Commit Graph

1820 Commits

Author SHA1 Message Date
Valentyn Datsko
76f55e3c3f
dnsmasq: add procd interface index tracking
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.

Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-06 17:32:42 +01:00
Felix Fietkau
64f629e207 bridger: add bridge forwarding accelerator
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-06 14:13:26 +02:00
Hans Dedecker
73c6d8fd04 odhcpd: update to git HEAD
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-03-22 22:03:37 +01:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
David Bauer
6f78723977 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:45 +01:00
David Bauer
04ed224543 hostapd: refresh patches
Refresh patches after updating to hostapd v2.10.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-08 00:21:41 +01:00
David Bauer
adb8c09a83 hostapd: update to v2.10
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-08 00:21:27 +01:00
Felix Fietkau
46e0eeb760 hostapd: automatically calculate channel center freq on chan_switch
Simplifies switching to different channels when on >= VHT80

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-07 17:01:18 +01:00
Jo-Philipp Wich
881a059977 uhttpd: update to latest Git HEAD
2f8b136 main: fix leaking -p/-s argument values
881fd3b ucode: adjust to latest ucode api
8b2868e file: specify UTF-8 as charset for dirlists, add option to override
3a5bd84 main: add ucode options to help text
16aa142 examples: add ucode handler example
3ceccd0 ucode: add ucode plugin support
f0f1406 examples: add example Lua handler script
9e87095 listen: avoid invalid memory access

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
David Bauer
2a31e9ca97 hostapd: add op-class to get_status output
Include the current operation class to hostapd get_status interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-01-14 22:12:44 +01:00
Nick Hainke
f61816fdff hostapd: refresh patchset
Recently the hostapd has undergone many changes. The patches were not refreshed.
Refreshed with
    make package/hostapd/{clean,refresh}

Refreshed:
    - 380-disable_ctrl_iface_mib.patch
    - 600-ubus_support.patch
    - 700-wifi-reload.patch
    - 720-iface_max_num_sta.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-12-31 12:11:59 +01:00
Raphaël Mélotte
69ce75fb12 hostapd: add fallback for WPS on stations
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.

In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.

To allow both possibilities, the following changes are made:

- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).

- If the button is pressed for less than 3 seconds, keep the original
behavior.

- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.

- Add comments explaining both behaviors.

- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).

This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.

[1]: https://github.com/koalaman/shellcheck/wiki/SC2166

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-12-27 16:32:02 +00:00
David Bauer
5ca7793418 hostapd: add missing function declaration
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-27 03:13:36 +01:00
Felix Fietkau
5e67cd63c4 hostapd: only attempt to set qos map if supported by the driver
Fixes issues with brcmfmac

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-23 19:18:56 +01:00
Arnout Vandecappelle (Essensium/Mind)
0210f37534 hostapd: keep HE capability after channel switch in AP+STA/Mesh
The auto-ht option already kept HT and VHT support, but wasn't updated
to support HE (11ax).

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-12-21 22:21:38 +00:00
David Bauer
54cfe0774c hostapd: make OpenWrt statistics per-BSS
WNM and RRM statistics were incorrectly per-PHY, leading to shared
statistic counters per BSS.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
David Bauer
6d1e380666 hostapd: provide BSS-transition-queries to ubus subscribers
Provide incoming BSS transition queries to ubus subscribers.

This allows external steering daemons to provide clients with
an optimal list of transition candidates.

This commit has no functional state in case no ubus subscriber is
present or it does not handle this ubus message.

To prevent hostapd from sending out a generic response by itself, a
subscribing daemon has to return a non-zero response code to hostapd.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
David Bauer
dd39249f08 hostapd: WNM: allow specifying dialog-token
Backport a patch to allow extending the ubus BSS-transition method
for specifying individual dialog tokens for BSS transition
management requests.

This is required for handling BSS transition queries in the future.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
David Bauer
9090e0be4d hostapd: close correct blobmsg table
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-16 20:27:07 +01:00
David Bauer
16bcaa71fa hostapd: add OpenWrt specific statistic counters
This adds a new struct for storing statistics not (yet) tracked by
hostapd regarding RRM and WNM activity.

These statistics can be read using the get_status hostapd interface ubus
method.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-15 00:13:40 +01:00
Felix Fietkau
ea49690ff4 hostapd: add support for specifying the FILS DHCP server
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
b7d9bced30 hostapd: add support for enabling FILS on AP and client interfaces
This is only supported with WPA-enterprise

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
5b66dfaf6c hostapd: enable FILS support in the full config and add build feature discovery
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
fbc9ce779f hostapd: make hostapd/supplicant/wpad packages depend on a specific version of hostapd-commoon
This avoids potential version mismatch between packages when upgraded
individually

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-01 16:39:12 +01:00
David Bauer
3ba9846842 hostapd: add beacon_interval to get_status ubus output
Add the beacon interval to hostapd status output. This allows external
services to discover the beacon interval for a specific VAP.

This way, external wireless management daemons can correctly calculate
fields containing TBTT value from absolute time-values.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-11-25 02:41:42 +01:00
Felix Fietkau
f84053af5c hostapd: add a patch that allows processing auth requests for peers in blocked state
If authentication fails repeatedly e.g. because of a weak signal, the link
can end up in blocked state. If one of the nodes tries to establish a link
again before it is unblocked on the other side, it will block the link to
that other side. The same happens on the other side when it unblocks the
link. In that scenario, the link never recovers on its own.

To fix this, allow restarting authentication even if the link is in blocked
state, but don't initiate the attempt until the blocked period is over.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-24 18:26:47 +01:00
Mark Mentovai
398cbb76fa
hostapd: allow hostapd under ujail to communicate with hostapd_cli
When procd-ujail is available, 1f78538387 runs hostapd as user
"network", with only limited additional capabilities (CAP_NET_ADMIN and
CAP_NET_RAW).

hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
over a named UNIX-domain socket. hostapd_cli is responsible for creating
this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
root, this endpoint is normally created with uid root, gid root, mode
0755. As a result, hostapd running as uid network is able to receive
control messages sent through this interface, but is not able to respond
to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
this message will appear from hostapd:

CTRL: sendto failed: Permission denied

As a fix, hostapd_cli should create the socket node in the filesystem
with uid network, gid network, mode 0770. This borrows the presently
Android-only strategy already in hostapd intended to solve the same
problem on Android.

