There is no WLAN_STA_MBO flag, but according to the hostapd source code,
when an STA does not support MBO, cell_capa will be 0. Use this to
indicate MBO support in the get_clients ubus method.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: David Bauer <mail@david-bauer.net>
With the 5.18 and 5.19 update ip-tiny grows in size. Remove some
features bringing it back to the size before 5.18.
Remove
- Identifier-locator addressing (ila)
- MACsec Device Configuration (macsec)
- Multicast Routing Cache Management (mroute)
- mrule
- Virtual Routing and Forwarding (vrf)
- Segment Routing (sr)
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add patch:
- 105-ipstats-Define-MIN-function-to-fix-undefined-referen.patch
Refreshed:
- 170-ip_tiny.patch
- 195-build_variant_ip_tc.patch
Changes:
deb48554 v5.19.0
f8decf82 bpf_glue: include errno.h
71178ae0 rdma: update uapi/ib_user_verbs.h
96594fd2 vdpa: update uapi headers from 5.19-rc7
30c7b77f Revert "uapi: add vdpa.h"
c5433c4b ip neigh: Fix memory leak when doing 'get'
2cb76253 mptcp: Fix memory leak when getting limits
afdbb020 mptcp: Fix memory leak when doing 'endpoint show'
6db01afd bridge: Fix memory leak when doing 'fdb get'
1d540336 ip address: Fix memory leak when specifying device
325f706b uapi: add virtio_ring.h
291898c5 uapi: add vdpa.h
6e2fb804 uapi: update bpf.h
329fda18 ip: Fix size_columns() invocation that passes a 32-bit quantity
2a00a4b1 man: tc-fq_codel: add drop_batch
6bf5abef uapi: update mptcp.h
02410392 ip: Fix size_columns() for very large values
ed243312 man: tc-ct.8: fix example
2bb37e90 l2tp: fix typo in AF_INET6 checksum JSON print
855edb3d man: tc-fq_codel: Fix a typo.
4044a453 tc: declaration hides parameter
a44a7918 genl: fix duplicate include guard
703f2de6 uapi: change name for zerocopy sendfile in tls
248ad98e uapi: update socket.h
11e41a63 ip: Convert non-constant initializers to macros
8d3977ef Update kernel headers
5a1ad9f8 man: ip-stats.8: Describe groups xstats, xstats_slave and afstats
d9976d67 ipstats: Expose bond stats in ipstats
36e10429 ipstats: Expose bridge stats in ipstats
79f5ad95 iplink_bridge: Split bridge_print_stats_attr()
1247ed51 ipstats: Add groups "xstats", "xstats_slave"
c6900b79 ipstats: Add a third level of stats hierarchy, a "suite"
2ed73b9a iplink: Add JSON support to MPLS stats formatter
5ed8fd9d ipstats: Add a group "afstats", subgroup "mpls"
dff392fd iplink: Publish a function to format MPLS stats
72623b73 iplink: Fix formatting of MPLS stats
ce41750f ip: ipstats: Do not assume length of response attribute payload
40b50f15 bridge: vni: add support for stats dumping
c7f12a15 ip: iplink_vxlan: add support to set vnifiltering flag on vxlan device
45cd32f9 bridge: vxlan device vnifilter support
837294e4 libbpf: Remove use of bpf_map_is_offload_neutral
64e5ed77 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
ba6519cb libbpf: Use bpf_object__load instead of bpf_object__load_xattr
a6eb654d f_flower: add number of vlans man entry
5788732e f_flower: Check args with num_of_vlans
5ba31bcf f_flower: Add num of vlans parameter
b28eb051 man: Add man pages for the "stats" functions
a05a27c0 ipmonitor: Add monitoring support for stats events
0f1fd40c ipstats: Add offload subgroup "l3_stats"
179030fa ipstats: Add offload subgroup "hw_stats_info"
af5e7955 ipstats: Add a group "offload", subgroup "cpu_hit"
0517a2fd ipstats: Add a group "link"
df0b2c6d ipstats: Add a shell of "show" command
82f6444f ipstats: Add a "set" command
54d82b06 ip: Add a new family of commands, "stats"
5520cf16 ip: Publish functions for stats formatting
a463d6b1 libnetlink: Add filtering to rtnl_statsdump_req_filter()
38ae12d3 devlink: introduce -[he]x cmdline option to allow dumping numbers in hex format
bba95837 Update kernel headers
f6559bea ip-link: put types on man page in alphabetic order
ee53174b ip/iplink_virt_wifi: add support for virt_wifi
Signed-off-by: Nick Hainke <vincent@systemli.org>
The ip-tiny size grows from 124k (5.17.0) to 128k (5.18.0).
The update introduces a commit "configure: add check_libtirpc()" that
introduces a check for libtirpc. However, if libtirpc is already in the
staging directory due to an other dependency the check yields that the
library is installed and should be used resulting in failures like:
Package ss is missing dependencies for the following libraries:
libtirpc.so.3
To fix it add a patch making libtirpc optional again and setting it
"HAVE_TIRPC=n":
- 155-keep_tirpc_optional.patch
Fix patches:
- 130-no_netem_tipc_dcb_man_vdpa.patch
Refresh patches:
- 140-keep_libmnl_optional.patch
- 150-keep_libcap_optional.patch
- 180-drop_FAILED_POLICY.patch
- 200-drop_libbsd_dependency.patch
Changes:
6474b7c8 v5.18.0
4429a6c9 tipc: fix keylen check
6b6979b9 iplink: remove GSO_MAX_SIZE definition
19c3e009 doc: fix 'infact' --> 'in fact' typo
ed706c78 man: fix some typos
03589beb man: devlink-region: fix typo in example
b84fc332 tc: em_u32: fix offset parsing
b6d17086 uapi: update of virtio_ids
17bf51b7 libbpf: Remove use of bpf_map_is_offload_neutral
fa305925 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
9e0057b4 libbpf: Use bpf_object__load instead of bpf_object__load_xattr
e81fd551 devlink: fix "devlink health dump" command without arg
6f3b5843 man: use quote instead of acute accent
42d351fa man: 'allow to' -> 'allow one to'
d8a7a0f4 uapi: upstream update to stddef.h
5b2ff061 uapi: update from 5.18-rc1
292509f9 ss: remove an implicit dependency on rpcinfo
1ee309a4 configure: add check_libtirpc()
41848100 ip/geneve: add support for IFLA_GENEVE_INNER_PROTO_INHERIT
28add137 f_flower: Implement gtp options support
b25599c5 ip: GTP support in ip link
e4880869 man: bridge: document per-port mcast_router settings
9e82e828 bridge: support for controlling mcast_router per port
f1d18e2e Update kernel headers
8130653d vdpa: Update man page with added support to configure max vq pair
56eb8bf4 vdpa: Support reading device features
16482fd4 vdpa: Support for configuring max VQ pairs for a device
bd91c764 vdpa: Allow for printing negotiated features of a device
2d1954c8 vdpa: Remove unsupported command line option
93fb6810 Makefile: move HAVE_MNL check to top-level Makefile
2dee2101 man: ip-link: whitespace fixes to odd line breaks mid sentence
609b90aa man: ip-link: mention bridge port's default mcast_flood state
b1c3ad84 man: ip-link: document new bcast_flood flag on bridge ports
c354a434 ip: iplink_bridge_slave: support for broadcast flooding
909f0d51 man: bridge: add missing closing " in bridge show mdb
3b681cf9 man: bridge: document new bcast_flood flag for bridge ports
