTSE Octet 1 (first octet) defaulted
to 1, which allowed T1.413 to operate.
Signed-off-by: Jonathan A. Kollasch <jakllsch@kollasch.net>
SVN-Revision: 48763
iptables is the only exception in the package tree, causing patch
behaviour to be inconsistent on this package.
Signed-off-by: Rick van der Zwet <rick.vanderzwet@anywi.com>
SVN-Revision: 48643
Supported syntax is inspired by ethtool. Example usages:
swconfig dev switch0 port 2 set link "duplex half speed 100"
swconfig dev switch0 port 2 set link "autoneg on"
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 48624
This fixes the following security problems:
CVE-2016-0754: remote file name path traversal in curl tool for Windows
http://curl.haxx.se/docs/adv_20160127A.html
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use
http://curl.haxx.se/docs/adv_20160127B.html
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48614
UCI paramater multicast is added which allows to toggle multicast support on gre interfaces.
By default multicast support is enabled as gre tunnels are often used in combination with
routing protocols using multicast.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Nick Podolak <nicholas.podolak@dtechlabs.com>
SVN-Revision: 48596
* Enable drop_invalid by default to catch unnatted packets (#21738)
* Fix processing of inversions for -i, -o, -s, -d and -p flags
* Remove delegate_* chain indirection but rely on xt_id to identify own rules
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48551
Commit 6a7e56b adds support for adding local hostname for own lan ula adress
but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1)
causing dnsmasq not to start up.
Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the
UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48495
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48494
Update to upstream Git HEAD to include VHT rate support and a number of
coverity scan fixes.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48487
This adds IPv6 support to qos-scripts for both tc/qdisc and the
iptables classification rules. The tc/qdisc part is accomplished
by removing "protocol ip" from the tc command line, causing the
rule to be applied to all protocols. The iptables part is
accomplished by adding each rule using both iptables and ip6tables.
This patch is based on previous work by Ilkka Ollakka and
Dominique Martinet.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48452
This adds a "srciface" option that can be used on classification
rules in /etc/config/qos. This is useful to allow prioritization
based on the local network from which the traffic originates, for
example to deprioritize traffic from a guest network.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48446
Set the save-mark mask for the qos_${cg} chain to 0xff instead of
0xf0. With the old value, the nibble that was saved would be
masked during the restore, preventing ingress traffic from being
classified. Thanks to nbd for recommending the fix.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48388
The auth change appears to break the endpoint update for most users and with
my local tests the old update url works just fine.
This reverts commit 99c03a88cb6fed0519efdfaac305794653a12542.
SVN-Revision: 48384
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48345
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
This was generating a conffiles list that included the binary
and CONTROL/ files.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
SVN-Revision: 48296
This adds support for configuring VTI interfaces within /etc/config/network.
VTI interfaces are used to create IPsec tunnel interfaces. These interfaces
may be used for routing and other purposes.
Example config:
config interface 'vti1'
option proto 'vti'
option mtu '1500'
option tunlink 'wan'
option peeraddr '192.168.5.16'
option zone 'VPN'
option ikey 2
option okey 2
config interface 'vti1_static'
option proto 'static'
option ifname '@vti1'
option ipaddr '192.168.7.2/24'
The options ikey and okey correspond to the fwmark value of a ipsec policy.
The may be null if you do not want fwmarks.
Also peeraddr may be 0.0.0 if you want all ESP packets go through the
interface.
Example strongswan config:
conn vti
left=%any
leftcert=peer2.test.der
leftid=@peer2.test
right=192.168.5.16
rightid=@peer3.test
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
mark=2
auto=route
Signed-off-by: André Valentin <avalentin@marcant.net>
SVN-Revision: 48274
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48244
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.
Signed-off-by: Jan Čermák <jan.cermak@nic.cz>
SVN-Revision: 48133
Source package gre was depending on kmod-ip6-gre, however the actual
kernel module package that is created is kmod-gre6. Therefore
update (source) package gre for ipv6 gre support.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 48100
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
iproute2-4.0 had connmark support added by nbd. This does not work
with 4.x kernels. iproute2-4.3 is the latest version and has his
changes mainlined. This patch updates the package to iproute2-4.3
and fixes the patches so that it compiles. This should resolve
ticket #21374.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
SVN-Revision: 48098
Add back a slightly modified version of the lowlevel settings which
where removed with r46920.
In compare to the old lowlevel settings, the B43c tone is added to
tone_adsl_b and tone_adsl_bv.
If an unsupported tone value is used, the auto probing mode is used, in
compare to the fallback to tone_adsl_av and tone_vdsl_av with the old
lowlevel settings.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48054
According to ITU-T G.997.1 Amendment 2 (04/2013) section 2.1, bit 3 of
XTSE octet 8 either allow or denies the initialization of G.993.5.
