6594c6b ubus: use dhcpv6 ia assignment flag
a90cc2e dhcpv6-ia: avoid setting lifetime to infinite for static assignments
bb07fa4 dhcpv4: avoid setting lifetime to infinite for static assignments
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Bump to iptable 1.8.4 and address packaging issue as mentioned in the
original bump/revert cycle.
"This reverts commit 10cbc896c0.
The updated iptables package does not build due to the following error
encountered on the buildbots:
cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory
The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump."
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Bump to latest release candidate and drop 2 local patches that have been
upstreamed.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Bump to dnsmasq 2.81rc2. In the process discovered several compiler
warnings one with a logical error.
2 relevant patches sent upstream, added as 2 local patches for OpenWrt
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
1st release candidate for v2.81 after 18 months.
Refresh patches & remove all upstreamed leaving:
110-ipset-remove-old-kernel-support.patch
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The current implementation is significantly lowering lantiq
performace [1][2] by using RPS with non-irq CPUs and XPS
with alternating CPUs.
The previous netifd implementation (by default but could be
configured) simply used all CPUs and this patch essentially
reverts to this behaviour.
The only document suggesting using non-interrupt CPUs is Red
Hat [3] where if the network interrupt rate is extremely high
excluding the CPU that handles network interrupts *may* also
improve performance.
The original packet steering patches [4] advise that optimal
settings for the CPU mask seems to depend on architectures
and cache hierarcy so one size does not fit all. It also
advises that the overhead in processing for a lightly loaded
server can cause performance degradation.
Ideally, proper IRQ balancing is a better option with
the irqbalance daemon or manually.
The kernel does not enable packet steering by default, so
also disable in OpenWRT by default. (Though mvebu with its
hardware scheduling issues [5] might want to enable packet
steering by default.)
Change undocumented "default_ps" parameter to clearer
"packet_steering" parameter. The old parameter was only ever
set in target/linux/mediatek/base-files/etc/uci-defaults/99-net-ps
and matched the default.
[1] https://forum.openwrt.org/t/18-06-4-speed-fix-for-bt-homehub-5a
[2] https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1105
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps
[4] https://marc.info/?l=linux-netdev&m=125792239522685&w=2
[5] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=2e1f6f1682d3974d8ea52310e460f1bbe470390fFixes: #1852Fixes: #2573
Signed-off-by: Alan Swanson <reiver@improbability.net>
This activates PIE ASLR support by default when the regular option is
selected.
Size increase on imx6:
112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
= 9198 diff
Acked-by: Alexander Couzens <lynxis@fe80.eu>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This reverts commit 215598fd03 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add a radio_config_id property. If the radio config changes return an error
upon receiving the reconf call.
Signed-off-by: John Crispin <john@phrozen.org>
c888e17e06 ("hostapd: manage instances via procd instead of pidfile")
added procd support for managing hostapd and wpa_supplicant daemons
but at the same time limited wiphy names to 'phy*'.
This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd:
add ubus reload") and makes procd manage daemons for any wiphy device
found in '/sys/class/ieee80211'.
CC: Felix Fietkau <nbd@nbd.name>
CC: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The function trace_on_exit() is given to atexit() as a parameter, but
atexit() only takes a function pointer to a function with a void
parameter.
This problem was introduced when the on_exit() function was incompletely
replaced by atexit().
Fixes: ba6c8bd614 ("linux-atm: add portability fixes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.
This was found by accidentally building rssileds on octeon, which
resulted in:
"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"
Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()
Signed-off-by: Petr Štetiar <ynezz@true.cz>
A file, package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh,
was added in commit 6a28552120, but it
does not exit in a way that tells the uci-defaults mechanism that it
succeeded, and so it is not cleaned up after running successfully. Add
an exit 0 to the end to correct that.
Signed-off-by: Russell Senior <russell@personaltelco.net>
* send: cleanup skb padding calculation
* socket: remove useless synchronize_net
Sorry for the back-to-back releases. This fixes a regression spotted by Eric
Dumazet.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: split uids into multiple commands
Newer android's ndc implementations have limits on uid size, so we have to
break these into several lists.
* man: document dynamic debug trick for Linux
This comes up occasionally, so it may be useful to mention its
possibility in the man page. At least the Arch Linux and Ubuntu kernels
support dynamic debugging, so this advice will at least help somebody. So that
you don't have to go digging into the commit, this adds this helpful tidbit
to the man page for getting debug logs on Linux:
# modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
* extract-{handshakes,keys}: rework for upstream kernel
These tools will now use the source code from the running kernel instead of
from the old monolithic repo. Essential for the functioning of Wireshark.
* netlink: remove libmnl requirement
We no longer require libmnl. It turns out that inlining the small subset of
libmnl that we actually use results in a smaller binary than the overhead of
linking to the external library. And we intend to gradually morph this code
into something domain specific as a libwg emerges. Performance has also
increased, thanks to the inliner. On all platforms, wg(8) only needs a normal
libc. Compile time on my system is still less than one second. So all in all
we have: smaller binary, zero dependencies, faster performance.
Packagers should no longer have their wireguard-tools package depend on
libmnl.
* embeddable-wg-library: use newer string_list
* netlink: don't pretend that sysconf isn't a function
Small cleanups.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.
Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.
Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* compat: support building for RHEL-8.2
* compat: remove RHEL-7.6 workaround
Bleeding edge RHEL users should be content now (which includes the actual
RedHat employees I've been talking to about getting this into the RHEL kernel
itself). Also, we remove old hacks for versions we no longer support anyway.
