Commit Graph

3964 Commits

Author SHA1 Message Date
Baptiste Jonglez
ef597b026b firewall: config: drop input traffic by default
This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are setup, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2022-11-01 23:25:39 +01:00
Hauke Mehrtens
5c70b19c42 iwinfo: update to the latest version
00aab87 Correctly identify key management algorithms starting with "FT-"

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-11-01 18:04:39 +01:00
Hans Dedecker
63db906516 odhcpd: update to git HEAD
a92c0a7 dhcpv6-ia: make tmp lease file hidden
4a673e1 fix null pointer dereference for INFORM messages
860ca90 odhcpd: Support for Option NTP and SNTP

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-10-31 17:56:10 +01:00
Roland Barenbrug
cc5d8ae427 ltq-vdsl-vr9-app: extend ubus call to provide DSL statistics
Adding a new method to `ubus call dsl` to retrieve DSL statistics
used to feed the DSL charts (bit allocation, SNR, QLN and HLOG)

Signed-off-by: Roland Barenbrug <roland@treslong.com>
[fix pointer error, clean up]
Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-10-30 23:14:45 +01:00
Roland Barenbrug
5787e0c9fe ltq-vdsl-vr9-app: skip invalid line status values
DSL_G997_LineStatusData_t defines special invalid values, skip these
metrics.

Signed-off-by: Roland Barenbrug <roland@treslong.com>
[split patch]
Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-10-30 23:14:45 +01:00
Nick Hainke
0dfe1d2175 iproute2: update to 6.0.0
Release Notes:
https://lore.kernel.org/netdev/20221004082610.56b04719@hermes.local/t/

Remove upstreamed patch:
- 010-ipstats-Add-param.h-for-musl.patch

Refreshed:
- 140-keep_libmnl_optional.patch
- 145-keep_libelf_optional.patch
- 150-keep_libcap_optional.patch
- 155-keep_tirpc_optional.patch
- 170-ip_tiny.patch
- 190-fix-nls-rpath-link.patch
- 200-drop_libbsd_dependency.patch
- 300-selinux-configurable.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 22:50:36 +02:00
Nick Hainke
5479281c72 thc-ipv6: update to 3.8
Remove upstreamed patches:
- 000-cflags_override.patch

Manually refresh patches:
- 100-no-ssl.patch

Add patches:
- 101-remove-march-native.patch

Add THC_APPLETS:
- toobigsniff6
- flood_unreach6
- connect6

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Petr Štetiar
a80e198cd3 wireless-tools: add package CPE ID
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-19 21:40:23 +02:00
Nick Hainke
7129d1e9c9 ethtool: update to 6.0
Release Notes:
https://lwn.net/Articles/910841/

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-18 15:09:23 +02:00
Jo-Philipp Wich
5e2e048c0e firewall4: update to latest Git HEAD
7ae5e14 fw4: gracefully handle `null` return values from `fd.read("line")`

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-10-18 09:50:05 +02:00
Glen Huang
1bd63df263 uhttpd: use acme hotplug
Reload uhttpd after certificates are renewed with acme.

Reviewed-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Glen Huang <i@glenhuang.com>
2022-10-18 08:38:07 +02:00
Jo-Philipp Wich
cb24be47ff firewall4: update to latest Git HEAD
4fbf6d7 ruleset.uc: log forwarded traffic not matched by zone policies
c7201a3 main.uc: reintroduce set reload restriction
756f1e2 ruleset: fix emitting set_mark/set_xmark rules with masks
3db4741 ruleset: properly handle zone names starting with a digit
43d8ef5 fw4: fix formatting of default log prefix
592ba45 main.uc: remove uneeded/wrong set reload restrictions
b0a6bff tests: fix testcases
145e159 fw4: recognize `option log` and `option counter` in `config nat` sections
ce050a8 fw4: fall back to device if l3_device is not available in ifstatus

Fixes: #10639, #10965
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-10-15 00:39:48 +02:00
Felix Fietkau
735f5f18dd iwinfo: update to the latest version
0496c722f1d7 nl80211: fix issues with renamed wiphy and multiple phy per device

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:07 +02:00
Nick Hainke
e5cab973a4
hostapd: add measurement report value for beacon reports
Add the measurement report value to the beacon reports send via ubus. It
is possible to derive from the measurement report if a station refused to
do a beacon report and why. It is important to know why a station refuses
to do a beacon-report. In particular, we should not request a beacon
report from a station again that refused a beacon-report before.

The rejection reasons can be found by looking at the bits defined by:
- MEASUREMENT_REPORT_MODE_ACCEPT
- MEASUREMENT_REPORT_MODE_REJECT_LATE
- MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE
- MEASUREMENT_REPORT_MODE_REJECT_REFUSED

Suggested-by: Ian Clowes <clowes_ian@hotmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-13 16:53:37 +02:00
Lech Perczak
df08849c00 odhcp6c: respect 'delegate' option for 464XLAT sub-interface
dhcpv6.script contained support for disabling prefix delegation of 464XLAT
sub-interface, but netifd protocol handler was missing the required
export to disable this. Add missing export, akin to DS-Lite and MAP.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2022-10-09 19:08:36 +02:00
Daniel Cousens
3bd04767ba
build: prefer HTTPS if available (for packages)
Changes PKG_SOURCE_URL's for arptables, bsdiff, dnsmasq,
fortify-headers, ipset, ipset-dns, libaudit, libpcap, libressl,
lua, lua5.3, tcpdump and valgrind, to HTTPS

Signed-off-by: Daniel Cousens <github@dcousens.com>
2022-10-05 17:37:07 +02:00
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
Manas Sambhus
3e2ea10e5e
qos-scripts: fix trailing whitespace in config files
Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:46 +02:00
Manas Sambhus
0ca634e9ef
qos-scripts: replace modprobe by rmmod
modprobe -r is not available on all platforms, hence use rmmod

Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:45 +02:00
Manas Sambhus
db0c0a31d8
ppp: use modprobe in place of insmod
This will prevent `module is already loaded` lines from
appearing in the logs when a PPP connection is reconnecting

Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:42 +02:00
Kevin Darbyshire-Bryant
582c098c09 nftables: backport fix to interval based rules
'rule inet dscpclassify dscp_match  meta l4proto { udp }  th dport { 3478 }
 th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with
'nft add', but not 'nft insert', the latter yields:
"BUG: unhandled op 4".

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-09-26 18:02:15 +01:00
Felix Fietkau
c787962e1d iwinfo: update to the latest version
46f04f3808e8 devices: add MediaTek MT7986 WiSoC
b3e08c8b5a8f ops: make support for wireless extensions optional
1f695d9c7f82 nl80211: allow phy names that don't start with 'phy'
b7f9f06e1594 nl80211: fix phy/netdev index lookup
4a43b0d40ba5 nl80211: look up the phy name instead of assuming name == phy<idx>

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-22 15:26:58 +02:00
Felix Fietkau
8cb995445a hostapd: add ubus notification on sta authorized
Also include the station auth_type in the ubus and log message in order
to detect, if clients used FT or FILS to associate

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-22 15:26:58 +02:00
Felix Fietkau
6eeb5d4564 kernel: disable wireless extensions only when needed
They are only needed by a few very old drivers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-22 15:26:58 +02:00
Daniel Golle
3cee396bf8 xdp-tools: update to version 1.2.8
82628d8 libxdp: Fix resource leaks
 7fb0af0 libxdp: always clone program fd before taking ownership of it
 d8cd007 headers: Update kernel btf.h header file
 2265125 (tag: v1.2.7) xdp-filter: Update examples in documentation
 2b65008 libxdp: Fix libxdp compilation error
 2387514 xsk: remove unused variable outstanding_tx
 00b5a95 Fix section names in xsk programs
 d4ff1f9 (tag: v1.2.8) Bump TOOLS_VERSION to 1.2.8

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-20 04:33:12 +01:00
David Bauer
94037ab6b0 hostapd: update to 2022-07-29
b704dc72e tests: sigma_dut and updated ConfResult value for Configurator failures
89de431f2 DPP: Add config response status value to DPP-CONF-SENT
10104915a tests: sigma_dut and DPP PB session overlap
80d5e264c Enhance QCA vendor roam event to indicate MLO links after reassociation
662249306 Update copyright notices for the QCA vendor definitions
8adcdd659 tests: Temporary workaround for dpp_chirp_ap_5g
ddcd15c2d tests: Fix fuzzing/sae build
7fa67861a tests: Fix p2p_channel_avoid3
ee3567d65 tests: Add more time for scan/connection
1d08b238c nl80211: Allow more time for the initial scan with 6 GHz
ac9e6a2ab tests: Allow 6 GHz opclasses in MBO checks
faf9c04cb Remove a host of unnecessary OPENSSL_IS_BORINGSSL ifdefs
b9cd5a82f Always process pending QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH data
ef4cd8e33 QoS: Use common classifier_mask for ipv4/ipv6
93be02592 Add fixed FDD mode to qca_btc_chain_mode QCA vendor attribute
e7cbfa1c1 tests: sigma_dut and DPP Enrollee unsupported curves
5565fbee2 DPP: Check Enrollee supported curves when building Config Response
ceae05cec tests: sigma_dut and DPP MUDURL setting for hostapd
4cfb484e9 DPP: Allow dpp_controller_start without arguments in CLIs
c97000933 Fix ifdef condition for imsi_privacy_cert
2a9a61d6c tests: SAE with extended key AKM
e35f6ed1d tests: More detailed report on SAE PMKSA caching error case
f70db167a SAE: Derive a variable length PMK with the new AKM suites
91010e6f6 SAE: Indicate AKM suite selector in commit for new AKM suites
e81ec0962 SAE: Use H2E unconditionally with the new AKM suites
f8eed2e8b SAE: Store PMK length and AKM in SAE data
9dc4e9d13 SAE: EAPOL-Key and key/MIC length information for the new AKM suites
a32ef3cfb SAE: Driver capability flags for the new SAE AKM suites
91df8c9c6 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
5c8a714b1 SAE: Use wpa_key_mgmt_sae() helper
5456b0f26 Define new RSN AKM suite selector values
def33101c DPP: Clear push button announcement state on wpa_supplicant FLUSH
35587fa8f tests: DPP Controller/Relay with need to discover Controller
d22dfe918 DPP: Event message for indicating when Relay would need a Controller
ca7892e98 tests: DPP Relay and adding/removing connection to a Controller
bfe3cfc38 DPP: Allow Relay connections to Controllers to be added and removed
808834b18 Add a comparison function for hostapd_ip_addr
f7763880b DPP: Advertise Configurator connectivity on Relay automatically
ff7cc1d49 tests: DPP Relay and dynamic Controller addition
ca682f80a DPP: Dynamic Controller initiated connection on Relay
d2388bcca DPP: Strict validation of PKEX peer bootstrapping key during auth
a7b8cef8b DPP3: Fix push button boostrapping key passing through PKEX
69d7c8e6b DPP: Add peer=id entry for PKEX-over-TCP case
b607d2723 tests: sigma_dut and DPP PB Configurator in wpa_supplicant
1ff9251a8 DPP3: Push button Configurator in wpa_supplicant
b94e46bc7 tests: PB Configurator in wpa_supplicant
ca4e82cbf tests: sigma_dut DPP/PKEX initiator as Configurator over TCP and Wi-Fi
e9137950f DPP: Recognize own PKEX Exchange Request if it ends up being received
692956446 DPP: Note PKEX code/identifier deletion in debug log
dfa9183b1 tests: DPP reconfig after Controller-initiated operation through Relay
ae4a3a6f6 DPP: Add DPP-CONF-REQ-RX event for Controller
17216b524 tests: sigma_dut DPP/PKEX initiator as Configurator (TCP) through Relay
fb2937b85 DPP: Allow Controller to initiate PKEX through Relay
15af83cf1 DPP: Delete PKEX code and identifier on success completion of PKEX
d86ed5b72 tests: Allow DPP_PKEX_REMOVE success in dpp_pkex_hostapd_errors
0a4f391b1 tests: sigma_dut and DPP Connector Privacy
479e412a6 DPP3: Default value for dpp_connector_privacy
7d12871ba test: DPP Private Peer Introduction protocol
148de3e0d DPP3: Private Peer Introduction protocol
786ea402b HPKE base mode with single-shot API
f0273bc81 OpenSSL: Remove a forgotten debug print
f2bb0839f test: DPP 3rd party config information
68209ddbe DPP: Allow 3rd party information to be added into config object
0e2217c95 DPP: Allow 3rd party information to be added into config request obj
3d82fbe05 Add QCA vendor subcommand and attributes for SCS rule configuration
16b62ddfa QCA vendor attribute for DBAM configuration
004b1ff47 tests: DPP Controller initiating through Relay
451ede2c3 DPP: Allow AP/Relay to be configured to listed for new TCP connections
248654d36 tests: sigma_dut DPP PB test cases
697b7d7ec tests: DPP push button
7bbe85987 DPP3: Allow external configuration to be specified on AP for PB
8db786a43 DPP3: Testing functionality for push button announcements
37bccfcab DPP3: Push button bootstrap mechanism
a0054fe7c Add AP and STA specific P802.11az security capabilities (vendor command)
159e63613 QCA vendor command for CoAP offload processing
3b7bb17f6 Add QCA vendor attribute for TIM beacon statistics
09a281e52 Add QCA vendor interface for PASN offload to userspace
809fb96fa Add a vendor attribute to configure concurrency policy for AP interface
a5754f531 Rename QCA_NL80211_VENDOR_SUBCMD_CONCURRENT_MULTI_STA_POLICY
085a3fc76 EHT: Add 320 channel width support
bafe35df0 Move CHANWIDTH_* definitions from ieee80211_defs.h to defs.h
92f549901 tests: Remove the 80+80 vs. 160 part from wpa2_ocv_ap_vht160_mismatch
c580c2aec tests: Make OCV negative test error cases more robust
3c2ba98ad Add QCA vendor event to indicate driver recovery after internal failures
6b461f68c Set current_ssid before changing state to ASSOCIATING
8dd826741 QCA vendor attribute to configure direct data path for audio traffic
504be2f9d QCA vendor command support to get WLAN radio combinations
d5905dbc8 OCV: Check the Frequency Segment 1 Channel Number only on 80+80 MHz

