Minor cleanup and code reorganization, along with a change to not disable
offload anymore when a tkip or sw crypto key is added
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* compat: backport kfree_sensitive and switch to it
* netlink: consistently use NLA_POLICY_EXACT_LEN()
* netlink: consistently use NLA_POLICY_MIN_LEN()
* compat: backport NLA policy macros
Backports from upstream changes.
* peerlookup: take lock before checking hash in replace operation
A fix for a race condition caught by syzkaller.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
3d9bd73 utils: fix check_pid_path to work with deleted file as well
330f403 vlan: initialize device ifname earlier at creation time
c057e71 device: do not check state from within device_init
cb0c07b system-dummy: fix resolving ifindex
ccd9ddc bridge: add support for turning on vlan_filtering
82bcb64 bridge: add support for adding vlans to a bridge
0e8cea0 bridge: add support for VLAN filtering
6086b63 config: enable bridge vlan filtering by default for bridges that define VLANs
ac0710b device: look up full device name before traversing vlan chain
e32e21e bridge: flush vlan list on bridge free
645ceed interface-ip: clear host bits of the device prefix
d7b614a netifd-wireless: parse 'osen' encryption
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The Ed25519 key pairs are much shorter than RSA pairs and are supported
by default in OpenSSH. Looking at websites explaining how to create new
SSH keys, many suggest using Ed25519 rather than RSA, however consider
the former as not yet widely established. OpenWrt likely has a positive
influence on that development.
As enabling Ed25519 is a compile time option, it is currently not
possible to install the feature via `opkg` nor select that option in an
ImageBuilder.
Due to the size impact of **12kB** the option should only be enabled for
devices with `!SMALL_FLASH`.
This approach seems cleaner than splitting `dropbear` into two packages
like `dropbear` and `dropbear-ed25519`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
When the libmagic from the file package in the packages feed was also
compiled and provided its libmagic.so file, util-linux tried to link
against it. Avoid this by explicitly disable libmagic support.
This fixes the following build error:
Package more is missing dependencies for the following libraries:
libmagic.so.1
Fixes: 36d9ed360a ("util-linux: update to 2.36")
Acked-by: Sebastian Kemper <sebastian_ml@gmx.net>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[Add commit description]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This also sets the ABI_VERSION as this is a versioned shared library.
The ipk sizes for mips_24Kc change like this:
old:
jansson_2.12-1_mips_24kc.ipk 18.692
new:
jansson4_2.13.1-1_mips_24kc.ipk 19.171
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Discussion on the mailing list reveals that this target has active
users. As we are finally able to upgrade this target to kernel 5.4,
add it back to master.
This reverts commit 7d29a55714 ("ath25: drop target") and
immediately moves the relevant files to 5.4, without touching
the content.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The LED's "label" property has been deprecated in upstream by:
|commit c5d18dd6b64e09dd6984bda9bdd55160af537a8c
|Author: Jacek Anaszewski <jacek.anaszewski@gmail.com>
|Date: Sun Jun 9 20:19:04 2019 +0200
|
| dt-bindings: leds: Add properties for LED name construction
|
| Introduce dedicated properties for conveying information about
| LED function and color. Mark old "label" property as deprecated.
|
| Additionally function-enumerator property is being provided
| for the cases when neither function nor color can be used
| for LED differentiation.
in order to be somewhat prepared, this patch adds a fallback
as a last resort to make the current led code work by falling
back to the node-name as the "label".
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
af30be0 Fix setting prefix for IPv6 link-local addresss
0314df4 Disable asking password again when prompt program returns 128
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The HooToo HT-TM05 is a battery powered router, with an Ethernet and USB port.
Vendor U-Boot limited to 1.5 MB kernel size, so use lzma loader (loader-okli).
Specifications:
SOC: MediaTek MT7620N
BATTERY: 10400mAh
WLAN: 802.11bgn
LAN: 1x 10/100 Mbps Ethernet
USB: 1x USB 2.0 (Type-A)
RAM: 64 MB
FLASH: GigaDevice GD25Q64, Serial 8 MB Flash, clocked at 50 MHz
Flash itself specified to 80 MHz, but speed limited by mt7620 SPI
fast-read enabled (m25p)
LED: Status LED (blue after boot, green with WiFi traffic
4 leds to indicate power level of the battery (unable to control)
INPUT: Power, reset button
MAC assignment based on vendor firmware:
2.4 GHz *:b4 (factory 0x04)
LAN/label *:b4 (factory 0x28)
WAN *:b5 (factory 0x2e)
Tested and working:
- Ethernet
- 2.4 GHz WiFi (Correct MAC-address)
- Installation from TFTP (recovery)
- OpenWRT sysupgrade (Preserving and non-preserving), through the usual
ways: command line and LuCI
- LEDs (except as noted above)
- Button (reset)
- I2C, which is needed for reading battery charge status and level
- U-Boot environment / variables (from U-Boot, and OpenWrt)
Installation:
- Download the needed OpenWrt install files, place them in the root
of a clean TFTP server running on your computer. Rename the files as,
- ramips-mt7620-hootoo_tm05-squashfs-kernel.bin => kernel
- ramips-mt7620-hootoo_tm05-squashfs-rootfs.bin => rootfs
- Plug the router into your computer via Ethernet
- Set your computer to use 10.10.10.254 as its IP address
- With your router shut down, hold down the power button until the first
white LED lights up.
- Push and hold the reset button and release the power button. Continue
holding the reset button for 30 seconds or until it begins searching
for files on your TFTP server, whichever comes first.
- The router (10.10.10.128) will look for your computer at 10.10.10.254
and install the two files. Once it has finished installation, it will
automatically reboot and start up OpenWrt.
- Set your computer to use DHCP for its IP address
Notes:
- U-Boot environment can be modified, u-boot-env is preserved on initial
install or sysupgrade
- mtd-concat functionality is included, to leave a "hole" for u-boot-env,
combining the OEM kernel and rootfs partitions
I would like to thank @mpratt14 and @xabolcs for their help getting the
lzma loader to work!
Signed-off-by: Russell Morris <rmorris@rkmorris.us>
[drop changes in image/Makefile, fix indent and PKG_RELEASE in
uboot-envtools, fix LOADER_FLASH_OFFS, minor commit message facelift,
add COMPILE to Device/Default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This removes switches dependent on kernel version 4.14 as well as
several packages/modules selected only for that version.
This also removes sched-cake-virtual, which is not required anymore
now that we have only one variant of cake.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This target is still on kernel 4.14, and no attempt has been made to
update it to a newer kernel. Since we already are two LTS versions ahead
of that the target is dropped, as the chance of somebody bumping it will
only decrease with time.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This target still only works with kernel 4.14, and not so recent
attempts of getting newer kernel versions supported did not lead
to success. Therefore, drop the target, as we are already two
LTS kernel versions ahead and it does not seem like anybody will
pick up the work.
Patchwork series:
https://patchwork.ozlabs.org/project/openwrt/list/?series=169991&state=*
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.
* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Fix typo in comment.
Signed-off-by: Walter Sonius <walterav1984@gmail.com>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Drop init script from libaudit package. It will be added to the
'audit' package in the packages feed.
Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The key folder is used by `opkg` and `usign` to store and retrieve
trusted public keys. Using `opkg-key` outside a running device is
unfeasible as the key folder is hard coded to `/etc/opkg/keys`.
This commit adds a variable OPKG_KEYS which defaults to `/etc/opkg/keys`
if unset, however allows set arbitrary key folder locations.
Arbitrary key folder locations are useful to add signature verification
to the ImageBuilders.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Deactivate multiple personalities support, because this causes compile
problems at least on the x86/64 target. As OpenWrt compiles all
binaries itself all binaries will use the native personality which is
also used by strace. This change will make it impossible to debug i386
binaries on x86_64 OpenWrt targets for example.
