From the upstream repo:
Instead of assuming only one register is used, track all 16 regs
individually.
This avoids need for the 'PREV_PAYLOAD' hack and also avoids the need to
clear out old flags:
When we see that register 'x' will be written to, that register state is
reset automatically.
Existing dissector decodes
ip saddr 1.2.3.4 meta l4proto tcp
... as
-s 6.0.0.0 -p tcp
iptables-nft -s 1.2.3.4 -p tcp is decoded correctly because the expressions
are ordered like:
meta l4proto tcp ip saddr 1.2.3.4
|
... and 'meta l4proto' did clear the PAYLOAD flag.
The simpler fix is:
ctx->flags &= ~NFT_XT_CTX_PAYLOAD;
in nft_parse_cmp(), but that breaks dissection of '1-42', because
the second compare ('cmp lte 42') will not find the
payload expression anymore.
This commit fixes#11169 and openwrt/packages#22727, and potentially anyone that uses iptables-nft legacy support.
Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16504
[Added patch header]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 44b1993f76)
Because these capability advertisements default to on in lldpd, they
became absent at reload, and not restart, due to how the reload logic
works ( keep daemon running, send unconfigured and then the new config
via socket ), and it was not evident unless you happened to be looking
for it (e.g. via pcap or tcpdump). It was also not evident from the
manpage ( have now sent patches upstream ).
At reload time, the unconfigure logic disabled them unless they were
explicitly enabled (compare with other settings where 'unconfigure' just
resets them). Now they default to on/enabled at init time, and are
explicitly 'unconfigure'd at startup if the user disables them via:
lldp_mgmt_addr_advertisements=0
lldp_capability_advertisements=0
In other words: explicit is necessary to disable the advertisements.
The same applies to 'configure system capabilities enabled'. Technically
'unconfigure'd is the default but now it is explicit at reload.
Tested on: 23.05.3
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
(cherry picked from commit 708101c141)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
For interface type parameters, the man page documents patterns:
```
*,!eth*,!!eth1
uses all interfaces, except interfaces starting with "eth",
but including "eth1".
```
* Renamed `_ifname` to `_l2dev`.
* get the l2dev via network_get_physdev (and not l3dev)
* Glob pattern `*` is also valid - use noglob for this
The net result is that now interface 'names' including globs '*' and '!'
inversions are included in the generated lldpd configs.
Temporarily `set -o noglob` and then `set +o noglob` to disable & enable
globbing respectively, because when we pass `*` as an interface choice,
other file and pathnames get sucked in from where the init script runs,
and the `*` never makes it to lldpd.
Tested extensively on: 22.03.6, 23.05.3
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
[ squash with commit bumping release version ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4a81d868db)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Defaults to off.
Available from >= 0.7.15
These are sent in TLV
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
(cherry picked from commit 50021d3222)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Defaults to off.
Only available from >= 1.0.15
These capabilities are sent in TLV.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
(cherry picked from commit 4d8f56bd59)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
only available from >= 1.0.15
Comments are useful. Apparently this config parameter was committed when
openwrt used an older version of lldpd which did not yet support it.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
(cherry picked from commit b476917502)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
No functionality/behaviour changes; code is synonymous
Tested on: 22.03.6
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 5364fe0f01)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
For certain lldp_class scenarios (2 & 3) a policy must be set also.
Class 4 is default, although it's good to handle the policy eventuality.
Here, set a default lldp_policy for all lldp_class scenarios. Any
lldp_policy can now be set.
Depends on PR #14584 (which introduced an `if` block)
Tested on 22.03.5, 22.03.6
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 497fafb8ae)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Previously only partially implemented. After commit
5007f488bb lldp_location was never removed
Now, add the value of lldp_location to the generated config.
The location param has a few syntaxes, so the config acquires the first
usage from the man page: 'address country EU'
Supplementary fix for PR #14193 (this param was included in the original
PR #13018 but the lldp_location fixes were absent from PR #14193).
Tested on 22.03.5, 22.03.6
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 53252eeb3b)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
from commit 3ce909914a
The lldpd man page says that "configure lldp tx-interval" can
specify an interval value in milliseconds by appending a "ms" suffix to
the figure. Thus mandating string handling, and not integer comparison.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 79ee4cb039)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
from commit 909f063066
Now pass two params to get_config_cid_ifaces() for:
cid_interface
interface
Each of which is a CSV of interfaces.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 228d4e7f1b)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
from commit ac771313eb
portidsubtype takes 1 of 2 possible keywords which do not need quoting:
configure lldp portidsubtype ifname | macaddress
The third keyword 'local' is used in the syntax when individual ports
are being defined:
configure [ports ethX [,…]] lldp portidsubtype local value
When this syntax is used, quoting is useful (see test cases for lldpd).
In the init file, the 'local' syntax is unused.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit bd1b17d589)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
from commit c98ee4dbb3
agent-type takes 1 of 3 possible keywords which do not require quoting:
configure lldp agent-type nearest-bridge | nearest-non-tpmr-bridge
| nearest-customer-bridge
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 24a4da527f)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
from commit 3ce909914a
'capabilities enabled x' where x is a string of CSV
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit b039641071)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
allow EDP support if compiled and add force EDP option
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit d274867c21)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
prevent SNMP options being passed unless lldpd supports them
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 8b2d02e48c)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
increment Makefile package release to reflect changes to init script
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 1b36d44323)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to set LLDP transmit delay, hold timers to set update frequency
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit a5f715da71)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to override system platform instead of using kernel name
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 4159acceeb)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to force SONMP to be enabled even when no peer detected
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 4ac134aa78)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to force FDP when no peers detected
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 1be2088a52)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to specify CDPv1 or CDPv2 and separately enable or force each
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit b67182008f)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to allow LLDP disabling while using other supported protocols
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 61dbe756d8)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option portidsubtype to correct port identifiers and descriptions
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit ac771313eb)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to set agent-type to control propogation
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit c98ee4dbb3)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to enable LLDP MED fast-start and set fast-start timer
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 24176a6bdd)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to disable LLDP-MED inventory TLV transmission
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 1753498b01)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add option to disable advertising kernel version
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 058f284b1a)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
add filter option to init script.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit ac3ed75309)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 064b4999ad)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit e483c247dc)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
allow to overwrite the detected system capabilities e.g. if devices
does not operate as bridge.
Signed-off-by: Sebastian Pflieger <sebastian@pflieger.email>
(cherry picked from commit 3ce909914a)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
This patch fixes the list delimiter between 3GPP networks
passed to hostapd.
> list iw_anqp_3gpp_cell_net '262,001'
> list iw_anqp_3gpp_cell_net '262,002'
When passing a list of "iw_anqp_3gpp_cell_net" parameters via UCI,
hostapd would crash at startup:
> daemon.err hostapd: Line 73: Invalid anqp_3gpp_cell_net: 262,001:262,002
Using a semicolon as a delimiter, hostapd will start as expected.
Signed-off-by: Sarah Maedel <git@tbspace.de>
(cherry picked from commit 8de185a176)
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db7f70fe61)
On some setup failures, iface->bss can be NULL
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1ee5b7e506)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The data is modified within hostapd_add_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 032d3fcf7a)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update the nl80211.h file in iw with the version from backports.
The files were out of sync already before the mac80211 update. If iw set
the NL80211_ATTR_WIPHY_ANTENNA_GAIN attribute the kernel assumed it set
the NL80211_ATTR_PUNCT_BITMAP attribute because the id was the same.
Link: https://github.com/openwrt/openwrt/pull/15827
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 68e4cc9be5)