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-09-20 01:15:36 +02:00
David Bauer
5110cf7ebd hostapd: don't select indoor channel on outdoor operation
Don't select channels designated for exclusive-indoor use when the
country3 element is set on outdoor operation.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-09-18 03:58:54 +02:00
Andre Heider
1afd0fefd2 ltq-[a|v]dsl-app: provide ltq-dsl-app
This makes it easier for packages to depend on any
lantiq/intel/maxlinear compatible dsl daemon.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-09-17 17:39:23 +02:00
Andre Heider
33e2115fe4 ltq-vdsl-app: rename to ltq-vdsl-vr9-app
This matches the scheme used by other target packages and will avoid
confusion with any future version.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-09-17 17:39:23 +02:00
Andre Heider
07536cff51 lantiq: rename ltq-vdsl folder to ltq-vdsl-vr9
Now PKG_NAME matches the folder name, and this will avoid confusion with
any future version.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-09-17 17:39:23 +02:00
Felix Fietkau
2b1e651178 unetd: add missing init script
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-16 22:02:28 +02:00
Felix Fietkau
51c727e268 unetd: update to the latest version
e065a7627a46 pex: update last query sent timestamp
6c888f897862 unet-cli: add stun server list editing support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-16 21:58:07 +02:00
Felix Fietkau
40874f0934 unetd: update to the latest version
21360a1b1ce6 cli: fix typo
abfebece0af1 wg-linux: ship a copy of linux/wireguard.h
1cbb1a543cb3 pex: reduce unnecessary ping traffic
0c2f39e52d5d pex: remove pex event debug spam
dcf1362c2104 pex: add support for sending/receiving global PEX messages via unix socket
df5f70b8858c ubus: notify on network updates
e58a56697131 add DHT discovery service
be175767bc67 pex: keep active pex hosts after the specified timeout
543e4a3d2ed7 pex: move rx header check to callback function
395659b9c415 pex: move raw ip send code to sendto_rawudp() in utils.c
dda15ea8b3b2 pex: add utility function to get the sockets based on type / address family
e88f2cd4d3f0 utils: add support for passings address family to network_get_endpoint()
639cdcdf6eda pex: add support for figuring out the external data port via STUN servers
9144339ebe1f pex: improve handling of a longer list of PEX hosts
38212218ecdd unet-cli: add DHT support
0d37ca75434d pex: automatically create host entries from incoming endpoint port notifications
035fcc56ef60 host: keep multiple endpoint candidates, one for each type
a089e8ae7504 pex: avoid sending a query to a host more than once every 15 seconds

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-16 21:11:32 +02:00
Felix Fietkau
f8e3d7a4e3 unetd: select unetd from unet-cli instead of depending on it
Some people may explicitly want to select unet-cli for admin purposes

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-16 21:11:32 +02:00
Felix Fietkau
55aa11d121 unetd: only depend on bpf-headers if BPF toolchain support is available
If BPF is unavailable, unetd can be built without it (by disabling VXLAN support).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-12 21:31:27 +02:00
Daniel Golle
f5d6ed3007 xdp-tools: don't rely on host bpf headers
xdp-tools build currently breaks on build hosts which do not have
libbpf headers installed because the build system wrongly tries to
use the host's include path.
Properly pass path to libbpf headers to xdp-tools build system to
fix build e.g. on the buildbots.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-12 01:43:49 +01:00
Nick Hainke
5a80226e96 lldpd: update to 1.0.15
Release Notes:
https://github.com/lldpd/lldpd/releases/tag/1.0.15

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-11 01:30:11 +02:00
Kien Truong
fa468d4bcd iproute2: add missing libbpf dependency
This patch adds libbpf to the dependencies of tc-mod-iptables.

The package tc-mod-iptables is missing libbpf as a dependency,
which leads to the build failure described in bug #9491

    LIBBPF_FORCE=on set, but couldn't find a usable libbpf

The build dependency is already automatically added because some other
packages from iproute2 depend on libbpf, but bpftools has multiple build
variants. With multiple build variants none gets build by default and
the build system will not build bpftools before iproute2.

Fixes: #9491
Signed-off-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-09-11 01:30:11 +02:00
Nick Hainke
fed8550df7 xdp-tools: update to v1.2.6
Release Notes:
https://github.com/xdp-project/xdp-tools/releases/tag/v1.2.6

The update contains important fixes for cross-compilation.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-07 04:22:39 +01:00
Nick Hainke
8eca549bdc lldpd: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:37 +01:00
Nick Hainke
5c238a44e9 ethtool: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:35 +01:00
Felix Fietkau
09ea1db93b hostapd: rename hostapd multicast_to_unicast option to multicast_to_unicast_all
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting

The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.

The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.

Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-06 12:15:48 +02:00
Felix Fietkau
90f55f5bf1 unetd: update to the latest version
f5d02c32f811 pex: add support for sending endpoint notification from the wg port via raw socket
c3b1127236a0 ubus: add support for querying active networks
8ad119715168 ubus: add support for adding auth_connect hosts at runtime
26dc52789d41 network: add support for configuring extra peers via a separate json file
d7fb9e5b065b ubus: add reload command

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-01 20:42:08 +02:00
Felix Fietkau
23a7188ab4 unetd: fix handling of connect/tunnel list
change the type to array, so that uci lists can be used

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-01 20:42:08 +02:00
Jo-Philipp Wich
ab31ffc425 firewall4: update to latest Git HEAD
f5fcdcf cli: introduce test mode and refuse firewall restart on errors
a540f6d fw4: fix cosmetic issue with per-ruleset and per-table include paths
695e821 doc: fix swapped include positions in nftables.d README

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-09-01 12:39:05 +02:00
Felix Fietkau
2984a04206 mac80211: disable ft-over-ds by default
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-30 10:58:20 +02:00
Felix Fietkau
f39d9ea0c2 unetd: update to the latest version, makes VXLAN/eBPF optional
b75791a6db25 scripts/update-cmd.pl: reorder add/remove calls to better deal with dynamic changes
c29e1ad045d0 scripts/update-cmd.pl: set device up before adding routes/addresses
5ad35ce4beea scripts/update-cmd.pl: run update two times
5d79b88f00c1 add support for overriding peer-exchange-port for individual hosts
0041fcacb624 add support for disabling VXLAN/eBPF support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-29 20:55:49 +02:00
Felix Fietkau
314cad2cba unetd: update to the latest version
5cbd55f60346 unet-cli: fix formatting of help text
59b97448b636 build.sh: force use of -fPIC on static libraries to fix build error
74a14c00abb0 pex-msg: fix siphash key initializer

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-28 22:31:18 +02:00
Nick Hainke
36bec544d7 nftables: update to 1.0.5
Remove upstreamed patch:
- 0001-meta-don-t-use-non-POSIX-formats-in-strptime.patch

Changes:
13248670 build: Bump version to 1.0.5
3432eebd tests/py: disable arp family for queue statement
180ce4d7 meta: don't use non-POSIX formats in strptime()
c1c223f1 src: allow anon set concatenation with ether and vlan
87c3041b evaluate: search stacked header list for matching payload dep
b1e3ed03 netlink_delinearize: also postprocess OP_AND in set element context
f680055c tests: add a test case for ether and vlan listing
dbd5f348 debug: dump the l2 protocol stack
0d9daa04 proto: track full stack of seen l2 protocols, not just cumulative offset
89688c94 netlink_delinearize: postprocess binary ands in concatenations
0542a431 netlink_delinearize: allow postprocessing on concatenated elements
8efab552 parser_json: fix device parsing in netdev family
76fae8f5 src: proto: support DF, LE PHB, VA for DSCP
446e76db doc: Document limitations of ipsec expression with xfrm_interface
a2ddb38f cache: report an error message if cache initialization fails
649b8ce3 cache: validate handle string length
64c74ba5 cache: prepare nft_cache_evaluate() to return error
46980cdd rule: crash when uncollapsing command with unexisting table or set
8a6cdfaf cache: release pending rules when chain binding lookup fails
e17337df evaluate: report missing interval flag when using prefix/range in concatenation
45c097c6 scanner: allow prefix in ip6 scope
6c23bfa5 segtree: fix map listing with interface wildcard
8623772a scanner: don't pop active flex scanner scope
994bf500 parser: add missing synproxy scope closure
ed2426bc tests/py: Add a test for failing ipsec after counter
27107b49 evaluate: fix segfault when adding elements to invalid set
0f82b07f mnl: store netlink error location for set elements
15b3be2e src: remove NFT_NLATTR_LOC_MAX limit for netlink location error reporting
f56e901a parser_bison: fix error location for set elements
6d1ee926 intervals: check for EXPR_F_REMOVE in case of element mismatch
5357cb7b intervals: fix crash when trying to remove element in empty set
d54510f8 netlink_delinearize: memleak when parsing concatenation data
12a223ce libnftables: release top level scope
b91bbf88 optimize: limit statement is not supported yet
45a61a75 optimize: assume verdict is same when rules have no verdict
fa409176 optimize: only merge OP_IMPLICIT and OP_EQ relational
29e62111 tests: shell: run -c -o on ruleset
887405df optimize: add unsupported statement
8f61a69e optimize: add hash expression support
ca8fd77a optimize: add numgen expression support
721efd64 optimize: add binop expression support
f7e901a2 optimize: add fib expression support
54b1e49f optimize: add xfrm expression support
0beaea37 optimize: add osf expression support
d07fe8e8 optimize: fix verdict map merging
38d48fe5 optimize: fix reject statement
f9939f89 optimize: remove comment after merging
8f10f33a optimize: do not print stateful information
3ac932e9 optimize: do not merge rules with set reference in rhs
64ebb03a optimize: do not compare relational expression rhs when collecting statements
59e3a592 intervals: Do not sort cached set elements over and over again
d434de8b intervals: do not empty cache for maps
87ba510f intervals: do not report exact overlaps for new elements
498a5f0c rule: collapse set element commands
8fafe4e6 tests: shell: runtime set element automerge
638af0ce Revert "scanner: flags: move to own scope"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Nick Hainke
9011f987d5 iproute2: replace musl-compilation-fix with upstream fix
Instead of defining the MIN version it is enough to include "#include
<sys/param.h>".

Delete patch:
- 105-ipstats-Define-MIN-function-to-fix-undefined-referen.patch

Add patch:
- 010-ipstats-Add-param.h-for-musl.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Nick Hainke
e74b79ed56 wireguard-tools: update to v1.0.20210914
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Nick Hainke
8171aad4f1 ethtool: update to 5.19
Release Notes:
https://lore.kernel.org/netdev/20220821234539.f7nslwyd53bsftsy@lion.mk-sys.cz/T/

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Etienne Champetier
0c8d7e34ab iptables: default to ip(6)tables-nft when using buildroot
35fec487e3 fixed opkg usage,
but when using buildroot we were still defaulting to
ip(6)tables-legacy

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-08-27 22:39:32 +02:00
Felix Fietkau
104de8abe4 unetd: add WireGuard based VPN connection manager for OpenWrt
This package simplifies setting up wireguard networks on OpenWrt by a wireguard
network as a JSON file, which can be shared across all participating nodes.
It can be signed with an authentication key and automatically kept in sync.
unetd also supports deterministically generating ipv6 addresses for each host
based on the public key and storing those in a hosts file that can be used with
dnsmasq. It also supports automatically creating VXLAN tunnels between multiple
endpoints.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-27 15:24:58 +02:00
Felix Fietkau
31648c4b59 netifd: update to the latest version
76d2d41b7355 interface: fix use-after-free bug when rewriting resolv.conf

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-25 21:16:26 +02:00
Jo-Philipp Wich
fe86b2ffaa firewall4: update to latest Git HEAD
a4484d4 fw4: support automatic includes
ca7e3a1 fw4: honour enabled option of include sections
5a02f74 tests: add missing fs.stat) mock data for `nf_conntrack_dummy`
111a7f7 fw4: don't inherit zone family from ct helpers

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-24 23:25:11 +02:00
Jo-Philipp Wich
4ee77cfcfa uhttpd: update to latest Git HEAD
e3395cd ucode: initialize search path before VM init
8cb3f85 ucode: initialize default library search path
188dea2 utils: accept '?' as path terminator in uh_path_match()
c5eac5d file: support using dynamic script handlers as error pages
290ff88 relay: trigger close if in header read state with pending data
f9db538 ucode: ignore exit exceptions
8ba0b64 cmake: use variables and find_library for dependency

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-24 23:25:11 +02:00
Joerg Werner
9fbb76c047 hostapd: fix WPA3 enterprise keys and ciphers
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.

