Drop 030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch as pushed upstream
Added patches :
001-extensions_format-security_fixes_in_libip.patch
002-include_fix_build_with_kernel_headers_before_4_2.patch
101-remove-register-check.patch
The first and the second patch are upsteam fixes for compilation errors.
The third patch remove check if one target lib is already registred; this is caused by
shared libs that are loaded before the iptables execution.
Iptables changelog:
bba6bc6 (tag: v1.8.2) configure: bump versions for 1.8.2 release
61d6c38 xtables: add 'printf' attribute to xlate_add
5edb249 libxtables: xlate: init buffer to zero
9afd2a6 tests: shell: fix expected arptables-save output
6387941 arptables: fix --version info
d703c1f arptables: ignore --table argument.
d5754e3 arptables: make uni/multicast mac masks static
1b63e66 arptables: add test cases
5aecb2d arptables: pre-init hlen and ethertype
9677ed1 arptables: fix src/dst mac handling
ab0b6d5 arptables: fix target ip offset
c0c75ce arptables: fix -s/-d handling for negation and mask
3ac65af arptables: add basic test infra for arptables-nft
e31564f arptables: fix rule deletion/compare
2345ff6 arptables: remove code that is also commented-out in original arptables
50c2397 arptables-save: add -c option, like xtables-save
d9a518e arptables: use ->save for arptables-save, like xtables
5a52e6a extensions: test protocol and interface negation
85d7df9 xtables: Fix error return code in nft_chain_user_rename()
3ccb443 xtables: Clarify error message when deleting by index
95db364 xtables: Fix typo in do_command() error message
5f508b7 ebtables: use extrapositioned negation consistently
583b27e ebtables-save: add -c option, using xtables-style counters
e6723ab nft: add NFT_TABLE_* enumeration
21ec111 nft: replace nft_chain_dump() by nft_chain_list_get()
05947c8 iptables-nft: fix -f fragment option
7bd9feb libxtables: add and use mac print helpers
a10eb88 extensions: libebt_ip: fix tos negation
9b127b7 extensions: libebt_ip6: fix ip6-dport negation
c59ba1b xtables-nft: make -Z option work
1bf4a13 nft: add missing error string
a9f9377 iptables-tests: add % to run iptables commands
b81c8da iptables-tests: do not append xtables-multi to external commands
edf2b7c ebtables-nft: add arpreply target
2d1372e ebtables: add redirect test case
c3e8dbd ebtables: add test cases
cd90cef ebtables: relax -t table restriction, add snat/dnat test cases
fd95f1f ebtables: fix -j CONTINUE handling for add/delete
fb747f8 tests: add basic ebtables test support
d4bc5a3 iptables-nft: fix bogus handling of zero saddr/daddr
9ff9915 iptables-test: fix netns test
8c918db xtables: Fix for matching rules with wildcard interfaces
b2fc2a3 extensions: limit: unbreak build without libnftnl
682f39a xtables: Fix for spurious errors from iptables-translate
90f7dc3 (tag: v1.8.1) configure: bump versions for 1.8.1 release
0123183 iptables-test: add -N option to exercise netns removal path
abae556 libxtables: expose new etherdb lookup function through libxtables API
c2d9ed9 libxtables: prefix exported new functions for etherdb lookups
5a44360 Revert "extensions: libxt_quota: Allow setting the remaining quota"
2673faf xtables: Remove target_maxnamelen field
8ca3436 extensions: cgroup: fix option parsing for v2
0a8f2bc extensions: libxt_quota: Allow setting the remaining quota
b373a91 nft-shared: Use xtables_calloc()
5a40961 arptables: Use the shared nft_ipv46_parse_target()
9f07503 Combine parse_target() and command_jump() implementations
7373297 Combine command_match() implementations
a76ba54 libiptc: NULL-terminate errorname
a3716cc libxtables: Check extension real_name length
0195b64 iptables: Gitignore xtables-{legacy, nft}-multi scripts
671e40a xtables: Drop pointless check
7c9a152 arptables: Fix incorrect strcmp() in nft_arp_rule_find()
11e91a4 xtables: Don't read garbage in nft_ipv4_parse_payload()
d95c1e8 libxtables: Use posix_spawn() instead of vfork()
7e50eba Fix a few cases of pointless assignments
f40ce2d extensions: libebt_ip{, 6}: Drop pointless error checking
47fb86c nft-arp: Drop ineffective conditional
80aae9b iptables: Use print_ifaces() from xtables
8da04ff Share print_ipv{4,6}_addr() from xtables
b686594 iptables-apply: Replace signal numbers by names
f175dee iptables-apply: Quote strings passed to echo
52aa150 nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()
61ebf3f libxtables: Don't read garbage in xtables_strtoui()
ab639f2 libxtables: Avoid calling memcpy() with NULL source
22ef371 libiptc: Simplify alloc_handle() function signature
6b7145f libxt_time: Drop initialization of variable 'year'
749d3c2 libxt_ipvs: Avoid potential buffer overrun