Just deactivate it for ARM64 too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
hwclock was fixed to work with musl.
Unfortunately, the fix breaks under musl 1.2.x. Backported patch to fix
that.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to upstream tarballs.
Switched to libcxxabi as using libsupc++ is quite wonky.
Fixed description.
Removed patches. The fixes are cosmetic.
Added ssp patch. This one is needed for i386 and powerpc under musl.
Compile tested every C++ package in the tree with the exception of
several boost packages. There's something broken with boost.
Ran tested with gerbera.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This will be used for libcxx.
libcxxabi is needed as libsupc++ is not good enough for libcxx. It uses
GCC specific stuff which causes failed compilation for some packages.
There are also runtime issues, most notably with cxxopts where the
program just crashes.
Reference: https://github.com/gerbera/gerbera/issues/795
Added patch to fix ARM compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Static libraries and headers of libselinux and libsepol are required
for checkpolicy to build.
Fixes error:
policy_parse.y:45:10: fatal error: sepol/policydb/expand.h: No such file or directory
#include <sepol/policydb/expand.h>
^~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes build error:
load_policy.c:11:10: fatal error: libintl.h: No such file or directory
#include <libintl.h> /* for gettext() */
^~~~~~~~~~~
compilation terminated.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
FCC ID: U2M-ENH200
Engenius ENH202 is an outdoor wireless access point with 2 10/100 ports,
built-in ethernet switch, internal antenna plates and proprietery PoE.
Specification:
- Qualcomm/Atheros AR7240 rev 2
- 40 MHz reference clock
- 8 MB FLASH ST25P64V6P (aka ST M25P64)
- 32 MB RAM
- UART at J3 (populated)
- 2x 10/100 Mbps Ethernet (built-in switch at gmac1)
- 2.4 GHz, 2x2, 29dBm (Atheros AR9280 rev 2)
- internal antenna plates (10 dbi, semi-directional)
- 5 LEDs, 1 button (LAN, WAN, RSSI) (Reset)
Known Issues:
- Sysupgrade from ar71xx no longer possible
- Power LED not controllable, or unknown gpio
MAC addresses:
eth0/eth1 *:11 art 0x0/0x6
wlan *:10 art 0x120c
The device label lists both addresses, WLAN MAC and ETH MAC,
in that order.
Since 0x0 and 0x6 have the same content, it cannot be
determined which is eth0 and eth1, so we chose 0x0 for both.
Installation:
2 ways to flash factory.bin from OEM:
- Connect ethernet directly to board (the non POE port)
this is LAN for all images
- if you get Failsafe Mode from failed flash:
only use it to flash Original firmware from Engenius
or risk kernel loop or halt which requires serial cable
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
In upper right select Reset
"Restore to factory default settings"
Wait for reboot and login again
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt boot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9f670000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
Return to OEM:
If you have a serial cable, see Serial Failsafe instructions
*DISCLAIMER*
The Failsafe image is unique to Engenius boards.
If the failsafe image is missing or damaged this will not work
DO NOT downgrade to ar71xx this way, can cause kernel loop or halt
The easiest way to return to the OEM software is the Failsafe image
If you dont have a serial cable, you can ssh into openwrt and run
`mtd -r erase fakeroot`
Wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
Format of OEM firmware image:
The OEM software of ENH202 is a heavily modified version
of Openwrt Kamikaze bleeding-edge. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-senao-enh202-uImage-lzma.bin
openwrt-senao-enh202-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring, and by swapping headers to see
what the OEM upgrade utility accepts and rejects.
OKLI kernel loader is required because the OEM firmware
expects the kernel to be no greater than 1024k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on built-in switch:
ENH202 is originally configured to be an access point,
but with two ethernet ports, both WAN and LAN is possible.
the POE port is gmac0 which is preferred to be
the port for WAN because it gives link status
where swconfig does not.
Signed-off-by: Michael Pratt <mpratt51@gmail.com>
[assign label_mac in 02_network, use ucidef_set_interface_wan,
use common device definition, some reordering]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Engenius ENS202EXT v1 is an outdoor wireless access point with 2 10/100 ports,
with built-in ethernet switch, detachable antennas and proprietery PoE.
FCC ID: A8J-ENS202
Specification:
- Qualcomm/Atheros AR9341 v1
- 535/400/200/40 MHz (CPU/DDR/AHB/REF)
- 64 MB of RAM
- 16 MB of FLASH MX25L12835F(MI-10G)
- UART (J1) header on PCB (unpopulated)
- 2x 10/100 Mbps Ethernet (built-in switch Atheros AR8229)
- 2.4 GHz, up to 27dBm (Atheros AR9340)
- 2x external, detachable antennas
- 7x LED (5 programmable in ath79), 1x GPIO button (Reset)
Known Issues:
- Sysupgrade from ar71xx no longer possible
- Ethernet LEDs stay on solid when connected, not programmable
MAC addresses:
eth0/eth1 *:7b art 0x0/0x6
wlan *:7a art 0x1002
The device label lists both addresses, WLAN MAC and ETH MAC,
in that order.
Since 0x0 and 0x6 have the same content, it cannot be
determined which is eth0 and eth1, so we chose 0x0 for both.
Installation:
2 ways to flash factory.bin from OEM:
- Connect ethernet directly to board (the non POE port)
this is LAN for all images
- if you get Failsafe Mode from failed flash:
only use it to flash Original firmware from Engenius
or risk kernel loop which requires serial cable
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
In upper right select Reset
"Restore to factory default settings"
Wait for reboot and login again
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt boot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fdf0000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
*If you are unable to get network/LuCI after flashing*
You must perform another factory reset:
After waiting 3 minutes or when Power LED stop blinking:
Hold Reset button for 15 seconds while powered on
or until Power LED blinks very fast
release and wait 2 minutes
Return to OEM:
If you have a serial cable, see Serial Failsafe instructions
*DISCLAIMER*
The Failsafe image is unique to this model.
The following directions are unique to this model.
DO NOT downgrade to ar71xx this way, can cause kernel loop
The easiest way to return to the OEM software is the Failsafe image
If you dont have a serial cable, you can ssh into openwrt and run
`mtd -r erase fakeroot`
Wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
TFTP Recovery:
For some reason, TFTP is not reliable on this board.
Takes many attempts, many timeouts before it fully transfers.
Starting with an initramfs.bin:
Connect to ethernet
set IP address and TFTP server to 192.168.1.101
set up infinite ping to 192.168.1.1
rename the initramfs.bin to "vmlinux-art-ramdisk" and host on TFTP server
disconnect power to the board
hold reset button while powering on board for 8 seconds
Wait a minute, power LED should blink eventually if successful
and a minute after that the pings should get replies
You have now loaded a temporary Openwrt with default settings temporarily.
You can use that image to sysupgrade another image to overwrite flash.
Format of OEM firmware image:
The OEM software of ENS202EXT is a heavily modified version
of Openwrt Kamikaze bleeding-edge. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-senao-ens202ext-uImage-lzma.bin
openwrt-senao-ens202ext-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring, and by swapping headers to see
what the OEM upgrade utility accepts and rejects.
Note on the factory.bin:
The newest kernel is too large to be in the kernel partition
the new ath79 kernel is beyond 1592k
Even ath79-tiny is 1580k
Checksum fails at boot because the bootloader (modified uboot)
expects kernel to be 1536k. If the kernel is larger, it gets
overwritten when rootfs is flashed, causing a broken image.
The mtdparts variable is part of the build and saving a new
uboot environment will not persist after flashing.
OEM version might interact with uboot or with the custom
OEM partition at 0x9f050000.
Failed checksums at boot cause failsafe image to launch,
allowing any image to be flashed again.
HOWEVER: one should not install older Openwrt from failsafe
because it can cause rootfs to be unmountable,
causing kernel loop after successful checksum.