Signed-off-by: Joerg Werner <schreibubi@gmail.com>
2022-08-20 22:56:12 +02:00
Hauke Mehrtens
8008816a2c netifd: update to git HEAD
87fbefd interface: support "zone" config option
bfa039c netifd: fix WPA3 enterprise ciphers

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-20 22:56:12 +02:00
Hauke Mehrtens
cc6a323e23 iwinfo: update to latest HEAD
0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-20 22:56:12 +02:00
Hauke Mehrtens
60738feded iproute2: Fix KERNEL_INCLUDE in SDK
In the SDK the folder $(LINUX_DIR)/user_headers/include does not exist,
but it more or less contains the same content as
$(LINUX_DIR)/include/uapi which also exists in the SDK.

Since iproute2 commit 1d819dcc741e ("configure: fix parsing issue on
include_dir option") it checks if this folder exists and aborts the
build if it does not exists.
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1d819dcc741e25958190e31f8186c940713fa0a8

With this commit the KERNEL_INCLUDE variable points to a valid folder
with the kernel include headers. I am not sure if they are actually
needed because the build worked before even with an invalid path.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-18 00:07:32 +02:00
Stijn Tintel
f37a7fa4e8 hostapd: add mbo flag to get_clients ubus method
There is no WLAN_STA_MBO flag, but according to the hostapd source code,
when an STA does not support MBO, cell_capa will be 0. Use this to
indicate MBO support in the get_clients ubus method.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: David Bauer <mail@david-bauer.net>
2022-08-15 16:53:27 +03:00
Hauke Mehrtens
90bedc411b umbim: bump to git HEAD
146bc77 umbim: fix invalid mbim message string encoding

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-13 20:53:10 +02:00
Hauke Mehrtens
cc2dfc5e4d iwinfo: update to latest HEAD
705d3b5 iwinfo: Add missing auth_suites mappings for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-13 20:53:10 +02:00
Nick Hainke
b3a0c14824 iproute2: shrink ip-tiny size by disabling features
With the 5.18 and 5.19 update ip-tiny grows in size. Remove some
features bringing it back to the size before 5.18.

Remove
- Identifier-locator addressing (ila)
- MACsec Device Configuration (macsec)
- Multicast Routing Cache Management (mroute)
- mrule
- Virtual Routing and Forwarding (vrf)
- Segment Routing (sr)

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-13 20:53:10 +02:00
Nick Hainke
e871144013 iproute2: update to 5.19.0
Add patch:
- 105-ipstats-Define-MIN-function-to-fix-undefined-referen.patch

Refreshed:
- 170-ip_tiny.patch
- 195-build_variant_ip_tc.patch

Changes:
deb48554 v5.19.0
f8decf82 bpf_glue: include errno.h
71178ae0 rdma: update uapi/ib_user_verbs.h
96594fd2 vdpa: update uapi headers from 5.19-rc7
30c7b77f Revert "uapi: add vdpa.h"
c5433c4b ip neigh: Fix memory leak when doing 'get'
2cb76253 mptcp: Fix memory leak when getting limits
afdbb020 mptcp: Fix memory leak when doing 'endpoint show'
6db01afd bridge: Fix memory leak when doing 'fdb get'
1d540336 ip address: Fix memory leak when specifying device
325f706b uapi: add virtio_ring.h
291898c5 uapi: add vdpa.h
6e2fb804 uapi: update bpf.h
329fda18 ip: Fix size_columns() invocation that passes a 32-bit quantity
2a00a4b1 man: tc-fq_codel: add drop_batch
6bf5abef uapi: update mptcp.h
02410392 ip: Fix size_columns() for very large values
ed243312 man: tc-ct.8: fix example
2bb37e90 l2tp: fix typo in AF_INET6 checksum JSON print
855edb3d man: tc-fq_codel: Fix a typo.
4044a453 tc: declaration hides parameter
a44a7918 genl: fix duplicate include guard
703f2de6 uapi: change name for zerocopy sendfile in tls
248ad98e uapi: update socket.h
11e41a63 ip: Convert non-constant initializers to macros
8d3977ef Update kernel headers
5a1ad9f8 man: ip-stats.8: Describe groups xstats, xstats_slave and afstats
d9976d67 ipstats: Expose bond stats in ipstats
36e10429 ipstats: Expose bridge stats in ipstats
79f5ad95 iplink_bridge: Split bridge_print_stats_attr()
1247ed51 ipstats: Add groups "xstats", "xstats_slave"
c6900b79 ipstats: Add a third level of stats hierarchy, a "suite"
2ed73b9a iplink: Add JSON support to MPLS stats formatter
5ed8fd9d ipstats: Add a group "afstats", subgroup "mpls"
dff392fd iplink: Publish a function to format MPLS stats
72623b73 iplink: Fix formatting of MPLS stats
ce41750f ip: ipstats: Do not assume length of response attribute payload
40b50f15 bridge: vni: add support for stats dumping
c7f12a15 ip: iplink_vxlan: add support to set vnifiltering flag on vxlan device
45cd32f9 bridge: vxlan device vnifilter support
837294e4 libbpf: Remove use of bpf_map_is_offload_neutral
64e5ed77 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
ba6519cb libbpf: Use bpf_object__load instead of bpf_object__load_xattr
a6eb654d f_flower: add number of vlans man entry
5788732e f_flower: Check args with num_of_vlans
5ba31bcf f_flower: Add num of vlans parameter
b28eb051 man: Add man pages for the "stats" functions
a05a27c0 ipmonitor: Add monitoring support for stats events
0f1fd40c ipstats: Add offload subgroup "l3_stats"
179030fa ipstats: Add offload subgroup "hw_stats_info"
af5e7955 ipstats: Add a group "offload", subgroup "cpu_hit"
0517a2fd ipstats: Add a group "link"
df0b2c6d ipstats: Add a shell of "show" command
82f6444f ipstats: Add a "set" command
54d82b06 ip: Add a new family of commands, "stats"
5520cf16 ip: Publish functions for stats formatting
a463d6b1 libnetlink: Add filtering to rtnl_statsdump_req_filter()
38ae12d3 devlink: introduce -[he]x cmdline option to allow dumping numbers in hex format
bba95837 Update kernel headers
f6559bea ip-link: put types on man page in alphabetic order
ee53174b ip/iplink_virt_wifi: add support for virt_wifi

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-13 20:53:10 +02:00
Nick Hainke
d3b4422f62 iproute2: update to 5.18.0
The ip-tiny size grows from 124k (5.17.0) to 128k (5.18.0).

The update introduces a commit "configure: add check_libtirpc()" that
introduces a check for libtirpc. However, if libtirpc is already in the
staging directory due to an other dependency the check yields that the
library is installed and should be used resulting in failures like:

  Package ss is missing dependencies for the following libraries:
  libtirpc.so.3

To fix it add a patch making libtirpc optional again and setting it
"HAVE_TIRPC=n":
- 155-keep_tirpc_optional.patch

Fix patches:
- 130-no_netem_tipc_dcb_man_vdpa.patch

Refresh patches:
- 140-keep_libmnl_optional.patch
- 150-keep_libcap_optional.patch
- 180-drop_FAILED_POLICY.patch
- 200-drop_libbsd_dependency.patch

Changes:
6474b7c8 v5.18.0
4429a6c9 tipc: fix keylen check
6b6979b9 iplink: remove GSO_MAX_SIZE definition
19c3e009 doc: fix 'infact' --> 'in fact' typo
ed706c78 man: fix some typos
03589beb man: devlink-region: fix typo in example
b84fc332 tc: em_u32: fix offset parsing
b6d17086 uapi: update of virtio_ids
17bf51b7 libbpf: Remove use of bpf_map_is_offload_neutral
fa305925 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
9e0057b4 libbpf: Use bpf_object__load instead of bpf_object__load_xattr
e81fd551 devlink: fix "devlink health dump" command without arg
6f3b5843 man: use quote instead of acute accent
42d351fa man: 'allow to' -> 'allow one to'
d8a7a0f4 uapi: upstream update to stddef.h
5b2ff061 uapi: update from 5.18-rc1
292509f9 ss: remove an implicit dependency on rpcinfo
1ee309a4 configure: add check_libtirpc()
41848100 ip/geneve: add support for IFLA_GENEVE_INNER_PROTO_INHERIT
28add137 f_flower: Implement gtp options support
b25599c5 ip: GTP support in ip link
e4880869 man: bridge: document per-port mcast_router settings
9e82e828 bridge: support for controlling mcast_router per port
f1d18e2e Update kernel headers
8130653d vdpa: Update man page with added support to configure max vq pair
56eb8bf4 vdpa: Support reading device features
16482fd4 vdpa: Support for configuring max VQ pairs for a device
bd91c764 vdpa: Allow for printing negotiated features of a device
2d1954c8 vdpa: Remove unsupported command line option
93fb6810 Makefile: move HAVE_MNL check to top-level Makefile
2dee2101 man: ip-link: whitespace fixes to odd line breaks mid sentence
609b90aa man: ip-link: mention bridge port's default mcast_flood state
b1c3ad84 man: ip-link: document new bcast_flood flag on bridge ports
c354a434 ip: iplink_bridge_slave: support for broadcast flooding
909f0d51 man: bridge: add missing closing " in bridge show mdb
3b681cf9 man: bridge: document new bcast_flood flag for bridge ports
a6c848eb bridge: support for controlling flooding of broadcast per port
8acb5247 ip/batadv: allow to specify RA when creating link
0431d8e8 Import batman_adv.h header from last kernel sync point
239bfd45 Revert "configure: Allow command line override of toolchain"
a93c90c7 tc: separate action print for filter and action dump
d9977eaf bpf: Remove use of bpf_create_map_xattr
ac4e0913 bpf: Export bpf syscall wrapper
873bb975 bpf_glue: Remove use of bpf_load_program from libbpf
5e17b715 ss: display advertised TCP receive window and out-of-order counter
712ec66e tc: bash-completion: Add profinet and ethercat to procotol completion list
75061b35 lib: add profinet and ethercat as link layer protocol names
0a685b98 man8/ip-link.8: add locked port feature description and cmd syntax
d4fe3673 man8/bridge.8: add locked port feature description and cmd syntax
092af16b ip: iplink_bridge_slave: add locked port flag support
0e51a185 bridge: link: add command to set port in locked mode
04a0077d Update kernel headers
386ae64c configure: Allow command line override of toolchain
bea92cb0 mptcp: add port support for setting flags
2dbc6c90 mptcp: add fullmesh support for setting flags
5fb6bda0 mptcp: add fullmesh check for adding address
9831202f bond: add ns_ip6_target option
e8fd4d4b devlink: Remove strtouint8_t in favor of get_u8
2688abf0 devlink: Remove strtouint16_t in favor of get_u16
95c03f40 devlink: Remove strtouint32_t in favor of get_u32
7cb0e24d devlink: Remove strtouint64_t in favor of get_u64
7848f6bb Update kernel headers
4f015972 f_flower: fix indentation for enc_key_id and u32
25a9c4fa tunnel: Fix missing space after local/remote print
ff14875e Update documentation
8908cb25 Add support for the IOAM insertion frequency
cd24451e Update kernel headers
e4ba36f7 iplink: add ip-link documentation
5d57e130 iplink: add gro_max_size attribute handling
721435dc tc: u32: add json support in `print_raw`, `print_ipv4`, `print_ipv6`
c733722b tc: u32: add support for json output
5f44590d tc/f_flower: fix indentation
9948b6cb tc_util: fix breakage from clang changes
f4cd4f12 tc: add skip_hw and skip_sw to control action offload
ba5ac984 json_print: suppress clang format warning
bf71c8f2 libbpf: fix clang warning about format non-literal
5632cf69 tunnel: fix clang warning
c0248878 tipc: fix clang warning about empty format string
371c13e8 can: fix clang warning
8d27eee5 ipl2tp: fix clang warning
560d2336 tc_util: fix clang warning in print_masked_type
b2450e46 flower: fix clang warnings
4e27d538 netem: fix clang warnings
9d5e29e6 utils: add format attribute
343c4f52 tc: add format attribute to tc_print_rate