8e798e0 libxt_conntrack: Avoid potential buffer overrun
74eb239 libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION
d0c1f1b libxt_LED: Avoid string overrun while parsing led-trigger-id
23ef6f0 xtables: Remove unused variable in nft_is_table_compatible()
4e499d5 ip{, 6}tables-restore: Fix for uninitialized array 'curtable'
1788f54 Mark fall through cases in switch() statements
31f1434 libxtables: Integrate getethertype.c from xtables core
7ae4fb1 xtables: Fix for wrong assert() in __nft_table_flush()
8c786a3 nfnl_osf: Drop pointless check in xt_osf_strchr()
6fc7762 libxt_string: Fix array out of bounds check
2a68be1 xtables-save: Ignore uninteresting tables
f9efc8c extensions: add cgroup revision 2
9b8cb16 extensions: REJECT: Merge reject tables
56d7ab4 libxt_string: Avoid potential array out of bounds access
bfd41c8 ebtables: Fix for potential array boundary overstep
e6f9867 libiptc: Avoid side-effect in memset() calls
4144571 libxtables: Fix potential array overrun in xtables_option_parse()
9242b5d xtables: Accept --wait in iptables-nft-restore
c9f4f04 xtables: Don't check all rules for being compatible
15606f2 doc: Improve layout of u32 instructions
7345037 xtables-restore: Fix flushing referenced custom chains
7df11d1 xtables: Drop use of IP6T_F_PROTO
b6a06c1 xtables: Align return codes with legacy iptables
3bb497c xtables: Fix for deleting rules with comment
0800d9b ip6tables-translate: Fix libip6t_mh.txlate test
4cf650c ebtables-translate: Fix for libebt_limit.txlate
783e9c2 xtables: Add missing deinitialization
9771d06 ebtables: Review match/target lookup once more
85ed1ab extensions: libebt_mark: Drop mark_supplied check
6a46ca0 xtables: Add a few missing exit calls
acde6be ebtables-translate: Fix segfault while parsing extension options
2c4e4d2 ebtables: trivial: Leverage C99-style initializers a bit more
9f5b28a xlate-test: Fix for calling wrong command name
1a878a7 extensions: AUDIT: Provide translation
5ee03e6 xtables: Use meta l4proto for -p match
37b68b2 xtables: Fix for segfault when registering hashlimit extension
92f7b04 xtables: Fix for segfault in iptables-nft
294f9ef ebtables: Fix entries count in chain listing
6f29aa8 xtables: Make 'iptables -S nonexisting' return non-zero
7bccf30 ebtables: Fix for listing of non-existent chains
3d9a13d xtables: Fix for no output in iptables-nft -S
a33c6fd arptables: Drop extensions/libxt_mangle.c
02b8097 ebtables: Merge libebt_limit.c into libxt_limit.c
5de8dcf xtables: Use native nftables limit expression
514de48 ebtables: Remove flags misinterpretations
528cbf9 xtables: Fix for wrong counter format in -S output
9ca32c4 xtables: Don't pass full invflags to add_compat()
e055aeb xtables: Improve xtables-monitor first impression
b925733 tests: Fix skipping for recent nft-only tests
277f374 xtables: Spelling fixes in xtables-monitor
a9d9f64 xtables: Fix potential segfault in nft_rule_append()
fbf0bf7 tests: Add ebtables-{save,restore} testcases
f1d8508 tests: Add arptables-{save,restore} testcases
63c3dae xtables: Implement arptables-{save,restore}
aa7fb04 ebtables: Review match/target lookup
3f123dc ebtables-restore: Use xtables_restore_parse()
295d5a8 xtables-restore: Make COMMIT support configurable
1679b2c xtables-restore: Improve user-defined chain detection
2ce9f65 xtables: Match verbose ip{,6}tables output with legacy
cd79556 xtables: Reserve space for 'opt' column in ip6tables output
0357254 xtables: Print error when listing non-existent chains
206033e xtables: Fix for no output on first iptables-nft invocation
a0698de xtables: Do not count rules as chain references
d11b6b8 arptables: Fix jumps into user-defined chains
3f27955 arptables: Fix opcode printing in numeric output
f988fe4 xtables: Fix symlinks/names for ebtables-{save, restore}
3319c61 ebtables: Support --init-table command
3ec8aac arptables: Print policy only for base chains
83bc189 arptables: Fix for trailing spaces in output
aaed1b6 arptables: Fix memleaks in do_commandarp()
d67d85d ebtables: Print non-standard target parameters
2e478e9 ebtables: Fix match_list insertion
a192f03 ebtables: Fix for wrong program name in error messages
a2ed880 xshared: Consolidate argv construction routines
1cc0918 xshared: Consolidate parse_counters()
78b9d43 Consolidate DEBUGP macros
14ad525 xtables: Fix program name in xtables_error()
f7bbdb0 xtables: Use correct built-in chain count
ae574b2 xtables: Fix compilation with NLDEBUG defined
82d278c xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
c2895ea xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
89d3443 xtables: Fix for nft_rule_flush() returning garbage
c259447 xtables: Allocate rule cache just once
ed30b93 nft: don't print rule counters unless verbose