The only way to rescue after that is with a serial cable.
For these reasons, a fake kernel (OKLI kernel loader)
and fake squashfs rootfs is implemented to take care of
the OEM firmware image verification and checksums at boot.
The OEM only verifies the checksum of the first image
of each partition respectively, which is the loader
and the fake squashfs. This completely frees
the "firmware" partition from all checks.
virtual_flash is implemented to make use of the wasted space.
this leaves only 2 erase blocks actually wasted.
The loader and fakeroot partitions must remain intact, otherwise
the next boot will fail, redirecting to the Failsafe image.
Because the partition table required is so different
than the OEM partition table and ar71xx partition table,
sysupgrades are not possible until one switches to ath79 kernel.
Note on sysupgrade.tgz:
To make things even more complicated, another change is needed to
fix an issue where network does not work after flashing from either
OEM software or Failsafe image, which implants the OEM (Openwrt Kamikaze)
configuration into the jffs2 /overlay when writing rootfs from factory.bin.
The upgrade script has this:
mtd -j "/tmp/_sys/sysupgrade.tgz" write "${rootfs}" "rootfs"
However, it also accepts scripts before and after:
before_local="/etc/before-upgradelocal.sh"
after_local="/etc/after-upgradelocal.sh"
before="before-upgrade.sh"
after="after-upgrade.sh"
Thus, we can solve the issue by making the .tgz an empty file
by making a before-upgrade.sh in the factory.bin
Note on built-in switch:
There is two ports on the board, POE through the power supply brick,
the other is on the board. For whatever reason, in the ar71xx target,
both ports were on the built-in switch on eth1. In order to make use
of a port for WAN or a different LAN, one has to set up VLANs.
In ath79, eth0 and eth1 is defined in the DTS so that the
built-in switch is seen as eth0, but only for 1 port
the other port is on eth1 without a built-in switch.
eth0: switch0
CPU is port 0
board port is port 1
eth1: POE port on the power brick
Since there is two physical ports,
it can be configured as a full router,
with LAN for both wired and wireless.
According to the Datasheet, the port that is not on the switch
is connected to gmac0. It is preferred that gmac0 is chosen as WAN
over a port on an internal switch, so that link status can pass
to the kernel immediately which is more important for WAN connections.
Signed-off-by: Michael Pratt <mpratt51@gmail.com>
[apply sorting in 01_leds, make factory recipe more generic, create common
device node, move label-mac to 02_network, add MAC addresses to commit
message, remove kmod-leds-gpio, use gzip directly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[removed python part for inclusion in core]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[fix build with GCC 10 and disable MIPS16 as build emits sync instruction]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Add support for building bpftool and libbpf from the latest 5.8.3 kernel
sources, ensuring up-to-date functionality and fixes. Both are written to
be backwards compatible, which simplfies build and usage across different
OpenWRT image kernels.
'bpftool' is the primary userspace tool widely used for introspection and
manipulation of eBPF programs and maps. Two variants are built: a 'full'
version which supports object disassembly and depends on libbfd/libopcodes
(total ~500KB); and a 'minimal' version without disassembly functions and
dependencies. The default 'minimal' variant is otherwise fully functional,
and both are compiled using LTO for further (~30KB) size reductions.
'libbpf' provides shared/static libraries and dev files needed for building
userspace programs that perform eBPF interaction.
Several cross-compilation and build-failure problems are addressed by new
patches and ones backported from farther upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The variable VERSION_REPO is used by opkg to download package(list)s.
Now that the default installation support encrypted HTTP opkg should
make use of it.
Suggested-by: Petr Štetiar <ynezz@true.cz>
Suggested-by: Baptiste Jonglez <baptiste@bitsofnetworks.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
Acked-by: Baptiste Jonglez <baptiste@bitsofnetworks.org>
Instead of using http and https for source downloads from
downloads.openwrt.org, always use https for it's better security.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The usage of granular `SOURCE_DATE_EPOCH` for packages is an
incrementing integer which could be useful for downstream tooling,
therefore add it to the packages manifest.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Instead of using INSTALL_SUID use the more flexible PKG_FILE_MODES
variable withn the Makefile to set the SUID bit.
Signed-off-by: Paul Spooren <mail@aparcar.org>
4318ab1 opkg: allow to configure the path to the signature verification script
cf44c2f libopkg: fix compiler warning
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Two versions of `px5g` exists without sharing code. For clarification
rename the previously existing MbedTLS based version to `px5g-mbedtls`
to exists next to `px5g-wolfssl`.
Rename code file of MbedTLS from `px5g.c` to `px5g-mbedtls.c`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This package creates certificates and private keys, just like `px5g`
does. Hower it uses WolfSSL rather than MbedTLS.
Signed-off-by: Paul Spooren <mail@aparcar.org>
As the package curl has been moved to packages.git and only libcurl
depends on libnghttps move it as well to packages.git.
This is based on the Hamburg 2019 decision that non essential packages
should move outside base.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 2.20200229, adjust Makefile, and move to openwrt.git]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1, make use of Python 3, and move to openwrt.git]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1, make use of Python 3, use ALTERNATIVES, and move to openwrt.git]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
This target has been mostly replaced by ath79 and won't be included
in the upcoming release anymore. Finally put it to rest.
This also removes all references in packages, tools, etc. as well as
the uboot-ar71xx and vsc73x5-ucode packages.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In a multi-wan setup, netifd may need guidance on which wan device to
use to create the route to the remote peer.
This commit adds a 'tunlink' option similar to other tunneling interfaces
such as 6in4, 6rd, gre, etc.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
curl is replaced by uclient-fetch within the OpenWrt build system and we
can therefore move curl to packages.git. This is based on the Hamburg
2019 decision that non essential packages should move outside base.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This fixes the following compile errors after the wolfssl 4.5.0 update:
LD wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
type = GEN_EMAIL;
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
type = GEN_DNS;
^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
type = GEN_URI;
^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
if (gen->type != GEN_EMAIL &&
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
gen->type != GEN_DNS &&
^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
gen->type != GEN_URI)
^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed
Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The release notes says this:
As already said, the changes since 2.1.1 are primarily bug fixes, addressing
compiler warnings and issues reported by diagnostic tools, but also build
failures for some configurations.
https://lists.infradead.org/pipermail/linux-mtd/2020-July/081299.html
The size of the ubi-utils ipk increases on mips BE by 0.2%
old:
ubi-utils_2.1.1-1_mips_24kc.ipk: 70992
new:
ubi-utils_2.1.2-1_mips_24kc.ipk: 71109
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
channel attacks are present.
* Leak of private key in the case that PEM format private keys are
bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
processed and returned to the application.
Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/
Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255
The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.
checking size of time_t... configure: error: cannot determine a size for time_t
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This introduces the vendor_model scheme to this target in order to
harmonize device names within the target and with the rest of
OpenWrt. In addition, custom board names are dropped in favor
of the generic script which takes the compatible.
Use the SUPPORTED_DEVICES variable to store the compatible where it
deviates from the device name, so we can use it in build recipes.
While at it, harmonize a few indents as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).
Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
93e2334 exfat: fix build error on linux-5.4,5.5 kernel
01a7b8c exfat: fix name_hash computation on big endian systems
8f92bc0 exfat: fix wrong size update of stream entry by typo
Removed commented material that was for testing compilation.
Removed patch as the error was fixed upstream. First entry above.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The driver currently only support managed and monitor mode
Changes since v1:
- drop the @DRIVER_11N_SUPPORT dependency
Signed-off-by: mohammad rasim <mohammad.rasim96@gmail.com>
For example, Turris MOX SDIO card is using Marvell (NXP) 88W8997 chip.