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-13 20:53:10 +02:00
Nick Hainke
e65337ce65 iproute2: update to 5.17.0
Remove backports:
- 0001-lib-fix-ax25.h-include-for-musl.patch

Changes:
4c424dfd v5.17.0
7846496b link_xfrm: if_id must be non zero
eed4bb1a testsuite: link xfrm delete no if_id test
ac0a54b2 rdma: make RES_PID and RES_KERN_NAME alternative to each other
885e281e uapi: update vdpa.h
19c0def1 ipaddress: remove 'label' compatibility with Linux-2.0 net aliases
1808f002 lib/fs: fix memory leak in get_task_name()
62c0700c uapi: update magic.h
c8d9d925 rdma: Fix the logic to print unsigned int.
a42dfaa4 Revert "rdma: Fix res_print_uint() and add res_print_u64()"
9d0badec rdma: Fix res_print_uint() and add res_print_u64()
86a1452b uapi: update to xfrm.h
09c6a3d2 bridge: Remove vlan listing from `bridge link`
e4fda259 bridge: Fix error string typo
cc143bda lnstat: fix strdup leak in -w argument parsing
90bbf861 iplink_can: print_usage: typo fix, add missing spaces
1b5c7414 dcb: Fix error reporting when accessing "dcb app"
a38d305d tc: fix duplicate fall-through
f8beda6e libnetlink: fix socket leak in rtnl_open_byproto()
7f70eb2a tc_util: Fix parsing action control with space and slash
29da83f8 iprule: Allow option dsfield in 'ip rule show'
07012a1f ss: use freecon() instead of free() when appropriate
03b4de0b man: Fix a typo in the flag documentation of ip address
924f6b4a dcb: app: Add missing "dcb app show dev X default-prio"
5c9571bc uapi: update kernel headers from 5.17-rc1
d542543b tc/action: print error to stderr
52370c61 mptcp: add id check for deleting address
c556f577 dcb: Rewrite array-formatting code to not cause warnings with Clang
0dc5da8e f_flower: fix checkpatch warnings
ffbcb246 netem: fix checkpatch warnings
8bced38a lib: fix ax25.h include for musl
e27bb8e5 uapi: add missing virtio headers
26ff0afa uapi: add missing rose and ax25 files
eb4206ec q_cake: allow changing to diffserv3
db530529 iplink_can: add ctrlmode_{supported,_static} to the "--details --json" output
ac2e9148 Update kernel headers
bb4cc9cc rdma: Don't allocate sparse array
b8767168 rdma: Limit copy data by the destination size
167e33f3 vdpa: Enable user to set mtu of the vdpa device
384938f9 vdpa: Enable user to set mac address of vdpa device
a311f0c4 vdpa: Enable user to query vdpa device config layout
9d8882d5 vdpa: Update kernel headers
5cb7ec0c Update kernel headers and import virtio_net
26113360 mptcp: add support for changing the backup flag
4b301b87 tc: Add support for ce_threshold_value/mask in fq_codel
99d09ee9 bond: add arp_missed_max option
432cb06b mptcp: add support for fullmesh flag
2d777dfe Update kernel headers
a21458fc vdpa: Remove duplicate vdpa UAPI header file

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-13 20:53:10 +02:00
Nick Hainke
9913514319 iproute2: update to 5.16.0
Import patch:
- 0001-lib-fix-ax25.h-include-for-musl.patch

Refreshed patches:
- 100-configure.patch
- 130-no_netem_tipc_dcb_man_vdpa.patch
- 140-keep_libmnl_optional.patch
- 145-keep_libelf_optional.patch
- 150-keep_libcap_optional.patch
- 170-ip_tiny.patch
- 190-fix-nls-rpath-link.patch
- 195-build_variant_ip_tc.patch
- 200-drop_libbsd_dependency.patch
- 300-selinux-configurable.patch

Size ip-full (mips_24kc):
- 176K	ip-full_5.16.0-1_mips_24kc.ipk
- 172K	ip-full_5.15.0-2_mips_24kc.ipk

Size ip-tiny (mips_24kc):
- 124K	ip-tiny_5.16.0-1_mips_24kc.ipk
- 124K	ip-tiny_5.15.0-2_mips_24kc.ipk

Changes:
ade99e20 v5.16.0
1225e307 testsuite: Fix tc/vlan.t test
4734fdb9 uapi: update to mptcp.h
c04e45d0 lib/bpf: fix verbose flag when using libbpf
73590d95 tc: flower: Fix buffer overflow on large labels
3f77bc62 uapi: update to if_ether.h
5f8bb902 ip/ipnexthop: fix unsigned overflow in parse_nh_group_type_res()
3184de37 lib/bpf_legacy: remove always-true check
79026c12 rdma: update uapi headers
fa58de9b vdpa: align uapi headers
be31c264 lnstat: fix buffer overflow in header output
0e949725 tc/m_vlan: fix print_vlan() conditional on TCA_VLAN_ACT_PUSH_ETH
9bd5ab0f mptcp: fix JSON output when dumping endpoints by id
a787d9ae man: tc-u32: Fix page to match new firstfrag behavior
af96c7b5 Fix some typos detected by Lintian in manpages
35c81b18 uapi: update vdpa.h
0c263d7c iplink_can: add new CAN FD bittiming parameters: Transmitter Delay Compensation (TDC)
0f7bb8d8 iplink_can: print brp and dbrp bittiming variables
67f3c7a5 iplink_can: use PRINT_ANY to factorize code and fix signedness
fd5e958c iplink_can: code refactoring of print_ctrlmode()
8316df6e iplink_can: fix configuration ranges in print_usage() and add unit
6e15d27a ip: add AMT support
9cae1de5 Import amt.h
258e350c Update kernel headers
047e9ae5 devlink: Fix cmd_dev_param_set() to check configuration mode
9e009e78 ip, neigh: Add NTF_EXT_MANAGED support
040e5252 ip, neigh: Add missing NTF_USE support
c76a3849 ip, neigh: Fix up spacing in netlink dump
76b30805 xfrm: enable to manage default policies
95cd2a62 iplink: enable to specify index when changing netns
cee0cf84 configure: add the --libdir option
0ee1950b configure: add the --prefix option
4b8bca5f configure: support --param=value style
99245d17 configure: simplify options parsing
c330d097 configure: fix parsing issue with more than one value per option
48c379bc configure: fix parsing issue on libbpf_dir option
1d819dcc configure: fix parsing issue on include_dir option
19ba785f rdma: Add optional-counters set/unset support
7d5cb70e rdma: Add stat "mode" support
d480cb71 rdma: Update uapi headers
e4ca6a49 Update kernel headers
a31e7b79 mptcp: cleanup include section.
41020eb0 Update documentation
8fb522cd Add support for IOAM encap modes
b840c620 ip: nexthop: keep cache netlink socket open
b9017435 devlink: print maximum number of snapshots if available
6448ed37 Update kernel headers
7ca868a7 ip: nexthop: add print_cache_nexthop which prints and manages the nh cache
5d5dc549 ip: route: print and cache detailed nexthop information when requested
cb3d18c2 ip: nexthop: add a helper which retrieves and prints cached nh entry
60a97030 ip: nexthop: add cache helpers
53d7c43b ip: nexthop: factor out ipnh_get_id rtnl talk into a helper
a2ca4312 ip: nexthop: factor out print_nexthop's nh entry printing
945c26db ip: nexthop: parse attributes into nh entry structure before printing
7ec1cee6 ip: nexthop: add nh entry structure
60a7515b ip: nexthop: split print_nh_res_group into parse and print parts
cfb0a872 ip: nexthop: add resilient group structure
371e889d ip: export print_rta_gateway version which outputs prepared gateway string
f7278996 ip: print_rta_if takes ifindex as device argument instead of attribute
e2cc9840 ROSE: Print decoded addresses rather than hex numbers.
26c5782f ROSE: Add rose_ntop implementation.
fd4c1c81 NETROM: Print decoded addresses rather than hex numbers.
c63b769a NETROM: Add netrom_ntop implementation.
399ae00a AX.25: Print decoded addresses rather than hex numbers.
3a92669b AX.25: Add ax25_ntop implementation.
ebbb7017 lib: bpf_legacy: add prog name, load time, uid and btf id in prog info dump
0431e1e7 ip: Support filter links/neighs with no master
12b3d6a2 man: ip-macsec: fix gcm-aes-256 formatting issue
ae895504 bridge: vlan: add support for mcast_router option
12fbe3e4 bridge: vlan: set vlan option attributes while parsing
db28c944 Update kernel headers
6d676ad9 ip: rewrite routel in python
1eaebad2 ip: remove routef script
adddf30c ip: remove ifcfg script
2c811088 ip: remove old rtpr script
72222cd4 bridge: vlan: add support for dumping router ports
7ad5505b bridge: vlan: add global mcast_querier option
061da2e2 bridge: vlan: add global mcast_startup_query_interval option
60dcd5c3 bridge: vlan: add global mcast_query_response_interval option
0e4cfa03 bridge: vlan: add global mcast_query_interval option
ebcee09c bridge: vlan: add global mcast_querier_interval option
3ae784f5 bridge: vlan: add global mcast_membership_interval option
2b6cc38d bridge: vlan: add global mcast_last_member_interval option
7cc7dbf4 bridge: vlan: add global mcast_startup_query_count option
3399c075 bridge: vlan: add global mcast_last_member_count option
a8d7212a bridge: vlan: add global mcast_mld_version option
29fada0f bridge: vlan: add global mcast_igmp_version option
1f608d59 bridge: vlan: add global mcast_snooping option
dee5eb05 bridge: vlan: add support to set global vlan options
ecf6d8b4 bridge: vlan: add support for vlan filtering when dumping options
720f8613 bridge: vlan: add support to show global vlan options
d3a961a9 bridge: vlan: skip unknown attributes when printing options
312e22fe bridge: vlan: factor out vlan option printing
d2eecb9d ip: bridge: add support for mcast_vlan_snooping
ebaa603b ip/bond: add lacp active support
8d6134b2 Update kernel headers
51d8fc70 ip/tunnel: always print all known attributes
71ba9c18 ipioam6: use print_nl instead of print_null
e7841194 tc/skbmod: Introduce SKBMOD_F_ECN option
78832863 IOAM man8
32f4969d New IOAM6 encap type for routes
29098125 Add, show, link, remove IOAM namespaces and schemas
e53f4cd5 Import ioam6 uapi headers
236696e5 Update kernel headers
cf866f0a ipneigh: add support to print brief output of neigh cache in tabular format

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-13 20:53:10 +02:00
Hauke Mehrtens
2a0284fb03 kernel: kmod-ipt-ulog: Remove package
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-10 21:36:17 +02:00
Hauke Mehrtens
b75425370d kernel: kmod-nft-nat6: Remove package
The nft NAT packages for IPv4 and IPv6 were merged into the common
packages with kernel 5.1. The kmod-nft-nat6 package was empty in our
build, remove it.

Multiple kernel configuration options were also removed, remove them
from our generic kernel configuration too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-10 21:36:17 +02:00
Jo-Philipp Wich
e6e4f97999 nftables: fix parsing date expressions
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.

Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 11:51:46 +02:00
Jo-Philipp Wich
b5ec04f81a Revert "nftables: fix parsing date expressions"
This reverts commit eada892577.

The commit contained unrelated target changes.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 11:50:52 +02:00
Jo-Philipp Wich
eada892577 nftables: fix parsing date expressions
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.

Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 00:20:14 +02:00
Hans Dedecker
a23d132cff odhcp6c: update to git HEAD
7d21e8d dhcpv6: add option to ignore stateless advertise

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-08-05 18:31:24 +02:00
Chen Minqiang
31cca8f8d3 umdns: add missing syscall to seccomp filter
There is some syscall missing:
'getdents64'
'getrandom'
'statx'
'newfstatat'

Found with:
'mkdir /etc/umdns; ln -s /tmp/1.json /etc/umdns/; utrace /usr/sbin/umdns'

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2022-08-05 14:10:42 +02:00
Roland Barenbrug
456b9029d7 ltq-vdsl-app: Fix counter overflow resulting in negative values
The re-transmit counters can overflow the 32 bit representation resulting
in negative values being displayed. Background being that the numbers are
treated at some point as signed INT rather than unsigned INT.
Change the counters from 32 bit to 64 bit, should provide sufficient room
to avoid any overflow. Not the nicest solution but it works

Fixes: #10077
Signed-off-by: Roland Barenbrug <roland@treslong.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
2022-08-05 13:49:30 +02:00
Boris Krasnovskiy
00718b9d7a hostapd: prevent unused crypto lib dependencies from being compiled
Prevented unused crypto lib dependencies from being compiled

Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
2022-07-31 00:11:21 +02:00
Dávid Benko
f920908626 odhcp6c: update to latest git HEAD
9212bfc odhcp6c: fix IA discard when T1 > 0 and T2 = 0

Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
2022-07-30 23:50:44 +02:00
Christian Lamparter
d4391ef073 layerscape: update remaining PKG_HASH / PKG_MIRROR_HASH
The change of the PKG_VERSION caused the hash of the package to
change. This is because the PKG_VERSION is present in the
internal directory structure of the archive.