31e4b59 iptables-restore: free the table lock when skipping a table
f8e29a1 xtables: avoid bogus 'is incompatible' warning
6ea7579 nft: decode meta l4proto
922508e xtables: implement ebtables-{save,restore}
25ef908 xtables: introduce nft_init_eb()
de8574a xtables: parameter to add_argv() may be const
6f60f22 xtables: pass format to nft_rule_save()
f3b772c xtables: introduce save_chain callback
fa1681f xtables: rename {print,save}_rule functions
444d581 xtables: get rid of nft_ipv{4,6}_save_counters()
34e1e23 xtables: eliminate nft_ipv{4,6}_rule_find()
de782e8 xtables: merge nft_ipv{4,6}_parse_target()
ae8eece xtables: get rid of nft_ipv{4,6}_print_header()
2687794 xtables: arp: make rule_to_cs callback private
1bf73c4 xtables: Use new callbacks in nft_rule_print_save()
1866625 xtables: introduce rule_to_cs/clear_cs callbacks
0589457 xtables: simplify struct nft_xt_ctx
d9c6a5d xtables: merge {ip,arp}tables_command_state structs
87b5b9e iptables: replace memset by c99-style initializers
907da5c xtables: fix crash if nft_rule_list_get() fails
565a223 xtables: Support nft suffix for arptables and ebtables
c468f01 tests: check iptables retval, not echo
47d1484 iptables: tests: add test for iptables-save and iptables-restore
e4e0704 extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
17c66a5 iptables: tests: shell: Add README
6c2118c (tag: v1.8.0) configure: bump version and libnftnl dependency
7b66fc2 man: clarify translate tools do not modify any state
f7fec51 xtables-monitor: add --version option
b470b8e xtables-legacy: fix argv0 name for ip6tables-legacy
2028e54 xtables: display legacy/nf_tables flavor in error messages, too
fd8d7d7 ebtables-nft: add stp match
f15639b tests: add script that mimics firewalld startup
27f7db2 tests: fix variable name to multi-binary
2a89ec5 tests: add a few simple tests for list/new/delete
37d9d5b ebtables-nft: make -L, -X CHAINNAME work
816bd1f ebtables-nft: remove exec_style
b81708f ebtables-nft: don't crash on ebtables -X
de02a75 doc: fix some spellos and the dash escape
dcf4529 tests: add firewalld default ruleset from fedora 27
f23abd5 tests: add another ipv4 only ruleset
ed9cfe1 tests: add initial save/restore test cases
9933dc5 tests: adapt test suite to run with legacy+nftables based binaries
be70918 xtables: rename xt-multi binaries to -nft, -legacy
d49ba50 xtables-restore: init table before processing policies
344c6eb doc: Fix spelling error in hashlimit section
e063873 tests: make duplicate test work
d26c538 xtables: add xtables-monitor
db84371 xtables: translate nft meta trace set 1 to -j TRACE
20eac2a xtables: warn in case old-style (set/getsockopt) tables exist
c9f5e18 xtables: add nf_tables vs. legacy postfix to version strings
e5fed16 iptables8.in: Update coreteam names
672accf include: update kernel netfilter header files
856a875 xtables: silence two compiler warnings
ae6e159 xtables: remove dead code inherited from ebtables
107b7eb configure: add -Wlogical-op warning to cflags
bc7f49d ebtables-translate: remove --change-counters code
38b4166 iptables: tests: shell: add shell test-suite
1e6427a xtables-compat: skip invalid tables
cb368b6 xtables: more error printing fixes
b1b828f xtables: homogenize error message
4caa559 xtables: initialize basechains for rule flush command too
9b89622 xtables: rework rule cache logic
01e25e2 xtables: add chain cache
8d190e9 xtables: initialize basechains only once on ruleset restore
0a86351 xtables-compat: ignore '+' interface name
125d1ce xtables-compat: append all errors into single line
437746c xtables: extended error reporting
d1c79cd xtables: allocate struct xt_comment_info for comments
4e20209 xtables: use libnftnl batch API
49709e2 xtables-compat: remove nft_is_ruleset_compatible
03e1377 xtables: allow dumping of chains in specific table
94fd83d xtables: inconsistent error reporting for -X and no empty chain
c4f1622 ebtables-compat: add arp match extension
24ce746 ebtables-compat: add redirect match extension
84c04e3 ebtables-compat: add nat match extensions
14ec998 xtables-compat: ebtables: prefer snprintf to strncpy
5e2b473 xtables-compat: extend generic tests for masks and wildcards
1a696c9 libxtables: store all requested match types
bb436ce xtables-compat: ip6table-save: fix save of ip6 address masks
6454d7d ebtables-translate: suppress redundant protocols
07f4ca9 xtables-compat: ebtables: allow checking for zero-mac
0ca2d2a xtables-compat: ebtables: add helpers to print interface and mac addresses
3d9f300 xtables-compat: ebtables: remove interface masks from ebt_entry struct
20e2758 xtables-compat: ebtables: fix logical interface negation
2682bb0 xtables-compat: ebtables: add and use helper to parse all interface names