a6c848eb bridge: support for controlling flooding of broadcast per port
8acb5247 ip/batadv: allow to specify RA when creating link
0431d8e8 Import batman_adv.h header from last kernel sync point
239bfd45 Revert "configure: Allow command line override of toolchain"
a93c90c7 tc: separate action print for filter and action dump
d9977eaf bpf: Remove use of bpf_create_map_xattr
ac4e0913 bpf: Export bpf syscall wrapper
873bb975 bpf_glue: Remove use of bpf_load_program from libbpf
5e17b715 ss: display advertised TCP receive window and out-of-order counter
712ec66e tc: bash-completion: Add profinet and ethercat to procotol completion list
75061b35 lib: add profinet and ethercat as link layer protocol names
0a685b98 man8/ip-link.8: add locked port feature description and cmd syntax
d4fe3673 man8/bridge.8: add locked port feature description and cmd syntax
092af16b ip: iplink_bridge_slave: add locked port flag support
0e51a185 bridge: link: add command to set port in locked mode
04a0077d Update kernel headers
386ae64c configure: Allow command line override of toolchain
bea92cb0 mptcp: add port support for setting flags
2dbc6c90 mptcp: add fullmesh support for setting flags
5fb6bda0 mptcp: add fullmesh check for adding address
9831202f bond: add ns_ip6_target option
e8fd4d4b devlink: Remove strtouint8_t in favor of get_u8
2688abf0 devlink: Remove strtouint16_t in favor of get_u16
95c03f40 devlink: Remove strtouint32_t in favor of get_u32
7cb0e24d devlink: Remove strtouint64_t in favor of get_u64
7848f6bb Update kernel headers
4f015972 f_flower: fix indentation for enc_key_id and u32
25a9c4fa tunnel: Fix missing space after local/remote print
ff14875e Update documentation
8908cb25 Add support for the IOAM insertion frequency
cd24451e Update kernel headers
e4ba36f7 iplink: add ip-link documentation
5d57e130 iplink: add gro_max_size attribute handling
721435dc tc: u32: add json support in `print_raw`, `print_ipv4`, `print_ipv6`
c733722b tc: u32: add support for json output
5f44590d tc/f_flower: fix indentation
9948b6cb tc_util: fix breakage from clang changes
f4cd4f12 tc: add skip_hw and skip_sw to control action offload
ba5ac984 json_print: suppress clang format warning
bf71c8f2 libbpf: fix clang warning about format non-literal
5632cf69 tunnel: fix clang warning
c0248878 tipc: fix clang warning about empty format string
371c13e8 can: fix clang warning
8d27eee5 ipl2tp: fix clang warning
560d2336 tc_util: fix clang warning in print_masked_type
b2450e46 flower: fix clang warnings
4e27d538 netem: fix clang warnings
9d5e29e6 utils: add format attribute
343c4f52 tc: add format attribute to tc_print_rate
Signed-off-by: Nick Hainke <vincent@systemli.org>
Remove backports:
- 0001-lib-fix-ax25.h-include-for-musl.patch
Changes:
4c424dfd v5.17.0
7846496b link_xfrm: if_id must be non zero
eed4bb1a testsuite: link xfrm delete no if_id test
ac0a54b2 rdma: make RES_PID and RES_KERN_NAME alternative to each other
885e281e uapi: update vdpa.h
19c0def1 ipaddress: remove 'label' compatibility with Linux-2.0 net aliases
1808f002 lib/fs: fix memory leak in get_task_name()
62c0700c uapi: update magic.h
c8d9d925 rdma: Fix the logic to print unsigned int.
a42dfaa4 Revert "rdma: Fix res_print_uint() and add res_print_u64()"
9d0badec rdma: Fix res_print_uint() and add res_print_u64()
86a1452b uapi: update to xfrm.h
09c6a3d2 bridge: Remove vlan listing from `bridge link`
e4fda259 bridge: Fix error string typo
cc143bda lnstat: fix strdup leak in -w argument parsing
90bbf861 iplink_can: print_usage: typo fix, add missing spaces
1b5c7414 dcb: Fix error reporting when accessing "dcb app"
a38d305d tc: fix duplicate fall-through
f8beda6e libnetlink: fix socket leak in rtnl_open_byproto()
7f70eb2a tc_util: Fix parsing action control with space and slash
29da83f8 iprule: Allow option dsfield in 'ip rule show'
07012a1f ss: use freecon() instead of free() when appropriate
03b4de0b man: Fix a typo in the flag documentation of ip address
924f6b4a dcb: app: Add missing "dcb app show dev X default-prio"
5c9571bc uapi: update kernel headers from 5.17-rc1
d542543b tc/action: print error to stderr
52370c61 mptcp: add id check for deleting address
c556f577 dcb: Rewrite array-formatting code to not cause warnings with Clang
0dc5da8e f_flower: fix checkpatch warnings
ffbcb246 netem: fix checkpatch warnings
8bced38a lib: fix ax25.h include for musl
e27bb8e5 uapi: add missing virtio headers
26ff0afa uapi: add missing rose and ax25 files
eb4206ec q_cake: allow changing to diffserv3
db530529 iplink_can: add ctrlmode_{supported,_static} to the "--details --json" output
ac2e9148 Update kernel headers
bb4cc9cc rdma: Don't allocate sparse array
b8767168 rdma: Limit copy data by the destination size
167e33f3 vdpa: Enable user to set mtu of the vdpa device
384938f9 vdpa: Enable user to set mac address of vdpa device
a311f0c4 vdpa: Enable user to query vdpa device config layout
9d8882d5 vdpa: Update kernel headers
5cb7ec0c Update kernel headers and import virtio_net
26113360 mptcp: add support for changing the backup flag
4b301b87 tc: Add support for ce_threshold_value/mask in fq_codel
99d09ee9 bond: add arp_missed_max option
432cb06b mptcp: add support for fullmesh flag
2d777dfe Update kernel headers
a21458fc vdpa: Remove duplicate vdpa UAPI header file
Signed-off-by: Nick Hainke <vincent@systemli.org>
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.
Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.
Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.
Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The re-transmit counters can overflow the 32 bit representation resulting
in negative values being displayed. Background being that the numbers are
treated at some point as signed INT rather than unsigned INT.
Change the counters from 32 bit to 64 bit, should provide sufficient room
to avoid any overflow. Not the nicest solution but it works
Fixes: #10077
Signed-off-by: Roland Barenbrug <roland@treslong.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The change of the PKG_VERSION caused the hash of the package to
change. This is because the PKG_VERSION is present in the
internal directory structure of the archive.
Fixes: e879cccaa2 ("uboot-layerscape: update PKG_HASH")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.
ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.
Wireless example configuration:
option encryption 'psk2+ccmp'
option ppsk '1'
option auth_server '127.0.0.1'
option auth_secret 'radiusServerPassword'
If you want to use dynamic VLAN on PPSK also include:
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.