Fixes: e879cccaa2 ("uboot-layerscape: update PKG_HASH")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-07-22 22:03:27 +02:00
Manuel Giganto
d12eb103e8
hostapd: add ppsk option (private psk)
This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.

ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.

Wireless example configuration:
	option encryption 'psk2+ccmp'
	option ppsk '1'
	option auth_server '127.0.0.1'
	option auth_secret 'radiusServerPassword'

If you want to use dynamic VLAN on PPSK also include:
	option dynamic_vlan '2'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.

In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"

<sta mac> Cleartext-Password := "<sta mac>"
	Tunnel-Password = <Private Password>

Example of a user configured in radius and using dynamic VLAN5:

8cb84a000000 Cleartext-Password := "8cb84a000000"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 5,
	Tunnel-Password = MyPrivPw

If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:

DEFAULT Auth-Type := Accept
	Tunnel-Password = SharedPw

And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 6,
	Tunnel-Password = SharedPw

Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
2022-07-15 08:20:36 +02:00
Michael Pratt
ba7da73680 firewall3: update file hash
the hash and timestamp of the remote copy of the archive
has changed since last bump
meaning the remote archive copy was recreated

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-07-14 17:09:06 +01:00
Paul Blazejowski
4a1dcaf848 hostapd: apply patch to fix building openssl variant
Add patch from:
https://patchwork.ozlabs.org/project/hostap/patch/20220622121355.1337612-1-a.heider@gmail.com/

Fixes: dab9103 ("hostapd: update to 2022-06-02")
Signed-off-by: Paul Blazejowski <paulb@blazebox.homeip.net>
2022-07-11 00:50:54 +02:00
Nick Hainke
436fad7a3e iptables: update to 1.8.8
Remove upstreamed patches:
- 001-xtables-Call-init_extensions6-for-static-builds.patch
- 002-xtables-Call-init_extensions_a_b.patch

Fix patches:
- 102-iptables-disable-modprobe.patch
  Fix warnings in the form of:
  xtables.c:475:14: warning: 'get_modprobe' defined but not used [-Wunused-function]
  475 | static char *get_modprobe(void)
      |              ^~~~~~~~~~~~

Backport patches:
- 020-treewide-use-uint-instead-of-u_int.patch
- 030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
- 040-xshared-Fix-build-for-Werror-format-security.patch
- 050-build-fix-error-during-out-of-tree-build.patch
- 060-libxtables-unexport-init_extensions-declarations.patch

Refresh patches:
- 101-remove-check-already.patch
- 102-iptables-disable-modprobe.patch
- 200-configurable_builtin.patch
- 600-shared-libext.patch
- 700-disable-legacy-revisions.patch

Remove from Makefile:
 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/

Changelog:
fa0ccdbd configure: bump version for 1.8.8 release
8468fd4f nft: Fix EPERM handling for extensions without rev 0
ce9195c6 extensions: LOG: Document --log-macdecode in man page
404f304d man: *NAT: Review --random* option descriptions
0a538259 extensions: DNAT: Merge core printing functions
a7c2b728 libxtables: Revert change to struct xtables_pprot
fd64a587 libxtables: Drop xtables_globals 'optstring' field
3b8a6a6f xshared: Extend xtables_printhelp() for arptables
8ff84eaf xshared: Move arp_opcodes into shared space
adbfec0b extensions: MARK: Drop extra newline at end of help
1dcfb81e nft: split gen_payload() to allocate register and initialize expression
7e38890c nft: prepare for dynamic register allocation
165cafec nft: pass handle to helper functions to build netlink payload
94309632 nft: native mark matching support
aa92ec96 nft: pass struct nft_xt_ctx to parse_meta()
4c70c42f nft-shared: update context register for bitwise expression
18c96821 extensions: man: Document service name support in DNAT and REDIRECT
72d542b6 extensions: Merge REDIRECT into DNAT
14d77c8a extensions: Merge IPv4 and IPv6 DNAT targets
9621318b extensions: DNAT: Rename from libipt to libxt
2e0c9a40 extensions: ipt_DNAT: Combine xlate functions also
7adef314 extensions: ipt_DNAT: Merge v1/v2 print/save code
3f4f1cf0 extensions: ipt_DNAT: Merge v1 and v2 parsers
070a8626 Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
08c14fa6 man: DNAT: Describe shifted port range feature
24fff5d7 xlate-test: Fix for empty source line on failure
ac4c84cc libxtables: Boost rule target checks by announcing chain names
f58b0d74 libxtables: Implement notargets hash table
b1aee6b2 nft: Reject standard targets as chain names when restoring
b555bfed tests: shell: Fix 0004-return-codes_0 for static builds
c293e116 nft: Review static extension loading
0836524f xtables: Call init_extensions{,a,b}() for static builds
6c689b63 Simplify static build extension loading
0c8e2535 libxtables: Fix for warning in xtables_ipmask_to_numeric
0c0cd434 nft: Don't pass command state opaque to family ops callbacks
b6196c75 xshared: Prefer xtables_chain_protos lookup over getprotoent
07ee529f nft: Speed up immediate parsing
b5f2faea nft: Simplify immediate parsing
17534cb1 Improve error messages for unsupported extensions
2dbb49d1 libxtables: Register only the highest revision extension
07e2107e xshared: Implement xtables lock timeout using signals
a3980769 tests: NFLOG: enable `--nflog-range` tests
b8e8ac27 tests: support explicit variant test result
adb03c3f tests: add `NOMATCH` test result
7a006c7d tests: iptables-test: rename variable
b7f15b42 iptables.8: Describe the effect of multiple -v flags
1407a9c4 tests: iptables-test: Support variant deviation
fc8f7289 nft: cache: Dump rules if debugging
73b91292 nft: Add debug output to table creation
51d9d9e0 ebtables: Support verbose mode
ad1ed75f nft: Set NFTNL_CHAIN_FAMILY in new chains
17ed253f iptables-restore: Support for extra debug output
a761a026 nft: Use verbose flag to toggle debug output
98e69b7e nft: add support for native tcp flag matching
92808bd5 nft-shared: add tcp flag dissection
6aba94ef nft: prefer native expressions instead of tcp match
c034cf31 nft: prefer native expressions instead of udp match
5489493e nft-shared: support native udp port delinearize
5795a1b5 nft-shared: support native tcp port range delinearize
250dce87 nft-shared: support native tcp port delinearize
ea5d45dc extensions: libxt_NFLOG: fix typo
26ecdf53 xshared: Fix response to unprivileged users
b32ae771 build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
05286bab extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
f0d02998 extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
f9df828a extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
62ad29e9 extensions: libxt_NFLOG: don't truncate log prefix on print/save
db99f601 extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
30b178b9 extensions: *NAT: Kill multiple IPv4 range support
7ee5b970 tests: iptables-test: correct misspelt variable
223f02ca nft: fix indentation error.
5c2c2eea ip6tables: Use the shared do_parse, too
9baf3bf0 iptables: Use xtables' do_parse() function
e4f5185d nft: Move proto_parse and post_parse callbacks to xshared
ded7b579 xshared: Store parsed wait and wait_interval in xtables_args
62c3c93d xshared: Move do_parse to shared space
3039a52c xtables: Do not pass nft_handle to do_parse()
ece001c2 xtables: Pass xtables_args to check_inverse()
17abaeb1 xtables: Pass xtables_args to check_empty_interface()
dc8d8fce xtables: Move struct nft_xt_cmd_parse to xshared.h
98a4462f xtables: Pull table validity check out of do_parse()
d83371c7 xtables: Drop xtables' family on demand feature
49aa44ba nft-shared: set correct register value
b129b1cf iptables-*-restore: Drop pointless line reference
316d8efb libxtables: Extend basic_exit_err()
4bff5aef xtables_globals: Embed variant name in .program_version
51e5d293 xshared: Share exit_tryhelp()
56ac0452 xshared: Share a common printhelp function
4149b5d8 xshared: Share print_match_save() between legacy ip*tables
273d88a7 extensions: tcpmss: add iptables-translate support
7213561d xshared: Make load_proto() static
cf14b92b nft-shared: Drop unused function print_proto()
24f30842 xshared: Share print_header() with legacy iptables
a323c283 xshared: Share print_fragment() with legacy
1d73cec0 xshared: Share print_rule_details() with legacy
e5fb9f8e xshared: Share save_ipv{4,6}_addr() with legacy
22f2e1fc xshared: Share save_rule_details() with legacy
766e4872 xshared: Share print_iface() function
b5881e7f nft: Change whitespace printing in save_rule callback
1189d830 xshared: Merge and share parse_chain()
1eab8e83 extensions: hashlimit: Fix tests with HZ=1000
afa525ee xlate-test: Print full path if testing all files
b8d5271d Unbreak xtables-translate
0af80a91 nft: Merge xtables-arp-standalone.c into xtables-standalone.c
142cf724 xtables: arptables accepts empty interface names
ab0a785a xtables: Derive xtables_globals from family
6cf3976e nft-shared: Make nft_check_xt_legacy() family agnostic
832a0e2b nft-arp: Introduce post_parse callback
0aea399d arptables: Use standard data structures when parsing
fe83b12f libxtables: Introduce xtables_globals print_help callback
0687852d xtables-standalone: Drop version number from init errors
dded8ff3 nft: Add family ops callbacks wrapping different nft_cmd_* functions
38e1fe58 xtables: Simplify addr_mask freeing
cfdda180 nft-shared: Introduce init_cs family ops callback
65b150ae xshared: Store optstring in xtables_globals
2e6014c7 nft: Introduce builtin_tables_lookup()
db90ff64 tests: shell: fix bashism
45d8f769 nft: Delete builtin chains compatibly
e865a853 nft-chain: Introduce base_slot field
f9b33967 nft: Check base-chain compatibility when adding to cache
43189612 nft: cache: Avoid double free of unrecognized base-chains
040a15f2 xtables-translate: add missing argument and option to usage
2ed6dc75 tests: iptables-test: Fix conditional colors on stderr
63ab4fe3 ebtables: Avoid dropping policy when flushing
b714d45d iptables-test.py: print with color escapes only when stdout isatty
481626bb tests: shell: Return non-zero on error
7559af83 tests: iptables-test: Exit non-zero on error
c057939d tests: xlate-test: Exit non-zero on error
a8da7186 tests: iptables-test: Print errors to stderr
5166c445 tests: xlate-test: Print errors to stderr
fa78ff15 tests: xlate-test: Don't skip any input after the first empty line
fcbe454b tests: iptables-test: Fix missing chain case
61e85e31 iptables-nft: allow removal of empty builtin chains
544e7dc1 Fix a few doc typos
e438b976 nft: Use xtables_{m,c}alloc() everywhere
ca11c7b7 nft: Use xtables_malloc() in mnl_err_list_node_add()
cf410aa6 extensions: libxt_mac: Fix for missing space in listing
7ae14dc1 iptables-test: Make netns spawning more robust
bef9dc57 extensions: hashlimit: Fix tests with HZ=100
943fbf3e ip6tables: masquerade: use fully-random so that nft can understand the rule
ef7781eb libxtables: exit if called by setuid executeable
8629c53f tests/shell: Assert non-verbose mode is silent
57d1422d nft: Fix for non-verbose check command
26318637 ebtables: Dump atomic waste
765bf04e doc: ebtables-nft.8: Adjust for missing atomic-options
e727ccad xtables: Call init_extensions6() for static builds
9e1fffdf extensions: libxt_multiport: add translation for -m multiport --ports
c8145139 extensions: libxt_conntrack: simplify translation using negation
1c934617 extensions: libxt_tcp: rework translation to use flags match representation
bb01e33d extensions: libxt_connlimit: add translation
62828a6a tests: xlate-test: support multiline expectation
ba863c4b libxtables: extend xlate infrastructure
68ed965b extensions: libxt_string: Avoid buffer size warning for strncpy()
9b85e1ab libxtables: Introduce xtables_strdup() and use it everywhere
ca840c20 extensions: libebt_ip6: Use xtables_ip6parse_any()
084671d5 iptables-apply: Drop unused variable
0729ab37 nft: Avoid buffer size warnings copying iface names
eab75ed3 nft: Avoid memleak in error path of nft_cmd_new()
ffe88f8f libxtables: Fix memleak in xtopt_parse_hostmask()
8bb5bcae extensions: libebt_ip6: Drop unused variables
97fabae7 libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
5818be17 extensions: sctp: Translate --chunk-types option
a61282ec extensions: sctp: Fix nftables translation
556f7044 Use proto_to_name() from xshared in more places
eea68ca8 ebtables-translate: Use shared ebt_get_current_chain() function
9dc50b5b xshared: Merge invflags handling code
3664249f xshared: Eliminate iptables_command_state->invert
f647f61f xtables: Make invflags 16bit wide
616800af extensions: SECMARK: Implement revision 1
1e984079 nft-arp: Make use of ipv4_addr_to_string()
acac2dbe Eliminate inet_aton() and inet_ntoa()
9084ef29 extensions: sctp: Explain match types in man page
a3e81c62 nft: Increase BATCH_PAGE_SIZE to support huge rulesets
fdf64dcd nft: cache: Sort chains on demand only
c5d9a723 fix build for missing ETH_ALEN definition
18d7535d extensions: libxt_conntrack: use bitops for status negation
18e334da extensions: libxt_conntrack: use bitops for state negation
831f57c7 libxtables: Simplify xtables_ipmask_to_cidr() a bit
46f9d3a9 xtables-translate: Fix translation of odd netmasks
330f5df0 nft: Fix bitwise expression avoidance detection
5f1fcace iptables-nft: fix -Z option
c9441657 include: Drop libipulog.h
30c1d443 ebtables: Exit gracefully on invalid table names