564862d xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall
0ae81d0 xtables-compat: ebtables: kill ebtables_command_state
651cfee xtables-compat: pass correct table skeleton
652b98e xtables-compat: fix wildcard detection
49f4993 extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid
429143b extensions: libxt_CONNMARK: incorrect translation after v2
db7b4e0 extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
155e1c0 extensions: libip6t_srh: support matching previous, next and last SID
f4ffda1 extensions: libipt_DNAT: tests added for shifted portmap range
6a9ffb1 xtables-compat-restore: flush table and its content with no -n
07ae37c xtables-compat: fix bogus error with -X and no user-defined chains
df3d92b xtables-compat-restore: flush user-defined chains with -n
ca16584 xtables-compat-restore: flush rules and delete user-defined chains
ac1e85a extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
e25d99a xtables-compat: pass larger socket buffer
838746e xtables-compat: xtables-save: don't return 1
2211679 xtables-compat: ebtables: support concurrent option
a77a7d8 iptables-test: fix bug with rateest
de87405 xtables-compat: fix ipv4 frag (-f)
c7b2fd6 xtables-compat: also check tg2->userspacesize
5685938 xtables-compat: avoid unneeded bitwise ops
b9d7b49 xtables-compat: restore: sync options with iptables-restore
c0ef861 extensions: add xlate test for ipables -f
d79a7f1 xtables-compat: output -s,d first during save, just like iptables
d1eb4d5 iptables-compat: chains are purge out already from table flush
09f0d47 iptables-compat: do not fail on restore if user chain exists
8798eb8 iptables-compat: remove non-batching routines
b633ef9 xtables.conf: fix hook skeletons
7af2178 xtables-compat: fall back to comment match in case name is too long
e9aeecf xlate-test: use locally installed xlate tools
0ab58e3 xtables-compat: ebtables: handle mac masks properly
734ad40 xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds
fb7ae9f xtables-compat: truncate comments to 254 bytes
36976c4 extensions: libipt_DNAT: support shifted portmap ranges
d7ac61b iptables-test: add nft switch and test binaries from git
992e17d xtables-compat: only fetch revisions for ip/ip6
12a52ff xtables: Fix rules print/save after iptables update
1197c5e xtables: Register all match/target revisions supported by us and kernel
e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time
3b2530c xtables: Do not register matches/targets with incompatible revision
d3f1437 xtables: Introduce and use common function to print val[/mask] arguments
29b1d97 xtables: Introduce and use common function to parse val[/mask] arguments
56aadc0 extensions: Initialize linear mapping of symbols in _init() of extension
79c2da9 extensions: ULOG: remove test
a0956ce ebtables-translate: turn off useless compat queries
9840869 nft: arptables: remove obsolete forward hook definition
7a37d14 iptables-compat: statify nft_restart()
a3aac1d iptables-compat: handle netlink dump EINTR errors
a567dc3 ebtables-compat: add 'vlan' match extension
7564bba ebtables-compat: add 'pkttype' match extension
4d40904 ebtables-translate: update table name on -t
5c8ce9c ebtables-compat: add 'ip6' match extension
8a85a14 libebt_ip: fix translations for tos and icmp
b6f0bec libebt_ip: add icmp support
f38ed1e xt-translate: quote interface names in translated output
71a6e37 icmp: split icmp type printing to header file
e67c088 ebtables-translate: add initial test cases
207dd5e xt-compat: add ebtables-translate
d988274 xlate-translate: split common parts into helper
1650806 xtables-eb: export 3 functions
6b2041c nft-bridge: add eb-translate backend functions
3063c37 nft-bridge: fix mac address printing
394a400 nft: fix crash when getprotobynumber() returns 0
6a1dbdf ebtables-compat: support intra-positioned negations
3e94f0a nft-bridge: add forward declaration for struct nftnl_rule
5024efe libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'
ce3c780 nft: make nft_init self-contained
cb151d5 xtables-translate: rm duplicate includes
69c089b xt-compat: constify a few struct members
03ecffe ebtables-compat: add initial translations
57af67d iptables: constify option struct
88231c4 ebtables-compat: load mark target
6b4e167 ebtables-compat: don't make failing extension load fatal
24110b5 libxt_comment: silence truncation warning
98fc8ce xtables-compat: only validate the xtables builtin tables
9d9b724 xtables-compat: skip unsupported tables
59d15cf xtables-compat: also validate priorities and hook points match expected values
eb35854 xtables-compat: fix snprintf truncation warnings
fc04c8a extensions: CLUSTERIP: do not allow --local-node 0
eb2c052 extensions: CLUSTERIP: add tests