Even if the current redistributable xDSL firmware doesn't include
G.993.5 vectoring support, enable this bit by default to allow people to
get their G.993.5 line working using a custom xDSL firmware.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48053
r47933 revealed that the driver/app in combination with the chosen
firmware does a good job in selecting a working xtse.
Use this probing mode if no annex is specified.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48052
This patch adds the missing VDSL2 bits to the annex specific XTSE (like
it should be according to the comments above the XTSE bits).
Since r47933 it's mandatory to remove the annex option to switch to
VDSL2 (only) operation mode.
As shown by ticket #21436 and a few mails I received personally, even
experienced users are not aware that they have to remove the annex
option to get their VDSL2 line working and as shown by this patch it
doesn't need to be that "complicated".
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 48051
MD5SUM is wrong, it was not updated during last update to v1.4.1.
Thanks to Daniel Dickinson <openwrt@daniel.thecshore.com> for reporting it.
Signed-off-by: Nicolas Thill <nico@openwrt.org>
SVN-Revision: 48017
Changed the tunnel update URL into format tunnelbrokers
example has, that made it work again. Current method gives "Username/Password
Authentication Failed." when I tried the wget line manually and logread
eventually says also "6in4: update failed". With corrected URL it works fine:
"good 111.222.333.444" or "nochg 111.222.333.444" and logread concurs with
success, and tunnel actually updates.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 48006
When using cli, print link state the same way kernel used to do it.
This will allow kernel switching PORT_LINK from SWITCH_TYPE_STRING.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47998
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47976
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 47974
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 47953
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47928
- 1.4.x has IPv6 support
- set C std explicitly due to gcc 5 changes/old code style of dante
- disable pam via configure vars since detection of without pam option
is broken (-lpam gets linked in if available)
- remove and refresh patches
only compile tested
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 47926
- CONFIG_IFX_CLI is unused, couldn't find any reference to this config variable
- use disable-feature instead of enable-feature=no
- reorder configure args to have depending args together
- remove configure args which set the default value
- group enable-model and configure args which enable or disable features that
are covered by the feature set
The config.log contains the same values as before. The vdsl_cpe_control binary
has the same checksum as before.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 47888
The typicial feature set doesn't include "DSL PM showtime counters support"
(INCLUDE_DSL_CPE_PM_SHOWTIME_COUNTERS). This feature provides the
vdsl_cpe_control command 'pmccsg', which is used by 'dsl_control status' to get
the line uptime.
The binary size increases to 103912 byte (+4256 byte) uncompressed.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 47887
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.
Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>
SVN-Revision: 47857
this error was not visible until recent bump to
busybox 1.24.1 stable which introduced a warning message
when keyword 'local' is not used with a shell-function.
this does not change behavior and is a cosmetic cleanup.
fixes the following output:
root@box:~ ifup <interface>
/sbin/ifup: local: line 362: not in a function
/sbin/ifup: local: line 362: not in a function
/sbin/ifup: local: line 1: not in a function
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 47828
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47786
Support next to the non-HT/HT channel widths like HT20 or NOHT also VHT80
channels during the mesh join
iw dev mesh0 mesh join "meshnet" freq 5180 80MHz
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47782
Fix the id of NL80211_ATTR_WIPHY_ANTENNA_GAIN for antenna_gain command when
using compat-wireless 2015-10-26.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47778
Use the 'typical' compile configuration instead of 'full', which most
notably excludes the soap support.
/sbin/vdsl_cpe_control shrinks down to ~50%, from 178kb(!) to 90kb.
Signed-off-by: Andre Heider <a.heider@gmail.com>
SVN-Revision: 47769
In this upstream dsl driver app version the autoboot is deactivated activate
it again.
In addition to the update this also fixes some build warnings and makes it
use the same configure option as used in Lantiq UGW.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@lantiq.com>
SVN-Revision: 47637
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.
Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47614
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47613
Fixes compilation with Linux 4.3. Runtime tested on Ubiquiti EdgeRouter
Lite with Linux 3.18, 4.1 and 4.3.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 47470
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47439
as conntrack and conntrackd are completely independent programs,
serving a different purpose.
Also split by other distributions, as Debian and Ubuntu.
Signed-off-by: Ulrich Weber <uw@ocedo.com>
SVN-Revision: 47424
default configuration will fill up disk by
writing /var/log/conntrackd-stats.log
Introduced due init script auto start.
Signed-off-by: Ulrich Weber <uw@ocedo.com>
SVN-Revision: 47422
Seems the default one is not working as expected.
The way that reload should work is that the 'start' service
call should return 1 (if lldpd is running) and then a normal
restart would be called.
However, for lldpd a reload would mean just clearing all custom TLVs
(if they're configured) and reloading the configuration.