In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"
<sta mac> Cleartext-Password := "<sta mac>"
Tunnel-Password = <Private Password>
Example of a user configured in radius and using dynamic VLAN5:
8cb84a000000 Cleartext-Password := "8cb84a000000"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 5,
Tunnel-Password = MyPrivPw
If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:
DEFAULT Auth-Type := Accept
Tunnel-Password = SharedPw
And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 6,
Tunnel-Password = SharedPw
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
the hash and timestamp of the remote copy of the archive
has changed since last bump
meaning the remote archive copy was recreated
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Remove upstreamed patches:
- 001-xtables-Call-init_extensions6-for-static-builds.patch
- 002-xtables-Call-init_extensions_a_b.patch
Fix patches:
- 102-iptables-disable-modprobe.patch
Fix warnings in the form of:
xtables.c:475:14: warning: 'get_modprobe' defined but not used [-Wunused-function]
475 | static char *get_modprobe(void)
| ^~~~~~~~~~~~
Backport patches:
- 020-treewide-use-uint-instead-of-u_int.patch
- 030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
- 040-xshared-Fix-build-for-Werror-format-security.patch
- 050-build-fix-error-during-out-of-tree-build.patch
- 060-libxtables-unexport-init_extensions-declarations.patch
Refresh patches:
- 101-remove-check-already.patch
- 102-iptables-disable-modprobe.patch
- 200-configurable_builtin.patch
- 600-shared-libext.patch
- 700-disable-legacy-revisions.patch
Remove from Makefile:
$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
Changelog:
fa0ccdbd configure: bump version for 1.8.8 release
8468fd4f nft: Fix EPERM handling for extensions without rev 0
ce9195c6 extensions: LOG: Document --log-macdecode in man page
404f304d man: *NAT: Review --random* option descriptions
0a538259 extensions: DNAT: Merge core printing functions
a7c2b728 libxtables: Revert change to struct xtables_pprot
fd64a587 libxtables: Drop xtables_globals 'optstring' field
3b8a6a6f xshared: Extend xtables_printhelp() for arptables
8ff84eaf xshared: Move arp_opcodes into shared space
adbfec0b extensions: MARK: Drop extra newline at end of help
1dcfb81e nft: split gen_payload() to allocate register and initialize expression
7e38890c nft: prepare for dynamic register allocation
165cafec nft: pass handle to helper functions to build netlink payload
94309632 nft: native mark matching support
aa92ec96 nft: pass struct nft_xt_ctx to parse_meta()
4c70c42f nft-shared: update context register for bitwise expression
18c96821 extensions: man: Document service name support in DNAT and REDIRECT
72d542b6 extensions: Merge REDIRECT into DNAT
14d77c8a extensions: Merge IPv4 and IPv6 DNAT targets
9621318b extensions: DNAT: Rename from libipt to libxt
2e0c9a40 extensions: ipt_DNAT: Combine xlate functions also
7adef314 extensions: ipt_DNAT: Merge v1/v2 print/save code
3f4f1cf0 extensions: ipt_DNAT: Merge v1 and v2 parsers
070a8626 Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
08c14fa6 man: DNAT: Describe shifted port range feature
24fff5d7 xlate-test: Fix for empty source line on failure
ac4c84cc libxtables: Boost rule target checks by announcing chain names
f58b0d74 libxtables: Implement notargets hash table
b1aee6b2 nft: Reject standard targets as chain names when restoring
b555bfed tests: shell: Fix 0004-return-codes_0 for static builds
c293e116 nft: Review static extension loading
0836524f xtables: Call init_extensions{,a,b}() for static builds
6c689b63 Simplify static build extension loading
0c8e2535 libxtables: Fix for warning in xtables_ipmask_to_numeric
0c0cd434 nft: Don't pass command state opaque to family ops callbacks
b6196c75 xshared: Prefer xtables_chain_protos lookup over getprotoent
07ee529f nft: Speed up immediate parsing
b5f2faea nft: Simplify immediate parsing
17534cb1 Improve error messages for unsupported extensions
2dbb49d1 libxtables: Register only the highest revision extension
07e2107e xshared: Implement xtables lock timeout using signals
a3980769 tests: NFLOG: enable `--nflog-range` tests
b8e8ac27 tests: support explicit variant test result
adb03c3f tests: add `NOMATCH` test result
7a006c7d tests: iptables-test: rename variable
b7f15b42 iptables.8: Describe the effect of multiple -v flags
1407a9c4 tests: iptables-test: Support variant deviation
fc8f7289 nft: cache: Dump rules if debugging
73b91292 nft: Add debug output to table creation
51d9d9e0 ebtables: Support verbose mode
ad1ed75f nft: Set NFTNL_CHAIN_FAMILY in new chains
17ed253f iptables-restore: Support for extra debug output
a761a026 nft: Use verbose flag to toggle debug output
98e69b7e nft: add support for native tcp flag matching
92808bd5 nft-shared: add tcp flag dissection
6aba94ef nft: prefer native expressions instead of tcp match
c034cf31 nft: prefer native expressions instead of udp match
5489493e nft-shared: support native udp port delinearize
5795a1b5 nft-shared: support native tcp port range delinearize
250dce87 nft-shared: support native tcp port delinearize
ea5d45dc extensions: libxt_NFLOG: fix typo
26ecdf53 xshared: Fix response to unprivileged users
b32ae771 build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
05286bab extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
f0d02998 extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
f9df828a extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
62ad29e9 extensions: libxt_NFLOG: don't truncate log prefix on print/save
db99f601 extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
30b178b9 extensions: *NAT: Kill multiple IPv4 range support
7ee5b970 tests: iptables-test: correct misspelt variable
223f02ca nft: fix indentation error.
5c2c2eea ip6tables: Use the shared do_parse, too
9baf3bf0 iptables: Use xtables' do_parse() function
e4f5185d nft: Move proto_parse and post_parse callbacks to xshared
ded7b579 xshared: Store parsed wait and wait_interval in xtables_args
62c3c93d xshared: Move do_parse to shared space
3039a52c xtables: Do not pass nft_handle to do_parse()
ece001c2 xtables: Pass xtables_args to check_inverse()
17abaeb1 xtables: Pass xtables_args to check_empty_interface()
dc8d8fce xtables: Move struct nft_xt_cmd_parse to xshared.h
98a4462f xtables: Pull table validity check out of do_parse()
d83371c7 xtables: Drop xtables' family on demand feature
49aa44ba nft-shared: set correct register value
b129b1cf iptables-*-restore: Drop pointless line reference
316d8efb libxtables: Extend basic_exit_err()
4bff5aef xtables_globals: Embed variant name in .program_version
51e5d293 xshared: Share exit_tryhelp()
56ac0452 xshared: Share a common printhelp function
4149b5d8 xshared: Share print_match_save() between legacy ip*tables
273d88a7 extensions: tcpmss: add iptables-translate support
7213561d xshared: Make load_proto() static
cf14b92b nft-shared: Drop unused function print_proto()
24f30842 xshared: Share print_header() with legacy iptables
a323c283 xshared: Share print_fragment() with legacy
1d73cec0 xshared: Share print_rule_details() with legacy
e5fb9f8e xshared: Share save_ipv{4,6}_addr() with legacy
22f2e1fc xshared: Share save_rule_details() with legacy
766e4872 xshared: Share print_iface() function
b5881e7f nft: Change whitespace printing in save_rule callback
1189d830 xshared: Merge and share parse_chain()
1eab8e83 extensions: hashlimit: Fix tests with HZ=1000
afa525ee xlate-test: Print full path if testing all files
b8d5271d Unbreak xtables-translate
0af80a91 nft: Merge xtables-arp-standalone.c into xtables-standalone.c
142cf724 xtables: arptables accepts empty interface names
ab0a785a xtables: Derive xtables_globals from family
6cf3976e nft-shared: Make nft_check_xt_legacy() family agnostic
832a0e2b nft-arp: Introduce post_parse callback
0aea399d arptables: Use standard data structures when parsing
fe83b12f libxtables: Introduce xtables_globals print_help callback
0687852d xtables-standalone: Drop version number from init errors
dded8ff3 nft: Add family ops callbacks wrapping different nft_cmd_* functions
38e1fe58 xtables: Simplify addr_mask freeing
cfdda180 nft-shared: Introduce init_cs family ops callback
65b150ae xshared: Store optstring in xtables_globals
2e6014c7 nft: Introduce builtin_tables_lookup()
db90ff64 tests: shell: fix bashism
45d8f769 nft: Delete builtin chains compatibly
e865a853 nft-chain: Introduce base_slot field
f9b33967 nft: Check base-chain compatibility when adding to cache
43189612 nft: cache: Avoid double free of unrecognized base-chains
040a15f2 xtables-translate: add missing argument and option to usage
2ed6dc75 tests: iptables-test: Fix conditional colors on stderr