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
ce6e034c52 lldpd: update to 1.0.14
Changes
- Add configure commands to alter inventory TLVs

Fixes
- Update seccomp rules for newer kernel/libc
- Correctly handle an interface whose index has changed
- Don't send VLANs when there are too many

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
2c7101360f lldpd: switch to codeload.github.com
The mirror does not seem to work well anymore. Switch to
codeload.github.com.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
202ecc9f4b wpan-tools: update to 0.9
Changes:
- wpan-ping: fix ifname setting
- wpan-hwsim: hardware simulator configuration utility
- wpan-hwsim: fix long option argument option for dot
- Don't install examples
- hwsim: make sure lqi is always initialized
- iwpan: fix clang compiler warning on absolute-value
- examples: fix wrongly used unsigned attribute
- build: hwsim: fix list of files needed for dist build

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Nick Hainke
9194cee553 wpan-tools: update to 0.8
Remove upstreamed patches:
- 001-src-nl_extras.h-fix-compatibility-with-libnl-3.3.0.patch

Changes:
- examples: add README with details to the various examples
- examples: af_ieee802154_tx example
- examples: af_ieee802154_rx example
- examples: add af_packet_rx example
- examples: af_inet6_rx example
- examples: af_packet_tx example
- examples: af_inet6_tx example
- examples: add .gitignore file for examples directory
- src/nl_extras.h: fix compatibility with libnl 3.3.0
- wpan-ping: add the support to set wpan-ping interval
- wpan-ping: Add the filtering function for frame receiving

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Nick Hainke
3707e5cbe3 wpan-tools: cleanup Makefile
- Use SPDX
- Add PKG_RELEASE
- Change wpan.cakelab.org to linux-wpan.org/wpan-tools.html
- Switch to github.com as PKG_SOURCE_URL

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Daniel Golle
d29722e6ff
xdp-tools: fix build with NLS enabled
Make sure the 'configure' shell script finds the libintl when linking
the test programs for discovering libpcap and libbpf.

Reported-by: @trippleflux
Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-07-06 22:38:20 +01:00
Nick Hainke
8288a4bbb3
xdp-tools: mark as nonshared
The SDK does not have the LLVM toolchain yet.

Hopefully fixes errors in the form:
  xsk_def_xdp_prog.c:4:10: fatal error: 'bpf/bpf_helpers.h' file not found
  #include <bpf/bpf_helpers.h>

Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-06 22:38:02 +01:00
Daniel Golle
6ad1bea2a6
xdp-tools: add package
xdp-tools - Library and utilities for use with the eXpress Data Path:
Fast Programmable Packet Processing in the Operating System Kernel

 * libxdp: library for attaching XDP programs and using AF_XDP sockets
 * xdp-filter: a simple XDP-powered packet filter
 * xdp-loader: an XDP program loader
 * xdpdump: tool for capturing packets at the XDP layer

Thanks to Nick @PolynomialDivision Hainke for testing and fixing!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-07-04 18:36:03 +01:00
Nick Hainke
86b0d3b00b tcpdump: update to 4.99.1
Adjust
- 100-tcpdump_mini.patch

Remove upstreamed patches:
- 101-CVE-2020-8037.patch
- 102-CVE-2018-16301.patch

Changelog:

  Wednesday, June 9, 2021 by gharris
  Summary for 4.99.1 tcpdump release
    Source code:
      Squelch some compiler warnings
      ICMP: Update the snapend for some nested IP packets.
      MACsec: Update the snapend thus the ICV field is not payload
        for the caller.
      EIGRP: Fix packet header fields
      SMB: Disable printer by default in CMake builds
      OLSR: Print the protocol name even if the packet is invalid
      MSDP: Print ": " before the protocol name
      ESP: Remove padding, padding length and next header from the buffer
      DHCPv6: Update the snapend for nested DHCPv6 packets
      OpenFlow 1.0: Get snapend right for nested frames.
      TCP: Update the snapend before decoding a MPTCP option
      Ethernet, IEEE 802.15.4, IP, L2TP, TCP, ZEP: Add bounds checks
      ForCES: Refine SPARSEDATA-TLV length check.
      ASCII/hex: Use nd_trunc_longjmp() in truncation cases
      GeoNet: Add a ND_TCHECK_LEN() call
      Replace ND_TCHECK_/memcpy() pairs with GET_CPY_BYTES().
      BGP: Fix overwrites of global 'astostr' temporary buffer
      ARP: fix overwrites of static buffer in q922_string().
      Frame Relay: have q922_string() handle errors better.
    Building and testing:
      Rebuild configure script when building release
      Fix "make clean" for out-of-tree autotools builds
      CMake: add stuff from CMAKE_PREFIX_PATH to PKG_CONFIG_PATH.
    Documentation:
      man: Update a reference as www.cifs.org is gone. [skip ci]
      man: Update DNS sections
    Solaris:
      Fix a compile error with Sun C

  Wednesday, December 30, 2020, by mcr@sandelman.ca, denis and fxl.
  Summary for 4.99.0 tcpdump release
    CVE-2018-16301: For the -F option handle large input files safely.
    Improve the contents, wording and formatting of the man page.
    Print unsupported link-layer protocol packets in hex.
    Add support for new network protocols and DLTs: Arista, Autosar SOME/IP,
      Broadcom LI and Ethernet switches tag, IEEE 802.15.9, IP-over-InfiniBand
      (IPoIB), Linux SLL2, Linux vsockmon, MACsec, Marvell Distributed Switch
      Architecture, OpenFlow 1.3, Precision Time Protocol (PTP), SSH, WHOIS,
      ZigBee Encapsulation Protocol (ZEP).
    Make protocol-specific updates for: AH, DHCP, DNS, ESP, FRF.16, HNCP,
      ICMP6, IEEE 802.15.4, IPv6, IS-IS, Linux SLL, LLDP, LSP ping, MPTCP, NFS,
      NSH, NTP, OSPF, OSPF6, PGM, PIM, PPTP, RADIUS, RSVP, Rx, SMB, UDLD,
      VXLAN-GPE.
    User interface:
      Make SLL2 the default for Linux "any" pseudo-device.
      Add --micro and --nano shorthands.
      Add --count to print a counter only instead of decoding.
      Add --print, to cause packet printing even with -w.
      Add support for remote capture if libpcap supports it.
      Display the "wireless" flag and connection status.
      Flush the output packet buffer on a SIGUSR2.
      Add the snapshot length to the "reading from file ..." message.
      Fix local time printing (DST offset in timestamps).
      Allow -C arguments > 2^31-1 GB if they can fit into a long.
      Handle very large -f files by rejecting them.
      Report periodic stats only when safe to do so.
      Print the number of packets captured only as often as necessary.
      With no -s, or with -s 0, don't specify the snapshot length with newer
        versions of libpcap.
      Improve version and usage message printing.
    Building and testing:
      Install into bindir, not sbindir.
      autoconf: replace --with-system-libpcap with --disable-local-libpcap.
      Require the compiler to support C99.
      Better detect and use various C compilers and their features.
      Add CMake as the second build system.
      Make out-of-tree builds more reliable.
      Use pkg-config to detect libpcap if available.
      Improve Windows support.
      Add more tests and improve the scripts that run them.
      Test both with "normal" and "x87" floating-point.
      Eliminate dependency on libdnet.
    FreeBSD:
      Print a proper error message about monitor mode VAP.
      Use libcasper if available.
      Fix failure to capture on RDMA device.
      Include the correct capsicum header.
    Source code:
      Start the transition to longjmp() for packet truncation handling.
      Introduce new helper functions, including GET_*(), nd_print_protocol(),
        nd_print_invalid(), nd_print_trunc(), nd_trunc_longjmp() and others.
      Put integer signedness right in many cases.
      Introduce nd_uint*, nd_mac_addr, nd_ipv4 and nd_ipv6 types to fix
        alignment issues, especially on SPARC.
      Fix many C compiler, Coverity, UBSan and cppcheck warnings.
      Fix issues detected with AddressSanitizer.
      Remove many workarounds for older compilers and OSes.
      Add a sanity check on packet header length.
      Add and remove plenty of bounds checks.
      Clean up pcap_findalldevs() call to find the first interface.
      Use a short timeout, rather than immediate mode, for text output.
      Handle DLT_ENC files *not* written on the same OS and byte-order host.
      Add, and use, macros to do locale-independent case mapping.
      Use a table instead of getprotobynumber().
      Get rid of ND_UNALIGNED and ND_TCHECK().
      Make roundup2() generally available.
      Resync SMI list
 against Wireshark.
      Fix many typos.

Co-Developed-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Michael Yartys
442708dfe2 wpa_supplicant: compile with OCV support
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
    driver indicates support for operating channel validation.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Michael Yartys
f60628f33c hostapd: enable compilation of OCV and add build feature discovery
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
    connect even if the STA doesn't send OCI or negotiate PMF.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Etienne Champetier
35fec487e3 iptables: default to ip(6)tables-nft
OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.

When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.

We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-06-29 00:57:56 +02:00
Stijn Tintel
6556cad99d hostapd: disable mbo by default
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.

Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-28 22:16:47 +03:00
Stijn Tintel
5c57f9bbea hostapd: support MBO in bss_transition_request
Support the use of MBO in the bss_transition_request ubus method.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
6eee983656 hostapd: introduce mbo option
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
eaad8dfc22 hostapd: enable MBO if 802.11ax is enabled
Multi Band Operation is required for 802.11ax certification, so let's
enable it if 802.11ax support is enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
48c321082c hostapd: add config symbol to enable MBO
Multi Band Operation aka Agile Multiband introduces new Transition
and Transition Rejection Reason Codes that should improve client
steering. Add a config symbol to enable it, and enable it by default for
the full variants.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:50 +03:00
Konstantin Demin
f98bb1ffe5 dropbear: cherry-pick upstream commit 544f28a0
Resolves #10081

Reported-By: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2022-06-27 00:57:15 +02:00
Nick Hainke
71b211d304 arptables: update to 0.0.5 and cleanup
Update to 0.0.5:

efae894 arptables 0.0.5 release
1f3c6bc libarptc: Simplify alloc_handle by using calloc()
4e5e23a Eliminate compiler warning about size passed to strncmp()
bf11d72 Add .gitignore
28b22d5 arptables: legacy renaming
988d6a4 arptables: cleanup sysvinit script
f4ab8f6 src: Remove support for libc5
047f37b src: Use stdint types
4bb2f83 arptables: Add MARK target
dbbe9f7 arptables: Add revision field for arptables userspace
935acea src: fix compilation warning
5700dbf src: cache in tree and use x_tables.h
4b7d6b0 arptables: remove dead dynamic hooks code
c299484 arptables: fix potential buffer overflow (author: dcb)
9fcaf70 arptables: add missing long option --set-counters and update documentation
36daba3 arptables: install man pages
f79b957 Add man pages for arptables-{save,restore}
c492c16 add GPL text
8f58693 fix potential buffer overflows reported by static analysis
ee4ec13 make static analysis tool happy (false positive)
b064d44 build an libarptc.a archive

Cleanup Makefile:
- Switch to release versions
- Use ftp(http) mirror
- Add PKG_LICENSE_FILES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-27 00:57:15 +02:00
Nick Hainke
fe5d3a4204 ethtool: update to 5.18
9eabf30 Release version 5.18.
2b3ddcb ethtool: fec: Change the prompt string to adapt to current situations
d660dde pretty: add missing message descriptions for rings
aaeb16a pretty: support u8 enumerated types
6b320b8 rings: add support to set/get cqe size
41fddc0 update UAPI header copies
42e6c28 help: fix alignment of rx-buf-len parameter
e1d0a19 ethtool.8: Fix typo in man page
37f0586 Release version 5.17.
8c2984c strset: do not put a pointer to a local variable to nlctx
8fd02a2 ioctl: add the memory free operation after send_ioctl call fails
b9f25ea ethtool: Add support for OSFP transceiver modules
6e79542 features: add --json support
5ed5ce5 Merge branch 'next' into  master
b90abbb man: document recently added parameters
51a9312 tunables: add support to get/set tx copybreak buf size
a081c2a rings: add support to set/get rx buf len
d699bab Merge branch 'master' into next
52db6b9 Merge branch 'review/module-extstate' into next
6407b52 monitor: add option for --show-module/--set-module
1f35786 ethtool: Add transceiver module extended state
2d4c5b7 ethtool: Add ability to control transceiver modules' power mode
005908b Update UAPI header copies

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-27 00:57:15 +02:00
Nick Hainke
a74a853d0d nftables: update to 1.0.4
Needs libnftnl 1.2.2.