So, this patch adds a reload hook, which would:
- 'start' lldpd if it's not running (because we return 1 if not running)
- reload configuration if it is running (also previously
clearing custom TLVs if present)
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47367
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
Update iperf3 to point to the correct project website. Prior URL was the
old iperf2 website.
Signed-off-by: Karl Palsson <karlp@remake.is>
SVN-Revision: 47184
The two commits
5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"
and
618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"
broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.
The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.
Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47161
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 47149
Seems the match pattern was being adapted from 'eth0' to ' eth0'
because of the way I added the procd command args.
This did not seem to be a problem when there were multiple interfaces,
just on devices with single interfaces for lldpd to listen on.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47136
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 47134
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47064
There is no RFC requirement that DHCPv6 servers must reply with a link local
address and some ISP servers in the wild appear to using addresses in the ULA
range to send DHCPv6 offers.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47048
Since r46834, IPv6 support is builtin if selected. Therefor, dependencies
on kmod-ipv6 can no longer be fulfilled, since it is not a module anymore.
Signed-off-by: Arjen de Korte <arjen+openwrt@de-korte.org>
SVN-Revision: 47022
Using protocol qmi does not work since qmi.sh is not executable.
Setting option dhcp explicitely to 0 actually enables it.
This patch fixes both problems.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 47014
Our ruleset requires kernel support for conntrack state matching, therfore
depend on the require kmod. Fixes#20542.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46990
This call is no longer supported.
Maybe a come-back for it would be to use a config /etc/lldpd.conf
or /etc/lldpd.d/<some-file>.conf
Signed-off-by: Alexandru Ardelean <aa@ocedo.com>
SVN-Revision: 46966
Thanks to Sylwester Petela for testing my patch (successfully on an
ADSL connection) and for pointing out some configuration mistakes.
Others (including me) have also successfully tested this extensively
on VDSL connections.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
SVN-Revision: 46920
Move the pattern setting from netifd's service script to
/etc/sysctl.conf. Put the timestamp component '%t' just after
executable name '%e' for more natural order from output of ls command.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 46867
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851
By setting the option pdptype to IP, IPV6 or IPV4V6 the user can
choose the context type between IPv4, IPv6 and dual stack,
respectively. The default setting is dual stack, except if option
ipv6=0 is specified, in which case IPv4 context is the default.
This allows for an out-of-the-box IPv6 support with modems
utilizing NCM-like protocols.
While we are at it, also add commands for Sierra DirectIP modems
(currently untested), which will allow us to drop the separate
comgt-directip package (once tested and verified working).
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 46844
Use the new --ip-family option to start both IPv4 and IPv6 sessions
by default. Autoconnect can't be used when starting two sessions,
so revert back to using the client IDs and packet data handles for
handling the network connection.
Some modem firmwares do not implement a RA server, therefore by
default use outband IP configuration and static addressing. Some
other firmwares report bogus IP configuration with the WDS get
current settings command. In this case inband configuration with
DHCP/RA can be optionally enabled by setting option dhcp to 1.
Per 3GPP standard a /64 prefix is served to all clients, which is
extended to LAN as specified in RFC 7278.
v2: Restrict the IPv6 gateway route source address
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 46843
Seems like my second try was again whitespace broken. Sorry for the noise.
Remove src_port from firewall.config to receive dhcpv6 replies. Fixes#20295.
Signed-off-by: Anselm Eberhardt <a.eberhardt@cygnusnetworks.de>
SVN-Revision: 46842
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46802
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.
This fixes#20179
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
SVN-Revision: 46737
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add /etc/samba/smbpasswd to list of samba conffiles
thus preserving samba passwords across sysupgrade
by default.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 46606
Fixes a 100% cpu usage issue if using dhcp-script.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46550
Better synchronize RA & DHCPv6 events
Accumulate some events to avoid flooding
Restart softwires for address and prefix changes
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46518
otherwise it's not picked up by toolchain:
staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_musl-1.1.10/lib/gcc/mipsel-openwrt-linux-musl/4.8.3/../../../../mipsel-openwrt-linux-musl/bin/ld: cannot find -lsw
Signed-off-by: Roman Yeryomin <roman@advem.lv>
SVN-Revision: 46406
Also drop the configure (not .ac) patch part as autoreconf will
overwrite it anyway with a newly generated version.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Acked-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46385
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
odhcpd now sends unsolicited RAs also via unicast to known link-local
neighbors. This is an attempt to work-around common smartphone issues
https://code.google.com/p/android/issues/detail?id=32662
Also NDP-relay should now work more reliably now
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46357
The musl build "fix" introduced in r45108 removed all netinet/ether.h
includes, which made the prototypes of ether_aton and ether_ntoa
unavailable. As a result, the compiler assumed they return int instead
of a pointer. This currupted the pointer on 64bit targets, causing ebtables
to segfault in commands containing MAC addresses.