63ab4fe3 ebtables: Avoid dropping policy when flushing
b714d45d iptables-test.py: print with color escapes only when stdout isatty
481626bb tests: shell: Return non-zero on error
7559af83 tests: iptables-test: Exit non-zero on error
c057939d tests: xlate-test: Exit non-zero on error
a8da7186 tests: iptables-test: Print errors to stderr
5166c445 tests: xlate-test: Print errors to stderr
fa78ff15 tests: xlate-test: Don't skip any input after the first empty line
fcbe454b tests: iptables-test: Fix missing chain case
61e85e31 iptables-nft: allow removal of empty builtin chains
544e7dc1 Fix a few doc typos
e438b976 nft: Use xtables_{m,c}alloc() everywhere
ca11c7b7 nft: Use xtables_malloc() in mnl_err_list_node_add()
cf410aa6 extensions: libxt_mac: Fix for missing space in listing
7ae14dc1 iptables-test: Make netns spawning more robust
bef9dc57 extensions: hashlimit: Fix tests with HZ=100
943fbf3e ip6tables: masquerade: use fully-random so that nft can understand the rule
ef7781eb libxtables: exit if called by setuid executeable
8629c53f tests/shell: Assert non-verbose mode is silent
57d1422d nft: Fix for non-verbose check command
26318637 ebtables: Dump atomic waste
765bf04e doc: ebtables-nft.8: Adjust for missing atomic-options
e727ccad xtables: Call init_extensions6() for static builds
9e1fffdf extensions: libxt_multiport: add translation for -m multiport --ports
c8145139 extensions: libxt_conntrack: simplify translation using negation
1c934617 extensions: libxt_tcp: rework translation to use flags match representation
bb01e33d extensions: libxt_connlimit: add translation
62828a6a tests: xlate-test: support multiline expectation
ba863c4b libxtables: extend xlate infrastructure
68ed965b extensions: libxt_string: Avoid buffer size warning for strncpy()
9b85e1ab libxtables: Introduce xtables_strdup() and use it everywhere
ca840c20 extensions: libebt_ip6: Use xtables_ip6parse_any()
084671d5 iptables-apply: Drop unused variable
0729ab37 nft: Avoid buffer size warnings copying iface names
eab75ed3 nft: Avoid memleak in error path of nft_cmd_new()
ffe88f8f libxtables: Fix memleak in xtopt_parse_hostmask()
8bb5bcae extensions: libebt_ip6: Drop unused variables
97fabae7 libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
5818be17 extensions: sctp: Translate --chunk-types option
a61282ec extensions: sctp: Fix nftables translation
556f7044 Use proto_to_name() from xshared in more places
eea68ca8 ebtables-translate: Use shared ebt_get_current_chain() function
9dc50b5b xshared: Merge invflags handling code
3664249f xshared: Eliminate iptables_command_state->invert
f647f61f xtables: Make invflags 16bit wide
616800af extensions: SECMARK: Implement revision 1
1e984079 nft-arp: Make use of ipv4_addr_to_string()
acac2dbe Eliminate inet_aton() and inet_ntoa()
9084ef29 extensions: sctp: Explain match types in man page
a3e81c62 nft: Increase BATCH_PAGE_SIZE to support huge rulesets
fdf64dcd nft: cache: Sort chains on demand only
c5d9a723 fix build for missing ETH_ALEN definition
18d7535d extensions: libxt_conntrack: use bitops for status negation
18e334da extensions: libxt_conntrack: use bitops for state negation
831f57c7 libxtables: Simplify xtables_ipmask_to_cidr() a bit
46f9d3a9 xtables-translate: Fix translation of odd netmasks
330f5df0 nft: Fix bitwise expression avoidance detection
5f1fcace iptables-nft: fix -Z option
c9441657 include: Drop libipulog.h
30c1d443 ebtables: Exit gracefully on invalid table names
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changes
- Add configure commands to alter inventory TLVs
Fixes
- Update seccomp rules for newer kernel/libc
- Correctly handle an interface whose index has changed
- Don't send VLANs when there are too many
Signed-off-by: Nick Hainke <vincent@systemli.org>
Remove upstreamed patches:
- 001-src-nl_extras.h-fix-compatibility-with-libnl-3.3.0.patch
Changes:
- examples: add README with details to the various examples
- examples: af_ieee802154_tx example
- examples: af_ieee802154_rx example
- examples: add af_packet_rx example
- examples: af_inet6_rx example
- examples: af_packet_tx example
- examples: af_inet6_tx example
- examples: add .gitignore file for examples directory
- src/nl_extras.h: fix compatibility with libnl 3.3.0
- wpan-ping: add the support to set wpan-ping interval
- wpan-ping: Add the filtering function for frame receiving
Signed-off-by: Nick Hainke <vincent@systemli.org>
- Use SPDX
- Add PKG_RELEASE
- Change wpan.cakelab.org to linux-wpan.org/wpan-tools.html
- Switch to github.com as PKG_SOURCE_URL
Signed-off-by: Nick Hainke <vincent@systemli.org>
Make sure the 'configure' shell script finds the libintl when linking
the test programs for discovering libpcap and libbpf.
Reported-by: @trippleflux
Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The SDK does not have the LLVM toolchain yet.
Hopefully fixes errors in the form:
xsk_def_xdp_prog.c:4:10: fatal error: 'bpf/bpf_helpers.h' file not found
#include <bpf/bpf_helpers.h>
Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Nick Hainke <vincent@systemli.org>
xdp-tools - Library and utilities for use with the eXpress Data Path:
Fast Programmable Packet Processing in the Operating System Kernel
* libxdp: library for attaching XDP programs and using AF_XDP sockets
* xdp-filter: a simple XDP-powered packet filter
* xdp-loader: an XDP program loader
* xdpdump: tool for capturing packets at the XDP layer
Thanks to Nick @PolynomialDivision Hainke for testing and fixing!
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Adjust
- 100-tcpdump_mini.patch
Remove upstreamed patches:
- 101-CVE-2020-8037.patch
- 102-CVE-2018-16301.patch
Changelog:
Wednesday, June 9, 2021 by gharris
Summary for 4.99.1 tcpdump release
Source code:
Squelch some compiler warnings
ICMP: Update the snapend for some nested IP packets.
MACsec: Update the snapend thus the ICV field is not payload
for the caller.
EIGRP: Fix packet header fields
SMB: Disable printer by default in CMake builds
OLSR: Print the protocol name even if the packet is invalid
MSDP: Print ": " before the protocol name
ESP: Remove padding, padding length and next header from the buffer
DHCPv6: Update the snapend for nested DHCPv6 packets
OpenFlow 1.0: Get snapend right for nested frames.
TCP: Update the snapend before decoding a MPTCP option
Ethernet, IEEE 802.15.4, IP, L2TP, TCP, ZEP: Add bounds checks
ForCES: Refine SPARSEDATA-TLV length check.
ASCII/hex: Use nd_trunc_longjmp() in truncation cases
GeoNet: Add a ND_TCHECK_LEN() call
Replace ND_TCHECK_/memcpy() pairs with GET_CPY_BYTES().
BGP: Fix overwrites of global 'astostr' temporary buffer
ARP: fix overwrites of static buffer in q922_string().
Frame Relay: have q922_string() handle errors better.
Building and testing:
Rebuild configure script when building release
Fix "make clean" for out-of-tree autotools builds
CMake: add stuff from CMAKE_PREFIX_PATH to PKG_CONFIG_PATH.
Documentation:
man: Update a reference as www.cifs.org is gone. [skip ci]
man: Update DNS sections
Solaris:
Fix a compile error with Sun C
Wednesday, December 30, 2020, by mcr@sandelman.ca, denis and fxl.
Summary for 4.99.0 tcpdump release
CVE-2018-16301: For the -F option handle large input files safely.
Improve the contents, wording and formatting of the man page.
Print unsupported link-layer protocol packets in hex.
Add support for new network protocols and DLTs: Arista, Autosar SOME/IP,
Broadcom LI and Ethernet switches tag, IEEE 802.15.9, IP-over-InfiniBand
(IPoIB), Linux SLL2, Linux vsockmon, MACsec, Marvell Distributed Switch
Architecture, OpenFlow 1.3, Precision Time Protocol (PTP), SSH, WHOIS,
ZigBee Encapsulation Protocol (ZEP).
Make protocol-specific updates for: AH, DHCP, DNS, ESP, FRF.16, HNCP,
ICMP6, IEEE 802.15.4, IPv6, IS-IS, Linux SLL, LLDP, LSP ping, MPTCP, NFS,
NSH, NTP, OSPF, OSPF6, PGM, PIM, PPTP, RADIUS, RSVP, Rx, SMB, UDLD,
VXLAN-GPE.
User interface:
Make SLL2 the default for Linux "any" pseudo-device.
Add --micro and --nano shorthands.
Add --count to print a counter only instead of decoding.
Add --print, to cause packet printing even with -w.
Add support for remote capture if libpcap supports it.
Display the "wireless" flag and connection status.
Flush the output packet buffer on a SIGUSR2.
Add the snapshot length to the "reading from file ..." message.
Fix local time printing (DST offset in timestamps).
Allow -C arguments > 2^31-1 GB if they can fit into a long.
Handle very large -f files by rejecting them.
Report periodic stats only when safe to do so.
Print the number of packets captured only as often as necessary.
With no -s, or with -s 0, don't specify the snapshot length with newer
versions of libpcap.
Improve version and usage message printing.