ca3c397 iptables: add xtables-translate.8 manpage
5beb158 extensions: libxt_bpf: Fix build with old kernel versions
147a891 extenstions: ecn: add tcp ecn/cwr translation
ed928a8 extensions: add tests for comp match options
632ace7 xtables-compat-multi.c: Allow symlink of ebtables
d7ccc68 iptables: add xtables-compat.8 manpage
043da5b extensions: connmark: remove non-working translation
a93b502 extensions: prefer plain 'set' over 'set mark and'
577b7e2 xtables-compat-restore: use correct hook priorities
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
For the parameters tls-cipher and ncp-ciphers more than one option can
be used in the OpenVPN configuration, separated by a colon, which should
be implemented as a list in order to configure it more clearly. By
adding the new OPENVPN_LIST option to the openvpn.options file with the
tls-cipher and ncp-cipher parameters, uci can now add this option as a
"list" and the init script will generate the appropriate OpenVPN
configuration from it.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Update the OpenVPN package to version 2.4.6, refresh patches and drop
menuconfig options which are not supported upstream anymore.
Also fix the x509-alt-username configure flag - it is not supported
by mbedtls and was syntactically wrong in the Makefile - and the
port-share option which has been present in menuconfig but not been
used in the Makefile.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
dfa4ede interface: fix return code of __interface_add()
a82a8f6 netifd: fix resource leak on error in netifd_add_dynamic()
fa2403d config: fix resource leaks on error in config_parse_interface()
85de9de interface: fix memory leak on error in __interface_add()
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* chacha20,poly1305: fix up for win64
* poly1305: only export neon symbols when in use
* poly1305: cleanup leftover debugging changes
* crypto: resolve target prefix on buggy kernels
* chacha20,poly1305: don't do compiler testing in generator and remove xor helper
* crypto: better path resolution and more specific generated .S
* poly1305: make frame pointers for auxiliary calls
* chacha20,poly1305: do not use xlate
This should fix up the various build errors, warnings, and insertion errors
introduced by the previous snapshot, where we added some significant
refactoring. In short, we're trying to port to using Andy Polyakov's original
perlasm files, and this means quite a lot of work to re-do that had stableized
in our old .S.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4b83102 treewide: switch to C-code style comments
70506bf treewide: make some functions static
d9872db interface: fix removal of dynamic interfaces
2f7ef7d interface: rework code to get rid of interface_set_dynamic
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Zinc no longer ships generated assembly code. Rather, we now
bundle in the original perlasm generator for it. The primary purpose
of this snapshot is to get testing of this.
* Clarify the peer removal logic and make lifetimes more precise.
* Use READ_ONCE for is_valid and is_dead.
* No need to use atomic when the recounter is mutex protected.
* Fix up macros and annotations in allowedips.
* Increment drop counter when staged packets are dropped.
* Use static constants instead of enums for 64-bit values in selftest.
* Mark large constants as ULL in poly1305-donna64.
* Fix sparse warnings in allowedips debugging code.
* Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can
carefully control the lifetime of these functions and ensure they never
execute after dropping the last reference.
* Cleanup hashing in ratelimiter.
* Do not guard timer removals, since del_timer is always okay.
* We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a
bit more general.
* Set csum_level to ~0, since the poly1305 authenticator certainly means
that no data was modified in transit.
* Use CHECKSUM_PARTIAL check for skb_checksum_help instead of
skb_checksum_setup check.
* wg.8: specify that wg(8) shows runtime info too
* wg.8: AllowedIPs isn't actually required
* keygen-html: add missing glue macro
* wg-quick: android: do not choke on empty allowed-ips
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
SSIDs may contain UTF8 characters but ideally hostapd should be told
this is the case so it can advertise the fact. Default enable this
option.
add uci option utf8_ssid '0'/'1' for disable/enable e.g.
config wifi-iface
option utf8_ssid '0'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This patch reverts commit 2dc1f54b12 as it
breaks the build for me on x86-64 if I've IPV6 support disabled. Same config
builds fine on `openwrt-18.06` branch at 55d078b2.