Since r46161 made it possible to include both the kernel and the libc
if_ether.h as long as the libc version is included first, this patch
changes the fix to remove the linux/if_ether.h from the ebtables source
(so the fixed version from the kernel is used) and ensures netinet/ether.h
is included early.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46292
When enabled the dnsmasq DHCP server allocates the IP addresses sequentially
starting from the lowest available IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 46211
This brings curl to version 7.43.0 and contains fixes for the following
security vulnerabilities:
CVE-2015-3236: lingering HTTP credentials in connection re-use
http://curl.haxx.se/docs/adv_20150617A.html
CVE-2015-3237: SMB send off unrelated memory contents
http://curl.haxx.se/docs/adv_20150617B.html
The 100-check_long_long patch is not needed any more, because the
upstream autoconf script already checks for long long when cyassl is
selected.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46169
This is for security precautions. As persist_tun and persist_key are
already there, this should not cause compatibility issue.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 45961
- fix iconv detection because it adds host paths
- disable python detection (host python-config is found)
iconv issue is reported by buildbot config.log + replicated locally
see config.log in logs.tar.gz
python issue observed locally on Arch Linux
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 45953
Adds PPP unnumbered support via the parameter unnumbered which points to a logical OpenWRT interface.
The PPP proto shell handler will "borrow" an IP address from the unnumbered interface (if multiple
IP addresses are present the longest prefix different from 32 will be "borrowed") for which a host
interface dependency will be created. Due to the host interface dependency the PPP unnumbered interface
will only "borrow" an IP address from an interface which is up.
The borrowed IP address will be shared as local IP address by the PPP daemon and no other local IP
will be accepted from the peer in the IPCP negotiation.
A typical use case is the usage of a public IP subnet on the Lan interface which will be shared
by the PPP interface as local IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45948
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45940
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45939
This prevents auto-detection of libxml2 and thus the error:
Package lldpd is missing dependencies for the following libraries:
libxml2.so.2
Preventing a dependency to libxml2 is preferred, since libxml2
would be a out-of-(core-)tree dependency.
Reported-by: Buildbot
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 45859
* Rework hostapd and wpa_supplicant status parsing code
* Add support for querying available HT rates
* Relax definition of restricted channels
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45766
Use shared libipt{,4,6}ext.so libraries instead of statically linking
the userspace matches into the fw3 executable.
As a side effect the match initialization is extremely simplified
compared to the weak function pointer juggling performed before.
This also fixes the initialization of the multiport match.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45764
* drop unused lenient restore patch
* instead of statically linking core extensions, build shared libraries
for reuse in fw3
* strip outdated match revisions and aliases to trim down library size
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45758
If the first resolveip call will fail, peeraddr will be now empty, and
the subsequent resolveip call will try to resolve an empty string.
Fix this by storing the result in a temporary variable.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 45712
Bump dnsmasq to v2.73rc8
Important - fixes remotely exploitable buffer overflow introduced in all v2.73 test/release candidates.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 45693
hand over parameters to user-script e.g. $1=deconfig
Signed-off-by: Leon George <leon@georgemail.de>
Signed-off-by: Christian Mehlis <christian@m3hlis.de>
SVN-Revision: 45626
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.
RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 45613
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.
The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.
Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.
References:
* https://dev.openwrt.org/ticket/19101
* https://community.openvpn.net/openvpn/ticket/524
* https://github.com/ARMmbed/mbedtls/pull/185
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45602
The most significant change from the previous version is the trimming of
the 300-ip_tiny.patch to lib/utils.c where a section previously patched
had vanished. That section of the patch was removed.
Built and lightly tested on ar71xx against uClibc and musl.
Signed-off-by: Russell Senior <russell@personaltelco.net>
SVN-Revision: 45512
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh
The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.
Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.
root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf
/var/run/hostapd:
wlan0 wlan1
The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/
The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
[-G<ping interval>] [command..]
...
-p<path> path to find control sockets (default: /var/run/hostapd)
...
-i<ifname> Interface to listen on (default: first interface found in the
socket path)
Below is a run with the default script and with my proposed solution.
Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
for dir in /var/run/hostapd*; do
[ -d "$dir" ] || continue
logger "WPS activated for: $dir"
hostapd_cli -p "$dir" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd
wlan0 got WPS activated, while wlan1 remained inactive.
I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.
Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
cd /var/run/hostapd
for dir in *; do
[ -S "$socket" ] || continue
logger "WPS activated for: $socket"
hostapd_cli -i "$socket" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1
Both radios got their WPS activated properly.
I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.
The modified script has been in a slightly different format in my community
build since r42420 in September 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45492