If procd-ujail is not available and hostapd falls back to running as
root, it will still be able to read from and write to the socket even if
the node in the filesystem has been restricted to the network user and
group. This matches the logic in
package/network/services/hostapd/files/wpad.init, which sets the uid and
gid of /var/run/hostapd to network regardless of whether procd-ujail is
available.

As it appears that the "network" user and group are statically allocated
uid 101 and gid 101, respectively, per
package/base-files/files/etc/passwd and USERID in
package/network/services/hostapd/Makefile, this patch also uses a
constant 101 for the uid and gid.

Signed-off-by: Mark Mentovai <mark@moxienet.com>
[refreshed patch]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-23 18:53:31 +00:00
Oldřich Jedlička
1818157daa dnsmasq: fix ismounted check
Fix the return value, shell return codes should be 0 to indicate success
(i.e. mount point found), 1 should be failure (i.e. mount point not-found).

Fixes: ac4e8aa ("dnsmasq: fix more dnsmasq jail issues")
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
2021-11-23 14:57:52 +00:00
David Bauer
7ae04d3799 hostapd: fix use after free bugs
Using a pointer one lifter after it freed is not the best idea.
Let's not do that.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-11-19 21:58:12 +01:00
Eneas U de Queiroz
5720ac8f4c hostapd: set VARIANT=* for wpa-cli, hostapd-utils
19aae94 [build: avoid rebuilds of unset VARIANT packages] builds
packages defined without a VARIANT only once, using the first VARIANT
defined in the Makefile.

This caused problems with wpa-cli, as it is only built for variants that
include supplicant support, and the first VARIANT defined may not build
it.

The same happens to hostapd-utils, which is not built for
supplicant-only variants.

To circumvent this, set VARIANT=* for both packages so that they get
built for every defined variant.  This should not cause spurious
rebuilds, since tey are not a dependency of any other package defined in
this Makefile.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-11-15 00:38:46 +01:00
Stijn Tintel
53247d3cb4 lldpd: add reload trigger
This is needed to reload the service when calling reload_config, if the
UCI config has changed.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Stijn Tintel
d44ab665a6 lldpd: consolidate procd command lines
There is no need to have multiple lines for this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Stijn Tintel
f054fcd98a lldpd: bump to 1.0.13
Fixes CVE-2021-43612.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Rui Salvaterra
c8340120e7 dnsmasq: fix the dynamic dns object names patch
We can't use booleans, since we're not including stdbool.h. Use integers
instead.

Fixes: 0b79e7c01e ("dnsmasq: generate the dns object name dynamically")

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-11-12 23:11:56 +01:00
Daniel Golle
0cbc6b16db
dnsmasq: add ubus acl to allow calls to hotplug.tftp object
dnsmasq may call hotplug.dhcp, hotplug.neigh and hotplug.tftp.
Only the first two callees were listed in the ACL, so add missing
hotplug.tftp.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-12 15:02:58 +00:00
Felix Fietkau
0b79e7c01e dnsmasq: generate the dns object name dynamically
Fixes an issue with running multiple dnsmasq instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-10 10:07:04 +01:00
Paul Fertser
8a6b1a8d29 dnsmasq: add match_tag for --dhcp-host
A set of tags can be specified for --dhcp-host option to restrict the
assignment to the requests which match all the tags.

Example usage:

config vendorclass
        option networkid 'udhcp'
        option vendorclass 'udhcp'

config host
        option mac '*:*:*:*:*:*'
        list match_tag 'switch.10'
        list match_tag 'udhcp'
        option ip '192.168.25.10'

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
2021-11-09 16:45:38 +00:00
Felix Fietkau
d8b33dad0b dnsmasq: add support for monitoring and modifying dns lookup results via ubus
The monitoring functionality will be used for dns rule support in qosify

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 15:06:19 +01:00
Stijn Tintel
a05452e4d6 omcproxy: bump to git HEAD
bfba2aa groups: use uloop_timeout_remaining64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 15:04:45 +02:00
Felix Fietkau
efff3520f4 hostapd: support qos_map_set without CONFIG_INTERWORKING
This feature is useful on its own even without full interworking support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-04 11:50:51 +01:00
Felix Fietkau
a5e3def182 hostapd: add wmm qos map set by default
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-03 22:47:55 +01:00
Eneas U de Queiroz
67f9245ee5 hostapd: avoid unnecessary package rebuilds
Package hostapd-common is a dependency of every other package defined in
hostpad Makefile.  It is currently built next to the bottom of that
Makefile's package list.

If you run make back to back, then check-compile will compare the
hostapd-common timestamp to the variant being compiled, to decide if the
varint needs to be rebuilt or not.  Since the hostapd-conf package is
built towards the end of the list, it will be newer than most of the
variants, causing unnecessary package rebuilds.

Move it to the top, so that its timestamp will be older than dependent
packages, avoiding unnecessary rebuild of every selected variant.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-11-01 20:18:55 +01:00
Daniel Golle
a44e4aaef9
dnsmasq: fix jail mount in case of ignore_hosts_dir being set
Commit a2fcd3900c ("dnsmasq: improve init script") broke the existing
handling for hosts_dir. Remove the redundant mount again to fix it.