* allowedips: remove previously added list item when OOM fail
* noise: reject peers with low order public keys
With this now being upstream, we benefit from increased fuzzing coverage of
the code, uncovering these two bugs.
* netns: ensure non-addition of peers with failed precomputation
* netns: tie socket waiting to target pid
An added test to our test suite for the above and a small fix for high-load CI
scenarios.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit 96424c143d.
The commit changed libiwinfo's internal ABI which breaks a number of
downstream projects, including LuCI and rpcd-mod-iwinfo.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
eba5a20 iwinfo: add device id for BCM43602
a6914dc iwinfo: add BSS load element to scan result
bb21698 iwinfo: add device id for Atheros AR9287
7483398 iwinfo: add device id for MediaTek MT7615E
Signed-off-by: David Bauer <mail@david-bauer.net>
I'm having another attempt at trying to getting the 'store dscp into
conntrack connmark' functionality into upstream kernel, since the
restore function (act_ctinfo) has been accepted.
The syntax has changed from 'savedscp' to 'set-dscpmark' since that
conforms more closely with existing functionality.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fixes handling CSA when using AP+STA or AP+Mesh
This change was accidentally dropped in commit 167028b75
("hostapd: Update to version 2.9 (2019-08-08)")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[remove shebang, slightly facelift commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* Makefile: remove pwd from compile output
* Makefile: add standard 'all' target
* Makefile: evaluate git version lazily
Quality of life improvements for packagers.
* ipc: simplify inflatable buffer and add fuzzer
* fuzz: add generic command argument fuzzer
* fuzz: add set and setconf fuzzers
More fuzzers and a slicker string list implementation. These fuzzers now find
themselves configuring wireguard interfaces from scratch after several million
mutations, which is fun to watch.
* netlink: make sure to clear return value when trying again
Prior, if a dump was interrupted by a concurrent set operation, we'd try
again, but forget to reset an error flag, so we'd keep trying again forever.
Now we do the right thing and succeed when we succeed.
* Makefile: sort inputs to linker so that build is reproducible
Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the
linker receiving its inputs in a filesystem-dependent order. This screwed up
reproducible builds.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Makefile: strip prefixed v from version.h
This fixes a mistake in dmesg output and when parsing the sysfs entry in the
filesystem.
* device: skb_list_walk_safe moved upstream
This is a 5.6 change, which we won't support here, but it does make the code
cleaner, so we make this change to keep things in sync.
* curve25519: x86_64: replace with formally verified implementation
This comes from INRIA's HACL*/Vale. It implements the same algorithm and
implementation strategy as the code it replaces, only this code has been
formally verified, sans the base point multiplication, which uses code
similar to prior, only it uses the formally verified field arithmetic
alongside reproducable ladder generation steps. This doesn't have a
pure-bmi2 version, which means haswell no longer benefits, but the
increased (doubled) code complexity is not worth it for a single
generation of chips that's already old.
Performance-wise, this is around 1% slower on older microarchitectures,
and slightly faster on newer microarchitectures, mainly 10nm ones or
backports of 10nm to 14nm. This implementation is "everest" below:
Xeon E5-2680 v4 (Broadwell)
armfazh: 133340 cycles per call
everest: 133436 cycles per call
Xeon Gold 5120 (Sky Lake Server)
armfazh: 112636 cycles per call
everest: 113906 cycles per call
Core i5-6300U (Sky Lake Client)
armfazh: 116810 cycles per call
everest: 117916 cycles per call
Core i7-7600U (Kaby Lake)
armfazh: 119523 cycles per call
everest: 119040 cycles per call
Core i7-8750H (Coffee Lake)
armfazh: 113914 cycles per call
everest: 113650 cycles per call
Core i9-9880H (Coffee Lake Refresh)
armfazh: 112616 cycles per call
everest: 114082 cycles per call
Core i3-8121U (Cannon Lake)
armfazh: 113202 cycles per call
everest: 111382 cycles per call
Core i7-8265U (Whiskey Lake)
armfazh: 127307 cycles per call
everest: 127697 cycles per call
Core i7-8550U (Kaby Lake Refresh)
armfazh: 127522 cycles per call
everest: 127083 cycles per call
Xeon Platinum 8275CL (Cascade Lake)
armfazh: 114380 cycles per call
everest: 114656 cycles per call
Achieving these kind of results with formally verified code is quite
remarkable, especialy considering that performance is favorable for
newer chips.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Prepare netifd for handling procd service jails having their own
network namespace.
Intefaces having the jail attribute will only be brought up inside the
jail's network namespace by procd calling the newly introduced ubus
method 'netns_updown'.
Currently proto 'static' is supported and configuration changes are
not yet being handled (ie. you'll have to restart the jailed service
for changes to take effect).
Example /etc/config/network snippet:
config device 'veth0'
option type 'veth'
option name 'vhost0'
option peer_name 'virt0'
config interface 'virt'
option type 'bridge'
list ifname 'vhost0'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
config interface 'virt0'
option ifname 'virt0'
option proto 'static'
option ipaddr '10.0.0.2'
option netmask '255.255.255.0'
option gateway '10.0.0.1'
option dns '10.0.0.1'
option jail 'transmission'
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes
2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags
b413d8a dhcpv6-ia: cleanup prefix delegation routes
b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.
Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If a config section of a peer does not have a public key defined, the
whole interface does not start. The following log is shown
daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
daemon.notice netifd: test (21071): Configuration parsing erro
The command 'wg show' does only show the interface name.
With this change we skip the peer for this interface and emit a log
message. So the other peers get configured.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>