Building and testing:
Install into bindir, not sbindir.
autoconf: replace --with-system-libpcap with --disable-local-libpcap.
Require the compiler to support C99.
Better detect and use various C compilers and their features.
Add CMake as the second build system.
Make out-of-tree builds more reliable.
Use pkg-config to detect libpcap if available.
Improve Windows support.
Add more tests and improve the scripts that run them.
Test both with "normal" and "x87" floating-point.
Eliminate dependency on libdnet.
FreeBSD:
Print a proper error message about monitor mode VAP.
Use libcasper if available.
Fix failure to capture on RDMA device.
Include the correct capsicum header.
Source code:
Start the transition to longjmp() for packet truncation handling.
Introduce new helper functions, including GET_*(), nd_print_protocol(),
nd_print_invalid(), nd_print_trunc(), nd_trunc_longjmp() and others.
Put integer signedness right in many cases.
Introduce nd_uint*, nd_mac_addr, nd_ipv4 and nd_ipv6 types to fix
alignment issues, especially on SPARC.
Fix many C compiler, Coverity, UBSan and cppcheck warnings.
Fix issues detected with AddressSanitizer.
Remove many workarounds for older compilers and OSes.
Add a sanity check on packet header length.
Add and remove plenty of bounds checks.
Clean up pcap_findalldevs() call to find the first interface.
Use a short timeout, rather than immediate mode, for text output.
Handle DLT_ENC files *not* written on the same OS and byte-order host.
Add, and use, macros to do locale-independent case mapping.
Use a table instead of getprotobynumber().
Get rid of ND_UNALIGNED and ND_TCHECK().
Make roundup2() generally available.
Resync SMI list
against Wireshark.
Fix many typos.
Co-Developed-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
driver indicates support for operating channel validation.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
connect even if the STA doesn't send OCI or negotiate PMF.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.
When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.
We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.
Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Support the use of MBO in the bss_transition_request ubus method.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Multi Band Operation is required for 802.11ax certification, so let's
enable it if 802.11ax support is enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Multi Band Operation aka Agile Multiband introduces new Transition
and Transition Rejection Reason Codes that should improve client
steering. Add a config symbol to enable it, and enable it by default for
the full variants.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
9eabf30 Release version 5.18.
2b3ddcb ethtool: fec: Change the prompt string to adapt to current situations
d660dde pretty: add missing message descriptions for rings
aaeb16a pretty: support u8 enumerated types
6b320b8 rings: add support to set/get cqe size
41fddc0 update UAPI header copies
42e6c28 help: fix alignment of rx-buf-len parameter
e1d0a19 ethtool.8: Fix typo in man page
37f0586 Release version 5.17.
8c2984c strset: do not put a pointer to a local variable to nlctx
8fd02a2 ioctl: add the memory free operation after send_ioctl call fails
b9f25ea ethtool: Add support for OSFP transceiver modules
6e79542 features: add --json support
5ed5ce5 Merge branch 'next' into master
b90abbb man: document recently added parameters
51a9312 tunables: add support to get/set tx copybreak buf size
a081c2a rings: add support to set/get rx buf len
d699bab Merge branch 'master' into next
52db6b9 Merge branch 'review/module-extstate' into next
6407b52 monitor: add option for --show-module/--set-module
1f35786 ethtool: Add transceiver module extended state
2d4c5b7 ethtool: Add ability to control transceiver modules' power mode
005908b Update UAPI header copies
Signed-off-by: Nick Hainke <vincent@systemli.org>
Remove backport:
- 001-examples-compile-with-make-check.patch
87fdf683 build: Bump version to 1.0.3
c4ec825b nft: simplify chain lookup in do_list_chain
4f6724f1 intervals: fix compilation --with-mini-gmp
4c20fe95 json: update json output ordering to place rules after chains
57741350 netlink_delinearize: release last register on exit
d6fdb0d8 sets_with_ifnames: add test case for concatenated range
88b2345a segtree: add pretty-print support for wildcard strings in concatenated sets
806ab081 netlink: swap byteorder for host-endian concat data
c224aa6b intervals: deletion should adjust range not yet in the kernel
ea1f1c9f optimize: memleak in statement matrix
0a6dbfce optimize: merge nat rules with same selectors into map
743b0e81 optimize: do not clone unsupported statement
c8b35039 optimize: incorrect logic in verdict comparison
fc4da141 src: fix always-true assertions
d1289bff intervals: set on EXPR_F_KERNEL flag for new elements in set cache
721b9dec tests: add concat test case with integer base type subkey
22b750aa src: allow use of base integer types as set keys in concatenations
3ed9fada intervals: build list of elements to be added from cache
e45b4939 intervals: fix deletion of multiple ranges with automerge
3b7b22ae intervals: add elements with EXPR_F_KERNEL to purge list only
ea31855d netlink: remove unused argument from helper function
48204bd7 intervals: Simplify element sanity checks
ab1b21be intervals: unset EXPR_F_KERNEL for adjusted elements
e0beff27 src: restore interval sets work with string datatypes
3e8d934e intervals: support to partial deletion with automerge
7a6e1604 evaluate: allow for zero length ranges
3da9643f intervals: add support to automerge with kernel elements
7b061e63 mnl: update mnl_nft_setelem_del() to allow for more reuse
fdb8e0ff src: remove rbtree datastructure
81e36530 src: replace interval segment tree overlap and automerge
f1cc44ed src: add EXPR_F_KERNEL to identify expression in the kernel
ad43b84e segtree: add support for get element with sets that contain ifnames
06db2308 segtree: use correct byte order for 'element get'
4c6681a7 tests: add testcases for interface names in sets
5e393ea1 segtree: add string "range" reversal support
2fb4d7ea src: make interval sets work with string datatypes
403936c1 evaluate: string prefix expression must retain original length
ada50f84 segtree: split prefix and range creation to a helper function
ae7d32fc evaluate: keep prefix expression length
d2b23984 evaluate: make byteorder conversion on string base type a no-op
c36ecfc2 tests: py: Add meta time tests without 'meta' keyword
6fa4ff56 tests: py: Don't colorize output if stderr is redirected
f561a0cc tests: monitor: Hide temporary file names from error output
75fea8a5 tests: py: extend meta time coverage
4460b839 meta: fix compiler warning in date_type_parse()
02100978 meta: time: use uint64_t instead of time_t
4e0026dc include: add missing `#include`
ab74fb5b examples: add .gitignore file
bcad4761 tests: py: add inet/vmap tests
214494aa optimize: Restore optimization for raw payload expressions
82762ab6 src: allow to use integer type header fields via typeof set declaration
64bb3f43 src: allow to use typeof of raw expressions in set declaration
ff0f30e3 expression: typeof verdict needs verdict datatype
60f5c107 src: copy field_count for anonymous object maps as well
4cf97abf rule: Avoid segfault with anonymous chains
4e718641 evaluate: init cmd pointer for new on-stack context
1ea71c23 optimize: do not assume log prefix
3f36cc6c optimize: do not merge unsupported statement expressions
19960c8d optimize: incorrect assert() for unexpected expression type
3de1dbd2 optimize: more robust statement merge with vmap
99eb4696 optimize: fix vmap with anonymous sets
e8f0fa21 scanner: Fix for ipportmap nat statements
59d184be scanner: dup, fwd, tproxy: Move to own scopes
069a0450 scanner: meta: Move to own scope
2165324d scanner: at: Move to own scope
a67fce7f scanner: nat: Move to own scope
578467c1 scanner: policy: move to own scope
a1669709 scanner: flags: move to own scope
020372d9 scanner: reject: Move to own scope
543bf3c2 scanner: import, export: Move to own scopes
88105810 scanner: reset: move to own Scope
8a7e430a scanner: monitor: Move to own Scope
e5547017 scanner: rt: Extend scope over rt0, rt2 and srh
04c95f14 scanner: type: Move to own scope
62a95698 scanner: dst, frag, hbh, mh: Move to own scopes
a060d912 scanner: ah, esp: Move to own scopes
4e215fdf scanner: osf: Move to own scope
5166b298 scanner: dccp, th: Move to own scopes
3e04a6e2 scanner: udp{,lite}: Move to own scope
bbdcfbfa scanner: comp: Move to own scope.