$ grep IPV6 .config
# CONFIG_KERNEL_IPV6 is not set
# CONFIG_IPV6 is not set
Build errors out on:
Package libiptc is missing dependencies for the following libraries:
libip6tc.so.0
Looking at iptables-1.6.2/libiptc/Makefile.am:
libiptc_la_LIBADD = libip4tc.la libip6tc.la
and to iptables-1.6.2/libiptc/libiptc.pc.in:
Requires: libip4tc libip6tc
It seems that libiptc needs v4/v6 libs, so v6 isn't optional.
Cc: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
8a1ad80 Release version 4.19.
ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
98c148e ethtool: better syntax for combinations of FEC modes
d4b9f3f ethtool: support combinations of FEC modes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update to the latest version of iproute2; see https://lwn.net/Articles/769354/
for a full overview of the changes in 4.19.
Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add configure argument --disable-ipv6 when ipv6 is deselected.
Add fix-non-ipv6-builds.patch as long there is no new upstream
release.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed
CVEs in the commit message; this commit fixes this.
The following CVEs were fixed in 7.62.0 :
CVE-2018-16839
CVE-2018-16840
CVE-2018-16842
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Install following as config files (600) perms instead of as data (644)
/usr/share/dnsmasq/dhcpbogushostname.conf
/usr/share/dnsmasq/trust-anchors.conf
/usr/share/dnsmasq/rfc6761.conf
/etc/hotplug.d/ntp/25-dnsmasqsec
/etc/config/dhcp
/etc/dnsmasq.conf
dnsmasq reads relevant config files before dropping root privilege and
running as dnsmasq:dnsmasq
ntpd runs as root so the hotplug script is still accessible
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed
ip variants are not meant to be called directly
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
125cbee system-linux: fix a typo in gre tunnel data parsing logic
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Make inclusion of the destination option header containing the tunnel
encapsulation limit configurable for IPv6 GRE packets.
Setting the uci parameter encaplimit to ignore; allows to disable the
insertion of the destination option header in the IPv6 GRE packets.
Otherwise the tunnel encapsulation limit value can be set to a value
from 0 till 255 by setting the encaplimit uci parameter accordingly.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and
is intended to support 11r & 11w (subject to driver support) out of the
box.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.
Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This patch fixes jailed dnsmasq running into the following issue:
|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash
Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
53792c9 fix typo
df07182 Update German translation.
Remove local patch 001-fix-typo which is a backport of the above 53792c9
There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This adds support for the WPA3-Enterprise mode authentication.
The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.
This does not increase the ipkg size by a significant size.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.
This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.
This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.
This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.
The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.
This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.
The resulting binaries should be the same.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Check pin count value from pin status and stop verification the pin if
the value is less then 3. This should prevent the proto-handler to
lock the SIM. If SIM is locked then the PUK is needed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Load the json output from uqmi --get-pin-status command and evaluate the
"pin1_status" value.
The following uqmi "pin1_status" values are evaluated:
- disabled
Do not verify PIN because SIM verification is disabled on this SIM
- blocked
Stop qmi_setup because SIM is locked and a PUK is required
- not_verified
SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is
specified
- verified:
Do not verify the PIN because this was already done before
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
QMI proto setup-handler will wait forever if SIM does not get initialized.
To fix this stop polling pin status and notify netifd. Netifd will generate
then a "ifup-failed" ACTION.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
QMI proto setup-handler will wait forever if it is unable to registrate to
the mobile network. To fix this stop polling network registration status
and notify netifd. Netifd will generate then a "ifup-failed" ACTION.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This value will be used for now during following situations:
* Ask the sim with the uqmi --get-pin-status command.
* Wait for network registration with the uqmi --get-serving-system command.
This two commands wait forever in a while loop. Add a timeout to stop
waiting and so inform netifd.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Move uqmi std and error output on commands without using them to /dev/null.
This will remove useless outputs in the syslog.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames. Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.
Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.
/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.
dhcp-name-match=set:dhcp_bogus_hostname,localhost
Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.
To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.
Backport two patches to fix this. The first one is just a requirement
for the later to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporing the commit
10887b59c7e7 ("fix --txstart-time report messages").
Fixes: 457e6d5a27 ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* Account for big-endian 2^26 conversion in Poly1305.
* Account for big-endian NEON in Curve25519.
* Fix macros in big-endian AArch64 code so that this will actually run there
at all.
* Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
* Call simd_relax() within any preempt-disabling glue code every once in a
while so as not to increase latency if folks pass in super long buffers.
* Prefer compiler-defined architecture macros in assembly code, which puts us
in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
* Non-static symbols are prefixed with wg_ to avoid polluting the global
namespace.
* Return a bool from simd_relax() indicating whether or not we were
rescheduled.
* Reflect the proper simd conditions on arm.