3eb0da9f build: Bump version to 1.0.4
a964d1b5 tests: shell: remove leftover modules on cleanup
818f7dde evaluate: reset ctx->set after set interval evaluation
3835de19 tests: shell: sets_with_ifnames release netns on exit
59bd944f optimize: segfault when releasing unsupported statement

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Nick Hainke
879dd95f43 nftables: clean up Makefile
Add PKG_LICENSE_FILES. Use SPDX.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Nick Hainke
8704e75d25 nftables: update to 1.0.3
Remove backport:
- 001-examples-compile-with-make-check.patch

87fdf683 build: Bump version to 1.0.3
c4ec825b nft: simplify chain lookup in do_list_chain
4f6724f1 intervals: fix compilation --with-mini-gmp
4c20fe95 json: update json output ordering to place rules after chains
57741350 netlink_delinearize: release last register on exit
d6fdb0d8 sets_with_ifnames: add test case for concatenated range
88b2345a segtree: add pretty-print support for wildcard strings in concatenated sets
806ab081 netlink: swap byteorder for host-endian concat data
c224aa6b intervals: deletion should adjust range not yet in the kernel
ea1f1c9f optimize: memleak in statement matrix
0a6dbfce optimize: merge nat rules with same selectors into map
743b0e81 optimize: do not clone unsupported statement
c8b35039 optimize: incorrect logic in verdict comparison
fc4da141 src: fix always-true assertions
d1289bff intervals: set on EXPR_F_KERNEL flag for new elements in set cache
721b9dec tests: add concat test case with integer base type subkey
22b750aa src: allow use of base integer types as set keys in concatenations
3ed9fada intervals: build list of elements to be added from cache
e45b4939 intervals: fix deletion of multiple ranges with automerge
3b7b22ae intervals: add elements with EXPR_F_KERNEL to purge list only
ea31855d netlink: remove unused argument from helper function
48204bd7 intervals: Simplify element sanity checks
ab1b21be intervals: unset EXPR_F_KERNEL for adjusted elements
e0beff27 src: restore interval sets work with string datatypes
3e8d934e intervals: support to partial deletion with automerge
7a6e1604 evaluate: allow for zero length ranges
3da9643f intervals: add support to automerge with kernel elements
7b061e63 mnl: update mnl_nft_setelem_del() to allow for more reuse
fdb8e0ff src: remove rbtree datastructure
81e36530 src: replace interval segment tree overlap and automerge
f1cc44ed src: add EXPR_F_KERNEL to identify expression in the kernel
ad43b84e segtree: add support for get element with sets that contain ifnames
06db2308 segtree: use correct byte order for 'element get'
4c6681a7 tests: add testcases for interface names in sets
5e393ea1 segtree: add string "range" reversal support
2fb4d7ea src: make interval sets work with string datatypes
403936c1 evaluate: string prefix expression must retain original length
ada50f84 segtree: split prefix and range creation to a helper function
ae7d32fc evaluate: keep prefix expression length
d2b23984 evaluate: make byteorder conversion on string base type a no-op
c36ecfc2 tests: py: Add meta time tests without 'meta' keyword
6fa4ff56 tests: py: Don't colorize output if stderr is redirected
f561a0cc tests: monitor: Hide temporary file names from error output
75fea8a5 tests: py: extend meta time coverage
4460b839 meta: fix compiler warning in date_type_parse()
02100978 meta: time: use uint64_t instead of time_t
4e0026dc include: add missing `#include`
ab74fb5b examples: add .gitignore file
bcad4761 tests: py: add inet/vmap tests
214494aa optimize: Restore optimization for raw payload expressions
82762ab6 src: allow to use integer type header fields via typeof set declaration
64bb3f43 src: allow to use typeof of raw expressions in set declaration
ff0f30e3 expression: typeof verdict needs verdict datatype
60f5c107 src: copy field_count for anonymous object maps as well
4cf97abf rule: Avoid segfault with anonymous chains
4e718641 evaluate: init cmd pointer for new on-stack context
1ea71c23 optimize: do not assume log prefix
3f36cc6c optimize: do not merge unsupported statement expressions
19960c8d optimize: incorrect assert() for unexpected expression type
3de1dbd2 optimize: more robust statement merge with vmap
99eb4696 optimize: fix vmap with anonymous sets
e8f0fa21 scanner: Fix for ipportmap nat statements
59d184be scanner: dup, fwd, tproxy: Move to own scopes
069a0450 scanner: meta: Move to own scope
2165324d scanner: at: Move to own scope
a67fce7f scanner: nat: Move to own scope
578467c1 scanner: policy: move to own scope
a1669709 scanner: flags: move to own scope
020372d9 scanner: reject: Move to own scope
543bf3c2 scanner: import, export: Move to own scopes
88105810 scanner: reset: move to own Scope
8a7e430a scanner: monitor: Move to own Scope
e5547017 scanner: rt: Extend scope over rt0, rt2 and srh
04c95f14 scanner: type: Move to own scope
62a95698 scanner: dst, frag, hbh, mh: Move to own scopes
a060d912 scanner: ah, esp: Move to own scopes
4e215fdf scanner: osf: Move to own scope
5166b298 scanner: dccp, th: Move to own scopes
3e04a6e2 scanner: udp{,lite}: Move to own scope
bbdcfbfa scanner: comp: Move to own scope.
232f2c32 scanner: synproxy: Move to own scope
26b53653 scanner: tcp: Move to own scope
f5722119 scanner: igmp: Move to own scope
a7d8cca9 scanner: icmp{,v6}: Move to own scope
5d837d27 src: add tcp option reset support
1d507ce7 build: explicitly pass --version-script to linker
e98a9b83 libnftables.map: export new nft_ctx_{get,set}_optimize API
9eb98b3b tests: add test case for flowtable with owner flag
18a08fb7 examples: compile with `make check' and add AM_CPPFLAGS

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Stijn Tintel
33e7f7c028 hostapd: document ubus methods
Document the ubus methods we added to hostapd so that people don't have
to read code to figure out which methods are available and what they do.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-21 16:19:42 +03:00
Alin Nastac
289c46869b 464xlat: delete SNATed conntracks on interface teardown
Existing conntracks will continue to be SNATed to 192.0.0.1 even after
464xlat interface gets teared down. To prevent this, matching
conntracks must be killed.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2022-06-19 21:54:05 +02:00
David Bauer
dab91036d6 hostapd: update to 2022-06-02
4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response

Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-18 22:11:12 +02:00
Stijn Tintel
e8433fb433 firewall4: bump to git HEAD
11f5c7b fw4.uc: fix zone helper assignment
  b9d35ff fw4.uc: don't skip zone for unavailable helper
  e35e26b tests: add test for zone helpers
  a063317 ruleset: fix conntrack helpers
  e1cb763 ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
  11410b8 ruleset: reorder declarations & output tweaks
  880dd31 fw4: fix skipping invalid IPv6 ipset entries
  5994466 fw4: simplify `is_loopback_dev()`
  53886e5 fw4: fix crash in parse_cthelper() if no helpers are present
  11256ff fw4: add support for configurable includes
  3b5a033 tests: add test coverage for firewall includes
  d79911c fw4: support sets with timeout capability but without default expiry
  15c3831 fw4: add support for `option log` in rule and redirect sections

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-17 18:15:50 +03:00
David Bauer
574539ee2c hostapd: add owe_transition_ifname
Add the owe_transition_ifname config option to wifi-ifaces.

This allows to configure OWE transition VAPs without adding SSID / BSSID
to the uci conifg but instead autodiscovering these parameters from
other networks on the same PHY.

The following configuration creates a OWE transition mode network
constellation.

config wifi-iface 'open0'
	option device 'radio0'
	option ifname 'open0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FreeNet'
	option encryption 'none'
	option owe_transition_ifname 'owe0'

config wifi-iface 'owe0'
	option device 'radio0'
	option ifname 'owe0'
	option network 'lan'
	option mode 'ap'
	option ssid 'owe_tm.FreeNet'
	option encryption 'owe'
	option hidden '1'
	option owe_transition_ifname 'open0'

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-16 11:07:19 +02:00
Rafał Miłecki
d75bb744ea swconfig: parse "switch_vlan" before "switch_port"
Before this change UCI sections of both types were parsed in order as
specified in UCI. That didn't work well with all drivers (e.g. b53).

It seems that VLAN setup can reset / overwrite previously set ports
parameters. It resulted in "switch_port" options defined above
"switch_vlan"s being silently ignored.

Ideally swconfig & all drivers should be improved to handle that
properly but it'd be a waste of time at this point as DSA replaces
swconfig. Use this minor parsing change as a quick fix.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2022-06-15 10:44:32 +02:00
Robert Marko
f03b20837b hostapd: fix feature detection
Fix hostapd feature detection after the bump to 2022-05-08.
getopt was not updated correctly after upstream added support for -q arg.

This reenables feature detection so that LuCi can check for features like
SAE, fast roaming etc.

Fixes: c35ff1affe ("hostapd: update to 2022-05-08")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2022-06-12 23:03:36 +02:00
Stijn Tintel
bbce9f84ec iw: bump to 5.19
7e06706 iw: event: report missing radar events
  5909e73 iw: survey: add support for radio stats
  64bf570 update nl80211.h
  0900996 iw: print Radar background capability if supported
  56c6077 iw: print out assoc comeback event
  a4e5418 iw: support 160MHz frequency command for 6GHz band
  5a71b72 iw: Print local EHT capabilities
  e3287a1 station: print EHT rate information
  ff67fb2 iw: fix double tab in mesh path header
  05a5267 iw: fix 'upto' -> 'up to'
  00a2985 iw: handle VHT extended NSS
  82e0bd1 update nl80211.h
  c95877c info: add missing extended features
  0976378 info: refactor extended features
  79f20cb bump version to 5.19

Sync nl80211.h with our version of mac80211 and remove parts of the iw
code that are not supported by our version of mac80211.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-11 16:03:14 +03:00
David Bauer
b72c7db229 hostapd: fix missing HS20 support for hostapd-full
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.

How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.

Fix this and add Hotspot 2.0 capability to hostapd-full.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-08 23:17:09 +02:00
David Bauer
6ee4383350 hostapd: ubus: add bss-color to get_status
Add the current BSS color to hostapd get_status method. This field is
set to -1 in case BSS color is not active for the BSS.

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:20 +02:00
David Bauer
6c152ce5b0 hostapd: randomize default BSS color
In case no specific BSS color is configured, set it to a random value.

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:12 +02:00
David Bauer
c35ff1affe hostapd: update to 2022-05-08
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.

Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:06 +02:00
Bernd Naumann
98d91e4d5e hostapd: Radius based VLANs on AP with PSK
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.

Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.

`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.

A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.

This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.

```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 65

DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 67
```

Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.

I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.

Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
2022-06-08 16:04:04 +02:00
Stijn Tintel
d5e48a1e8e hostapd: drop wnm_disassoc_imminent
All known users of this ubus method have been updated to use the new
bss_transition_request method instead.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-06 11:19:20 +03:00
Daniel Golle
7eb83b2015
netifd: update to git HEAD
2e1fcf4 netifd: fix hwmode for 60g band
 39ef9fe interface-ip: fix memory corruption bug when using jail network namespaces

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-06-01 20:49:14 +01:00
Christian 'Ansuel' Marangi
419a7ad2dd uhttpd: update to latest Git HEAD
d59d732 client: fix compilation error with GCC 12
51283f9 fix compiler uninitialized variable

Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
2022-06-01 14:41:46 +02:00
Jo-Philipp Wich
a7ddef6ef1 firewall4: update to latest Git HEAD
210991d fw4: prefer /dev/stdin if available
4e5e322 fw4: make `fw4 restart` behavior more robust
221040e ruleset: emit time ranges when both start and stop times are specified
30a7d47 fw4: fix datetime parsing
fb9a6b2 ruleset: correct mangle_output chain type
6dd2617 fw4: fix logic flaw in testing hw flow offloading support
c7c9c84 fw4: ensure that negative bitcounts are properly translated
c4a78ed fw4: fix typo in emitted set types

Fixes: #9764, #9923, #9927, #9935, #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-31 21:17:37 +02:00
Felix Fietkau
24cc341fdc netifd: update to the latest version
4b4849cf5e5a interface-ip: unify host and proto route handling
507c0513d176 interface-ip: add support for excluding interfaces in host route lookup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-23 14:12:44 +02:00
Jo-Philipp Wich
2df17604a4 firewall4: update to latest Git HEAD
c22eeef fw4: support negative CIDR bit notation
628d791 hotplug: reliably handle interfaces with ubus zone hints
d005293 fw4: store zone associations from ubus in statefile as well
b268225 fw4: filter non hw-offload capable devices when resolving lower devices
57984e0 fw4: always resolve lower flowtable devices
7782017 tests: fix mocked `fd.read("line")` api
72b196d config: remove restictions on DHCPv6 allow rule
f0cc317 fw4: refactor family selection for forwarding rules
b0b8122 treewide: use modern syntax
05995f1 fw4: fix emitting device jump rules for family restricted zones
b479815 fw4: fix family auto-selection for config nat rules
2816a82 ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
2379c3d tests: add test coverage for zone family selection logic

Fixes: #5066, #9611, #9765, #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-20 19:53:04 +02:00
Tiago Gaspar
65258f5d60 firewall: config: remove restictions on DHCPv6 allow rule
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.