232f2c32 scanner: synproxy: Move to own scope
26b53653 scanner: tcp: Move to own scope
f5722119 scanner: igmp: Move to own scope
a7d8cca9 scanner: icmp{,v6}: Move to own scope
5d837d27 src: add tcp option reset support
1d507ce7 build: explicitly pass --version-script to linker
e98a9b83 libnftables.map: export new nft_ctx_{get,set}_optimize API
9eb98b3b tests: add test case for flowtable with owner flag
18a08fb7 examples: compile with `make check' and add AM_CPPFLAGS
Signed-off-by: Nick Hainke <vincent@systemli.org>
Document the ubus methods we added to hostapd so that people don't have
to read code to figure out which methods are available and what they do.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Existing conntracks will continue to be SNATed to 192.0.0.1 even after
464xlat interface gets teared down. To prevent this, matching
conntracks must be killed.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response
Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621
Signed-off-by: David Bauer <mail@david-bauer.net>
11f5c7b fw4.uc: fix zone helper assignment
b9d35ff fw4.uc: don't skip zone for unavailable helper
e35e26b tests: add test for zone helpers
a063317 ruleset: fix conntrack helpers
e1cb763 ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
11410b8 ruleset: reorder declarations & output tweaks
880dd31 fw4: fix skipping invalid IPv6 ipset entries
5994466 fw4: simplify `is_loopback_dev()`
53886e5 fw4: fix crash in parse_cthelper() if no helpers are present
11256ff fw4: add support for configurable includes
3b5a033 tests: add test coverage for firewall includes
d79911c fw4: support sets with timeout capability but without default expiry
15c3831 fw4: add support for `option log` in rule and redirect sections
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Before this change UCI sections of both types were parsed in order as
specified in UCI. That didn't work well with all drivers (e.g. b53).
It seems that VLAN setup can reset / overwrite previously set ports
parameters. It resulted in "switch_port" options defined above
"switch_vlan"s being silently ignored.
Ideally swconfig & all drivers should be improved to handle that
properly but it'd be a waste of time at this point as DSA replaces
swconfig. Use this minor parsing change as a quick fix.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fix hostapd feature detection after the bump to 2022-05-08.
getopt was not updated correctly after upstream added support for -q arg.
This reenables feature detection so that LuCi can check for features like
SAE, fast roaming etc.
Fixes: c35ff1affe ("hostapd: update to 2022-05-08")
Signed-off-by: Robert Marko <robimarko@gmail.com>
7e06706 iw: event: report missing radar events
5909e73 iw: survey: add support for radio stats
64bf570 update nl80211.h
0900996 iw: print Radar background capability if supported
56c6077 iw: print out assoc comeback event
a4e5418 iw: support 160MHz frequency command for 6GHz band
5a71b72 iw: Print local EHT capabilities
e3287a1 station: print EHT rate information
ff67fb2 iw: fix double tab in mesh path header
05a5267 iw: fix 'upto' -> 'up to'
00a2985 iw: handle VHT extended NSS
82e0bd1 update nl80211.h
c95877c info: add missing extended features
0976378 info: refactor extended features
79f20cb bump version to 5.19
Sync nl80211.h with our version of mac80211 and remove parts of the iw
code that are not supported by our version of mac80211.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.
How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.
Fix this and add Hotspot 2.0 capability to hostapd-full.
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the current BSS color to hostapd get_status method. This field is
set to -1 in case BSS color is not active for the BSS.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
In case no specific BSS color is configured, set it to a random value.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.
Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.
Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.
`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.
A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.
This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.
```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 65
DEFAULT Cleartext-Password := "%{User-Name}"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 67
```
Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.
I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.
Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
All known users of this ubus method have been updated to use the new
bss_transition_request method instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2e1fcf4 netifd: fix hwmode for 60g band
39ef9fe interface-ip: fix memory corruption bug when using jail network namespaces
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
210991d fw4: prefer /dev/stdin if available
4e5e322 fw4: make `fw4 restart` behavior more robust
221040e ruleset: emit time ranges when both start and stop times are specified
30a7d47 fw4: fix datetime parsing
fb9a6b2 ruleset: correct mangle_output chain type
6dd2617 fw4: fix logic flaw in testing hw flow offloading support
c7c9c84 fw4: ensure that negative bitcounts are properly translated
c4a78ed fw4: fix typo in emitted set types
Fixes: #9764, #9923, #9927, #9935, #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4b4849cf5e5a interface-ip: unify host and proto route handling
507c0513d176 interface-ip: add support for excluding interfaces in host route lookup
Signed-off-by: Felix Fietkau <nbd@nbd.name>
c22eeef fw4: support negative CIDR bit notation
628d791 hotplug: reliably handle interfaces with ubus zone hints
d005293 fw4: store zone associations from ubus in statefile as well
b268225 fw4: filter non hw-offload capable devices when resolving lower devices
57984e0 fw4: always resolve lower flowtable devices
7782017 tests: fix mocked `fd.read("line")` api
72b196d config: remove restictions on DHCPv6 allow rule
f0cc317 fw4: refactor family selection for forwarding rules
b0b8122 treewide: use modern syntax
05995f1 fw4: fix emitting device jump rules for family restricted zones
b479815 fw4: fix family auto-selection for config nat rules
2816a82 ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
2379c3d tests: add test coverage for zone family selection logic
Fixes: #5066, #9611, #9765, #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.
Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stop the connection when the control daemon is terminated. The code is
a modified version of the termination routine in version 4.23.1 of the
daemon (which doesn't support VR9 modems anymore).
This could also be implemented by calling the acos and acs commands via
dsl_cpe_pipe.sh in the init script. However, doing it in the daemon
itself has the advantage of also working if it is terminated in another
way (for example during sysupgrade).
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.
Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.
Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
92f5e18675bf interface: fix ifname present check in interface status
ef82defaae26 ubus: add active devices to bridger blacklist
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.
Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Replace the tc-full dependency with tc + libnl-tiny
1cd5e12eecdc loader/interface: attach bpf program directly using netlink
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.
Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.
It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
drop the use of LIB_SUFFIX
Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.
Until this upsream is included in a new release, this patch should be
used in Openwrt.
https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Previously libxt_socket.so was included in iptables-mod-tproxy. It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages
Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.
This allows to use tc without libxtables.
The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full
-rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny
They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
/lib/ld-musl-mips-sf.so.1 (0x77d6e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
/lib/ld-musl-mips-sf.so.1 (0x77da6000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
/lib/ld-musl-mips-sf.so.1 (0x77de8000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)
This is based on a patch from Tiago Gaspar.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy
Also libxtables-nft depends on IPTABLES_NFTABLES
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.
Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.
The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.
For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.
For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Contains following changes:
136006b88826 cmake: fix usage of implicit library and include paths
bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret". auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well. In
this case, auth_secret is empty, and the default value of the key can
be computed from the SSID alone.
Fallback to using $key when auth_secret is empty. While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.
This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
As nftables is now the default, ip(6)tables-nft gets higher priority
The removed symlinks ("$(CP)" line) will now be installed by the
ALTERNATIVES mechanism
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."
This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.
To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)
When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies
This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency
The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
chain OUTPUT {
type filter hook output priority filter; policy accept;
ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
}
}
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
795f420 cmis: Rename CMIS parsing functions
369b43a cmis: Initialize CMIS memory map
da16288 cmis: Use memory map during parsing
6acaeb9 cmis: Consolidate code between IOCTL and netlink paths
d7d15f7 sff-8636: Rename SFF-8636 parsing functions
4230597 sff-8636: Initialize SFF-8636 memory map
b74c040 sff-8636: Use memory map during parsing
799572f sff-8636: Consolidate code between IOCTL and netlink paths
9fdf45c sff-8079: Split SFF-8079 parsing function
2ccda25 netlink: eeprom: Export a function to request an EEPROM page
86792db cmis: Request specific pages for parsing in netlink path
6e2b32a sff-8636: Request specific pages for parsing in netlink path
c2170d4 sff-8079: Request specific pages for parsing in netlink path
9538f38 netlink: eeprom: Defer page requests to individual parsers
664586e Merge branch 'review/next/module-mem-map' into master
50fdaec ethtool: Set mask correctly for dumping advertised FEC modes
c5e7133 cable-test: Fix premature process termination
73091cd sff-8636: Use an SFF-8636 specific define for maximum number of channels
837c166 sff-common: Move OFFSET_TO_U16_PTR() to common header file
8658852 cmis: Initialize Page 02h in memory map
27b42a9 cmis: Initialize Banked Page 11h in memory map
340d88e cmis: Parse and print diagnostic information
eae6a99 cmis: Print Module State and Fault Cause
82012f2 cmis: Print Module-Level Controls
d7b1007 sff-8636: Print Power set and Power override bits
429f2fc Merge branch 'review/cmis-diag' into master
32457a9 monitor: do not show duplicate options in help text
c01963e Release version 5.16.