Reported-by: Hartmut Birr <e9hack@gmail.com>
Fixes: a2fcd3900c ("dnsmasq: improve init script")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 12:02:24 +00:00
Daniel Golle
a2fcd3900c
dnsmasq: improve init script
* fix restart in LuCI (inherited umask was to restrictive)
 * make directory of hosts-file (!= /tmp) accessible in ujail

Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-31 13:07:48 +00:00
Sven Roederer
5287defa1f dropbear: add config options for agent-forwarding support
* SSH agent forwarding might cause security issues, locally and on the jump
  machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to
  completely disabling it.
* separate options for client and server
* keep it enabled by default

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2021-10-30 16:32:54 +02:00
Michael Peleshenko
db639238f2 umdns: add missing syscall to seccomp filter
The 'madvise', syscall is missing.
Found with 'utrace /usr/sbin/umdns' on an R7800 and RT3200.

Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
2021-10-27 19:25:59 +01:00
Michael Peleshenko
40c18e95dc umdns: add missing syscall to seccomp filter
The 'clock_gettime64', syscall is missing.
Found with 'utrace /usr/sbin/umdns' on an R7800.

Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
2021-10-23 19:31:32 +02:00
David Bauer
9b880f09f3 hostapd: ubus: fix uninitialized pointer
This fixes passing a bogus non-null pointer to the ubus handler in case
the transition request is rejected.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-21 17:09:35 +02:00
Felix Fietkau
63c01ad025 hostapd: fix up patches after the last commit
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 12:37:23 +02:00
Felix Fietkau
da4be02fcd hostapd: fix a race condition on adding AP mode wds sta interfaces
Both hostapd and netifd attempt to add a VLAN device to a bridge.
Depending on which one wins the race, bridge vlan settings might be incomplete,
or hostapd might run into an error and refuse to service the client.
Fix this by preventing hostapd from adding interfaces to the bridge and
instead rely entirely on netifd handling this properly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 11:31:53 +02:00
David Bauer
43c64ffa74 hostapd: fix goto loop for ubus assoc handler
When a ubus event handler denies a association with a non-zero return
value, the code jumps to preceeding code, creating an endless loop until
the event handler accepts the assc request.

Move the ubus handler further up the code to avoid creating such a loop.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-19 17:27:05 +02:00
David Bauer
0eed96ca5d hostapd: ubus: add BSS transtiton request method
The existing wnm_disassoc_imminent ubus method only supports issuing a
bss transition request with the disassoc imminent flag set.
For use-cases, where the client is requested to roam to another BSS
without a pending disassoc, this existing method is not suitable.

Add a new bss_transition_request ubus method, which provides a more
universal way to dispatch a transition request. It takes the following
arguments:

Required:
addr: String - MAC-address of the STA to send the request to (colon-seperated)

Optional:
abridged - Bool - Indicates if the abridged flag is set
disassociation_imminent: Bool - Whether or not the disassoc_imminent
                         flag is set
disassociation_timer: I32 - number of TBTTs after which the client will
                      be disassociated
validity_period: I32 - number of TBTTs after which the beacon
                 candidate list (if included) will be invalid
neighbors: blob-array - Array of strings containing neighbor reports as
           hex-string

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-13 22:55:45 +02:00
David Bauer
a3de42e72c hostapd: ubus: add notification for BSS transition response
To allow steering daemons to be aware of the STA-decided transition
target, publish WNM transition responses to ubus. This way, steerings
daemons can learn about STA-chosen targets and send a better selection
of transition candidates.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-13 22:55:06 +02:00
Ronny Kotzschmar
72bfc35f8f umdns: add missing syscalls to seccomp filter
The 'mmap', 'mmap2', 'munmap' syscalls are missing.
Found with 'utrace /usr/sbin/umdns'.

Signed-off-by: Ronny Kotzschmar <ro.ok@me.com>
2021-10-07 23:21:59 -10:00
Paul Fertser
ed7769aa40 dnsmasq: add explicit "set:" for client-matching options
Bring the usage in line with the dnsmasq man page and the other options
where set: is mandatory.

No functional change.

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
2021-10-03 21:48:16 +02:00
Jesus Fernandez Manzano
5269c47e8d hostapd: fix segfault when deinit mesh ifaces
In hostapd_ubus_add_bss(), ubus objects are not registered for mesh
interfaces. This provokes a segfault when accessing the ubus object in
mesh deinit.

This commit adds the same condition to hostapd_ubus_free_bss() for
discarding those mesh interfaces.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2021-09-24 12:32:19 +02:00
Felix Fietkau
17d19a7d43 hostapd: let netifd set bridge port attributes for snooping
Avoids race conditions on bridge member add/remove

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-09-21 19:43:20 +02:00
Felix Fietkau
ef24475658 ustp: update to the latest version
c62d85cf7a0d bridge: check port bpdu filter status and apply it to the config
25555611be91 libnetlink: turn rtnetlink error answers into debug msgs
462b3a491347 build: use pthread cflags/ldflags

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-09-21 19:43:20 +02:00
Etan Kissling
02a2b44eab dnsmasq: add config option for connmark DNS filtering
This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
(imported from upstream mailing list
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-09-14 20:56:20 +02:00
Etan Kissling
d2d0044ebf dnsmasq: Update to version 2.86
Summary of upstream CHANGELOG:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked.
* Major rewrite of the DNS server and domain handling code.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.
* Allow smaller than 64 prefix lengths in synth-domain.
* Make domains generated by --synth-domain appear in replies
  when in authoritative mode.
* Ensure CAP_NET_ADMIN capability is available when
  conntrack is configured.
* When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
  given a directory as argument, define the order in which
  files within that directory are read.
* Support some wildcard matching of input tags to --tag-if.

Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-09-14 20:38:59 +02:00
David Bauer
ec2078e3ef hostapd: enable proxy-arp support for hostapd-full
The hostapd.sh script already has support for configuring proxy-ARP,
however no built variant has support for it enabled.

Enable proxy-ARP support for hostapd-full builds in order to allow users
to actually use this feature.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-28 01:31:15 +02:00
David Bauer
7073e88a76 hostapd: fix Proxy-ARP with Hotspot 2.0 disabled
The disable_dgaf config fiels is only available in case Hostapd is
compiled with Hotspot 2.0 support, however Proxy-ARP does not depend on
Hotspot 2.0.