Technical specs of 88W8997:
- 28nm
- 802.11 ac wave-2
It should support simultaneous dual-band 2.4 GHz and 5 GHz,
but it requires to support multiSSID for one Wi-Fi card [1], which is
not supported in OpenWrt, yet and if we tried to run two instances of
hostapd, it didn't work well, so it's 2.4 GHz or 5 GHz.
- 2x2 MU-MIMO
- Bluetooth 5.1 with LE support
- Unfortunately, there can be connected only 8 clients at the same time
(limited by FW, however, there exists "enterprise" chip, its equal chip,
it is just different that it uses different FW)
Symlink is necessary as mwifiex_sdio tries to load sd8997_uapsta.bin
[ 13.651182] mwifiex_sdio mmc0:0001:1: Direct firmware load for mrvl/sd8997_uapsta.bin failed with error -2
[ 13.661065] mwifiex_sdio mmc0:0001:1: Falling back to user helper
[ 13.684880] firmware mrvl!sd8997_uapsta.bin: firmware_loading_store: map pages failed
[ 13.695910] mwifiex_sdio mmc0:0001:1: Failed to get firmware mrvl/sd8997_uapsta.bin
[ 13.703774] mwifiex_sdio mmc0:0001:1: info: _mwifiex_fw_dpc: unregister device
Pali Rohár sent two patches [2] [3] into kernel to fix default firmware name for SD8997, so
the symlink will not be required in the future versions of kernel, which
was accepted and right now, according to my details it was backported to 5.8, 5.7 and 5.4
[1] https://bugs.openwrt.org/index.php?do=details&task_id=3243
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=00eb0cb36fad5
[3] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2e1fcac52a9ea
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
For many target we have added CONFIG_WATCHDOG_CORE=y to the target
config due to the following error:
Package kmod-hwmon-sch5627 is missing dependencies for the following
libraries:
watchdog.ko
However, actually the proper way appears to be setting the
dependency for the kmod-hwmon-sch5627 package, as the error message
demands.
Do this in this patch and remove the target config entries added
due to this issue.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit adds a `selinux` variant which comes with with a number of
SELinux applets and also SELinux label support.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Fixes package libcurl build issue :
Package libcurl is missing dependencies for the following libraries:
libzstd.so.1
Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
8027c7d95274 mt76: mt7615: fix reading airtime statistics
3743e7c904de mt76: mt7915: optimize mt7915_mac_sta_poll
d2fe5e8330c6 mt76: mt7915: fix variable initialization in sta poll
692065b4c9db mt76: mt7915: only enable hw amsdu for AP and station
b54157df7c27 mt7615: update firmware to version 20200814
888990e159d2 mt76: use threaded NAPI
3a3306e408f2 mt76: mt7915: add 802.11 encap offload support
795b772cd392 mt76: mt7915: add encap offload for 4-address mode stations
55d79ab7fa23 mt76: dma: update q->queued immediately on cleanup
23dbd64d6324 mt76: mt7915: schedule tx tasklet in mt7915_mac_tx_free
5cf34cda70af mt76: mt7915: significantly reduce interrupt load
87a69429069f mt76: add utility functions for deferring work to a kernel thread
2f1318a06d0a mt76: convert from tx tasklet to tx worker thread
72f0979566be mt76: mt7915: add support for accessing mapped registers via bus ops
f9ce5c776c9a mt76: use ieee80211_rx_list to pass frames to the network stack as a batch
25dd8bdae3bf mt76: mt7615: significantly reduce interrupt load
7c5445dec812 mt76: mt7615: release mutex in mt7615_reset_test_set
e68c3e254822 mt76: mt7663s: use NULL instead of 0 in sdio code
4368380e20e7 mt76: mt7663s: fix resume failure
bea386f27914 mt76: mt7663s: fix unable to handle kernel paging request
b8780c44c716 mt76: mt7615: fix possible memory leak in mt7615_tm_set_tx_power
37a1c7ed6796 mt76: mt7615: fix a possible NULL pointer dereference in mt7615_pm_wake_work
8c7c1a207d25 mt76: fix a possible NULL pointer dereference in mt76_testmode_dump
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Abort the dhcp-check based on the interface instead of the carrier
state. In cases where the interface is up but the carrier is down,
netifd won't cause a dnsmasq reload, thus dhcp won't become active
on this interface.
Signed-off-by: David Bauer <mail@david-bauer.net>
"type" is already used as a common option for all protocols types, so
using the same option name for the map type makes the configuration
ambiguous. Luci in particular adds controls for both options and sees
errors when reading the resulting configuration.
Use "maptype" instead, but still fallback to "type" if "maptype" is not
set. This allows configurations to migrate without breaking old
configurations.
This addresses FS#3287.
Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
The is no reason to catch the output by $() and then echo it again.
Remove the useless echos.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The legacy map version based on the IPv6 Interface Identifier in
draft-ietf-softwire-map-03 was typically used by uncommenting the LEGACY
variable in the map.sh file, which is not ideal. A proper configuration
option is needed instead.
The IPv6 Interface Identifier format described in the draft was
eventually changed in RFC7597, but is still used by some major ISPs,
including in Japan.
Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
If not needed, disabling scp allows for a nice size reduction.
Dropbear executable size comparison:
153621 bytes (baseline)
133077 bytes (without scp)
In other words, we trim a total of 20544 bytes.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
ALLNET ALL-WAP02860AC is a dual-band wireless access point.
Specification
SoC: Qualcomm Atheros QCA9558
RAM: 128 MB DDR2
Flash: 16 MB SPI NOR
WIFI: 2.4 GHz 3T3R integrated
5 GHz 3T3R QCA9880 Mini PCIe card
Ethernet: 1x 10/100/1000 Mbps AR8035-A, PoE capable (802.3at)
LEDS: 5x, which four are GPIO controlled
Buttons: 1x GPIO controlled
UART: 4 pin header near Mini PCIe card, starting count from white
triangle on PCB
1. VCC 3.3V, 2. GND, 3. TX, 4. RX
baud: 115200, parity: none, flow control: none
MAC addresses
Calibration data does not contain valid MAC addresses.
The calculated MAC addresses are chosen in accordance with OEM firmware.
Because of:
a) constrained environment (SNMP) when connecting through Telnet
or SSH,
b) hard-coded kernel and rootfs sizes,
c) checksum verification of kerenel and rootfs images in bootloder,
creating factory image accepted by OEM web interface is difficult,
therefore, to install OpenWrt on this device UART connection is needed.
The teardown is simple, unscrew four screws to disassemble the casing,
plus two screws to separate mainboard from the casing.
Before flashing, be sure to have a copy of factory firmware, in case You
wish to revert to original firmware.
Installation
1. Prepare TFTP server with OpenWrt initramfs-kernel image.
2. Connect to LAN port.
3. Connect to UART port.
4. Power on the device and when prompted to stop autoboot, hit any key.
5. Alter U-Boot environment with following commands:
setenv failsafe_boot bootm 0x9f0a0000
saveenv
6. Adjust "ipaddr" and "serverip" addresses in U-Boot environment, use
'setenv' to do that, then run following commands:
tftpboot 0x81000000 <openwrt_initramfs-kernel_image_name>
bootm 0x81000000
7. Wait about 1 minute for OpenWrt to boot.
8. Transfer OpenWrt sysupgrade image to /tmp directory and flash it
with:
sysupgrade -n /tmp/<openwrt_sysupgrade_image_name>
9. After flashing, the access point will reboot to OpenWrt. Wait few
minutes, until the Power LED stops blinking, then it's ready for
configuration.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
[add MAC address comment to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The most recent patch added add lines in one block instead of in the
appropriate places to keep Makefiles in consistent style. Fix that.