* Do not reorder lines in Kbuild files for the simd asm-generic addition,
since we don't want to cause merge conflicts.
* WARN() if the selftests fail in Zinc, since if this is an initcall, it won't
block module loading, so we want to be loud.
* Document some interdependencies beside include statements.
* Add missing static statement to fpu init functions.
* Use union in chacha to access state words as a flat matrix, instead of
casting a struct to a u8 and hoping all goes well. Then, by passing around
that array as a struct for as long as possible, we can update counter[0]
instead of state[12] in the generic blocks, which makes it clearer what's
happening.
* Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86,
and the other implementations do not require that kind of alignment either.
* Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so
that we can build code that uses umull.
* Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config
variables consistently throughout.
* Document rationale for the 2^26->2^64/32 conversion in code comments.
* Convert all of remaining BUG_ON to WARN_ON.
* Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old
ISAs via the macro in <asm/assembler.h>.
* Do not allow WireGuard to be a built-in if IPv6 is a module.
* Writeback the base register and reorder multiplications in the NEON x25519
implementation.
* Try all combinations of different implementations in selftests, so that
potential bugs are more immediately unearthed.
* Self tests and SIMD glue code work with #include, which lets the compiler
optimize these. Previously these files were .h, because they were included,
but a simple grep of the kernel tree shows 259 other files that carry out
this same pattern. Only they prefer to instead name the files with a .c
instead of a .h, so we now follow the convention.
* Support many more platforms in QEMU, especially big endian ones.
* Kernels < 3.17 don't have read_cpuid_part, so fix building there.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
33523a5 version: bump snapshot
0759480 curve25519-hacl64: reduce stack usage under KASAN
b9ab0fc chacha20: add bounds checking to selftests
2e99d19 chacha20-mips32r2: reduce stack and branches in loop, refactor jumptable handling
d6ac367 qemu: bump musl
28d8b7e crypto: make constant naming scheme consistent
56c4ea9 hchacha20: keep in native endian in words
0c3c0bc chacha20-arm: remove unused preambles
3dcd246 chacha20-arm: updated scalar code from Andy
6b9d5ca poly1305-mips64: remove useless preprocessor error
3ff3990 crypto-arm: rework KERNEL_MODE_NEON handling again
dd2f91e crypto: flatten out makefile
67a3cfb curve25519-fiat32: work around m68k compiler stack frame bug
9aa2943 allowedips: work around kasan stack frame bug in selftest
317b318 chacha20-arm: use new scalar implementation
b715e3b crypto-arm: rework KERNEL_MODE_NEON handling
77b07d9 global: reduce stack frame size
ddc2bd6 chacha20: add chunked selftest and test sliding alignments and hchacha20
2eead02 chacha20-mips32r2: reduce jumptable entry size and stack usage
a0ac620 chacha20-mips32r2: use simpler calling convention
09247c0 chacha20-arm: go with Ard's version to optimize for Cortex-A7
a329e0a chacha20-mips32r2: remove reorder directives
3b22533 chacha20-mips32r2: fix typo to allow reorder again
d4ac6bb poly1305-mips32r2: remove all reorder directives
197a30c global: put SPDX identifier on its own line
305806d ratelimiter: disable selftest with KASAN
4e06236 crypto: do not waste space on selftest items
5e0fd08 netlink: reverse my christmas trees
a61ea8b crypto: explicitly dual license
b161aff poly1305: account for simd being toggled off midway
470a0c5 allowedips: change from BUG_ON to WARN_ON
aa9e090 chacha20: prefer crypto_xor_cpy to avoid memmove
1b0adf5 poly1305: no need to trick gcc 8.1
a849803 blake2s: simplify final function
073f3d1 poly1305: better module description
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Bump to latest test release:
3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)
Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
musl doesn't come with an valid implementation of `sched_getscheduler()`;
it simply returns -ENOSYS for it. Without this option (and compile dante
with `sched_getscheduler()` enabled), you will get
error: serverinit(): sched_getscheduler(2): failed to retrieve current
cpuscheduling policy: Function not implemented
and dante won't start at all.
Ref: http://lists.alpinelinux.org/alpine-devel/3932.html
Ref: http://lists.alpinelinux.org/alpine-devel/3936.html
Signed-off-by: David Yang <mmyangfl@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The restool failed to work with current gcc-7.3.0-musl.
This patch is to add a restool fix-up patch to fix
multiple problems encountered in the get_device_file()
function:
- The deprecated atoi() function is replaced by strtoul
- An invalid memory access was being performed by using
memory from dir->d_name even after closedir(). This is
fixed by a strdup() on the device filename.
- Also, error prints now print any relevant error code.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
The restool source code had been migrated to codeaurora
for LSDK-18.06 release and the future release. This patch
is to update restool to LSDK-18.06 release.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Backport upstream commit
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
/etc/config/lldpd is only used by the init script, which only runs as root
Adjusted homepage and download URLs to use HTTPS.