The sizes of the ipk changed on MIPS 24Kc like this:
34317 ethtool_5.15-1_mips_24kc.ipk
34311 ethtool_5.16-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add the nohostroute option as available for gre and wg tunnels to
allow the user to prevent explicit creation of a route to the peer
address.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
OpenWrt plans to move over to firewall4 which uses nftables under the
hood. To allow a smooth migration the package `iptables-nft` offer a
transparent wrapper to apply iptables rules to nftables.
Without the config option for nftables the package isn't installed and
therefore can't be tested. This commit enabled it and therefore provides
the wrapper.
The size of the iptables package increases from 25436 to 26500 Bytes.
Signed-off-by: Paul Spooren <mail@aparcar.org>
0f16ea5 options.c: add DSCP code LE Least Effort
24ba465 firewall3: remove redundant syn check
df1306a firewall3: fix locking issue
3624c37 firewall3: support table load on access on Linux 5.15+
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
9a509d4 ruleset.uc: consolidate ip and ip6 offload
21f311d ruleset.uc: don't trim newline before comment sign
f121383 tests: enable flow offloading in tests
550df40 tests: add test for unknown defaults option
47c5a5b tests: add test for deprecated rule option
69a89d6 tests: add test for unknown rule option
07579df fw4.uc: handle interface zone option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Provide uci-firewall via PROVIDES in both firewall and firewall4. This
will allow us to change the dependency of luci-app-firewall to
uci-firewall, making it possible to use it with either implementation.
Move CONFLICTS from firewall4 to firewall, to solve this recursive
dependency problem:
tmp/.config-package.in:307:error: recursive dependency detected!
tmp/.config-package.in:307: symbol PACKAGE_firewall is selected by PACKAGE_firewall4
tmp/.config-package.in:328: symbol PACKAGE_firewall4 depends on PACKAGE_firewall
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
4ead2a6 treewide: move executables to /sbin
9ebc2f4 fw4.uc: filter duplicates in fw4.set
85b74f3 treewide: support flow offloading
be3b4e6 treewide: support hardware flow offloading
38889b7 treewide: support set timeout
31c7550 fw4.uc: do not skip defaults with invalid option
334a127 fw4.uc: introduce DEPRECATED flag
7a0d38f fw4.uc: add _name as deprecated option
5e7ad3b fw4.uc: don't fail on unknown options
be5f4e3 fw4.uc: allow use of cidr in ipsets
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
The limitation of not being able to use iptables and nft nat at the same
time exists only in kernels before 4.18.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
Recently the hostapd has undergone many changes. The patches were not refreshed.
Refreshed with
make package/hostapd/{clean,refresh}
Refreshed:
- 380-disable_ctrl_iface_mib.patch
- 600-ubus_support.patch
- 700-wifi-reload.patch
- 720-iface_max_num_sta.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
This is required to be able to use flow offloading on devices with
ifnames that start with a digit, like 6in4-wan6.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The build of the manpages needs the pandoc tool, this is not in the
minimal requirements of OpenWrt, just remove the build of the restool
manpage. This fixes the build on systems without pandoc like the OpenWrt build bots.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.
In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.
To allow both possibilities, the following changes are made:
- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).
- If the button is pressed for less than 3 seconds, keep the original
behavior.
- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.
- Add comments explaining both behaviors.
- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).
This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.
[1]: https://github.com/koalaman/shellcheck/wiki/SC2166
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Otherwise, connection setup may fail due to JSON parse error in netifd.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
PIN2 is used only to restrict changing of fixed dialling feature,
does not affect network registration. Therefore explicitly check for
PIN1 state during connection setup, which is required for network
registration.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
This is needed to properly close the control channel.
Otherwise, on the next try the caps call may fail.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.
Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The auto-ht option already kept HT and VHT support, but wasn't updated
to support HE (11ax).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Provide incoming BSS transition queries to ubus subscribers.
This allows external steering daemons to provide clients with
an optimal list of transition candidates.
This commit has no functional state in case no ubus subscriber is
present or it does not handle this ubus message.
To prevent hostapd from sending out a generic response by itself, a
subscribing daemon has to return a non-zero response code to hostapd.
Signed-off-by: David Bauer <mail@david-bauer.net>
Backport a patch to allow extending the ubus BSS-transition method
for specifying individual dialog tokens for BSS transition
management requests.
This is required for handling BSS transition queries in the future.
Signed-off-by: David Bauer <mail@david-bauer.net>
39b584b Revert "dhcpv6: add a minimum valid lifetime for IA_PD updates"
c9578e1 dhcpv6: add support for null IA_PD valid lifetime
ca43ea3 dhcpv6: add a minimum valid lifetime for IA_PD updates
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
5ca5e0b netifd: allow disabling rule/rule6 config sections
8875960 interface-ip: add support for IPv6 prefix invalidation
e589c05 interface-ip: use metric when looking for a route
b54ffde main: fix hotplug script usage message
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This adds a new struct for storing statistics not (yet) tracked by
hostapd regarding RRM and WNM activity.
These statistics can be read using the get_status hostapd interface ubus
method.
Signed-off-by: David Bauer <mail@david-bauer.net>
Revert a commit to allow providing CFLAGS and LIBS from OpenWrt package
Makefile.
This downgrades the nl80211.h to kernel 5.15 and removes FILS_CRYPTO_OFFLOAD.
This is needed to make it compatible with our patched mac80211 from
kernel 5.15
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Among other things, this can be used to auto-configure the DHCP server
address for wireless APs using FILS, if the bridged interface is
configured to DHCP
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add the beacon interval to hostapd status output. This allows external
services to discover the beacon interval for a specific VAP.
This way, external wireless management daemons can correctly calculate
fields containing TBTT value from absolute time-values.
Signed-off-by: David Bauer <mail@david-bauer.net>
If authentication fails repeatedly e.g. because of a weak signal, the link
can end up in blocked state. If one of the nodes tries to establish a link
again before it is unblocked on the other side, it will block the link to
that other side. The same happens on the other side when it unblocks the
link. In that scenario, the link never recovers on its own.
To fix this, allow restarting authentication even if the link is in blocked
state, but don't initiate the attempt until the blocked period is over.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When procd-ujail is available, 1f78538387 runs hostapd as user
"network", with only limited additional capabilities (CAP_NET_ADMIN and
CAP_NET_RAW).
hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
over a named UNIX-domain socket. hostapd_cli is responsible for creating
this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
root, this endpoint is normally created with uid root, gid root, mode
0755. As a result, hostapd running as uid network is able to receive
control messages sent through this interface, but is not able to respond
to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
this message will appear from hostapd:
CTRL: sendto failed: Permission denied
As a fix, hostapd_cli should create the socket node in the filesystem
with uid network, gid network, mode 0770. This borrows the presently
Android-only strategy already in hostapd intended to solve the same
problem on Android.
If procd-ujail is not available and hostapd falls back to running as
root, it will still be able to read from and write to the socket even if
the node in the filesystem has been restricted to the network user and
group. This matches the logic in
package/network/services/hostapd/files/wpad.init, which sets the uid and
gid of /var/run/hostapd to network regardless of whether procd-ujail is
available.
As it appears that the "network" user and group are statically allocated
uid 101 and gid 101, respectively, per
package/base-files/files/etc/passwd and USERID in
package/network/services/hostapd/Makefile, this patch also uses a
constant 101 for the uid and gid.
Signed-off-by: Mark Mentovai <mark@moxienet.com>
[refreshed patch]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fix the return value, shell return codes should be 0 to indicate success
(i.e. mount point found), 1 should be failure (i.e. mount point not-found).