Fixes: ff02e1561f ("pcre: add host variant of libpcre")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
34aed01ca865 mt76: mt7915: use ieee80211_free_txskb to free tx skbs
efc8669db5f9 mt76: mt7915: fix max_mpdu_size field for A-MSDU
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Dependencies are meant to express actual run-time dependencies and
strictly speaking, libselinux can be build and used on kernels without
SELinux (not in a very meaningful way, but never mind).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit adds a `selinux` variant to `procd` allowing to load an
SELinux policy at boot.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This driver is only used by ipq806x SoCs. Move it there and drop
dependency from ipq40xx since it's not used anywere.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[rebase on changes to previous patches]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Paul Blazejowski <paulb@blazebox.homeip.net> [R7800]
- Replace dwc3 phy patch with upstream version
- Rework the dts to use the upstream bindings
- Update changed config flags
- Rename module to reflect config name
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[fix qcom,tx-deamp_3_5db typo, refresh patches, rename kmod]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Paul Blazejowski <paulb@blazebox.homeip.net> [R7800]
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
8d9a62e4def7 mt76: mt7915: fix crash on tx rate report for invalid stations
825343467df4 mt76: fix double DMA unmap of the first buffer on 7615/7915
99804560372b mt76: mt7615: register ext_phy if DBDC is detected
93407be934b2 mt76: mt7615: move drv_own/fw_own in mt7615_mcu_ops
e7774de844e8 mt76: mt7663s: move drv_own/fw_own in mt7615_mcu_ops
a5602514ab03 mt76: mt7615: hold mt76 lock queueing wd in mt7615_queue_key_update
5c42061ce181 mt76: do not inject packets if MT76_STATE_PM is set
ae4757a0ae90 mt76: mt7615: reschedule runtime-pm receiving a tx interrupt
c4544d1e8a1a mt76: mt76s: fix oom in mt76s_tx_queue_skb_raw
dc73103874cc mt76: mt76s: move tx processing in a dedicated wq
c828c84cb134 mt76: mt7663s: move rx processing in txrx wq
2b34f2f6b0ef mt76: mt76s: move status processing in txrx wq
f957b050d848 mt76: mt76s: move tx/rx processing in 2 separate works
6fe964295bd9 mt76: mt76s: get rid of unused variable
43d6127d8851 mt76: mt7915: enable U-APSD on AP side
58774b605f1c mt76: set interrupt mask register to 0 before requesting irq
06f722d8046c mt76: mt7915: clean up and fix interrupt masking in the irq handler
2fbd6baac103 mt76: mt7615: only clear unmasked interrupts in irq tasklet
5ea8b6187da2 mt76: mt76x02: clean up and fix interrupt masking in the irq handler
f2e71f0c1b7e mt76: mt7615: do not do any work in napi poll after calling napi_complete_done()
1eb94624bb12 mt76: mt7915: do not do any work in napi poll after calling napi_complete_done()
5e0c587b9ac1 mt76: mt7915: clean up station stats polling and rate control update
9ab20dfbf7b1 mt76: mt7915: increase tx retry count
fa69dd96f9c0 mt76: mt7915: enable offloading of sequence number assignment
9816f9812adb mt76: move mt76_check_agg_ssn to driver tx_prepare calls
ad90170b0af9 mt76: mt7615: remove mtxq->agg_ssn assignment
335cd51be4c6 mt76: mt7915: simplify aggregation session check
21f7734cbb49 mt76: mt7915: add missing flags in WMM parameter settings
21182f90d947 mt76: mt7915: add Tx A-MSDU offloading support
27670514328f mt76: mt7615: use v1 MCU API on MT7615 to fix issues with adding/removing stations
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Not a large change from last time, but should fix at least one rare wave-2
crash. The htt-mgt-community builds are trimmed for supporting lots of
stations (typically 150+ stations per radio).
Tested on Netgear R7800.
Signed-off-by: Michael Yartys <michael.yartys@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Bump PKG_RELEASE for the affected packages as replacing "which" by
"command -v" represents a content change.
Fixes: 1fdf6b745c ("treewide: replace `which` with `command -v`")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Using `command -v` is POSIX compliant while `which` is not. Also to
mention, `command -v` is a shell builtin whereas `which` is a separate
busybox applet.
Once applied to everything concerning OpenWrt we can disable the busybox
feature `which` and save 3.8kB.
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Paul Spooren <mail@aparcar.org>
[also replace cases in zram-swap]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This problem has been fixed in upstream commit
6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly)
adds the same definition a second time.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Now that my patches have been merged into upstream U-Boot, resync the
cosmetic changes and the commit IDs from the final commits.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The pkgconfig file references the host directories, not the openwrt
ones. Used SED to fix as is done elsewhere. Removed CMAKE_INSTALL as a
result.
Removed now pointless CFLAGS.
Added PKG_BUILD_PARALLEL for faster compilation.
Various rearrangements for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
677aa53 Fix -W option for pppoe-discovery utility (#157)
115c419 Accept Malformed Windows Success Message (#156)
5bdb148 pppd: Add documentation of stop-bits option to pppd man page (#154)
2a7981f Add ipv6cp-accept-remote option
0678d3b pppd: Fix the default value for ipv6cp-accept-local to false
Refresh patches
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
readelf is linked against this library on MIPS64BE
This fixes a build problem on MIPS64BE.
In addition also explicitly activate it in the configure command.
Fixes: 60f595daab ("binutils: update to version 2.34")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
A bunch of kernel modules depends on kmod-usb-net, but does not
select it. Make AddDepends/usb-net selective, so we can drop
some redundant +kmod-usb-net definitions for DEVICE_PACKAGES.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.
The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[split commit into openwrt.git and procd.git]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds support for ZyXEL NBG6616 uboot-env access
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
mac80211 reports a packet loss event to user space when 50 consecutive packets
were not acked. On a high throughput link with long aggregates and sudden
link changes, this can trigger way too easily.
Mitigate false positives by only triggering the event on a packet loss if
no ACK was received for at least a second
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Exchange the patch fixing the kernel ringbuffer WARNING flood for the
one accepted upstream.
Fixes commit a956c14d6a ("mac80211: util: don't warn on missing sband
iftype data")
Signed-off-by: David Bauer <mail@david-bauer.net>
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.
Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.
Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.
While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.
Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add a dependency on kmod-nls-base for the new exfat driver. Otherwise
the build fails on ramips and ath79 on kernel 5.4:
Package kmod-fs-exfat is missing dependencies for the following libraries:
nls_base.ko
Fixes commit cd41234d2f ("exfat: add out of tree module")
Signed-off-by: David Bauer <mail@david-bauer.net>
The board name is equivalent to the compatible, not the device
definition. Fix it.
Fixes: b4588c8538 ("kernel/om-watchdog: Apply device renames from ramips")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
When passing a section or option value to config_get() which contains
characters that happen to be valid variable interpolation expressions,
the function returns a nonsensical expression result instead of the
expected empty string.
When the passed section or option name contains other characters which
are not valid within a shell variable name, a substitution error is
occuring instead.
The issue can be easily reproduced by one of the following examples:
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable invalid-section option
root@OpenWrt:~# echo "$variable"
section_option:-
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable section invalid-option
root@OpenWrt:~# echo "$variable"
option:-
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable section invalid@option
-ash: eval: syntax error: bad substitution
Fix this issue by only performing interpolations when the given section
and option arguments are free of illegal characters.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis
# dnsmasq --dnssec; echo $?
dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
1
DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature. Better be explicit. With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)
So this is just being proactive. on/off choices with uci option
"dnssec" are still available like before
Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
282ff0c jail: only free cgroups if they were allocated
ab55357 jail: fix freeing cgroups avl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch adds support for the WNDR4300TN, marketed by Belgian ISP
Telenet. The hardware is the same as the WNDR4300 v1, without the
fifth ethernet port (WAN) and the USB port. The circuit board has
the traces, but the components are missing.