Only add the code related to this config field when Hotspot 2.0 is
enabled to fix compilation with the aformentioned preconditions.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-28 01:31:15 +02:00
David Bauer
99786e121b hostapd: refresh patches
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-28 01:31:15 +02:00
Felix Fietkau
3ebbf795df ustp: add OpenWrt STP/RSTP daemon
This integrates with netifd in order to provide STP/RSTP protocol support
in user space. It defaults to using RSTP for bridges with stp enabled.
This daemon has no config files, it uses the configuration passed from
netifd via ubus

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-26 13:27:27 +02:00
Felix Fietkau
c26d741d07 hostapd: enable ht40 in wpa_supplicant when using wider HE modes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 17:35:45 +02:00
Stijn Tintel
6393ea1581 uhttpd: add config option for json_script
Add a config option for json_script instead of unconditionally including
all json files in /etc/uhttpd in every uhttpd instance. This makes it
possible to configure a single instance with an unconditional redirect,
which currently renders all other uhttpd instances unusable.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 14:45:42 +03:00
Hans Dedecker
c0afe3a5d2 odhcpd: update to latest git HEAD
01b4e60 dhcpv4: fix uninitialized hostname in some ubus events
1666769 dhcpv6-ia: allow up to 64 bit wide hostid

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-08-23 21:53:13 +02:00
Stijn Tintel
31d984a96e lldpd: bump to 1.0.12
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-08-22 18:07:20 +03:00
Fritz D. Ansel
65ee14a118 dropbear: allow to use with xinetd
with xinetd allowed+blocked (ipv6) hosts could be set
what is not possible with stock dropbear package

The file size increased 12 Bytes, so this "opimisation" did not really helped.
Within a compressed storage format it is 0..

ipk: 111.171 -> 111.361 = 190 bytes
bin: 215.128 -> 215.140 =  12 bytes

Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
2021-08-21 15:59:39 +02:00
Felix Fietkau
8b7517465b hostapd: fix broken check in radar detection notification
This check was accidentally left in after reworking the code,
causing a segfault

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-11 19:01:09 +02:00
Jesus Fernandez Manzano
af83e3ce0f hostapd: respect fixed channel BW in HE20 mode
When using htmode 'HE20' with a radio mode that uses wpa-supplicant
(like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not
set. This commit fixes this behaviour.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2021-08-08 19:50:46 +02:00
Daniel Golle
ddc8d085f3
dnsmasq: reset EXTRA_MOUNT in the right place
EXTRA_MOUNT variable should be reset in dnsmasq_start() rather than
just once at the beginning of the script.

Fixes: ac4e8aa2f8 ("dnsmasq: fix more dnsmasq jail issues")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-01 15:06:57 +01:00
Daniel Golle
ac4e8aa2f8
dnsmasq: fix more dnsmasq jail issues
* remove superflus mounts of /dev/null and /dev/urandom
 * reset EXTRA_MOUNTS at the beginning of the script
 * add mount according to ignore_hosts_dir
 * don't add mount for file which is inside a directory already in the
   EXTRA_MOUNTS list

Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-01 11:35:31 +01:00
Daniel Golle
59c63224e1
dnsmasq: rework jail mounts
* split into multiple lines to improve readability
 * use EXTRA_MOUNT for addnhosts instead of blindly adding /tmp/hosts
 * remove no longer needed mount for /sbin/hotplug-call
 * add dhcp-script.sh dependencies (jshn, ubus)

Fixes: 3a94c2ca5c ("dnsmasq: add /tmp/hosts/ to jail_mount")
Fixes: aed95c4cb8 ("dnsmasq: switch to ubus-based hotplug call")
Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-01 03:47:43 +01:00
Felix Fietkau
f1b98fa4fa hostapd: add missing chunk for the snoop interface fix
Fixes: 7b46377a0c ("hostapd: make the snooping interface (for proxyarp) configurable")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 12:41:36 +02:00
Felix Fietkau
ae1c5d0d6a hostapd: make proxyarp work with libnl-tiny
Remove a dependency on libnl3-route

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 05:55:11 +02:00
Felix Fietkau
5dd1bd5b80 hostapd: fix a segfault on sta disconnect with proxy arp enabled
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 05:55:11 +02:00
Felix Fietkau
7b46377a0c hostapd: make the snooping interface (for proxyarp) configurable
Use the VLAN interface instead of the bridge, to ensure that hostapd receives
untagged DHCP packets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 05:55:11 +02:00
Nick Hainke
3a94c2ca5c dnsmasq: add /tmp/hosts/ to jail_mount
Programs like the olsr-name-plugin write hostname files to "/tmp/hosts/".
If you don't add this to the jail_mount, dnsmasq can't read it anymore.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-07-19 13:11:23 +01:00
Hans Dedecker
033d5ff25e odhcpd: fix invalid DHCPv6 ADVERTSIE with small configured leasetime (FS#3935)
bc9d317 dhcpv6-ia: fix invalid preferred lifetime

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-07-18 19:34:10 +02:00
Felix Fietkau
9ec5f5f230 hostapd: add "force" parameter for channel switch
This will restart the interface in case the CSA fails and can be used to
force the device on a DFS channel (including full CAC)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-15 10:46:10 +02:00
Felix Fietkau
8f7e6db230 hostapd: fix uninitialized stack variable on CSA
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:34:08 +02:00
Felix Fietkau
da2c244e8c hostapd: initialize ht/vht/he mode on channel switch by default
Use the current mode, but allow overwriting via ubus command parameters

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:33:56 +02:00
Felix Fietkau
1ec4af4151 hostapd: add support for enabling HE on channel switch
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:33:47 +02:00
Felix Fietkau
9aa0561534 hostapd: make it possible to update station airtime weights via ubus
This allows dynamic tuning based on other runtime information

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:31:40 +02:00
David Bauer
b0483b19f9 hostapd: add HE flag to get_clients
Expose the hostapd HE flag via ubus to indicate HE capable devices.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-07-06 02:27:06 +02:00
Martin Weinelt
cde154c871 hostapd: remove unused mac_buff allocation
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
2021-07-06 02:26:44 +02:00
Martin Weinelt
398df62756 hostapd: report bssid, ssid and channel over ubus
Imports a function from iw to convert frequencies to channel numbers.

Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
[fix potential out of bounds read]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-07-06 02:26:38 +02:00
Kevin Darbyshire-Bryant
e4cfefa9fc dnsmasq: use local option for local domain parameter
'--local' is a synonym for '--server' so let's use '--local' in the
resultant config file for uci's 'local' instead of uci's local
parameter being turned into '--server'.  Slightly less confusion all
round.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-07-05 16:49:06 +01:00
Etan Kissling
ba5bd8e556 dnsmasq: distinct Ubus names for multiple instances
Currently, when using multiple dnsmasq instances they are all assigned
to the same Ubus instance name. This does not work, as only a single
instance can register with Ubus at a time. In the log, this leads to
`Cannot add object to UBus: Invalid argument` error messages.
Furthermore, upstream 3c93e8eb41952a9c91699386132d6fe83050e9be changes
behaviour so that instead of the log, dnsmasq exits at start instead.

With this patch, all dnsmasq instances are assigned unique names so that
they can register with Ubus concurrently. One of the enabled instances
is always assigned the previous default name "dnsmasq" to avoid breaking
backwards compatibility with other software relying on that default.
Previously, a random instance got assigned that name (while the others
produced error logs). Now, the first unnamed dnsmasq config section is
assigned the default name. If there are no unnamed dnsmasq sections the
first encountered named dnsmasq config section is assigned instead.

A similar issue exists for Dbus and was similarly addressed.

Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
[tweaked commit message] dnsmasq was not crashing it is exiting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-29 11:27:26 +01:00
Kevin Darbyshire-Bryant
76cc8a036c Revert "dnsmasq: Update to version 2.86test3"
This reverts commit 3628870015.

dnsmasq v2.86test3 has some issues with ubus, so is being reverted.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-26 20:31:29 +01:00
Kevin Darbyshire-Bryant
2a9d7ecd27 Revert "dnsmasq: add config option for connmark DNS filtering"
This reverts commit dea4bae7c2.

dnsmasq v2.86test3 has some issues with ubus and needs reverting, hence
this needs reverting.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-26 20:30:58 +01:00
Etan Kissling
dea4bae7c2 dnsmasq: add config option for connmark DNS filtering
This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
(See https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-06-26 13:28:47 +01:00
Etan Kissling
3628870015 dnsmasq: Update to version 2.86test3
Need this version to add config option for connmark DNS filtering.

Summary of upstream CHANGELOG:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked.
* Major rewrite of the DNS server and domain handling code.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.

Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-06-26 13:28:08 +01:00
Felix Fietkau
1818b038d7 hostapd: add support for providing vendor specific IE elements
They can be added as hex digit strings via the 'vendor_elements' option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-24 15:56:46 +02:00
Raphaël Mélotte
acdb7c38c6 hostapd: add default_disabled option to the supplicant
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.

In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.

In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.

This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-06-23 14:52:16 -10:00
Timo Sigurdsson
bf98faaac8 hostapd: make wnm_sleep_mode_no_keys configurable
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-22 11:10:06 -10:00
Timo Sigurdsson
85ce590705 hostapd: fix handling of the channel utilization options
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.

Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:04:06 -10:00
Timo Sigurdsson
9f09c1936a hostapd: make country3 option configurable
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:02:33 -10:00
Michael Yartys
b9b4aef4f2 hostapd: add support for setting sae_pwe
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:

0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled

hostapd currently defaults to hunting-and-pecking loop only.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2021-06-20 15:42:52 -10:00
Dobroslaw Kijowski
bb2ac5a33b hostapd: stop advertising 11w feature
This is a follow up of 1a9b896d ("treewide: nuke DRIVER_11W_SUPPORT").
LuCI commit ab010406 ("luci-mod-network: skip check for 802.11w feature")
skips check of the 11w feature [1]. Now advertising it in hostapd is
superfluous so stop doing it.

[1]: https://github.com/openwrt/luci/pull/4689

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
[remove outdated PKG_RELEASE bump and update to SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-06-20 14:11:30 -10:00
Martin Schiller
2c6c1501af uhttpd: make organization (O=) of the cert configurable via uci
Make the organization (O=) of the cert configurable via uci. If not
configured, use a combination of "OpenWrt" and an unique id like it was
done before.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2021-06-20 13:50:36 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hans Dedecker
6ed0ddde05 odhcpd: update to latest git HEAD
564d25e config: fix ra_flags none setting

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-06-13 22:28:40 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Felix Fietkau
305c1b8d74 hostapd: configure inter-AP communication interface for 802.11r
In setups using VLAN bridge filtering, hostapd may need to communicate using
a VLAN interface on top of the bridge, instead of using the bridge directly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-05 06:53:29 +02:00
Felix Fietkau
89bd8607f8 hostapd: fix bringing up vlan interfaces with the no-bridge option
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-04 20:36:42 +02:00
Hans Dedecker
4fd4e9997a odhcpd: update to git HEAD
a12fcb3 config: log config parse failures to syslog
ebd4297 cmake: enforce additonal compiler checks
405da32 odhcpd: fix extra compiler warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-06-03 21:07:42 +02:00
John Crispin
96e9c81aab hostapd: fix radius problem due to invalid attributes
The offending commit caused the configuration file to contain:
  radius_auth_req_attr=
  radius_acct_req_attr=
which cause hostapd to add an ATTR of type 0 into the messages.