Fixes: ac4e8aa ("dnsmasq: fix more dnsmasq jail issues")
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
68961a555e42 ubus: drop dnsmasq check for dns_result method
1ca3e26b8169 bpf: refactor code to support explicit opt-in for bulk+prio detection
3f0acf039f41 bpf: move flow prio/bulk detection config into a separate data structure
bc54c97e3333 map, bpf: create a separate map for configured dscp classes
46cf3eae2d99 bpf: fix bulk flow detaction
88f1db7dd611 bpf: fix priority flow detection
b5dec7874373 bpf: remove access to skb->gso_size
e728a319a9a5 interface: unify status, always include ifname, ingress, egress
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Since sqm-scripts and qos-scripts packages are in the same category as qosify,
the firsts being in the Base System category, I find it understandable to move
the latter to Base System instead of network section.
Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
19aae94 [build: avoid rebuilds of unset VARIANT packages] builds
packages defined without a VARIANT only once, using the first VARIANT
defined in the Makefile.
This caused problems with wpa-cli, as it is only built for variants that
include supplicant support, and the first VARIANT defined may not build
it.
The same happens to hostapd-utils, which is not built for
supplicant-only variants.
To circumvent this, set VARIANT=* for both packages so that they get
built for every defined variant. This should not cause spurious
rebuilds, since tey are not a dependency of any other package defined in
this Makefile.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
eb0a3ee fw4.uc: Do not quote port ranges
c5a8e3e tests: adapt test to new ICMP print logic
Also start using $(AUTORELEASE)
Signed-off-by: Paul Spooren <mail@aparcar.org>
from https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
changes since 5.14.0:
ad3a118f rdma: Fix SRQ resource tracking information json
7a235a10 man: devlink-port: fix pfnum for devlink port add
229eaba5 uapi: pickup fix for xfrm ABI breakage
a500c5ac lib/bpf: fix map-in-map creation without prepopulation
7c032cac man: devlink-port: remove extra .br
04ee8e6f man: devlink-port: fix style
14802d84 man: devlink-port: fix the devlink port add synopsis
897772a7 cmd: use spaces instead of tabs for usage indentation
e7a98a96 mptcp: unbreak JSON endpoint list
2f5825cb lib: bpf_legacy: fix bpffs mount when /sys/fs/bpf exists
d756c08a tc/f_flower: fix port range parsing
92e32f77 uapi: updates from 5.15-rc1
e7e0e2ce iptuntap: fix multi-queue flag display
deef844b man: ip-link: remove double of
a3272b93 configure: restore backward compatibility
ceba5930 tree-wide: fix some typos found by Lintian
7a705242 ip: remove leftovers from IPX and DECnet
8ab1834e uapi: update headers from 5.15 merge
6d0d35ba ip/bond: add lacp active support
926ad641 Update kernel headers
c730bd0b ip/tunnel: always print all known attributes
df8912ed ipioam6: use print_nl instead of print_null
7e7270bb tc/skbmod: Introduce SKBMOD_F_ECN option
86c596ed IOAM man8
2d83c710 New IOAM6 encap type for routes
f0b3808a Add, show, link, remove IOAM namespaces and schemas
acbdef93 Import ioam6 uapi headers
2d6fa30b Update kernel headers
508ad89c ipneigh: add support to print brief output of neigh cache in tabular format
* update patch 170-ip_tiny.patch to accomodate ioam.
Signed-off-by: Russell Senior <russell@personaltelco.net>
0750f2b4d329 README: dnsmasq integration is complete
8e48d0b0cbba bpf: add initial support for splitting map dscp value into ingress and egress
bfc2cafe2a8c map: add support for defining aliases
Signed-off-by: Felix Fietkau <nbd@nbd.name>
We can't use booleans, since we're not including stdbool.h. Use integers
instead.
Fixes: 0b79e7c01e ("dnsmasq: generate the dns object name dynamically")
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
dnsmasq may call hotplug.dhcp, hotplug.neigh and hotplug.tftp.
Only the first two callees were listed in the ACL, so add missing
hotplug.tftp.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
A set of tags can be specified for --dhcp-host option to restrict the
assignment to the requests which match all the tags.
Example usage:
config vendorclass
option networkid 'udhcp'
option vendorclass 'udhcp'
config host
option mac '*:*:*:*:*:*'
list match_tag 'switch.10'
list match_tag 'udhcp'
option ip '192.168.25.10'
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Now that wildcard matching is supported, this makes it easier for packages
to supply their own qosify rules
Signed-off-by: Felix Fietkau <nbd@nbd.name>
737970946bc0 map: default to fnmatch matching for dns patterns. support regex via leading /
b56b112e62e2 ubus: fix crash caused by missing static keyword
3a420e272c18 qosify: support wildcards in classifier filenames
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2ca7352543da map: make a helper function for freeing entries
411432ec853b map: add support for adding dns regex patterns
14803cb559d8 ubus: remove unused enum
a0740172eda6 ubus: add api for providing dns lookup results for dns regex rules
406fbf478e87 ubus: add support for dynamically adding dns based rules
5fc91183d60a README: mention dns regex entries
3ed8c3eb1a3b README: document mapping file syntax
91ce2e77d302 map: introduce low effort codepoint from RFC8622
5ff14acca0e7 interface: enable NAT on interfaces by default
e70f70e496d7 README: fix typo
f25ded617478 README: fix another typo
675238bc2ce5 loader: always reinitialize programs
010eea0d98c3 map: improve timeout handling of IP entries
7ef54a7f04a0 map: add DF codepoint
6f7fbe698555 map: increase active timeout to 300
60e06a579a13 qosify-bpf: inline check_flow() to ensure that it is jited
f5ae89e8d869 ubus: subscribe to dnsmasq.dns for dns lookup results
Signed-off-by: Felix Fietkau <nbd@nbd.name>
e303ba8 uqmi: update code generator
7880de8 uqmi: sync data from libqmi project
d647f8d uqmi: add more diagnostics commands
6f95626 uim: add --uim-get-sim-state
Use newly introduce --uim-get-sim-state command to query PIN status
from modems which require using uim instead of dms command for that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Build the tc-mod-iptables before the tc-tiny and tc-full packages.
This avoids unnecessary package rebuild when calling make back to back.
Before this change, tc-mod-iptables will be built after the main tc
binary packages.
Both tc-tiny and tc-full depend on tc-mod-ipables. If make is called
after the packages are already built, it will check the timestamps of
both packages, and will rebuild the main binaries, since the module
package will be newer than the tc package.
Calling BuildPackage,mod-iptables first ensures that its variant gets
built before the other packages' variants.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Package hostapd-common is a dependency of every other package defined in
hostpad Makefile. It is currently built next to the bottom of that
Makefile's package list.
If you run make back to back, then check-compile will compare the
hostapd-common timestamp to the variant being compiled, to decide if the
varint needs to be rebuilt or not. Since the hostapd-conf package is
built towards the end of the list, it will be newer than most of the
variants, causing unnecessary package rebuilds.
Move it to the top, so that its timestamp will be older than dependent
packages, avoiding unnecessary rebuild of every selected variant.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
qosify is simple daemon for setting up and managing CAKE along with a custom
eBPF based classifier that sets DSCP fields of packets.
It is configured via UCI and it supports the following features:
- simple TCP/UDP port based mapping
- IP address based mapping
- priority boosting based on average packet size
- bulk flow detection based on number of packets per second
- dynamically add IP entries with timeout
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Commit a2fcd3900c ("dnsmasq: improve init script") broke the existing
handling for hosts_dir. Remove the redundant mount again to fix it.
Reported-by: Hartmut Birr <e9hack@gmail.com>
Fixes: a2fcd3900c ("dnsmasq: improve init script")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* fix restart in LuCI (inherited umask was to restrictive)
* make directory of hosts-file (!= /tmp) accessible in ujail
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* SSH agent forwarding might cause security issues, locally and on the jump
machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to
completely disabling it.
* separate options for client and server
* keep it enabled by default
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
The 'madvise', syscall is missing.
Found with 'utrace /usr/sbin/umdns' on an R7800 and RT3200.
Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>