-std=c99 is useful for GCC versions less than 6. Current OpenWrt uses 7.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken map connectivity.
Therefore drop the default encaplimit value for map tunnels so
no destination option header is included by default.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken ds-lite connectivity.
Therefore drop the default encaplimit value for ds-lite tunnels so
no destination option header is included by default.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* blake2s-x86_64: fix whitespace errors
* crypto: do not use compound literals in selftests
* crypto: make sure UML is properly disabled
* kconfig: make NEON depend on CPU_V7
* poly1305: rename finish to final
* chacha20: add constant for words in block
* curve25519-x86_64: remove useless define
* poly1305: precompute 5*r in init instead of blocks
* chacha20-arm: swap scalar and neon functions
* simd: add __must_check annotation
* poly1305: do not require simd context for arch
* chacha20-x86_64: cascade down implementations
* crypto: pass simd by reference
* chacha20-x86_64: don't activate simd for small blocks
* poly1305-x86_64: don't activate simd for small blocks
* crypto: do not use -include trick
* crypto: turn Zinc into individual modules
* chacha20poly1305: relax simd between sg chunks
* chacha20-x86_64: more limited cascade
* crypto: allow for disabling simd in zinc modules
* poly1305-x86_64: show full struct for state
* chacha20-x86_64: use correct cut off for avx512-vl
* curve25519-arm: only compile if symbols will be used
* chacha20poly1305: add __init to selftest helper functions
* chacha20: add independent self test
Tons of improvements all around the board to our cryptography library,
including some performance boosts with how we handle SIMD for small packets.
* send/receive: reduce number of sg entries
This quells a powerpc stack usage warning.
* global: remove non-essential inline annotations
We now allow the compiler to determine whether or not to inline certain
functions, while still manually choosing so for a few performance-critical
sections.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* curve25519: arm: do not modify sp directly
* compat: support neon.h on old kernels
* compat: arch-namespace certain includes
* compat: move simd.h from crypto to compat since it's going upstream
This fixes a decent amount of compat breakage and thumb2-mode breakage
introduced by our move to Zinc.
* crypto: use CRYPTOGAMS license
Rather than using code from OpenSSL, use code directly from AndyP.
* poly1305: rewrite self tests from scratch
* poly1305: switch to donna
This makes our C Poly1305 implementation a bit more intensely tested and also
faster, especially on 64-bit systems. It also sets the stage for moving to a
HACL* implementation when that's ready.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Refresh patches
Changes since latest bump:
af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.
Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.
This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)
Upstream commits since last bump:
da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Kconfig: use new-style help marker
* global: run through clang-format
* uapi: reformat
* global: satisfy check_patch.pl errors
* global: prefer sizeof(*pointer) when possible
* global: always find OOM unlikely
Tons of style cleanups.
* crypto: use unaligned helpers
We now avoid unaligned accesses for generic users of the crypto API.
* crypto: import zinc
More style cleanups and a rearrangement of the crypto routines to fit how this
is going to work upstream. This required some fairly big changes to our build
system, so there may be some build errors we'll have to address in subsequent
snapshots.
* compat: rng_is_initialized made it into 4.19
We therefore don't need it in the compat layer anymore.
* curve25519-hacl64: use formally verified C for comparisons
The previous code had been proved in Z3, but this new code from upstream
KreMLin is directly generated from the F*, which is preferable. The
assembly generated is identical.
* curve25519-x86_64: let the compiler decide when/how to load constants
Small performance boost.
* curve25519-arm: reformat
* curve25519-arm: cleanups from lkml
* curve25519-arm: add spaces after commas
* curve25519-arm: use ordinary prolog and epilogue
* curve25519-arm: do not waste 32 bytes of stack
* curve25519-arm: prefix immediates with #
This incorporates ASM nits from upstream review.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.
Update the man page in our package, even though we don't
build them. Someone may find the documentation useful.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
OpenWrt used to ship hardcoded defaults for lcp-echo-failure and
lcp-echo-interval in the non-uci /etc/ppp/options file.
These values break uci support for *disabling* LCP echos through
the use of "option keepalive 0" as either omitting the keepalive
option or setting it to 0 will result in no lcp-echo-* flags
getting passed to the pppd cmdline, causing the pppd process to
revert to the defaults in /etc/ppp/options.
Address this issue by letting the uci "keepalive" option default
to the former hardcoded values "5, 1" and by removing the fixed
lcp-echo-failure and lcp-echo-interval settings from the
/etc/ppp/options files.
Ref: https://github.com/openwrt/luci/issues/2112
Ref: https://dev.archive.openwrt.org/ticket/2373.html
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=854
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=1259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>