hostapd: RADIUS message: code=4 (Accounting-Request) identifier=0 length=93
hostapd:    Attribute 40 (Acct-Status-Type) length=6
hostapd:       Value: 7
hostapd:    Attribute 30 (Called-Station-Id) length=28
hostapd:       Value: 'C4-41-1E-F5-2D-55:OpenWifi'
hostapd:    Attribute 61 (NAS-Port-Type) length=6
hostapd:       Value: 19
hostapd:    Attribute 0 (?Unknown?) length=3    <----------------
hostapd:    Attribute 55 (Event-Timestamp) length=6
hostapd:       Value: 1622726457
hostapd:    Attribute 41 (Acct-Delay-Time) length=6
hostapd:       Value: 0
hostapd:    Attribute 44 (Acct-Session-Id) length=18
hostapd:       Value: '9B5961E7235AAEC6'

Fixes: 3bd6c8c728 (hostapd: add additional radius options)
Signed-off-by: John Crispin <john@phrozen.org>
2021-06-03 16:00:51 +02:00
John Crispin
98621c9782 hostapd: add eap_server support
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
704ab6a002 hostapd: add default values for r0kh/r1kh
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
ec223cf724 hostapd: add support for specifying the maxassoc parameter as a device option
It allows enforcing a limit on associated stations to be enforced for the
full device, e.g. in order to deal with hardware/driver limitations

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
e309b57619 hostapd: add support for configuring proxy ARP
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
190d4b6184 hostapd: add configurable rssi thresholds for rejecting assoc/probe requests
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
46509a51dd hostapd: add support for configuring the beacon rate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Adrian Schmutzler
54cc1756e2 hostapd: update to version 2021-05-22
This update only adds one commit:
b102f19bcc53 tests: Opportunistic Wireless Encryption - SA Query

The main reason for the bump is to have a newer PKG_SOURCE_DATE,
so we can reset PKG_RELEASE to 1 (this has not been done for the
most recent bump), and replace it with AUTORELEASE.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-29 00:31:25 +02:00
Felix Fietkau
962d530dea hostapd: support verbose build using V=sc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-27 12:17:02 +02:00
David Bauer
553cc47ec7 hostapd: ACS: fix channel 100 frequency
Channel 100 is a valid channel to choose for 80MHz operation. However,
it's assigned to 5500 MHz, not 5550MHz. In fact, there is no channel
assigned to this frequency.

Fix this obbvious typo to allow ACS to select channel 100 for 80 MHz
operation again.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-26 23:12:09 +02:00
Felix Fietkau
d87b58bb09 hostapd: fix adding back stations after a missed deauth/disassoc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
eefed841b0 hostapd: update to version 2021-05-21
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
26da5c2359 hostapd: add support for configuring rts threshold
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
2319cf4ec0 hostapd: fix max_oper_chwidth setting for HE
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
John Crispin
3bd6c8c728 hostapd: add additional radius options
- add functionality to configure RADIUS NAS-Id and Operator-Name
- add functionality to configure RADIUS accounting interval
- enable RADIUS "Chargeable User Identity"

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
c76f1d8330 hostapd: add extra options for hotspot 2.0 / interworking
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
753a91d1d1 hostapd: report radar detected events via ubus
Events are reported on all BSS interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
8e2ca15726 hostapd: improve channel switch support
Instead of requiring the user to call it on each BSS individually,
run it on all BSSs internally.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
33c69aee41 hostapd: add missing inline stubs for ubus vlan event support
Only used when building without ubus support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
John Crispin
937dd79e2a hostapd: fix civic location option
Signed-off-by: John Crispin <john@phrozen.org>
2021-05-26 11:48:14 +02:00
David Bauer
ddcb970274 hostapd: wolfssl: add RNG to EC key
Since upstream commit 6467de5a8840 ("Randomize z ordinates in
scalar mult when timing resistant") WolfSSL requires a RNG for
the EC key when built hardened which is the default.

Set the RNG for the EC key to fix connections for OWE clients.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-21 15:44:05 +02:00
Felix Fietkau
cf45caeff1 hostapd: add patch for disabling automatic bridging of vlan interfaces
netifd is responsible for handling that, except if the vlan bridge
was provided by the config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Felix Fietkau
2d89d7c748 hostapd: add ubus notifications for adding/removing vlan interfaces
This can be used to handle network configuration of dynamically created vlan
interfaces in a more flexible way

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Stijn Tintel
844598dcbb umdns: bump to git HEAD
777a0b service: fix compilation with GCC 10

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-05-16 03:59:54 +03:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Alan Swanson
3980daffa4 dnsmasq: Update to version 2.85
Fixes issue with merged DNS requests in 2.83/2.84 not being
retried on the firsts failed request causing lookup failures.

Also fixes the following security problem in dnsmasq:
* CVE-2021-3448:
  If specifiying the source address or interface to be used
  when contacting upstream name servers such as:
  server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and
  server=8.8.8.8@eth0 then all would use the same socket
  bound to the explicitly configured port. Now only
  server=8.8.8.8@1.2.3.4#66 will use the explicitly
  configured port and the others random source ports.

Remove upstreamed patches and update remaining patch.

Signed-off-by: Alan Swanson <reiver@improbability.net>
[refreshed old runtime support patch]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-05-05 09:19:46 +01:00
João Henriques
e8a5670122 dnsmasq: add ignore hosts dir to dnsmasq init script
When running multiple instances of dnsmasq, for example one being for the lan
and another for a guest network, it might not be desirable to have the same dns names
configured in both networks

Signed-off-by: João Henriques <joaoh88@gmail.com>
2021-04-24 21:35:27 +02:00
Daniel Golle
00a85a1634
umdns: add missing syscalls to seccomp filter
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.

Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json

Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-04-10 17:36:03 +01:00
Stijn Tintel
bcdf600fc5 lldpd: further size reductions
Size difference on mips_4kec:
Before: 120196
After:  120006

Closes https://github.com/openwrt/openwrt/pull/3823

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:17 +03:00
Stijn Tintel
e4d7e7b3e4 lldpd: enable LTO
Size difference on mips_4kec:
W/o LTO: 139674
W/ LTO:  120196

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:11 +03:00
Stijn Tintel
8946be0ab5 lldpd: bump to 1.0.9
Contains fixes related to CVE-2020-27827.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:27:42 +03:00
Stijn Tintel
c935c6ffb6 lldpd: add libcap dependency
Now that libcap is in OpenWrt base, we can drop our custom patch to
disable libcap support and have lldpd depend on it instead. This will
allow the monitor process to drop its privileges instead of running as
root, improving security.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:20:48 +03:00
Rui Salvaterra
d38f456582 hostapd: enable airtime policy for the -basic variants
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.

Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
2021-04-03 18:57:13 +02:00
Jan Pavlinec
abbaf696f6 igmpproxy: remove package
Moved to packages repo because it was considered
non-essential for most router configurations.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-03-21 22:45:20 +01:00
Hauke Mehrtens
1170655f8b uhttpd: update to git HEAD
15346de client: Always close connection with request body in case of error

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:34:13 +01:00
Hauke Mehrtens
501221af54 uhttpd: Execute uci commit and reload_config once
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:32 +01:00
Hauke Mehrtens
d25d281fd6 uhttpd: Reload config after uhttpd-mod-ubus was added
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.

This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:31 +01:00
Daniel Golle
d28880cdd8
umdns: add syscalls needed on Aarch64
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 22:33:33 +00:00
Eike Ritter
46cd0765d0 ppp: compile fix: unset FILTER variable in Makefile
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message

Package ppp is missing dependencies for the following libraries:
libpcap.so.1

The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.

Signed-off-by: Eike Ritter <git@rittere.co.uk>
2021-03-19 00:25:58 +01:00
Stefan Lippers-Hollmann
1ca5de13a1 hostapd: P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

This fixes the following security vulnerabilities/bugs:

- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
  in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
  discovery requests. It could result in denial of service or other
  impact (potentially execution of arbitrary code), for an attacker
  within radio range.

Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2021-03-01 00:34:23 +01:00
Jan Pavlinec
0c0c9c734d igmpproxy: update to version 0.3
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2021-03-01 00:34:23 +01:00
Ilya Lipnitskiy
06351f1bd0 kernel: migrate wireguard into the kernel tree
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.

Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-26 20:41:01 +01:00
Hauke Mehrtens
030bc39c35 ppp: Update to version 2.4.9
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C

The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch

Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more

Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-24 00:30:20 +01:00
Ilya Lipnitskiy
17f7b217d3 wireguard: don't build on Linux 5.10
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.

[0]: https://github.com/openwrt/openwrt/pull/3885

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-23 20:13:30 +01:00
Raphaël Mélotte
fb860b4e41 hostapd: backport ignoring 4addr mode enabling error
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:

 nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
 an interface that is in a bridge and has 4addr mode already enabled.
 This operation would not have been necessary in the first place and this
 failure results in disconnecting, e.g., when roaming from one backhaul
 BSS to another BSS with Multi AP.

 Avoid this issue by ignoring the nl80211 command failure in the case
 where 4addr mode is being enabled while it has already been enabled.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 10:38:48 +01:00
Daniel Golle
d79eeba688
odhcpd: setup dhcpv4 server automagically
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-15 00:34:43 +00:00
Raphaël Mélotte
68073e2d46 hostapd: add patch for setting 4addr mode in multi_ap
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-13 13:44:22 +00:00
Raphaël Mélotte
14b9100f1c hostapd: reconfigure wps credentials on reload
This patch fixes a bug that prevents updating Multi-AP credentials
after hostapd has started.

It was sent to upstream hostapd here:
https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Raphaël Mélotte
59fa9c28d6 hostapd: add notifications for management frames
This patch allows other applications to get events management
frames (for example: association requests).

This is useful in Multi-AP context to be able to save association
requests from stations.

It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500

'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Kevin Darbyshire-Bryant
db00f312d3 dnsmasq: Bump to v2.84
dnsmasq v2.84rc2 has been promoted to release.

No functional difference between v2.83test3 and v2.84/v2.84rc2

Backport 2 patches to fix the version reporting

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-02-08 13:16:24 +00:00
Daniel Golle
aed95c4cb8 dnsmasq: switch to ubus-based hotplug call
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-08 00:57:14 +00:00
Petr Štetiar
43ff6e641e hostapd: add forgotten patch for P2P vulnerability fix
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.

Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-04 09:11:50 +01:00
Daniel Golle
7c8c4f1be6 hostapd: fix P2P group information processing vulnerability
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.

https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-04 01:05:32 +00:00
Hans Dedecker
1b484f1a12 odhcpd: update to latest git HEAD
8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-01-30 21:25:09 +01:00
Paul Spooren
7b63d89b52 umdns: bump to 2021-01-26
* i78aa36b umdns: fix 64-bit time format string
* start using $(AUTORELEASE)
* Update Copyright

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-26 13:08:56 -10:00
Kevin Darbyshire-Bryant
297f82fc58 dnsmasq: Update to 2.84test3
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket.  This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.

This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol

dnsmasq v2.84test3 resolves these issues.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-01-24 15:56:39 +00:00
Hauke Mehrtens
e87c0d934c dnsmasq: Update to version 2.83
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 is susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-19 13:01:03 +01:00
Leon M. George
d5bbd4975c hostapd: fix setting wps_state to "not configured"
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-15 18:17:45 +01:00
Leon M. George
fa02225ee6 hostapd: fix key_mgmt typo
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-14 03:54:06 +01:00
Leon M. George
f72ce73e36 hostapd: remove trailing whitespaces
Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:50:38 +01:00
Leon M. George
4bde00c2a3 hostapd: remove unused variable
'base' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:48:41 +01:00
Leon M. George
3497b30b9c hostapd: remove unused variable
'enc_str' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:45:17 +01:00
Daniel Golle
1f78538387 hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:50 +00:00
Daniel Golle
1e2d162092 hostapd: improve error handling when adding supplicant config
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:49 +00:00
Etan Kissling
7babb978ad hostapd: add multicast_to_unicast and per_sta_vif
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Daniel Golle
2d305ff13a hostapd: return PID on config_add call
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-10 19:15:51 +00:00
Robert Marko
f246dfde33 hostapd: wpa_supplicant: Enable proper GCMP cipher support
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2021-01-05 02:16:24 +00:00
Nick Hainke
6773bee107 odhcpd: bump to latest version
3bda900 odhcpd: add option for setting preferred lifetime

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-01-04 08:01:16 +01:00
Florian Beverborg
22e568d0fe hostapd: add support for custom per-BSS options
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.