Specifications:
* SoC: Atheros AR9344
* RAM: 128 MB
* Flash: 128 MB NAND flash
* WiFi: Atheros AR9580 (5 GHz) and AR9344 (2.4 GHz)
* Ethernet: 4x 1000Base-T
* LED: Power, LAN, WiFi 2.4GHz, WiFi 5GHz, WPS
* UART: on board, to the right of the RF shield at the top of the board
Installation:
* Flashing through the OEM web interface:
+ Connect your computer to the router with an ethernet cable and browse
to http://192.168.0.51/
+ Log in with the default credentials are admin:password
+ Browse to Advanced > Administration > Firmware Upgrade in the Telenet
interface
+ Upload the Openwrt firmware: openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
+ Proceed with the firmware installation and give the device a few
minutes to finish and reboot.
* Flashing through TFTP:
+ Configure your wired client with a static IP in the 192.168.1.x range,
e.g. 192.168.1.10 and netmask 255.255.255.0.
+ Power off the router.
+ Press and hold the RESET button (the factory reset button on the bottom
of the device, with the gray circle around it, next to the Telenet logo)
and turn the router on while keeping the button pressed.
+ The power LED will start flashing orange. You can release the button
once it switches to flashing green.
+ Transfer the image over TFTP:
$ tftp 192.168.1.1 -m binary -c put openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
Signed-off-by: Davy Hollevoet <github@natox.be>
[use DT label reference for adding LEDs in DTSI files]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Testmode commands are typically only used for manufacturing or vendor specific
debugging features, so they should not be in the default image
Signed-off-by: Felix Fietkau <nbd@nbd.name>
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.
Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.
Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections of `/etc/config/network` into appropriate
bridge vlan filter rules.
The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta
This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.
* compat: allow override of depmod basedir
When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.
* compat: add missing headers for ip_tunnel_parse_protocol
This fixes compilation with some unusual configurations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.
* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.
wg sizes for both modes:
MIPS32: 64309 bytes
MIPS16: 42501 bytes
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
>From an email conversation with the person responsible for upstreaming
the exFAT driver, it seems the staging one in kernel 5.4 is not so
good. Excerpts below.
Namjae Jeon:
Hm... exfat in 5.4 kernel that we did crap shit long time ago is
contributed by someone who we don't know.
This version is unstable and low quality code. We have been improving
it continuously.
and staging version exfat is removed from linux 5.7 kernel.
linux exfat oot version is a backport of exfat in linux 5.7 kernel to
support lower version kernel, and it is a real.
You can see the patch history fro linux-exfat-oot.
this version support timezone and boot sector verification feature newly.
and better filesystem structure and much clean code quality that
reviewed by high profile kernel developers. and add many bug fixes.
And this version is officially maintained by me and kernel guys.
I would not recommend to use staging exfat version.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Don't kill the wireless daemon on teardown. hostapd as well as
wpa_supplicant are managed by procd which would detect the shutdown of
either process as a crash loop.
Signed-off-by: David Bauer <mail@david-bauer.net>
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:
netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process path (/proc/exe)
Fixing the service name retrieves the correct PID and therefore the
warning won't occur.
Signed-off-by: David Bauer <mail@david-bauer.net>
This replaces the internal device names "Audi" and "Viper" with the
real model names, which a user would look for. This makes the
Linksys devices on this target consistent with the names recently
changed for mvebu based on the same idea.
As a consequence, the "viper" device definition is split into two
separate definitions with the correct names for both real models.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Explicitly mount the BPF filesystem if available. This is used for pinning
eBPF programs and maps, making them accessible to other eBPF programs or
from userspace with the help of libbpf or bpftool.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[daniel@makrotopia.org: bumped PKG_RELEASE]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.
This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.
It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.
The patch is supposed to be cosmetic.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, the compatibility mechanism only works if both device and
image are already updated to the new routines. This patch extends
the sysupgrade metadata and fwtool_check_image() to account for
"older" images as well:
The basic mechanism for older devices to check for image compatibility
is the supported_devices entry. This can be exploited by putting
a custom message into this variable of the metadata, so older FW
will produce a mismatch and print the message as it thinks it's the
list of supported devices. So, we have two cases:
device 1.0, image 1.0:
The metadata will just contain supported_devices as before.
device 1.0, image 1.1:
The metadata will contain:
"new_supported_devices":["device_string1", "device_string2", ...],
"supported_devices":["Image version 1.1 incompatible to device: ..."]
If the device is "legacy", i.e. does not have the updated fwtool.sh,
it will just fail with image check and print the content of
supported_devices. If DEVICE_COMPAT_MESSAGE is set, this will be
printed on old devices as well through the same mechanism. Otherwise
a generic "Please check documentation ..." is appended.
Upgrade can still be performed with -F like when
SUPPORTED_DEVICES has been removed to prevent bricking.
If the device has updated fwtool.sh (but is 1.0), it will just use
the new_supported_devices instead, and work as intended (flashing
with -n will work, flashing without will print the appropriate
warning).
This mechanism should provide a fair tradeoff between simplicity
and functionality.
Since we touched a lot of fields in metadata, this also bumps
metadata_version to 1.1.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
We regularly encounter the situation that devices are subject to
changes that will make them incompatible to previous versions.
Removing SUPPORTED_DEVICES will not really be helpful in most of these
cases, as this only helps after a rename.
To solve this situation, this patchset introduces a compatibility
version for devices. In this patch, the actual checks are implemented
into fwtool_check_image():
If an incompatible change is introduced, one can increase either
the minor version (1.0->1.1) or the major version (1.0->2.0).
Minor version increment:
This will still allow sysupgrade, but require to reset config
(-n or SAVE_CONFIG=0). If sysupgrade is called without -n, a
corresponding message will be printed. If sysupgrade is called
with -n, it will just pass, with supported devices being checked
as usual. (Which will allow us to add back SUPPORTED_DEVICES for
many cases.)
Major version increment:
This is meant for potential (rare) cases where sysupgrade is
not possible at all, because it would break the device.
In this case, a warning will be printed, and -n won't help.
If image check fails because of one of the versions parts not
matching, the content of DEVICE_COMPAT_MESSAGE is printed in
addition to the generic message (if set).
For both cases, upgrade can still be forced with -F as usual.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
We regularly encounter the situation that devices are subject to
changes that will make them incompatible to previous versions.
Removing SUPPORTED_DEVICES will not really be helpful in most of these
cases, as this only helps after a rename.
To solve this situation, this patchset introduces a compatibility
version for devices. To complement the DEVICE_COMPAT_VERSION set
for the image to be flashed, this implements a compat_version on
the device, so it will have something to compare with the image.
The only viable way to achieve this seems to be via board.d files,
i.e. this is technically adding a compat version for the device's
config.
Like for the network setup, this will set up a command
ucidef_set_compat_version to set the compat_version in board.d.
This will then add a string to /etc/board.json, which will be
translated into uci system config by bin/config_generate.
By this, the compat_version, being a version of the config, will
also be exposed to the user.
As with DEVICE_COMPAT_VERSION, missing uci entry will be assumed
as compat_version "1.0", so we only need to add this if a device
needs to be bumped, e.g.
ucidef_set_compat_version "1.1"
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
28be011 instance: make sure values are not inherited from previous runs
2ae5cbc uxc: remove debugging left-over
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.
Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.
While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.
This is only compile tested and needs some real-life testing.
Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
c3ca99f jail: serialize hook execution
8ff8970 jail: add some remaining OCI features
9d5fa0a uxc: behave more like a compliant OCI run-time
1274033 uxc: fix create operation
2d811a4 jail: add 'kill' method to container.%s object
08133b8 uxc: use new container.%s kill ubus API
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds a function for generating a valid random MAC address (unset MC
bit / set locally administered bit).
It is necessary for devices which do not have a MAC address programmed
by the manufacturer.