Fixes: #5066

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-04 15:26:16 +02:00
Jan Hoffmann
1daaef31b3 ltq-vdsl-app: disconnect when service is stopped
Stop the connection when the control daemon is terminated. The code is
a modified version of the termination routine in version 4.23.1 of the
daemon (which doesn't support VR9 modems anymore).

This could also be implemented by calling the acos and acs commands via
dsl_cpe_pipe.sh in the init script. However, doing it in the daemon
itself has the advantage of also working if it is terminated in another
way (for example during sysupgrade).

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
2022-05-04 01:38:04 +01:00
Daniel Golle
51c442c265
uqmi: update to git HEAD
56cb2d4 nas: add decoding of cell_id
 9a9019a uqmi: wms - added storage to read text messages

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-05-04 01:33:21 +01:00
Bruno Victal
0276fab649 dnsmasq: fix jail_mount for serversfile
Fix 'serversfile' option not being jail_mounted by the init script.

Signed-off-by: Bruno Victal <brunovictal@outlook.com>
2022-05-02 18:57:49 +01:00
David Bauer
f757a8a098 iwinfo: update to latest HEAD
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-27 00:54:24 +02:00
Daniel Golle
2b5fa44f60
dnsmasq: add logfacility file to jail mounts
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.

Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-25 19:28:12 +01:00
David Bauer
46980294f6 iwinfo: update to latest HEAD
a479b9b devices: remove whitespace
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-24 23:09:51 +02:00
Jo-Philipp Wich
af02a12d7c firewall4: update to latest Git HEAD
fc83d46 ruleset: set auto-merge directive for interval sets
9bce873 fw4: fix skipping invalid ipset entries
425ea8a fw4: fix applying zone flags for source bound rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-04-22 00:50:36 +02:00
Cezary Jackiewicz
e02fb42c53 comgt: support ZTE MF286R modem
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
ed7957810c comgt: ncm: try to detect interface for ttyACM ports
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.

Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
b2940bb8b2 comgt: ncm: select first available network interface for device
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
a67629bbe2 comgt: ncm: allow specification of interface name
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Daniel Golle
c5f113c43f
netifd: relax check in dhcp proto handler
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-13 19:51:00 +01:00
Rui Salvaterra
435d7a052b firewall3: bump to latest git HEAD
4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2022-04-13 17:08:17 +01:00
Eneas U de Queiroz
1135b75d1f nftables: add CONFLICT between versions
Have nftables-json conflict with nftables-nojson.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-04-11 21:41:03 +02:00
Konstantin Demin
65256aee23 dropbear: bump to 2022.82
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2022-04-09 19:31:31 +02:00
Felix Fietkau
0392644083 qosify: update to the latest version
92f5e18675bf interface: fix ifname present check in interface status
ef82defaae26 ubus: add active devices to bridger blacklist

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-08 13:07:47 +02:00
Jo-Philipp Wich
1a35ac9990 firewall4: update to latest Git HEAD
a378883 fw4: fix emitting family specific redirect rules without any addrs
11feddf fw4: bracketize IPv6 addresses in dnat addr:port notation
9972f7d fw4: ensure to capitalize weekday names
fde8070 treewide: forward compatibility changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-04-08 10:45:46 +02:00
David Bauer
f6445cfa1a hostapd: add ubus link-measurements notifications
Notify external ubus subscribers of received link-measurement reports.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:29 +02:00
David Bauer
965aa33a18 hostapd: add ubus method for requesting link measurements
Add a ubus method to request link-measurements from connected STAs.

In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:18 +02:00
David Bauer
2ca5c3da04 hostapd: add support for enabling link measurements
Allow external processes to enable advertisement of link-measurement RRM
capability.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:10 +02:00
Valentyn Datsko
76f55e3c3f
dnsmasq: add procd interface index tracking
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.

Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-06 17:32:42 +01:00
Felix Fietkau
64f629e207 bridger: add bridge forwarding accelerator
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-06 14:13:26 +02:00
Felix Fietkau
c38b2c5f16 qosify: update to the latest version
Replace the tc-full dependency with tc + libnl-tiny

1cd5e12eecdc loader/interface: attach bpf program directly using netlink

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-05 21:28:32 +02:00
Daniel Golle
ee7cb5e885
uqmi: fix acquiring PIN status
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.

Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-24 18:45:19 +00:00
Hans Dedecker
73c6d8fd04 odhcpd: update to git HEAD
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-03-22 22:03:37 +01:00
Felix Fietkau
af434e0da2 qosify: update to the latest version
57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-22 10:28:28 +01:00
Felix Fietkau
81f3c4dbcd qosify: update to the latest version
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-21 20:27:15 +01:00
Jan Hoffmann
b35d33c8b8 ltq-vdsl-app: set MAC address for vectoring error reports
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.

It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).

Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
2022-03-21 12:28:34 +00:00
Etienne Champetier
30c15d06e8 iptables: bump PKG_RELEASE
Following {arp,eb}tables-nft addition, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
66bb6dde36 iptables: add {arp,eb}tables-nft
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
c913be1da1 iptables: add xtables-nft package
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
afb6824a2c iptables: add xtables-legacy package
This allows to install ip6tables-legacy without iptables-legacy

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
905b49920f ebtables: rename to ebtables-legacy
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
2f5088ef5f arptables: rename package to arptables-legacy
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Josef Schlehofer
013b043564 iwinfo: update to latest Git head
Changelog:
90bfbb9 devices: Add Cypress CYW43455
234075b devices: fix AMD RZ608 format
0e2a318 devices: add AMD RZ608 device-id

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-19 16:13:58 +01:00
Felix Fietkau
54aab4e719 bpftools: fix library path on 64 bit systems
drop the use of LIB_SUFFIX

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 13:29:15 +01:00
Felix Fietkau
00cbf6f6ab bpftools: update to standalone bpftools + libbpf, use the latest version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 07:30:06 +01:00
Etienne Champetier
e9c99e0f7f iptables: backport missing init_extensions6() calls
This fixes ip6tables-nft no being able to use built-in
extensions like icmp6.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-13 19:24:13 +01:00
Florian Eckert
e5440ec871 ipset: add backport patch for IPv6 nftables ipset-translation
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.

Until this upsream is included in a new release, this patch should be
used in Openwrt.

https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-13 19:24:13 +01:00
Daniel Golle
2a801ee562
uqmi: update to git HEAD
44dd095 uqmi: corrected too short received SMS

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-12 11:07:27 +00:00
Lech Perczak
c8a88118af uqmi: set CID during 'query-data-status' operation
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-03-12 10:38:11 +00:00
Yousong Zhou
289fbc5102 iptables: add iptables-mod-socket
Previously libxt_socket.so was included in iptables-mod-tproxy.  It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages

Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-03-10 10:43:32 +08:00
Josef Schlehofer
d71928c1e3 nftables: update to version 1.0.2
Changelog:
https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/

Patches:

removed:
- 001-parser-allow-quoted-string-in-flowtable_expr_member:
it is now part of upstream release [1]

added:
- 001-examples-compile-with-make-check.patch:
backported from [2], it fixes:

nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
    3 | #include <nftables/libnftables.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

[1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
[2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-07 21:44:53 +01:00
Felix Fietkau
759149977e qosify: update to the latest version
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-06 23:01:24 +01:00
Hauke Mehrtens
921392e216 iproute2: Remove libxtables from some tc variants
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.

This allows to use tc without libxtables.

The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x    1 root     root        282453 Mar  1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x    1 root     root        282533 Mar  1 21:55 /usr/libexec/tc-full
-rwxr-xr-x    1 root     root        266037 Mar  1 21:55 /usr/libexec/tc-tiny

They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
        /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
        /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
        /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
        libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)

This is based on a patch from Tiago Gaspar.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-05 21:06:35 +01:00
Stijn Tintel
c2d7896a65 qosify: bump to git HEAD
interface: disable autorate-ingress by default

Also change the example config to reflect this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-04 20:37:05 +02:00
Stijn Tintel
1848b25cdd qosify: add PKG_RELEASE
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
2022-03-04 20:25:05 +02:00
Florian Eckert
ba6a48366f ipset: update to 7.15
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-01 21:17:30 +01:00
Paul Spooren
038d5bdab1 layerscape: use semantic versions for LSDK
PKG_VERSION should not contain the package name but the version only.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-03-01 00:01:18 +01:00
Etienne Champetier
d95b74f7c9 iptables: bump PKG_RELEASE
Following dependencies rework, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
39d50a2008 iptables: move libiptext* to their own packages
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
795e7155cb iptables: rename to ip(6)tables-legacy, add PROVIDES
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
316c406e62 iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtables
Those 2 configs are not specific to iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
d35a573004 iptables: make mod depend on libxtables
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
50d3271966 iptables: fix libnftnl/IPTABLES_NFTABLES dependency
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy

Also libxtables-nft depends on IPTABLES_NFTABLES

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Felix Fietkau
cbfce92367 qosify: update to the latest version
65b42032063f interface: add missing autorate-ingress options

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-20 18:13:14 +01:00
Petr Štetiar
d8bf730fe0 netifd: bump to version 2022-02-20
Contains following changes:

 136006b88826 cmake: fix usage of implicit library and include paths
 bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-20 10:52:55 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
David Bauer
6f78723977 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:45 +01:00
Hauke Mehrtens
8f5875c4e2 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-12 23:22:05 +01:00
Jo-Philipp Wich
0d1220acdf firewall4: update to latest Git HEAD
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-12 20:51:22 +01:00
Felix Fietkau
8072bf3322 qosify: update to the latest version
e230e71e0a12 map: fix copy-paste error in codepoints map
580d2ccf89f3 bpf: declare tcp_ports/udp_ports without typedef
8d6c19a81f3f ubus: fix a use-after-free bug

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-10 21:08:09 +01:00
Leonardo Mörlein
5406684087 wireguard-tools: allow generating private_key
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
2022-02-08 12:52:14 +01:00
David Bauer
04ed224543 hostapd: refresh patches
Refresh patches after updating to hostapd v2.10.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-08 00:21:41 +01:00
David Bauer
adb8c09a83 hostapd: update to v2.10
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-08 00:21:27 +01:00
Jo-Philipp Wich
ae75541594 firewall4: update to latest Git HEAD
a0518b6 fw4: gracefully handle unsupported hardware offloading
ac99eba init: fix boot action in init script

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 23:36:06 +01:00
Felix Fietkau
46e0eeb760 hostapd: automatically calculate channel center freq on chan_switch
Simplifies switching to different channels when on >= VHT80

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-07 17:01:18 +01:00
Jo-Philipp Wich
881a059977 uhttpd: update to latest Git HEAD
2f8b136 main: fix leaking -p/-s argument values
881fd3b ucode: adjust to latest ucode api
8b2868e file: specify UTF-8 as charset for dirlists, add option to override
3a5bd84 main: add ucode options to help text
16aa142 examples: add ucode handler example
3ceccd0 ucode: add ucode plugin support
f0f1406 examples: add example Lua handler script
9e87095 listen: avoid invalid memory access

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
2dd6777f15 firewall4: update to latest Git HEAD
b54f462 fw4: parse traffic rules before forwarding rules
4d5af8b fw4: consolidate helper code
300c737 fw4: fix applying zone family restrictions to forwardings
eb9c25a tests: implement fs.opendir() mock interface
d30ff48 tests: fix mocked fs.popen() trace log
52831a0 fw4: improve flowtable handling
7cb10c8 fw4: disable "flow_offloading_hw" option for now
b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
3b1692c463 netifd: update to latest Git HEAD
fd4c9e1 system-linux: expose hw-tc-offload ethtool feature in device status dump
3d76f2e system-linux: add wrapper function for creating link config messages
88af2f1 system-linux: delete bridge devices using netlink
85c3548 system-linux: create bridge devices using netlink

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Felix Fietkau
03ea0405a6 mac80211: backport MBSSID/EMA support patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Etienne Champetier
0e32c6baf3 iptables: add ip{,6}tables-legacy{,-restore,-save} symlinks
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00