This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.

Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-03 12:31:42 -10:00
Hauke Mehrtens
7aa8c00e4b ppp: Remove already applied patch
This patch was already applied upstream and not needed here.

Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-01 19:55:59 +01:00
Felix Fietkau
e1851720f1 hostapd: do not restart hostapd instance on wireless restarts
Add the flag that prevents netifd from killing hostapd/wpa_supplicant

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-12-31 14:26:00 +01:00
Hans Dedecker
bc99b56d7e odhcpd: update to latest git HEAD
b75bcad dhcpv6-ia: remove assignment equal to 0 checks
d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0
9d5e379 dhcpv6-ia: fix prefix delegation behavior

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-12-24 17:23:41 +01:00
Dobroslaw Kijowski
1a9b896d8b treewide: nuke DRIVER_11W_SUPPORT
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.

It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.

As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-12-23 16:36:08 +01:00
John Crispin
ceb612e463 hostapd: pass respawn settings when registering the service
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
2020-12-22 19:30:26 +01:00
Nick Lowe
cb41bc5088 hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabled
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.

hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:

// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2

For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:

// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2

For client compatibility therefore:

EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.

To fix this, we can therefore change in the script:

set_default eapol_version 0

To the following:

set_default eapol_version $((wpa & 1))

This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.

For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-22 19:11:50 +01:00
Nadim Atiya
1302bee12a hostapd: parse skip_inactivity_poll option
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].

[1] https://openwrt.org/docs/guide-user/network/wifi/basic

Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
2020-12-22 15:23:35 +00:00
Petr Štetiar
0cf3c5dd72 uhttpd: don't redirect to HTTPS by default
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.

Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:

 $ uci set uhttpd.main.redirect_https=1
 $ uci commit uhttpd
 $ service uhttpd reload

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-20 10:36:51 +01:00
Daniel Golle
b2d48c1dfe odhcpd: remove local mkdir_p implementation
Replace local mkdir_p implementation in favour of using mkdir_p now
added to libubox.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-13 00:13:18 +00:00
Konstantin Demin
52aa2017d3 dropbear: bump package version
Bump package version after previous changes.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-11 13:48:24 +01:00
Konstantin Demin
228298290e dropbear: add ssh-askpass support in configuration
binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215132 (+4b)
  ipk: 111183 -> 111494 (+311b)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
e1bd9645b6 dropbear: roll up recipes into mapping lists
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.

DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
  'header_option|value'

'header_option' is added with value 'value' to 'localoptions.h'.

if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.

in short:
   option|value - add option to localoptions.h
 !!option|value - replace option in sysoptions.h

DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
  'header_option|config_variable|value_enabled|value_disabled'

'header_option' is handled likewise in DB_OPT_COMMON.

if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.

in short:
   option|config|enabled|disabled = add option to localoptions.h
 !!option|config|enabled|disabled = replace option in sysoptions.h

   option := (config) ? enabled : disabled

If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.

PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
79d5c24724 dropbear: rework recipes that configure build
- add two helper functions to avoid mistakes with
  choice of correct header file to work with
- update rules accordingly

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
42eff7c7e6 dropbear: reorder options in Configure recipe
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
7e122c353a dropbear: enable back DROPBEAR_USE_PASSWORD_ENV
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.

binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215128 (no change)
  ipk: 111108 -> 111183 (+75b)

Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Jo-Philipp Wich
dd5b3b58d8 lldpd: fix autoreconf failure
The lldpd sources ship a modified local AX_LIB_READLINE M4 macro which
conflicts with the official macro shipped by autoconf-archive.

Due to the official macro having the same name and a higher serial
number, autoconf will prefer including that one instead of the local
copy, preventing the substitution of @READLINE_LIBS@ in Makefile.in
templates, ultimately leading to the following build failure when
linking lldpcli:

    ...-gcc: error: READLINE_LIBS@: No such file or directory

Avoid this problem by renaming the locally shipped macro to not clash
with the official implementation anymore.

Ref: https://github.com/lldpd/lldpd/pull/423
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-12-09 12:36:40 +01:00
Nick Lowe
ce5bcff304 hostapd: Disable 802.11b data rates by default
Set legacy_rates to 0 by default to disable 802.11b data rates by default.

The time has long come where 802.11b DSSS/CCK data rates should be disabled
by default in OpenWRT. Users in need of 802.11b client support can reasonably
enable these where they are needed.

The balance of equities has significantly, and for a long time, tipped
such that dropping backwards compatibility by default with 802.11b
devices is appropriate, proportionate and justified. By doing so,
management and control traffic is moved by default to a 20
MHz wide 6 Mb/s OFDM data rate instead of a 22 MHz wide 1 Mb/s DSSS data
rate. This is significantly more airtime efficient.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-06 08:51:32 -10:00
Rosen Penev
28a9ac74cc openvpn: remove
This will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Paul Spooren <mail@aparcar.org>
2020-12-05 10:09:01 -10:00
Rosen Penev
57a8028949 openvpn-easy-rsa: remove
This will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-05 10:08:49 -10:00
Jan Pavlinec
520403cd49 umdns: add check for seccomp list
This should fix an issue when user have a router with enabled seccomp
and tries to run umdns package which was build with SDK with disabled
seccomp support.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-11-30 10:38:13 +00:00
Nick Lowe
81ff23fc91 hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.

The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.

Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.

Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.

Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.

For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.

A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.

There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.

There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.

Cell Density

0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.

1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.

2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.

3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.

Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-11-30 09:31:15 +01:00
Daniel Golle
64cbfd1f54 umdns: update seccomp filter rules
Add 'writev' syscall to list of allowed syscalls.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-27 01:23:43 +00:00