Signed-off-by: David Bauer <mail@david-bauer.net>
Update the U-Boot to version v2020.07. Also replace the Makefile rewrite
with a proper patch, explaining why this hack is needed.
Run-tested: FriendlyARM NanoPi R2S
Signed-off-by: David Bauer <mail@david-bauer.net>
also install the firmware for all the supported boards
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
[fix ATF blob path in uboot-rockchip]
Signed-off-by: David Bauer <mail@david-bauer.net>
In imx6, we currently use the model from DTS to derive a board name
manually in /lib/imx6.sh.
However, if we have individual DTS files anyway, we can exploit
generic 02_sysinfo and use the compatible as board name directly.
While at it, remove the wildcards from /lib/upgrade/platform.sh as
these might make code shorter, but are quite unpleasant when grepping
for a specific device.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
OpenWrt lately has harmonized device (definition) names to the
pattern vendor_model to improve overall consistency, also with
other values like the DTS compatible.
This patch applies that scheme to the layerscape target.
Since this (intentionally) creates a bigger overlap between DTS names,
compatible, and device definition name, it also moves DEVICE_DTS and
SUPPORTED_DEVICES definitions to the Device/Default blocks.
Apart from that, it also modifies several packages to use consistent
naming in order to keep the $(1) file references working.
While at it, remove one layer of complexity for the setup in
tfa-layerscape package.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The kernel currently floods the ringbuffer with warnings when adding a
mesh interface for a device not support HE 6GHz modes.
Return without warning in this case, as mesh_add_he_6ghz_cap_ie calls
ieee80211_ie_build_he_6ghz_cap regardless of the supported interface
modes.
Signed-off-by: David Bauer <mail@david-bauer.net>
48777de rcS: cast format string to int64_t
a4df90f jail: fix wrong format for 32-bit
c482c5d jail: add support for referencing existing namespaces
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The following patches:
* 972-ath10k_fix-crash-due-to-wrong-handling-of-peer_bw_rxnss_override-parameter.patch
* 973-ath10k_fix-band_center_freq-handling-for-VHT160-in-recent-firmwares.patch
are replaced by this commit in the upstream kernel:
* 3db24065c2c8 ("ath10k: enable VHT160 and VHT80+80 modes")
The following patches were applied upstream:
* 001-rt2800-enable-MFP-support-unconditionally.patch
* 090-wireless-Use-linux-stddef.h-instead-of-stddef.h.patch
The rtw88 driver is now split into multiple kernel modules, just put it
all into one OpenWrt kernel package.
rtl8812au-ct was patched to compile against the mac80211 from kernel
5.8, but not runtime tested.
Add a patch which fixes ath10k on IPQ40XX, this patch was send upstream
and fixes a crash when loading ath10k on this SoC.
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Ever since this package was introduced, the SDK for mt7629 failed to
build as it started failing on this package.
Fixed by porting Hauke's similar patch for uboot-sunxi to uboot-mediatek.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If using a configuration file for OpenVPN, allow overriding name of the
interface. The reason is that then people could use configuration file
provided by VPN provider directly and override the name of the interface
to include it in correct firewall zone without need to alter the
configuration file.
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
Split out code that parses openvpn configuration file into separate file
that can be later included in various scripts and reused.
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.
Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.
Signed-off-by: David Bauer <mail@david-bauer.net>
Currently a device which has a DFS channel selected using the UCI
channel setting might switch to a non-DFS channel in case no chanlist is
provided (UCI setting "channels") when the radio detects a DFS event.
Automatically add a chanlist consisting of the configured channel when
the device does not operate in auto-channel mode and no chanlist set to
circumvent this issue.
Signed-off-by: David Bauer <mail@david-bauer.net>
Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.
While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)
Field names are taken direclty from the bridge command.
Example with all supported parameters, since this hasn't been documented so
far:
config interface 'vx0'
option proto 'vxlan6' # use vxlan over ipv6
# main options
option ip6addr '2001:db8::1' # listen address
option tunlink 'wan6' # optional if listen address given
option peer6addr '2001:db8::2' # now optional
option port '8472' # this is the standard port under linux
option vid '42' # VXLAN Network Identifier to use
option mtu '1430' # vxlan6 has 70 bytes overhead
# extra options
option rxcsum '0' # allow receiving packets without checksum
option txcsum '0' # send packets without checksum
option ttl '16' # specifies the TTL value for outgoing packets
option tos '0' # specifies the TOS value for outgoing packets
option macaddr '11:22:33:44:55:66' # optional, manually specify mac
# default is a random address
Single peer with head-end replication. Corresponds to the following call
to bridge:
$ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3
config vxlan_peer
option vxlan 'vx0'
option dst '2001:db8::3' # always required
For multiple peers, this section can be repeated for each dst address.
It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:
config vxlan_peer
option vxlan 'vx0'
option dst 'ff02::1337' # multicast group to join.
# all bum traffic will be send there
option via 'eth1' # for multicast, an outgoing interface needs
# to be specified
All available peer options for completeness:
config vxlan_peer
option vxlan 'vx0' # the interface to configure
option lladdr 'aa:bb:cc:dd:ee:ff' # specific mac,
option dst '2001:db8::4' # connected to this peer
option via 'eth0.1' # use this interface only
option port '4789' # use different port for this peer
option vni '23' # override vni for this peer
option src_vni '123' # see man 3 bridge
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.
Fixes: FS#2743
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Further complete OCI container support in ujail:
f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d
6f078ae jail: add support for defining devices
686cf7a jail: actually apply filesystem-specific mount options
f91009a jail: refactor default mounts into new structure
66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
9eddf0f jail: fix hooks
1b1286b jail: parse and apply OCI sysctl values
c049047 jail: implement OCI user additionalGIDs
0e1920c jail: read and apply umask from OCI if defined
1c46cc3 jail: parse and apply POSIX rlimits
76adac5 jail: /proc/$pid/oom_score_adj to OCI defined oomScoreAdj
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
8d5208f jail: fix false return in case of nofail mount
b41f76b procd: fix compile if procd-ujail is not selected
86a5105 jail: fs: fix build on uClibc-ng
bfce7d1 jail: fix some more mount options
268126a jail: add support for maskedPaths and readonlyPaths
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This file is always present because it is part of the ltq-dsl-base
package on which these packages depend.
This check would not have been necessary in the past, because the script
was part of the TARGET_LANTIQ on which these packages also depend.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
It does not make sense to install this components on lantiq systems
where the dsl subsystem is not needed/used.
This also makes it possible to use the files also on other targets.
(hopefully ipq401x / FritzBox 7530 in the near future)
Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
The last commit to this package that added the pkgconfig file did not
fix the paths to point to the prefix.
This allows packages to find lzo properly.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.
For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".
This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.
Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.
During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.
A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:
1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
In this case, the resulting version string does not change, it's
just the value of the variable put in the file. Consequently, we
do not bump the number in these cases so nobody is tempted to
install the same package again.
2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
In this case, the resulting version string has been "version-release",
e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
need to be higher than the previous PKG_VERSION.
For the cases where PKG_VERSION has always sticked to "1", and
PKG_RELEASE has been incremented, we take the most recent value of
PKG_RELEASE.
Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.
Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Bumping package version has been overlooked in a previous commit.
While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)
Fixes: 0453c3866f ("vxlan: fix udp checksum control")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, passing "rxcsum" and "txcsum" had no effect.
Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.
- backport patch:
* 002-configure-support-ipset-v7.patch:
650591a7a70c configure: support ipset version 7 with kernel version 5
Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.
Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Optional instance watchdog timeout and watchdog mode can be set by
adding: procd_set_param $mode $timeout
$mode is an integer [0-1] representing instance watchdog mode of
operation:
0 = disabled
1 = passive mode, client must periodically poke watchdog via ubus
$timeout is an integer representing how often, in seconds, the watchdog must be poked.
Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
aed7fb3 procd: fix compilation with uClibc-ng
9d0f831 jail: fix segfault with len(uidmap/gidmap) > 1
42a6217 jail: consider PATH for argv in OCI container
83f4b72 jail: actually chdir into OCI defined CWD
fc9f614 jail: parse and run OCI hooks
02eec92 jail: memory allocation fixes
71e75f4 jail: refactor mount support to cover OCI spec
b586e7d jail: don't make mount source read-only
dacab12 uxc: fix 'stop' command
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.
* receive: account for napi_gro_receive never returning GRO_DROP
The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.
* device: implement header_ops->parse_protocol for AF_PACKET
WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:
packet_sendmsg -> packet_snd -> packet_parse_headers ->
dev_parse_header_protocol -> parse_protocol
Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.
* queueing: make use of ip_tunnel_parse_protocol
Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.
* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops
These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Add support for Marvell MACCHIATObin Single Shot, cortex-a72 based
Marvell ARMADA 8040 Community board. Single Shot was broken as the
device tree is different on the Double Shot Board.
Specifications:
- Quad core Cortex-A72 (up to 2GHz)
- DDR4 DIMM slot with optional ECC and single/dual chip select support
- Dual 10GbE (1/2.5/10GbE) SFP+
2.5GbE (1/2.5GbE) via SFP
1GbE via copper
- SPI Flash
- 3 X SATA 3.0 connectors
- MicroSD connector
- eMMC
- PCI x4 3.0 slot
- USB 2.0 Headers (Internal)
- USB 3.0 connector
- Console port (UART) over microUSB connector
- 20-pin Connector for CPU JTAG debugger
- 2 X UART Headers
- 12V input via DC Jack
- ATX type power connector
- Form Factor: Mini-ITX (170 mm x 170 mm)
More details at http://macchiatobin.net
Installation:
Write the Image to your Micro SD Card and insert it in the
MACCHIATObin Single Shot SD Card Slot.
In the U-Boot Environment:
1. reset U-Boot environment:
env default -a
saveenv
2. prepare U-Boot with boot script:
setenv bootcmd "load mmc 1:1 0x4d00000 boot.scr; source 0x4d00000"
saveenv
or manually (hanging lines indicate wrapped one-line command):
setenv fdt_name armada-8040-mcbin-singleshot.dtb
setenv image_name Image
setenv bootcmd 'mmc dev 1; ext4load mmc 1:1 $kernel_addr
$image_name;ext4load mmc 1:1 $fdt_addr $fdt_name;setenv
bootargs $console root=/dev/mmcblk1p2 rw rootwait; booti
$kernel_addr - $fdt_addr'
saveenv
On newer Bootloaders (18.12) the Variables have been changed, use:
setenv fdt_name armada-8040-mcbin-singleshot.dtb
setenv image_name Image
setenv bootcmd 'mmc dev 1; ext4load mmc 1:1 $kernel_addr_r
$image_name;ext4load mmc 1:1 $fdt_addr_r $fdt_name;setenv
bootargs $console root=/dev/mmcblk1p2 rw rootwait; booti
$kernel_addr_r - $fdt_addr_r'
Reported-by: Alexandra Alth <alexandra@alth.de>
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
Tested-by: Alexandra Alth <alexandra@alth.de>
[add specs and installation as provided by Alexandra Alth]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Between kernels 4.20 and 5.0, a new variant of this board has been
introduced ("Single Shot"), and the existing one has been renamed
with the appendix "Double Shot". [1]
This also adjusted the first compatible in the list:
marvell,armada8040-mcbin -> marvell,armada8040-mcbin-doubleshot
This patch updates the OpenWrt implementation of this device by
adjusting the relevant references to that compatible (i.e., our
board name).
To still provide support for 4.19 with our setup, this adds a
small patch to change the compatible there as well.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1f0bbe2700051886b954192b6c1751233fe0f52
Cc: Tomasz Maciej Nowak <tomek_n@o2.pl>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
The firmware is currently just copied. It can end up with o= on the
device (this is the case for voice_ar9_firmware.bin for instance).
Instead of copying it the Makefile is changed to use the macro
"$(INSTALL_DATA)" in order for the file to be world-readable.
While at it refactor the device node creation in the init script with
loop.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
[removed 2nd part with custom group handling for device nodes]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
There had been an issue in Layerscape QSPI driver for very long
time, which made squashfs,jffs2 rootfs not work on QSPI NOR.
And the ubifs had been used as a workaround.
Now the issue has been fixed. So convert to use squashfs,jffs2
rootfs on QSPI NOR for Layerscape boards (LS1012ARDB/LS1046ARDB/
LS1088ARDB), and update u-boot bootargs for booting.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
The rootfs squashfs is already highly (XZ) compressed. Storing the applet
messages in compressed form will increase the entropy and reduce the overall
image compression ratio.
Size diffs (compressed vs uncompressed):
busybox (the executable): 364596 vs 384804 bytes.
OpenWrt target images (the kernel image is unchanged, obviously):
omnia-medkit-openwrt-mvebu-cortexa9-cznic_turris-omnia-initramfs.tar.gz:
9163597 vs 9162531 bytes (1066 bytes difference).
openwrt-mvebu-cortexa9-cznic_turris-omnia-initramfs-kernel.bin:
9161688 vs 9160600 bytes (1088 bytes difference).
openwrt-mvebu-cortexa9-cznic_turris-omnia-sysupgrade.img.gz:
9729550 vs 9729230 bytes (320 bytes difference).
All in all, we save just a little bit over 1 kiB. As an added bonus, we
also don't have to decompress the messages twice, (first from squashfs,
then from the bzip2 message storage).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[added additional size comparision diff detaisl]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Zram is only strictly dependent on lzo, not lz4. Break this dependency and
make the lz4 module visible in the configuration, in order for the user to
have the choice of enabling/disabling it, if (s)he sees fit.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The block-mount swapon implementation doesn't support discard, so make zram-swap
depend only on the default BusyBox implementation or, when unavailable, on the
one present in the swap-utils package.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The clock_gettime(CLOCK_MONOTONIC) syscall exists for so long that the first
kernel version to support it is not even specified in the man page [1]. Let's
enable it on BusyBox by default. Otherwise, gettimeofday will be used instead,
which will give wrong results if the date/time is reset (time moving backwards).
[1] https://linux.die.net/man/2/clock_gettime
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
CMake is less error prone that autotools and also compiles faster.
Fixed license information.
Added pkgconfig file to InstallDev so that packages that use it can
find lzo.
Before:
time make package/lzo/compile -j 12
________________________________________________________
Executed in 20.87 secs fish external
usr time 26.95 secs 0.00 micros 26.95 secs
sys time 5.49 secs 305.00 micros 5.49 secs
After:
time make package/lzo/compile -j 12
________________________________________________________
Executed in 13.22 secs fish external
usr time 19.59 secs 328.00 micros 19.59 secs
sys time 4.03 secs 10.00 micros 4.03 secs
Time output is with fish shell. make clean was ran before both attempts.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
f4e9bf73ac5c examples/lua: attempt to highlight some traps
53b9a2123fc6 lua/uloop: fd_add: use absolute indices for arguments
c0941d3289fc lua/uloop: make get_sock_fd capable of absolute addresses
161c25960ba2 lua/uloop: fd_add() better args checking
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Quoting part of original message from eefb5f741015 commit in
linux-firmware repository:
This adds the "minifw" version of the EIP197 firmware, which the inside-
secure driver will use as a fallback if the original full-featured
firmware cannot be found. This allows for using the inside-secure driver
and hardware without access to "official" firmware only available under
NDA.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
The block index of u-boot-env changed from mtd1 to mtd3 after upgrading kernel to 5.4.
This patch search the mtd block by label name, work as expect when perform a clean flash.
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>